Digital Forensics in Cybersecurity D431
Digital Forensics in Cybersecurity
94
Other
Undergraduate 2
05/26/2024

Term
Electronic Communications Privacy Act (ECPA) of 1986

Definition

The Electronic Communications Privacy Act of 1986 governs the privacy and disclosure, access, and interception of content and traffic data related to electronic communications.

Requires both parties to consent to the recording of a conversation. 

Basic subscriber information—This information includes name, address, billing information including a credit card number, telephone toll billing records, subscriber’s telephone number, type of service, and length of service. An investigator can obtain this type of information with a subpoena, court order, or search warrant.

Transactional information—This information includes websites visited, email addresses of others with whom the subscriber exchanged email, and buddy lists. An investigator can obtain this type of information with a court order or search warrant.

Content information—An investigator who has a search warrant can obtain content information from retrieved email messages and also acquire unretrieved stored emails.

Real-time access—To intercept traffic as it is sent or received, an investigator needs to obtain a wiretap order.

Term
Health Insurance Portability and Accountability Act (HIPAA)
Definition
Law related to the disclosure of personally identifiable protected health information (PHI).
Term
18 U.S.C. 2252B
Definition
Law criminalizing the act of knowingly using a misleading domain name with the intent to deceive a minor into viewing harmful material. 
Term
The Privacy Protection Act (PPA)
Definition
Law protecting journalists from turning over their work or sources to law enforcement before the information is shared with the public.
Term
NIST SP 800-72 Guidelines
Definition
Law or guideline that lists the four states a mobile device can be in when data is extracted from it.
Term
Communications Assistance for Law Enforcement Act (CALEA)
Definition

Law that includes a provision permitting the wiretapping of VoIP calls. 

The Communications Assistance for Law Enforcement Act of 1994 is a federal wiretap law for traditional wired telephony. It was expanded in 2004 to include wireless, voice over packets, and other forms of electronic communications, including signaling traffic and metadata.

Term
Policy included in the CAN-SPAM Act
Definition
The email sender must provide some mechanism whereby the receiver can opt out of future emails and that method cannot require the receiver to pay in order to opt out.
Term
Which U.S. law requires telecommunications equipment manufacturers to provide built-in surveillance capabilities for federal agencies?
Definition
Communications Assistance for Law Enforcement Act (CALEA)
Term
Which law requires a search warrant or one of the recognized exceptions to the search warrant requirements for searching email messages on a computer?
Definition
The Fourth Amendment to the U.S. Constitution
Term
The Chief Information Officer of an accounting firm believes sensitive data is being exposed on the local network. Which tool should the IT staff use to gather digital evidence about this security vulnerability?
Definition
Sniffer
Term
A police detective investigating a threat traces the source to a house. The couple at the house shows the detective the only computer the family owns, which is in their son's bedroom. The couple stated that their son is presently in class at a local middle school. How should the detective legally gain access to the computer?
Definition
Obtain consent to search from the parents.
Term
How should a forensic scientist obtain the network configuration from a Windows PC before seizing it from a crime scene?
Definition
By using the ipconfig command from a command prompt on the computer.
Term
The human resources manager of a small accounting firm believes he may have been a victim of a phishing scam. The manager clicked on a link in an email message that asked him to verify the logon credentials for the firm's online bank account. Which digital evidence should a forensic investigator collect to investigate this incident?
Definition
Browser cache
Term
After a company's single-purpose, dedicated messaging server is hacked by a cyber criminal, a forensics expert is hired to investigate the crime and collect evidence. Which digital evidence should be collected?
Definition
Firewall logs
Term
Thomas received an email stating that he needed to follow a link and verify his bank account information to ensure it was secure. Shortly after following the instructions, Thomas noticed money was missing from his bank account. Which digital evidence should be considered to determine how Thomas' information was compromised?
Definition
Email Messages
Term
The CEO of a small computer company has identified a potential hacking attack from an outside competitor. Which type of evidence should a forensic investigator use to identify the source of the hack?
Definition
Network transaction logs
Term
A forensic scientist arrives at a crime scene to begin collecting evidence. What is the first thing the forensic scientist should do?
Definition
Photograph all evidence in its original place
Term
Which method of copying digital evidence ensures proper evidence collection?
Definition
Make the copy at the bit-level
Term
A computer involved in a crime is infected with malware. The computer is on and connected to the company's network. The forensic investigator arrives at the scene. Which action should be the investigator's first step?
Definition
Unplug the computer's Ethernet cable
Term
What are the three basic tasks that a system forensic specialist must keep in mind when handling evidence during a cybercrime investigation?
Definition
A. Find evidence
B. Preserve Evidence
C. Prepare Evidence.
Term
How do forensic specialists show that digital evidence was handled in a protected, secure manner during the process of collecting and analyzing the evidence?
Definition
Chain of Custody
Term
Which characteristic applies to magnetic drives compared to solid-state drives (SSDs)?
Definition
Lower cost
Term
Which characteristic applies to solid-state drives (SSDs) compared to magnetic drives?
Definition
They are less susceptible to damage
Term
Which type of storage format should be transported in a special bag to reduce electrostatic interference?
Definition
Magnetic media
Term
Which Windows component is responsible for reading the boot.ini file and displaying the boot loader menu on Windows XP during the boot process?
Definition
NTLDR
Term
The following line of code is an example of how to make a forensic copy of a suspect drive:

dd if=/dev/mem of=/evidence/image.memory1

Which operating system should be used to run this command?
Definition
Linux
Term
Which file system is supported by Mac?
Definition
Hierarchical File System Plus (HFS+)
Term
Where are local passwords stored for the Windows operating system?
Definition
SAM file in \Windows\System32
Term
Where on a Windows system is the config folder located that contains the SAM file?
Definition
C:\Windows\System32
Term
A forensic examiner wants to try to extract passwords for wireless networks to which a system was connected. Where should passwords for wireless networks be stored on a Windows XP system?
Definition
Registry
Term
Which Windows password cracking tool uses rainbow tables?
Definition
Ophcrack
Term
How does a rainbow table work to crack a password?
Definition
It uses a table of all possible keyboard combinations and their hash value, then searches for a match.
Term
What should a forensic investigator use to gather the most reliable routing information for tracking an email message?
Definition
Email header
Term
Which activity involves email tracing?
Definition
Determining the ownership of the source email server.
Term
A forensic examiner reviews a laptop running OS X which has been compromised. The examiner wants to know if there were any mounted volumes created from USB drives. Which digital evidence should be reviewed?
Definition

/var/log 

This directory has many logs in it. The /var/log/daily.out contains data on all mounted volumes, including the dates they were mounted. This is very important in cases involving stolen data. You can see what devices have been attached and get data from them. This folder includes data on removable media, including serial numbers.

Term
Which log or folder contains information about printed documents on a computer running Mac OS X
Definition

/var/spool/cups

In this folder, you will also find information about printed documents. If you need to know what documents have been printed from this Apple device, this folder can give you that information. This includes the name of the document printed and the user who printed it.

Term
Which Windows event log should be checked for evidence of invalid logon attempts?
Definition
Security
Term
A cyber security organization has issued a warning about a cybercriminal who is using a known vulnerability to attack unpatched corporate Macintosh systems. A network administrator decides to examine the software update logs on a Macintosh system to ensure the system has been patched. Which folder contains the software update logs?
Definition

/Library/Receipts

This folder contains information about system and software updates. This might be of some interest in investigating malware crimes.

Term
A forensic investigator wants to image an older BlackBerry smartphone running OS 7.0. Which tool should the investigator use?
Definition
BlackBerry Desktop Manager
Term
An investigator wants to extract information from a mobile device by connecting it to a computer. What should the investigator take great care to ensure?
Definition
That the mobile device does not synchronize with the computer.
Term
Which state is a device in if it is powered on, performing tasks, and able to be manipulated by the user?
Definition
Active
Term
What is the purpose of steganography?
Definition
To deliver information secretly
Term
Which method is used to implement steganography through pictures?
Definition
LSB (Least Significant Bit)
Term
The Chief Information Security Officer of a company believes that an attacker has infiltrated the company's network and is using steganography to communicate with external sources. A security team is investigating the incident. They are told to start by focusing on the core elements of steganography. Which are the core elements of steganography?
Definition
Payload, carrier, channel
Term
A system administrator believes data is being leaked from the organization. The administrator decides to use steganography to hide tracking information in the types of files he thinks are being leaked. Which steganographic term describes this tracking information?
Definition
Payload
Term
A criminal organization has compromised a third-party web server and is using it to control a botnet. The botnet server hides command and control messages through the DNS protocol. Which steganographic component are the command and control messages?
Definition
Payload
Term
Which method is commonly used to hide data via steganography?
Definition
LSB
Term
A systems administrator believes an employee is leaking information to a competitor by hiding confidential data in images being attached to outgoing emails. The administrator has captured the outgoing emails. Which tool should the forensic investigator use to search for the hidden data in the images?
Definition
Forensic Toolkit (FTK)
Term
A foreign government is communicating with its agents in the U.S. by hiding text messages in popular American songs, which are uploaded to the web. Which steganographic tool can be used to do this?
Definition
MP3Stego
Term
During a cyber-forensics investigation, a USB drive was found that contained multiple pictures of the same flower. How should an investigator use properties of a file to detect steganography?
Definition
Review the hexadecimal code looking for anomalies in the file headers and endings using a tool such as EnCase
Term
Children's Online Privacy Protection Act of 1998
Definition
The Children's Online Privacy Protection Act of 1998 (COPPA) protects children 13 years of age and under from the collection and use of their personal information by websites.
Term
The Wireless Communications and Public Safety Act of 1999
Definition

The Wireless Communications and Public Safety Act of 1999 allows for collection and use of “empty” communications, which means nonverbal and nontext communications, such as GPS information.

Term
The USA PATRIOT Act
Definition
The USA PATRIOT Act is the primary law under which a wide variety of internet and communications information content and metadata is currently collected. Provisions exist within the PATRIOT Act to protect the identity and privacy of U.S. citizens.
Term
Warrants
Definition

Warrants are not needed when evidence is in plain sight. Courts have held that only the actual owner of a property can grant consent, or someone who has legal guardianship of the owner. For example, a parent of a minor child can grant consent to search the child’s living quarters and computers.

Term
Magnetic Media
Definition

Integrated Drive Electronics (IDE)

Because the data is stored magnetically, the drives are susceptible to magnetic interference. This can include being demagnetized. If a drive has been demagnetized, there is no way to recover the data. You should transport drives in special transit bags that reduce electrostatic interference. This reduces the chance of inadvertent loss of data.

Term
Solid-State Drives
Definition

Most SSDs use Negated AND (NAND) gate–based flash memory, which retains memory even without power. Because there are no moving parts, these drives are usually less susceptible to physical damage than magnetic drives are. The startup time for SSDs is usually much faster than for magnetic storage drives.

Term
USB Drives
Definition
Because there are no moving parts, these drives are resilient to shock damage (i.e., dropping them probably won’t hurt them).
Term
The Advanced Forensic Format
Definition
The advanced forensic file format (abbreviated AFF).

The AFF file format is part of the AFF Library and Toolkit, which is a set of open-source computer forensics programs. Sleuth Kit and Autopsy both support this file format.
Term
EnCase
Definition
The evidence file is an exact copy of the hard drive. EnCase calculates an MD5 hash when the drive is acquired. This hash is used to check for changes, alterations, or errors.
Term
Forensic Toolkit (FTK)
Definition
Forensic Toolkit (FTK), from AccessData, is particularly useful at cracking passwords. FTK also provides tools to search and analyze the Windows Registry. FTK gives you a robust set of tools for examining email. FTK is available for Windows or Mac OS. With AccessData’s Forensic Toolkit, processing and analysis can be distributed across up to three computers. FTK has an Explicit Image Detection add-on that automatically detects pornographic images.
Term
Sleuth Kit 
Definition
The Sleuth Kit is a collection of command-line tools that are available as a free download. This particular utility is best used when you know the specific file you are searching for. It is not a good option for a general search. Its GUI front end is named Autopsy.
Term
Payload
Definition
Payload is the information to be covertly communicated. In other words, it is the message you want to hide.
Term
Carrier
Definition
The carrier (or carrier file) is the signal, stream, or file in which the payload is hidden.
Term
Channel
Definition
The channel is the type of medium used. This may be a passive channel, such as photos, video, or sound files, or even an active channel, such as a Voice over IP (VoIP) voice call or streaming video connection.
Term
Steganalysis
Definition
Steganalysis is the process of analyzing a file or files for hidden content. Forensic Toolkit (FTK) and EnCase both check for steganography.
Term
Cryptographic Hashes
Definition

First and foremost, it is one-way, not reversible. That means you cannot “unhash” something. The second characteristic is that you get a fixed-length output no matter what input is given. The third is that the algorithm must be collision resistant. A collision occurs when two different inputs to the same hashing algorithm produce the same output (called a hash or digest).

Cryptographic hashes are how many systems, including Microsoft Windows, store passwords. For example, if your password is “password”, then Windows will first hash it, producing something like this:

0BD181063899C9239016320B50D3E896693A96DF

Windows will then store that hash in the SAM (Security Accounts Manager) file in the Windows System directory.

Term
Rainbow Tables
Definition
Ophcrack depends on rainbow tables. Ophcrack is usually very successful at cracking Windows local machine passwords. [know Ophcrack as a spoiler answer]
Term
Security log
Definition
This is probably the most important log from a forensics point of view. It has both successful and unsuccessful login events. [anything about external connections]
Term
SAM (Security Accounts Manager)
Definition
REGISTRY HIVE 
HKEY_LOCAL_MACHINE\SAM

SUPPORTING FILES
Sam, Sam.log, Sam.sav
Term
Command Prompt in Mac OS
Definition

The command prompt in Mac OS is a BASH shell, so you can execute Linux commands.

Term
GUID Partition Table
Definition

The GUID Partition Table is used primarily with computers that have an Intel-based processor. It requires OS X v10.4 or later. Intel-based Mac OS machines can boot only from drives that use the GUID Partition Table.

Term
Mac OS Logs
The /var/log Log
Definition
This directory has many logs in it. The /var/log/daily.out contains data on all mounted volumes, including the dates they were mounted. This is very important in cases involving stolen data. You can see what devices have been attached and get data from them. This folder includes data on removable media, including serial numbers.
Term
Mac OS Logs 
The /var/spool/cups Folder
Definition
In this folder, you will also find information about printed documents. If you need to know what documents have been printed from this Apple device, this folder can give you that information. This includes the name of the document printed and the user who printed it.
Term
Mac OS Logs
The /private/var/audit Logs
Definition

As the name suggests, these are logs of system audits. This includes things like user login. Obviously, this can be very interesting forensically. These audits are often not in a human-readable format. However, Guidance Software makes an audit log parser for Mac OS audit logs.

Term
Mac OS Logs
The /private/var/VM Folder
Definition

This folder contains swap and sleep image files. If you hibernate your Mac, this directory will usually occupy more than 5 gigabytes of disk space. This can be a source of important forensic data.

Term
Mac OS Logs 
The /Library/Receipts Folder
Definition
This folder contains information about system and software updates. This might be of some interest in investigating malware crimes.
Term
Mac OS Logs
/Library/Mobile Documents
Definition

This folder is what syncs with iCloud. This is where you will find items that have been saved to iCloud. It should be quite clear that this can be very interesting forensically.

Term
Mac OS Logs 
The /Users/<user>/.bash_history Log
Definition
As you know, Mac OS is based on FreeBSD, a Unix variant. When you launch the terminal window, what you actually get is a BASH shell. So this particular log can be very interesting. It will show you a variety of commands. You might look for commands such as rm, which would be removing or deleting something, or commands like dd, indicating the user might have tried to make an image of the drive.
Term
Mac OS Logs
The /var/vm Folder
Definition

In this folder, you will find a subfolder named app profile. This will contain lists of recently opened applications as well as temporary data used by applications. Both of these can be very interesting in a forensic examination.

Term
Mac OS Logs
The /Users/ Directory
Definition

This is where various users’ files are stored. It is always a good idea to check in this directory to find out if users have saved data here that could be used as evidence.

Term
Mac OS Logs
The /Users/<user>/Library/Preferences Folder
Definition

As you probably suspect, this folder contains user preferences. This folder even maintains the preferences of programs that have been deleted. This could be a very valuable place to get clues about programs that have been deleted from the system.

Term
The /etc Directory (Mac OS)
Definition
Just as in Linux, this is where configuration files are located. Obviously, configuration files can be quite interesting in a forensic investigation. It is often true that cybercriminals like to adjust the system’s configuration. Sometimes this is done in order to facilitate the criminal’s return to the system later.
Term
Can You Undelete in Mac OS?
Definition

Recall that in Windows systems, deleting actually just removes a file from the master file table (MFT) or file allocation table (FAT) and marks those clusters as available. The file’s data is still there and can be recovered. What happens when a file is deleted on an HFS or HFS+ volume? Although the details are a bit different, a similar thing occurs. The references to the file are gone and the clusters might be used and overwritten. But, depending on how soon after the deletion you attempt to recover data, you may be able to recover some or all of the data. Even if the data is overwritten, data may still exist in unallocated space and in index nodes. When a file is deleted in Mac OS, it is moved to the Trash folder—much like the Recycle Bin in Windows. The Trash is represented on the file system as a hidden folder, .Trash, on the root directory of the file system.

Term
Data Doctor
Mobile Device
Definition

Data Doctor—This product recovers all Inbox and Outbox data and all contacts data, and has an easy-to-use interface. Most important, it has a free trial version, but there is a cost for the full version. [know this as a spoiler answer]

Term
Forensics for a Windows 10 phone is done in much the same way as forensics for a Windows 10 PC or laptop is done.
Definition
Forensic Toolkit and EnCase can both image a phone for you.
Term
XRY
Definition
breaking an iPhone passcode
Term
Deleted Files
Definition
When a file is deleted on the iPhone, iPad, or iPod, it is actually moved to the .Trashes\501 folder. Essentially, the data is still there until it is overwritten, so recently deleted files can be retrieved.
Term
Pwnage
Definition

Pwnage—This utility allows you to unlock a locked iPod Touch and is available from https://pwnage.com/. [know it as a spoiler answer]

Term
Email Files
Definition

.pst (Outlook)
.ost (Offline Outlook Storage)
.mbx or .dbx (Outlook Express)
.mbx (Eudora)
.emi (common to several email clients)

Term
File Extensions associated to Email server Software
Definition

Exchange Server (.edb)
Exchange Public Folders (pub.edb)
Exchange Private Folders (priv.edb)
Term
What is /var/log/lpr?
Definition
Linux printer log
Term
How does Windows store passwords?
Definition
Encrypted copy or hash? *Hash.
Term
The Fourth Amendment to the U.S. Constitution
Definition
If an email message resides on a sender’s or recipient’s computer or other device, the Fourth Amendment to the U.S. Constitution and state requirements govern the seizure and collection of the message. Determine whether the person on whose computer the evidence resides has a reasonable expectation of privacy on that computer. The Fourth Amendment requires a search warrant or one of the recognized exceptions to the search warrant requirements, such as consent from the device owner.