Term
a. Electronic Communications Privacy Act (ECPA)
Electronic Communications Privacy Act
(ECPA) of 1986 |
|
Definition
The Electronic Communications Privacy Act of 1986 governs the privacy and disclosure, access, and interception of content and traffic data related to electronic communications.
Requires both parties to consent to the recording of a conversation.
Basic subscriber information—This information includes name, address, billing information including a credit card number, telephone toll billing records, subscriber’s telephone number, type of service, and length of service. An investigator can obtain this type of information with a subpoena, court order, or search warrant.
Transactional information—This information includes websites visited, email addresses of others with whom the subscriber exchanged email, and buddy lists. An investigator can obtain this type of information with a court order or search warrant.
Content information—An investigator who has a search warrant can obtain content information from retrieved email messages and also acquire unretrieved stored emails.
Real-time access—To intercept traffic as it is sent or received, an investigator needs to obtain a wiretap order. |
|
|
Term
| Health Insurance Portability and Accountability Act (HIPPA) |
|
Definition
| Law related to the disclosure of personally identifiable protected health information (PHI). |
|
|
Term
|
Definition
| Law criminalizing the act of knowingly using a misleading domain name with the intent to deceive a minor into viewing harmful material. |
|
|
Term
| The Privacy Protection Act (PPA) |
|
Definition
| Law protecting journalists from turning over their work or sources to law enforcement before the information is shared with the public. |
|
|
Term
| NIST SP 800-72 Guidelines |
|
Definition
| Law or guideline that lists the four states a mobile device can be in when data is extracted from it. |
|
|
Term
| Communications Assistance to Law Enforcement (CALEA) |
|
Definition
Law that includes a provision permitting the wiretapping of VoIP calls.
The Communications Assistance to Law Enforcement Act of 1994 is a federal wiretap law for traditional wired telephony. It was expanded in 2004 to include wireless, voice over packets, and other forms of electronic communications, including signaling traffic and metadata. |
|
|
Term
| Policy included in the CAN-SPAM Act |
|
Definition
| The email sender must provide some mechanism whereby the receiver can opt out of future emails and that method cannot require the receiver to pay in order to opt out. |
|
|
Term
| Which U.S. law requires telecommunications equipment manufacturers to provide built-in surveillance capabilities for federal agencies? |
|
Definition
| Communication Assistance to Law Enforcement Act (CALEA) |
|
|
Term
| Which law requires a search warrant or one of the recognized exceptions to the search warrant requirements for searching email messages on a computer? |
|
Definition
| The Fourth Amendment to the U.S. Constitution |
|
|
Term
| The Chief Information Officer of an accounting firm believes sensitive data is being exposed on the local network. Which tool should the IT staff use to gather digital evidence about this security vulnerability? |
|
Definition
|
|
Term
| A police detective investigating a threat traces the source to a house. The couple at the house shows the detective the only computer the family owns, which is in their son's bedroom. The couple stated that their son is presently in class at a local middle school. How should the detective legally gain access to the computer? |
|
Definition
| Obtain consent to search from the parents. |
|
|
Term
| How should a forensic scientist obtain the network configuration from a Windows PC before seizing it from a crime scene? |
|
Definition
| By using the ipconfig command from a command prompt on the computer. |
|
|
Term
| The human resources manager of a small accounting firm believes he may have been a victim of a phishing scam. The manager clicked on a link in an email message that asked him to verify the logon credentials for the firm's online bank account. Which digital evidence should a forensic investigator collect to investigate this incident? |
|
Definition
|
|
Term
| After a company's single-purpose, dedicated messaging server is hacked by a cyber criminal, a forensics expert is hired to investigate the crime and collect evidence. Which digital evidence should be collected? |
|
Definition
|
|
Term
| Thomas received an email stating that he needed to follow a link and verify his bank account information to ensure it was secure. Shortly after following the instructions, Thomas noticed money was missing from his bank account. Which digital evidence should be considered to determine how Thomas' information was compromised? |
|
Definition
|
|
Term
| The CEO of a small computer company has identified a potential hacking attack from an outside competitor. Which type of evidence should a forensic investigator use to identify the source of the hack? |
|
Definition
|
|
Term
| A forensic scientist arrives at a crime scene to begin collecting evidence. What is the first thing the forensic scientist should do? |
|
Definition
| Photograph all evidence in its original place |
|
|
Term
| Which method of copying digital evidence ensures proper evidence collection? |
|
Definition
| Make the copy at the bit-level |
|
|
Term
| A computer involved in a crime is infected with malware. The computer is on and connected to the company's network. The forensic investigator arrives at the scene. Which action should be the investigator's first step? |
|
Definition
| Unplug the computer's Ethernet cable |
|
|
Term
| What are the three basic tasks that a system forensic specialist must keep in mind when handling evidence during a cybercrime investigation? |
|
Definition
A. Find evidence
B. Preserve Evidence
C. Prepare Evidence. |
|
|
Term
| How do forensic specialists show that digital evidence was handled in a protected, secure manner during the process of collecting and analyzing the evidence? |
|
Definition
|
|
Term
| Which characteristics applies to magnetic drives compared to solid-state drives (SSDs)? |
|
Definition
|
|
Term
| Which characteristics applies to solid-state drives (SSDs) compared to magnetic drives? |
|
Definition
| They are less susceptible to damage |
|
|
Term
| Which type of storage format should be transported in a special bag to reduce electrostatic interference? |
|
Definition
|
|
Term
| Which Windows component is responsible for reading the boot.ini file and displaying the boot loader menu on Windows XP during the boot process? |
|
Definition
|
|
Term
| The following line of code is an example of how to make a forensic copy of a suspect drive: dd if=/dev/mem of=/evidence/image.memory1 Which operating system should be used to run this command? |
|
Definition
|
|
Term
| Which file system is supported by Mac? |
|
Definition
| Hierarchal File System Plus (HFS+) |
|
|
Term
| Where are local passwords stored for the Windows operating system? |
|
Definition
| SAM file in \Windows\System32 |
|
|
Term
| Where on a Windows system is the config folder located that contains the SAM file? |
|
Definition
|
|
Term
| A forensic examiner wants to try to extract passwords for wireless networks to which a system was connected. Where should passwords for wireless networks be stored on a Windows XP system? |
|
Definition
|
|
Term
| Which Windows password cracking tool uses rainbow tables? |
|
Definition
|
|
Term
| How does a rainbow table work to crack a password? |
|
Definition
| It uses a table of all possible keyboard combinations and their hash value, then searches for a match. |
|
|
Term
| What should a forensic investigator use to gather the most reliable routing information for tracking an email message? |
|
Definition
|
|
Term
| Which activity involves email tracing? |
|
Definition
| Determining the ownership of the source email server. |
|
|
Term
| A forensic examiner reviews a laptop running OS X which has been compromised. The examiner wants to know if there were any mounted volumes created from USB drives. Which digital evidence should be reviewed? |
|
Definition
/var/log
This directory has many logs in it. The /var/log/daily.out contains data on all mounted volumes, including the dates they were mounted. This is very important in cases involving stolen data. You can see what devices have been attached and get data from them. This folder includes data on removable media, including serial numbers. |
|
|
Term
| Which log or folder contains information about printed documents on a computer running Mac OS X |
|
Definition
/var/spool/cups
In this folder, you will also find information about printed documents. If you need to know what documents have been printed from this Apple device, this folder can give you that information. This includes the name of the document printed and the user who printed it. |
|
|
Term
| Which Windows event log should be checked for evidence of invalid logon attempts? |
|
Definition
|
|
Term
| A cyber security organization has issued a warning about a cybercriminal who is using a known vulnerability to attack unpatched corporate Macintosh systems. A network administrator decides to examine the software update logs on a Macintosh system to ensure the system has been patched. Which folder contains the software update logs? |
|
Definition
/Library/Receipts
This folder contains information about system and software updates.This might be of some
interest in investigating malware crimes. |
|
|
Term
| A forensic investigator wants to image an older BlackBerry smartphone running OS 7.0. Which tool should the investigator use? |
|
Definition
| BlackBerry Desktop Manager |
|
|
Term
| An investigator wants to extract information from a mobile devices by connecting it to a computer. What should the investigator take great care to ensure? |
|
Definition
| That the mobile devices does not synchronize with the computer. |
|
|
Term
| Which state is a device in if it is powered on, performing tasks, and able to be manipulated by the user? |
|
Definition
|
|
Term
| What is the purpose of steganography? |
|
Definition
| To deliver information secretly |
|
|
Term
| Which method is used to implement steganography through pictures? |
|
Definition
| LSB (Least Significant Bit) |
|
|
Term
| The Chief Information Security Officer of a company believes that an attacker has infiltrated the company's network and is using steganography to communicate with external sources. A security team is investigating the incident. They are told to start by focusing on the core elements of steganography. Which are the core elements of steganography? |
|
Definition
| Payload, carrier, channel |
|
|
Term
| A system administrator believes data is being leaked from the organization. The administrator decides to use steganography to hide tracking information in the types of files he thinks are being leaked. Which steganographic term describes this tracking information? |
|
Definition
|
|
Term
| A criminal organization has compromised a third-party web server and is using it to control a botnet. The botnet server hides command and control messages through the DNS protocol. Which steganographic component are the command and control messages? |
|
Definition
|
|
Term
| Which method is commonly used to hide data via steganography? |
|
Definition
|
|
Term
| A systems administrator believes an employee is leaking information to a competitor by hiding confidential data in images being attached to outgoing emails. The administrator has captured the outgoing emails. Which tool should the forensic investigator use to search for the hidden data in the images? |
|
Definition
|
|
Term
| A foreign government is communicating with its agents in the U.S. by hiding text messages in popular American songs, which are uploaded to the web. Which steganographic tool can be used to do this? |
|
Definition
|
|
Term
| During a cyber-forensics investigation, a USB drive was found that contained multiple pictures of the same flower. How should an investigator use properties of a file to detect steganography? |
|
Definition
| Review the hexadecimal code looking for anomalies in the file headers and endings using a tool such as EnCase |
|
|
Term
| Children's Online Privacy Protection Act of 1998 |
|
Definition
| The Children's Online Privacy Protection Act of 1998 (COPPA) protects children 13 years of age and under from the collection and use of their personal information by websites. |
|
|
Term
| The Wireless Communications and Public Safety Act of 1999 |
|
Definition
The Wireless Communications and Public Safety Act of 1999 allows for collection and use of “empty” communications, which means nonverbal and nontext communications, such as GPS information.
|
|
|
Term
|
Definition
The USA PATRIOT Act is the primary law under which a wide variety of internet and communications information content and metadata is currently collected. Provisions exist within the PATRIOT Act to protect the identity and privacy of U.S. citizens.
|
|
|
Term
|
Definition
Warrants are not needed when evidence is in plain sight. Courts have held that only the actual owner of a property can grant consent, or someone who has legal guardianship of the owner. For example, a parent of a minor child can
grant consent to search the child’s living quarters and computers. |
|
|
Term
|
Definition
Integrated Drive Electronics (IDE)
Because the data is stored magnetically, the drives are susceptible to magnetic interference. This can include being demagnetized. If a drive has been demagnetized, there is no way to recover the data. You should transport drives in special transit bags that reduce electrostatic interference. This reduces the chance of inadvertent loss of data. |
|
|
Term
|
Definition
Most SSDs use Negated AND (NAND) gate–based flash memory, which retains memory even without power. Because there are no moving parts, these drives are
usually less susceptible to physical damage than magnetic drives are. The startup time for SSDs is usually much faster than for magnetic storage drives. |
|
|
Term
|
Definition
| Because there are no moving parts, these drives are resilient to shock damage (i.e., dropping them probably won’t hurt them). |
|
|
Term
| The Advanced Forensic Format |
|
Definition
The advanced forensic file format (abbreviated AFF).
The AFF file format is part of the AFF Library and Toolkit, which is a set of open-source computer forensics programs. Sleuth Kit and Autopsy both support this file format. |
|
|
Term
|
Definition
| The evidence file is an exact copy of the hard drive. EnCase calculates an MD5 hash when the drive is acquired. This hash is used to check for changes, alterations, or errors |
|
|
Term
|
Definition
| from AccessData Forensic Toolkit is particularly useful at cracking passwords. FTK also provides tools to search and analyze the Windows Registry. FTK gives you a robust set of tools for examining email. FTK is available for Windows or Mac OS. With AccessData’s Forensic Toolkit, processing and analysis can be distributed across up to three computers. FTK has an Explicit Image Detection add-on that automatically detects pornographic images |
|
|
Term
|
Definition
| The Sleuth Kit is a collection of command-line tools that are available as a free download. This particular utility is best used when you know the specific file you are searching for. It is not a good option for a general search. That GUI is named Autopsy. |
|
|
Term
|
Definition
| Payload is the information to be covertly communicated. In other words, it is the message you want to hide. |
|
|
Term
|
Definition
| The carrier (or carrier file) is the signal, stream, or file in which the payload is hidden. |
|
|
Term
|
Definition
| The channel is the type of medium used. This may be a passive channel, such as photos, video, or sound files, or even an active channel, such as a Voice over IP (VoIP) voice call or streaming video connection. |
|
|
Term
|
Definition
| Steganalysis is the process of analyzing a file or files for hidden content. Forensic Toolkit (FTK) and EnCase both check for steganography, |
|
|
Term
|
Definition
First and foremost, it is one-way, not reversible. That means you cannot “unhash” something. The second characteristic is that you get a fixed-length output no matter what input is given. The third is that the algorithm must be collision resistant. A collision occurs when two different inputs to the same hashing algorithm produce the same output (called a hash or digest).
Cryptographic hashes are how many systems, including Microsoft Windows, store passwords. For example, if your password is “password”, then Windows will first hash it, producing something like this:
0BD181063899C9239016320B50D3E896693A96DF
Windows will then store that hash in the SAM (Security Accounts Manager) file in the Windows System directory.
|
|
|
Term
|
Definition
| Ophcrack depend on rainbow tables. Ophcrack is usually very successful at cracking Windows local machine passwords. [know Ophcrack as a spoiler answer] |
|
|
Term
|
Definition
| This is probably the most important log from a forensics point of view. It has both successful and unsuccessful login events. [anything about external connections] |
|
|
Term
| SAM (Security Accounts Manager) |
|
Definition
REGISTRY HIVE
HKEY_LOCAL_MACHINE\SAM
SUPPORTING FILES
Sam, Sam.log, Sam.sav |
|
|
Term
|
Definition
The command prompt in Mac OS is a BASH shell
so you can execute Linux commands. |
|
|
Term
|
Definition
The GUID Partition Table is used primarily with computers that have an Intel-based processor. It
requires OS X v10.4 or later. Intel-based Mac OS machines can boot only from drives that use
the GUID Partition Table. |
|
|
Term
Mac OS Logs
The /var/log Log |
|
Definition
| This directory has many logs in it. The /var/log/daily.out contains data on all mounted volumes, including the dates they were mounted. This is very important in cases involving stolen data. You can see what devices have been attached and get data from them. This folder includes data on removable media, including serial numbers. |
|
|
Term
Mac OS Logs
The /var/spool/cups Folder |
|
Definition
| In this folder, you will also find information about printed documents. If you need to know what documents have been printed from this Apple device, this folder can give you that information. This includes the name of the document printed and the user who printed it. |
|
|
Term
Mac OS Logs
The /private/var/audit Logs |
|
Definition
As the name suggests, these are logs of system audits. This includes things like user login. Obviously, this can be very interesting forensically. These audits are often not in a human-readable format. However, Guidance software makes an audit log parser for Mac OS
audit logs, |
|
|
Term
Mac OS Logs
The /private/var/VM Folder |
|
Definition
This folder contains swap and sleep image files. If you hibernate your Mac, this directory will
usually occupy more than 5 gigabytes of disk space. This can be a source of important forensic
data. |
|
|
Term
Mac OS Logs
The /Library/Receipts Folder |
|
Definition
| This folder contains information about system and software updates. This might be of some interest in investigating malware crimes. |
|
|
Term
Mac OS Logs
/Library/Mobile Documents |
|
Definition
This folder is what syncs with iCloud. This is where you will find items that have been saved to
iCloud. It should be quite clear that this can be very interesting forensically. |
|
|
Term
Mac OS Logs
The /Users/<user>/.bash_history Log |
|
Definition
| As you know, Mac OS is based on FreeBSD, a Unix variant. When you launch the terminal window, what you actually get is a BASH shell. So this particular log can be very interesting. It will show you a variety of commands. You might look for commands such as rm, which would be removing or deleting something, or commands like dd, indicating the user might have tried to make an image of the drive. |
|
|
Term
|
Definition
|
|
Term
Mac OS Logs
The var/vm Folder |
|
Definition
In this folder, you will find a subfolder named app profile. This will contain lists of recently
opened applications as well as temporary data used by applications. Both of these can be very
interesting in a forensic examination. |
|
|
Term
Mac OS Logs
The /Users/ Directory |
|
Definition
This is where various users’ files are stored. It is always a good idea to check in this directory to
find out if users have saved data here that could be used as evidence. |
|
|
Term
Mac OS Logs
The /Users/<user>/Library/Preferences Folder |
|
Definition
As you probably suspect, this folder contains user preferences. This folder even maintains the
preferences of programs that have been deleted. This could be a very valuable place to get
clues about programs that have been deleted from the system. |
|
|
Term
| The /etc Directory (Mac OS) |
|
Definition
| Just as in Linux, this is where configuration files are located. Obviously, configuration files can be quite interesting in a forensic investigation. It is often true that cybercriminals like to adjust the system’s configuration. Sometimes this is done in order to facilitate the criminal’s return to the system later. |
|
|
Term
| Can You Undelete in Mac OS? |
|
Definition
Recall that in Windows systems, deleting actually just removes a file from the master file table
(MFT) or file allocation table (FAT) and marks those clusters as available. The file’s data is still
there and can be recovered. What happens when a file is deleted on an HFS or HFS+ volume?
Although the details are a bit different, a similar thing occurs. The references to the file are gone
and the clusters might be used and overwritten. But, depending on how soon after the deletion
you attempt to recover data, you may be able to recover some or all of the data. Even if the data
is overwritten, data may still exist in unallocated space and in index nodes. When a file is
deleted in Mac OS, it is moved to the Trash folder—much like the Recycle Bin in Windows. The
Trash is represented on the file system as a hidden folder, .Trash, on the root directory of the file
system. |
|
|
Term
|
Definition
Data Doctor—This product recovers all Inbox and Outbox data and all contacts data, and has
an easy-to-use interface. Most important, it has a free trial version, but there is a cost for the full
version. [know this as a spoiler answer] |
|
|
Term
Forensics for a Windows 10 phone is done in much the same way as forensics for a Windows
10 PC or laptop is done. |
|
Definition
| Forensic Toolkit and EnCase can both image a phone for you |
|
|
Term
|
Definition
| breaking an iPhone passcode |
|
|
Term
|
Definition
| When a file is deleted on the iPhone, iPad, or iPod, it is actually moved to the .Trashes\501 folder. Essentially, the data is still there until it is overwritten, so recently deleted files can be retrieved. |
|
|
Term
|
Definition
Pwnage—This utility allows you to unlock a locked iPod Touch and is available from
https://pwnage.com/. [know it as a spoiler answer] |
|
|
Term
|
Definition
.pst (Outlook)
.ost (Offline Outlook Storage)
.mbx or .dbx (Outlook Express)
.mbx (Eudora)
.emi (common to several email clients) |
|
|
Term
| File Extensions associated to Email server Software |
|
Definition
Exchange Server (.edb)
Exchange Public Folders (pub.edb)
Exchange Private Folders (priv.edb)
|
|
|
Term
|
Definition
|
|
Term
| How does windows store passwords? |
|
Definition
| Encrypted copy or hash? *Hash. |
|
|
Term
| The Fourth Amendment to the U.S. Constitution |
|
Definition
| If an email message resides on a sender’s or recipient’s computer or other device, the Fourth Amendment to the U.S. Constitution and state requirements govern the seizure and collection of the message. Determine whether the person on whose computer the evidence resides has a reasonable expectation of privacy on that computer. The Fourth Amendment requires a search warrant or one of the recognized exceptions to the search warrant requirements, such as consent from the device owner. |
|
|
