Shared Flashcard Set

Details

EC-Council CHFI certification
201
Computer Science
Professional
12/01/2014

Cards

Term
Innocent Images National Initiative (IINI) was developed by:
Definition
Innocent Images National Initiative (IINI) was developed by the FBI as part of its Cybercrimes Program for the purpose of identifying, investigating and prosecuting those who use computers for child sexual exploitation and child pornography.
Term
The Department of Justice created ICAC and PSC.

Internet Crimes Against Children (ICAC) is
Definition
Internet Crimes Against Children (ICAC) is a network of regional task forces to provide federal assistance to state and local law enforcement so they could better investigate computer and internet-based crimes that sexually exploit children.
Term
The Department of Justice created ICAC and PSC.



Project Safe Childhood (PSC) is
Definition
Project Safe Childhood (PSC) is an initiative developed to provide a coordinated effort in combating child porn. It strives to help local communities create programs to investigate child exploitation and identify and rescue victims.
Term
Anti-Child porn.org is
Definition
a volunteer organization focused on issues related to child porn.

Reference: Kleiman, D., et al. (2007). The Official CHFI Exam 312-49. Burlington, MA: Syngress Publishing, Inc. pp. 781-783.
Term
What are the FRE Article VII rules of evidence?
Definition
In the U.S, Congress adopted the Federal Rules of Evidence as a set of standards that determine how evidence is presented and deemed admissible in court.
Article VII deals with opinions and expert testimony:
Rule 701 - Opinion Testimony by Lay Witness
Rule 702 - Testimony by Experts
Rule 703 - Basis of Opinion Testimony by Experts
Rule 704 - Opinion on Ultimate Issue
Rule 705 - Disclosure of Facts or Data Underlying Expert Opinion
Rule 706 - Court Appointed Experts
Term
Rule 701. Opinion Testimony by Lay Witnesses
Definition
Rule 701. Opinion Testimony by Lay Witnesses
If a witness is not testifying as an expert, testimony in the form of an opinion is limited to one that is:
(a) rationally based on the witness’s perception;
(b) helpful to clearly understanding the witness’s testimony or to determining a fact in issue; and
(c) not based on scientific, technical, or other specialized knowledge within the scope of Rule 702.
(Legislative History Links: Pub. L. 93-595, Jan. 2, 1975; Mar. 2, 1987, eff. Oct. 1, 1987; Apr. 17, 2000,
eff. Dec. 1, 2000; Apr. 26, 2011, eff. Dec. 1, 2011.)
http://federalevidence.com/downloads/rules.of.evidence.pdf
Term

Rule 702. Testimony by Expert Witnesses

VERY IMPORTANT REVIEW ON TEST DAY

Definition

Rule 702. Testimony by Expert Witnesses
A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:
(a) the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
(b) the testimony is based on sufficient facts or data;
(c) the testimony is the product of reliable principles and methods; and
(d) the expert has reliably applied the principles and methods to the facts of the case.
(Legislative History Links: Pub. L. 93-595, Jan. 2, 1975; Apr. 17, 2000, eff. Dec. 1, 2000; Apr. 26, 2011, eff. Dec. 1, 2011.)

http://federalevidence.com/downloads/rules.of.evidence.pdf

Term

Rule 703. Bases of an Expert’s Opinion Testimony

VERY IMPORTANT REVIEW ON TEST DAY

 

Definition

Rule 703. Bases of an Expert’s Opinion Testimony

An expert may base an opinion on facts or data in the case that the expert has been made aware of or personally observed. If experts in the particular field would reasonably rely on those kinds of facts or data in forming an opinion on the subject, they need not be admissible for the opinion to be admitted. But if the facts or data would otherwise be inadmissible, the proponent of the opinion may disclose them to the jury only if their probative value in helping the jury evaluate the opinion substantially outweighs their prejudicial effect.

(Legislative History Links: Pub. L. 93-595, Jan. 2, 1975; Mar. 2, 1987, eff. Oct. 1, 1987; Apr. 17, 2000, eff. Dec. 1, 2000; Apr. 26, 2011, eff. Dec. 1, 2011.)
http://federalevidence.com/downloads/rules.of.evidence.pdf

Term
Rule 704. Opinion on an Ultimate Issue
Definition

Rule 704. Opinion on an Ultimate Issue

(a) In General — Not Automatically Objectionable. An opinion is not objectionable just because it embraces an ultimate issue.

(b) Exception. In a criminal case, an expert witness must not state an opinion about whether the defendant did or did not have a mental state or condition that constitutes an element of the crime charged or of a defense. Those matters are for the trier of fact alone.

(Legislative History Links: Pub. L. 93-595, Jan. 2, 1975; Pub. L. 98-473, Sept. 12, 1994; Apr. 26, 2011, eff. Dec. 1, 2011.)

Term
Rule 705. Disclosing the Facts or Data Underlying an Expert’s Opinion
Definition

Rule 705. Disclosing the Facts or Data Underlying an Expert’s Opinion

Unless the court orders otherwise, an expert may state an opinion — and give the reasons for it — without first testifying to the underlying facts or data. But the expert may be required to disclose those facts or data on cross-examination.

(Legislative History Links: Pub. L. 93-595, Jan. 2, 1975; Mar. 2, 1987, eff. Oct. 1, 1987; Apr. 29, 1994, eff. Dec. 1, 1994; Apr. 26, 2011, eff. Dec. 1, 2011.)

Term

Rule 706. Court-Appointed Expert Witnesses

 

 

Definition

Rule 706. Court-Appointed Expert Witnesses

(a) Appointment Process. On a party’s motion or on its own, the court may order the parties to show cause why expert witnesses should not be appointed and may ask the parties to submit nominations. The court may appoint any expert that the parties agree on and any of its own choosing. But the court may only appoint someone who consents to act.

(b) Expert’s Role. The court must inform the expert of the expert’s duties. The court may do so in writing and have a copy filed with the clerk or may do so orally at a conference in which the parties have an opportunity to participate. The expert:
(1) must advise the parties of any findings the expert makes;
(2) may be deposed by any party;
(3) may be called to testify by the court or any party; and
(4) may be cross-examined by any party, including the party that called the expert.

(c) Compensation. The expert is entitled to a reasonable compensation, as set by the court. The compensation is payable as follows:
(1) in a criminal case or in a civil case involving just compensation under the Fifth Amendment, from any funds that are provided by law; and
(2) in any other civil case, by the parties in the proportion and at the time that the court directs — and the compensation is then charged like other costs.

(d) Disclosing the Appointment to the Jury. The court may authorize disclosure to the jury that the court appointed the expert.

(e) Parties’ Choice of Their Own Experts. This rule does not limit a party in calling its own experts.

(Legislative History Links: Pub. L. 93-595, Jan. 2, 1975; Apr. 17, 2000, eff. Dec. 1, 2000; Apr. 26, 2011, eff. Dec. 1, 2011.)

Term

Admissibility of Evidence:

DO NOT confuse FRE Rule 401 with the Frye Standard...

Definition

Rule 401: (the relevancy test) addresses the RELEVANCE of evidence to a TRIAL

 

Frye Standard: (the general acceptance test) addresses the ACCEPTABILITY of TECHNIQUES in obtaining evidence or information

Term

Admissibility of Evidence:

evidence must be C.R.M 

 

Definition

competent: reliable/credible

relevant: tend to prove a fact of the case

material: substantiate an issue in question in the case

and

in the USA evidence must be obtained legally

Term
Choose USA sexual harassment laws: 
Definition
Equal Protection Clause of the 14th Amendment 

Civil Rights Act of 1991 

1964 Civil Rights Act, Title VII 
Term
What is the difference between an evidentiary and an expert witness?
Definition
Evidentiary witness is limited to presenting facts of the case 

Expert witness can testify as an evidentiary witness and also give opinions based on scientific, technical or other expert knowledge 

The Rules of Evidence provide a framework of what a witness can and cannot discuss 
Term
File types for Linux are: 
Definition
File types for Linux are: 

d - directory 

- - regular file 

c - character 

b - block 

s - Unix domain socket 

p - named pipe 

l - symbolic link 
Term

Application Password crackers

Windows password recovery tools 

Definition
Windows password recovery tools 
- Windows XP/2000/NT Key Generator - resets the domain administrator password for Active Directory 
- ERD Commander 2005 - boots systems into a Windows-like repair environment giving complete control over the system 
- Active@ Password Changer - DOS-based solution for resetting local administrator and user passwords in XP, Vista, 2003, 2000 and NT 
- Cain & Abel 
- LCP 
- SID&USER 
- ophcrack - uses rainbow tables 
- RockXP 
- Magical Jelly Bean Keyfinder 
Term

Application Password Crackers

Office 

Definition
Office 

- Advanced Office XP Password Recovery - Microsoft Office 
- Word Password Recovery Master 
- Office Password Recovery Toolbox 
- Passware Kit - 25 password recovery programs 
- PstPassword - Outlook 
- Access PassView - Microsoft Access 

Term
Application password crackers
Definition
Other 
- Advanced ZIP password recovery - zip file passwords 
- PicoZip Recovery - zip file passwords 
- PDF Password Crackers - pdf file passwords 
- Default Password Databases 
- Dialupass - dial-up passwords 
- Database Sleuth 

Network Password Recovery - network passwords 
- SniffPass - captures passwords that pass through the network adapter (POP3, IMAP4, SMTP, FTP, HTTP) 

- Asterisk Key - reveals asterisks that hide passwords 
- Asterisk Logger - reveals asterisks that hide passwords 
- Password Spectator - reveals asterisks that hide passwords 

Linux 
- John the Ripper 
- DJohn 

Unix 
- Crack 

HTTP, POP3, FTP, Telnet 
- Brutus 

Email, Instant Messaging... 
- Mail PassView - email 
- Messenger Key - instant messaging 
- MessenPass 
- Mail Recovery 
Term
Which statement is used to see the contents of the MBR?

dd if=/dev/hda bs=16065b | netcat targethost-IP 1234

dd if=/dev/hda of=mbr.bin bs=512 count=1

dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc
Definition

dd if=/dev/hda of=mbr.bin bs=512 count=1 

used to see contents of the master boot record. Must be run as root. Reads the first 512 bytes from /dev/hda (the first IDE drive) and writes them to a file named mbr.bin 


Reference: EC Council Press. (2010). Computer Forensics: Investigating Data and Image Files, 1st Edition. Clifton Park, NY: Cengage Learning. P. 2-4 and 2-5.

Term
Which statement is used to partition an image on another machine?

netcat -l -p 1234 | dd of=/dev/hdc bs=16065b

dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror

dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc
Definition
netcat -l -p 1234 | dd of=/dev/hdc bs=16065b 

used to partition an image on another machine. Run on the target machine 
Term
What are types of search warrants? Select the most comprehensive answer.
Electronic storage device search warrant

Service provider search warrant and electronic storage device search warrant

Service provider search warrant
Definition

Service provider search warrant and electronic storage device search warrant 

 

Electronic storage device search warrant allows for search and seizure of computer components such as hardware, software, storage devices and documentation 

Service provider search warrant allows the first responder to get information such as service records, billing records and subscriber information if the crime is committed through the internet. 

Term
What is the best way to deal with powered-off computers?
Definition
Do not change the state of any electronic device. Leave the computer off
Term
What is the best way to deal with powered-on computers?
Definition

Do not change the state of any electronic device.

Leave the computer on, unplug the network cable and photograph the screen 

Term
What techniques can be used to detect wireless access points?
CHOOSE ONE

Manual detection, active wireless scanning, passive wireless scanning, Nessus vulnerability scanning

Manual detection, Nessus vulnerability scanning

Active and passive wireless scanning
Definition
Manual detection - physically visit the area where a WAP is likely to be and use wardriving techniques to attempt to detect the rogue access point 

Active wireless scanning technique - broadcasting a probe message and waiting for a response from devices in the range 

Passive wireless scanning technique - identifies the presence of any wireless communication to identify active WAP connections 

Nessus vulnerability scanner 
Term
DNS Cache Poisoning : One way to _______ a host,
DNS cache stores _______of websites recently _______.
Definition
DNS Cache Poisoning 
One way to misdirect a host is DNS cache poisoning. The DNS cache stores IP addresses of websites recently resolved. It is possible for a hacker to insert fake mappings into a DNS server by using a buffer overflow or other means. The SOA record tells how long the DNS cache poisoning will last. 

In order to make the DNS server secure from the DNS cache poisoning attack, enable DNS socket pool on the DNS server. The socket pool makes cache poisoning attacks more difficult because an attacker must correctly guess the source port of a DNS query in addition to a random transaction ID to successfully execute the attack. The DNS socket pool enables a DNS server to use source port randomization when issuing DNS queries. This provides enhanced security against cache poisoning attacks. 
Term
Address Resolution Protocol (ARP) Spoofing
ARP spoofing is also known as ARP cache poisoning or ARP poison routing. It is a technique used to
Definition

ARP spoofing is also known as ARP cache poisoning or ARP poison routing. It is a technique used to attack a local-area network. ARP spoofing can allow an attacker to intercept data and modify or halt network traffic. ARP spoofing can be used to attack an Ethernet wired or wireless network. 

 

During normal functioning, ARP sends a broadcast with the IP address asking for the associated MAC address. A host having said IP address replies with its MAC address. Thus the ARP cache gains an entry matching IP address with MAC address. 

 

During ARP spoofing or ARP poisoning, ARP sends the same broadcast but an attacker replies with fake MAC address. Now the ARP cache has a false entry and all communication from the host will go to the fake MAC address 

 

One defense against ARP spoofing is placing static ARP entries on servers, workstations, and routers using the ARPWALL system. 

Term
The most common way to use this command is with
-ano switches or -r switch.

CHOOSE ONE:

Netcat

Netstat

Nmap
Definition

netstat -ano

displays TCP and UDP network connections, the listening ports and process identifiers (PID) using those network connections 

netstat -r

displays the routing table 

Term
Which of the statements is true about the Mac OS?

CHOOSE ONE:

Based on BSD Darwin engine

Startup items in /System/Library/StartupItems or /Library/StartupItems

uses .hidden to maintain a list of hidden files

All of the Above
Definition
All of the Above
Term
What three things does the Mac OS X depend on?
CHOOSE ONE:

*Open firmware, boot loader, typical Mac OS X boot sequence

*Proprietary firmware, boot loader, boot sequence

*BIOS, boot loader, autoexec.bat
Definition

Open firmware, boot loader, typical Mac OS X boot sequence :


Open Firmware is a nonproprietary platform-independent boot firmware similar to PC BIOS.

It is stored in ROM and is the first program executed at power up.

Press Command-Option-O-F 

Term
What are two ways to display Open Firmware?

CHOOSE ONE

F8 or telnet

Command-Option-O-F or telnet

Apple key or telnet
Definition

Command-Option-O-F or telnet 

 

Reference: EC Council Press. (2010). Computer Forensics: Hard Disk and Operating Systems, 1st Edition. Clifton Park, NY: Cengage Learning. P. 3-12.

Term
Which statement is true about BootX?

CHOOSE ONE

BootX is the default boot loader for Mac OS X

BootX cannot load kernels from HFS+, HFS, UFS, ext2 or TFTP

BootX is similar to BIOS
Definition

BootX is the default boot loader for Mac OS X.

BootX can load kernels from HFS+, HFS, UFS, ext2 or TFTP 

Term
What is the difference between big endian and little endian?
Definition

A big-endian machine stores the most significant byte first.

A little-endian machine stores the least significant byte first.

Term
Mac OS X boot process

- BootX ...?
- Kernel...?
- Mac OS X desktop is loaded with login window by default
Definition

Mac OS X boot process 

- BootX initializes Open Firmware 
- BootX creates a pseudodevice called sl_words (secondary loader) 
- BootX looks up device options properties (little endian, real mode...) 
- BootX looks up the chosen device handles 
- BootX initializes handles to memory, keyboard, display 
- BootX checks the security mode 
- BootX finds the kernel and constructs the path to the kernel 
- BootX draws Apple logo splash screen 
- BootX decodes the kernel 
- BootX saves the file system cache data and sets up various boot arguments 
- Kernel executes 
- Kernel determines the root device 
- Kernel initializes BSD data structures, I/O kit 
- Kernel starts /sbin/mach_init which maintains mappings between service names and Mach ports that provide those services 
- Mac OS X desktop is loaded with login window by default 

Term
WHICH type of DoS attack sends ICMP echo packets with spoofed source address.


Fraggle ?

Smurf ?

Land ?
Definition
Smurf attack sends ICMP packets with spoofed source addresses 
Term
In WHICH type of DoS attack does the attacker send a large amount of UDP echo request traffic to the IP broadcast addresses?

Fraggle ?

Smurf ?

Land ?
Definition
In a fraggle DoS attack, the attacker sends a large amount of UDP echo request traffic to the IP broadcast addresses 
Term
In which type of DoS attack does the attacker fragment the ICMP packet in such a manner that the target computer cannot reassemble it?

Teardrop ?

Jolt ?

Reflective DDoS?
Definition
In a Jolt attack the attacker fragments the ICMP packet in such a manner that the target computer cannot reassemble it. 
Term
In which type of DDoS do the attacks usually spoof the originating IP addresses and send the requests at reflectors?

Teardrop ?

Jolt ?

Reflective DDoS ?
Definition

Reflective DDoS,

the attacks usually spoof the originating IP addresses and send the requests at reflectors. 

Term

This type of DoS attack involves sending a spoofed TCP SYN packet to an open port with the host IP address as both source and destination. This causes the host to reply to itself continuously:

 

Fraggle?

Smurf?

Land?

Definition
Land attack involves sending a spoofed TCP SYN packet to an open port with the host IP address as both source and destination. This causes the host to reply to itself continuously 
Term

What type of virus can redirect the disk head to read another sector?

 

Definition
A stealth virus is a virus that can redirect the disk head to read another sector 
Term
What type of virus first infects files, and then works as a boot sector virus. It ultimately changes the Master Boot Record (MBR) of the hard disk. Once the boot sector is infected, the virus loads into memory and begins to infect all the program files.
Definition
A multipartite virus first infects files, and then works as a boot sector virus. It ultimately changes the Master Boot Record (MBR) of the hard disk. Once the boot sector is infected, the virus loads into memory and begins to infect all the program files. 
Term
What type of scan sends a SYN flag, receives an SYN/ACK then sends a RST?
Definition
The SYN scan creates a half-open TCP/IP connection. An attacker uses a SYN scan to determine the status of ports on the remote target. SYN scanning is the most common type of port scanning that is used because of its enormous advantages and few drawbacks. As a result, novice attackers tend to overly rely on the SYN scan while performing system reconnaissance.
Term

What type of scan sends FIN, URG, PSH flags?

XMAS ?

 

FIN ?

 

Half-open ?

Definition

XMAS scan sends FIN, URG, PSH 

 

http://nmap.org/book/man-port-scanning-techniques.html

Term

Which nmap scan is a slow scan to avoid detection?

 

nmap -sS -PT -PI -O -T1 122.13.145.15 

 

nmap -sP 10.1.2.0/24 

 

nmap -sS -O www.somewebsite.com/24 

Definition
nmap -sS -PT -PI -O -T1 122.13.145.15 

slow scan to avoid detection 
Term

Which netcat command is an example of port scanning?

 

nc -l -p port_number > /test/outfile.txt

 

nc www.targethost.com 80

 

nc -v -z target port-range

Definition
nc -l -p port_number > /test/outfile.txt 
Term

Which command provides a history of commands?

 

Doskey /history 

 

Dos - history 

 

Ls - history 

Definition

Doskey /history


prints recent commands 

Term

Which port does SSL typically use?

 

 

Definition

Secure Sockets Layer typically runs on port 443 



Term

Which port does SMB typically use?

 

SMB on port ?

Definition
SMB on port 445 
Term
How many keys does asymmetric encryption have?
Definition

two keys:

 

Asymmetric encryption has a public key and a private key 

Term

Which key is used to encrypt an email to be sent....in asymmetric encryption?

 

 

 

Definition


• The recipient’s public key encrypts the message

E-mail digital signatures

• The sender’s private key encrypts (or signs) a hash of the message.
• The sender’s public key decrypts the hash of the message.

E-mail encryption

• The recipient’s public key encrypts the message.
• The recipient’s private key decrypts the message.

It's important to realize that these are two completely separate operations. An email can be encrypted only, digitally signed only, or encrypted and digitally signed.

• If the public key encrypts information, only the matching private key can decrypt the same information.
• If the private key encrypts information, only the matching public key can decrypt the same information.
• Private keys are always kept private and never shared.
• Public keys are freely shared by embedding them in a certificate.

A certificate authority (CA) vouches for the certificate (and in turn for the public key).



 

Term

Which encryption algorithm is streaming?

 

FISH 

 

AES 

 

DES 

Definition

FISH swim in a stream..... FISH = streaming

FISH (FIbonacci SHrinking) is a stream cipher.

AES (Advanced Encryption Standard) is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. [http://en.wikipedia.org/wiki/Advanced_Encryption_Standard] 

DES is the predecessor of AES. 

Term
what port does Tini use?
Definition
Port 7777 is the correct port for Tini, reference here: http://www.ntsecurity.nu/toolbox/tini/
Term
What is computer forensics?
Definition

Preservation, identification, extraction, interpretation and documentation of computer evidence.

PIE-ID 

Term
Computer forensics includes:  WHICH ?

- Rules of evidence 

- Legal processes 

- Integrity of evidence 

- Factual reporting of information found 

- Expert opinion about findings presented in a court of law, or other legal or administrative hearing
Definition
ALL!
Term
Which event was instrumental to the evolution of computer forensics?
Definition
1888: Francis Galton made first recorded study of fingerprints to catch potential criminals 
Term
Which event was instrumental to the evolution of computer forensics?
Definition
1893: Hans Gross was first to apply science to criminal investigation. 
Term
Which event was instrumental to the evolution of computer forensics?  1915 Leone Lattes was first to 
Definition

Leone Lattes was first to use blood groupings to connect criminal to crime.

Term
Which event was instrumental to the evolution of computer forensics?  1910: Albert Osborn was first to 
Definition
Albert Osborn was first to develop a methodology for documenting evidence during the examination process. 
Term

Which event was instrumental to the evolution of computer forensics?


1925: Calvin Goddard was first to 

Definition

1925: Calvin Goddard was first to make use of bullet comparisons. 

Term
Which event was instrumental to the evolution of computer forensics?

1932: FBI set up a...

Definition
1932: FBI set up a... forensic services laboratory for field agents and law authorities. 
Term

Which event was instrumental to the evolution of computer forensics?

 

1984: (CART) was developed:

Definition
1984: (CART) was developed: Computer Analysis & Response Team 
Term

Which event was instrumental to the evolution of computer forensics?

1993: first international conference on computer evidence was held in.... 

Definition
held in USA. 
Term

Which one is NOT an objective of computer forensics?

 

To recover, analyze, and preserve computer related materials in a manner so they can be presented as evidence in a court of law

 

To identify the evidence quickly, estimate the malicious impact on the victim, and determine the intent and identity of the perpetrator

 

To recover and identify the evidence quickly

Definition

NOT :To recover and identify the evidence quickly

 


 

Recovering and identifying evidence quickly is not a primary objective of computer forensics. Working too quickly can lead to mistakes that might compromise the evidence. 


There are two objectives of computer forensics: 

- Recover, analyze, and preserve computer related materials in a manner so they can be presented as evidence in a court of law 

- Identify the evidence quickly, estimate the malicious impact on the victim, and determine the intent and identity of the perpetrator 

Term
What is forensic readiness?
Definition
Organization has specific incident response procedures and designated trained personnel assigned to handle any investigation
Term

Which item is NOT part of forensic readiness planning?

Define business scenarios that require collection of digital evidence

 

Identify potential available evidence

 

Identify crime scene

 

Determine evidence collection requirements

 

Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice

 

Establish a policy for securely handling and storing collected evidence

Definition

Identifying a crime scene is not part of forensic readiness planning. Forensic readiness planning includes: 

- Define business scenarios that require collection of digital evidence 

- Identify potential available evidence 

- Determine evidence collection requirements 

- Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice 

- Establish a policy for securely handling and storing collected evidence 

Term

Which item is NOT part of forensic readiness planning?

Develop a plan to investigate team members

 

Develop a plan to make sure investigative team members are properly trained

 

Develop a process for step-by-step documentation of all activities performed during examination of evidence and the impact of said activities

 

Determine evidence collection requirements

 

Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice

 

Establish a policy for securely handling and storing collected evidence

Definition

Developing a plan to investigate team members is not part of forensic readiness planning. The following are part of forensic readiness planning: 

- Develop a plan to make sure investigative team members are properly trained 

- Develop a process for step-by-step documentation of all activities performed during examination of evidence and the impact of said activities 

- Determine evidence collection requirements 

- Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice 

- Establish a policy for securely handling and storing collected evidence 

Term

What is the definition of cybercrime?

Cybercrime means any illegal act that involves a computer or the systems and applications associated with it?

 

Cybercrime is the same as identity theft?

 

Cybercrime is any illegal act that involves a criminal using a computer?

Definition
Cybercrime means any illegal act that involves a computer or the systems and applications associated with it
Term
two categories of cybercrime. 
Definition

Tools of crime and Target of crime are two categories of cybercrime. 


Reference: EC Council Press. (2010). Computer Forensics: Investigation Procedures and Response, 1st Edition. ( Page 1-12 ) Clifton Park, NY: Cengage Learning

Term
two modes of attack 
Definition
Insider attack and External attack are two modes of attack 
Term

Computer crimes include all but which of the following?

Fraud via manipulation of computer records

 

Performing vulnerability assessment for a client

 

Spam

 

Deliberate avoidance of computer security systems

 

Unauthorized access

 

Unauthorized modification of software

Definition
Performing vulnerability assessment for a client with permission is NOT a computer crime. Computer crimes include: 

- Fraud via manipulation of computer records 

- Performing vulnerability assessment for a client 

- Spam 

- Deliberate avoidance of computer security systems 

- Unauthorized access 

- Unauthorized modification of software
Term

CHFI v8.0 Training Course Outline
Module 01: Computer Forensics in Today’s World
Module 02: Computer Forensics Investigation Process
Module 03: Searching and Seizing Computers
Module 04: Digital Evidence
Module 05: First Responder Procedures
Module 06: Computer Forensics Lab
Module 07: Understanding Hard Disks and File Systems
Module 08: Windows Forensics
Module 09: Data Acquisition and Duplication
Module 10: Recovering Deleted Files and Partitions
Module 11: Using AccessData FTK
Module 12: Using EnCase
Module 13: Steganography and Image File Forensics
Module 14: Application Password Crackers
Module 15: Log Capturing and Event Correlation
Module 16: Network Forensics, Investigating Logs and Investigating Network Traffic
Module 17: Wireless Attacks
Module 18: Web Attacks
Module 19: Emails
Module 20: Mobile
Module 21: Investigative Reports
Module 22: Expert Witness

Definition
Term

Authorized penetration testing is NOT a computer crime. Computer crimes include: 

Definition


- Intellectual property theft 

- Industrial espionage by means of access to the computer 

- Identity theft 

- Spreading viruses or worms 

- Authorized penetration testing 

- Denial of Service or DDoS 

Term

What is cybercrime investigation:

 

Collecting clues and forensic evidence about a cybercrime?

 

Securing the crime scene?

 

Disassembling a computer and carefully packaging the hard drive for further investigation?

Definition
Collecting clues and forensic evidence about a cybercrime
Term

When does the investigation begin:

 

When the police arrive?

 

When the crime scene technician arrives?

 

When the crime is suspected?

Definition
When the crime is suspected
Term

What occurs immediately after the investigation begins?

 

Immediate response to preliminary evidence including photographing the scene and marking evidence?

 

Immediately determine the damage from the crime?

 

Immediately call the police?

Definition
Immediately after the investigation begins, collect preliminary evidence including photographing the scene and marking evidence 
Term
When is a search warrant NOT required?
Definition
A search warrant is not required when law enforcement witnesses the crime 
Term
The proper order for response to a crime by first responders: 
Definition

This is the proper order for response to a crime by first responders: 

1. Begin investigation the moment a crime is suspected

2. Response to preliminary evidence by photographing the scene and marking evidence 

3. Obtain search warrant, if needed 

4. Follow first responder procedures 

5. Seize evidence at the crime scene, then safely number and secure it 

6. Transport evidence to forensic laboratory 

7. Make two bit-stream copies of evidence 

8. Generate a checksum (generally MD5) on the bit-stream images 

9. Prepare chain of custody 

10. Store the original disk so that time stamps and evidence remain intact 

11. Use image copy to analyze the evidence 

12. Prepare a forensic report describing the forensic method and recovery tools 

13. Submit the forensic report 

14. Testify as expert witness, if needed 

Term
How many bit-stream copies are made of the original evidence?
Definition
Two copies are made of the original evidence using two different software packages. 
Term
Which copy is analyzed, the original or the bit-stream?
Definition
The bit-stream copy is analyzed. The original is stored in a safe location so no one can tamper with it. Initially, two copies are made. Then, if the first bit-stream copy is damaged, the second copy can be used. If the second copy is damaged then another copy can be made from the original. 
Term

What is part of the role of a forensics investigator?

Recover data

 

Determine damage from crime

 

Gather evidence based on forensic guidelines

 

Protect evidence

 

All of the above

Definition

All of the above

The role of a forensics investigator is to: 

- Recover data 

- Determine damage from crime 

- Gather evidence based on forensic guidelines 

- Protect evidence 

- Create images of original evidence 

- Guide officials in managing investigation 

- Reconstruct damaged media 

- Analyze data and prepare report 

- Address the issues in court, if necessary. May act as expert witness. 

Term
There are two associations that can help forensics investigators:
Definition
There is much information on the internet to assist forensics investigators. Two helpful associations are: 

- Computer Technology Investigators Network - http://www.ctin.org/ 

- High Technology Crime Investigators Association - http://www.htcia.org/ 
Term

What is the role of digital evidence in forensic investigation?

 

Provide material for investigative report in lawsuit?

 

Provide clues to identify the criminal?

 

Support expert witness testimony?

Definition
The role of digital evidence in forensic investigation is to provide clues to identify the criminal
Term

Which of the following is NOT part of corporate investigation?

 

Business must continue during the forensic investigation

 

Generally address policy violations or legal disputes

 

May address wrongful termination

 

Must carefully follow government regulations

 

May address industrial espionage

Definition

Following government regulations is not the primary part of corporate investigation although corporations must adhere to appropriate government regulations. Corporate investigation is generally looking into the following: 

- Business must continue during the forensic investigation 

- Generally address policy violations or legal disputes 

- May address wrongful termination 

- Must carefully follow government regulations 

- May address industrial espionage 

Term

What is generally part of corporate investigation?

 

Definition

Email harassment

 

Falsification of information

 

Embezzlement

 

Fraud

 

Corporate sabotage

 

 

Term
A good investigative report includes: 
Definition

Router settings may be too detailed for an investigative report 

IDS/IPS may be too detailed for an investigative report. 

A good investigative report includes: 

- Methods of investigation 

- Adequate supporting data 

- Description of data collection techniques 

- Calculations used 

- Error analysis 

- Results and comments 

- Graphs and statistics explaining results 

- References 

- Appendices 

- Acknowledgments 

- Litigation support reports 

Term
FTP - Ports and
SSH - Port
SMTP - Port
SFTP - Port (Simple File Transfer Protocol)
LDAP - Port
SSL - Port
SMB - Port (--- NetBIOS Name Service, --- NetBIOS Datagram Service)
Definition
FTP - Ports 20 and 21
SSH - Port 22
SMTP - Port 25
SFTP - Port 115 (Simple File Transfer Protocol)
LDAP - Port 389
SSL - Port 443
SMB - Port 445 (137 - NetBIOS Name Service, 139 - NetBIOS Datagram Service)
Term
Where is the startup-configuration file for a Cisco router?
ROM ?

RAM ?

NVRAM ?
Definition
Startup-configuration file is in NVRAM
Term
Where is the running-configuration file for a Cisco router?
ROM ?

RAM ?

NVRAM ?
Definition
Running-configuration file is in RAM
Term

Which range of HTTP Status Codes

reveals client error status?

Definition
HTTP Status Codes 100-101 - Informational Status Codes

HTTP Status Codes 200-206 - Successful Status Codes

HTTP Status Codes 300-307 - Redirection Status Codes

HTTP Status Codes 400-416 - Client Error Status Codes

HTTP Status Codes 500-505 - Server Error Status Codes
Term

Which statements are true regarding EFS?

 

Definition

EFS encrypts files stored on Windows 2000, XP Pro and Server 2003. It is NOT designed to protect data in transit from one system to another.

EFS uses symmetric and asymmetric cryptography. 

EFS encryption occurs at the file system level, not the application level. It is transparent to the user and to the application. 

If a folder is marked for encryption, then every file created in or moved to that folder will be encrypted. 

There is no back door. File encryption uses a symmetric key. This symmetric key is then encrypted with an asymmetric public key. 

EFS keys are protected by the user's password. 

EFS-encrypted files do not remain encrypted during transport if saved to or opened from a folder on a remote server. The file is decrypted, traverses the network in plaintext and, if saved to a folder with encryption, is re-encrypted. 

Term
Regarding EnCase:
Definition

EnCase organizes evidence into cases.

Evidence can be viewed in various formats: table, gallery, timeline or report.

Evidence data can be viewed as text, hex or picture.

Term

From which devices can EnCase acquire data?

 

Evidence file (E01), raw image or dd image ?

 

Local Device ?

 

Smartphones?

Definition

Local Device 

 

Smartphones

 

...

Technically, EnCase would not acquire data from a raw image file or evidence file but these can be viewed in EnCase 

Term
EnCase is divided into three* panes. What are the names of these panes?
Definition

Tree - Case information 

Table, Timeline, Gallery 

View - text, hex, picture, fields... 


* a fourth pane is the filter pane

(Computer Crime, Investigation, and the Law

 By Chuck Easttom)



Term
MD5
Definition

MD5 produces a 128-bit hash value.

The size of the hash value (128 bits) is small enough to contemplate a birthday attack.

(SHA-1 produces a 160-bit hash value.)

MD5 is used to check data integrity.

MD5 is typically expressed as a 32-digit hexadecimal number.

MD5 is not collision resistant. As such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property for digital security.


 http://en.wikipedia.org/wiki/MD5

Term
FAT32
Definition

FAT32 is the 32-bit version of the FAT file system that uses smaller clusters, which results in more efficient storage capacity.

It supports drives up to 2 TB. It can relocate the root directory and use the backup copy rather than the default copy. It can dynamically resize a partition. 

Term
What is CMOS?
Definition
Complementary Metal-Oxide Semiconductor (CMOS) is a chip powered by a CMOS battery inside computers that stores information such as the system time and date and system hardware settings. 
Term

File Systems

?- Sun Solaris 
?- Mac OS 
? - iPod sync'd to MAC 
?- iPod sync'd to Windows 
?- Windows 
?- Unix 
? - Linux 

Definition
ZFS - Sun Solaris 
HFS - Mac OS 
HFS+ - iPod sync'd to MAC 
FAT32 - iPod sync'd to Windows 
NTFS - Windows 
UFS - Unix 
ext1, ext2, ext3 - Linux 
Term

Which dd command is used to make a complete physical backup of a hard disk?


 dd if=/dev/?

Definition

 

dd if=/dev/hda of=/dev/case5img1 

 

Term
Which dd command is used to copy one hard disk partition to another hard disk?
Definition
dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror 

Copy one hard disk partition to another hard disk 
Term
What directory is used to store commands needed for system operability?
Definition
/bin - commands needed for minimal system operability 

/dev - devices for terminals, disks... 

/etc - critical startup and configuration files 

/lib - libraries 

/sbin - commands for booting, repairing or recovering the system 
Term
Which dd command is used to make an image of a CD?
Definition
dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc 

Make an image of a CD 
Term

Which dd command is used to copy a floppy?

 

 

 

Definition
dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc 
Term
Which dd command is used to copy RAM memory to a file?
Definition
dd if=/dev/mem of=/home/sam/mem.bin bs=1024 

Used to copy RAM memory to a file 
Term
Which dd command is used to restore a disk partition from an image file?
Definition

 

dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror 

Used to restore a disk partition from an image file 
Term
From largest to smallest what is the platter organization?
Definition

Platter, track, sector 

Each platter has two read-write heads - one on top and one on bottom. Platters are divided into tracks. Tracks are concentric circles that are divided into sectors. Each sector holds 512 bytes. 

 

Clusters are groups of sectors, e.g., a 128-sector cluster would have about 65536 bytes. Clusters are the smallest logical storage units on a hard disk.


Term

The forensics laboratory must have :

 

Definition

office space,

storage for evidentiary materials,

interview facility,

and operational laboratory 

( a vault protects against flood, fire, theft...)


Term
/var is used for ...
Definition


...system-specific data and configuration files.

Reference: Nemeth, E., Snyder, G., and Hein, T. (2002). Linux Administration Handbook. Upper Saddle River, NJ: Prentice Hall PTR. p. 68.

Term

Choose the true statements about SIMPLE:

 

 

 
Definition

Developed by Australian university students using Linux Live CD 

 

Customized kernel and OS so it is impossible to write to the hard disk 

 

SIMPLE launches from a CD 

Term
Which are true about X-Ways Forensics?
Definition
X-Ways Forensics is a work environment including: 

Disk cloning and imaging 

Examining complete directory structure and disk space including slack space 

Viewing and dumping memory including virtual memory 

Support for FAT, NTFS, ext2/3 
Term
Evidor
Definition

Searches text on hard disks and retrieves the context of keyword occurrences on computer media 


 

Examines entire allocated space including swap space, hibernate files and unallocated space on Local hard drives 


Evidor cannot access remote networked hard disks 

 

Term
What are some standard /usr sub-directories?
Definition

Typical /usr sub-directories include: 

bin - support files for programs 

local - software (stuff you install) 

sbin - more commands for system administration and repair 

share - items common to multiple systems 

src - source code for nonlocal software 
(NOT "dev") 


Reference: Nemeth, E., Snyder, G., and Hein, T. (2002). Linux Administration Handbook. Upper Saddle River, NJ: Prentice Hall PTR. p. 68.

Term
Which are true about EasyRecovery?
Definition

Repairs and restores corrupt or inaccessible Microsoft Office and Zip files 

 

Includes EmailRepair 

 

EasyRecovery does not do disk imaging 

Reference: Chapter 13, Official CHFI Study Guide

Term

Which of these statements are true regarding

18 U.S.C. 2318?

Definition

18 U.S.C. 2318 involves trafficking in

counterfeit phone records,

computer programs,

motion pictures,

audio visual works

or computer program documentation 

Term
18 U.S.C. 2319 involves
Definition
trafficking in unauthorized sound recordings and music video of live musical performances
Term
Decipher the results of ls -l. (Choose all that apply)
drwxr-xr-x 27 root root 4096 Apr 15 2012 /usr/include

This is a directory

Owner can read, write and execute files

This is a regular file
Definition
The file type is "d" meaning directory.

The first group of rwx means the owner can read, write and execute files

Reference: Nemeth, E., Snyder, G., and Hein, T. (2002). Linux Administration Handbook. Upper Saddle River, NJ: Prentice Hall PTR. p. 68.
Term
Which of these statements are true regarding 18 U.S.C. 2320?



Unauthorized distribution of computer programs

Trafficking in counterfeit goods

Trafficking in counterfeit services
Definition
18 U.S.C. 2320 involves trafficking in

counterfeit goods
or
services
Term
18 U.S.C. 1832 -applies to

18 U.S.C. 1833 - exceptions to

18 U.S.C. 1834 - applies to
Definition
18 U.S.C. 1832 -applies to theft of trade secrets

18 U.S.C. 1833 - exceptions to prohibitions

18 U.S.C. 1834 - criminal forfeiture
Term
17 U.S.C. 506(c-d) applies to
Definition
17 U.S.C. 506(c-d) applies to fraudulent copyright notice
Term
two laws applicable to cyberstalking

18 U.S.C ?

18 U.S.C. ?
Definition
18 U.S.C. 875 - interstate communications applies to transmitting any communication containing any demand for ransom, threat to kidnap or injure a person

18 U.S.C. 2261A - interstate stalking
Term
Choose all true about the USA PATRIOT Act:

Greater authority to track and intercept communications for law enforcement and foreign intelligence gathering

Made wiretapping illegal

Passed in response to the 9/11 terrorist attacks
Definition
Greater authority to track and intercept communications for law enforcement and foreign intelligence gathering


Passed in response to the 9/11 terrorist attacks
Term
Which pertains to federal information security? (Choose one)

CAN-SPAM

GLB

FISMA
Definition
FISMA

Federal Information Security Management Act requires federal agencies to develop, document and implement an agency-wide program to provide information security

Financial Modernization Act of 1999 (Gramm-Leach-Bliley Act) includes provisions to protect consumers' personal financial information

CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those sending commercial email and gives consumers the right to ask emailers to stop spamming them
Term
Which acts pertain to privacy:

CAN-SPAM ?

PIPEDA ?

Data Protection Act 1998 Section 55 ?
Definition
PIPEDA

Data Protection Act 1998 Section 55
===

Personal Information Protection and Electronic Documents Act

Data Protection Act 1998 Section 55: Unlawful obtaining of personal data
Term
Which statutes are used by the FBI to investigate computer-related crimes? CHOOSE ALL THAT APPLY:

18 U.S.C. 875

18 U.S.C. 1029 and 1030

18 U.S.C. 1343, 1361, 1362

18 U.S.C. 1831 and 1832

FISMA

US Patriot Act
Definition
18 U.S.C. 875

18 U.S.C. 1029 and 1030

18 U.S.C. 1343, 1361, 1362

18 U.S.C. 1831 and 1832
Term
Which statements are true regarding the BIOS password?

BIOS manufacturers do not provide a backup password in case the password is lost

BIOS will lock the system completely if the password is typed wrong three times

The BIOS password for Dell is Dell

The BIOS password for Compaq is centra
Definition

BIOS will lock the system completely if the password is typed wrong three times

The BIOS password for Dell is Dell

====

BIOS manufacturers do provide backdoor passwords in case the BIOS password is lost.

The Dell password is Dell and the Compaq password is Compaq.

The Epox password is central.

BIOS will lock after three invalid password attempts.

Term
What are steps to removing the CMOS battery and why remove it?
Definition

If the CMOS battery is removed and replaced after about 30 minutes, the password will reset itself. 

Turn the computer off and unplug the power cord 

Locate the battery on the motherboard 

Carefully lift the battery from the socket 

Wait 30 minutes and replace the battery 

Reboot the computer and enter BIOS 

Set the default settings, save the settings and start the computer 


Reference: EC Council Press. (2010). Computer Forensics: Investigating Data and Image Files, 1st Edition. Clifton Park, NY: Cengage Learning. P. 7-5 and 7-6.

Term
Which statement is used to partition an image on another machine?

dd if=/dev/hda bs=16065b | netcat targethost-IP 1234

dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror

dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc
Definition
dd if=/dev/hda bs=16065b | netcat targethost-IP 1234 

used to partition an image on another machine. Run on the source machine 
Term
Password recovery tools
Definition

Windows password recovery tools 
- Windows XP/2000/NT Key Generator - resets the domain administrator password for Active Directory 
- ERD Commander 2005 - boots systems into a Windows-like repair environment giving complete control over the system 
- Active@ Password Changer - DOS-based solution for resetting local administrator and user passwords in XP, Vista, 2003, 2000 and NT 
- Cain & Abel 
- LCP 
- SID&USER 
- ophcrack - uses rainbow tables 
- RockXP 
- Magical Jelly Bean Keyfinder 

Office 
- Advanced Office XP Password Recovery - Microsoft Office 
- Word Password Recovery Master 
- Office Password Recovery Toolbox 
- Passware Kit - 25 password recovery programs 
- PstPassword - Outlook 
- Access PassView - Microsoft Access 

Other 
- Advanced ZIP password recovery - zip file passwords
- PicoZip Recovery - zip file passwords 
- PDF Password Crackers - pdf file passwords 
- Default Password Databases 
- Dialupass - dial-up passwords 
- Database Sleuth 

Network Password Recovery - network passwords 
- SniffPass - captures password that pass through the network adapter (POP3, IMAP4, SMTP, FTP, HTTP) 

- Asterisk Key - reveals asterisks that hide passwords 
- Asterisk Logger - reveals asterisks that hide passwords 
- Password Spectator - reveals asterisks that hide passwords 

Linux 
- John the Ripper 
- DJohn 

Unix 
- Crack 

HTTP, POP3, FTP, Telnet 
- Brutus 

Email, Instant Messaging... 
- Mail PassView - email 
- Messenger Key - instant messaging 
- MessenPass 
- Mail Recovery 

Reference: EC Council Press. (2010). Computer Forensics: Hard Disk and Operating Systems, 1st Edition. Clifton Park, NY: Cengage Learning. Chapter 7. 

Term
Which statement is used to see the contents of the MBR?

dd if=/dev/hda bs=16065b | netcat targethost-IP 1234

dd if=/dev/hda of=mbr.bin bs=512 count=1

dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc
Definition
dd if=/dev/hda of=mbr.bin bs=512 count=1 

used to see contents of the master boot record. Must be run as root. Reads the first 512 bytes from /dev/hda (the first IDE drive) and writes them to a file named mbr.bin 
Term

Which statement is used to partition an image on another machine?

netcat -l -p 1234 | dd of=/dev/hdc bs=16065b

 

dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror

 

dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc

Definition

netcat -l -p 1234 | dd of=/dev/hdc bs=16065b 

 

used to partition an image on another machine.

 

Run on the target machine 

 
Term
two types of search warrants
Definition
Electronic storage device search warrant allows for search and seizure of computer components such as hardware, software, storage devices and documentation 

Service provider search warrant allows the first responder to get information such as service records, billing records and subscriber information if the crime is committed through the internet. 
Term

A forensic investigator wants to find some information on a computer running Linux. He wants to find the computer name and version of Linux. Then he wants to list the files in the root directory. Finally, he wants to see protocol information. What commands should he use to accomplish these three tasks?

uname -a 

 

ls -l 

 

netstat -s 

 

dir 

Definition

uname -a

ls -l

netstat -s

can be used to get the required information. 


Reference: EC Council Press. (2010). Computer Forensics: Hard Disk and Operating Systems, 1st Edition. Clifton Park, NY: Cengage Learning. P. 6-2

Term
two Linux boot loaders
Definition
LILO and GRUB are two Linux boot loaders. Details about each are found using 

more /etc/lilo.conf 

more /etc/grub.conf 
Term

A forensic investigator types sfdisk -l 

Part of the output lists four devices: /dev/hda1, /dev/hda2, /dev/hda3, and /dev/hda4 

What is an hda device?

There are four types of partitions in Linux: 

Definition
There are four types of partitions in Linux: 

hda - primary master 

hdb - primary slave 

hdc - secondary master 

hdd - secondary slave 
Term

A forensic investigator types: file CopyInstall.log 

 

What is the response?

  1. ASCII text (if the file is ASCII) .
  2. Length of CopyInstall.log .
  3. ELF 32-bit LSB executable... (if the file is actually an executable) .
Definition

The response is:

  1. ASCII text (if the file is ASCII)
  2. no
  3. ELF 32-bit LSB executable... (if the file is actually an executable)

The file command returns the type of file. Attackers may hide files with names or extensions designed to fool investigators. 

Term

The forensic investigator made a copy of the CopyInstall.log in the root directory and wants to see the contents in hex because he believes this file may not be what it seems. What Linux command line tool could he use?

 

  1. xxd -l CopyInstall.log  
  2. xxd -l CopyInstall.log HexOutput.log  
  3. notepad 
Definition
  1. xxd -l CopyInstall.log  
  2. xxd -l CopyInstall.log HexOutput.log

 

xxd is a command line hex dump tool that can dump hex values to the console or a file.

Term

What is the size of a hard drive having the following: 

 

16384 cylinders/disk 

 

80 heads/cylinder 

 

63 sectors/track 

 

512 bytes/sector

Definition
About 39 GB 

Capacity Calculator 
Term
Computer Forensics: Hard Disk and Operating Systems, 1st Edition. Clifton Park, NY: Cengage Learning. P. 6-9
Definition
Term
rule-based attack
Definition
Term
Network forensics 
Definition
Network forensics is capturing, recording and analysis of network events in order to discover the source of security attacks. 
Term

How does a network intruder enter a system? (Choose all that apply) 

 

Enumeration 

 

Vulnerabilities 

 

Viruses, Trojans, Email infection 

 

Logging on 

 

Router attacks 

 

Password cracking

Definition

 Network intruders can enter a system using the following techniques: 

 

Enumeration yielding topology of network, list of live hosts, network architecture, types of traffic, potential vulnerabilities of host systems 

 

Vulnerabilities 

 

Virus, Trojans, Email infection and other malware 

 

Router attacks 

 

Password cracking 

 

Hint: Take into account that logging on can only be accomplished if the attacker knows the username and password. How would they know this unless they performed some other activity such as social engineering or password cracking first? All other answers are correct. 

Term

What are some pitfalls of network evidence collection?

 

Gaps in evidence 

 

Other nations may be involved creating legal and political challenges 

 

Locating evidence is only local 

 

Logs change rapidly and some information may be lost before permission is granted to analyze the log 

 

Logs may be housed at ISP which requires special permission (such as a search warrant) to view 

 

End-to-end investigation is fairly simple 

Definition

Evidence can be lost quickly during log analysis because logs change rapidly.


There may be gaps in evidence.


Sometimes other nations are involved in the investigation resulting in legal and political issues.


Logs may be ambiguous, incomplete or missing. 

Term
What is required for computer records to be admissible in court of law? 
Definition

Prosecution must present appropriate testimony to show logs are accurate, reliable, fully intact 

 

Witness must authenticate computer records presented as evidence 

Term
Random compliations of data are not admissible. Logs must be kept as a regular business practice. Logs instituted after an incident has commenced ______________ under the business records exception.
Definition
Under the business records exception, logs instituted after an incident has commenced do NOT qualify because they do not reflect customary practice of an organization 
Term

Will record of failures or security breaches on the machine creating logs impeach the evidence?

 

 

Definition

Generally, yes 

 

Failures and security breaches tend to impeach evidence 

Term
Intrusion detection
Definition
Intrusion detection is the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs or audit data
Term

Which three types of logs can be used together to provide more compelling evidence?

 

Router logs 

IDS logs 

TCPDump output 

Firewall logs 

Event logs 

Definition

Firewall logs,

IDS logs

and TCPDump output


can contain evidence of an internet user connecting to a specific server at a given time. 

Term

What causes an IIS log to be suspect?

Full and complete log 

 

Any modification to the log 

 

Carefully implemented log 

Definition
Any modification to the log 
Term

SYSTEM\CurrentControlSet\W32Time\Parameters is part of the registry key used for _______________?

 

Setting time 

 

Loading NTP 

 

Timing logs 

Definition

Loading NTP :

 

Windows time service can be used to synchronize IIS servers by connecting them to external time source. To accomplish this SYSTEM\CurrentControlSet\W32Time\Parameters can be set to NTP. 

Term
Does UTC follow daylight savings time?
Definition
UTC does NOT follow daylight savings time. 
Term
_________ is a process in which many web sites write binary log data.
Definition
Centralized binary logging is a process in which many web sites write binary log data. 
Term

types of IIS logging:


IIS standard logs 


ODBC logging 


System Event log 


Centralized binary logging 

 

IISLogger tool 

Definition

System Event logs are for the operating system.

All other answers are correct. 


IIS standard log, ODBC logging (disables HTTP.sys kernel-mode cache and degrades server performance), centralized binary logging and IISLogger (provides additional functionality on top of IIS standard logging) 

Term

Which of the following statements are true about syslog? 

 

Controlled on per-machine basis with /etc/syslog.conf 

Space key used to define white space 

Local and remote log collection 

Facility, level and action are included 

Audit mechanism used by Linux 

Definition

Controlled on per-machine basis with /etc/syslog.conf  

Local and remote log collection 

Facility, level and action are included 

Audit mechanism used by Linux 


Syslog is the audit mechanism used by Linux.

It permits both local and remote logging. 

Syslog is controlled on a per-machine basis by /etc/syslog.conf. 

Tab key is used to define white space between the selector (left) and the action (right) 

Term
What are the severity levels of syslog? 
Definition

The list of severity Levels:

 

0       Emergency: system is unusable

1       Alert: action must be taken immediately

2       Critical: critical conditions

3       Error: error conditions

4       Warning: warning conditions

5       Notice: normal but significant condition

6       Informational: informational messages

7       Debug: debug-level messages

 

Recommended practice is to use the Notice or Informational level for normal messages.

 

Log is not a syslog level 

Term
Syslog runs on port
Definition
 514 
Term

What files must be changed for remote logging? 

 

/etc/rc.d/init.d/syslog add -r to SYSLOGD_OPTIONS="-m 0 -r" 

 

/etc/sysconfig/syslog add -r to SYSLOGD_OPTIONS="-m 0 -r" 

 

/etc/services files. Syslog 514/udp 

 

/sbin/service syslog restart 

Definition

/etc/rc.d/init.d/syslog add -r to SYSLOGD_OPTIONS="-m 0 -r" 

 

/etc/sysconfig/syslog add -r to SYSLOGD_OPTIONS="-m 0 -r" 

 

/etc/services files. Syslog 514/udp 

 

After the three files have been changed, the administrator must run /sbin/service syslog restart .

Hint: /sbin/service syslog restart is a command not a file. The other three files must be changed before this command can be executed. 

Term
What port does native Windows remote logging run on?
Definition
Windows does not support remote logging. Third-party utilities like NTsyslog are required to enable remote logging in Windows.
Term

Which statements are true regarding NTP? 

 

Network Time Protocol - internet standard protocol built on UDP 

 

Synchronizes clocks on client computers 

 

Fault tolerant and dynamically autoconfiguring 

 

Use UTC time 

Definition

 

all.

 

Technically, NTP runs over UDP or TCP/IP as explained in these references: 

 

http://tools.ietf.org/html/rfc5905 

 

http://en.wikipedia.org/wiki/Network_Time_Protocol 

Term
Which NTP stratum level is most accurate?
Definition
Stratum levels reflect the distance from the reference clock. Stratum-0 is the reference clock so it is the most accurate and has little delay. Stratum-0 servers are not directly used on the network. They connect to computers in stratum-1.
Term
Which are types of MAC address? 
Definition

Static address is the 48-bit unique address programmed by the Ethernet board manufacturer 

 

Configurable address is programmed into the NIC during initial installation then becomes static 

 

Dynamic address is obtained when the computer is powered on. There may be a number of systems having the same address

Term
OSI model has seven layers that use the following to exchange data 


Definition
Application - messages 

Presentation - messages 

Session - messages 

Transport - segments 

Network - packets 

Data Link - frames 

Physical - frames 
Term


HTTP, SMTP, NNTP, Telnet, FTP, SNMP, and TFTP are the main protocols for the Session, Presentation and Application Layers 


UDP and TCP are the main protocols for the Transport layer 

RARP, ICMP, IGMP, IP the main protocols for Network layer 

PPP, SLIP, ARP are the main protocols for the Data Link layer

 

Definition
Term

What regular expression :

is a way to detect Cross-Site Scripting attacks. 

It checks for the opening and closing HTML tags (< and >) and the text between them so it can catch < script > 

Definition
/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix is a way to detect Cross-Site Scripting attacks. 

It checks for the opening and closing HTML tags (< and >) and the text between them so it can catch < script >. The i and x modifiers make the match case-insensitive and allow whitespace in the pattern. 

((\%3C)|<) - checks for the opening angle bracket, literal or URL-encoded 

((\%2F)|\/)* - checks for the optional forward slash 

[a-z0-9\%]+ - checks for the alphanumeric string inside an HTML tag 

((\%3E)|>) - checks for the closing angle bracket 
Term
What can be used to detect cookie poisoning
Definition
Intrusion prevention tools trace the cookie's set command given by the Web server. Then, the intrusion prevention tool catches every HTTP request sent to the web server and compares any cookie information. If an attacker changes the cookie's contents, the replayed cookie will not match the stored cookie.
Term
Nebula (NEtwork-based BUffer overfLow) attack detection detects buffer overflows by monitoring the traffic of the packets into the buffer without making any changes to the end hosts. It uses a signature-based comparison to reduce the number of false positives. 
Definition
Term
Apache server has two logs: 
Definition
error log and access log. 

Error log contains diagnostic information and error messages 

Access log contains requests processed by the Apache server 
Term

Task manager lists running processes. Why does Helix have a viewer for running processes?

Task manager only shows processes in Windows

Task manager loads too slow

Task manager may be corrupt. Helix runs from a CD so it cannot be modified; therefore, it should display an accurate list of current processes

Definition

Task manager may be corrupt. Helix runs from a CD so it cannot be modified; therefore, it should display an accurate list of current processes

Reference: Gleason, B. and Fahey, D. (2006). Helix 1.7 for Beginners. Retrieved from Helix v1.8 Software. p. 29.

Term
What are options using dd in Helix?
Definition

Netbios/Local, Netcat, Split image

Term
What are two imagers in Helix?
Definition
dd and FTK Imager come packaged in Helix v1.8.
Term
There are many incident response tools in Helix including: 
Definition
Windows Forensics Toolchest (WFT) 

-Incident Response Collection Report - snapshot of system

-First Responder's Evidence Disk (FRED) - snapshot of system 

-First Responder Utility (FRU) - retrieve volatile data

-Security Reports (SecReport) - collects security-related information - network configuration, audit policy, event log configuration 

-MD5 Generator 

-Command Shell - forensically sound 

-File Recovery 

-Rootkit Revealer - registry and system API discrepancies that may indicate a user-mode or kernel-mode rootkit

-VNC Server - Virtual Network Computing Server. Remote control software for viewing and interacting with one computer anywhere on the internet 

-PuTTY SSH - Telnet and SSH for Win32 and Unix

-Screen Capture 

-Messenger password - reveals passwords for MSN Messenger, Windows Messenger, Yahoo Messenger, ICQ lite, AOL, Trillian, Miranda, GAIM 

-Mail Password Viewer - reveals passwords for Outlook Express, Outlook, Eudora, Netscape, Mozilla Thunderbird, Yahoo mail, Hotmail, Gmail 

-Protected Storage Viewer - reveals passwords stored by Internet Explorer 

-Network Password Viewer - Windows XP allows passwords to be saved in .NET Passport. This utility recovers passwords for the current user

-Registry Viewer 

-Asterisk Logger - Reveals passwords covered by asterisks 

-IE History Viewer 

-IE Cookie Viewer 

-Mozilla Cookie Viewer 
Term
Ping of Death and Teardrop are two types of DoS attacks. What is a main difference?
Definition
Ping of Death deals with IP fragmentation. When a packet exceeds the Ethernet maximum transmission unit (MTU), fragmentation occurs. The Ping of Death uses an oversized packet that can be up to 65535 octets long, which is greater than the maximum size allowed (65507 octets)

Teardrop attack uses overlapping fragments to slip past an IDS or Firewall. The victim cannot process these overlapping packets so it locks up or crashes 
Term
The Department of Justice created:
Definition
The Department of Justice created ICAC and PSC. 

Internet Crimes Against Children (ICAC) is a network of regional task forces to provide federal assistance to state and local law enforcement so they could better investigate computer and internet-based crimes that sexually exploit children. 

Project Safe Childhood (PSC) is an initiative developed to provide a coordinated effort in combating child porn. It strives to help local communities create programs to investigate child exploitation and identify and rescue victims.
Term
Swap file is space on a hard disk (nonvolatile memory) used as a virtual memory extension for RAM. 
Definition
Term

System time, wall time and length of time the system has been running should be recorded.

Date /t and Time /t can be typed in a command prompt in Windows to retrieve the system time
Definition
Term
Net file reveals names of all open shared files and the number of file locks 

PsFile shows list of files open remotely 

openfiles can be used to list or disconnect all open files and folders 
Definition
Term

True!

A cache is duplicate data stored in a temporary location so a computer can rapidly access that data. In this case, the NetBIOS Remote Cache Name Table may contain a list of systems that a computer has connected to.

nbtstat -c can be used to view the cache of NetBIOS names on the host operating system

Definition
When connections are made to other systems using NetBIOS communications, the system will maintain a list of other systems connected. By viewing the contents of the name table cache, an investigator might be able to find other systems affected.
Term
What are two commands to obtain network information?
Definition
netstat -ano shows active connections including protocol, local address, foreign address, state and PID

netstat -r shows the routing table 

netstat -b shows the executable involved in creating each connection (Windows XP)

netstat -v is used in conjunction with -b to show sequence of components involved 
Term
View Windows processes in Task Manager or by typing tasklist from the command prompt
Definition
Term
When there is an open network connection, some process must be responsible for using that connection. What commands can be used to view the port?
Definition

netstat -o shows process-to-port mappings

fport shows process-to-port mappings but must be executed with administrator privileges

Term

What command can be used to view command history?

doskey /history

show history

scroll up in the command window

Definition

doskey /history

scroll up in the command window

If a command window is open, the investigator can scroll up to see command history. But the attacker may have typed cls to clear the screen. Then, the investigator can use the doskey /history command to see the history.

Term

ClearPageFileAtShutdown - tells the OS to clear the page file when the system is shut down. This will clear virtual memory in the swap file

DisableLastAccess - disables updating of the last access times on files so the timestamp might not be accurate

Definition
Term

index.dat is used for redundant information such as AutoComplete information.

Index.dat can be found in the History folder for Internet Explorer

Definition
Term
Definition
The swap file can be organized as a contiguous space so fewer I/O operations are required to read and write. It is a hidden file in the root directory called pagefile.sys.
Term
Each process on a Windows system is represented as an executive process or EProcess. EProcess block is a data structure containing attributes of the process and pointers to threads and process environment blocks
Definition
Term
dt -a -b -v _EPROCESS 


Definition
view EProcess block 

-a show each array element on a new line 

-b displays blocks recursively 

-v verbose mode 
Term

What is the most important element of EProcess?

Definition

PEB - Process Environment Block contains:

-pointer to loader data (PPEB_LDR_DATA), which contains pointers to DLLs

-pointer to image base address, used to find the beginning of an executable image file

-pointer to process parameters structure, which maintains the DLL path, path to executable image and command line used to launch the process

Term
The six stages of process creation

1. Launch .exe: File Execution Options registry key is checked for debugger value. If yes, process starts over 

2. EProcess object created along with KProcess, PEB, and initial address space 

3. Initial thread created 

4. Windows subsystem is notified of new process and thread 

5. Execution of initial thread starts 

6. Initialization of address space is complete for new process and thread
Definition
Term
The EProcess object is created along with KProcess, PEB, and initial address space 
Definition
Term

What tool can parse memory:

Lsproc.pl d:\dumps\test-mem.dmp

Definition

Lsproc locates processes but not threads

Lsproc.pl d:\dumps\test-mem.dmp

Lspd allows a user to list the details of a process:

Lspd.pl d:\dumps\test-mem.dmp 0x0414dd60

Term

What file contains pool headers?

Pooltag.txt

Definition
Windows memory manager generally allocates memory in 4KB pages. Sometimes, 4K would be too large and waste memory. So memory manager allocates several pages ahead of time thus keeping an available pool of memory. 
Term
REG_BINARY - raw binary data 

REG_DWORD - 32-bit integer 

REG_SZ - fixed length text string 

REG_EXPAND_SZ - variable length text string 

REG_MULTI_SZ - multiple strings separated by delimiter 

REG_NONE - no data type 

REG_QWORD - 64-bit integer 

REG_LINK - unicode string naming a symbolic link 

REG_RESOURCE_LIST - series of nested arrays storing a resource list 

REG_RESOURCE_REQUIREMENTS_LIST - series of nested arrays storing a device driver's list 

REG_FULL_RESOURCE_DESCRIPTOR - series of nested arrays storing a resource list used by physical hardware device 
Definition
Term
Key cell - contains registry key including offsets to other cells and LastWrite time for the key 

Value cell - holds a value 

Subkey list cell - series of indexes pointing to parent key cells 

Value list cell - values of a common key cell

Security descriptor cell - security descriptor information for key cell 
Definition
Term
What are signatures for the cells in the registry?
Definition
Key cell - kn 
Value cell - kv 
Security descriptor cell - ks 
Term
Key cell - 76 bytes 
Value cell - 18 bytes 
Definition
Term
Where is the last time the system was shut down?
Definition
SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName - Computer name 

SYSTEM\ControlSet00x\Control\Windows - Last Time Shutdown 

SYSTEM\CurrentControlSet\Control\TimeZoneInformation - time zone 
Term
SECURITY\Policy\PolAdtEv - audit policy 

SYSTEM\CurrentControlSet\lanmanserver\parameters - shares 

SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\(GUID) - wireless SSID 
Definition
Term

Which registry key is NOT accessed and parsed when a user logs into a system?

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Runonce

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\PoliciesExplorer\Run

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\Run

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce

All of the above are parsed when a user logs into a system

Definition

All of the above are parsed when a user logs into a system

Run means the values in this key execute at system startup

Runonce means the values in this key execute once at system startup and then they are deleted

Term

What steganography methods are used in audio files?

Frequencies inaudible to human ear

White space

LSB

Substitution

Definition

Steganography methods for audio files:

ALL ABOVE EXCEPT White space (which is for Text)

Substitution scheme

    For example, suppose note F = 0 and note C = 1. Using this scheme, music could be composed with a secret message.

Low-Bit Encoding

    Artifacts such as bitmaps and audio files often contain redundant information

    DigSteg can replace redundant information with a message

Phase Coding

    Original sound sequence is shortened into segments

    New phases are generated for each segment with the message

    The new phase is combined with the original magnitude to create the encoded output

Echo Data Hiding

    Echo is introduced into the original signal

    Properties of echo are manipulated to hide data. Properties include initial amplitude, decay rate, and offset
