Term
|
Definition
| is a column of tracks on two or more disk platters. |
|
|
Term
| ZBR is how most manufacturers deal with _______ |
|
Definition
| a platter's inner tracks being shorter than its outer tracks. |
|
|
Term
|
Definition
| the number of bits in one square inch of a disk platter. |
|
|
Term
|
Definition
| the file structure database that Microsoft originally designed for floppy disks. |
|
|
Term
| NTFS was introduced when _____ |
|
Definition
| Microsoft created Windows NT and is the primary file system for Windows Vista. |
|
|
Term
| What is immediately after the Partition Boot Sector on an NTFS disk? |
|
Definition
|
|
Term
|
Definition
|
|
Term
| In the NTFS MFT, all files and folders are |
|
Definition
| stored in separate records of 1024 bytes each. |
|
|
Term
| The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition. These cluster addresses are referred to as |
|
Definition
|
|
Term
| When Microsoft introduced Windows 2000, it added _______ |
|
Definition
| built-in encryption to NTFS called EFS. |
|
|
Term
| The purpose of the recovery certificate is to _______ |
|
Definition
| provide a mechanism for recovering encrypted files under EFS if there’s a problem with the user’s original private key. |
|
|
Term
| When Microsoft created Windows 95, it consolidated initialization (.ini) files into |
|
Definition
|
|
Term
| Boot.ini, located in the root folder of the system partition, specifies |
|
Definition
| the Windows XP installation path and contains options for selecting the Windows version. |
|
|
Term
| ______ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to NTLDR. |
|
Definition
|
|
Term
| NTBootdd.sys , located in the root folder of the system partition, is the device driver that allows |
|
Definition
| the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS. |
|
|
Term
| Device drivers contain instructions for the OS for hardware devices, such as |
|
Definition
| the keyboard, mouse, and video card, and are stored in the %system-root%\Windows\System32\Drivers folder. |
|
|
Term
|
Definition
| a hidden text file containing startup options for Windows 9x. |
|
|
Term
| The Command.com file provides a |
|
Definition
| command prompt when booting to MS-DOS mode (DPMI). |
|
|
Term
|
Definition
| text file containing commands that typically run only at system startup to enhance the computer’s DOS configuration. |
|
|
Term
|
Definition
| a batch file containing customized settings for MS-DOS that runs automatically. |
|
|
Term
| A virtual machine allows you to |
|
Definition
| create a representation of another computer on an existing physical computer. |
|
|
Term
| Computer forensics tools are divided into ____ major categories. |
|
Definition
|
|
Term
| Software forensics tools are commonly used to |
|
Definition
| copy data from a suspect’s disk drive to an image file. |
|
|
Term
| To make a disk acquisition with En.exe, the requirements are: |
|
Definition
| only a PC running MS-DOS with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable. |
|
|
Term
|
Definition
| is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux dd command. |
|
|
Term
| Discrimination of data involves |
|
Definition
| sorting and searching through all investigation data. |
|
|
Term
| Many password recovery tools have a feature that |
|
Definition
| allows generating potential lists for a password dictionary attack. |
|
|
Term
| The simplest method of duplicating a disk drive is |
|
Definition
| using a tool that does a direct disk-to-disk copy from the original disk to the target disk. |
|
|
Term
| To complete a forensic disk analysis and examination, you need to |
|
Definition
|
|
Term
| The first tools that analyzed and extracted data from floppy disks and hard disks were |
|
Definition
| MS-DOS tools for IBM PC file systems. |
|
|
Term
| In Windows 2000 and XP, the ______ shows you the owner of a file if you have multiple users on the system or network. |
|
Definition
|
|
Term
| Forensics workstations can be divided into ___ categories. |
|
Definition
|
|
Term
|
Definition
| is a forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation. |
|
|
Term
|
Definition
| a simple drive-imaging station. |
|
|
Term
|
Definition
| can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk. |
|
|
Term
| Many vendors have developed _____ that connect to a computer through FireWire, USB 2.0, and SCSI controllers. |
|
Definition
|
|
Term
|
Definition
| publishes articles, provides tools, and creates procedures for testing and validating computer forensics software. |
|
|
Term
| The standards document, _____ demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible. |
|
Definition
|
|
Term
|
Definition
| is the NIST project whose goal is to collect all known hash values for commercial software applications and OS files. |
|
|
Term
|
Definition
| is the primary hash algorithm used by the NSRL. |
|
|
Term
| One way to compare your results and verify your new forensic tool is by ____ |
|
Definition
| using a disk editor, such as HexWorkshop, or WinHex. |
|
|
Term
| Although a disk editor gives you the most flexibility in testing, it might not be capable of |
|
Definition
| examining a compressed file’s contents. |
|
|
Term
| There are ___ tracks available for the program area on a CD. |
|
Definition
|
|
Term
| The Advanced SCSI Programming Interface (ASPI) provides |
|
Definition
| several software drivers that allow communication between the OS and the SCSI component. |
|
|
Term
| All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard |
|
Definition
| 40-pin ribbon or shielded cable. |
|
|
Term
| ATA-66, ATA-100, and ATA-133 can use the |
|
Definition
| newer 40-pin/80-wire cable. |
|
|
Term
| The IDE ATA controller on an old 486 PC doesn’t recognize disk drives larger than |
|
Definition
|
|
Term
| Scope creep _____ needed to extract, analyze, and present evidence. |
|
Definition
| increases the time and resources |
|
|
Term
| You begin any computer forensics case by |
|
Definition
| creating an investigation plan. |
|
|
Term
| In civil and criminal cases, _____ is often defined by search warrants or subpoenas, which specify what data you can recover. |
|
Definition
|
|
Term
| There are ___ searching options for keywords that FTK offers. |
|
Definition
|
|
Term
| ____ can locate items such as text hidden in unallocated space that might not turn up in an indexed search. |
|
Definition
|
|
Term
| The stemming search feature allows you to |
|
Definition
| look for words with extensions such as “ing,” “ed,” and so forth. |
|
|
Term
| In FTK indexed search mode, you can |
|
Definition
| also look for files that were accessed or changed during a certain time period. |
|
|
Term
| FTK and other computer forensics programs use _______ to tag and document digital evidence. |
|
Definition
|
|
Term
| Getting a hash value with a hexadecimal editor is ______ with a computer forensics tool. |
|
Definition
| much faster and easier than |
|
|
Term
|
Definition
| known file hash values to files on your evidence drive or image files to see whether they contain suspicious data. |
|
|
Term
|
Definition
| changing or manipulating a file to conceal information. |
|
|
Term
| One way to hide partitions is to |
|
Definition
| create a partition on a disk, and then use a disk editor such as Norton DiskEdit to manually delete any reference to it. |
|
|
Term
| The marking-bad-clusters data-hiding technique is more common with |
|
Definition
|
|
Term
| The term steganography comes from |
|
Definition
| the Greek word for “hidden writing.” |
|
|
Term
| Steganography is defined as |
|
Definition
| the art and science of hiding messages in such a way that only the intended recipient knows the message is there. |
|
|
Term
| Many commercial encryption programs use a technology called _____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure. |
|
Definition
|
|
Term
| People who want to hide data can also use |
|
Definition
| advanced encryption programs, such as PGP or BestCrypt. |
|
|
Term
|
Definition
| a fairly easy task in computer forensic analysis. |
|
|
Term
|
Definition
| use every possible letter, number, and character found on a keyboard when cracking a password. |
|
|
Term
|
Definition
| handy when you need to image the drive of a computer far away from your location or when you don’t want a suspect to be aware of an ongoing investigation. |
|
|
Term
| HDHOST is a remote access program for |
|
Definition
| communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer’s file system. |
|
|
Term
| Vector graphics are based on |
|
Definition
| mathematical instructions that define lines, curves, text, ovals, and other geometric shapes. |
|
|
Term
| Graphics editors are used to |
|
Definition
| create, modify, and save bitmap, vector, and metafile graphics files. |
|
|
Term
|
Definition
| store graphics information as grids of individual pixels. |
|
|
Term
|
Definition
| the process of converting raw picture data to another format. |
|
|
Term
| The majority of digital cameras use the ____ format to store digital pictures. |
|
Definition
|
|
Term
| Lossy compression compresses data by |
|
Definition
| permanently discarding bits of information in the file. |
|
|
Term
|
Definition
| is recovering pieces of a file. |
|
|
Term
| A JPEG file has a hexadecimal header value of |
|
Definition
|
|
Term
| If you can’t open an image file in an image viewer, the next step is to |
|
Definition
| examine the file’s header data. |
|
|
Term
| The uppercase letter “A” has a hexadecimal value of |
|
Definition
|
|
Term
| The image format ___ is derived from the more common TIFF file format. |
|
Definition
|
|
Term
| The simplest way to access a file header is to use |
|
Definition
|
|
Term
| The ____ starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03. |
|
Definition
|
|
Term
|
Definition
| the art of hiding information inside image files. |
|
|
Term
| _______ places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program. |
|
Definition
|
|
Term
| _______ replaces bits of the host file with other bits of data. |
|
Definition
| Substitution steganography |
|
|
Term
|
Definition
| steg tool (steganography). |
|
|
Term
| Steganography has also been used to protect |
|
Definition
| copyrighted material by inserting digital watermarks into a file. |
|
|
Term
| When working with image files, computer investigators also need to be aware of |
|
Definition
| copyright laws to guard against copyright violations. |
|
|
Term
| Under copyright laws, computer programs may be |
|
Definition
| registered as literary works. |
|
|
Term
| Under copyright laws, maps and architectural plans may be |
|
Definition
| registered as pictorial, graphic, and sculptural works. |
|
|