Exam (elaborations)

WGU C702 Exam 2023 with complete solutions

Pages: 8
Grade: A+
Uploaded on: 30-12-2022
Written in: 2022/2023

Quantitative Risk Analysis - ANSWER--
Computer Forensics - ANSWER-A set of methodological procedures and techniques that help identify, gather, preserve, extract, interpret, document, and present evidence from computers in a way that is legally admissible
Cyber Crime - ANSWER-Any illegal act involving a computing device, network, its systems, or its applications. Both internal and external
Enterprise Theory of Investigation (ETI) - ANSWER-Methodology for investigating criminal activity
Types of Cyber Crime - ANSWER-Civil, Criminal, Administrative
Civil Cases - ANSWER-Involve disputes between two parties. Brought for violation of contracts and lawsuits where a guilty outcome generally results in monetary damages to the plaintiff
Criminal Cases - ANSWER-Brought by law enforcement agencies in response to a suspected violation of law where a guilty outcome results in monetary damages, imprisonment, or both
Administrative Cases - ANSWER-An internal investigation by an organization to discover if its employees/clients/partners are abiding by the rules or policies (violation of company policies). Non-criminal in nature and related to misconduct or activities of an employee
Rules of Forensic Investigation - ANSWER-Safeguard the integrity of the evidence and render it acceptable in a court of law. The forensic examiner must make duplicate copies of the original evidence. The duplicate copies must be accurate replications of the originals, and the forensic examiner must also authenticate the duplicate copies to avoid questions about the integrity of the evidence. The examiner must not continue with the investigation if the examination is going to be beyond his or her knowledge level or skill level.
Cyber Crime Investigation Methodology/Steps - ANSWER-1. Identify the computer crime 2. Collect preliminary evidence 3. Obtain court warrant for discovery/seizure of evidence 4. Perform first responder procedures 5. Seize evidence at the crime scene 6. Transport evidence to lab 7. Create two bitstream copies of the evidence 8. Generate MD5 checksum of the images 9. Maintain chain of custody 10. Store original evidence in secure location 11. Analyze the image copy for evidence 12. Prepare a forensic report 13. Submit a report to client 14. Testify in court as an expert witness
Locard's Exchange Principle - ANSWER-Anyone or anything entering a crime scene takes something of the scene with them and leaves something of themselves behind when they leave.
Types of Digital Data - ANSWER-Volatile Data, Non-volatile Data
Volatile Data - ANSWER-Temporary information on a device that requires a constant power supply and is deleted if the power supply is interrupted
Non-Volatile Data - ANSWER-Secondary storage of data. Long-term, persistent data. Permanent data stored on secondary storage devices, such as hard disks and memory cards.
Characteristics of Digital Evidence - ANSWER-1. Be relevant 2. Be probative 3. Be authentic 4. Be accurate 5. Be complete 6. Be convincing 7. Be admissible
Admissible Evidence - ANSWER-Evidence that can be legally and properly introduced in a civil or criminal trial. Evidence is relevant to the case
Authentic Evidence - ANSWER-Evidence that is in its original or genuine state. Investigators must provide supporting documents regarding the authenticity, accuracy, and integrity of the evidence
Complete Evidence - ANSWER-Evidence must either prove or disprove the fact
Reliable Evidence - ANSWER-Evidence that possesses a sufficient degree of likelihood that it is true and accurate. Evidence must be proven dependable when the evidence was extracted
Believable Evidence - ANSWER-Evidence must be presented in a clear manner and expert opinions must be obtained where necessary
Rules of Evidence - ANSWER-Rules governing the admissibility of evidence in trial courts.
Best Evidence Rule - ANSWER-States that secondary evidence, or a copy, is inadmissible in court when the original exists. Duplicate evidence will suffice under the following conditions: original evidence is destroyed due to fire or flood; original evidence is destroyed in the normal course of business; original evidence is in possession of a third party
Forensic Readiness - ANSWER-An organization's ability to make optimal use of digital evidence in a limited period and with minimal investigation costs.
Fourth Amendment - ANSWER-Protects against unreasonable search and seizure. Government agents may not search or seize areas or things in which a person has reasonable expectation of privacy, without a search warrant.
Chain of Custody - ANSWER-A written record of all people who have had possession of an item of evidence
Rule 101: Scope - ANSWER-These rules govern proceedings in the courts of the United States and before United States bankruptcy judges and United States magistrate judges, to the extent and with the exceptions stated in rule 1101.
Rule 102: Purpose and Construction - ANSWER-These rules shall be construed to secure fairness in administration, elimination of unjustifiable expense and delay, and promotion of growth and development of the law of evidence to the end that the truth may be ascertained and proceedings justly determined.
Rule 105: Limited Admissibility - ANSWER-When evidence that is admissible as to one party or for one purpose but not admissible as to another party or for another purpose is admitted, the court, upon request, shall restrict the evidence to its proper scope and instruct the jury accordingly
Rule 801: Hearsay - ANSWER-"Hearsay" means a statement that: (1) the declarant does not make while testifying at the current trial or hearing; and (2) a party offers in evidence to prove the truth of the matter asserted in the statement.
Rule 1002. Requirement of the Original - ANSWER-An original writing, recording, or photograph is required in order to prove its content unless these rules or a federal statute provides otherwise.
Rule 1003. Admissibility of Duplicates - ANSWER-A duplicate is admissible to the same extent as the original unless a genuine question is raised about the original's authenticity or the circumstances make it unfair to admit the duplicate.
Rule 1004. Admissibility of Other Evidence of Content - ANSWER-Admissibility of Other Evidence of Content
Scientific Working Group on Digital Evidence (SWGDE) - ANSWER-Brings together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as to ensure quality and consistency within the forensic community.
Computer Forensics Investigation Process - ANSWER-1. Pre-Investigation 2. Investigation 3. Post-Investigation
Pre-Investigation - ANSWER-Tasks performed prior to investigation. Setting up a computer forensics lab, toolkit, and workstation
Investigation - ANSWER-Main phase in computer forensics investigation. Acquisition, preservation, and analysis of the data
Post-Investigation - ANSWER-Reporting and documentation of all the actions undertaken and the findings. Ensure that the target audience can easily understand the report. Ensure report provides adequate and acceptable evidence
Computer Forensics Laboratory - ANSWER-Work area considerations (50-63 sq. ft per station); no windows; ASCLD/Lab Accreditation; ISO/IEC 17025
Forensic Hardware Tools - ANSWER-FRED, Paraben's StrongHold, PC-3000 Data Extractor, Paraben's Chat Stick, RAPID IMAGE 7020 X2, RoadMASSter-3 X2, ZX-Tower, Data Recovery Stick, Tableau T8-R2 Forensic USB Bridge
FRED - ANSWER-Acquires data directly from hard drives and storage devices
Paraben's StrongHold - ANSWER-Blocks out wireless signals
PC-3000 Data Extractor - ANSWER-Diagnoses and fixes file system issues, so data can be obtained
Paraben's Chat Stick - ANSWER-Thumb drive device; searches the entire computer and scans for chat logs
RAPID IMAGE 7020 X2 - ANSWER-Copy one "Master" hard drive to up to 19 "Target" hard drives
RoadMASSter-3 X2 - ANSWER-Ruggedized portable lab for HDD data acquisition and analysis.
ZX-Tower - ANSWER-Secure sanitization of hard disk
Data Recovery Stick - ANSWER-Recovers deleted files
Tableau T8-R2 Forensic USB Bridge - ANSWER-Write blocking of USB storage devices
Cain & Abel - ANSWER-Password recovery for Windows OS
Recuva - ANSWER-Recover lost pictures, music, docs, video, email. Recover all types of lost files from disk or removable media
Capsa - ANSWER-Sniffer
R-Drive Image - ANSWER-Creation of disk image files for backup
FileMerlin - ANSWER-Converts word processing to a wide range of file formats
AccessData FTK - ANSWER-Court-cited digital investigations platform; provides processing and indexing up front
EnCase - ANSWER-Rapidly acquire data and unearth potential evidence with disk-level forensic analysis
The Sleuth Kit - ANSWER-Command line tools to analyze disk images and recover files
L0phtCrack - ANSWER-Password auditing and recovery software
Ophcrack - ANSWER-Password cracker based on rainbow tables
Computer Forensic Tool Testing Project (CFTT) - ANSWER-NIST, establishes a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware.
Image Integrity Tools - ANSWER-HashCalc, MD5 Calculator, HashMyFiles
HashCalc - ANSWER-Create MD5 hash for files, text and hex string (13 different algorithms)
MD5 Calculator - ANSWER-View MD5 hash to compare to provided hash value
HashMyFiles - ANSWER-Calculate MD5 hash on one or more files
Recover My Files - ANSWER-Recover deleted files emptied from the Windows Recycle Bin and files lost due to the format or corruption of a hard drive, virus, or trojan infection, and unexpected system shutdown or software failure
Advanced Disk Recovery - ANSWER-Quick or deep scan for lost or deleted files
UndeletePlus - ANSWER-Quick or deep scan for lost or deleted files. Same as Advanced Disk Recovery
Data Analysis Tools - ANSWER-FTK Imager, EnCase Forensic, The Sleuth Kit (TSK)
FTK Imager - ANSWER-Imaging tool that enables analysis of files and folders on local hard drives, CDs/DVDs, network drives and examination of the content of forensic images or memory dumps
EnCase Forensic - ANSWER-Generates an evidence report; acquires large amounts of evidence, as fast as possible, from laptops and desktop computers to mobile devices
The Sleuth Kit (TSK) - ANSWER-Library and collection of command-line tools allowing investigation of volume and file system data: fsstat, istat, fls, img_stat
Forensic Investigation Team - ANSWER-Attorney, Photographer, Incident Responder, Decision Maker, Incident Analyzer, Evidence Examiner/Investigator, Evidence Documenter, Evidence Manager, Expert Witness
18 USC 1029 - ANSWER-Fraud and related activity in connection with access devices
18 USC 1030 - ANSWER-Fraud and related activity in connection with computers
18 USC 1361-2 - ANSWER-Prohibit malicious mischief
18 USC 2252A - ANSWER-Child pornography
18 USC 2252B - ANSWER-Misleading domains on Internet
18 USC 2702 - ANSWER-Voluntary disclosure of customer communications or records
42 USC 2000AA - ANSWER-Privacy Protection Act
Rule 402 - ANSWER-Relevant Evidence
Rule 502 - ANSWER-Attorney-Client Privilege and Work Product; Limitations on Waiver
Rule 608 - ANSWER-Evidence of character and conduct of witness
Rule 609 - ANSWER-Impeachment by evidence
Rule 614 - ANSWER-Interrogation of Witnesses
Rule 701 - ANSWER-Opinion testimony
Rule 705 - ANSWER-Disclosure of facts
Platters - ANSWER-Circular metal disks mounted into a drive enclosure
Tracks - ANSWER-Concentric rings on the platters that store data
Track Numbering - ANSWER-Starts at 0 and goes to 1023
Sectors - ANSWER-Smallest physical storage units located on a hard disk platter (512 bytes long)
Clusters - ANSWER-Smallest accessible/logical storage unit on the hard disk
Slack Space - ANSWER-Wasted area of the disk cluster lying between end of the file and end of the cluster
Bad Sectors - ANSWER-Portions of a disk that are unusable due to some flaws (don't support read and write)
Sparse File - ANSWER-File that attempts to use file system space efficiently when allocated blocks are mostly empty.
Cylinders, Head, and Sectors (CHS) - ANSWER-Determine the sector addressing for individual sectors on a disk
Logical Block Addressing (LBA) - ANSWER-Address data by allotting a sequential number to each sector
Globally Unique Identifier (GUID) - ANSWER-128-bit unique number generated by Windows, used to identify COM DLLs
File Carving - ANSWER-The process of reassembling computer files from fragments in the absence of file system metadata.
JPEG - ANSWER-Joint Photographic Experts Group. File type for images, can achieve 90% compression. Hex value FF D8 FF
BMP - ANSWER-Device independent bitmap (DIB), standard graphics image file format for Windows
GIF - ANSWER-Contains 8 bits per pixel and displays 256 colors per frame
fsstat (TSK) - ANSWER-Display details associated with the file system
istat (TSK) - ANSWER-Display details of meta-data structure (INODE)
fls (TSK) - ANSWER-List file and directory names in a disk image
img_stat (TSK) - ANSWER-Displays details of an image file
Master Boot Record (MBR) - ANSWER-The first sector on a hard drive, which contains the partition table and a program the BIOS uses to boot an OS from the drive. 512 bytes long. Contains four 16-byte master partition records. Starts at sector 0. Signature 0x55AA
Master Boot Code - ANSWER-Loads into BIOS and initiates the system boot process
American Standard Code for Information Interchange (ASCII) - ANSWER-128 specified characters coded into 7-bit integers. Source code of a program, batch files, macros, scripts, HTML and XML documents
ASCII Table - ANSWER-Non-printable: coded between 0 and 31. Lower ASCII: codes between 32 and 127. Higher ASCII: codes between 128 and 255
Universal Coded Character Set (UCS) - ANSWER-Standard for encoding, representation, and management of texts. More than characters. XML, Java, and Microsoft .NET
Back Up the MBR - ANSWER-dd if=/dev/xxx of=p bs=512 count=1
Restore the MBR - ANSWER-dd if=p of=/dev/xxx bs=512 count=1
GUID Partition Table (GPT) - ANSWER-Allows disks larger than 2TB. Can have 128 Windows partitions. CRC for data integrity. CRC32 checksum for header and partition table

Institution
WGU C702
Module
WGU C702









ALVINK2022 University of Oxford