Exam (worked answers)

WGU C840 Digital Forensics 2023

Rating: -
Sold: -
Pages: 19
Grade: A+
Uploaded on: 29-03-2023
Written in: 2022/2023

WGU C840 Digital Forensics 2023

expert report Ans- A formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted as well as the specialist's own curriculum vitae (CV). Anything the specialist plans to testify about at a trial must be included in the expert report.

Testimonial evidence Ans- Information that forensic specialists use to support or interpret real or documentary evidence; for example, to demonstrate that the fingerprints found on a keyboard are those of a specific individual.

Daubert standard Ans- The standard holding that only methods and tools widely accepted in the scientific community can be used in court.

If the computer is turned on when you arrive, what does the Secret Service recommend you do? Ans- Shut down according to the recommended Secret Service procedure.

Communications Assistance to Law Enforcement Act of 1994 Ans- The Communications Assistance to Law Enforcement Act of 1994 is a federal wiretap law for traditional wired telephony. It was expanded to include wireless, voice over packet, and other forms of electronic communications, including signaling traffic and metadata.

Digital evidence Ans- Digital evidence is information processed and assembled so that it is relevant to an investigation and supports a specific finding or determination.

Federal Privacy Act of 1974 Ans- The Federal Privacy Act of 1974 is a United States federal law that establishes a code of Fair Information Practice governing the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by U.S. federal agencies.

Power Spy, Verity, ICU, and WorkTime Ans- Spyware

Good fictitious e-mail response rate Ans- 1-3%

Which crime is most likely to leave e-mail evidence? Ans- Cyberstalking

Where would you seek evidence that ophcrack had been used on a Windows Server 2008 machine? Ans- In the logs of the server; look for the reboot of the system

A SYN flood is an example of what? Ans- DoS attack

Definition of a virus, in relation to a computer? Ans- A type of malware that requires a host program or human help to propagate

What is the starting point for investigating denial of service attacks? Ans- Tracing the packets

China Eagle Union Ans- The cyberterrorism group, the China Eagle Union, consists of several thousand Chinese hackers whose stated goal is to infiltrate Western computer systems. Members and leaders of the group insist that not only does the Chinese government have no involvement in their activities, but that they are breaking Chinese law and are in constant danger of arrest and imprisonment. However, most analysts believe this group is working with the full knowledge and support of the Chinese government.

Rules of evidence Ans- Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.

file slack Ans- The unused space between the logical end of the file and the physical end of the file. It is also called slack space.

The Analysis Plan Ans- Before forensic examination can begin, an analysis plan should be created. This plan guides work in the analysis process. How will you gather evidence? Are there concerns about evidence being changed or destroyed? What tools are most appropriate for this specific investigation? A standard data analysis plan should be created and customized for specific situations and circumstances.

What is the most important reason that you not touch the actual original evidence any more than you have to? Ans- Each time you touch digital data, there is some chance of altering it.

You should make at least two bitstream copies of a suspect drive. Ans- TRUE

To preserve digital evidence, an investigator should Ans- make two copies of each evidence item using different imaging tools

What would be the primary reason for you to recommend for or against making a DOS copy? Ans- A simple DOS copy will not include deleted files, file slack, and other information.

Which starting-point forensic certification covers the general principles and techniques of forensics, but not specific tools such as EnCase or FTK? Ans- (CHFI) EC-Council Certified Hacking Forensic Investigator

This forensic certification is open to both the public and private sectors and is specific to the use and mastery of FTK. Requirements for taking the exam include completing the boot camp and Windows forensic courses. Ans- AccessData Certified Examiner. AccessData is the creator of Forensic Toolkit (FTK) software.

Federal Rules of Evidence (FRE) Ans- The Federal Rules of Evidence (FRE) is a code of evidence law. The FRE governs the admission of facts by which parties in the U.S. federal court system may prove their cases. The rules of evidence encompass the rules and legal principles that govern the proof of facts in a legal proceeding. These rules determine what evidence must or must not be considered by the trier of fact in reaching its decision.

The DoD Cyber Crime Center (DC3) Ans- DC3 is involved with DoD investigations that require computer forensics support to detect, enhance, or recover digital media. DC3 provides computer investigation training. It trains forensic examiners, investigators, system administrators, and others. It also ensures that defense information systems are secure from unauthorized use, criminal and fraudulent activities, and foreign intelligence service exploitation. DC3 sets standards for digital evidence processing, analysis, and diagnostics.

Expert testimony Ans- Expert testimony involves the authentication of evidence based upon scientific or technical knowledge relevant to cases. Forensic examiners are often called upon to authenticate evidence between given specimens and other items. Forensic specialists should not undertake an examination that is beyond their knowledge and skill.

temporary data Ans- Data that an operating system creates and overwrites without the computer user taking direct action to save this data.

Physical analysis Ans- Offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system.

Logical analysis Ans- Analysis involving using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data.

sweepers Ans- A kind of software that cleans unallocated space. Also called a scrubber.

It is acceptable, when you have evidence in a vehicle, to stop for a meal, if the vehicle is locked. Ans- FALSE

What Linux command can be used to create a hash? Ans- MD5sum

EnCase Format Ans- The EnCase format is a proprietary format that is defined by Guidance Software for use in its forensic tool to store hard drive images and individual files. It includes a hash of the file to ensure nothing was changed when it was copied from the source.

Advanced Forensic Format (AFF) Ans- This file format, abbreviated AFF, has three variations: AFF, AFM, and AFD. The AFF variation stores all data and metadata in a single file. The AFM variation stores the data and the metadata in separate files. The AFD variation stores the data and metadata in multiple small files. The AFF file format is part of the AFF Library and Toolkit, which is a set of open-source computer forensics programs. Sleuth Kit and Autopsy both support this file format.

The Generic Forensic Zip Ans- An open source file format used to store evidence from forensic examinations

IXimager Ans- Developed by the IRS and restricted to law enforcement and government use

What Linux command can be used to wipe a target drive? Ans- dd

RAID 0 Ans- Disk striping

RAID 1 Ans- Completely mirrors the contents of disks so there is an identical copy of the drive running on the machine

RAID 3 or 4 Ans- Combines three or more disks in a way that protects data against loss of any one disk

RAID 5 Ans- Striped disks with distributed parity; combines three or more disks in a way that protects data against the loss of any one disk. It is similar to RAID 3, but the parity is not stored on one dedicated drive; instead, parity information is interspersed across the drive array.

You need to image a server that is set up with RAID 5. How would you approach this? Ans- Image each disk separately.

RAID 4 should be acquired as individual disks. Ans- FALSE

Swap files Ans- Swap files are the most important type of ambient data. Windows uses swap files on each system as a "scratch pad" to write data when additional RAM is needed. A swap file is a virtual memory extension of RAM. Most computer users are unaware of the existence of swap files. The size of these files is usually about 1.5 times the size of the physical RAM in the machine. Swap files contain remnants of word processing documents, e-mails, Internet browsing activity, database entries, and almost any other work that has occurred during past Windows sessions. Swap files can be temporary or permanent.

volume slack Ans- Volume slack is the unused space between the end of the file system and the end of the partition where the file system resides. For example, suppose that two partitions are filled with data. When you delete one of them, the data is not actually deleted. Instead, it is hidden.

RAID 6 Ans- RAID 6 is a striped set with dual distributed parity. This RAID level is similar to RAID 5; RAID 6 offers both backup and increased speed. Additionally, a RAID 6 array can continue operating if up to two of its drives fail. This requires a minimum of 4 drives.

carrier Ans- The signal, stream, or data file into which the payload is hidden.

least significant bit (LSB) Ans- The last bit, or least significant bit, is used to store data.

payload Ans- The data to be covertly communicated. In other words, it is the message you want to hide.

channel Ans- The type of medium used to hide data in steganography. This may be photos, video, sound files, or Voice over IP.

Steganophony Ans- The use of steganography with sound files.

Caesar cipher Ans- The method of cryptography in which someone chooses a number by which to shift each letter of a text in the alphabet and substitutes the new letter for the letter being encrypted. For example, if your text is "A CAT," and you choose to shift by two letters, your encrypted text is "C ECV." This is also known as a monoalphabet, single-alphabet, or substitution cipher.

Vigenère cipher Ans- A method of encrypting alphabetic text by using a series of different monoalphabetic ciphers selected based on the letters of a keyword. A polyalphabetic cipher.

Substitution Ans- In cryptography, the method of changing some parts of the plaintext for some matching part of the ciphertext.

Transposition Ans- In terms of cryptography, this is the swapping of blocks of ciphertext.

block cipher Ans- A form of cryptography that encrypts data in blocks; 64-bit blocks are quite common, although some algorithms (like AES) use larger blocks.

Feistel function Ans- A cryptographic function that splits blocks of data into two parts. It is one of the most influential developments in symmetric block ciphers.

keyspace Ans- The total number of keys.

Euler's Totient Ans- The total number of coprime numbers. Two numbers are considered coprime if they have no common factors.

Cryptanalysis Ans- A method of using techniques other than brute force to derive a cryptographic key.

Kasiski examination Ans- A method of attacking polyalphabetic substitution ciphers by deducing the length of the keyword. This is sometimes also called Kasiski's test or Kasiski's method.

The most common way steganography is accomplished is via Ans- LSB

In steganography, the ________ is the stream or file into which the data is hidden. Ans- carrier

Atbash Ans- Hebrew scribes copying the book of Jeremiah used the Atbash cipher. This cipher is very simple and simply reverses the alphabet. This is, by modern standards, a very primitive and easy-to-break cipher. However, it helps one get a feel for how cryptography works.

The total number of possible keys for DES is _________, which a modern computer system can break in a reasonable amount of time. Ans- 2 to the 56th power

How many rounds does DES have? Ans- 16

An improvement on the Caesar cipher that uses more than one shift is called a Ans- multialphabet substitution

______ is an asymmetric cryptography algorithm invented by three mathematicians in the 1970s? Ans- RSA

Which encryption algorithm uses three key ciphers in a block system and uses the Rijndael algorithm? Ans- AES

What is the key length used for DES? Ans- 56

Example of a multialphabet cipher? Ans- Vigenère

The Caesar cipher is the oldest known encryption method. Ans- TRUE

Inodes Ans- A data structure in the file system that stores all the information about a file except its name and its actual data.

test system Ans- A functional system compatible with the hard drive from which someone is trying to recover data.

Logical damage Ans- Damage to how the data is stored; for example, file system corruption.

Consistency checking Ans- A technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification.

There are two fundamental files that are part of NTFS that are of most interest. These are the Master File Table (MFT) and the __________. Ans- Cluster Bitmap

cluster bitmap Ans- The cluster bitmap file is a map of all the clusters on the hard drive. This is an array of bit entries where each bit indicates whether its corresponding cluster is allocated/used or free/unused.

When files are deleted from an NTFS system, the process is similar to what occurs in FAT. The main difference is that clusters are first marked as deleted, thus "moved" to the Recycle Bin. In NTFS prior to Vista, the Recycle Bin resides in a hidden directory called RECYCLER. In Vista and Windows 7, the name of the directory was changed to $Recycle.Bin. Only when you empty the Recycle Bin is the cluster marked as fully available. More specifically, when a file is deleted, the filename in the MFT is marked with a special character that signifies to the computer that the file has been deleted. Just as with FAT systems, clusters in an NTFS system are more likely to be overwritten as more time elapses after deletion.

The file allocation table is really a list of entries that map to each __________ on the disk partition. Ans- Cluster

file allocation table (FAT) Ans- The file allocation table (FAT) is a list of entries that map to each cluster on the disk partition. Each entry records one of five things: the cluster number of the next cluster for this file; a special end of cluster chain (EOC) entry if the cluster is the end of a chain; a special entry for bad clusters; a special entry for reserved clusters; or a mark showing the cluster is open, or available. When files are deleted, data is not actually removed from the drive. Rather, the FAT is updated to reflect that those clusters are no longer in use. If new information is saved to the drive, it may be saved to those clusters, overwriting the old information. This means, from a forensic point of view, that the more recently a file was deleted, the more likely you will be able to recover the file.

Why can you undelete files in Windows 7? Ans- Nothing is deleted; it is just removed from the MFT.

In the Linux operating system, when is a file deleted? Ans- When the iNode count reaches 0

What contains records that correspond to each deleted file in the Recycle Bin? Ans- INFO2 file

The space between the end of a file and the end of the cluster (if there is any such space) is called what? Ans- Slack space

In Linux, what is the data structure in the file system that stores all the information about a file except its name and its actual data? Ans- iNode

A test system is a functional system compatible with the system from which a hard drive was removed for the purpose of trying to recover data. Ans- TRUE

Which of the following is the Linux equivalent of a shortcut? Ans- Symbolic link

Definition of inode? Ans- A data structure in the file system that stores all the information about a file except its name and its actual data. An inode can refer to a file or a folder/directory. In either case, the inode is really a link to the file. This is important because there are basically two types of links. The first type is the hard link. A hard link is an inode that links directly to a specific file. The second type of file link is called a soft link or symbolic link. In this case, the link is not actually a file itself, but rather a pointer to another file or directory. You can think of this as the same thing as a shortcut, such as you might find in Windows.

What name is given to a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification? Ans- consistency checking

Consistency checking Ans- Consistency checking involves scanning a disk's logical structure and ensuring that it is consistent with its specification. For instance, in most file systems, a directory must have at least two entries: a dot (.) entry that points to itself and a dot-dot (..) entry that points to its parent. A file system repair program reads each directory to ensure that these entries exist and point to the correct directories. If they do not, the program displays an error message, and you can correct the problem. Consistency checking has two major problems. First, consistency checks can fail if file systems are highly damaged. In this case, the repair program may crash, or it may believe the drive has an invalid file system. Second, the chkdsk utility might automatically delete data files if the files are out of place or unexplainable. The utility does this to ensure that the operating system can run properly. However, the deleted files may be important and irreplaceable user files.

Anonymous remailing Ans- The process of sending an email message to an anonymizer. The anonymizer strips identifying information from an email message before forwarding it with the anonymous mailing computer's IP address.

Foreign Intelligence Surveillance Act (FISA) Ans- A U.S. law that prescribes procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between foreign powers and agents of foreign powers, which may include U.S. citizens and permanent residents suspected of espionage or terrorism.

Which common e-mail header field is commonly used with the values "bulk," "junk," or "list," or used to indicate that automated "vacation" or "out of office" responses should not be returned for the mail? Ans- Precedence

RFC 3864 Ans- RFC 3864 describes registration procedures for message header fields at the IANA; it provides for permanent and provisional field names, including also fields defined for MIME, netnews, and HTTP, and referencing relevant RFCs.

What is the .ost file format used for? Ans- Microsoft Outlook offline storage

Electronic Communications Privacy Act Ans- The Electronic Communications Privacy Act (ECPA) is a United States federal statute that prohibits a third party from intercepting or disclosing communications without authorization. The ECPA requires different legal processes to obtain specific types of information: 1. Basic subscriber information: this information includes name, address, billing information including a credit card number, telephone toll billing records, subscriber's telephone number, type of service, and length of service. An investigator can obtain this type of information with a subpoena, court order, or search warrant. 2. Transactional information: this information includes Web sites visited, e-mail addresses of others with whom the subscriber exchanged e-m

