Digital evidence can be cited as evidence in nearly every crime category. Forensic investigators need to be absolutely certain that the data they obtain as evidence has not been altered in any way during the capture, analysis, and control. Attorneys, judges and jurors need to feel confident that the information
presented in a computer crime case is legitimate. How can an investigator ensure for certain that his or her evidence is accepted in court? Show
According to the National Institute of Standards and Technology (NIST), the investigator follows a set of procedures designed to prevent the execution of any program that might modify the disk contents. These procedures involve a layered defense against any modifications to the source disk using the following strategies:
The first bullet point speaks of jumpers, but there may be times when the suspect drive’s jumper settings are not easily accessible. Further, not all drives have the ability to use jumpers. What are write blockers?A write blocker is any tool that permits read-only access to data storage devices without compromising the integrity of the data. A write blocker, when used properly, can guarantee the protection of the data chain of custody. NIST‘s general write blocking requirements hold that:
Software versus hardware write blockersSoftware and hardware write blockers do the same job. They prevent writes to storage devices. The main difference between the two types is that software write blockers are installed on a forensic computer workstation, whereas hardware write blockers have write blocking software installed on a controller chip inside a portable physical device. As determined by NIST’s Software Write Block specifications, a software write block tool operates by monitoring and filtering drive I/O commands sent from an application or OS through a given access interface. Programs running in the DOS environment can, in addition to direct access via the drive controller, use two other interfaces: DOS service interface (interrupt 0x21) or BIOS service interface (interrupt 0x13). The primary purpose of a hardware write blocker is to intercept and prevent (or ‘block’) any modifying command operation from ever reaching the storage device. Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device. Hardware write blockers provide built in interfaces to a number of storage devices, and can connect to other types of storage with adapters. Hardware devices that write block also provide visual indication of function through LEDs and switches. This makes them easy to use and makes functionality clear to users. Through its WiebeTech line of digital investigation products, CRU offers a wide variety of hardware write-blocking solutions.
To see more information about these products, you can start by choosing a product from the entire WiebeTech product line. To view AOL e-mail headers click Action, ____ from the menu. A written report is frequently a(n) ____ or a declaration. A) subpoena ____ from Technology Pathways is a forensics data analysis tool. You can use it to acquire and analyze data from several different file systems. A ____ is a column of tracks on two or more disk platters. A) cylinder
The report’s ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements. To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful. ____ contain instructions for
the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %system-root%\Windows\System32\Drivers folder. Exchange logs information about changes to its data in a(n) ____ log. A) checkpoint
Most computer investigations in the private sector involve ____. A) e-mail abuse B) misuse of computing assets Your ____ as a computer investigation and forensics analyst is critical because it determines your credibility. A) professional policy E-mail programs either save e-mail messages on the client computer or leave them on the server. E-mail programs either save e-mail messages on the client computer or leave them on the server. Based on the incident or crime, the complainant makes
a(n) ____, an accusation or supposition of fact that a crime has been committed. A) litigation To complete a forensic disk analysis and examination, you need to create a ____. A) forensic disk copy In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network. A) Dir B) ls C) Copy D) owner The list of problems you normally expect in the type of case you are handling is known as the ____. A) standard risk assessment B) chain of evidence C) standard problems form D) problems checklist form A) standard risk assessment Published company policies provide a(n) ____ for a business to conduct internal investigations. ____ is a hidden text file containing startup options for Windows 9x.
Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0,and SCSI controllers. Typically, UNIX installations are set to store logs such as maillog in the ____ directory. In Exchange, to prevent loss of data from the
last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk. A) tracking Computer investigations and forensics fall into the same category: public investigations. Recovering pieces of a file is called ____. Records in the MFT are referred to as ____. The law of search and seizure protects the rights of all people, excluding people suspected of crimes. When you research for computer forensics tools,
strive for versatile, flexible, and robust tools that provide technical support. You can use ____ to boot to Windows without writing any data to the evidence disk. ____ was introduced when Microsoft created Windows NT and is the primary file system for Windows
Vista. Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer. After retrieving and examining evidence data with one tool, you should verify your
results by performing the same tasks with other similar forensics tools. To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click ____ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header. If you can’t open an image file in an image viewer, the next step is to examine the file’s ____. The GroupWise logs are maintained in a standard log format in the ____ folders. With many computer forensics tools, you can open files with
external viewers. In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____. A) blotter Forensics tools such as ____ can retrieve deleted files for use as evidence. When analyzing digital evidence, your job is to ____. A report using the ____ numbering system divides material into sections and restarts numbering with each main section. To retrieve an Outlook Express e-mail header right-click the message, and then click ____ to open a dialog box showing general information about the message. Software forensics tools are commonly used to copy data from a suspect’s disk drive to a(n) ____. When you write your final report, state what you did and what you ____. Computer forensics tools are divided into ____ major categories. The simplest method of duplicating a disk drive is using a tool that
does a direct ____ copy from the original disk to the target disk. ____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names. Maintaining ____ means you must form and sustain unbiased opinions of your cases. You can always rely on the return path in an e-mail header to show the source account of an e-mail message. One way to compare your results and verify your new forensic tool is
by using a ____, such as HexWorkshop, or WinHex. In general, forensics workstations can be divided into ____ categories. ____ involves preventing data loss by using backups, uninterruptible power supply (UPS) devices, and off-site monitoring. In the Pacific Northwest, ____ meets monthly to discuss problems that law enforcement and corporations face. ____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to NTLDR. ____ is a text file containing commands that typically run only at system startup to enhance the computer’s DOS configuration. A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible.
In general, a criminal case follows three stages: the complaint, the investigation, and the ____. In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____. Many password recovery tools have a feature that allows generating potential lists for a ____ attack. The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____. The uppercase letter ____ has a hexadecimal value of 41. Files with extension ____ are created using Microsoft Outlook Express. With many ____ e-mail programs, you can copy an e-mail message by dragging
the message to a storage medium, such as a folder or disk. Under copyright laws, computer programs may be registered as ____. You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format. In the following list, ____ is the only steg tool. One way to examine a partition’s physical level is to use a disk editor, such as Norton DiskEdit, WinHex, or Hex Workshop. A(n) ____ is a document that lets you know what questions to expect when you are testifying. Without a warning banner, employees might have
an assumed ____ when using a company’s computer systems and network accesses. It’s the investigator’s responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant. A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute). If a report is long and complex, you should provide a(n) ____. ____ involves recovering
information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. ____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes. A) Bitmap images When working on a Windows environment you can press ____ to copy the selected text to the clipboard. A) Ctrl+A B) Ctrl+C If you must write a preliminary report, use words such as “preliminary copy,”“draft copy,” or “working draft.” A) True To be a successful computer forensics investigator, you must be familiar with more than one computing platform. A) True B) False A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. A) warning banner B) right of privacy C) line of authority D) right banner
____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats. A) VPN B) Internet C) E-mail D) Phone Data streams can obscure valuable evidentiary data, intentionally or by coincidence. The Novell e-mail server software is called ____. A) Sendmail B) GroupWise C) Sawmill D) Guardian ____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program. A) Replacement B) Append C) Substitution D) Insertion What's a virtual cluster number?Any cluster in a file has a virtual cluster number (VCN), which is its relative offset from the beginning of the file. For example, a seek to twice the size of a cluster, followed by a read, will return data beginning at the third VCN.
What Macos system application tracks each block on a volume to determine which blocks are in use and which ones are available to receive data?Chapter 6-13 multiple choice. What enables the user to run another OS on an existing physical computer?Virtualization enables cloud providers to serve users with their existing physical computer hardware; it enables cloud users to purchase only the computing resources they need when they need it, and to scale those resources cost-effectively as their workloads grow.
What type of acquisition is typically done on a computer seized during a police raid?Forensics MT MC3. |