Explaining Digital Forensics
Terms in this set (32)
Digital forensics is the practice of collecting evidence from computer systems to a standard that will be accepted in
a court of law
What does ESO stand for?
electronically stored information
A forensic examination of a device such as a fixed drive that contains electronically stored information (ESO) entails a search of
the whole drive
E-discovery is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as
evidence in a trial
What is the first phase of a forensics investigation?
documenting the scene
A retrospective network analysis (RNA) solution provides the means to record network events at either a packet header or
payload level
Digital forensics can be used for info gathering to protect against
espionage and hacking
What are the 2 different ways digital intel is deployed?
Counter Intel and Strategic Intel
Counter Intel: identification and analysis of specific adversary TTPs, provides info about how to configure and audit active logging systems so they are most likely to capture evidence of attempted and
successful intrusions
Strategic Intel is data and research that has been analyzed to produce actionable insights which are used to inform risk management and security control provisioning to build mature
cybersecurity capabilities
Acquisition is the process of obtaining a forensically clean copy of data from a
device held as evidence
An image can be acquired from either volatile or nonvolatile storage and the general principle is to capture evidence in the order of volatility, from ---- to -----
more volatile to less
The Forensic Toolkit (FTK) from AccessData is a suite designed to run on
Windows Server (or a server cluster)
The Sleuth Kit is an open-source collection of command line tools and programming libraries for
disk imaging and file analysis
Autopsy is a graphical front-end for these tools and acts as a
case management/workflow tool
WinHex from X-Ways is a commercial tool for forensic recovery and analysis of binary data with support for a range of file systems and
memory dump types
The Volatility Framework is widely used for
system memory analysis
System memory is volatile data held in modules
Random Access Memory (RAM)
---- means that data is lost when power is removed and a system memory dump creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys
Volatile
A ----- file is created on disk in the root folder of the boot volume when a Windows host is put into a sleep state, and if it can be recovered the data can be decompressed and loaded into a software tool for analysis
hibernation
Disk image acquisition refers to acquiring data from
nonvolatile storage
---- storage includes hard disk drives (HDDs), solid-state drives (SSDs), firmware, other types of flash memory (USB thumb drives and memory cards), optical media (CD, DVD, Blu-Ray)
Nonvolatile
What are the 3 device states for persistent storage acquisition
live acquisition, static acquisition by shutting down the host, and static acquisition by pulling the plug
---- means copying data while the host is still running, and may capture more evidence or more data for analysis and reduce the impact on overall services, but data on actual disks will have changed, so this method may not produce legally acceptable evidence
Live acquisition
---- acquisition by --- ----- the host: this runs the risk that the malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself
Static acquisition by shutting down the host
---- acquisition by ---- ---- ----: means disconnecting power at the wall socket which is more likely to preserve the storage devices in a forensically clean state
Static acquisition by pulling the plug
The recording process establishes the ---- of evidence as deriving directly from the crime scene
provenance
A ----- ------- ensures that no data or metadata on the source disk or file system can be changed, by filtering write commands at the drive and OS level
write blocker
--- can refer either to hardware components or software, and software-based cache is stored in the file system and can be acquired as part of a disk image
Cache
Some cache artifacts generated by the OS and apps are held in ---- only, such as portions of the registry, cryptographic keys, password hashes, some types of cookies etc.
memory
True or False: the contents of hardware cache (CPU registers and disk controller read/write cache) are generally not recoverable
True
---- refers to any type of data that is not part of the mainstream data structures of an OS
Artifacts