
Computer Forensics - Coursework Example


Extract of sample "Computer Forensics"

45 questions worth 2 points each; 1 question worth 10 points

1. In a criminal investigation, the prosecutor is required to provide a copy of all evidence in discovery. In these investigations, what is the minimum number of copies that should be made of each digital media device? ________ TWO

2. True or False: Of the three phases of an investigation: Acquisition, Authentication, and Analysis, Acquisition is the process of retrieving digital evidence and verifying that it is authentic. ________ FALSE

3. “A specialty field in which companies retrieve files that were deleted accidentally or purposefully” is the definition for which of the following terms? ________
   a. Private Investigation
   b. Computer Forensics
   c. Data Recovery
   d. Continuity of Operations

4. Evidence that indicates a suspect is innocent of a crime with which they are charged is known as:
   a. Exculpatory Evidence
   b. Hearsay Evidence
   c. Physical Evidence
   d. Inculpatory Evidence

5. True or False: Corporate investigators in the U.S. must use procedures that adhere to the 4th amendment to the constitution? _________ FALSE

6. The following are examples of what type of digital crime: Child Pornography, Embezzlement, Fraud, Software Piracy? ________
   a. Crimes committed with a computer
   b. Crimes committed against a computer
   c. Crimes committed against a computer user
   d. None of the Above

7. The triad of computing security includes which of the following? ________
   a. Detection, response, and monitoring
   b. Vulnerability assessment, detection, and monitoring
   c. Vulnerability assessment, intrusion response, and investigation
   d. Vulnerability assessment, intrusion response, and monitoring.

8. FAT-32 is the default file system for what operating system? ________
   a. Windows XP
   b. MAC OS
   c. Windows 98
   d. MS-DOS

9. Windows 2000 came standard with which default file system? FAT-16, FAT-32

10. True or False: It is absolutely necessary to use a write-blocker when connecting to a digital media device containing a raw image (DD file) for the purposes of copying it. ___________ FALSE

11. List three items that should be on an evidence custody form:
   a. Case number
   b. name of the investigator assigned to the case
   c. nature of the case
   d. location where evidence was obtained

12. What section of law in Texas do you think could be used to prosecute a person who hacks into a business server and damages files? Section 1030(a)(3)

13. True or False: As an expert, you are always obligated to prove the position taken by the person that hired you. FALSE

14. Which of the following best describes tools essential for a cyber crime investigator’s toolkit? ________
   a. Flashlight, toothbrush, digital camera
   b. Digital Camera, flashlight, faraday bag
   c. Sketchpad, IDE to USB interface, permanent marker
   d. All of the above

15. Which of the following is not a valid file system? _________
   a. Reiser FS
   b. FAT-32
   c. NTFS
   d. EXT-32

16. CFCE is a certification provided by completing training, as well as written and practical examinations conducted by which of the following? _______
   a. HTCIA
   b. NW3C
   c. SERFTC
   d. IACIS

17. ENCE is a certification provided by what vendor of forensics software? _______
   a. Encase
   b. Guidance Software
   c. Access Data
   d. Paraben

18. When imaging a hard drive, the largest file segment allowed in a proprietary format image is typically 650 MB, but it can be adjusted in some applications up to 2 GB. This 2 GB limit is caused by which of the following? ________
   a. Legal requirement to have image files no larger than 2 GB.
   b. Target drives formatted as FAT, where 2GB is the upper limit on file size.
   c. All of the above
   d. None of the above

19. The Expert Witness Image format is a proprietary format of which software vendor? ______
   a. Access Data
   b. Digital Intelligence
   c. Guidance Software
   d. Paraben

20. True or False: Password protected data can only be preserved using live acquisitions. _______ TRUE

21. Handheld imaging devices are very useful in the acquisition of digital images in the field. Which of the following is not an available handheld imager? _______
   a. Logicube Dossier
   b. ImageMasster Forensic III
   c. ExactImager II
   d. None of the Above

22. MD5 and SHA-1 are both de facto standard authentication algorithms. They are both derived from what previous message digest algorithm? Hashing algorithm

23. What does RAID stand for? redundant array of independent disks

24. When conducting remote acquisitions, what problems should you be aware of? _______
   a. Data transfer speeds
   b. Access permissions over the network
   c. Antivirus, antispyware, and firewall programs
   d. All of the above

25. True or False: FTK Imager can acquire data from a drive’s host protected area. _______ TRUE

26. True or False: Computer stored records are records such as server proxy logs and system log files generated by the computer. FALSE

27. A physical architectural description of a hard drive would include the following: _______
   a. Cylinders
   b. Clusters
   c. Partitions
   d. None of the Above

28. True or False: A computer system running Windows XP cannot have a File Allocation Table indicating where the files are stored on the disk. FALSE

29. True or False: Anime pictures of children appearing nude is considered child pornography in the U.S. _______ TRUE

30. FAT-16 supports disk partitions with a maximum storage capacity of: ________
   a. 1 GB
   b. 2 GB
   c. 4 GB
   d. 8 GB

31. File slack on a hard disk is composed of which of the following (Select all that apply): _______
   a. RAM Slack
   b. Swap space
   c. Disk Slack
   d. ROM slack

32. If a person creates a file that contains 4097 bytes of information, and the file is saved to a hard disk that has clusters of 4 sectors each, how much file slack is associated with that file? 4916.4 bytes

33. True or False: When a file is deleted on a Windows system, the operating system inserts a Hex D5 in the place of the first character of the filename, indicating to the OS that the file has been deleted. TRUE

34. All of the following are reserved metadata records in a Master File Table, except which? _______
   a. $Volume
   b. $Bitmap
   c. $Owner
   d. $Secure

35. True or False: A registry in a Windows operating system is a database that contains information about the system and the users of the system. _______ TRUE

36. List three items contained in the FAT database:
   a. File and Directory names
   b. Starting cluster numbers
   c. File attributes & Date and time stamps

37. True or False: Encase and Sleuthkit are both open-source forensics toolkits. ________ TRUE

38. When considering new forensics software tools, you should do which of the following? _______
   a. Uninstall other forensics software
   b. Reinstall the OS
   c. Test and validate the software
   d. All of the above

39. When two different inputs result in the same output from a hashing algorithm, this is called a: _______
   a. Conflict
   b. Collision
   c. Error
   d. None of the above

40. The following four functions are used in the MD-5 hashing algorithm. True or False: They are used in random order during the execution of the algorithm. __________ TRUE

41. True or False: Using multiple hashing algorithms will decrease the chances of a collision between two different inputs. TRUE

42. True or False: FTK 1.8X has the capability to analyze Macintosh file systems. _______ TRUE

43. Access Data’s FTK software will always work in the demo mode on which of the following: _______
   a. An image of a disk of size less than 1 GB.
   b. An image no bigger than a floppy disk.
   c. An image no bigger than a CD.
   d. None of the above.

44. How many bytes on a disk with 15 Heads, 40,000 cylinders and 64 sectors per cylinder? 19660800000 BYTES

45. The property of the popular message digest algorithms that makes sure that a very small change in the input results in a very large change in the output is called:
   a. Avalon Effect
   b. Tornado Effect
   c. Hurricane Effect
   d. None of the above.

46. (10 point question) Read the following scenario and respond to the questions below:

As a digital forensics examiner, you have been called to the scene of a Kidnapping. Several witnesses have told the investigator that the victim was very excited about a new person they met online. Your job at the scene as a digital forensics examiner is to recommend to the investigating officer a course of action as to what digital evidence may or may not be needed to investigate this crime.

a. Provide a list of potential digital evidence that the investigator is going to want to seize for possible forensic examination. Be thorough, as the lead investigator in this case is not computer savvy.

The following would be the required digital evidence:

- Digital photo of the scene of crime – the photo should cover the areas from which the abduction occurred. It should clearly cover the area, for ease of identification of the area during crime analysis and investigation. In case the abductors or the victim left any belonging behind at the scene of crime, a digital photo should be taken.
- Evidence of the online communication – the investigator should collect information of the conversations done by the two parties online. The investigator should focus on getting information leading to the identification of the abductor. The collected information should include: the name used by the abductor in the online platform, photos and any other biographic information. The investigator should record snapshots of the conversations between the parties.
- Collection of information on the people likely to offer information leading to arrest of the kidnapper(s). The investigator should look at the friends of the kidnapper in the online platform if possible.
- Digital evidence from witness – if there are witnesses, the investigator should digitally record their evidence. For instance, the investigator can record audio evidence from the witnesses.

b. Once the evidence is gathered, and transported back to the laboratory, describe in detail the steps you will go through to process this digital evidence and perform an examination. Discuss the tools that you will use, the scientific process that you will follow, and the mechanism for reporting evidence back to the investigator. Be sure to follow the three A’s!

The first thing to do would be transferring the digitally collected evidence to the computer. To investigate the identity of the abductor, I would start by looking at any photos obtained from the media in which the victim and the abductor were exchanging messages. Using the available digital intelligence software, the photos are examined against the databases kept by the crime records department. To analyze the evidence given by the eye witnesses, I would play the recorded audios, and identify consistency in their evidence, as compared to the evidence collected from other techniques. To ensure that the evidence is not manipulated, I would use encryption techniques such as a password. After observing consistency in the evidence, I then prepare a report to the relevant authorities, reporting on the findings and recommendations on the course of action.

c. What additional sources of evidence might there be besides the digital equipment and media that would have been seized? How would you gain access to this evidence?

Another source of evidence would be the databases of the service providers. For instance, if the abductors made a phone call at the time they were going to meet the victim, the information can be obtained from the service provider. To gain access to the information, the investigator should follow the legal procedures, which may involve seeking permission from the relevant authorities.
