On Mac OSs, the ____ stores any file information not in the MDB or Volume Control Block (VCB).


Chapters 7 Through 16

Chapter 7: Current Computer Forensics Tools

TRUE/FALSE

  1. When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.
  2. In software acquisition, there are three types of data-copying methods.
  3. To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
  4. The Windows platforms have long been the primary command-line interface OSs.
  5. After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.

MULTIPLE CHOICE

  1. Computer forensics tools are divided into ____ major categories.
  2. Software forensics tools are commonly used to copy data from a suspect’s disk drive to a(n) ____.
     a. backup file
     b. firmware
     c. image file
     d. recovery copy
  3. To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable.
     a. UNIX
     b. MAC OS X
     c. Linux
     d. MS-DOS
  4. Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command.
     a. rawcp
     b. dd
     c. d2dump
     d. dhex
  5. ____ of data involves sorting and searching through all investigation data.
     a. Validation
     b. Discrimination
     c. Acquisition
     d. Reconstruction
  6. Many password recovery tools have a feature that allows generating potential lists for a ____ attack.
     a. brute-force
     b. password dictionary
     c. birthday
     d. salting
  7. The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk.
     a. partition-to-partition
     b. image-to-partition
     c. disk-to-disk
     d. image-to-disk
  8. To complete a forensic disk analysis and examination, you need to create a ____.
     a. forensic disk copy
     b. risk assessment
     c. budget plan
     d. report
  9. The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems.
     a. Apple
     b. Atari
     c. Commodore
     d. IBM
  10. In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network.
     a. Dir
     b. ls
     c. Copy
     d. owner
  11. In general, forensics workstations can be divided into ____ categories.
  12. A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____.
     a. stationary workstation
     b. field workstation
     c. lightweight workstation
     d. portable workstation
  13. ____ is a simple drive-imaging station.
     a. F.R.E.D.
     b. SPARC
     c. FIRE IDE
     d. DiskSpy
  14. ____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.
     a. Drive-imaging
     b. Disk editors
     c. Workstations
     d. Write-blockers
  15. Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0, and SCSI controllers.
     a. USB
     b. IDE
     c. LCD
     d. PCMCIA
  16. The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
     a. CFTT
     b. NIST
     c. FS-TST
     d. NSRL
  17. The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.
     a. ISO 3657
     b. ISO 5321
     c. ISO 5725
     d. ISO 17025
  18. The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.
     a. NSRL
     b. CFTT
     c. FS-TST
     d. PARTAB
  19. The primary hash algorithm used by the NSRL project is ____.
     a. MD5
     b. SHA-1
     c. CRC-32
     d. RC4
  20. One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop or WinHex.
     a. disk imager
     b. write-blocker
     c. bit-stream copier
     d. disk editor
  21. Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file’s contents.
     a. testing, compressed
     b. scanning, text
     c. testing, pdf
     d. testing, doc

COMPLETION

  1. Software forensic tools are grouped into command-line applications and ____________________ applications.
  2. The Windows application of EnCase requires a(n) ____________________ device, such as FastBloc, to prevent Windows from accessing and corrupting a suspect disk drive.
  3. The ____________________ function is the most demanding of all tasks for computer investigators to master.
  4. Because there are a number of different versions of UNIX and Linux, these platforms are referred to as ____________________ platforms.
  5. Hardware manufacturers have designed most computer components to last about ____________________ months between failures.

MATCHING

Match each item with a statement below

a. JFIF
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack

  1. letters embedded near the beginning of all JPEG files
  2. European term for carving
  3. a direct copy of a disk drive
  4. usually a laptop computer built into a carrying case with a small selection of peripheral options
  5. one of the first MS-DOS tools used for a computer investigation
  6. software-enabled write-blocker
  7. system file where passwords may have been written temporarily
  8. a tower with several bays and many peripheral devices
  9. command-line disk acquisition tool from New Technologies, Inc.

SHORT ANSWER

  1. What are the five major function categories of any computer forensics tool?
  2. Explain the validation of evidence data process.
  3. What are some of the advantages of using command-line forensics tools?
  4. Explain the advantages and disadvantages of GUI forensics tools.
  5. Illustrate how to consider hardware needs when planning your lab budget.
  6. Describe some of the problems you may encounter if you decide to build your own forensics workstation.
  7. Illustrate the use of a write-blocker on a Windows environment.
  8. Briefly explain the NIST general approach for testing computer forensics tools.
  9. Explain the difference between repeatable results and reproducible results.
  10. Briefly explain the purpose of the NIST NSRL project.

Chapter 8: Macintosh and Linux Boot Processes and File Systems

TRUE/FALSE

  1. If a file contains information, it always occupies at least one allocation block.
  2. Older Macintosh computers use the same type of BIOS firmware commonly found in PC-based systems.
  3. GPL and BSD variations are examples of open-source software.
  4. A UNIX or Linux computer has two boot blocks, which are located on the main hard disk.
  5. Under ISO 9660 for DVDs, the Micro-UDF (M-UDF) function has been added to allow for long filenames.

MULTIPLE CHOICE

  1. Macintosh OS X is built on a core called ____.
     a. Phantom
     b. Panther
     c. Darwin
     d. Tiger
  2. In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.
     a. resource
     b. node
     c. blocks
     d. inodes
  3. The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is ____.
     a. 32,768
     b. 45,353
     c. 58,745
     d. 65,535
  4. On older Macintosh OSs all information about the volume is stored in the ____.
     a. Master Directory Block (MDB)
     b. Volume Control Block (VCB)
     c. Extents Overflow File (EOF)
     d. Volume Bitmap (VB)
  5. With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
     a. Extents overflow file
     b. Volume Bitmap
     c. Master Directory Block
     d. Volume Control Block
  6. On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB).
     a. volume information block
     b. extents overflow file
     c. catalog
     d. master directory block
  7. Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement.
     a. AIX
     b. BSD
     c. GPL
     d. GRUB
  8. The standard Linux file system is ____.
     a. NTFS
     b. Ext3fs
     c. HFS+
     d. Ext2fs
  9. Ext2fs can support disks as large as ____ TB and files as large as 2 GB.
  10. Linux is unique in that it uses ____, or information nodes, that contain descriptive information about each file or directory.
     a. xnodes
     b. extnodes
     c. infNodes
     d. inodes
  11. To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of ____.
  12. ____ components define the file system on UNIX.
  13. The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive.
     a. superblock
     b. data block
     c. boot block
     d. inode block
  14. LILO uses a configuration file named ____ located in the /Etc directory.
     a. Lilo.conf
     b. Boot.conf
     c. Lilo.config
     d. Boot.config
  15. Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of OSs.
     a. 1989
     b. 1991
     c. 1994
     d. 1995
  16. On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive.
     a. /dev/sda1
     b. /dev/hdb1
     c. /dev/hda1
     d. /dev/ide1
  17. There are ____ tracks available for the program area on a CD.
  18. The ____ provides several software drivers that allow communication between the OS and the SCSI component.
     a. International Organization of Standardization (ISO)
     b. Advanced SCSI Programming Interface (ASPI)
     c. CLV
     d. EIDE
  19. All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard ____ ribbon or shielded cable.
     a. 40-pin
     b. 60-pin
     c. 80-pin
     d. 120-pin
  20. ATA-66, ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable.
  21. The IDE ATA controller on an old 486 PC doesn’t recognize disk drives larger than 8.4 ____.

COMPLETION

  1. Before OS X, Macintosh used the ____________________, in which files are stored in directories, or folders, that can be nested in other folders.
  2. The Macintosh file system has ____________________ descriptors for the end of file (EOF).
  3. ____________________ is a journaling version of Ext2fs that reduces file recovery time after a crash.
  4. When you turn on the power to a UNIX workstation, instruction code located in firmware on the system’s CPU loads into RAM. This firmware is called ____________________ code because it’s located in ROM.
  5. CD players that are 12X or faster read discs by using a(n) _____________________ system.

MATCHING

Match each item with a statement below

a. File Manager
b. Inode blocks
c. ISO 9660
d. LILO
e. Clumps
f. Volume
g. ls
h. Catalog
i. Finder

  1. older Linux boot manager utility
  2. Macintosh tool that works with the OS to keep track of files and maintain users’ desktops
  3. any storage medium used to store files
  4. the list command on Linux
  5. maintains relationships between files and directories on a volume on a Mac OS
  6. the first data after the superblock on a UNIX or Linux file system
  7. ISO standard for CDs
  8. Mac OS utility that handles reading, writing, and storing data to physical media
  9. groups of contiguous allocation blocks

SHORT ANSWER

  1. Explain the relation between allocation blocks and logical blocks on a Mac OS file system.
  2. Explain the use of B*-trees on the Mac OS 9 file system.
  3. Explain the use of forensic tools for Macintosh systems.
  4. What are the functions of the superblock on a UNIX or Linux file system?
  5. What is a bad block inode on Linux?
  6. What is a continuation inode?
  7. Describe the CD creation process.
  8. Write a brief history of SCSI.
  9. Explain the problems you can encounter with pre-ATA-33 devices when connecting them to current PCs.
  10. What problems can hidden partitions on IDE devices cause for forensic investigators?

Chapter 9: Computer Forensics Analysis and Validation

TRUE/FALSE

  1. The defense request for full discovery of digital evidence applies only to criminal cases in the United States.
  2. For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.
  3. FTK cannot perform forensics analysis on FAT12 file systems.
  4. FTK cannot analyze data from image files from other vendors.
  5. A nonsteganographic graphics file has a different size than an identical steganographic graphics file.

MULTIPLE CHOICE

  1. ____ increases the time and resources needed to extract, analyze, and present evidence.
     a. Investigation plan
     b. Scope creep
     c. Litigation path
     d. Court order for discovery
  2. You begin any computer forensics case by creating a(n) ____.
     a. investigation plan
     b. risk assessment report
     c. evidence custody form
     d. investigation report
  3. In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover.
     a. risk assessment reports
     b. investigation plans
     c. scope creeps
     d. subpoenas
  4. FTK offers ____ searching options for keywords.
  5. ____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search.
     a. Online
     b. Inline
     c. Active
     d. Live
  6. The ____ search feature allows you to look for words with extensions such as “ing,” “ed,” and so forth.
     a. fuzzy
     b. stemming
     c. permutation
     d. similar-sounding
  7. In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period.
     a. live
     b. indexed
     c. active
     d. inline
  8. FTK and other computer forensics programs use ____ to tag and document digital evidence.
     a. tracers
     b. hyperlinks
     c. bookmarks
     d. indents
  9. Getting a hash value with a ____ is much faster and easier than with a(n) ____.
     a. high-level language, assembler
     b. HTML editor, hexadecimal editor
     c. computer forensics tool, hexadecimal editor
     d. hexadecimal editor, computer forensics tool
  10. AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data.
     a. KFF
     b. PKFT
     c. NTI
     d. NSRL
  11. Data ____ involves changing or manipulating a file to conceal information.
     a. recovery
     b. creep
     c. integrity
     d. hiding
  12. One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it.
     a. Norton DiskEdit
     b. PartitionMagic
     c. System Commander
     d. LILO
  13. The marking-bad-clusters data-hiding technique is more common with ____ file systems.
     a. NTFS
     b. FAT
     c. HFS
     d. Ext2fs
  14. The term ____ comes from the Greek word for “hidden writing.”
     a. creep
     b. steganography
     c. escrow
     d. hashing
  15. ____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there.
     a. Bit shifting
     b. Encryption
     c. Marking bad clusters
     d. Steganography
  16. Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.
     a. steganography
     b. key escrow
     c. password backup
     d. key splitting
  17. People who want to hide data can also use advanced encryption programs, such as PGP or ____.
     a. NTI
     b. BestCrypt
     c. FTK
     d. PRTK
  18. ____ recovery is a fairly easy task in computer forensic analysis.
     a. Data
     b. Partition
     c. Password
     d. Image
  19. ____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
     a. Brute-force
     b. Dictionary
     c. Profile
     d. Statistics
  20. ____ are handy when you need to image the drive of a computer far away from your location or when you don’t want a suspect to be aware of an ongoing investigation.
     a. Scope creeps
     b. Remote acquisitions
     c. Password recovery tools
     d. Key escrow utilities
  21. ____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer’s file system.
     a. HDHOST
     b. DiskHost
     c. DiskEdit
     d. HostEditor

COMPLETION

  1. For most law-enforcement-related computing investigations, the investigator is limited to working with data defined in the search ____________________.
  2. FTK provides two options for searching for keywords: indexed search and ____________________ search.
  3. ____________________ search catalogs all words on the evidence disk so that FTK can find them quickly.
  4. To generate reports with the FTK ReportWizard, first you need to ____________________ files during an examination.
  5. The data-hiding technique ____________________ changes data from readable code to data that looks like binary executable code.

MATCHING

Match each item with a statement below

a. Court orders for discovery
b. Investigation plan
c. Digital Intelligence PDWipe
d. Live search
e. Cabinet
f. PRTK
g. Validating digital evidence
h. MD5
i. System Commander

  1. defines the investigation’s goal and scope, the materials needed, and the tasks to perform
  2. a hashing algorithm
  3. one of the most critical aspects of computer forensics
  4. a type of compressed file
  5. an FTK searching option
  6. a password recovery program available from AccessData
  7. a disk-partitioning utility
  8. program used to clean all data from the target drive you plan to use
  9. limit a civil investigation

SHORT ANSWER

  1. Describe the effects of scope creep on an investigation in the corporate environment.
  2. Describe with examples why the approach you take for a forensics case depends largely on the specific type of case you’re investigating.
  3. How should you approach a case in which an employee is suspected of industrial espionage?
  4. What are the file systems supported by FTK for forensic analysis?
  5. How does the Known File Filter program work?
  6. How can you validate the integrity of raw format image files with ProDiscover?
  7. How can you hide data by marking bad clusters?
  8. Briefly describe how to use steganography for creating digital watermarks.
  9. What are the basic guidelines to identify steganography files?
  10. Briefly describe the differences between brute-force attacks and dictionary attacks to crack passwords.

Chapter 10: Recovering Graphics Files

TRUE/FALSE

  1. Bitmap images are collections of dots, or pixels, that form an image.
     PTS: 1   REF: 398

  2. Operating systems do not have tools for recovering image files.
     PTS: 1   REF: 405

  3. If a graphics file is fragmented across areas on a disk, first you must recover all the fragments to re-create the file.
     PTS: 1   REF: 405

  4. With many computer forensics tools, you can open files with external viewers.
     PTS: 1   REF: 425

  5. Steganography cannot be used with file formats other than image files.
     PTS: 1   REF: 428

MULTIPLE CHOICE

  1. ____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
     a. Bitmap images
     b. Metafile graphics
     c. Vector graphics
     d. Line-art images
     PTS: 1   REF: 398

  2. You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
     a. graphics viewers
     b. image readers
     c. image viewers
     d. graphics editors
     PTS: 1   REF: 398

  3. ____ images store graphics information as grids of individual pixels.
     a. Bitmap
     b. Raster
     c. Vector
     d. Metafiles
     PTS: 1   REF: 398

  4. The process of converting raw picture data to another format is referred to as ____.
     a. JEIDA
     b. rastering
     c. demosaicing
     d. rendering
     PTS: 1   REF: 401

  5. The majority of digital cameras use the ____ format to store digital pictures.
     a. EXIF
     b. TIFF
     c. PNG
     d. GIF
     PTS: 1   REF: 401

  6. ____ compression compresses data by permanently discarding bits of information in the file.
     a. Redundant
     b. Lossy
     c. Huffman
     d. Lossless
     PTS: 1   REF: 404

  7. Recovering pieces of a file is called ____.
     a. carving
     b. slacking
     c. saving
     d. rebuilding
     PTS: 1   REF: 405

  8. A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10.
     a. EPS
     b. BMP
     c. GIF
     d. JPEG
     PTS: 1   REF: 408

  9. If you can’t open an image file in an image viewer, the next step is to examine the file’s ____.
     a. extension
     b. name
     c. header data
     d. size
     PTS: 1   REF: 414

  10. The uppercase letter ____ has a hexadecimal value of 41.
     a. “A”
     b. “C”
     c. “G”
     d. “Z”
     PTS: 1   REF: 417

  11. The image format XIF is derived from the more common ____ file format.
     a. GIF
     b. JPEG
     c. BMP
     d. TIFF
     PTS: 1   REF: 423

  12. The simplest way to access a file header is to use a(n) ____ editor.
     a. hexadecimal
     b. image
     c. disk
     d. text
     PTS: 1   REF: 423

  13. The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03.
     a. TIFF
     b. XIF
     c. JPEG
     d. GIF
     PTS: 1   REF: 425

  14. ____ is the art of hiding information inside image files.
     a. Steganography
     b. Steganalysis
     c. Graphie
     d. Steganos
     PTS: 1   REF: 425

  15. ____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
     a. Replacement
     b. Append
     c. Substitution
     d. Insertion
     PTS: 1   REF: 426

  16. ____ steganography replaces bits of the host file with other bits of data.
     a. Insertion
     b. Replacement
     c. Substitution
     d. Append
     PTS: 1   REF: 426

  17. In the following list, ____ is the only steg tool.
     a. EnCase
     b. iLook
     c. DriveSpy
     d. Outguess
     PTS: 1   REF: 429

  18. ____ has also been used to protect copyrighted material by inserting digital watermarks into a file.
     a. Encryption
     b. Steganography
     c. Compression
     d. Archiving
     PTS: 1   REF: 430

  19. When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations.
     a. international
     b. forensics
     c. copyright
     d. civil
     PTS: 1   REF: 430

  20. Under copyright laws, computer programs may be registered as ____.
     a. literary works
     b. motion pictures
     c. architectural works
     d. audiovisual works
     PTS: 1   REF: 430

  21. Under copyright laws, maps and architectural plans may be registered as ____.
     a. pantomimes and choreographic works
     b. artistic works
     c. literary works
     d. pictorial, graphic, and sculptural works
     PTS: 1   REF: 430

COMPLETION

  1. A graphics program creates and saves one of three types of image files: bitmap, vector, or ____________________.
  2. ____________________ is the process of coding data from a larger form to a smaller form.
  3. The ____________________ is the best source for learning more about file formats and their associated extensions.
  4. All ____________________ files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 2A.
  5. The two major forms of steganography are ____________________ and substitution.

MATCHING

Match each item with a statement below

a. Pixels
b. Hex Workshop
c. Adobe Illustrator
d. Microsoft Office Picture Manager
e. JPEG
f. Steganalysis tools
g. GIMP
h. XIF
i. Metafile graphics

  1. drawing program that creates vector files
  2. Gnome graphics editor
  3. image format derived from the TIFF file format
  4. combinations of bitmap and vector images
  5. short for “picture elements”
  6. are also called steg tools
  7. graphics file format that uses lossy compression
  8. tool used to rebuild image file headers
  9. Microsoft image viewer

SHORT ANSWER

  1. Briefly describe the Exchangeable Image File (EXIF) format.
  2. Explain how lossless compression relates to image file formats.
  3. How does vector quantization (VQ) compress data?
  4. Explain how someone can use a disk editor tool to mark clusters as “bad” clusters.
  5. Identify and describe some image viewers.
  6. Write a brief history of steganography.
  7. Describe how to hide information on an 8-bit bitmap image file using substitution steganography.
  8. Explain how steganalysis tools work.
  9. Give a brief overview of copyright laws pertaining to graphics within and outside the U.S.
  10. Present a list of categories covered under copyright laws in the U.S.

Chapter 11: Virtual Machines, Network Forensics, and Live Acquisitions

TRUE/FALSE

  1. When intruders break into a network, they rarely leave a trail behind.
     PTS: 1   REF: 442

  2. Network forensics is a fast, easy process.
     PTS: 1   REF: 447

  3. PsList from PsTools allows you to list detailed information about processes.
     PTS: 1   REF: 450

  4. With the Knoppix STD tools on a portable CD, you can examine almost any network system.
     PTS: 1   REF: 451

  5. Ngrep cannot be used to examine e-mail headers or IRC chats.
     PTS: 1   REF: 455

MULTIPLE CHOICE

  1. ____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.
     a. Broadcast forensics
     b. Network forensics
     c. Computer forensics
     d. Traffic forensics
     PTS: 1   REF: 442

  2. ____ hide the most valuable data at the innermost part of the network.
     a. Layered network defense strategies
     b. Firewalls
     c. Protocols
     d. NAT
     PTS: 1   REF: 442

  3. ____ forensics is the systematic tracking of incoming and outgoing traffic on your network.
     a. Network
     b. Computer
     c. Criminal
     d. Server
     PTS: 1   REF: 442

  4. ____ can be used to create a bootable forensic CD and perform a live acquisition.
     a. Helix
     b. DTDD
     c. Inquisitor
     d. Neon
     PTS: 1   REF: 445

  5. Helix operates in two modes: Windows Live (GUI or command line) and ____.
     a. command Windows
     b. remote GUI
     c. command Linux
     d. bootable Linux
     PTS: 1   REF: 445

  6. A common way of examining network traffic is by running the ____ program.
     a. Netdump
     b. Slackdump
     c. Coredump
     d. Tcpdump
     PTS: 1   REF: 448

  7. ____ is a suite of tools created by Sysinternals.
     a. EnCase
     b. PsTools
     c. R-Tools
     d. Knoppix
     PTS: 1   REF: 450

  8. ____ is a Sysinternals command that shows all Registry data in real time on a Windows computer.
     a. PsReg
     b. RegExplorer
     c. RegMon
     d. RegHandle
     PTS: 1   REF: 450

  9. The PSTools ____ kills processes by name or process ID.
     a. PsExec
     b. PsList
     c. PsKill
     d. PsShutdown
     PTS: 1   REF: 450

  10. ____ is a popular network intrusion detection system that performs packet capture and analysis in real time.
     a. Ethereal
     b. Snort
     c. Tcpdump
     d. john
     PTS: 1   REF: 451

  11. ____ is the U.S. DoD computer forensics lab’s version of the dd command that comes with Knoppix-STD.
     a. chntpw
     b. john
     c. memfetch
     d. dcfldd
     PTS: 1   REF: 451

  12. The Knoppix STD tool ____ enables you to reset passwords on a Windows computer, including the administrator password.
     a. chntpw
     b. john
     c. oinkmaster
     d. memfetch
     PTS: 1   REF: 451

  13. ____ are devices and/or software placed on a network to monitor traffic.
     a. Packet sniffers
     b. Bridges
     c. Hubs
     d. Honeypots
     PTS: 1   REF: 454

  14. Most packet sniffers operate on layer 2 or ____ of the OSI model.
     PTS: 1   REF: 454

  15. Most packet sniffer tools can read anything captured in ____ format.
     a. SYN
     b. DOPI
     c. PCAP
     d. AIATP
     PTS: 1   REF: 455

  16. In a(n) ____ attack, the attacker keeps asking your server to establish a connection.
     a. SYN flood
     b. ACK flood
     c. brute-force attack
     d. PCAP attack
     PTS: 1   REF: 455

  17. ____ is the text version of Ethereal, a packet sniffer tool.
     a. Tcpdump
     b. Ethertext
     c. Etherape
     d. Tethereal
     PTS: 1   REF: 455

  18. ____ is a good tool for extracting information from large Libpcap files.
     a. Nmap
     b. Tcpslice
     c. Pcap
     d. TCPcap
     PTS: 1   REF: 455

  19. The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.
     a. Honeynet
     b. Honeypot
     c. Honeywall
     d. Honeyweb
     PTS: 1   REF: 458

  20. Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack.
     a. ISPs
     b. soldiers
     c. zombies
     d. pawns
     PTS: 1   REF: 458

  21. A ____ is a computer set up to look like any other machine on your network, but it lures the attacker to it.
     a. honeywall
     b. honeypot
     c. honeynet
     d. honeyhost
     PTS: 1   REF: 459

COMPLETION

  1. ____________________ is a layered network defense strategy developed by the National Security Agency (NSA).
  2. The term ____________________ means how long a piece of information lasts on a system.
  3. ____________________ logs record traffic in and out of a network.
  4. The PSTools ____________________ tool allows you to suspend processes.
     ANS: PsSuspend
  5. The U.K. Honeynet Project has created the ____________________. It contains the honeywall and honeypot on a bootable memory stick.

MATCHING

Match each item with a statement below

a. Cyberforensics
b. Ethereal
c. Tripwire
d. PsGetSid
e. PsLoggedOn
f. Trojan horse
g. Knoppix
h. PsShutdown
i. oinkmaster

  1. displays who’s logged on locally
  2. displays the security identifier (SID) of a computer or user
  3. an audit control program that detects anomalies in traffic and sends an alert automatically
  4. usually refers to network forensics
  5. a bootable Linux CD intended for computer and network forensics
  6. shuts down and optionally restarts a computer
  7. helps manage snort rules so that you can specify what items to ignore as regular traffic and what items should raise alarms
  8. a network analysis tool
  9. type of malware

SHORT ANSWER

  1. Why is testing networks as important as testing servers?
  2. When are live acquisitions useful?
  3. What is the general procedure for a live acquisition?
  4. Detail a standard procedure for network forensics investigations.
  5. How should you proceed if your network forensic investigation involves other companies?
  6. Describe some of the Windows tools available at Sysinternals.
  7. What are some of the tools included with the PSTools suite?
  8. What is Knoppix-STD?
  9. What are some of the tools included with Knoppix STD?
  10. Explain The Auditor tool.

Chapter 12: E-mail Investigations

TRUE/FALSE

  1. For computer investigators, tracking intranet e-mail is relatively easy because the accounts use standard names established by the network or e-mail administrator.

PTS: 1 REF: 470

  1. You can always rely on the return path in an e-mail header to show the source account of an e-mail message.

PTS: 1 REF: 482

  1. E-mail programs either save e-mail messages on the client computer or leave them on the server.

PTS: 1 REF: 483

  1. All e-mail servers are databases that store multiple users’ e-mails.

PTS: 1 REF: 485

  1. Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.

PTS: 1 REF: 489

MULTIPLE CHOICE

  1. E-mail messages are distributed from one central server to many connected client computers, a configuration called ____.
a. client/server architecture c. client architecture
b. central distribution architecture d. peer-to-peer architecture

PTS: 1 REF: 469

  1. In an e-mail address, everything after the ____ symbol represents the domain name.

PTS: 1 REF: 470

  1. With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
a. command-line c. prompt-based
b. shell-based d. GUI

PTS: 1 REF: 472

  1. When working on a Windows environment you can press ____ to copy the selected text to the clipboard.
a. Ctrl+A c. Ctrl+V
b. Ctrl+C d. Ctrl+Z

PTS: 1 REF: 473

  1. To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click ____ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header.
a. Options c. Properties
b. Details d. Message Source

PTS: 1 REF: 473

  1. To retrieve an Outlook Express e-mail header, right-click the message, and then click ____ to open a dialog box showing general information about the message.
a. Properties c. Details
b. Options d. Message Source

PTS: 1 REF: 473

  1. For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command.
a. prn c. prnt
b. print d. prt

PTS: 1 REF: 477

  1. To view AOL e-mail headers click Action, ____ from the menu.
a. More options c. Options
b. Message properties d. View Message Source

PTS: 1 REF: 478

  1. To view e-mail headers on Yahoo! click the ____ link in the Mail Options window, and then click Show all headers on incoming messages.
a. Advanced c. Message Properties
b. General Preferences d. More information

PTS: 1 REF: 480

  1. In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.
a. .ost c. .msg
b. .eml d. .pst

PTS: 1 REF: 483

  1. ____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names.

PTS: 1 REF: 484

  1. ____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.
a. Continuous logging c. Circular logging
b. Automatic logging d. Server logging

PTS: 1 REF: 485

  1. The files that provide helpful information to an e-mail investigation are log files and ____ files.
a. batch c. scripts
b. configuration d. .rts

PTS: 1 REF: 487

  1. ____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside.
a. /etc/sendmail.cf c. /etc/var/log/maillog
b. /etc/syslog.conf d. /var/log/maillog

PTS: 1 REF: 487

  1. Typically, UNIX installations are set to store logs such as maillog in the ____ directory.
a. /etc/Log c. /etc/var/log
b. /log d. /var/log

PTS: 1 REF: 488

  1. Exchange logs information about changes to its data in a(n) ____ log.
a. checkpoint c. transaction
b. communication d. tracking

PTS: 1 REF: 489

  1. In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.
a. tracking c. temporary
b. checkpoint d. milestone

PTS: 1 REF: 489

  1. The Novell e-mail server software is called ____.
a. Sendmail c. Sawmill
b. GroupWise d. Guardian

PTS: 1 REF: 491

  1. GroupWise has ____ ways of organizing the mailboxes on the server.

PTS: 1 REF: 491

  1. The GroupWise logs are maintained in a standard log format in the ____ folders.
a. MIME c. QuickFinder
b. mbox d. GroupWise

PTS: 1 REF: 491

  1. Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format.
a. POP3 c. MIME
b. mbox d. SMTP

PTS: 1 REF: 500

COMPLETION

  1. You can send and receive e-mail in two environments: via the ____________________ or an intranet (an internal network).
  1. An e-mail address in the Return-Path line of an e-mail header is usually indicated as the ____________________ field in an e-mail message.
  1. Administrators usually set e-mail servers to ____________________ logging mode.
  1. In UNIX e-mail servers, the ____________________ file simply specifies where to save different types of e-mail log files.
  1. Vendor-unique e-mail file systems, such as Microsoft .pst or .ost, typically use ____________________ formatting, which can be difficult to read with a text or hexadecimal editor.

MATCHING

Match each item with a statement below:

a. Contacts
b. Pico
c. syslogd file
d. www.arin.net
e. PU020101.db
f. Notepad
g. Cisco PIX
h. www.whatis.com
i. Pine
  1. Web site to check file extensions and match the file to a program
  1. command line e-mail program used with UNIX
  1. text editor used with Windows
  1. the first folder the GroupWise server shares
  1. text editor used with UNIX
  1. the electronic address book in Outlook
  1. a network firewall device
  1. a registry Web site
  1. includes e-mail logging instructions

SHORT ANSWER

  1. Describe how e-mail account names are created on an intranet environment.
  1. Describe the process of examining e-mail messages when you have access to the victim’s computer and when this access is not possible.
  1. What are the steps for retrieving e-mail headers on Pine?
  1. What are the steps for viewing e-mail headers in Hotmail?
  1. What kind of information can you find in an e-mail header?
  1. Explain how to handle attachments during an e-mail investigation.
  1. Why are network router logs important during an e-mail investigation?
  1. What kind of information is normally included in e-mail logs?
  1. Provide a brief description of Microsoft Exchange Server. Additionally, explain the differences between .edb and .stm files.
  1. Briefly explain how to use AccessData FTK to recover e-mails.

Chapter 13: Cell Phone and Mobile Device Forensics

TRUE/FALSE

  1. Many people store more information on their cell phones than they do on their computers.

PTS: 1 REF: 514

  1. Investigating cell phones and mobile devices is a relatively easy task in digital forensics.

PTS: 1 REF: 514

  1. TDMA can operate in the cell phone (800 to 1000 MHz) or PCS (1900 MHz) frequency.

PTS: 1 REF: 516

  1. Typically, phones developed for use on a GSM network are compatible with phones designed for a CDMA network.

PTS: 1 REF: 516

  1. Portability of information is what makes SIM cards so versatile.

PTS: 1 REF: 517

MULTIPLE CHOICE

  1. Developed during WWII, this technology, ____, was patented by Qualcomm after the war.
a. iDEN c. GSM
b. CDMA d. EDGE

PTS: 1 REF: 515

  1. The ____ digital network divides a radio frequency into time slots.
a. TDMA c. FDMA
b. CDMA d. EDGE

PTS: 1 REF: 515

  1. The ____ network is a digital version of the original analog standard for cell phones.
a. TDMA c. CDMA
b. EDGE d. D-AMPS

PTS: 1 REF: 515

  1. The ____ digital network, a faster version of GSM, is designed to deliver data.
a. TDMA c. EDGE
b. iDEN d. D-AMPS

PTS: 1 REF: 515

  1. TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life.
a. IS-136 c. IS-236
b. IS-195 d. IS-361

PTS: 1 REF: 516

  1. Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips.
a. EROM c. EEPROM
b. PROM d. ROM

PTS: 1 REF: 517

  1. ____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM.
a. SD c. SDD
b. MMC d. SIM

PTS: 1 REF: 517

  1. ____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth.
a. SDHCs c. CFs
b. PDAs d. MMCs

PTS: 1 REF: 518

  1. The file system for a SIM card is a ____ structure.
a. volatile c. hierarchical
b. circular d. linear

PTS: 1 REF: 520

  1. The SIM file structure begins with the root of the system (____).

PTS: 1 REF: 520

  1. Paraben Software is a leader in mobile forensics software and offers several tools, including ____, which can be used to acquire data from a variety of phone models.
a. BitPim c. MOBILedit!
b. DataPilot d. Device Seizure

PTS: 1 REF: 522

  1. In a Windows environment, BitPim stores files in ____ by default.
a. My Documents\BitPim c. My Documents\BitPim\Forensics Files
b. My Documents\Forensics Files\BitPim d. My Documents\BitPim\Files

PTS: 1 REF: 522

  1. ____ is a forensics software tool containing a built-in write blocker.
a. GSMCon c. SIMedit
b. MOBILedit! d. 3GPim

PTS: 1 REF: 522

COMPLETION

  1. So far, there have been three generations of mobile phones: analog, digital personal communications service (PCS), and ____________________.
  1. Most Code Division Multiple Access (CDMA) networks conform to IS-95, created by the ______________________.
  1. Global System for Mobile Communications (GSM) uses the ______________________ technique, so multiple phones take turns sharing a channel.
  1. The 3G standard was developed by the ______________________ under the United Nations.
  1. Mobile devices can range from simple phones to small computers, also called ______________________.

MATCHING

Match each item with a statement below:

a. CDMA
b. iDEN
c. EDGE
d. ROM
  1. proprietary protocol developed by Motorola
  1. nonvolatile memory
  1. standard developed specifically for 3G
  1. one of the most common digital networks, it uses the full radio frequency spectrum to define channels

SHORT ANSWER

  1. What is some of the information that can be stored in a cell phone?
  1. What is the bandwidth offered by 3G mobile phones?
  1. What are the three main components used for cell phone communications?
  1. Briefly describe cell phone hardware.
  1. Identify several uses of SIM cards.
  1. Identify and define three kinds of peripheral memory cards used with PDAs.
  1. How can you isolate a mobile device from incoming signals?
  1. What are the four categories of information that can be retrieved from a SIM card?
  1. What is the general procedure to access the content on a mobile phone SIM card?
  1. What are some of the features offered by SIMCon?

Chapter 14: Report Writing for High-Tech Investigations

TRUE/FALSE

  1. Besides presenting facts, reports can communicate expert opinion.

PTS: 1 REF: 530

  1. A verbal report is more structured than a written report.

PTS: 1 REF: 532

  1. If you must write a preliminary report, use words such as “preliminary copy,” “draft copy,” or “working draft.”

PTS: 1 REF: 535

  1. As with any research paper, write the report abstract last.

PTS: 1 REF: 536

  1. When writing a report, use a formal, technical style.

PTS: 1 REF: 537

MULTIPLE CHOICE

  1. Attorneys can now submit documents electronically in many courts; the standard format in federal courts is ____.
a. Microsoft Word (DOC) c. Encapsulated Postscript (EPS)
b. Portable Document Format (PDF) d. Postscript (PS)

PTS: 1 REF: 531

  1. A(n) ____ is a document that lets you know what questions to expect when you are testifying.
a. written report c. examination plan
b. affidavit d. subpoena

PTS: 1 REF: 532

  1. You can use the ____ to help your attorney learn the terms and functions used in computer forensics.
a. verbal report c. final report
b. preliminary report d. examination plan

PTS: 1 REF: 532

  1. A written report is frequently a(n) ____ or a declaration.
a. subpoena c. deposition
b. affidavit d. perjury

PTS: 1 REF: 532

  1. If a report is long and complex, you should provide a(n) ____.
a. appendix c. table of contents
b. glossary d. abstract

PTS: 1 REF: 536

  1. A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute).
a. written report c. examination plan
b. verbal report d. cross-examination report

PTS: 1 REF: 532

  1. In the past, the method for expressing an opinion has been to frame a ____ question based on available factual evidence.
a. hypothetical c. challenging
b. nested d. contradictory

PTS: 1 REF: 533

  1. An expert’s opinion is governed by FRE, Rule ____, and the corresponding rule in many states.
a. 705 c. 805
b. 755 d. 855

PTS: 1 REF: 534

  1. Remember that anything you write down as part of your examination for a report is subject to ____ from the opposing attorney.
a. subpoena c. publishing
b. discovery d. deposition

PTS: 1 REF: 535

  1. A written preliminary report is considered a ____ document because opposing counsel can demand discovery on it.
a. low-risk c. high-risk
b. middle-risk d. no-risk

PTS: 1 REF: 535

  1. The abstract should be one or two paragraphs totaling about 150 to ____ words.
a. 200 c. 300
b. 250 d. 350

PTS: 1 REF: 536

  1. ____ provide additional resource material not included in the body of the report.
a. Conclusion c. Discussion
b. References d. Appendixes

PTS: 1 REF: 536

  1. Typically, report writers use one of two numbering systems: decimal numbering or ____ numbering.
a. legal-sequential c. arabic-sequential
b. roman-sequential d. letter-sequential

PTS: 1 REF: 538

  1. A report using the ____ numbering system divides material into sections and restarts numbering with each main section.
a. roman-sequential c. legal-sequential
b. decimal d. indent

PTS: 1 REF: 538

  1. In the main section of your report, you typically cite references with the ____ enclosed in parentheses.
a. year of publication and author’s last name
b. author’s last name
c. author’s last name and year of publication
d. year of publication

PTS: 1 REF: 541

  1. Save broader generalizations and summaries for the report’s ____.
a. appendixes c. conclusion
b. introduction d. discussion

PTS: 1 REF: 541

  1. The report’s ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements.
a. abstract c. introduction
b. conclusion d. reference

PTS: 1 REF: 541

  1. If necessary, you can include ____ containing material such as raw data, figures not used in the body of the report, and anticipated exhibits.
a. conclusions c. references
b. discussions d. appendixes

PTS: 1 REF: 542

  1. Reports and logs generated by forensic tools are typically in plaintext format, a word processor format, or ____ format.
a. PDF c. PS
b. HTML d. TXT

PTS: 1 REF: 543

  1. Files with extensions .ods and ____ are created using OpenOffice Calc.
a. .sxc c. .dcx
b. .xls d. .qpr

PTS: 1 REF: 543

  1. Files with extension ____ are created using Microsoft Outlook Express.
a. .sxc c. .dbx
b. .doc d. .ods

PTS: 1 REF: 543

COMPLETION

  1. Lawyers use services called _________________________ (libraries), which store examples of expert witnesses’ previous testimony.
  1. The report body consists of the introduction and _________________________ sections.
  1. When writing a report, _________________________ means the tone of language you use to address the reader.
  1. _________________________ assist readers in scanning the text quickly by highlighting the main points and logical development of information.
  1. The ______________________________ system is frequently used when writing pleadings.

MATCHING

Match each item with a statement below:

a. Decimal numbering
b. Lay witness
c. FTK
d. Examination plan
e. Signposts
f. Verbal report
g. Spoliation
h. Conclusion section
i. MD5
  1. draw reader’s attention to a point in your report.
  1. a report layout system
  1. used by an attorney to guide an expert witness in his or her testimony
  1. computer forensics software tool
  1. lawyers’ jargon for destroying or concealing evidence
  1. stands for Message Digest 5
  1. typically takes place in an attorney’s office where the attorney requests your consultant’s report
  1. starts by referring to the report’s purpose, states the main points, draws conclusions, and possibly renders an opinion
  1. a witness testifying to personally observed facts

SHORT ANSWER

  1. What are the report requirements for civil cases as specified on Rule 26, FRCP?
  1. Briefly explain how to limit your report to specifics.
  1. What are the areas of investigation usually addressed by a verbal report?
  1. Explain how hypothetical questions can be used to ensure that you as a witness are basing your opinion on facts expected to be supported by evidence.
  1. What are the four conditions required for an expert witness to testify to an opinion or conclusion?
  1. What is the basic structure of a report?
  1. Provide some guidelines for writing an introduction section for a report.
  1. What do you need to consider to produce clear, concise reports?
  1. Explain how to use supportive material on a report.
  1. How should you explain examination and data collection methods?

Chapter 15: Expert Testimony in High-Tech Investigations

TRUE/FALSE

  1. As an expert witness, you have opinions about what you have found or observed.

PTS: 1 REF: 558

  1. Create a formal checklist of your procedures that’s applied to all your cases or include such a checklist in your report.

PTS: 1 REF: 559

  1. As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.

PTS: 1 REF: 559

  1. Like a job resume, your CV should be geared for a specific trial.

PTS: 1 REF: 561

  1. Part of what you have to deliver to the jury is a person they can trust to help them figure out something that’s beyond their expertise.

PTS: 1 REF: 565

MULTIPLE CHOICE

  1. When cases go to trial, you as a forensics examiner can play one of ____ roles.

PTS: 1 REF: 558

  1. When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
a. technical/scientific c. lay witness
b. expert d. deposition

PTS: 1 REF: 558

  1. Validate your tools and verify your evidence with ____ to ensure its integrity.
a. hashing algorithms c. steganography
b. watermarks d. digital certificates

PTS: 1 REF: 559

  1. For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you’re constantly enhancing your skills through training, teaching, and experience.
a. testimony c. examination plan
b. CV d. deposition

PTS: 1 REF: 561

  1. If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training.

PTS: 1 REF: 561

  1. ____ is a written list of objections to certain testimony or exhibits.
a. Defendant c. Plaintiff
b. Empanelling the jury d. Motion in limine

PTS: 1 REF: 562

  1. Regarding a trial, the term ____ means rejecting potential jurors.
a. voir dire c. strikes
b. rebuttal d. venireman

PTS: 1 REF: 563

  1. ____ from both plaintiff and defense is an optional phase of the trial. Generally, it’s allowed to cover an issue raised during cross-examination.
a. Rebuttal c. Closing arguments
b. Plaintiff d. Opening statements

PTS: 1 REF: 563

  1. If a microphone is present during your testimony, place it ____ to eight inches from you.

PTS: 1 REF: 565

  1. Jurors typically average just over ____ years of education and an eighth-grade reading level.

PTS: 1 REF: 565

  1. ____ is an attempt by opposing attorneys to prevent you from serving on an important case.
a. Conflict of interest c. Deposition
b. Warrant d. Conflicting out

PTS: 1 REF: 568

  1. ____ evidence is evidence that exonerates or diminishes the defendant’s liability.
a. Rebuttal c. Inculpatory
b. Plaintiff d. Exculpatory

PTS: 1 REF: 569

  1. You provide ____ testimony when you answer questions from the attorney who hired you.
a. direct c. examination
b. cross d. rebuttal

PTS: 1 REF: 569

  1. The ____ is the most important part of testimony at a trial.
a. cross-examination c. rebuttal
b. direct examination d. motions in limine

PTS: 1 REF: 569

  1. Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony.
a. setup c. compound
b. open-ended d. rapid-fire

PTS: 1 REF: 569

  1. Leading questions such as “Isn’t it true that forensics experts always destroy their handwritten notes?” are referred to as ____ questions.
a. hypothetical c. setup
b. attorney d. nested

PTS: 1 REF: 570

  1. Sometimes opposing attorneys ask several questions inside one question; this practice is called ____ questions.
a. leading c. compound
b. hypothetical d. rapid-fire

PTS: 1 REF: 571

  1. A ____ differs from a trial testimony because there is no jury or judge.
a. rebuttal c. civil case
b. plaintiff d. deposition

PTS: 1 REF: 573

  1. There are two types of depositions: ____ and testimony preservation.
a. examination c. direct
b. discovery d. rebuttal

PTS: 1 REF: 573

  1. Discuss any potential problems with your attorney ____ a deposition.
a. before c. during
b. after d. during direct examination at

PTS: 1 REF: 574

  1. A(n) ____ hearing generally addresses the administrative agency’s subject matter and seeks evidence in your testimony on a subject for which it’s contemplating making a rule.
a. administrative c. legislative
b. judicial d. direct

PTS: 1 REF: 575

COMPLETION

  1. The ______________________ of evidence supports the integrity of your evidence.
  1. Depending on your attorney’s needs, you might provide only your opinion and technical expertise to him or her instead of testifying in court; this role is called a(n) _______________________.
  1. _____________________ is a pretrial motion to exclude certain evidence because it would prejudice the jury.
  1. At a trial, _____________________ are statements that organize the evidence and state the applicable law.
  1. The purpose of the _____________________ is for the opposing attorney to preview your testimony before trial.

MATCHING

Match each item with a statement below:

a. Plaintiff
b. Motion in limine
c. Voir dire of venireman
d. Opening statements
e. Discovery deposition
f. CV
g. Testimony preservation deposition
h. Voir dire
i. MD5
  1. part of the discovery process for trial
  1. presents the case during a trial
  1. provide an overview of the case during a trial
  1. questioning potential jurors to see whether they’re qualified
  1. usually requested by your client to preserve your testimony in case of schedule conflicts or health problems
  1. a hashing algorithm
  1. lists your professional experience
  1. an expert witness qualification phase
  1. allows the judge to decide whether certain evidence should be admitted when the jury isn’t present

SHORT ANSWER

  1. What are the differences between a technical or scientific witness and an expert witness?
  1. What should you do when preparing for testimony?
  1. What are some of the questions you should consider when preparing your testimony?
  1. What are some of the technical definitions that you should prepare before your testimony?
  1. What are some of the reasons to avoid contact with news media during a case?
  1. What are the procedures followed during a trial?
  1. What should you do when you find exculpatory evidence?
  1. How can you deal with rapid-fire questions during a cross-examination?
  1. Explain the differences between discovery deposition and testimony preservation deposition.
  1. Briefly describe judicial hearings.

Chapter 16: Ethics for the Expert Witness

TRUE/FALSE

  1. People need ethics to help maintain their balance, especially in difficult and contentious situations.

PTS: 1 REF: 596

  1. In the United States, there’s no state or national licensing body for computer forensics examiners.

PTS: 1 REF: 597

  1. Experts should be paid in full for all previous work and for the anticipated time required for testimony.

PTS: 1 REF: 600

  1. Expert opinions cannot be presented without stating the underlying factual basis.

PTS: 1 REF: 601

  1. The American Bar Association (ABA) is a licensing body.

PTS: 1 REF: 603

MULTIPLE CHOICE

  1. The most important laws applying to attorneys and witnesses are the ____.
a. professional codes of conduct c. rules of evidence
b. rules of ethics d. professional ethics

PTS: 1 REF: 597

  1. Computer forensics examiners have two roles: scientific/technical witness and ____ witness.
a. expert c. discovery
b. direct d. professional

PTS: 1 REF: 597

  1. Attorneys search ____ for information on expert witnesses.
a. disqualification banks c. examination banks
b. deposition banks d. cross-examination banks

PTS: 1 REF: 598

  1. ____ questions can give you the factual structure to support and defend your opinion.
a. Setup c. Rapid-fire
b. Compound d. Hypothetical

PTS: 1 REF: 601

  1. FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
a. 702 c. 704
b. 703 d. 705

PTS: 1 REF: 601

  1. FRE ____ describes whether the basis for the testimony is adequate.
a. 700 c. 702
b. 701 d. 703

PTS: 1 REF: 601

  1. The ABA’s ____ contains provisions limiting the fees experts can receive for their services.
a. Code 703 c. Rule 26
b. Model Code d. Code 26-1.a

PTS: 1 REF: 603

  1. The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients.
a. ISFCE c. ABA
b. IACIS d. HTCIA

PTS: 1 REF: 603

  1. ____ are the experts who testify most often.
a. Civil engineers c. Chemical engineers
b. Computer forensics experts d. Medical professionals

PTS: 1 REF: 604

  1. ____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities.
a. AMA’s law c. APA’s Ethics Code
b. ABA’s Model Rule d. ABA’s Model Codes

PTS: 1 REF: 605

  1. The ____ Ethics Code cautions psychologists about the limitations of assessment tools.
a. ABA’s c. AMA’s
b. APA’s d. ADA’s

PTS: 1 REF: 605

COMPLETION

  1. _____________________ are the rules you internalize and use to measure your performance.
  1. _____________________ are standards that others apply to you or that you are compelled to adhere to by external forces, such as licensing bodies.
  1. Some attorneys contact many experts as a ploy to disqualify them or prevent opposing counsel from hiring them; this practice is called “____________________.”
  1. The ____________________ is the foundation of medical ethics.
  1. For psychologists, the most broadly accepted set of guidelines governing their conduct as experts is the _____________________ (APA’s) Ethical Principles of Psychologists and Code of Conduct.

MATCHING

Match each item with a statement below:

a. Ethics
b. Federal Rules of Evidence (FRE)
c. Disqualification
d. IACIS
  1. provides a well-defined, simple guide for expected behavior of computer forensics examiners
  1. prescribe the methods by which experts appear at trial
  1. one of the effects of violating court rules or laws
  1. help you maintain your self-respect and the respect of your profession

SHORT ANSWER

  1. Briefly describe the issues related to an attorney’s “opinion shopping.”
  1. What are some of the factors courts have used in determining whether to disqualify an expert?
  1. Describe some of the traps for unwary experts.
  1. What are some of the most obvious ethical errors?
  1. What are some of the guidelines included in the ISFCE code of ethics?
  1. What are some of the requirements included in the HTCIA core values?
  1. What are some of the standards for IACIS members that apply to testifying?
  1. What are the five recommendations set out by the AMA’s policy on expert witness testimony?
  1. Why is it difficult to enforce any professional organization’s ethical guidelines?
  1. What are the ethical responsibilities owed to you by your attorney?
