
Computer Forensics

By the 1970s, electronic crimes were increasing, especially in the financial sector.
To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
Computer investigations and forensics fall into the same category: public investigations.
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.
Chain of custody is also known as chain of evidence.
ISPs can investigate computer abuse committed by their customers.
If a corporate investigator follows police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.
The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location.
One way to examine a partition's physical level is to use a disk editor, such as Norton DiskEdit, WinHex, or Hex Workshop.
For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.
A nonsteganographic graphics file has a different size than an identical steganographic graphics file.
Bitmap images are collections of dots, or pixels, that form an image.
FBI Computer Analysis and Response Team (CART)
The x was formed in 1984 to handle the increasing number of cases involving digital evidence.
Data recovery
x involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
Disaster Recovery
x involves preventing data loss by using backups, uninterruptible power supply (UPS) devices, and off-site monitoring.
computer investigations
The x group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.
In a x case, a suspect is tried for a criminal offense, such as burglary, murder, or molestation.
In general, a criminal case follows three stages: the complaint, the investigation, and the x.
Based on the incident or crime, the complainant makes a(n) x, an accusation or supposition of fact that a crime has been committed.
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) x.
It's the investigator's responsibility to write the affidavit, which must include x (evidence) that support the allegation to justify the warrant.
The affidavit must be under sworn oath to verify that the information in the affidavit is true.
line of authority
Published company policies provide a(n) x for a business to conduct internal investigations.
end user
A(n) x is a person using a computer to perform routine tasks other than systems administration.
standard risk assessment.
The list of problems you normally expect in the type of case you are handling is known as the x.
chain of custody
The basic plan for your investigation includes gathering the evidence, establishing the x, and performing the forensic analysis.
Email abuse
x investigations typically include spam, inappropriate and offensive message content, and harassment or threats.
bit-stream copy
A x is a bit-by-bit copy of the original storage medium.
forensics copy.
A bit-stream image is also known as a(n) x.
bit stream image
To create an exact image of an evidence disk, copying the x to a target work disk that's identical to the evidence disk is preferable.
repeatable findings.
In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as x.
critique the case.
After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and x.
data acquisition
For computer forensics, x is the task of collecting digital evidence from electronic media.
If the computer has an encrypted drive, a x acquisition is done if the password or passphrase is available.
creating a disk-to-image file.
The most common and flexible data-acquisition method is x.
If your time is limited, consider using a logical acquisition or x acquisition data copy method.
whole disk encryption
Microsoft has recently added x in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult.
Most federal courts have interpreted computer records as x evidence.
Generally, computer records are considered admissible if they qualify as a x record.
The FOIA (Freedom of Information Act) was originally enacted in the x.
much easier than
Investigating and controlling computer incident scenes in the corporate environment is x in the criminal environment.
reasonable suspicion
Every business or organization must have a well-defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a x that a law or policy is being violated.
Environmental and x issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.
initial-response field kit
With a(n) x you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
extensive-response field kit
A(n) x kit should include all the tools you can afford to take to the field.
Courts consider evidence data in a computer as x evidence.
Evidence is commonly lost or corrupted through professional x, which involves police officers and other professionals who aren't part of the crime scene processing team.
U.S. Department of Justice (DOJ)
Homeland Security
Patriot Act
Department of Defense
When seizing computer evidence in criminal investigations, follow the x standards for seizing digital data.
Windows 9x
During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older x or MS-DOS system.
Real-time surveillance requires x data transmissions between a suspect's computer and a network server.
check fraud.
The most common computer-related crime is x.
A x is a column of tracks on two or more disk platters.
Records in the MFT are referred to as x.
data runs
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are referred to as x.
virtual machine
A x allows you to create a representation of another computer on an existing physical computer.
investigation plan.
You begin any computer forensics case by creating a(n) x.
In civil and criminal cases, the scope is often defined by search warrants or x, which specify what data you can recover.
FTK and other computer forensics programs use x to tag and document digital evidence.
full-featured hexadecimal editor, computer forensics tool
Getting a hash value with a x is much faster and easier than with a(n) x.
Vector graphics
x are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
graphics editors
You use x to create, modify, and save bitmap, vector, and metafile graphics files.
x images store graphics information as grids of individual pixels.
Exchangeable Image File (EXIF)
The majority of digital cameras use the x format to store digital pictures.
carving or salvaging.
Recovering pieces of a file is called x
The image format XIF is derived from the more common x file format.
The simplest way to access a file header is to use a(n) x editor.
x steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
x steganography replaces bits of the host file with other bits of data.
x has also been used to protect copyrighted material by inserting digital watermarks into a file.
When working with image files, computer investigators also need to be aware of x laws to guard against copyright violations.
literary works
Under copyright laws, computer programs may be registered as x
pictorial, graphic, and sculptural.
Under copyright laws, maps and architectural plans may be registered as x
Computer Forensics
x involves obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases.
Fourth Amendment
The x to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.
assessment and risk management
When you work in the vulnerability x group, you test and verify the integrity of standalone workstations and network servers.
police blotter
The x provides a record of clues to crimes that have been committed previously.
password-cracking software
When you are dealing with password protected files, you might need to acquire x or find an expert who can help you crack the passwords.
During the x design or approach to the case, you outline the general steps you need to follow to investigate the case.
The Expert Witness format
x is the default format for acquisitions for Guidance Software EnCase.
There are two types of acquisitions: static acquisitions and x acquisitions.
Digital evidence
x can be any information stored or transmitted in digital form.
government agencies
Private-sector organizations include businesses and x that aren't involved in law enforcement.
expectation of privacy
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have a(n) x
limiting phrase
When an investigator finds a mix of information, judges often issue a(n) x to the warrant, which allows the police to separate innocent information from evidence.
hazardous materials (HAZMAT)
Some computer cases involve dangerous settings. For these types of investigations, you must rely on the skills of x teams to recover evidence from the scene.
x refers to a disk's structure of platters, tracks, and sectors.
In Microsoft file structures, sectors are grouped to form x, which are storage allocation units of one or more sectors.
Master Boot Record (MBR)
On Windows and DOS computer systems, the x stores information about partitions on a disk and their locations, size, and other important items.
Drive slack includes RAM slack (found primarily in older Microsoft OSs) and x slack.
Partition Boot Sector
On an NTFS disk, the first data set is the x, which starts at sector [0] of the disk.
For most law-enforcement-related computing investigations, the investigator is limited to working with data defined in the search x.
FTK provides two options for searching for keywords: indexed search and x search.
x search catalogs all words on the evidence disk so that FTK can find them quickly.
To generate reports with the FTK ReportWizard, first you need to x files during an examination.
The data-hiding technique x changes data from readable code to data that looks like binary executable code.
A graphics program creates and saves one of three types of image files: bitmap, vector, or x.
Data compression
x is the process of coding of data from a larger form to a smaller form.
The x is the best source for learning more about file formats and their associated extensions.