Computer Forensics IT357 Final Exam
Terms in this set (113)
Link files: Windows shortcuts (.lnk) that point to other files. Created automatically when a file of a registered type is opened in Windows, and they persist after the target has been deleted or the removable media it lived on has been unplugged. A .lnk records the target's path, size and timestamps, plus the volume serial number and label of the drive it was on. The creation date of a .lnk shows when the underlying file was first opened from that location; its modification date shows the most recent time it was opened.
The Fourth Amendment: the right against unreasonable search and seizure. A notable case is Terry v. Ohio (1968), which held that it is not a violation for a police officer to stop and frisk someone on the street without probable cause, provided the officer has a reasonable, articulable suspicion that the person has committed, is committing, or is about to commit a crime and may be armed.
The Sixth Amendment: the right to a speedy and public trial by an impartial jury of the state and district where the crime was committed. It also guarantees the assistance of counsel. Important to forensic investigators because they must produce their findings within the case's timeframe and not hold up the trial.
Affidavit. A written, sworn statement of fact voluntarily made by an affiant or deponent under oath or affirmation administered by a person authorized by law to do so. In forensics it is generally used to establish probable cause when applying for a search warrant.
Bag and tag
Any evidence seized should be secured (bagged) and labelled (tagged) with a unique identifier, so that it can be tracked through the chain of custody from the scene to the courtroom.
Bit stream image/bit by bit image/forensic image
An exact duplicate of a hard drive, down to the bits, including unallocated space and slack space. Used so that examination is done on the copy and no changes are made to the original evidence.
California v. Greenwood
Case in which police asked the garbage collector to hand over the suspect's curbside garbage, found evidence of drug use in it, and used that as the basis for a warrant to search the suspect's residence. The California courts had thrown the evidence out as a Fourth Amendment violation, but the U.S. Supreme Court reversed, holding that the protection would apply only if the suspect had a "subjective expectation of privacy in his garbage that society accepts as objectively reasonable", which is not the case for trash left at the curb for collection.
CAN-SPAM Act of 2003, 15 USC Section 7701: Controlling the Assault of Non-Solicited Pornography and Marketing Act. Enforced primarily by the FTC, with the DOJ handling the criminal provisions; other federal agencies and state attorneys general may also enforce it. Requires: no false or misleading header information, no deceptive subject lines, identification of the message as an advertisement, a valid physical postal address, a working opt-out mechanism that is honored promptly, and monitoring of what others do on your behalf.
Code Division Multiple Access. A cellular channel-access method in which all users share the same frequency band at the same time; each user's signal is spread with a unique code so the receiver can separate it from the others, as opposed to giving each user its own frequency or time slot.
Computer Fraud and Abuse Act, 18 USC Section 1030. The first major federal cybercrime law, passed in 1984 and amended in 1986, 1994, and 1996 (and several times since). Makes it illegal to access a 'protected computer' without authorization or in excess of authorization, and to transmit code that intentionally or recklessly damages a 'protected computer' (viruses, worms, etc.). Trafficking in passwords is a federal offense (a misdemeanor for a first offense). Enforced by the Secret Service and the FBI, or any other authorized agency.
Chain of custody
Every item of evidence must have a documented chain of custody: who collected it, when and where, who has had access to it, and every hand-off since. This is to show that the evidence has not been tampered with and to keep it admissible.
Copyright. An intellectual property right, strengthened by the No Electronic Theft Act of 1997. Gives the owner exclusive rights to copy the work, distribute it, display or perform it publicly, and create derivative works from it.
Daemon. A system program (a process) that usually runs in the background, either continuously, at a specific time, or in response to specified events. Often used for system maintenance. Historically a common target of exploits because daemons run with elevated privilege and accept input from the network. The Windows equivalents are services and system agents, e.g. the Event Log service.
Data fork. Classic Mac OS (HFS/HFS+) stores each file as a data fork and a resource fork. The data fork contains the raw file contents.
Deleted file. Formerly a file. On FAT the directory entry still exists but its first byte is overwritten with 0xE5 and the file's cluster chain in the FAT is zeroed, so the clusters are marked free and reused as needed. Until they are overwritten, the contents can generally be recovered. NTFS behaves similarly: the MFT record is marked unused but the data stays on disk.
Direct evidence. Based on first-hand knowledge; used to establish the relevance and context of physical evidence. An examiner may be called to testify that they personally obtained the evidence that incriminates the defendant.
Discovery. Legal term meaning that all evidence must be disclosed and made available to both parties before trial.
The Digital Millennium Copyright Act, 17 USC Section 1201. Makes it illegal under 1201(a)(1) to circumvent a technological measure that controls access to a copyrighted work; under 1201(a)(2) to manufacture or otherwise traffic in technology primarily designed to circumvent access controls; and under 1201(b)(1) to manufacture or otherwise traffic in technology primarily designed to circumvent copy protections (measures that protect a right of the copyright owner). Note that 1201(b) prohibits only trafficking in the tools, not the act of circumventing a copy control itself.
DNA and fingerprint evidence
Generally collected at the scene of a crime or investigation. Can be matched against a database, or, under court order or with the suspect's permission, a sample from the suspect can be compared with traces from the scene.
Electronic Communications Privacy Act of 1986 (ECPA). Specifies which electronic communications are private. Prohibits unauthorized access to and disclosure of private communications, government surveillance without a warrant or other appropriate court order, and unauthorized access by any third party. Title I (the Wiretap Act) restricts government interception of communications in transit; Title II (the Stored Communications Act) restricts access to stored communications; Title III covers pen registers and trap and trace devices.
E-discovery. Electronic discovery: the discovery phase of civil litigation applied to information stored in electronic form (email, documents, databases, backups).
Embezzlement. Theft or misappropriation of funds placed in one's trust or belonging to one's employer.
Exculpatory evidence. Evidence favorable to the defendant in a criminal trial that exonerates or tends to exonerate the defendant. It is the opposite of inculpatory evidence, which tends to prove guilt.
EXIF. Metadata embedded in image files. Can include the camera make and model that took the picture, where it was taken (GPS coordinates), when it was taken according to the camera's clock, and whether a program such as Photoshop has since modified it. The camera clock may be wrong or unset, so EXIF times should be corroborated against other sources.
Exigent circumstances. Exceptions to the requirement to obtain a warrant before acting. Usually apply in time-sensitive situations, or where evidence is about to be destroyed or a person is at risk of harm or death.
FAT, the File Allocation Table: a Windows file system. Its regions, in order, are: the reserved sectors (the boot sector and the BIOS parameter block); the FAT region, a table with one entry per cluster that chains together the clusters used by each file and directory and marks which are free; the root directory region, which holds the directory table storing metadata (name, attributes, timestamps, first cluster, size) for files and directories in the root folder; and the data region, where the actual file and directory contents are stored, which takes up most of the partition.
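The FAT directory layout and the way a FAT delete works (the entry survives with its first byte set to 0xE5 while the cluster chain is zeroed) are easiest to see on raw bytes. The following is an added example, not material from the course or flashcard set: it builds a constructed two-entry directory table and data region, parses the 32-byte 8.3 entries, keeps deleted entries instead of skipping them, and reads the deleted file back from its first cluster. Cluster size, the file names and the contents are all made up for the illustration.

```python
import struct
from datetime import datetime

ENTRY_SIZE = 32          # one 8.3 directory entry
ATTR_LFN = 0x0F          # VFAT long-file-name fragment, not a file entry
DELETED_MARK = 0xE5      # first name byte of an entry marked deleted
CLUSTER_SIZE = 512       # assumed cluster size of the constructed volume
FIRST_DATA_CLUSTER = 2   # FAT numbers data clusters starting at 2

def fat_encode_datetime(dt):
    """Pack a datetime into the FAT 16-bit time and date words."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return time, date

def fat_decode_datetime(time_word, date_word):
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def make_entry(name, ext, first_cluster, size, modified, deleted=False):
    """Build a constructed 32-byte directory entry (test data, not read from a disk)."""
    t, d = fat_encode_datetime(modified)
    raw = bytearray(name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii"))
    raw += bytes([0x20])                 # attribute byte: archive
    raw += bytes(10)                     # reserved, creation and access fields (zeroed here)
    raw += struct.pack("<HHHI", t, d, first_cluster, size)  # write time/date, first cluster, size
    if deleted:
        raw[0] = DELETED_MARK            # this is all a FAT delete does to the entry
    return bytes(raw)

def parse_directory(table: bytes) -> list:
    """Walk a directory table; deleted entries are kept and flagged instead of skipped."""
    entries = []
    for off in range(0, len(table) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = table[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:
            break                        # 0x00 marks the end of the used entries
        if raw[11] == ATTR_LFN:
            continue
        deleted = raw[0] == DELETED_MARK
        base = raw[0:8].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + raw[1:8].decode("ascii", "replace").rstrip()  # first char is lost
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        t, d, first_cluster, size = struct.unpack_from("<HHHI", raw, 22)
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "first_cluster": first_cluster,
            "size": size,
            "modified": fat_decode_datetime(t, d),
        })
    return entries

def recover_deleted(entries: list, data_region: bytes) -> dict:
    """Read deleted files back from their first cluster. Because the FAT chain was zeroed,
    this assumes the file was stored contiguously and its clusters have not been reused."""
    recovered = {}
    for e in entries:
        if e["deleted"]:
            start = (e["first_cluster"] - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
            recovered[e["name"]] = data_region[start:start + e["size"]]
    return recovered

# Constructed volume: one live file in cluster 2, one deleted file in cluster 3.
README_DATA = b"readme for the volume"
LEDGER_DATA = b"second set of books: cash payments to the supplier"
DATA_REGION = README_DATA.ljust(CLUSTER_SIZE, b"\x00") + LEDGER_DATA.ljust(CLUSTER_SIZE, b"\x00")
DIRECTORY = (
    make_entry("README", "TXT", 2, len(README_DATA), datetime(2013, 5, 14, 9, 30, 0))
    + make_entry("LEDGER", "DOC", 3, len(LEDGER_DATA), datetime(2013, 5, 20, 17, 45, 10), deleted=True)
    + bytes(ENTRY_SIZE)                  # all-zero entry: end of directory
)

if __name__ == "__main__":
    for e in parse_directory(DIRECTORY):
        print(e)
    print(recover_deleted(parse_directory(DIRECTORY), DATA_REGION))
```

The recovery step is only as good as its assumptions: once the chain is zeroed, nothing in the file system says which clusters after the first one belonged to the file, so a fragmented or partially overwritten file comes back wrong, and the first character of the name is gone for good (tools show it as an underscore or a question mark).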
Federal Rules of Evidence
Code of evidence law, effective in 1975, that applies in U.S. federal courts. It governs the proof of facts and the inferences drawn from those facts during the trial of civil and criminal cases.
File. A named collection of data on storage that is interpreted by a program and has some meaning to it.
File formats for different operating systems
Exist. I'll know em when I see em.
File systems for different OS
Exist. I'll know em when I see em.
Finder. The file manager built into Mac OS. Like 'My Computer' on Windows, it helps you locate and manipulate files.
Forensic image. An exact copy of an electronic medium down to the bits. Always hash the image (and the original) so that any later change between the original and the copy can be detected by comparing hashes.
Forensic Image, steps to create
Write-block the evidence drive. Make sure the target drive you are copying to is forensically clean. Make a bitstream image, a bit-by-bit identical copy of the original drive. Calculate and record the hash of the original and of the image; matching values show that nothing was changed in the process of creating the image.
Run a known file filter, which compares the hash value of every file against a hash set of known commercial (COTS) software so those files can be weeded out. Then run a file header/extension mismatch check, which flags files whose header bytes do not match their file extension (a common way to hide data). Then run a keyword 'string' search, developing the keyword list with the case agent. Finally bookmark files of interest and hand them to the case agent for review; they may mean more to the investigator than they do to you.
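The imaging and examination steps above, from hash verification through the known file filter, header/extension check and keyword search, as an added example that is not part of the flashcard set. It runs on a handful of constructed in-memory files standing in for files extracted from an image; the file names, contents, the one-entry known-hash set and the magic-number table are all assumptions made for the illustration (a real known file filter would use a published hash library such as the NSRL).

```python
import hashlib
import re

# Constructed sample "files" standing in for files extracted from an image
# (illustration only, not real case data). Names and contents are made up.
EVIDENCE_FILES = {
    "report.docx": b"PK\x03\x04" + bytes(60),                 # genuine OOXML/zip header
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(50),
    "notes.txt": b"meeting with the buyer at the warehouse, bring the ledger",
    "calc.exe": b"MZ\x90\x00" + bytes(60),                    # a known COTS binary
    "holiday.jpg": b"MZ\x90\x00" + bytes(40) + b"hidden",     # PE executable renamed to .jpg
}

# The "image" is the concatenation of the sample files; the hash recorded at
# acquisition is computed once here and then treated as the reference value.
IMAGE = b"".join(EVIDENCE_FILES.values())
RECORDED_HASH = hashlib.sha256(IMAGE).hexdigest()

# Hash set of known commercial software, as a known file filter would hold.
KNOWN_HASHES = {hashlib.sha256(EVIDENCE_FILES["calc.exe"]).hexdigest()}

# Expected leading bytes (magic numbers) by extension.
MAGIC = {
    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "pdf": [b"%PDF-"],
    "exe": [b"MZ"], "dll": [b"MZ"],
    "docx": [b"PK\x03\x04"], "zip": [b"PK\x03\x04"],
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_image(image: bytes, recorded_hash: str) -> bool:
    """Re-hash the image and compare with the value recorded at acquisition.
    Any difference means the copy no longer matches what was acquired."""
    return sha256_hex(image) == recorded_hash

def known_file_filter(files: dict, known_hashes: set) -> dict:
    """Drop files whose hash matches a known (COTS) file, leaving only files worth a look."""
    return {n: d for n, d in files.items() if sha256_hex(d) not in known_hashes}

def header_extension_mismatches(files: dict) -> list:
    """Names of files whose leading bytes do not match what the extension promises."""
    bad = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        expected = MAGIC.get(ext)
        if expected is not None and not any(data.startswith(m) for m in expected):
            bad.append(name)
    return bad

def keyword_search(files: dict, keywords: list) -> dict:
    """Case-insensitive search for each keyword; returns {filename: [keywords found]}."""
    pattern = re.compile(b"|".join(re.escape(k.encode()) for k in keywords), re.IGNORECASE)
    hits = {}
    for name, data in files.items():
        found = sorted({m.group(0).lower().decode() for m in pattern.finditer(data)})
        if found:
            hits[name] = found
    return hits

if __name__ == "__main__":
    print("image verified:", verify_image(IMAGE, RECORDED_HASH))
    remaining = known_file_filter(EVIDENCE_FILES, KNOWN_HASHES)
    print("after KFF:", sorted(remaining))
    print("header/extension mismatches:", header_extension_mismatches(remaining))
    print("keyword hits:", keyword_search(remaining, ["ledger", "warehouse", "hidden"]))
```

Two practical points the flashcards do not spell out: the known file filter only removes byte-identical copies, so a trojaned calc.exe with one byte changed sails straight through it, and the header check catches only the file types in your magic table, so keep that table large and check the whole header, not just the first two bytes, where a format allows it.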
Forensically clean media
Media that has been completely wiped, so that nothing from a previous case can contaminate the new image. The DoD 5220.22-M standard specified a 3-pass overwrite; on modern drives a single full overwrite (or an ATA secure erase for SSDs) is sufficient, and the important part is verifying afterwards that the media reads back as all zeros.
Forensics. The scientific method of gathering and examining information about the past for use in a court of law. From the Latin forensis, 'of or before the forum'. Basically the background work that happens before evidence is brought to court.
Fraud. A deception deliberately practiced in order to secure an unfair or unlawful gain.
FRE. Federal Rules of Evidence: the rules governing the admissibility of evidence in federal court. Exclusionary rules cover relevancy, privilege, expert opinion, hearsay, and authentication. These rules apply to digital evidence as well, which is why hashing and chain of custody matter for authentication.
Free (unallocated) space. Space on a hard disk that the file system considers available to be written to. It may still contain the data of deleted or temporary files that remains intact until the space is reused.
Global System for Mobile Communications. A standard developed by the European Telecommunications Standards Institute describing the protocols for second-generation (2G) cellular networks. GSM phones carry a removable SIM card, which holds the subscriber identity and can be examined separately from the handset.
Hackers & viruses
Know this stuff already.
Hash function. A function that maps digital data of arbitrary size to a fixed-size value. Used in forensics to show that no changes have been made between a copy of digital evidence and the original: the same input always gives the same hash, and any change to the input changes the hash. MD5 and SHA-1 are still common in tools; SHA-256 is preferred.
Hexadecimal. Base 16 rather than the usual base 10. Each hex digit represents four bits, so one byte is written as two hex digits (0x00 to 0xFF). Used by hex editors to display raw disk and file contents.
Inculpatory evidence. Evidence that tends to prove guilt. It is the opposite of exculpatory evidence.
index.dat. Internet Explorer's index files, which record cache entries, browsing history and cookies. Useful in a forensic investigation because the records survive clearing the visible history.
INFO2. Part of the Windows XP Recycle Bin. A hidden file in the Recycler folder that stores the original filename, path, size and deletion time of each file sent to the Recycle Bin.
Inodes. Data structures on Unix file systems that store information about files: size in bytes, the owner of the file, the group the file belongs to, creation, modification and last-access dates, file permissions, and the inode/vnode number, plus the pointers to the file's data blocks. The file name itself is stored in the directory, not in the inode.
Jurisdiction - types and how it is established
Determined in part by the Sixth Amendment (trial in the state and district where the crime was committed). The three main types are territorial, personal, and subject-matter jurisdiction. Geopolitically it is divided into local, state, national, and international levels. When a crime crosses state lines it generally becomes a federal matter, as with many computer crimes.
Katz v. US
389 U.S. 347 (1967). A Supreme Court case involving a gambling operation. The suspect transmitted wagering information from a public phone booth, and the government introduced a recording made by a listening device attached to the outside of the booth, arguing that there was no physical intrusion into the booth and therefore no search. The Supreme Court ruled against the government, holding that the Fourth Amendment 'protects people, not places': what a person seeks to keep private, even in a place accessible to the public, may be constitutionally protected. The 'reasonable expectation of privacy' test comes from this case.
Keystroke logger. Can be implemented in hardware or software. Its legality in the US falls under the ECPA/Wiretap Act, 18 U.S.C. 2510 et seq. A notable case is United States v. Scarfo (D.N.J. 2001), in which the FBI, under a warrant, installed a keystroke logger on the computer of a suspect in a gambling and loan-sharking investigation to capture the passphrase protecting a PGP-encrypted file. The federal judge in New Jersey ruled the evidence admissible and Scarfo entered a plea agreement. 'Magic Lantern' is the name reported in 2001 for FBI keystroke-logging software delivered remotely rather than by physical installation.
Know the laws and be able to apply them to a scenario
Known File Filters
Kyllo v. US
Kyllo v. United States (2001). Agents used a thermal imager from the street to scan the residence of a suspect believed to be growing marijuana; the heat signature was used to obtain a warrant to search the house. The 9th Circuit upheld the conviction, reasoning that the scan was not a 'search' because it only detected heat escaping from the home. The Supreme Court reversed, holding that using sense-enhancing technology not in general public use to learn details of the interior of a home that could not otherwise be obtained without physical intrusion is a search and requires a warrant.
Linux File Systems
Linux uses a Unix-style file system made up of: a boot block in each partition, containing the initial bootstrap program used to load the operating system; a superblock, containing an identifying magic number and indexing information about the file system; and cylinder (block) groups, each containing a backup copy of the superblock, inodes, data blocks, and a group header with statistics. Common examples are ext2, ext3 and ext4.
Locard's Exchange Principle
Every contact leaves a trace: anything brought into an investigation site leaves something behind that was not originally there and takes something away with it. Applied to digital forensics, this means the examiner's own actions (booting the drive, opening files) leave traces too, which is why write blockers and images are used.
Logical image. Contains only the files visible to the file system (allocated files and folders), not deleted data, slack space or unallocated space. A physical image is usually preferable.
Logical v. Physical image
A logical image contains only the allocated files that the file system presents. A physical image is a bit-by-bit forensic copy of the whole medium from which more information can be obtained, including slack and unallocated space, with the possibility of recovering deleted data.
Mac OS files. Files on classic Mac OS are divided into two parts: a data fork, which contains the raw contents, and a resource fork, which contains details of the formats used as well as icons and other resources and external links.
MAC times. Pieces of file system metadata that record when certain events last happened to a file: modification (M, last change to the contents), access (A, last read), and metadata change (C, last change to the inode, or on Windows the creation time). Timestamps can be altered by the user or by the tools used, so they are corroborated rather than trusted on their own.
Main types of cell phones
Include smartphones, which are essentially small computers and yield much of the same information you would obtain from a computer; conventional (feature) phones, which are fairly basic; prepaid phones, which are often treated as disposable and are harder to tie to an owner; and unlocked phones, which generally offer more options for examining or modifying the internal system data.
Metadata. Data about data. Examples include modification and creation dates, file size, file type, author and application fields in documents, and EXIF data in images.
Microsoft Management Console/MMC
Contains a number of snap-in tools for monitoring and managing Windows systems. One of these tools is the Windows Event Viewer, used to read the application, security and system logs.
Modus Operandi (M.O.)
The method of operation: a pattern or set of steps that an offender consistently follows when carrying out an act. In computer crime this includes the tools used, the times of activity, and the way intrusions are staged.
No Electronic Theft Act of 1997. Strengthens copyright and trademark law by making it a crime to infringe copyright even with no financial motive, and makes it possible to prosecute those who facilitate infringement. Applies to music, movies, and software. Criminal penalties are up to 5 years in prison and a $250,000 fine; a civil case can bring statutory damages of up to $150,000 per infringed work. Came in response to the unsuccessful prosecution in United States v. LaMacchia.
NTFS. A Windows file system. Components include the NTFS boot sector, where the BIOS parameter block is stored; the Master File Table (MFT), which holds a record for every file and directory with the information needed to retrieve it from the partition (small files are stored entirely inside their MFT record); file system data that resides outside the MFT; and a backup copy of the MFT.
Order of Volatility
Evidence most likely to change or be lost should be collected first. For electronic evidence that means the contents of RAM (running processes, network connections, encryption keys), which are lost when the computer is shut down, then swap and temporary files, then disk, and finally backups and archival media.
Packet sniffer. Software, and occasionally hardware, used to capture and analyze packets crossing a network. Wireshark is a widely used example.
USA PATRIOT Act, 2001. Reduced law enforcement restrictions on searches of phone, email, medical and financial records, and eased restrictions on intelligence gathering, monitoring, and the detention of immigrants suspected of terrorism-related activity. Expanded pen register and trap and trace authority to Internet traffic. Allowed roving wiretaps. Authorized delayed-notice secret searches ('sneak and peek'). Several provisions were set to expire in 2011 but were extended: roving wiretaps, government access to tangible items (business records), and surveillance of 'lone wolf' individuals suspected of terrorism.
Pen register. A device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by the instrument or facility from which a wire or electronic communication is sent (outgoing numbers, addresses), but not the contents of the communication.
Physical evidence. Something tangible that supports the prosecution's case, such as a log file, a disk, or the computer itself.
Physical image. A bit-by-bit forensic copy of the whole medium. More information can be obtained from it than from a logical image, including slack and unallocated space, and deleted data can possibly be recovered.
Ping. Tool used to determine whether a computer has network connectivity to another host, by sending ICMP echo requests and waiting for replies. Many hosts and firewalls drop ICMP, so no reply does not prove the host is down.
Plain view doctrine. Evidence in 'plain sight' of an officer who is lawfully present carries no expectation of privacy and may be seized and examined without a warrant.
Ponzi scheme. A fraudulent investment operation in which the operator, an individual or an organization, pays returns to existing investors out of the capital paid in by new investors rather than out of profit actually earned.
Port. A number used to address a network service on a host. An IP address gets you to a machine; a port gets you to a service on that machine (e.g. 80 for HTTP, 443 for HTTPS).
Private v. Public investigations
Police officers and government agents are public investigators. Private investigators do not have the same access to privileged documentation, do not have inherent authority to carry firearms or to compel evidence, and pay for their own equipment. A private (corporate) investigation is also not bound by the Fourth Amendment in the same way, but its findings may still end up in court.
Probable cause. A standard of proof requiring reasonable grounds to believe that a person has committed, is committing, or is about to commit a crime, or that evidence of a crime will be found in the place to be searched. Required for a search warrant; a higher bar than the reasonable suspicion needed for a Terry stop.
Profile of male & female hackers
Proper language for forensic report writing
Should be proofread and use correct grammar and spelling. Spell out any term, acronym or abbreviation that could be unknown to the reader, who may be a lawyer, juror or manager rather than a technician, and state facts and conclusions separately.
Protect America Act
Protect America Act of 2007. An amendment to the Foreign Intelligence Surveillance Act that expired in early 2008 (its core was carried on by the FISA Amendments Act of 2008). It loosened restrictions so that communications which begin or end overseas could be wiretapped by the government without court supervision. Controversial because it authorized eavesdropping on the international email and phone calls of US citizens without a warrant.
Pyramid scheme. A scheme in which the people at the top make the vast majority of the profits from those below them. The only way for a participant to make money is to recruit more people into the scheme.
RAID arrays and challenges gathering evidence
Difficult for forensic examiners to image, because the array usually has to be reassembled with the same controller and configuration (RAID level, stripe size, disk order) to reconstruct the data correctly. RAID arrays stripe or mirror data across several hard drives, so a single drive imaged on its own contains only fragments.
RCFL. Regional Computer Forensics Laboratory: a one-stop, full-service forensic laboratory and training center devoted entirely to the examination of digital evidence in support of criminal investigations. Duties consist of seizing and collecting digital evidence at a crime scene, conducting an impartial examination of submitted computer evidence, and testifying as required.
Recycler. Part of Windows XP. When files are sent to the Recycle Bin on an NTFS volume, they are stored under a hidden folder called Recycler, in a subfolder named after the user's SID, with the original names recorded in INFO2.
Registry Editor/Registry/Registry Keys
A hierarchical database of Windows configuration settings, comparable to the computer's central nervous system. Contains information about search terms, programs that were run or installed, web addresses typed, USB devices connected, and files and software recently opened. Edited with the Registry Editor (regedit) and stored on disk as hive files (SAM, SYSTEM, SOFTWARE, SECURITY, and each user's NTUSER.DAT). Made up of keys, which act like folders, and values, which hold the data.
Relational analysis. Looks for semantic, or meaningful, relationships between items. Used in forensics to determine what other evidence a given item relates to, and so to strengthen it.
Resource fork. The second part of a classic Mac OS file, containing details of the formats used as well as icons, other resources and external links. Files on Mac OS are divided into a data fork and a resource fork.
Roving wiretaps. Wiretap orders that are not tied to a particular phone line or device; they follow the named target across whatever communication facilities the person uses. Authorized for intelligence investigations by the Patriot Act.
Security Account Manager (SAM). A Windows registry hive that stores the local user accounts and their password hashes (LM and/or NTLM); it is used to authenticate logons with local accounts. Passwords are stored only in hashed form, never in plaintext, and the hive is locked while Windows runs, so it is normally extracted from a forensic image or a volume shadow copy.
Scienter. A legal term for intent or knowledge of wrongdoing: the offending party knew the act was wrong before committing it.
Search warrant. A court order issued by a magistrate or judge that authorizes law enforcement officers to search a person, location, or vehicle for evidence of a crime and to seize that evidence if found. It must describe the place to be searched and the things to be seized, and it cannot be issued in aid of civil process.
Sequential, circular, rotating logs
How a system writes and subsequently overwrites its logs during normal operation: once the log reaches its size limit the oldest entries are overwritten, so evidence in a rotating log is lost unless it is collected in time.
Slack Space & what you can find there
Refers to the storage area from the end of a stored file to the end of the last cluster allocated to it. Because the cluster may previously have belonged to another file, slack space can contain remnants of deleted files that are relevant to the suspect and usable by the prosecutor at trial.
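The slack arithmetic and a strings-style pass over a cluster's tail, as an added example that is not from the flashcard set. Cluster size (4096) and sector size (512) are assumed, and the cluster contents are constructed: a fragment of an old file sits deep in the cluster and a new 1000-byte file has been written over the front.

```python
import re

SECTOR_SIZE = 512
CLUSTER_SIZE = 4096      # assumed: 8 sectors per cluster (common NTFS default)

def slack_layout(file_size: int, cluster_size: int = CLUSTER_SIZE,
                 sector_size: int = SECTOR_SIZE) -> tuple:
    """Return (clusters, sector_slack, file_slack, total_slack) for a file of file_size bytes.
    sector_slack is the unused tail of the last sector the data ends in (the classic 'RAM slack');
    file_slack is the whole unused sectors left in the last cluster, which keep their old contents."""
    clusters = -(-file_size // cluster_size)              # ceiling division
    total_slack = clusters * cluster_size - file_size
    sector_slack = (-file_size) % sector_size
    file_slack = total_slack - sector_slack
    return clusters, sector_slack, file_slack, total_slack

def extract_slack(allocated: bytes, file_size: int) -> bytes:
    """Everything in the file's allocated clusters past its logical end."""
    return allocated[file_size:]

def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Runs of printable ASCII, as a strings(1)-style pass over slack would produce."""
    return [m.group(0).decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Constructed cluster: a deleted file's remnant deep in the cluster, then 1000 bytes of
# a new file written over the front. Nothing here comes from a real disk.
OLD_REMNANT = b"wire transfer to account 4111 1111 1111 1111 completed"
PREVIOUS_CONTENTS = (bytes(2000) + OLD_REMNANT).ljust(CLUSTER_SIZE, b"\x00")
NEW_FILE = b"A" * 1000
CLUSTER = NEW_FILE + PREVIOUS_CONTENTS[len(NEW_FILE):]

if __name__ == "__main__":
    print(slack_layout(len(NEW_FILE)))
    print(printable_strings(extract_slack(CLUSTER, len(NEW_FILE))))
```

A file of 1000 bytes leaves 3096 bytes of slack in a 4096-byte cluster: 24 bytes of sector slack (zero-filled by modern Windows) and 3072 bytes of file slack that the file system never touched. A logical copy of the file carries none of it; only a physical image does.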
Sneak & Peek
Delayed-notice secret searches, authorized by Section 213 of the Patriot Act: the search is carried out without the target being notified until later.
Spoofing. Making an email (or a packet, caller ID, etc.) look as though it came from someone or somewhere else, typically by forging the From header or the source address.
Steganography. Hiding information inside another file so that the existence of the hidden message is concealed. The file used to carry the information is called the cover file. Generally hard to detect by inspection. Applications may be legal or illegal and include digital watermarking, passing secret information, and hiding illicit documents.
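The simplest form of the technique, least-significant-bit embedding, as an added example not taken from the flashcard set: each bit of the secret replaces the low bit of one cover byte, so the cover changes by at most one intensity level per byte, which is why it is invisible to the eye. The cover is a constructed synthetic greyscale gradient rather than a real image file, and the 4-byte length prefix is a convention chosen for this example.

```python
def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for b in data:
        for i in range(7, -1, -1):
            yield (b >> i) & 1

def embed_lsb(cover: bytes, secret: bytes) -> bytes:
    """Replace the least-significant bit of successive cover bytes with the secret,
    prefixed by a 4-byte big-endian length so the extractor knows where to stop."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego: bytes) -> bytes:
    """Read the length prefix, then that many bytes, from the LSB plane."""
    def read(n_bytes: int, start: int) -> bytes:
        out = bytearray()
        for k in range(n_bytes):
            v = 0
            for i in range(8):
                v = (v << 1) | (stego[start + k * 8 + i] & 1)
            out.append(v)
        return bytes(out)
    length = int.from_bytes(read(4, 0), "big")
    return read(length, 32)

def changed_bytes(cover: bytes, stego: bytes) -> int:
    """How many bytes differ between cover and stego; each differs by at most one LSB."""
    return sum(1 for a, b in zip(cover, stego) if a != b)

# Constructed cover: a synthetic 64x64 8-bit greyscale gradient, not a real image file.
COVER = bytes(((x * 3 + y * 5) % 256) for y in range(64) for x in range(64))
SECRET = b"meet at dock 9, 02:00"

if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print(extract_lsb(stego))
    print(changed_bytes(COVER, stego), "of", len(COVER), "bytes changed")
```

Detection is not a matter of looking at the picture: examiners compare the suspect file against a known original if one exists, or run statistical tests on the LSB plane (chi-square or RS analysis), which this example does not implement. Note also that the payload lives in the pixel bytes, so saving the cover through a lossy format such as JPEG destroys it.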
Steps to investigate a crime scene
Secure the scene, then capture volatile evidence first (running processes, network connections, RAM contents) and make copies of it before it is lost; only then power down and image non-volatile storage. Document and photograph everything as found. Revisit.
Subpoena. The lowest standard of legal process under the ECPA, subject to prosecutorial discretion and issued without a judge's finding of probable cause. A summons or writ ordering a person to attend court or to produce records.
Timeline analysis. Analysis that produces a timeline of events by collecting the dates and times associated with files (MAC times), log entries and user activity, and ordering them so that the sequence of what happened can be reconstructed.
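The MAC times and inode cards above and the timeline analysis card here describe one workflow: pull each file's M, A and C timestamps along with its inode metadata, then flatten them into a single time-ordered list. The following is an added example, not part of the course material; it builds its own two-file test set in a temporary directory, backdating one file's times with os.utime, so that it runs anywhere without real evidence.

```python
import os
import tempfile
from datetime import datetime, timezone

def file_metadata(path: str) -> dict:
    """Inode-style metadata for one file: size, owner, mode, inode number and its MAC times."""
    st = os.stat(path)
    return {
        "path": path,
        "size": st.st_size,
        "uid": st.st_uid,
        "mode": oct(st.st_mode & 0o777),
        "inode": st.st_ino,
        "modified": st.st_mtime,   # M: last change to the contents
        "accessed": st.st_atime,   # A: last read (unreliable on volumes mounted noatime/relatime)
        "changed": st.st_ctime,    # C: last inode change on Unix; Windows reports creation time here
    }

def to_utc(ts: float) -> str:
    """Render an epoch timestamp in UTC so timelines from different machines line up."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def build_timeline(paths: list) -> list:
    """Flatten each file's M, A and C times into (utc_time, event, filename) rows, oldest first."""
    rows = []
    for p in paths:
        md = file_metadata(p)
        for event in ("modified", "accessed", "changed"):
            rows.append((to_utc(md[event]), event, os.path.basename(p)))
    return sorted(rows)

def demo_timeline() -> list:
    """Constructed file set: two files, one with M and A times backdated to 2020-01-01 UTC."""
    with tempfile.TemporaryDirectory() as d:
        old = os.path.join(d, "old_report.txt")
        new = os.path.join(d, "new_notes.txt")
        for p in (old, new):
            with open(p, "wb") as fh:
                fh.write(b"x" * 16)
        os.utime(old, (1577836800, 1577836800))   # sets A and M; C cannot be set from user space
        return build_timeline([old, new])

if __name__ == "__main__":
    for row in demo_timeline():
        print(*row)
```

The backdated file illustrates the point made on the MAC times card: M and A are trivially forged (one utime call), but on Unix the C time records when that forgery happened, so a file whose M time is years before its C time deserves a second look.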
Thumbs.db. A system-generated file that catalogues the images and movies in a folder so Windows can show thumbnail views. Automatically created when a user requests a thumbnail view. It can be out of sync with the actual contents of the folder: thumbnails of deleted or moved files remain. Analysis of it can help recreate the history of a folder or track the movement of a file.
Traditional crimes enhanced by the computer v. new computer crimes
Traditional crimes enhanced by the computer include fraud (online and mass-market fraud, phishing), malicious damage (hacking, DDoS, viruses), child sex offences, money laundering, theft (identity theft, piracy), and stalking (cyberstalking). New computer crimes are offences that could not exist without the computer, such as unauthorized access itself and the creation and distribution of malware.
Trap & Trace
A device or process that captures the incoming electronic or other impulses identifying the originating number, or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided that such information does not include the contents of any communication.
Typed URLs. URLs that the user typed into the address bar (recorded in the registry under TypedURLs for Internet Explorer) provide stronger evidence than cookies or cache entries, because they show intent rather than content loaded incidentally.
U.S. v. Ivanov
United States v. Ivanov (2001), with the companion case United States v. Gorshkov. An FBI sting in which two Russian suspects were lured to the US to meet undercover agents posing as a company, who provided a laptop so the suspects could demonstrate their hacking and security skills. The laptop was loaded with a keystroke logger, which recorded the usernames and passwords they typed while logging into their computers in Russia. Using those credentials, the FBI downloaded evidence from the Russian servers without a warrant. The court held that the Fourth Amendment did not apply to that remote access because the computers were located outside the United States and the defendants were non-resident aliens; Ivanov's court separately held that the CFAA reached his conduct even though he was in Russia when he attacked U.S. systems.
Unpartitioned space. Space on a hard drive that has not been assigned to any partition. It is not visible to the operating system but can still hold data, including an intentionally hidden partition.
Unix files systems
Made up of: a boot block in each partition, containing the initial bootstrap program used to load the operating system; a superblock, containing an identifying magic number and indexing information about the file system; and cylinder groups, each containing a backup copy of the superblock, inodes, data blocks, and a cylinder group header with statistics.
Virginia Computer Crimes Act
A state statute that makes it illegal to use a computer to commit fraud, trespass (access without authority), invade privacy, or obtain computer services without the proper authority from the computer's owner.
Warrant. A document issued by a judge or other authorized official authorizing the police or some other body to make an arrest, search premises, or carry out some other action relating to the administration of justice.
What is required to obtain digital info under the ECPA
To obtain stored digital information under the ECPA (the Stored Communications Act, 18 U.S.C. 2703), the process required depends on what is sought: basic subscriber records can be compelled with a subpoena, other non-content records need a court order, and the contents of communications held in electronic storage for 180 days or less require a warrant. A subpoena forces third-party providers to turn over customers' stored data; it does not reach communications in transit, which require a wiretap order, while a pen register or trap and trace yields only non-content routing data.
Where internet evidence can be found
Internet evidence can be found in the index.dat files, in the browser cache, in cookies, and in the Temporary Internet Files folder.
WHOIS. A lookup that can turn up registration and ownership information for a domain name or an IP address block, including the registrar, registration dates and contact details (often redacted or behind a privacy service).
Wiretapping. Listening in on and/or recording telephone, telegraph, or teletype communications by tapping into the wire or other conductor used for the communication. Regulated by the Wiretap Act (ECPA Title I) and expanded by the Patriot Act.
Write blocker. A hardware device (or software) placed between the evidence drive and the examination system that prevents any write to the drive while allowing reads, so that imaging and examination cannot alter the evidence.