WGU Course C840 - Digital Forensics Quiz

Questions and Answers

What is the Electronic Communications Privacy Act (ECPA)?

18 U.S.C. 2252B

The Electronic Communications Privacy Act (ECPA)

Foreign Intelligence Surveillance Act (FISA) (correct)

The USA Patriot Act

Identification, preservation, collection, examination, analysis, and presentation are six classes in the matrix of __________.

the Certified-Forensic-Analyst

the DFRWS framework (correct)

The Rules of Evidence

the Forensic Toolkit

If you need to know what documents have been printed from the Macintosh, the __________ folder can give you that information.

/var/spool/cups (correct)

/Users//.bash_history log

/Library/Receipts

var/vm

What name is given to the result of acquiring a file as it is being updated?

slurred image

At which phase of the incident response does computer forensics begin?

eradication

What name is given to the process of searching memory in real time?

live system forensics

The American Heritage Dictionary defines __________ as 'the use of science and technology to investigate and establish facts in criminal or civil courts of law.'

forensics

Which Linux distribution is very popular with beginners?

Ubuntu

The subscriber identity module (SIM) is a memory chip that stores the __________.

international mobile subscriber identity (IMSI)

Which of the following is the definition of dump?

a complete copy of every bit of memory or cache recorded in permanent storage or printed on paper

The __________ is the continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court.

chain of custody

Suspects often overwhelm forensic analysts with false positives and false leads. This is referred to as __________.

data fabrication

What version of RAID are the following descriptors? Striped disks with dedicated parity combine three or more disks in a way that protects data against loss of any one disk.

RAID 3 or 4

__________ is/are the cyber-equivalent of vandalism.

DoS attacks

__________ is offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system.

Physical analysis

Linux offers many different shells. Each shell is designed for a different purpose. __________ is the most commonly used shell in Linux.

Bourne-again shell

The __________ standard for wireless communication of high-speed data for mobile devices is what is commonly called 4G.

long term evolution (LTE)

What term is used to describe a broad category of crime that can encompass many different activities, but essentially, any attempt to gain financial reward through deception?

fraud

A port is a number that identifies a channel in which communication can occur. Which port uses IRC chat rooms?

Port 194

Because Mac OS X is based on FreeBSD, you can use shell commands to extract information. The __________ command returns the hardware information for the host system.

system_profiler SPHardwareDataType

Which shell command is used to remove or delete empty directories?

rmdir

The __________ is a central controller coordinating the other pieces of the BSS.

base station controller (BSC)

The __________ release of Mac OS X had built-in support for iCloud to support cloud computing.

Mac OS X 10.8, named Mountain Lion

What was designed as an area where computer vendors could store data that is shielded from user activities?

host protected area

A __________ is used to send a test packet or echo packet to a machine to determine if the machine is reachable.

ping

The __________ command can be used to quickly catalog a suspect drive.

ls

A(n) __________ is an e-mail server that strips identifying information from an e-mail message before forwarding it.

anonymizer

A one-sided DVD (or digital video disc) can hold __________ gigabytes.

4.7

The __________ cipher is a method of encrypting alphabetic text by using a series of different monoalphabet ciphers.

Vigenère

__________ is a Linux Live CD that you use to boot a system and then use the tools.

BackTrack

Which of the following is the definition of basic input/output system (BIOS)?

the basic instructions stored on a chip for booting up the computer

What is meant by file slack?

the unused space between the logical end of file and the physical end of file

What term is used to describe information that forensic specialists use to support or interpret real or documentary evidence?

testimonial evidence

Essentially, a __________ is a special place on the hard drive where items from memory can be temporarily stored for fast retrieval.

swap file

__________ is a live-system forensic technique in which you collect a memory dump and perform analysis in an isolated environment.

Volatile memory analysis

The National Institute of Standards and Technology (NIST) guidelines list four different states a mobile device can be in when you extract data. Devices are in the __________ state when received from the manufacturer.

nascent

The art and science of writing hidden messages is the definition of what?

steganography

__________ is essentially data about the data. In the case of files, it can include creation time/date, size, and last modified date.

Metadata

What is meant by three-way handshake?

The process of connecting to a server that involves three packets being exchanged

It has been claimed that __________ of all computers connected to the Internet have spyware.

80 %

Hard drives eventually age and begin to encounter problems. You can use the __________ command to help with that.

fsck

In the Linux boot process, the MBR loads up a(n) __________ program, such as LILO.

boot loader

What name is given to a protocol used to send e-mail that works on port 25?

Simple Mail Transfer Protocol (SMTP)

What is meant by steganalysis?

the determination of whether a file or communication hides other information

_________ is the method used by password crackers who work with pre-calculated hashes of all passwords possible.

Rainbow table

RFC 3864 describes message header field names. Message-ID of the message to which there is a reply refers to which of the following options?

references

What term is used to describe the determination of whether a file or communication hides other information?

steganasis

What is meant by symmetric cryptography?

those methods where the same key is used to encrypt and decrypt the plaintext

The chief information officer of an accounting firm believes sensitive data is being exposed on the local network. Which tool should the IT staff use to gather digital evidence about this security vulnerability?

Sniffer

A police detective investigating a threat traces the source to a house. How should the detective legally gain access to the computer?

Obtain consent to search from the parents

How should a forensic scientist obtain the network configuration from a Windows PC before seizing it from a crime scene?

By using the ipconfig command from a command prompt on the computer

Which digital evidence should a forensic investigator collect to investigate a phishing incident involving a bank account?

Browser cache

Which digital evidence should be collected after a dedicated messaging server is hacked?

Firewall logs

Which type of evidence should a forensics investigator use to identify the source of a hack?

Network transaction logs

What is the first thing a forensic scientist should do upon arriving at a crime scene?

Photograph all evidence in its original place

Which method of copying digital evidence ensures proper evidence collection?

Make the copy at the bit-level

Which action should a forensic investigator take first when arriving at a scene with a malware-infected computer?

Unplug the computer's Ethernet cable

What are the three basic tasks a systems forensic specialist must keep in mind when handling evidence during a cybercrime investigation?

1, 3, 7

How do forensic specialists show that digital evidence was handled in a protected manner during the evidence collection process?

Chain of custody

Which characteristic applies to magnetic drives compared to solid-state drives (SSDs)?

Lower cost

Which characteristic applies to solid-state drives (SSDs) compared to magnetic drives?

They are less susceptible to damage

Which type of storage format should be transported in a special bag to reduce electrostatic interference?

Magnetic media

Which Windows component is responsible for reading the boot.ini file and displaying the boot loader menu on Windows XP during the boot process?

NTLDR

Which operating system should be used to run the command dd if=/dev/mem of=/evidence/image.memory1?

Linux

Which file system is supported by Mac?

Hierarchical File System Plus (HFS+)

Which law requires both parties to consent to the recording of a conversation?

Electronic Communications Privacy Act (ECPA)

Which law is related to the disclosure of personally identifiable protected health information (PHI)?

Health Insurance Portability and Accountability Act (HIPAA)

Which U.S. law criminalizes the act of knowingly using a misleading domain name with the intent to deceive a minor into viewing harmful material?

18 U.S.C. 2252B

Which U.S. law protects journalists from turning over their work or sources to law enforcement?

The Privacy Protection Act (PPA)

Which law or guideline lists the four states a mobile device can be in when data is extracted from it?

NIST SP 800-72 Guidelines

Which law includes a provision permitting the wiretapping of VoIP calls?

Communications Assistance to Law Enforcement Act (CALEA)

Which policy is included in the CAN-SPAM Act?

The email sender must provide some mechanism for the receiver to opt-out of future emails that cannot require a fee.

Which United States law requires telecommunications equipment manufacturers to provide built-in surveillance capabilities?

Communication Assistance to Law Enforcement Act (CALEA)

Which law requires a search warrant or recognized exceptions for searching email messages on a computer?

The Fourth Amendment to the U.S. Constitution

What is one purpose of steganography?

To deliver information secretly

Which method is used to implement steganography through pictures?

LSB

What are the core elements of steganography?

Payload, carrier, channel

Which steganographic term describes tracking information used in data leakage?

Payload

Which component represents command and control messages in a compromised botnet server?

Payload

Which method is commonly used to hide data via steganography?

LSB

Which tool should a forensic investigator use to search for hidden data in images captured in emails?

Forensic Toolkit (FTK)

Which steganographic tool is used to hide text messages in popular American songs?

MP3Stego

How should an investigator use file properties to detect steganography?

Review the hexadecimal code looking for anomalies in the file headers

Where are local passwords stored for the Windows operating system?

SAM file in \Windows\System32\

Where is the config folder located that contains the SAM file on a Windows system?

C:\Windows\System32

Where should passwords for wireless networks be stored on a Windows XP system?

Registry

Which Windows password cracking tool uses rainbow tables?

Ophcrack

How does a rainbow table work to crack a password?

It uses a table of all possible keyboard combinations and their hash values.

What should a forensic investigator use to gather the most reliable routing information for tracking an email message?

Email header

Which activity involves email tracing?

Determining the ownership of the source email server

Which digital evidence should be reviewed to check for mounted volumes created from USB drives on a compromised laptop running OS X?

/var/log

Which log or folder contains information about printed documents on a computer running Mac OS X?

/var/spool/cups

Which Windows event log should be checked for evidence of invalid logon attempts?

Security

Which folder contains the software updates logs on a Macintosh system?

/Library/Receipts

Which tool should a forensic investigator use to image an older BlackBerry smartphone running OS 7.0?

BlackBerry Desktop Manager

What should an investigator take care to ensure when extracting information from a mobile device?

That the mobile device does not synchronize with the computer

Which state is a device in if it is powered on, performing tasks, and able to be manipulated by the user?

Active

Rules of evidence can be defined as __________.

rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury

The Windows Registry is organized into five sections. The __________ section contains those settings common to the entire machine.

HKEY_LOCAL_MACHINE (HKLM)

There are specific laws in the United States that are applicable to e-mail investigations. __________ is a U.S. law that prescribes procedures for surveillance and collection of foreign intelligence information.

Foreign Intelligence Surveillance Act (FISA)

Study Notes

Digital Forensics Tools and Techniques

• A Sniffer is used to gather digital evidence on security vulnerabilities in local networks.
• Legal access to a computer during an investigation may require parental consent if minors are involved.
• Use the ipconfig command to obtain network configuration from a Windows PC at a crime scene.
• Forensic investigators should collect browser cache as digital evidence in phishing scams.

Evidence Collection

• Firewall logs are critical for collecting evidence after a security breach, especially for dedicated messaging servers.
• Email messages are utilized to identify how account information was compromised in phishing incidents.
• Network transaction logs are essential for determining the source of hacking attempts.
• The first step a forensic scientist should take at a crime scene is to photograph all evidence in its original place.

Proper Evidence Handling

• Bit-level copying ensures proper evidence collection during investigations.
• Disconnecting the computer from the network is crucial if it is infected with malware to prevent data loss.
• Preserving, cataloging, and preparing evidence are fundamental tasks for forensic specialists.
• The chain of custody is vital for demonstrating the secure handling of digital evidence.

Laws and Regulations in Cyber Forensics

• The Communications Assistance to Law Enforcement Act (CALEA) mandates surveillance capabilities in telecommunications.
• The Health Insurance Portability and Accountability Act (HIPAA) governs the protection of health information.
• The Fourth Amendment requires a search warrant for email searches, ensuring constitutional protection.
• The Children’s Online Privacy Protection Act (COPPA) criminalizes deceptive domain names aimed at minors.

Steganography

• Steganography is the practice of hiding information within other files, enabling secret communication.
• The core components of steganography include payload, carrier, and channel.
• The Least Significant Bit (LSB) method is commonly used for hiding data in images.

Digital Evidence in Various Systems

• Windows stores local passwords in the SAM file located in the System32 directory.
• The logging of printed documents on macOS is found in the /var/spool/cups directory.
• Rainbow tables are utilized by password-cracking tools like Ophcrack to facilitate rapid password recovery.
• Command and control messages can be embedded in DNS protocol communications via compromised servers.

Incident Response and Forensics

• Incident response phases include containment, recovery, and eradication, with forensics beginning during recovery.
• Live system forensics involves real-time memory searching to identify abuse or compromised systems.
• The forensic process includes identification, preservation, collection, examination, analysis, and presentation of evidence.

Key Definitions

• Forensics is defined as the application of science and technology in establishing facts for legal cases.
• A 'dump' refers to acquiring a file as it is being updated, often requiring careful handling of the data.
• A device is considered 'active' when it is powered on and operational, allowing manipulation by a user.

Miscellaneous Knowledge

• Ubuntu is a popular Linux distribution, especially among beginners in digital forensics.
• The Subscriber Identity Module (SIM) stores the International Mobile Subscriber Identity (IMSI) in mobile devices.### Computer and Cybersecurity Concepts
• BIOS performs a hardware test at boot-up to ensure the system is functioning properly.
• Dynamic memory allocation for programs is typically requested from the heap segment using allocators like malloc.
• A complete duplicate of every memory bit, forensic evidence, can be preserved in permanent storage or documentation.
• The boot record on hard drive partitions initializes the booting process.

Forensics and Evidence

• Chain of custody refers to the documented tracking and control of evidence from collection to courtroom appearance.
• Data fabrication overwhelms forensic analysts with misleading information and false leads.
• Evidence links, such as fingerprints, support potential conclusions in investigations.

RAID and Storage Technologies

• RAID 5 combines three or more disks with dedicated parity for fault tolerance, losing the capacity of one disk.
• The term "swapping" refers to storing memory items temporarily on the hard drive for fast retrieval.

Networking and Communication

• DoS attacks are considered cyber-vandalism aimed at disrupting services.
• Port 194 is utilized for IRC chat communications.
• The three-way handshake is the connection process involving three exchanged packets.

Operating Systems and Commands

• In Linux, the Bourne-again shell is the most widely utilized shell for various tasks.
• The command system_profiler SPHardwareDataType provides comprehensive hardware information on Mac OS X systems.
• The command rmdir is specifically used to remove empty directories.

Cryptography and Data Protection

• The Vigenère cipher employs a sequence of monoalphabetic ciphers based on a keyword for encrypting text.
• Metadata consists of data about data, documenting details like creation date and file size.
• Symmetric cryptography uses a single key for both encryption and decryption purposes.

System and Operational Integrity

• Tools like fsck diagnose issues on aging hard drives, enhancing forensic analysis efficiency.
• RFC 3864 outlines header field names for messages, with Message-ID providing reply context.
• Anonymizers mask senders' identities in email communication, enhancing privacy.

Cybersecurity Statistics

• Approximately 80% of all Internet-connected computers are reported to have spyware installed.
• A one-sided DVD can hold up to 4.7 gigabytes of data.

Analysis Techniques

• Volatile memory analysis encompasses live-system techniques for collecting and examining memory dumps.
• Steganalysis tests if files or communications conceal additional information.

Internet Protocols and Standards

• SMTP (Simple Mail Transfer Protocol) operates on port 25 for email transmission.
• The universal mobile telecommunications system refers to the standards used for high-speed mobile data transfer, also related to wireless communication advancements.

Description

This quiz focuses on key concepts in Digital Forensics related to cybersecurity as taught in WGU Course C840. Participants will explore various tools and techniques used to gather digital evidence and understand security vulnerabilities. Test your knowledge and prepare for real-world applications in the field of cybersecurity.