
Terms in this set (277)

Fourth Amendment

The _________ to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.

Police Blotter

The _________ provides a record of clues to crimes that have been committed previously.

Litigation

The legal process of proving guilt or innocence in court

Computer Forensics

Investigates data that can be retrieved from a computer's hard disk or other storage media.

Affidavit

Sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence.

Case Law

Allows legal counsel to argue from previous cases similar to the current one when no statute yet covers the situation.

Line of Authority

Specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.

HTCIA

Organization that exchanges information about techniques related to computer investigations and security.

Network Forensics

Yields information about how a perpetrator or an attacker gained access to a network.

Industrial espionage

Involves selling sensitive or confidential company information to a competitor.

Single-Evidence Form

A(n) ________ lists each piece of evidence on a separate page.

Interview

A(n) ____________ is usually conducted to collect information from a witness or suspect about specific facts related to an investigation.

Self-Evaluation

An essential part of professional growth.

FTK's Internet Keyword Search

Extracts all related e-mail address information for web-based e-mail investigations.

Interrogation

Process of trying to get a suspect to confess to a specific incident or crime.

Multi-evidence form

A type of evidence custody form

Data recovery

The better-known and more lucrative side of the computer forensics business.

Free Space

Can be used for new files that are saved or files that expand as data is added to them.

MS-DOS 6.22

The least intrusive (in terms of changing data) Microsoft operating system.

Norton DiskEdit

An older computer forensics tool.

ASCLD (American Society of Crime Laboratory Directors)

The __________ provides guidelines for managing a forensics lab and for acquiring official crime-lab certification.

the same

For daily work production, several examiners can work together in a large open area, as long as they all have ________ level of authority and access need.

Guidance Software

Sponsors the EnCE certification program

Business Case

A plan you can use to sell your services to your management or clients

MAN

Stands for Metropolitan Area Network

Norton Ghost

Tool for directly restoring files

Disaster Recovery Plan

Addresses how to restore a workstation you reconfigured for a specific investigation.

FireWire

Governed by the IEEE 1394b standard

SIG

Can be a valuable source of support for recovering and analyzing uncommon systems.

ASCLD/LAB

Certification program that regulates how crime labs are organized and managed.

raw

The bit-stream data-to-files copy technique creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a(n) ______ format.

lossless

Popular archiving tools, such as PKZip and WinZip, use an algorithm referred to as ________ compression.

live

There are two types of acquisitions: Static acquisitions and _________ acquisitions.

EnCase

Forensic tool developed by Guidance Software

SafeBack

Example of a disk-to-disk copy maker tool.

AFF

Open source data acquisition format.

Lossy Compression

Used with .jpeg files to reduce file size by permanently discarding some image data, so image quality is reduced when the file is restored and viewed (unlike lossless compression).

IXimager

ILook imaging tool

Data Acquisition

Process of copying data

WinZip

Example of a lossless compression tool.

Data Recovery

Involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash.

Computer Forensics

The task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence.

Inculpatory

Evidence that tends to establish guilt; in criminal cases, the expression is "incriminating".

Exculpatory

Evidence that might clear the suspect.

data recovery

Companies in this field use computer forensics techniques to retrieve information their clients have lost.

CART (The FBI Computer Analysis and Response Team)

This group was formed in 1984 to handle the increasing number of cases involving digital evidence.

Fourth Amendment

This protects everyone's rights to be secure in their person, residence, and property from search and seizure.

Affidavit

A sworn statement of support of facts about or evidence of a crime, submitted to a judge with the request for a search warrant before seizing evidence.

notarized

You must have an affidavit ________ under sworn oath to verify that the information in the affidavit is true.

Line of authority

This states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.

Line of Authority

The order in which people or positions are notified of a problem; these people or positions have the legal right to initiate an investigation, take possession of evidence and have access to evidence.

Search Warrant

A legal document that allows law enforcement to search an office, a place of business, or other locale for evidence related to an alleged crime.

Silver-Platter Doctrine

A policy no longer in effect that allowed a state law enforcement officer to pass illegally obtained evidence to the federal government and allowed federal prosecution to use that evidence.

Private Sector

During this kind of investigation, you search for evidence to support allegations of abuse of a company's assets and, in some cases, criminal complaints.

Computing Assets

Most computer investigations in the private sector involve misuse of ___________.

Industrial Espionage, Embezzlement, and Murder

Criminal acts in private sectors involve acts such as:

Chain of Custody

The route the evidence takes from the time you find it until the case is closed or goes to court.

Preserve the evidence

The first rule for all investigations.

Evidence Custody Form

Helps to document what has and has not been done with the original evidence and forensic copies of the evidence.

Who recovered the Evidence
When the evidence was recovered
Who possessed the evidence at the time it was recovered

What information should be documented about evidence?

Single-Evidence Form

Lists each piece of evidence on a separate page

Multi-Evidence form

An evidence custody form used to list all items associated with a case.

anti-static bags

Which type of bag should be used when collecting computer evidence?

Single-Evidence Form

This form gives you more flexibility in tracking separate pieces of evidence for your chain-of-custody log.

Attorney-Client Privilege

When conducting a computer forensic analysis under ______ rules for an attorney, you must keep all findings confidential.

Interview

Usually conducted to collect information from a witness or suspect about specific facts related to an investigation.

Interrogation

The process of trying to get a suspect to confess to a specific incident or crime.

Forensic Workstation

To conduct an investigation and analysis, you must have a specifically configured PC known as?

Forensic Workstation

A computer loaded with additional bays and forensic software.

MS-DOS 6.22

The least intrusive OS to disks in terms of changing data.

Hardware Write-Blockers

Some of these are inserted between the disk controller and the hard disk, and others are connected to USB or FireWire ports.

Things required for a Forensics Workstation

A workstation
A write-blocker device
Computer Forensic Acquisition tool
Computer Forensic Analysis tool
Target Drive
Spare PATA or SATA ports
USB Ports

Bit-Stream Copy

A bit-by-bit copy (also known as a sector copy) of the original drive or storage medium; it is an exact duplicate.

Backup Software

This type of software can only copy or compress files that are stored in a folder or are a known file type.

Bit-Stream Image

The file containing the bit-stream copy of all data on a disk or disk partition.

Forensic Copy

Another name for Bit-Stream Image

Preserve the original evidence

The first rule of computer forensics

Case Critique

In order to improve your work, you need to do a __________ after the case is closed.

low-emanating Workstation

A workstation that is more expensive than the average workstation, but less expensive than a TEMPEST lab.

2, 1

The ideal configuration for multiple workstations is to have ____ forensic workstations plus ____ non-forensic workstation with Internet access.

2, 0

Large or regional computer forensic labs should have at least ___ controlled exits and ____ windows.

Uniform Crime Report

Annual ___________ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.

IACIS (International Association of Computer Investigative Specialists)

One of the oldest professional computer forensic organizations created by police officers who wanted to formalize credentials in computing investigations.

NTFS

New Technology File System

FAT16, FAT32, NTFS

Windows File Systems:

SIGs (Special Interest Groups)

These can be a valuable source of support for recovering and analyzing uncommon systems.

Disaster recovery Plan

This ensures that you can restore your workstation and file servers to their original condition if a catastrophic failure occurs.

Backup System

Central to a disaster recovery plan is:

RAID

For labs using high-end ______ servers, you must consider methods for restoring large data sets.

Electromagnetic Radiation (EMR)

Most electronic devices emit this

intercept

Certain kinds of equipment can _________ EMR, which can be used to determine the data the device is transmitting or displaying.

TEMPEST

A ________ lab requires lining the walls, ceiling, floor, and doors with specially grounded conductive metal sheets.

TEMPEST

Shielding that protects sensitive computing systems and prevents electronic eavesdropping on any computer emission.

Configuration Management

A process which records all updates you make to your workstation.

Risk Management

Determining how much risk is acceptable for any process or operation.

image file

The data a computer forensics tool collects is stored as a __________

raw format

This copy technique creates simple sequential flat files of a suspect drive or data set. The output of these files is referred to as?

Proprietary format

This type of format typically offers several features that complement the vendor's analysis tool.

Advanced Forensic Format (AFF)

A new open-source acquisition format developed by Dr. Simson L. Garfinkel

Static Acquisition

This type of acquisition is typically done on a computer seized during a police raid.

Live Acquisition

If a computer uses whole disk encryption, this type of acquisition is done while the system is running and the volume is unlocked, because a static copy of the encrypted sectors is unreadable.

Static Acquisitions

This is the preferred way to collect digital evidence.

Logical Acquisition

Captures only specific files of interest to a case or specific file types

Sparse Acquisition

Collects what a logical acquisition collects, but also collects fragments of unallocated (deleted) data.

Sparse Acquisition

Use this acquisition method only when you don't need to examine the entire drive.

Hardware Acquisition

This type of acquisition tool can access the drive at the BIOS level

2

As standard practice, make at least ____ images of digital evidence you collect.

Write-blocking hardware device

Because Windows can easily contaminate your evidence drive, you must protect it with a well-tested ___________________.

Live CDs

Bootable Linux ISO images are referred to as

Computer Forensics

Some Linux Live CD ISO images are specifically designed for what purpose?

fdisk -l

This Linux command lists all drives and their partitions. Older kernels named IDE drives hda, hdb, and so on; current kernels present IDE, SATA, SCSI, and USB disks alike as sda, sdb, and so on.

Government Agencies

Private-sector organizations include business and ________ that aren't involved in law enforcement.

Expectation of Privacy

If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have a(n) ___________

Limiting Phrase

When an investigator finds a mix of information, judges often issue a(n) ______ to the warrant, which allows the police to separate innocent information from evidence.

bit-stream

If decontamination of a crime scene might destroy electronic evidence, a HAZMAT specialist or an investigator in HAZMAT gear should make a(n) _________ image copy of a suspect's hard disk.

HAZMAT

You should rely on this when dealing with terrorist attacks

Konqueror

Web browser

Low-Level investigations

What most cases in the corporate environment are considered

FOIA

Agencies must comply with these laws and make documents they find and create available as public records

AFIS

Fingerprints can be tested with these systems

innocent information

Information unrelated to a computing investigation case.

commingled data

Confidential business data that might be included with the criminal evidence.

Commingled

Placing child pornography images in a subfolder where bicycle plans are stored is doing what to the data?

ISPs

Can investigate computer abuse committed by their employees, but not customers.

CTIN (Computer Technology Investigators Network)

List one organization mentioned in the chapter that provides computer forensics training.

false

Computer forensics and data recovery refer to the same thing, true or false

Fourth Amendment

Police in the United States must use procedures that adhere to which of the following?

c

The triad of computing security includes which of the following? Answer a b c or d
a. Detection, response, and monitoring
b. vulnerability assessment, detection, and monitoring
c. vulnerability assessment, intrusion response, and investigation
d. vulnerability assessment, intrusion response, and monitoring

embezzlement, e-mail harassment, cyberstalking

List the three common types of digital crime

false

A corporate investigator must follow Fourth Amendment standards when conducting an investigation

d

Policies can address rules for which of the following? Answer a b c or d
a. when you can log on to a company network from home
b. the internet sites you can or cannot access
c. the amount of personal email you can send
d. any of the above

right to monitor

List an item that should appear on an internal warning banner.

True

Warning banners are often easier to present in court than policy manuals are

false

under normal circumstances a corporate investigator is considered an agent of law enforcement

Corporate environment

fraud, embezzlement, insider trading, espionage, and email harassment are all types of computer investigations typically conducted in the __________________.

professional conduct

_________ is ethics, morals, and standards of behavior. It is important because it determines your credibility.

Professional Journal

This helps you remember what procedures were followed if the case ever goes to court.

Still being debated

Laws and procedures for PDAs are which of the following?
a. well established
b. still being debated
c. on the law books
d. none of the above

Requester

A(n) __________ should be appointed to avoid conflicts from competing interests between organizations or departments.

affidavit

The purpose of an __________ is to provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant.

who, what, when and where

What are the necessary components of a search warrant?

evidence custody form

Case number, investigator and location evidence was obtained are all items that should be on a ___________.

Risk assessment

________ should be done to list problems that might happen when conducting your investigation as an aid in planning a case.

false

You should always prove the allegations made by the person who hired you.

True

For digital evidence, an evidence bag is typically made of antistatic material

b

Who should have access to a secure container? answer a b c or d
a. only the primary investigator
b. only the investigators in the group
c. everyone on the floor
d. only senior-level management

write-protected

Evidence media should be _________ to ensure that it is not altered.

case report

An explanation of basic computer and network processes, a narrative of what steps you took, and a description of your findings should all be included in your __________.

Chain of custody

What do you call a list of people who have had physical possession of the evidence?

acquisitions officer

Providing a list of all components that were seized, noting whether the computer was running when it was taken into evidence, recording the state of the computer at the time it was acquired, noting the operating system if the computer is running, and photographing any open windows to document currently running programs are all jobs that a(n) ________ is responsible for at a crime scene.

confidentiality

The most important point to remember when assigned to work on an attorney-client privilege case is?

Attorney-Client

When working on a(n) ___________ case, you should minimize written correspondence, make sure all written documentation and communication includes a label stating that it is privileged communication and confidential work product, and assist the attorney and paralegal in analyzing data.

False

Data collected before an attorney issues a memorandum for an attorney client privilege case is protected under the confidential work product rule.

True

An employer can be held liable for email harassment true or false

d

Building a business case can involve which of the following? answer a b c or d
a. Procedures for gathering evidence
b. testing software
c. protecting trade secrets
d. all of the above

False

The ASCLD mandates the procedures established for a computer forensic lab, true or false?

d

The manager of a computer forensic lab is responsible for which of the following? Answer a b c or d
a. necessary changes in lab procedures and software
b. ensuring that staff members have sufficient training to do the job.
c. knowing the lab objectives
d. All of the above

OS

Uniform Crime Report statistics for your area and a list of cases handled in your area or at your company are sources that can help you determine the _________ needed in your lab.

business plan

Physical security items, how many machines are needed, which OSs the lab commonly examines, why certain software is needed, and how the lab will benefit the company are all things that should be included in a _______________.

certification

IACIS, HTCN, EnCE, and ACE are all popular ________ programs for computer forensics.

True

The National Cybercrime Training Partnership is available only to law enforcement, true or false?

Physical Security

________ is critical for computer forensics lab to maintain the chain of custody and prevent data from being lost, corrupted, or stolen.

False

If a visitor to your computer forensics lab is a personal friend, it is not necessary to have him or her sign the visitor's log, true or false?

Requirements, Cost, Acceptability

What three items should you research before enlisting in a certification program?

2

Large computer forensic labs should have at least _______ exits

Regional

Typically a(n) _________ lab has a separate storage area or room for evidence.

False

Computer forensic facilities always have windows, true or false.

False

The chief custodian of evidence storage containers should keep several master keys, true or false?

B

Putting out fires in a computer lab typically requires a ______ rated fire extinguisher

False

A forensic workstation should always have a direct broadband connection to the internet, true or false?

NISPOM

Which organization provides good information on safe storage containers?

ASCLD

Which organization has guidelines on how to operate a computer forensics lab?

TEMPEST

What name refers to labs constructed to shield EMR emissions?

Static Acquisition

The primary goal of __________ is to preserve digital evidence.

proprietary format

This type of file format gives options to compress or not compress files, and has the capability to split an image into smaller segments.

Expert Witness Format

Which proprietary format is the unofficial standard?

magnetic tape

The advantage of using this type of backup system for forensic acquisitions is that there is no limit to the size of data that can be acquired.

standard data backup tool

When a suspect's computer can't be taken offline for several hours, but can be shut down long enough to switch disks, you should use a ____________ such as Norton Ghost.

Validation

What is the most critical aspect of computer evidence?

hashing algorithm

A utility designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file or entire disk.

md5sum and sha1sum

Which hashing algorithm utilities can be run from a linux shell prompt?

hash= , hashlog= , vf=

In the Linux dcfldd command, which three options are used for validating data? (hash= selects the algorithm(s) to compute while copying, hashlog= writes the digests to a file, and vf= verifies the output against the input.)

4 GB

What is the maximum file size when writing data to a FAT32 drive? (Strictly 2^32 - 1 bytes; this is why acquisition tools split an image into smaller segments when the target drive is FAT32.)
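The validation procedure in the cards above (hash the source while copying, log the digests, re-read the output and verify, and split the image when the target cannot hold one large file) is shown below as an added Python example. It is not code from the source text, from dcfldd, or from any vendor tool; it mimics what `dcfldd if=... of=... hash=md5,sha1 hashlog=... vf=...` does on a constructed "suspect drive". The 1024-byte segment size, the file names, and the sample data are assumptions standing in for a real drive and the 4 GB FAT32 limit.

```python
"""Raw bit-stream acquisition with hash validation and image segmenting.

Added example, not code from the source text or from dcfldd/EnCase/FTK.
It mirrors the dcfldd options hash= (digest the data as it is copied),
hashlog= (record the digests) and vf= (re-read the output and verify).
"""
import hashlib
import os
import tempfile

SECTOR = 512                       # dd/dcfldd default block size
ALGORITHMS = ("md5", "sha1", "sha256")


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def _digests(hashers):
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, block_size=SECTOR):
    """Digest a file sector by sector (what md5sum/sha1sum do on the source drive)."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return _digests(hashers)


def acquire_raw(source, image_prefix, segment_size=None, block_size=SECTOR):
    """Copy every byte of `source` into raw segments <prefix>.001, .002, ...

    Returns (segment_paths, digests). The digests are computed from the
    exact bytes written (dcfldd hash=), so they describe the acquired data.
    `segment_size` is an assumed small limit for the demo; on a FAT32 target
    it would be just under 4 GB.
    """
    if segment_size is not None and segment_size < block_size:
        raise ValueError("segment_size must hold at least one block")
    hashers = _new_hashers()
    segments, out, in_segment = [], None, 0
    with open(source, "rb") as src:
        for chunk in iter(lambda: src.read(block_size), b""):
            if out is None or (segment_size and in_segment + len(chunk) > segment_size):
                if out is not None:
                    out.close()
                path = f"{image_prefix}.{len(segments) + 1:03d}"
                out = open(path, "wb")
                segments.append(path)
                in_segment = 0
            out.write(chunk)
            in_segment += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    if out is not None:
        out.close()
    return segments, _digests(hashers)


def verify_image(segments, expected, block_size=SECTOR):
    """Re-read the segments in order (dcfldd vf=) and compare digests.

    Returns (ok, actual). Any changed bit anywhere in the image changes
    every digest, which is the property a forensic hash must have.
    """
    hashers = {name: hashlib.new(name) for name in expected}
    for path in segments:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(block_size), b""):
                for h in hashers.values():
                    h.update(chunk)
    actual = _digests(hashers)
    return actual == expected, actual


def demo():
    """Constructed 'suspect drive': five full sectors plus a partial one."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = os.path.join(tmp, "suspect_drive.bin")
        with open(drive, "wb") as fh:
            fh.write(bytes(range(256)) * 10 + b"partial-sector")  # 2574 bytes
        segments, digests = acquire_raw(drive, os.path.join(tmp, "image.dd"), segment_size=1024)
        ok_before, _ = verify_image(segments, digests)
        # Simulate a corrupted or tampered image: flip one bit in segment 2.
        with open(segments[1], "r+b") as fh:
            fh.seek(100)
            byte = fh.read(1)
            fh.seek(100)
            fh.write(bytes([byte[0] ^ 0x01]))
        ok_after, _ = verify_image(segments, digests)
        return {
            "segments": len(segments),
            "image_matches_source": digests == hash_file(drive),
            "verified_before_tamper": ok_before,
            "verified_after_tamper": ok_after,
        }


if __name__ == "__main__":
    print(demo())
```

The partial last sector is handled the same way dd handles it: whatever `read()` returns is written and hashed, so the image is byte-for-byte the source length. Record the digests from the acquisition, not from a later re-hash of the image, and keep them with the evidence custody form; the `vf=` style re-read is what proves the copy, and any later copy of it, still matches.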

False

R-Studio and DiskExplorer are used primarily for computer forensics. True or false?

d

With remote acquisitions, what problem should you be aware of? answer a b c or d
a. data transfer speeds
b. access permissions over the network
c. antivirus, antispyware, and firewall programs,
d all of the above

ProDiscover

The program _______ provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect's workstation.

Servlet

What is the EnCase Enterprise remote program?

PDServer

What is the ProDiscover remote access program?

DiskExplorer

What is the Runtime Software utility used to acquire data over a network connection?

False

HDHost is automatically encrypted when connected to another computer, true or false?

TCP/IP, Serial RS232 Port

List the two types of connections in HDHost.

True

EnCase, FTK, SMART, and ILook treat the image file as though it were the original disk, true or false?

True

When possible, you should make two copies of evidence, true or false?

False

FTK imager can acquire data in a drive's host protected area, true or false?

a

Corporate investigations are typically easier than law enforcement for which of the following reasons?
a. most companies keep inventory databases of all hardware and software used.
b. the investigator does not have to get a warrant
c. the investigator has to get a warrant.
d. users can load whatever they want on their machines.

True

In the united states, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause, true or false?

True

If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or false?

agent of law enforcement

As a corporate investigator, you can become an _______ __ ____ __________ when you begin to take orders from a police detective without a warrant or subpoena and/or your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.

False

The plain view doctrine in computer searches is well-established law. True or false.

a and c

If a suspect computer is located in an area that might have toxic chemicals, you must do which of the following (choose all that apply answer a b c and/or d)
a. Coordinate with the HAZMAT team
b. Determine a way to obtain the suspect computer
c. Assume the suspect computer is contaminated.
d. Do not enter alone.

forensic hash

Its value can't be predicted from the input, no two different files should produce the same value, and any change to the file changes the value. These are the rules for a ________.

collision

In forensic hashes, a ___________ occurs when two files have the same hash value.

True

Computer peripherals or attachments can contain DNA evidence, true or false?

Browsing open applications

If a suspect computer is running windows 2000, which of the following can you perform safely?
a. browsing open applications
b. disconnecting power
c. Either of the above
d. none of the above

anything that might be of interest

Describe what should be videotaped or sketched at a computer crime scene.

Data Sniffing, Keylogging

Which of the following techniques might be used in covert surveillance? (choose all that apply)
a. keylogging
b. data sniffing
c. network logs
d. none of the above

commingling

Mixing confidential business data in with the criminal evidence.

SHA-1, MD5

List two hashing algorithms commonly used for forensic purposes. (Both now have practical collision attacks, so current practice records SHA-256 alongside them.)

False

Small companies rarely need investigators true or false

True

If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an
expectation of privacy. True or False?

Initial response field kit

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?

False

You should always answer questions from onlookers at a crime scene. True or False?

Affidavit

The document, given under penalty of perjury, that investigators create to detail their findings. This document is often used to justify issuing a warrant or to deal with abuse
in a corporation.

allegations

A charge made against someone or something before proof has been found.

authorized requester

In a corporate environment, the person who has the right to request an investigation, such as the chief security officer or chief intelligence officer.

Computer Forensics

The process of applying scientific methods to collect and analyze data and information that can be used as evidence.

Computer Investigations

Conducting forensic analysis of systems suspected of containing evidence related to an incident or a crime.

CTIN (Computer Technology Investigations Network)

A nonprofit group based in Seattle-Tacoma, WA, composed of law enforcement members, private corporation security
professionals, and other security professionals whose aim is to improve the quality of high-technology investigations in the Pacific Northwest.

Criminal Case

A case in which criminal law must be applied.

Criminal Law

Statutes applicable to a jurisdiction that state offenses against the peace and dignity of the jurisdiction and the elements that define these offenses.

data recovery

A specialty field in which companies retrieve files that were deleted accidentally or purposefully.

disaster recovery

A specialty field in which companies perform real-time backups,
monitoring, data recovery, and hot site operations.

enterprise network environment

A large corporate computing system that can include
formerly independent systems.

approved secure container

A fireproof container locked by a key or combination.

attorney-client privilege

Communication between an attorney and client about legal
matters is protected as confidential communications. The purpose of having confidential communications is to promote honest and open dialogue between an attorney and client.
This confidential information must not be shared with unauthorized people.

bit-stream copy

A bit-by-bit duplicate of data on the original storage medium. This process is usually called "acquiring an image" or "making an image."

bit-stream image

The file where the bit-stream copy is stored; usually referred to as an "image," "image save," or "image file."

chain of custody

The route evidence takes from the time the investigator obtains it until the case is closed or goes to court.

evidence bags

Antistatic bags used to transport removable media, hard drives, and other computer components.

evidence custody form

A printed form indicating who has signed out and been in physical possession of evidence.

forensic copy

Another name for a bit-stream image.

forensic workstation

A workstation set up to allow copying forensic evidence, whether on a hard drive, USB drive, CD, or Zip disk. It usually has software preloaded and ready to use.

password-cracking software

Software used to match the hash patterns of passwords or to
simply guess passwords by using common combinations or standard algorithms.

password protected

The method of requiring a password to limit access to certain files and areas of storage media; this method prevents unintentional or unauthorized use.

repeatable findings

Being able to obtain the same results every time from a computer forensics examination.

ASCLD (American Society of Crime Laboratory Directors)

A national society that sets the standards, management, and audit procedures for labs used in crime analysis, including
computer forensics labs used by the police, FBI, and similar organizations.

business case

A document that provides justification to upper management or a lender for purchasing new equipment, software, or other tools when upgrading your facility. In many instances, a business case shows how upgrades will benefit the company.

CEECS (Certified Electronic Evidence Collection Specialists)

A certificate awarded by IACIS at completion of the written exam (Certified Electronic Evidence Collection Specialist).

CFCE (Certified Forensic Computer Examiner)

A certificate awarded by IACIS at completion of all portions of the exam.

configuration management

The process of keeping track of all upgrades and patches you
apply to your computer's OS and applications.

HTCN (High Tech Crime Network)

A national organization that provides certification for
computer crime investigators and computer forensics technicians.

risk management

The process of determining how much risk is acceptable for any process or operation, such as replacing equipment.

Secure Facility

A facility that can be locked and allows limited access to the room's contents.

SIGs (Special Interest Groups)

Associated with various operating systems, these groups
maintain electronic mailing lists and might hold meetings to exchange information about current and legacy operating systems.

TEMPEST

A term referring to facilities that have been hardened so that electrical signals from computers, the computer network, and telephone systems can't be monitored or accessed easily by someone outside the facility.

Uniform Crime Report

Information collected at the federal, state, and local levels to
determine the types and frequencies of crimes committed.

AFF (Advanced Forensic Format)

A new data acquisition format developed by Simson L.
Garfinkel and Basis Technology. This open and extensible format stores image data and metadata. File extensions include .afd for segmented image files and .afm for ______ metadata.

live acquisition

A data acquisition method used when a suspect computer can't be shut down to perform a static acquisition. Data is collected from the local computer or over a remote network connection. The captured data might be altered during the acquisition
because it's not write-protected. ___________ aren't repeatable because data is continually being altered by the suspect computer's OS.

logical acquisition

This data acquisition method captures only specific files of interest to the case or specific types of files, such as Outlook PST files.

raw format

A data acquisition format that creates simple sequential flat files of a suspect drive or data set.

RAID (Redundant Array of Independent Disks)

Two or more disks combined into one large drive in several configurations for special needs. Some _______ systems are designed for redundancy to ensure continuous operations if one disk fails. Another configuration spreads data across several disks to improve access speeds for reads and writes.

Sparse Acquisitions

Like logical acquisitions, this data acquisition method captures only specific files of interest to the case, but it also collects fragments of unallocated (deleted) data.

Static Acquisitions

A data acquisition method used when a suspect drive is write-protected and can't be altered. If disk evidence is preserved correctly, _____________ are repeatable.

whole disk encryption

An encryption technique that performs a sector-by-sector encryption of an entire drive. Each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.

4-mm DAT

Magnetic tapes that store about 4 GB of data but, like CD-Rs, are slow to read and write data.

AFIS (Automated Fingerprint Identification System)

A computerized system for identifying fingerprints that's connected to a central database; used to identify criminal suspects and review thousands of fingerprint samples at high speed.

computer-generated records

Data generated by a computer, such as system log files or proxy server logs.

computer-stored records

Digital files generated by a person, such as electronic spreadsheets.

Covert Surveillance

Observing people or places without being detected, often using electronic equipment, such as video cameras or keystroke/screen capture programs.

CRC (Cyclic Redundancy Check)

A mathematical algorithm that translates a file into a unique hexadecimal value.

digital evidence

Evidence consisting of information stored or transmitted in electronic form.

extensive response field kit

A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers. This kit should contain two or more types of software or hardware computer forensics tools, such as extra storage drives.

Hazardous Materials (HAZMAT)

Chemical, biological, or radiological substances that can cause harm to people.

initial response field kit

A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.

innocent information

Data that doesn't contribute to evidence of a crime or violation.

IOCE (International Organization on Computer Evidence)

A group that sets standards for recovering, preserving, and examining digital evidence.

keyed hash set

A value created by an encryption utility's secret key.

limiting phrase

Wording in a search warrant that limits the scope of a search for evidence.

low-level investigations

Corporate cases that require less effort than a major criminal case.

MD5 (Message Digest 5)

An algorithm that produces a hexadecimal value of a file or storage media. Used to determine whether data has been changed.

NIST (National Institute of Standards and Technology)

One of the governing bodies responsible for setting standards for various U.S. industries.

nonkeyed hash set

A unique hash number generated by a software tool.

Person of interest

Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.

Plain View Doctrine

When conducting a search and seizure, objects in plain view of a law enforcement officer, who has the right to be in position to have that view, are subject to seizure without a warrant and can be introduced as evidence. As applied to executing searches of computers, the plain view doctrine's limitations are less clear.

Servlet

A small, server-resident program that typically runs automatically in response to user input.

Nonkeyed Hash Set

Most computer forensic hashing needs can be satisfied with a _____________________.

MD5

You can use the ____ function in FTK Imager to obtain the digital signature of a file or an entire drive.

What questions should an investigator ask to determine whether a computer crime was committed?

The investigator should also still ask the following questions:
Who are the potential suspects?
What crimes were committed?
When were the crimes committed?
Were these crimes limited to US jurisdiction?
What evidence is there to collect?
Where might the physical and digital evidence be located?

What are the considerations you should have when deciding what data acquisition method to use on your investigation?

Determine the best acquisition method.
Size of the source disk: Know if you can retain the source disk as evidence or return it to the owner. ...
Methods to reduce data size include using Microsoft disk compression tools, such as DriveSpace and DoubleSpace, which exclude slack disk space between the files.

What term refers to the original media that needs to be investigated?

Evidence media. Organizational forensics can and should develop comprehensive procedures for forensic techniques that are tailored to every possible situation.

Is a method of keeping track of who has handled a piece of evidence when and for what purpose?

Definition(s): A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.