ITE-473-101: Digital Forensic Analysis Final Exam Review


133 Terms

1

Digital (Computer) Forensics

Scientific methods to identify, preserve, analyze, and present digital evidence for court use.

2

Expert Testimony Modes

Deposition: sworn, out-of-court Q&A recorded for later use. Live in Court: sworn, direct & cross exams; explain methods, tools, conclusions in plain language.

3

Eyewitness testimony

Testimony given by a witness who personally observed the event.

4

Physical Evidence

Tangible evidence that can be physically handled.

5

Digital Evidence

Evidence in the form of bits & bytes.

6

Lay vs. Expert witnesses

A lay witness testifies about what they personally observed or experienced, while an expert witness provides opinions and analysis based on their specialized knowledge and expertise.

7

Material Evidence

Relevant and significant evidence that directly impacts the outcome of a case.

8

Immaterial Evidence

Evidence that is not relevant or important to the matter at hand in a legal case.

9

Common Anti-Forensics

Techniques used to hinder forensic investigations, including secure wiping, encryption, steganography, file/metadata obfuscation, and hidden partitions.

10

Daubert Standard

An admissibility test requiring that digital forensics tools & processes must be testable, peer-reviewed, have a known error rate, and be generally accepted.

11

Chain of Custody

Continuous log of who handled an item of evidence, when, and why; protects evidence integrity.

12

Typical Computer Crimes

Crimes including hacking, ID theft, cyberstalking, online fraud, DoS, malware distribution, and cyberterrorism.

13

Order of Volatility

The sequence of data collection from most to least volatile: CPU/cache, routing tables & process list, RAM, temp FS, disk, remote logs, physical configs.

14

Three Evidence-Handling Tasks

1. Identify/collect 2. Preserve (image, hash, store) 3. Analyze/examine.

15

Before Shutting a Live System

Photograph and document everything; then collect running processes, network sessions, open files, a RAM image, and photos/time stamps; then power down.

16

No PizzaHut Stops

Unattended evidence can be stolen or tampered with, breaking chain of custody and court admissibility.

17

Pre-Examination Workflow (Drives)

Seize & log, wipe target media, copy bit-level image, hash & verify, secure original, work only on the copy.

18

Hashes

One-way, fixed-length 'digital fingerprints' (e.g., SHA-256), intended to be collision-resistant, used to prove data integrity and identify files.

19

Swap File

A temporary storage space on a hard drive that's used when a computer's physical memory (RAM) is full.

20

Host Protected Area (HPA)

Hidden drive region invisible to the OS; handy for diagnostics or for hiding data.

21

File Slack (NTFS)

Unused space within a file that exists between the end of the actual file data and the end of the last allocated cluster.

22

Unallocated Space

Filesystem-marked 'free' areas that still store remnants of deleted data until overwritten.

23

Steganography

Concealing data inside carrier files so the very existence of a message is hidden.

24

LSB Method

Embed bits by flipping the least-significant bit of pixel/byte values—imperceptible visual change.

25

Stego Terms

Payload = hidden data, Carrier = cover file, Channel = medium/route used to deliver carrier.

26

Detecting Stego

Look for anomalies in the carrier file, such as unusual color patterns, file size discrepancies, or the presence of known steganography signatures.

27

Detecting Stego Tools

Use specialized tools like StegExpose or StegAlyze to automate the detection process. These tools employ algorithms and statistical models to analyze files for signs of steganography.

28

Encryption vs Stego

Encryption hides content (obvious ciphertext); stego hides existence of the message.

29

Kerckhoffs' Principle

Security rests on secrecy of the key, not the algorithm—designs should remain secure if algorithm is public.

30

Symmetric Crypto

One shared key (fast, key exchange problem).

31

Asymmetric Crypto

Public/private pair (secure exchange, slower).

32

Good Hash Algorithm Traits

One-way, collision resistant, fixed-length output.

33

Frequency Analysis

A method used to measure and analyze the occurrence or frequency of different events, items, or characteristics within a dataset or population.

34

Ophcrack

Uses rainbow tables to reverse hashes and reveal Windows passwords rapidly.

35

Investigation

Structured fact-finding process to determine what happened and who is responsible.

36

Forensics

Use of scientific methods to analyze evidence for legal purposes.

37

Felony

Serious crime punishable by > 1 year in prison or larger fines.

38

Misdemeanor

Less-serious crime punishable by ≤ 1 year in jail or smaller fines.

39

Evidence (physical)

Tangible items (e.g., weapon, hard drive) that support or refute a fact.

40

Evidence (digital)

Electronic data (e.g., logs, emails) that support or refute a fact.

41

Testimony

Sworn statement or account given by a witness.

42

Inculpatory

Supports guilt.

43

Exculpatory

Supports innocence.

44

Circumstantial

Indirect.

45

Hearsay

Second-hand.

46

dd Extraction Command

dd if=<source> of=<destination> bs=512 skip=<start sector> count=<#sectors>

47

dd Extraction Example

Example: pull a 200-sector file starting at sector 1000.

48

Master File Table (MFT)

Stores information about every file on the volume.

49

MFT Entries

Each file has at least one entry storing metadata.

50

Attributes

Metadata stored within MFT.

51

Resident Files

Small files stored directly in the MFT.

52

Non-Resident Files

Larger files stored in clusters outside the MFT.

53

Clusters

Smallest unit of storage in NTFS.

54

Bitmaps

Track used and free clusters.

55

File Slack

Unused space in the last cluster of a file.

56

Forensically Scrubbing a Drive

Overwriting data using tools like DBAN.

57

Degaussing

Magnetic erasure.

58

Physical destruction

Shredding, drilling, incineration.

59

Secure erase commands

Built into SSD firmware.

60

Super Block

Stores metadata about the file system.

61

Block Groups

Divide the file system for efficient management.

62

Inodes

Store information about files (permissions, size, timestamps).

63

Data Blocks

Contain actual file data.

64

Physical Damage

Hardware failure (e.g., head crash, water damage).

65

Logical Damage

Corrupt file system (e.g., accidental formatting, malware).

66

Zero-Knowledge Analysis

Recovering data without prior knowledge of the system.

67

File Carving

Extracting files from raw disk images using header/footer analysis.

68

File Carving Tools

Scalpel, carver-recovery.exe.

69

Business Continuity Plan (BCP)

Ensures business functions continue after a disaster.

70

Disaster Recovery Plan (DRP)

Focuses on restoring IT operations.

71

Full Backup

Copies all data.

72

Differential Backup

Copies changes since last full backup.

73

Incremental Backup

Copies changes since last backup of any type.

74

Hierarchical Storage Management (HSM)

Continuous backup.

75

Stack Memory

Stores local variables, function calls; managed automatically.

76

Heap Memory

Stores dynamically allocated memory; managed manually.

77

Windows Swap File

Acts as virtual memory, stores temporarily swapped-out RAM pages.

78

Windows Swap File Location

pagefile.sys in the root directory.

79

Event Viewer

Access system logs.

80

Log Files

Security logs, application logs, system logs.

81

MAC Properties in Windows

Modified, Accessed, Created timestamps used in forensic timeline analysis.

82

Windows Registry

Stores system and user settings.

83

Important Registry Files

HKCU: Current user settings; HKLM: System-wide settings; HKCR: File associations.

84

Linux Shell

Command-line interface (e.g., Bash, Zsh).

85

Basic Linux Commands

ls (list files), cp (copy files), dd (disk imaging), cd (change directory), rm (delete files), fdisk (manage disk partitions).

86

Run Levels in Linux

Defines system state: 0: Halt system, 1: Single-user mode, 3: Multi-user mode (no GUI), 5: Multi-user mode with GUI, 6: Reboot.

87

Linux Log Files

Important logs under /var/log/: auth.log (authentication attempts), syslog (system events), dmesg (kernel messages).

88

Important Mac File System Directories

/Users: Home directories; /Applications: Installed applications; /Network: Network settings; /etc: System configuration files.

89

Target Disk Mode in Mac Forensics

Allows a Mac to be accessed as an external drive for forensic imaging.

90

Email Protocols

SMTP: Sends email between clients and servers (port 25 or 465 secure); POP3: Downloads email and typically deletes it from the server (port 110 or 995 secure); IMAP: Views and stores email on the server (port 143 or 993 secure).

91

Email Headers

Show the true source, path, timestamps, and can detect spoofing or tampering.

92

Common Email File Types

.pst (Outlook archive file), .ost (Outlook offline storage), .mbx (Mailbox file for older clients), .eml (Individual saved email messages).

93

Difficulties in Mobile Forensics

Encryption, frequent updates and new OS versions, locked devices and remote wipe capability, cloud synchronizing and distributed data, changing phone technology.

94

Types of Evidence from Mobile Devices

Messages (SMS, MMS, emails), call logs, photos, videos, GPS/location history, app data and browser history, contacts and calendar entries.

95

Mobile Forensics Pyramid

Represents levels of access: Manual extraction, Logical extraction, File-system extraction, Physical - non-invasive, Chip-off, Micro-read.

96

Important Parts of Network Packets

Header: Source IP, destination IP, protocol info.

98

Network Packet Header

Source IP, destination IP, protocol info.

99

Network Packet Payload

Actual data transmitted.

100

Network Packet Trailer

End-of-packet markers, error checking.