Computer Forensics ll Final Flash Cards

Sector

Smallest addressable unit of storage on a disk.

Cluster

Group of sectors; smallest unit used by OS to store files

Slack Space

Unused space within a cluster that may contain leftover data.

Unallocated Space

Space not assigned to any file; deleted data may still exist

File Header (Signature)

First bytes of a file identifying its type

Metadata

data about a file (date created, modified, author).

Bitmap (Raster)

Made of pixels; loses quality when enlarged.

Vector

Uses math formulas; scales without losing quality

Metafile

Combination of bitmap and vector.

Common formats of Graphic File Types

JPG, PNG, GIF, BMP, TIFF

Lossless Compression

No data lost (exp. ZIP).

Lossy Compression

Data permanently removed (exp. JPEG).

File Carving

Recovering files using headers and footers.

Fragmentation

Files stored in multiple locations

Rebuilding headers

Fix damaged files using hex editors

Scope creep

Investigation expands beyond original goal

Common algorithms:

MD5, SHA-1.

Same hash =

file unchanged; different hash = file modified

Autopsy

Disk analysis and file recovery.

Wireshark:

Network traffic analysis

WinHex

Hex editing and analysis

Snort

Intrusion detection system.

What are types of data hiding techniques

Changing file extensions;Hidden files and partitions;Slack space hiding;Encryption and bit shifting; Investigators must detect hidden data

Steganography

Hiding data inside another file (exp. images)

Types of Steganography

Insertion (adds data), Substitution (replaces bits)

Detection Clues for Steganography

file size changes, duplicate files, unusual patterns

Brute Force

tries all combinations

Dictionary Attack

uses common words

Rainbow Tables

precomputed hashes for fast cracking

DDoS

multiple systems flood a target

Zero-day

exploits unknown vulnerabilities

Honeypot

fake system to attract attackers

Honeywall

monitors attacker activity

What is Honeypots & Monitoring

Used to study attack behavior.

Examples of File Struction & Identification

JPEG header = FFD8

What type of files commonly store EXIF metadata?

Image files (JPEG/TIFF)

What information can EXIF metadata reveal?

Camera type, date, time, and location

Why is metadata important in investigations?

It provides valuable evidence and information

What does compression do?

Reduces file size

Where do recovered files come from

unallocated space or slack space.

What does Hex Editors allow

viewing raw binary data

What does hexidecimal analysis do

Used to analyze, repair, and investigate files

What do Investigators do with Hexadecimal Analysis

Investigators compare known header values to identify file types.

Steps of Digital Forensics Process

Plan → Collect → Document → Analyze → Recover → Report

What does Hashing do

creates a digital fingerprint of a file

What is Hashing & Validation used for

Used to verify data integrity

What does Network Forensics Do?

Explain network forensics, difference from computer forensics, its purpose; Analyzing network traffic to investigate incidents;Helps determine how an attack occurred;Network logs record activity and events.

What are the three components of Defense in Depth?

People, Technology, Operations

Which of the following is considered a network vulnerability?

Open ports and misconfiguration

What is the purpose of packet analyzers?

To capture and analyze network traffic