Computer Forensics


    Name: ________________________ Class: ___________________ Date: __________ ID: A

    SampleFinal

    True/False
    Indicate whether the statement is true or false.

    ____ 1. Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.

    ____ 2. Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise.

    ____ 3. People need ethics to help maintain their balance, especially in difficult and contentious situations.

    ____ 4. In the United States, there's no state or national licensing body for computer forensics examiners.

    Multiple Choice
    Identify the choice that best completes the statement or answers the question.

    ____ 5. ____ are devices and/or software placed on a network to monitor traffic.
    a. Packet sniffers
    b. Bridges
    c. Hubs
    d. Honeypots

    ____ 6. E-mail messages are distributed from one central server to many connected client computers, a configuration called ____.
    a. client/server architecture
    b. central distribution architecture
    c. client architecture
    d. peer-to-peer architecture

    ____ 7. With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
    a. command-line
    b. shell-based
    c. prompt-based
    d. GUI

    ____ 8. In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.
    a. .ost
    b. .eml
    c. .msg
    d. .pst

    ____ 9. ____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.
    a. Continuous logging
    b. Automatic logging
    c. Circular logging
    d. Server logging

    ____ 10. Exchange logs information about changes to its data in a(n) ____ log.
    a. checkpoint
    b. communication
    c. transaction
    d. tracking

    ____ 11. Typically, report writers use one of two numbering systems: decimal numbering or ____ numbering.
    a. legal-sequential
    b. roman-sequential
    c. arabic-sequential
    d. letter-sequential


    ____ 12. In the main section of your report, you typically cite references with the ____ enclosed in parentheses.
    a. year of publication and author's last name
    b. author's last name
    c. author's last name and year of publication
    d. year of publication

    ____ 13. When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
    a. technical/scientific
    b. expert
    c. lay witness
    d. deposition

    ____ 14. ____ evidence is evidence that exonerates or diminishes the defendant's liability.
    a. Rebuttal
    b. Plaintiff
    c. Inculpatory
    d. Exculpatory

    Completion
    Complete each statement.

    15. An e-mail address in the Return-Path line of an e-mail header is usually indicated as the ____________________ field in an e-mail message.

    16. So far, there have been three generations of mobile phones: analog, digital personal communications service (PCS), and ____________________.

    17. Global System for Mobile Communications (GSM) uses the ______________________ technique, so multiple phones take turns sharing a channel.

    18. When writing a report, _________________________ means the tone of language you use to address the reader.

    19. The ______________________________ system is frequently used when writing pleadings.

    20. The ______________________ of evidence supports the integrity of your evidence.

    21. Depending on your attorney's needs, you might provide only your opinion and technical expertise to him or her instead of testifying in court; this role is called a(n) _______________________.

    22. _____________________ are standards that others apply to you or that you are compelled to adhere to by external forces, such as licensing bodies.

    Matching

    Match each item with a statement below:
    a. CDMA
    b. iDEN
    c. EDGE
    d. ROM

    ____ 23. nonvolatile memory


    ____ 24. one of the most common digital networks, it uses the full radio frequency spectrum to define channels

    Match each item with a statement below:
    a. Plaintiff
    b. Motion in limine
    c. Voir dire
    d. Opening statements
    e. Discovery deposition
    f. CV
    g. Testimony preservation deposition
    h. Voir dire
    i. MD5

    ____ 25. presents the case during a trial

    ____ 26. provide an overview of the case during a trial

    ____ 27. questioning potential jurors to see whether they're qualified

    ____ 28. usually requested by your client to preserve your testimony in case of schedule conflicts or health problems

    ____ 29. lists your professional experience

    ____ 30. allows the judge to decide whether certain evidence should be admitted when the jury isn't present

    Short Answer

    31. How should you proceed if your network forensic investigation involves other companies?

    32. What are some of the tools included with Knoppix STD?

    33. Why are network router logs important during an e-mail investigation?

    34. What are some of the features offered by SIMCon?

    35. What is the basic structure of a report?

    36. Provide some guidelines for writing an introduction section for a report.

    37. What are some of the factors courts have used in determining whether to disqualify an expert?


    SampleFinal Answer Section

    TRUE/FALSE

    1. ANS: T PTS: 1 REF: 489
    2. ANS: T PTS: 1 REF: 565
    3. ANS: T PTS: 1 REF: 596
    4. ANS: T PTS: 1 REF: 597

    MULTIPLE CHOICE

    5. ANS: A PTS: 1 REF: 454
    6. ANS: A PTS: 1 REF: 469
    7. ANS: D PTS: 1 REF: 472
    8. ANS: D PTS: 1 REF: 483
    9. ANS: C PTS: 1 REF: 485

    10. ANS: C PTS: 1 REF: 489
    11. ANS: A PTS: 1 REF: 538
    12. ANS: C PTS: 1 REF: 541
    13. ANS: A PTS: 1 REF: 558
    14. ANS: D PTS: 1 REF: 569

    COMPLETION

    15. ANS: Reply to

    PTS: 1 REF: 482

    16. ANS:
    third-generation (3G)
    third-generation
    3G
    3G (third-generation)

    PTS: 1 REF: 515

    17. ANS:
    Time Division Multiple Access (TDMA)
    Time Division Multiple Access
    TDMA
    TDMA (Time Division Multiple Access)

    PTS: 1 REF: 516

    18. ANS: style

    PTS: 1 REF: 537


    19. ANS: legal-sequential numbering

    PTS: 1 REF: 539

    20. ANS: chain of custody

    PTS: 1 REF: 559

    21. ANS: consulting expert

    PTS: 1 REF: 560

    22. ANS: Codes of professional conduct or responsibility

    PTS: 1 REF: 596

    MATCHING

    23. ANS: D PTS: 1 REF: 517
    24. ANS: A PTS: 1 REF: 515

    25. ANS: A PTS: 1 REF: 563
    26. ANS: D PTS: 1 REF: 563
    27. ANS: C PTS: 1 REF: 563
    28. ANS: G PTS: 1 REF: 573
    29. ANS: F PTS: 1 REF: 561
    30. ANS: B PTS: 1 REF: 562

    SHORT ANSWER

    31. ANS:
    As with all investigations, keep preservation of evidence in mind. Your investigation might turn up other companies that have been compromised. In much the same way you wouldn't turn over proprietary company information to become public record, you shouldn't reveal information discovered about other companies. In these situations, the best course of action is to contact the companies and enlist their aid in tracking down network intruders. Depending on the situation, at some point you might have to report the incident to federal authorities.

    PTS: 1 REF: 449 TOP: Critical Thinking


    32. ANS:
    A few of the Knoppix STD tools include the following:
    * dcfldd: The U.S. DOD computer forensics lab version of the dd command
    * memfetch: Forces a memory dump
    * photorec: Retrieves files from a digital camera
    * snort: A popular IDS that performs packet capture and analysis in real time (www.snort.org)
    * oinkmaster: Helps manage snort rules so that you can specify what items to ignore as regular traffic and what items should raise alarms
    * john: The latest version of John the Ripper, a password cracker
    * chntpw: Enables you to reset passwords on a Windows computer, including the administrator password
    * tcpdump and ethereal: Packet sniffers

    PTS: 1 REF: 451 TOP: Critical Thinking

    33. ANS:

    Network administrators maintain logs of the inbound and outbound traffic routers handle. Routers have rules to allow or deny traffic based on source or destination IP address. In most cases, a router is set up to track all traffic flowing through its ports. Using these logs, you can resolve the path a transmitted e-mail has taken. The network administrator who manages routers can supply the log files you need. Review the router logs to find the victim's (recipient's) e-mail, and look for the unique ID number.

    PTS: 1 REF: 484 TOP: Critical Thinking

    34. ANS:

    SIMCon's features include the following:
    * Reads files on SIM cards
    * Analyzes file content, including text messages and stored numbers
    * Recovers deleted text messages
    * Manages PIN codes
    * Generates reports that can be used as evidence
    * Archives files with MD5 and SHA-1 hash values
    * Exports data to files that can be used in spreadsheet programs
    * Supports international character sets

    PTS: 1 REF: 522 TOP: Critical Thinking

    35. ANS:

    A report usually includes the sections shown in the following list, although the order varies depending on organizational guidelines or case requirements:
    * Abstract
    * Table of contents
    * Body of report
    * Conclusion
    * References
    * Glossary
    * Acknowledgements
    * Appendixes

    PTS: 1 REF: 535|536 TOP: Critical Thinking


    36. ANS:
    The introduction should state the report's purpose and show that you are aware of its terms of reference. You should also state any methods used and any limitations and indicate how the report is structured. It's important to justify why you are writing the report, so make sure you answer the question "What is the problem?" You should also give readers a map of what you're delivering. Introduce the problem, moving from broader issues to the specific problem, finishing the introduction with the precise aims of the report (key questions). Craft this introduction carefully, setting up the processes you used to develop the information in logical order. Refer to relevant facts, ideas, and theories as well as related research by other authors.

    PTS: 1 REF: 536 TOP: Critical Thinking

    37. ANS:

    Factors courts have used in determining whether to disqualify an expert include the following:
    * Whether the attorney informed the expert that their discussions were confidential
    * Whether the expert reviewed materials marked as confidential or attorney work product
    * Whether the expert was asked to sign a confidentiality agreement
    * Number of discussions held over a period of time
    * The type of documents that were reviewed (publicly filed or confidential)
    * The type of information conveyed to the expert (whether it included general or specific data or included confidential information, trial strategies, plans for method of proof, and so forth)
    * The amount of time involved in discussions or meetings between the expert and attorney
    * Whether the expert provided the attorney with confidential information
    * Whether the attorney formally retained the expert
    * Whether the expert voiced concerns about being retained
    * Whether the expert was requested to perform services for the attorney
    * Whether the attorney compensated the expert

    PTS: 1 REF: 599 TOP: Critical Thinking

    SampleFinal [Answer Strip]

    _____ 1. T

    _____ 2. T

    _____ 3. T

    _____ 4. T

    _____ 5. A

    _____ 6. A

    _____ 7. D

    _____ 8. D

    _____ 9. C

    _____ 10. C

    _____ 11. A

    _____ 12. C

    _____ 13. A

    _____ 14. D

    _____ 23. D

    _____ 24. A

    _____ 25. A

    _____ 26. D

    _____ 27. C

    _____ 28. G

    _____ 29. F

    _____ 30. B