Images – JPEGs use DCT (discrete cosine transform) compression
Images – Vector images experience no quality loss when resized
Attacks – A SYN Flood involves spoofing the source IP address
Incident Handling – First step is Identification. Last step is to Report Events
Sexual Harassment – Must finally be reported to Company Decision Makers
File Forensics – The File Header must be examined to determine whether the correct extension is used or the true file type is hidden
Email – ref pda #
FF – DOS copy imaging will not capture File Slack or deleted files
BB – PasswordKeeper uses AES encryption
CP – Acts of CP must be reported to the ACPO
NF – It is important to use NTP to ensure all device times are synchronized
Law – Legal sequential numbering is used in Legal Pleadings
Law – 18 USC 2252
Lab – Forensic workstations must be scanned before beginning investigations
Inv – Each case must be handled professionally and managed with utmost importance
Att – A Fraggle attack is similar to a Smurf attack but uses UDP
FF – The Boot Loader loads the OS
Inv – The primary goal of a forensic investigator is to preserve Evidence Integrity
Tool – Visual TimeAnalysis Tool is used to determine how long each user used a program
Inv – Acquisition order: prepare system for acquisition, connect devices, copy evidence, secure evidence
Inv – When inspecting a machine with the HDD in, check the Date and Time in the CMOS
Net – POP3 (receiving email) uses port 110
Net – Info obtained from DHCP logs in WiFi networks can be MAC addresses
Law – 4th Amendment
Tool – EnCase searches the MFT to recover files in NTFS partitions

Net – DHCP log files contain the specific time that IPs are given out / leased
Tool – Evidor is used to find Slack Space
Net – IIS uses the UTC time standard
Inv – Multi-evidence forms go in the report. Single-evidence and chain-of-custody forms go in a Secure Container
Tool – fdisk /dev/hda – creates Linux partitions
Tool – dd if=/dev/xxx of=mbr.backup bs=512 count=1 – backs up the MBR (the first 512-byte sector)
Net – 0.0.0.0 as the local address (in netstat output) shows that ports are in listening mode
Inv – (nnnn/zzz): nnnn = evidence number e.g. 0001; zzz = exhibit number e.g. 01a
FF – When acquiring images, 2 Bit Stream Copies must be made
FF – Deleting a dynamic partition can corrupt the disk
Image – When the quality of an image is lost this is due to Lossy Compression
FF – Each Sector on a HDD is made up of 512 bytes
FF – When deleting a FAT file in Windows, only the directory entry (the file reference) is marked deleted, not the file's data
BB – uses SHA-1 for hashing
Net – In routers, the configuration and startup files are stored in NVRAM
Law – USPTO (United States Patent and Trademark Office) is responsible for trademarks and service marks
Francis Galton was responsible for the first systematic forensic fingerprint classification
Net – Gateway will show the IP address of a proxy
Inv – Never appropriate to use a formal checklist in a final report
Inv – If a crime is detected in an investigation it should be reported to Law Enforcement
FF – Floppy disks use the FAT12 format
Net – Apache log files are located at usr/local/apache_
Tool – var/bin/files/file.txt
Tool – Before doing a search in EnCase, Keywords must be added
Tool – EnCase searches for MSWIN4.1 (the boot-sector OEM name) in FAT partitions

FF – In Linux (legacy IDE naming), the Secondary slave device is recognized as hdd
Computer Forensics is used when – Mod 1 slide 36
Law – For copyright and anti-piracy, USB Dongles are usually used
Tool – MD5s should always be compared with the original to maintain integrity
CP – In Australia, a person can serve up to 10 years imprisonment for CP
Tool – A Write-Blocker should be used to prevent contamination of data
Law – If applying for a brand of clothing, Trademark will apply
Law – Netspionage is corporate network spying
FF – Microsoft Outlook files have a .pst extension
Tools – The arp -s command is used to add a static IP entry to the ARP table
FF – A Cluster is the smallest unit of storage a file system allocates (one or more 512-byte sectors)
Law – Copyright lasts 70 years + the life of the author
Media – CF memory comes in Type I and II and uses only 5% power
FF – When files are created / printed and may not have been saved, search the Swap File
Images – JPEG images are identified by the hex value FF D8 FF E0 00 10 (JFIF header; every JPEG starts with FF D8 FF)
Law – FBI and NSA share jurisdiction in regional crimes
Inv – Low Level Incident Response means it must be responded to in One Working Day
Net – Local Windows account password hashes are in the SAM file; Active Directory domain credentials are in NTDS.dit on domain controllers
Tool – An MD5 for verification should be made before and after acquisition
FF – In acquiring images, a Bit Stream copy must be done first
Inv – The End-to-End concept shows the entire forensic trail from start to finish
Tool – EnCase verifies its evidence-file blocks with a 32-bit CRC (and the whole image with an MD5)
Law – IINI stands for Innocent Images National Initiative (Federal Bureau of Investigation's Cyber Crimes Program)
Email – Header
Email – RCPT TO – shows the SMTP envelope recipient of the connection

Net – When the routing table of a router is updated, the Metric Value increases by 1 (one hop)
Tool – An MD5 hash is 32 hex characters long and is 128 bits in length
Net/Web – A CNAME record maps an alias host name to its canonical name; the A record maps a host name to an IP address
FF – Virtual Memory should be scanned to find hidden processes
FF – FAT recycle bin = C:\Recycled; NTFS recycle bin = C:\Recycler (Windows 2000/XP)
Images – Visual Semagrams are symbols that are left around depicting sensitive info
Tool – An Isolation Envelope (Faraday bag) should be used to contain a WiFi-enabled PDA
Tool – Paraben's Lockdown tool is used in Windows
Tool – SetFile -a V startup.txt – will make startup.txt a hidden (invisible) file on Mac OS
Att – A Ping of Death sends an oversized ICMP packet (more than the 65,535-byte IP maximum)
Media – If a PDA has peripherals attached to it, photograph and document all peripherals before acquiring
FF – An Outlook archive can be restored using the Outlook.bak file
FF – A Lost Cluster is one that is marked in use in the FAT but not allocated to any file
SH – For cases involving sexual Harassment, 4 investigators are needed
FF/Tool – A hexadecimal offset (0x...) is a location counted from the beginning of the file; offset 0x0 is the first byte
Inv – Clients / non-forensic personnel should never do forensic searching themselves in case they contaminate the data
Law – The ___ is qualified to address the behaviors and characteristics of the defendant
FF – The file header is usually the first few bytes of the file
Tool – Paraben's Decryption Collection is popular for its ability to distribute password analysis to 16 machines or less
Media – If an iPod is used on a Windows machine, it uses the FAT32 file system
Inv – Discovery is the initial step of demanding documents before the case goes to trial
Inv – Temporal Analysis is the identification of the Timing and Sequence of events
Inv – Investigators must always guard against Scope Creep
Tools – NIST is the organization that validates Forensic tools and their usage (the CFTT program)
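The file-header checks above (examine the header to see whether the extension is genuine, JPEG starts FF D8 FF E0 00 10, the header is the first few bytes at offset 0x0) come together in the following script. It is an added example, not part of the original notes: the signature table covers a handful of common types, the alias map and the sample "files" are constructed in memory, and nothing is read from disk.

```python
"""Signature (magic-byte) check: does a file's header agree with its extension?

Added example, not from the original notes. The samples below are constructed
in-memory byte strings, so nothing is read from disk.
"""
import os
from typing import Optional

# Well-known signatures at offset 0. A JFIF JPEG starts FF D8 FF E0 00 10 "JFIF";
# every JPEG starts with the SOI marker FF D8 FF, so that is what we match on.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "exe": (b"MZ",),
}
# Extensions that legitimately carry another type's signature (assumed list).
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "dll": "exe"}


def identify(header: bytes) -> Optional[str]:
    """Return the type name whose signature the header starts with, else None."""
    for kind, sigs in SIGNATURES.items():
        if any(header.startswith(s) for s in sigs):
            return kind
    return None


def check_file(name: str, header: bytes) -> dict:
    """Compare the claimed extension with the type implied by the first bytes."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ext = ALIASES.get(ext, ext)
    kind = identify(header[:16])
    return {
        "name": name,
        "ext": ext,
        "signature": kind,
        "hex": header[:6].hex(" ").upper(),
        # A mismatch is only meaningful when the signature was recognised.
        "mismatch": kind is not None and ext != kind,
    }


def find_mismatches(files: dict) -> list:
    """Names of files whose extension disagrees with their signature."""
    return [n for n, h in files.items() if check_file(n, h)["mismatch"]]


# Constructed sample "files": name -> first bytes of content.
SAMPLES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01",
    "budget.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",   # JPEG renamed to .txt
    "tools.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",      # PE executable posing as an image
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "readme.txt": b"Plain text, no signature\n",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(check_file(name, head))
    print("mismatches:", find_mismatches(SAMPLES))
```

A file with no recognised signature (plain text) is not reported as a mismatch, because the absence of a signature proves nothing; only a positive identification that contradicts the extension is worth flagging.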

FF – One way to identify the presence of hidden partitions on a suspect's hard drive is to add up the total size of all known partitions and compare it to the total size of the hard drive
Tools – C:\>arp -s x.120.10.23 00-19-A5-D2-BC-31 adds a static IP address and MAC address to the ARP table (first octet missing in the source)
Law/Inv – Warning banners notify users that the system is monitored, so they have no expectation of privacy
FF – Bit Stream copies are used because they are robust (sector-for-sector, including slack and unallocated space) and not simple file copies
Lab – Forensic labs usually have one entrance
FF – The colon ( : ) in an NTFS file name (file.txt:stream) names an Alternate Data Stream
Att – Brute-force and Dictionary attacks are commonly used to crack password-protected files
Law/Inv – In the event that an investigator needs an ISP's assistance on a crime, Law Enforcement will have to be contacted first because the ISP must preserve the privacy of its customers
Law – A search warrant must be obtained first before searching premises and seizing specific items
Inv/Rep – The final report should be in PDF format if requested in hard copy
Inv – When asked to comment on an ongoing case, refer the reporter to the case attorney
Att – Buffer overflow attempt on the firewall 126
FF – Capacity of a HDD = C x H x SPT x 512 (CHS values: cylinders x heads x sectors per track x bytes per sector)
Media – Dual-layer Blu-ray can store up to 50 GB; single layer is 25 GB
Email – SMTP command used to manually enter the recipient of an email = RCPT TO:
Att – A Fraggle attack sends spoofed UDP packets (instead of ping packets) with a fake source address to the IP broadcast address of a large network
Law – How long would a copyright last if established after 1977 – 70 years + author's life

FF/Linux – A disadvantage of using Linux when forensically analyzing a hard drive: Linux (older 2.4-era kernels) cannot identify the last sector when the drive has an odd number of sectors
BB – When investigating a computer forensics case where Microsoft Exchange and BlackBerry Enterprise Server are used, email sent from a BlackBerry device is found on the Microsoft Exchange server
Media – DeviceInfo stores the computer names and usernames used to connect to an iPod
Inv – As an expert witness, you state OPINIONS about what you observed. As a technical or scientific witness, you are only providing the facts as you found them in your investigation
Net – In CIDR notation, the netmask 255.0.0.0 = /8
Inv – If a firm does not have any on-site IT employees but wants to search for evidence of the breach themselves to prevent any possible media attention, why is this not recommended? Searching creates cache files which would hinder the investigation
Tools/Linux – dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror,sync = fill the disk with zeros (noerror continues past read errors; sync pads short blocks)
FF – The longer a disk is in use, the more likely it is that deleted files will be overwritten
Net – What layer of the OSI model are you monitoring while watching traffic to and from a router = Network (Layer 3)
Att – Phreaking is an attack on a phone system, e.g. a company's PBX system
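The notes ask for an MD5 before and after acquisition, for two bit-stream copies, and show dcfldd with conv=noerror,sync. The script below ties those together; it is an added example, not from the original notes. The "drive" is a constructed list of 512-byte sectors, `read_sector` is a hypothetical stand-in for a raw device read, and the `bad_sectors` set simulates unreadable sectors so the noerror,sync behaviour (keep going, zero-fill the failed block) can be seen in the resulting hashes.

```python
"""Bit-stream acquisition with hash verification before and after.

Added example, not from the original notes. The "drive" is a constructed list
of 512-byte sectors; `acquire` mimics dd/dcfldd reading it sector by sector,
and `conv=noerror,sync` behaviour (skip a read error, zero-fill the sector)
is simulated with the hypothetical `bad_sectors` set.
"""
import hashlib

SECTOR = 512


def digest(data: bytes, algo: str) -> str:
    """Hex digest of a whole buffer (MD5 gives 32 hex chars = 128 bits)."""
    return hashlib.new(algo, data).hexdigest()


def read_sector(drive: list, n: int, bad_sectors) -> bytes:
    """Stand-in for a raw device read; a bad sector raises like a real one."""
    if n in bad_sectors:
        raise OSError(f"read error at sector {n}")
    return drive[n]


def acquire(drive: list, bad_sectors=frozenset(), noerror_sync=True,
            algos=("md5", "sha256")) -> dict:
    """Copy every sector to an image, hashing the data as it is read."""
    hashes = {a: hashlib.new(a) for a in algos}
    image, unreadable = bytearray(), []
    for n in range(len(drive)):
        try:
            block = read_sector(drive, n, bad_sectors)
        except OSError:
            if not noerror_sync:
                raise                       # plain dd stops here
            unreadable.append(n)
            block = bytes(SECTOR)           # sync: pad the failed read with zeros
        image += block
        for h in hashes.values():
            h.update(block)
    return {"image": bytes(image),
            "acquisition_hashes": {a: h.hexdigest() for a, h in hashes.items()},
            "unreadable_sectors": unreadable}


def verify(image: bytes, expected: dict) -> bool:
    """Re-hash the stored image and compare with the acquisition hashes."""
    return all(digest(image, a) == d for a, d in expected.items())


# Constructed evidence drive: 8 sectors of recognisable content.
DRIVE = [f"sector {n:02d} ".encode().ljust(SECTOR, b"\x00") for n in range(8)]

if __name__ == "__main__":
    result = acquire(DRIVE, bad_sectors={5})
    print("unreadable:", result["unreadable_sectors"])
    print("md5 (32 hex chars / 128 bits):", result["acquisition_hashes"]["md5"])
    print("verified:", verify(result["image"], result["acquisition_hashes"]))
    tampered = bytearray(result["image"])
    tampered[700] ^= 0x01                   # flip one bit in sector 1
    print("tampered verifies:", verify(bytes(tampered), result["acquisition_hashes"]))
```

The practitioner's caveat the example makes visible: with noerror,sync the image hash no longer equals the hash of the original media, because zero-filled sectors replaced the unreadable ones. Record the unreadable sector list in the acquisition notes, and verify the image against the hash computed during acquisition. Use a second algorithm alongside MD5, since MD5 collisions are practical.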

Tools – Paraben's Lockdown device … Windows … to write hard drive data
Media – When a PDA is seized in an investigation while the device is turned on, keep the device powered on
Att – From the log, it appears that the user was manually typing in different user ID numbers. This technique is called Parameter Tampering
FF – E5h as the first byte of a FAT directory entry indicates that the file has been marked for deletion
FF – LSASS.exe is processed at the end of a Windows XP boot to initialize the logon dialog box
FF – Slack Space will usually contain remnants of previously deleted files
Inv – Packaging the electronic evidence is the first step taken in an investigation for laboratory forensic staff members
Computer Forensics focuses on three categories of data: Active Data, Archival Data and Latent Data
Net – Why would you need to find out the gateway of a device when investigating a wireless attack: the gateway will be the IP used to manage the access point
Inv – The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They tampered with the evidence by using it
Inv – When discussing the chain of custody in an investigation, a "link" refers to someone that takes possession of a piece of evidence
Law – Lay witnesses are not considered experts in any particular field
Tools/Linux – The Linux command that can be used to create bit-stream images is dd
Att – Sniffers place the NIC in promiscuous mode; capture happens at the Data Link layer (Layer 2), and higher-layer protocols are decoded from the captured frames
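The E5h deletion marker above is the whole of what the earlier note means by "only the file reference is removed, not the file": Windows overwrites the first byte of the 32-byte directory entry and releases the FAT chain, leaving the rest of the entry and the data clusters in place. The parser below, an added example rather than anything from the original notes, builds a constructed root-directory sector in memory (standard FAT short-name layout, FAT32 cluster fields), lists live and deleted entries, and derives the contiguous-cluster recovery plan an undelete tool would start from.

```python
"""FAT directory entries: deletion only rewrites the first byte of the entry.

Added example, not from the original notes. The directory sector below is
constructed in memory; the layout is the standard 32-byte FAT short-name entry.
"""
import struct

ENTRY_SIZE = 32
DELETED_MARK, END_MARK = 0xE5, 0x00
ATTR_LFN, ATTR_DIRECTORY = 0x0F, 0x10


def make_entry(name: str, ext: str, first_cluster: int, size: int,
               attr: int = 0x20, deleted: bool = False) -> bytes:
    """Build one 8.3 entry (FAT32 layout: cluster high word at 20, low at 26)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = f"{name:<8}{ext:<3}".encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, first_cluster >> 16)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED_MARK     # this is all the delete operation changes here
    return bytes(raw)


def parse_directory(data: bytes) -> list:
    """List entries, including deleted ones whose first name byte was overwritten."""
    entries = []
    for off in range(0, len(data), ENTRY_SIZE):
        e = data[off:off + ENTRY_SIZE]
        if len(e) < ENTRY_SIZE or e[0] == END_MARK:
            break                            # 0x00: no entries follow
        if e[11] == ATTR_LFN:
            continue                         # long-name pieces, not a file record
        deleted = e[0] == DELETED_MARK
        base = ("?" + e[1:8].decode("ascii")) if deleted else e[0:8].decode("ascii")
        ext = e[8:11].decode("ascii").rstrip()
        hi = struct.unpack("<H", e[20:22])[0]
        lo = struct.unpack("<H", e[26:28])[0]
        size = struct.unpack("<I", e[28:32])[0]
        entries.append({"name": base.rstrip() + ("." + ext if ext else ""),
                        "deleted": deleted,
                        "directory": bool(e[11] & ATTR_DIRECTORY),
                        "first_cluster": (hi << 16) | lo,
                        "size": size})
    return entries


def recovery_plan(entry: dict, cluster_bytes: int) -> list:
    """Clusters to read back for a deleted file, assuming it was contiguous.

    The FAT chain of a deleted file is released, so contiguity is the usual
    assumption an undelete tool makes; the size field says how many clusters.
    """
    count = -(-entry["size"] // cluster_bytes)      # ceiling division
    return list(range(entry["first_cluster"], entry["first_cluster"] + count))


# Constructed root-directory sector: one live file, one deleted file, end marker.
SAMPLE_DIR = (make_entry("REPORT", "DOC", 5, 10240)
              + make_entry("SECRET", "PDF", 9, 4096, deleted=True)
              + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for ent in parse_directory(SAMPLE_DIR):
        print(ent)
        if ent["deleted"]:
            print("  read clusters:", recovery_plan(ent, 2048))
```

The lost first character ("?ECRET.PDF") is why undelete tools ask you to supply it, and the contiguity assumption is why recovery of a fragmented deleted file returns the wrong tail: the clusters after the first one may belong to something else entirely.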
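The parameter-tampering note above describes the pattern an investigator sees in the web server log: one client stepping through user ID values one at a time. The following detection script is an added example, not from the original notes. It runs over constructed Apache-style access-log lines, and the thresholds (`min_ids`, `seq_ratio`) are illustrative choices, not values from the notes.

```python
"""Spotting parameter tampering / ID enumeration in a web access log.

Added example, not from the original notes. The log lines are constructed
(Apache common-log style) and the thresholds are illustrative choices.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Split one access-log line into ip, path, query dict and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlsplit(m["url"])
    return {"ip": m["ip"], "path": u.path, "query": parse_qs(u.query),
            "status": int(m["status"])}


def detect_enumeration(lines, param="id", min_ids=4, seq_ratio=0.5) -> list:
    """Flag clients that walk through many values of a numeric parameter.

    For each (client, path) collect the distinct integer values of `param`;
    if there are at least `min_ids` and most consecutive values differ by 1,
    the user was typing IDs by hand or scripting them.
    """
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line, skipped not fatal
        for v in rec["query"].get(param, []):
            if v.isdigit():
                seen[(rec["ip"], rec["path"])].append(int(v))
    findings = []
    for (ip, path), ids in seen.items():
        distinct = sorted(set(ids))
        if len(distinct) < min_ids:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        findings.append({"ip": ip, "path": path, "ids": distinct,
                         "sequential_ratio": round(ratio, 2),
                         "tampering": ratio >= seq_ratio})
    return findings


# Constructed log: 10.0.0.5 walks account IDs one by one; 10.0.0.9 is normal.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Mar/2024:10:01:02 +0000] "GET /account?id=1001 HTTP/1.1" 200 512',
    '10.0.0.5 - alice [12/Mar/2024:10:01:06 +0000] "GET /account?id=1002 HTTP/1.1" 200 498',
    '10.0.0.5 - alice [12/Mar/2024:10:01:09 +0000] "GET /account?id=1003 HTTP/1.1" 403 231',
    '10.0.0.5 - alice [12/Mar/2024:10:01:13 +0000] "GET /account?id=1004 HTTP/1.1" 200 507',
    '10.0.0.5 - alice [12/Mar/2024:10:01:17 +0000] "GET /account?id=1005 HTTP/1.1" 200 511',
    '10.0.0.5 - alice [12/Mar/2024:10:01:20 +0000] "GET /account?id=1006 HTTP/1.1" 200 503',
    '10.0.0.9 - bob [12/Mar/2024:10:02:00 +0000] "GET /account?id=2042 HTTP/1.1" 200 520',
    '10.0.0.9 - bob [12/Mar/2024:10:02:30 +0000] "GET /account?id=2042 HTTP/1.1" 200 520',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in detect_enumeration(SAMPLE_LOG):
        print(f)
```

The 200 responses on IDs that belong to other users are the actual damage (an access-control failure on the server side); the 403 in the middle shows the enumeration did not stop at the first refusal, which is the behavioural signal worth writing up alongside the sequential-ID pattern.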

Images – Grille Cipher – a steganographic method in which a perforated card laid over a cover text reveals the hidden message; used by two parties to send secret messages to each other
FF – It is possible to recover files that have been emptied from the Recycle Bin on a Windows computer because the data is still present until the original location of the file is reused
Law – What prompted the US Patriot Act to be created – the September 11, 2001 attacks (the Act was signed in October 2001)
Tools – Forensic Sorter is considered faster at processing files and easier to manage because it classifies data into 14 categories