256978646.doc
Computer Forensics
1/12/2015
8. ____________________ is the unused space on a disk drive when a file is smaller than
the allocated unit of storage.
Answer: Slack space
9. ____________________ is oral testimony or other evidence that proves a specific fact
(such as an eyewitness's statement, fingerprint, photo, and so on). The knowledge of the
facts is obtained through the five senses of the witness. There are no inferences or
presumptions.
Answer: Direct evidence
10. ____________________ is the remaining sectors of a previously allocated file that are
available for the operating system to use.
Answer: Free space
Multiple-Choice Quiz
1. Which of the following correctly defines evidence as being competent?
A.)
The evidence is material to the case or has a bearing on the matter at hand.
B.)
C.)
D.)
Evidence in the form of business records, printouts, manuals, and other items
B.)
The knowledge of these facts is obtained through the five senses of the witness.
C.)
Used to aid the jury and may be in the form of a model, experiment, chart, or
other item and be offered to prove an event occurred
D.)
B.)
The evidence is material to the case or has a bearing on the matter at hand.
C.)
Used to aid the jury and may be in the form of a model, experiment, chart, or
other item and be offered to prove an event occurred.
D.)
B.)
C.)
D.)
A.)
B.)
Verifying software on suspect system and using that software for the
investigation.
C.)
Boot suspect system with verified floppy, CD, kernel, and tools.
D.)
Answer: C. Answer A is the most rigorous method. Answers B and D are other methods
on the rigor spectrum.
7. Which of the following correctly defines slack space?
A.)
B.)
C.)
The remaining sectors of a previously allocated file that are available for the
operating system to use
D.)
The unused space on a disk drive when a file is smaller than the allocated unit of
storage (the file system's allocation unit, typically a cluster made up of several sectors)
Answer: D. Answers A and B are contrived definitions. Answer C is the definition of free
space.
8. Which of the following correctly describes the minimum contents of an evidence control
log book?
A.)
B.)
C.)
D.)
B.)
A method of verifying that data has been completely deleted from a disk
C.)
D.)
B.)
Accounts for all persons who handled or had access to a specific item of evidence.
C.)
D.)
B.)
The evidence is presented in the form of business records, printouts, and so on.
C.)
The evidence is material to the case or has a bearing on the matter at hand.
D.)
B.)
C.)
The knowledge of the facts is obtained through the five senses of the witness.
D.)
The evidence is used to aid the jury and may be in the form of a model,
experiment, chart, or the like, offered to prove an event occurred.
The unused space on a disk drive when a file is smaller than the allocated unit of
storage (such as a cluster, the file system's allocation unit).
B.)
C.)
D.)
The remaining sectors of a previously allocated file that are available for the
operating system to use.
Answer: D. Answer A is the definition of slack space. Answers B and C are contrived
definitions.
14. If you are investigating a computer incident, and you need to remove the disk drive from
a computer and replace it with a copy so the user doesn't know it has been exchanged,
how many copies of the disk should you make, and how should they be used?
A.)
Five copies: one is to replace the drive that will be removed; one is marked,
sealed, logged, and stored with the original, unmodified disk as evidence; one is
for file authentication; one is for analysis; and one is for holding message digests.
B.)
Three copies: one is to replace the drive that will be removed; one to be used for
file authentication; and one for analysis.
C.)
Four copies: one is to replace the drive that will be removed; one is marked,
sealed, logged, and stored with the original, unmodified disk as evidence; one is
for file authentication; and one is for holding message digests.
D.)
Four copies: one is to replace the removed drive; one is marked, sealed, logged,
and stored with the original, unmodified disk as evidence; one is for file
authentication; and one is for analysis.
A.)
Power down the system, dump the memory, create an image of the system, and
analyze the image.
B.)
Create an image of the system, analyze the image, dump the memory, and power
down the system.
C.)
Dump the memory, power down the system, create an image of the system, and
analyze the image.
D.)
Dump the memory, analyze the image, power down the system, and create an
image of the system.
Answer: C. Memory is volatile and is lost the moment power is removed, so it must be
dumped first; the disk is imaged only after the system is down, and analysis is done on
the image, never on the original.
Essay Quiz
1. A supervisor has brought a confiscated computer to your office which was allegedly used
to view inappropriate material. He has asked you to look for evidence to support this
allegation. Because you work for a small company, you do not have an extra computer
you can dedicate to your analysis. How would you boot the system and begin forensic
analysis? Provide a reason for your method.
Answer: You should boot the suspect system from verified, write-protected media (a
floppy or CD) carrying a known-good kernel and tools, and not from the suspect's own
disk. Booting the installed operating system would change timestamps, swap and
temporary files, and logs before you could record them; the verified media leaves the
suspect disk untouched (mount it read-only) and ensures that every program you run is
one you have verified, so you are not relying on a Trojan-horsed or backdoored binary
on the suspect system.
2. Explain why you should always search the free space and slack space if you suspect a
person has deliberately deleted files or information on a workstation that you are
analyzing.
Answer: Recall that when a user deletes a file, the data is not actually erased. Only the
directory entry and the pointer in the file allocation table are removed, and the sector(s)
or cluster(s) holding the file are marked as available for the operating system to reuse.
The bytes remain on the disk until something overwrites them. Until that happens they
sit in free space, where they can be recovered whole; once a smaller file is written into
one of those clusters, the tail of the old data past the new file's end survives in that
file's slack space. Both areas can therefore still hold some or all of the deleted
information.
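To make the mechanism concrete, here is an added example (it is not from the textbook or its answer key) that models a disk as a handful of fixed-size clusters, writes and "deletes" a file, reuses one cluster for a smaller file, and then carves both the free space and the new file's slack. The cluster size, file names and contents are constructed for the demonstration; a real investigation reads the raw device image rather than a bytearray, but the allocation logic is the same.

```python
"""Toy cluster-allocated disk: shows where deleted data survives."""

CLUSTER = 16     # bytes per allocation unit (constructed; real clusters are 4 KiB or more)
N_CLUSTERS = 8   # total size of the toy media


class ToyDisk:
    def __init__(self):
        self.media = bytearray(CLUSTER * N_CLUSTERS)   # raw bytes, never wiped by delete()
        self.allocated = [False] * N_CLUSTERS          # the "allocation table"
        self.files = {}                                # name -> (first_cluster, n_clusters, size)

    def _first_fit(self, n):
        """Return the first run of n contiguous free clusters."""
        run = 0
        for i, used in enumerate(self.allocated):
            run = 0 if used else run + 1
            if run == n:
                return i - n + 1
        raise OSError("disk full")

    def write(self, name, data):
        n = max(1, -(-len(data) // CLUSTER))           # ceil(len / CLUSTER)
        start = self._first_fit(n)
        off = start * CLUSTER
        # Only len(data) bytes are written. The tail of the last cluster keeps
        # whatever was there before: that tail is the new file's slack space.
        self.media[off:off + len(data)] = data
        for c in range(start, start + n):
            self.allocated[c] = True
        self.files[name] = (start, n, len(data))

    def delete(self, name):
        # "Deleting" removes the directory entry and frees the clusters in the
        # allocation table. Not one byte of media is overwritten.
        start, n, _ = self.files.pop(name)
        for c in range(start, start + n):
            self.allocated[c] = False

    def free_space(self):
        """Bytes of every cluster the allocation table says is unused."""
        return b"".join(bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in range(N_CLUSTERS) if not self.allocated[c])

    def slack_space(self):
        """Per file: bytes between the end of its data and the end of its last cluster."""
        return {name: bytes(self.media[start * CLUSTER + size:(start + n) * CLUSTER])
                for name, (start, n, size) in self.files.items()}

    def search(self, needle):
        """Where a keyword survives: in free space, in some file's slack, or nowhere."""
        return {"free": needle in self.free_space(),
                "slack": [f for f, s in self.slack_space().items() if needle in s]}


def demo():
    """Constructed scenario: a deleted memo partly overwritten by a smaller note."""
    d = ToyDisk()
    secret = b"SECRET: transfer funds to acct 9981 tonight"   # 43 bytes -> 3 clusters
    d.write("memo.txt", secret)
    d.delete("memo.txt")                    # the user "deletes" the memo
    d.write("note.txt", b"lunch at noon")   # 13 bytes reuse cluster 0, leaving 3 bytes of slack
    return d


if __name__ == "__main__":
    d = demo()
    print("slack of note.txt:", d.slack_space()["note.txt"])
    print("free space holds:", d.free_space().strip(b"\0"))
    print("search 'acct 9981':", d.search(b"acct 9981"))
```

Running it shows the two places the deleted memo still lives: the last three bytes of "transfer" sit in note.txt's slack, and the rest of the memo sits whole in the two clusters the allocation table now calls free. Only the first 13 bytes, overwritten by the note, are gone.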
3. You are a member of your company's computer incident response team and have been
called in after hours to investigate an attack in progress. The network engineers have
identified the attack as coming from a workstation in an office area of your company. The
attack is still in progress and needs to be terminated. You are in the office where the
workstation is located and the computer is on with the hard disk light flashing
occasionally. What steps would you take to terminate the attack and secure the computer
for later forensic analysis?
Answer: In this case, because the attack is still in progress and you know the source is one
of your own corporate computers, a memory image would be invaluable to your
investigation. If you pulled the plug on this workstation you would lose everything stored in
memory. Terminate the attack by isolating the workstation from the network (unplug its
network cable or disable its switch port) rather than by removing power; the attack stops but
memory is preserved. Then dump the memory, record the running processes, open network
connections and logged-on users, and only afterwards power the workstation down and
image its disk for later analysis. Without the memory dump you could not determine what
processes were running, their configurations, and so on, and that information is invaluable
to your investigation.
4. Due to some suspected illegal activities involving a company employee and their
company computer, a senior manager directed the company's workstation support
personnel to remove the hard disk from the workstation, copy the disk, and replace the
hard disk with the copy. The workstation support person entered the office after hours,
removed the hard disk, took it to his lab (which he shares with another person), imaged
the old drive onto a new drive, replaced the drive and then placed the original hard disk in
his desk drawer. He then locked the lab and went home for the night. How will this
evidence stand up in a court of law?
Answer: This evidence could encounter legal problems because of a faulty chain of custody.
The worker did not mark, label, log, or secure the hard disk drive that could be used as
evidence: there is no record of who handled it, when, or where; the drive spent the night in a
desk drawer in a lab shared with another person who has access; and the original was never
hashed and compared against the image, so there is no proof that the copy is faithful. It
would be very difficult to state that no unauthorized person entered the lab, and it is
conceivable that during court proceedings the worker would be asked how he could be sure
no one touched the disk drive, since it was not properly secured.
5. You have been asked by management to secure the laptop computer of an individual that
was just dismissed from the company under unfavorable circumstances. Pretend that your
own computer is the laptop that has been secured. Make the first entry in your log book
and describe how you would start this incident off correctly by properly protecting and
securing the evidence.
Answer: Your log should contain the information shown next. Tag the laptop with your
initials, the date, and the case number, and protect it from electromagnetic, mechanical, or
physical damage. If possible, store it in a room with minimal traffic, restricted access, camera
monitoring, and entry-logging capabilities.

Item Description   Investigator   Case #   Date         Time   Location        Reason
                   Smith          03-05    3 Nov 2003   0825   Room 621 safe   Safekeeping
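A paper log book works because entries are written in ink, in sequence, and initialed. The added example below (my code, not part of the textbook or its answer key) keeps the same columns in an electronic log and links each entry to the previous one with a SHA-256 hash chain, so any later edit to an entry is detectable. The item description and the second entry are assumptions for the demonstration; the first entry's values are the ones from the answer above.

```python
"""Append-only evidence log with a SHA-256 hash chain, so that a later
edit to any entry (or removal of one) is detectable."""
import hashlib
import json

GENESIS = "0" * 64   # prev-hash value for the very first entry


def canonical_hash(body):
    """SHA-256 of the entry serialised with sorted keys, so field order never matters."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class EvidenceLog:
    # Same columns as the log book above; every one is mandatory.
    FIELDS = ("item", "investigator", "case", "date", "time", "location", "reason")

    def __init__(self):
        self.entries = []

    def add(self, **fields):
        """Append one log-book line and return it."""
        missing = [f for f in self.FIELDS if f not in fields]
        if missing:
            raise ValueError(f"log entry incomplete, missing {missing}")
        body = {k: fields[k] for k in self.FIELDS}
        body["seq"] = len(self.entries) + 1
        body["prev_sha256"] = self.entries[-1]["entry_sha256"] if self.entries else GENESIS
        # The entry hash covers everything in the body, including the link back.
        entry = dict(body, entry_sha256=canonical_hash(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every entry's hash matches its body and its back-link."""
        prev = GENESIS
        for seq, e in enumerate(self.entries, start=1):
            body = {k: v for k, v in e.items() if k != "entry_sha256"}
            if e["seq"] != seq or e["prev_sha256"] != prev:
                return False
            if canonical_hash(body) != e["entry_sha256"]:
                return False
            prev = e["entry_sha256"]
        return True


def first_entry():
    """The first log-book line from the answer above (item description assumed)."""
    log = EvidenceLog()
    log.add(item="Laptop computer (assumed description)", investigator="Smith",
            case="03-05", date="3 Nov 2003", time="0825",
            location="Room 621 safe", reason="Safekeeping")
    return log


if __name__ == "__main__":
    log = first_entry()
    print(json.dumps(log.entries[0], indent=2))
    print("chain valid:", log.verify())
```

The chain only proves the log was not altered after the fact if the latest entry hash is recorded somewhere the log's author cannot change (printed and countersigned, or sent to a second custodian); otherwise an insider could edit an entry and simply re-hash the whole chain.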
Lab Projects
Lab Project 23.1
Use an MD5 or SHA-1 algorithm to obtain the hash value for a file of your choice. Record the
hash value. Change the file with a word processor or text editor. Obtain the hash value for the
modified file. Compare the result.
Answer: Any change to a file, even a single byte, produces a completely different hash value,
so running MD5 or SHA-1 on the two files gives two unrelated digests. (MD5 and SHA-1 are
no longer collision resistant, so for new work a forensic practitioner records SHA-256 as
well; the lab's point about detecting modification holds for any of them.) The following is an
example of calculating the MD5 hash on two files named MD5_example.txt and
MD5_example_after_change.txt. The files contain text identical to their file names.
C:\>dir md*.*
 Volume in drive C is LOCAL DISK
 Volume Serial Number is 3C62-11DE

 Directory of C:\

01/05/1999  04:03p              42,496 md5.exe
11/19/2003  11:45p                  15 MD5_example.txt
11/19/2003  11:46p                  28 MD5_example_after_change.txt
               3 File(s)         42,539 bytes
               0 Dir(s)   1,671,606,272 bytes free

C:\>md5 md5_example.txt
DFFB45394FC3452E796FD466B5A5F0F9

C:\>md5 md5_example_after_change.txt
2F023E53F27D8672E07D8E64E1728D36
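The same lab done with Python's hashlib, as an added example that is not part of the textbook or its answer key. It recreates the two files (content equal to their names) in a temporary directory, computes MD5, SHA-1 and SHA-256 in one pass over each file, and also shows that flipping a single bit is enough to change the digest entirely. Reading in chunks is deliberate: a disk image will not fit in memory. The temporary directory and the one-bit-flip helper are assumptions for the demonstration.

```python
"""Hash a file before and after a change, as in Lab Project 23.1."""
import hashlib
import os
import tempfile

CHUNK = 1 << 16   # read 64 KiB at a time so large images do not need to fit in memory


def digest_bytes(data, algo="sha256"):
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algo, data).hexdigest()


def hash_file(path, algos=("md5", "sha1", "sha256")):
    """One pass over the file, all requested digests computed at once."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def run_lab(workdir=None):
    """Recreate the two lab files (content equal to their names) and compare digests."""
    workdir = workdir or tempfile.mkdtemp()            # assumed scratch location
    before = os.path.join(workdir, "MD5_example.txt")
    after = os.path.join(workdir, "MD5_example_after_change.txt")
    with open(before, "wb") as f:
        f.write(b"MD5_example.txt")                     # 15 bytes, as in the dir listing
    with open(after, "wb") as f:
        f.write(b"MD5_example_after_change.txt")        # 28 bytes
    h_before, h_after = hash_file(before), hash_file(after)
    return {"before": h_before, "after": h_after,
            "changed": {a: h_before[a] != h_after[a] for a in h_before}}


def one_bit_flip(data):
    """Flip the lowest bit of the last byte; returns the SHA-256 digests before and after."""
    flipped = bytearray(data)
    flipped[-1] ^= 0x01
    return digest_bytes(data), digest_bytes(bytes(flipped))


if __name__ == "__main__":
    r = run_lab()
    for a in r["before"]:
        print(f"{a:7s} {r['before'][a]}  ->  {r['after'][a]}  changed={r['changed'][a]}")
    print("one bit flipped:", one_bit_flip(b"MD5_example.txt"))
```

Record the digest of the original drive before imaging and the digest of the image afterwards; if the two match, the copy is faithful, and any later digest that differs from the recorded one tells you the evidence has been altered.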