CHFI - my WGU notes
US Federal Rules of Evidence - Answer • 101 - Govern proceedings in the US and
before UC bankruptcy judges and magistrate judges
• 102 - Purpose and construction - the truth may be ascertained and proceedings justly
determined
• 103 - Ruling on evidence (if error- how to deal with it, if objection - how to deal with
etc)
• 105 - Limited admissibility - When evidence is admissible or not. When admissible for
one purpose but not another, the court will restrict the evidence to its scope
• Rule 402 - General Admissibility of Relevant Evidence
• Rule 502 - Attorney-Client privilege and work product; Limitations on waiver
• Rule 608 - Evidence of character and conduct of witness
• Rule 609 - Impeachment by evidence of a criminal conviction
• Rule 614 - Calling and interrogation of witnesses by court
• Rule 701 - Opinion testimony by lay witnesses
• Rule 705 - Disclosure of facts or data underlying expert opinion
• 801 - 804 Hearsay - Relaying to something 3rd party stated
• Rule 901 - Authenticating or Identifying Evidence
• 1001 - Definitions
• 1002 Requirement of original
• 1003 - Admissibility of Duplicates
• 1004 - Admissibility of other evidence of content
SWGDE - Answer Based on the SWGDE work to create the set of standards for
gathering of digital evidence.
• Criteria 1.1 - All agencies that seize and/or examine digital evidence must maintain an
appropriate SOP document
• Criteria 1.2 - Agency management must review the SOPs annually
• Criteria 1.3 - Procedures used must be generally accepted in the field
• Criteria 1.4 - The agency must maintain written copies of appropriate technical
procedures
• Criteria 1.5 - The agency must use hardware and software that is appropriate and
effective
• Criteria 1.6 - All activities must be recorded in writing and be available for review and
testimony
• Criteria 1.7 - Any action that has the potential to alter, damage, or destroy any aspect
of original evidence must be performed by qualified persons in a forensically sound
manner
Cloud Crime - Answer *Cloud as a subject It refers to a crime in which the attackers try
to compromise the security of a cloud environment to steal data or inject a malware. Ex:
Identity theft of cloud user's accounts, unauthorized modification or deletion of data
stored in the Cloud, installation of malware on the cloud, etc.
,*Cloud as an object when the attacker uses the cloud to commit a crime targeted
towards the CSP. The main aim of the attacker is to impact cloud service provider. Ex:
DDoS attacks that can bring the whole cloud down.
*Cloud as a tool when the attacker uses one compromised cloud account to attack other
accounts. In such cases, both the source and target cloud can store the evidence data.
Rule 101 - Answer Govern proceedings in the courts of the U.S. and before U.S.
bankruptcy judges and the U.S. magistrate judges, to the extent and with the exceptions
stated in rule 1101
Purpose and construction
law of evidence to the end that the truth may be ascertained and proceedings justly
determined - Answer Rule 102
Rule 103 - Answer Rulings on evidence
Rule 105 - Answer Limited Admissibility
When evidence is admissible or not and under what conditions 2. When evidence is
admissible for one purpose but not another, the court will restrict the evidence to its
scope
Rule 1001 - Answer Definitions
Consist of letters, words, or numbers, or their equivalent, set down by handwriting,
typewriting, printing, photostating, photographing, magnetic impulse, mechanical or
electric recording, or other forms of data
The UEFI boot process has five phases and each phase has its own role. These five
phases are: - Answer SEC (Security) Phase This phase of EFI consists of initialization
code that the system executes after powering the EFI system on. It manages platform
reset events and sets the system so that it can find, validate, install, and run the PEI.
PEI (Pre-EFI Initialization) Phase The PEI phase initializes the CPU, temporary
memory, and boot firmware volume (BFV). It locates and executes the Pre Initialization
chapters (PEIMs) present in the BFV so as to initialize all the found hardware in the
system. Finally, it creates a Hand-Off Block List with all found resources interface
descriptors and passes it to the next phase i.e. the DXE phase.
DXE (Driver Execution Environment) Phase Most of the initialization happens in this
phase. Using the Hand-Off Block List (HOBL), it initializes the entire system physical
memory, I/O, and MIMO (Memory Mapped Input Output) resources and finally begins
dispatching DXE Drivers present in the system Firmware Volumes (given in the HOBL).
The DXE core produces a set of EFI Boot Services and EFI Runtime Services. The EFI
Boot Services provided are allocating memory and loading executable images. The EFI
Runtime services provided are converting memory addresses from physical to virtual
,while handing over to the kernel, and resetting the CPU, to code running within the EFI
environment or within the OS kernel once the CPU takes the control of the system.
BDS (Boot Device Selection) Phase In this phase, the BDS interprets the boot
configuration data and selects the Boot Policy for later implementation. This phase
works with the DXE to check if the device drivers require signature verification. In this
phase, the system loads MBR boot code into memory for Legacy BIOS Boot or loads
the Bootloader program from the EFI partition for UEFI Boot. It also provides an option
for the user to choose EFI Shell or an UEFI application as the Boot Device from the
Setup.
RT (Run Time) Phase At this point, the system clears the UEFI program from memory
and transfers it to the OS. During UEFI BIOS update the OS calls the run time service
using a small part of the memory.
SEC - Answer SEC (Security) Phase This phase of EFI consists of initialization code
that the system executes after powering the EFI system on. It manages platform reset
events and sets the system so that it can find, validate, install, and run the PEI.
PEI - Answer (Pre-EFI Initialization) Phase The PEI phase initializes the CPU,
temporary memory, and boot firmware volume (BFV). It locates and executes the Pre
Initialization chapters (PEIMs) present in the BFV so as to initialize all the found
hardware in the system. Finally, it creates a Hand-Off Block List with all found resources
interface descriptors and passes it to the next phase i.e. the DXE phase.
DXE - Answer (Driver Execution Environment) Phase Most of the initialization happens
in this phase. Using the Hand-Off Block List (HOBL), it initializes the entire system
physical memory, I/O, and MIMO (Memory Mapped Input Output) resources and finally
begins dispatching DXE Drivers present in the system Firmware Volumes (given in the
HOBL). The DXE core produces a set of EFI Boot Services and EFI Runtime Services.
The EFI Boot Services provided are allocating memory and loading executable images.
The EFI Runtime services provided are converting memory addresses from physical to
virtual while handing over to the kernel, and resetting the CPU, to code running within
the EFI environment or within the OS kernel once the CPU takes the control of the
system.
BDS (Boot Device Selection) - Answer Phase In this phase, the BDS interprets the boot
configuration data and selects the Boot Policy for later implementation. This phase
works with the DXE to check if the device drivers require signature verification. In this
phase, the system loads MBR boot code into memory for Legacy BIOS Boot or loads
the Bootloader program from the EFI partition for UEFI Boot. It also provides an option
for the user to choose EFI Shell or an UEFI application as the Boot Device from the
Setup.
, RT (Run Time) - Answer Phase At this point, the system clears the UEFI program from
memory and transfers it to the OS. During UEFI BIOS update the OS calls the run time
service using a small part of the memory.
Superblock holds the following information: - Answer Magic Number: It allows the
mounting software to verify the Superblock for the EXT2 file system. For the present
EXT2 version, it is 0xEF53. •
Revision Level: The major and minor revision levels allow the mounting code to
determine whether or not this file system supports features that are only available in
particular revisions of the file system. There are also feature compatibility fields that
help the mounting code to determine which new features can safely be used on this file
system. •
Mount Count and Maximum Mount Count: Together these allow the system to
determine if it needs to fully check the file system. The mount count increments each
time the system mounts the file system and displays the warning message of "maximal
mount count reached, running e2fsck is recommended'' when it equals the maximum
mount count
GUID Partition Table (GPT) - Answer LBA0 - stores the protective MBR
LBA1- contains the GPT header
LBA2- GPT header comprises a pointer partition table or Partition Array at LBA2
LBA34 - the first usable sector
Sending Email using the following machine reliable language - Answer ASCI
UNICODE - Answer Microsoft Work, Java, XML and .Net
Power Point Format - Answer PPT- Power Point Format
EaseUS Data Recovery Wizard - Answer EaseUS Data Recovery Wizard software is
used to do format recovery and unformat and recover deleted files emptied from the
Recycle Bin or data lost due to partition loss or damage, software crash, virus infection,
unexpected shutdown, or any other unknown reasons under Windows 10, 8, 7,
2000/XP/Vista/2003/2008 R2 SP1/Windows 7 SP1. This software supports hardware
RAID and hard drive, USB drive, SD card, memory card
Recover My Files - Answer data recovery software recovers deleted files emptied from
the Windows Recycle Bin and files lost due to the format or corruption of a hard drive,
virus or Trojan infection, and unexpected system shutdown or software failure
• Recovers files even if emptied from the Recycle Bin data
• Recovers files after accidental format, even after Windows is reinstalled
• Performs disk recovery after a hard disk crash • Recovers files after a partitioning
error
• Recovers data from RAW hard drives
US Federal Rules of Evidence - Answer • 101 - Govern proceedings in the US and
before UC bankruptcy judges and magistrate judges
• 102 - Purpose and construction - the truth may be ascertained and proceedings justly
determined
• 103 - Ruling on evidence (if error- how to deal with it, if objection - how to deal with
etc)
• 105 - Limited admissibility - When evidence is admissible or not. When admissible for
one purpose but not another, the court will restrict the evidence to its scope
• Rule 402 - General Admissibility of Relevant Evidence
• Rule 502 - Attorney-Client privilege and work product; Limitations on waiver
• Rule 608 - Evidence of character and conduct of witness
• Rule 609 - Impeachment by evidence of a criminal conviction
• Rule 614 - Calling and interrogation of witnesses by court
• Rule 701 - Opinion testimony by lay witnesses
• Rule 705 - Disclosure of facts or data underlying expert opinion
• 801 - 804 Hearsay - Relaying to something 3rd party stated
• Rule 901 - Authenticating or Identifying Evidence
• 1001 - Definitions
• 1002 Requirement of original
• 1003 - Admissibility of Duplicates
• 1004 - Admissibility of other evidence of content
SWGDE - Answer Based on the SWGDE work to create the set of standards for
gathering of digital evidence.
• Criteria 1.1 - All agencies that seize and/or examine digital evidence must maintain an
appropriate SOP document
• Criteria 1.2 - Agency management must review the SOPs annually
• Criteria 1.3 - Procedures used must be generally accepted in the field
• Criteria 1.4 - The agency must maintain written copies of appropriate technical
procedures
• Criteria 1.5 - The agency must use hardware and software that is appropriate and
effective
• Criteria 1.6 - All activities must be recorded in writing and be available for review and
testimony
• Criteria 1.7 - Any action that has the potential to alter, damage, or destroy any aspect
of original evidence must be performed by qualified persons in a forensically sound
manner
Cloud Crime - Answer *Cloud as a subject It refers to a crime in which the attackers try
to compromise the security of a cloud environment to steal data or inject a malware. Ex:
Identity theft of cloud user's accounts, unauthorized modification or deletion of data
stored in the Cloud, installation of malware on the cloud, etc.
,*Cloud as an object when the attacker uses the cloud to commit a crime targeted
towards the CSP. The main aim of the attacker is to impact cloud service provider. Ex:
DDoS attacks that can bring the whole cloud down.
*Cloud as a tool when the attacker uses one compromised cloud account to attack other
accounts. In such cases, both the source and target cloud can store the evidence data.
Rule 101 - Answer Govern proceedings in the courts of the U.S. and before U.S.
bankruptcy judges and the U.S. magistrate judges, to the extent and with the exceptions
stated in rule 1101
Purpose and construction
law of evidence to the end that the truth may be ascertained and proceedings justly
determined - Answer Rule 102
Rule 103 - Answer Rulings on evidence
Rule 105 - Answer Limited Admissibility
When evidence is admissible or not and under what conditions 2. When evidence is
admissible for one purpose but not another, the court will restrict the evidence to its
scope
Rule 1001 - Answer Definitions
Consist of letters, words, or numbers, or their equivalent, set down by handwriting,
typewriting, printing, photostating, photographing, magnetic impulse, mechanical or
electric recording, or other forms of data
The UEFI boot process has five phases and each phase has its own role. These five
phases are: - Answer SEC (Security) Phase This phase of EFI consists of initialization
code that the system executes after powering the EFI system on. It manages platform
reset events and sets the system so that it can find, validate, install, and run the PEI.
PEI (Pre-EFI Initialization) Phase The PEI phase initializes the CPU, temporary
memory, and boot firmware volume (BFV). It locates and executes the Pre Initialization
chapters (PEIMs) present in the BFV so as to initialize all the found hardware in the
system. Finally, it creates a Hand-Off Block List with all found resources interface
descriptors and passes it to the next phase i.e. the DXE phase.
DXE (Driver Execution Environment) Phase Most of the initialization happens in this
phase. Using the Hand-Off Block List (HOBL), it initializes the entire system physical
memory, I/O, and MIMO (Memory Mapped Input Output) resources and finally begins
dispatching DXE Drivers present in the system Firmware Volumes (given in the HOBL).
The DXE core produces a set of EFI Boot Services and EFI Runtime Services. The EFI
Boot Services provided are allocating memory and loading executable images. The EFI
Runtime services provided are converting memory addresses from physical to virtual
,while handing over to the kernel, and resetting the CPU, to code running within the EFI
environment or within the OS kernel once the CPU takes the control of the system.
BDS (Boot Device Selection) Phase In this phase, the BDS interprets the boot
configuration data and selects the Boot Policy for later implementation. This phase
works with the DXE to check if the device drivers require signature verification. In this
phase, the system loads MBR boot code into memory for Legacy BIOS Boot or loads
the Bootloader program from the EFI partition for UEFI Boot. It also provides an option
for the user to choose EFI Shell or an UEFI application as the Boot Device from the
Setup.
RT (Run Time) Phase At this point, the system clears the UEFI program from memory
and transfers it to the OS. During UEFI BIOS update the OS calls the run time service
using a small part of the memory.
SEC - Answer SEC (Security) Phase This phase of EFI consists of initialization code
that the system executes after powering the EFI system on. It manages platform reset
events and sets the system so that it can find, validate, install, and run the PEI.
PEI - Answer (Pre-EFI Initialization) Phase The PEI phase initializes the CPU,
temporary memory, and boot firmware volume (BFV). It locates and executes the Pre
Initialization chapters (PEIMs) present in the BFV so as to initialize all the found
hardware in the system. Finally, it creates a Hand-Off Block List with all found resources
interface descriptors and passes it to the next phase i.e. the DXE phase.
DXE - Answer (Driver Execution Environment) Phase Most of the initialization happens
in this phase. Using the Hand-Off Block List (HOBL), it initializes the entire system
physical memory, I/O, and MIMO (Memory Mapped Input Output) resources and finally
begins dispatching DXE Drivers present in the system Firmware Volumes (given in the
HOBL). The DXE core produces a set of EFI Boot Services and EFI Runtime Services.
The EFI Boot Services provided are allocating memory and loading executable images.
The EFI Runtime services provided are converting memory addresses from physical to
virtual while handing over to the kernel, and resetting the CPU, to code running within
the EFI environment or within the OS kernel once the CPU takes the control of the
system.
BDS (Boot Device Selection) - Answer Phase In this phase, the BDS interprets the boot
configuration data and selects the Boot Policy for later implementation. This phase
works with the DXE to check if the device drivers require signature verification. In this
phase, the system loads MBR boot code into memory for Legacy BIOS Boot or loads
the Bootloader program from the EFI partition for UEFI Boot. It also provides an option
for the user to choose EFI Shell or an UEFI application as the Boot Device from the
Setup.
, RT (Run Time) - Answer Phase At this point, the system clears the UEFI program from
memory and transfers it to the OS. During UEFI BIOS update the OS calls the run time
service using a small part of the memory.
Superblock holds the following information: - Answer Magic Number: It allows the
mounting software to verify the Superblock for the EXT2 file system. For the present
EXT2 version, it is 0xEF53. •
Revision Level: The major and minor revision levels allow the mounting code to
determine whether or not this file system supports features that are only available in
particular revisions of the file system. There are also feature compatibility fields that
help the mounting code to determine which new features can safely be used on this file
system. •
Mount Count and Maximum Mount Count: Together these allow the system to
determine if it needs to fully check the file system. The mount count increments each
time the system mounts the file system and displays the warning message of "maximal
mount count reached, running e2fsck is recommended'' when it equals the maximum
mount count
GUID Partition Table (GPT) - Answer LBA0 - stores the protective MBR
LBA1- contains the GPT header
LBA2- GPT header comprises a pointer partition table or Partition Array at LBA2
LBA34 - the first usable sector
Sending Email using the following machine reliable language - Answer ASCI
UNICODE - Answer Microsoft Work, Java, XML and .Net
Power Point Format - Answer PPT- Power Point Format
EaseUS Data Recovery Wizard - Answer EaseUS Data Recovery Wizard software is
used to do format recovery and unformat and recover deleted files emptied from the
Recycle Bin or data lost due to partition loss or damage, software crash, virus infection,
unexpected shutdown, or any other unknown reasons under Windows 10, 8, 7,
2000/XP/Vista/2003/2008 R2 SP1/Windows 7 SP1. This software supports hardware
RAID and hard drive, USB drive, SD card, memory card
Recover My Files - Answer data recovery software recovers deleted files emptied from
the Windows Recycle Bin and files lost due to the format or corruption of a hard drive,
virus or Trojan infection, and unexpected system shutdown or software failure
• Recovers files even if emptied from the Recycle Bin data
• Recovers files after accidental format, even after Windows is reinstalled
• Performs disk recovery after a hard disk crash • Recovers files after a partitioning
error
• Recovers data from RAW hard drives
