WGU Forensics and Network Intrusion - C702 - 330 Q&A (answered 2023)
1. Computer forensics: refers to a set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document and present evidence from computing equipment that is acceptable in a court of law.
2. Cybercrime is defined as: any illegal act involving a computing device, network, its systems, or its applications. It is categorized into two types based on the line of attack: internal attacks and external attacks.
3. Computer crimes: pose new challenges for investigators due to their speed, anonymity, the volatile nature of evidence, the global origin of the crimes and differences in laws, and limited legal understanding.
4. Approaches to manage cybercrime investigations include: civil, criminal, and administrative approaches.
5. Digital evidence is: "any information of probative value that is either stored or transmitted in a digital form". It is of two types: volatile (lost when the power is off) and non-volatile (no difference if the power is off).
6. Forensic readiness refers to: an organization's ability to optimally use digital evidence in a limited period of time and with minimal investigation costs. It helps maintain business continuity and involves practice drills. It includes technical and non-technical actions that maximize an organization's competence to use digital evidence. Plan:
   1. Identify potential evidence required.
   2. Determine the source.
   3. Define policy.
   4. Establish policy.
   5. Identify if a full/formal investigation is required.
   6. Create a process for documenting the procedure.
   7. Legal advisory board.
   8. Keep the incident response team ready.
7. Organizations often include computer forensics as part of their: incident response plan to track and prosecute the perpetrators of an incident.
8. Which of the following is true regarding computer forensics?: Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them.
9. Which of the following is not an objective of computer forensics?: Document vulnerabilities allowing further loss of intellectual property, finances, and reputation during an attack.
10. What is not an impact of cybercrime?: Huge financial gain
11. Which of the following is true of cybercrimes?: Investigators, with a warrant, have the authority to forcibly seize the computing devices.
12. Which of the following is true of civil crimes?: The initial reporting of the evidence is generally informal.
13. Which of the following is a user-created source of potential evidence?: Address book
14. Which of the following is a computer-created source of potential evidence?: Steganography
15. Under which of the following conditions will duplicate evidence not suffice?: When original evidence is in possession of the originator
16. Rules:
   - Rule 101: Scope (in US)
   - Rule 102: Purpose (truth and justice)
   - Rule 103: Rulings on Evidence
   - Rule 104: Preliminary Questions
   - Rule 105: Limited Admissibility (proper scope)
   - Rule 502: Attorney-Client Privilege and Work Product; Limitations on Waiver
   - Rule 608: A Witness's Character for Truthfulness or Untruthfulness
   - Rule 609: Impeachment by Evidence of a Criminal Conviction
   - Rule 614: Court's Calling or Examining a Witness
   - Rule 701: Opinion Testimony by Lay Witnesses
   - Rule 705: Disclosing the Facts or Data Underlying an Expert's Opinion
   - Rule 801: Definitions That Apply to This Article; Exclusions from Hearsay
   - Rule 803: Exceptions to the Rule Against Hearsay, Regardless of Whether the Declarant Is Available as a Witness
   - Rule 804: Exceptions to the Rule Against Hearsay, When the Declarant Is Unavailable as a Witness
   - Rule 901: Authenticating or Identifying Evidence
   - Rule 1001: Definitions That Apply to This Article
   - Rule 1002: Requirement of the Original
   - Rule 1003: Admissibility of Duplicates
   - Rule 1004: Admissibility of Other Evidence of Content
17. Minimizing the tangible and intangible losses to the organization or an individual is considered an essential computer forensics use.: True
18. Cybercrimes can be classified into the following two types of attacks, based on the line of attack.: Internal and external
19. Espionage, theft of intellectual property, manipulation of records, and Trojan horse attacks are examples of what?: Insider attacks or primary threats
20. External attacks originate from outside of an organization or can be remote in nature. Such attacks occur when: there are inadequate information-security policies and procedures.
21. Which type of cases involve disputes between two parties?: Civil cases involve disputes between two parties, which may include an individual versus a company, an individual versus another individual, or one company versus another.
22. ____ is the standard investigative model used by the FBI when conducting investigations against major criminal organizations.: Enterprise Theory of Investigation (ETI)
23. Gramm-Leach-Bliley Act (GLBA): requires companies that offer financial products or services to protect customer information against security threats; it protects customers' sensitive data by requiring financial institutions to inform their customers of their information-sharing practices.
24. Investigators can immediately take action after receiving a report of a security incident.: False. Investigators cannot jump into action immediately after receiving a complaint or report of a security incident; they have to follow a specific protocol that includes gathering plaintiff information and the type of incident, and obtaining permission and warrants before taking further action.
25. Computer Forensics Tool Testing Program (CFTT): a methodology for testing computer forensics software tools by developing general tool specifications, test procedures, test criteria, test sets, and test hardware.
26. (Digital Data Storage) The disk drive is a hardware device that reads data from a disk and writes onto another computer disk. Types of disk drives include: magnetic storage devices, optical storage devices, and flash memory devices.
27. The logical structure of a hard disk is: the file system and software utilized to control access to the storage on the disk.
28. SSD is a data storage device that uses: solid-state flash memory to store data and provides access to the stored data in the same manner as an HDD; however, SSDs are significantly faster than HDDs.
29. Booting refers to: the process of starting or restarting OSes when the user turns on a system. It is of two types: cold boot (hard boot) and warm boot (soft boot).
30. A file system is a: set of data types employed for storage, hierarchical categorization, management, navigation, access, and data recovery.
31. Tools such as Autopsy and The Sleuth Kit can be used to: analyze files of various file systems.
32. RAID and JBOD storage systems contain: multiple hard disks and maintain large amounts of data; they help in decreasing the loss of data in case of the failure of a single disk.
33. Hex editors: Files of different formats can be analyzed using tools such as hex editors to understand the original format of the file (in case the file has been tampered with).
34. First field in a volume descriptor:
   - Number 0: indicates that the volume descriptor is a boot record
   - Number 1: indicates that the volume descriptor is a primary volume descriptor
   - Number 2: indicates that the volume descriptor is a supplementary volume descriptor
   - Number 3: indicates that the volume descriptor is a volume partition descriptor
   - Number 255: indicates that the volume descriptor is a volume descriptor set terminator
35. Disk partitions:
   - Primary partition: the drive that holds information regarding the OS, the system area, and other information required for booting.
   - Extended partition: the logical drive that holds information regarding the data and files stored on the disk.
36. Booting process:
   - Cold booting: occurs when the user first turns on the computer. Also called hard booting, this is required after the user completely cuts the power supply to the system.
   - Warm booting: occurs when the user restarts the computer via the OS.
   Windows XP, Vista, and 7 OSes power on and start up using the conventional BIOS-MBR method. Windows 8 and later versions use the newer UEFI-GPT method.
37. Basic partitioning tools: DiskPart displays details about GPT partition tables in Windows OS; Mac systems use the OS X Disk Utility; Linux uses the GNU Parted tool.
38. Linux boot process:
   - ____ stage: initializes the system hardware; POST happens
   - Bootloader stage: loads the Linux kernel and optional initial RAM disk
   - Kernel stage
39. FAT partition boot sector:
   - the first sector (512 bytes) of a FAT file system
   - holds data used by the file system to access the partition or volume
   - consists of data that the file system uses to access the volume
   - loads the operating system files
   FAT12: 1.5 bytes per cluster, limit 4087 clusters. FAT16: 2 bytes per cluster, limit 4087 - 65,256 clusters. FAT32: 4 bytes per cluster, limit 65,526 - 268,435,456 clusters.
40. NTFS architecture:
   - Hard disk: comprises at least one partition
   - Master Boot Record: contains executable master boot code that the computer system BIOS loads into memory; this code is used to scan the Master Boot Record to locate the partition table and find out which partition is active/bootable
   - Boot sector: also known as the volume boot record (VBR), it is the very first sector found in an NTFS filesystem; it stores the boot code and other information, such as the type, location, and size of data in the NTFS filesystem
   - N: As a boot loader, it accesses the NTFS filesystem and loads contents of the file
   - N: It is a computer system file driver for NTFS
   - Kernel mode: the processing mode that permits the executable code to have direct access to all the system components
   - User mode: the processing mode in which an executable program or code runs
   - Many system files are stored in the root directory of an NTFS volume; these files contain file-system metadata.
   - Now the standard file system: improvements over FAT in performance, reliability, and disk space utilization, as well as security access-control lists and file system journaling (resilience to errors).
41. The superblock holds the following information:
   - Magic number: allows the mounting software to verify the superblock for the ext2 file system. For the present ext2 version, it is 0xEF53.
   - Revision level: the major and minor revision levels allow the mounting code to determine whether a file system supports features that are only available in particular revisions of the file system. There are also feature compatibility fields that help the mounting code determine which new features can safely be used on the file system.
   - Mount count and maximum mount count: together, these allow the system to determine if it needs to fully check the file system. The mount count is incremented each time the system mounts the file system. When the mount count reaches the maximum mount count, the warning message "maximal mount count reached, running e2fsck is recommended" is displayed.
   - Block group number: the block-group number containing the superblock copy
   - Block size: the size of a block for the file system in bytes
   - Blocks per group: a fixed number equal to the number of blocks in a group
   - Free blocks: the number of free blocks in the file system
   - Free inodes: the number of free inodes in the file system
   - First inode: the inode number of the first inode of the file system
Written for
- Institution: Western Governors University
- Course: WGU C702
Document information
- Uploaded on: 27 March 2023
- Number of pages: 101
- Written in: 2022/2023
- Type: Exam (worked answers)
- Contains: Questions and answers