Cj 348 - Exam 2 - Ch. 7, 8, 9 & 11

It is possible for individuals to hide files in plain sight by renaming or changing the file extensions. By altering the name or extension of a file, it can be disguised as a different type of file or appear as a harmless file. This can be done to prevent others from easily finding or accessing the hidden files.

Peripheral devices are external hardware components that are connected to a computer system but are not essential for its basic functioning. They include devices such as printers, scanners, keyboards, mice, and speakers. These devices provide additional functionality and convenience to the user but are not necessary for the core operations of the computer. Therefore, the statement "Peripheral devices are devices that are not essential parts of a computer system" is true.

Cyberterrorism refers to the politically, religiously, or ideologically motivated use of computers (or related technology) to target critical infrastructure with the intention of causing harm to people or property in order to influence the population or government policies. This involves the use of cyber attacks to create fear, disrupt systems, and cause damage. It is different from cyberwarfare, which involves the use of cyber attacks by states against other states, and hacktivism, which involves politically motivated hacking activities by individuals or groups. Therefore, the correct answer is Cyberterrorism.

Encryption is the process of converting information into a code to prevent unauthorized access. By using encryption, an individual can protect their files or data by rendering them unreadable to anyone who does not have the encryption key or password. This ensures that third parties cannot access or use the file without the necessary credentials, providing a physical block to unauthorized access.

Chain of custody is the process by which investigators preserve the crime scene and evidence throughout the life cycle of a case. It involves documenting and maintaining a record of the movement and handling of evidence, from the time it is collected until it is presented in court. This ensures that the evidence is not tampered with or contaminated, and maintains its integrity and admissibility in court. Reporting, note taking, and videography may be part of the investigative process, but they do not specifically refer to the preservation of evidence and maintaining its chain of custody.

At a crime scene, it is important to capture photographs from different perspectives to provide a comprehensive view of the scene. Overall photographs help to establish the context and layout of the crime scene, documenting the entire area. Medium-range photographs focus on specific areas or objects within the crime scene, providing more detail and clarity. Close-range photographs capture fine details, such as fingerprints or bloodstains, which can be crucial for forensic analysis. By including overall, medium-range, and close-range photographs, investigators can ensure that all necessary information is captured and preserved for further examination.

Cookies are small files that are created by websites and stored on a user's computer hard drive when they visit a particular website. These files contain data such as user preferences, login information, and browsing activity. Cookies are used by websites to track user behavior, personalize content, and provide a better browsing experience. They are commonly used for purposes like remembering user preferences, keeping users logged in, and providing targeted advertisements.

Faraday bags are necessary to prevent messages from being sent or received by electronic devices. These bags are designed with a special material that creates a Faraday cage, which blocks electromagnetic signals from entering or leaving the bag. This is important in situations where electronic devices need to be isolated, such as during forensic investigations or in secure environments where signal interception is a concern. Antistatic bags, static banks, and antisignal bags do not serve the same purpose as Faraday bags, making them incorrect options.

A forensic toolkit should contain antistatic bags, tweezers, and pliers. Antistatic bags are used to store and transport electronic devices safely, preventing damage from electrostatic discharge. Tweezers are essential for handling small and delicate items, such as tiny screws or fragments. Pliers are useful for tasks like cutting wires or removing components. Therefore, all of the above items are necessary in a forensic toolkit to ensure proper handling and examination of evidence.

An email address consists of two main components: the username and the domain. The username is the unique identifier for the individual or entity that owns the email address, while the domain represents the server or service provider that hosts the email account. Together, the username and domain form a complete email address that allows messages to be sent and received.

The computer user may create various types of files such as documents, images, and graphics. Therefore, the correct answer is "all of the above" as it includes all the mentioned file types that can be created by the computer user.

Computer forensics investigators need to consider all of the mentioned factors when packaging and transporting evidence. Magnetic fields can potentially damage or alter the data stored on electronic devices, so precautions must be taken to shield the evidence from such fields. Static electricity can also corrupt or erase data, so proper grounding and anti-static measures are necessary. Corrosive elements can cause physical damage to the evidence, and temperature fluctuations can affect the integrity of the data. Therefore, all of these factors need to be taken into account to ensure the preservation and integrity of the evidence during transportation.

ARIN, or the American Registry for Internet Numbers, is responsible for assigning and registering IP addresses in the North American region. It is one of the five Regional Internet Registries (RIRs) that allocate and manage IP addresses worldwide. Each RIR is responsible for a specific geographic region, and ARIN specifically covers North America. They ensure that IP addresses are distributed fairly and efficiently, and also play a role in policy development and coordination within their region.

The correct answer is "All of the above" because the sketch should contain all the mentioned elements: the case number, location of the crime, and type of crime. These details are crucial for accurately representing the crime scene and providing necessary information for investigation purposes. Including all of these elements in the sketch ensures that it is comprehensive and helpful in solving the case.

The USA Patriot Act criminalized acts of cyberterrorism. This legislation was passed in response to the 9/11 attacks and aimed to enhance the powers of law enforcement agencies to prevent and investigate terrorist activities. The act included provisions that expanded the definition of terrorism to include cyberterrorism and provided law enforcement agencies with the authority to investigate and prosecute individuals involved in such acts.

The X-Originating-IP field reveals the real IP address of the computer from which the email was originally sent from. This field provides information about the source of the email and can be used to track the location and identity of the sender. The other options listed, such as Received, Message ID, and X-mailer, do not specifically indicate the real IP address of the sender.

The correct answer is "all of the above." This is because the communications industry, banking and finance industry, and energy industry are all examples of critical infrastructure. Critical infrastructure refers to the systems and assets that are essential for the functioning of a society and its economy. These industries play crucial roles in various aspects of daily life, such as communication, financial transactions, and energy supply. Therefore, all three industries mentioned are considered examples of critical infrastructure.

All of the options listed - food and agriculture industry, critical manufacturing industry, dams industry, and postal and shipping - can be considered examples of critical infrastructure. Critical infrastructure refers to the systems and assets that are essential for the functioning of a society and its economy. These industries play a crucial role in providing essential goods and services, ensuring the stability and security of a nation. Therefore, all of the options mentioned can be classified as critical infrastructure.

Peripheral devices are additional devices that can be connected to a computer system but are not necessary for its basic functioning. These devices include input devices like keyboards and mice, output devices like printers and monitors, storage devices like hard drives and USB flash drives, and communication devices like modems and routers. While they enhance the functionality and usability of a computer system, they are not essential for its core operations. Therefore, peripheral devices are considered as devices that are not essential parts of a computer system.

Stuxnet was a computer worm that was specifically designed to target and disrupt industrial control systems, particularly those used in Iran's nuclear program. It was discovered in 2010 and is believed to have been developed by a joint effort between the United States and Israel. Stuxnet was highly sophisticated and used multiple zero-day vulnerabilities to infiltrate and manipulate the programmable logic controllers (PLCs) used in the targeted systems. Its primary goal was to sabotage Iran's uranium enrichment facilities by causing physical damage to the centrifuges. Stuxnet is considered one of the most complex and destructive cyber weapons ever created.

Application logs are logs that contain the events logged by programs and applications. These logs record various activities and events performed by the applications and programs, including any errors or issues encountered. Therefore, the correct answer is "application."

The correct answer is notes, sketches, photographs, video, reports. This answer includes all the essential methods of documenting a crime scene. Notes are important for recording observations and details. Sketches help to provide a visual representation of the scene. Photographs capture the scene and any evidence present. Video footage allows for a comprehensive view of the crime scene. Reports summarize all the collected information and findings.

Hacktivism refers to the intentional access to a computer system and/or website without authorization or exceeding authorized access in pursuit of a political goal. It involves using hacking techniques to promote a social or political agenda, often through defacing or disrupting websites, leaking sensitive information, or launching cyber attacks. Unlike cyberterrorism, which aims to cause fear and harm for political or ideological reasons, hacktivism focuses on activism and using hacking as a means of protest or advocacy. Cyberwarfare, on the other hand, typically involves state-sponsored attacks on other nations' computer systems for military or strategic purposes.

Cyberwarfare refers to a state-sponsored cyberattack against another state's computers or information networks, which must amount to an "armed attack" and be committed in conjunction with real-world, physical attacks. This distinguishes cyberwarfare from cyberterrorism, which is the use of cyberattacks by non-state actors to intimidate or coerce governments or societies. Hacktivism, on the other hand, involves the use of hacking and other cyber techniques to promote political or social causes. Therefore, the correct answer is Cyberwarfare.

Unallocated space refers to the portion of a storage device that is available but has not been assigned or used for storing any data. This space can be either unused or previously used but deleted. It is different from a hidden partition, which is a separate section of a storage device that is not visible to the user. A bad cluster refers to a damaged or defective area on a storage device. Slack space, on the other hand, refers to the unused portion within a file's last cluster. Therefore, the correct answer is unallocated space.

In order to provide a narrative of what happened at the crime scene and how the investigation was conducted, reports are essential. Reports contain detailed information about the evidence collected, witness statements, forensic analysis, and any other relevant findings. They provide a comprehensive overview of the crime scene investigation, allowing investigators and other parties involved to understand the sequence of events and draw conclusions based on the evidence gathered. Videos, sketches, and other materials may also be used to support the reports, but the reports themselves are the primary source of information for documenting and analyzing the crime scene.

Electronic evidence should be kept in a forensic lab that is climate controlled, cool and dry, and protected from magnetic fields or radio frequency interference sources. This is because electronic devices are sensitive to temperature and humidity fluctuations, which can cause damage to the evidence. Additionally, magnetic fields and radio frequency interference can corrupt or erase the data stored on electronic devices. Therefore, keeping the forensic lab climate controlled, cool and dry, and free from magnetic fields or radio frequency interference sources ensures the preservation and integrity of electronic evidence.

Cyberterrorists seek to provoke widespread panic and fear, cause illness, and cause serious bodily harm. This means that they aim to create chaos and terrorize people through their actions. They may use cyberattacks or other malicious activities to achieve these objectives. Their ultimate goal is to cause harm and disrupt society, instilling fear and panic among the population.

The basic fields of header information in an email include the recipient (To), the sender (From), the subject of the email, and the date it was sent. These fields provide essential information for the email recipient to identify the sender, understand the purpose of the email, and determine when it was sent. The body of the email contains the actual content of the message, while the return address is not typically included in the header information.

Volatile data refers to data that is stored in temporary memory and is lost when the computer is powered off. It is not preserved in the hard drive. Therefore, the statement that volatile data is stored and preserved in the hard drive when the computer is powered off is false.

Videos and photographs are often used to document the overall crime scene. They complement each other by providing different perspectives and capturing different details. Videos can capture the movement and dynamics of the scene, while photographs can provide a more detailed and still image of specific areas or evidence. Together, they create a comprehensive documentation of the crime scene and evidence.

The Received-SPF field is intended for spam filtering. SPF (Sender Policy Framework) is an email authentication method that verifies the sender's identity and checks if the email is coming from an authorized source. By including the Received-SPF field in the email header, the recipient's email server can determine if the email has passed the SPF check and if it is likely to be legitimate or spam.

ICS-CERT seeks to reduce cyber risks by responding to and analyzing control systems incidents, providing support for incident response and forensic analysis, and coordinating efforts and sharing information among private agencies and local, state, federal, and tribal governments. This comprehensive approach allows ICS-CERT to address cyber risks from various angles and collaborate with different stakeholders to enhance cybersecurity in control systems.

The Message ID field consists of a unique string assigned by the sending e-mail server to the message. This identifier helps in tracking and identifying individual messages, allowing for efficient organization and retrieval of emails. It is typically used for message threading and to prevent duplicate delivery of messages.

A write blocker device is used to prevent anything from being written to the hard drive or other data source. It is a hardware tool that allows investigators to access and analyze data without altering or contaminating the original evidence. By using a write blocker device, investigators can ensure the integrity and admissibility of the evidence by preventing any accidental or intentional modification of the data. This is crucial in digital forensics and investigations to maintain the chain of custody and preserve the evidence in its original state.

To determine the original address from which a message was sent, a user should pay close attention to the "Message ID" field in the full header. The Message ID is a unique identifier assigned to each email message by the mail server. By analyzing the Message ID, the user can trace the path of the message and identify the original sender's address.

The correct answer is "a and b" because both the Cyber Security Enhancement Act of 2002 and the Homeland Security Act of 2002 include enhanced penalties for cybercrimes. These acts were enacted in order to strengthen the legal framework and increase the severity of punishments for individuals involved in cybercrimes, thereby enhancing cybersecurity measures and protecting against cyber threats. The National Defense Authorization Act may also have provisions related to cybercrimes, but it is not specifically mentioned in the question.

The correct answer is "All of the above" because email systems use multiple protocols to communicate with each other. The Simple Mail Transfer Protocol (SMTP) is used to send emails from one server to another. The Post Office Protocol 3 (POP3) is used to retrieve emails from a remote server. The Internet Message Access Protocol (IMAP) is used to access and manage emails on a remote server. Therefore, all of these protocols are essential for the functioning of email systems.

The X-Mailer field specifies the email system used to send the message. This field is typically included in the email header and provides information about the software or program that was used to compose and send the email. It can be helpful in identifying the source of the email and determining if it is legitimate or potentially suspicious. The other options listed (Received, Message ID, X-Originating-IP) do not specifically refer to the email system used to send the message.

None of the options provided (Received-SPF, Message ID, Return-Path, MIME-Version) are the correct answer. The field that makes a recommendation to the user as to the validity of the origin of the message and the integrity of its content is the DKIM (DomainKeys Identified Mail) field. DKIM is an email authentication method that uses a digital signature to verify that an email message was not altered during transit and that it came from the specified domain.