Network Security - Advanced Security and Beyond

1. ______Computer Forensic___________ can attempt to retrieve information that can be used in the pursuit of the criminal.
2. The reasons to make computer forensics more important are: ___High amount of digital evidence; increased scrutiny by legal profession; higher lever of computer skill by criminals.
3. List the ways that computer forensics is different from standard investigations: __Volume of electronic evidence; Distribution of evidence; Dynamic content; False leads; Encrypted evidence; Hidden evidence.
4. Taking photographs of the crime scene is a step to ___secure the crime scene________.
5. The computer forensic team first captures _______volatile____________ data to preserve the data; this includes any data in _______content of RAM; Current network connections; Logon sessions; network configurations; open files.
6. _____Mirror image (bit-stream)____________ backups create exact replicas of the computer contents at the crime scene.
7. The ____chain of custody___________ documents that the evidence was under strict control all times and no unauthorized person was given the opportunity to corrupt the evidence.
8. __RAM slack______________ are data from RAM that is used to fill up the last sector on a disk.

9. 
   

Forensic Team Step	Action
Secure the crime scene	Instruct users to call response team at first hint of security issue.
	Document surroundings
	Label and photograph equipment
	Take custody of computer, peripherals, and media.
Preserve the data	Capture volatile data
	Perform mirror image backup
Establish chain of custody	Document in detail location of evidence
Examine for evidence	Search files, document, e-mail etc.
	Examine Windows page files.
	Explore RAM slack
	Look at file slack

10. ___Trusted Platform Model (TPM)___________ is to make a cryptographic coprocessor standard equipment on every microprocessor.
11. ____Behavior blocking_________ protects computers by recognizing when they are not acting normally.
12. ______Host intrusion prevention (HIP)_ restricts the availability of functions such as read, write and execute and protects system resources such as ports, files, and registry keys.