Sunday, October 13, 2019

forensic interview questions


  • Computer Forensics Interview Questions


What is MD5 checksum?
MD5 is a cryptographic hash function that produces a 128-bit (16-byte, 32 hex character) digest of its input. In forensics the MD5 of an image or file is recorded at acquisition and recomputed later to show that the evidence has not changed: any alteration to the data produces a different digest. MD5 is no longer collision resistant (two different files with the same MD5 can be constructed deliberately), so it should be recorded alongside a stronger hash such as SHA-256 rather than relied on alone to prove that a file is unique.

What is an .ISO file?
An ISO file is a sector-by-sector image of an optical disc, normally holding an ISO 9660 (or UDF) file system with the disc's files and executables. Most installers and bootable media are distributed as ISOs. The image can be mounted as a virtual drive, or opened directly in a forensic tool, and its contents browsed without ever burning it to a disc.

What is a SAM file?
The SAM (Security Accounts Manager) is the Windows registry hive, stored at %SystemRoot%\System32\config\SAM, that holds the local user accounts and their password hashes (LM and/or NT hashes), not the passwords themselves. Windows uses it to authenticate local accounts whether the logon comes from the console or over the network; domain accounts are authenticated against Active Directory instead. The hive is locked while Windows is running and its hashes are obfuscated with the boot key from the SYSTEM hive, but anyone holding copies of the SAM and SYSTEM hives (or a memory dump of a running machine) can extract the hashes, crack them offline, or use them directly in pass-the-hash attacks to gain access to the machine.

What is data mining?
Data mining is the process of analysing large data sets to discover patterns, correlations and anomalies, and to summarise them in reports. In an investigation it is applied to the artefacts already collected (logs, e-mail, browser history, financial records) to surface relationships and events that would not be visible by reading the records one at a time.

What is data carving?
Data carving differs from data mining in that it searches the raw bytes of a disk image for file contents, without relying on the file system at all. A carver scans for known file signatures (headers such as the JPEG marker FF D8 FF or the PNG signature 89 50 4E 47) and the matching footers or embedded length fields, then extracts the bytes in between. It is essential when the file system is corrupted or deliberately destroyed, and it is also how investigators recover deleted files whose directory entries are gone but whose contents still sit in unallocated space. Its main limitation is fragmentation: a simple carver assumes the file is stored contiguously.
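A minimal signature-based carver, added here as an illustration rather than taken from the original post or from any forensic tool. It scans a raw byte string for JPEG and PNG headers, extracts up to the matching footer, and flags a file whose footer is missing (overwritten or beyond the size cap) as incomplete instead of dropping it. The disk image it runs over is constructed inline from filler bytes and fake files.

```python
# Added example: signature-based file carving over a raw byte image.
# Not from the original post; the "disk image" below is constructed in code.
from typing import Dict, List

# File signatures: header bytes and the footer that ends the file.
SIGNATURES: Dict[str, Dict[str, bytes]] = {
    "jpeg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9"},
    # PNG footer is the IEND chunk: length 0, type IEND, CRC AE 42 60 82.
    "png": {"header": b"\x89PNG\r\n\x1a\n",
            "footer": b"\x00\x00\x00\x00IEND\xaeB`\x82"},
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[dict]:
    """Scan raw bytes for known headers and return the carved files.

    Works without any file system metadata. Each result records the
    file type, offset, size, whether a footer was found and the bytes.
    A file with no footer within max_size is returned truncated and
    flagged incomplete rather than silently dropped.
    """
    results = []
    for ftype, sig in SIGNATURES.items():
        header, footer = sig["header"], sig["footer"]
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_size)
            foot = image.find(footer, pos + len(header), window_end)
            if foot == -1:
                end, complete = window_end, False
            else:
                end, complete = foot + len(footer), True
            results.append({"type": ftype, "offset": pos, "size": end - pos,
                            "complete": complete, "data": image[pos:end]})
            # After a complete file continue past it; after a truncated one
            # keep scanning right after the header so nothing is skipped.
            pos = image.find(header, end if complete else pos + len(header))
    return sorted(results, key=lambda r: r["offset"])


# Constructed image: filler with no signatures, a fake PNG, a fake JPEG,
# and a JPEG whose tail (and footer) has been overwritten.
FILLER = b"\x00" * 64 + b"JUNK DATA WITH NO SIGNATURE " * 4
FAKE_PNG = SIGNATURES["png"]["header"] + b"\x00" * 40 + SIGNATURES["png"]["footer"]
FAKE_JPEG = SIGNATURES["jpeg"]["header"] + b"\xe0JFIF" + b"\x11" * 60 + SIGNATURES["jpeg"]["footer"]
TRUNCATED_JPEG = SIGNATURES["jpeg"]["header"] + b"\xe0JFIF" + b"\x22" * 30
SAMPLE_IMAGE = FILLER + FAKE_PNG + FILLER + FAKE_JPEG + FILLER + TRUNCATED_JPEG + FILLER

if __name__ == "__main__":
    for f in carve(SAMPLE_IMAGE):
        print("%-5s offset=%-5d size=%-4d complete=%s"
              % (f["type"], f["offset"], f["size"], f["complete"]))
```

Real carvers (Scalpel, PhotoRec, foremost) add per-format validation, such as walking PNG chunks or JPEG segments, so that a stray FF D9 inside another file does not end the carve early.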

What is steganography?
Steganography conceals the existence of a message by hiding it inside an innocuous carrier (another message or file, such as an image, an audio track or a document). It differs from encryption, which hides the content of a message but not the fact that one exists; the two are often combined. A common technique replaces the least significant bits of image pixels with message bits, which changes the picture imperceptibly.

Describe the SHA-1 hash
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function that produces a 160-bit (20-byte, 40 hex character) message digest. It has long been recorded alongside MD5 to verify the integrity of evidence, but practical collisions were demonstrated in 2017, so SHA-256 is now the preferred choice for new acquisitions.
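A routine for the MD5 and SHA-1 questions above, added as an example and not drawn from the original post: it hashes a file or stream with several algorithms in a single chunked pass, which is how an examiner would record MD5, SHA-1 and SHA-256 for a multi-gigabyte image without reading it three times, and verifies a recorded digest. The sample input is the "abc" test vector rather than a real evidence file.

```python
# Added example: computing MD5, SHA-1 and SHA-256 in one pass over a file
# or stream and verifying against a recorded value. Not from the original
# post; the sample input is a constructed test vector.
import hashlib
import io
from typing import BinaryIO, Dict, Iterable

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream: BinaryIO, algorithms: Iterable[str] = ALGORITHMS,
                chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a stream with several algorithms in a single read.

    Reads in chunks so that disk images larger than memory can be
    handled, and feeds each chunk to every hasher so the image is read
    once rather than once per algorithm.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path: str, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify(data: bytes, algorithm: str, expected: str) -> bool:
    """Compare a recorded digest with a fresh one; hex case does not matter."""
    return hash_bytes(data, (algorithm,))[algorithm] == expected.strip().lower()


SAMPLE = b"abc"   # constructed; a published test vector for MD5 and SHA-1

if __name__ == "__main__":
    for name, digest in hash_bytes(SAMPLE).items():
        print("%-6s %s" % (name, digest))
```

Recording all three digests costs one extra pass of CPU and nothing in I/O, and it means the chain of custody does not depend on MD5 or SHA-1 alone.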

How would you handle retrieving data from an encrypted hard drive?
First identify what is doing the encrypting: a full-disk product such as BitLocker, FileVault, LUKS or VeraCrypt, file-level encryption such as Windows EFS, or an application's own scheme. Volume headers and signatures usually reveal this, and the answer decides the approach. Look for keys before attacking the cipher: recovery keys and escrowed keys (Active Directory, a cloud account, a printed recovery sheet), key files, and, for simpler schemes, the configuration file that holds the key. If the machine is still running, capture memory first, because the volume keys are held in RAM; tools such as Elcomsoft Forensic Disk Decryptor can pull them from a memory dump or hibernation file. Otherwise use recovery tools such as Advanced EFS Data Recovery for EFS-encrypted files or EaseUS Data Recovery, and fall back to dictionary or brute-force attacks on the passphrase, which are only realistic when the passphrase is weak. Work on a verified copy of the image and document every step.

What is an ACL?
An access control list (ACL) is the list of access control entries attached to a resource (a file, directory, registry key or network object) stating which users, groups or processes may do what with it. Each entry names a principal and the permissions it is granted or denied, and the operating system evaluates the entries to decide whether an access request is allowed. On Windows a file's ACL lives in its security descriptor and can be viewed with icacls; on Unix systems POSIX ACLs extend the basic owner/group/other permission bits.

How would you be able to tell at the hex level that a file has been deleted in FAT12?
In FAT, deleting a file erases neither its data nor its directory entry. The file system sets the first byte of the file's 32-byte directory entry to 0xE5 (so the first character of the 8.3 name is lost) and releases the file's clusters by zeroing their entries in the FAT. Viewing the directory's sectors in a hex editor, a live entry begins with the first character of its name, a deleted entry begins with E5, and a first byte of 00 marks the end of the entries in use. The rest of the entry (attributes, timestamps, starting cluster and file size) survives, so the content can usually be recovered by reading from the starting cluster for the recorded size, provided the clusters have not been reused.
To confirm this with The Sleuth Kit, run fsstat against the FAT partition to get the layout (sector size, cluster size, location of the root directory), then run fls on the image to list files and directories. fls marks deleted entries with an asterisk and prints their metadata addresses, and istat or icat can then display or extract the recorded clusters.
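A decoder for FAT12/16 directory entries, added as an example rather than taken from the original post or from The Sleuth Kit. It walks 32-byte entries until the 00 end marker, skips VFAT long-name pieces and the volume label, decodes the packed modification date and time, and reports an entry whose first byte is E5 as deleted with the lost first character shown as "?". The directory sector is constructed with struct.pack, so the offsets and values are known.

```python
# Added example: decoding FAT12/16 32-byte directory entries and spotting
# deleted files by the 0xE5 marker. Not from the original post; the
# directory sector below is constructed with struct.pack.
import struct
from typing import List

ENTRY = struct.Struct("<11sBBBHHHHHHHI")   # 32 bytes per entry
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F


def fat_datetime(date: int, time: int) -> str:
    """Decode the packed FAT date (7-bit year from 1980, 4-bit month, 5-bit day)
    and time (5-bit hour, 6-bit minute, 5-bit two-second count)."""
    year = 1980 + (date >> 9)
    month = (date >> 5) & 0x0F
    day = date & 0x1F
    hour = time >> 11
    minute = (time >> 5) & 0x3F
    second = (time & 0x1F) * 2
    return "%04d-%02d-%02d %02d:%02d:%02d" % (year, month, day, hour, minute, second)


def parse_directory(data: bytes) -> List[dict]:
    """Walk directory entries until the 0x00 end-of-directory marker."""
    entries = []
    for off in range(0, len(data) - ENTRY.size + 1, ENTRY.size):
        raw = data[off:off + ENTRY.size]
        if raw[0] == 0x00:
            break                       # no entries in use beyond this point
        (name, attr, _nt, _tenth, _ctime, _cdate, _adate, hi,
         wtime, wdate, lo, size) = ENTRY.unpack(raw)
        if attr == ATTR_LONG_NAME or attr & ATTR_VOLUME_ID:
            continue                    # VFAT long-name pieces, volume label
        deleted = raw[0] == 0xE5        # first name byte overwritten on delete
        base = (b"?" + name[1:8] if deleted else name[:8]).decode("ascii", "replace").rstrip()
        ext = name[8:11].decode("ascii", "replace").rstrip()
        entries.append({
            "offset": off,
            "name": base + ("." + ext if ext else ""),
            "deleted": deleted,
            "directory": bool(attr & ATTR_DIRECTORY),
            "start_cluster": (hi << 16) | lo,   # hi word is always 0 on FAT12/16
            "size": size,
            "modified": fat_datetime(wdate, wtime),
        })
    return entries


def make_entry(name: bytes, attr: int, cluster: int, size: int, date: int, time: int) -> bytes:
    """Build a 32-byte entry (creation, access and write stamps set alike)."""
    return ENTRY.pack(name, attr, 0, 0, time, date, date, 0, time, date, cluster, size)


# Constructed root directory: one live file, one deleted file, then the end
# marker. 0x4F4D is 2019-10-13 and 0x73C0 is 14:30:00 in FAT packed form.
SAMPLE_DIRECTORY = (
    make_entry(b"README  TXT", 0x20, 2, 1234, 0x4F4D, 0x73C0)
    + make_entry(b"\xe5ECRET  DOC", 0x20, 5, 4096, 0x4F4D, 0x73C0)  # was SECRET.DOC
    + b"\x00" * 32
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIRECTORY):
        print("%-12s %s cluster=%d size=%d %s"
              % (e["name"], "DELETED" if e["deleted"] else "live   ",
                 e["start_cluster"], e["size"], e["modified"]))
```

Byte 32 of the sample is 0xE5 where the letter S used to be, which is exactly what the hex view shows on a real volume; everything after it in that entry is intact.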

What is a form of simple encryption often used by an intruder or criminal?
XOR (exclusive OR), usually with a single byte or a short repeating key. It is trivial to implement, reversed by applying the same key again, and common in malware for hiding strings, configuration and payloads. It is also trivial to break: XORing the ciphertext with a known piece of plaintext (a file header, a repeated string) yields the key directly, and a single-byte key can simply be brute-forced.
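An added example, not from the original post, of repeating-key XOR and the two ways an analyst usually undoes it: brute-forcing a one-byte key with a crib, and recovering a longer key from known plaintext at a known offset. The "malware configuration" blob and both keys are constructed here.

```python
# Added example: the repeating-key XOR "encryption" seen in malware and
# how quickly a known plaintext defeats it. Not from the original post;
# the configuration blob and keys are constructed here.
from itertools import cycle
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated as often as needed; encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known plaintext at offset 0 gives the key directly: key = ct XOR pt."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def brute_force_single_byte(ciphertext: bytes, crib: bytes) -> Optional[int]:
    """Try all 256 one-byte keys and return the first whose output contains crib."""
    for key in range(256):
        if crib in xor_bytes(ciphertext, bytes([key])):
            return key
    return None


def printable_ratio(data: bytes) -> float:
    """Scoring aid when no crib is available: real text is mostly printable."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) if data else 0.0


# Constructed "malware config" with the kind of header an analyst can guess.
CONFIG = b"[c2]\nhost=198.51.100.23\nport=4444\nsleep=300\n"
ENC_SINGLE = xor_bytes(CONFIG, b"\x5a")
ENC_REPEATING = xor_bytes(CONFIG, b"k3y!")

if __name__ == "__main__":
    key = brute_force_single_byte(ENC_SINGLE, b"host=")
    print("single-byte key: 0x%02x" % key)
    print(xor_bytes(ENC_SINGLE, bytes([key])).decode())
    print("repeating key:", recover_key(ENC_REPEATING, b"[c2]\n", 4))
```

When the key length is unknown, the usual approach is to try candidate lengths and pick the one at which the recovered key decodes the whole blob into text with a high printable ratio.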

If you needed to encrypt and compress data for transmission, which would you do first and why?
Compress first, then encrypt. Good ciphertext is indistinguishable from random data and contains no redundancy, so compressing it afterwards gains nothing and usually makes it slightly larger; compressing the plaintext first removes the redundancy and shrinks what has to be encrypted and transmitted. One caveat: when an attacker can place chosen text alongside secrets in the same compressed stream, the compressed length leaks information about the secrets (the CRIME and BREACH attacks on TLS), so attacker-controlled data and secrets should not share a compression context.
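A small demonstration of the size argument, added here and not part of the original post. It compresses a constructed, repetitive log payload with zlib in both orders. To stay free of third-party libraries the encryption is a keystream cipher built from SHA-256 in counter mode; it is an assumption standing in for AES in a real design, not a recommended construction. The key and nonce are constructed placeholders.

```python
# Added example: why the order matters. Compresses with zlib and encrypts
# with a small keystream cipher (SHA-256 in counter mode) so the block
# runs without third-party libraries; the cipher is a stand-in for AES,
# not a recommendation. Not from the original post; the payload, key and
# nonce are constructed here.
import hashlib
import struct
import zlib


def keystream_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stream-cipher XOR: keystream block i = SHA-256(key || nonce || i)."""
    out = bytearray()
    for block in range(0, len(data), 32):
        counter = struct.pack(">Q", block // 32)
        ks = hashlib.sha256(key + nonce + counter).digest()
        chunk = data[block:block + 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def compress_then_encrypt(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Recommended order: redundancy removed before encryption hides it."""
    return keystream_xor(zlib.compress(plaintext, 9), key, nonce)


def encrypt_then_compress(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Wrong order: zlib sees random-looking bytes and cannot shrink them."""
    return zlib.compress(keystream_xor(plaintext, key, nonce), 9)


def decrypt_and_decompress(blob: bytes, key: bytes, nonce: bytes) -> bytes:
    """Undo compress_then_encrypt."""
    return zlib.decompress(keystream_xor(blob, key, nonce))


# Constructed payload: repetitive log lines, the kind of data that compresses well.
PAYLOAD = b"".join(
    b"2019-10-13 14:%02d:00 sshd[4242]: Accepted publickey for analyst\n" % i
    for i in range(60))
KEY = b"\x01" * 32          # constructed placeholder; never hard-code a real key
NONCE = b"\x00" * 8         # constructed placeholder; must be unique per key in practice

if __name__ == "__main__":
    print("plaintext          :", len(PAYLOAD))
    print("compress->encrypt  :", len(compress_then_encrypt(PAYLOAD, KEY, NONCE)))
    print("encrypt->compress  :", len(encrypt_then_compress(PAYLOAD, KEY, NONCE)))
```

On this payload the compress-then-encrypt output is a small fraction of the plaintext, while the encrypt-then-compress output is a few bytes larger than the plaintext because zlib falls back to stored blocks.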

What is the difference between threat, vulnerability and risk?
A threat is anything that could cause harm to a system or organisation: an attacker, malware, an insider, or an event such as a power failure. It is the possibility of an attack, not the attack itself.
A vulnerability is a weakness in a system, process or control that a threat can exploit, such as an unpatched service or a default password.
Risk is the potential for loss that results when a threat exploits a vulnerability, usually expressed as the likelihood of that happening combined with the impact if it does. Removing the vulnerability, or reducing exposure to the threat, reduces the risk.

https://resources.infosecinstitute.com/category/computerforensics/introduction/computer-forensics-interview-questions/#gref