Legal
This chronological documentation records the seizure, custody, control, and transfer of evidence
What is the Chain of Custody?
These "shortcuts" record the last time a file was opened, even if the file was deleted.
What are LNK files?
This "hidden" file in a user's home directory tracks commands entered into the command line.
What is .bash_history?
Public Cloud forensics is generally heavily involved with the evaluation of __________.
logs
T/F: Even if spoliation occurs in good faith, the trial judge might still suppress (disqualify) the forensic evidence or permit an adverse inference.
True
This doctrine allows the seizure of evidence not in a warrant if seen in the open during a lawful search.
What is the Plain View (Sight) Doctrine?
Located in System32\config, this Registry hive contains the "LastWrite" times for USB devices.
What is the SYSTEM hive?
This /var/log file is the primary source for investigating failed SSH logins and sudo usage.
What is auth.log (or secure)?
This file format is the standard for "Full Packet Captures," recording every bit of data.
What is PCAP?
In a SSD: Factory Access Mode allows for reading the encryption key directly from the drive _______, enabling a usable bitstream image to be obtained from the device, without changing the original evidence.
firmware
The ________ amendment protects against the government being able to force a person to decrypt data.
5th
Within the NTFS Master File Table (MFT), these two specific attributes store timestamp data; one is easily modified by user-level "timestomping" tools, while the other is typically only updated by the OS kernel, creating a discrepancy for investigators.
What are $Standard_Information ($SI) and $File_Name ($FN)?
This is the primary command-line tool used by investigators to query and filter the binary logs managed by systemd.
What is journalctl?
To reconstruct a captured VoIP call in Wireshark, an investigator must first navigate to the Telephony menu and analyze streams using this specific protocol.
What is RTP (Real-time Transport Protocol)?
This technique recovers files by searching for "magic bytes" when the metadata is missing.
What is Data Carving?
The ________ decision established that the government must know in advance both that a certain piece of evidence exists and its location before a defendant can be compelled to produce that evidence.
Hoffman
This hidden file records every change made to the filesystem metadata, allowing an investigator to see what files were created or deleted even if the MFT entry has been overwritten.
What is the $UsnJrnl (Update Sequence Number Journal)?
WildCard
Wildcard
This security solution monitors and inspects "data in motion" across the network to prevent sensitive information like SSNs or credit card numbers from being exfiltrated.
What is Network DLP (Data Loss Prevention)?
This specific recovery metric defines the maximum age of the files an organization is willing to lose (e.g., "We must be able to recover data from 1 hour ago").
What is RPO (Recovery Point Objective)?
This 1993 Supreme Court case set the standard for admitting expert scientific testimony.
Name Case or Standard.
What is Daubert (v. Merrell Dow Pharmaceuticals)?
While this artifact provides the "Run Count" and evidence that an application was actually executed by the CPU, this other artifact is used to prove a user's intent by tracking which specific documents or folders they manually opened.
What are Prefetch and LNK Files?
To view logs for a specific background service, such as a malicious script running as a daemon, an investigator would use the -u flag followed by this.
What is the Unit Name?
This specific Wazuh module monitors changes to critical system files and can alert an investigator if an attacker modifies a Windows DLL or a Linux binary.
What is FIM (File Integrity Monitoring)?
When a user deletes a file in Windows, it is moved here and renamed with a string starting with $R or $I.
What is the Recycle Bin ($Recycle.Bin)?