470 midterm study guide
What hexadecimal code below identifies an NTFS file system in the partition table?
07
A Master Boot Record (MBR) partition table marks the first partition starting at what offset?
0x1BE
At what distance can the EMR from a computer monitor be picked up
1/2 mile
When was the Freedom of Information Act originally enacted?
1960s
What is the maximum amount of time computing components are designed to last in normal business operations?
36 months
By what percentage can lossless compression reduce image file size?
50%
A typical disk drive stores how many bytes in a single sector?
512
When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action? Correct!
80 degrees or higher
Which term refers to an accusation or supposition of fact that a crime has been committed and is made by the complainant, based on the incident?
Allegation
What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?
An affidavit
What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible?
An initial-response field kit
What term refers to the individual who has the power to conduct digital forensic investigations?
Authorized requester
The ReFS storage engine uses a __________ sort method for fast access to large data sets.
B+tree
In what process is the acquisition of newer and better resources for investigation justified?
Building a business case
When federal courts are evaluating digital evidence from computer-generated records, what exception is applied to hearsay?
Business-records exception
When confidential business data are included with the criminal evidence, what are they referred to as?
Commingled data
Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?
Computer Analysis and Response Team
What process refers to recording all the updates made to a workstation?
Configuration management
Which Pacific Northwest agency meets to discuss problems that digital forensics examiners encounter?
Criminal
A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?
Digital forensics
Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?
Digital investigations
When an investigator seeks a search warrant, which of the following must be included in an affidavit to support the allegation of a crime?
Exhibits
Which group often works as part of a team to secure an organization's computers and networks?
Forensics investigators
What organization was created by police officers in order to formalize credentials for digital investigators?
IACIS
Which agency introduced training on software for forensics investigations by the early 1990s?
IACIS
Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes?
Investigating and controlling the scene is much easier in private sector environments.
What must be done, under oath, to verify that the information in the affidavit is true?
It must be notarized.
What does Autopsy use to validate an image?
MD5
What is most often the focus of digital investigations in the private sector?
Misuse of digital assets
In addition to FAT16, FAT32, and Resilient File System, which file system can Windows hard disks also use?
NTFS
Without a warning banner, what right might employees assume they have when using a company's computer systems and network accesses?
Privacy
Methods for restoring large data sets are important for labs using which type of servers?
RAID
Which RAID configuration, also called mirrored striping, is a combination of RAID 1 and RAID 0?
RAID 10
Which RAID configuration offers the greatest access speed and most robust data recovery capability?
RAID 15
In addition to RAID 0, what type of RAID configuration is available for Windows XP, 2000, and NT servers and workstations?
RAID1
At a minimum, what do most company policies require that employers have in order to initiate an investigation?
Reasonable suspicion that a law or policy is being violated.
What registry file contains user account management and security settings?
SAM.dat
In addition to environmental issues, what issues are the investigator's primary concerns when working at the scene to gather information about an incident or a crime?
Safety
What type of acquisition is typically done on a computer seized during a police raid?
Static
What material is recommended for secure storage containers and cabinets?
Steel
During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. What did the U.S. Department of Defense call this special computer-emission shielding? Correct!
Tempest
At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?
The digital forensics lab
What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive?
TrueCrypt
Which of the following is not a valid configuration of Unicode?
UTF - 64
What reports are generated at the local, state, and federal levels to show the types and frequency of crimes committed?
Uniform crime reports
What kind of forensic investigation lab best preserves the integrity of evidence?
a secure facility
What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?
a warrant
Which type of kit should include all the tools the investigator can afford to take to the field?
an extensive response field kit
Where should your computer backups be kept?
an off site facility
How frequently should floors and carpets in the computer forensic lab be cleaned to help minimize dust that can cause static electricity?
at least once a week
What type of records are considered data that the system maintains, such as system log files and proxy server logs
computer generated
What term below describes a column of tracks on two or more disk platters?
cylinder
What command works similarly to the dd command but has many features designed for computer forensics acquisitions?
dcfldd
What command creates a raw format file that most computer forensics analysis tools can read?
dd
The ___________ command inserts a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry.
delete
What is the most common and flexible data-acquisition method?
disk to image file copy
What command below can be used to decrypt EFS files?
efsrecvr
What term refers to a person using a computer to perform routine tasks other than systems administration?
end user
How frequently does IACIS require recertification to demonstrate continuing work in the field of computer forensics?
every 3 years
What term is used to describe a disk's logical structure of platters, tracks, and sectors?
geometry
The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System.
hive
What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?
live
What type of acquisition is used for most remote acquisitions?
live
Addresses that allow the MFT to link to nonresident files are known as _______________.
logical cluster numbers
What type of evidence do courts consider evidence data in a computer to be
physical
What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest?
probable cause
The presence of police officers and other professionals who aren't part of the crime scene-processing team may result in the loss or corruption of data through which process?
professional curiosity
Which type of format acquisition leaves the investigator unable to share an image between different vendors' computer forensics analysis tools?
proprietary
What is the third stage of a criminal case, after the complaint and the investigation?
prosecution
. In addition to md5sum, which hashing algorithm utility is included with current distributions of Linux?
sha1sum
What registry file contains installed programs' settings and associated usernames and passwords?
software.dat
If your time is limited, what type of acquisition data copy method should you consider?
sparse
When using the File Allocation Table (FAT), where is the FAT database typically written to?
the outermost track
Under what circumstances are digital records considered admissible?
they are business records
What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult? Correct!
whole disk encryption
What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume?
$LogFile
What does the MFT header field at offset 0x00 contain?
The MFT record identifier FILE
Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks?
Zone Bit Recording (ZBR)
Which of the following commands creates an alternate data stream?
echo text > myfile.txt:stream_name
Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDCX), and memory sticks:
exFAT