695 quizzes
Recovering fragments of a file is called ____.
carving
What do you call a list of people who have had physical possession of the evidence?
chain of custody
What are the two states of encrypted data in a secure cloud?
data in motion and data in rest
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
data recovery
Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule.
false
IETF is the organization setting standards for 5G devices.
false
Small companies rarely need investigators.
false
The HFS and HFS+ file systems have four descriptors for the end of a file (EOF).
false
The plain view doctrine in computer searches is well-established law.
false
Under normal circumstances, a private-sector investigator is considered an agent of law enforcement.
false
You should always answer questions from onlookers at a crime scene.
false
You should always prove the allegations made by the person who hired you.
false
You shouldn't include a narrative of what steps you took in your case report
false
In the Linux dcfldd command, which three options are used for validating data?
hash, hashlog, and vf
Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.
image file
What are the three rules for a forensic hash?
it can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes
Which of the following techniques might be used in covert surveillance (Choose All That Apply)?
key logging and data sniffing
Under copyright laws, computer programs may be registered as ____.
literary works
____ compression compresses data by permanently discarding bits of information in the file.
lossy
The ____ command displays pages from the online help manual for information on Linux commands and their options.
man
Which of the following relies on a central database that tracks account data, location data, and subscriber information?
msc
In general, a criminal case follows three stages: the complaint, the investigation, and the ____.
prosecution
Which of the following cloud deployment methods typically offers no security?
public cloud
____ from both the plaintiff's and defense's attorneys is an optional phase of the trial. Generally, it's allowed to cover an issue raised during cross-examination of a witness.
rebuttal
In which of the following cases did the U.S. Supreme Court require using a search warrant to examine the contents of mobile devices?
riley v california
A CSP's incident response team typically consists of system administrators, network administrators, and legal advisors.
true
A(n) CSA or cloud service agreement is a contract between a CSP and the customer that describes what services are being provided and at what level.
true
Amazon was an early provider of Web-based services that eventually developed into the cloud concept.
true
Commingling evidence means that sensitive or confidential information being mixed with data collected as evidence.
true
Computer peripherals or attachments can contain DNA evidence.
true
Embezzlement is a type of digital investigation typically conducted in a business environment.
true
For digital evidence, an evidence bag is typically made of antistatic material.
true
If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy.
true
If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement.
true
In forensic hashes, a collision occur when two different files have the same hash value.
true
In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause.
true
Mobile device information might be stored on the internal memory or the SIM card.
true
One way to determine the resources needed for an investigation is based on the OS of the suspect computer, list the software needed for the examination.
true
Placing it in paint cans and using Faraday bags are two ways you can isolate a mobile device from incoming signals.
true
Public cloud services such as Dropbox and OneDrive use Sophos SafeGuard and Sophos Mobile Control as their encryption applications
true
SIM card readers can alter evidence by showing that a message has been read when you view it.
true
The Internet of Things includes radio frequency identification (RFID) sensors as well as wired, wireless, and mobile devices.
true
The cloud services Dropbox, Google Drive, and OneDrive have Registry entries.
true
The purpose of maintaining a network of digital forensics specialists is to develop a list of colleagues who specialize in areas different from your own specialties in case you need help on an investigation.
true
____ contains configuration information for Sendmail, helping the investigator to determine where the log files reside.
/etc/sendmail.cf
Clusters in Windows always begin numbering at what number?
2
What's the maximum file size when writing data to a FAT32 drive?
2 GB
In FAT32, a 123-KB file uses how many sectors?
246
Most SIM cards allow ______ access attempts before locking you out.
3
How many sectors are typically in a cluster on a disk drive?
4 or more
Police in the United States must use procedures that adhere to which of the following?
4th
On a Windows system, sectors typically contain how many bytes?
512
SD cards have a capacity up to which of the following?
64gb
____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version.
Boot.ini
List three items that should be on an evidence custody form.
Case number, name of the investigator and nature of the case
The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence.
Computer Analysis and Response Team (CART)
____ records are data the system maintains, such as system log files and proxy server logs.
Computer-generated
If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following?
Coordinate with the HAZMAT team.
BIOS boot firmware was developed to provide better protection against malware than EFI does developed?
FALSE
Commingled data isn't a concern when acquiring cloud data.
FALSE
FTK Imager can acquire data in a drive's host protected area.
FALSE
In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. So, the following dcfldd is command correct. dcfldd if=image_file.img of=/dev/hda1
FALSE
Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which always get funding from the government or other agencies.
FALSE
Slower data transfer speeds and dealing with minor data errors are two disadvantages of the raw format
FALSE
The uRLLC 5G category focuses on communications in smart cities.
FALSE
When determining which data acquisition method to use you should not consider how long the acquisition will take.
FALSE
Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible.
FALSE
Marking bad clusters data-hiding technique is more common with ____ file systems.
FAT
____ is the file structure database that Microsoft originally designed for floppy disks.
FAT
The ____ tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack.
FROST
What capabilities should a forensics tool have to acquire data from a cloud?
Identify and acquire data from the cloud. Examine virtual systems. Expand and contract data storage capabilities as needed for service changes.
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
Initial-response kit
According to SANS DFIR Forensics, which of the following tasks should you perform if a mobile device is on and unlocked?
Isolate the device from the network. Disable the screen lock. Remove the passcode.
List two hashing algorithms commonly used for forensic purposes.
MD5 and SHA-1
The SIM file structure begins with the root of the system (____).
MF
What does the Ntuser.dat file contain?
MRU files list
Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons?
Most companies keep inventory databases of all hardware and software used.
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?
NONE
Which of the following Windows 8 files contains user-specific information?
Ntuser.dat
Areal density refers to which of the following?
Number of bits per square inch of a disk platter
With ____, Macintosh moved to the Intel processor and became UNIX based.
OS X
Which of the following is a mobile forensics method listed in NIST guidelines?
Physical extraction Hex dumping Logical extraction
GSM divides a mobile station into ______ and ______.
SIM card and ME
____ disks are commonly used with Sun Solaris systems.
SPARC
Evidence of cloud access found on a smartphone usually means which cloud service level was in use?
SaaS
What are the three levels of cloud services defined by NIST?
Saas, IaaS, PaaS
What is one of the necessary components of a search warrant?
Signature of an impartial judicial officer
Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider?
Subpoenas with prior notice Search warrants Court orders
During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____.
TEMPEST
A hashing algorithm is a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk.
TRUE
A logical acquisition collects only specific files of interest to the case.
TRUE
A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT.
TRUE
CHS stands for cylinders, heads, and sectors.
TRUE
Commonly, proprietary format acquisition files can compress the acquisition data and segment acquisition output files into smaller volumes.
TRUE
Device drivers contain instructions for the OS on how to interface with hardware devices.
TRUE
FTK Imager requires that you use a device such as a USB dongle for licensing.
TRUE
In NTFS, files smaller than 512 bytes are stored in the MFT.
TRUE
MFT stands for Master File Table.
TRUE
The main goal of a static acquisition is the preservation of digital evidence.
TRUE
The multitenancy nature of cloud environments means conflicts in privacy laws can occur.
TRUE
To see Google Drive synchronization files, you need a SQL viewer.
TRUE
With newer Linux kernel distributions, USB devices are automatically mounted, which can alter data on it.
TRUE
Why is it a good practice to make two images of a suspect drive in a critical investigation?
To ensure at least one good copy of the forensically collected data in case of any failures
When you arrive at the scene, why should you extract only those items you need to acquire evidence?
To minimize how much you have to keep track of at the scene
What's the purpose of an affidavit?
To provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant
An image of a suspect drive can be loaded on a virtual machine.
True
Virtual machines have which of the following limitations when running on a host computer?
Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.
Intel ____ has responded to the need for security and performance by producing different CPU designs.
Virtualization Technology (VT)
The triad of computing security includes which of the following?
Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation
When should a temporary restraining order be requested for cloud environments?
When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case
As a private-sector investigator, you can become an agent of law enforcement when which of the following happens?
You begin to take orders from a police detective without a warrant or subpoena.
Which of the following categories of information is stored on a SIM card?
a: Call data b: Service-related data
____ provide additional resource material not included in the body of the report.
appendixes
In a prefetch file, the application's last access date and time are at offset ___
0x90
The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients.
ABA
What are two concerns when acquiring data from a RAID server?
Amount of data storage needed and type of RAID
With remote acquisitions, what problems should you be aware of?
Antivirus, antispyware, and firewall programs
NIST document SP 500-322 defines more than 75 cloud services, including which of the following?
Backup as a service Security as a service Drupal as a service
Which type of network is a digital version of the original analog standard for cell phones?
D-AMPS
____ is a layered network defense strategy developed by the National Security Agency (NSA).
Defense in Depth
The ____ digital network, a faster version of GSM, is designed to deliver data.
EDGE
Which forensics tools can connect to a suspect's remote computer and run surreptitiously?
EnCase Enterprise and ProDiscover Incident Response
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.
EnCase and X-Ways Forensics
Of all the proprietary formats, which one is the unofficial standard?
Expert Witness
On Mac OSs, the ____ stores any file information not in the MDB or Volume Control Block (VCB).
Extents overflow file
EFS can encrypt which of the following?
Files, folders, and volumes
What does a sparse acquisition collect for an investigation?
Fragments of unallocated data in addition to the logical allocated data
What's the most commonly used cellular network worldwide?
GSM
You use ____ to create, modify, and save bitmap, vector, and metafile graphics.
Graphics editor
In which cloud service level can customers rent hardware and install whatever OSs and applications they need?
IaaS
Why is professional conduct important?
It includes ethics, morals, and standards of behavior
Lab costs can be broken down into monthly, ____, and annual expenses.
Quarterly
Name the three formats for digital forensics data acquisitions
Raw format, proprietary formats, and AFF
Remote wiping of a mobile device can result in which of the following?
Returning the phone to the original factory settings Removing account information Deleting contacts
Policies can address rules for which of the following?
The Internet sites you can or can't access The amount of personal e-mail you can send When you can log on to a company network from home
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?
The file is unencrypted automatically.
What sections of a report are included in the report body?
The introduction and discussion
Why should you critique your case after it's finished?
To improve your work
Why should you do a standard risk assessment to prepare for an investigation?
To list problems that might happen when conducting an investigation
Why should evidence media be write-protected?
To make sure data isn't altered
File and directory names are some of the items stored in the FAT database.
True
What is the space on a drive called when a file is deleted?
Unallocated space
List two features NTFS has that FAT does not.
Unicode characters and better security
What's the most critical aspect of digital evidence?
VALIDATION
What term is used for the machines used in a DDoS attack?
Zombies
The term TDMA refers to which of the following?
a: A technique of dividing a radio frequency so that multiple users share the same channel c: A specific cellular network standard
Confidential business data included with the criminal evidence are referred to as ____ data.
commingled
The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
dd
A warning banner should never state that the organization has the right to monitor what users do.
false
An initial-response field kit does not contain evidence bags.
false
Digital forensics and data recovery refer to the same activities.
false
Typically, you need a search warrant to retrieve information from a service provider.
true
Updates to the EU Data Protection Rules will affect how data is moved during an investigation regardless of location.
true
When acquiring a mobile device at an investigation scene, you should leave it connected to a laptop or tablet so that you can observe synchronization as it takes place.
true
You should videotape or sketch anything at a digital crime scene that might be of interest to the investigation.
true