CENGAGE Questions Midterm
Clusters in Windows always begin numbering at what number?
2
In FAT32, a 123-KB file uses how many sectors?
246
How many sectors are typically in a cluster on a disk drive?
4 or more
On a Windows system, sectors typically contain how many bytes?
512
As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? A. You begin to take orders from a police detective without a warrant or subpoena. B. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. C. Your internal investigation begins. D. None of the above.
A
If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? A. Coordinate with the HAZMAT team. B. Determine a way to obtain the suspect's computer. C. Assume the suspect's computer is contaminated.
A
In the Linux dcfldd command, which three options are used for validating data? A. hash, hashlog, and vf B. h, hl, and vf C. hash, log, and hashlog D. vf, of, and vv
A
Of all the proprietary formats, which one is the unofficial standard? A. Expert Witness B. AFF C. Uncompress dd
A
What do you call a list of people who have had physical possession of the evidence? A. Chain of custody B. Affidavit C. Evidence record D. Evidence log
A
What's the maximum file size when writing data to a FAT32 drive? A. 2 GB B. 3 GB C. 4 GB D. 6 GB
A
What's the purpose of an affidavit? A. To provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant B. To specify who, what, when, and where—that is, specifics on place, time, items being searched for, and so forth C. To list problems that might happen when conducting an investigation D. To determine the OS of the suspect computer and list the software needed for the examination
A
Which of the following techniques might be used in covert surveillance (Choose All That Apply)? A. Keylogging B. Data sniffing C. Network logs D. All of the above
A, B
Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? A. Most companies keep inventory databases of all hardware and software used. B. The investigator doesn't have to get a warrant. C. The investigator has to get a warrant.
The reconstruction function is needed for which of the following purposes? A. Re-create a suspect drive to show what happened. B. Create a copy of a drive for other investigators. C. Re-create a drive compromised by malware. D. All of the above
All of the above
Before enlisting in a certification program, thoroughly research the requirements, ________, and acceptability in your area of employment. A. Business hours B. Cost C. Location
B
List three items that should be on an evidence custody form. A. Description of the evidence, location of the evidence and search warrant B. Case number, name of the investigator and nature of the case C. Affidavit, search warrant, and description of the evidence D. Name of the investigator, affidavit and name of the judge assigned to the case
B
Police in the United States must use procedures that adhere to which of the following? A. Third Amendment B. Fourth Amendment C. First Amendment D. None of the above
B
The triad of computing security includes which of the following? A. Vulnerability assessment, intrusion response, and monitoring B. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation C. Vulnerability assessment, detection, and monitoring D. Detection, response, and monitoring
B
Typically, a(n) ________ lab has a separate storage area or room for evidence. A. Federal B. Regional C. Research
B
What does a sparse acquisition collect for an investigation? A. Only specific files of interest to the case B. Fragments of unallocated data in addition to the logical allocated data C. Only the logical allocated data
B
What is one of the necessary components of a search warrant? A. Standards of behavior B. Signature of an impartial judicial officer C. Professional codes D. Professional ethics
B
What term refers to labs constructed to shield EMR emissions? A. ASQ B. TEMPEST C. NISPOM D. SCADA
B
Which forensics tools can connect to a suspect's remote computer and run surreptitiously? A. dcfldd and ProDiscover Incident Response B. EnCase Enterprise and ProDiscover Incident Response C. dd and dcfldd
B
Why should evidence media be write-protected? A. To comply with industry standards B. To make sure data isn't altered C. To speed up the imaging process D. To make image files smaller in size
B
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you? A. Extensive-response kit B. Initial-response kit C. Lightweight kit
B
List two hashing algorithms commonly used for forensic purposes. A. RSA and RC5 B. AES and SHA-2 C. MD5 and SHA-1 D. MD5 and AES
C
Name the three formats for digital forensics data acquisitions. A. Raw, AICIS, and AFF B. EnCase format, Raw, and dd C. Raw format, proprietary formats, and AFF
C
To determine the types of operating systems needed in your lab, list two sources of information you could use. A. ANAB and IACIS B. EnCE and ACE C. Uniform Crime Report statistics and a list of cases handled in your area D. Local police reports and ISFCE reports
C
What are the three rules for a forensic hash? A. Fast, reliable, and the hash value should be at least 2048 bits B. Produce collisions, should be at least 2048 bits, and it can't be predicted C. It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes
C
What are two concerns when acquiring data from a RAID server? A. Data transfer speeds and type of RAID B. Type of RAID and antivirus software C. Amount of data storage needed and type of RAID D. Split RAID and Redundant RAID
C
When you arrive at the scene, why should you extract only those items you need to acquire evidence? A. To preserve your physical security B. To speed up the acquisition process C. To minimize how much you have to keep track of at the scene
C
Why is it a good practice to make two images of a suspect drive in a critical investigation? A. To speed up the process B. To have one compressed and one uncompressed copy C. To ensure at least one good copy of the forensically collected data in case of any failures
C
Why is professional conduct important? A. It helps with an investigation B. It saves a company from using warning banners C. It includes ethics, morals, and standards of behavior D. All of the above
C
With remote acquisitions, what problems should you be aware of? A. Data transfer speeds B. Access permissions over the network C. Antivirus, antispyware, and firewall programs D. The password of the remote computer's user
C
When validating the results of a forensic analysis, you should do which of the following?
Calculate the hash value with two different tools.
Building a business case can involve which of the following? A. Procedures for gathering evidence B. Testing software C. Protecting trade secrets D. All of the above
D
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive. A. dd and Expert Witness B. dd and EnCase C. X-Ways Forensics and dd D. EnCase and X-Ways Forensics
D
Policies can address rules for which of the following? A. The amount of personal e-mail you can send B. When you can log on to a company network from home C. The Internet sites you can or can't access D. Any of the above
D
The manager of a digital forensics lab is responsible for which of the following? A. Ensuring that staff members have enough training to do the job B. Knowing the lab objectives C. Making necessary changes in lab procedures and software D. All of the above
D
What's the most critical aspect of digital evidence? A. Compression B. Redundancy C. Contingency D. Validation
D
Which organization has guidelines on how to operate a digital forensics lab? A. NISPOM B. TEMPEST C. SCADA D. ANAB
D
Which organization provides good information on safe storage containers? A. ASQ B. TEMPEST C. ASCLD D. NISPOM
D
Why is physical security so critical for digital forensics labs? A. To ensure continuous funding B. To make sure unwanted data isn't retained on the drive C. To protect trade secrets D. To prevent data from being lost, corrupted, or stolen
D
Why should you critique your case after it's finished? A. To maintain chain of custody B. To maintain a professional conduct C. To list problems that might happen when conducting an investigation D. To improve your work
D
Why should you do a standard risk assessment to prepare for an investigation? A. To obtain an affidavit B. To discuss the case with the opposing counsel C. To obtain a search warrant D. To list problems that might happen when conducting an investigation
D
A forensic workstation should always have a direct broadband connection to the Internet. True False
False
A live acquisition can be replicated.
False
A warning banner should never state that the organization has the right to monitor what users do. True False
False
ASQ and ANAB are two popular certification programs for digital forensics. True False
False
An initial-response field kit does not contain evidence bags. True False
False
BIOS boot firmware was developed to provide better protection against malware than EFI does. True False
False
Building a forensic workstation is more expensive than purchasing one.
False
Data can't be written to disk with a command-line tool.
False
Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True False
False
Digital forensics and data recovery refer to the same activities. True False
False
Digital forensics facilities always have windows. True False
False
Evidence storage containers should have several master keys. True False
False
Hardware acquisition tools typically have built-in software for data analysis.
False
If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. True False
False
In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. So, the following dcfldd command is correct: dcfldd if=image_file.img of=/dev/hda1 True False
False
In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results.
False
Slower data transfer speeds and dealing with minor data errors are two disadvantages of the raw format. True False
False
Small companies rarely need investigators. True False
False
The ANAB mandates the procedures established for a digital forensics lab. True False
False
The plain view doctrine in computer searches is well-established law. True False
False
Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True False
False
When determining which data acquisition method to use, you should not consider how long the acquisition will take. True False
False
When using a write-blocking device, you can't remove and reconnect drives without having to shut down your workstation.
False
You should always answer questions from onlookers at a crime scene. True False
False
You should always prove the allegations made by the person who hired you. True False
False
You shouldn't include a narrative of what steps you took in your case report. True False
False
Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible.
False
EFS can encrypt which of the following?
Files, folders, and volumes
Forensics software tools are grouped into ______ and ______ applications.
GUI, command-line
The standards for testing forensics tools are based on which criteria?
ISO 17025
What does the Ntuser.dat file contain?
MRU files list
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?
None of the above
Which of the following Windows 8 files contains user-specific information?
Ntuser.dat
Areal density refers to which of the following?
Number of bits per square inch of a disk platter
The verification function does which of the following?
Proves that two sets of data are identical via hash values
A log report in forensics tools does which of the following?
Records an investigator's actions in examining a case
According to ISO standard 27037, which of the following is an important factor in data acquisition?
The DEFR's competency
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?
The file is unencrypted automatically.
Which of the following is true of most drive-imaging tools?
They ensure that the original drive doesn't become corrupt and damage the digital evidence.
A hashing algorithm is a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk. True False
True
A logical acquisition collects only specific files of interest to the case. True False
True
A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT.
True
An employer can be held liable for e-mail harassment. True False
True
An encrypted drive is one reason to choose a logical acquisition.
True
An image of a suspect drive can be loaded on a virtual machine.
True
CHS stands for cylinders, heads, and sectors.
True
Commingling evidence means that sensitive or confidential information is mixed with data collected as evidence. True False
True
Commonly, proprietary format acquisition files can compress the acquisition data and segment acquisition output files into smaller volumes. True False
True
Computer peripherals or attachments can contain DNA evidence. True False
True
Data viewing, keyword searching, and decompressing are three subfunctions of the extraction function.
True
Device drivers contain instructions for the OS on how to interface with hardware devices.
True
Embezzlement is a type of digital investigation typically conducted in a business environment. True False
True
FTK Imager requires that you use a device such as a USB dongle for licensing. True False
True
File and directory names are some of the items stored in the FAT database.
True
For digital evidence, an evidence bag is typically made of antistatic material. True False
True
If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True False
True
If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True False
True
In NTFS, files smaller than 512 bytes are stored in the MFT.
True
In forensic hashes, a collision occurs when two different files have the same hash value. True False
True
In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. True False
True
MFT stands for Master File Table.
True
One way to determine the resources needed for an investigation is to determine the OS of the suspect computer and list the software needed for the examination.
True
The main goal of a static acquisition is the preservation of digital evidence. True False
True
The primary hashing algorithm the NSRL project uses is SHA-1.
True
The purpose of maintaining a network of digital forensics specialists is to develop a list of colleagues who specialize in areas different from your own specialties in case you need help on an investigation. True False
True
With newer Linux kernel distributions, USB devices are automatically mounted, which can alter data on them. True False
True
You should videotape or sketch anything at a digital crime scene that might be of interest to the investigation. True False
True
Your business plan should include physical security items. True False
True
What is the space on a drive called when a file is deleted?
Unallocated space
List two features NTFS has that FAT does not.
Unicode characters and better security
Hash values are used for which of the following purposes?
Validating that the original data hasn't changed
Hashing, filtering, and file header analysis make up which function of digital forensics tools?
Validation and verification
Virtual machines have which of the following limitations when running on a host computer?
Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.
FTK Imager can acquire data in a drive's host protected area. True False
False