CF Exam 1

At what distance can the EMR from a computer monitor be picked up?

1/2 mile

What process refers to recording all the updates made to a workstation?

Configuration management

A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?

Data Recovery

When an investigator seeks a search warrant, which of the following must be included in an affidavit to support the allegation of a crime?

Exhibits

Under what circumstances are digital records considered admissible?

They are business reports

What command creates a raw format file that most computer forensics analysis tools can read?

dd

In the NTFS MFT, all files and folders are stored in separate records of how many bytes each?

1024

When was the Freedom of Information Act originally enacted?

1960's

What is the maximum amount of time computing components are designed to last in normal business operations?

36 months

When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action?

80 degrees or higher

What enables the user to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment?

A Virtual Machine

What usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will?

A Warning Banner

What kind of forensic investigation lab best preserves the integrity of evidence?

A secure facility

What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?

A warrant

Which term refers to an accusation or supposition of fact that a crime has been committed and is made by the complainant, based on the incident?

Allegation

What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?

An affidavit

Which type of kit should include all the tools the investigator can afford to take to the field?

An extensive-response field kit

What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible?

An initial-response field kit

Power should not be cut during an investigation involving a live computer, unless it is what type of system?

An older Windows or MS-DOS system

What term refers to the number of bits in one square inch of a disk platter?

Areal Density

How frequently should floors and carpets in the computer forensic lab be cleaned to help minimize dust that can cause static electricity?

At least once a week

What term refers to the individual who has the power to conduct digital forensic investigations?

Authorized Requester

What specifies the Windows XP path installation and contains options for selecting the Windows version?

Boot.ini

When federal courts are evaluating digital evidence from computer-generated records, what exception is applied to hearsay?

Business-records exception

When confidential business data are included with the criminal evidence, what are they referred to as?

Commingled data

What type of records are considered data that the system maintains, such as system log files and proxy server logs?

Computer-generated

Which type of case involves charges such as burglary, murder, or molestation?

Criminal

What term refers to a column of tracks on two or more disk platters?

Cylinder

What contains instructions for the OS for hardware devices, such as the keyboard, mouse, and video card?

Device Drivers

Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?

Digital Investigations

What type of plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you?7're analyzing?

Disaster recovery

What is the most common and flexible data-acquisition method?

Disk-to-image file copy

What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced?

EFS

What term refers to a person using a computer to perform routine tasks other than systems administration?

End User

What type of files might lose essential network activity records if power is terminated without a proper shutdown?

Event logs

As data is added, the MFT can expand to take up 75% of the NTFS disk.

False

Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.

False

Which group often works as part of a team to secure an organization's computers and networks?

Forensic Investigation

Which resource can be helpful when investigating older and unusual computing systems?

Forums and blogs

What organization was created by police officers in order to formalize credentials for digital investigators?

IACIS

Which agency introduced training on software for forensics investigations by the early 1990s?

IACIS

Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes?

Investigating and controlling the scene is much easier in private sector environments.

What must be done, under oath, to verify that the information in the affidavit is T?

It must be notarized.

What do published company policies provide for a business that enables them to conduct internal investigations?

Line of authority

What term refers to Linux ISO images that can be burned to a CD or DVD?

Linux Live CDs

What type of acquisition is used for most remote acquisitions?

Live

What does Autopsy use to validate an image?

MD5

What is on an NTFS disk immediately after the Partition Boot Sector?

MFT

What is most often the focus of digital investigations in the private sector?

Misuse of digital assets

Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren?7't related to the BIOS?

NTBootdd.sys

Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr?

NTDetect.com

In addition to FAT16, FAT32, and Resilient File System, which file system can Windows hard disks also use?

NTFS

Which filename refers to the Windows XP system service dispatch stubs to executables functions and internal support functions?

Ntdll.dll

What type of evidence do courts consider evidence data in a computer to be?

Physical

Without a warning banner, what right might employees assume they have when using a company's computer systems and network accesses?

Privacy

What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest?

Probable Cause

What investigator characteristic, which includes ethics, morals, and standards of behavior, determines the investigator's credibility?

Professional Conduct

The presence of police officers and other professionals who aren't part of the crime scene-processing team may result in the loss or corruption of data through which process?

Professional curiosity

What is the third stage of a criminal case, after the complaint and the investigation?

Prosecution

Methods for restoring large data sets are important for labs using which type of servers?

RAID

In addition to RAID 0, what type of RAID configuration is available for Windows XP, 2000, and NT servers and workstations?

RAID 1

Which RAID configuration, also called mirrored striping, is a combination of RAID 1 and RAID 0?

RAID 10

Which RAID configuration offers the greatest access speed and most robust data recovery capability?

RAID 15

At a minimum, what do most company policies require that employers have in order to initiate an investigation?

Reasonable suspicion that a law or policy is being violated.

Which activity involves determining how much risk is acceptable for any process or operation?

Risk management

In addition to environmental issues, what issues are the investigator's primary concerns when working at the scene to gather information about an incident or a crime?

Safety

Which doctrine, found to be unconstitutional, was used to allow a civilian or private-sector investigative agent to deliver evidence obtained in a manner that violated the Fourth Amendment to a law enforcement agency?

Silver-platter

What is required for real-time surveillance of a suspect?7's computer activity?

Sniffing data transmissions between a suspect?7's computer and a network server.

If your time is limited, what type of acquisition data copy method should you consider?

Sparse

Which technique can be used for extracting evidence from large systems?

Sparse acquisition

What type of acquisition is typically done on a computer seized during a police raid?

Static

During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. What did the U.S. Department of Defense call this special computer-emission shielding?

TEMPEST

When Microsoft created Windows 95, into what were initialization (.ini) files consolidated?

The Registry

At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?

The digital forensics lab

Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized.

True

Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.

True

If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.

True

Maintaining credibility means you must form and sustain unbiased opinions of your cases.

True

Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.

True

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.

True

The type of file system an OS uses determines how data is stored on the disk

True

To be a successful computer forensics investigator, you must be familiar with more than one computing platform.

True

When seizing computer evidence in criminal investigations, which organization's standards should be followed?

U.S. DOJ

What reports are generated at the local, state, and federal levels to show the types and frequency of crimes committed?

Uniform Crime Reports

Which filename refers to a core Win32 subsystem DLL file?

User32.sys

What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult?

Whole Disk Encryption

How do most manufacturers deal with a platter?7's inner tracks having a smaller circumference than its outer tracks?

ZBR

What command works similarly to the dd command but has many features designed for computer forensics acquisitions?

dcfldd

What option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512?

hash

In addition to md5sum, which hashing algorithm utility is included with current distributions of Linux?

sha1sum