Computer Forensics test 3
At trial as a fact or expert witness, what must you always remember about your testimony? A. Your duty is to report your technical or scientific findings or render an honest opinion. B. Avoid mentioning how much you were paid for your services. C. You're responsible for the outcome of the case. D. All of the above
A
GSM divides a mobile station into ______ and ______. A. SIM card and ME B. SIM card and EEPROM C. RAM and ME D. RAM and SIM
A
If you're giving an answer that you think your attorney should follow up on, what should you do? A. Use an agreed-on expression to alert the attorney to follow up on the question. B. Change the tone of your voice. C. Argue with the attorney who asked the question. D. Try to include as much information in your answer as you can.
A
Most SIM cards allow ______ access attempts before locking you out. A. Three B. Four C. One D. Two
A
Router logs can be used to verify what types of e-mail data? A. Tracking flows through e-mail server ports B. Finding blind copies C. Message content D. Content of attached files
A
SD cards have a capacity up to which of the following? A. 64 GB B. 4 MB C. 100 MB D. 500 MB
A
To find network adapters, you use the __________ command in Windows and the __________ command in Linux. A. ipconfig , ifconfig B. tcpdump, netstat C. more, netstat d. top, nd
A
What are the three modes of protection in the DiD strategy? A. People, technology, operations B. Computer, smartphones, tablets C. People, PCs, mobile devices D. PCs, mobile devices, laptops
A
What purpose does making your own recording during a deposition serve? A. It allows you to review your testimony with your attorney during breaks. B. It shows the court reporter that you don't trust him or her. C. It assists you with reviewing the transcript of the deposition. D. It prevents opposing counsel from intimidating you.
A
What's the most commonly used cellular network worldwide? A. GSM B. EDGE C. CDMA D. TDMA
A
When you begin a conversation with an attorney about a specific case, what should you do? A. Refuse to discuss details until a retainer agreement is returned. B. Answer his or her questions in as much detail as possible. C. Ask to meet with the attorney. D. Ask who the parties in the case are.
A
Which of the following cloud deployment methods typically offers no security? A. Public cloud B. Private cloud C. Hybrid cloud D. Community cloud
A
Which of the following describes fact testimony? A. Scientific or technical testimony describing information recovered during an examination B. Testimony by law enforcement officers C. Testimony based on observations by lay witnesses D. None of the above
A
Which of the following file extensions are associated with VMware virtual machines? A. .vmx, .log, and .nvram B. .vbox, .vdi, and .log C. .vmx, .r0, and .xml-prev D. .vdi, .ova, and .r0
A
Which of the following rules or laws requires an expert to prepare and submit a report? a: FRCP 26 b: FRE 801 c. Both a and b d.Neither of the above
A
Which of the following statements about the legal-sequential numbering system in report writing is true? A. It doesn't indicate the relative importance of information. B. It's most effective for shorter reports. C. It's favored because it's easy to organize and understand. D. It's required for reports submitted in federal court.
A
Contingency fees can be used to compensate an expert under which circumstances? A. When the expert is too expensive to compensate at the hourly rate B. When the expert is acting only as a consultant, not a witness C. When the expert is willing to accept a contingency fee arrangement D. All of the above
B
Evidence of cloud access found on a smartphone usually means which cloud service level was in use? A. PaaS B. SaaS C. IaaS D. HaaS
B
In VirtualBox, a(n) __________ file contains settings for virtual hard drives. A. .ovf B. .vbox C. .vbox-prev D. .log
B
On a UNIX-like system, which file specifies where to save different types of e-mail log files? A. /var/spool/log B. syslog.conf C. maillog D. log
B
Sendmail uses which file for instructions on processing an e-mail message? A. syslogd.conf B. sendmail.cf C. mapi.log D. mese.ese
B
The number of VMs that can be supported per host by a type 1 hypervisor is generally determined by the amount of __________ and __________. A. Storage, processing power B. RAM, storage C. RAM, GPU D. RAM, network speed
B
What are the two states of encrypted data in a secure cloud? A. RC4 and RC5 B. Data in motion and data at rest C. CRC-32 and UTF-16 D. Homomorphic and AES
B
When writing a report, what's the most important aspect of formatting? A. Clear use of symbols and abbreviations B. Consistency C. A neat appearance D. Size of the font
B
When you access your e-mail, what type of computer architecture are you using? A. Domain B. Client/server C. Mainframe and minicomputers D. None of the above
B
Which Registry key contains associations for file extensions? A. HKEY_CLASSES_FILE B. HKEY_CLASSES_ROOT C. HFILE_CLASSES_ROOT D. HFILE_EXTENSIONS
B
Which of the following is an example of a written report? A. A search warrant B. An affidavit C. Voir dire D. Any of the above
B
Which of the following is the standard format for reports filed electronically in U.S. federal courts and most state courts? A. Excel B. PDF C. Word D. HTML
B
Which of the following relies on a central database that tracks account data, location data, and subscriber information? A. BTS B. MSC C. BSC D. None of the above
B
A layered network defense strategy puts the most valuable data where? A. In the DMZ B. In the outermost layer C. In the innermost layer D. None of the above
C
Automated tools help you collect and report evidence, but you're responsible for doing which of the following? A. Explaining your formatting choices B. Explaining in detail how the software works C. Explaining the significance of the evidence D. All of the above
C
Externally enforced ethical rules, with sanctions that can restrict a professional's practice, are more accurately described as which of the following? A. Objectives B. A higher calling C. Laws D. All of the above
C
For what purpose have hypothetical questions traditionally been used in litigation? A. To stimulate discussion between a consulting expert and an expert witness B. To define the case issues for the finder of fact to determine C. To frame the factual context of rendering an expert witness's opinion D. To deter a witness from expanding the scope of his or her investigation beyond the case requirements.
C
In Microsoft Outlook, e-mails are typically stored in which of the following? A. .evolution file B. res1.log and res2.log files C. .pst and .ost files D. PU020102.db file
C
In which of the following cases did the U.S. Supreme Court require using a search warrant to examine the contents of mobile devices? A. Smith v. Oregon B. Miles v. North Dakota C. Riley v. California D. Dearborn v. Ohio
C
Logging options on e-mail servers can be which of the following? a: Disabled by users b: Set up in a circular logging configuration c: Configured to a specified size before being overwritten d. Both b and c
C
Packet analyzers examine what layers of the OSI model? A. Layers 2 and 4 B. Layers 4 through 7 C. Layers 2 and 3 D. All layers
C
Phishing does which of the following? A. Uses DNS poisoning B. Uses DHCP C. Lures users with false promises D. Takes people to fake Web sites
C
To trace an IP address in an e-mail header, what type of lookup service can you use? A. Intelius Inc.'s AnyWho online directory B. Verizon's http://superpages.com C. A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net D. None of the above
C
Virtual Machine Extensions (VMX) are part of which of the following? A. Type 2 hypervisors B. AMD Virtualized Technology C. Intel Virtualized Technology D. Type 1 hypervisors
C
What are some risks of using tools you have created yourself? A. You might have to share the tool's source code with opposing counsel for review. B. The judge might be suspicious of the validity of results from the tool. C. The tool doesn't generate reports in a standard format. D. The tool might not perform reliably.
C
What information is not in an e-mail header? A. Domain name B. Internet addresses C. Blind copy (bcc) addresses D. All of the above
C
What is a motion in limine? A. A pretrial motion to revise the case schedule B. A motion to dismiss the case C. A pretrial motion for the purpose of excluding certain evidence D. The movement of molecules in a random fashion
C
When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do? A. Check the current database files for an existing copy of the e-mail. B. Search available log files for any forwarded messages. C. Restore the e-mail server from a backup. D. Do nothing because after the file has been deleted, it can no longer be recovered.
C
Which of the following is a clue that a virtual machine has been installed on a host system? A. Network logs B. Virtualization software C. Virtual network adapter D. USB drive
C
Which of the following types of files can provide useful information when you're examining an e-mail server? A. .emx files B. .slf files C. .log files D. .dbf files
C
According to SANS DFIR Forensics, which of the following tasks should you perform if a mobile device is on and unlocked? A. Remove the passcode. B. Isolate the device from the network. C. Disable the screen lock. D. All of the above
D
An expert witness can give an opinion in which of the following situations? A. The witness is shown to be qualified as a true expert in the field. B. The witness testifies to a reasonable degree of certainty (probability) about his or her opinion, inference, or conclusion. C. The opinion, inferences, or conclusions depend on special knowledge, skills, or training not within the ordinary experience of laypeople. D. All of the above
D
During your cross-examination, you should do which of the following? A. Maintain eye contact with the jury. B. Help the attorneys, judge, and jury in understanding the case, even if you have to go a bit beyond the scope of your expertise. C. Pay close attention to opposing counsel's questions. D. All of the above
D
E-mail headers contain which of the following information? A. An ESMTP number or reference number B. The sender and receiver e-mail addresses C. The e-mail servers the message traveled through to reach its destination D. All of the above
D
In which cloud service level can customers rent hardware and install whatever OSs and applications they need? A. HaaS B. SaaS C. PaaS D. IaaS
D
List three obvious ethical errors. A. * Don't ignore available contradictory data. * Don't do work beyond your expertise or competence. * Don't allow the attorney who retained you to influence your opinion in an unauthorized way. B. * Don't accept an assignment if it cannot reasonably be done in the allowed time. * Don't reach a conclusion before you have done complete research. * Don't fail to report possible conflicts of interest. C. * Don't present false data or alter data. * Don't report work that was not done. * Don't ignore available contradictory data. D. All of the above
D
NIST document SP 500-322 defines more than 75 cloud services, including which of the following? A. Backup as a service B. Drupal as a service C. Security as a service D. All of the above
D
Remote wiping of a mobile device can result in which of the following? A. Deleting contacts B. Returning the phone to the original factory settings C. Removing account information D. All of the above
D
The term TDMA refers to which of the following? a: A technique of dividing a radio frequency so that multiple users share the same channel b: A proprietary protocol developed by Motorola c: A specific cellular network standard d. Both a and c
D
What are the three levels of cloud services defined by NIST? A. Hybrid, private, and community clouds B.OpenStack, FROST, and management plane C. CRC, DRAM, and IMAP D. SaaS, PaaS, and IaaS
D
What capabilities should a forensics tool have to acquire data from a cloud? A. Expand and contract data storage capabilities as needed for service changes. B. Examine virtual systems. C. Identify and acquire data from the cloud. D. All of the above
D
What expressions are acceptable to use in testimony to respond to a question for which you have no answer? A. That's beyond the scope of my expertise. B. I wasn't asked to investigate that. C. That's beyond the scope of my investigation. D. All of the above
D
What's the main piece of information you look for in an e-mail message you're investigating? A. Message number B. Sender or receiver's e-mail address C. Subject line content D. Originating e-mail domain or IP address
D
When should a temporary restraining order be requested for cloud environments? A. When cloud customers need immediate access to their data B. When anti-forensics techniques are suspected C. To enforce a court order D. When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case
D
When using graphics while testifying, which of the following guidelines applies? A. Make sure the jury can see your graphics. B. Your exhibits must be clear and easy to understand. C. Practice using charts for courtroom testimony. D. All of the above
D
When working for a prosecutor, what should you do if the evidence you found appears to be exculpatory and isn't being released to the defense? A. Keep the information on file for later review. B. Give the evidence to the defense attorney. C. Destroy the evidence. D. Bring the information to the attention of the prosecutor, then his or her supervisor, and finally to the judge (the court).
D
Which of the following is a current formatting standard for e-mail? A. HTML B. Outlook C.SMTP D. MIME
D
Which of the following is a mobile forensics method listed in NIST guidelines? A. Logical extraction B. Physical extraction C. Hex dumping D. All of the above
D
You can expect to find a type 2 hypervisor on what type of device? A. Smartphone B. Desktop C. Tablet D. All of the above
D
Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider? A. Subpoenas with prior notice B. Court orders C. Search warrants D. All of the above
D.
A forensic image of a VM includes all snapshots. True False
F
A forensic linguist can determine an author's gender by analyzing chat logs and social media communications. True False
F
All expert witnesses must be members of associations that license them. True False
F
Codes of professional conduct or responsibility set the highest standards for professionals' expected performance. True False
F
Commingled data isn't a concern when acquiring cloud data. True False
F
Ethical obligations are duties that you owe only to others. True False
F
Even in the light of recent developments in technology, you shouldn't change your opinion from one you testified to in a previous case. True False
F
Figures not used in the body of the report can't be included in report appendixes True False
F
IETF is the organization setting standards for 5G devices. True False
F
The uRLLC 5G category focuses on communications in smart cities. True False
F
When acquiring a mobile device at an investigation scene, you should leave it connected to a laptop or tablet so that you can observe synchronization as it takes place. True False
F
You can view e-mail headers in Notepad with all popular e-mail clients. True False
F
A CSP's incident response team typically consists of system administrators, network administrators, and legal advisors. True False
T
A(n) CSA or cloud service agreement is a contract between a CSP and the customer that describes what services are being provided and at what level. True False
T
After examining e-mail headers to find an e-mail's originating address, investigators use forward lookups to track an e-mail to a suspect. True False
T
Amazon was an early provider of Web-based services that eventually developed into the cloud concept. True False
T
An unethical technique occurs when an opposing counsel might attempt to make discovery depositions physically uncomfortable. True False
T
Being able to incorporate the log files and reports tools generate into your written reports is a major advantage of automated forensics tools in report writing. True False
T
E-mail accessed with a Web browser leaves files in temporary folders. True False
T
If you were a lay witness at a previous trial, you shouldn't list that case in your written report. True False
T
In the United States, no state or national licensing body specifically licenses forensics examiners. True False
T
Mobile device information might be stored on the internal memory or the SIM card. True False
T
Placing it in paint cans and using Faraday bags are two ways you can isolate a mobile device from incoming signals. True False
T
Public cloud services such as Dropbox and OneDrive use Sophos SafeGuard and Sophos Mobile Control as their encryption applications True False
T
SIM card readers can alter evidence by showing that a message has been read when you view it. True False
T
Spoliation means destroying a report before the final resolution of a case called. True False
T
Standards that others apply to you or that you're compelled to adhere to by external forces (such as licensing bodies) and your own internal rules you use to measure your performance are two types of ethical standards. True False
T
Tcpslice can be used to retrieve specific timeframes of packet captures. True False
T
Testimony preservation and discovery are two types of depositions. True False
T
The Internet of Things includes radio frequency identification (RFID) sensors as well as wired, wireless, and mobile devices. True False
T
The cloud services Dropbox, Google Drive, and OneDrive have Registry entries. True False
T
The multitenancy nature of cloud environments means conflicts in privacy laws can occur. True False
T
The type of information conveyed to the expert, amount of time involved in discussions or meetings, and whether the expert provided the attorney with confidential information are three factors courts have used in determining whether to disqualify an expert. True False
T
To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations. True False
T
To see Google Drive synchronization files, you need a SQL viewer. True False
T
Typically, you need a search warrant to retrieve information from a service provider. True False
T
Updates to the EU Data Protection Rules will affect how data is moved during an investigation regardless of location. True False
T
Voir dire is the process of qualifying a witness as an expert. True False
T
You should include work experience, training you provided or contributed to, and professional awards or recognitions in your CV. True False
T
You should take these four steps to handle a deposition in which physical circumstances are uncomfortable: 1. Ask the attorney to correct the situation. 2. If the situation is not corrected, note these conditions into the record, and repeat noting them as long as the conditions persist. 3. After you have noted the problem into the record, you can refuse to continue with the deposition. Generally, you should consult with an attorney before taking this step. 4. If you think the behavior was serious enough that you can justify refusing to continue, consider reporting the attorney to his or her state bar association. True False
T
The most reliable way to ensure that jurors recall testimony is to do which of the following? a. Emphasize your points with humorous anecdotes. b. Present evidence combining oral testimony and graphics that support the testimony. c. Wear bright clothing to attract jurors' attention. d. Present evidence using oral testimony supported by hand gestures and facial expressions.
b
List three organizations that have a code of ethics or conduct. a: ISFCE, IACIS, AMA b: IACIS, APA, ABA c.Both a and b d.None of the above
c
What kind of information do fact witnesses provide during testimony? a: Facts only b: Observations of the results of tests they performed c. Both a and b d. Neither of the above
c
Which of the following categories of information is stored on a SIM card? a: Call data b: Service-related data c. Both a and b d. None of the above
c
Before testifying, you should do which of the following? a: Create an examination plan with your retaining attorney. b: Make sure you've been paid for your services and the estimated fee for the deposition or trial. c: Get a haircut. d.Both a and b
d
When do zero day attacks occur? a: On the day the application or OS is released b: Before a patch is available c: Before the vendor is aware of the vulnerability d. Both a and c
d
When searching a victim's computer for a crime committed with a specific e-mail, which of the following provides information for determining the e-mail's originator? a: E-mail header b: Username and password c: Firewall log d. Both a and c
d
Which of the following describes expert witness testimony? a: Testimony designed to assist the jury in determining matters beyond the ordinary person's scope of knowledge b: Testimony that defines issues of the case for determination by the jury c: Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience D. Both a and c
d
Your curriculum vitae is which of the following? A. A detailed record of your experience, education, and training B. A necessary tool to be an expert witness C. A generally required document to be made available before your testimony D. All of the above
d
What should you do if you realize you have made a mistake or misstatement during a deposition? a: If the deposition is still in session, refer back to the error and correct it. b: Decide whether the error is minor, and if so, ignore it. c: If the deposition is over, make the correction on the corrections page of the copy provided for your signature. d. Both a and c
d.