CS 249 Midterm

¡Supera tus tareas y exámenes ahora con Quizwiz!

A CPU cache is not volatile, whereas a CD-ROM is volatile.

False

A SYN flood is software that self-replicates.

False

A distributed denial of service (DDoS) attack is possible with traditional telephone systems by using an automatic dialer to tie up target phone lines.

False

A sector is the basic unit of data storage on a hard disk, which is usually 64 KB.

False

A swap file is an example of persistent data.

False

Computer forensics is the exclusive domain of law enforcement.

False

Denial of service (DoS) attack refers to the type of password crackers that work with pre-calculated hashes of all passwords available within a certain character space.

False

Disk Investigator is a Linux Live CD that you use to boot a system and then use the tools.

False

Disk forensics refers to the process of examining malicious computer code.

False

During an attack, hackers break into computer systems and steal secret defense plans of the United States. This is an example of a Trojan horse.

False

From the perspective of digital forensics, changing the time or date stamp on a file does not alter the file.

False

Identity theft refers to any software that monitors activity on a computer.

False

If you change the extension of a file so it looks like some other type of file, you also change the file structure itself.

False

Internet forensics is the study of the source and content of email as evidence.

False

Life span refers to how long information is accurate.

False

Making two copies of a suspect's drive, using two different imaging tools, can help to prove that evidence is accurate.

False

Malware forensics is also known as internet forensics.

False

Offline analysis is another term for live analysis.

False

Residual information in file slack is always overwritten when a new file is created.

False

The Tribal Flood Network (TFN) is one of the most widely deployed viruses.

False

The benefit of using automated forensic systems is that you do not have to know how to perform all forensic processes manually.

False

The only way to clean random access memory (RAM) is with cleansing devices known as sweepers or scrubbers.

False

The term distributed denial of service (DDoS) attack describes the process of connecting to a server that involves three packets being exchanged.

False

Viruses are difficult to locate but easy to trace back to the creator.

False

When seizing a suspect computer, you need to remove drives only if they are currently attached to cabling.

False

What are attributes of a solid-state drive (SSD)?

Flash memory and microchips

Jim is a forensic specialist. He seized a suspect computer from a crime scene, removed the hard drive and bagged it, documented and labeled the equipment, took photographs, completed a chain of custody form, and locked the computer in his car. On the way to the lab, he stopped to purchase supplies to use at the next crime scene. What did Jim do wrong?

He left the computer unattended while shopping for supplies.

__________ is a Linux Live CD that you use to boot a system and then use the tools. It is a free Linux distribution, making it attractive to schools teaching forensics or laboratories on a strict budget.

Kali Linux

_________ is the method used by password crackers who work with pre-calculated hashes of all passwords possible within a certain character space.

Rainbow table

__________ is the concept that any scientific evidence presented in a trial has to have been reviewed and tested by the relevant scientific community.

The Daubert Standard

__________ sets standards for digital evidence processing, analysis, and diagnostics.

The DoD Cyber Crime Center (DC3)

__________ refers to phishing with a specific, high-value target in mind. For example, the attacker may target the president or CEO of a company.

Whaling

China Eagle Union is ______.

a Chinease cyberterrorism group

How you will gather evidence and which tools are most appropriate for a specific investigation are part of ___________.

a forensic analysis plan

Windows uses __________ on each system as a "scratch pad" to write data when additional random access memory (RAM) is needed.

a swap file

EIDE is _________.

a type of magnetic drive

Use of __________ enables an investigator to reconstruct file fragments if files have been deleted or overwritten.

bit-level tools

Demonstrative evidence means information that helps explain other evidence. An example of demonstrative evidence is a chart that explains a technical concept to the judge and jury.

True

Email evidence would be useful for investigating cyberstalking but not a denial of service (DoS) attack.

True

File slack and slack space are the same thing.

True

File slack and space are the same thing.

True

Fraud refers to a broad category of crime that can encompass many different activities, but essentially, any attempt to gain financial reward through deception.

True

Helix is a customized Linux Live CD used for computer forensics.

True

If a hard drive has been demagnetized, there is no way to recover the data.

True

If an attacker doesn't spoof a MAC address, each packet sent in a denial of service (DoS) attack contains evidence of the machine from which it was launched.

True

In a forensics lab, the machines being examined should not be connected to the Internet.

True

Incriminating evidence shows, or tends to show, a person's involvement in an act, or evidence that can establish guilt.

True

Investigators must authenticate documentary evidence.

True

One way to obscure information is to scramble it by encryption.

True

SHA1 and SHA2 are currently the most widely used hashing algorithms.

True

Solid-state drives (SSDs) are often used in tablets and in some laptops.

True

Spyware software is legal, if used correctly.

True

The Linux dd command is commonly used to forensically wipe a drive.

True

The act of wrongfully obtaining another person's personal data is a crime, with or without stealing any money.

True

The term scrubber refers to software that cleans unallocated drive space.

True

When determining when evidence was created, a forensic specialist should not trust a computer's internal clock or activity logs.

True

_______ is the area of a hard drive that has never been allocated for file storage.

Unallocated space

One must be able to show the whereabouts and custody of evidence, how it was handled, stored and by whom, from the time the evidence is first seized by a law enforcement officer or civilian investigator until the moment it is shown in court. This is referred to as ________.

chain of custody

The __________ is the continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.

chain of custody

Generally, _______ is considered to be the use of analytical and investigative techniques to identify, collect, examine, and preserve evidence or information that is magnetically stored or encoded.

computer forensics

The unused space between the logical end of file and the physical end of file is known as __________.

file slack

An attempt to gain financial reward through deception is called ______.

fraud

The __________ command is used to send a test network packet, or echo packet, to a machine to determine if the machine is reachable and how long the packet takes to reach the machine.

ping

A system forensics specialist has three basic tasks related to handling evidence: find evidence, preserve evidence, and __________ evidence.

prepare

An example of volatile data is __________.

state of network connections

People try to thwart investigators by using encryption to scramble information or _________ to hide information, or both together.

stenography

After imaging a drive, you must always create a hash of the original and the copy.

True

An MD5 hash taken when a computer drive is acquired is used to check for changes, alterations, or errors.

True

An attacker may distribute a logic bomb via a Trojan horse.

True

An expert witness who leaves information out of an expert report usually cannot testify about the information at trial.

True

With respect to phishing, a good fictitious email gets a __________ response rate, according to the Federal Bureau of Investigation (FBI).

1 to 3 percent

Which of the following is NOT true of chain of custody forms?

A chain of custody form is a federal form and is therefore universal.

__________ is designed to render a target unreachable by legitimate users, not to provide the attacker access to the site.

A denial of service (DoS) attack

__________ is the cyber equivalent of vandalism.

A denial of service (DoS) attack

What is the definition of hash?

A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions

__________ contains remnants of word processing documents, emails, Internet browsing activity, database entries, and almost any other work that has occurred during past Windows sessions.

A swap file

Which forensic certification is open to both the public and private sectors and is specific to the use and mastery of FTK?

AccessData Certified Examiner

What is meant by distributed denial of service (DDoS) attack?

An attack in which the attacker seeks to infect several machines, and use those machines to overwhelm the target system to achieve a denial of service

Susan is a hacker. After breaking into a computer system and running some hacking tools, she deleted several files she created to cover her tracks. What general term describes Susan's actions?

Anti-forensics

What is the definition of a virus, in relation to a computer?

Any software that self-replicates

Before imaging a drive, you must forensically wipe the target drive to ensure no residual data remains.

True

__________ is information at the level of 1s and 0s stored in computer memory or on a storage device.

Bit-level information

The __________ is a federal wiretap law for traditional wired telephony that was expanded to include wireless, voice over internet protocol (VoIP), and other forms of electronic communications.

Communications Assistance for Law Enforcement Act of 1994

_______ is an industry certification that focuses on knowledge of PC hardware.

CompTIA A+

The __________ was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.

Computer Security Act of 1987

Ben was browsing reviews on a sporting goods website from which he purchased items in the past. He saw a comment that read "Great price on camping gear! Read my review." When he clicked the associated link, a new window appeared and prompted him to log in again. What type of attach is most likely underway?

Cross-site scripting (XXS)

A suspect stores data where an investigator is unlikely to find it. What is this technique called?

Data hiding

Ed is an expert witness providing testimony in court. He uses a high-tech computer animation to explain a technical concept to the judge and jury. What type of evidence is Ed using?

Demonstrative

Identification, preservation, collection, examination, analysis, and presentation are six classes in the matrix of the __________.

Digital Forensic Research Workshop (DFRWS) framework

__________ is information that has been processed and assembled to be relevant to an investigation, and that supports a specific finding or determination.

Digital evidence

__________ is a free utility that comes as a graphical user interface for use with Windows operating systems. When you first launch the utility, it presents you with a cluster-by-cluster view of your hard drive in hexadecimal form.

Disk Investigator

__________ is data stored as written matter, on paper or in electronic files.

Documentary evidence

Jan is entering the digital forensics field and wants to pursue a general forensics certification. Which certification is BEST to start with?

EC-Council Certified Hacking Forensic Investigator (CHFI)

The __________ format is a proprietary file format defined by Guidance Software for use in its forensic tool to store hard drive images and individual files.

EnCase

What is a formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted?

Expert report

Which of the following requires certification candidates to take an approved training course, pass a written test, and submit to a review of the candidate's work history?

High Tech Crime Network certifications

What was designed as an area where computer vendors could store data that is shielded from user activities and operating system utilities, such as delete and format?

Host protected area (HPA)

Which of the following are subclasses of fraud?

Investment offers and data piracy

What is NOT true of cyberstalking?

Is not a criminal offense

What is NOT true of random access memory (RAM)?

It cannot be changed

What is the process of searching memory in real time, typically for working with compromised hosts or to identify system abuse?

Live system forensics

What term describes analysis performed on an evidence disk or a forensic duplicate using the native operating system?

Logical analysis

What term describes data about information, such as disk partition structures and file tables?

Metadata

One principal of evidence gathering is to avoid changing the evidence. Which of the following is NOT true of evidence gathering?

Photograph seized equipment after you set it up in the lab.

__________ is offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system.

Physical analysis

The __________ protects journalists from being required to turn over to law enforcement any work product and documentary material, including sources, before it is disseminated to the public.

Privacy Protection Act of 1980

What version of RAID involves three or more striped disks with parity that protect data against the loss of any one disk?

RAID 3 or 4

__________ govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.

Rules of evidence

Which of the following BEST defines rules of evidence?

Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury

The __________ contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies.

Sarbanes-Oxley Act of 2002

When gathering systems evidence, what is NOT a common principle?

Search throughout a device

What term describes information that forensic specialists use to support or interpret real or documentary evidence? For example, a specialist might demonstrate that the fingerprints found on a keyboard are those of a specific individual.

Testimonial evidence

What uses microchips that retain data in non-volatile memory chips and contains no moving parts?

Solid-state drive (SSD)

What is a type of targeted phishing attack in which the criminal targets a specific group; forexample, IT staff at a bank?

Spear phishing

Aditya is a digital forensics specialist. He is investigating the computer of an identity theft victim. What should he look for first?

Spyware

What term describes data that an operating system creates and overwrites without the computer user directly saving this data?

Temporary data

A forensic certification is meant to demonstrate a baseline of competence.

True

A warrant is not needed when evidence is in plain sight.

True

The process of connecting to a server and exchanging packets containing acknowledgment (ACK) and synchronize (SYN) flags is called:

Three-way handshake

A denial of service (DoS) attack typically does NOT harm data on the target server.

True

What kind of data changes rapidly and may be lost when the machine that holds it is powered down?

Volatile data

According to the order of volatility in RFC 3227, what evidence should you collect first on a typical system?

Volatile data, then file slack

This is the space that remains on a hard drive if the partitions do not use all the available space.

Volume slack

The use of electronic communications to harass or threaten another person is the definition of __________.

cyberstalking

The distribution of illegally copied materials via the Internet is known as __________.

data privacy

A SYN flood is an example of a(n) ________.

denial of service (DoS) attack

The term ______ refers to testimony taken from a witness or party to a case before a trial.

deposition

Most often, criminals commit __________in order to perpetrate some king of financial fraud.

identity theft

Forensic investigators who collect data as evidence must understand the __________ of information, which refers to how long it is valid.

life span

Malware that executes damage when a specific condition is met is the definition of __________.

logic bomb

The number 22 for SSH (Secure Shell) and 80 for Hypertext Transfer Protocol (HTTP) are examples of ________.

logical port numbers

Two of the easiest things to extract during __________ are a list of all website uniform resource locators (URLs) and a list of all email addresses on the computer.

physical analysis


Conjuntos de estudio relacionados

Human Diseases Final Study Guide

View Set

Business Law Chapter 2 Multiple Choice

View Set

SURNAME, FIRST NAME INITIAL.MIDDLE NAME INITIAL (DATE). TITLE: Subtitle (ed). PublisherEnglish

View Set

Macro: Ch 31- Fiscal Policy, Deficits, and Debt

View Set