CSF 410 final study guide

¡Supera tus tareas y exámenes ahora con Quizwiz!

mouse jiggler

A_____ is a device that keeps a computer from entering sleep mode or logging the user out

MBR

Identify the following hexadecimal signature: "55 AA"

booting in safe mode

If a image restore from a physical windows system is failing to boot a good first step to try is

true

In order to create a forensic copy of source media, the target media must be equal or greater capacity to the source

forensic copy

In which of the following aquisition methods is it most important to sterilize your target media

The NTUSER.dat registry hive

Intemet Explorer stored typed URLs in

True

Text files (trt) do not have a file signature

fingerprint

a useres internet viewing habits can almost be as distinctive as a

state their opinion

an expert witness can

true

an illicit image is an image whose subject matter is offensive or illegal depending on your cultural or legal landscape

true

many of the tools used to extract NTLM pasword hashes from registry hives get flagged as malware by windows

CHS - MBR LBA - GPT

match the addressing cheme with the partitioning scheme

false

most modern high-capacity hard drives use CHS addressing

false

once specified a files metadata cannot be modified

true

passwords used on word documents is secure because it relies on encryption

true

peer-to-peer (P2P) file-sharing is a decentralized method of file-sharing

false

law enforcement has mdm control over private citizen cell phones

false

proofreading is not necessity when writing reports, the court expects examiners to have mistakes since they are busy people

true

virus toal has a API that can be used to identify known malware signatures

false

vmware supports e01 images as a virtual CD/DVD drive

true

vmware vsphere migration tool can be used to convert a physical machine to a virtual machine

Filesystem

what is used within the boundaries of a volume and tracks file allocation and cluster use?

did not validate tools

what mistake did the investigators make in the casey anthony investigation

true

when a file is deleted from FAT filesystem file contents/data does get changed

FAT-formatted filesystems use ______ addressing

CHS

true

Expert witnesses must be able to explain the technical aspects of a case to a non-technical audience

slack space

Extra space following a file is called ______

four

MBR has a limit of ____ primary partititons

true

Peer-to-peer filesharing uses a decentralized network of computers

false

Peer-to-peer technology is illegal and has no legitimate use cases

false

Reading a files basiuc metadata requires an external application like exiftool due to OS limitations in windows 10/11

false

RAM contents must be captured in the field at the time of device seizure

true

SSds have several features that make it less likely an examiner can aquire deleted files from a filesystem

Publications prior testimony educational history

Select all of the following types of information that you should include on a CV for expert witness evaluation

Encase x-ways ftk suite

Select all of the following which are considered commercial forensic suites

Administrator permissions A capturing device/disk

Select all of the following which you NEED to capture RAM off a running system

memory.dmp

The _____ file stores overflow memory when the system runs out of physical memory

true

The latest version of microsofts web browser is based on chromium

false

The thumbcache is sufficient to prove a user had knowledge of a file's existence

Chain of Custody

Upon leaving a crime scene where the suspect had been accused of assistng in online auctions of illicit material, the police fail to document the person transporting a number of machines to a location used for evidence collection. This violates which of the following principles?

False

You should always pull the plug or power down on running ocmputers when arriving on the scene to not modify any data on the disk

false

VMware will not recognize disks mounted to the host using third party software like FTK imager or image mount pro

True

Vendor-neutral training focuses on methodology instead of using a particular vendor's software

FFFF FFF8

Which byte pattern is used to denote the last cluster in a file data stream in the FAT filesystem?

%AppData%\Roaming

Which folder(s) are uploaded to the active directory server to sync user settings?

Chain of custody

Which of the following are used to ensure that evidence is accounted for at all times?

emails can route through relays when in transit

Which of the following best explains why there may be multiple SMTP servers listed in a emails headers

64-bit chekcsum

Which of the following is teh best method for verifying a target media has been successfully sterilized

network adapter

Which of the following may you want to disable when booting from a restored suspect image

Password Protected Files BIOS Password Windows Login Password

Which of the following security measures can typically be bypassed without decryption

paladin ftk imager

Which of the following tolls can be used to take a forensic image

sample image

Which of the following would be the best choice to perform tool validation of a write blocker

SAM SYSTEM

Which registry hives are needed to extract a user's NTLM password hash?

Digital Forensics

Which terms best fits the definition: Examination and analysis of the digital evidence

remote desktop

_____ is the built-in windows utility to access a computer remotely via the network

gmail

_____ was one of the first client-side rendering applications meaning re-construction page contents with cache was unlikely

image_export

_____ will export file content from a device, media image, or forensic image

interactive

______ is a login where the user is physically located in front of the system per the windows event log

pre-investigation considerations

_______ is used determine your capabilities and equipment specifications to conduct a forensic exam regardless of whetehr it is in the field or a lab environment

white hat

a _____ hacker is a positive or non-malicious actor

false

all forensic analysis on amobile device must be performed internally by your agency

a 2-party consent

as a provate citizen or company in ______ state you must aquire permission to record a telephone conversation

pelican-type

as mentioned in the lecture video, a ___ case is watertight and crush-proof to protect equipment

false

chain of custody is only used in corporate investigations

false

changing a images EXIF metadata does not change the files hash

JSON

chrome stores bookmarks in the following format

false

chrome stores timestamps in the unix timestamp format

resident data

data streams contained within the mft are referred to as

false

emails cannot be routed over IPv4 private addressing space

true

file signatures are the first few bytes that can be used to determine the format of the file

true

ftk suite supports multiple users working on a single case

false

if a user opensa webmail message on their computer that action is untraceable to examiners

true

if a useres profile is corrupted windows will create a temporary user profile

senders IOS device receivers IOS device

imessages can be read by the follwoing parties

true

in order to conduct an online investigation a law enforcement agency is required to obtain a warrant

false

regular expressions are sued for decrypting files such as zip folders

BIOS password reset hardware clock reset boot order reset to factory default

select the likely effects of removing a CMOS battery from a motherboard

the end of the last cluster where a file resides

slack space is located at __

false

social media cannot be a source of digital evidence for showing a conspiracy

false

the DD command is a direct bit-for-bit copy; teh E01 format is also a bit-for-bit copy but does not include additional data within the forensic image

false

the FAT filestsem allows for larger max file sizes compared to NTFS

narrative

the ___ section of the report is the most detailed

investigator

the ____ takes charge of the scene and directs all activity

false

the examiner should only use commercially available write blockers for real investigations. Open source / free write blockers are not considered forensically sound

true

the executive summary portion of your report should be written for a non-technical audience

IOS

the plist format is used by

false

to present your findings in court you must only use commercial forensic software since open-source software is not accepted by the court

false

to recover deleted files media must be examined at the logical level

true

when collecting open source intel from the internet you must collect metadata about the source of that evidence

true

when conducting an undercover investigation you must preserve all communication involved even ones that are not evidentiary relevent to your side of the case

true

when we look at the values in USBSTOR they will inlcude the commerical name of the device

OST MDB PST

which file extentions are used in outlook

temp mail guerrilla mail

which of the following are examples of services that provide disposable emial accounts

aquire an RAM image from the device running the software capture a disk/drive image

which of the following are functions hat can be performed with the FTK imager freeware application

sas ide sata scsi

which of the following are interfaces used to attach a physical drive to a motherboard

tool validation should be performed regularly the examiner should keep a log / record of each time they perform tool validation

which of the following statements are true about tool validation

write blocking

which of the following would you use to protect the fragility of digital evidence

mandatory

which profile is created by network administrators to lock users down to a specific set of settings

PDF w/ Digital Signature

which report format can only be modified by the authors private key

executive staff directors employees with access to data

who will identify subjects that may be involved in an insider threat


Conjuntos de estudio relacionados

Road to Civil War - (History Test) Wednesday, January 25th

View Set

Reproductive Isolating mechanisms

View Set