DF FINAL prime
What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?
An affidavit
Which uppercase letter has a hexadecimal value 41? "Z" "A" "C" "G"
"A"
In Microsoft Outlook, what file extension is used with saved sent, drafted, deleted, and received e-mails? .msg .pst .ost .eml
.pst
In Linux, in which directory are most system configuration files stored?
/etc
On a Linux computer, what contains group memberships for the local system?
/etc/group
In Linux, in which directory are most applications and commands stored? /home /etc /usr /var
/usr
At what offset is a prefetch file's create date and time located?
0x80
At what offset are the application's last access date and time located in a prefetch file?
0x90
At what distance can the EMR from a computer monitor be picked up? 1/4 mile 3/4 mile 1/2 mile 1 mile
1/2 mile
In the NTFS MFT, all files and folders are stored in separate records of how many bytes each?
1024
What is the largest disk partition Ext4f can support?
16 TB
When was the Freedom of Information Act originally enacted? 1950s 1940s 1960s 1970s
1960s
The Enhanced Data GSM Environment (EDGE) standard was developed specifically for which type of service? OFDM D-AMPS CDMA 3G
3G
In an e-mail address, what symbol separates the domain name from the rest of the address? . # @ -
@
What document, issued by a judge, compels the recipient to do or not do something? A temporary restraining order A court order A warrant A subpoena
A court order
What type of software runs virtual machines? A virtual server A systems mirror A digital simulator A hypervisor
A hypervisor
Which type of tool has application programming interfaces (APIs) that allow reconfiguring a cloud on the fly and is accessed through the application's Web interface?
A management plane
A government entity must show that there is probable cause to believe the contents of a wire communication, an electronic communication, or other records are relevant to an ongoing criminal investigation to obtain which type of order? A court order with prior notice A subpoena A TRO A search warrant
A search warrant
What usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will? An alarm trigger A consent authorization A warning banner A statement of responsibilities
A warning banner
What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?
A warrant
Which type of kit should include all the tools the investigator can afford to take to the field? A forensic lab kit An extensive-response field kit A forensic workstation kit An initial-response field kit
An extensive-response field kit
What is needed to quickly acquire data at a scene and return to the lab?
An initial-response field kit
What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible? An initial-response field kit An extensive-response field kit A seizing order A bit-stream copy utility
An initial-response field kit
Where should your computer backups be kept? Any convenient location A colleague's computer In the Cloud An off-site facility
An off-site facility
Power should not be cut during an investigation involving a live computer, unless it is what type of system?
An older Windows or MS-DOS system
What term refers to the number of bits in one square inch of a disk platter? ZBR Cylinder skew Areal density Head skew
Areal density
Which tool probes, collects, and analyzes session data? Pcap TCPcap Nmap Argus
Argus
How may computer programs be registered under copyright laws? As audiovisual works As motion pictures As architectural works As literary works
As literary works
In Web-based e-mail, how are messages displayed and saved? As CSS codes As web pages As .txt files As .rtf files
As web pages
What specifies the Windows XP path installation and contains options for selecting the Windows version?
Boot.ini
What type of attacks use every possible letter, number, and character found on a keyboard when cracking a password?
Brute-force
In what process is the acquisition of newer and better resources for investigation justified? Modifying the configuration plan Building a business case Conducting a risk evaluation Creating an upgrade policy
Building a business case
Which folder is most likely to contain Dropbox files for a specific user?
C:\Users\username\Dropbox
What technology, developed during WWII, uses the full radio spectrum to define channels and is now used in the U.S. by Sprint, U.S. Cellular, and Verizon?
CDMA
What HTCN certification level requires candidates have three years of experience in computing investigations for law enforcement or corporate cases? Certified Computer Crime Investigator, Advanced Level Certified Computer Forensic Technician, Basic Certified Computer Forensic Technician, Advanced Certified Computer Crime Investigator, Basic Level
Certified Computer Forensic Technician, Basic
Which organization has developed resource documentation for cloud service providers and their staff and provides guidance for privacy agreements, security measures, and other issues? OpenStack Framework Alliance Cloud Security Alliance Cloud Architecture Group Cloud Security Advisory Panel
Cloud Security Alliance
Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?
Computer Analysis and Response Team
What process refers to recording all the updates made to a workstation? Configuration management Recovery logging Change logging Risk minimization
Configuration management
What type of laws should computer investigators be especially aware of when working with image files in order to avoid infringement violations? Copyright International Civil Forensics
Copyright
What type of laws should computer investigators be aware of when working with image files?
Copyright laws
Which type of case involves charges such as burglary, murder, or molestation? Judicial Criminal Civil Corporate
Criminal
What term refers to a column of tracks on two or more disk platters? Cylinder Sector Head Track
Cylinder
Which type of network is a digital version of the original analog standard for cell phones?
D-AMPS
Which activity involves changing or manipulating a file to conceal information?
Data hiding
A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?
Data recovery
What contains instructions for the OS for hardware devices, such as the keyboard, mouse, and video card? Pagefile.sys Device drivers Hal.dll Ntoskrnl.exe
Device drivers
What contains instructions for the OS for hardware devices? Pagefile.sys Device drivers Hal.dll Ntoskrnl.exe
Device drivers
What are packet analyzers?
Devices or software placed on a network to monitor traffic
What type of plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing? Risk management Disaster recovery Configuration management Security
Disaster recovery
What type of copy does the simplest method of duplicating a disk drive make? Partition-to-partition Image-to-partition Image-to-disk Disk-to-image
Disk-to-image
Which type of copy from the suspect disk to the target location does the simplest method of duplicating a disk drive make? Disk-to-image Partition-to-partition Image-to-disk Image-to-partition
Disk-to-image
What older Microsoft disk compression tool eliminates only slack disk space between files? WinZip PKZip WinRAR DriveSpace
DriveSpace
What tool provided by Paraben Software examines IoT devices, has a bootloader for locked mobile devices, and can perform data parsing and cloud data capture? BitPim E3:DS MOBILedit! DataPilot
E3:DS
Where do phones typically store system data? EROM ROM PROM EEPROM
EEPROM
In which format are most digital photographs stored?
EXIF
What term refers to a person using a computer to perform routine tasks other than systems administration? Customer Consumer Complainant End user
End user
Which tool allows network traffic to be viewed graphically?
Etherape
What type of files might lose essential network activity records if power is terminated without a proper shutdown?
Event logs
If a graphics file cannot be opened in an image viewer, what should the next step be?
Examining the file's header data
What must be included in an affidavit to support the allegation of a crime when seeking a search warrant? Exhibits Authorized requester Subpoena Exculpatory evidence
Exhibits
When an investigator seeks a search warrant, which of the following must be included in an affidavit to support the allegation of a crime?
Exhibits
What was the early standard Linux file system? Ext2 NTFS HFS+ Ext3
Ext2
The data-hiding technique involving marking bad clusters is more commonly used with what type of file system? Ext2fs NTFS HFS FAT
FAT
Which activity involves sorting and searching through investigation findings to separate good data and suspicious data?
Filtering
In which discipline do professionals listen to voice recordings to determine who's speaking or read e-mail and other writings known to be by a certain person and determine whether that person wrote the e-mail or letter in question? Communication forensics Forensic linguistics Linguistic analysis Communication linguistics
Forensic linguistics
Which resource can be helpful when investigating older and unusual computing systems? Minix Uniform reports AICIS lists Forums and blogs
Forums and blogs
How many components define the file system on UNIX/Linux? Three Two Four Five
Four
What tools are used to create, modify, and save bitmap, vector, and metafile graphics? Image readers Image viewers Graphics viewers Graphics editors
Graphics editors
Because digital forensics tools have limitations in performing hashing, what tools should be used to ensure data integrity? Steganalysis tools High-level language assemblers Hexadecimal editors HTML editors
Hexadecimal editors
Which project was developed to make information widely available in an attempt to thwart Internet and network hackers? Honeynet Honeypot Honeywall Honeyweb
Honeynet
What organization was created by police officers in order to formalize credentials for digital investigators? TEMPEST IACIS NISPOM HTCN
IACIS
Which agency introduced training on software for forensics investigations by the early 1990s? IACIS DDBIA CERT FLETC
IACIS
Which standard introduced sleep mode to enhance battery life? IS-195 IS-236 IS-361 IS-136
IS-136
Which standards document demands accuracy for all aspects of the testing process? ISO 17025 ISO 5321 ISO 5725 ISO 3657
ISO 5725
In a file's inode, what are the first 10 pointers called? Triple pointers Indirect pointers Double pointers Direct pointers
Indirect pointers
What contains file and directory metadata and provides a mechanism for linking data stored in data blocks? Extnodes InfNodes Inodes Xnodes
Inodes
Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes? Investigating and controlling the scene is equally difficult in both environments. Investigating and controlling the scene is much easier in private sector environments. Investigating and controlling the scene is equally easy in both environments. Investigating and controlling the scene is more difficult in private sector environments.
Investigating and controlling the scene is much easier in private sector environments.
Which JFIF format has a hexadecimal value of FFD8 FFE0 in the first four bytes? JPEG EPS BMP GIF
JPEG
What term is often used when discussing Linux? Module Root Kernel GRUB
Kernel
What technology is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure? Key escrow Passphrase splitting Passphrase escrow Key splitting
Key escrow
When both the original file with no hidden message and the converted file with the hidden message are available, what analysis method is recommended by Johnson and Jajodia? Message-only attack Known cover attack Known message attack Chosen message attack
Known cover attack
Which type of strategy hides the most valuable data at the innermost part of the network?
Layered network defense
On which OSI model layers do most packet analyzers operate? Layers 1 or 2 Layers 2 or 3 Layers 4 or 5 Layers 3 or 4
Layers 2 or 3
What do published company policies provide for a business that enables them to conduct internal investigations? Judicial authorization Line of authority Legitimate justification Absolute process
Line of authority
What term refers to Linux ISO images that can be burned to a CD or DVD? Linux in a Box Linux Live CDs ISO CDs Forensic Linux
Linux Live CDs
What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available? Static Passive Live Local
Live
Which files provide helpful information to an e-mail investigation?
Log and configuration files
What does Autopsy use to validate an image? MD5 AFD AFF RC4
MD5
What is on an NTFS disk immediately after the Partition Boot Sector? HPFS MFT FAT MBR
MFT
Which tool enables the investigator to acquire the forensic image and process it in the same step?
Magnet AXIOM
What are records in the MFT called?
Metadata
Which tool, used by government agencies, retrieves data from smartphones, GPS devices, tablets, music players, and drones? MOBILedit Forensic Micro Systemation XRY DataPilor BitPim
Micro Systemation XRY
At what levels should lab costs be broken down? Daily, weekly, and monthly Monthly, quarterly, and annually Weekly, monthly, and annually Monthly, bimonthly, and quarterly
Monthly, quarterly, and annually
Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr? BootSect.dos NTDetect.com Hal.dll Boot.ini
NTDetect.com
In addition to FAT16, FAT32, and Resilient File System, which file system can Windows hard disks also use? FAT24 ext3 NTFS ext2
NTFS
Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10? NTFS HPFS FAT32 VFAT
NTFS
Which cloud forensics training program is limited to law enforcement personnel? National Institute of Justice Digital Forensics Training INFOSEC Institute (ISC)2 Certified Cyber Forensics Professional Sans Cloud Forensics with F-Response
National Institute of Justice Digital Forensics Training
Which tool was designed as an easy-to-use interface for inspecting and analyzing large tcpdump files?
Netdude
Which filename refers to the Windows XP system service dispatch stubs to executables functions and internal support functions? Ntdll.dll Gdi32.dll User32.dll Advapi32.dll
Ntdll.dll
Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM? Hal.dll Ntkrnlpa.exe Io.sys BootSect.dos
Ntkrnlpa.exe
What is Microsoft's SkyDrive now called? Teams Box OneDrive MS Drive
OneDrive
Which devices have been replaced by iPods, iPads, and other mobile devices for personal use? MMCs PDAs CFs SDHCs
PDAs
Which format can be read by most packet analyzer tools? DOPI Pcap AIATP SYN
Pcap
Without a warning banner, what right might employees assume they have when using a company's computer systems and network accesses? Authority Privacy Consent Anonymity
Privacy
What investigator characteristic determines the investigator's credibility? Fidelity to oath of office Investigatory acumen Line of authority Professional conduct
Professional conduct
What investigator characteristic, which includes ethics, morals, and standards of behavior, determines the investigator's credibility? Investigatory acumen Fidelity to oath of office Professional conduct Line of authority
Professional conduct
The presence of police officers and other professionals who aren't part of the crime scene-processing team may result in the loss or corruption of data through which process? Deliberate destruction Professional curiosity Data drift Police malfeasance
Professional curiosity
Which type of format acquisition leaves the investigator unable to share an image between different vendors' computer forensics analysis tools? AFF AFD Raw Proprietary
Proprietary
In which RAID configuration do two or more disk drives become one large volume, so the computer views the disks as a single disk?
RAID 0
In addition to RAID 0, what type of RAID configuration is available for Windows XP, 2000, and NT servers and workstations? RAID 4 RAID 1 RAID 5 RAID 2
RAID 1
Which RAID configuration offers the greatest access speed and most robust data recovery capability?
RAID 15
At a minimum, what do most company policies require that employers have in order to initiate an investigation?
Reasonable suspicion that a law or policy is being violated.
In older versions of macOS, in which fork are file metadata and application information stored? Block Node Inode Resource
Resource
Which activity involves determining how much risk is acceptable for any process or operation? Risk control Risk analysis Risk configuration Risk management
Risk management
What is the primary hash algorithm used by the NIST project created to collect all known hash values for commercial software and OS files?
SHA-1
Which hashing algorithm is provided by WinHex? CRC AES RC4 SHA-1
SHA-1
What type of cards, consisting of a microprocessor and internal memory, are usually found in GSM devices? SIM MMC SDD SD
SIM
What type of disk is commonly used with Sun Solaris systems?
SPARC
In addition to environmental issues, what issues are the investigator's primary concerns when working at the scene to gather information about an incident or a crime? Safety Legal Corporate Interpersonal
Safety
What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing?
Salesforce
What action alters hash values, making cracking passwords more difficult? Salting passwords Rainbow tabling Code twisting Hash morphing
Salting passwords
Which action alters hash values, making cracking passwords more difficult? Hash morphing Rainbow tabling Salting passwords Code twisting
Salting passwords
To view Gmail Web e-mail headers, what should be clicked after the e-mail has been opened and the down arrow next to the Reply circular arrow has been clicked? Options Show original Message properties More options
Show original
Which doctrine, found to be unconstitutional, was used to allow a civilian or private-sector investigative agent to deliver evidence obtained in a manner that violated the Fourth Amendment to a law enforcement agency?
Silver-platter
With cloud systems running in a virtual environment, what can be used to give the investigator valuable information before, during, and after an incident?
Snapshots
What is required for real-time surveillance of a suspect's computer activity?
Sniffing data transmissions between a suspect's computer and a network server.
In which cloud service level are applications delivered via the Internet?
Software as a service
If your time is limited, what type of acquisition data copy method should you consider?
Sparse
What type of acquisition is typically done on a computer seized during a police raid? Online Static Real-time Live
Static
What material is recommended for secure storage containers and cabinets? Expanded metal Steel Gypsum Wood
Steel
What is another term for steganalysis tools? Hexadecimal editors Steg tools Image editors Image tools
Steg tools
Which term comes from the Greek word for 'hidden writing'? Hagiography Lexicography Steganography Cryptography
Steganography
Which term refers to a data-hiding technique that uses host files to cover the contents of a secret message? Steganos Steganography Graphie Steganalysis
Steganography
Which data-hiding technique replaces bits of the host file with other bits of data?
Substitution
During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. What did the U.S. Department of Defense call this special computer-emission shielding?
TEMPEST
From which file format is the image format XIF derived? BMP JPEG TIF GIF
TIF
Which digital forensics tool is categorized as a single-purpose hardware component? AccessData FTK Safeback Tableau T35es-R2 SATA/IDE eSATA bridge Magnet Forensics AXIOM
Tableau T35es-R2 SATA/IDE eSATA bridge
Which program can be used to examine network traffic? Slackdump Tcpdump Coredump Netdump
Tcpdump
Which tool is useful for extracting information from large Libpcap files? Oinkmaster Memfetch Tcpslice John
Tcpslice
What entity created the Interim Standards used in mobile communications? Global Telecommunications Association International Telecommunications Union Telecommunications Industry Association Global System Communications Industry
Telecommunications Industry Association
Which network protocol analyzer can be programmed to examine TCP headers to find the SYN flag? Memfetch Tethereal Memorizer John
Tethereal
What macOS system application tracks each block on a volume to determine which blocks are in use and which ones are available to receive data? Then Extents Overflow File The Volume Bitmap The Volume Control Block The Master Directory Block
The Volume Bitmap
Where are directories and files stored on a disk drive? The boot block The superblock The inode block The data block
The data block
In macOS, which fork typically contains data the user creates? The user fork The data fork The content fork The resource fork
The data fork
What is the main information being sought when examining e-mail headers?
The originating e-mail's domain name or an IP address
When Microsoft created Windows 95, into what were initialization (.ini) files consolidated? The registry The metadata The inidata The inirecord
The registry
In macOS, when working with an application file, which fork contains additional information, such as menus, dialog boxes, icons, executable code, and controls? The resource fork The system fork The data fork The application fork
The resource fork
What does the SIM file structure begin with? Directory files (DF) The root of the system (MF) Elementary data (EF) Network data (DCS)
The root of the system (MF)
What limits the data that can be sought in a criminal investigation? The applicable administrative rule The search warrant The agency's policies and procedures The legal definition of the purported crime
The search warrant
What technique does GSM use, in which multiple phones take turns sharing a channel? Code Division Multiple Access Time Division Multiple Access Enhanced Data GSM Environment Orthogonal Frequency Division Multiplexing
Time Division Multiple Access
In which log does Exchange log information about changes to its data? Communication Checkpoint Tracking Transaction
Transaction
Which type of virtual machine software is typically, but not exclusively, loaded on servers or workstations with a lot of RAM and storage? Type 2 Type 1 Type 3 Type 4
Type 1
When seizing computer evidence in criminal investigations, which organization's standards should be followed? NSA U.S. DOJ U.S. DoD Department of Homeland Security
U.S. DOJ
Devices used to prevent data from being written to a disk can connect to a computer through FireWire, SATA, PATA, and SCSI controllers as well as which other type of controller? PCMCIA IDE USB 2.0 and 3.0 LCD
USB 2.0 and 3.0
What reports are generated at the local, state, and federal levels to show the types and frequency of crimes committed?
Uniform crime reports
How much internal memory do mobile devices have? Up to 8 GB Up to 16 GB Up to 32 GB Up to 64 GB
Up to 64 GB
What is the simplest way to access a file header? Use a hexadecimal editor Use a disk editor Use a text editor Use an image editor
Use a hexadecimal editor
Which filename refers to a core Win32 subsystem DLL file? Ntoskrnl.exe Hal.dll User32.sys Pagefile.sys
User32.sys
Which product responded to the need for security and performance by producing different CPU designs? Parallels Virtualization KVM Virtualization Technology (VT) Hyper-V
Virtualization Technology (VT)
What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult? Whole disk encryption Backup utilities NTFS Recovery wizards
Whole disk encryption
What cloud service provides a freeware type 1 hypervisor used for public and private clouds? HP Helion Amazon EC2 Cisco Cloud Computing XenServer and XenCenter Windows Management Console
XenServer and XenCenter Windows Management Console
How do most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks? Cylinder skew ZBR Head skew Areal density
ZBR
What term is used for the machines used in a DDoS attack? Zombies Dupes Soldiers Pawns
Zombies
When confidential business data are included with the criminal evidence, what are they referred to as? a. commingled data b. exposed data c. public data d. revealed data
a. commingled data
What command works similarly to the dd command but has many features designed for computer forensics acquisitions? man raw bitcopy dcfldd
dcfldd
What Linux command is used to create the raw data format? rawcp dd d2dump dhex
dd
Which Windows disk partition utility can be used to hide partitions?
diskpart
Which Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system? filecache.dll filetx.log read_filejournal filecache.dbx
filecache.dbx
What option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512?
hash
What command displays pages from the online help manual for information on Linux commands and their options? hlp cmd man inst
man
What format is used for the flat plaintext files some e-mail systems use for message storage?
mbox
Which Google Drive file contains a detailed list of a user's cloud transactions?
sync_log.log
