Final CTC 328

¡Supera tus tareas y exámenes ahora con Quizwiz!

Which ot the following file extensions are associated with VMware virtual machine? a. _vmx, log, and _nvram b. _vdi, ova, and _r0 c. _vmx, TO, and _xml-prev d. .vbox, .vdi, and -log

.vmx, .log, and .nvram

How many bits are required to create a pixel capable of displaying 65,536 different colors? a. 8 bit b. 16 bit c 32 bit d. 64 bit

16 bit

In VidualBox, different types of virtual network adapters are possible, such as AMD and Intel Pro adapters a 2 b 4 c 6 d 8

6

Which graphics file format below is rarely compressed? a. GIF b. JPEG c BMP D. None ot the above

BMP

When do zero day attacks occur? (Choose all that apply) a. On the day the application or OS is released b. Before a patch is available c. Before the vendor is aware of the vulnerability d. On the day the patch is created

Before a patch is available Before the vendor is aware of the vulnerability

The is responsible for analyzing data and determining when another specialist should be called in to assist with analysis. a. Digital Evidence Specialist b. Digital Evidence Analyst c Digital Evidence Examiner d. Digital Evidence First Responder

Digital Evidence Specialist

Which of the following is not considered to be a non standard graphics tile format? a. .dxf b. .tga c .rtl d. .psd

.dxf

In older versions of exchange, what type of file was responsible for massages formatted with Messaging Application Programming Interface, and served as the database file a. .ost b edp c .edb d. .edi

.edb

Which of the following types of files can provide useful intormation when you're examining an e-mail server? a. dbf files b. _emx files c. .log files d. .sltfiles

.log files

In Microsoft Outlook, what are the email storage files typically found on a client computer? a. .pst and .ost b resl _log and res2_lag c. PU020102 db .d _evolution

.pst and .ost

What kind of files are created by Exchange while converting binary data ta readable text in order to prevent lass of data a. txt b. .tmp c. .exe d. .log

.tmp

VirtualBox a(n) ??? In file contains settings for virtual hard drives a. .vox-prev b. ovf c. .vbox d. log

.vbox

The disk image file format is associated with the VirtualBax hyper-visor a. .vmdk b. had c. .vhd d. .vdi

.vdi

What format below is used tor VMware images? a. _vhd b. .vmdk c _s01 d. aff

.vmdk

What file type below, associated with VMWare, stores VM paging files that are used as RAM for a virtual machine a. .nvram b. .vmen c. .vmpage d. .vmx

.vmen

Which option below is the correct path to the sendmail configuration file a. /var/etc/sendmail.cf b. /var/mail/sendmail cf c. /usrflocal/sendmail.ct d. /etc/mail/sendmail.cf

/etc/mail/sendmail.cf

Syslog is generally configured to put all e-mail related log intonation into what tile a. /usr/log/mail]og b. /var/log/message c /proc/mail d. /var/log/maillog

/var/log/maillog

Where does the Postfix IJNIX mail server store e-mail a. /home/username/mail b. /var/mail/posttix c /var/spool/postfix d. /etc/posttlx

/var/spool/postfix

What hexadecimal cade below identifies an NTFS file system in the partition table? a 05 b. 07 c 1B d A5

07

a master boot record (MBR) partition table marks the first partition starting at what offset? a. 0x1CE b. 0x1BE c. 0x1AE d. 0x1DE

0X1BE

In order to qualify for the ceftified computer crime Investigator, basic level certification, candidates must provide documentation ot at least ??? cases in which they participated. a 5 b. 10 c 15 d. 20

10

The SANS Investigative Forensics Toolkit (SIFT) appliance can currently only be installed on what version ot Ubuntu a. 12.04 b 13.11 c 14.04 d 14.11

12.04

Within Windows Vista and later, partition gaps are bytes in length a. 64 b 128 c. 256 d 512

128

How many words should be in the abstract ot a report? a. 50 to 100 words b. 100 to 150 words c 150 to 299 words d. 200 to 250 words

150 to 299 words

How many different colors can be displayed by a 24 bit colored pixel? a. 256 b. 65,536 c 16,77,216 d 4,294,697,296

16,77,216

Which IDO standard below is followed by the ASCLD? a. 17025:2005 b 17026:2007 c 12075 2007 d 12076:2005

17025:2005

How long ara computing components designed to last in a normal business environment? a. 12 to 16 months b 14 to 26 months c 18 to 36 months d 6 to 90 months

18 to 36 months

What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact a. iNet b. ARIN c. Google d. ERIN

ARIN

E-mail headers contain which af the following information? (Choose all that apply.) a. The sender and receiver e-mail address b. An ESMTP number or reference number c The e-mail servers the message traveled through to reach its destination d. The IP address of the receiving server e. All of the above

All of the above

Logging options on many email servers can be: a. Disabled by the administrator b Set up in a circular logging configuration c Configured to a specified size before being overwritten d All of the above

All of the above

What letter should be typed into DiskEdit in order to mark a goad sector as bad? a M b B c T d D

B

The ReFs storage engine uses a ??? access to large data sets. a. A+-tree b. B+-tree c reverse d.numerical

B+-tree

When searching a victim's computer for a crime committed with a specific email, what provides information for determining the emails originator? (Choose all that apply) a. E-mail header b. Username and password c. Firewall log d. All at the above

E-mail header Firewall log

Select the program below that can be used to analyze mail from Outlook, Thunderbird7 and Eudora a. AccessData FTK b. DataNuman c. R-Tools R-Mail d. Fookes Aid4Mail

Fookes Aid4Mail

The NSA's defense in depth (DiD) strategy contains three modes ot protection. Which option below IS not one of the three modes a. People b Technology c. Operations d. Management

Management

Phishing does which otthe following? a. Uses DNS poisoning b. Lures users with false promises c Takes people to fake websites d. Uses DHCP

Lures users with false promises

Select below the utility that is not a lossless compression utility a. PKZip b. WinZip c. Stufflt d. Lzip

Lzip

Which of the following is a current formatting standard for e_mail? a. SMTP b. MIME c. Outlook d. HTML

MIME

An evidence custody form does not usually contain a. the nature of the case b. a description ot evidence c vendor names for computer components d. a witness list

a witness list

What term below describes a column of tracks on two or more disk platters? a. sector b. cluster c cylinder d header

cylinder

What term is used to describe a disk's logical structure of platters, tracks, and sectors? a. cylinder b trigonometry c geometry d mapping

geometry

Which Microsoft OS below is the least intrusive to disks in terms ot changing data? a. windows 95 b. windows XP c windows 7 d. ms-dos 6.22

ms-dos 6.22

The is a good tool for extracting information from large Libpcap files; you simply specify the time frame you want to exam•ne a. Tcpdstat b. Tcpslice c. Ngrep d. tcpdump

tcpslice

How you format is less important than being consistent In applying formatting_ a. words b. text c. paragraphs d. sections

text

Which of the following formats is not considered to be a standard graphics file format? a. gif b. jpeg c. dxt d. tga

tga

What does the MTF header field at offset 0x00 contain? a. the MFT record identifier FILE b the size of the MET record c the length of the header d. the update sequence array

the MFT record identifier FILE

A disaster recovery plan ensures that workstations and tile servers can be restored to their original condition in the event of a catastrophe. t,ff

true

A report can provide justification for collecting more evidence and be used at a probable cause hearing a. true 5. false

true

Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific files or sectors_ t/t

true

All email headers contain the same types of information True/False

true

Graphics files are created and saved in a graphics editor, such as Microsoft Paint, Adobe Freehand MX, Adobe Photoshop, or Gnome GIMP t/f

true

Most digital investigations in the private sector involve misuse of computing assets True False

true

One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is essential for presenting evidence in court t/f

true

Specially trained system and network administrators are often a CSPs first responders. a. true b. false

true

State public disclosure laws apply to state records, but FOIA (Freedom of Information Act) allows citizens to request copies of public documents created by federal agencies

true

The advantage of recording hash values is that you can determine whether data has changed. t/f

true

The capability of type 1 hypervisors is limited only by the amount of available RAM, storage, and throughput

true

The first 3 bytes of an XIF file are exactly the same as a TIF file t/f

true

The honeynet Project was developed to make information widely available in an attempt to thwart intemet and network attackers

true

True/ False Linus live CDs and WinFe disks do not automatically mount hard drives, but can b used to view file systems

true

TrueFalse An experts opinion is governed by FRCP, Rule 26, and the corresponding rule in many states.

true

User groups for a specific type of system can be very useful in a forensics investigation. t/f

true

When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space

true

Which court case established that it is not necessary for computer programmers to testify in order to authenticate computer-generated records? a. united states v wong b. united states v carey c. united states v salgado d. united states v walser

united states v salgado

Which option below is not one of the recommended practices tor maintaining a keyed padlock? a. appoint a key custodian b. take inventory af all keys when the custodian changes c use a master key d. change locks and keys annually

use a master key

After the evidence has been presented in a trial by jury, the jury must deliver a(n) a. exhibit b. affidavit c. allegation d. verdict

verdict

What's the main piece of information you look for in an email message you're Investigating? a. Sender or receivers e-mail address b. Originating e-mail domain or IP address c. Subject line content d. Message number

Originating e-mail domain or IP address

Virtual Machine Extension (VMX) are pan of which of the following? a. Type 1 hypervisors b. Type 2 hypervisors c Intel Virtualized Technology d. AMD Virtualized Technology

Type 2 hypervisors

When seizing digital evidence in criminal investigations, whose standards should be followed? a. U.S. DOJ b ISO/IEC c. IEEE d ITU

U.S. DOJ

is the process of opposing attorneys seeking information from each other a. Subpoena b. Warranting c. Discovery d. Digging

discovery

In Windows, the command can be used to both hide and reveal partitions within Explorer. a. format b. fdisk c grub d. diskpart

diskpart

A chain-of-evidence form, which is used to document what has and has not been done with the original evidence and forensic copies of the evidence, is also known as a(n) Answers: a. evidence tracking form b. evidence custody form c single-evidence form d. multi-evidence form

evidence custody form

Most digital cameras use the bitmap format to store photos t/f

false

All TIF files start at offset 0 with what 6 hexadecimal characters? a. IA 49 48 b. FF 26 9B c. 49 49 2A d. AC 49

49 49 2A

Which technology below is not a hot-swappable technology? a. usb-3 b firewire 1394A c. SATA d IDE

IDE

What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume? a. $MgyMirr b. $TransAct c $LogFile d. $Backup

$LogFile

On a UNIX system, where is a user'S mail stored by default a. /var/mail b. "varllog/mail c tusemame/mail d. /home/username/mail

/home/username/mail

Federal courts, as a matter of rule, require all fact or expert witnesses to provide a report trial in civil cases_

before

A report using the system divides material into sections and restarts numbering with each main section.

decimal numbering

A report using the system divides material into sections and restatts numbering with each main section_ a. numerically ordered b. hierarchical c. decimal numbering d. number formatted

decimal numbering

Which tool below is not recommended for use in a forensics lab? a. 2_5-inch adapters for drives b. firewwe and usb adapters c. SCSI card d. degusser

degusser

Libraries of previous given testimony that law firms can access_

deposition banks

After a judge approves and signs a search warrant, the ?99 is responsible tor the collection ot evidence as defined by the warrant a. digital evidence recorder b. digital evidence specialist c. digital evidence first responder d. digital evidence scene investigator

digital evidence first responder

The fourth amendment state that only warrants "particularly describing the place to be searched and the persons or things to Oe seized" can be issued. The courts have determined that this phrase means a warrant can authorize a search af a specific place far anything.

false

The shielding ot sensitive computing systems and prevention of electronic eavesdropping of any computer emissions is known as FAUST by the U.S. department of defense. t/f

false

True / False FAT32 is used on older Microsoft OSs, such as ms-dos 3.0 through 6.22, windows 95 (first release), and windows NT 3.3 and 4.0

false

True / False FTK imager software can acquire a drive's host protected area

false

True / False Someone who wants to hide data can create hidden partitions or void-large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities

false

decause attorneys do not have the right ot tull discovery ot digital evidence, it is not possible for new evidence to come to light while complying with a defense request for full discovery. t/f

false

in private sector cases, like criminal and Civil cases, the scope is always defined by a search warrant. t/f

false

Which file system below is utilized by the xb0K gaming system? a. NTFS b. Reg-S c EXT d. FATX

fatx

Signed into law in 1973 the was/were created to ensure consistency in tederal proceedings. a. federal proceeding law b. federal rules of evidence c federal consistency standards d. federal proceedings rules

federal rules of evidence

What does FRE stand for? a. federal rules of evidence b. federal regulations tor evidence c. federal rights for everyone d. federal rules tor equipment

federal rules of evidence

What command below could be used on a UNIX system to help locate log directories a. show log b. detail c. search d. find

find

Which operating system listed below is not a distribution of the Linux OS? a. minix b. debian c. slackwar d. fedora

minix

As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state? a. the power cable should be pulled b. the system should be shut down gracefully c. the power should be left on d. the decision should be left to the digital evidence first responder (DEFR)

the decision should be left to the digital evidence first responder (DEFR)

Tcpslice can be used to retneve specific timeframes ot packet captures. True/False?

true

You can view e-mail headers in Notepad with all popular e-mail clients. True/False

true

What act defines precisely how copyright laws pertain to graphics? a. 1988 image ownership act b. 1976 copyright act c. 1923 patented image act d. 1976 computer fraud and abuse act

1976 copyright act

In what year was the computer fraud and abuse act passed? a. 1976 b. 1980 c. 1986 d. 1996

1986

When using a target drive that is FAT32 formatted, what is the maximum size limitation tor split files? a. 512 mg b. 2gb c 1 tb d. 1 pb

2 gb

In order to quality tor the certified computer forensic technician, basic level certification, how many hours of computer forensics training are required? a. 10 b 20 c. 30 d 40

40

A typical disk drive stores how many bytes in a single sector? a 8 b. 512 c. 1024 d 4096

512

What percentage of consumers utilize intel and AMD PCs? a. 60 b. 70 c 80 d. 90

90

To trace an IP address in an email header, what type ot lookup service can you use? (Choose all that apply) a. Intelius Inc's AnyWho online directory b. Verizon's http://suparpages.com c. A Domain lookup service, such as www.arin.net, www_internic_comw,or ww _whoiswnet d. Any Web search engine

A Domain lookup service, such as www.arin.net, www_internic_comw,or ww _whoiswnet Any Web search engine

Which option below is not a disk management tool? a. Partition Magic b. Partition Master c GRUB d. HexEdit

HexEdit

Which option below is not a hashing function used for validation checks? a. RC4 b MD5 c. SHA-I d CRC32

RC4

is not recommended for a digital forensics workstation. Answers: a A write-blocker device b Remote access software C A text editor tool d An SCSI card

Remote access software

At what layers of the OSI model do most packet analyzers function a. layer 1 or 2 b. layer 2 or 3 c. layer 3 or 4 d. layer 4 or 5

SYN flood

In a attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server with established connections a. smull b. SYN flood c. spoof d. ghost

SYN flood

Router logs can be used to verify what types of email data? a. Message content b. Content of Attached files c. Tracking flows through e-mail server ports d. Finding blind copies

Tracking flows through e-mail server ports

In simple terms, compression discards bits in much the same way rounding off decimal values discards numbers. a. Huffman b. Lempel-Ziv-Welch (LZW) c. Vector Quantization d. Adaptive Quanization

Vector Quantization

Which type of report typically takes place in an attorney's office? a. Examination Plan b. Written Report c. Preliminary Report d. Verbal Report

Verbal Report

What processor instruction set is required in order to utilize virtualization software a. AMD-VT b. Intel VirtualBit c. Virtual Machine Extensions (VMX) d. Virtual HardwareExtensions (VHX)

Virtual Machine Extensions (VMX)

Which open-source acquisition format is capable of producing compressed or uncompressed image tiles, and uses the afd extension for segmented image files? a. advanced forensics disk b. advanced forensic format c. advanced capture mage d. advanced open capture

advanced forensic format

If a police officer or Investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit a(n) a. exhibit b. verdict c. affidavit d. memo

affidavit

Which of the following scenanos should be covered in a disaster recovery plan? a. damage caused by lightning strikes b. damage caused by flood c damage caused by a virus contamination d. all of the above

all of the above

describes an accusation of fact that a crime has been committed. a. attrition b. attribution c. allegation d. assignment

allegation

Provides additional resource material not included in the body of the report_

appendix

E-mail administrators may make use ot ??? , which ovewrites a log file when it reaches a specified size or at the end af a specified time frame a. log recycling b. circular logging c. log purging d. log cycling

circular logging

The is not one of the three stages of a typical criminal case a. complaint b. prosecution c investigation d civil suit

civil suit

Because they are outdated, ribbon cables should nat be considered tor use within a forensics lab. t/f

false

Computer-stored records are data the system maintains, such as system log files and proxy server logs

false

In an e-mail address, everything before the @ symbol represents the domain name

false

True/ False A computer stores system configuration and date and time information in the BIOS when power to the system is off

false

In order to qualify for the advanced certified computer forensic technician certification, a candidate must have years ot hands-on experience in computer torensics investigations. a. two b. three c five d. six

five

The numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report, and each Arabic numeral is an important piece of supporting infdrmation_ a. decimal b. ordered-sequential c legal-sequential d. reverse-orde

legal-sequential

The term ??? is used to describe someone who might be a suspect of someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest a. criminal b. potential data source c. person of interest d. witness

person of interest

QQQ is a common cause for lost or corrupted evidence a. public access b. not having enough people on the processing team c having an undefined security perimeter d. professional curiosity

professional curiosity

The ??? format is a proprietary format used by Adobe Photoshop a. _tga b fhll c. svg d. psd

psd

which RAID type provides increased speed and data storage capability, but lacks redundancy? a. RAID O b. RAID 1 c. RAID 0+1 d. RAID 5

raid 0

Which RAID type utilizes mirrored providing fast access and redundancy? a. RAID 1 b RAID 3 c. RAID 5 d RAID 10

raid 10

Which RAID type utilizes a parity bit and allows for the failure of ane drive without losing data? a. RAID 1 b RAID 2 c. RAID 3 d RAID 5

raid 5

Which of the following is not a type of graphic file that is created by a graphics program? a. bitmap images b. vector graphics c. metafile graphics d. raster graphics

raster graphics

Referred to as a digital negative, the is typically used on many higher-end digital cameras. a. raster file format b. bitmap file format c jpeg file format d. raw file format

raw file format

??? is responsible for creating an monitoring lab policies for staff! and provides a sate, and provides a sate and secure workplace for staff and evidence_ a. the lab manager b. the lab investigator c. the lab secretary d. the lab steward

the lab manager

When using the file allocation table (FAT), where is the FAT database typically written to? a. the innermost track b. the outermost track c the first sector d. the first partition

the outermost track

What information is not typically included in an e-mail header a. the sender's physical location b. the originating IP address c. the unique ID ot the e-mail d. the originating domain

the sender's physical location

Lawyers may request af previous testimony by their own potential experts to ensure that the experts havent previously testified to a contrary position. a. warrants b. transcripts c. subpoenas d. evidence

transcripts

A torensic image ot a VM includes all snapshots. True/False

true

An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal injury, such as finding a bomb threat in an e-mail_

true

Internet e-mail accessed with a Web brower leaves files in temporary folders True/False

true

It you turn evidence over to law enforcement and begin working under their direction, you have become an agent of law enforcement, and are subject to the same restrictions on search and seizure as a law enforcement agent t/f

true

The DomainKey identitied Mail service is a way to verity the names of domains a message is flowing through and was developed as a way to cut down an spam

true

The Pagefile_sys file on a computer can contain message fragments from instant messaging applications

true

To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse ot digital assets allows corporate investigators to conduct convert surveillance with little or no cause, and access company computer systems and digital devices without a warrant_

true

True / False Each MFT record starts with a header identifying it as a resident or nonresident attribute

true

True False A torensics investigator should verity that acquisition tools can copy data In the HPA of a disk drive

true

True/ False Hardware and software errors or incompatibilities are a common problem when dealing with older hard drives

true

True/ False the image usb utility can be used to create a bootable flash drive

true

Each graphics file type has a unique header value. t/f

true

What intormation is NOT in an e-mail header? (Choose all that apply) a. Blind copy (Bcc) addresses b. Internet addresses c. Domain name d. Contents of the message e. Type af e-mail server used to send the email

Blind copy (Bcc) addresses Contents of the message

When you access your email, what type ot computer architecture are you using? a. Mainframe and minicomputers b. Domain c. Client/Server d. None of the above

Client/Server

What type of media has a 30-year lifespanQ a. DVD-rs b. DLT magnetic tape c hard drive d. usb thumb drive

DLT magnetic tape

Which e-mail recovery program below can recover files from VMware and VirtualPC virtual machines, as well as ISOS and other types of file backups a. Fookes Aid4mail b DataNumen Outlook Repair c. EnCase Forensics d. AccessData FTK

DataNumen Outlook Repair

Which service below does not put log information into /var/log/maillog a. SMTP b. Exchange c. 'MAP d. POP

Exchange

In which tile system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters? a. NTFS b FAT c. HFSX d Ext3fs

FAT

For all JPEG files, the ending hexadecimal marker, also known as the end of image (EOI), is a. FFD0 b FFD8 c. FFD9 d FFFF

FFD9

For EXIF JPEG files, the hexadecimal value starting at offset 2 is a. FFE0 b_ FEE1 c. FFD8 d. FFD9

FFE1

An expert's opinion is governed by and the corresponding rule In many states_

FRCP 26

Which amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure? a Fifth Amendment b Second Amendment C First Amendment d Fourth Amendment

Fourth Amendment

The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery; the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the padicular field in which it belongs", was established in what court case? a. Daubert v_ Merrell Dow Pharmaceuticals, Inc b. Smith v. LJnited States c. Frye v. United States d. Dillon v. United States

Frye v. United States

In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters a. Slow-NetworkAdapters b. Query-ipconfig c. Get-VMNetworkAdapter d. Dump-Betconfig

Get-VMNetworkAdapter

In order to retrieve logs from exchange the Powershell cmdlet ??? can be used a. GetExchangeLogs_psl b. GetLoglnfa_psl c ShowExchangeHistrory_psl d. GetTransactionLogStats_psl

GetTransactionLogStats_psl

In cases that involve dangerous setting, what kind of team should be used to recover evidence from the scene? a. B-Team b. HAZMAT c. CDC First Responders d. SWAT

HAZMAT

Which Registry key contains associations tor tile extensions? a. HALE CLASSES ROOT b. HKEY CLASSES ROOT c HE-ILE EXTENSIONS d. HKEY CLASSES FILE

HKEY_CLASSES_ROOT

What Windows Registry key contains associations for file extensions a. HKEY CLASSES ROOT . b HKEY USERS c. HKEY LOCAL MACHINE d HKEY CURRENT CONFIG

HKEY_CLASSES_ROOT .

What tool, currently maintained by tha IRS Criminal Investigation Division and limited to use by law enforcement, can analyze and read special files that are copies ot a disk? a. ILook b. Photorec c. DeepScan d. AccessData Forensic Toolkit

ILook

??? are a special category of private sector businesses, due to their ability to investigate computer abuse committed by employees only, but not customers. a. hospitals b. ISPs (Internet Service Provider) c. law firms d. news networks

ISPs (Internet Service Provider)

A layered network defense strategy puts the most valuable data where? a. In the DMZ b. In the outermost layer c. In the innermost layer d. None of the above

In the innermost layer

The tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network sniffersr and freeware forensics tools a. Kali Linux b. Ubuntu c. OSForensics d. Sleuth Kit

Kali Linux

The AccessData program has a hashing database which is available only with FTK, and can be used ta filter known program files from view and contains the hash values of known illegal files a. DeepScan Filter b. unknown File Filter CUFF) c. Known File Filter (KFF) d. FTK Hash Imager

Known File Filter (KFF)

A person whose testimony is based on personal observation; not considered to be an expert in a particular field_

Lay Witness

Packet analyzers examine what layers of the OSI model? a. Layers 2 and 4 b. Layers 4 through 7 c. Layers 2 and 3 d. All layers

Layers 2 and 3

The is the version of Pcap available for Linux based operating systems a. Wincap b. Libcap . c Tcpcap d. Netcap

Libcap

The term "via Frontend Transport" in a header indicates that the e-mail is on which of the following? a. UNIX server b Older NetWare Server c. Microsoft Exchange Server d Mac Server

Microsoft Exchange Server

Exchange uses and Exchange database and is based on the ???, which uses several tiles in ditterent combinations to provide e-mail service a. Microsoft Mail Storage Engine (MSE) b. Microsoft Stored Mail Extension (SME) c. Microsoft Extended Mail Storage (EMS) d. Microsoft Extensible Storage Engine (ESE)

Microsoft Extensible Storage Engine (ESE)

describes the characteristics of a safe storage container a. IS02960 b. NISPOM c. sso ego d. STORSEC

NISPOM

The maintains a national database of updated file hash values for a variety of OSS, applications, and images, but does not list hash values of known illegal files a. Open Hash Database b. HashKeeper Online c National Hashed Software Referenced_ d. National Software Reference Library

National Software Reference Library

What type of Facebook profile is usually only given to law enforcement with a warrant a. private profile b. advanced profile c. basic profile d_Neoprint profile

Neoprint profile

What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and VI ruses a. tcpdump b. Argus c. Ngrep d. Tcpslice

Ngrep

One of the most noteworthy e-mail scams was 4191 otherwise known as the ??? a. Nigerian Scam b. Lake Venture Scam c. Conticker virus d. Iloveyou Scam

Nigerian Scam

can be used to restore backup files directly to a workstation. a. belarc advisor b. Norton ghost c prodiscover d. photorec

Norton ghost

Select the tool below that does not use dictionary attacks or brute torce attacks to crack passwords: a. Last Bit b. AccessData PRTK c OSForensics d. Passware

OSForensics

Select below the option that is not common type 1 hypervisor a. VMwar vSphere b. Microsoft Hyper-V c. Citirix XenServer d. Oracle virtualBox

Oracle virtualBox

is the utility used by the ProDiscover program for remote access. a. SubSe7en b 10pht c. PDServer d VNCServer

PDServer

The tcpdump and Wireshark utilities both use what well known packet capture format a. Netcap b. Pcap c. Packetd d. RAW

Pcap

Select below the program within the Ps Tools suite that allows you to run processes remotely a. PsService b PsPasswd c PsRemote d PsExec

PsExec

??? creates a vidual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID a. Runtime Software b. RaidRestore c R-Tools R-Studio d. FixitRaid

R-Tools R-Studio

When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do? a. Search available log files tor any tomarded messages b. Restore the e-mail server from a backup c. Check the current database tiles tor an existing copy ot the email d. Do nothing because after the file has been deleted, it can no longer be recovered.

Restore the e-mail server from a backup

The report generator in ProD1scover detaults to which can be opened by most word processors a. HyperTe',ä Markup Language (HTML) b. Rich Text Format (RTF) c. Extensible Markup Language (XML) d. Microsoft Word document format

Rich Text Format (RTF)

What registry file contains user account management and security settings? a. default.dat b. software.dat c SAM.dat d Ntuser.dat

SAM.dat

Which option below is not a standard systems analysis step? a. Mitigate or minimize the risks. b Obtain and copy an evidence drive c Share evidence with experts outside of the investigation. d. Determine a preliminary design or approach to the case.

Share evidence with experts outside of the investigation.

Which option below is not a standard systems analysis step? a. Mitigate or minimize the risks b. Obtain and copy an evidence drive. c Determine a preliminary design or approach to the case. d Share evidence with experts outside of the investigation.

Share evidence with experts outside of the investigation.

You can expect to find a type 2 hypervisor on what type ot device? (Choose all that apply) a. Desktop b. Smartphone c. Tablet d. Network Server

Smartphone Tablet

When pedorming a static acquisition, what should be done after the hardware on a suspect's computer has bean inventoried and documented? a. Inventory and documentation information should be stored on a drive and then the drive should be reformatted. b. Stan the suspect's computer and begin collecting evidence c The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS. d. Connect the suspect's computer to the local network so that up to date forensics utilities can ba utilized

The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.

What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive? a. PP full disk encryption b. voltage SecureFile c BestCrypt d. TrueCrypt

TrueCrypt

Which of the following is not a valid Unicode? a. UTE-8 b. UTF-16 c. UTF-32 d. UTF-64

UTF-64

Which option below is not a Linus live CD meant for use as a digital torensics tool? a. penguin sleuth b. kali Linux c Ubuntu d. caine

Ubuntu

Which of the following is a clue that a virtual machine has been installed on a host system? a. Network Lags b Virtual network adapter c. Virtualization Software d. USB Drive

Virtual network adapter

What viltual machine software supports all Windows and Linux OSS as well as Macintosh and Solaris, and is provided as shareware? a. KVM b. Parallels c. Microsoft Virtual PC d. VirtualBox

VirtualBox

In what state is sending unsolicited email illegal a. Florida b. Washington c Maine d. New York

Washington

Which of the following file systems can't be analyzed by OSForensics? a. FAT12 b. Ext2fs c. HFS+ d. XFS

XFS

As with any research paper, write the last. a. appendix b. body c acknowledgements d. abstract

abstract

If a report is long and complex, you should include a(n) a. appendix b abstract c glossary d table of contents

abstract

Which system below can be used to quickly and accurately match fingerprints In a database? a. fingerprint identification database (FID) b. systemic fingerprint database (SFD) c. automated fingerprint Identification system (AFIS) d. dynamic fingerprint matching system (DFMS)

automated fingerprint Identification system (AFIS)

Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses as a way to hide its malicious code from antivirus tools. a. hashing b. bit-shifting c registry edits d. slack space

bit-shifting

What is the name of the Microsoft solution for whole disk encryption? a. drivecrypt b. truecrypt c. bitlocker d. securedrive

bitlocker

Which password recovery method uses every possible letter, number, and character found on a keyboard? a. rainbow table b. dictionary attack c. hybrid attack d. brute-force attack

brute-force attack

What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations? a. certified computer crime investigator b. certified torensic computer examiner c certified cyber forensics professional d. encase certified examiner

certified cyber forensics professional

Candidates who complete the ISCIS test successfully are designated as a a. certified forensic computer examiner (CFCE) b. certified forensics investigator (CFI) c. CeÄitied investigative forensics examiner (CIFE) d. certified investigative examiner (CIE)

certified forensic computer examiner (CFCE)

The section ot a report starts by referring to the report's purpose, states the main points, draws conclusions, and possibly renders an opinion. a. body b. conclusion c. appendix d. reference

conclusion

QQQ is not one of the functions of the investigations triad_ a. digital investigations b. data recovery c vulnerability threat assessment and risk management d. newvork intrusion detection and incident response

data recovery

The ??? command was developed by Nicholas harbor of the detense computer torensics laboratory. a. dd b. split c dcfldd d. echo

dcfldd

A ??? image file containing software is intended to be bit-stream copied to floppy disks or other external media. a. tdlSk b. format c. dd d. DiskEdit

dd

The Linux command QQQ can be used to write bit-stream data ta files a. write b. dd c. cat d. dump

dd

The ??? command insets a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry a. delete b. edit c. update d clear

delete

The process of convening raw picture data to another format is called a. splicing b. caring c demosaicing d. vector quanization

demosaicing

The ??? IS responsible for analyzing data and determining when another specialist should be called in to assist with analysis. a. digital evidence recorder b. digital evidence specialist c. digital evidence analyst d. digital evidence examiner

digital evidence specialist

Which of the following commands creates an alternate data stream? a. echo text > myfile. txt_syream_name b. ads create myfile. txt(stream name) 'text' c. cat text myfile. txt=stream_name d. echo text

echo text > myfile. txt_syream_name

What command below can be used to decrypt EFS files? a. cipher b copy c efsrecvr d decrypt

efsrecvr

How often should hardware be replace within a forensics lab? a. every 6 to 12 months b. every 12 to 18 months c. every 18 to 24 months d. every 24 to 30 months

every 12 to 18 months

A chain-of-evidence form, which is used to document what has and has not been done with the original evidence and torensic copies ot the evidence, is also known as a(n) a evidence tracking form b evidence custody form c emulti-evidence torm d.single-evidence torm

evidence custody form

Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital extended capacity (SDCX), and memory sticks a. FAT12 b. FAT32 c. exFAT d. VFAT

exFAT

An is a document that serves as a guideline for knowing what questions to expect when you're testifying a. testimony procedure b. examination plan c. planned questionnaire d. testimony excerpt

examination plan

QQQ must be included in an affidavit to support an allegation in order to justify a warrant. a. verdicts b. witnesses c. exhibits d. subpoenas

exhibits

must be Included in an affidavit to support an allegation in order to justify a warrant Answers: a. Exhibits b. Witnesses c. Verdicts d. Subpoenas

exhibits

What format was developed as a standard for storing metadata in image files? a. Jpeg b. tif c exif d. bitmap

exif

According to the national institute of standards and technology (NIST), digital forensics involves scientifically examimng and analyzing data trom computer storage media so that it can be used as evidence in court_ tit

false

All suspected industrial espionage cases should be treated as civil case investigations. t/f

false

All suspected industrial espionage cases should be treated as civil case investigations. True or False

false

An Intemet e-mail is generally part ot a local network, and is maintained and managed by an administrator for internal use by a specific company

false

An expert's opinion is governed by FRCP, Rule 26, and the corresponding rule in many states. a. true b. false

false

Committing crimes with e-mail is uncommon, and investigators are not generally tasked with linking suspects to e-mail

false

Expert witnesses are not required to submit a written repart for civil cases. a. true b. talse

false

Forensics tools can't directly mount VMS as external drives

false

The Sysinternals Handle utility shows only file system activity, but does not show what processes are using files an the file system

false

Type 2 hyper-visors are typically loaded on servers or workstations with a lot ot RAM and storage

false

When you decompress data that uses a lossy compression algorithm, you regain data lost by compression. t/f

false

You must abide by the Q?? while collecting evidence a. fourth amendment b. federal rules of evidence c state's rules of evidence d. fifth amendment

fourth amendment

??? is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing a. second-party evidence b. rumor c. fiction d. hearsay

hearsay

Assists readers in scanning the text quickly by highlighting the main points and logical development of information.

high risk document

the branches in HKEY_LOCAL_MACHINE/software consist of SAM security, components, and system a. registry b. storage c hive

hive

A ??? is not a private sector organization a. small to medium business b. large corporation c. on-government organization d. hospital

hospital

The sale of sensitive or confidential company information to a competitor is known as a industrial betrayal b industrial espionage c industrial sabotage d industrial collusion

industrial espionage

The ??? copies evidence of Intrusions to an investigation workstation automatically for further analysis over the network a. intrusion detection system b. active defense mechanism c. total awareness system d. intrusion monitoring system

intrusion detection system

is a specialized viewer software program a. fastview b. irfanview c. thumbsloader d. absee

irfanview

What file type starts at offset 0 with a hexidecimal value of FFD8? a. tiff b. Jpeg c xdg d. bmp

jpeg

Many commercial encryption programs use a technology called which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure_ a. key vault b. key escrow c bump key d. master key

key escrow

In order to aid a forensics investigation, a hardware or software can be utilized to capture keystrokes remotely. a. keygrabber b. keylogger c. packet capture d. protocol analyzer

keylogger

would not be found in an initial-response field kit a. computer evidence bags (antistatic bags) b. leather gloves and disposable gloves c a digital camera with extra batteries or 35mm camera with tilm and flash d. external usb devices or a poftable hard drive

leather gloves and disposable gloves

Addresses that allow the MFT to link to nonresident files are known as ??? a. virtual cluster numbers b. logical cluster numbers c sequential cluster numbers d. polarity cluster numbers

logical cluster numbers

The Lempel-Ziv-Welch (LZW) algorithm is used in compression. a. lossy b. lossless c. vector quantization d. adaptive

lossless

A user with programming experience may use an assembler program (also called a ) on a file to scramble bits, In order to secure the information contained inside. a. compiler b. shifter c. macro d. scnpt

macro

What should you do while copying data on a suspect's computer that is still live? a. open files to view contents b. make notes regarding everything you do c conduct a google search of unknown extensions using the computer d. check facebook tor additional suspects

make notes regarding everything you do

What kind of graphics file combines bitmap and vector graphics types? a. metafile b. bitmap c. jpeg d. tif

metafile

When looking at a byte of information In binary, such as 1 1101100, what is the first bit on the left referred to as? a. major significant bit (MSB) b. least significant bit (LSB) c most significant bit (MSB) d. leading significant bit (LSB)

most significant bit (MSB)

If practical, ?? team(s) should collect and catalog digital evidence at a crime scene or lab a. two b. five c. one d. three

one

Select the file below that is used in Virtua180x to create a virtual machine a. _vdi b. _vbox c r0 d. ova

ova

Within the fdisk interactive menu, what character should be entered to view existing partitions? a 1 b p c o d d

p

When writing a report, group related ideas and sentences into a. chapters b. sections c paragraphs d. separate reports

paragraphs

The term describes a database containing information records about crimes that have been committed previously by a criminal. a. police ledger b. police blotter c. police blogger d. police recorder

police blotter

The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient ??? a. probable cause b. due diligence c. accusations d. reliability

probable cause

Within a computing investigation, the ability to perform a series of steps again and again to produce the same results IS known as a. verifiable reporting b repeatable findings c. reloadable steps d evidence repofiing

repeatable findings

WhiCh option below is not a recommendation for securing storage containers? a. the container should be located in a restricted area b. only authorized access should be allowed, and it should be kept to a minimum c, evidence containers should remain locked when they aren't under direct supervision d. rooms with evidence containers should have a secured wireless network

rooms with evidence containers should have a secured wireless network

What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a copy of the expert's written report that includes all opinions, the basis for the opinions, and the intormation considered in coming to those opinions? a. rule 24 b. rule 35 c rule 36 d. rule 26

rule 26

What technique IS designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords? a. salted passwords b. scrambled passwords c. indexed passwords d. master passwords

salted passwords

The utility can be used to repair ost and _pst files, and IS included with Microsoft Outlook a. fixmail.exe b. scanpst.exe c. repairpst.exe d. rebuildpstexe

scanpst.exe

The goal of recovering as much information as possible can result in , in which an investigation expands beyond the original description because of unexpected evidence found. a. litigation b. scope creep c criminal charges d. violations

scope creep

Sendmail uses which file far instructions an processing an e-mail message? a. sendmail.cf b. syslogd_conf c mese.ese d. mapi.log

sendmail.cf

the term ??? describes rooms filled with extremely large disk systems that are typically used by large business data centers a. storage room b. server farm c. data well d. storage hub

server farm

Which of the following is not done when preparing tor a case? a. describe the nature of the case b. identity the type of OS c set up covert surveillance d. determine whether you can seize the computer or digital device

set up covert surveillance

A TEMPEST tacility IS designed to accomplish which otthe following goals? a. prevent data loss by maintaining consistent backups b. shield sensitive computing systems and prevent electronic eavesdropping of computer emission c. ensure net,vork security trom the internet using comprehensive security software d. protect the integrity of data

shield sensitive computing systems and prevent electronic eavesdropping of computer emission

A written report containing sensitive information that could create an opening for the opposing attorney to discredit you

signpost

What registry file contains installed programs' settings and associated usernames and passwords? a. default.dat b. software.dat c sam.dat d ntuser.dat

software.dat

??? does not recover data in free or slack space a. raw format acquisition b. live acquisition c. static acquisition d. sparse acquisition

sparse acquisition

If a preliminary report is written, destroying the preliminary report atter the final report is complete could be considered a. proper data security b. spoliation c. beneficial d. necessary

spoliation

The Suni Munshani v. Singal Lake Venture Fund Il, LP et al case is an example of a case that involves e-mail ??? a. destruction b. spamming c. spoofing d theft

spoofing

The term for detecting and analyzing steganography files is a. carving b steganalogy c steganalysis d steganomics

steganalysis

means the tone of language you use to address the reader. a. Style b. Format c Outline d. Prose

style

On a Unix-like system, which tile specifies where to save different types of e-mail log files? a. maillog b. /var/spool/log c. syslog.conf d. log

syslog.conf

The command line program is a common way of examining network traffic, which provides records of network activity while it IS running, and produce hundreds ot thousands of records a. netstat b. Is c. ifconfig d. tcpdump

tcpdump

In addition to opinions and exhibits, the must specify fees paid for the expert's setvices and list all other Civil or criminal cases in which the expert has testified a. verbal report b. informal report c. written report d. preliminary report

written report

When using the PassMark software to find forensic intormation in e-mails, messages that appear to be suspicious should be flagged a. yellow b. green c. red d. orange

yellow

Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks? a. disk track recording (DTR) b. zone based areal density (ZBAD) c. zone bit recording (ZBR) d cylindrical head calculation (CHC)

zone bit recording (ZBR)


Conjuntos de estudio relacionados

AP psych Unit Two questions for midterm

View Set

Chapter 25 Fluid and Electrolytes Objectives

View Set

American Civics and Government - Checkpoints

View Set

Brokenshire APUSH Semester 1 Tests

View Set