Forensic Exam
Can only be accessed by people who have the necessary credentials.
Private Cloud
WinHex provides several hashing algorithms, such as MD5 and ____. a) SHA-1 b) RC4 c) CRC d) AES
a) SHA-1
Most remote acquisitions have to be done as ____ acquisitions. a) live b) static c) sparse d) hot
a) live
A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing. a) risk management b) configuration management c) disaster recovery d) security
c) disaster recovery
It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant. a) litigation b) prosecution c) exhibits d) reports
c) exhibits
The software that runs virtual machines is called a ____. a) host b) computer c) hypervisor d) server
c) hypervisor
Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider? a) subpoenas b) search warrants c) seizure order d) court orders
c) seizure order
Most packet analyzers operate on layer 2 or ____ of the OSI model. a) 5 b) 1 c) 7 d) 3
d) 3
With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or drive. a) prompt-based b) shell-based c) command-line d) GUI
d) GUI
Which of the following is NOT a component of Ext 4? a) super block b) boot block c) inode block d) Resource block
d) Resource block
The files that provide helpful information to an e-mail investigation are log files and ____ files. a) scripts b) .rts c) batch d) configuration
d) configuration
A ____ is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities. a) temporary restraining order b) warrant c) subpoena d) court order
d) court order
A ____ is a column of tracks on two or more disk platters. a) track b) head c) sector d) cylinder
d) cylinder
In macOS, the ____ fork typically contains data the user creates. a) resource b) content c) user d) data
d) data
A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment. a) virtual file b) logic machine c) logic drive d) virtual machine
d) virtual machine
Remote acquisitions are often easier because you're usually dealing with large volumes of data. a) False b) True
a) False
Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics. a) False b) True
a) False
____ often work as part of a team to secure an organization's computers and networks. a) Forensics investigators b) Network monitors c) Computer analysts d) Data recovery engineers
a) Forensics investigators
Google Docs is an example of ______. a) Software as a Service b) Platform as a Service c) Infrastructure as a Service d) Security as a Service
a) Software as a Service
Specially trained system and network administrators are often a CSP's first responders. a) True b) False
a) True
Courts consider evidence data in a computer as ____ evidence. a) physical b) invalid c) virtual d) logical
a) physical
Whether you're serving as an expert witness or a fact witness, be professional and polite when presenting yourself to any attorney or the court. a) False b) True
b) True
If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available. a) live b) local c) static d) passive
a) live
____ trains people to listen to voice recordings to determine who's speaking or read e-mail and other writings known to be by a certain person and determine whether that person wrote the e-mail or letter in question. a) Email trafficking b) Communication forensics c) Forensic linguistics d) Email forensics
c) Forensic linguistics
____ contain file and directory metadata and provide a mechanism for linking data stored in data blocks. a) Extnodes b) Xnodes c) Inodes d) InfNodes
c) Inodes
____ hide the most valuable data at the innermost part of the network. a) Protocols b) Firewalls c) Layered network defense strategies d) NAT
c) Layered network defense strategies
To view Gmail Web e-mail headers, open the e-mail, click the down arrow next to the Reply circular arrow, and click ____. a) Message properties b) Options c) Show original d) More options
c) Show original
In a file's inode, the first 10 pointers are called ____ pointers. a) indirect b) double c) direct d) triple
c) direct
One technique for extracting evidence from large systems is called ____. a) RAID imaging b) RAID copy c) large evidence file recovery d) sparse acquisition
d) sparse acquisition
Enables a company to keep some information private and designate other files as public or community information.
Hybrid Cloud
The current file system for Linux is _____. a) Ext 4 b) APFS c) NTFS
a) Ext 4
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____. a) metaruns b) virtual runs c) metadata d) data runs
d) data runs
The term ____ is often used when discussing Linux because technically, Linux is only the core of the OS. a) module b) GRUB c) root d) kernel
d) kernel
A way to bring people together for a specific purpose, for example, to access common files.
Community Cloud
A cloud service that's available to the general public.
Public Cloud
In an e-mail address, everything after the ____ symbol represents the domain name. a) @ b) # c) . d) -
a) @
All Unix-like operating systems have a kernel. a) True b) False
a) True
Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence. a) True b) False
a) True
E-mail programs either save e-mail messages on the client computer or leave them on the server. a) True b) False
a) True
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy. a) True b) False
a) True
If a file contains information, it always occupies at least one allocation block. a) True b) False
a) True
Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive. a) True b) False
a) True
Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene. a) True b) False
a) True
The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure. a) True b) False
a) True
The chain of custody of evidence supports the integrity of your evidence. a) True b) False
a) True
The platform as a service cloud service is most likely found on a desktop or a server, although it could also be found on a company network or the remote service provider's infrastructure. a) True b) False
a) True
The type of file system an OS uses determines how data is stored on the disk. a) True b) False
a) True
There are inherent conflicts between the goals of attorneys and the goals of scientists or technicians (experts). a) True b) False
a) True
To be a successful computer forensics investigator, you must be familiar with more than one computing platform. a) True b) False
a) True
Unix and Linux commands are case sensitive. a) True b) False
a) True
You can send and receive e-mail in two environments: via the Internet or an intranet (an internal network). a) True b) False
a) True
____ hypervisors are typically, but not exclusively, loaded on servers or workstations with a lot of RAM and storage. a) Type 1 b) Type 2 c) Type 3 d) Type 4
a) Type 1
In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk. a) checkpoint b) temporary c) milestone d) tracking
a) checkpoint
The ____ is where directories and files are stored on a disk drive. a) data block b) inode block c) superblock d) boot block
a) data block
One way to hide partitions is with the Windows disk partition utility, ____. a) diskpart b) System Commander c) PartitionMagic d) Norton DiskEdit
a) diskpart
Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure. a) key escrow b) key splitting c) steganography d) password backup
a) key escrow
Published company policies provide a(n) ____ for a business to conduct internal investigations. a) line of authority b) litigation path c) allegation resource d) line of allegation
a) line of authority
Records in the MFT are called ____. a) metadata b) hyperdata c) inodes d) infodata
a) metadata
Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes. a) much easier than b) more difficult than c) as difficult as d) as easy as
a) much easier than
The purpose of the ____ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key. a) recovery certificate b) certificate escrow c) root certificate d) administrator certificate
a) recovery certificate
The most important laws applying to attorneys and witnesses are the ____. a) rules of evidence b) rules of ethics c) professional codes of conduct d) professional ethics
a) rules of evidence
Leading questions such as "Isn't it true that forensics experts always destroy their handwritten notes?" are referred to as ____ questions. a) setup b) attorney c) nested d) hypothetical
a) setup
With cloud systems running in a virtual environment, ____ can give you valuable information before, during, and after an incident. a) snapshots b) carving c) RAM d) live acquisition
a) snapshots
Exchange logs information about changes to its data in a(n) ____ log. a) transaction b) checkpoint c) tracking d) communication
a) transaction
Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab. a) warrant b) evidence custody form c) FOIA form d) affidavit
a) warrant
When the hard link count drops to ____, the file is effectively deleted. a) -1 b) 0 c) 1 d) 2
b) 0
For a forensics examiner, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you're constantly enhancing your skills through training, teaching, and experience. a) testimony b) CV c) examination plan d) deposition
b) CV
____ is an attempt by opposing attorneys to prevent you from serving on an important case. a) Deposition b) Conflicting out c) Warrant d) Conflict of interest
b) Conflicting out
Which is NOT one of the triad that makes up computer security? a) Digital investigations b) Data recovery c) Vulnerability assessment and risk management d) Network intrusion detection and incident response
b) Data recovery
As an expert witness, you can't testify if you weren't present when the event occurred. a) True b) False
b) False
Computer investigations and forensics fall into the same category: public investigations. a) True b) False
b) False
ISPs can investigate computer abuse committed by their customers. a) True b) False
b) False
If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately. a) True b) False
b) False
Maintaining credibility means you must form and sustain unbiased opinions of your cases. a) True b) False
b) False
The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect. a) True b) False
b) False
When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant, which allows the police to present all evidence together. a) True b) False
b) False
Data ____ involves changing or manipulating a file to conceal information. a) Creep b) Hiding c) Integrity d) Recovery
b) Hiding
The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers. a) Honeypot b) Honeynet c) Honeyweb d) Honeywall
b) Honeynet
To enhance searching for and eliminating known OS and application files, Autopsy has an indexed version of the NIST ____ of MD5 hashes. a) NRP b) NSRL c) UFSL d) YAFF
b) NSRL
____ was introduced when Microsoft created Windows NT and is still the main file system in Windows 10. a) FAT32 b) NTFS c) VFAT d) HPFS
b) NTFS
____ determines how long a piece of information lasts on a system. a) Liveness b) Order of volatility c) Continuity level d) Longevity
b) Order of volatility
____ increases the time and resources needed to extract, analyze, and present evidence. a) Court order for discovery b) Scope creep c) Litigation path d) Investigation plan
b) Scope creep
Computing systems in a forensics lab should be able to process typical cases in a timely manner. a) False b) True
b) True
Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack. a) False b) True
b) True
For digital investigators, tracking intranet e-mail is easier because accounts use standard names the administrator establishes. a) False b) True
b) True
In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors. a) False b) True
b) True
In the United States, there's no state or national licensing body for digital forensics examiners. a) False b) True
b) True
It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows. a) False b) True
b) True
People need ethics to help maintain their balance, especially in difficult and contentious situations. a) False b) True
b) True
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file. a) False b) True
b) True
Which of the following is NOT a service level for the cloud? a) Platform as a service b) Virtualization as a service c) Software as a service d) Infrastructure as a service
b) Virtualization as a service
Generally, digital records are considered admissible if they qualify as a ____ record. a) computer-stored b) business c) hearsay d) computer-generated
b) business
E-mail messages are distributed from a central server to many connected client computers, a configuration called ____. a) peer-to-peer architecture b) client/server architecture c) central distribution architecture d) client architecture
b) client/server architecture
A ____ is where you conduct your investigations, store evidence, and do most of your work. a) storage room b) digital forensics lab c) workbench d) forensic workstation
b) digital forensics lab
A(n) ____ should include all the tools you can afford to take to the field. a) forensic workstation b) extensive-response field kit c) forensic lab d) initial-response field kit
b) extensive-response field kit
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method. a) lossless b) sparse c) disk-to-image d) disk-to-disk
b) sparse
A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. a) line of authority b) warning banner c) right banner d) right of privacy
b) warning banner
____ refers to the number of bits in one square inch of a disk platter. a) Head skew b) ZBR c) Areal density d) Cylinder skew
c) Areal density
____ records are data the system maintains, such as system log files and proxy server logs. a) Hearsay b) Business c) Computer-generated d) Computer-stored
c) Computer-generated
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. a) Computer forensics b) Network forensics c) Data recovery d) Disaster recovery
c) Data recovery
____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest. a) A warrant b) Reasonable cause c) Probable cause d) A subpoena
c) Probable cause
____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment. a) Risk configuration b) Configuration management c) Risk management d) Change management
c) Risk management
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____. a) blotter b) exhibit report c) affidavit d) litigation report
c) affidavit
When you give ____ testimony, you present this evidence and explain what it is and how it was obtained. a) lay witness b) expert c) technical/scientific d) deposition
c) technical/scientific
____ is a way to verify the names of domains a message is flowing through. a) www.google.com b) www.juno.com c) www.dkim.org d) www.whatis.com
c) www.dkim.org
Forensics examiners have two roles: fact witness and ____ witness. a) discovery b) professional c) direct d) expert
d) expert
In macOS, volumes have allocation blocks and ____ blocks. a) master b) clumped c) clustered d) logical
d) logical
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools. a) AFF b) raw c) AFD d) proprietary
d) proprietary
In general, a criminal case follows three stages: the complaint, the investigation, and the ____. a) litigation b) blotter c) allegation d) prosecution
d) prosecution