Forensics Midterm CH 1-5
Chapter 2 Which of the following scenarios should be covered in a disaster recovery plan? a. damage caused by lightning strikes b. damage caused by flood c. damage caused by a virus contamination d. all of the above
d. all of the above
Chapter 2 Which tool below is not recommended for use in a forensics lab? a. 2.5-inch adapters for drives b. firewire and usb adapters c. SCSI card d. degusser
d. degusser
The _______ switch can be used with the split command to adjust the size of segmented volumes created by the dd command.
-b
An investigator wants to capture all data on a SATA drive connected to a Linux system. What should the investigator use for the "if=" portion of the dcfldd command?
/dev/sda
Chapter 5 a master boot record (MBR) partition table marks the first partition starting at what offset? a. 0x1CE b. 0x1BE c. 0x1AE d. 0x1DE
b. 0x1BE
Chapter 1 ??? is not one of the functions of the investigations triad. a. digital investigations b. data recovery c. vulnerability threat assessment and risk management d. network intrusion detection and incident response
b. data recovery
Chapter 1 The ??? is responsible for analyzing data and determining when another specialist should be called in to assist with analysis. a. digital evidence recorder b. digital evidence specialist c. digital evidence analyst d. digital evidence examiner
b. digital evidence specialist
Chapter 1 Signed into law in 1973, the ??? was/were created to ensure consistency in federal proceedings. a. federal proceeding law b. federal rules of evidence c. federal consistency standards d. federal proceedings rules
b. federal rules of evidence
Chapter 3 Within the fdisk interactive menu, what character should be entered to view existing partitions? a. 1 b. p c. o d. d
b. p
Chapter 4 Which court case established that it is not necessary for computer programmers to testify in order to authenticate computer-generated records? a. united states v wong b. united states v carey c. united states v salgado d. united states v walser
c. united states v salgado
Chapter 1 An evidence custody form does not usually contain ??? a. the nature of the case b. a description of evidence c. vendor names for computer components d. a witness list
d. a witness list
Chapter 2 Candidates who complete the IACIS test successfully are designated as a ??? a. certified forensic computer examiner (CFCE) b. certified forensics investigator (CFI) c. Certified investigative forensics examiner (CIFE) d. certified investigative examiner (CIE)
a. certified forensic computer examiner (CFCE)
Chapter 2 In order to qualify for the certified computer crime investigator, basic level certification, candidates must provide documentation of at least ??? cases in which they participated. a. 5 b. 10 c. 15 d. 20
b. 10
Chapter 3 When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files? a. 512 mg b. 2 gb c. 1 tb d. 1 pb
b. 2 gb
Chapter 5 A typical disk drive stores how many bytes in a single sector? a. 8 b. 512 c. 1024 d. 4096
b. 512
Chapter 5 The ReFs storage engine uses a ??? sort method for fast access to large data sets. a. A+-tree b. B+-tree c. reverse d. numerical
b. B+-tree
Chapter 4 What type of media has a 30-year lifespan? a. DVD-rs b. DLT magnetic tape c. hard drive d. usb thumb drive
b. DLT magnetic tape
Chapter 4 In cases that involve dangerous setting, what kind of team should be used to recover evidence from the scene? a. B-Team b. HAZMAT c. CDC First Responders d. SWAT
b. HAZMAT
Chapter 4 ??? are a special category of private sector businesses, due to their ability to investigate computer abuse committed by employees only, but not customers. a. hospitals b. ISPs c. law firms d. news networks
b. ISPs
Chapter 2 ??? describes the characteristics of a safe storage container. a. ISO2960 b. NISPOM c. SSO 990 d. STORSEC
b. NISPOM
Chapter 3 Which option below is not a Linus live CD meant for use as a digital forensics tool? a. penguin sleuth b. kali Linux c. Ubuntu d. caine
c. Ubuntu
Chapter 4 If practical, ??? team(s) should collect and catalog digital evidence at a crime scene or lab a. two b. five c. one d. three
c. one
Chapter 1 Which option below is not a standard systems analysis step? a. determine a preliminary design or approach to the case. b. obtain and copy an evidence drive c. share evidence with experts outside of the investigation d. mitigate or minimize the risks
c. share evidence with experts outside of the investigation
Chapter 2 Which option below is not one of the recommended practices for maintaining a keyed padlock? a. appoint a key custodian b. take inventory of all keys when the custodian changes c. use a master key d. change locks and keys annually
c. use a master key
Chapter 5 Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks? a. disk track recording (DTR) b. zone based areal density (ZBAD) c. zone bit recording (ZBR) d. cylindrical head calculation (CHC)
c. zone bit recording (ZBR)
Chapter 1 Which Microsoft OS below is the least intrusive to disks in terms of changing data? a. windows 95 b. windows xp c. windows 7 d. ms-dos 6.22
d. ms-dos 6.22
Chapter 4 ??? is a common cause for lost or corrupted evidence a. public access b. not having enough people on the processing team c. having an undefined security perimeter d. professional curiosity
d. professional curiosity
Chapter 1 ??? is not recommended for a digital forensics workstation. a. a text editor tool b. a write-blocker device c. an SCSI card d. remote access software
d. remote access software
To create a new primary partition within the fdisk interactive utility, which letter should be typed?
n
Chapter 5 What hexadecimal code below identifies an NTFS file system in the partition table? a. 05 b. 07 c. 1B d. A5
b. 07
Chapter 2 ??? can be used to restore backup files directly to a workstation. a. belarc advisor b. Norton ghost c. prodiscover d. photorec
b. Norton ghost
Chapter 5 the ??? branches in HKEY_LOCAL_MACHINE/software consist of SAM, security, components, and system a. registry b. storage c. hive d. tree
c. hive
Chapter 3 which RAID type provides increased speed and data storage capability, but lacks redundancy? a. RAID 0 b. RAID 1 c. RAID 0+1 d. RAID 5
a. RAID 0
Chapter 3 Which option below is not a hashing function used for validation checks? a. RC4 b. MD5 c. SHA-1 d. CRC32
a. RC4
Chapter 4 When seizing digital evidence in criminal investigations, whose standards should be followed? a. U.S. DOJ b. ISO/IEC c. IEEE d. ITU
a. U.S. DOJ
Chapter 2 A TEMPEST facility is designed to accomplish which of the following goals? a. prevent data loss by maintaining consistent backups b. shield sensitive computing systems and prevent electronic eavesdropping of computer emission c. ensure network security from the internet using comprehensive security software d. protect the integrity of data
b. shield sensitive computing systems and prevent electronic eavesdropping of computer emission
Chapter 5 What registry file contains installed programs' settings and associated usernames and passwords? a. default.dat b. software.dat c. sam.dat d. ntuser.dat
b. software.dat
Chapter 5 When using the file allocation table (FAT), where is the FAT database typically written to? a. the innermost track b. the outermost track c. the first sector d. the first partition
b. the outermost track
Chapter 2 In order to qualify for the certified computer forensic technician, basic level certification, how many hours of computer forensics training are required? a. 10 b. 20 c. 30 d. 40
d. 40
Chapter 2 What percentage of consumers utilize intel and AMD PCs? a. 60 b. 70 c. 80 d. 90
d. 90
Chapter 2 Which file system below is utilized by the xbox gaming system? a. NTFS b. ReFS c. EXT d. FATX
d. FATX
Chapter 3 Which technology below is not a hot-swappable technology? a. usb-3 b. firewire 1394A c. SATA d. IDE
d. IDE
Chapter 3 Which RAID type utilizes mirrored striping, providing fast access and redundancy? a. RAID 1 b. RAID 3 c. RAID 5 d. RAID 10
d. RAID 10
Chapter 3 Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data? a. RAID 1 b. RAID 2 c. RAID 3 d. RAID 5
d. RAID 5
Chapter 5 What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive? a. PP full disk encryption b. voltage SecureFile c. BestCrypt d. TrueCrypt
d. TrueCrypt
Chapter 2 Which option below is not a recommendation for securing storage containers? a. the container should be located in a restricted area b. only authorized access should be allowed, and it should be kept to a minimum c, evidence containers should remain locked when they aren't under direct supervision d. rooms with evidence containers should have a secured wireless network
d. rooms with evidence containers should have a secured wireless network
Chapter 4 ??? does not recover data in free or slack space a. raw format acquisition b. live acquisition c. static acquisition d. sparse acquisition
d. sparse acquisition
Chapter 4 As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state? a. the power cable should be pulled b. the system should be shut down gracefully c. the power should be left on d. the decision should be left to the digital evidence first responder (DEFR)
d. the decision should be left to the digital evidence first responder (DEFR)
Chapter 1 After the evidence has been presented in a trial by jury, the jury must deliver a(n) ??? a. exhibit b. affidavit c. allegation d. verdict
d. verdict
Chapter 5 The ??? command insets a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry a. delete b. edit c. update d. clear
a. delete
Chapter 5 Which of the following commands creates an alternate data stream? a. echo text > myfile. txt:syream_name b. ads create myfile.txt(stream_name) "text" c. cat text myfile.txt=stream_name d. echo text
a. echo text > myfile. txt:syream_name
Chapter 4 What does FRE stand for? a. federal rules of evidence b. federal regulations for evidence c. federal rights for everyone d. federal rules for equipment
a. federal rules of evidence
Chapter 4 You must abide by the ??? while collecting evidence a. fourth amendment b. federal rules of evidence c. state's rules of evidence d. fifth amendment
a. fourth amendment
Chapter 3 The ??? copies evidence of intrusions to an investigation workstation automatically for further analysis over the network. a. intrusion detection system b. active defense mechanism c. total awareness system d. intrusion monitoring system
a. intrusion detection system
Chapter 2 Which operating system listed below is not a distribution of the Linux OS? a. minix b. debian c. slackwar d. fedora
a. minix
Chapter 4 The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient ??? a. probable cause b. due diligence c. accusations d. reliability
a. probable cause
Chapter 1 Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as ??? a. repeatable findings b. reloadable steps c. verifiable reporting d. evidence reporting
a. repeatable findings
Chapter 5 What does the MTF header field at offset 0x00 contain? a. the MFT record identifier FILE b. the size of the MFT record c. the length of the header d. the update sequence array
a. the MFT record identifier FILE
Chapter 2 ??? is responsible for creating an monitoring lab policies for staff, and provides a safe, and provides a safe and secure workplace for staff and evidence. a. the lab manager b. the lab investigator c. the lab secretary d. the lab steward
a. the lab manager
Chapter 3 Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files? a. advanced forensics disk b. advanced forensic format c. advanced capture image d. advanced open capture
b. advanced forensic format
Chapter 3 The Linux command ??? can be used to write bit-stream data to files. a. write b. dd c. cat d. dump
b. dd
Chapter 2 How often should hardware be replaced within a forensics lab? a. every 6 to 12 months b. every 12 to 18 months c. every 18 to 24 months d. every 24 to 30 months
b. every 12 to 18 months
Chapter 1 The sale of sensitive or confidential company information to a competitor is known as ??? a. industrial sabotage b. industrial espionage c. industrial collusion d. industrial betrayal
b. industrial espionage
Chapter 2 ??? is a specialized viewer software program a. fastview b. irfanview c. thumbsloader d. absee
b. irfanview
Chapter 4 ??? would not be found in an initial-response field kit. a. computer evidence bags (antistatic bags) b. leather gloves and disposable gloves c. a digital camera with extra batteries or 35mm camera with film and flash d. external usb devices or a portable hard drive
b. leather gloves and disposable gloves
Chapter 5 Addresses that allow the MFT to link to nonresident files are known as ??? a. virtual cluster numbers b. logical cluster numbers c. sequential cluster numbers d. polarity cluster numbers
b. logical cluster numbers
Chapter 4 What should you do while copying data on a suspect's computer that is still live? a. open files to view contents b. make notes regarding everything you do c. conduct a google search of unknown extensions using the computer d. check facebook for additional suspects
b. make notes regarding everything you do
Chapter 1 The term ??? describes a database containing information records about crimes that have been committed previously by a criminal. a. police ledger b. police blotter c. police blogger d. police recorder
b. police blotter
Chapter 4 the term ??? describes rooms filled with extremely large disk systems that are typically used by large business data centers. a. storage room b. server farm c. data well d. storage hub
b. server farm
Chapter 5 What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume? a. $MgyMirr b. $TransAct c. $LogFile d. $Backup
c. $LogFile
Chapter 2 How long are computing components designed to last in a normal business environment? a. 12 to 16 months b. 14 to 26 months c. 18 to 36 months d. 6 to 90 months
c. 18 to 36 months
Chapter 1 In what year was the computer fraud and abuse act passed? a. 1976 b. 1980 c. 1986 d. 1996
c. 1986
Chapter 1 What tool, currently maintained by the IRS criminal investigation division and limited to use by law enforcement, can analyze and read special files that are copies of a disk? a. AccessData forensic toolkit b. DeepScan c. ILook d. Photorect
c. ILook
Chapter 3 ??? is the utility used by the ProDiscover program for remote access. a. SubSe7en b. 10pht c. PDServer d. VNCServer
c. PDServer
Chapter 3 ??? creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID. a. Runtime Software b. RaidRestore c. R-Tools R-Studio d. FixitRaid
c. R-Tools R-Studio
Chapter 5 What registry file contains user account management and security settings? a. default.dat b. software.dat c. SAM.dat d Ntuser.dat
c. SAM.dat
Chapter 1 If a police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit a(n) ??? a. exhibit b. verdict c. affidavit d. memo
c. affidavit
Chapter 1 ??? describes an accusation of fact that a crime has been committed. a. attrition b. attribution c. allegation d. assignment
c. allegation
Chapter 4 Which system below can be used to quickly and accurately match fingerprints in a database? a. fingerprint identification database (FID) b. systemic fingerprint database (SFD) c. automated fingerprint identification system (AFIS) d. dynamic fingerprint matching system (DFMS)
c. automated fingerprint identification system (AFIS)
Chapter 3 What is the name of the Microsoft solution for whole disk encryption? a. drivecrypt b. truecrypt c. bitlocker d. securedrive
c. bitlocker
Chapter 2 What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations? a. certified computer crime investigator b. certified forensic computer examiner c. certified cyber forensics professional d. encase certified examiner
c. certified cyber forensics professional
Chapter 1 The ??? is not one of the three stages of a typical criminal case. a. complaint b. investigation c. civil suit d. prosecution
c. civil suit
Chapter 5 What term below describes a column of tracks on two or more disk platters? a. sector b. cluster c. cylinder d. header
c. cylinder
Chapter 3 The ??? command was developed by Nicholas harbor of the defense computer forensics laboratory. a. dd b. split c. dcfldd d. echo
c. dcfldd
Chapter 1 After a judge approves and signs a search warrant, the ??? is responsible for the collection of evidence as defined by the warrant. a. digital evidence recorder b. digital evidence specialist c. digital evidence first responder d. digital evidence scene investigator
c. digital evidence first responder
Chapter 5 What command below can be used to decrypt EFS files? a. cipher b. copy c. efsrecvr d. decrypt
c. efsrecvr
Chapter 1 A chain-of-evidence form, which is used to document what has and had not been done with the original evidence and forensic copies of the evidence, is also known as a(n) ??? a. single-evidence form b. multi-evidence form c. evidence custody form d. evidence tracking form
c. evidence custody form
Chapter 5 Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital extended capacity (SDCX), and memory sticks: a. FAT12 b. FAT32 c. exFAT d. VFAT
c. exFAT
Chapter 1 ??? must be included in an affidavit to support an allegation in order to justify a warrant. a. verdicts b. witnesses c. exhibits d. subpoenas
c. exhibits
Chapter 2 In order to qualify for the advanced certified computer forensic technician certification, a candidate must have ??? years of hands-on experience in computer forensics investigations. a. two b. three c. five d. six
c. five
Chapter 1 Which amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure? a. first amendment b. second amendment c. fourth amendment d. fifth amendment
c. fourth amendment
Chapter 5 What term is used to describe a disk's logical structure of platters, tracks, and sectors? a. cylinder b. trigonometry c. geometry d. mapping
c. geometry
Chapter 4 The term ??? is used to describe someone who might be a suspect of someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest a. criminal b. potential data source c. person of interest d. witness
c. person of interest
Chapter 4 Which of the following is not done when preparing for a case? a. describe the nature of the case b. identify the type of OS c. set up covert surveillance d. determine whether you can seize the computer or digital device
c. set up covert surveillance
Chapter 5 Which of the following is not a valid configuration of Unicode? a. UTF-8 b. UTF-16 c. UTF-32 d. UTF-64
d. UTF-64
Chapter 4 ??? is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing a. second-party evidence b. rumor c. fiction d. hearsay
d. hearsay
Chapter 4 A ??? is not a private sector organization a. small to medium business b. large corporation c. on-government organization d. hospital
d. hospital
_______ can be used with the dcfldd command to compare an image file to the original medium.
vf