Forensics Midterm CH 1-5

Chapter 2 Which of the following scenarios should be covered in a disaster recovery plan? a. damage caused by lightning strikes b. damage caused by flood c. damage caused by a virus contamination d. all of the above

d. all of the above

Chapter 2 Which tool below is not recommended for use in a forensics lab? a. 2.5-inch adapters for drives b. firewire and usb adapters c. SCSI card d. degusser

d. degusser

The _______ switch can be used with the split command to adjust the size of segmented volumes created by the dd command.

-b

​An investigator wants to capture all data on a SATA drive connected to a Linux system. What should the investigator use for the "if=" portion of the dcfldd command?

/dev/sda

Chapter 5 a master boot record (MBR) partition table marks the first partition starting at what offset? a. 0x1CE b. 0x1BE c. 0x1AE d. 0x1DE

b. 0x1BE

Chapter 1 ??? is not one of the functions of the investigations triad. a. digital investigations b. data recovery c. vulnerability threat assessment and risk management d. network intrusion detection and incident response

b. data recovery

Chapter 1 The ??? is responsible for analyzing data and determining when another specialist should be called in to assist with analysis. a. digital evidence recorder b. digital evidence specialist c. digital evidence analyst d. digital evidence examiner

b. digital evidence specialist

Chapter 1 Signed into law in 1973, the ??? was/were created to ensure consistency in federal proceedings. a. federal proceeding law b. federal rules of evidence c. federal consistency standards d. federal proceedings rules

b. federal rules of evidence

Chapter 3 Within the fdisk interactive menu, what character should be entered to view existing partitions? a. 1 b. p c. o d. d

b. p

Chapter 4 Which court case established that it is not necessary for computer programmers to testify in order to authenticate computer-generated records? a. united states v wong b. united states v carey c. united states v salgado d. united states v walser

c. united states v salgado

Chapter 1 An evidence custody form does not usually contain ??? a. the nature of the case b. a description of evidence c. vendor names for computer components d. a witness list

d. a witness list

Chapter 2 Candidates who complete the IACIS test successfully are designated as a ??? a. certified forensic computer examiner (CFCE) b. certified forensics investigator (CFI) c. Certified investigative forensics examiner (CIFE) d. certified investigative examiner (CIE)

a. certified forensic computer examiner (CFCE)

Chapter 2 In order to qualify for the certified computer crime investigator, basic level certification, candidates must provide documentation of at least ??? cases in which they participated. a. 5 b. 10 c. 15 d. 20

b. 10

Chapter 3 When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files? a. 512 mg b. 2 gb c. 1 tb d. 1 pb

b. 2 gb

Chapter 5 A typical disk drive stores how many bytes in a single sector? a. 8 b. 512 c. 1024 d. 4096

b. 512

Chapter 5 The ReFs storage engine uses a ??? sort method for fast access to large data sets. a. A+-tree b. B+-tree c. reverse d. numerical

b. B+-tree

Chapter 4 What type of media has a 30-year lifespan? a. DVD-rs b. DLT magnetic tape c. hard drive d. usb thumb drive

b. DLT magnetic tape

Chapter 4 In cases that involve dangerous setting, what kind of team should be used to recover evidence from the scene? a. B-Team b. HAZMAT c. CDC First Responders d. SWAT

b. HAZMAT

Chapter 4 ??? are a special category of private sector businesses, due to their ability to investigate computer abuse committed by employees only, but not customers. a. hospitals b. ISPs c. law firms d. news networks

b. ISPs

Chapter 2 ??? describes the characteristics of a safe storage container. a. ISO2960 b. NISPOM c. SSO 990 d. STORSEC

b. NISPOM

Chapter 3 Which option below is not a Linus live CD meant for use as a digital forensics tool? a. penguin sleuth b. kali Linux c. Ubuntu d. caine

c. Ubuntu

Chapter 4 If practical, ??? team(s) should collect and catalog digital evidence at a crime scene or lab a. two b. five c. one d. three

c. one

Chapter 1 Which option below is not a standard systems analysis step? a. determine a preliminary design or approach to the case. b. obtain and copy an evidence drive c. share evidence with experts outside of the investigation d. mitigate or minimize the risks

c. share evidence with experts outside of the investigation

Chapter 2 Which option below is not one of the recommended practices for maintaining a keyed padlock? a. appoint a key custodian b. take inventory of all keys when the custodian changes c. use a master key d. change locks and keys annually

c. use a master key

Chapter 5 Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks? a. disk track recording (DTR) b. zone based areal density (ZBAD) c. zone bit recording (ZBR) d. cylindrical head calculation (CHC)

c. zone bit recording (ZBR)

Chapter 1 Which Microsoft OS below is the least intrusive to disks in terms of changing data? a. windows 95 b. windows xp c. windows 7 d. ms-dos 6.22

d. ms-dos 6.22

Chapter 4 ??? is a common cause for lost or corrupted evidence a. public access b. not having enough people on the processing team c. having an undefined security perimeter d. professional curiosity

d. professional curiosity

Chapter 1 ??? is not recommended for a digital forensics workstation. a. a text editor tool b. a write-blocker device c. an SCSI card d. remote access software

d. remote access software

​To create a new primary partition within the fdisk interactive utility, which letter should be typed?

n

Chapter 5 What hexadecimal code below identifies an NTFS file system in the partition table? a. 05 b. 07 c. 1B d. A5

b. 07

Chapter 2 ??? can be used to restore backup files directly to a workstation. a. belarc advisor b. Norton ghost c. prodiscover d. photorec

b. Norton ghost

Chapter 5 the ??? branches in HKEY_LOCAL_MACHINE/software consist of SAM, security, components, and system a. registry b. storage c. hive d. tree

c. hive

Chapter 3 which RAID type provides increased speed and data storage capability, but lacks redundancy? a. RAID 0 b. RAID 1 c. RAID 0+1 d. RAID 5

a. RAID 0

Chapter 3 Which option below is not a hashing function used for validation checks? a. RC4 b. MD5 c. SHA-1 d. CRC32

a. RC4

Chapter 4 When seizing digital evidence in criminal investigations, whose standards should be followed? a. U.S. DOJ b. ISO/IEC c. IEEE d. ITU

a. U.S. DOJ

Chapter 2 A TEMPEST facility is designed to accomplish which of the following goals? a. prevent data loss by maintaining consistent backups b. shield sensitive computing systems and prevent electronic eavesdropping of computer emission c. ensure network security from the internet using comprehensive security software d. protect the integrity of data

b. shield sensitive computing systems and prevent electronic eavesdropping of computer emission

Chapter 5 What registry file contains installed programs' settings and associated usernames and passwords? a. default.dat b. software.dat c. sam.dat d. ntuser.dat

b. software.dat

Chapter 5 When using the file allocation table (FAT), where is the FAT database typically written to? a. the innermost track b. the outermost track c. the first sector d. the first partition

b. the outermost track

Chapter 2 In order to qualify for the certified computer forensic technician, basic level certification, how many hours of computer forensics training are required? a. 10 b. 20 c. 30 d. 40

d. 40

Chapter 2 What percentage of consumers utilize intel and AMD PCs? a. 60 b. 70 c. 80 d. 90

d. 90

Chapter 2 Which file system below is utilized by the xbox gaming system? a. NTFS b. ReFS c. EXT d. FATX

d. FATX

Chapter 3 Which technology below is not a hot-swappable technology? a. usb-3 b. firewire 1394A c. SATA d. IDE

d. IDE

Chapter 3 Which RAID type utilizes mirrored striping, providing fast access and redundancy? a. RAID 1 b. RAID 3 c. RAID 5 d. RAID 10

d. RAID 10

Chapter 3 Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data? a. RAID 1 b. RAID 2 c. RAID 3 d. RAID 5

d. RAID 5

Chapter 5 What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive? a. PP full disk encryption b. voltage SecureFile c. BestCrypt d. TrueCrypt

d. TrueCrypt

Chapter 2 Which option below is not a recommendation for securing storage containers? a. the container should be located in a restricted area b. only authorized access should be allowed, and it should be kept to a minimum c, evidence containers should remain locked when they aren't under direct supervision d. rooms with evidence containers should have a secured wireless network

d. rooms with evidence containers should have a secured wireless network

Chapter 4 ??? does not recover data in free or slack space a. raw format acquisition b. live acquisition c. static acquisition d. sparse acquisition

d. sparse acquisition

Chapter 4 As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state? a. the power cable should be pulled b. the system should be shut down gracefully c. the power should be left on d. the decision should be left to the digital evidence first responder (DEFR)

d. the decision should be left to the digital evidence first responder (DEFR)

Chapter 1 After the evidence has been presented in a trial by jury, the jury must deliver a(n) ??? a. exhibit b. affidavit c. allegation d. verdict

d. verdict

Chapter 5 The ??? command insets a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry a. delete b. edit c. update d. clear

a. delete

Chapter 5 Which of the following commands creates an alternate data stream? a. echo text > myfile. txt:syream_name b. ads create myfile.txt(stream_name) "text" c. cat text myfile.txt=stream_name d. echo text

a. echo text > myfile. txt:syream_name

Chapter 4 What does FRE stand for? a. federal rules of evidence b. federal regulations for evidence c. federal rights for everyone d. federal rules for equipment

a. federal rules of evidence

Chapter 4 You must abide by the ??? while collecting evidence a. fourth amendment b. federal rules of evidence c. state's rules of evidence d. fifth amendment

a. fourth amendment

Chapter 3 The ??? copies evidence of intrusions to an investigation workstation automatically for further analysis over the network. a. intrusion detection system b. active defense mechanism c. total awareness system d. intrusion monitoring system

a. intrusion detection system

Chapter 2 Which operating system listed below is not a distribution of the Linux OS? a. minix b. debian c. slackwar d. fedora

a. minix

Chapter 4 The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient ??? a. probable cause b. due diligence c. accusations d. reliability

a. probable cause

Chapter 1 Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as ??? a. repeatable findings b. reloadable steps c. verifiable reporting d. evidence reporting

a. repeatable findings

Chapter 5 What does the MTF header field at offset 0x00 contain? a. the MFT record identifier FILE b. the size of the MFT record c. the length of the header d. the update sequence array

a. the MFT record identifier FILE

Chapter 2 ??? is responsible for creating an monitoring lab policies for staff, and provides a safe, and provides a safe and secure workplace for staff and evidence. a. the lab manager b. the lab investigator c. the lab secretary d. the lab steward

a. the lab manager

Chapter 3 Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files? a. advanced forensics disk b. advanced forensic format c. advanced capture image d. advanced open capture

b. advanced forensic format

Chapter 3 The Linux command ??? can be used to write bit-stream data to files. a. write b. dd c. cat d. dump

b. dd

Chapter 2 How often should hardware be replaced within a forensics lab? a. every 6 to 12 months b. every 12 to 18 months c. every 18 to 24 months d. every 24 to 30 months

b. every 12 to 18 months

Chapter 1 The sale of sensitive or confidential company information to a competitor is known as ??? a. industrial sabotage b. industrial espionage c. industrial collusion d. industrial betrayal

b. industrial espionage

Chapter 2 ??? is a specialized viewer software program a. fastview b. irfanview c. thumbsloader d. absee

b. irfanview

Chapter 4 ??? would not be found in an initial-response field kit. a. computer evidence bags (antistatic bags) b. leather gloves and disposable gloves c. a digital camera with extra batteries or 35mm camera with film and flash d. external usb devices or a portable hard drive

b. leather gloves and disposable gloves

Chapter 5 Addresses that allow the MFT to link to nonresident files are known as ??? a. virtual cluster numbers b. logical cluster numbers c. sequential cluster numbers d. polarity cluster numbers

b. logical cluster numbers

Chapter 4 What should you do while copying data on a suspect's computer that is still live? a. open files to view contents b. make notes regarding everything you do c. conduct a google search of unknown extensions using the computer d. check facebook for additional suspects

b. make notes regarding everything you do

Chapter 1 The term ??? describes a database containing information records about crimes that have been committed previously by a criminal. a. police ledger b. police blotter c. police blogger d. police recorder

b. police blotter

Chapter 4 the term ??? describes rooms filled with extremely large disk systems that are typically used by large business data centers. a. storage room b. server farm c. data well d. storage hub

b. server farm

Chapter 5 What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume? a. $MgyMirr b. $TransAct c. $LogFile d. $Backup

c. $LogFile

Chapter 2 How long are computing components designed to last in a normal business environment? a. 12 to 16 months b. 14 to 26 months c. 18 to 36 months d. 6 to 90 months

c. 18 to 36 months

Chapter 1 In what year was the computer fraud and abuse act passed? a. 1976 b. 1980 c. 1986 d. 1996

c. 1986

Chapter 1 What tool, currently maintained by the IRS criminal investigation division and limited to use by law enforcement, can analyze and read special files that are copies of a disk? a. AccessData forensic toolkit b. DeepScan c. ILook d. Photorect

c. ILook

Chapter 3 ??? is the utility used by the ProDiscover program for remote access. a. SubSe7en b. 10pht c. PDServer d. VNCServer

c. PDServer

Chapter 3 ??? creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID. a. Runtime Software b. RaidRestore c. R-Tools R-Studio d. FixitRaid

c. R-Tools R-Studio

Chapter 5 What registry file contains user account management and security settings? a. default.dat b. software.dat c. SAM.dat d Ntuser.dat

c. SAM.dat

Chapter 1 If a police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit a(n) ??? a. exhibit b. verdict c. affidavit d. memo

c. affidavit

Chapter 1 ??? describes an accusation of fact that a crime has been committed. a. attrition b. attribution c. allegation d. assignment

c. allegation

Chapter 4 Which system below can be used to quickly and accurately match fingerprints in a database? a. fingerprint identification database (FID) b. systemic fingerprint database (SFD) c. automated fingerprint identification system (AFIS) d. dynamic fingerprint matching system (DFMS)

c. automated fingerprint identification system (AFIS)

Chapter 3 What is the name of the Microsoft solution for whole disk encryption? a. drivecrypt b. truecrypt c. bitlocker d. securedrive

c. bitlocker

Chapter 2 What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations? a. certified computer crime investigator b. certified forensic computer examiner c. certified cyber forensics professional d. encase certified examiner

c. certified cyber forensics professional

Chapter 1 The ??? is not one of the three stages of a typical criminal case. a. complaint b. investigation c. civil suit d. prosecution

c. civil suit

Chapter 5 What term below describes a column of tracks on two or more disk platters? a. sector b. cluster c. cylinder d. header

c. cylinder

Chapter 3 The ??? command was developed by Nicholas harbor of the defense computer forensics laboratory. a. dd b. split c. dcfldd d. echo

c. dcfldd

Chapter 1 After a judge approves and signs a search warrant, the ??? is responsible for the collection of evidence as defined by the warrant. a. digital evidence recorder b. digital evidence specialist c. digital evidence first responder d. digital evidence scene investigator

c. digital evidence first responder

Chapter 5 What command below can be used to decrypt EFS files? a. cipher b. copy c. efsrecvr d. decrypt

c. efsrecvr

Chapter 1 A chain-of-evidence form, which is used to document what has and had not been done with the original evidence and forensic copies of the evidence, is also known as a(n) ??? a. single-evidence form b. multi-evidence form c. evidence custody form d. evidence tracking form

c. evidence custody form

Chapter 5 Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital extended capacity (SDCX), and memory sticks: a. FAT12 b. FAT32 c. exFAT d. VFAT

c. exFAT

Chapter 1 ??? must be included in an affidavit to support an allegation in order to justify a warrant. a. verdicts b. witnesses c. exhibits d. subpoenas

c. exhibits

Chapter 2 In order to qualify for the advanced certified computer forensic technician certification, a candidate must have ??? years of hands-on experience in computer forensics investigations. a. two b. three c. five d. six

c. five

Chapter 1 Which amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure? a. first amendment b. second amendment c. fourth amendment d. fifth amendment

c. fourth amendment

Chapter 5 What term is used to describe a disk's logical structure of platters, tracks, and sectors? a. cylinder b. trigonometry c. geometry d. mapping

c. geometry

Chapter 4 The term ??? is used to describe someone who might be a suspect of someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest a. criminal b. potential data source c. person of interest d. witness

c. person of interest

Chapter 4 Which of the following is not done when preparing for a case? a. describe the nature of the case b. identify the type of OS c. set up covert surveillance d. determine whether you can seize the computer or digital device

c. set up covert surveillance

Chapter 5 Which of the following is not a valid configuration of Unicode? a. UTF-8 b. UTF-16 c. UTF-32 d. UTF-64

d. UTF-64

Chapter 4 ??? is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing a. second-party evidence b. rumor c. fiction d. hearsay

d. hearsay

Chapter 4 A ??? is not a private sector organization a. small to medium business b. large corporation c. on-government organization d. hospital

d. hospital

_______ can be used with the dcfldd command to compare an image file to the original medium.

vf