Forensics Midterm CH 1-8, Computer Forensics 2nd half Final Exam
Chapter 7 Adding the _____________ flag to the ls -l command has the effect of showing all files beginning with the "." character in addition to other files.
-a
Chapter 7 Where is the root user's home directory located on a Mac OS X file system?
/private/var/root
Chapter 7 As part of a forensics investigation, you need to recover the logon and logoff history information on a Linux-based OS. Where can this information be found?
/var/log/wtmp
Chapter 7 Within the /etc/shadow file, what field contains the password hash for a user account if one exists?
2nd field
Chapter 7 What is the minimum size of a block in UNIX/Linux filesystems?
512
CH 10 Quiz Forensics tools can't directly mount VMs as external drives T/F
False
CH 10 Quiz The Sysinternals Handle utility shows only file system activity, but does not show what processes are using files on the file system T/F
False
CH 10 Quiz Type 2 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage T/F
False
CH 11 Quiz An Internet e-mail is generally part of a local network, and is maintained and managed by an administrator for internal use by a specific company T/F
False
CH 11 Quiz Committing crimes with e-mail is uncommon, and investigators are not generally tasked with linking suspects to e-mail T/F
False
CH 11 Quiz In an e-mail address, everything before the @ symbol represents the domain name T/F
False
CH 11 Review To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations. True/False
False
CH 12 Review When acquiring a mobile device at an investigation scene, you should leave it connected to a PC so that you can observe synchronization as it takes place. True/False
False
CH 13 Quiz A search warrant can be used in any kind of case, either civil or criminal T/F
False
CH 13 Quiz The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect. T/F
False
CH 13 Review Any text editor can be used to read Dropbox files. True/False
False
CH 13 Review Commingled data isn't a concern when acquiring cloud data. True/False
False
CH 16 Review All expert witnesses must be members of associations that license them. True or False?
False
CH 16 Review Codes of professional conduct or responsibility set the highest standards for professional's expected performance. True or False?
False
CH 16 Review Ethical obligations are duties that you owe only to others. True or False?
False
CH 9 QUIZ Because attorneys do not have the right of full discovery of digital evidence, it is not possible for new evidence to come to light while complying with a defense request for full discovery. t/f
False
CH 9 QUIZ In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant. t/f
False
CH 9 Review After you shift a file's bits, the hash value remains the same. True/False
False
CH 9 Review Password recovery is included in all forensics tools. True/False
False
Chapter 1 All suspected industrial espionage cases should be treated as civil case investigations. t/f
False
Chapter 3 FTK Imager software can acquire a drive's host protected area t/f
False
Chapter 4 Computer-stored records are data the system maintains, such as system log files and proxy server logs. t/f
False
Chapter 4 The Fourth Amendment states that only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued. The courts have determined that this phrase means a warrant can authorize a search of a specific place for anything. t/f
False
Chapter 5 A computer stores system configuration and date and time information in the BIOS when power to the system is off t/f
False
Chapter 5 Someone who wants to hide data can create hidden partitions or voids (large unused gaps between partitions) on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities t/f
False
Chapter 6 Making a logical acquisition of a drive with whole disk encryption can result in unreadable files t/f
False
Chapter 6 Physically copying the entire drive is the only type of data-copying method used in software acquisition t/f
False
Chapter 7 In UNIX and Linux, everything except monitors is considered a file.
False
Chapter 7 Linux is a certified UNIX operating system.
False
Chapter 8 Most digital cameras use the bitmap format to store photos. t/f
False
Chapter 8 When you decompress data that uses a lossy compression algorithm, you regain data lost by compression. t/f
False
Chapter 1 According to the National Institute of Standards and Technology (NIST), digital forensics involves scientifically examining and analyzing data from computer storage media so that it can be used as evidence in court. t/f
False - Digital forensics is defined as the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Page 4
Chapter 5 FAT32 is used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0 t/f
False - FAT32 was implemented when technology improved and disks larger than 2 GB were developed.
Chapter 7 Capitalization, or lack thereof, makes no difference with UNIX and Linux commands.
False - Linux commands ARE case sensitive
Chapter 2 The shielding of sensitive computing systems and prevention of electronic eavesdropping of any computer emissions is known as FAUST by the U.S. Department of Defense. t/f
False - This is called TEMPEST
Chapter 2 Because they are outdated, ribbon cables should not be considered for use within a forensics lab. t/f
False - Because you might be dealing with older computers, it is a good idea to keep a wide assortment of cables and peripherals to interface with outdated equipment.
Chapter 7 On Mac OS X systems, what utility can be used to encrypt / decrypt a user's home directory?
FileVault
Chapter 7 ________________ is a specialized carving tool that can read many image file formats, such as RAW and Expert Witness.
Foremost
Chapter 7 _______________ contain file and directory metadata and provide a mechanism for linking data stored in data blocks.
Inodes
Chapter 7 Who is the current maintainer of the Linux kernel?
Linus Torvalds
Chapter 7 A hash that begins with "$6" in the shadow file indicates that it is a hash from what hashing algorithm?
SHA-512
Chapter 7 What information below is not included within an inode?
The file's or directory's path
Chapter 7 If a file has 510 bytes of data, what is byte 510?
The logical EOF (End of File)
CH 10 Quiz The capability of type 1 hypervisors is limited only by the amount of available RAM, storage, and throughput T/F
True
CH 10 Quiz The Honeynet Project was developed to make information widely available in an attempt to thwart internet and network attackers T/F
True
CH 10 Review A forensic image of a VM includes all snapshots. True/False
True
CH 10 Review Tcpslice can be used to retrieve specific timeframes of packet captures. True/False?
True
CH 11 Quiz The DomainKeys Identified Mail service is a way to verify the names of domains a message is flowing through and was developed as a way to cut down on spam T/F
True
CH 11 Quiz The Pagefile.sys file on a computer can contain message fragments from instant messaging applications T/F
True
CH 11 Review All email headers contain the same types of information. True/False
True
CH 11 Review Internet e-mail accessed with a Web browser leaves files in temporary folders. True/False
True
CH 11 Review You can view e-mail headers in Notepad with all popular e-mail clients. True/False
True
CH 12 Review SIM card readers can alter evidence by showing that a message has been read when you view it? True/False
True
CH 12 Review Typically, you need a search warrant to retrieve information from a service provider. True/False
True
CH 12 Review When investigating social media content, evidence artifacts can vary, depending on the social media channel and the device. True/False
True
CH 13 Quiz In the United States, the Electronic Communications Privacy Act (ECPA) describes 5 mechanisms the government can use to get electronic information from a provider T/F
True
CH 13 Quiz Specially trained system and network administrators are often a CSP's first responders T/F
True
CH 13 Quiz The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET) T/F
True
CH 13 Review Amazon was an early provider of Web-based services that eventually developed into the cloud concept. True/False
True
CH 13 Review The multitenancy nature of cloud environments means conflicts in private laws can occur. True/False
True
CH 13 Review To see Google Drive synchronization files, you need a SQL viewer. True/False
True
CH 14 Review If you were a lay witness at a previous trial, you shouldn't list that case in your written report. True/False
True
CH 15 Review Voir dire is the process of qualifying a witness as an expert. True or False?
True
CH 16 Review In the United States, no state or national licensing body specifically licenses computer forensics examiners. True or False?
True
CH 9 QUIZ Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific files or sectors. t/f
True
CH 9 QUIZ One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is essential for presenting evidence in court. t/f
True
CH 9 QUIZ The advantage of recording hash values is that you can determine whether data has changed. t/f
True
CH 9 Review The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True/False
True
Chapter 1 If you turn evidence over to law enforcement and begin working under their direction, you have become an agent of law enforcement, and are subject to the same restrictions on search and seizure as a law enforcement agent. t/f
True
Chapter 1 Most digital investigations in the private sector involve misuse of computing assets. t/f
True
Chapter 1 User groups for a specific type of system can be very useful in a forensics investigation. t/f
True
Chapter 2 A disaster recovery plan ensures that workstations and file servers can be restored to their original condition in the event of a catastrophe. t/f
True
Chapter 2 Linux live CDs and WinFE disks do not automatically mount hard drives, but can be used to view file systems. t/f
True
Chapter 2 The recording of all updates made to a workstation or machine is referred to as configuration management. t/f
True
Chapter 3 A forensics investigator should verify that acquisition tools can copy data in the HPA of a disk drive t/f
True
Chapter 3 Hardware and software errors or incompatibilities are a common problem when dealing with older hard drives t/f
True
Chapter 3 The Image USB utility can be used to create a bootable flash drive t/f
True
Chapter 4 An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal injury, such as finding a bomb threat in an e-mail. t/f
True
Chapter 4 State public disclosure laws apply to state records, but FOIA allows citizens to request copies of public documents created by federal agencies. t/f
True
Chapter 4 To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant. t/f
True
Chapter 5 When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space t/f
True
Chapter 6 All forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image t/f
True
Chapter 6 ISO standard 23037 states that the most important factors in data acquisition are the DEFR's competency and the use of validated tools t/f
True
Chapter 6 Software forensics tools are grouped into command-line applications and GUI applications t/f
True
Chapter 7 The only pieces of metadata not in an inode are the filename and path. T/F
True
Chapter 7 The term "kernel" is often used when discussing Linux because technically, Linux is only the core of the OS.
True
Chapter 8 Each graphics file type has a unique header value. t/f
True
Chapter 8 Graphics files are created and saved in a graphics editor, such as Microsoft Paint, Adobe Freehand MX, Adobe Photoshop, or Gnome GIMP. t/f
True
Chapter 8 The first 3 bytes of an XIF file are exactly the same as a TIF file. t/f
True
Chapter 5 Each MFT record starts with a header identifying it as a resident or nonresident attribute t/f
True - Page 200: Each MFT record starts with a header identifying it as a resident or non-resident attribute.
Chapter 8 Which of the following is not considered to be a non-standard graphics file format? a. .dxf b. .tga c. .rtl d. .psd
a. .dxf
CH 11 Review In Microsoft Outlook, what are the email storage files typically found on a client computer? a. .pst and .ost b. res1.log and res2.log c. PU020102.db d. .evolution
a. .pst and .ost
CH 10 Review Which of the following file extensions are associated with VMware virtual machine? a. .vmx, .log, and .nvram b. .vdi, .ova, and .r0 c. .vmx, .r0, and .xml-prev d. .vbox, .vdi, and .log
a. .vmx, .log, and .nvram
CH 10 Quiz The SANS Investigative Forensics Toolkit (SIFT) appliance can currently only be installed on what version of Ubuntu a. 12.04 b. 13.11 c. 14.04 d. 14.11
a. 12.04
Chapter 2 Which ISO standard below is followed by the ASCLD? a. 17025:2005 b. 17026:2007 c. 12075:2007 d. 12076:2005
a. 17025:2005
CH 15 Quiz When cases go to trial, you as a forensics examiner can play one of ____ roles. a. 2 b. 3 c. 4 d. 5
a. 2
CH 16 Quiz Which of the following options would represent a valid retainer? a. 2 to 8 hours of your usual billable rate b. a verbal agreement c. complete discussion of an ongoing case d. dissemination of evidence
a. 2 to 8 hours of your usual billable rate
CH 16 Quiz FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful. a. 702 b. 703 c. 704 d. 705
a. 702
CH 15 Review Your curriculum vitae is which of the following? (Choose all that apply) a. A necessary tool to be an expert witness b. A generally required document to be made available before your testimony c. A detailed record of your experience, education, and training d. Focused on your skills as they apply to the current case
a. A necessary tool to be an expert witness b. A generally required document to be made available before your testimony c. A detailed record of your experience, education, and training
CH 12 Review The term TDMA refers to which of the following? (Choose all that apply) a. A technique of dividing a radio frequency so that multiple users share the same channel b. A proprietary protocol developed by Motorola c. A specific cellular network standard d. A technique of spreading the signal across many channels
a. A technique of dividing a radio frequency so that multiple users share the same channel c. A specific cellular network standard.
CH 11 Review What information is _NOT_ in an e-mail header? (Choose all that apply) a. Blind copy (Bcc) addresses b. Internet addresses c. Domain name d. Contents of the message e. Type of e-mail server used to send the email
a. Blind copy (Bcc) addresses d. Contents of the message
CH 12 Quiz Within NIST guidelines for mobile forensics methods, the ______________ method requires physically removing flash memory chips and gathering information at the binary level. a. Chip-off b. Logical extraction c. Micro read d. Manual extraction
a. Chip-off
CH 15 Review Before testifying, you should do which of the following? (Choose all that apply) a. Create an examination plan with your attorney. b. Make sure you've been paid for your services and the estimated fee for the deposition or trial. c. Get a haircut d. Type all the draft notes you took during your investigation
a. Create an examination plan with your attorney. b. Make sure you've been paid for your services and the estimated fee for the deposition or trial.
CH 11 Review When searching a victim's computer for a crime committed with a specific email, what provides information for determining the emails originator? (Choose all that apply) a. E-mail header b. Username and password c. Firewall log d. All of the above
a. E-mail header c. Firewall log
CH 9 Review Which forensic image file format creates or incorporates a validation hash value in the image file? (Choose all that apply) a. Expert Witness b. SMART c. AFF d. dd
a. Expert Witness b. SMART c. AFF
Chapter 6 What hex value is the standard indicator for JPEG graphics files? a. FF D8 b. FF D9 c. F8 D8 d. AB CD
a. FF D8
CH 14 Review Which of the following rules or laws requires an expert to prepare and submit a report? a. FRCP 26 b. FRE 801 c. Neither d. Both
a. FRCP 26
CH 14 Quiz An expert's opinion is governed by ________________ and the corresponding rule in many states. a. FRE, Rule 705 b. FRE, Rule 507 c. FRCP 26 d. FRCP 62
a. FRE, Rule 705
CH 9 Review The Known File Filter (KFF) can be used for which of the following purposes? (Choose all that apply) a. Filter known program file from view b. Calculate hash values of image files c. Compare hash values of known files with evidence files d. Filter out evidence that doesn't relate to our investigation
a. Filter known program file from view d. Filter out evidence that doesn't relate to our investigation
CH 10 Quiz What Windows Registry key contains associations for file extensions a. HKEY_CLASSES_ROOT b. HKEY_USERS c. HKEY_LOCAL_MACHINE d. HKEY_CURRENT_CONFIG
a. HKEY_CLASSES_ROOT
CH 15 Review What should you do if you realize you have made a mistake or misstatement during a deposition? (Choose all that apply) a. If the deposition is still in session, refer back to the error and correct it. b. Decide whether the error is minor, and if so, ignore it c. If the deposition is over, make the correction on the corrections page of the copy provided for your signature d. Call the opposing attorney and inform him of your mistake or misstatement e. Request an opportunity to make the correction at trial.
a. If the deposition is still in session, refer back to the error and correct it. c. If the deposition is over, make the correction on the corrections page of the copy provided for your signature
CH 10 Quiz The ___ tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network sniffers, and freeware forensics tools a. Kali Linux b. Ubuntu c. OSForensics d. Sleuth Kit
a. Kali Linux
CH 16 Review Externally enforced ethical rules, with sanctions that can restrict a professional's practice, are more accurately, described as which of the following? a. Laws b. Objectives c. A higher calling d. All of the above
a. Laws
CH 15 Review During your cross-examination, you should do which of the following? (Choose all that apply) a. Maintain eye contact with the jury b. Pay close attention to what your attorney is objecting to. c. Help the attorneys, judge, and jury in understanding the case, even if you have to go a bit beyond the scope of your expertise d. Pay close attention to opposing counsel's questions. e. Answer opposing counsel's questions as briefly as is practical
a. Maintain eye contact with the jury b. Pay close attention to what your attorney is objecting to. d. Pay close attention to opposing counsel's questions. e. Answer opposing counsel's questions as briefly as is practical
CH 15 Review When using graphics while testifying, which of the following guidelines applies? (Choose all that apply) a. Make sure the jury can see your graphics b. Practice using charts for courtroom testimony c. Your exhibits must be clear and easy to understand d. Make sure you have plenty of extra graphics, in case you have to explain more complex supporting issues.
a. Make sure the jury can see your graphics b. Practice using charts for courtroom testimony c. Your exhibits must be clear and easy to understand
CH 12 Quiz What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and taking pictures? a. Manual extraction b. Chip-off c. Micro read d. Logical extraction
a. Manual extraction
CH 11 Quiz One of the most noteworthy e-mail scams was 419, otherwise known as the ??? a. Nigerian Scam b. Lake Venture Scam c. Conficker virus d. Iloveyou Scam
a. Nigerian Scam
Chapter 3 Which RAID type provides increased speed and data storage capability, but lacks redundancy? a. RAID 0 b. RAID 1 c. RAID 0+1 d. RAID 5
a. RAID 0
Chapter 3 Which option below is not a hashing function used for validation checks? a. RC4 b. MD5 c. SHA-1 d. CRC32
a. RC4
CH 9 Review Rainbow tables serve what purpose for digital forensics examinations?
a. Rainbow tables contain computed hashes of possible passwords that some password- recovery programs can use to crack passwords.
CH 12 Review Remote wiping of a mobile device can result in which of the following? (Choose all that apply) a. Removing account information b. Enabling GPS beacon to track the thief c. Returning the phone to the original factory settings d. Deleting contacts
a. Removing account information c. Returning the phone to the original factory settings d. Deleting contacts
CH 15 Review Which of the following describes fact testimony? a. Scientific or technical testimony describing information recovered during an examination b. Testimony by law enforcement officers c. Testimony based on observations by lay witnesses d. None of the above
a. Scientific or technical testimony describing information recovered during an examination
CH 14 Quiz __________________ means the tone of language you use to address the reader. a. Style b. Format c. Outline d. Prose
a. Style
CH 13 Review Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider? (Choose all that apply) a. Subpoenas with prior notice b. Temporary restraining orders c. Search warrants d. Court orders
a. Subpoenas with prior notice c. Search warrants d. Court orders
CH 15 Review Which of the following describes expert witness testimony? (Choose all that apply.) a. Testimony designed to assist the jury in determining matters beyond the ordinary person's scope of knowledge b. Testimony that defines issues of the case for determination by the jury c. Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience. d. Testimony designed to raise doubt about facts or witnesses' credibility
a. Testimony designed to assist the jury in determining matters beyond the ordinary person's scope of knowledge c. Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience.
CH 14 Review For what purpose have hypothetical questions traditionally been used in litigation? a. To frame the factual context of rendering an expert witness's opinion. b. To define the case issues for the finder of fact to determine c. To stimulate discussion between consulting expert and expert witnesses d. To deter a witness from expanding the scope of his or her investigation beyond the case requirements. e. All of the above
a. To frame the factual context of rendering an expert witness's opinion.
CH 12 Quiz The use of smart phones for illicit activities is becoming more prevalent. a. true b. false
a. True
Chapter 4 When seizing digital evidence in criminal investigations, whose standards should be followed? a. U.S. DOJ b. ISO/IEC c. IEEE d. ITU
a. U.S. DOJ
CH 12 Quiz The ________________ technology uses the IEEE 802.16e standard and Orthogonal Frequency Division Multiple Access (OFDMA) and supports transmission speeds of 12 Mbps a. WiMAX b. CDMA c. UMB d. MIMO
a. WiMAX
CH 15 Quiz Discuss any potential problems with your attorney ____ a deposition. a. before b. after c. during d. during direct examination at
a. before
Chapter 6 Reconstructing fragments of files that have been deleted from a suspect drive is known as ??? in North America a. carving b. scraping c. salvaging d. sculpting
a. carving
Chapter 2 Candidates who complete the ISCIS test successfully are designated as a ??? a. certified forensic computer examiner (CFCE) b. certified forensics investigator (CFI) c. Certified investigative forensics examiner (CIFE) d. certified investigative examiner (CIE)
a. certified forensic computer examiner (CFCE)
Chapter 6 What is the goal of the NSRL project, created by NIST? a. collect known hash values for commercial software and OS files using SHA hashes b. search for collisions in hash values, and contribute to fixing hashing programs c. create hash values for illegal files and distribute the information to law enforcement d. collect known hash values for commercial software and OS files using MD5 hashes
a. collect known hash values for commercial software and OS files using SHA hashes
CH 16 Quiz A consultant who doesn't testify can earn a ____________________ for locating testifying experts or investigative leads. a. contingency fee b. retainer c. stake in a case d. reprimand
a. contingency fee
CH 13 Quiz A ??? is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities a. court order b. temporary restraining order c. warrant d. subpoena
a. court order
Chapter 5 The ??? command inserts a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry a. delete b. edit c. update d. clear
a. delete
CH 15 Quiz You provide ____ testimony when you answer questions from the attorney who hired you. a. direct b. cross c. examination d. rebuttal
a. direct
Chapter 5 Which of the following commands creates an alternate data stream? a. echo text > myfile.txt:stream_name b. ads create myfile.txt(stream_name) "text" c. cat text myfile.txt=stream_name d. echo text
a. echo text > myfile.txt:stream_name
Chapter 4 What does FRE stand for? a. federal rules of evidence b. federal regulations for evidence c. federal rights for everyone d. federal rules for equipment
a. federal rules of evidence
Chapter 4 You must abide by the ??? while collecting evidence a. fourth amendment b. federal rules of evidence c. state's rules of evidence d. fifth amendment
a. fourth amendment
CH 15 Quiz Validate your tools and verify your evidence with ____ to ensure its integrity. a. hashing algorithms b. watermarks c. steganography d. digital certificates
a. hashing algorithms
Chapter 3 The ??? copies evidence of intrusions to an investigation workstation automatically for further analysis over the network. a. intrusion detection system b. active defense mechanism c. total awareness system d. intrusion monitoring system
a. intrusion detection system
Chapter 6 The ??? Linux live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, memfetch, and mboxgrep, and utilizes a KDE interface a. kali b. arch c. Ubuntu d. helix3
a. kali
Chapter 6 Which of the following options is not a subfunction of extraction? a. logical data copy b. decrypting c. bookmarking d. carving
a. logical data copy
Chapter 8 What kind of graphics file combines bitmap and vector graphics types? a. metafile b. bitmap c. jpeg d. tif
a. metafile
Chapter 2 Which operating system listed below is not a distribution of the Linux OS? a. minix b. debian c. slackware d. fedora
a. minix
CH 12 Quiz What method below is NOT an effective method for isolating a mobile device from receiving signals? a. placing the device into a plastic evidence bag b. placing the device into a paint can, preferably one previously containing radio-wave blocking paint c. placing the device into airplane mode d. turning the device off
a. placing the device into a plastic evidence bag
Chapter 4 The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient ??? a. probable cause b. due diligence c. accusations d. reliability
a. probable cause
Chapter 6 What is the purpose of the reconstruction function in a forensics investigation? a. re-create a suspect's drive to show what happened during a crime or incident b. prove that two sets of data are identical c. copy all information from a suspect's drive, including information that may have been hidden d. generate reports or logs that detail the processes undertaken by a forensics investigator
a. re-create a suspect's drive to show what happened during a crime or incident
CH 15 Quiz ____ from both plaintiff and defense is an optional phase of the trial. Generally, it's allowed to cover an issue raised during cross-examination. a. rebuttal b. plaintiff c. closing arguments d. opening statements
a. rebuttal
Chapter 1 Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as ??? a. repeatable findings b. reloadable steps c. verifiable reporting d. evidence reporting
a. repeatable findings
CH 9 QUIZ What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords? a. salted passwords b. scrambled passwords c. indexed passwords d. master passwords
a. salted passwords
CH 11 Review Sendmail uses which file for instructions on processing an e-mail message? a. sendmail.cf b. syslogd.conf c. mese.ese d. mapi.log
a. sendmail.cf
CH 15 Quiz When you give ____ testimony, you present this evidence and explain what it is and how it was obtained. a. technical/scientific b. expert c. lay witness d. deposition
a. technical/scientific
Chapter 5 What does the MFT header field at offset 0x00 contain? a. the MFT record identifier FILE b. the size of the MFT record c. the length of the header d. the update sequence array
a. the MFT record identifier FILE
Chapter 2 ??? is responsible for creating and monitoring lab policies for staff, and provides a safe and secure workplace for staff and evidence. a. the lab manager b. the lab investigator c. the lab secretary d. the lab steward
a. the lab manager
CH 11 Quiz What information is not typically included in an e-mail header a. the sender's physical location b. the originating IP address c. the unique ID of the e-mail d. the originating domain
a. the sender's physical location
CH 12 Quiz Search and seizure procedures for mobile devices are as important as procedures for computers. a. true b. false
a. true
CH 12 Quiz While travelling internationally with a GSM phone, you can pop in a SIM card for the country you're currently in, rather than get a new phone. a. true b. false
a. true
CH 14 Quiz A report can provide justification for collecting more evidence and be used at a probable cause hearing. a. true b. false
a. true
CH 14 Quiz Specially trained system and network administrators are often a CSP's first responders. a. true b. false
a. true
CH 14 Quiz Technical terms, if included in a report, should be defined in ordinary language such that lawyers, judges, and jurors can understand them. a. true b. false
a. true
CH 15 Quiz As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers. a. true b. false
a. true
CH 15 Quiz As an expert witness, you have opinions about what you have found or observed. a. true b. false
a. true
CH 15 Quiz Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise. a. true b. false
a. true
CH 16 Quiz Experts should be paid in full for all previous work and for the anticipated time required for testimony. a. true b. false
a. true
CH 16 Quiz In the United States, there's no state or national licensing body for computer forensics examiners. a. true b. false
a. true
CH 16 Quiz People need ethics to help maintain their balance, especially in difficult and contentious situations. a. true b. false
a. true
Chapter 6 ??? proves that two sets of data are identical by calculating hash values or using another similar method a. verification b. validation c. integration d. compilation
a. verification
CH 14 Quiz When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be flagged __________. a. yellow b. green c. red d. orange
a. yellow
Chapter 6 Which of the following is stated within the ISO 27037 standard? a. hardware acquisition tools can only use CRC-32 hashing b. digital evidence first responders should use validated tools c. software forensics tools must provide a GUI interface d. software forensics tools must use the Windows OS
b. digital evidence first responders should use validated tools
CH 11 Quiz What kind of files are created by Exchange while converting binary data to readable text in order to prevent loss of data? a. .txt b. .tmp c. .exe d. .log
b. .tmp
CH 9 QUIZ What format below is used for VMware images? a. .vhd b. .vmdk c. .s01 d. .aff
b. .vmdk
CH 10 Quiz What file type below, associated with VMware, stores VM paging files that are used as RAM for a virtual machine? a. .nvram b. .vmen c. .vmpage d. .vmx
b. .vmen
Chapter 5 What hexadecimal code below identifies an NTFS file system in the partition table? a. 05 b. 07 c. 1B d. A5
b. 07
Chapter 5 A master boot record (MBR) partition table marks the first partition starting at what offset? a. 0x1CE b. 0x1BE c. 0x1AE d. 0x1DE
b. 0x1BE
CH 13 Quiz At what offset is a prefetch file's create date and time located? a. 0x88 b. 0x80 c. 0x98 d. 0x90
b. 0x80
Chapter 2 In order to qualify for the Certified Computer Crime Investigator, basic level certification, candidates must provide documentation of at least ??? cases in which they participated. a. 5 b. 10 c. 15 d. 20
b. 10
CH 9 QUIZ Within Windows Vista and later, partition gaps are _____________ bytes in length. a. 64 b. 128 c. 256 d. 512
b. 128
Chapter 8 How many bits are required to create a pixel capable of displaying 65,536 different colors? a. 8 bit b. 16 bit c. 32 bit d. 64 bit
b. 16 bit
Chapter 8 What act defines precisely how copyright laws pertain to graphics? a. 1988 image ownership act b. 1976 copyright act c. 1923 patented image act d. 1976 computer fraud and abuse act
b. 1976 copyright act
Chapter 3 When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files? a. 512 MB b. 2 GB c. 1 TB d. 1 PB
b. 2 GB
CH 15 Quiz If your CV (curriculum vitae) is more than ____ months old, you probably need to update it to reflect new cases and additional training. a. 2 b. 3 c. 4 d. 5
b. 3
Chapter 5 A typical disk drive stores how many bytes in a single sector? a. 8 b. 512 c. 1024 d. 4096
b. 512
CH 16 Quiz Currently, expert witnesses testify in more than __ percent of trials. a. 55 b. 80 c. 92 d. 78
b. 80
CH 9 Review The National Software Reference Library provides what type of resources for digital forensics examiners?
b. A list of MD5 and SHA1 hash values for all known OSs and applications
CH 13 Quiz Which of the following is not a valid source for cloud forensics training? a. SANS Cloud Forensics with F-Response b. A+ Security c. INFOSEC Institute d. (ISC)2 Certified Cyber Forensics Professional
b. A+ Security
CH 11 Quiz What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact? a. iNet b. ARIN c. Google d. ERIN
b. ARIN
CH 14 Review Which of the following is an example of a written report? a. A search warrant b. An affidavit c. Voir Dire d. Any of the above
b. An affidavit
Chapter 5 The ReFS storage engine uses a ??? sort method for fast access to large data sets. a. A+-tree b. B+-tree c. reverse d. numerical
b. B+-tree
CH 10 Review When do zero day attacks occur? (Choose all that apply) a. On the day the application or OS is released b. Before a patch is available c. Before the vendor is aware of the vulnerability d. On the day the patch is created
b. Before a patch is available c. Before the vendor is aware of the vulnerability
CH 15 Review When working for a prosecutor, what should you do if the evidence you found appears to be exculpatory and isn't being released to the defense? a. Keep the information on file for later review b. Bring the information to the attention of the prosecutor, then his or her supervisor and finally to the judge (the court) c. Destroy the evidence d. Give the evidence to the defense attorney
b. Bring the information to the attention of the prosecutor, then his or her supervisor and finally to the judge (the court)
CH 12 Quiz What digital network technology was developed during World War II? a. TDMA b. CDMA c. GSM d. iDEN
b. CDMA
CH 15 Quiz For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you're constantly enhancing your skills through training, teaching, and experience. a. testimony b. CV (curriculum vitae) c. examination plan d. deposition
b. CV (curriculum vitae)
CH 12 Review Which of the following categories of information is stored on a SIM card? (Choose all that apply.) a. Volatile Memory b. Call data c. Service-related data d. None of the above
b. Call data c. Service-related data
Chapter 4 What type of media has a 30-year lifespan? a. DVD-Rs b. DLT magnetic tape c. hard drive d. USB thumb drive
b. DLT magnetic tape
CH 11 Quiz Which e-mail recovery program below can recover files from VMware and VirtualPC virtual machines, as well as ISOs and other types of file backups? a. Fookes Aid4Mail b. DataNumen Outlook Repair c. EnCase Forensics d. AccessData FTK
b. DataNumen Outlook Repair
CH 11 Quiz Which service below does not put log information into /var/log/maillog? a. SMTP b. Exchange c. IMAP d. POP
b. Exchange
CH 14 Review Automated tools help you collect and report evidence, but you're responsible for doing which of the following? a. Explaining your formatting choices b. Explaining the significance of the evidence c. Explaining in detail how the software works d. All of the above
b. Explaining the significance of the evidence
Chapter 8 For EXIF JPEG files, the hexadecimal value starting at offset 2 is _____________. a. FFE0 b. FFE1 c. FFD8 d. FFD9
b. FFE1
CH 13 Quiz The ??? tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack. a. Openforensics b. FROST c. WinHex d. ARC
b. FROST
CH 9 Review Which of the following represents known files you can eliminate from an investigation? (Choose all that apply) a. Any graphics files b. Files associated with an application c. System files the OS uses d. Any files pertaining to the company
b. Files associated with an application c. System files the OS uses
Chapter 4 In cases that involve dangerous settings, what kind of team should be used to recover evidence from the scene? a. B-Team b. HAZMAT c. CDC First Responders d. SWAT
b. HAZMAT
CH 10 Review Which Registry key contains associations for file extensions? a. HFILE_CLASSES_ROOT b. HKEY_CLASSES_ROOT c. HFILE_EXTENSIONS d. HKEY_CLASSES_FILE
b. HKEY_CLASSES_ROOT
CH 9 Review Steganography is used for which of the following purposes?
b. Hiding Data
Chapter 4 ??? are a special category of private sector businesses, due to their ability to investigate computer abuse committed by employees only, but not customers. a. hospitals b. ISPs c. law firms d. news networks
b. ISPs
CH 12 Quiz What organization is responsible for the creation of the requirements for carriers to be considered 4G? a. IEEE b. ITU-R c. ISO d. TIA
b. ITU-R
CH 12 Quiz The ___________________ technology is designed for GSM and Universal Mobile Telecommunications Systems (UMTS) technology, and supports 45 Mbps to 144 Mbps transmission speeds. a. WiMAX b. LTE c. MIMO d. UMB
b. LTE
CH 10 Quiz The ___ is the version of Pcap available for Linux-based operating systems. a. Wincap b. Libcap c. Tcpcap d. Netcap
b. Libcap
CH 11 Review Phishing does which of the following? a. Uses DNS poisoning b. Lures users with false promises c. Takes people to fake websites d. Uses DHCP
b. Lures users with false promises
CH 11 Review Which of the following is a current formatting standard for e-mail? a. SMTP b. MIME c. Outlook d. HTML
b. MIME
CH 12 Review Which of the following relies on a central database that tracks across data, location data and subscriber information? a. BTS b. MSC c. BSC d. None of the above
b. MSC
Chapter 2 ??? describes the characteristics of a safe storage container. a. ISO2960 b. NISPOM c. SSO 990 d. STORSEC
b. NISPOM
Chapter 6 What tool below was written for MS-DOS and was commonly used for manual digital investigations? a. SMART b. Norton DiskEdit c. ByteBack d. DataLifter
b. Norton DiskEdit
Chapter 2 ??? can be used to restore backup files directly to a workstation. a. Belarc Advisor b. Norton Ghost c. ProDiscover d. PhotoRec
b. Norton Ghost
CH 11 Review What's the main piece of information you look for in an e-mail message you're investigating? a. Sender's or receiver's e-mail address b. Originating e-mail domain or IP address c. Subject line content d. Message number
b. Originating e-mail domain or IP address
CH 10 Quiz The tcpdump and Wireshark utilities both use what well-known packet capture format? a. Netcap b. Pcap c. Packetd d. RAW
b. Pcap
CH 15 Review The most reliable way to ensure that jurors recall testimony is to do which of the following? a. Present evidence using oral testimony supported by hand gestures and facial expressions b. Present evidence combining oral testimony and graphics that support the testimony c. Wear brightly colored clothing to attract jurors' attention d. Emphasize your points with humorous anecdotes e. Memorize your testimony carefully
b. Present evidence combining oral testimony and graphics that support the testimony
CH 13 Review Which of the following cloud deployment methods typically offers no security? a. Hybrid Cloud b. Public Cloud c. Community cloud d. Private Cloud
b. Public Cloud
CH 11 Review When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do? a. Search available log files for any forwarded messages b. Restore the e-mail server from a backup c. Check the current database files for an existing copy of the email d. Do nothing because after the file has been deleted, it can no longer be recovered.
b. Restore the e-mail server from a backup
CH 14 Quiz The report generator in ProDiscover defaults to ______________________, which can be opened by most word processors. a. HyperText Markup Language (HTML) b. Rich Text Format (RTF) c. Extensible Markup Language (XML) d. Microsoft Word document format
b. Rich Text Format (RTF)
CH 12 Quiz GSM refers to mobile phones as "mobile stations" and divides a station into two parts, the __________ and the mobile equipment (ME). a. antenna b. SIM card c. radio d. transceiver
b. SIM card
CH 10 Quiz In a ___ attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server with established connections. a. smurf b. SYN flood c. spoof d. ghost
b. SYN flood
CH 9 Review If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords?
b. Salting can make password recovery extremely difficult and time consuming.
CH 10 Review You can expect to find a type 2 hypervisor on what type of device? (Choose all that apply) a. Desktop b. Smartphone c. Tablet d. Network Server
b. Smartphone c. Tablet
CH 10 Quiz The ___ is a good tool for extracting information from large Libpcap files; you simply specify the time frame you want to examine. a. Tcpdstat b. Tcpslice c. Ngrep d. tcpdump
b. Tcpslice
CH 15 Review What expressions are acceptable to use in testimony to respond to a question for which you have no answer? (Choose all that apply) a. No Comment b. That's beyond the scope of my expertise c. I don't want to answer that question d. I was not requested to investigate that e. That is beyond the scope of my investigation
b. That's beyond the scope of my expertise d. I was not requested to investigate that e. That is beyond the scope of my investigation
CH 15 Review In answering a question about the size of a hard drive, which of the following responses is appropriate? (Choose all that apply.) a. It's a very large hard drive b. The technical data sheet indicates it's a 3 terabyte hard drive. c. It's a 3 terabyte hard drive configured with 2.78 terabytes of accessible storage. d. I was unable to determine the drive size because it was so badly damaged
b. The technical data sheet indicates it's a 3 terabyte hard drive. c. It's a 3 terabyte hard drive configured with 2.78 terabytes of accessible storage. d. I was unable to determine the drive size because it was so badly damaged
CH 9 Review You're using Disk Manager to view primary and extended partitions on a subject's drive. The program reports the extended partition's total size as larger than the sum of the sizes of the logical partitions in this extended partition. What might you infer from this information?
b. There's a hidden partition
CH 10 Review Virtual Machine Extensions (VMX) are part of which of the following? a. Type 1 hypervisors b. Type 2 hypervisors c. Intel Virtualized Technology d. AMD Virtualized Technology
b. Type 2 hypervisor
CH 10 Review Which of the following is a clue that a virtual machine has been installed on a host system? a. Network Logs b. Virtual network adapter c. Virtualization Software d. USB Drive
b. Virtual network adapter
CH 16 Quiz In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous contact with an opposing party? a. Tidemann v. Toshiba Corp b. Wang Laboratories, Inc v. Toshiba Corp c. Tidemann v. Nadler Golf Car Sales, Inc d. Hewlett-Packard v. EMC Corp
b. Wang Laboratories, Inc v. Toshiba Corp
CH 11 Quiz In what state is sending unsolicited e-mail illegal? a. Florida b. Washington c. Maine d. New York
b. Washington
CH 15 Review At trial as a fact or expert witness, what must you always remember about your testimony? a. You're responsible for the outcome of the case b. Your duty is to report your technical or scientific findings or render an honest opinion c. Avoid mentioning how much you were paid for your services d. All of the above
b. Your duty is to report your technical or scientific findings or render an honest opinion
Chapter 6 In general, what would a lightweight forensics workstation consist of? a. a tablet with peripherals and forensics apps b. a laptop computer built into a carrying case with a small selection of peripheral options c. a laptop computer with almost as many bays and peripherals as a tower d. a tower with several bays and many peripheral devices
b. a laptop computer built into a carrying case with a small selection of peripheral options
CH 14 Quiz If a report is long and complex, you should include a(n) _____________. a. appendix b. abstract c. glossary d. table of contents
b. abstract
Chapter 3 Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files? a. advanced forensics disk b. advanced forensic format c. advanced capture image d. advanced open capture
b. advanced forensic format
Chapter 6 What program serves as the GUI front end for accessing Sleuth Kit's tools? a. DetectiveGUI b. Autopsy c. KDE d. SMART
b. Autopsy
CH 11 Quiz E-mail administrators may make use of ???, which overwrites a log file when it reaches a specified size or at the end of a specified time frame. a. log recycling b. circular logging c. log purging d. log cycling
b. circular logging
CH 14 Quiz The ________________ section of a report starts by referring to the report's purpose, states the main points, draws conclusions, and possibly renders an opinion. a. body b. conclusion c. appendix d. reference
b. conclusion
CH 16 Quiz Before allowing an attorney to describe any case details, determine who the parties are to reduce the possibility of a _______________. a. collaboration b. conflict c. mistrial d. contradiction
b. conflict
Chapter 1 ??? is not one of the functions of the investigations triad. a. digital investigations b. data recovery c. vulnerability threat assessment and risk management d. network intrusion detection and incident response
b. data recovery
Chapter 3 The Linux command ??? can be used to write bit-stream data to files. a. write b. dd c. cat d. dump
b. dd
Chapter 1 The ??? is responsible for analyzing data and determining when another specialist should be called in to assist with analysis. a. digital evidence recorder b. digital evidence specialist c. digital evidence analyst d. digital evidence examiner
b. digital evidence specialist
CH 15 Quiz The ____ is the most important part of testimony at a trial. a. cross-examination b. direct examination c. rebuttal d. motions in limine
b. direct examination
CH 15 Quiz There are two types of depositions: ____ and testimony preservation. a. examination b. discovery c. direct d. rebuttal
b. discovery
Chapter 2 How often should hardware be replaced within a forensics lab? a. every 6 to 12 months b. every 12 to 18 months c. every 18 to 24 months d. every 24 to 30 months
b. every 12 to 18 months
CH 14 Quiz An ___________________ is a document that serves as a guideline for knowing what questions to expect when you're testifying. a. testimony procedure b. examination plan c. planned questionnaire d. testimony excerpt
b. examination plan
CH 12 Quiz Because mobile phones are seized at the time of arrest, a search warrant is not necessary to examine the device for information. a. true b. false
b. false
CH 12 Quiz Most Code Division Multiple Access networks conform to IS-95. The systems are referred to as CDMAOne, and when they went to 3G service, they became CDMAThree a. true b. false
b. false
CH 14 Quiz An expert's opinion is governed by FRCP, Rule 26, and the corresponding rule in many states. a. true b. false
b. false
CH 14 Quiz Expert witnesses are not required to submit a written report for civil cases. a. true b. false
b. false
CH 15 Quiz Like a job resume, your CV (curriculum vitae) should be geared for a specific trial. a. true b. false
b. false
CH 15 Quiz You should create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your report. a. true b. false
b. false
CH 16 Quiz Expert opinions cannot be presented without stating the underlying factual basis. a. true b. false
b. false
CH 16 Quiz The American Bar Association (ABA) is a licensing body. a. true b. false
b. false
Chapter 1 Signed into law in 1973, the ??? was/were created to ensure consistency in federal proceedings. a. federal proceeding law b. federal rules of evidence c. federal consistency standards d. federal proceedings rules
b. federal rules of evidence
CH 16 Quiz ____ questions can give you the factual structure to support and defend your opinion. a. rapid-fire b. hypothetical c. setup d. compound
b. hypothetical
CH 16 Quiz People who fear having their ______________ acts revealed feel as though they must protest the ________________ acts of others being revealed. a. legal b. improper c. secret d. public
b. improper
Chapter 1 The sale of sensitive or confidential company information to a competitor is known as ??? a. industrial sabotage b. industrial espionage c. industrial collusion d. industrial betrayal
b. industrial espionage
Chapter 2 ??? is a specialized viewer software program. a. FastView b. IrfanView c. ThumbsLoader d. absee
b. IrfanView
Chapter 8 What file type starts at offset 0 with a hexadecimal value of FFD8? a. TIFF b. JPEG c. XDG d. BMP
b. JPEG
CH 10 Quiz At what layers of the OSI model do most packet analyzers function? a. layer 1 or 2 b. layer 2 or 3 c. layer 3 or 4 d. layer 4 or 5
b. layer 2 or 3
Chapter 4 ??? would not be found in an initial-response field kit. a. computer evidence bags (antistatic bags) b. leather gloves and disposable gloves c. a digital camera with extra batteries or 35 mm camera with film and flash d. external USB devices or a portable hard drive
b. leather gloves and disposable gloves
Chapter 5 Addresses that allow the MFT to link to nonresident files are known as ??? a. virtual cluster numbers b. logical cluster numbers c. sequential cluster numbers d. polarity cluster numbers
b. logical cluster numbers
Chapter 8 The Lempel-Ziv-Welch (LZW) algorithm is used in _____________ compression. a. lossy b. lossless c. vector quantization d. adaptive
b. lossless
Chapter 4 What should you do while copying data on a suspect's computer that is still live? a. open files to view contents b. make notes regarding everything you do c. conduct a Google search of unknown extensions using the computer d. check Facebook for additional suspects
b. make notes regarding everything you do
CH 13 Quiz A ??? is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed through the application's Web interface. a. configuration manager b. management plane c. backdoor d. programming language
b. management plane
CH 15 Quiz Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony. a. setup b. open-ended c. compound d. rapid-fire
b. open-ended
Chapter 3 Within the fdisk interactive menu, what character should be entered to view existing partitions? a. 1 b. p c. o d. d
b. p
Chapter 1 The term ??? describes a database containing information records about crimes that have been committed previously by a criminal. a. police ledger b. police blotter c. police blogger d. police recorder
b. police blotter
CH 16 Quiz The purpose of requesting the ________________ is to deter attorneys from communicating with you solely for the purpose of disqualifying you. a. case b. retainer c. juror list d. evidence
b. retainer
CH 11 Quiz The ??? utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook. a. fixmail.exe b. scanpst.exe c. repairpst.exe d. rebuildpst.exe
b. scanpst.exe
Chapter 4 The term ??? describes rooms filled with extremely large disk systems that are typically used by large business data centers. a. storage room b. server farm c. data well d. storage hub
b. server farm
Chapter 2 A TEMPEST facility is designed to accomplish which of the following goals? a. prevent data loss by maintaining consistent backups b. shield sensitive computing systems and prevent electronic eavesdropping on computer emissions c. ensure network security from the Internet using comprehensive security software d. protect the integrity of data
b. shield sensitive computing systems and prevent electronic eavesdropping on computer emissions
Chapter 5 What registry file contains installed programs' settings and associated usernames and passwords? a. default.dat b. software.dat c. sam.dat d. ntuser.dat
b. software.dat
CH 14 Quiz If a preliminary report is written, destroying the preliminary report after the final report is complete could be considered ______________. a. proper data security b. spoliation c. beneficial d. necessary
b. spoliation
CH 13 Quiz The Google Drive file ??? contains a detailed list of a user's cloud transactions. a. loggedtransactions.log b. sync_log.log c. transact_user.db d. history.db
b. sync_log.log
CH 14 Quiz How you format _____________ is less important than being consistent in applying formatting. a. words b. text c. paragraphs d. sections
b. text
Chapter 5 When using the file allocation table (FAT), where is the FAT database typically written to? a. the innermost track b. the outermost track c. the first sector d. the first partition
b. the outermost track
CH 14 Quiz Lawyers may request _________________ of previous testimony by their own potential experts to ensure that the experts haven't previously testified to a contrary position. a. warrants b. transcripts c. subpoenas d. evidence
b. transcripts
CH 9 QUIZ What letter should be typed into DiskEdit in order to mark a good sector as bad? a. M b. B c. T d. D
b. B
CH 9 QUIZ In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters? a. NTFS b. FAT c. HFSX d. Ext3fs
b. FAT
CH 9 QUIZ Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its malicious code from antivirus tools. a. hashing b. bit-shifting c. registry edits d. slack space
b. bit-shifting
CH 9 QUIZ Many commercial encryption programs use a technology called _____________, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure. a. key vault b. key escrow c. bump key d. master key
b. key escrow
CH 9 QUIZ In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely. a. keygrabber b. keylogger c. packet capture d. protocol analyzer
b. keylogger
CH 9 QUIZ The goal of recovering as much information as possible can result in ________________, in which an investigation expands beyond the original description because of unexpected evidence found. a. litigation b. scope creep c. criminal charges d. violations
b. scope creep
CH 13 Quiz Where is the snapshot database created by Google Drive located in Windows? a. C:/Program Files/Google/Drive b. C:/Users/username/AppData/Local//Google/Drive c. C:/Users/username/Google/Google drive d. C:/Google/drive
b. C:/Users/username/AppData/Local//Google/Drive
Chapter 7 Select below the command that can be used to display bad block information on a Linux file system, but also has the capability to destroy valuable information.
badblocks
Chapter 7 What type of block does a UNIX/Linux computer only have one of?
boot block
Chapter 5 What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume? a. $MgyMirr b. $TransAct c. $LogFile d. $Backup
c. $LogFile
CH 11 Quiz In older versions of Exchange, what type of file was responsible for messages formatted with Messaging Application Programming Interface, and served as the database file? a. .ost b. .edp c. .edb d. .edi
c. .edb
CH 11 Review Which of the following types of files can provide useful information when you're examining an e-mail server? a. .dbf files b. .emx files c. .log files d. .slf files
c. .log files
CH 11 Quiz Where does the Postfix UNIX mail server store e-mail? a. /home/username/mail b. /var/mail/postfix c. /var/spool/postfix d. /etc/postfix
c. /var/spool/postfix
CH 14 Quiz How many words should be in the abstract of a report? a. 50 to 100 words b. 100 to 150 words c. 150 to 299 words d. 200 to 250 words
c. 150 to 299 words
Chapter 8 How many different colors can be displayed by a 24-bit color pixel? a. 256 b. 65,536 c. 16,777,216 d. 4,294,967,296
c. 16,777,216
Chapter 2 How long are computing components designed to last in a normal business environment? a. 12 to 16 months b. 14 to 26 months c. 18 to 36 months d. 6 to 90 months
c. 18 to 36 months
Chapter 1 In what year was the Computer Fraud and Abuse Act passed? a. 1976 b. 1980 c. 1986 d. 1996
c. 1986
Chapter 8 All TIF files start at offset 0 with what 6 hexadecimal characters? a. 2A 49 48 b. FF 26 9B c. 49 49 2A d. AC 49 2A
c. 49 49 2A
CH 10 Quiz In VirtualBox, ___ different types of virtual network adapters are possible, such as AMD and Intel Pro adapters. a. 2 b. 4 c. 6 d. 8
c. 6
CH 12 Review SD cards have a capacity up to which of the following? a. 100 MB b. 4 MB c. 64 GB d. 500 MB
c. 64 GB
CH 11 Review To trace an IP address in an e-mail header, what type of lookup service can you use? (Choose all that apply) a. Intelius Inc's AnyWho online directory b. Verizon's http://superpages.com c. A domain lookup service, such as www.arin.net, www.internic.com, or ww.whois.net d. Any Web search engine
c. A domain lookup service, such as www.arin.net, www.internic.com, or ww.whois.net d. Any Web search engine
CH 15 Review What is the motion in limine? a. A motion to discuss the case b. The movement of molecules in a random fashion c. A pretrial motion for the purpose of excluding certain evidence d. A pretrial motion to revise the case schedule
c. A pretrial motion for the purpose of excluding certain evidence
Chapter 8 Which graphics file format below is rarely compressed? a. GIF b. JPEG c. BMP d. None of the above
c. BMP
Chapter 6 What option below is an example of a platform specific encryption tool? a. GnuPG b. TrueCrypt c. BitLocker d. Pretty Good Privacy (PGP)
c. BitLocker
CH 11 Review When you access your email, what type of computer architecture are you using? a. Mainframe and minicomputers b. Domain c. Client/Server d. None of the above
c. Client/server
CH 13 Quiz The ??? is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy agreements, security measures, questionnaires, and more. a. OpenStack Framework Alliance b. vCloud Security Advisory Panel c. Cloud Security Alliance d. Cloud Architecture Group
c. Cloud Security Alliance
CH 14 Quiz _______________ is the process of opposing attorneys seeking information from each other. a. Subpoena b. Warranting c. Discovery d. Digging
c. Discovery
Chapter 8 For all JPEG files, the ending hexadecimal marker, also known as the end of image (EOI), is ____________. a. FFD0 b. FFD8 c. FFD9 d. FFFF
c. FFD9
CH 15 Review What kind of information do fact witnesses provide during testimony? (Choose all that apply) a. Their professional opinion on the significance of evidence b. Definitions of issues to be determined by the finder of fact c. Facts only d. Observations of the results of tests they performed.
c. Facts only d. Observations of the results of tests they performed.
CH 14 Quiz The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery; the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in which it belongs", was established in what court case? a. Daubert v. Merrell Dow Pharmaceuticals, Inc b. Smith v. United States c. Frye v. United States d. Dillon v. United States
c. Frye v. United States
CH 10 Quiz In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters? a. Slow-NetworkAdapters b. Query-ipconfig c. Get-VMNetworkAdapter d. Dump-Betconfig
c. Get-VMNetworkAdapter
CH 12 Quiz Which of the NIST guidelines below requires using a modified boot loader to access RAM for analysis? a. Chip-off b. Manual extraction c. Hex dumping d. Micro read
c. Hex dumping
Chapter 1 What tool, currently maintained by the IRS Criminal Investigation Division and limited to use by law enforcement, can analyze and read special files that are copies of a disk? a. AccessData Forensic Toolkit b. DeepScan c. ILook d. PhotoRec
c. ILook
CH 12 Quiz What standard introduced sleep mode to enhance battery life, and is used with TDMA? a. IS-99 b. IS-140 c. IS-136 d. IS-95
c. IS-136
CH 12 Quiz Most Code Division Multiple Access (CDMA) networks conform to ____________ , created by the Telecommunications Industry Association (TIA). a. TS-95 b. 802.11 c. IS-95 d. IS-136
c. IS-95
CH 10 Review A layered network defense strategy puts the most valuable data where? a. In the DMZ b. In the outermost layer c. In the innermost layer d. None of the above
c. In the innermost layer
CH 9 Review Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation? a. Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly. b. Criminal investigation because law enforcement agencies have more resources at their disposal c. Internal corporate investigation because corporate investigators typically have ready access to company records. d. Internal corporate investigation because ISPs almost always turn over email and access logs when requested by a large corporation
c. Internal corporate investigation because corporate investigators typically have ready access to company records.
CH 16 Review What purpose does making your own recording during a deposition serve? a. It shows the court reporter that you do not trust him or her b. It assists you with reviewing the transcript of the deposition c. It allows you to review your testimony with your attorney during breaks. d. It prevents opposing counsel from intimidating you.
c. It allows you to review your testimony with your attorney during breaks.
CH 14 Review Which of the following statements about the legal-sequential numbering system in report writing is true? a. It's favorable because it's easy to organize and understand b. It's most effective for shorter reports c. It doesn't indicate the relative importance of information d. It's required for reports submitted in federal court
c. It doesn't indicate the relative importance of information
CH 10 Review Packet analyzers examine what layers of the OSI model? a. Layers 2 and 4 b. Layers 4 through 7 c. Layers 2 and 3 d. All layers
c. Layers 2 and 3
CH 11 Review The term "via Frontend Transport" in a header indicates that the e-mail is on which of the following? a. UNIX server b. Older NetWare Server c. Microsoft Exchange Server d. Mac Server
c. Microsoft Exchange Server
CH 10 Quiz What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses a. tcpdump b. Argus c. Ngrep d. Tcpslice
c. Ngrep
CH 14 Review Which of the following is the standard format for reports filed electronically in federal courts? a. Word b. Excel c. PDF d. HTML e. Any of the above
c. PDF
Chapter 3 ??? is the utility used by the ProDiscover program for remote access. a. SubSe7en b. L0pht c. PDServer d. VNCServer
c. PDServer
Chapter 3 ??? creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID. a. Runtime Software b. RaidRestore c. R-Tools R-Studio d. FixitRaid
c. R-Tools R-Studio
CH 12 Quiz Where is the OS stored on a smartphone? a. RAM b. Microprocessor c. ROM d. Read/write flash
c. ROM
CH 12 Review In which of the following cases did the U.S. Supreme Court require using a search warrant to examine the contents of mobile devices? a. Miles v. North Dakota b. Smith v. Oregon c. Riley v. California d. Dearborn v. Ohio
c. Riley v. California
Chapter 5 What registry file contains user account management and security settings? a. default.dat b. software.dat c. SAM.dat d. Ntuser.dat
c. SAM.dat
CH 13 Quiz What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing a. Amazon EC2 b. IBM Cloud c. Salesforce d. HP Helion
c. Salesforce
Chapter 6 In what mode do most software write-blockers run? a. RW mode b. Ala mode c. Shell mode d. GUI mode
c. Shell mode
CH 9 Review In steganalysis, cover-media is which of the following?
c. The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file
CH 9 QUIZ When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented? a. Inventory and documentation information should be stored on a drive and then the drive should be reformatted. b. Start the suspect's computer and begin collecting evidence. c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS. d. Connect the suspect's computer to the local network so that up to date forensics utilities can be utilized.
c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
CH 11 Review Router logs can be used to verify what types of email data? a. Message content b. Content of Attached files c. Tracking flows through e-mail server ports d. Finding blind copies
c. Tracking flows through email server ports
Chapter 3 Which option below is not a Linux live CD meant for use as a digital forensics tool? a. Penguin Sleuth b. Kali Linux c. Ubuntu d. CAINE
c. Ubuntu
CH 15 Review If you're giving an answer that you think your attorney should follow up on, what should you do? a. Change the tone of your voice b. Argue with the attorney who asked the question c. Use an agreed-on expression to alert the attorney to follow up on the question d. Try to include as much information in your answer as you can.
c. Use an agreed-on expression to alert the attorney to follow up on the question
Chapter 8 In simple terms, _____________ compression discards bits in much the same way rounding off decimal values discards numbers. a. Huffman b. Lempel-Ziv-Welch (LZW) c. Vector Quantization d. Adaptive Quantization
c. Vector Quantization
CH 10 Quiz What processor instruction set is required in order to utilize virtualization software a. AMD-VT b. Intel VirtualBit c. Virtual Machine Extensions (VMX) d. Virtual HardwareExtensions (VHX)
c. Virtual Machine Extensions (VMX)
CH 13 Quiz Which of the following is NOT a service level for the cloud a. Platform as a service b. Infrastructure as a service c. Virtualization as a service d. Software as a service
c. Virtualization as a service
CH 16 Review Contingency fees can be used to compensate an expert under which circumstances? a. When the expert is too expensive to compensate at the hourly rate b. When the expert is willing to accept a contingency fee arrangement c. When the expert is acting only as a consultant, not a witness d. All of the above
c. When the expert is acting only as a consultant, not a witness
CH 13 Quiz What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds a. HP Helion b. Amazon EC2 c. XenServer and XenCenter Windows Management Console d. Cisco Cloud Computing
c. XenServer and XenCenter Windows Management Console
CH 16 Review What are some risks of using tools you have created yourself? a. The tool might not perform reliably b. The judge might be suspicious of the validity of the results c. You might have to share the tool's source code with opposing counsel for review d. The tool doesn't generate the reports in a standard format
c. You might have to share the tool's source code with opposing counsel for review
Chapter 1 If a police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit a(n) ??? a. exhibit b. verdict c. affidavit d. memo
c. affidavit
Chapter 1 ??? describes an accusation of fact that a crime has been committed. a. attrition b. attribution c. allegation d. assignment
c. allegation
Chapter 4 Which system below can be used to quickly and accurately match fingerprints in a database? a. fingerprint identification database (FID) b. systemic fingerprint database (SFD) c. automated fingerprint identification system (AFIS) d. dynamic fingerprint matching system (DFMS)
c. automated fingerprint identification system (AFIS)
Chapter 3 What is the name of the Microsoft solution for whole disk encryption? a. drivecrypt b. truecrypt c. bitlocker d. securedrive
c. bitlocker
Chapter 2 What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations? a. certified computer crime investigator b. certified forensic computer examiner c. certified cyber forensics professional d. encase certified examiner
c. certified cyber forensics professional
Chapter 1 The ??? is not one of the three stages of a typical criminal case. a. complaint b. investigation c. civil suit d. prosecution
c. civil suit
CH 15 Quiz Sometimes opposing attorneys ask several questions inside one question; this practice is called a ____ question. a. leading b. hypothetical c. compound d. rapid-fire
c. compound
Chapter 5 What term below describes a column of tracks on two or more disk platters? a. sector b. cluster c. cylinder d. header
c. cylinder
Chapter 3 The ??? command was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory. a. dd b. split c. dcfldd d. echo
c. dcfldd
CH 14 Quiz A report using the _________________ system divides material into sections and restarts numbering with each main section. a. numerically ordered b. hierarchical c. decimal numbering d. number formatted
c. decimal numbering
Chapter 8 The process of converting raw picture data to another format is called _________________. a. splicing b. carving c. demosaicing d. vector quantization
c. demosaicing
CH 16 Quiz Attorneys search ____ for information on expert witnesses. a. cross-examination banks b. examination banks c. deposition banks d. disqualification banks
c. deposition banks
Chapter 1 After a judge approves and signs a search warrant, the ??? is responsible for the collection of evidence as defined by the warrant. a. digital evidence recorder b. digital evidence specialist c. digital evidence first responder d. digital evidence scene investigator
c. digital evidence first responder
Chapter 5 What command below can be used to decrypt EFS files? a. cipher b. copy c. efsrecvr d. decrypt
c. efsrecvr
Chapter 1 A chain-of-evidence form, which is used to document what has and had not been done with the original evidence and forensic copies of the evidence, is also known as a(n) ??? a. single-evidence form b. multi-evidence form c. evidence custody form d. evidence tracking form
c. evidence custody form
Chapter 5 Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, Secure Digital Extended Capacity (SDXC) cards, and memory sticks: a. FAT12 b. FAT32 c. exFAT d. VFAT
c. exFAT
Chapter 1 ??? must be included in an affidavit to support an allegation in order to justify a warrant. a. verdicts b. witnesses c. exhibits d. subpoenas
c. exhibits
Chapter 8 What format was developed as a standard for storing metadata in image files? a. jpeg b. tif c. exif d. bitmap
c. exif
Chapter 6 A keyword search is part of the analysis process within what forensic function? a. reporting b. reconstruction c. extraction d. acquisition
c. extraction
CH 13 Quiz The ??? Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system a. read_filejournal b. filetx.log c. filecache.dbx d. filecache.dll
c. filecache.dbx
Chapter 2 In order to qualify for the advanced certified computer forensic technician certification, a candidate must have ??? years of hands-on experience in computer forensics investigations. a. two b. three c. five d. six
c. five
Chapter 1 Which amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure? a. first amendment b. second amendment c. fourth amendment d. fifth amendment
c. fourth amendment
Chapter 5 What term is used to describe a disk's logical structure of platters, tracks, and sectors? a. cylinder b. trigonometry c. geometry d. mapping
c. geometry
Chapter 6 passwords are typically stored as one-way ??? rather than in plaintext a. hex values b. variables c. hashes d. stack spaces
c. hashes
Chapter 5 the ??? branches in HKEY_LOCAL_MACHINE/software consist of SAM, security, components, and system a. registry b. storage c. hive d. tree
c. hive
CH 14 Quiz The _________________ numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report, and each Arabic numeral is an important piece of supporting information. a. decimal b. ordered-sequential c. legal-sequential d. reverse-order
c. legal-sequential
Chapter 8 When looking at a byte of information in binary, such as 11101100, what is the first bit on the left referred to as? a. major significant bit (MSB) b. least significant bit (LSB) c. most significant bit (MSB) d. leading significant bit (LSB)
c. most significant bit (MSB)
Chapter 4 If practical, ??? team(s) should collect and catalog digital evidence at a crime scene or lab a. two b. five c. one d. three
c. one
CH 14 Quiz When writing a report, group related ideas and sentences into ___________________. a. chapters b. sections c. paragraphs d. separate reports
c. paragraphs
Chapter 4 The term ??? is used to describe someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest a. criminal b. potential data source c. person of interest d. witness
c. person of interest
CH 16 Quiz The most important laws applying to attorneys and witnesses are the ____. a. professional ethics b. rules of ethics c. rules of evidence d. professional codes of conduct
c. rules of evidence
Chapter 4 Which of the following is not done when preparing for a case? a. describe the nature of the case b. identify the type of OS c. set up covert surveillance d. determine whether you can seize the computer or digital device
c. set up covert surveillance
CH 15 Quiz Leading questions such as "Isn't it true that forensics experts always destroy their handwritten notes?" are referred to as ____ questions. a. hypothetical b. attorney c. setup d. nested
c. setup
Chapter 1 Which option below is not a standard systems analysis step? a. determine a preliminary design or approach to the case. b. obtain and copy an evidence drive c. share evidence with experts outside of the investigation d. mitigate or minimize the risks
c. share evidence with experts outside of the investigation
CH 11 Quiz The Suni Munshani v. Signal Lake Venture Fund II, LP et al. case is an example of a case that involves e-mail ??? a. destruction b. spamming c. spoofing d. theft
c. spoofing
CH 15 Quiz Regarding a trial, the term ____ means rejecting potential jurors. a. voir dire b. rebuttal c. strikes d. venireman
c. strikes
CH 11 Review On a Unix-like system, which file specifies where to save different types of e-mail log files? a. maillog b. /var/spool/log c. syslog.conf d. log
c. syslog.conf
CH 13 Quiz Which is not a valid method of deployment for a cloud a. community b. public c. targeted d. private
c. targeted
Chapter 4 Which court case established that it is not necessary for computer programmers to testify in order to authenticate computer-generated records? a. united states v wong b. united states v carey c. united states v salgado d. united states v walser
c. united states v salgado
Chapter 2 Which option below is not one of the recommended practices for maintaining a keyed padlock? a. appoint a key custodian b. take inventory of all keys when the custodian changes c. use a master key d. change locks and keys annually
c. use a master key
CH 10 Review In VirtualBox, a(n) ______ file contains settings for virtual hard drives. a. .vbox-prev b. .ovf c. .vbox d. .log
c. .vbox
CH 14 Quiz In addition to opinions and exhibits, the ______________ must specify fees paid for the expert's services and list all other civil or criminal cases in which the expert has testified. a. verbal report b. informal report c. written report d. preliminary report
c. written report
Chapter 5 Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks? a. disk track recording (DTR) b. zone based areal density (ZBAD) c. zone bit recording (ZBR) d. cylindrical head calculation (CHC)
c. zone bit recording (ZBR)
CH 9 QUIZ The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to filter known program files from view and contains the hash values of known illegal files. a. DeepScan Filter b. Unknown File Filter (UFF) c. Known File Filter (KFF) d. FTK Hash Imager
c. Known File Filter (KFF)
CH 9 QUIZ Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords: a. Last Bit b. AccessData PRTK c. OSForensics d. Passware
c. OSForensics
CH 9 QUIZ A ____________ image file containing software is intended to be bit-stream copied to floppy disks or other external media. a. fdisk b. format c. dd d. DiskEdit
c. dd
CH 9 QUIZ A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to secure the information contained inside. a. compiler b. shifter c. macro d. script
c. macro
CH 9 QUIZ The term for detecting and analyzing steganography files is _________________. a. carving b. steganology c. steganalysis d. steganomics
c. steganalysis
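Worked example for the three steganography cards above (cover-media, the LSB/MSB of a byte, and steganalysis). This is added here and is not code from the quiz or its textbook: it hides a message in the least-significant bits of a constructed 8-bit grayscale cover, extracts it again, and runs the pairs-of-values chi-square check that steganalysis uses to detect plain LSB replacement. The synthetic cover, the message and the unencrypted payload are assumptions for the demo; real tools usually encrypt the payload first, which makes the hidden bits look random but does not stop this test.

```python
"""Least-significant-bit steganography and a simple steganalysis check.
Constructed example: the 'image' is a synthetic 8-bit grayscale buffer and the
message is made up. Plain LSB replacement is used so the effect is visible to
the chi-square test; real tools usually encrypt the payload first."""


def _lcg(x: int) -> int:
    """Deterministic pseudo-random step so the example repeats exactly."""
    return (x * 1103515245 + 12345) & 0x7FFFFFFF


def make_cover(n: int) -> bytes:
    """Synthetic cover-media: a gradient with slight noise, biased toward even
    values the way real image content skews its histogram, so the LSB plane
    is not already uniform before anything is hidden in it."""
    x, out = 12345, bytearray(n)
    for i in range(n):
        x = _lcg(x)
        v = 32 + (i * 160) // n + (x >> 16) % 7 - 3      # values 29..194
        x = _lcg(x)
        if (x >> 16) % 4:                                  # 3 of 4 pixels forced even
            v &= 0xFE
        out[i] = v
    return bytes(out)


def lsb_embed(cover: bytes, message: bytes) -> bytes:
    """Replace the LSB of successive bytes with a 32-bit length, then the
    message bits (MSB first within each byte). Writing into the MSB instead
    would shift each pixel by 128 and be visible, which is why the LSB is
    the usual carrier."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("message does not fit in cover")
    out = bytearray(cover)
    for i in range(len(payload) * 8):
        bit = (payload[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    def read_bytes(count: int, start_bit: int) -> bytes:
        vals = bytearray(count)
        for i in range(count * 8):
            vals[i >> 3] |= (stego[start_bit + i] & 1) << (7 - (i & 7))
        return bytes(vals)

    length = int.from_bytes(read_bytes(4, 0), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header does not match cover size")
    return read_bytes(length, 32)


def chi_square_lsb(img: bytes) -> float:
    """Pairs-of-values test: LSB embedding drives the counts of each pair
    (2k, 2k+1) toward equality, so the statistic drops sharply on a stego file."""
    counts = [0] * 256
    for v in img:
        counts[v] += 1
    chi = 0.0
    for k in range(0, 256, 2):
        n = counts[k] + counts[k + 1]
        if n == 0:
            continue
        expected = n / 2
        chi += (counts[k] - expected) ** 2 / expected
        chi += (counts[k + 1] - expected) ** 2 / expected
    return chi


SECRET = (b"meet at the dead drop at 0300; bring the ledger. " * 10)[:480]  # constructed


def demo() -> dict:
    cover = make_cover(4096)
    stego = lsb_embed(cover, SECRET)
    return {
        "recovered": lsb_extract(stego),
        "chi_cover": chi_square_lsb(cover),
        "chi_stego": chi_square_lsb(stego),
        "bytes_changed": sum(a != b for a, b in zip(cover, stego)),
    }


if __name__ == "__main__":
    r = demo()
    print(f"chi-square cover={r['chi_cover']:.0f} stego={r['chi_stego']:.0f}, "
          f"{r['bytes_changed']} bytes changed, recovered: {r['recovered'] == SECRET}")
```

The statistic is only meaningful relative to a baseline for the same kind of cover; on its own a low value is a lead, not proof, and a suspect file should be compared against an unmodified copy or against the tool's known signature before a conclusion goes in a report.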
Chapter 7 The Mac OS reduces file fragmentation by using _______________.
clumps
Chapter 6 The ProDiscover utility makes use of the proprietary ??? file format a. .img b. .pro c. .iso d. .eve
d. .eve
CH 10 Quiz The ___ disk image file format is associated with the VirtualBox hypervisor a. .vmdk b. .hdd c. .vhd d. .vdi
d. .vdi
CH 11 Quiz Which option below is the correct path to the sendmail configuration file a. /var/etc/sendmail.cf b. /var/mail/sendmail.cf c. /usr/local/sendmail.cf d. /etc/mail/sendmail.cf
d. /etc/mail/sendmail.cf
CH 11 Quiz On a UNIX system, where is a user's mail stored by default a. /var/mail b. /var/log/mail c. /username/mail d. /home/username/mail
d. /home/username/mail
CH 11 Quiz Syslog is generally configured to put all e-mail related log information into what file a. /usr/log/mail.log b. /var/log/messages c. /proc/mail d. /var/log/maillog
d. /var/log/maillog
CH 13 Quiz In a prefetch file, the application's last access date and time are at offset ??? a. 0x80 b. 0x88 c. 0xD4 d. 0x90
d. 0x90
CH 15 Quiz Jurors typically average just over ____ years of education and an eighth-grade reading level. a. 9 b. 10 c. 11 d. 12
d. 12
Chapter 2 In order to qualify for the certified computer forensic technician, basic level certification, how many hours of computer forensics training are required? a. 10 b. 20 c. 30 d. 40
d. 40
CH 15 Quiz If a microphone is present during your testimony, place it ____ to eight inches from you. a. 3 b. 4 c. 5 d. 6
d. 6
CH 16 Quiz FRE ____ describes whether the basis for the testimony is adequate. a. 700 b. 701 c. 702 d. 703
d. 703
CH 12 Quiz What frequencies can be used by GSM with the TDMA technique a. 1200 to 1500 MHz b. 2.4 GHz to 5.0 GHz c. 600 to 1000 MHz d. 800 to 1000 MHz
d. 800 to 1000 MHz
Chapter 2 What percentage of consumers utilize intel and AMD PCs? a. 60 b. 70 c. 80 d. 90
d. 90
CH 16 Quiz The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients. a. HTCIA b. IACIS c. ISFCE d. ABA
d. ABA
CH 16 Quiz ____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities. a. AMA's law b. ABA's model rule c. ABA's model codes d. APA's ethics code
d. APA's ethics code
CH 11 Review Logging options on many email servers can be: a. Disabled by the administrator b. Set up in a circular logging configuration c. Configured to a specified size before being overwritten d. All of the above
d. All of the above
CH 14 Review An expert witness can give an opinion in which of the following situations? a. The opinion, inferences, or conclusions depend on special knowledge, skills, or training not within the ordinary experience of lay people b. The witness is shown to be qualified as a true expert in the field c. The witness testifies to a reasonable degree of certainty (probability) about his or her opinion, inference, or conclusion. d. All of the above
d. All of the above
CH 12 Quiz The _______________ component is made up of radio transceiver equipment that defines cells and communicates with mobile phones; sometimes referred to as a "cell phone tower". a. Base station controller (BSC) b. Mobile switching center (MSC) c. Base transceiver controller (BTC) d. Base transceiver station (BTS)
d. Base transceiver station (BTS)
CH 9 Review For which of the following reasons should you wipe a target drive? a. To ensure the quality of digital evidence you acquire b. To make sure unwanted data isn't retained on the drive c. neither of the above d. Both a and b
d. Both a and b
CH 13 Quiz Select the folder below that is most likely to contain Dropbox files for a specific user a. C:\User\username\AppData\Dropbox b. C:\Dropbox c. C:\Users\Dropbox d. C:\Users\username\Dropbox
d. C:\Users\username\Dropbox
CH 14 Review When writing a report, what's the most important aspect of formatting? a. A neat appearance b. Size of the font c. Clear use of symbols and abbreviations d. Consistency
d. Consistency
CH 12 Quiz What digital network technology is a digital version of the original analog standard for cell phones? a. GSM b. CDMA c. iDEN d. D-AMPS
d. D-AMPS
CH 13 Review What are the two states of encrypted data in a secure cloud? a. RC4 and RC5 b. CRC-32 and UTF-16 c. Homomorphic and AES d. Data in motion and data at rest
d. Data in motion and data at rest
Chapter 2 Which file system below is utilized by the xbox gaming system? a. NTFS b. ReFS c. EXT d. FATX
d. FATX
CH 11 Quiz Select the program below that can be used to analyze mail from Outlook, Thunderbird, and Eudora a. AccessData FTK b. DataNumen c. R-Tools R-Mail d. Fookes Aid4Mail
d. Fookes Aid4Mail
CH 11 Quiz In order to retrieve logs from Exchange, the PowerShell script ??? can be used a. GetExchangeLogs.ps1 b. GetLogInfo.ps1 c. ShowExchangeHistory.ps1 d. GetTransactionLogStats.ps1
d. GetTransactionLogStats.ps1
CH 12 Quiz Select below the option that is not a typical feature of smartphones on the market today: a. Microprocessor b. Flash c. ROM d. Hard drive
d. Hard drive
CH 9 QUIZ Which option below is not a disk management tool? a. Partition Magic b. Partition Master c. GRUB d. HexEdit
d. HexEdit
Chapter 3 Which technology below is not a hot-swappable technology? a. usb-3 b. firewire 1394A c. SATA d. IDE
d. IDE
Chapter 6 What algorithm is used to decompress windows files? a. Fibonacci b. zopfli c. Shannon-fano d. Lempel-ziv
d. Lempel-ziv
Chapter 8 Select below the utility that is not a lossless compression utility: a. PKZip b. WinZip c. StuffIt d. Lzip
d. Lzip
CH 13 Quiz Metadata in a prefetch file contains an application's ??? times in UTC format and a counter of how many times the application has run since the prefetch file was created a. startup / access b. log event c. ACL d. MAC
d. MAC
CH 10 Quiz The NSA's defense in depth (DiD) strategy contains three modes of protection. Which option below is not one of the three modes a. People b. Technology c. Operations d. Management
d. Management
CH 11 Quiz Exchange uses an Exchange database and is based on the ???, which uses several files in different combinations to provide e-mail service a. Microsoft Mail Storage Engine (MSE) b. Microsoft Stored Mail Extension (SME) c. Microsoft Extended Mail Storage (EMS) d. Microsoft Extensible Storage Engine (ESE)
d. Microsoft Extensible Storage Engine (ESE)
CH 12 Quiz Which component of cell communication is used to route digital packets for the network and relies on a database to support subscribers? a. Base station controller (BSC) b. Base transceiver station (BTS) c. Base transceiver controller (BTC) d. Mobile switching center (MSC)
d. Mobile switching center (MSC)
CH 9 QUIZ The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but does not list hash values of known illegal files. a. Open Hash Database b. HashKeeper Online c. National Hashed Software Reference d. National Software Reference Library
d. National Software Reference Library
CH 10 Quiz Select below the option that is not a common type 1 hypervisor a. VMware vSphere b. Microsoft Hyper-V c. Citrix XenServer d. Oracle VirtualBox
d. Oracle VirtualBox
CH 12 Quiz Nonvolatile memory on a mobile device can contain OS files and stored user data, such as a __________________ and backed-up files. a. Professional Data Holder b. Personal Assistant Organizer c. Personal Data Manager d. Personal Information Manager
d. Personal Information Manager
CH 9 Review Block-wise hashing has which of the following benefits for forensics examiners?
d. Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive.
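Worked example for the block-wise hashing card above and, by contrast, the whole-file hash sets of the KFF and NSRL cards. This is added here and is not the textbook's or any tool's code: it hashes every 512-byte sector of a known file, then walks a suspect image sector by sector and reports where those sector hashes reappear, which is how remnants of a deleted or partly overwritten file are found when a whole-file hash would no longer match. The sample file and image are constructed in the block; the sector-aligned walk is an assumption (fragments that were written unaligned need a byte-stride scan, which costs 512 times more hashing).

```python
"""Block-wise (sector) hashing: hash each 512-byte sector of a known file and
look for those hashes inside a suspect image. Constructed example, not code
from the quiz's textbook or from any forensic tool."""
import hashlib

SECTOR = 512


def sector_hashes(data: bytes, sector: int = SECTOR) -> dict:
    """Map SHA-256(sector) -> sector index for every sector of the known file.
    All-zero sectors are skipped because they match unallocated space everywhere
    and prove nothing; a trailing partial sector is hashed as-is."""
    table = {}
    for i in range(0, len(data), sector):
        chunk = data[i:i + sector]
        if chunk.count(0) == len(chunk):
            continue
        table.setdefault(hashlib.sha256(chunk).hexdigest(), i // sector)
    return table


def scan_image(image: bytes, table: dict, sector: int = SECTOR) -> list:
    """Walk the image one sector at a time (assumes sector-aligned remnants)
    and return (image_offset, known_sector_index) for each hit."""
    hits = []
    for off in range(0, len(image) - sector + 1, sector):
        digest = hashlib.sha256(image[off:off + sector]).hexdigest()
        if digest in table:
            hits.append((off, table[digest]))
    return hits


def build_demo():
    """Constructed data: a 4-sector 'known good' file and a 16-sector image in
    which only sectors 1 and 2 of that file survive, at image sectors 9 and 10.
    A whole-file hash of the image would never match; sector hashes do."""
    known = b"".join(bytes([i]) * SECTOR for i in range(1, 5))
    filler = b"\xaa\x55" * (SECTOR // 2)
    sectors = [filler] * 16
    sectors[9] = known[1 * SECTOR:2 * SECTOR]
    sectors[10] = known[2 * SECTOR:3 * SECTOR]
    return known, b"".join(sectors)


def find_remnants() -> list:
    known, image = build_demo()
    return scan_image(image, sector_hashes(known))


if __name__ == "__main__":
    for off, idx in find_remnants():
        print(f"image offset {off:#x} matches known sector {idx}")
```

In practice the table holds sector hashes for many known files (the known-good side of a filter) or for a handful of files of interest; with SHA-256 the chance of a false match is negligible, but a hit on a sector that is common to many files (headers, padding, shared library code) still has to be judged in context before it is reported as a remnant of one specific file.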
CH 10 Quiz Select below the program within the PsTools suite that allows you to run processes remotely a. PsService b. PsPasswd c. PsRemote d. PsExec
d. PsExec
Chapter 3 Which RAID type utilizes mirrored striping, providing fast access and redundancy? a. RAID 1 b. RAID 3 c. RAID 5 d. RAID 10
d. RAID 10
Chapter 3 Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data? a. RAID 1 b. RAID 2 c. RAID 3 d. RAID 5
d. RAID 5
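Worked example for the two RAID cards above, added here and not taken from the textbook or any vendor: a RAID 5 layout with one parity block per stripe, rotated across the disks, and the XOR rebuild that recovers every block of any single lost disk from the survivors. The block size and the left-symmetric parity rotation are assumptions; real controllers differ in stripe size, rotation order and disk order, and an examiner has to establish those from the images before reassembling an array. RAID 10 needs no arithmetic at all: each stripe of the RAID 0 set is simply mirrored.

```python
"""RAID 5 parity rebuild. Constructed example, not any controller's layout:
parity block rotates across disks, any single lost disk is XOR of the rest."""

BLOCK = 4  # bytes per block; tiny so the stripes are readable in the output


def xor_blocks(blocks) -> bytes:
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, ndisks: int, block: int = BLOCK) -> list:
    """Return one list of blocks per disk. Stripe s keeps its parity on disk
    (ndisks - 1 - s) % ndisks and its data blocks on the other disks in order."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = block * (ndisks - 1)
    data = data.ljust(-(-len(data) // per_stripe) * per_stripe, b"\x00")
    disks = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        base = s * per_stripe
        chunks = [data[base + i * block: base + (i + 1) * block] for i in range(ndisks - 1)]
        parity_disk = (ndisks - 1 - s) % ndisks
        remaining = iter(chunks)
        for d in range(ndisks):
            disks[d].append(xor_blocks(chunks) if d == parity_disk else next(remaining))
    return disks


def raid5_read(disks: list, missing=None) -> bytes:
    """Reassemble the data; if disk index `missing` is unavailable, rebuild each
    of its blocks from the XOR of the surviving blocks in the same stripe
    (parity or data, the identity holds either way)."""
    ndisks = len(disks)
    reference = 0 if missing is None else (missing + 1) % ndisks
    out = bytearray()
    for s in range(len(disks[reference])):
        parity_disk = (ndisks - 1 - s) % ndisks
        stripe = [None if d == missing else disks[d][s] for d in range(ndisks)]
        if missing is not None:
            stripe[missing] = xor_blocks([b for b in stripe if b is not None])
        out += b"".join(stripe[d] for d in range(ndisks) if d != parity_disk)
    return bytes(out)


SAMPLE = b"forensics evidence: raid rebuild test"  # constructed payload


def rebuild_survives_any_single_loss(data: bytes, ndisks: int) -> bool:
    """True if the array reads back correctly with every single disk removed."""
    disks = raid5_write(data, ndisks)
    for lost in range(ndisks):
        if raid5_read(disks, missing=lost).rstrip(b"\x00") != data:
            return False
    return raid5_read(disks).rstrip(b"\x00") == data


if __name__ == "__main__":
    array = raid5_write(SAMPLE, 4)
    for i, disk in enumerate(array):
        print(f"disk {i}: {[b.hex() for b in disk]}")
    print("rebuilt after losing disk 2:", raid5_read(array, missing=2).rstrip(b"\x00"))
```

Two lost disks cannot be rebuilt from RAID 5 parity (each stripe then has two unknowns and one equation), which is why a failed array handed to the lab should be imaged disk by disk before anything is attempted on the controller.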
CH 12 Quiz Which of the following is not a type of peripheral memory card used in PDAs? a. Secure Digital (SD) b. Compact Flash (CF) c. Multimedia Card (MMC) d. RamBus (RB)
d. RamBus (RB)
CH 16 Review When you begin a conversation with an attorney about a specific case, what should you do? (Choose all that apply) a. Ask to meet with the attorney b. Answer his or her questions in as much detail as possible c. Ask who the parties in the case are d. Refuse to discuss details until a retainer agreement is returned
d. Refuse to discuss details until a retainer agreement is returned
CH 13 Review Evidence of cloud access found on a smartphone usually means which cloud service level was in use? a. IaaS b. HaaS c. PaaS d. SaaS
d. SaaS
Chapter 5 What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive? a. PGP full disk encryption b. Voltage SecureFile c. BestCrypt d. TrueCrypt
d. TrueCrypt
Chapter 5 Which of the following is not a valid configuration of Unicode? a. UTF-8 b. UTF-16 c. UTF-32 d. UTF-64
d. UTF-64
CH 14 Quiz Which type of report typically takes place in an attorney's office? a. Examination Plan b. Written Report c. Preliminary Report d. Verbal Report
d. Verbal Report
CH 10 Quiz What virtual machine software supports all Windows and Linux OSs as well as Macintosh and Solaris, and is provided as shareware? a. KVM b. Parallels c. Microsoft Virtual PC d. VirtualBox
d. VirtualBox
CH 13 Review When should a temporary restraining order be requested for cloud environment? a. When cloud customers need immediate access to their data b. To enforce a court order c. When anti-forensics techniques are suspected d. When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case.
d. When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case.
CH 9 QUIZ Which of the following file systems can't be analyzed by OSForensics? a. FAT12 b. Ext2fs c. HFS+ d. XFS
d. XFS
Chapter 1 An evidence custody form does not usually contain ??? a. the nature of the case b. a description of evidence c. vendor names for computer components d. a witness list
d. a witness list
CH 14 Quiz As with any research paper, write the ___________________ last. a. appendix b. body c. acknowledgements d. abstract
d. abstract
Chapter 6 The physical data copy subfunction exists under the ??? function a. reporting b. validation / verification c. extraction d. acquisition
d. acquisition
Chapter 2 Which of the following scenarios should be covered in a disaster recovery plan? a. damage caused by lightning strikes b. damage caused by flood c. damage caused by a virus contamination d. all of the above
d. all of the above
CH 15 Quiz ___ is an attempt by opposing attorneys to prevent you from serving on an important case. a. conflict of interest b. warrant c. deposition d. conflicting out
d. conflicting out
Chapter 6 When performing disk acquisition, the raw data format is typically created with the UNIX/Linux ??? command a. format b. tar c. dump d. dd
d. dd
Chapter 2 Which tool below is not recommended for use in a forensics lab? a. 2.5-inch adapters for drives b. FireWire and USB adapters c. SCSI card d. degausser
d. degusser
CH 15 Quiz A ____ differs from a trial testimony because there is no jury or judge. a. rebuttal b. plaintiff c. civil case d. deposition
d. deposition
CH 15 Quiz ____ evidence is evidence that exonerates or diminishes the defendant's liability. a. rebuttal b. plaintiff c. inculpatory d. exculpatory
d. exculpatory
CH 16 Quiz Computer forensics examiners have two roles: fact witness and ____ witness. a. professional b. direct c. discovery d. expert
d. expert
CH 13 Quiz What information below is not something recorded in Google Drive's snapshot.db file a. modified and created times b. URL pathnames c. file access records d. file SHA values and sizes
d. file SHA values and sizes
CH 11 Quiz What command below could be used on a UNIX system to help locate log directories a. show log b. detail c. search d. find
d. find
Chapter 4 ??? is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing a. second-party evidence b. rumor c. fiction d. hearsay
d. hearsay
Chapter 4 A ??? is not a private sector organization a. small to medium business b. large corporation c. non-government organization d. hospital
d. hospital
CH 12 Quiz On what mobile device platform does Facebook use a SQLite database containing friends, their ID numbers, and phone numbers as well as files that tracked all uploads, including pictures? a. Android b. Blackberry c. Windows RT d. iPhone
d. iPhone
CH 15 Quiz ____ is a written list of objections to certain testimony or exhibits. a. defendant b. empanelling the jury c. plaintiff d. motion in limine
d. motion in limine
Chapter 1 Which Microsoft OS below is the least intrusive to disks in terms of changing data? a. windows 95 b. windows xp c. windows 7 d. ms-dos 6.22
d. ms-dos 6.22
CH 10 Quiz Select the file below that is used in VirtualBox to create a virtual machine a. .vdi b. .vbox c. .r0 d. .ova
d. .ova
Chapter 6 In what temporary location below might passwords be stored? a. system32.dll b. CD-ROM drive c. Windows registry d. pagefile.sys
d. pagefile.sys
CH 13 Quiz To reduce the time it takes to start applications, Microsoft has created ??? files, which contain the DLL pathnames and metadata used by an application a. temp b. cache c. config d. prefetch
d. prefetch
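Worked example for the three prefetch cards (the offset card, the MAC-times-and-counter card, and this one). It is added here and is not the textbook's code; the offsets in it come from the prefetch format itself, not from the quiz: the last-run FILETIME sits at 0x78 in format version 17 (XP/2003) and at 0x80 in version 23 (Vista/7), and the run counter at 0x90 and 0x98 respectively, so the version field at offset 0 has to be read before any single offset is trusted. Windows 8.1 and 10 files (versions 26 and 30) keep eight run times and, on Windows 10, are MAM-compressed; this parser rejects them rather than guess. The sample header is constructed in the block.

```python
"""Parse the header of a Windows Prefetch (.pf) file: executable name,
last-run time (UTC) and run count. Constructed example; offsets are those of
format versions 17 and 23 and the sample file is built in memory."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# format version -> (offset of last-run FILETIME, offset of run counter)
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}


def from_filetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    """Integer arithmetic on purpose: the value exceeds float precision."""
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def parse_prefetch(data: bytes) -> dict:
    version, signature, _unused, _size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (bad SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]   # 29 chars + NUL
    pf_hash = struct.unpack_from("<I", data, 76)[0]               # the hash in the .pf filename
    run_off, count_off = LAYOUT[version]
    return {
        "version": version,
        "exe_name": name,
        "hash": f"{pf_hash:08X}",
        "last_run": from_filetime(struct.unpack_from("<Q", data, run_off)[0]),
        "run_count": struct.unpack_from("<I", data, count_off)[0],
    }


def build_sample(version: int, exe: str, last_run: datetime, count: int) -> bytes:
    """Constructed header only (no section data); enough for parse_prefetch."""
    run_off, count_off = LAYOUT[version]
    encoded = exe.encode("utf-16-le")
    if len(encoded) > 58:
        raise ValueError("executable name too long for the 60-byte field")
    buf = bytearray(0x100)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, len(buf))
    buf[16:76] = encoded.ljust(60, b"\x00")
    struct.pack_into("<I", buf, 76, 0x7D5C0D3B)          # arbitrary prefetch hash
    struct.pack_into("<Q", buf, run_off, to_filetime(last_run))
    struct.pack_into("<I", buf, count_off, count)
    return bytes(buf)


SAMPLE_TIME = datetime(2015, 3, 14, 9, 26, 53, tzinfo=timezone.utc)  # constructed


def demo() -> dict:
    return parse_prefetch(build_sample(23, "CALC.EXE", SAMPLE_TIME, 7))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>10}: {value}")
```

The time recovered this way is the last time Windows launched the program, independent of the .pf file's own MAC times, which is why the two are compared: a .pf whose filesystem timestamps are later than its internal last-run value has been touched by something other than the prefetcher.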
Chapter 4 ??? is a common cause for lost or corrupted evidence a. public access b. not having enough people on the processing team c. having an undefined security perimeter d. professional curiosity
d. professional curiosity
Chapter 8 The _____________ format is a proprietary format used by Adobe Photoshop. a. .tga b. .fh11 c. .svg d. .psd
d. psd
Chapter 8 Which of the following is not a type of graphic file that is created by a graphics program? a. bitmap images b. vector graphics c. metafile graphics d. raster graphics
d. raster graphics
Chapter 8 Referred to as a digital negative, the _______ is typically used on many higher-end digital cameras. a. raster file format b. bitmap file format c. jpeg file format d. raw file format
d. raw file format
Chapter 1 ??? is not recommended for a digital forensics workstation. a. a text editor tool b. a write-blocker device c. a SCSI card d. remote access software
d. remote access software
Chapter 2 Which option below is not a recommendation for securing storage containers? a. the container should be located in a restricted area b. only authorized access should be allowed, and it should be kept to a minimum c. evidence containers should remain locked when they aren't under direct supervision d. rooms with evidence containers should have a secured wireless network
d. rooms with evidence containers should have a secured wireless network
CH 14 Quiz What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in coming to those opinions? a. rule 24 b. rule 35 c. rule 36 d. rule 26
d. rule 26
CH 13 Quiz Which of the following is NOT one of the five mechanisms the government can use to get electronic information from a provider a. search warrants b. subpoenas c. court orders d. seizure order
d. seizure order
CH 13 Quiz With cloud systems running in a virtual environment, ??? can give you valuable information before, during, and after an incident a. carving b. live acquisition c. RAM d. snapshot
d. snapshot
Chapter 4 ??? does not recover data in free or slack space a. raw format acquisition b. live acquisition c. static acquisition d. sparse acquisition
d. sparse acquisition
CH 10 Quiz The ___ command line program is a common way of examining network traffic; it records network activity while it is running and can produce hundreds of thousands of records a. netstat b. ls c. ifconfig d. tcpdump
d. tcpdump
Chapter 8 Which of the following formats is not considered to be a standard graphics file format? a. gif b. jpeg c. dxf d. tga
d. tga
Chapter 4 As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state? a. the power cable should be pulled b. the system should be shut down gracefully c. the power should be left on d. the decision should be left to the digital evidence first responder (DEFR)
d. the decision should be left to the digital evidence first responder (DEFR)
Chapter 1 After the evidence has been presented in a trial by jury, the jury must deliver a(n) ??? a. exhibit b. affidavit c. allegation d. verdict
d. verdict
CH 9 QUIZ Which password recovery method uses every possible letter, number, and character found on a keyboard? a. rainbow table b. dictionary attack c. hybrid attack d. brute-force attack
d. brute-force attack
CH 9 QUIZ In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer. a. format b. fdisk c. grub d. diskpart
d. diskpart
CH 11 Quiz What type of Facebook profile is usually only given to law enforcement with a warrant a. private profile b. advanced profile c. basic profile d. Neoprint profile
d. Neoprint profile
CH 11 Review E-mail headers contain which of the following information? (Choose all that apply.) a. The sender and receiver e-mail address b. An ESMTP number or reference number c. The e-mail servers the message traveled through to reach its destination d. The IP address of the receiving server e. All of the above
e. All of the above
Chapter 7 What file is used to store any file information that is not in the MDB or a VCB?
extents overflow file
Chapter 7 The ______________ command can be used to see network interfaces.
ifconfig
Chapter 7 In a B*tree file system, what node stores link information to previous and next nodes?
index node
Chapter 7 What command below will create a symbolic link to a file?
ln -s
CH 16 Quiz What Unicode value is used to identify the Latin alphabet? a. 0x00 b. 0xF8 c. 0xAB d. 0x01
pg 578 a. 0x00
CH 16 Quiz What do the last 8 bits of a Unicode value represent? a. language identification b. character hexadecimal values c. file type identification d. font selection
pg 578 a. language identification
CH 16 Quiz On NTFS drives, Unicode values are how many bits in length? a. 8 bits b. 32 bits c. 16 bits d. 64 bits
pg 578 c. 16 bits
CH 16 Quiz What are the first 8 bits of a Unicode value used for? a. file type identification b. font selection c. character hexadecimal values d. language identification
pg 578 c. character hexadecimal values
CH 16 Quiz When converting plain text to hexadecimal for use with ProDiscover, you need to place ??? between each character's hexadecimal values. a. space (A0) values b. blank (00) values c. null (FF) values d. null (00) values
pg 578 d. null (00) values
Chapter 7 What file under the /etc folder contains the hashed passwords for a local system?
shadow