Intro to Digital Forensics
Choose the encoding scheme used for the English language
American Standard Code for Information Interchange (ASCII)
According to the author, which of the following is most volatile when prioritizing the evidence?
CPU
Which of the following meets a series of strict legal requirements before evidence is presented in court?
Chain of custody
Legal authority can be negotiated before taking a computer off-premises in:
Civil Case
Which of the following is not a type of proficiency test?
Dependent
Which of the following are forensic image formats?
E01, .001, .AD1
Which of the following represents an image of a document to be printed?
EMF
A file type can always be identified by the file extension.
False
A tool validation process clearly demonstrates that the tool is licensed.
False
According to the author, any writes to the evidence will not compromise its integrity and/or jeopardize its admissibility.
False
According to the author, interacting with a running computer, in any way, will not cause changes to the system.
False
According to the author, a forensic bag is one way to prevent a network signal from reaching the phone.
False
According to the author, a forensic clone is a backup copy of a hard drive.
False
According to the author, data is generally created in three ways: electromagnetism, microscopic electrical transistors (flash), and thumb drives.
False
Active data is classified as deleted or partially overwritten.
False
Improving the quality of laboratory services provided to the social media system is an objective of ASCLD/LAB.
False
Search Authority is always the final step in any forensic process.
False
The File Allocation Table (FAT) can be expressed as FATX, FAT32, NTFS, FAT16, and FAT12.
False
The NTUSER.DAT file is located in the subfolder config.
False
The best scientific evidence in the world is valuable only if it's inadmissible in a court of law.
False
There are 512 bits found in each sector.
False
Which of the following, in the examiner's report, can assist our intended audience in wading through any unfamiliar jargon and acronyms?
Glossary
In terms of power-saving functions, which of the following is where we start to see some potential investigative benefit?
Hibernation
The author describes a process known as Document and Media Exploitation (DOMEX) as paying large dividends and providing _______ to support soldiers on the ground.
Intelligence
Which of the following tests is conducted by the agency?
Internal
According to the author, the most common hash functions used in digital forensics are
MD5
Which of the following has launched the Computer Forensic Tool Testing Project (CFTT)?
NIST
Which of the following applies when the analyst is aware of being tested?
Open
Which of the following is not a type of quality assurance proficiency test?
Oral
The shadow copies provide the source data for ___________.
Restore Points
The virtual lab arrangement allows for a distinct _______ access.
Role-based
Which of the following elements ensures valid and reliable results are produced and justice is served in all types of laboratory setups?
Standard Operating Procedures & Quality Assurance, Accreditation & Certification
The first "link" in the chain of custody in any case is:
The person collecting the evidence
A forensic examination may be conducted on the original evidence in exigent circumstances.
True
According to the author, JavaScript is a server-side technology.
True
Information is added to the message header from each server along the delivery path of the email message.
True
Internet Message Access Protocol (IMAP) is a two-way communication protocol used by clients to access email on a server.
True
Link files are shortcuts which have date and time stamps.
True
Metadata is most often defined as data about data.
True
Restore points are snapshots of key system settings and configuration at a specific moment in time.
True
Shadow copies provide the source data for restore points.
True
The browser uses the HTML protocol to send a "get" request to the web server hosting a website.
True
The chain of custody requires tracking each and every time the evidence item(s) changes hands or locations.
True
The operating system of Windows 7 creates a thumbnail cache file called thumbs.db.
True
The registry consists of both NTUSER.DAT and the five (5) root-level keys or hives.
True
The tool validation process is an aspect of our digital forensics that is committed to paper.
True
Which of the listed date/time stamps is updated whenever a file is accessed by the file system?
accessed
Which of the following is the "best" choice when digital evidence can also be valuable for incidents other than litigation and matters of national security?
administrative matters
Which of the following are possible solutions for protecting cell phones from network signals?
aluminum foil, paint can, Faraday bag
Which of the following steps involves the examiner's use of their skills, experience, and tools to locate and interpret artifacts found on the media?
analysis
A well documented ________ is essential to maintain the integrity of the evidence.
chain of custody
According to the author, what are the advantages of virtual labs?
cost savings; access to more tools and storage; access to diverse and greater expertise; reduction of unnecessary duplication of resources
Which of the listed date/time stamps frequently indicates when a file or folder was created on a particular piece of media?
created
According to the author, the FBI's crime laboratory in Quantico, Virginia, has the distinction of being the _______ forensic lab in the ______.
largest, world
What type of forensic examinations are conducted in the University of Akron High-Technology Forensics Laboratory?
mobile, network, computer, and video
Which of the listed date/time stamps are set when a file is altered in any way and then saved?
modified
Which of the storage items/terms below involves spaces or lands?
optical storage
Which of the following are the most volatile evidence to collect first?
routing table and ARP cache
Which of the following are snapshots of key system settings and configurations at a specific moment in time?
shadow copy
Dennis Rader, known as Bind, Torture, Kill (BTK), murdered:
ten people in Kansas from 1974 to 1991
INDEX.DAT is a binary, container-like file which holds data of value for forensic examiners.
True
The log or audit trail for evidence storage should be maintained with:
who entered, when they entered, what they removed, or what they returned
Which of the following represents the hexadecimal F?
00001111, 0x0F, 0000-1111, all of the above
Which of the following is equivalent to 0x9C in binary?
10011100
Which of the following is equivalent to eight bits and represents one byte?
10101010, 0x4A, 0101-1100, the letter A
The author states, "One of the major struggles in law enforcement is to change the paradigm of the police and get them to think of and seek out _________."
digital evidence
Which of the following is the application of computer science and investigative procedures?
digital forensics
Which of the following creates data written to a platter using a read/write head attached to an actuator arm?
electromagnetism
According to the author, lab security is always a major concern and unauthorized access is the only threat to the evidence, which must be addressed.
False
Which of the following will read a zero when it holds no charge?
flash memory
Which of the following is the application of science to solve a legal problem?
forensic science