IT 226 - TEST 1 REVIEW
When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action?
80 degrees or higher
What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?
A warrant
What is the best approach to handling the expectation of privacy by employees in the event an investigation needs to be carried out on company-owned digital assets?
A well-defined published policy that clearly states that an employer has the right to examine, inspect or access company-owned assets.
Sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence.
Affidavit
What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?
An affidavit
Computer crime
Any crime involving the use of a computer system
When federal courts are evaluating digital evidence from computer-generated records, what exception is applied to hearsay?
Business-records exception
Which of the following are ideal examples of storage media?
CD's & Magnetic Tape
What is the term for tracking evidence in an investigation?
Chain of Custody
What type of records are considered data that the system maintains, such as system log files and proxy server logs?
Computer-generated
What term refers to a column of tracks on two or more disk platters?
Cylinder
Hashing algorithms are used on evidence files to uphold the chain of custody in an investigation. Which of the following is NOT a hashing algorithm?
DAT-1
What is the most common and flexible data-acquisition method
Disk-to-image file copy
Which acronym refers to the file structure database that Microsoft originally designed for floppy disks?
FAT
Which of the following is NOT an example of a Microsoft file system?
FAT28
Which of the following CANNOT be used as a forensics data acquisition format?
FTK
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.
False
For daily work production, several examiners can work together in a large open area, as long as they all have different levels of authority and access needs.
False
What Amendment to the U.S. Constitution provides protection against unlawful searches and seizures?
Fourth Amendment
If you face an investigation where dangerous substances might be around, you may need to obtain which of the following?
HAZMAT certificate
MD5 and SHA1 are examples of which of the following:
Hashing Algorithms
Why should companies publish a policy stating their right to inspect computing assets at will?
If a company doesn't display a warning banner or publish a policy statingthat it reserves the right to inspect computing assets at will, employees have an expectation of privacy.
What should you do when working on an Internet investigation and the suspect's computer is on?
If you're working on a network or Internet investigation and the computer is on, save data in any current applications as safely as possible and record all active windows or shell sessions. Don't examine folders or network connections or press any keys unless it's necessary.
Involves selling sensitive or confidential company information to a competitor.
Industrial espionage
How can you secure a computer incident or crime scene?
Investigators secure an incident or crime scene to preserve the evidence and to keep information about the incident or crime confidential. Information made public could jeopardize the investigation.
What does Autopsy use to validate an image
MD5
What is on an NTFS disk immediately after the Partition Boot Sector?
MFT
What is most often the focus of digital investigations in the private sector?
Misuse of digital assets
Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?
NTFS
What is a good resource for known OSs and applications?
National Software Resource Library (NSRL)
What type of evidence do courts consider evidence data in a computer to be?
Physical
When investigators find evidentiary items that aren't specified in a warrant or under probable cause, what type of doctrine applies?
Plainview Doctrine
Mobile device forensics
Preservation and analysis of cell phones, smart phones, and satellite navigation (GPS) systems
Computer forensics
Preservation and analysis of computers
Malware forensics
Preservation and analysis of malicious code such as viruses, worms, and Trojan horse programs
Network forensics
Preservation and analysis of traffic and logs from networks
What is the first rule of digital forensics and subsequent analysis of evidence?
Preserve the original evidence, and analyze a copy only
Without a warning banner, what right might employees assume they have when using a company's computer systems and network accesses?
Privacy
What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest?
Probable cause
What investigator characteristic, which includes ethics, morals, and standards of behavior, determines the investigator's credibility?
Professional conduct
The presence of police officers and other professionals who aren't part of the crime scene-processing team may result in the loss or corruption of data through which process?
Professional curiosity
Which type of format acquisition leaves the investigator unable to share an image between different vendors' computer forensics analysis tools?
Proprietary
Which RAID configuration, also called mirrored striping, is a combination of RAID 1 and RAID 0
RAID 10
At a minimum, what do most company policies require that employers have in order to initiate an investigation?
Reasonable suspicion that a law or policy is being violated.
Which of the following keeps a record of attached hardware, user preferences, network connections, and installed software?
Registry
If your time is limited, what type of acquisition data copy method should you consider?
Sparse
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.
True
The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.
True
Under what circumstances are digital records considered admissible?
business records
Of the following methods for acquiring data for forensic analysis, which of the following is NOT one of them?
data-to-data file
What command creates a raw format file that most computer forensics analysis tools can read?
dd
Which Linux command is used to create a forensic copy of an image?
dd
The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
digital forensics
Specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.
line of Authority
Yields information about how attackers gain access to a network along with files they might have copied, examined, or tampered with.
network forensics
In addition to md5, which hashing algorithm utility is included with current distributions of Linux?
sha1