M2 Lab Quiz

E3 contains a number of out-of-the-box options for:

sorting files into specific categories for easier analysis later.

In countries where encryption is not permitted, __________ can often be used instead.

steganography

Familiarizing yourself with the ___________ of various mail servers can help you quickly identify the source of an e-mail.

storage archives

Why might it be desirable for a forensic tool to run from a single executable file?

A single executable file means that the tool runs without an installation process, which could tamper with digital evidence documentation.

What kind of forensic tools provide ease of access within the imaged, virtualized, or write-blocked copy of the original system without compromising the workstation or user profiles?

Bootable

Which of the following can filter Internet Explorer history based on a date range or time viewed or a specific user profile?

BrowsingHistoryView

Which of the following reads the browser's history file and displays all of the Internet addresses the machine has visited in recent days?

BrowsingHistoryView

How do forensic investigators protect the data on the computer under investigation?

By conducting the forensic investigation on a forensic image, or copy, of the storage device.

How can the system forensic analyst ensure that no data is written to the target drive and preserve the original forensic data?

By making a copy of the target drive prior to performing the actual forensic investigation

With the files pre-sorted by E3, where would you locate a ZIP file loaded on the target evidence_drive?

Compressed category

Which of the following involves special encoding and decoding of messages or information?

Cryptography

What is the difference between data and evidence?

Data is a collection of facts from which you can draw conclusions, while evidence is a specific type of data that proves or disproves a hypothesis or accusation.

Which of the following tools can be used to identify the devices stored in the Windows Registry?

DevManView

Which of the following tools enables the forensic analyst to view a comprehensive list of all devices and their properties on a targeted computer system?

DevManView

Which of the following forensic tools is best suited to investigating a child pornography case?

E3

How is an audit trail of every machine through which an e-mail message has passed created?

Each server along the way adds its own information to the message header.

Which of the following practices enhances security for an FTP transaction?

Encrypting user names and passwords

You can adjust the sensitivity of Image Analyzer using the __________ slide ruler in the center of the page.

Engine Sensitivity

Which of the following can be used to examine a specific file type to make sure the file is not malicious?

Frhed

Which of the following is typically the first step in performing any kind of computer or digital forensic investigation?

Generating an inventory of software, licenses, security settings, hardware, and network settings

The main purpose of a tool like __________ is to generate an inventory of software, licenses, security settings, hardware, and network settings of a workstation or server system, which are critically important in a computer forensic investigation.

WinAudit

Which of the following tools would an investigator likely use to gather critically important data including installed software and software versions, event logs, security settings, groups and user accounts, open ports, and network configuration settings?

WinAudit

What tool is similar to DevManView and is already present in Microsoft Windows systems?

Windows Device Manager

Which of the following is the most widely used network protocol analyzer?

Wireshark

With the files pre-sorted by E3, where would you locate a rogue application loaded on the target evidence_drive?

Executables category

Which of the following is an incident response tool that has additional built-in features that include gathering system information, creating system images for analysis, and browsing and scanning local machine files and pictures?

Helix

Which of the following tools documents all activity during each session in an audit log that can be saved as a record of the tests conducted on the target machine?

Helix

Which of the following tools enables the user to document and record incident details under the Investigative Notes section?

Helix

A __________ such as Frhed can enable a forensic investigator to view data about a suspicious file or hidden file that may not be visible using a regular text editor.

Hex editor

Which of the following reads and displays Internet Explorer's cache folder for any user logged onto the local machine and lists all currently stored file types without looking at the cookies?

IECacheView

Which of the following tools displays all Internet Explorer cookies stored on the local machine for all users?

IECookiesView

Which of the following tools in E3 scans all images to determine if any is suspected to be pornographic or otherwise tied to potential criminal activity?

Image Analyzer

Which of the following can be used for digital watermarking, hiding data within images, or identifying the source of a given image or document (embedded copyright)?

Steganography

Which of the following is the practice of hiding private or sensitive information within something that appears to be nothing out of the ordinary?

Steganography

Which of the following replaces useless or unused data with bits of different, invisible information?

Steganography

Which of the following keeps track of your tasks as you explore the digital evidence within E3?

The Common Log

Process Explorer is similar to, but more detailed than:

The Windows Task Manager

Which one of the following statements is true regarding data on a computer under investigation?

The investigators should take precautions not to alter its data.

DevManView can be used to display device lists of another computer on a network, as long as the investigator has:

administrator access rights.

The Common Log is not manually editable, which:

allows this built-in feature to demonstrate the chain of custody in a court of law.

In ancient Greece, hiding messages within seemingly harmless messages became:

an art form.

P2 Commander is a digital forensic tool that is multi-threaded and includes __________ for faster processing.

an integrated database

The objective in computer forensics is to recover, analyze, and present computer-based material in such a way that it can be used:

as evidence in a court of law.

Frhed opens the __________ of the file itself.

byte-level data

Making a copy of the targeted image prior to performing the actual digital forensic investigation allows for a proper external digital forensic investigation that:

can be self-contained in a virtual machine (VM) environment.

It is important to follow __________ procedures to ensure there is no evidence tampering and that the original data source remains intact from the time of collection until presented in court.

chain-of-custody

In a child pornography case, the suspect's computer would be an important evidence piece if it could prove that the accused visited:

child pornography websites and uploaded and/or downloaded pornographic images.

S-Tools uses four:

common encryption algorithms.

Increasing the Engine Sensitivity:

could increase the number of false positives.

E3 includes a(n) ___________ that enables the investigator to sort, search, scan, and otherwise work with the e-mail data to find the data most relevant to the case.

e-mail analyzer

The __________ keeps a record of the message's journey as it travels through the communications network.

e-mail message header

SFTP (Secure FTP) is more secure than FTP because it uses the SSH (Secure Shell) protocol to transfer files:

in an encrypted fashion.

When investigators change data on a target machine, they could potentially:

invalidate the evidence.

Any time forensic investigators explore a machine in search of evidence, they:

risk changing the very data they seek.

With steganography, hidden information can be:

plaintext, ciphertext, or even images.

Which of the following statements is true regarding DevManView?

It can sort the information it finds.

With the files pre-sorted by E3, if you are particularly interested in the communications between parties, you should concentrate your search on the __________ categories.

Chats and E-mails

Which of the following summarizes all bookmarks and favorites saved from several different browsers including Internet Explorer, Chrome, and Mozilla?

FavoritesView

Which of the following statements is true regarding Internet Explorer 10 and IECookiesView?

Internet Explorer 10 does not limit the effectiveness of IECookiesView as a forensic tool.

Which of the following is a feature of Process Explorer that can be used as part of a computer forensics investigation?

It can be used to monitor and track actual executables and applications loaded and running in a computer, including viruses, spyware, malicious software, and keyboard loggers.

Which of the following statements is true regarding Wireshark?

It is a popular tool for capturing network traffic in promiscuous mode.

Which of the following statements is true regarding NetWitness Investigator?

It is a seven-layer protocol analyzer.

Which of the following statements is true regarding S-Tools?

It is used to apply or decipher steganography.

Which of the following collects Internet search queries made by users using different popular search engines such as Google, Yahoo, and Bing as well as most social networking sites such as Facebook, MySpace, and Twitter?

MyLastSearch

Where would you find a text description for the icons of the most common activities that forensic investigators will perform within Helix?

On the welcome screen in the description pane on the right

Where would you find icons to the most common activities that forensic investigators will perform within Helix?

On the welcome screen in the navigation pane on the left

Which of the following tools keeps track of the amount of time that the system was turned off or on?

PC On/Off Time

Which of the following tools displays information about currently active processes on a given machine?

Process Explorer

What is the surest way to investigate actual IP packet interaction on a network?

Protocol capture and analysis

To be certain that you have found all suspect images on the evidence drive, you will need to:

explore the unallocated space.

Every e-mail, regardless of the software that generated it:

follows a standard (RFC 2822) format.

The goal of system forensic analysis is to discover the "who, what, when, where, why, and how" while ensuring the:

forensic digital evidence is preserved, defensible, and presentable in a court of law.

The Wireshark middle pane is used to display the packet structure and contents of fields within the packet. This middle pane was referred to in the lab as the:

frame detail.

The Wireshark top pane contains all of the packets that Wireshark has captured, in time order, and provides a summary of the contents of the packet in a format close to English. This top pane was referred to in the lab as the:

frame summary.

The goal of any computer forensics investigation is to:

gather evidence from a system without altering the data on the system.

If you were tasked with investigating a child pornography case, it would be important to:

identify the websites and images found on the suspect's computer.

As part of chain-of-custody documentation, it is a common practice to:

make a copy of the targeted image prior to performing the actual digital forensic investigation.

In NetWitness Investigator, passwords are visible in the FTP data because FTP traffic travels in cleartext, which makes it easy to capture by using a:

packet sniffer

Businesses sometimes employ steganography when they want to:

supplement the protection of encryption.

A forensic specialist must adhere to stringent guidelines and avoid:

tampering with the systems under investigation.

When the S-Tools utility reveals files, __________ is also displayed.

the file size for each embedded payload file

In computer forensics, as in any other branch of forensic science, the emphasis must be on:

the integrity and security of evidence.

At a minimum, an e-mail message header must include:

the sender's account and the date.

When it comes to attempts to open an FTP connection, a low rate of attempts followed by a successful logon usually means:

the user has the password for the account.

With DevManView, "driver registry time" can be used to identify:

when a suspected compromise occurred.

To avoid changing the data they seek, forensic investigators make use of tools that incorporate __________ technologies and can be run without having to be installed on the target machine.

write-blocking
