CHFI Web Text Questions 1/2


How many bit values does HFS use to address allocation blocks?

16

What is the maximum size limit for the Recycle Bin in Windows prior to Windows Vista?

3.99 GB

How many bits are used by the MBR partition scheme for storing Logical Block Addresses and the size information on a 512-byte sector?

32

How large is the partition table structure that stores information about the partitions present on the hard disk?

64-byte

What is the machine-readable language used in major digital operations such as sending and receiving emails?

ASCII

Which of the following is a user created source of potential evidence?

Address book

What tool scans the entire system for deleted files and folders and recovers them?

Advanced Disk Recovery

What component of a typical FAT32 file system consists of data that the file system uses to access the volume and uses the system partition to load the operating system files?

Boot sector

What stage of the Linux boot process includes the task of loading the Linux kernel and optional initial RAM disk?

Bootloader Stage

Which of the following is an example of optical media?

CD/DVD

Which type of cases involve disputes between two parties?

Civil

Which project, launched by NIST, establishes a methodology for testing computer forensics software tools through the development of general tool specifications, test procedures, test criteria, test sets, and test hardware?

Computer Forensic Tool Testing Project (CFTTP)

Which of the following is true regarding computer forensics?

Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them.

In sector addressing, _____________ determines the address of the individual sector on the disk.

Cylinders, Heads, and Sectors (CHS)

What tool for Mac recovers data from a crashed or virus-corrupted hard drive?

Data Rescue 4

Under which of the following circumstances has a court of law allowed investigators to perform searches without a warrant?

Delay in obtaining a warrant may lead to the destruction of evidence and hamper the investigation process.

Which of the following is NOT part of the Computer Forensics Investigation Methodology?

Destroy evidence

Which tool undeletes and recovers lost files from hard drives, memory cards, and USB flash drives?

DiskDigger

Which of the following basic partitioning tools displays details about GPT partition tables in Windows OS?

DiskPart

Which of the following is not an objective of computer forensics?

Document vulnerabilities allowing further loss of intellectual property, finances, and reputation during an attack.

Where are deleted items stored on Windows Vista and later versions of Windows?

Drive:\$Recycle.Bin

Where are deleted items stored on Windows 98 and earlier versions of Windows?

Drive:\RECYCLED

Where are deleted items stored on the Windows 2000, XP, and NT versions of Windows?

Drive:\RECYCLER

Which of the following is NOT a common computer file system?

EFX3

What tool is used for format recovery, unformatting and recovering deleted files emptied from the Recycle Bin, or data lost due to partition loss or damage, software crash, virus infection, or unexpected shutdown and supports hardware RAID?

EaseUS

_______________ is the standard investigative model used by the FBI when conducting investigations against major criminal organizations.

Enterprise Theory of Investigation

Which of the following is NOT an element of cybercrime?

Evidence smaller in size

Which of the following should be work area considerations for forensics labs?

Examiner station has an area of about 50-63 square feet.

Courts call knowledgeable persons to testify to the accuracy of the investigative process. These people who testify are known as the:

Expert witnesses

Which file system used in Linux was developed by Stephen Tweedie in 2001 as a journaling file system that improves reliability of the system?

Ext 3

Which logical drive holds the information regarding the data and files that are stored in the disk?

Extended partition

Investigators can immediately take action after receiving a report of a security incident (T/F)

False. Investigators cannot jump into action immediately after receiving a complaint or report of a security incident; they have to follow a specific protocol that includes gathering plaintiff information, determining the type of incident, and obtaining permission and warrants before taking further action.

A computer forensic examiner can investigate any crime as long as he or she takes detailed notes and follows the appropriate processes (T/F)

False. The computer forensic examiner must not continue with the investigation if the examination is going to be beyond his or her knowledge level or skill level. In these circumstances, the forensic investigator must seek the assistance of an experienced specialist investigator or undergo training in that particular field to enhance his or her knowledge or skill set. It would be wise to discontinue the investigation if it is going to adversely affect the outcome of the case. For more information on this topic see Computer Hacking Forensics Investigator Ch

Which of the following is true regarding Enterprise Theory of Investigation?

It adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act.

What is JPEG an acronym of?

Joint Photographic Experts Group

In the GUID partition table, which Logical Block Address contains the Partition Entry Array?

LBA 2

Which of the following should be physical location and structural design considerations for forensics labs?

Lab exteriors should have no windows.

The process of acquiring volatile data from working computers (locked or in sleep condition) that are already powered on is:

Live data acquisition

What is NOT a command used to determine logged-on users?

LoggedSessions, so Net Sessions, PsLoggedOn, and LogonSessions all determine who is logged on.

What command is used to determine the NetBIOS name table cache in Windows?

Nbtstat

Which tool helps collect information about network connections operative in a Windows system?

Netstat

Which of the following is NOT a command used to determine running processes in Windows?

Netstat, so PsList, Tasklist, and ListDLLs help determine running processes in Windows.

Which component of the NTFS architecture is a computer system file driver for NTFS?

Ntfs.sys

Which field type refers to the volume descriptor as a primary?

Number 1

What is NOT a command used to determine open files?

Open files, so Openfiles, Net file, and PsFile all determine open files command-wise.

Which item describes the following UEFI boot process phase? The phase of UEFI consisting of initializing the CPU, temporary memory, and boot firmware volume; locating and executing the modules that initialize all the hardware found in the system; and creating a hand-off block list with all found resource interface descriptors.

PEI (Pre-EFI Initialization) Phase

What is the proprietary Microsoft Office presentation file extension used in PowerPoint?

PPT

What must an investigator do in order to offer a good report to a court of law and ease the prosecution?

Preserve the evidence

Which of the following is NOT where potential evidence may be located?

Processor

Codes of ethics are the principles stated to describe the expected behavior of an investigator while handling a case. Which of the following is NOT a principle that a computer forensic investigator must follow?

Provide personal or prejudiced opinions

Which tool recovers files that have been lost, deleted, corrupted, or even deteriorated?

Quick Recovery

What is the simplest RAID level that does not involve any redundancy, and fragments the file into the user-defined stripe size of the array?

RAID 0

Which of the following consists of volatile storage?

RAM

Which of the following Federal Rules of Evidence governs proceedings in the courts of the United States?

Rule 101

Which of the following Federal Rules of Evidence ensures that the truth may be ascertained and the proceedings justly determined?

Rule 102

Which of the following Federal Rules of Evidence contains Rulings on Evidence?

Rule 103

Which of the following Federal Rules of Evidence states that the court shall restrict the evidence to its proper scope and instruct the jury accordingly?

Rule 105

In forensics law, "authenticating or identifying evidence" comes under which rule?

Rule 901

In rootkit detection, which technique compares the characteristics of all system processes and executable files with a database of known rootkit fingerprints?

Signature-Based Detection

Which of the following is a computer created source of potential evidence?

Swap file

Which of the following is true of civil crimes?

The initial reporting of the evidence is generally informal

The main advantage of RAID is that if a single physical disk fails: _________________________

The system will continue to function without loss of data.

What is the role of an expert witness?

To educate the public and court

Which tool recovers lost data from hard drives, RAID, photographs, deleted files, iPods, and removable disks connected via FireWire or USB?

Total Recall

A chain of custody is a critical document in the computer forensics investigation process because the document provides legal validation of appropriate evidence handling (T/F)

True

Because it is always changing, the information in the registers or the processor cache is the most volatile data (T/F)

True

Digital devices store data about sessions such as user and type of connection (T/F)

True

External attacks occur when there are inadequate information-security policies and procedures (T/F)

True

Forensic data duplication involves the creation of a file that has every bit of information from the source in a raw bit stream format (T/F)

True

Forensic readiness includes technical and non-technical actions that maximize an organization's competence to use digital evidence (T/F)

True

Minimizing the tangible and intangible losses to the organization or an individual is considered an essential computer forensics use (T/F)

True

Forensic readiness refers to:

an organization's ability to make optimal use of digital evidence in a limited time period and with minimal investigation costs

Which part of the UFS file system is composed of a few blocks reserved at the beginning of the partition?

boot blocks

Which of the following should be considered before planning and evaluating the budget for the forensic investigation case?

breakdown of costs into daily and annual expenditure

What document is used as a written record consisting of all processes involved in seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence?

chain of custody document

Which of the following answers refers to a set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment in such a manner that the discovered evidence is acceptable during a legal and or administrative proceeding in a court of law?

computer forensics

What is the process of permanently deleting or destroying data from storage media?

media sanitization

Which of the following is NOT a digital data storage type?

quantum storage devices

Which of the following is NOT a feature of the Recover My Files tool?

recovering files from a network drive

Which information held by the superblock contains major and minor items that allow the mounting code to determine whether or not supported features are available to the file system?

revision level

In anti-forensics techniques, which of the following techniques is used to hide a secret message within an ordinary message and extract it at the destination to maintain confidentiality of data?

steganography

Which of the following is NOT a part of the Computer Forensics Investigation Methodology?

testify as an expert defendant

An investigator may commit some common mistakes while collecting data from the system that result in the loss of critical evidence. Which of the following is NOT a mistake that investigators commonly make?

use of correct cables and cabling techniques

Which of the following refers to the data stored in the registries, cache, and RAM of digital devices?

volatile information

Which of the following describes when the user restarts the system via the operating system?

warm booting

Under which of the following conditions will duplicate evidence NOT suffice?

when original evidence is in possession of the originator

Which of the following is NOT a legitimate authorizer of a search warrant?

First responder

__________ is a 128-bit unique reference number used as an identifier in computer software.

Global Unique Identifier (GUID)

Mac uses a _________________

Hierarchical File System

Which of the following is the process of developing a strategy to address the occurrence of any security breach in the system or network?

Incident response

Which of the following is true of cybercrimes?

Investigators, with a warrant, have the authority to forcibly seize the computing devices.

Which of the following is NOT a consideration during a cyber crime investigation?

Value or cost to the victim

What is the name of the abstract layer that resides on top of a complete file system, allows client applications to access various file systems, and consists of a dispatching layer and numerous caches?

Virtual File System

Which Windows operating system powers on and starts up using either the traditional BIOS MBR method or the newer UEFI GPT method?

Windows 8 or 10

In Linux standard tools, forensic investigators use the following built-in Linux commands to copy data from a disk drive:

dd and dcfldd

Computer forensics deals with the process of finding ___________ related to a digital crime to find the culprits and initiate legal action against them?

evidence

Which of the following are frequently left by criminals, assisting investigators in understanding the process of crime and the motive behind it, and allowing them to attempt to identify the person(s) who committed it?

fingerprints

The command ___________ displays the details associated with a file system. The output of this command is file system specific.

fsstat

Espionage, theft of intellectual property, manipulation of records, and Trojan horse attacks are examples of what?

insider attacks or primary threats

Cybercrimes can be classified into the following two types of attacks, based on the line of attack:

internal and external
