CIS 282 Fall 2022 - Final Studyguide

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

What term refers to the number of bits in one square inch of a disk platter?

Areal density

Where do phones typically store system data? A.) ROM B.) EEPROM C.) EROM D.) PROM

EEPROM

In which format are most digital photographs stored?

EXIF

Which term is often used when discussing Linux because technically, Linux is only the core of the OS?

Kernel

Which agency introduced training on software for forensics investigations by the early 1990s?

IACIS

Remote acquisitions are often easier because you're usually dealing with large volumes of data.

False

Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses. A.) True B.) False

False

At what levels should lab costs be broken down?

Monthly, quarterly, and annually

Which motion provides a written list of objections to certain testimony or exhibits?

Motion in limine

What organization was created by police officers in order to formalize credentials for digital investigators?

IACIS

ow do most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks?

ZBR

In macOS, in addition to allocation blocks, what kind of blocks do volumes have?

Logical blocks

In older versions of macOS, in which fork are file metadata and application information stored?

Resource

In which cloud service level are applications delivered via the Internet?

Software as a service

As an expert witness, you have opinions about what you have found or observed. A.) True B.) False

True

Bitmap images are collections of dots, or pixels, in a grid format that form a graphic.

True

By the 1970s, electronic crimes were increasing, especially in the financial sector. A.) True B.) False

True

Computers used several OSs before Windows and MS-DOS dominated the market. A.) True B.) False

True

Experts should be paid in full for all previous work and for the anticipated time required for testimony.

True

Which program can be used to examine network traffic? A.) tcpdump B.) netdump C.) slackdump D.) coredump

tcpdump

The Enhanced Data GSM Environment (EDGE) standard was developed specifically for which type of service? A.) OFDM B.) CDMA C.) D-AMPS D.) 3G

3G

Which organization has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients?

ABA

Which document offers comprehensive guidance for psychologists, with an entire section devoted to forensics activities?

APA's Ethics Code

Which images store graphics information as grids of pixels?

Bitmap

When federal courts are evaluating digital evidence from computer-generated records, what exception is applied to hearsay? A.) Computer-generated records exception B.) Best-evidence rule exception C.) Business-records exception D.) Digital-records authenticity exception

Business-records exception

What technology, developed during WWII, uses the full radio spectrum to define channels and is now used in the U.S. by Sprint, U.S. Cellular, and Verizon?

CDMA

As data is added, the MFT can expand to take up 75% of the NTFS disk. A.) True B.) False

False

Autopsy for Windows cannot perform forensics analysis on FAT file systems. A.) True B.) False

False

Computer investigations and forensics fall into the same category: public investigations. A.) True B.) False

False

Corporate investigators always have the authority to seize all computer equipment during a corporate investigation. A.) True B.) False

False

E-mail crimes and violations rarely depend on the city, state, and country in which the e-mail originated.

False

Expert opinions cannot be presented without stating the underlying factual basis.

False

ISPs can investigate computer abuse committed by their customers.

False

If damage occurs to the floor, walls, ceilings, or furniture on your computer forensics lab, it does not need to be repaired immediately. A.) True B.) False

False

If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available.

False

If you must write a preliminary report, use words such as "preliminary copy," "draft copy," or "working draft."

False

In software acquisition, there are three types of data-copying methods. A.) True B.) False

False

Investigating crimes or policy violations involving e-mail is different than investigating other types of computer abuse and crimes.

False

Investigating smartphones and other mobile devices is a relatively easy task in digital forensics. A.) True B.) False

False

Most basic phones use the same OSs as PCs. A.) True B.) False

False

Network forensics is a fast, easy process. A.) True B.) False

False

Operating systems do not have tools for recovering image files. A.) True B.) False

False

Steganography cannot be used with file formats other than image files.

False

The first 5 bytes (characters) for all MFT records are FILE.

False

The law of search and seizure protects the rights of all people, excluding people suspected of crimes.

False

The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect. A.) True B.) False

False

Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume. A.) True B.) False

False

When intruders break into a network, they rarely leave a trail behind. A.) True B.) False

False

When two files look the same when viewed but one has an invisible digital watermark, they appear to be the same file except for their sizes.

False

Windows OSs do not have a kernel.

False

You should create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your report.

False

macOS is built with the new Apple File System (APFS). The current version offers better security, encryption, and performance speeds, but users can't mount HFS+ drives.

False

Which activity involves sorting and searching through investigation findings to separate good data and suspicious data? A.) Filtering B.) Acquisition C.) Reconstruction D.) Validation

Filtering

Which tool enables the investigator to acquire the forensic image and process it in the same step?

Magnet AXIOM

What does scope creep typically do?

Increases the time and resources needed to extract, analyze, and present data

Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes? A.) Investigating and controlling the scene is more difficult in private sector environments. B.) Investigating and controlling the scene is equally difficult in both environments. C.) Investigating and controlling the scene is equally easy in both environments. D.) Investigating and controlling the scene is much easier in private sector environments.

Investigating and controlling the scene is much easier in private sector environments.

What type of cards, consisting of a microprocessor and internal memory, are usually found in GSM devices?

SIM

With cloud systems running in a virtual environment, what can be used to give the investigator valuable information before, during, and after an incident?

Snapshots

What type of acquisition is typically done on a computer seized during a police raid? A.) Static B.) Real-Time C.) Live D.) Online

Static

In addition to search warrants, what defines the scope of civil and criminal cases?

Subpoenas

Which digital forensics tool is categorized as a single-purpose hardware component?

Tableau T35es-R2 SATA/IDE eSATA bridge

Which standard states that, to provide reliable and valid testimony, the expert has the "ethical responsibility to present a complete and unbiased picture of the . . . research relevant to the case at hand?" A.) The APA standard B.) The ABA standard C.) The IACIS standard D.) The Daubert standard

The Daubert standard

Suppose you have been hired to determine whether a corrupted file was intentionally altered or altered by a virus. Your forensic examination did not find evidence of a virus and did not find evidence of intentional alteration. What conclusion can you offer? A.) The cause of the file's corruption is unknown. B.) The file was corrupted by a software malfunction. C.) The file was accidentally corrupted. D.) The file was corrupted by unknown malware.

The cause of the file's corruption is unknown.

At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?

The digital forensics lab

Many people store more information on smartphones and tablets than on computers.

True

One way to examine a partition's physical level is to use a disk editor, such as WinHex, or Hex Workshop. A.) True B.) False

True

Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise.

True

People need ethics to help maintain their balance, especially in difficult and contentious situations. A.) True B.) False

True

Portability of information is what makes SIM cards so versatile.

True

Several password-cracking tools are available for handling password-protected data or systems. A.) True B.) False

True

Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.

True

Some notable UNIX distributions included Silicon Graphics, Inc. (SGI) IRIX, Santa Cruz Operation (SCO) UnixWare, Sun Solaris, IBM AIX, and HP-UX A.) True B.) False

True

Specially trained system and network administrators are often a CSP's first responders.​

True

The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET).

True

The chain of custody of evidence supports the integrity of your evidence.

True

The defense request for full discovery of digital evidence applies only to criminal cases in the United States.

True

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file. A.) True B.) False

True

The pipe (|) character redirects the output of the command preceding it.

True

The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location. A.) True B.) False

True

The type of file system an OS uses determines how data is stored on the disk. A.) True B.) False

True

To be a successful computer forensics investigator, you must be familiar with more than one computing platform.

True

To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful. A.) True B.) False

True

Virtual machines are now common for both personal and business use. A.) True B.) False

True

When searching for specific record information, sometimes you see duplicate files with the same name that have different data runs, meaning the file was written to disk more than once on separate occasions.

True

When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.

True

With many computer forensics tools, you can open files with external viewers.

True

What reports are generated at the local, state, and federal levels to show the types and frequency of crimes committed?

Uniform crime reports

As with any research paper, write the report abstract last. A.) True B.) False

True

How many years of education does the typical juror have?

12

When was the Freedom of Information Act originally enacted? A.) 1960s B.) 1940s C.) 1950s D.) 1970s

1960s

In an e-mail address, what symbol separates the domain name from the rest of the address?

@

What document, issued by a judge, compels the recipient to do or not do something?

A court order

What type of software runs virtual machines?

A hypervisor

What should be provided if a report is long and complex?

An abstract

A written report is often submitted as what type of document?

An affidavit

What is most appropriately used to help an attorney learn the terms and functions used in digital forensics?

An examination plan

Which document serves as a guideline for knowing what questions an investigator should expect when testifying?

An examination plan

Where do software forensics tools copy data from a suspect's disk drive?

An image file

What should be created in order to begin a digital forensics case?

An investigation plan

How often should the document describing your expertise and used to quality your testimony be updated to reflect new cases and additional training?

At least every three months

How can an investigator minimize any challenges an opposing attorney could make to discredit the investigator's report or testimony?

Be as thorough as possible during the forensic examination (?)

What name is used for the configuration typically used for e-mail messages that are distributed from a central server to many connected client computers?

Client/server architecture

Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?

Computer Analysis and Response Team

What type of records are considered data that the system maintains, such as system log files and proxy server logs?

Computer-generated

What term refers to a column of tracks on two or more disk platters?

Cylinder

Which activity involves changing or manipulating a file to conceal information?

Data hiding

A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?

Data recovery

Which network defense strategy, developed by the National Security Agency (NSA), has three modes of protection?

Defense in Depth

Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?

Digital investigations

What is the most common and flexible data-acquisition method?

Disk-to-image file copy

Which type of digital network is a faster version of GSM, designed to deliver data?

EDGE

Macintosh moved to the Intel processor and became UNIX based with which operating system?

El Capitan

What term refers to evidence that exonerates or diminishes the defendant's liability? A.) Direct B.) Inculpatory C.) Rebuttal D.) Exculpatory

Exculpatory

What was the early standard Linux file system?

Ext2

Which acronym refers to the file structure database that Microsoft originally designed for floppy disks? A.) VFAT B.) FAT C.) NTFS D.) FAT32

FAT

A search warrant can be used in any kind of case, either civil or criminal.​

False

A verbal report is more structured than a written report.

False

In which discipline do professionals listen to voice recordings to determine who's speaking or read e-mail and other writings known to be by a certain person and determine whether that person wrote the e-mail or letter in question? A.) Forensic linguistics B.) Communication forensics C.) Communication linguistics D.) Linguistic analysis

Forensic linguistics

Which group often works as part of a team to secure an organization's computers and networks? A.) Computer analysts B.) Network monitors C.) Forensics investigators D.) Data recovery engineers

Forensics investigators

In what type of e-mail programs can the user copy an e-mail message by dragging the message to a storage medium, such as a folder or drive?

GUI

What tools are used to create, modify, and save bitmap, vector, and metafile graphics?

Graphics editors

Because digital forensics tools have limitations in performing hashing, what tools should be used to ensure data integrity?

Hexadecimal editors

Which type of strategy hides the most valuable data at the innermost part of the network?

Layered network defense

What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?

Live

Which type of compression compresses data permanently by discarding bits of information in the file?

Lossy

Metadata in a prefetch file contains an application's ____ times in UTC format and a counter of how many times the application has run since the prefect file was created.

MAC

In addition to FAT16, FAT32, and Resilient File System, which file system can Windows hard disks also use?

NTFS

Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?

NTFS

Which type of forensics can help you determine whether a system is truly under attack or a user has inadvertently installed an untested patch or custom program? A.) Traffic forensics B.) Intrusion forensics C.) DDoS forensics D.) Network forensics

Network forensics

What is the standard format in U.S. federal courts for the electronic submission of documents?

Portable Document Format (PDF) (?)

What files, created by Microsoft, contain the DLL pathnames and metadata used by applications and reduce the time it takes to start applications?

Prefetch

Which type of format acquisition leaves the investigator unable to share an image between different vendors' computer forensics analysis tools?

Proprietary

What optional phase of a trial typically involves an issue raised during cross-examination of a witness?

Rebuttal

What is the main information being sought when examining e-mail headers? A.) The types of encryption being used B.) The originating e-mail's domain name or an IP address C.) The date and time the e-mail was sent D.) The type of attachments included, if any

The originating e-mail's domain name or an IP address

Under what circumstances are digital records considered admissible?

They are business records

A challenge with using social media data in court is authenticating the author and the information. A.) True B.) False

True

A forensics analysis of a 6 TB disk, for example, can take several days or weeks.

True

A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks A.) True B.) False

True

A judge can exclude evidence obtained from a poorly worded warrant. A.) True B.) False

True

After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. A.) True B.) False

True

After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.

True

Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence. A.) True B.) False

True

As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.

True

Because bring your own device (BYOD) has become a business standard, investigators must consider how to keep employees' personal data separate from case evidence. A.) True B.) False

True

Before attempting to install a type 2 hypervisor, you need to enable virtualization in the BIOS before attempting to create a VM. A.) True B.) False

True

Besides presenting facts, reports can communicate expert opinion. A.) True B.) False

True

Computing systems in a forensics lab should be able to process typical cases in a timely manner. A.) True B.) False

True

For digital investigators, tracking intranet e-mail is easier because accounts use standard names the administrator establishes. A.) True B.) False

True

For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses. A.) True B.) False

True

Forensic linguistics encompasses civil cases, criminal cases, cyberterrorism cases, and other legal proceedings. A.) True B.) False

True

If a file contains information, it always occupies at least one allocation block. A.) True B.) False

True

If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.

True

If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.

True

In Autopsy and many other forensics tools raw format image files don't contain metadata. A.) True B.) False

True

In network forensics, you have to restore the drive to see how malware that attackers have installed on the system works. A.) True B.) False

True

In the United States, there's no state or national licensing body for digital forensics examiners.

True

Lawyers use services called deposition banks (libraries), which store examples of expert witnesses' previous testimony. A.) True B.) False

True

What kinds of images are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes? A.) Metafile graphics B.) Vector graphics C.) Bitmap images D.) Line-art images

Vector graphics

What Linux command is used to create the raw data format?

dd

What command creates a raw format file that most computer forensics analysis tools can read?

dd


Kaugnay na mga set ng pag-aaral

Home Owners Course Pre-test (Clearpoint) March 2022

View Set

Unit 2: Nature vs. Nurture Study Guide

View Set

Strategic Management: Chapter 12

View Set