CIS 296 computer forensics exam 1


if your time is limited, consider using logical acquisition or ____ acquisition data copy method

sparse

one technique for extracting evidence from large systems is called ____

sparse acquisition

typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example

static

in autopsy and many other forensic tools raw format image files don't contain metadata

true

in microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors

true

one way to examine a partition's physical level is to use a disk editor, such as winhex, or hex workshop

true

the definition of digital forensics has evolved over the years from simply involving securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases

true

the fourth amendment to the U.S. Constitution (and each state's constitution) protects everyone's right to be secure in their person, residence, and property from search and seizure

true

to be a successful computer forensics investigator, you must be familiar with more than one computing platform

true

when seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data

u.s doj

____ is a core win32 subsystem DLL file

user32.sys

when recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to avoid damage to the drive from overheating

80

image files can be reduced by as much as ____% of the original when using lossless compression

50%

a ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and traffic at will

warning banner

without a warning banner, employees might have an assumed ____ when using a company's computer system and network access

right of privacy

environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime

safety

corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer

silver-platter

real-time surveillance requires ____ data transmissions between a suspect's computer and a network server

sniffing

the FOIA was originally enacted in the ____.

1960's

computer investigations and forensics fall into the same category: public investigations

false

if the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available

false

the law of search and seizure protects the rights of all people, excluding people suspected of crimes

false

typically, a virtual machine consists of just one file

false

____ often work as a part of a team to secure an organization's computers and networks

forensics investigators

when microsoft introduced windows 2000, it added optional built-in encryption to ntfs called ____

EFS

autopsy uses ____ to validate an image

MD5

on an NTFS disk, immediately after the partition boot sector is the ____

MFT

____ was introduced when microsoft created windows NT and is still the main file system in windows 10

NTFS

____ is how most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks

ZBR

in a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____

affidavit

____ refers to the number of bits in one square inch of a disk platter

areal density

____ records are data the system maintains, such as system log files and proxy server logs

computer-generated

a ____ is a column of tracks on two or more disk platters

cylinder

the file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____

data runs

the ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions

dd

____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the system/root\Windows\System32\Drivers folder

device drivers

the ____ group manages investigators and conducts forensic analysis of systems suspected of containing evidence related to an incident or crime

digital investigation

a(n) ____ is a person using a computer to perform routine tasks other than the system administrator

end user

certain files, such as the ____ and security log in Windows, might lose essential network activity records if power is terminated without a proper shutdown

event log

you use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha256, or sha512

hash

with a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible

initial-response field kit

published company policies provide a(n) ____ for a business to conduct internal investigations

line of authority

linux iso images that can be burned to a CD or DVD are referred to as ____.

linux live CD's

most remote acquisitions have to be done as ____ acquisitions

live

records in the MFT are called ____

metadata

____ is the physical address support program for accessing more than 4GB of physical RAM

ntkrnlpa.exe

courts consider evidence data in a computer as ____ evidence

physical

____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest

probable cause

the purpose of the ____ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key

recovery certificate

when microsoft created windows 95, it consolidated initialization (.ini) files into the ____.

registry
