CIST 2612 QUIZZES
A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.
virtual machine
When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to avoid damage to the drive from overheating.
80
Computing components are designed to last 18 to ____ months in normal business operations.
36
____ refers to the number of bits in one square inch of a disk platter.
Areal Density
Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.
BACKUP UTILITIES
Generally, digital records are considered admissible if they qualify as a ____ record.
BUSINESS
Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes.
MUCH EASIER THAN
____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.
PROBABLE CAUSE
Evidence is commonly lost or corrupted through ____, which involves the presence of police officers and other professionals who aren't part of the crime scene-processing team.
PROFESSIONAL CURIOSITY
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
PROPRIETARY
In ____, two or more disk drives become one large volume, so the computer views the disks as a single disk.
RAID 0
____, or mirrored striping, is a combination of RAID 1 and RAID 0.
RAID 10
____, or mirrored striping with parity, is a combination of RAID 1 and RAID 5.
RAID 15
Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a ____ that a law or policy is being violated.
REASONABLE SUSPICION
____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.
RISK MANAGEMENT
Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.
SAFETY
To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.
SECURE FACILITY
Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server.
SNIFFING
One technique for extracting evidence from large systems is called ____.
SPARSE ACQUISITION
Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
STATIC
A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.
STEEL
When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data.
U.S. DoJ
____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
UNIFORM CRIME REPORTS
____ is a core Win32 subsystem DLL file.
User32.sys
Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.
WARRANT
The FOIA was originally enacted in the ____.
1960s
The EMR from a computer monitor can be picked up as far away as ____ mile.
1/2
In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.
1024
____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version.
Boot.ini
What HTCN certification level requires candidates have three years of experience in computing investigations for law enforcement or corporate cases?
CERTIFIED COMPUTER FORENSICS TECHNICIAN, BASIC
____ records are data the system maintains, such as system log files and proxy server logs.
COMPUTER-GENERATED
The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions.
DCFLDD
The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
DD
____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the systemroot\Windows\System32\Drivers folder.
DEVICE DRIVERS
A ____ is where you conduct your investigations, store evidence, and do most of your work.
DIGITAL FORENSICS LAB
A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.
DISASTER RECOVERY
The most common and flexible data-acquisition method is ____.
DISK-TO-IMAGE FILE COPY
Older Microsoft disk compression tools, such as DoubleSpace or ____, eliminate only slack disk space between files.
DRIVESPACE
When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____.
EFS
____ is the file structure database that Microsoft originally designed for floppy disks.
FAT
One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search.
FORUMS AND BLOGS
You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512.
HASH
Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____.
HEARSAY
____ was created by police officers who wanted to formalize credentials in digital investigations.
IACIS
With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
INITIAL RESPONSE FIELD-KIT
Linux ISO images that can be burned to a CD or DVD are referred to as ____.
LINUX LIVE CDS
Most remote acquisitions have to be done as ____ acquisitions.
LIVE
The ____ command displays pages from the online help manual for information on Linux commands and their options.
MAN
Autopsy uses ____ to validate an image.
MD5
On an NTFS disk, immediately after the Partition Boot Sector is the ____.
MFT
Records in the MFT are called ____.
Metadata
____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.
NTBootdd.sys
____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr.
NTDetect.com
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System.
NTFS
____ was introduced when Microsoft created Windows NT and is still the main file system in Windows 10.
NTFS
____ is the Windows XP system service dispatch stubs to executive functions and internal support functions.
Ntdll.dll
____ is the physical address support program for accessing more than 4 GB of physical RAM.
Ntkrnlpa.exe
You should have at least one copy of your backups on site and a duplicate or a previous copy of your backups stored in a safe
OFF-SITE
Floors and carpets in your computer forensics lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.
ONCE
During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____.
TEMPEST
____ is how most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks.
ZBR
A ____ is a column of tracks on two or more disk platters.
cylinder
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____.
data runs
The purpose of the ____ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key.
recovery certificate
When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____.
registry