Computer Forensics Chp. 4-6 Review Questions
Clusters in Windows always begin numbering at what number?
2
The Windows Registry in Windows 9x consists of what two files?
System.dat and User.dat
The standards for testing forensics tools are based on which criteria? a. U.S. Title 18 b. ASTD 1975 c. ISO 17025 d. All of the above
ISO 17025
What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?
It enables you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive.
What does MFT stand for?
Master File Table
How to process a crime scene
Secure the scene, and prepare for the search and seizure of computers or digital devices.
A live acquisition is considered an accepted practice in digital forensics. True or False?
True
An image of a suspect drive can be loaded on a virtual machine. True or False?
True
One reason to choose a logical acquisition is an encrypted drive. True or False?
True
RAM slack can contain passwords. True or False?
True
T or F. Commingling evidence means that sensitive or confidential information is mixed with data collected as evidence.
True
Hashing, filtering, and file header analysis make up which function of digital forensics tools? a. Validation and verification b. Acquisition c. Extraction d. Reconstruction
Validation and verification
As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? You begin to take orders from a police detective without a warrant or subpoena. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. Your internal investigation begins. None of the above.
You begin to take orders from a police detective without a warrant or subpoena.
What is the ratio of sectors per cluster in a floppy disk? a. 1:1, b. 2:1, c. 4:1, d. 8:1
a. 1:1
Windows 2000 can be configured to access which of these file formats? (Choose all that apply.) a. FAT12, b. FAT16, c. FAT32, d. NTFS
a. FAT12, b. FAT16, c. FAT32, d. NTFS
EFS can encrypt which of the following? a. Files, folders, and volumes, b. Certificates and private keys, c. The global Registry, d. Network servers
a. Files, folders, and volumes
List three subfunctions of the extraction function.
data viewing, keyword searching, decompressing, carving, decrypting, and bookmarking.
List three items stored in the FAT database.
file and directory names, starting cluster numbers, file attributes, and date and time stamps
Device drivers contain what kind of information?
instructions for the OS on how to interface with hardware devices
Hardware acquisition tools typically have built-in software for data analysis. True or False?
most are used only for acquisition
Which of the following techniques might be used in covert surveillance? a. Keylogging, b. Data sniffing, c. Network logs, d. All of the above
All of the above
Forensic software tools are grouped into ____________ and _______________ applications.
CL and GUI
T or F. You should always answer questions from onlookers at a crime scene.
False
Hash values are used for which of the following purposes? (Choose all that apply.) a. Determining file size b. Filtering known good files from potentially suspicious data c. Reconstructing file fragments d. Validating that the original data hasn't changed
Filtering known good files from potentially suspicious data. Validating that the original data hasn't changed
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you? a. Extensive-response kit, b. Initial-response kit, c. Lightweight kit, d. Car crash kit
Initial-response kit
The primary hash the NSRL project uses is SHA-1. True or False?
True
What are the three rules for a forensic hash? a. Fast, reliable, and the hash value should be at least 2048 bits; b. Produce collisions, should be at least 2048 bits, and it can't be predicted; c. It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes; d. It can be predicted, fast and reliable
It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes
List two hashing algorithms commonly used for forensic purposes. a. MD5 and AES, b. MD5 and SHA-1, c. RSA and RC5, d. AES and SHA-2
MD5 and SHA-1
Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? a. Most companies keep inventory databases of all hardware and software used. b. The investigator doesn't have to get a warrant. c. The investigator has to get a warrant. d. Users can load whatever they want on their machines.
Most companies keep inventory databases of all hardware and software used.
HPFS is used on which OS?
OS/2
The verification function does which of the following? a. Proves that a tool performs as intended b. Creates segmented files c. Proves that two sets of data are identical via hash values d. Verifies hex editors
Proves that two sets of data are identical via hash values
The reconstruction function is needed for which of the following purposes? (Choose all that apply.) a. Re-create a suspect drive to show what happened. b. Create a copy of a drive for other investigators. c. Recover file headers. d. Re-create a drive compromised by malware.
Re-create a suspect drive to show what happened.
A log report in forensics tools does which of the following? a. Tracks file types b. Monitors network intrusion attempts c. Records an investigator's actions in examining a case d. Lists known good files
Records an investigator's actions in examining a case
In FAT32, a 123 KB file uses how many sectors?
The answer is 246 sectors. 123 KB x 1024 bytes per KB = 125,952 total bytes in the file. 125,952 bytes / 512 bytes per sector = 246 sectors.
Which of the following is true of most drive-imaging tools? (Choose all that apply.) a. They perform the same function as a backup. b. They ensure that the original drive doesn't become corrupt and damage the digital evidence. c. They create a copy of the original drive. d. They must be run from the command line.
They ensure that the original drive doesn't become corrupt and damage the digital evidence. They create a copy of the original drive.
When you arrive at the scene, why should you extract only those items you need to acquire evidence? a. To conceal trade secrets, b. To preserve your physical security, c. To speed up the acquisition process, d. To minimize how much you have to keep track of at the scene
To minimize how much you have to keep track of at the scene
In DOS and Windows 9x, Io.sys is the first file loaded after the ROM bootstrap loader finds the disk. True or False?
True
In NTFS, files smaller than 512 bytes are stored in the MFT. True or False?
True
T or F. Computer peripherals or attachments can contain DNA evidence.
True
T or F. If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy.
True
T or F. If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement.
True
T or F. In forensic hashes, a collision occurs when two different files have the same hash value.
True
T or F. In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause.
True
T or F. You should videotape or sketch anything at a digital crime scene that might be of interest to the investigation.
True
List two features NTFS has that FAT does not.
Unicode characters, security, journaling
Zoned bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True or False?
False
What does CHS stand for?
cylinders, heads, sectors
When validating the results of a forensic analysis, you should do which of the following? (Choose all that apply.) a. Calculate the hash value with two different tools. b. Use a different tool to compare the results of evidence you find. c. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. d. Use a command-line tool and then a GUI tool.
Calculate the hash value with two different tools. Use a different tool to compare the results of evidence you find.
If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? Coordinate with the HAZMAT team. Determine a way to obtain the suspect's computer. Assume the suspect's computer is contaminated. Do not enter alone.
Coordinate with the HAZMAT team.
What are the functions of a data run's field components in an MFT record?
Data runs have three components; the first declares how many bytes are required in the attribute field to store the number of bytes needed for the second and third components. The second component stores the number of clusters assigned to the data run, and the third component contains the starting cluster address value (the LCN or the VCN).
Building a forensic workstation is more expensive than purchasing one. True or False?
False
Data can't be written to disk with a command-line tool. True or False?
False
In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False?
False
T or F. An initial-response field kit does not contain evidence bags.
False
T or F. Small companies rarely need investigators.
False
T or F. The plain view doctrine in computer searches is well-established law.
False
On a Windows system, sectors typically contain how many bytes? a. 256, b. 512, c. 1024, d. 2048
b. 512
Which of the following Windows XP files contains user-specific information? a. User.dat, b. Ntuser.dat, c. System.dat, d. Sam.dat
b. Ntuser.dat
What is the space on a drive called when a file is deleted? (Choose all that apply.) a. Disk space, b. Unallocated space, c. Drive space, d. Free space
b. Unallocated space, d. Free space
Areal density refers to which of the following? a. Number of bits per disk, b. Number of bits per partition, c. Number of bits per square inch of a disk platter, d. Number of bits per platter
c. Number of bits per square inch of a disk platter
To encrypt a FAT volume, which of the following utilities can you use? a. Microsoft BitLocker, b. EFS, c. PGP Whole Disk Encryption, d. FreeOTFE
c. PGP Whole Disk Encryption
Virtual machines have which of the following limitations when running on a host computer? a. Internet connectivity is restricted to virtual Web sites. b. Applications can be run on the virtual machine only if they're resident on the physical machine. c. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. d. Virtual machines can run only OSs that are older than the physical machine's OS.
c. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.
A virtual cluster consists of what kind of clusters?
chained clusters
According to ISO standard 27037, which of the following is an important factor in data acquisition? (Choose all that apply.) a. The DEFR's competency b. The DEFR's skills in using the command line c. Use of validated tools d. Conditions at the acquisition setting
A & B