Computer Forensics exam 1 Ch 1-5
how many rounds does DES have?
16
you are investigating a breach of a file server that resulted in several stolen files. Which federal law is most likely to apply?
18 USC 1030, Fraud and related activity in connection with computers
what is the key length used for DES?
56
Bob was asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend for or against using a disk-imaging tool?
A simple DOS copy will not include deleted files, file slack, and other information
what Linux command can be used to create a hash?
MD5sum
which of the following is an asymmetric cryptography algorithm invented by three mathematicians in the 1970s?
RSA
________ is the most commonly used hashing algorithm
SHA1
which of the following drives would be least susceptible to damage when dropped?
SSD
which of the following is an example of a multialphabet cipher?
Vigenere
in steganography, the ________ is the data to be covertly communicated. In other words, it is the message you want to hide
payload
when cataloging digital evidence, the primary goal is to do what?
preserve evidence integrity
if the computer is turned on when you arrive, what does the Secret Service recommend you do?
shut down according to recommended Secret Service procedure
hiding messages inside another medium is referred to as
steganography
which file might contain data that was live in memory and not stored on the hard drive?
swap file
What is the essence of the Daubert Standard?
that only tools or techniques that have been accepted by the scientific community are admissible at trial
which of the following is important to the investigator regarding logging?
the logging methods, log retention, location of stored logs
what is the purpose of hashing a copy of a suspect drive?
to check for changes
what is the starting point for investigating denial of service attacks?
tracing the packets
it is legal for employers to monitor work computers
true
spyware is legal
true
the Caesar cipher is the oldest known encryption method
true
you should make at least two bitstream copies of a suspect drive
true
which of the following encryption algorithms uses three key ciphers in a block system and uses the Rijndael algorithm?
AES
you need to image a server that is set up with RAID 5. How would you approach this?
Image the entire array as a single disk.
where would you seek evidence that ophcrack had been used on a Windows Server 2008 machine?
In the logs of the server, look for the reboot of the system
the most common way steganography is accomplished is via
LSB
what type of encryption uses a different key to encrypt the message than it uses to decrypt the message?
asymmetric
in steganography, the _______ is the stream or file into which the data is hidden
carrier
In a computer forensics investigation, describe the route that evidence takes from the time you find it until the case is closed or goes to court
chain of custody
which of the following crimes is most likely to leave email evidence?
cyberstalking
what Linux command can be used to wipe a target drive?
dd
logic bombs are often perpetrated by
disgruntled employees
when investigating a virus, what is the first step?
document the virus
what is the most important reason that you not touch the actual original evidence any more than you have to?
each time you touch digital data, there is some chance of altering it
RAID 4 should be acquired as individual disks
false
Your roommate can give consent to search your computer
false
evidence need not be locked if it is at a police station
false
it is acceptable, when you have evidence in a vehicle, to stop for a meal, if the vehicle is locked
false
the MD5 message-digest algorithm is used to
hash a disk to verify that a disk has not been altered when you examine it
why should you note all cable connections for a computer you want to seize as evidence?
in case other devices were connected
what is the primary reason to take cyberstalking seriously?
it can be a prelude to real-world violence
to preserve digital evidence, an investigator should
make two copies of each evidence item using different imaging tools
an improvement on the Caesar cipher that uses more than one shift is called a
multialphabet substitution
it takes _________ occurrence(s) of overextending yourself during testimony to ruin your career
only one