Computer Forensics Final Exam Study Guide

All expert witnesses must be members of associations that license them. True or False?

False

Linux is the only OS that has a kernel. True or False?

False

When investigating graphics files, you should convert them into one standard format. True or False?

False

The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False?

True

To see Google Drive synchronization files, you need a SQL viewer. True or False?

True

Externally enforced ethical rules, with sanctions that can restrict a professional's practice, are more accurately described as which of the following? a. A higher calling b. Laws c. Objectives d. All of the above

b. Laws

What's the most commonly used cellular network worldwide? a. EDGE b. TDMA c. CDMA d. GSM

c. CDMA

To recover a password in macOS, which tool do you use? a. PRTK b. Password Access c. Keychain Access d. Finder

c. Keychain Access

How does macOS reduce file fragmentation? a. By using 256 bit sectors b. By using 128 bit sectors c. By using clusters d. By using clumps

d. By using clumps

A JPEG file is an example of a vector graphic. True or False?

False

Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?

False

The ANAB mandates the procedures established for a digital forensics lab. True or False?

False

The plain view doctrine in computer searches is well-established law. True or False?

False

The uRLLC 5G category focuses on communications in smart cities. True or False?

False

Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?

False

A CSP's incident response team typically consists of system administrators, network administrators, and legal advisors. True or False?

True

A hashing algorithm is a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk. True or False?

True

A logical acquisition collects only specific files of interest to the case. True or False?

True

A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT. True or False?

True

The purpose of maintaining a network of digital forensics specialists is to develop a list of colleagues who specialize in areas different from your own specialties in case you need help on an investigation. True or False?

True

The type of information conveyed to the expert, amount of time involved in discussions or meetings, and whether the expert provided the attorney with confidential information are three factors courts have used in determining whether to disqualify an expert. True or False?

True

To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations. True or False?

True

Which of the following Linux system files contains hashed passwords for the local system? a. /etc/shadow b. /etc/passwd c. /var/log/syslog d. /var/log/dmesg

a. /etc/shadow

Large digital forensics labs should have at least ________ exits. a. 2 b. 4 c. 5 d. 7

a. 2

What's the maximum file size when writing data to a FAT32 drive? a. 2 GB b. 3 GB c. 4 GB d. 6 GB

a. 2 GB

In which cloud service level can customers rent hardware and install whatever OSs and applications they need? a. IaaS b. PaaS c. HaaS d. SaaS

a. IaaS

Bitmap (.bmp) files use which of the following types of compression? a. Lossless b. WinZip c. Lzip d. Lossy

a. Lossless

In the Linux dcfldd command, which three options are used for validating data? a. hash, hashlog, and vf b. h, hl, and vf c. hash, log, and hashlog d. vf, of, and vv

a. hash, hashlog, and vf

Packet analyzers examine what layers of the OSI model? (FINAL EXAM QUESTION) a. All layers b. Layers 2 and 3 c. Layers 2 and 4 d. Layers 4 through 7

b. Layers 2 and 3

What do you call a list of people who have had physical possession of the evidence? a. Affidavit b. Evidence record c. Chain of custody d. Evidence log

c. Chain of custody

Most SIM cards allow ______ access attempts before locking you out. (FINAL EXAM QUESTION) a. One b. Two c. Three d. Four

c. Three

A JPEG file uses which type of compression? a. Lzip b. Lossless c. WinZip d. Lossy

d. Lossy

GSM divides a mobile station into ______ and ______. a. SIM card and EEPROM b. RAM and ME c. RAM and SIM d. SIM card and ME

d. SIM card and ME

A forensic image of a VM includes all snapshots. True or False?

False

A forensic linguist can determine an author's gender by analyzing chat logs and social media communications. True or False?

False

A forensic workstation should always have a direct broadband connection to the Internet. True or False?

False

A live acquisition can be replicated. True or False?

False

A warning banner should never state that the organization has the right to monitor what users do. True or False?

False

ASQ and ANAB are two popular certification programs for digital forensics. True or False?

False

After you shift a file's bits, the hash value remains the same. True or False?

False

An initial-response field kit does not contain evidence bags. True or False?

False

BIOS boot firmware was developed to provide better protection against malware than EFI. True or False?

False

Building a forensic workstation is more expensive than purchasing one. True or False?

False

Codes of professional conduct or responsibility set the highest standards for professionals' expected performance. True or False?

False

Commingled data isn't a concern when acquiring cloud data. True or False?

False

Copyright laws don't apply to Web sites. True or False?

False

Digital forensics and data recovery refer to the same activities. True or False?

False

Digital forensics facilities always have windows. True or False?

False

Ethical obligations are duties that you owe only to others. True or False?

False

Even in the light of recent developments in technology, you shouldn't change your opinion from one you testified to in a previous case. True or False?

False

Evidence storage containers should have several master keys. True or False?

False

FTK Imager can acquire data in a drive's host protected area. True or False?

False

Figures not used in the body of the report can't be included in report appendixes. True or False?

False

Graphics files stored on a computer can't be recovered after they are deleted. True or False?

False

Hardware acquisition tools typically have built-in software for data analysis. True or False?

False

IETF is the organization setting standards for 5G devices. True or False?

False

If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. True or False?

False

In Linux, the *fdisk -l* command lists the suspect drive as */dev/hda1*. So the following *dcfldd* command is correct: *dcfldd if=image_file.img of=/dev/hda1*. True or False?

False

In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False?

False

Only one file format can compress graphics files. True or False?

False

Password recovery is included in all forensics tools. True or False?

False

Slower data transfer speeds and dealing with minor data errors are two disadvantages of the raw format. True or False?

False

Small companies rarely need investigators. True or False?

False

When acquiring a mobile device at an investigation scene, you should leave it connected to a laptop or tablet so that you can observe synchronization as it takes place. True or False?

False

When determining which data acquisition method to use, you should not consider how long the acquisition will take. True or False?

False

When using a write-blocking device, you can't remove and reconnect drives without having to shut down your workstation. True or False?

False

You can view e-mail headers in Notepad with all popular e-mail clients. True or False?

False

You should always answer questions from onlookers at a crime scene. True or False?

False

You should always prove the allegations made by the person who hired you. True or False?

False

You shouldn't include a narrative of what steps you took in your case report. True or False?

False

Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True or False?

False

A CSA, or cloud service agreement, is a contract between a CSP and the customer that describes what services are being provided and at what level. True or False?

True

After examining e-mail headers to find an e-mail's originating address, investigators use forward lookups to track an e-mail to a suspect. True or False?

True

Amazon was an early provider of Web-based services that eventually developed into the cloud concept. True or False?

True

An employer can be held liable for e-mail harassment. True or False?

True

An encrypted drive is one reason to choose a logical acquisition. True or False?

True

An image of a suspect drive can be loaded on a virtual machine. True or False?

True

One unethical technique opposing counsel might attempt is making discovery depositions physically uncomfortable. True or False?

True

Being able to incorporate the log files and reports tools generate into your written reports is a major advantage of automated forensics tools in report writing. True or False?

True

CHS stands for cylinders, heads, and sectors. True or False?

True

Commercial encryption programs often rely on key escrow technology to recover files if a password or passphrase is lost. True or False?

True

Commingling evidence means that sensitive or confidential information is mixed with data collected as evidence. True or False?

True

Commonly, proprietary format acquisition files can compress the acquisition data and segment acquisition output files into smaller volumes. True or False?

True

Computer peripherals or attachments can contain DNA evidence. True or False?

True

Data blocks contain actual files and directories and are linked directly to inodes. True or False?

True

Data can't be written to disk with a command-line tool. True or False?

True

Data viewing, keyword searching, and decompressing are three subfunctions of the extraction function. True or False?

True

Device drivers contain instructions for the OS on how to interface with hardware devices. True or False?

True

E-mail accessed with a Web browser leaves files in temporary folders. True or False?

True

Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or False?

True

Embezzlement is a type of digital investigation typically conducted in a business environment. True or False?

True

FTK Imager requires that you use a device such as a USB dongle for licensing. True or False?

True

File and directory names are some of the items stored in the FAT database. True or False?

True

For digital evidence, an evidence bag is typically made of antistatic material. True or False?

True

Hard links work in only one partition or volume. True or False?

True

If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?

True

If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?

True

If you were a lay witness at a previous trial, you shouldn't list that case in your written report. True or False?

True

In NTFS, files smaller than 512 bytes are stored in the MFT. True or False?

True

In forensic hashes, a collision occurs when two different files have the same hash value. True or False?

True

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. True or False?

True

In the United States, no state or national licensing body specifically licenses forensics examiners. True or False?

True

MFT stands for Master File Table. True or False?

True

Mobile device information might be stored on the internal memory or the SIM card. True or False?

True

One way to determine the resources needed for an investigation is, based on the OS of the suspect computer, to list the software needed for the examination. True or False?

True

Placing it in paint cans and using Faraday bags are two ways you can isolate a mobile device from incoming signals. True or False?

True

Public cloud services such as Dropbox and OneDrive use Sophos SafeGuard and Sophos Mobile Control as their encryption applications. True or False?

True

SIM card readers can alter evidence by showing that a message has been read when you view it. True or False?

True

Scope creep happens when an investigation goes beyond the bounds of its original description. True or False?

True

Spoliation means destroying a report before the final resolution of a case. True or False?

True

Standards that others apply to you or that you're compelled to adhere to by external forces (such as licensing bodies) and your own internal rules you use to measure your performance are two types of ethical standards. True or False?

True

Tcpslice can be used to retrieve specific timeframes of packet captures. True or False?

True

Testimony preservation and discovery are two types of depositions. True or False?

True

The Disk Arbitration feature in macOS is used to disable and enable automatic mounting when a drive is connected via a USB or FireWire device. True or False?

True

The Internet of Things includes radio frequency identification (RFID) sensors as well as wired, wireless, and mobile devices. True or False?

True

The Linux Ext4 file system added support for partitions larger than 16 TB. True or False?

True

The cloud services Dropbox, Google Drive, and OneDrive have Registry entries. True or False?

True

The data fork stores a file's actual data, and the resource fork contains file metadata and application information. True or False?

True

The main goal of a static acquisition is the preservation of digital evidence. True or False?

True

The multitenancy nature of cloud environments means conflicts in privacy laws can occur. True or False?

True

The primary hashing algorithm the NSRL project uses is SHA-1. True or False?

True

To identify an unknown graphics file format, you need to examine a copy of the unknown file with a hexadecimal editor to find the hex code for the first several bytes of the file. True or False?

True

Typically, you need a search warrant to retrieve information from a service provider. True or False?

True

Updates to the EU Data Protection Rules will affect how data is moved during an investigation regardless of location. True or False?

True

Voir dire is the process of qualifying a witness as an expert. True or False?

True

When viewing a file header, you need to include hexadecimal information to view the image. True or False?

True

With newer Linux kernel distributions, USB devices are automatically mounted, which can alter data on them. True or False?

True

You should include work experience, training you provided or contributed to, and professional awards or recognitions in your CV. True or False?

True

You should take these four steps to handle a deposition in which physical circumstances are uncomfortable: 1. Ask the attorney to correct the situation. 2. If the situation is not corrected, note these conditions into the record, and repeat noting them as long as the conditions persist. 3. After you have noted the problem into the record, you can refuse to continue with the deposition. Generally, you should consult with an attorney before taking this step. 4. If you think the behavior was serious enough that you can justify refusing to continue, consider reporting the attorney to his or her state bar association. True or False?

True

You should videotape or sketch anything at a digital crime scene that might be of interest to the investigation. True or False?

True

Your business plan should include physical security items. True or False?

True

In VirtualBox, a(n) __________ file contains settings for virtual hard drives. a. .vbox b. .log c. .vbox-prev d. .ovf

a. .vbox

To trace an IP address in an e-mail header, what type of lookup service can you use? a. A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net b. Intelius Inc.'s AnyWho online directory c. Verizon's http://superpages.com d. None of the above

a. A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net

The National Software Reference Library provides what type of resource for digital forensics examiners? a. A list of MD5 and SHA1 hash values for all known OSs and applications b. Reference books and materials for digital forensics c. A list of digital forensics tools that make examinations easier d. A repository for software vendors to register their developed applications

a. A list of MD5 and SHA1 hash values for all known OSs and applications

Which organization has guidelines on how to operate a digital forensics lab? a. ANAB b. SCADA c. NISPOM d. TEMPEST

a. ANAB

What are two concerns when acquiring data from a RAID server? a. Amount of data storage needed and type of RAID b. Type of RAID and antivirus software c. Split RAID and Redundant RAID d. Data transfer speeds and type of RAID

a. Amount of data storage needed and type of RAID

Which of the following is an example of a written report? a. An affidavit b. Voir dire c. A search warrant d. Any of the above

a. An affidavit

With remote acquisitions, what problems should you be aware of? a. Antivirus, antispyware, and firewall programs b. The password of the remote computer's user c. Access permissions over the network d. Data transfer speeds

a. Antivirus, antispyware, and firewall programs

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive. a. EnCase and X-Ways Forensics b. X-Ways Forensics and dd c. dd and EnCase d. dd and Expert Witness

a. EnCase and X-Ways Forensics

Which of the following rules or laws requires an expert to prepare and submit a report? a. FRCP 26 b. FRE 801 c. Both a and b d. Neither of the above

a. FRCP 26

EFS can encrypt which of the following? a. Files, folders, and volumes b. The global Registry c. Certificates and private keys d. Network servers

a. Files, folders, and volumes

Which of the following statements about the legal-sequential numbering system in report writing is true? (FINAL EXAM QUESTION) a. It doesn't indicate the relative importance of information. b. It's required for reports submitted in federal court. c. It's favored because it's easy to organize and understand. d. It's most effective for shorter reports.

a. It doesn't indicate the relative importance of information.

Why is professional conduct important? a. It includes ethics, morals, and standards of behavior b. It saves a company from using warning banners c. It helps with an investigation d. All of the above

a. It includes ethics, morals, and standards of behavior

Which of the following relies on a central database that tracks account data, location data, and subscriber information? a. MSC b. BTS c. BSC d. None of the above

a. MSC

Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? a. Most companies keep inventory databases of all hardware and software used. b. The investigator doesn't have to get a warrant. c. The investigator has to get a warrant. d. Users can load whatever they want on their machines.

a. Most companies keep inventory databases of all hardware and software used.

Typically, a(n) ________ lab has a separate storage area or room for evidence. a. Regional b. Federal c. Research d. State

a. Regional

In which of the following cases did the U.S. Supreme Court require using a search warrant to examine the contents of mobile devices? (FINAL EXAM QUESTION) a. Riley v. California b. Smith v. Oregon c. Miles v. North Dakota d. Dearborn v. Ohio

a. Riley v. California

Which of the following describes fact testimony? (FINAL EXAM QUESTION) a. Scientific or technical testimony describing information recovered during an examination b. Testimony by law enforcement officers c. Testimony based on observations by lay witnesses d. None of the above

a. Scientific or technical testimony describing information recovered during an examination

According to ISO standard 27037, which of the following is an important factor in data acquisition? a. The DEFR's competency b. The DEFR's skills in using the command line c. Conditions at the acquisition setting d. None of the above

a. The DEFR's competency

You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information? (FINAL EXAM QUESTION) a. There's a hidden partition. b. The drive is formatted incorrectly. c. The disk is corrupted. d. Nothing; this is what you'd expect to see.

a. There's a hidden partition.

Why should evidence media be write-protected? a. To make sure data isn't altered b. To comply with industry standards c. To make image files smaller in size d. To speed up the imaging process

a. To make sure data isn't altered

Router logs can be used to verify what types of e-mail data? a. Tracking flows through e-mail server ports b. Finding blind copies c. Content of attached files d. Message content

a. Tracking flows through e-mail server ports

When should a temporary restraining order be requested for cloud environments? a. When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case b. When cloud customers need immediate access to their data c. When anti-forensics techniques are suspected d. To enforce a court order

a. When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case

Contingency fees can be used to compensate an expert under which circumstances? a. When the expert is acting only as a consultant, not a witness b. When the expert is too expensive to compensate at the hourly rate c. When the expert is willing to accept a contingency fee arrangement d. All of the above

a. When the expert is acting only as a consultant, not a witness

As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? a. You begin to take orders from a police detective without a warrant or subpoena. b. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. c. Your internal investigation begins. d. None of the above.

a. You begin to take orders from a police detective without a warrant or subpoena.

In Linux, which of the following is the home directory for the superuser? a. root b. home c. super d. /home/superuser

a. root

Clusters in Windows always begin numbering at what number? a. 1 b. 2 c. 3 d. 4

b. 2

On a Windows system, sectors typically contain how many bytes? a. 256 b. 512 c. 1024 d. 2048

b. 512

What information is not in an e-mail header? a. Domain name b. Blind copy (bcc) addresses c. Internet addresses d. All of the above

b. Blind copy (bcc) addresses

When working for a prosecutor, what should you do if the evidence you found appears to be exculpatory and isn't being released to the defense? a. Keep the information on file for later review. b. Bring the information to the attention of the prosecutor, then his or her supervisor, and finally to the judge (the court). c. Give the evidence to the defense attorney. d. Destroy the evidence.

b. Bring the information to the attention of the prosecutor, then his or her supervisor, and finally to the judge (the court).

Which forensics tools can connect to a suspect's remote computer and run surreptitiously? a. dd and dcfldd b. EnCase Enterprise and ProDiscover Incident Response c. dcfldd and ProDiscover Incident Response d. dd and EnCase Enterprise

b. EnCase Enterprise and ProDiscover Incident Response

Of all the proprietary formats, which one is the unofficial standard? a. AFF b. Expert Witness c. Uncompressed dd d. Segmented dd

b. Expert Witness

Automated tools help you collect and report evidence, but you're responsible for doing which of the following? (FINAL EXAM QUESTION) a. Explaining your formatting choices b. Explaining the significance of the evidence c. Explaining in detail how the software works d. All of the above

b. Explaining the significance of the evidence

Which of the following represents known files you can eliminate from an investigation? (FINAL EXAM QUESTION) a. Any files pertaining to the company b. Files associated with an application c. Any graphics files d. All of the above

b. Files associated with an application

What does a sparse acquisition collect for an investigation? a. Only specific files of interest to the case b. Fragments of unallocated data in addition to the logical allocated data c. Only the logical allocated data d. Only fragments of unallocated data

b. Fragments of unallocated data in addition to the logical allocated data

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you? a. Extensive-response kit b. Initial-response kit c. Car crash kit d. Lightweight kit

b. Initial-response kit

Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation? a. Criminal investigation because law enforcement agencies have more resources at their disposal b. Internal corporate investigation because corporate investigators typically have ready access to company records c. Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly d. Internal corporate investigation because ISPs almost always turn over e-mail and access logs when requested by a large corporation

b. Internal corporate investigation because corporate investigators typically have ready access to company records

Which of the following describes the superblock's function in the Linux file system? a. Stores bootstrap code b. Manages the file system, including configuration information c. Contains links between inodes d. All of the above

b. Manages the file system, including configuration information

Which organization provides good information on safe storage containers? a. ASQ b. NISPOM c. ASCLD d. TEMPEST

b. NISPOM

Which of the following Windows 8 files contains user-specific information? a. User.dat b. Ntuser.dat c. System.dat d. SAM.dat

b. Ntuser.dat

What are the three modes of protection in the DiD strategy? a. People, PCs, mobile devices b. People, technology, operations c. Computer, smartphones, tablets d. PCs, mobile devices, laptops

b. People, technology, operations

The verification function does which of the following? a. Proves that a tool performs as intended b. Proves that two sets of data are identical via hash values c. Creates segmented files d. Verifies hex editors

b. Proves that two sets of data are identical via hash values

When you begin a conversation with an attorney about a specific case, what should you do? a. Ask to meet with the attorney. b. Refuse to discuss details until a retainer agreement is returned. c. Ask who the parties in the case are. d. Answer his or her questions in as much detail as possible.

b. Refuse to discuss details until a retainer agreement is returned.

Digital pictures use data compression to accomplish which of the following goals? a. Provide a crisp and clear image. b. Save space on a hard drive. c. Eliminate redundant data. d. All of the above

b. Save space on a hard drive.

What term refers to labs constructed to shield EMR emissions? a. ASQ b. TEMPEST c. NISPOM d. SCADA

b. TEMPEST

Which of the following is true of most drive-imaging tools? a. They perform the same function as a backup. b. They ensure that the original drive doesn't become corrupt and damage the digital evidence. c. They must be run from the command line. d. All of the above

b. They ensure that the original drive doesn't become corrupt and damage the digital evidence.

Why should you do a standard risk assessment to prepare for an investigation? a. To obtain an affidavit b. To list problems that might happen when conducting an investigation c. To obtain a search warrant d. To discuss the case with the opposing counsel

b. To list problems that might happen when conducting an investigation

What is the space on a drive called when a file is deleted? a. Disk space b. Unallocated space c. Drive space d. None of the above

b. Unallocated space

If you're giving an answer that you think your attorney should follow up on, what should you do? a. Argue with the attorney who asked the question. b. Use an agreed-on expression to alert the attorney to follow up on the question. c. Change the tone of your voice. d. Try to include as much information in your answer as you can.

b. Use an agreed-on expression to alert the attorney to follow up on the question.

Hashing, filtering, and file header analysis make up which function of digital forensics tools? a. Acquisition b. Validation and verification c. Extraction d. Reconstruction

b. Validation and verification

Which of the following is the main challenge in acquiring an image of a system running macOS? a. Most commercial software doesn't support macOS. b. Vendor training is needed. c. The macOS is incompatible with most write-blockers. d. None of the above

b. Vendor training is needed.

The triad of computing security includes which of the following? a. Vulnerability assessment, intrusion response, and monitoring b. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation c. Vulnerability assessment, detection, and monitoring d. Detection, response, and monitoring

b. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation

Sendmail uses which file for instructions on processing an e-mail message? a. syslogd.conf b. sendmail.cf c. mapi.log d. mese.ese

b. sendmail.cf

On a UNIX-like system, which file specifies where to save different types of e-mail log files? a. /var/spool/log b. syslog.conf c. maillog d. log

b. syslog.conf

Which of the following types of files can provide useful information when you're examining an e-mail server? (FINAL EXAM QUESTION) a. .emx files b. .slf files c. .log files d. .dbf files

c. .log files

In Microsoft Outlook, e-mails are typically stored in which of the following? a. .evolution file b. res1.log and res2.log files c. .pst and .ost files d. PU020102.db file

c. .pst and .ost files

On most Linux systems, current user login information is in which of the following locations? a. /var/log/usr b. /var/log/dmesg c. /var/run/utmp d. /var/log/wtmp

c. /var/run/utmp

In FAT32, a 123-KB file uses how many sectors? a. 123 b. 185 c. 246 d. 255

c. 246

How many sectors are typically in a cluster on a disk drive? a. 1 b. 2 or more c. 4 or more d. 8 or more

c. 4 or more

What is a motion in limine? a. A pretrial motion to revise the case schedule b. The movement of molecules in a random fashion c. A pretrial motion for the purpose of excluding certain evidence d. A motion to dismiss the case

c. A pretrial motion for the purpose of excluding certain evidence

Hard links are associated with which of the following? a. An absolute path to a file b. Hidden files c. A specific inode d. Dot notation

c. A specific inode

For which of the following reasons should you wipe a target drive? a. To ensure the quality of digital evidence you acquire b. To make sure unwanted data isn't retained on the drive c. Both a and b d. Neither of the above

c. Both a and b

List three organizations that have a code of ethics or conduct. a. ISFCE, IACIS, AMA b. IACIS, APA, ABA c. Both a and b d. None of the above

c. Both a and b

What kind of information do fact witnesses provide during testimony? a. Facts only b. Observations of the results of tests they performed c. Both a and b d. Neither of the above

c. Both a and b

Which of the following categories of information is stored on a SIM card? a. Call data b. Service-related data c. Both a and b d. None of the above

c. Both a and b

When validating the results of a forensic analysis, you should do which of the following? a. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. b. Use a command-line tool and then a GUI tool. c. Calculate the hash value with two different tools. d. None of the above

c. Calculate the hash value with two different tools.

List three items that should be on an evidence custody form. a. Affidavit, search warrant, and description of the evidence b. Name of the investigator, affidavit and name of the judge assigned to the case c. Case number, name of the investigator and nature of the case d. Description of the evidence, location of the evidence and search warrant

c. Case number, name of the investigator and nature of the case

When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do? a. Search available log files for any forwarded messages. b. Restore the e-mail server from a backup. c. Check the current database files for an existing copy of the e-mail. d. Do nothing because after the file has been deleted, it can no longer be recovered.

c. Check the current database files for an existing copy of the e-mail.

When you access your e-mail, what type of computer architecture are you using? a. Domain b. Mainframe and minicomputers c. Client/server d. None of the above

c. Client/server

Logging options on e-mail servers can be which of the following? a. Disabled by users b. Set up in a circular logging configuration c. Configured to a specified size before being overwritten d. Both b and c

c. Configured to a specified size before being overwritten

When writing a report, what's the most important aspect of formatting? (FINAL EXAM QUESTION) a. A neat appearance b. Clear use of symbols and abbreviations c. Consistency d. Size of the font

c. Consistency

If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? a. Assume the suspect's computer is contaminated. b. Determine a way to obtain the suspect's computer. c. Coordinate with the HAZMAT team. d. Do not enter alone.

c. Coordinate with the HAZMAT team.

Before enlisting in a certification program, thoroughly research the requirements, ________, and acceptability in your area of employment. a. Location b. Business hours c. Cost d. Number of students

c. Cost

What methods do steganography programs use to hide data in graphics files? a. Insertion b. Substitution c. Either of the above d. None of the above

c. Either of the above

Which of the following is a new file added in macOS? a. /var/db/uuid.text b. /var/db/diagnostics c. Either of the above d. None of the above

c. Either of the above

Police in the United States must use procedures that adhere to which of the following? a. First Amendment b. Third Amendment c. Fourth Amendment d. None of the above

c. Fourth Amendment

Forensics software tools are grouped into ______ and ______ applications. a. Local, remote b. Portable, Desktop c. GUI, command-line d. Mobile, PC

c. GUI, command-line

The standards for testing forensics tools are based on which criteria? a. ASTD 1975 b. U.S. Title 18 c. ISO 17025 d. All of the above

c. ISO 17025

A layered network defense strategy puts the most valuable data where? (FINAL EXAM QUESTION) a. In the DMZ b. In the outermost layer c. In the innermost layer d. None of the above

c. In the innermost layer

What are the three rules for a forensic hash? a. Fast, reliable, and the hash value should be at least 2048 bits b. Produce collisions, should be at least 2048 bits, and it can't be predicted c. It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes d. It can be predicted, fast and reliable

c. It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes

Phishing does which of the following? (FINAL EXAM QUESTION) a. Uses DNS poisoning b. Uses DHCP c. Lures users with false promises d. Takes people to fake Web sites

c. Lures users with false promises

List two hashing algorithms commonly used for forensic purposes. a. AES and SHA-2 b. RSA and RC5 c. MD5 and SHA-1 d. MD5 and AES

c. MD5 and SHA-1

Areal density refers to which of the following? a. Number of bits per disk b. Number of bits per partition c. Number of bits per square inch of a disk platter d. Number of bits per platter

c. Number of bits per square inch of a disk platter

The most reliable way to ensure that jurors recall testimony is to do which of the following? a. Emphasize your points with humorous anecdotes. b. Present evidence using oral testimony supported by hand gestures and facial expressions. c. Present evidence combining oral testimony and graphics that support the testimony. d. Wear bright clothing to attract jurors' attention.

c. Present evidence combining oral testimony and graphics that support the testimony.

The number of VMs that can be supported per host by a type 1 hypervisor is generally determined by the amount of __________ and __________. (FINAL EXAM QUESTION) a. Storage, processing power b. RAM, network speed c. RAM, storage d. RAM, GPU

c. RAM, storage

Name the three formats for digital forensics data acquisitions. a. Raw, AICIS, and AFF b. EnCase format, Raw, and dd c. Raw format, proprietary formats, and AFF d. dd, Raw, and AFF

c. Raw format, proprietary formats, and AFF

When you carve a graphics file, recovering the image depends on which of the following skills? a. Recognizing the pattern of the data content b. Recognizing the pattern of a corrupt file c. Recognizing the pattern of the file header content d. Recovering the image from a tape backup

c. Recognizing the pattern of the file header content

A log report in forensics tools does which of the following? a. Tracks file types b. Monitors network intrusion attempts c. Records an investigator's actions in examining a case d. Lists known good files

c. Records an investigator's actions in examining a case

Which of the following certifies when an OS meets UNIX requirements? a. UNIX Users Group b. IEEE c. The Open Group d. SUSE Group

c. The Open Group

What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? a. The file can no longer be encrypted. b. EFS protection is maintained on the file. c. The file is unencrypted automatically. d. Only the owner of the file can continue to access it.

c. The file is unencrypted automatically.

Which of the following is true about JPEG and TIF files? a. They differ from other graphics files because their file headers contain fewer bits. b. They differ from other graphics files because their file headers contain more bits. c. They have different values for the first 2 bytes of their file headers. d. They have identical values for the first 2 bytes of their file headers.

c. They have different values for the first 2 bytes of their file headers.

Why is it a good practice to make two images of a suspect drive in a critical investigation? a. To speed up the process b. To have one compressed and one uncompressed copy c. To ensure at least one good copy of the forensically collected data in case of any failures d. None of the above

c. To ensure at least one good copy of the forensically collected data in case of any failures

For what purpose have hypothetical questions traditionally been used in litigation? a. To stimulate discussion between a consulting expert and an expert witness b. To define the case issues for the finder of fact to determine c. To frame the factual context of rendering an expert witness's opinion d. To deter a witness from expanding the scope of his or her investigation beyond the case requirements.

c. To frame the factual context of rendering an expert witness's opinion

Why should you critique your case after it's finished? a. To maintain a professional conduct b. To maintain chain of custody c. To improve your work d. To list problems that might happen when conducting an investigation

c. To improve your work

List two features NTFS has that FAT does not. a. MRU records and file attributes b. Master File Table and MRU records c. Unicode characters and better security d. MRU records and less fragmentation

c. Unicode characters and better security

To determine the types of operating systems needed in your lab, list two sources of information you could use. a. ANAB and IACIS b. EnCE and ACE c. Uniform Crime Report statistics and a list of cases handled in your area d. Local police reports and ISFCE reports

c. Uniform Crime Report statistics and a list of cases handled in your area

Hash values are used for which of the following purposes? a. Filling disk slack b. Reconstructing file fragments c. Validating that the original data hasn't changed d. Determining file size

c. Validating that the original data hasn't changed

Virtual machines have which of the following limitations when running on a host computer? a. Applications can be run on the virtual machine only if they're resident on the physical machine. b. Internet connectivity is restricted to virtual Web sites. c. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. d. Virtual machines can run only OSs that are older than the physical machine's OS.

c. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.

Which of the following is a clue that a virtual machine has been installed on a host system? a. Network logs b. USB drive c. Virtual network adapter d. Virtualization software

c. Virtual network adapter

Which of the following describes plist files? a. They require special installers. b. They're found only in Linux file systems. c. You must have a special editor to view them. d. None of the above

c. You must have a special editor to view them.

At trial as a fact or expert witness, what must you always remember about your testimony? a. Avoid mentioning how much you were paid for your services. b. You're responsible for the outcome of the case. c. Your duty is to report your technical or scientific findings or render an honest opinion. d. All of the above

c. Your duty is to report your technical or scientific findings or render an honest opinion.

Which of the following file extensions are associated with VMware virtual machines? a. .vmx, .r0, and .xml-prev b. .vdi, .ova, and .r0 c. .vbox, .vdi, and .log d. .vmx, .log, and .nvram

d. .vmx, .log, and .nvram

SD cards have a capacity up to which of the following? a. 4 MB b. 100 MB c. 500 MB d. 64 GB

d. 64 GB

According to SANS DFIR Forensics, which of the following tasks should you perform if a mobile device is on and unlocked? (FINAL EXAM QUESTION) a. Isolate the device from the network. b. Disable the screen lock. c. Remove the passcode. d. All of the above

d. All of the above

An expert witness can give an opinion in which of the following situations? a. The witness testifies to a reasonable degree of certainty (probability) about his or her opinion, inference, or conclusion. b. The opinion, inferences, or conclusions depend on special knowledge, skills, or training not within the ordinary experience of laypeople. c. The witness is shown to be qualified as a true expert in the field. d. All of the above

d. All of the above

Building a business case can involve which of the following? a. Procedures for gathering evidence b. Testing software c. Protecting trade secrets d. All of the above

d. All of the above

During your cross-examination, you should do which of the following? a. Maintain eye contact with the jury. b. Help the attorneys, judge, and jury in understanding the case, even if you have to go a bit beyond the scope of your expertise. c. Pay close attention to opposing counsel's questions. d. All of the above

d. All of the above

E-mail headers contain which of the following information? (FINAL EXAM QUESTION) a. An ESMTP number or reference number b. The sender and receiver e-mail addresses c. The e-mail servers the message traveled through to reach its destination d. All of the above

d. All of the above

List three obvious ethical errors. a. 1. Don't accept an assignment if it cannot reasonably be done in the allowed time. 2. Don't reach a conclusion before you have done complete research. 3. Don't fail to report possible conflicts of interest. b. 1. Don't present false data or alter data. 2. Don't report work that was not done. 3. Don't ignore available contradictory data. c. 1. Don't ignore available contradictory data. 2. Don't do work beyond your expertise or competence. 3. Don't allow the attorney who retained you to influence your opinion in an unauthorized way. d. All of the above

d. All of the above

NIST document SP 500-322 defines more than 75 cloud services, including which of the following? a. Drupal as a service b. Backup as a service c. Security as a service d. All of the above

d. All of the above

Remote wiping of a mobile device can result in which of the following? (FINAL EXAM QUESTION) a. Removing account information b. Returning the phone to the original factory settings c. Deleting contacts d. All of the above

d. All of the above

Some clues left on a drive that might indicate steganography include which of the following? a. Graphics files with the same name but different file sizes b. Steganography programs in the suspect's All Programs list c. Multiple copies of a graphics file d. All of the above

d. All of the above

The manager of a digital forensics lab is responsible for which of the following? a. Knowing the lab objectives b. Ensuring that staff members have enough training to do the job c. Making necessary changes in lab procedures and software d. All of the above

d. All of the above

The reconstruction function is needed for which of the following purposes? a. Re-create a suspect drive to show what happened. b. Re-create a drive compromised by malware. c. Create a copy of a drive for other investigators. d. All of the above

d. All of the above

What capabilities should a forensics tool have to acquire data from a cloud? (FINAL EXAM QUESTION) a. Identify and acquire data from the cloud. b. Examine virtual systems. c. Expand and contract data storage capabilities as needed for service changes. d. All of the above

d. All of the above

What expressions are acceptable to use in testimony to respond to a question for which you have no answer? a. I wasn't asked to investigate that. b. That's beyond the scope of my investigation. c. That's beyond the scope of my expertise. d. All of the above

d. All of the above

When using graphics while testifying, which of the following guidelines applies? a. Make sure the jury can see your graphics. b. Your exhibits must be clear and easy to understand. c. Practice using charts for courtroom testimony. d. All of the above

d. All of the above

Which forensic image file format creates or incorporates a validation hash value in the image file? a. AFF b. SMART c. Expert Witness d. All of the above

d. All of the above

Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider? a. Subpoenas with prior notice b. Search warrants c. Court orders d. All of the above

d. All of the above

Which of the following is a mobile forensics method listed in NIST guidelines? a. Physical extraction b. Logical extraction c. Hex dumping d. All of the above

d. All of the above

Which of the following techniques might be used in covert surveillance? a. Keylogging b. Data sniffing c. Network logs d. All of the above

d. All of the above

You can expect to find a type 2 hypervisor on what type of device? a. Desktop b. Tablet c. Smartphone d. All of the above

d. All of the above

Your curriculum vitae is which of the following? a. A generally required document to be made available before your testimony b. A necessary tool to be an expert witness c. A detailed record of your experience, education, and training d. All of the above

d. All of the above

Policies can address rules for which of the following? a. The amount of personal e-mail you can send b. When you can log on to a company network from home c. The Internet sites you can or can't access d. Any of the above

d. Any of the above

Before testifying, you should do which of the following? a. Create an examination plan with your retaining attorney. b. Make sure you've been paid for your services and the estimated fee for the deposition or trial. c. Get a haircut. d. Both a and b

d. Both a and b

The Known File Filter (KFF) can be used for which of the following purposes? a. Filter known program files from view. b. Calculate hash values of image files. c. Compare hash values of known files with evidence files. d. Both a and c

d. Both a and c

The term TDMA refers to which of the following? a. A technique of dividing a radio frequency so that multiple users share the same channel b. A proprietary protocol developed by Motorola c. A specific cellular network standard d. Both a and c

d. Both a and c

What should you do if you realize you have made a mistake or misstatement during a deposition? (FINAL EXAM QUESTION) a. If the deposition is still in session, refer back to the error and correct it. b. Decide whether the error is minor, and if so, ignore it. c. If the deposition is over, make the correction on the corrections page of the copy provided for your signature. d. Both a and c

d. Both a and c

When do zero day attacks occur? a. On the day the application or OS is released b. Before a patch is available c. Before the vendor is aware of the vulnerability d. Both a and c

d. Both a and c

When searching a victim's computer for a crime committed with a specific e-mail, which of the following provides information for determining the e-mail's originator? a. E-mail header b. Username and password c. Firewall log d. Both a and c

d. Both a and c

Which of the following describes expert witness testimony? a. Testimony designed to assist the jury in determining matters beyond the ordinary person's scope of knowledge b. Testimony that defines issues of the case for determination by the jury c. Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience d. Both a and c

d. Both a and c

What are the two states of encrypted data in a secure cloud? a. RC4 and RC5 b. Homomorphic and AES c. CRC-32 and UTF-16 d. Data in motion and data at rest

d. Data in motion and data at rest

The process of converting raw images to another format is called which of the following? a. Data conversion b. Transmogrification c. Transfiguring d. Demosaicing

d. Demosaicing

Which Registry key contains associations for file extensions? a. HFILE_CLASSES_ROOT b. HFILE_EXTENSIONS c. HKEY_CLASSES_FILE d. HKEY_CLASSES_ROOT

d. HKEY_CLASSES_ROOT

Steganography is used for which of the following purposes? a. Accessing remote computers b. Validating data c. Creating strong passwords d. Hiding data

d. Hiding data

Virtual Machine Extensions (VMX) are part of which of the following? a. AMD Virtualized Technology b. Type 2 hypervisors c. Type 1 hypervisors d. Intel Virtualized Technology

d. Intel Virtualized Technology

What methods are used for digital watermarking? a. Using a hex editor to alter the image data b. Nothing; this is what you'd expect to see. c. Implanted subroutines that link to a central Web server automatically when the watermarked file is accessed d. Invisible modification of the LSBs in the file

d. Invisible modification of the LSBs in the file

What purpose does making your own recording during a deposition serve? a. It assists you with reviewing the transcript of the deposition. b. It prevents opposing counsel from intimidating you. c. It shows the court reporter that you don't trust him or her. d. It allows you to review your testimony with your attorney during breaks.

d. It allows you to review your testimony with your attorney during breaks.

What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data? a. Recursive b. Lossy c. Vector quantization d. Lossless

d. Lossless

Which of the following is a current formatting standard for e-mail? a. HTML b. Outlook c. SMTP d. MIME

d. MIME

What does the Ntuser.dat file contain? a. File and directory names b. Starting cluster numbers c. File attributes d. MRU files list

d. MRU files list

In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive? a. 5% b. 10% c. 15% d. None of the above

d. None of the above

In JPEG files, what's the starting offset position for the JFIF label? a. Offset 0 b. Offset 2 c. Offset 4 d. Offset 6

d. Offset 6

What's the main piece of information you look for in an e-mail message you're investigating? a. Message number b. Sender or receiver's e-mail address c. Subject line content d. Originating e-mail domain or IP address

d. Originating e-mail domain or IP address

Which of the following is the standard format for reports filed electronically in U.S. federal courts and most state courts? a. Excel b. Word c. HTML d. PDF

d. PDF

Block-wise hashing has which of the following benefits for forensics examiners? a. Allows validating sector comparisons between known files b. Provides a faster way to shift bits in a block or sector of data c. Verifies the quality of OS files d. Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive

d. Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive

Which of the following cloud deployment methods typically offers no security? (FINAL EXAM QUESTION) a. Hybrid cloud b. Private cloud c. Community cloud d. Public cloud

d. Public cloud

Rainbow tables serve what purpose for digital forensics examinations? a. Rainbow tables provide a scoring system for probable search terms. b. Rainbow tables are designed to enhance the search capability of many digital forensics examination tools. c. Rainbow tables are a supplement to the NIST NSRL library of hash tables. d. Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords.

d. Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords.

Evidence of cloud access found on a smartphone usually means which cloud service level was in use? a. PaaS b. HaaS c. IaaS d. SaaS

d. SaaS

What are the three levels of cloud services defined by NIST? a. OpenStack, FROST, and management plane b. Hybrid, private, and community clouds c. CRC, DRAM, and IMAP d. SaaS, PaaS, and IaaS

d. SaaS, PaaS, and IaaS

If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords? a. There are no concerns because salting doesn't affect password-recovery tools. b. Salting applies only to OS startup passwords, so there are no serious concerns for examiners. c. The effect on the computer's CMOS clock could alter files' date and time values. d. Salting can make password recovery extremely difficult and time consuming.

d. Salting can make password recovery extremely difficult and time consuming.

What is one of the necessary components of a search warrant? a. Professional codes b. Professional ethics c. Standards of behavior d. Signature of an impartial judicial officer

d. Signature of an impartial judicial officer

In steganalysis, cover-media is which of the following? a. A specific type of graphics file used only for hashing steganographic files b. The content of a file used for a steganography message c. The type of steganographic method used to conceal a message d. The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file

d. The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file

When you arrive at the scene, why should you extract only those items you need to acquire evidence? a. To conceal trade secrets b. To preserve your physical security c. To speed up the acquisition process d. To minimize how much you have to keep track of at the scene

d. To minimize how much you have to keep track of at the scene

Why is physical security so critical for digital forensics labs? a. To ensure continuous funding b. To make sure unwanted data isn't retained on the drive c. To protect trade secrets d. To prevent data from being lost, corrupted, or stolen

d. To prevent data from being lost, corrupted, or stolen

What's the purpose of an affidavit? a. To specify who, what, when, and where—that is, specifics on place, time, items being searched for, and so forth b. To determine the OS of the suspect computer and list the software needed for the examination c. To list problems that might happen when conducting an investigation d. To provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant

d. To provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant

What's the most critical aspect of digital evidence? a. Compression b. Redundancy c. Contingency d. Validation

d. Validation

To find network adapters, you use the __________ command in Windows and the __________ command in Linux. a. tcpdump, netstat b. more, netstat c. top, nd d. ipconfig, ifconfig

d. ipconfig, ifconfig

What are some risks of using tools you have created yourself? (FINAL EXAM QUESTION) a. The tool might not perform reliably. b. You might have to share the tool's source code with opposing counsel for review. c. The tool doesn't generate reports in a standard format. d. The judge might be suspicious of the validity of results from the tool. e. C on the Test, D on the Final Exam

e. C on the Test, D on the Final Exam

