CTC 328 Study for all the Quizzes (Ch. 1-6)
What is the goal of the NSRL project, created by NIST? a. Collect known hash values for commercial software and OS files using SHA hashes. b. Search for collisions in hash values, and contribute to fixing hashing programs. c. Collect known hash values for commercial software and OS files using MD5 hashes. d. Create hash values for illegal files and distribute the information to law enforcement.
Selected Answer: a. Collect known hash values for commercial software and OS files using SHA hashes.
What is the purpose of the reconstruction function in a forensics investigation? a. Re-create a suspect's drive to show what happened during a crime or incident. b. Generate reports or logs that detail the processes undertaken by a forensics investigator. c. Prove that two sets of data are identical. d. Copy all information from a suspect's drive, including information that may have been hidden.
Selected Answer: a. Re-create a suspect's drive to show what happened during a crime or incident.
When performing disk acquisition, the raw data format is typically created with the UNIX/Linux _____________ command. a. dump b. dd c. tar d. format
Selected Answer: b. dd
Most digital investigations in the private sector involve misuse of computing assets. True or False
True
Software forensics tools are grouped into command-line applications and GUI applications. True or False
True
To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant. True or False
True
The ___________ command inserts a HEX E5 (0xe5) in a filename's first letter position in the associated directory entry. a. delete b. edit c. update d. clear
a. delete
The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient _______. a. probable cause b. accusations c. due diligence d. reliability
Correct a. probable cause
An investigator wants to capture all data on a SATA drive connected to a Linux system. What should the investigator use for the "if=" portion of the dcfldd command? a. /dev/sda b. /dev/hda c. /dev/sda1 d. /dev/hda1
Correct a. /dev/sda
_______ is a common cause for lost or corrupted evidence. a. Professional curiosity b. Having an undefined security perimeter c. Public access d. Not having enough people on the processing team
Correct a. Professional curiosity
_______ does not recover data in free or slack space. a. Live acquisition b. Raw format acquisition c. Sparse acquisition d. Static acquisition
Correct c. Sparse acquisition
Which RAID type utilizes mirrored striping, providing fast access and redundancy? a. RAID 3 b. RAID 5 c. RAID 1 d. RAID 10
Correct d. RAID 10
The Linux command _____ can be used to write bit-stream data to files. a. dump b. cat c. write d. dd
Correct d. dd
Which option below is not a hashing function used for validation checks? a. CRC32 b. SHA-1 c. MD5 d. RC4
Correct d. RC4
What does FRE stand for? a. Federal Regulations for Evidence b. Federal Rules of Evidence c. Federal Rules for Equipment d. Federal Rights for Everyone
Correct b. Federal Rules of Evidence
When seizing digital evidence in criminal investigations, whose standards should be followed? a. U.S. DOJ b. ITU c. ISO/IEC d. IEEE
Correct a. U.S. DOJ
_______ is the utility used by the ProDiscover program for remote access. a. VNCServer b. PDServer c. l0pht d. SubSe7en
Correct b. PDServer
What is the name of the Microsoft solution for whole disk encryption? a. SecureDrive b. TrueCrypt c. BitLocker d. DriveCrypt
Correct c. BitLocker
You must abide by the _______ while collecting evidence. a. Federal Rules of Evidence b. Fifth Amendment c. Fourth Amendment d. state's Rules of Evidence
Correct c. Fourth Amendment
Computer-stored records are data the system maintains, such as system log files and proxy server logs. True or False
False
The Fourth Amendment states that only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued. The courts have determined that this phrase means a warrant can authorize a search of a specific place for anything. True or False
False
All forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image. True or False
True
Passwords are typically stored as one-way _____________ rather than in plaintext. a. hashes b. hex values c. variables d. slack spaces
Variables
How often should hardware be replaced within a forensics lab? a. Every 12 to 18 months b. Every 24 to 30 months c. Every 18 to 24 months d. Every 6 to 12 months
a. Every 12 to 18 months
What term is used to describe a disk's logical structure of platters, tracks, and sectors? a. geometry b. mapping c. cylinder d. trigonometry
a. geometry
A Master Boot Record (MBR) partition table marks the first partition starting at what offset? a. 0x1BE b. 0x1AE c. 0x1DE d. 0x1CE
a. 0x1BE
What option below is an example of a platform-specific encryption tool? a. BitLocker b. GnuPG c. TrueCrypt d. Pretty Good Privacy (PGP)
a. BitLocker
_______ is not one of the functions of the investigations triad. a. Data recovery b. Digital investigations c. Vulnerability/threat assessment and risk management d. Network intrusion detection and incident response
a. Data recovery
_______ must be included in an affidavit to support an allegation in order to justify a warrant. a. Exhibits b. Witnesses c. Verdicts d. Subpoenas
a. Exhibits
What tool, currently maintained by the IRS Criminal Investigation Division and limited to use by law enforcement, can analyze and read special files that are copies of a disk? a. ILook b. Photorec c. DeepScan d. AccessData Forensic Toolkit
a. ILook
The _______ is responsible for analyzing data and determining when another specialist should be called in to assist with analysis. a. Digital Evidence Specialist b. Digital Evidence Analyst c. Digital Evidence Examiner d. Digital Evidence First Responder
a. Digital Evidence Specialist
The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System. a. registry b. hive c. storage d. tree
b. hive
A typical disk drive stores how many bytes in a single sector? a. 1024 b. 512 c. 8 d. 4096
b. 512
What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations? a. EnCase Certified Examiner b. Certified Cyber Forensics Professional c. Certified Forensic Computer Examiner d. Certified Computer Crime Investigator
b. Certified Cyber Forensics Professional
A TEMPEST facility is designed to accomplish which of the following goals? a. Ensure network security from the Internet using comprehensive security software. b. Shield sensitive computing systems and prevent electronic eavesdropping of computer emissions. c. Prevent data loss by maintaining consistent backups. d. Protect the integrity of data.
b. Shield sensitive computing systems and prevent electronic eavesdropping of computer emissions.
_______ is responsible for creating and monitoring lab policies for staff, and provides a safe and secure workplace for staff and evidence. a. The lab steward b. The lab manager c. The lab secretary d. The lab investigator
b. The lab manager
What hex value is the standard indicator for jpeg graphics files? a. F8 D8 b. FF D8 c. FF D9 d. AB CD
b. FF D8
What registry file contains installed programs' settings and associated usernames and passwords? a. System.dat b. Software.dat c. Default.dat d. Security.dat
b. Software.dat
A chain-of-evidence form, which is used to document what has and has not been done with the original evidence and forensic copies of the evidence, is also known as a(n) _______. a. evidence tracking form b. evidence custody form c. single-evidence form d. multi-evidence form
b. evidence custody form
Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as _______. a. verifiable reporting b. repeatable findings c. reloadable steps d. evidence reporting
b. repeatable findings
The __________ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface. a. Ubuntu b. Helix3 c. Kali d. Arch
c. kali
When using the File Allocation Table (FAT), where is the FAT database typically written to? a. The first sector b. The innermost track c. The outermost track d. The first partition
c. the outermost track
Which tool below is not recommended for use in a forensics lab? a. FireWire and USB adapters b. 2.5-inch adapters for drives c. Degausser d. SCSI cards
c. Degausser
Which option below is not a standard systems analysis step? a. Mitigate or minimize the risks. b. Obtain and copy an evidence drive. c. Share evidence with experts outside of the investigation. d. Determine a preliminary design or approach to the case.
c. Share evidence with experts outside of the investigation.
Reconstructing fragments of files that have been deleted from a suspect drive is known as ____________ in North America. a. sculpting b. scraping c. carving d. salvaging
c. carving
The sale of sensitive or confidential company information to a competitor is known as _______. a. industrial sabotage b. industrial betrayal c. industrial espionage d. industrial collusion
c. industrial espionage
How long are computing components designed to last in a normal business environment? a. 14 to 26 months b. 36 to 90 months c. 12 to 16 months d. 18 to 36 months
d. 18 to 36 months
Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files? a. Advanced Open Capture b. Advanced Capture Image c. Advanced Forensics Disk d. Advanced Forensic Format
d. Advanced Forensic Format
Which of the following scenarios should be covered in a disaster recovery plan? a. damage caused by lightning strikes b. damage caused by flood c. damage caused by a virus contamination d. all of the above
d. all of the above
A computer stores system configuration and date and time information in the BIOS when power to the system is off. True or False
False
All suspected industrial espionage cases should be treated as civil case investigations. True or False
False
FTK Imager software can acquire a drive's host protected area. True or False
False
Someone who wants to hide data can create hidden partitions or voids, large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities. True or False
False
A disaster recovery plan ensures that workstations and file servers can be restored to their original condition in the event of a catastrophe. True or False
True
A forensics investigator should verify that acquisition tools can copy data in the HPA of a disk drive. True or False
True
When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space. True or False
True
The ImageUSB utility can be used to create a bootable flash drive. True or False
True
The recording of all updates made to a workstation or machine is referred to as configuration management. True or False
True
Which ISO standard below is followed by the ASCLD? a. 17025:2005 b. 17026:2007 c. 12076:2005 d. 12075:2007
17025:2005
As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state? a. The power cable should be pulled. b. The decision should be left to the Digital Evidence First Responder (DEFR). c. The system should be shut down gracefully. d. The power should be left on.
The decision should be left to the Digital Evidence First Responder (DEFR).