Digital Forensics Quiz 5-8

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

"Computing components are designed to last 18 to ____ months in normal business operations. 24 30 36 42"

36

"Older Microsoft disk compression tools, such as DoubleSpace or ____, eliminate only slack disk space between files. DriveSpace PKZip WinZip WinRAR"

DriveSpace

"If your time is limited, consider using a logical acquisition or ____ acquisition data copy method. disk-to-image lossless sparse disk-to-disk"

sparse

"One technique for extracting evidence from large systems is called ____. large evidence file recovery RAID imaging sparse acquisition RAID copy"

sparse acquisition

"Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example. online live real-time static"

static

"A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock. expanded metal steel wood gypsum"

steel

"A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. line of authority right banner warning banner right of privacy"

warning banner

"Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab. evidence custody form warrant affidavit FOIA form"

warrant

The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software. NSRL FS-TST NIST CFTT

" "NIST

The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____. NSRL PARTAB CFTT FS-TST

" "NSRL

____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS. NTBootdd.sys Ntoskrnl.exe Hal.dll Boot.ini

" "NTBootdd.sys

____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr. NTDetect.com BootSect.dos Hal.dll Boot.ini

" "NTDetect.com

____ was introduced when Microsoft created Windows NT and is still the main file system in Windows 10. HPFS FAT32 NTFS VFAT

" "NTFS

____ is Windows XP system service dispatch stubs to executables functions and internal support functions. Ntdll.dll Gdi32.dll User32.dll Advapi32.dll

" "Ntdll.dll

____ is the physical address support program for accessing more than 4 GB of physical RAM. Ntkrnlpa.exe Hal.dll Io.sys BootSect.dos

" "Ntkrnlpa.exe

With ____, Macintosh moved to the Intel processor and became UNIX based. El Capitan OS X Lion High Sierra

" "OS X

When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____. Metadata Inidata Registry IniRecord

" "Registry

The primary hash algorithm used by the NSRL project is ____. CRC-32 RC4 MD5 SHA-1

" "SHA-1

____ disks are commonly used with Sun Solaris systems. F.R.E.D. DiskSpy SPARC FIRE IDE

" "SPARC

____ has been used to protect copyrighted material by inserting digital watermarks into a file. Archiving Steganography Encryption Compression

" "Steganography

____ is a data-hiding technique that uses host files to cover the contents of a secret message. Steganography Graphie Steganalysis Steganos

" "Steganography

____ steganography replaces bits of the host file with other bits of data. Append Replacement Substitution Insertion

" "Substitution

The image format XIF is derived from the more common ____ file format. TIF JPEG BMP GIF

" "TIF

Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0 and 3.0, SATA, PATA, and SCSI controllers. USB LCD PCMCIA IDE

" "USB

____ is a core Win32 subsystem DLL file. Hal.dll User32.sys Pagefile.sys Ntoskrnl.exe

" "User32.sys

____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes. Vector graphics Line-art images Bitmap images Metafile graphics

" "Vector graphics

"IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer forensics. 2 3 4 5"

3

"____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest. Probable cause A warrant A subpoena Reasonable cause"

Probable cause

"In ____ , two or more disk drives become one large volume, so the computer views the disks as a single disk. RAID 6 RAID 5 RAID 1 RAID 0"

RAID 0

"____, or mirrored striping, is a combination of RAID 1 and RAID 0. RAID 6 RAID 0 RAID 5 RAID 10"

RAID 10

____ images store graphics information as grids of pixels. Metafiles Raster Vector Bitmap

" "Bitmap

"When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data. U.S. DOJ U.S. DoD Homeland Security Department Patriot Act"

U.S. DOJ

"Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime safety legal physical corporate"

safety

"To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe. secure workbench protected PC secure workstation secure facility"

secure facility

"Current distributions of Linux include two hashing algorithm utilities: md5sum and ____. hashsum sha1sum shasum rcsum"

sha1sum

"Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer. silver-tree silver-platter gold-tree gold-platter"

silver-platter

"Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server blocking preventing poisoning sniffing"

sniffing

"Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility. oath line of authority professional policy professional conduct"

professional conduct

"____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment. Risk management Change management Configuration management Risk configuration"

Risk management

The term ____ is often used when discussing Linux because technically, Linux is only the core of the OS. GRUB kernel root module

" "kernel

Under copyright laws, computer programs may be registered as ____. literary works audiovisual works motion pictures architectural works

" "literary works

In macOS, volumes have allocation blocks and ____ blocks. master clumped clustered logical

" "logical

Records in the MFT are called ____. inodes hyperdata metadata infodata

" "metadata

"In the Pacific Northwest, ____ meets to discuss problems that digital forensics examiners encounter. FTK FLETC CTIN IACIS"

CTIN

"By the early 1990s, the ____ introduced training on software for forensics investigations. FLETC CERT DDBIA IACIS"

IACIS

"____ was created by police officers who wanted to formalize credentials in digital investigations. NISPOM HTCN IACIS TEMPEST"

IACIS

"During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____. TEMPEST EMR NISPOM RAID"

TEMPEST

"____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed. IDE reports Uniform crime reports ASCLD reports HTCN reports"

Uniform crime reports

"Generally, digital records are considered admissible if they qualify as a ____ record. computer-generated computer-stored hearsay business"

business

"In the ____, you justify acquiring newer and better resources to investigate digital forensics cases. business case risk evaluation configuration plan upgrade policy"

business case

"Most digital investigations in the private sector involve ____. misuse of digital assets VPN abuse Internet abuse e-mail abuse"

misuse of digital assets

"Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes. as difficult as as easy as much easier than more difficult than"

much easier than

____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version. NTDetect.com BootSec.dos Boot.ini NTBootdd.sys

" "Boot.ini

____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the systemroot\Windows\System32\Drivers folder. Pagefile.sys Device drivers Hal.dll Ntoskrnl.exe

" "Device drivers

When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____. RAR EFS LZH VFAT

" "EFS

Most digital photographs are stored in the ____ format. EXIF TIFF PNG GIF

" "EXIF

The early standard Linux file system was ____. Ext2 NTFS Ext3 HFS+

" "Ext2

____ is the file structure database that Microsoft originally designed for floppy disks. FAT VFAT FAT32 NTFS

" "FAT

____ involves sorting and searching through investigation findings to separate good data and suspicious data. Filtering Acquisition Validation Reconstruction

" "Filtering

The uppercase letter ____ has a hexadecimal value 41. "A" "C" "G" "Z"

" ""A"

In Linux most system configuration files are stored in the ____ directory. /var /etc /dev /home

" "/etc

On a Linux computer, ____ represents file systems exported to remote hosts. /var/log/wtmp /etc/exports /var/run/utmp /etc/fstab

" "/etc/exports

On a Linux computer, ____ contains group memberships for the local system. /etc/passwd /etc/shadow /etc/group /etc/fstab

" "/etc/group

In Linux, m ost applications and commands are in the ____ directory or its subdirectories bin and sbin. /home /var /etc /usr

" "/usr

In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each. 1024 1512 2048 2512

" "1024

Ext4f can support disk partitions as large as ____ TB. 4 8 10 16

" "16

"Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult. backup utilities NTFS recovery wizards whole disk encryption"

whole disk encryption

"Image files can be reduced by as much as ____% of the original when using lossless compression. 15 25 30 50"

50

"When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to avoid damage to the drive from overheating 80 90 95 105"

80

"The most common and flexible data-acquisition method is ____. Sparse data copy Disk-to-disk copy Disk-to-image file copy Disk-to-network copy"

Disk-to-image file copy

"Autopsy uses ____ to validate an image. AFD AFF MD5 RC4"

MD5

"Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System. ext2 FAT24 ext3 NTFS"

NTFS

"For labs using high-end ____ servers or a private cloud (such as Dell PowerEdger or Digital Intelligence FREDC), you must consider methods for restoring large data sets. ISDN RAID TEMPEST WAN"

RAID

"During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system. MacOS Android Linux Windows"

Windows

"In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation. fourth amendment civil criminal corporate"

criminal

"Most remote acquisitions have to be done as ____ acquisitions. live hot sparse static"

live

"The FOIA was originally enacted in the ____. 1940s 1950s 1960s 1970s"

1960s

Digital forensics tools are divided into ____ major categories. 2 3 4 5

" "2

In general, forensics workstations can be divided into ____ categories. 2 3 4 5

" "3

Magnet ____ enables you to acquire the forensic image and process it in the same step. FTK DEFR dd AXIOM

" "AXIOM

____ refers to the number of bits in one square inch of a disk platter. Head skew Areal density ZBR Cylinder skew

" "Areal density

____ components define the file system on UNIX/Linux. Two Three Four Five

" "Four

The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems. Apple Commodore IBM Atari

" "IBM

The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible. ISO 3657 ISO 5321 ISO 5725 ISO 17025

" "ISO 5725

____ contain file and directory metadata and provide a mechanism for linking data stored in data blocks. InfNodes Extnodes Xnodes Inodes

" "Inodes

____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program. Append Replacement Substitution Insertion

" "Insertion

The JFIF ____ format has a hexadecimal value of FFD8 FFE0 in the first four bytes. BMP JPEG EPS GIF

" "JPEG

On older Mac OSs all information about the volume is stored in the ____. Volume Control Block (VCB) Extents Overflow File (EOF) Volume Bitmap (VB) Master Directory Block (MDB)

" "Master Directory Block (MDB)

"For Windows XP, 2000, and NT servers and workstations, RAID 0 or ____ is available 5 2 4 1"

1

"The EMR from a computer monitor can be picked up as far away as ____ mile. 1/4 1/2 3/4 1"

1/2

____ compression compresses data by permanently discarding bits of information in the file. Huffman Lossless Redundant Lossy

" "Lossy

On an NTFS disk, immediately after the Partition Boot Sector is the ____. FAT MFT HPFS MBR

" "MFT

With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data. Extents overflow file Master Directory Block Volume Bitmap Volume Control Block

" "Volume Bitmap

____ can be software or hardware and are used to protect evidence disks by preventing data from being written to them. Write-blockers Disk editors Workstations Drive-imaging

" "Write-blockers

The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03. TIFF XIF GIF JPEG

" "XIF

____ is how most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks. Head skew Areal density Cylinder skew ZBR

" "ZBR

Recovering fragments of a file is called ____. carving saving rebuilding slacking

" "carving

When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations. copyright forensics international civil

" "copyright

A ____ is a column of tracks on two or more disk platters. track head cylinder sector

" "cylinder

In macOS, the ____ fork typically contains data the user creates. data content user resource

" "data

The ____ is where directories and files are stored on a disk drive. boot block data block superblock inode block

" "data block

The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____. virtual runs metada data runs metaruns

" "data runs

The raw data format, typically created with the Linux ____ command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive. rawcp dd dhex d2dump

" "dd

The process of converting raw picture data to another format is referred to as ____. JEIDA rastering rendering demosaicing

" "demosaicing

In Windows 2000 and later, the ____ command shows you the file owner if you have multiple users on the system or network. ls owner dir Copy

" "dir

One way to compare results and verify your a new tool is by using a ____, such as HexWorkshop, or WinHex. disk imager disk editor write-blocker bit-stream copier

" "disk editor

The simplest method of duplicating a disk drive is using a tool that makes a direct ____ copy from the suspect disk to the target location. image-to-disk partition-to-partition disk-to-image image-to-partition

" "disk-to-image

On Mac OSs, the ____ stores any file information not in the MDB or Volume Control Block (VCB). extents overflow file volume information block catalog master directory block

" "extents overflow file

You use ____ to create, modify, and save bitmap, vector, and metafile graphics. graphics editors image readers image viewers graphics viewers

" "graphics editors

If you can't open a graphics file in an image viewer, the next step is to examine the file's ____. size extension name header data

" "header data

The simplest way to access a file header is to use a(n) ____ editor text disk image hexadecimal

" "hexadecimal

Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____. image file firmware recovery copy backup file

" "image file

In a files's inode, the first 10 pointers are called ____ pointers. double triple direct indirect

" "indirect

Many password recovery tools have a feature for generating potential lists for a ____ attack. salting birthday brute-force password dictionary

" "password dictionary

A forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation is also known as a ____. field workstation lightweight workstation portable workstation stationary workstation

" "portable workstation

The purpose of the ____ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key. root certificate administrator certificate recovery certificate certificate escrow

" "recovery certificate

To complete a forensic disk analysis and examination, you need to create a ____. budget plan risk assessment report forensic disk copy

" "report

In macOS, w hen you're working with an application file, the ____ fork contains additional information, such as menus, dialog boxes, icons, executable code, and controls. application system data resource

" "resource

In older versions of macOS, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored. inodes blocks node resource

" "resource

Steganalysis tools are also called ____. image tools hexadecimal editors image editors steg tools

" "steg tools

A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment. logic drive logic machine virtual file virtual machine

" "virtual machine

When the hard link count drops to ____, the file is effectively deleted. -1 0 1 2

"0

"What HTCN certification level requires candidates have three years of experience in computing investigations for law enforcement or corporate cases? Certified Computer Crime Investigator, Basic Level Certified Computer Forensic Technician, Basic Certified Computer Crime Investigator, Advanced Level Certified Computer Forensic Technician, Advanced"

Certified Computer Forensic Technician, Basic

"The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence. Computer Analysis and Response Team (CART) Department of Defense Computer Forensics Laboratory (DCFL) DIBS Federal Rules of Evidence (FRE)"

Computer Analysis and Response Team (CART)

"____ records are data the system maintains, such as system log files and proxy server logs. Hearsay Computer-stored Computer-generated Business"

Computer-generated

"____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example Data recovery Computer forensics Network forensics Disaster recovery"

Data recovery

"Certain files, such as the ____ and Security log in Windows, might lose essential network activity records if power is terminated without a proper shutdown. Word log Event log Io.sys Password log"

Event log

"____ often work as part of a team to secure an organization's computers and networks. Data recovery engineers Computer analysts Forensics investigators Network monitors"

Forensics investigators

"Linux ISO images that can be burned to a CD or DVD are referred to as ____. Linux in a Box Linux Live CDs Forensic Linux ISO CDs"

Linux Live CDs

On older Mac OSs all information about the volume is stored in the ____. Volume Control Block (VCB) Master Directory Block (MDB) Volume Bitmap (VB) Extents Overflow File (EOF)

Master Directory Block (MDB)

"In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____. blotter affidavit litigation report exhibit report"

affidavit

"Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed. litigation blotter allegation prosecution"

allegation

"In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations. authorized requester authority of line line of right authority of right"

authorized requester

"Confidential business data included with the criminal evidence are referred to as ____ data. revealed public exposed commingled"

commingled

"In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery. risk assessment recovery logging configuration management change management"

configuration management

"The ____ command, works similarly to the dd command but has many features designed for computer forensics acquisitions. dcfldd raw man bitcopy"

dcfldd

"The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions. dd man raw fdisk"

dd

"A ____ is where you conduct your investigations, store evidence, and do most of your work. storage room forensic workstation workbench digital forensics lab"

digital forensics lab

"The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime. digital investigations network intrusion detection litigation incident response"

digital investigations

"A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing security configuration management risk management disaster recovery"

disaster recovery

"A(n) ____ is a person using a computer to perform routine tasks other than systems administration. end user complainant investigator user banner"

end user

"It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant. prosecution reports exhibits litigation"

exhibits

"A(n) ____ should include all the tools you can afford to take to the field. initial-response field kit extensive-response field kit forensic lab forensic workstation"

extensive-response field kit

"One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search. uniform reports forums and blogs AICIS lists Minix"

forums and blogs

"You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512. hash checksum hashlog md5sum"

hash

"Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____. conclusive hearsay regular direct"

hearsay

"With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible seizing order bit-stream copy utility extensive-response field kit initial-response field kit"

initial-response field kit

"Published company policies provide a(n) ____ for a business to conduct internal investigations allegation resource line of authority line of allegation litigation path"

line of authority

"If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available. local passive static live"

live

"The ____ command displays pages from the online help manual for information on Linux commands and their options. man cmd inst hlp"

man

"The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true. challenged examined notarized recorded"

notarized

"You should have at least one copy of your backups on site and a duplicate or a previous copy of your backups stored in a safe ____ facility. in-site storage online off-site"

off-site

"Floors and carpets on your computer forensic lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity. once twice three times four times"

once

"Courts consider evidence data in a computer as ____ evidence. logical invalid virtual physical"

physical

"Evidence is commonly lost or corrupted through ____, which involves the presence of police officers and other professionals who aren't part of the crime scene-processing team. onlookers FOIA laws professional curiosity HAZMAT teams"

professional curiosity

"One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools. raw AFD proprietary AFF"

proprietary

"In general, a criminal case follows three stages: the complaint, the investigation, and the ____. prosecution allegation blotter litigation"

prosecution

"Lab costs can be broken down into monthly, ____, and annual expenses. daily weekly bimonthly quarterly"

quarterly

"Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a ____ that a law or policy is being violated. reasonable suspicion court order stating proof confirmed suspicion"

reasonable suspicion

"Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses. line of privacy line of right right of privacy line of authority"

right of privacy


Kaugnay na mga set ng pag-aaral

Juris Exam 1, Juris Kahoot, MPJE ty coral, MPJE, MPJE Review - NY-2018 C

View Set

Therapeutic Communication Practice Questions (Ch.9)

View Set

Chapter 7 Part 1- Knee, Patella, Femur

View Set

11.1 Where is Industry Distributed?

View Set

Head, Face, Neck, Lymph: Anatomy

View Set

Топографія нижнього поверху черевної порожнини

View Set