Digital forensics review
What hexadecimal code below identifies an NTFS file system in the partition table?
07
You will need a minimum of a _______ GHz or faster CPU to run VMware Workstation on a computer.
1.3 GHz
In order to qualify for the Certified Computer Forensic Technician, Basic Level certification, how many hours of computer forensics training are required?
40
A typical disk drive stores how many bytes in a single sector?
512
Certified Forensic Computer Examiner (CFCE)
A certificate awarded by IACIS at completion of all portions of the exam
Certified Cyber Forensics Professional (CCFP)
A certification from ISC2 for completing the education and work experience and passing the exam
Certified Computer Examiner (CCE)
A certification from the International Society of Forensic Computer Examiners
Business case
A document that provides justification to upper management or a lender for purchasing new equipment, software, or other tools when upgrading your facility
Secure facility
A facility that can be locked and allows limited access to the room's contents
Digital forensics lab
A lab dedicated to computing investigations; typically, it has a variety of computers, OSs, and forensics software
Cyclic Redundancy Check
A mathematical algorithm that translates a file into a unique hexadecimal value
High Tech Crime Network (HTCN)
A national organization that provides certification for computer crime investigators and digital forensics technicians
Initial-response field kit
A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field
TEMPEST
A term referring to facilities that have been hardened so that electrical signals from computers, the computer network, and telephone systems can't be monitored or accessed easily by someone outside the facility
Keyed hash set
A value created by an encryption utility's secret key
_______ describes an accusation of fact that a crime has been committed.
Allegation
Sniffing
Detecting data transmissions to and from a suspect's computer and a network server to determine the type of data being transmitted over a network
Computer-stored records
Electronic data that a person creates and saves on a computer or digital device, such as a spreadsheet or word-processing document
A computer stores system configuration and date and time information in the BIOS when power to the system is off.
False
A hash value is always represented by a 16-digit number which is unique to the data.
False
All suspected industrial espionage cases should be treated as civil case investigations.
False
Each MFT record starts with a header identifying it as a resident or nonresident attribute.
False
FAT32 is used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0.
False
Someone who wants to hide data can create hidden partitions or voids, large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.
False
The Fourth Amendment states that only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued. The courts have determined that this phrase means a warrant can authorize a search of a specific place for anything.
False
The shielding of sensitive computing systems and prevention of electronic eavesdropping of any computer emissions is known as FAUST by the U.S. Department of Defense.
False
VMware provides software virtualization that presents a platform to the virtual machine.
False
According to the National Institute of Standards and Technology (NIST), digital forensics involves scientifically examining and analyzing data from computer storage media so that it can be used as evidence in court.
False
Signed into law in 1973, the _______ was/were created to ensure consistency in federal proceedings.
Federal Rule of Evidence
Which amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure?
Fourth Amendment
A virtual machine connects to external networks via the IP address used by the host machine, and is useful when you (select all that apply):
Have resources that must be shared with the host; have a limited supply of IP addresses; want to hide a private IP subnet.
Which Microsoft OS below is the least intrusive to disks in terms of changing data?
MS-DOS 6.22
Which operating system listed below is not a distribution of the Linux OS?
Minix
Which of the following are unique to VMware Workstation?
Networking; Clones; Record/Replay; Teams
Which of the following are key properties of virtual machines? (select all that apply).
Partitioning; Encapsulation; Isolation
_______ is not recommended for a digital forensics workstation.
Remote Access Software
Bit-stream image
The file where the bit-stream copy is stored
Risk management
The process of determining how much risk is acceptable for any process or operation, such as replacing equipment
Configuration management
The process of keeping track of all upgrades and patches you apply to your computer's OS and applications
Probable cause
The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest
A disaster recovery plan ensures that workstations and file servers can be restored to their original condition in the event of a catastrophe.
True
An additional benefit of using a Restricted Virtual Machine is that it requires a password to edit information within the virtual machine.
True
An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal injury, such as finding a bomb threat in an e-mail.
True
If you turn evidence over to law enforcement and begin working under their direction, you have become an agent of law enforcement, and are subject to the same restrictions on search and seizure as a law enforcement agent.
True
Linux Live CDs and WinFE disks do not automatically mount hard drives, but can be used to view file systems.
True
Most digital investigations in the private sector involve misuse of computing assets.
True
One benefit of using VMware is that it can realize significant cost savings.
True
State public disclosure laws apply to state records, but FOIA allows citizens to request copies of public documents created by federal agencies.
True
The maximum number of virtual switches that can be created is 10 on a Windows machine and 255 on a Linux machine.
True
To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant.
True
User groups for a specific type of system can be very useful in a forensics investigation.
True
Virtualization enables consolidation of workloads from underutilized servers onto a single server.
True
When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space.
True
The recording of all updates made to a workstation or machine is referred to as configuration management.
True
Virtual Provisioning is a strategy for efficiently managing space in a storage area network and does all of the following except for:
Virtual provisioning has a downside: it can consume a large amount of power, which can slightly increase costs.
Which of the following is not part of virtualization?
Virtualization is a platform that is based on the iOS operating system.
The _______ is not one of the three stages of a typical criminal case.
civil suit
Which of the following scenarios should be covered in a disaster recovery plan?
damage caused by lightning strikes; damage caused by flood; damage caused by a virus contamination
If practical, _______ team(s) should collect and catalog digital evidence at a crime scene or lab.
one
The term _______ is used to describe someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.
person of interest
After the evidence has been presented in a trial by jury, the jury must deliver a(n) _______.
verdict
How long are computing components designed to last in a normal business environment?
18 to 36 months
In what year was the Computer Fraud and Abuse Act passed?
1986
Extensive-response field kit
A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers
Nonkeyed hash set
A unique hash number generated by a software tool and used to identify files
Message Digest 5
An algorithm that produces a hexadecimal value of a file or storage media; used to determine whether data has changed
Which system below can be used to quickly and accurately match fingerprints in a database?
Automated Fingerprint Identification System (AFIS)
What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations?
Certified Cyber Forensics Professional
Candidates who complete the IACIS test successfully are designated as a _______.
Certified Forensic Computer Examiner (CFCE)
What type of media has a 30-year lifespan?
DLT magnetic tape
_______ is not one of the functions of the investigations triad.
Data recovery
Computer-generated records
Data the system maintains, such as system log files and proxy server logs
After a judge approves and signs a search warrant, the _______ is responsible for the collection of evidence as defined by the warrant.
Digital Evidence First Responder
The _______ is responsible for analyzing data and determining when another specialist should be called in to assist with analysis.
Digital Evidence Specialist
_______ must be included in an affidavit to support an allegation in order to justify a warrant.
Exhibits
What does FRE stand for?
Federal Rules of Evidence
You must abide by the _______ while collecting evidence.
Fourth Amendment
In cases that involve dangerous settings, what kind of team should be used to recover evidence from the scene?
HAZMAT
What tool, currently maintained by the IRS Criminal Investigation Division and limited to use by law enforcement, can analyze and read special files that are copies of a disk?
ILook
_______ is a specialized viewer software program.
IrfanView
What should you do while copying data on a suspect's computer that is still live?
Make notes regarding everything you do.
_______ can be used to restore backup files directly to a workstation.
Norton Ghost
_______ is a common cause for lost or corrupted evidence.
Professional curiosity
Which of the following is not done when preparing for a case?
Set up covert surveillance.
Which option below is not a standard systems analysis step?
Share evidence with experts outside of the investigation.
_______ does not recover data in free or slack space.
Sparse acquisition
_______ is responsible for creating and monitoring lab policies for staff, and provides a safe and secure workplace for staff and evidence.
The lab manager
When seizing digital evidence in criminal investigations, whose standards should be followed?
U.S. DOJ
Which court case established that it is not necessary for computer programmers to testify in order to authenticate computer-generated records?
United States v. Salgado
Which tool below is not recommended for use in a forensics lab?
Use a master key.
An evidence custody form does not usually contain _______.
a witness list
If a police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit a(n) _______.
affidavit
A chain-of-evidence form, which is used to document what has and has not been done with the original evidence and forensic copies of the evidence, is also known as a(n) _______.
evidence custody form
A _______ is not a private sector organization.
hospital
The sale of sensitive or confidential company information to a competitor is known as _______.
industrial espionage
The term _______ describes a database containing informational records about crimes that have been committed previously by a criminal.
police blotter
The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient _______.
probable cause
Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as _______.
repeatable findings