Digital forensics review

What hexadecimal code below identifies an NTFS file system in the partition table?​

07

You will need a minimum of _____ GHz or faster CPU to run VMWorkstation on a computer.

1.3GHz

​In order to qualify for the Certified Computer Forensic Technician, Basic Level certification, how many hours of computer forensics training are required?

40

​A typical disk drive stores how many bytes in a single sector?

512

Certified Forensic Computer Examiner (CFCE)

A certificate awarded by IACIS at completion of all portions of the exam

Certified Cyber Forensics Professional (CCFP)

A certification from ISC2 for completing the education and work experience and passing the exam

Certified Computer Examiner (CCE)

A certification from the International Society of Forensic Computer Examiners

Business case

A document that provides justification to upper management or a lender for purchasing new equipment, software, or other tools when upgrading your facility

Secure facility

A facility that can be locked and allows limited access to the room's contents

Digital forensics lab

A lab dedicated to computing investigations; typically, it has a variety of computers, OSs, and forensics software

​Cyclic Redundancy Check

A mathematic algorithm that translates a file into a unique hexadecimal value

High Tech Crime Network (HTCN)

A national organization that provides certification for computer crime investigators and digital forensics technicians

Initial-response field kit

A portable kit containing only the minimum ​tools needed to perform disk acquisitions and preliminary forensics analysis in the field

TEMPEST

A term referring to facilities that have been hardened so that electrical signals from computers, the computer network, and telephone systems can't be monitored or accessed easily by someone outside the facility

Keyed hash set​

A value created by an encryption utility's secret key​

_______ describes an accusation of fact that a crime has been committed.

Allegation

Sniffing

Detecting data transmissions to and from a suspect's computer​ and a network server to determine the type of data being transmitted over a network

​Computer-stored records

Electronic data that a person creates and saves on a computer or digital device, such as a spreadsheet or word-processing document

A computer stores system configuration and date and time information in the BIOS when power to the system is off.​

False

A hash value is always represented by a 16 digit number which is unique to the data.

False

All suspected industrial espionage cases should be treated as civil case investigations.​

False

Each MFT record starts with a header identifying it as a resident or nonresident attribute.​

False

FAT32 is used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0.​

False

Someone who wants to hide data can create hidden partitions or voids- large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.

False

The Fourth Amendment states that only warrants "particularly describing the place to be searched and the persons ​or things to be seized" can be issued. The courts have determined that this phrase means a warrant can authorize a search of a specific place for ​anything.​

False

The shielding of sensitive computing systems and prevention of electronic eavesdropping of any computer emissions is known as FAUST by the U.S. Department of Defense.​

False

VMware provides software virtualization that presents a platform to the virtual machine.

False

​According to the National Institute of Standards and Technology (NIST), digital forensics involves scientifically examining and analyzing data from computer storage media so that it can be used as evidence in court.

False

Signed into law in 1973, the _______ was/were created to ensure consistency in federal proceedings.

Federal Rule of Evidence

Which amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure?​

Fourth Amendment

A Virtual machine connects to external networking via IP address use by the host machine and is useful when you - (select all that apply).

Have resources that must be shared with host. Have limited supply of IP addresses. Want to hide private IP subnet.

Which Microsoft OS below is the least intrusive to disks in terms of changing data?​

MS_DOS 6.22

Which operating system listed below is not a distribution of the Linux OS?

Minix

Which of the following are unique to VMworkstation.

Networking Clones Record/Replay Teams

Which of the following are key properties of virtual machines? (select all that apply).

Partitioning Encapsulation Isolation

_______ is not recommended for a digital forensics workstation.

Remote Access Software

Bit-stream image

The file where the bit-stream copy is stored

Risk management

The process of determining how much risk is acceptable for any process or operation, such as replacing equipment

Configuration management

The process of keeping track of all upgrades and patches you apply to your computer's OS and applications

​Probable cause

The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest

A disaster recovery plan ensures that workstations and file servers can be restored to their original condition in the event of a catastrophe.

True

An additional benefit of using a Restricted Virtual Machine is that it requires a password to edit information within the virtual machine.

True

An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal ​injury, such as finding a bomb threat in an e-mail.

True

If you turn evidence over to law enforcement and begin working under their direction, you have become an agent of law enforcement, and are subject to the same restrictions on search and seizure as a law enforcement agent.​

True

Linux Live CDs and WinFE disks do not automatically mount hard drives, but can be used to view file systems.​

True

Most digital investigations in the private sector involve misuse of computing assets.

True

One benefit of using VMware is that it offers the benefit of realizing significant cost savings.

True

State public disclosure laws apply to state records, but FOIA allows citizens to request copies of public documents created by federal agencies.​

True

The maximum number of Virtual Switches that can be be created is 10 on a Windows machine and 255 on a Linux machine.

True

To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant.​

True

User groups for a specific type of system can be very useful in a forensics investigation.​

True

Virtualization enables consolidation of workloads from underutilized servers onto a single server

True

When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space.​

True

​The recording of all updates made to a workstation or machine is referred to as configuration management.

True

Virtual Provisioning is a strategy for efficiently managing space in a storage area network and does all of the following except for:

Virtual provisioning has a downside and can consume a large amount of power which can slightly increase costs.

Which of the following is not part of virtualization?

Virtualization is a platform that is based on the iOS operating system.

​The _______ is not one of the three stages of a typical criminal case.

civil suit

Which of the following scenarios should be covered in a disaster recovery plan?​

damage caused by lightning strikes ​damage caused by flood ​damage caused by a virus contamination

If practical, _______ team(s) should collect and catalog digital evidence at a crime scene or lab.

one

The term _______ is used to describe someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.

person of interest

​After the evidence has been presented in a trial by jury, the jury must deliver a(n) _______.

verdict

How long are computing components designed to last in a normal business environment?​

​18 to 36 months

In what year was the Computer Fraud and Abuse Act passed?​

​1986

​Extensive-response field kit

​A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers

​Nonkeyed hash set

​A unique hash number generated by a software tool and used to identify files

​Message Digest 5

​An algorithm that produces a hexadecimal value of a file or storage media; used to determine whether data has changed

Which system below can be used to quickly and accurately match fingerprints in a database?​

​Automated Fingerprint Identification System (AFIS)

​What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations?

​Certified Cyber Forensics Professional

​Candidates who complete the IACIS test successfully are designated as a _______.

​Certified Forensic Computer Examiner (CFCE)

What type of media has a 30-year lifespan?​

​DLT magnetic tape

_______ is not one of the functions of the investigations triad.

​Data recovery

​Computer-generated records

​Data the system maintains, such as system log files and proxy server logs

​After a judge approves and signs a search warrant, the _______ is responsible for the collection of evidence as defined by the warrant.

​Digital Evidence First Responder

The _______ is responsible for analyzing data and determining when another specialist should be called in to assist with analysis.

​Digital Evidence Specialist

_______ must be included in an affidavit to support an allegation in order to justify a warrant.

​Exhibits

​What does FRE stand for?

​Federal Rules of Evidence

You must abide by the _______ while collecting evidence.

​Fourth Amendment

In cases that involve dangerous settings, what kind of team should be used to recover evidence from the scene?​

​HAZMAT

What tool, currently maintained by the IRS Criminal Investigation Division and limited to use by law enforcement, can analyze and read special files that are copies of a disk?​

​ILook

_______ is a specialized viewer software program.

​IrfanView

What should you do while copying data on a suspect's computer that is still live?​

​Make notes regarding everything you do.

_______ can be used to restore backup files directly to a workstation.

​Norton Ghost

_______ is a common cause for lost or corrupted evidence.

​Professional curiosity

Which of the following is not done when preparing for a case?​

​Set up covert surveillance.

Which option below is not a standard systems analysis step?​

​Share evidence with experts outside of the investigation.

_______ does not recover data in free or slack space.

​Sparse acquisition

_______ is responsible for creating and monitoring lab policies for staff, and provides a safe and secure workplace for staff and evidence.​

​The lab manager

When seizing digital evidence in criminal investigations, whose standards should be followed?​

​U.S. DOJ

Which court case established that it is not necessary for computer programmers to testify in order to authenticate computer-generated records?​

​United States v. Salgado

Which tool below is not recommended for use in a forensics lab?​

​Use a master key.

_______ is a specialized viewer software program.

​Use a master key.

​An evidence custody form does not usually contain _______.

​a witness list

If a police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit a(n) _______.​

​affidavit

A chain-of-evidence form, which is used to document what has and has not been done with the original evidence and forensic copies of the evidence, is also known as a(n) _______.

​evidence custody form

A _______ is not ​a private sector organization.

​hospital

The sale of sensitive or confidential company information to a competitor is known as _______.

​industrial espionage

The term _______ describes a database containing informational records about crimes that have been committed previously by a criminal.

​police blotter

The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient _______.​

​probable cause

​Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as _______.

​repeatable findings