Guide to Computer Forensics and Investigations 6e Chapters (1-10)
"In a Linux shell, the f-disk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of =/dev/hda1"
"False The correct command is dcfldd if=/dev/hda1 of=image_file.img"
Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?
"Internal corporate investigation because corporate investigators typically have ready access to company records"
"If a suspect computer is located in an area that might have toxic chemicals, you must do which of the following? (Choose all that apply.) A) Coordinate with a HAZMAT team B) Determine a way to obtain the suspect computer C) Assume the suspect computer is contaminated D) Do not enter alone"
"a. Coordinate with the HAZMAT team. c. Assume the suspect computer is contaminated."
"With remote acquisitions, what problems should you be aware of? (Choose all that apply) a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs d. The password of the remote computer's user"
"a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs"
"FTK's Known File Filter (KFF) can be used for which of the following purposes? (Choose all that apply.) a. Filter known program files from view. b. Calculate hash values of image files. c. Compare hash values of known files to evidence files. d. Filter out evidence that doesn't relate to your investigation. 4. For what legal and illegal purposes can you use steganography?"
"a. Filter known program files from view. c. Compare hash values of known files to evidence files."
"Which of the following techniques might be used in covert surveillance? (Choose all that apply) A) Keylogging B) Data Sniffing C) Network logs"
"a. Keylogging b. Data sniffing refer to review sheets"
"The manager of a digital forensics lab is responsible for which of the following? (Choose all that apply) a. Making necessary changes in the lab procedures and software b. Ensuring that staff members have enough training to do the job c. Knowing the lab objectives d. None of the above"
"a. Making necessary changes in the lab procedures and software b. Ensuring that staff members have enough training to do the job c. Knowing the lab objectives"
"As a corporate investigator, you can become an agent of law enforcement when which of the following happens? (Choose all that apply.) A) You begin to take orders from a police detective without a warrant or subpoena. B) Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. C) Your internal investigation begins D) None of the above"
"a. You begin to take orders from a police detective without a warrant or subpoena. b. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement"
"Which of the following represents known files you can eliminate from an investigation? (Choose all that apply.) a. Any graphics files b. Files associated with an application c. System files the OS uses d. Any files pertaining to the company`"
"b. Files associated with an application c. System files the OS uses"
Digital pictures use data compression to accomplish which of the following goals? (Choose all that apply)
-save space on a hard drive -produce a file that can be e-mailed or posted on the Internet
In VirtualBox, a(n) (blank) file contains settings for virtual hard drives
.vbox
Which of the following file extensions are associated with VMware virtual machines?
.vmx, .log, and .nvram
Which of the following Linux system files contains hashed passwords for the local system?
/etc/shadow
On most Linux systems, current user login information is in which of the following locations?
/var/log/utmp
Clusters in Windows always begin numbering at what number?
0
Large digital forensics labs should have at least ## exits
1
What's the maximum file size when writing data to a FAT32 drive?
2 GB (a limitation of FAT file systems)
In FAT32, a 123 KB file uses how many sectors?
246 sectors
On a Windows system, sectors typically contain how many bytes?
512
The National Software Reference Library provides what type of resource for digital forensics examiners?
A list of MD5 and SHA1 hash values for all known OSs and applications
What does a logical acquisition collect for an investigation?
A logical acquisition captures only specific files of interest to the case or specific types of files
What is a hashing algorithm?
A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk
What does a sparse acquisition collect for an investigation?
A sparse acquisition collects fragments of unallocated (detected) data
Hard links are associated with which of the following?
A specific node
Which organization has guidelines on how to operate a digital forensics lab?
ASCLD
List two items that should appear on a warning banner
Access to this system and network is restricted and use of this system and network is for official business only.
What are the major improvements in the Linux Ext4 file system?
Added support for partitions larger than 16 TB, improved management of large files and offered a more flexible approach to adding file system features
What are two advantages and disadvantages of the raw format?
Advances for raw format are fast data transfers and the capability to ignore minor data read errors on the source drive. Disadvantages of raw format is that some raw format tools might not collect marginal (bad) sectors on the source drive
"What's the purpose of an affidavit? "
Affidavit is often used to justify issuing a warrant or to deal with abuse in a corporation.
"Building a business case can involve which of the following? a. Procedures for gathering evidence b. Testing software c. Protecting trade secrets d. All of the above"
All of the above
"Policies can address rules for which of the following? a. When you can log on to a company network from home b. The Internet sites you can or can't access c. The amount of personal e-mail you can send d. Any of the above"
Any of the above
When do zero day attacks occur? (Choose all that apply.)
Before a patch is available, Before the vendor is aware of the vulnerability
What is professional conduct, and why is it important?
Behavior expected of an employee in the workplace or other professional setting. It is important because it determines your credibility
"For which of the following reasons should you wipe a target drive? a. To ensure the quality of digital evidence you acquire b. To make sure unwanted data isn't retained on the drive c. Neither of the above d. Both a and b"
Both a and b
If a suspect computer is running Windows 2000, which of the following can you perform safely?
Browsing open applications refer to review sheets
When validating the results of a forensic analysis, you should do which of the following? (Choose all that apply)
Calculate the hash value with two different tools, Use a different tool to compare the results of evidence you find
List three items that should be on an evidence custody form
Case number, Investigating organization, Investigator
What do you call a list of people who have had physical possession of the evidence?
Chain of Custody
How does the Mac OS reduce file fragmentation?
Clumps
Describe what should be videotaped or sketched at a computer crime scene
Computers, cable connections, overview of scene—anything that might be of interest to the investigation
What should you consider when determining which data acquisition method to use?
Consider the size of the source (suspect) disk, whether you can retain the source disk as evidence or must return it to the owner
What does CHS stand for?
Cylinder head sector
Explain the differences in resource and data forks used in the Mac OS
Data fork: where data is stored. Resource fork: where file metadata and application information are stored
What are the functions of a data run's field components in an MFT record?
Data runs have three components: The first declares how many bytes are required in the attribute field to store the number of bytes needed for the second and third components. The second component stores the number of clusters assigned to the data run. The third component contains the starting cluster address value (the LCN or the VCN)
List three sub-function of the extraction function
Data viewing, Keyword searching, Decompressing or compressingCarving, Decrypting, Bookmarking or tagging
The process of converting raw images to another format is called which of the following?
Demosaicing
What are some ways to determine the resources needed for an investigation?
Determine the OS of the suspect computer & list the software to use for the examination
When you perform an acquisition at a remote location, what should you consider to prepare for this task?
Determining whether there's sufficient electrical power and lighting and checking the temperature and humidity at the location
Device drivers contain what kind of information?
Device drivers contain instructions for the OS on how to interact with hardware devices
Why was EFI boot firmware developed?
EFI boot firmware was developed to provide better protection against malware then BIOS does
List two types of digital investigations typically conducted in a business environment
Email Abuse, and Internet Abuse
Which forensics tool can connect to a suspect's remote computer and run surreptitiously?
EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response
Name two commercial tools that can make a forensics sector-by-sector copy of a drive to a larger drive
EnCase, and ProDiscover
What's the advantage of a write blocking device that connects to a computer through a FireWire or USB controller?
Enable user to remove and reconnect drives without having to shut down the workstation, which saves time
Which forensic Image file format creates or incorporates a validation hash value in the image file? (Choose all that apply)
Expert Witness, SMART
What items should your business plan include?
Explaining how much a benefit to the company the lab will be, being exact as possible of the price of the items, how many digital forensics examiners you will need, the training of them,the need of more than one lab, and the cost of security.
List three items that should be in your case report
Explanation of basic computer and network processes, a narrative of what steps you took, and a description of findings.
A JPEG file is an example of a vector graphic. True or False?
FALSE
A forensic image of a VM includes all snapshots. True or False?
FALSE
A forensic workstation should always have a direct broadband connection to the Internet. True or False?
FALSE
A live acquisition is considered an accepted practice in digital forensics. True or False?
FALSE
After you shift a file's bits, the hash value remains the same. True or False?
FALSE
Building a forensic workstation is more expensive than purchasing one. True or False?
FALSE
Copyright laws don't apply to websites. True or False?
FALSE
Data can't be written to disk with a command-line tool. True or False?
FALSE
Digital Forensics and data recovery refer to the same activities. True or False?
FALSE
Digital forensics facilities always have windows. True or False?
FALSE
Evidence storage containers should have several master keys. True or False?
FALSE
Graphics files stored on a computer can't be recovered after they are deleted. True or False?
FALSE
Hardware acquisition tools typically have built in software for data analysis. True or False?
FALSE
If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. True or False?
FALSE
In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True and False?
FALSE
Linux is the only OS that has a kernel. True or False?
FALSE
Only one file format can compress graphics files. True or False?
FALSE
Password recovery is included in all computer forensics tools. True or False?`
FALSE
Small companies rarely need investigators. True or false?
FALSE
The ASCLD mandates the procedures established for a digital forensics lab. True or False?
FALSE
The plain view doctrine in computer searches is well-established law. True or False?
FALSE
The primary hash the NSRL project uses is SHA-1. True or False?
FALSE
Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?
FALSE
Validating an image file once, the first time you open it, is enough. True or False?
FALSE
When investigating graphics files, you should convert them into one standard format. True or False?
FALSE
You should always answer questions from onlookers at a crime scene. True or false?
FALSE
You should always prove the allegations made by the person who hired you. True or False?
FALSE
Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True or False?
FALSE
List three items stored in the FAT database
Filenames, Directory names, Date and time stamps
EFS can encrypt which of the following?
Files, folders, and volumes
Hash Values are used for which of the following purposes? (Choose all that apply)
Filtering known good files from potentially suspicious data & validating that the original data hasn't changed.
Police in the United States must use procedures that adhere to which of the following?
Fourth Amendment
Which Registry key contains associations for file extensions?
HKEY_CLASSES_ROOT
List two popular certification systems for digital forensics
HTCN, EnCE
Forensic software tools are grouped into _ and _applications
Hardware and software
Which of the following is true about JPEG and TIF files?
Have different values for the first 2 bytes of their file headers
Steganography is used for which of the following purposes?
Hiding data
The standards for testing forensic tools are based on which criteria?
ISO 17025
Why is physical security so critical for digital forensics labs?
If the security is not at an acceptable place, then the opposing party can argue that the information could have been tampered with.
What methods do stenography programs use to hide data in graphics files? (Choose all that apply)
Insertion, Substitution
What methods are sued for digital watermarking? (Choose all that apply)
Invisible modification of the LSBs in the file, Layering visible symbols on top of the image
What are the three rules for a forensic hash?
It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes
What's a virtual cluster number?
It represents the assigned clusters of files that are nonresident in the MFT. If a file has become fragmented, it can have two or more VCNs. The first VCN for a nonresident file is listed as 0.
To recover a password on a Mac system, which tool do you use?
Keychain access
Packet analyzers examine what layers of the OSI model?
Layers 2 and 3
A JPEG file uses which type of compression?
Lossy
Identify two hashing algorithms commonly used for forensic purposes
MD5 and SHA-1
What does MFT stand for?
Master file table
"Corporate investigations are typically easier than law enforcement investigations for which of the following reasons? a. Most companies keep inventory databases of all hardware and software used b. The investigator doesn't have to gets a warrant c. The investigator has to get a warrant d. Users can load whatever they want on their machines"
Most companies keep inventory databases of all hardware and software used.
Which organization provides good information on safe storage contianers?
NISPOM
With newer Linux kernel distributions, what happens if you connect a hot swappable device, such a USB drive, containing evidence?
Newer Linux distributions automatically mount the USB device, which could alter data on it
In Windows 7 and later, how much data from RAM slack on a disk drive?
No data from RAM is copied to RAM slack on a disk drive
Areal density refers to which of the following?
Number of bits per square inch
What's the ProDiscover remote access utility?
PDServer
How does ProDiscover Incident Response encrypt the connection between the examiner's and suspect's computer?
ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect's workstation.
The verification function does which of the following?
Proves that two sets of data are identical via hash values
List two features NTFS has that FAt does not
Provides more information, More control
The number of VMs that can be supported per host by a type 1 hypervisor is generally determined by the amount of (blank) and (blank)
RAM, storage
Name the three formats for digital forensics data acquisitions
Raw format, proprietary format, and advanced forensic format
The reconstruction function is needed for which of the following purposes? (Choose all that apply)
Re-create a suspect drive to show what happened, create a copy of a drive for other investigators & re-create a drive compromised by hardware.
When you carve a graphics file, recovering the image depends on which of the following skills?
Recognizing the pattern of the file header count. Explain how to identify an unknown graphics file format that your digital forensics tool doesn't recognize
A log report in forensics tool does which of the following?
Records an investigator's actions in examining a case
Typically, a(n) lab has a separate storage area or room for evidence
Regional
What does the Ntuser.dat file contain?
Registry
What three items should you research before enlisting in a certification program?
Requirements, cost, and acceptability
________________ happens when an investigation goes beyond the bounds of its original description.
Scope Creep
List three items that should be in an initial-response field kit
Small computer toolkit, large-capacity drive, IDE ribbon cables
Which of the following describes the superblock's function in the Linux file system? (Choose all that apply)
Specifies the disk geometry and available space. Manages the file system including configuration information
What term refers to labs constructed to shield EMR emissions?
TEMPEST
An employee can be held liable for e-mail harassment. True or False?
TRUE
An image of a suspect drive can be loaded on a virtual machine. True or False?
TRUE
Computer peripherals or attachments can contain DNA evidence. True or false?
TRUE
Data blocks contain actual files and directories and are linked directly to inodes. True or False?
TRUE
Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?
TRUE
Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or False?
TRUE
EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?
TRUE
FTK Imager can acquire data in a drive's host protected area. True or False?
TRUE
For digital evidence, an evidence bag is typically made of antistatic material. True or False?
TRUE
Hard Links work in only one partition or volume. True or False?
TRUE
If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or false?
TRUE
In NTFS, files smaller than 512 bytes are stored in the MFT. True or False?
TRUE
In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause. True or False?
TRUE
One reason to choose a logical acquisition is an encrypted drive. True or False?
TRUE
Tcpslice can be used to retrieve specific time frames of packet captures. True or False?
TRUE
When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False?
TRUE
When viewing a file header, you need to include hexadecimal information to view the inage. True or False?
TRUE
a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or false?
TRUE
"According to ISO standard 27037, which of the following is an important factor in data acquisition? (Choose all that apply) "
The DEFR's competency & use of validated tools
in steganalysis cover-media is which of the following?
The content of a file used for a steganography message
Of all the proprietary formats, which one is the unofficial standard?
The expert witness format is the unofficial standard
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?
The file is unencrypted automatically
Which of the following certifies when an OS meets UNIX requirements?
The open group
List two features common with proprietary format acquisition files
The option to compress or not compress image files of a suspect drive, thus saving target space. The capability to split an image into smaller segmented files for archiving purposes such as to CDs or DVDs, with data integrity checks integrated into each segment
You're using Disk Manager to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?
There's a hidden partition
Which of the following is true of most drive-imaging tools? (Choose all that apply)
They ensure that the original drive doesn't become corrupt and damage the digital evidence, they create a copy of the original drive.
Why should you critique your case after it's finished?
To determine what improvements you made during each case, what could have been done differently, and how to apply those lessons to future cases
Why is it a good practice to make two images of a suspect drive in a critical investigation?
To ensure at least one good copy of the forensically collected data in case of any failures
What's the purpose of maintaining a network of digital forensics specialists?
To have the option of calling on a specialist to help with a case you cannot solve
Why should evidence media be write-protected?
To make sure data can not be altered
What's the main goal of a static acquisition?
To preserve digital evidence
What is the space on a drive called when a file is deleted? (Choose all that apply)
Unallocated space,Free Space
To determine the types of operating systems needed in your lab, list two sources of information you could use
Uniform crime report and finding out how many crimes occurred in the area
What's the Disk Arbitration feature used for in Mac OS X?
Used for disabling and enabling automatic mounting when a drive is connected via a USB or FireWire device
Hashing, filtering , and file header analysis make up which function of digital forensics tools?
Validation and verification
Virtual machines have which of the following limitations when running on a host computer?
Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices
What is a clue that a virtual machine has been installed on a host system?
Virtual network adapter
The triad of computing security includes which of the following?
Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation
Why should you do a standard risk assessment to prepare for an investigation?
You do a standard risk assessment to understand the risks that could halt to investigation
Which of the following describes p list files? (Choose all that apply)
You must have a special editor to view them. They're preference files for application
What are the necessary components of a search warrant?
You need an affidavit of the evidence to conduct an investigation
Which the following is the main challenge in acquiring an image of a Mac system? (Choose all that apply)
You need special tools to remove drives from a MAC system or open its case. Vendor training is needed
What are two concerns when acquiring data from a RAID server?
amount of data storage needed, and the type of RAID server (0, 1, 5, etc.)
In the Linux dcfldd command, which three options are used for validating data?
hash=, hashlog=, and vf=
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
initial-response field kit
A layered network defense strategy puts the most valuable data where?
innermost part of the network
Virtual Machine Extensions (VMX) are part of which of the following?
intel virtualized technology
To find network adapters, you use the (blank) command in Windows and the (blank) command in Linux
ipconfig, ifconfig
Commercial encryption programs often rely on a technology known as _______________ to recover files if a password or passphrase is lost
key escrow
You can expect to find a type 2 hypervisor on what type of device? (Choose all that apply.)
laptop, desktop, tablet
Bitmap (.bmp) files use which if the following types of compression?
lossless
What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?
lossless
Some clues left on a drive that might indicate stenography include which of the following? (Choose all that apply)
multiple copies of a graphics file ,graphics files with the same name but different sizes, graphic files with different file stamps
Which of the following Windows 8 files contain user-specific information?
ntuser.dat
In JPEG files, what's the starting offset position for the JFIF label?
offset 6
How many sectors are typically in a cluster on a disk drive?
one
What are the three modes of protection in the DiD strategy?
people, technology, operations
In Linux, which of the following is the home directory for the superuser?
root
Commingling evidence means what in a corporate setting?
sensitive corporate information being mixed with data collected as evidence
When you arrive at the scene, why should you extract only those items you need to acquire evidence?
to minimize how much you have to keep track of at the scene
What's the most critical aspect of digital evidence?
validation
