intro Digital forensics Final study

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Which of the following types of files can provide useful information when you're examining an e-mail server?

.log files

In Microsoft Outlook, what are the e-mail storage files typically found on a client computer?

.pst and .ost

In VirtualBox, a(n)file contains settings for virtual hard drives.

.vbox

How many sectors are typically in a cluster on a disk drive?

4 or more

On a Windows system, sectors typically contain how many bytes?

512

To trace an IP address in an e-mail header, what type of lookup service can you use? (Choose all that apply.)

A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net Any Web search engine

The National Software Reference Library provides what type of resource for digital forensics examiners?

A list of MD5 and SHA1 hash values for all known OSs and applications

Your curriculum vitae is which of the following? (CV)

A necessary tool to be an expert witness A generally required document to be made available before your testimony A detailed record of your experience, education, and training

What is a motion in limine?

A pretrial motion for the purpose of excluding certain evidence

List two items that should appear on a warning banner.

A warning banner should have a warning and what is expected of the user. It should inform the end user that the organization of admin reserves the right to inspect computer systems and network traffic at will. Something that may be in a contract signed to use such resources. You can expect to have no privacy for certain actions and that it is used for certain purposes only. Using the system consents to this, and unauthorized users are subject to prosecution.

What are some ways to determine the resources needed for an investigation?

A way to find what resources are needed is through assessments of the company and what type of investigation is needed. Looking at what is targeted can tell a team that they need certain software or personnel for certain tasks. Finding what the issue was could lead a team from investigating the integrity of a company's systems to the company itself.

Which of the following is an example of a written report?

An affidavit

What can be included in report appendixes? *

Any other resources used and data

When do zero day attacks occur? (

Before a patch is available Before the vendor is aware of the vulnerability

When working for a prosecutor, what should you do if the evidence you found appears to be exculpatory and isn't being released to the defense?

Bring the information to the attention of the prosecutor, then his or her supervisor, and finally to the judge (the court). -tell everyone

If a suspect computer is running Windows 10, which of the following can you perform safely?

Browsing open applications

What does CHS stand for?

CHS stands for Cylinder, head, and sector calculation.

When validating the results of a forensic analysis, you should do which of the following? (Choose all that apply.)

Calculate the hash value with two different tools. Use a different tool to compare the results of evidence you find. Make sure you don't get screwed in court!

When you access your e-mail, what type of computer architecture are you using?

Client/server

When writing a report, what's the most important aspect of formatting?

Consistency- cause if you ain't consistent then what you doing?

If a suspect computer is found in an area that might have toxic chemicals, you must do which of the following?

Coordinate with the HAZMAT team.-hell if I'm doing it Assume the suspect computer is contaminated.

Before testifying, you should do which of the following?

Create an examination plan with your retaining attorney. Make sure you've been paid for your services and the estimated fee for the deposition or trial. -surprising to make sure you are paid

With remote acquisitions, what problems should you be aware of? (Choose all that apply.)

Data transfer speeds Access permissions over the network Antivirus, antispyware, and firewall programs

The process of converting raw images to another format is called which of the following?

Demosaicing

You can expect to find a type 2 hypervisor on what type of device? (Choose all that apply.)

Desktop Smartphone Tablet

When searching a victim's computer for a crime committed with a specific e-mail, which of the following provides information for determining the e-mail's originator? (Choose all that apply.)

E-mail header Firewall log

Describe what should be videotaped or sketched at a digital crime scene.

Everything should be videotaped or sketched along with the room and devices found. Every little detail needs to be tracked, down to the wires connected and to where.

Which forensic image file format creates or incorporates a validation hash value in the image file?

Expert Witness SMART AFF

Automated tools help you collect and report evidence, but you're responsible for doing which of the following?

Explaining the significance of the evidence- ChatGPT ain't doing that for you... yet

Which of the following rules or laws requires an expert to prepare and submit a report?

FRCP 26

What kind of information do fact witnesses provide during testimony?

Facts only-duh

A JPEG file is an example of a vector graphic. True or False?

False

A forensic image of a VM includes all snapshots. True or False?

False

A forensic workstation should always have a direct broadband connection to the Internet.

False

Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule.

False

Digital forensics and data recovery refer to the same activities.

False

Only one file format can compress graphics files. True or False?

False

The plain view doctrine in computer searches is well-established law. True or False?

False

Under normal circumstances, a private-sector investigator is considered anagent of law enforcement.

False

Zone bit recording is how manufacturers ensure that the outer tracks store as much data as possible. True or False?

False

A live acquisition can be replicated. True or False?

False- cause of the nature of it

After you shift a file's bits, the hash value remains the same. True or False?

False- changes everything

When investigating graphics files, you should convert them into one standard format. True or False?

False- could change things

Data can't be written to disk with a command-line tool. True or False?

False- course it can

Graphics files stored on a computer can't be recovered after they are deleted. True or False?

False- course they cannnn

Copyright laws don't apply to Web sites. True or False?

False- course they do

You should always prove the allegations made by the person who hired you

False- good faith

If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log.

False- if you do this... why?

Building a forensic workstation is more expensive than purchasing one. True or False?

False- like a pc

You can view e-mail headers in Notepad with all popular e-mail clients. True or False?

False- need a reader as it'll be garble

You should always answer questions from onlookers at a crime scene. True or False?

False- no info for them

Password recovery is included in all forensics tools. True or False?

False- not installed in all

FTK Imager can acquire data in a drive's host protected area.

False- says nope

The ANAB (ANSI National Accreditation Board) mandates the procedures established for a digital forensics lab.

False- someone else

Hardware acquisition tools typically have built-in software for data analysis. True or False?

False- that would be too simple

A forensic linguist can determine an author's gender by analyzing chat logs and social media communications. True or False?

False- unless you're a magician

Small companies rarely need investigators. True or False?

False- why in the hell wouldn't they?

In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False?

False- would be repeatable I think

Evidence storage containers should have several master keys.

False-keeping it safe

Which of the following represents known files you can eliminate from an investigation? (Choose all that apply.)

Files associated with an application System files the OS uses

EFS can encrypt which of the following?

Files, folders, and volumes

The Known File Filter (KFF) can be used for which of the following purposes?

Filter known program files from view. Compare hash values of known files with evidence files.

Hash values are used for which of the following purposes?

Filtering known good files from potentially suspicious data Validating that the original data hasn't changed

Police in the United States must use procedures that adhere to which of the following?

Fourth Amendment

Forensic software tools are grouped into ____and ______applications.

GUI, command line

Which Registry key contains associations for file extensions?

HKEY_CLASSES_ROOT

Steganography is used for which of the following purposes?

Hiding data

When you perform an acquisition at a remote location, what should you consider to prepare for this task?

I should consider what software or hardware I will need for the acquisition. I will need to assess what kind of environment it is within and whether are there safety mechanisms. Do they have sufficient power and safe servers.

The standards for testing forensics tools are based on which criteria?

ISO 17025

What should you do if you realize you have made a mistake or misstatement during a deposition?

If the deposition is still in session, refer back to the error and correct it. If the deposition is over, make the correction on the corrections page of the copy provided for your signature.

These modes of protection are people, operations, and technologies.

In the innermost layer- unless you wanna do a little trolling

What methods do steganography programs use to hide data in graphics files? (Choose all that apply.)

Insertion Substitution

Device drivers contain what kind of information?

Instructions for the OS on how to interface with hardware devices.

Virtual Machine Extensions (VMX) are part of which of the following?

Intel Virtualized Technology

Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?

Internal corporate investigation because corporate investigators typically have ready access to company records Can look at things without warrant as its a policy

What information is not in an e-mail header? (Choose all that apply.)

Internet addresses Contents of the message

What methods are used for digital watermarking? (Choose all that apply.)

Invisible modification of the LSBs in the file Layering visible symbols on top of the image

What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller? span>

It allows the investigators to extract data from a computer without editing it. In certain scenarios, an OS can create a change in a computer, thus damaging its integrity. It could impact the investigation, but if we made sure that could never happen, then it would ensure integrity. It also allows users to remove drives without having to shut down a workstation.

What does a sparse acquisition collect for an investigation?

It collects fragments, similar to the logical acquisition, of unallocated or deleted data.

Which of the following statements about the legal-sequential numbering system in report writing is true?

It doesn't indicate the relative importance of information.

List two features NTFS has that FAT does not.

It has access to Unicode along with its features of Unicode-8, and it has access to journaling.

What is a hashing algorithm?

It is a utility that creates a binary or hexadecimal number that represents the data transcribed. This is unique to the piece of data and can validate the integrity and ensure it was not tampered with.

Why is physical security so critical for digital forensics labs?

It is critical to keep security tight so no harm is done to the evidence. If it is tampered with it could inhibit an investigation. Keeping the integrity of the evidence is key.

What are the three rules for a forensic hash?

It is something that shouldn't be predictable, two hashes shouldn't be the same, and if something changes then the hash will change.

What is professional conduct, and why is it important?

It is the behavior that is expected of professionals involving their ethics, morals, and how they should behave. They should maintain proper behavior to maintain objectivity and credibility by maintaining confidentiality.

What's a virtual cluster number?

It is when a disk is highly fragmented and when data is first written to nonresident files. Additional VCNs are added as needed by the size.

Why should evidence media be write-protected?

It might be the only copies that are accessible, and any damage could damage the case. A bad investigator might damage or even affect the findings with their own traces on the device. It should be copied so it can be looked through and kept safe if it is ever needed. If it is destroyed, then it could pose a big threat to the investigation team.

What does a logical acquisition collect for an investigation?

It only collects specific files of interest for an investigation or even specific types of files.

List three items you should include in your CV.*

It should have your education, experience, and training

What items should your business plan include?

It should include the justification, budget development, facility costs, software requirements, approval and acquisition, implementation, acceptance testing, correction for acceptance, and production of the plan. Just a plan in general and not winging it

List three items stored in the FAT database.

It usually contains filenames, directories, and date and time stamps, along with the starting cluster number.

Why was EFI boot firmware developed?

It was designed to provide better protection against malware than BIOS does.

Why should you do a standard risk assessment to prepare for an investigation?

It will allow the team to know what they are dealing with. Making an initial investigation will show what systems are in use or what problem needs to be dealt with. Possibly making sure no further issues arise.

What's the purpose of an affidavit?

Its purpose is to be served to a judge to be able to grant someone a search warrant. It should be in good faith and with sufficient evidence.

Which of the following techniques might be used in covert surveillance? (Choose all that apply.)

Keylogging data sniffing

Packet analyzers examine what layers of the OSI model?

Layers 2 and 3 (data link and network layer)

Bitmap (.bmp) files use which of the following types of compression?

Lossless

A JPEG file uses which type of compression?

Lossy

Phishing does which of the following?

Lures users with false promises

List two hashing algorithms commonly used for forensics purposes.

MD5 and SHA-1

Which of the following is a current formatting standard for e-mail?

MIME

During your cross-examination, you should do which of the following?

Maintain eye contact with the jury. Pay close attention to what your attorney is objecting to. Pay close attention to opposing counsel's questions. Answer opposing counsel's questions as briefly as is practical. -PAY ATTENTION

When using graphics while testifying, which of the following guidelines applies?

Make sure the jury can see your graphics. Practice using charts for courtroom testimony. Your exhibits must be clear and easy to understand- don't use 140p images

The manager of a digital forensics lab is responsible for which of the following?

Making necessary changes in lab procedures and software Ensuring that staff members have enough training to do the job Knowing the lab objectives

Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons?

Most companies keep inventory databases of all hardware and software used.

Some clues left on a drive that might indicate steganography include which of the following? (Choose all that apply.)

Multiple copies of a graphics file Graphics files with the same name but different file sizes Steganography programs in the suspect's All Programs list

Which of the following Windows 8 files contains user-specific information?

Ntuser.dat

Areal density refers to which of the following?

Number of bits per square inch of a disk platter

In JPEG files, what's the starting offset position for the JFIF label?

Offset 6

What are two concerns when acquiring data from a RAID server?

One concern is the amount of storage required since it takes two disks for each volume. Another concern is if the tool used can copy the data correctly.

To determine the types of operating systems needed in your lab, list two sources of information you could use.

One source is researching the computers commonly used in an organization. A second source would be the American Society of Crime Laboratory Directors (ASCLD).

What's the main piece of information you look for in an e-mail message you're investigating?

Originating e-mail domain or IP address

Which of the following is the standard format for reports filed electronically in U.S. federal courts and most state courts?

PDF- figured

The most reliable way to ensure that jurors recall testimony is to do which of the following?

Present evidence combining oral testimony and graphics that support the testimony.

When you arrive at the scene, why should you extract only those items you need to acquire evidence?

Probing anymore or extracting more than needed might cause trouble. It might cause space or legal problems. It could even affect the speed if you are looking through hundreds of files.

Building a business case can involve which of the following?

Procedures for gathering evidence Testing software Protecting trade secrets

The verification function does which of the following?

Proves that two sets of data are identical via hash values

Block-wise hashing has which of the following benefits for forensics examiners?

Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive

The number of VMs that can be supported per host by a type 1 hypervisor is generally determined by the amount of ___and ____.

RAM, Storage

Rainbow tables serve what purpose for digital forensics examinations?

Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords

The reconstruction function is needed for which of the following purposes? (Choose all that apply.)

Re-create a suspect drive to show what happened. Create a copy of a drive for other investigators. Re-create a drive compromised by malware.

When you carve a graphics file, recovering the image depends on which of the following skills?

Recognizing the pattern of the file header content ( the first few bytes)

A log report in forensics tools does which of the following?

Records an investigator's actions in examining a case

When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do?

Restore the e-mail server from a backup.

If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords?

Salting can make password recovery extremely difficult and time consuming.

Digital pictures use data compression to accomplish which of the following goals?

Save space on a hard drive Produce a file that can be e-mailed or posted on the Internet.

Which of the following describes fact testimony?

Scientific or technical testimony describing information recovered during an examination- make sure it's legit

_______________ happens when an investigation goes beyond the bounds of its original description.

Scope Creep

Logging options on e-mail servers can be which of the following? (Choose all that apply.)

Set up in a circular logging configuration Configured to a specified size before being overwritten

Why should you critique your case after it's finished?

So you can ask what could have been done better or more efficiently. Was everything that I expected, or was I thorough enough? How to improve future cases or make sure the proper channels were used. Even finding new problems or finding new techniques is a good thing about it.

What are the necessary components of a search warrant?

Some necessary components are to submit an affidavit that states there is sufficient cause for a search warrant. It must have the evidence that supports the reason for the warrant, and only that evidence is collected. It should have enough evidence and not be targeting a certain person unless with reasonable suspicion.

Which of the following describes expert witness testimony?

Testimony designed to assist the jury in determining matters beyond the ordinary person's scope of knowledge- explaining what they don't know

List two types of depositions.

Testimony preservation and discovery oral and written

What do you call a list of people who have had physical possession of the evidence?

That will be called the chain of custody.

Of all the proprietary formats, which one is the unofficial standard?

That will be the Expert Witness Compression format.

Explain how to identify an unknown graphics file format that your digital forensics tool doesn't recognize.

That would be looking at the hex code and finding the starting bytes to see what format it could be in.

What expressions are acceptable to use in testimony to respond to a question for which you have no answer?

That's beyond the scope of my expertise. I wasn't asked to investigate that. That's beyond the scope of my investigation. -beyond scope? good response

Which organization has guidelines on how to operate a digital forensics lab?

The ANAB has good guidelines on how to operate and maintain a digital forensics lab. It is owned by ANSI and ASQ.

According to ISO standard 27037, which of the following is an important factor in data acquisition?

The DEFR's competency Use of validated tools

In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?

The RAM slack is zeroed out, and no RAM data is loaded into the slack.

In a Linux shell, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1

The command is correct.

In steganalysis, cover-media is which of the following?

The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file

What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?

The file is unencrypted automatically.

What's the most critical aspect of digital evidence?

The most critical aspect of digital evidence is validation of digital evidence.

An expert witness can give an opinion in which of the following situations?

The opinion, inferences, or conclusions depend on special knowledge, skills, or training not within the ordinary experience of laypeople. The witness is shown to be qualified as a true expert in the field. The witness testifies to a reasonable degree of certainty (probability) about his or her opinion, inference, or conclusion.

Which organization provides good information on safe storage containers?

The organization known as NISPOM has good information in documents chapter 5, section 3.

What's the maximum file size when writing data to a FAT32 drive?

The segmented volume size shouldn't exceed 2GB each.

E-mail headers contain which of the following information? (Choose all that apply.)

The sender and receiver e-mail addresses An ESMTP number or reference number The e-mail servers the message traveled through to reach its destination

In answering a question about the size of a hard drive, which of the following responses is appropriate?

The technical data sheet indicates it's a 3 terabyte hard drive. It's a 3 terabyte hard drive configured with 2.78 terabytes of accessible storage. I was unable to determine the drive size because it was so badly damaged.

Which forensics tools can connect to a suspect's remote computer and run surreptitiously?

There are ProDiscover, EnCase Enterprise, R-tools R-Studio, WetStone US-LATT PRO, and F-Response.

List three sub-functions of the extraction function.

There are data viewing, keyword searching, and carving.

List two types of digital investigations typically conducted in a business environment.

There are the abuse or misuse of computing assets and e-mail abuse.

Name the three formats for digital forensics data acquisitions.

There is a raw format, proprietary format, and advanced forensic format.

List three items that should be in an initial-response field kit.

There should be a laptop or small PC, some media with a large capacity, and a forensic system or tool.

You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?

There's a hidden partition.

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.

These are Guidance Encase and X-ways Winhex Specialist edition.

What are the three modes of protection in the DiD strategy?

These modes of protection are people, operations, and technologies.

List two features common with proprietary format acquisition files.

They allow the option for compression or not compressing image files of a suspect drive, and have the capability to split an image into smaller segmented files for archiving purposes.

Clusters in Windows always begin numbering at what number?

They are assigned two since the first ones are for the system area etc.

Which of the following is true of most drive-imaging tools? (Choose all that apply.)

They ensure that the original drive doesn't become corrupt and damage the digital evidence. They create a copy of the original drive.

Which of the following is true about JPEG and TIF files?

They have different values for the first 2 bytes of their file headers.

With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?

They try to mount the data on the device and possibly alter the device.

What does the Ntuser.dat file contain?

This file contains the recently opened files and the desktop configuration settings.

Why is it a good practice to make two images of a suspect drive in a critical investigation?

This is because we are dealing with sometimes volatile devices. It is important to create contingencies for a what-if. Especially if it is a critical case then making a copy will allow us to look at a disk without altering the original one. Possibly damaging very good evidence. If you damage or lose a copy then you have a backup as well. Murphy's law might happen.

What's the purpose of maintaining a network of digital forensics specialists?

This is to develop and supplement our knowledge. Networking with contacts, especially those who are the best in the field, allows us to keep up with the hot topics. We can meet and discuss various problems with certain things in the field and get input to find a second opinion. Understanding the latest threats or events that attackers are currently using before anyone else. Being able to share knowledge on topics and increase efficiency along with security.

Commingling evidence means what in a corporate setting?

This means combining confidential business evidence with evidence that is found.

What does MFT stand for?

This stands for Master File Table.

What term refers to labs constructed to shield EMR emissions?

This was known as TEMPEST.

What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?

This will be lossless as it reduces without deleting portions of data.

In the Linux dcfldd command, which three options are used for validating data?

Three commands are vf, hash, and hashlong with an = after each.

List three items that should be on an evidence custody form.

Three items could be the organization being investigated, what the evidence is, a description, and the model number.

List three items that should be in your case report.

Three items that should be there are what was done and found, the notes of what you did and if the steps could be repeated to show the same result, and if there is conclusive evidence.

For which of the following reasons should you wipe a target drive?

To ensure the quality of digital evidence you acquire To make sure unwanted data isn't retained on the drive

For what purpose have hypothetical questions traditionally been used in litigation?

To frame the factual context of rendering an expert witness's opinion

What's the main goal of a static acquisition?

To maintain the integrity of the media device.

Router logs can be used to verify what types of e-mail data?

Tracking flows through e-mail server ports

In FAT32, a 123 KB file uses how many sectors?

Transferring KB to B and dividing by 512 to get 246 sectors.

After examining e-mail headers to find an e-mail's originating address, investigators use forward lookups to track an e-mail to a suspect. True or False?

True

An encrypted drive is one reason to choose a logical acquisition. True or False?

True

Computer peripherals or attachments can contain DNA evidence. True or False?

True

E-mail accessed with a Web browser leaves files in temporary folders. True or False?

True

Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or False?

True

If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?

True

If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?

True

If you were a lay witness at a previous trial, you shouldn't list that case in your written report. True or False?

True

In NTFS, files smaller than 512 bytes are stored in the MFT. True or False?

True

Tcpslice can be used to retrieve specific timeframes of packet captures. True or False?

True

The primary hash the NSRL (Nation software reference library) project uses is SHA-1. True or False?

True

To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations. True or False?

True

Voir dire is the process of qualifying a witness as an expert. True or False?

True

When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False? True

True

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause. True or False?

True- good luck committing crimes :D

The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False?

True- more in size= more in time

For digital evidence, an evidence bag is typically made of antistatic material.

True- no sparks

An employer can be held liable for e-mail harassment.

True- why wouldn't they

An image of a suspect drive can be loaded on a virtual machine. True or False?

True-loaded as logical or something

EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk.

True-piece it back together?

What are two advantages and disadvantages of the raw format?

Two advantages of raw format are the fast data transfers and the capability to ignore minor data read errors on the source drive. Two disadvantages are the amount of storage needed, and the raw format tools might not collect bad sectors.

List two popular certification systems for digital forensics.

Two popular certifications are the High Tech Crime Network and ACE certifications.

What is the space on a drive called when a file is deleted? (Choose all that apply.)

Unallocated space Free space

If you're giving an answer that you think your attorney should follow up on, what should you do?

Use an agreed-on expression to alert the attorney to follow up on the question. -_-

Hashing, filtering, and file header analysis make up which function of digital forensics tools?

Validation and verification

Virtual machines have which of the following limitations when running on a host computer?

Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.

Which of the following is a clue that a virtual machine has been installed on a host system?

Virtual network adapter

The triad of computing security includes which of the following?

Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation

What should you consider when determining which data acquisition method to use?

We should consider the size of the drive being investigated, if we have ease of access to the disk or have to return it, the time to do the action, and where it is located.

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?

We should take an initial response kit.

Policies can address rules for which of the following?

When you can log on to a company network from home The Internet sites you can or can't access The amount of personal e-mail you can send

As a private-sector investigator, you can become an agent of law enforcement when which of the following happens?

You begin to take orders from a police detective without a warrant or subpoena. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.

What three items should you research before enlisting in a certification program?

You should research the cost of it, the requirements to take it, and if it is expected in the company you work for or want to work at.

At trial as a fact or expert witness, what must you always remember about your testimony?

Your duty is to report your technical or scientific findings or render an honest opinion.

Digital forensics facilities always have windows.

false

To find network adapters, you use the ---- command in Windows and the---- command in Linux.

ipconfig, ifconfig

Commercial encryption programs often rely on _______________ technology to recover files if a password or passphrase is lost.

key escrow

What's a major advantage of automated forensics tools in report writing?*

log files and create reports like autopsy along with keeping track of things

Typically, a(n) __________ lab has a separate storage area or room for evidence. *

regional

Sendmail uses which file for instructions on processing an e-mail message?

sendmail.cf

What is destroying a report before the final resolution of a case called?*

spoliation- should be this but idkkkkk

On a UNIX-like system, which file specifies where to save different types of e-mail log files?

syslog.conf

When viewing a file header, you need to include hexadecimal information to view the image. True or False?

true- can change the file entirely sometimes

Large digital forensics labs should have at least ______ exits.

two

Which of the following file extensions are associated with VMware virtual machines?

vmx, .log, and .nvram

In forensic hashes, when does a collision occur?*

when two different files have the same hash value.


Kaugnay na mga set ng pag-aaral

Introduction to Coordinate Systems

View Set

SEP - Foundationalist theories of epistemic justification

View Set

FORCE AND LAW OF MOTION SECTION 3 REVIEWWW

View Set

Chapter 7 thru Chapter 12_Computer Network Fundamentals

View Set

Florida 2 15 Taxes, Retirement, and other Insurance Concepts

View Set

Depression and Suicidal Thoughts/Behaviors and Practice Q's

View Set