Intro to Digital Forensics Final Exam Questions
False
According to the author GPS units are separated into four categories and the data can be grouped into three categories True False
False
According to the author data is generally created in three ways electromagnetism, microscopic electrical transistors (flash), and thumbdrives. True False
False
According to the author each cell site will have four panels per side. True False
False
According to the author the cell tower will have 2 transmitters and 3 receivers. True False
all of the above
According to the author which of the following are log files of interest in network investigations? authentication, firewall, application, operating system all of the above none of the above
False
According to the author, a forensic bag is one way to prevent a network signal from reaching the phone.
bit-for-bit
According to the author, a forensic clone is an exact _____ copy of a computer storage drive. byte-for-byte sector-for-sector bit-for-bit all of the above none of the above
False
According to the author, lab security is always a major concern and unauthorized access is the only threat to the evidence, which must be addressed.
largest, world
According to the author, the FBI's crime laboratory in Quantico, Virginia, has the distinction of being the _______ forensic lab in the ______. largest, country largest, world greatest, USA greatest, globe none of the above
MD5
According to the author, the most common hash functions used in digital forensics are: CRC SHA-2 SHA-1 MD5
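The two questions above (a forensic clone as an exact bit-for-bit copy, and MD5/SHA-1 as the hashes used to prove it) come together in the image verification step. The following is an added example, not code from the page or its textbook: it makes a raw, dd-style copy of a constructed 1 MiB "evidence drive", hashes original and clone with MD5, SHA-1 and SHA-256 (SHA-256 is an addition; the page only names MD5 and SHA-1), and shows that flipping a single bit in a second copy makes every digest disagree. File names, the 1 MiB size and the tampered offset are all assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile

# Hash functions the page names (MD5, SHA-1) plus SHA-256, the usual choice today.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file of any size, streaming it in chunks so a large image never has to fit in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def clone_bit_for_bit(source, destination, chunk_size=1 << 20):
    """Copy every byte of `source` to `destination`, the way a raw (dd-style) image is made."""
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            dst.write(chunk)


def verify_clone(source, clone):
    """True only when every algorithm's digest matches between original and clone."""
    return hash_file(source) == hash_file(clone)


def demo():
    """Constructed evidence: 1 MiB of random bytes standing in for a drive.

    Returns (good_clone_verifies, tampered_clone_verifies).
    """
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "evidence.bin")  # assumed name
        good = os.path.join(tmp, "clone.dd")
        tampered = os.path.join(tmp, "tampered.dd")
        with open(evidence, "wb") as fh:
            fh.write(os.urandom(1 << 20))
        clone_bit_for_bit(evidence, good)
        clone_bit_for_bit(evidence, tampered)
        # Flip one bit at byte offset 4096 of the second copy: a single bit is
        # enough for every digest to change.
        with open(tampered, "r+b") as fh:
            fh.seek(4096)
            original_byte = fh.read(1)[0]
            fh.seek(4096)
            fh.write(bytes([original_byte ^ 0x01]))
        return verify_clone(evidence, good), verify_clone(evidence, tampered)


if __name__ == "__main__":
    print(demo())
```

In practice the digests of the original device are recorded before imaging and again after, and the clone is hashed with the same algorithms; the three-way match is what goes into the examiner's notes and report.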
all of the above
According to the author, what are the advantages of virtual labs? 1. cost savings 2. access to more tools and storage 3. access to diverse and greater expertise 4. reduction of unnecessary duplication of resources all of the above all of the above except number 4
CPU
According to the author, which of the following is most volatile when prioritizing the evidence? memory CPU data on storage drives archived data all of the above
False
Active data is classified as deleted or partially overwritten. True False
All of the above
An IPv4 address is made up of: four octets four decimal numbers all of the above none of the above
All of the above
An IPv6 address is made up of: eight hextets, 128 bits 32 hexadecimal digits, 32 nibbles all of the above none of the above
American Standard Code for Information Interchange
Choose the encoding scheme used for the English language. American Society Code for Interchange Information American Society Code for Information Interchange American Standard Code for Interchange Information American Standard Code for Information Interchange
ten people in Kansas from 1974 to 1991
Dennis Rader, known as Bind, Torture, Kill (BTK), murdered: ten people in Kentucky from 1974 to 1991 ten people in Arkansas from 1974 to 1991 ten people in Kansas from 1974 to 1991 ten people in Kalamazoo from 1974 to 1991
civil cases
Legal authority can be negotiated before taking a computer off-premises in: criminal cases civil cases all of the above none of the above
True
Link files are shortcuts which have date and time stamps. True False
True
Metadata is most often defined as data about data.
True
Network investigative "sniffer" tools include Snort, NetIntercept, and Wireshark True False
False
Packet switching breaks the data into large chunks of data called packets True False
True
Restore points are snapshots of key system settings and configuration at a specific moment in time.
False
Search Authority is always the final step in any forensic process. True False
P2P
Select the network configuration where file sharing is the predominant use of the network client/server P2P all of the above none of the above
True
Shadow copies provide the source data for restore points.
False
The File Allocation Table (FAT) can be expressed as FATX, FAT32, NTFS, FAT16, and FAT12. True False
False
The NTUSER.DAT file is located in the subfolder config. True False
Intelligence
The author describes a process known as Document and Media Exploitation (DOMEX) as paying large dividends and providing _______ to support soldiers on the ground. forensic science digital forensics criminal investigations intelligence
digital evidence
The author states, "One of the major struggles in law enforcement is to change the paradigm of the police and get them to think of and seek out _________." administrative matters digital evidence criminal investigations forensic science
False
The best scientific evidence in the world is valuable only if it's inadmissible in a court of law True False
True
The chain of custody requires tracking each and every time the evidence item(s) changes hands or locations.
person collecting the evidence
The first "link" in the chain of custody in any case is: person recording the evidence person receiving the evidence person collecting the evidence all of the above
all of the above
The log or audit trail for evidence storage should be maintained with: 1. who entered 2. when they entered 3. what they removed 4. or what they returned all of the above all of the above except number 4
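The chain-of-custody questions above (track every change of hands or location; the audit trail records who, when, what was removed and what was returned) can be turned into a record that is also tamper-evident. The following is an added example and not the page's or the textbook's own procedure: each custody entry carries the who/when/action/where fields plus the evidence item's current hash, and a SHA-256 over its own fields and the previous entry's hash, so editing or deleting an earlier link breaks verification of everything after it. The item identifier, examiner names, timestamps and the item hash in the demo are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item.

    Each entry records who handled the item, when, what happened (collected,
    transferred, checked out, returned), where it went and the item's current
    hash. The entry's own hash covers those fields plus the previous entry's
    hash (a hash chain), so no link can be altered or removed silently.
    This layout is an example design, not a standard.
    """

    GENESIS = "0" * 64  # prev_hash of the first link

    def __init__(self, item_id):
        self.item_id = item_id
        self.entries = []

    @staticmethod
    def _digest(fields):
        encoded = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(encoded).hexdigest()

    def record(self, who, action, where, item_hash, when=None):
        """Append one link; `when` defaults to the current UTC time."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        fields = {
            "item_id": self.item_id,
            "seq": len(self.entries),
            "who": who,
            "when": when,
            "action": action,
            "where": where,
            "item_hash": item_hash,
            "prev_hash": prev,
        }
        entry = dict(fields, entry_hash=self._digest(fields))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, first_bad_index): checks sequence numbers, back-links and each entry's own hash."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry.get("seq") != i or entry.get("prev_hash") != prev
                    or entry.get("entry_hash") != self._digest(fields)):
                return False, i
            prev = entry["entry_hash"]
        return True, None

    def item_hash_changes(self):
        """Indices where the recorded item hash differs from the previous link, i.e. the evidence itself changed."""
        return [i for i in range(1, len(self.entries))
                if self.entries[i]["item_hash"] != self.entries[i - 1]["item_hash"]]


def demo():
    """Constructed custody trail; returns (verify before tampering, verify after tampering)."""
    image_hash = "sha256:" + "ab" * 32  # placeholder digest of the evidence image
    log = CustodyLog("CASE-2024-001/ITEM-07")  # assumed identifier
    log.record("Examiner A", "collected", "suspect residence, office", image_hash,
               when="2024-03-01T09:15:00+00:00")
    log.record("Examiner A", "transferred", "evidence locker 3", image_hash,
               when="2024-03-01T11:40:00+00:00")
    log.record("Examiner B", "checked out", "forensic lab bench 2", image_hash,
               when="2024-03-02T08:05:00+00:00")
    before = log.verify()
    # Someone rewrites history: a different name is put on the second link.
    log.entries[1]["who"] = "Examiner C"
    after = log.verify()
    return before, after


if __name__ == "__main__":
    print(demo())
```

The same verification would flag a link that was deleted (the next entry's prev_hash no longer matches) and item_hash_changes() points at the moment the evidence itself, rather than the paperwork, was altered.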
False
The operating system of Windows 7 creates a thumbnail cache file called thumbs.db.
False
The registry consists of both NTUSER.DAT and the five (5) root-level keys or hives. True False
restore points
The shadow copies provide the source data for ___________. registry files link files prefetch files restore points all of the above none of the above
role-based
The virtual lab arrangement allows for a distinct _______ access. role-playing proprietary-role fundamental-role role-based
False
There are 512 bits found in each sector. True False
footer, payload, and header
What are the three (3) parts of a packet? data, footer, and top bottom, data, and header payload, foot, and top footer, payload, and header
mobile, network, computer, and video
What type of forensic examinations are conducted in the University of Akron High-Technology Forensics Laboratory? video, mobile, and computer video, audio, and mobile mobile, network, computer, and video network, mobile, and computer
open
Which of the following applies when the analyst is aware of being tested external oral open closed
all of the above
Which of the following are forensic image formats .E01 .001 .AD1 all of the above
all of the above
Which of the following are included as part of a cell site? related radio equipment mast base station all of the above
all of the above
Which of the following are methods used to locate a cell phone? GPS directional antenna triangulation all of the above
all of the above
Which of the following are possible solutions for protecting cell phones from network signals? aluminum foil paint can faraday bag all of the above
All of the above
Which of the following are required to show origination and termination locations? CDRs physical addresses of towers all of the above none of the above
routing table and ARP cache
Which of the following are the most volatile evidence to collect first? routing table and ARP cache temporary files system and swap space remotely logged data data on the hard drive
home location registers
Which of the following components will record the current location of the device? base station controllers base stations home location registers all of the above
electromagnetism
Which of the following creates data written to a platter using a read/write head attached to an actuator arm? reflecting light microscopic electrical transistors electromagnetism all of the above
all of the above
Which of the following devices would have a static IP address? routers, servers printers, routers servers, printers all of the above
all of the above
Which of the following element(s) ensure valid and reliable results are produced and justice is served in all types of laboratory setups? Standard Operating Procedures & Quality Assurance Accreditation & Certification all of the above none of the above
mobile switching center
Which of the following holds a tremendous amount of forensic evidence? base station base station controller mobile switching center all of the above
10011100
Which of the following is equivalent to 0x9C 10101100 1001-1010 10011100 none of the above
all of the above
Which of the following is equivalent to eight bits and represents one byte? 10101010 0x4A 0101-1100 A all of the above none of the above
dependent
Which of the following is not a type of proficiency test? open, blind dependent blind, internal external
oral
Which of the following is not a type of quality assurance proficiency tests? oral external internal blind
administrative matters
Which of the following is the "best" choice when digital evidence can also be valuable for incidents other than litigation and matters of national security. administrative matters digital forensics criminal investigations intelligence
digital forensics
Which of the following is the application of computer science and investigative procedures? administrative matters digital forensics criminal investigations forensic science
forensic science
Which of the following is the application of science to solve a legal problem? administrative matters digital forensics criminal investigations forensic science
hibernation
Which of the following is where we start to see some potential investigative benefit? sleep hibernation sleep and hibernation none of the above
chain of custody
Which of the following meets a series of strict legal requirements before evidence is presented in court. chain of logs chain of custody notes all of the above
mobile switching centers
Which of the following network components will handle SMS messages? routers and switches base stations and base stations controllers mobile switching centers all of the above
registry
Which of the following plays a crucial role in the operation of a PC? sleep hibernation sleep and registry registry
firewall
Which of the following programs is located at a network gateway server to protect network resources? Snort DDoS firewall IDS
all of the above
Which of the following represents F? 00001111 1111 0000-1111 all of the above none of the above
EMF
Which of the following represents an image of a document to be printed? SHA-1 MD5 EMF ROM
analysis
Which of the following steps involves the examiner's use of their skills, experience, and tools to locate and interpret artifacts found on the media? imaging/hashing chain of custody search authority analysis
internal
Which of the following tests is conducted by the agency itself? output input external internal
flash memory
Which of the following without a charge will read a zero? magnetic disks and flash memory magnetic disks flash memory optical storage all of the above none of the above
glossary
Which of the following, in the examiner's report, can help the intended audience wade through any unfamiliar jargon and acronyms? forms notes glossary all of the above
modified
Which of the listed date/time stamps are set when a file is altered in any way and then saved? created modified accessed none of the above
created
Which of the listed date/time stamps frequently indicates when a file or folder was created on a particular piece of media? created modified accessed none of the above
accessed
Which of the listed date/time stamps is updated whenever a file is accessed by the file system? created modified accessed none of the above
optical storage
Which of the storage items/terms below involves spaces or lands? magnetic disks and flash memory magnetic disks flash memory optical storage all of the above none of the above
restore points
Which of the following are snapshots of key system settings and configurations at a specific moment in time? registry files link files prefetch files restore points all of the above none of the above
False
A company's Intranet is public, and access to it is not limited True False
False
A file type can always be identified by the file extension. True False
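The reason the statement above is false is that the extension is just part of the file name, while the file type is declared by its first bytes (the "magic number" or file signature). The following is an added example, not code from the page or its textbook, that serves both this question and the earlier hex/binary/ASCII ones (0x9C as 10011100, a byte as two nibbles, 'A' as one ASCII byte): it reads the first 16 bytes of each file, prints them hex-editor style with the ASCII column, compares the signature with the extension, and flags a JPEG that was renamed to .pdf. The signature table is a constructed subset of well-known magic numbers, and the three sample files are constructed in a temporary directory.

```python
import os
import tempfile

# Constructed signature table: a handful of well-known magic numbers (real
# tools such as `file` or a forensic suite carry thousands of entries).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
]

# Extensions that legitimately carry one of the signature types above.
EXTENSION_TYPES = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
                   "pdf": "pdf", "zip": "zip", "docx": "zip", "exe": "exe", "dll": "exe"}


def identify_by_signature(head):
    """Type implied by the leading bytes, or None when no known magic matches."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def byte_views(value):
    """One byte as two hex digits, eight bits, its two nibbles and its ASCII character (or '.')."""
    bits = format(value, "08b")
    return {"hex": format(value, "02X"), "bits": bits, "nibbles": (bits[:4], bits[4:]),
            "ascii": chr(value) if 32 <= value < 127 else "."}


def hexdump_line(data, offset=0):
    """One hex-editor style line: offset, up to 16 hex bytes, then the ASCII column."""
    hexpart = " ".join(format(b, "02X") for b in data)
    asciipart = "".join(byte_views(b)["ascii"] for b in data)
    return f"{offset:08X}  {hexpart:<47}  {asciipart}"


def check_file(path):
    """Compare what the extension claims with what the header bytes say."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    kind = identify_by_signature(head)
    mismatch = kind is not None and EXTENSION_TYPES.get(ext) != kind
    return {"extension": ext, "signature": kind, "mismatch": mismatch,
            "header": hexdump_line(head)}


def demo():
    """Constructed files: a JPEG header saved as .pdf, a genuine .png header, a plain text file."""
    samples = {
        "invoice.pdf": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01",
        "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
        "notes.txt": b"meeting at 9\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[name] = check_file(path)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A plain text file has no magic number, so the check reports no signature rather than a mismatch; only a file whose header is recognised and contradicts its extension is flagged, which keeps the false positives down when this is run over a whole image.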
False
A physical or logical acquisition captures all of the data on a cell phone
chain of custody
A well documented ________ is essential to maintain the integrity of the evidence. imaging/hashing chain of custody search authority none of the above