Quiz 1-4

RAID

"For labs using high-end ____ servers or a private cloud (such as Dell PowerEdge or Digital Intelligence FREDC), you must consider methods for restoring large data sets. ISDN RAID TEMPEST WAN"

business

"Generally, digital records are considered admissible if they qualify as a ____ record. computer-generated computer-stored hearsay business"

3

"IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer forensics. 2 3 4 5"

live

"If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available. local passive static live"

sparse

"If your time is limited, consider using a logical acquisition or ____ acquisition data copy method. disk-to-image lossless sparse disk-to-disk"

50

"Image files can be reduced by as much as ____% of the original when using lossless compression. 15 25 30 50"

RAID 0

"In ____ , two or more disk drives become one large volume, so the computer views the disks as a single disk. RAID 6 RAID 5 RAID 1 RAID 0"

criminal

"In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation. fourth amendment civil criminal corporate"

affidavit

"In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____. blotter affidavit litigation report exhibit report"

configuration management

"In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery. risk assessment recovery logging configuration management change management"

authorized requester

"In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations. authorized requester authority of line line of right authority of right"

prosecution

"In general, a criminal case follows three stages: the complaint, the investigation, and the ____. prosecution allegation blotter litigation"

CTIN

"In the Pacific Northwest, ____ meets to discuss problems that digital forensics examiners encounter. FTK FLETC CTIN IACIS"

business case

"In the ____, you justify acquiring newer and better resources to investigate digital forensics cases. business case risk evaluation configuration plan upgrade policy"

much easier than

"Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes. as difficult as as easy as much easier than more difficult than"

exhibits

"It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant. prosecution reports exhibits litigation"

quarterly

"Lab costs can be broken down into monthly, ____, and annual expenses. daily weekly bimonthly quarterly"

warrant

"Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab. evidence custody form warrant affidavit FOIA form"

Linux Live CDs

"Linux ISO images that can be burned to a CD or DVD are referred to as ____. Linux in a Box Linux Live CDs Forensic Linux ISO CDs"

whole disk encryption

"Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult. backup utilities NTFS recovery wizards whole disk encryption"

misuse of digital assets

"Most digital investigations in the private sector involve ____. misuse of digital assets VPN abuse Internet abuse e-mail abuse"

hearsay

"Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____. conclusive hearsay regular direct"

live

"Most remote acquisitions have to be done as ____ acquisitions. live hot sparse static"

DriveSpace

"Older Microsoft disk compression tools, such as DoubleSpace or ____, eliminate only slack disk space between files. DriveSpace PKZip WinZip WinRAR"

proprietary

"One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools. raw AFD proprietary AFF"

sparse acquisition

"One technique for extracting evidence from large systems is called ____. large evidence file recovery RAID imaging sparse acquisition RAID copy"

forums and blogs

"One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search. uniform reports forums and blogs AICIS lists Minix"

line of authority

"Published company policies provide a(n) ____ for a business to conduct internal investigations allegation resource line of authority line of allegation litigation path"

sniffing

"Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server blocking preventing poisoning sniffing"

1/2

"The EMR from a computer monitor can be picked up as far away as ____ mile. 1/4 1/2 3/4 1"

Computer Analysis and Response Team (CART)

"The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence. Computer Analysis and Response Team (CART) Department of Defense Computer Forensics Laboratory (DCFL) DIBS Federal Rules of Evidence (FRE)"

1960s

"The FOIA was originally enacted in the ____. 1940s 1950s 1960s 1970s"

dd

"The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions. dd man raw fdisk"

man

"The ____ command displays pages from the online help manual for information on Linux commands and their options. man cmd inst hlp"

dcfldd

"The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions. dcfldd raw man bitcopy"

digital investigations

"The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime. digital investigations network intrusion detection litigation incident response"

notarized

"The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true. challenged examined notarized recorded"

digital forensics lab

"A ____ is where you conduct your investigations, store evidence, and do most of your work. storage room forensic workstation workbench digital forensics lab"

disaster recovery

"A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing security configuration management risk management disaster recovery"

warning banner

"A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. line of authority right banner warning banner right of privacy"

steel

"A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock. expanded metal steel wood gypsum"

end user

"A(n) ____ is a person using a computer to perform routine tasks other than systems administration. end user complainant investigator user banner"

extensive-response field kit

"A(n) ____ should include all the tools you can afford to take to the field. initial-response field kit extensive-response field kit forensic lab forensic workstation"

professional curiosity

"Evidence is commonly lost or corrupted through ____, which involves the presence of police officers and other professionals who aren't part of the crime scene-processing team. onlookers FOIA laws professional curiosity HAZMAT teams"

once

"Floors and carpets in your computer forensic lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity. once twice three times four times"

1

"For Windows XP, 2000, and NT servers and workstations, RAID 0 or ____ is available 5 2 4 1"

MD5

"Autopsy uses ____ to validate an image. AFD AFF MD5 RC4"

allegation

"Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed. litigation blotter allegation prosecution"

IACIS

"By the early 1990s, the ____ introduced training on software for forensics investigations. FLETC CERT DDBIA IACIS"

Event log

"Certain files, such as the ____ and Security log in Windows, might lose essential network activity records if power is terminated without a proper shutdown. Word log Event log Io.sys Password log"

36

"Computing components are designed to last 18 to ____ months in normal business operations. 24 30 36 42"

commingled

"Confidential business data included with the criminal evidence are referred to as ____ data. revealed public exposed commingled"

silver-platter

"Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer. silver-tree silver-platter gold-tree gold-platter"

physical

"Courts consider evidence data in a computer as ____ evidence. logical invalid virtual physical"

sha1sum

"Current distributions of Linux include two hashing algorithm utilities: md5sum and ____. hashsum sha1sum shasum rcsum"

Windows

"During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system. MacOS Android Linux Windows"

TEMPEST

"During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____. TEMPEST EMR NISPOM RAID"

safety

"Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime safety legal physical corporate"

reasonable suspicion

"Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a ____ that a law or policy is being violated. reasonable suspicion court order stating proof confirmed suspicion"

Disk-to-image file copy

"The most common and flexible data-acquisition method is ____. Sparse data copy Disk-to-disk copy Disk-to-image file copy Disk-to-network copy"

secure facility

"To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe. secure workbench protected PC secure workstation secure facility"

static

"Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example. online live real-time static"

Certified Computer Forensic Technician, Basic

"What HTCN certification level requires candidates have three years of experience in computing investigations for law enforcement or corporate cases? Certified Computer Crime Investigator, Basic Level Certified Computer Forensic Technician, Basic Certified Computer Crime Investigator, Advanced Level Certified Computer Forensic Technician, Advanced"

80

"When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to avoid damage to the drive from overheating 80 90 95 105"

U.S. DOJ

"When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data. U.S. DOJ U.S. DoD Homeland Security Department Patriot Act"

NTFS

"Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System. ext2 FAT24 ext3 NTFS"

initial-response field kit

"With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible seizing order bit-stream copy utility extensive-response field kit initial-response field kit"

right of privacy

"Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses. line of privacy line of right right of privacy line of authority"

off-site

"You should have at least one copy of your backups on site and a duplicate or a previous copy of your backups stored in a safe ____ facility. in-site storage online off-site"

hash

"You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512. hash checksum hashlog md5sum"

professional conduct

"Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility. oath line of authority professional policy professional conduct"

Uniform crime reports

"____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed. IDE reports Uniform crime reports ASCLD reports HTCN reports"

Risk management

"____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment. Risk management Change management Configuration management Risk configuration"

Data recovery

"____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example Data recovery Computer forensics Network forensics Disaster recovery"

Probable cause

"____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest. Probable cause A warrant A subpoena Reasonable cause"

Forensics investigators

"____ often work as part of a team to secure an organization's computers and networks. Data recovery engineers Computer analysts Forensics investigators Network monitors"

Computer-generated

"____ records are data the system maintains, such as system log files and proxy server logs. Hearsay Computer-stored Computer-generated Business"

IACIS

"____ was created by police officers who wanted to formalize credentials in digital investigations. NISPOM HTCN IACIS TEMPEST"

RAID 10

"____, or mirrored striping, is a combination of RAID 1 and RAID 0. RAID 6 RAID 0 RAID 5 RAID 10"

