Quiz 1-4

Q: For Windows XP, 2000, and NT servers and workstations, RAID 0 or ____ is available.
Choices: 5; 2; 4; 1
A: 1

Q: The FOIA was originally enacted in the ____.
Choices: 1940s; 1950s; 1960s; 1970s
A: 1960s

Q: Older Microsoft disk compression tools, such as DoubleSpace or ____, eliminate only slack disk space between files.
Choices: DriveSpace; PKZip; WinZip; WinRAR
A: DriveSpace

Q: You should have at least one copy of your backups on site and a duplicate or a previous copy of your backups stored in a safe ____ facility.
Choices: in-site; storage; online; off-site
A: off-site

Q: Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
Choices: online; live; real-time; static
A: static

Q: A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.
Choices: expanded metal; steel; wood; gypsum
A: steel

Q: The most common and flexible data-acquisition method is ____.
Choices: Sparse data copy; Disk-to-disk copy; Disk-to-image file copy; Disk-to-network copy
A: Disk-to-image file copy

Q: Autopsy uses ____ to validate an image.
Choices: AFD; AFF; MD5; RC4
A: MD5

Q: In the Pacific Northwest, ____ meets to discuss problems that digital forensics examiners encounter.
Choices: FTK; FLETC; CTIN; IACIS
A: CTIN

Q: The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence.
Choices: Computer Analysis and Response Team (CART); Department of Defense Computer Forensics Laboratory (DCFL); DIBS; Federal Rules of Evidence (FRE)
A: Computer Analysis and Response Team (CART)

Q: ____ records are data the system maintains, such as system log files and proxy server logs.
Choices: Hearsay; Computer-stored; Computer-generated; Business
A: Computer-generated

Q: Linux ISO images that can be burned to a CD or DVD are referred to as ____.
Choices: Linux in a Box; Linux Live CDs; Forensic Linux ISO CDs
A: Linux Live CDs

Q: In the ____, you justify acquiring newer and better resources to investigate digital forensics cases.
Choices: business case; risk evaluation; configuration plan; upgrade policy
A: business case

Q: Confidential business data included with the criminal evidence are referred to as ____ data.
Choices: revealed; public; exposed; commingled
A: commingled

Q: To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.
Choices: secure workbench; protected PC; secure workstation; secure facility
A: secure facility

Q: Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.
Choices: hashsum; sha1sum; shasum; rcsum
A: sha1sum

Q: Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer.
Choices: silver-tree; silver-platter; gold-tree; gold-platter
A: silver-platter

Q: Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server.
Choices: blocking; preventing; poisoning; sniffing
A: sniffing

Q: The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.
Choices: digital investigations; network intrusion detection; litigation; incident response
A: digital investigations

Q: In general, a criminal case follows three stages: the complaint, the investigation, and the ____.
Choices: prosecution; allegation; blotter; litigation
A: prosecution

Q: IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer forensics.
Choices: 2; 3; 4; 5
A: 3

Q: Computing components are designed to last 18 to ____ months in normal business operations.
Choices: 24; 30; 36; 42
A: 36

Q: The EMR from a computer monitor can be picked up as far away as ____ mile.
Choices: 1/4; 1/2; 3/4; 1
A: 1/2

Q: Image files can be reduced by as much as ____% of the original when using lossless compression.
Choices: 15; 25; 30; 50
A: 50

Q: When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to avoid damage to the drive from overheating.
Choices: 80; 90; 95; 105
A: 80

Q: What HTCN certification level requires that candidates have three years of experience in computing investigations for law enforcement or corporate cases?
Choices: Certified Computer Crime Investigator, Basic Level; Certified Computer Forensic Technician, Basic; Certified Computer Crime Investigator, Advanced Level; Certified Computer Forensic Technician, Advanced
A: Certified Computer Forensic Technician, Basic

Q: ____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
Choices: Data recovery; Computer forensics; Network forensics; Disaster recovery
A: Data recovery

Q: Certain files, such as the ____ and Security log in Windows, might lose essential network activity records if power is terminated without a proper shutdown.
Choices: Word log; Event log; Io.sys; Password log
A: Event log

Q: ____ often work as part of a team to secure an organization's computers and networks.
Choices: Data recovery engineers; Computer analysts; Forensics investigators; Network monitors
A: Forensics investigators

Q: ____ was created by police officers who wanted to formalize credentials in digital investigations.
Choices: NISPOM; HTCN; IACIS; TEMPEST
A: IACIS

Q: ____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.
Choices: Probable cause; A warrant; A subpoena; Reasonable cause
A: Probable cause
Q: For labs using high-end ____ servers or a private cloud (such as Dell PowerEdge or Digital Intelligence FREDC), you must consider methods for restoring large data sets.
Choices: ISDN; RAID; TEMPEST; WAN
A: RAID
Q: In ____, two or more disk drives become one large volume, so the computer views the disks as a single disk.
Choices: RAID 6; RAID 5; RAID 1; RAID 0
A: RAID 0

Q: ____, or mirrored striping, is a combination of RAID 1 and RAID 0.
Choices: RAID 6; RAID 0; RAID 5; RAID 10
A: RAID 10

Q: ____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.
Choices: Risk management; Change management; Configuration management; Risk configuration
A: Risk management

Q: During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____.
Choices: TEMPEST; EMR; NISPOM; RAID
A: TEMPEST

Q: When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data.
Choices: U.S. DOJ; U.S. DoD; Homeland Security Department; Patriot Act
A: U.S. DOJ

Q: ____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
Choices: IDE reports; Uniform crime reports; ASCLD reports; HTCN reports
A: Uniform crime reports

Q: During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system.
Choices: MacOS; Android; Linux; Windows
A: Windows

Q: In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.
Choices: blotter; affidavit; litigation report; exhibit report
A: affidavit

Q: Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
Choices: litigation; blotter; allegation; prosecution
A: allegation

Q: In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations.
Choices: authorized requester; authority of line; line of right; authority of right
A: authorized requester

Q: In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery.
Choices: risk assessment; recovery logging; configuration management; change management
A: configuration management

Q: In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation.
Choices: fourth amendment; civil; criminal; corporate
A: criminal
Q: The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions.
Choices: dcfldd; raw; man; bitcopy
A: dcfldd
Q: The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
Choices: dd; man; raw; fdisk
A: dd

Q: A ____ is where you conduct your investigations, store evidence, and do most of your work.
Choices: storage room; forensic workstation; workbench; digital forensics lab
A: digital forensics lab

Q: A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.
Choices: security; configuration management; risk management; disaster recovery
A: disaster recovery

Q: A(n) ____ is a person using a computer to perform routine tasks other than systems administration.
Choices: end user; complainant; investigator; user banner
A: end user

Q: It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.
Choices: prosecution; reports; exhibits; litigation
A: exhibits

Q: A(n) ____ should include all the tools you can afford to take to the field.
Choices: initial-response field kit; extensive-response field kit; forensic lab; forensic workstation
A: extensive-response field kit

Q: One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search.
Choices: uniform reports; forums and blogs; AICIS lists; Minix
A: forums and blogs

Q: You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512.
Choices: hash; checksum; hashlog; md5sum
A: hash

Q: Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____.
Choices: conclusive; hearsay; regular; direct
A: hearsay

Q: With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
Choices: seizing order; bit-stream copy utility; extensive-response field kit; initial-response field kit
A: initial-response field kit

Q: Published company policies provide a(n) ____ for a business to conduct internal investigations.
Choices: allegation resource; line of authority; line of allegation; litigation path
A: line of authority

Q: If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.
Choices: local; passive; static; live
A: live

Q: Most remote acquisitions have to be done as ____ acquisitions.
Choices: live; hot; sparse; static
A: live

Q: The ____ command displays pages from the online help manual for information on Linux commands and their options.
Choices: man; cmd; inst; hlp
A: man

Q: Most digital investigations in the private sector involve ____.
Choices: misuse of digital assets; VPN abuse; Internet abuse; e-mail abuse
A: misuse of digital assets

Q: Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes.
Choices: as difficult as; as easy as; much easier than; more difficult than
A: much easier than

Q: The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.
Choices: challenged; examined; notarized; recorded
A: notarized

Q: Floors and carpets in your computer forensic lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.
Choices: once; twice; three times; four times
A: once

Q: Courts consider evidence data in a computer as ____ evidence.
Choices: logical; invalid; virtual; physical
A: physical

Q: Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility.
Choices: oath; line of authority; professional policy; professional conduct
A: professional conduct

Q: Evidence is commonly lost or corrupted through ____, which involves the presence of police officers and other professionals who aren't part of the crime scene-processing team.
Choices: onlookers; FOIA laws; professional curiosity; HAZMAT teams
A: professional curiosity

Q: One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
Choices: raw; AFD; proprietary; AFF
A: proprietary

Q: Lab costs can be broken down into monthly, ____, and annual expenses.
Choices: daily; weekly; bimonthly; quarterly
A: quarterly

Q: Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a ____ that a law or policy is being violated.
Choices: reasonable suspicion; court order; stating proof; confirmed suspicion
A: reasonable suspicion

Q: Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses.
Choices: line of privacy; line of right; right of privacy; line of authority
A: right of privacy

Q: Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.
Choices: safety; legal; physical; corporate
A: safety

Q: If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.
Choices: disk-to-image; lossless; sparse; disk-to-disk
A: sparse

Q: One technique for extracting evidence from large systems is called ____.
Choices: large evidence file recovery; RAID imaging; sparse acquisition; RAID copy
A: sparse acquisition

Q: A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
Choices: line of authority; right banner; warning banner; right of privacy
A: warning banner

Q: Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.
Choices: evidence custody form; warrant; affidavit; FOIA form
A: warrant

Q: Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.
Choices: backup utilities; NTFS; recovery wizards; whole disk encryption
A: whole disk encryption

Q: By the early 1990s, the ____ introduced training on software for forensics investigations.
Choices: FLETC; CERT; DDBIA; IACIS
A: IACIS

Q: Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System.
Choices: ext2; FAT24; ext3; NTFS
A: NTFS

Q: Generally, digital records are considered admissible if they qualify as a ____ record.
Choices: computer-generated; computer-stored; hearsay; business
A: business