4611 Final Review
In a prefetch file, the application's last access date and time are at offset ________.
0x80
In a prefetch file, the application's last access date and time are at offset ____.
0x90
In order to qualify for the Certified Computer Crime Investigator, Basic Level certification, candidates must provide documentation of at least _______ cases in which they participated.
10
In what year was the Computer Fraud and Abuse Act passed?
1986
In order to qualify for the Certified Computer Forensic Technician, Basic Level certification, how many hours of computer forensics training are required?
40
A typical disk drive stores how many bytes in a single sector?
512
What percentage of consumers utilize Intel and AMD PCs?
90
NTDetect.com
A 16-bit program that identifies hardware components during startup and sends the information to Ntldr.
Resilient File System
A new file system developed for Windows Server 2012. It allows increased stability for disk storage and improved features for data recovery and error checking.
Encrypting File System (EFS)
A public/private key encryption first used in Windows 2000 on NTFS-formatted disks. The file is encrypted with a symmetric key, and then a public/private key is used to encrypt the symmetric key.
Which of the following is not a valid source for cloud forensics training?
A+ Security
Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data?
RAID 5
Which option below is not a hashing function used for validation checks?
RC4
RAID 6
Redundant parity on each disk
What registry file contains user account management and security settings?
SAM.dat
What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing?
Salesforce
What cloud application offers a variety of cloud services, including automation and CRM, cloud transactions.
Salesforce
Failing to preserve evidence.
Spoliation
T/F Most digital investigations in the private sector involve misuse of computing assets.
T
T/F A disaster recovery plan ensures that workstations and file servers can be restored to their original condition in the event of a catastrophe.
T
T/F If you turn evidence over to law enforcement and begin working under their direction, you have become an agent of law enforcement, and are subject to the same restrictions on search and seizure as a law enforcement agent.
T
T/F Linux Live CDs and WinFE disks do not automatically mount hard drives, but can be used to view file systems.
T
T/F User groups for a specific type of system can be very useful in a forensics investigation.
T
T/F The recording of all updates made to a workstation or machine is referred to as configuration management.
T
Which is not a valid method of deployment for a cloud?
Targeted
dd
The Linux command _____ can be used to write bit-stream data to files.
fdisk -l
The Linux command _______ can be used to list the current disk devices connected to the computer.
dcfldd
The _______ command was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory.
intrusion detection system
The _______ copies evidence of intrusions to an investigation workstation automatically for further analysis over the network.
-b
The _______ switch can be used with the split command to adjust the size of segmented volumes created by the dd command.
CH 10 Quiz What file type below, associated with VMware, stores VM paging files that are used as RAM for a virtual machine? a. .nvram b. .vmen c. .vmpage d. .vmx
b. .vmen
CH 13 Quiz At what offset is a prefetch file's create date & time located? a. 0x88 b. 0x80 c. 0x98 d. 0x90
b. 0x80
A ____________ image file containing software is intended to be bit-stream copied to floppy disks or other external media. a. fdisk b. format c. dd d. DiskEdit
c
A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to secure the information contained inside. a. compiler b. shifter c. macro d. script
c
A ______________ is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities.
court order
R-Tools R-Studio
creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID
What term below describes a column of tracks on two or more disk platters?
cylinder
??? does not recover data in free or slack space. a. raw format acquisition b. live acquisition c. static acquisition d. sparse acquisition
d
??? is a common cause for lost or corrupted evidence. a. public access b. not having enough people on the processing team c. having an undefined security perimeter d. professional curiosity
d
What command below could be used on a UNIX system to help locate log directories? a. show log b. detail c. search d. find
d
What type of Facebook profile is usually only given to law enforcement with a warrant? a. private profile b. advanced profile c. basic profile d. Neoprint profile
d
Which of the following file systems can't be analyzed by OSForensics? a. FAT12 b. Ext2fs c. HFS+ d. XFS
d
CH 16 Quiz The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients. a. HTCIA b. IACIS c. ISFCE d. ABA
d. ABA
CH 16 Quiz ____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities. a. AMA's law b. ABA's model rule c. ABA's model codes d. APA's ethics code
d. APA's ethics code
CH 11 Review Logging options on many email servers can be: a. Disabled by the administrator b. Set up in a circular logging configuration c. Configured to a specified size before being overwritten d. All of the above
d. All of the above
CH 12 Quiz The _______________ component is made up of radio transceiver equipment that defines cells and communicates with mobile phones; sometimes referred to as a "cell phone tower". a. Base station controller (BSC) b. Mobile switching center (MSC) c. Base transceiver controller (BTC) d. Base transceiver station (BTS)
d. Base transceiver station (BTS)
CH 13 Quiz Select the folder below that is most likely to contain Dropbox files for a specific user: a. C:/User/username/AppData/Dropbox b. C:/Dropbos c. C:/Users/Dropbox d. C:/Users/username/Dropbox
d. C:/Users/username/Dropbox
CH 12 Quiz What digital network technology is a digital version of the original analog standard for cell phones? a. GSM b. CDMA c. iDEN d. D-AMPS
d. D-AMPS
CH 13 Review What are the two states of encrypted data in a secure cloud? a. RC4 and RC5 b. CRC-32 and UTF-16 c. Homomorphic and AES d. Data in motion and data at rest
d. Data in motion and data at rest
The ____ Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system.
filecache.dbx
The _____________ Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system.
filecache.dbx
In order to qualify for the Advanced Certified Computer Forensic Technician certification, a candidate must have _______ years of hands-on experience in computer forensics investigations.
five
What term is used to describe a disk's logical structure of platters, tracks, and sectors?
geometry
The ______________ is the device that reads and writes data to a drive.
head
The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System.
hive
The _______ copies evidence of intrusions to an investigation workstation automatically for further analysis over the network.
intrusion detection system
IDE
is not a hot-swappable technology
PDServer
is the utility used by the ProDiscover program for remote access
Addresses that allow the MFT to link to nonresident files are known as _______________.
logical cluster numbers
A ____ is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed through the application's Web interface.
management plane
A ______________ is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly: it's accessed through the application's Web interface.
management plane
To create a new primary partition within the fdisk interactive utility, which letter should be typed?
n
Within the fdisk interactive menu, what character should be entered to view existing partitions?
p
One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is essential for presenting evidence in court. t/f
true
State public disclosure laws apply to state records, but FOIA allows citizens to request copies of public documents created by federal agencies. t/f
true
The DomainKeys Identified Mail service is a way to verify the names of domains a message is flowing through and was developed as a way to cut down on spam T/F
true
The Pagefile.sys file on a computer can contain message fragments from instant messaging applications T/F
true
The advantage of recording hash values is that you can determine whether data has changed. t/f
true
To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant. t/f
true
Hardware and software errors or incompatibilities are a common problem when dealing with older hard drives.
True
Homomorphic encryption uses an "ideal lattice" mathematical formula to encrypt data.
True
In 1999, Salesforce.com developed a customer relationship management (CRM) Web service that applied digital marketing research to business subscribers so that they could do their own market analysis; this service eventually led the way to the cloud.
True
In the United States, the Electronic Communications Privacy Act (ECPA) describes five mechanisms the government can use to get electronic information from a provider.
True
Specially trained system and network administrators are often a CSP's first responders.
True
The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET).
True
The platform as a service cloud service is most likely found on a desktop or a server, although it could also be found on a company network or the remote service provider's infrastructure.
True
??? would not be found in an initial-response field kit. a. computer evidence bags (antistatic bags) b. leather gloves and disposable gloves c. a digital camera with extra batteries or 35mm camera with film and flash d. external USB devices or a portable hard drive
b
E-mail administrators may make use of ???, which overwrites a log file when it reaches a specified size or at the end of a specified time frame. a. log recycling b. circular logging c. log purging d. log cycling
b
In cases that involve dangerous settings, what kind of team should be used to recover evidence from the scene? a. B-Team b. HAZMAT c. CDC First Responders d. SWAT
b
In what state is sending unsolicited email illegal? a. Florida b. Washington c. Maine d. New York
b
Many commercial encryption programs use a technology called _____________, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure. a. key vault b. key escrow c. bump key d. master key
b
At what offset is a prefetch file's create date & time located?
0x80
What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume?
$LogFile
What hexadecimal code below identifies an NTFS file system in the partition table?
07
A Master Boot Record (MBR) partition table marks the first partition starting at what offset?
0x1BE
Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files?
Advanced Forensic Format
_______ describes an accusation of fact that a crime has been committed.
Allegation
Why are alternate data streams of particular interest when examining NTFS disks?
Alternate data streams are ways data can be appended to existing files. When you're examining a disk, be aware that alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.
/dev/sda
An investigator wants to capture all data on a SATA drive connected to a Linux system. What should the investigator use for the "if=" portion of the dcfldd command?
The ReFS storage engine uses a __________ sort method for fast access to large data sets.
B+-tree
What is the name of the Microsoft solution for whole disk encryption?
BitLocker
The _______________ executable is the Windows Boot Manager program, which controls boot flow and allows booting multiple OSs.
Bootmgr.exe
Where is the snapshot database created by Google Drive located in Windows?
C:\Users\<username>\AppData\Local\Google\Drive
Select the folder below that is most likely to contain Dropbox files for a specific user:
C:\Users\Username\Dropbox
Where is the snapshot database created by Google Drive located in Windows?
C:\Users\username\AppData\Local\Google\Drive\user_default
Select the folder below that is most likely to contain Dropbox files for a specific user:
C:\Users\username\Dropbox
The ____ is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy agreements, security measures, questionnaires, and more.
Cloud Security Alliance
The ___________ is an organization that has developed resource documentation for CSPs and their staff.
Cloud Security Alliance
Also called "master service agreements."
Cloud service agreements (CSAs)
Use a variety of approaches and systems to build their cloud systems, such as servers using distributive processing methods with data farms for storage.
Cloud service providers (CSPs)
A way to bring people together for a specific purpose, for example, to access common files.
Community cloud
RAID 4
Data is written in blocks
RAID 2
Data is written to disk on a bit level
Which tool below is not recommended for use in a forensics lab?
Degausser
Poses a serious legal challenge in cloud forensics.
Deprovisioning
RAID 1
Designed for data recovery
___________ are made up of one or more platters coated with magnetic material, and data is stored in a particular way.
Disk drives
How often should hardware be replaced within a forensics lab?
Every 12 to 18 months
_______ must be included in an affidavit to support an allegation in order to justify a warrant.
Exhibits
T/F All suspected industrial espionage cases should be treated as civil case investigations.
F
T/F The shielding of sensitive computing systems and prevention of electronic eavesdropping of any computer emissions is known as FAUST by the U.S. Department of Defense.
F
T/F Because they are outdated, ribbon cables should not be considered for use within a forensics lab.
F
T/F According to the National Institute of Standards and Technology (NIST), digital forensics involves scientifically examining and analyzing data from computer storage media so that it can be used as evidence in court.
F
Which file system below is utilized by the Xbox gaming system?
FATX
The ____ tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack.
FROST
The ________ tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack.
FROST
A search warrant can be used in any kind of case, either civil or criminal.
False
CH 10 Quiz Forensics tools can't directly mount VMs as external drives T/F
False
CH 10 Quiz The Sysinternals Handle utility shows only file system activity, but does not show what processes are using files on the file system T/F
False
CH 10 Quiz Type 2 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage T/F
False
CH 11 Quiz An Internet e-mail is generally part of a local network, and is maintained and managed by an administrator for internal use by a specific company T/F
False
CH 11 Quiz Committing crimes with e-mail is uncommon, and investigators are not generally tasked with linking suspects to e-mail T/F
False
CH 11 Quiz In an e-mail address, everything before the @ symbol represents the domain name T/F
False
CH 11 Review To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations. True/False
False
CH 12 Review When acquiring a mobile device at an investigation scene, you should leave it connected to a PC so that you can observe synchronization as it takes place. True/False
False
CH 13 Quiz A search warrant can be used in any kind of case, either civil or criminal T/F
False
CH 13 Quiz The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect. T/F
False
CH 13 Review Any text editor can be used to read Dropbox files. True/False
False
CH 13 Review Commingled data isn't a concern when acquiring cloud data. True/False
False
CH 16 Review All expert witnesses must be members of associations that license them. True or False?
False
CH 16 Review Codes of professional conduct or responsibility set the highest standards for professionals' expected performance. True or False?
False
CH 16 Review Ethical obligations are duties that you owe only to others. True or False?
False
Magnet AXIOM Cloud can retrieve information from Skype, Instagram, Twitter, iCloud, but not from Facebook Messenger.
False
Remote acquisitions are often easier because you're usually dealing with large volumes of data.
False
The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect.
False
A cloud service that's available to the general public.
Public cloud
Enables a company to keep some information private and designate other files as public or community information.
Hybrid cloud
Customers can rent hardware, such as servers and workstations, and install whatever OSs and applications they need.
Infrastructure as a service (IaaS)
_______ is a specialized viewer software program.
IrfanView
Metadata in a prefetch file contains an application's ____ times in UTC format and a counter of how many times the application has run since the prefetch file was created.
MAC
Metadata in a prefetch file contains an application's ___________ times in UTC format and a counter of how many times the application has run since the prefetch file was created.
MAC
With the release of Windows Server 2012, Microsoft created a new file system: Resilient File System (ReFS). State the features that are incorporated into ReFS's design.
Maximized data availability; improved data integrity; designed for scalability.
Which operating system listed below is not a distribution of the Linux OS?
Minix
Many different unrelated businesses and users share the same applications and storage space.
Multitenancy
_______ describes the characteristics of a safe storage container.
NISPOM
Microsoft created SkyDrive as a cloud service that later became?
OneDrive
Can only be accessed by people who have the necessary credentials.
Private cloud
File Allocation Table (FAT)
The original Microsoft file structure database. It's written to the outermost track of a disk and contains information about each file stored on the drive. PCs use this to organize files on a disk so that the OS can find the files it needs.
What is a partition gap, and how might it be used to hide data?
The unused space between partitions is called a partition gap. Someone who wants to hide data on a hard disk can create these hidden partitions or voids. Data can then be hidden on the partition gaps that are between primary or logical partitions.
n
To create a new primary partition within the fdisk interactive utility, which letter should be typed?
A forensics investigator should verify that acquisition tools can copy data in the HPA of a disk drive.
True
CH 10 Quiz The capability of type 1 hypervisors is limited only by the amount of available RAM, storage, and throughput T/F
True
CH 10 Quiz The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network attackers T/F
True
CH 10 Review A forensic image of a VM includes all snapshots. True/False
True
CH 10 Review Tcpslice can be used to retrieve specific timeframes of packet captures. True/False?
True
CH 11 Quiz The DomainKeys Identified Mail service is a way to verify the names of domains a message is flowing through and was developed as a way to cut down on spam T/F
True
CH 11 Quiz The Pagefile.sys file on a computer can contain message fragments from instant messaging applications T/F
True
CH 11 Review All email headers contain the same types of information. True/False
True
CH 11 Review Internet e-mail accessed with a Web browser leaves files in temporary folders. True/False
True
CH 11 Review You can view e-mail headers in Notepad with all popular e-mail clients. True/False
True
CH 12 Review SIM card readers can alter evidence by showing that a message has been read when you view it. True/False
True
CH 12 Review Typically, you need a search warrant to retrieve information from a service provider. True/False
True
CH 12 Review When investigating social media content, evidence artifacts can vary, depending on the social media channel and the device. True/False
True
CH 13 Quiz In the United States, the Electronic Communications Privacy Act (ECPA) describes 5 mechanisms the government can use to get electronic information from a provider T/F
True
CH 13 Quiz Specially trained system and network administrators are often a CSP's first responders T/F
True
CH 13 Quiz The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET) T/F
True
CH 13 Review Amazon was an early provider of Web-based services that eventually developed into the cloud concept. True/False
True
CH 13 Review The multitenancy nature of cloud environments means conflicts in private laws can occur. True/False
True
CH 13 Review To see Google Drive synchronization files, you need a SQL viewer. True/False
True
CH 16 Review In the United States, no state or national licensing body specifically licenses computer forensics examiners. True or False?
True
The ImageUSB utility can be used to create a bootable flash drive.
True
What third-party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive?
TrueCrypt
Which of the following is not a valid configuration of Unicode?
UTF-64
Which option below is not a Linux Live CD meant for use as a digital forensics tool?
Ubuntu
What does the $Secure metadata file contain?
Unique security descriptors for the volume are listed in this file. It's where the access control list (ACL) is maintained for all files and folders on the NTFS volume.
RAID 3
Uses data striping and dedicated parity
Which of the following is NOT a service level for the cloud?
Virtualization as a service
BitLocker
What is the name of the Microsoft solution for whole disk encryption?
2 GB
When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files?
RAID 0
Which RAID type provides increased speed and data storage capability, but lacks redundancy?
RAID 5
Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data?
RAID 10
Which RAID type utilizes mirrored striping, providing fast access and redundancy?
Advanced Forensic Format
Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files?
Ubuntu
Which option below is not a Linux Live CD meant for use as a digital forensics tool?
RC4
Which option below is not a hashing function used for validation checks?
Which option below is not a standard systems analysis step?
p
Within the fdisk interactive menu, what character should be entered to view existing partitions?
What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds?
XenServer and XenCenter Windows Management Console
What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds?
XenServer and XenCenter Windows Management Console
One of the most noteworthy e-mail scams was 419, otherwise known as the ??? a. Nigerian Scam b. Lake Venture Scam c. Conficker virus d. Iloveyou Scam
a
The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient ??? a. probable cause b. due diligence c. accusations d. reliability
a
What does FRE stand for? a. federal rules of evidence b. federal regulations for evidence c. federal rights for everyone d. federal rules for equipment
a
What information is not typically included in an e-mail header? a. the sender's physical location b. the originating IP address c. the unique ID of the e-mail d. the originating domain
a
What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords? a. salted passwords b. scrambled passwords c. indexed passwords d. master passwords
a
When seizing digital evidence in criminal investigations, whose standards should be followed? a. U.S. DOJ b. ISO/IEC c. IEEE d. ITU
a
You must abide by the ??? while collecting evidence. a. fourth amendment b. federal rules of evidence c. state's rules of evidence d. fifth amendment
a
CH 11 Review In Microsoft Outlook, what are the email storage files typically found on a client computer? a. .pst and .ost b. res1.log and res2.log c. PU020102.db d. .evolution
a. .pst and .ost
CH 10 Review Which of the following file extensions are associated with a VMware virtual machine? a. .vmx, .log, and .nvram b. .vdi, .ova, and .r0 c. .vmx, .r0, and .xml-prev d. .vbox, .vdi, and .log
a. .vmx, .log, and .nvram
CH 10 Quiz The SANS Investigative Forensics Toolkit (SIFT) appliance can currently only be installed on what version of Ubuntu? a. 12.04 b. 13.11 c. 14.04 d. 14.11
a. 12.04
CH 16 Quiz Which of the following options would represent a valid retainer? a. 2 to 8 hours of your usual billable rate b. a verbal agreement c. complete discussion of an ongoing case d. dissemination of evidence
a. 2 to 8 hours of your usual billable rate
CH 16 Quiz FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful. a. 702 b. 703 c. 704 d. 705
a. 702
CH 12 Review The term TDMA refers to which of the following? (Choose all that apply) a. A technique of dividing a radio frequency so that multiple users share the same channel b. A proprietary protocol developed by Motorola c. A specific cellular network standard d. A technique of spreading the signal across many channels
a. A technique of dividing a radio frequency so that multiple users share the same channel c. A specific cellular network standard.
CH 11 Review What information is _NOT_ in an e-mail header? (Choose all that apply) a. Blind copy (Bcc) addresses b. Internet addresses c. Domain name d. Contents of the message e. Type of e-mail server used to send the email
a. Blind copy (Bcc) addresses d. Contents of the message
CH 12 Quiz Within NIST guidelines for mobile forensics methods, the ______________ method requires physically removing flash memory chips and gathering information at the binary level. a. Chip-off b. Logical extraction c. Micro read d. Manual extraction
a. Chip-off
CH 11 Review When searching a victim's computer for a crime committed with a specific email, what provides information for determining the e-mail's originator? (Choose all that apply) a. E-mail header b. Username and password c. Firewall log d. All of the above
a. E-mail header c. Firewall log
CH 10 Quiz What Windows Registry key contains associations for file extensions? a. HKEY_CLASSES_ROOT b. HKEY_USERS c. HKEY_LOCAL_MACHINE d. HKEY_CURRENT_CONFIG
a. HKEY_CLASSES_ROOT
CH 10 Quiz The ___ tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network sniffers, and freeware forensics tools. a. Kali Linux b. Ubuntu c. OSForensics d. Sleuth Kit
a. Kali Linux
CH 16 Review Externally enforced ethical rules, with sanctions that can restrict a professional's practice, are more accurately described as which of the following? a. Laws b. Objectives c. A higher calling d. All of the above
a. Laws
CH 12 Quiz What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and taking pictures? a. Manual extraction b. Chip-off c. Micro read d. Logical extraction
a. Manual extraction
CH 11 Quiz One of the most noteworthy e-mail scams was 419, otherwise known as the ??? a. Nigerian Scam b. Lake Venture Scam c. Conficker virus d. Iloveyou Scam
a. Nigerian Scam
CH 12 Review Remote wiping of a mobile device can result in which of the following? (Choose all that apply) a. Removing account information b. Enabling GPS beacon to track the thief c. Returning the phone to the original factory settings d. Deleting contacts
a. Removing account information c. Returning the phone to the original factory settings d. Deleting contacts
CH 13 Review Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider? (Choose all that apply) a. Subpoenas with prior notice b. Temporary restraining orders c. Search warrants d. Court orders
a. Subpoenas with prior notice c. Search warrants d. Court orders
CH 12 Quiz The use of smart phones for illicit activities is becoming more prevalent. a. true b. false
a. True
CH 12 Quiz The ________________ technology uses the IEEE 802.16e standard and Orthogonal Frequency Division Multiple Access (OFDMA) and supports transmission speeds of 12 Mbps. a. WiMAX b. CDMA c. UMB d. MIMO
a. WiMAX
CH 16 Quiz A consultant who doesn't testify can earn a ____________________ for locating testifying experts or investigative leads. a. contingency fee b. retainer c. stake in a case d. reprimand
a. contingency fee
CH 13 Quiz A ??? is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities. a. court order b. temporary restraining order c. warrant d. subpoena
a. court order
CH 12 Quiz What method below is NOT an effective method for isolating a mobile device from receiving signals? a. placing the device into a plastic evidence bag b. placing the device into a paint can, preferably one previously containing radio-wave blocking paint c. placing the device into airplane mode d. turning the device off
a. placing the device into a plastic evidence bag
CH 11 Review Sendmail uses which file for instructions on processing an e-mail message? a. sendmail.cf b. syslogd.conf c. mese.ese d. mapi.log
a. sendmail.cf
CH 11 Quiz What information is not typically included in an e-mail header? a. the sender's physical location b. the originating IP address c. the unique ID of the e-mail d. the originating domain
a. the sender's physical location
CH 12 Quiz Search and seizure procedures for mobile devices are as important as procedures for computers. a. true b. false
a. true
CH 12 Quiz While travelling internationally with a GSM phone, you can pop in a SIM card for the country you're currently in, rather than get a new phone. a. true b. false
a. true
CH 16 Quiz Experts should be paid in full for all previous work and for the anticipated time required for testimony. a. true b. false
a. true
CH 16 Quiz In the United States, there's no state or national licensing body for computer forensics examiners. a. true b. false
a. true
CH 16 Quiz People need ethics to help maintain their balance, especially in difficult and contentious situations. a. true b. false
a. true
If a police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit a(n) _______.
affidavit
??? are a special category of private sector businesses, due to their ability to investigate computer abuse committed by employees only, but not customers. a. hospitals b. ISPs c. law firms d. news networks
b
The goal of recovering as much information as possible can result in ________________, in which an investigation expands beyond the original description because of unexpected evidence found. a. litigation b. scope creep c. criminal charges d. violations
b
Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its malicious code from antivirus tools. a. hashing b. bit-shifting c. registry edits d. slack space
b
What format below is used for VMware images? a. .vhd b. .vmdk c. .s01 d. .aff
b
What letter should be typed into DiskEdit in order to mark a good sector as bad? a. M b. B c. T d. D
b
What should you do while copying data on a suspect's computer that is still live? a. open files to view contents b. make notes regarding everything you do c. conduct a Google search of unknown extensions using the computer d. check Facebook for additional suspects
b
What type of media has a 30-year lifespan? a. DVD-Rs b. DLT magnetic tape c. hard drive d. USB thumb drive
b
The term ??? describes rooms filled with extremely large disk systems that are typically used by large business data centers. a. storage room b. server farm c. data well d. storage hub
b
In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely. a. keygrabber b. keylogger c. packet capture d. protocol analyzer
b
In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters? a. NTFS b. FAT c. HFSX d. Ext3fs
b
Within Windows Vista and later, partition gaps are _____________ bytes in length. a. 64 b. 128 c. 256 d. 512
b
CH 11 Quiz What kind of files are created by Exchange while converting binary data to readable text in order to prevent loss of data a. .txt b. .tmp c. .exe d. .log
b. .tmp
CH 16 Quiz Currently, expert witnesses testify in more than __ percent of trials. a. 55 b. 80 c. 92 d. 78
b. 80
CH 13 Quiz Which of the following is not a valid source for cloud forensics training a. SANS Cloud Forensics with F-Response b. A+ Security c. INFOSEC Institute d. (ISC)2 Certified Cyber Forensics Professional
b. A+ Security
CH 11 Quiz What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact a. iNet b. ARIN c. Google d. ERIN
b. ARIN
CH 10 Review When do zero day attacks occur? (Choose all that apply) a. On the day the application or OS is released b. Before a patch is available c. Before the vendor is aware of the vulnerability d. On the day the patch is created
b. Before a patch is available c. Before the vendor is aware of the vulnerability
CH 12 Quiz What digital network technology was developed during World War II? a. TDMA b. CDMA c. GSM d. iDEN
b. CDMA
CH 12 Review Which of the following categories of information is stored on a SIM card? (Choose all that apply.) a. Volatile Memory b. Call data c. Service-related data d. None of the above
b. Call data c. Service-related data
CH 11 Quiz Which e-mail recovery program below can recover files from VMware and VirtualPC virtual machines, as well as ISOs and other types of file backups a. Fookes Aid4mail b. DataNumen Outlook Repair c. EnCase Forensics d. AccessData FTK
b. DataNumen Outlook Repair
CH 11 Quiz Which service below does not put log information into /var/log/maillog a. SMTP b. Exchange c. IMAP d. POP
b. Exchange
CH 13 Quiz The ??? tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack a. Openforensics b. FROST c. WinHex d. ARC
b. FROST
CH 10 Review Which Registry key contains associations for file extensions? a. HFILE_CLASSES_ROOT b. HKEY_CLASSES_ROOT c. HFILE_EXTENSIONS d. HKEY_CLASSES_FILE
b. HKEY_CLASSES_ROOT
CH 12 Quiz What organization is responsible for the creation of the requirements for carriers to be considered 4G? a. IEEE b. ITU-R c. ISO d. TIA
b. ITU-R
CH 12 Quiz The ___________________ technology is designed for GSM and Universal Mobile Telecommunications Systems (UMTS) technology, supports 45 Mbps to 144 Mbps transmission speeds. a. WiMAX b. LTE c. MIMO d. UMB
b. LTE
CH 10 Quiz The ___ is the version of Pcap available for Linux based operating systems a. Wincap b. Libpcap c. Tcpcap d. Netcap
b. Libpcap
CH 11 Review Phishing does which of the following? a. Uses DNS poisoning b. Lures users with false promises c. Takes people to fake websites d. Uses DHCP
b. Lures users with false promises
CH 11 Review Which of the following is a current formatting standard for e-mail? a. SMTP b. MIME c. Outlook d. HTML
b. MIME
CH 12 Review Which of the following relies on a central database that tracks access data, location data and subscriber information? a. BTS b. MSC c. BSC d. None of the above
b. MSC
CH 11 Review What's the main piece of information you look for in an email message you're investigating? a. Sender or receivers e-mail address b. Originating e-mail domain or IP address c. Subject line content d. Message number
b. Originating e-mail domain or IP address
CH 10 Quiz The tcpdump and Wireshark utilities both use what well known packet capture format a. Netcap b. Pcap c. Packetd d. RAW
b. Pcap
CH 13 Review Which of the following cloud deployment methods typically offers no security? a. Hybrid Cloud b. Public Cloud c. Community cloud d. Private Cloud
b. Public Cloud
CH 11 Review When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do? a. Search available log files for any forwarded messages b. Restore the e-mail server from a backup c. Check the current database files for an existing copy of the email d. Do nothing because after the file has been deleted, it can no longer be recovered.
b. Restore the e-mail server from a backup
CH 12 Quiz GSM refers to mobile phones as "mobile stations" and divides a station into two parts, the __________ and the mobile equipment (ME). a. antenna b. SIM card c. radio d. transceiver
b. SIM card
CH 10 Quiz In a ___ attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server with established connections a. smurf b. SYN flood c. spoof d. ghost
b. SYN flood
CH 10 Review You can expect to find a type 2 hypervisor on what type of device? (Choose all that apply) a. Desktop b. Smartphone c. Tablet d. Network Server
b. Smartphone c. Tablet
CH 10 Quiz The ___ is a good tool for extracting information from large Libpcap files; you simply specify the time frame you want to examine a. Tcpdstat b. Tcpslice c. Ngrep d. tcpdump
b. Tcpslice
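The Pcap and Tcpslice cards above describe the libpcap capture format that tcpdump and Wireshark share and the trick of cutting a time window out of a large capture. The following Python reader is an added example, not code from the textbook or from tcpdump or Tcpslice: it parses the classic pcap global header and per-record headers, handles both byte orders and the nanosecond magic, rejects pcapng files, and then keeps only the records in a time range, which is what tcpslice does. The capture bytes are constructed inline and are not real traffic.

```python
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # libpcap variant with nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A      # pcapng Section Header Block; a different format
LINKTYPE_ETHERNET = 1

def read_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp_seconds, packet_bytes) for each record in a classic
    pcap file image (the format tcpdump writes and Wireshark reads).

    Global header (24 bytes): magic, version major/minor, thiszone, sigfigs,
    snaplen, linktype.  Record header (16 bytes): ts_sec, ts_subsec,
    incl_len, orig_len, followed by incl_len bytes of packet data.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic_le, = struct.unpack_from("<I", data, 0)
    magic_be, = struct.unpack_from(">I", data, 0)
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = ">", magic_be
    elif magic_le == PCAPNG_MAGIC:
        raise ValueError("pcapng file; this reader handles classic pcap only")
    else:
        raise ValueError("unknown magic 0x%08x" % magic_le)
    subsec_divisor = 1e6 if magic == PCAP_MAGIC_USEC else 1e9
    offset = 24
    # A trailing partial record header (under 16 bytes) is ignored, as tcpdump
    # does; a record whose payload is cut short is reported as truncation.
    while offset + 16 <= len(data):
        ts_sec, ts_sub, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % (offset - 16))
        yield ts_sec + ts_sub / subsec_divisor, data[offset:offset + incl_len]
        offset += incl_len

def slice_by_time(data: bytes, start: float, end: float) -> List[Tuple[float, bytes]]:
    """Keep only records with start <= timestamp <= end, which is what
    tcpslice does to cut a time window out of a large capture."""
    return [(ts, pkt) for ts, pkt in read_pcap(data) if start <= ts <= end]

def build_pcap(records: List[Tuple[int, int, bytes]], nsec: bool = False) -> bytes:
    """Build a little-endian pcap image from (ts_sec, ts_subsec, payload)
    tuples.  Only used to construct the sample capture below."""
    magic = PCAP_MAGIC_NSEC if nsec else PCAP_MAGIC_USEC
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_sub, payload in records:
        out += struct.pack("<IIII", ts_sec, ts_sub, len(payload), len(payload)) + payload
    return out

# Constructed sample capture: three stub frames at 10:00:00, 10:00:05.5 and
# 10:01:00 UTC on 2015-01-01 (Unix time 1420106400 onward).  Not real traffic.
SAMPLE_PCAP = build_pcap([
    (1420106400, 0,      b"\x00" * 14 + b"pkt1"),
    (1420106405, 500000, b"\x00" * 14 + b"pkt2"),
    (1420106460, 0,      b"\x00" * 14 + b"pkt3"),
])

if __name__ == "__main__":
    # Cut the first ten seconds out of the capture, tcpslice style.
    for ts, pkt in slice_by_time(SAMPLE_PCAP, 1420106400, 1420106410):
        print("%.6f  %d bytes  %r" % (ts, len(pkt), pkt[14:]))
```

On a real case, read the file once and write the selected records back out with the same global header; the magic check matters because Wireshark's default output today is pcapng, which this reader deliberately refuses rather than misparsing.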
CH 10 Review Which of the following is a clue that a virtual machine has been installed on a host system? a. Network Logs b. Virtual network adapter c. Virtualization Software d. USB Drive
b. Virtual network adapter
CH 16 Quiz In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous contact with an opposing party? a. Tidemann v. Toshiba Corp. b. Wang Laboratories, Inc. v. Toshiba Corp. c. Tidemann v. Nadler Golf Car Sales, Inc. d. Hewlett-Packard v. EMC Corp.
b. Wang Laboratories, Inc. v. Toshiba Corp.
CH 11 Quiz In what state is sending unsolicited email illegal a. Florida b. Washington c. Maine d. New York
b. Washington
CH 11 Quiz E-mail administrators may make use of ???, which overwrites a log file when it reaches a specified size or at the end of a specified time frame a. log recycling b. circular logging c. log purging d. log cycling
b. circular logging
CH 16 Quiz Before allowing an attorney to describe any case details, determine who the parties are to reduce the possibility of a _______________. a. collaboration b. conflict c. mistrial d. contradiction
b. conflict
CH 12 Quiz Because mobile phones are seized at the time of arrest, a search warrant is not necessary to examine the device for information. a. true b. false
b. false
CH 12 Quiz Most Code Division Multiple Access networks conform to IS-95. The systems are referred to as CDMAOne, and when they went to 3G service, they became CDMAThree a. true b. false
b. false
CH 16 Quiz Expert opinions cannot be presented without stating the underlying factual basis. a. true b. false
b. false
CH 16 Quiz The American Bar Association (ABA) is a licensing body. a. true b. false
b. false
CH 16 Quiz ____ questions can give you the factual structure to support and defend your opinion. a. rapid-fire b. hypothetical c. setup d. compound
b. hypothetical
CH 16 Quiz People who fear having their ______________ acts revealed feel as though they must protest the ________________ acts of others being revealed. a. legal b. improper c. secret d. public
b. improper
CH 10 Quiz At what layers of the OSI model do most packet analyzers function a. layer 1 or 2 b. layer 2 or 3 c. layer 3 or 4 d. layer 4 or 5
b. layer 2 or 3
CH 13 Quiz A ??? is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed through the application's Web interface a. configuration manager b. management plane c. backdoor d. programming language
b. management plane
CH 16 Quiz The purpose of requesting the ________________ is to deter attorneys from communicating with you solely for the purpose of disqualifying you. a. case b. retainer c. juror list d. evidence
b. retainer
CH 11 Quiz The ??? utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook a. fixmail.exe b. scanpst.exe c. repairpst.exe d. rebuildpst.exe
b. scanpst.exe
CH 13 Quiz The Google Drive file ??? contains a detailed list of a user's cloud transactions a. loggedtransactions.log b. sync_log.log c. transact_user.db d. history.db
b. sync_log.log
CH 13 Quiz Where is the snapshot database created by Google Drive located in Windows a. C:\Program Files\Google\Drive b. C:\Users\username\AppData\Local\Google\Drive c. C:\Users\username\Google\Google Drive d. C:\Google\Drive
b. C:\Users\username\AppData\Local\Google\Drive
If practical, ??? team(s) should collect and catalog digital evidence at a crime scene or lab a. two b. five c. one d. three
c
The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to filter known program files from view and contains the hash values of known illegal files. a. DeepScan Filter b. Unknown File Filter (UFF) c. Known File Filter (KFF) d. FTK Hash Imager
c
The term ??? is used to describe someone who might be a suspect, or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest a. criminal b. potential data source c. person of interest d. witness
c
The term for detecting and analyzing steganography files is _________________. a. carving b. steganology c. steganalysis d. steganomics
c
When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented? a. Inventory and documentation information should be stored on a drive and then the drive should be reformatted. b. Start the suspect's computer and begin collecting evidence. c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS. d. Connect the suspect's computer to the local network so that up to date forensics utilities can be utilized.
c
Which court case established that it is not necessary for computer programmers to testify in order to authenticate computer-generated records? a. United States v. Wong b. United States v. Carey c. United States v. Salgado d. United States v. Walser
c
Which of the following is not done when preparing for a case? a. describe the nature of the case b. identify the type of OS c. set up covert surveillance d. determine whether you can seize the computer or digital device
c
Which system below can be used to quickly and accurately match fingerprints in a database? a. fingerprint identification database (FID) b. systemic fingerprint database (SFD) c. automated fingerprint identification system (AFIS) d. dynamic fingerprint matching system (DFMS)
c
Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords: a. Last Bit b. AccessData PRTK c. OSForensics d. Passware
c
CH 11 Quiz In older versions of Exchange, what type of file was responsible for messages formatted with Messaging Application Programming Interface, and served as the database file a. .ost b. .edp c. .edb d. .edi
c. .edb
CH 11 Review Which of the following types of files can provide useful information when you're examining an e-mail server? a. .dbf files b. .emx files c. .log files d. .slf files
c. .log files
CH 11 Quiz Where does the Postfix UNIX mail server store e-mail a. /home/username/mail b. /var/mail/postfix c. /var/spool/postfix d. /etc/postfix
c. /var/spool/postfix
CH 10 Quiz In VirtualBox, ___ different types of virtual network adapters are possible, such as AMD and Intel Pro adapters a. 2 b. 4 c. 6 d. 8
c. 6
CH 12 Review SD cards have a capacity up to which of the following? a. 100 MB b. 4 MB c. 64 GB d. 500 MB
c. 64 GB
CH 11 Review To trace an IP address in an e-mail header, what type of lookup service can you use? (Choose all that apply) a. Intelius Inc's AnyWho online directory b. Verizon's http://superpages.com c. A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net d. Any Web search engine
c. A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net d. Any Web search engine
CH 11 Review When you access your email, what type of computer architecture are you using? a. Mainframe and minicomputers b. Domain c. Client/Server d. None of the above
c. Client/server
CH 13 Quiz The ??? is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy agreements, security measures, questionnaires, and more a. OpenStack Framework Alliance b. vCloud Security Advisory Panel c. Cloud Security Alliance d. Cloud Architecture Group
c. Cloud Security Alliance
CH 10 Quiz In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters a. Slow-NetworkAdapters b. Query-ipconfig c. Get-VMNetworkAdapter d. Dump-Betconfig
c. Get-VMNetworkAdapter
CH 12 Quiz Which of the NIST guidelines below requires using a modified boot loader to access RAM for analysis? a. Chip-off b. Manual extraction c. Hex dumping d. Micro read
c. Hex dumping
CH 12 Quiz What standard introduced sleep mode to enhance battery life, and is used with TDMA? a. IS-99 b. IS-140 c. IS-136 d. IS-95
c. IS-136
CH 12 Quiz Most Code Division Multiple Access (CDMA) networks conform to ____________ , created by the Telecommunications Industry Association (TIA). a. TS-95 b. 802.11 c. IS-95 d. IS-136
c. IS-95
CH 10 Review A layered network defense strategy puts the most valuable data where? a. In the DMZ b. In the outermost layer c. In the innermost layer d. None of the above
c. In the innermost layer
CH 16 Review What purpose does making your own recording during a deposition serve? a. It shows the court reporter that you do not trust him or her b. It assists you with reviewing the transcript of the deposition c. It allows you to review your testimony with your attorney during breaks. d. It prevents opposing counsel from intimidating you.
c. It allows you to review your testimony with your attorney during breaks.
CH 10 Review Packet analyzers examine what layers of the OSI model? a. Layers 2 and 4 b. Layers 4 through 7 c. Layers 2 and 3 d. All layers
c. Layers 2 and 3
CH 11 Review The term "via Frontend Transport" in a header indicates that the e-mail is on which of the following? a. UNIX server b. Older NetWare Server c. Microsoft Exchange Server d. Mac Server
c. Microsoft Exchange Server
CH 10 Quiz What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses a. tcpdump b. Argus c. Ngrep d. Tcpslice
c. Ngrep
CH 12 Quiz Where is the OS stored on a smartphone? a. RAM b. Microprocessor c. ROM d. Read/write flash
c. ROM
CH 12 Review In which of the following cases did the U.S. Supreme Court require using a search warrant to examine the contents of mobile devices? a. Miles v. North Dakota b. Smith v. Oregon c. Riley v. California d. Dearborn v. Ohio
c. Riley v. California
CH 13 Quiz What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing a. Amazon EC2 b. IBM Cloud c. Salesforce d. HP Helion
c. Salesforce
CH 11 Review Router logs can be used to verify what types of email data? a. Message content b. Content of Attached files c. Tracking flows through e-mail server ports d. Finding blind copies
c. Tracking flows through email server ports
CH 10 Quiz What processor instruction set is required in order to utilize virtualization software a. AMD-VT b. Intel VirtualBit c. Virtual Machine Extensions (VMX) d. Virtual Hardware Extensions (VHX)
c. Virtual Machine Extensions (VMX)
CH 13 Quiz Which of the following is NOT a service level for the cloud a. Platform as a service b. Infrastructure as a service c. Virtualization as a service d. Software as a service
c. Virtualization as a service
CH 16 Review Contingency fees can be used to compensate an expert under which circumstances? a. When the expert is too expensive to compensate at the hourly rate b. When the expert is willing to accept a contingency fee arrangement c. When the expert is acting only as a consultant, not a witness d. All of the above
c. When the expert is acting only as a consultant, not a witness
CH 13 Quiz What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds a. HP Helion b. Amazon EC2 c. XenServer and XenCenter Windows Management Console d. Cisco Cloud Computing
c. XenServer and XenCenter Windows Management Console
CH 16 Review What are some risks of using tools you have created yourself? a. The tool might not perform reliably b. The judge might be suspicious of the validity of the results c. You might have to share the tool's source code with opposing counsel for review d. The tool doesn't generate the reports in a standard format
c. You might have to share the tool's source code with opposing counsel for review
CH 16 Quiz Attorneys search ____ for information on expert witnesses. a. cross-examination banks b. examination banks c. deposition banks d. disqualification banks
c. deposition banks
CH 13 Quiz The ??? Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system a. read_filejournal b. filetx.log c. filecache.dbx d. filecache.dll
c. filecache.dbx
CH 16 Quiz The most important laws applying to attorneys and witnesses are the ____. a. professional ethics b. rules of ethics c. rules of evidence d. professional codes of conduct
c. rules of evidence
CH 11 Quiz The Suni Munshani v. Singal Lake Venture Fund II, LP et al case is an example of a case that involves e-mail ??? a. destruction b. spamming c. spoofing d. theft
c. spoofing
CH 11 Review On a Unix-like system, which file specifies where to save different types of e-mail log files? a. maillog b. /var/spool/log c. syslog.conf d. log
c. syslog.conf
CH 13 Quiz Which is not a valid method of deployment for a cloud a. community b. public c. targeted d. private
c. targeted
CH 10 Review In VirtualBox, a(n) ______ file contains settings for virtual hard drives. a. .vbox-prev b. .ovf c. .vbox d. .log
c. .vbox
The dcfldd ______ option can be used to compare an image file to the original medium.
vf
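The dcfldd card (vf= verification) and the dd card further down (writing a bit-stream image) describe acquisition and verification. The Python below is an added example, not part of the textbook and not dcfldd's own code: it verifies an image against its source window by window, the way vf= does, and also emits per-window digests in the style of dcfldd's hashwindow= option, so that a bad image is reported by location rather than only by a failed whole-image hash. The functions take binary file objects (on a real case, open('/dev/sdb', 'rb') and the image file); the 2 KiB "medium" and the corrupted copy at the bottom are constructed in memory.

```python
import hashlib
import io
from typing import BinaryIO, List, Optional

def window_hashes(stream: BinaryIO, window: int, algo: str = "sha256") -> List[str]:
    """Hash a stream in fixed-size windows, as dcfldd's hashwindow= option does,
    so a later mismatch can be localised instead of just 'the image is bad'.
    Assumes a buffered binary file object, which returns full windows except
    at end of file (the final window may be short)."""
    if window <= 0:
        raise ValueError("window must be a positive number of bytes")
    digests = []
    while True:
        chunk = stream.read(window)
        if not chunk:
            break
        digests.append(hashlib.new(algo, chunk).hexdigest())
    return digests

def whole_hash(stream: BinaryIO, algo: str = "sha256", bufsize: int = 1 << 20) -> str:
    """Single digest over the whole stream; what you record for chain of custody."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(bufsize), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_image(source: BinaryIO, image: BinaryIO, window: int) -> Optional[int]:
    """Compare an image against its source medium window by window (dcfldd's
    vf= does this).  Returns None when identical, otherwise the index of the
    first window that differs; a length difference shows up as a mismatch in
    the window where the shorter stream ran out."""
    if window <= 0:
        raise ValueError("window must be a positive number of bytes")
    index = 0
    while True:
        a = source.read(window)
        b = image.read(window)
        if not a and not b:
            return None
        if a != b:
            return index
        index += 1

# Convenience wrappers over in-memory buffers so the functions can be exercised
# without a block device; on a real case pass the opened device and image file.
def verify_bytes(source: bytes, image: bytes, window: int) -> Optional[int]:
    return verify_image(io.BytesIO(source), io.BytesIO(image), window)

def window_hashes_bytes(data: bytes, window: int, algo: str = "sha256") -> List[str]:
    return window_hashes(io.BytesIO(data), window, algo)

def whole_hash_bytes(data: bytes, algo: str = "sha256") -> str:
    return whole_hash(io.BytesIO(data), algo)

# Constructed 2 KiB "medium" and an image of it with one flipped byte at offset 1300.
SOURCE = bytes(range(256)) * 8
_bad = bytearray(SOURCE)
_bad[1300] ^= 0xFF
CORRUPT_IMAGE = bytes(_bad)

if __name__ == "__main__":
    print("good image:", verify_bytes(SOURCE, SOURCE, 512))                     # None
    print("bad image, first differing window:", verify_bytes(SOURCE, CORRUPT_IMAGE, 512))  # 2
    for i, digest in enumerate(window_hashes_bytes(CORRUPT_IMAGE, 512)):
        print("window %d %s" % (i, digest[:16]))
```

Record the whole-image digest with the window digests: the first proves the image has not changed since acquisition, the second tells you which 512-byte region to re-read when a later verification fails.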
The _______ is not one of the three stages of a typical criminal case.
civil suit
Sparse acquisition
collects fragments of unallocated (deleted) data, for example from large RAID systems
??? is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing a. second-party evidence b. rumor c. fiction d. hearsay
d
A ??? is not a private sector organization a. small to medium business b. large corporation c. non-government organization d. hospital
d
As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state? a. the power cable should be pulled b. the system should be shut down gracefully c. the power should be left on d. the decision should be left to the digital evidence first responder (DEFR)
d
The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but does not list hash values of known illegal files. a. Open Hash Database b. HashKeeper Online c. National Hashed Software Reference d. National Software Reference Library
d
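The NSRL card above, the KFF card (AccessData's Known File Filter) and the bit-shifting card earlier in this section all turn on one mechanism: hash a file, look the digest up in a reference set, and hide it (known good) or flag it (known bad). The Python below is an added example, not code from the textbook, AccessData or NIST: it classifies a constructed set of files against an NSRL-style known-good set and a KFF-style alert set, and then shows why a bit-shifted copy of a stock binary slips through as "unknown". All file contents and hash sets are constructed inline; real NSRL and KFF sets contain millions of entries and belong in a database or a Bloom filter, not a Python set.

```python
import hashlib
from typing import Dict, Set

def sha1_hex(data: bytes) -> str:
    """NSRL's Reference Data Set keys on SHA-1 (MD5 and CRC32 are also listed)."""
    return hashlib.sha1(data).hexdigest()

def classify_files(files: Dict[str, bytes], known_good: Set[str], alert: Set[str]) -> Dict[str, str]:
    """Label each file:
      'known'   - hash is in the reference set (stock OS/application file); hide it
      'alert'   - hash is in the notable set (known contraband/malware); surface it
      'unknown' - in neither set; needs examination
    A hit in the alert set wins over the known-good set."""
    labels = {}
    for name, data in files.items():
        digest = sha1_hex(data)
        if digest in alert:
            labels[name] = "alert"
        elif digest in known_good:
            labels[name] = "known"
        else:
            labels[name] = "unknown"
    return labels

def rotate_bits(data: bytes, bits: int = 1) -> bytes:
    """Rotate every byte left by `bits`.  Reversible (rotate by 8 - bits), yet
    every hash changes: the 'bit-shifting' evasion the quiz names, and the
    reason exact-hash filtering only matches byte-for-byte identical files."""
    bits %= 8
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in data)

# Constructed stand-ins for stock binaries and for one notable file.  Not real files.
STOCK_NOTEPAD = b"MZ" + b"\x90" * 62 + b"constructed notepad.exe image"
STOCK_KERNEL32 = b"MZ" + b"\x90" * 62 + b"constructed kernel32.dll image"
NOTABLE_FILE = b"\xff\xd8\xff\xe0constructed notable image content"

KNOWN_GOOD = {sha1_hex(STOCK_NOTEPAD), sha1_hex(STOCK_KERNEL32)}   # NSRL-style reference set
ALERT = {sha1_hex(NOTABLE_FILE)}                                      # KFF-style alert set

SUSPECT_FILES = {
    "Windows/notepad.exe": STOCK_NOTEPAD,                  # untouched stock file
    "Users/bob/report.docx": b"constructed user document",
    "Users/bob/vacation.jpg": NOTABLE_FILE,                # renamed notable file
    "Users/bob/n0tepad.exe": rotate_bits(STOCK_NOTEPAD),   # bit-shifted copy of a stock file
}

if __name__ == "__main__":
    for path, label in classify_files(SUSPECT_FILES, KNOWN_GOOD, ALERT).items():
        print("%-24s %s" % (path, label))
```

The last entry is the point of the bit-shifting card: the content is fully recoverable with rotate_bits(data, 7), but no hash set will ever match it, so "unknown" files with executable-looking headers still need a look.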
Which option below is not a disk management tool? a. Partition Magic b. Partition Master c. GRUB d. HexEdit
d
Which password recovery method uses every possible letter, number, and character found on a keyboard? a. rainbow table b. dictionary attack c. hybrid attack d. brute-force attack
d
In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer. a. format b. fdisk c. grub d. diskpart
d
CH 10 Quiz The ___ disk image file format is associated with the VirtualBox hypervisor a. .vmdk b. .had c. .vhd d. .vdi
d. .vdi
CH 11 Quiz Which option below is the correct path to the sendmail configuration file a. /var/etc/sendmail.cf b. /var/mail/sendmail.cf c. /usr/local/sendmail.cf d. /etc/mail/sendmail.cf
d. /etc/mail/sendmail.cf
CH 11 Quiz On a UNIX system, where is a user's mail stored by default a. /var/mail b. /var/log/mail c. /username/mail d. /home/username/mail
d. /home/username/mail
CH 11 Quiz Syslog is generally configured to put all e-mail related log information into what file a. /usr/log/mail.log b. /var/log/message c. /proc/mail d. /var/log/maillog
d. /var/log/maillog
CH 13 Quiz In a prefetch file, the application's last access date and time are at offset ??? a. 0x80 b. 0x88 c. 0xD4 d. 0x90
d. 0x90
CH 16 Quiz FRE ____ describes whether the basis for the testimony is adequate. a. 700 b. 701 c. 702 d. 703
d. 703
CH 12 Quiz What frequencies can be used by GSM with the TDMA technique a. 1200 to 1500 MHz b. 2.4 GHz to 5.0 GHz c. 600 to 1000 MHz d. 800 to 1000 MHz
d. 800 to 1000 MHz
CH 11 Quiz Select the program below that can be used to analyze mail from Outlook, Thunderbird, and Eudora a. AccessData FTK b. DataNumen c. R-Tools R-Mail d. Fookes Aid4Mail
d. Fookes Aid4Mail
CH 11 Quiz In order to retrieve logs from exchange, the Powershell cmdlet ??? can be used a. GetExchangeLogs.psl b. GetLogInfo.psl c. ShowExchangeHistrory.psl d. GetTransactionLogStats.psl
d. GetTransactionLogStats.psl
CH 12 Quiz Select below the option that is not a typical feature of smartphones on the market today: a. Microprocessor b. Flash c. ROM d. Hard drive
d. Hard drive
CH 13 Quiz Metadata in a prefetch file contains an application's ??? times in UTC format and a counter of how many times the application has run since the prefetch file was created a. startup / access b. log event c. ACL d. MAC
d. MAC
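The prefetch cards in this section (offset 0x90 for the last access time, timestamps stored in UTC, a run counter, and the .pf files themselves) are really describing one thing: an 8-byte Windows FILETIME and a 4-byte counter at fixed offsets in the file header. The Python below is an added example, not code from the textbook or from any forensic suite: it converts FILETIME values (100-nanosecond ticks since 1601-01-01 UTC) to aware datetimes and pulls the version, executable name, last-run time and run count out of a constructed prefetch-style buffer. The offsets are parameters because they depend on the format version in the first four bytes; 0x90 is used below because that is the value the quiz gives, and the run-counter offset 0x98 is only an assumption for the constructed sample. Windows 10 prefetch files are compressed and start with "MAM\x04" rather than the "SCCA" signature at offset 4, so the parser refuses them instead of reading garbage.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000   # 1970-01-01 00:00 UTC expressed as FILETIME
SCCA_SIGNATURE = b"SCCA"     # uncompressed prefetch files carry this at offset 4
MAM_SIGNATURE = b"MAM\x04"   # Windows 10 prefetch files are compressed and start with this

class PrefetchInfo(NamedTuple):
    version: int
    executable: str
    last_run_utc: Optional[datetime]
    run_count: int

def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME is a 64-bit count of 100-ns ticks since 1601-01-01 00:00 UTC.
    Zero means 'never', which Windows uses for unused timestamp slots."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_prefetch(buf: bytes, last_run_offset: int, run_count_offset: int) -> PrefetchInfo:
    """Pull the format version, executable name, last-run time and run counter
    out of an uncompressed prefetch image.  The two offsets are caller-supplied
    because they depend on the format version in the first four bytes."""
    if buf[:4] == MAM_SIGNATURE:
        raise ValueError("compressed (MAM) prefetch file; decompress it before parsing")
    if buf[4:8] != SCCA_SIGNATURE:
        raise ValueError("no SCCA signature at offset 4; not a prefetch file")
    version, = struct.unpack_from("<I", buf, 0)
    # Executable name: UTF-16LE, NUL-terminated, 60-byte field at offset 0x10.
    executable = buf[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    last_run, = struct.unpack_from("<Q", buf, last_run_offset)
    run_count, = struct.unpack_from("<I", buf, run_count_offset)
    return PrefetchInfo(version, executable, filetime_to_datetime(last_run), run_count)

def build_sample_prefetch(last_run_offset: int, run_count_offset: int) -> bytes:
    """Constructed 256-byte stand-in for a prefetch header with the fields the quiz
    describes placed at the given offsets.  Not a real prefetch file."""
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, 0, 23)                 # format version field
    buf[4:8] = SCCA_SIGNATURE
    name = "NOTEPAD.EXE".encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    last_run = datetime(2015, 3, 2, 9, 15, 2, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, last_run_offset, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, run_count_offset, 7)
    return bytes(buf)

# 0x90 is the offset the quiz gives for the last-run time; the run-counter offset
# 0x98 is only an assumption made for this constructed sample.
SAMPLE_PREFETCH = build_sample_prefetch(last_run_offset=0x90, run_count_offset=0x98)

if __name__ == "__main__":
    info = parse_prefetch(SAMPLE_PREFETCH, last_run_offset=0x90, run_count_offset=0x98)
    print(info.executable, "format v%d" % info.version,
          "last run", info.last_run_utc.isoformat(), "runs", info.run_count)
```

Always report the converted value with its +00:00 suffix as above: the timestamp is UTC in the file, and the suspect machine's local time zone is a separate finding from the registry, not something to fold into the prefetch time silently.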
CH 10 Quiz The NSA's defense in depth (DiD) strategy contains three modes of protection. Which option below is not one of the three modes a. People b. Technology c. Operations d. Management
d. Management
CH 11 Quiz Exchange uses and Exchange database and is based on the ???, which uses several files in different combinations to provide e-mail service a. Microsoft Mail Storage Engine (MSE) b. Microsoft Stored Mail Extension (SME) c. Microsoft Extended Mail Storage (EMS) d. Microsoft Extensible Storage Engine (ESE)
d. Microsoft Extensible Storage Engine (ESE)
CH 12 Quiz Which component of cell communication is used to route digital packets for the network and relies on a database to support subscribers? a. Base station controller (BSC) b. Base transceiver station (BTS) c. Base transceiver controller (BTC) d. Mobile switching center (MSC)
d. Mobile switching center (MSC)
CH 10 Quiz Select below the option that is not a common type 1 hypervisor a. VMware vSphere b. Microsoft Hyper-V c. Citrix XenServer d. Oracle VirtualBox
d. Oracle VirtualBox
CH 12 Quiz Nonvolatile memory on a mobile device can contain OS files and stored user data, such as a __________________ and backed-up files. a. Professional Data Holder b. Personal Assistant Organizer c. Personal Data Manager d. Personal Information Manager
d. Personal Information Manager
CH 10 Quiz Select below the program within the Ps Tools suite that allows you to run processes remotely a. PsService b. PsPasswd c. PsRemote d. PsExec
d. PsExec
CH 12 Quiz Which of the following is not a type of peripheral memory card used in PDAs? a. Secure Digital (SD) b. Compact Flash (CF) c. Multimedia Card (MMC) d. RamBus (RB)
d. RamBus (RB)
CH 16 Review When you begin a conversation with an attorney about a specific case, what should you do? (Choose all that apply) a. Ask to meet with the attorney b. Answer his or her questions in as much detail as possible c. Ask who the parties in the case are d. Refuse to discuss details until a retainer agreement is returned
d. Refuse to discuss details until a retainer agreement is returned
CH 13 Review Evidence of cloud access found on a smartphone usually means which cloud service level was in use? a. IaaS b. HaaS c. PaaS d. SaaS
d. SaaS
CH 10 Quiz What virtual machine software supports all Windows and Linux OSs as well as Macintosh and Solaris, and is provided as shareware? a. KVM b. Parallels c. Microsoft Virtual PC d. VirtualBox
d. VirtualBox
CH 13 Review When should a temporary restraining order be requested for a cloud environment? a. When cloud customers need immediate access to their data b. To enforce a court order c. When anti-forensics techniques are suspected d. When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case.
d. When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case.
CH 16 Quiz Computer forensics examiners have two roles: fact witness and ____ witness. a. professional b. direct c. discovery d. expert
d. expert
CH 13 Quiz What information below is not something recorded in Google Drive's snapshot.db file a. modified and created times b. URL pathnames c. file access records d. file SHA values and sizes
d. file SHA values and sizes
CH 11 Quiz What command below could be used on a UNIX system to help locate log directories a. show log b. detail c. search d. find
d. find
CH 12 Quiz On what mobile device platform does Facebook use a SQLite database containing friends, their ID numbers, and phone numbers as well as files that tracked all uploads, including pictures? a. Android b. Blackberry c. Windows RT d. iPhone
d. iPhone
CH 10 Quiz Select the file below that is used in VirtualBox to create a virtual machine a. .vdi b. .vbox c. .r0 d. .ova
d. .ova
CH 13 Quiz To reduce the time it takes to start applications, Microsoft has created ??? files, which contain the DLL pathnames and metadata used by an application a. temp b. cache c. config d. prefetch
d. prefetch
CH 13 Quiz Which of the following is NOT one of the five mechanisms the government can use to get electronic information from a provider a. search warrants b. subpoenas c. court orders d. seizure order
d. seizure order
CH 13 Quiz With cloud systems running in a virtual environment, ??? can give you valuable information before, during, and after an incident a. carving b. live acquisition c. RAM d. snapshot
d. snapshot
CH 10 Quiz The ___ command line program is a common way of examining network traffic; it provides records of network activity while it is running, and can produce hundreds of thousands of records a. netstat b. ls c. ifconfig d. tcpdump
d. tcpdump
CH 11 Quiz What type of Facebook profile is usually only given to law enforcement with a warrant a. private profile b. advanced profile c. basic profile d. Neoprint profile
d. Neoprint profile
The _______ command was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory.
dcfldd
The Linux command _____ can be used to write bit-stream data to files.
dd
The ___________ command inserts a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry.
delete
_____________ is composed of the unused space in a cluster between the end of an active file's content and the end of the cluster.
drive slack
CH 11 Review E-mail headers contain which of the following information? (Choose all that apply.) a. The sender and receiver e-mail address b. An ESMTP number or reference number c. The e-mail servers the message traveled through to reach its destination d. The IP address of the receiving server e. All of the above
e. All of the above
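Several CH 11 cards in this section concern the same procedure: the originating domain or IP is the main thing to look for in a header, Received lines record the servers a message travelled through, the Message-ID is the unique identifier, and spoofed headers are a known problem. The Python below is an added example, not code from the textbook: it parses a constructed phishing message with Python's standard email module, lists the Received hops in travel order, extracts the "originating" IP the way the quiz expects, and separately reports the last address that can actually be trusted, namely the one recorded by a server you control. The message, its hosts and addresses are made up for this example; the bottom Received line is deliberately forged to show why the two answers differ.

```python
import email
import ipaddress
import re
from typing import List, Optional

# Constructed sample message; hosts, addresses and IDs are made up for this
# example.  The bottom Received line was forged by the sender to make the
# message look like it left a bank's gateway.
SAMPLE_MESSAGE = b"""Received: from mx2.example.org (mx2.example.org [203.0.113.9])
\tby mail.victim.example (Postfix) with ESMTPS id 4F3C1A2B
\tfor <alice@victim.example>; Mon, 02 Mar 2015 09:15:02 +0000
Received: from relay.example.org (unknown [198.51.100.77])
\tby mx2.example.org with ESMTP id 7D2E9; Mon, 02 Mar 2015 09:14:58 +0000
Received: from [192.168.1.23] (helo=homepc)
\tby relay.example.org with ESMTPA id 1B2C3; Mon, 02 Mar 2015 09:14:55 +0000
Received: from secure.trusted-bank.example ([10.0.0.5]) by gateway.trusted-bank.example
Message-ID: <20150302091455.1B2C3@relay.example.org>
From: "Security Team" <alerts@trusted-bank.example>
To: alice@victim.example
Subject: Verify your account

Click the link to verify your account.
"""

IPV4_RE = re.compile(r"((?:\d{1,3}\.){3}\d{1,3})")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16")]                  # loopback, link-local

def received_hops(raw: bytes) -> List[str]:
    """Received headers in travel order (oldest hop first).  Each server
    prepends its own line, so the top one is nearest the recipient."""
    msg = email.message_from_bytes(raw)
    return list(reversed(msg.get_all("Received", [])))

def first_ip(received: str) -> Optional[str]:
    """First IPv4 literal in a Received line: the 'from' side of the handoff."""
    m = IPV4_RE.search(received)
    return m.group(1) if m else None

def is_internal(ip: str) -> bool:
    # Explicit RFC 1918/loopback/link-local check rather than is_private(), which
    # also flags the RFC 5737 documentation ranges used in this sample.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def chain_ips(raw: bytes) -> List[Optional[str]]:
    return [first_ip(hop) for hop in received_hops(raw)]

def claimed_origin_ip(raw: bytes) -> Optional[str]:
    """The textbook target: the originating address, read from the lowest
    Received line that names a routable IP.  Everything below the hops your
    own servers wrote can be forged, so treat this as the sender's claim."""
    for hop in received_hops(raw):
        ip = first_ip(hop)
        if ip and not is_internal(ip):
            return ip
    return None

def last_verifiable_ip(raw: bytes, trusted_hops: int) -> Optional[str]:
    """The address that actually connected to your infrastructure: the 'from'
    IP in the lowest of the `trusted_hops` Received lines added by servers you
    control.  This is the one worth sending to a WHOIS/ARIN lookup."""
    hops = received_hops(raw)
    if not 1 <= trusted_hops <= len(hops):
        raise ValueError("trusted_hops must be between 1 and %d" % len(hops))
    return first_ip(hops[-trusted_hops])

def message_id(raw: bytes) -> Optional[str]:
    """The unique ID the quiz mentions; match it against the server's logs."""
    return email.message_from_bytes(raw).get("Message-ID")

if __name__ == "__main__":
    print("hops (oldest first):", chain_ips(SAMPLE_MESSAGE))
    print("claimed origin:     ", claimed_origin_ip(SAMPLE_MESSAGE))
    print("last verifiable IP: ", last_verifiable_ip(SAMPLE_MESSAGE, trusted_hops=1))
    print("Message-ID:         ", message_id(SAMPLE_MESSAGE))
```

With one trusted hop (only mail.victim.example is yours) the verifiable address is 203.0.113.9, the claimed origin is 198.51.100.77, and the 10.0.0.5 "bank gateway" line at the bottom is simply text the sender typed. Start the ARIN or WHOIS lookup from the verifiable address and work downward, confirming each hop against that server's own logs before trusting the next line.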
Which of the following commands creates an alternate data stream?
echo text > myfile.txt:stream_name
What command below can be used to decrypt EFS files?
efsrecvr
Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDXC), and memory sticks:
exFAT
A computer stores system configuration and date and time information in the BIOS when power to the system is off. (T/F)
false
An Internet e-mail is generally part of a local network, and is maintained and managed by an administrator for internal use by a specific company T/F
false
Because attorneys do not have the right of full discovery of digital evidence, it is not possible for new evidence to come to light while complying with a defense request for full discovery. t/f
false
Committing crimes with e-mail is uncommon, and investigators are not generally tasked with linking suspects to e-mail T/F
false
Computer-stored records are data the system maintains, such as system log files and proxy server logs. t/f
false
Each MFT record starts with a header identifying it as a resident or nonresident attribute. (T/F)
false
FAT32 is used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0. (T/F)
false
In an e-mail address, everything before the @ symbol represents the domain name T/F
false
In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant. t/f
false
Someone who wants to hide data can create hidden partitions or voids: large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities. (T/F)
false
The Fourth Amendment states that only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued. The courts have determined that this phrase means a warrant can authorize a search of a specific place for anything. t/f
false
The Linux command _______ can be used to list the current disk devices connected to the computer.
fdisk -l
What information below is not something recorded in Google Drive's snapshot.db file?
file SHA values and sizes
CH 16 Quiz What Unicode value is used to identify the Latin alphabet? a. 0x00 b. 0xF8 c. 0xAB d. 0x01
pg 578 a. 0x00
CH 16 Quiz What do the last 8 bits of a Unicode value represent? a. language identification b. character hexadecimal values c. file type identification d. font selection
pg 578 a. language identification
CH 16 Quiz On NTFS drives, Unicode values are how many bits in length? a. 8 bits b. 32 bits c. 16 bits d. 64 bits
pg 578 c. 16 bits
CH 16 Quiz What are the first 8 bits of a Unicode value used for? a. file type identification b. font selection c. character hexadecimal values d. language identification
pg 578 c. character hexadecimal values
CH 16 Quiz When converting plain text to hexadecimal for use with ProDiscover, you need to place ??? between each character's hexadecimal values. a. space (A0) values b. blank (00) values c. null (FF) values d. null (00) values
pg 578 d. null (00) values
To reduce the time it takes to start applications, Microsoft has created ____ files, which contain the DLL pathnames and metadata used by applications.
prefetch
To reduce the time it takes to start applications, Microsoft has created ______________ files, which contain the DLL pathnames and metadata used by applications.
prefetch
The purpose of a ______________ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key.
recovery certificate
To get a ____, a government entity must show that there's probable cause to believe the contents of a wire communication, an electronic communication, or other records are relevant to an ongoing criminal investigation.
search warrant
Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider?
seizure order
With cloud systems running in a virtual environment, _____________ can give you valuable information before, during, and after an incident.
snapshot
With cloud systems running in a virtual environment, ____ can give you valuable information before, during, and after an incident.
snapshots
What registry file contains installed programs' settings and associated usernames and passwords?
software.dat
The Google drive file ____ contains a detailed list of a user's cloud transactions.
sync_log.log
The Google Drive file ____________ contains a detailed list of a user's cloud transactions.
sync_log.log
What does the MFT header field at offset 0x00 contain?
the MFT record identifier FILE
When using the File Allocation Table (FAT), where is the FAT database typically written to?
the outermost track
Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific files or sectors. t/f
true
An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal injury, such as finding a bomb threat in an e-mail. t/f
true
When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space. (T/F)
true
After the evidence has been presented in a trial by jury, the jury must deliver a(n) _______.
verdict
_______ can be used with the dcfldd command to compare an image file to the original medium.
vf
Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks?
zone bit recording (ZBR)
Which of the following scenarios should be covered in a disaster recovery plan?
**all of the above** (damage caused by lightning strikes; damage caused by flood; damage caused by virus contamination)
The _______ switch can be used with the split command to adjust the size of segmented volumes created by the dd command.
-b
Which ISO standard below is followed by the ASCLD?
17025:2005
How long are computing components designed to last in a normal business environment?
18 to 36 months
When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files?
2 GB
NTBootdd.sys
A device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.
Boot.ini
A file that specifies the Windows installation path and a variety of other startup options.
What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations?
Certified Cyber Forensics Professional
Candidates who complete the IACIS test successfully are designated as a _______.
Certified Forensic Computer Examiner (CFCE)
tracks
Concentric circles on a disk platter where data is stored.
_______ is not one of the functions of the investigations triad.
Data recovery
After a judge approves and signs a search warrant, the _______ is responsible for the collection of evidence as defined by the warrant.
Digital Evidence First Responder
The _______ is responsible for analyzing data and determining when another specialist should be called in to assist with analysis.
Digital Evidence Specialist
Signed into law in 1973, the _______ was/were created to ensure consistency in federal proceedings.
Federal Rules of Evidence
Which amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure?
Fourth Amendment
What tool, currently maintained by the IRS Criminal Investigation Division and limited to use by law enforcement, can analyze and read special files that are copies of a disk?
ILook
bootstrap process
Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.
Which Microsoft OS below is the least intrusive to disks in terms of changing data?
MS-DOS 6.22
_______ can be used to restore backup files directly to a workstation.
Norton Ghost
Which RAID type provides increased speed and data storage capability, but lacks redundancy?
RAID 0
Which RAID type utilizes mirrored striping, providing fast access and redundancy?
RAID 1
_______ is not recommended for a digital forensics workstation.
Remote access software
Which option below is not a recommendation for securing storage containers?
Rooms with evidence containers should have a secured wireless network.
A TEMPEST facility is designed to accomplish which of the following goals?
Shield sensitive computing systems and prevent electronic eavesdropping of computer emissions.
head
The device that reads and writes data to a disk drive.
NT File System (NTFS)
The file system that Microsoft created to replace FAT. It uses security features, allows smaller cluster sizes, and uses Unicode, which makes it a more versatile system.
_______ is responsible for creating and monitoring lab policies for staff, and provides a safe and secure workplace for staff and evidence.
The lab manager
Which technology below is not a hot-swappable technology?
USB-3
Which option below is not one of the recommended practices for maintaining a keyed padlock?
Use a master key.
An evidence custody form does not usually contain _______.
a witness list
A chain-of-evidence form, which is used to document what has and has not been done with the original evidence and forensic copies of the evidence, is also known as a(n) _______.
evidence custody form
The sale of sensitive or confidential company information to a competitor is known as _______.
industrial espionage
The term _______ describes a database containing informational records about crimes that have been committed previously by a criminal.
police blotter
Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as _______.
repeatable findings