475 Exam 1: 1-6

What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume?

$LogFile

The ProDiscover utility makes use of the proprietary _______________ file format.

.eve

What hexadecimal code below identifies an NTFS file system in the partition table?

07

A Master Boot Record (MBR) partition table marks the first partition starting at what offset?

0x1BE

At what distance can the EMR from a computer monitor be picked up?

1/4 mile

When was the Freedom of Information Act originally enacted?

1960s

What is the maximum amount of time computing components are designed to last in normal business operations?

24 months

By what percentage can lossless compression reduce image file size?

50%

A typical disk drive stores how many bytes in a single sector?

512

When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action?

80 degrees or higher

In general, what would a lightweight forensics workstation consist of?

A laptop computer built into a carrying case with a small selection of peripheral options

What kind of forensic investigation lab best preserves the integrity of evidence?

A secure facility

What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?

A warrant

Which term refers to an accusation or supposition of fact that a crime has been committed and is made by the complainant, based on the incident?

Allegation

What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?

An affidavit

Which type of kit should include all the tools the investigator can afford to take to the field?

An extensive-response field kit

What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible?

An initial-response field kit

Where should your computer backups be kept?

An off-site facility

What term refers to the individual who has the power to conduct digital forensic investigations?

Authorized requester

What program serves as the GUI front end for accessing Sleuth Kit's tools?

Autopsy

The ReFS storage engine uses a __________ sort method for fast access to large data sets.

B+-tree

What option below is an example of a platform specific encryption tool?

BitLocker

In what process is the acquisition of newer and better resources for investigation justified?

Building a business case

When federal courts are evaluating digital evidence from computer-generated records, what exception is applied to hearsay?

Business-records exception

What is the goal of the NSRL project, created by NIST?

Collect known hash values for commercial software and OS files using SHA hashes.

When confidential business data are included with the criminal evidence, what are they referred to as?

Commingled data

Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?

Computer Analysis and Response Team

What type of records are considered data that the system maintains, such as system log files and proxy server logs?

Computer-generated

What process refers to recording all the updates made to a workstation?

Configuration management

At a minimum, what do most company policies require that employers have in order to initiate an investigation?

Confirmed suspicion that a law or policy is being violated.

Which Pacific Northwest agency meets to discuss problems that digital forensics examiners encounter?

Criminal

A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?

Data recovery

Which of the following is stated within the ISO 27037 standard?

Digital Evidence First Responders should use validated tools.

Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?

Digital investigations

What is the most common and flexible data-acquisition method?

Disk-to-image file copy

What term refers to a person using a computer to perform routine tasks other than systems administration?

End user

How frequently does IACIS require recertification to demonstrate continuing work in the field of computer forensics?

Every 2 years

What hex value is the standard indicator for jpeg graphics files?

FF D8

Which group often works as part of a team to secure an organization's computers and networks?

Forensics investigators

What organization was created by police officers in order to formalize credentials for digital investigators?

IACIS

Which agency introduced training on software for forensics investigations by the early 1990s?

IACIS

Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes?

Investigating and controlling the scene is much easier in private sector environments.

What must be done, under oath, to verify that the information in the affidavit is true?

It must be notarized.

The __________ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface.

Kali

What algorithm is used to decompress Windows files?

Lempel-Ziv

What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?

Live

What type of acquisition is used for most remote acquisitions?

Live

What does Autopsy use to validate an image?

MD5

What is most often the focus of digital investigations in the private sector?

Misuse of digital assets

In addition to FAT16, FAT32, and Resilient File System, which file system can Windows hard disks also use?

NTFS

What tool below was written for MS-DOS and was commonly used for manual digital investigations?

Norton DiskEdit

In what temporary location below might passwords be stored?

Pagefile.sys

What type of evidence do courts consider evidence data in a computer to be?

Physical

Without a warning banner, what right might employees assume they have when using a company's computer systems and network accesses?

Privacy

What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest?

Probable cause

The presence of police officers and other professionals who aren't part of the crime scene-processing team may result in the loss or corruption of data through which process?

Professional curiosity

Which type of format acquisition leaves the investigator unable to share an image between different vendors' computer forensics analysis tools?

Proprietary

What is the third stage of a criminal case, after the complaint and the investigation?

Prosecution

Methods for restoring large data sets are important for labs using which type of servers?

RAID

Which RAID configuration, also called mirrored striping, is a combination of RAID 1 and RAID 0?

RAID 10

Which RAID configuration offers the greatest access speed and most robust data recovery capability?

RAID 5

In addition to RAID 0, what type of RAID configuration is available for Windows XP, 2000, and NT servers and workstations?

RAID1

What is the purpose of the reconstruction function in a forensics investigation?

Re-create a suspect's drive to show what happened during a crime or incident

What registry file contains user account management and security settings?

SAM.dat

In addition to environmental issues, what issues are the investigator's primary concerns when working at the scene to gather information about an incident or a crime?

Safety

In what mode do most write-blockers run?

Shell mode

What registry file contains installed programs' settings and associated usernames and passwords?

Software.dat

If your time is limited, what type of acquisition data copy method should you consider?

Sparse

What type of acquisition is typically done on a computer seized during a police raid?

Static

What material is recommended for secure storage containers and cabinets?

Steel

When an investigator seeks a search warrant, which of the following must be included in an affidavit to support the allegation of a crime?

Subpoena

During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. What did the U.S. Department of Defense call this special computer-emission shielding?

TEMPEST

What does the MFT header field at offset 0x00 contain?

The MFT record identifier FILE

At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?

The digital forensics lab

When using the File Allocation Table (FAT), where is the FAT database typically written to?

The outermost track

Under what circumstances are digital records considered admissible?

They are business records

What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive?

TrueCrypt

Which of the following is not a valid configuration of Unicode?

UTF-64

What reports are generated at the local, state, and federal levels to show the types and frequency of crimes committed?

Uniform crime reports

_______________ proves that two sets of data are identical by calculating hash values or using another similar method.

Verification

What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult?

Whole disk encryption

Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks?

Zone Bit Recording (ZBR)

The physical data copy subfunction exists under the ______________ function.

acquisition

How frequently should floors and carpets in the computer forensic lab be cleaned to help minimize dust that can cause static electricity?

at least once a week

Reconstructing fragments of files that have been deleted from a suspect drive, is known as ____________ in North America.

carving

What term below describes a column of tracks on two or more disk platters?

cylinder

What command works similarly to the dd command but has many features designed for computer forensics acquisitions?

dcfldd

What command creates a raw format file that most computer forensics analysis tools can read?

dd

When performing disk acquisition, the raw data format is typically created with the UNIX/Linux _____________ command.

dd

The ___________ command inserts a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry.

delete

Which of the following commands creates an alternate data stream?

echo text > myfile.txt:stream_name

What command below can be used to decrypt EFS files?

efsrecvr

Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDCX), and memory sticks:

exFAT

A keyword search is part of the analysis process within what forensic function?

extraction

What term is used to describe a disk's logical structure of platters, tracks, and sectors?

geometry

The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System.

hive

Addresses that allow the MFT to link to nonresident files are known as _______________.

logical cluster numbers

Which of the following options is not a subfunction of extraction?

logical data copy

. In addition to md5sum, which hashing algorithm utility is included with current distributions of Linux?

sha1sum

Passwords are typically stored as one-way _____________ rather than in plaintext.

variables