565 Quiz Review

Which of the following types of files can provide useful information when you're examining an e-mail server? .emx files .slf files .log files .dbf files

.log files

In Microsoft Outlook, e-mails are typically stored in which of the following? .evolution file res1.log and res2.log files .pst and .ost files PU020102.db file

.pst and .ost files

SD cards have a capacity up to which of the following? 100 MB 4 MB 500 MB 64 GB

64 GB

To trace an IP address in an e-mail header, what type of lookup service can you use? Intelius Inc.'s AnyWho online directory Verizon's http://superpages.com A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net None of the above

A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net

The National Software Reference Library provides what type of resource for digital forensics examiners? Reference books and materials for digital forensics A list of MD5 and SHA1 hash values for all known OSs and applications A repository for software vendors to register their developed applications A list of digital forensics tools that make examinations easier

A list of MD5 and SHA1 hash values for all known OSs and applications

What is a motion in limine? The movement of molecules in a random fashion A motion to dismiss the case A pretrial motion to revise the case schedule A pretrial motion for the purpose of excluding certain evidence

A pretrial motion for the purpose of excluding certain evidence

According to SANS DFIR Forensics, which of the following tasks should you perform if a mobile device is on and unlocked? Remove the passcode. Isolate the device from the network. Disable the screen lock. All of the above

All of the above

An expert witness can give an opinion in which of the following situations? The opinion, inferences, or conclusions depend on special knowledge, skills, or training not within the ordinary experience of laypeople. The witness is shown to be qualified as a true expert in the field. The witness testifies to a reasonable degree of certainty (probability) about his or her opinion, inference, or conclusion. All of the above

All of the above

During your cross-examination, you should do which of the following? Maintain eye contact with the jury. Pay close attention to opposing counsel's questions. Answer opposing counsel's questions as briefly as is practical. All of the above

All of the above

E-mail headers contain which of the following information? An ESMTP number or reference number The sender and receiver e-mail addresses The e-mail servers the message traveled through to reach its destination All of the above

All of the above

List three obvious ethical errors. * Don't accept an assignment if it cannot reasonably be done in the allowed time. * Don't reach a conclusion before you have done complete research. * Don't fail to report possible conflicts of interest. * Don't present false data or alter data. * Don't report work that was not done. * Don't ignore available contradictory data. * Don't ignore available contradictory data. * Don't do work beyond your expertise or competence. * Don't allow the attorney who retained you to influence your opinion in an unauthorized way. All of the above

All of the above

Remote wiping of a mobile device can result in which of the following? Removing account information Deleting contacts Returning the phone to the original factory settings All of the above

All of the above

What expressions are acceptable to use in testimony to respond to a question for which you have no answer? That's beyond the scope of my expertise. I wasn't asked to investigate that. That's beyond the scope of my investigation. All of the above

All of the above

When using graphics while testifying, which of the following guidelines applies? Practice using charts for courtroom testimony. Your exhibits must be clear and easy to understand. Make sure the jury can see your graphics. All of the above

All of the above

Which forensic image file format creates or incorporates a validation hash value in the image file? Expert Witness SMART AFF All of the above

All of the above

Which of the following is a mobile forensics method listed in NIST guidelines? Logical extraction Physical extraction Hex dumping All of the above

All of the above

Your curriculum vitae is which of the following? A detailed record of your experience, education, and training A generally required document to be made available before your testimony A necessary tool to be an expert witness All of the above

All of the above

The reconstruction function is needed for which of the following purposes? Re-create a suspect drive to show what happened. Create a copy of a drive for other investigators. Re-create a drive compromised by malware. All of the above.

All of the above.

Which of the following is an example of a written report? A search warrant An affidavit Voir dire Any of the above

An affidavit

What information is not in an e-mail header? Domain name Internet addresses Blind copy (bcc) addresses All of the above

Blind copy (bcc) addresses

Before testifying, you should do which of the following? a: Create an examination plan with your retaining attorney. b: Make sure you've been paid for your services and the estimated fee for the deposition or trial. c: Get a haircut. Both a and b

Both a and b

For which of the following reasons should you wipe a target drive? a: To ensure the quality of digital evidence you acquire b: To make sure unwanted data isn't retained on the drive Both a and b Neither of the above

Both a and b

List three organizations that have a code of ethics or conduct. a: ISFCE, IACIS, AMA b: IACIS, APA, ABA Both a and b None of the above

Both a and b

What kind of information do fact witnesses provide during testimony? a: Facts only b: Observations of the results of tests they performed Both a and b Neither of the above

Both a and b

Which of the following categories of information is stored on a SIM card? a: Call data b: Service-related data Both a and b None of the above

Both a and b

The Known File Filter (KFF) can be used for which of the following purposes? a: Filter known program files from view. b: Calculate hash values of image files. c: Compare hash values of known files with evidence files. Both a and c

Both a and c

The term TDMA refers to which of the following? a: A technique of dividing a radio frequency so that multiple users share the same channel b: A proprietary protocol developed by Motorola c: A specific cellular network standard Both a and c

Both a and c

What should you do if you realize you have made a mistake or misstatement during a deposition? a: If the deposition is still in session, refer back to the error and correct it. b: Decide whether the error is minor, and if so, ignore it. c: If the deposition is over, make the correction on the corrections page of the copy provided for your signature. Both a and c

Both a and c

When searching a victim's computer for a crime committed with a specific e-mail, which of the following provides information for determining the e-mail's originator? a: E-mail header b: Username and password c: Firewall log Both a and c

Both a and c

Which of the following describes expert witness testimony? a: Testimony designed to assist the jury in determining matters beyond the ordinary person's scope of knowledge b: Testimony that defines issues of the case for determination by the jury c: Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience Both a and c

Both a and c

When working for a prosecutor, what should you do if the evidence you found appears to be exculpatory and isn't being released to the defense? Give the evidence to the defense attorney. Destroy the evidence. Keep the information on file for later review. Bring the information to the attention of the prosecutor, then his or her supervisor, and finally to the judge (the court).

Bring the information to the attention of the prosecutor, then his or her supervisor, and finally to the judge (the court).

When validating the results of a forensic analysis, you should do which of the following? Calculate the hash value with two different tools. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. Use a command-line tool and then a GUI tool. None of the above

Calculate the hash value with two different tools.

When you access your e-mail, what type of computer architecture are you using? Domain Client/server Mainframe and minicomputers None of the above

Client/server

When writing a report, what's the most important aspect of formatting? Size of the font A neat appearance Clear use of symbols and abbreviations Consistency

Consistency

Automated tools help you collect and report evidence, but you're responsible for doing which of the following? Explaining your formatting choices Explaining in detail how the software works Explaining the significance of the evidence All of the above

Explaining the significance of the evidence

A forensic linguist can determine an author's gender by analyzing chat logs and social media communications.

False

A live acquisition can be replicated.

False

After you shift a file's bits, the hash value remains the same.

False

All expert witnesses must be members of associations that license them.

False

Building a forensic workstation is more expensive than purchasing one.

False

Codes of professional conduct or responsibility set the highest standards for professionals' expected performance.

False

Data can't be written to disk with a command-line tool.

False

Ethical obligations are duties that you owe only to others.

False

Even in the light of recent developments in technology, you shouldn't change your opinion from one you testified to in a previous case.

False

Figures not used in the body of the report can't be included in report appendixes

False

Hardware acquisition tools typically have built-in software for data analysis.

False

IETF is the organization setting standards for 5G devices.

False

In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results.

False

Password recovery is included in all forensics tools.

False

The uRLLC 5G category focuses on communications in smart cities.

False

When acquiring a mobile device at an investigation scene, you should leave it connected to a laptop or tablet so that you can observe synchronization as it takes place.

False

When using a write-blocking device you can't remove and reconnect drives without having to shut down your workstation.

False

You can view e-mail headers in Notepad with all popular e-mail clients.

False

Which of the following represents known files you can eliminate from an investigation? Any files pertaining to the company Files associated with an application Any graphics files All of the above

Files associated with an application

What's the most commonly used cellular network worldwide? GSM EDGE CDMA TDMA

GSM

Forensics software tools are grouped into ______ and ______ applications. GUI, command-line Local, remote Mobile, PC Portable, Desktop

GUI, command-line

Steganography is used for which of the following purposes? Creating strong passwords Validating data Accessing remote computers Hiding data

Hiding data

The standards for testing forensics tools are based on which criteria? ASTD 1975 U.S. Title 18 ISO 17025 All of the above

ISO 17025

Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation? Internal corporate investigation because ISPs almost always turn over e-mail and access logs when requested by a large corporation Criminal investigation because law enforcement agencies have more resources at their disposal Internal corporate investigation because corporate investigators typically have ready access to company records Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly

Internal corporate investigation because corporate investigators typically have ready access to company records

What purpose does making your own recording during a deposition serve? It shows the court reporter that you don't trust him or her. It assists you with reviewing the transcript of the deposition. It allows you to review your testimony with your attorney during breaks. It prevents opposing counsel from intimidating you.

It allows you to review your testimony with your attorney during breaks.

Which of the following statements about the legal-sequential numbering system in report writing is true? It's most effective for shorter reports. It's favored because it's easy to organize and understand. It's required for reports submitted in federal court. It doesn't indicate the relative importance of information.

It doesn't indicate the relative importance of information.

Externally enforced ethical rules, with sanctions that can restrict a professional's practice, are more accurately described as which of the following? A higher calling Objectives Laws All of the above

Laws

Phishing does which of the following? Uses DNS poisoning Uses DHCP Lures users with false promises Takes people to fake Web sites

Lures users with false promises

Which of the following is a current formatting standard for e-mail? HTML Outlook SMTP MIME

MIME

Which of the following relies on a central database that tracks account data, location data, and subscriber information? BTS MSC BSC None of the above

MSC

What's the main piece of information you look for in an e-mail message you're investigating? Message number Sender or receiver's e-mail address Subject line content Originating e-mail domain or IP address

Originating e-mail domain or IP address

Which of the following is the standard format for reports filed electronically in U.S. federal courts and most state courts? Word PDF Excel HTML

PDF

The most reliable way to ensure that jurors recall testimony is to do which of the following? Wear bright clothing to attract jurors' attention. Present evidence combining oral testimony and graphics that support the testimony. Present evidence using oral testimony supported by hand gestures and facial expressions. Emphasize your points with humorous anecdotes.

Present evidence combining oral testimony and graphics that support the testimony.

The verification function does which of the following? Proves that a tool performs as intended Creates segmented files Proves that two sets of data are identical via hash values Verifies hex editors

Proves that two sets of data are identical via hash values

Block-wise hashing has which of the following benefits for forensics examiners? Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive Allows validating sector comparisons between known files Verifies the quality of OS files Provides a faster way to shift bits in a block or sector of data

Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive

Rainbow tables serve what purpose for digital forensics examinations? Rainbow tables provide a scoring system for probable search terms. Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords. Rainbow tables are a supplement to the NIST NSRL library of hash tables. Rainbow tables are designed to enhance the search capability of many digital forensics examination tools.

Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords.

A log report in forensics tools does which of the following? Tracks file types Monitors network intrusion attempts Records an investigator's actions in examining a case Lists known good files

Records an investigator's actions in examining a case

When you begin a conversation with an attorney about a specific case, what should you do? Refuse to discuss details until a retainer agreement is returned. Answer his or her questions in as much detail as possible. Ask who the parties in the case are. Ask to meet with the attorney.

Refuse to discuss details until a retainer agreement is returned.

When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do? Check the current database files for an existing copy of the e-mail. Search available log files for any forwarded messages. Restore the e-mail server from a backup. Do nothing because after the file has been deleted, it can no longer be recovered.

Restore the e-mail server from a backup.

In which of the following cases did the U.S. Supreme Court require using a search warrant to examine the contents of mobile devices? Riley v. California Smith v. Oregon Miles v. North Dakota Dearborn v. Ohio

Riley v. California

GSM divides a mobile station into ______ and ______. SIM card and ME RAM and ME SIM card and EEPROM RAM and SIM

SIM card and ME

If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords? There are no concerns because salting doesn't affect password-recovery tools. Salting applies only to OS startup passwords, so there are no serious concerns for examiners. The effect on the computer's CMOS clock could alter files' date and time values. Salting can make password recovery extremely difficult and time consuming.

Salting can make password recovery extremely difficult and time consuming.

Which of the following describes fact testimony? Scientific or technical testimony describing information recovered during an examination Testimony by law enforcement officers Testimony based on observations by lay witnesses None of the above

Scientific or technical testimony describing information recovered during an examination

According to ISO standard 27037, which of the following is an important factor in data acquisition? The DEFR's competency The DEFR's skills in using the command line Conditions at the acquisition setting None of the above

The DEFR's competency

In steganalysis, cover-media is which of the following? A specific type of graphics file used only for hashing steganographic files The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file The type of steganographic method used to conceal a message The content of a file used for a steganography message

The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file

You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information? Nothing; this is what you'd expect to see. The disk is corrupted. The drive is formatted incorrectly. There's a hidden partition.

There's a hidden partition

Which of the following is true of most drive-imaging tools? They perform the same function as a backup. They ensure that the original drive doesn't become corrupt and damage the digital evidence. They must be run from the command line. All of the above

They ensure that the original drive doesn't become corrupt and damage the digital evidence.

Most SIM cards allow ______ access attempts before locking you out. Three One Two Four

Three

For what purpose have hypothetical questions traditionally been used in litigation? To stimulate discussion between a consulting expert and an expert witness To deter a witness from expanding the scope of his or her investigation beyond the case requirements. To frame the factual context of rendering an expert witness's opinion To define the case issues for the finder of fact to determine

To frame the factual context of rendering an expert witness's opinion

Router logs can be used to verify what types of e-mail data? Tracking flows through e-mail server ports Finding blind copies Message content Content of attached files

Tracking flows through e-mail server ports

After examining e-mail headers to find an e-mail's originating address, investigators use forward lookups to track an e-mail to a suspect.

True

An encrypted drive is one reason to choose a logical acquisition.

True

An unethical technique occurs when an opposing counsel might attempt to make discovery depositions physically uncomfortable.

True

Being able to incorporate the log files and reports tools generate into your written reports is a major advantage of automated forensics tools in report writing.

True

Commercial encryption programs often rely on key escrow technology to recover files if a password or passphrase is lost.

True

Data viewing, keyword searching, decompressing are three subfunctions of the extraction function.

True

E-mail accessed with a Web browser leaves files in temporary folders.

True

If you were a lay witness at a previous trial, you shouldn't list that case in your written report.

True

In the United States, no state or national licensing body specifically licenses forensics examiners.

True

Mobile device information might be stored on the internal memory or the SIM card.

True

Placing it in paint cans and using Faraday bags are two ways you can isolate a mobile device from incoming signals.

True

SIM card readers can alter evidence by showing that a message has been read when you view it.

True

Scope creep happens when an investigation goes beyond the bounds of its original description.

True

Spoliation means destroying a report before the final resolution of a case called.

True

Standards that others apply to you or that you're compelled to adhere to by external forces (such as licensing bodies) and your own internal rules you use to measure your performance are two types of ethical standards.

True

Testimony preservation and discovery are two types of depositions.

True

The Internet of Things includes radio frequency identification (RFID) sensors as well as wired, wireless, and mobile devices.

True

The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length.

True

The primary hashing algorithm the NSRL project uses is SHA-1.

True

The type of information conveyed to the expert, amount of time involved in discussions or meetings, and whether the expert provided the attorney with confidential information are three factors courts have used in determining whether to disqualify an expert.

True

To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations.

True

Typically, you need a search warrant to retrieve information from a service provider.

True

Voir dire is the process of qualifying a witness as an expert.

True

You should include work experience, training you provided or contributed to, and professional awards or recognitions in your CV.

True

You should take these four steps to handle a deposition in which physical circumstances are uncomfortable: 1. Ask the attorney to correct the situation. 2. If the situation is not corrected, note these conditions into the record, and repeat noting them as long as the conditions persist. 3. After you have noted the problem into the record, you can refuse to continue with the deposition. Generally, you should consult with an attorney before taking this step. 4. If you think the behavior was serious enough that you can justify refusing to continue, consider reporting the attorney to his or her state bar association.

True

If you're giving an answer that you think your attorney should follow up on, what should you do? Use an agreed-on expression to alert the attorney to follow up on the question. Argue with the attorney who asked the question. Try to include as much information in your answer as you can. Change the tone of your voice.

Use an agreed-on expression to alert the attorney to follow up on the question.

Hash values are used for which of the following purposes? Determining file size Filling disk slack Reconstructing file fragments Validating that the original data hasn't changed

Validating that the original data hasn't changed

Hashing, filtering, and file header analysis make up which function of digital forensics tools? Validation and verification Acquisition Extraction Reconstruction

Validation and verification

Contingency fees can be used to compensate an expert under which circumstances? When the expert is willing to accept a contingency fee arrangement When the expert is acting only as a consultant, not a witness When the expert is too expensive to compensate at the hourly rate All of the above

When the expert is acting only as a consultant, not a witness

What are some risks of using tools you have created yourself? The judge might be suspicious of the validity of results from the tool. The tool might not perform reliably. You might have to share the tool's source code with opposing counsel for review. The tool doesn't generate reports in a standard format.

You might have to share the tool's source code with opposing counsel for review.

At trial as a fact or expert witness, what must you always remember about your testimony? You're responsible for the outcome of the case. Your duty is to report your technical or scientific findings or render an honest opinion. Avoid mentioning how much you were paid for your services. All of the above

Your duty is to report your technical or scientific findings or render an honest opinion.

Which of the following rules or laws requires an expert to prepare and submit a report? a: FRCP 26 b: FRE 801 Both a and b Neither of the above

a: FRCP 26

Logging options on e-mail servers can be which of the following? a: Disabled by users b: Set up in a circular logging configuration c: Configured to a specified size before being overwritten Both b and c

c: Configured to a specified size before being overwritten

Sendmail uses which file for instructions on processing an e-mail message? syslogd.conf sendmail.cf mapi.log mese.ese

sendmail.cf

On a UNIX-like system, which file specifies where to save different types of e-mail log files? /var/spool/log syslog.conf maillog log

syslog.conf