BIS 523 Week 4 (Chapter 6)


A business impact analysis indicates an organization cannot operate without its web server for more than 5 days and still recover. The mean time to repair is 3 days. How many days do you have after a disaster to initiate repairs or the organization will not be able to recover?

2

______ is the basic repair tool in Mac OS.

Disk Utility (chkdsk is the Windows counterpart and fsck the Linux/UNIX one)

__________ is a common method for scoring system vulnerabilities.

Common Vulnerability Scoring System (CVSS)

You are the infrastructure manager for your company's IT department. You are preparing to add forensics to your incident response policies. Which is the absolute first step you must take?

Identify forensic resources

Many different kinds of computer disasters can disrupt normal operations for an organization's systems. What type of disaster is most likely to require a computer forensic expert?

Intrusion

A forensic expert sometimes uses specific measurements to describe an incident in order to analyze it. Which of the following is helpful in tracing the root cause of an incident and involves depiction of something resembling a fish head and fish bones?

Ishikawa diagram

The ________ and the ________ are the two NTFS files of most interest to forensics efforts.

Master File Table (MFT), cluster bitmap

When performing a manual recovery on a Linux system, what is the first step to recovering manually deleted files?

Move the system to single-user mode.

________ is the preferred file system of Windows 2000 and later operating systems.

NTFS

Darien is performing analysis on an image of a seized machine. A power outage causes the computer to power off and back on again. When he attempts to boot up the machine to continue his work, the Windows operating system begins to initialize. However, it does not proceed past the loading screen. What type of damage is likely to have occurred?

Logical damage to the file system: the power loss interrupted writes to the file system structures, leaving them in an inconsistent state. (An automatic chkdsk run at the next boot can compound the damage by deleting files it considers out of place.)

In a business impact analysis, which of the following best describes the recovery time objective (RTO)?

The target time to have a down system back up and running

You are attempting to recover deleted files from a storage device. The device's operating system uses the FAT32 file system. What is the most important advantage you have when attempting to recover specific deleted files?

Time; files that were deleted relatively recently are more likely to be recovered

A common approach for manually managed backups is the Grandfather-Father-Son scheme. Consider a server using traditional tape backup that is backed up daily. At the end of the week, a weekly backup is made. At the end of the month, there is a monthly backup made. Which of the following is not true of the Grandfather-Father-Son scheme?

Weekly backups are not reused, only sons and grandfathers.

Which of the following is not true of file carving?

You can perform file carving on the NTFS and FAT32 file systems but not Ext4.

The main purpose of __________ is to prevent legitimate users from being able to access a given computer resource.

a denial of service (DoS) attack

Windows uses __________ on each system as a "scratch pad" to write data when additional random access memory (RAM) is needed.

a swap file

The process whereby a disaster recovery team contemplates likely disasters and the impact each would have on an organization is called:

business impact analysis

One must be able to show the whereabouts and custody of evidence, and how it was handled and stored and by whom, from the time the evidence is first seized by a law enforcement officer or civilian investigator until the moment it is shown in court. What standard does this refer to?

chain of custody

True or False? A CPU cache is not volatile, whereas a CD-ROM is volatile.

false

True or False? A disaster recovery plan (DRP) is focused on keeping the organization functioning as well as possible until a full recovery can be made.

false

True or False? An analysis of how specific incidents might impact business operations is the definition of business continuity plan (BCP).

false

True or False? Diffie-Hellman is a symmetric algorithm.

false

True or False? Exif data is associated with temporary internet files.

false

True or False? From the perspective of digital forensics, changing the time or date stamp on a file does not alter the file.

false

True or False? ISO 27001 deals with contingency planning for U.S. federal information systems specifically.

false

True or False? In Windows, files that are moved to the Recycle Bin are permanently deleted.

false

True or False? In incident response, returning affected systems to normal status occurs during the eradication phase.

false

True or False? Logical damage control is a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification.

false

True or False? When a file on a Windows disk is deleted, the data is removed from the disk.

false

True or False? When gathering evidence in a forensic investigation, working with the original drive is safer than working with a drive image.

false

True or False? You can perform file carving on a PDF file but not on image files.

false

_______ is the unused space between the logical end of a file and the end of the last cluster allocated to it.

file slack

Most often, criminals commit __________ to perpetrate some kind of financial fraud.

identity theft

The amount of time a system can be down before it is impossible for an organization to recover is addressed by:

maximum tolerable downtime (MTD).

Regarding incident response, what step involves restoring software and data from a backup source that has been verified to be free from malware infection?

recovery

In FAT and NTFS file systems, a __________ is used to map files to specific clusters where they are stored on the disk.

table

True or False? Frequency analysis is the basic tool for breaking most classical ciphers, but is not effective against modern methods of cryptography.

true
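
The statement above is easiest to see in code. The following is an added example, not part of the study set or its textbook: it breaks a shift (Caesar) cipher by comparing letter counts against English frequencies with a chi-squared score. The plaintext, the shift of 11 and the helper names are constructed for the illustration; the frequency table uses the commonly published English letter percentages.

```python
"""Frequency analysis against a shift (Caesar) cipher.

Added example (not from the course text). The plaintext, key and helper
names are constructed here; the frequency table holds the usual published
English letter percentages."""
from collections import Counter
from string import ascii_lowercase

ENGLISH_FREQ_PERCENT = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}


def shift_text(text: str, shift: int) -> str:
    """Caesar-shift ASCII letters by shift positions; leave everything else."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """How far the letter counts in text are from English (lower is closer)."""
    letters = [c for c in text.lower() if c in ascii_lowercase]
    n = len(letters)
    if n == 0:
        raise ValueError("no letters to analyse")
    counts = Counter(letters)
    total = 0.0
    for c in ascii_lowercase:
        expected = n * ENGLISH_FREQ_PERCENT[c] / 100
        total += (counts.get(c, 0) - expected) ** 2 / expected
    return total


def break_shift(ciphertext: str) -> tuple[int, str, list[tuple[float, int]]]:
    """Try all 26 shifts, rank them by chi-squared and return the best.

    The full ranking is returned too, so the caller can see how isolated the
    winner is: with real English plaintext the gap to the runner-up is large."""
    ranking = sorted((chi_squared(shift_text(ciphertext, -s)), s) for s in range(26))
    best_score, best_shift = ranking[0]
    return best_shift, shift_text(ciphertext, -best_shift), ranking


# Constructed plaintext, long enough for the statistics to be meaningful.
SAMPLE_PLAINTEXT = (
    "the forensic investigator imaged the seized drive through a write blocker "
    "and recorded the hash of the image before examining the file system for "
    "deleted files hidden data and other evidence of the intrusion that took "
    "the web server offline for most of the week"
)
SAMPLE_SHIFT = 11  # constructed key

if __name__ == "__main__":
    ciphertext = shift_text(SAMPLE_PLAINTEXT, SAMPLE_SHIFT)
    shift, recovered, ranking = break_shift(ciphertext)
    print("recovered shift:", shift)
    print("best vs runner-up chi-squared: %.1f vs %.1f" % (ranking[0][0], ranking[1][0]))
    print(recovered)
```

The attack works because a shift cipher preserves the letter distribution of the plaintext; a modern block cipher such as AES produces output that is indistinguishable from uniform bytes, so the same scoring gives no standout candidate and the method tells the analyst nothing.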

True or False? Hierarchical storage management (HSM) can be configured to provide near-real-time backup.

true

True or False? If you can hear a hard drive's internal disks spinning, the drive probably has not experienced a catastrophic failure.

true

True or False? Infinitely recursing directories is a symptom of logical damage to a file system.

true

True or False? Investigators must authenticate documentary evidence.

true

True or False? Least significant bit (LSB) is a common steganography method.

true
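
As an added illustration of the LSB method named above (this code is not from the study set or its textbook), the block below hides a message in the least significant bit of each value of an 8-bit pixel buffer and recovers it again. The cover buffer, the message and the 4-byte length prefix are constructed assumptions for the example; a real cover would be the decoded pixel array of a lossless image format.

```python
"""Least-significant-bit (LSB) steganography on a raw 8-bit pixel buffer.

Added example (not from the course text). The cover buffer, message and
length-prefix framing are constructed here; a real cover would be the
decoded pixel array of a lossless image such as PNG or BMP."""


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Replace the LSB of successive cover bytes with the message bits.

    A 4-byte big-endian length prefix tells the extractor where to stop.
    Each pixel value changes by at most 1, which is why the alteration is
    invisible to the eye yet still detectable by statistical analysis."""
    payload = len(message).to_bytes(4, "big") + message
    needed = len(payload) * 8
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} bytes, have {len(cover)}")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_bytes(stego: bytes, start_bit: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at carrier index start_bit."""
    value = bytearray()
    for b in range(count):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (stego[start_bit + b * 8 + k] & 1)
        value.append(byte)
    return bytes(value)


def extract_lsb(stego: bytes) -> bytes:
    """Recover a message embedded by embed_lsb."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier: no LSB payload, or it is corrupted")
    return _read_bytes(stego, 32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel difference the embedding introduced."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed 2000-pixel grayscale cover with a smooth gradient.
SAMPLE_COVER = bytes((x * 7 + 13) % 256 for x in range(2000))
SAMPLE_MESSAGE = b"meet at the usual place at dawn"  # constructed payload

if __name__ == "__main__":
    stego = embed_lsb(SAMPLE_COVER, SAMPLE_MESSAGE)
    print(extract_lsb(stego), "max pixel change:", max_pixel_change(SAMPLE_COVER, stego))
```

Two caveats matter for an examiner: the payload survives only in lossless formats (JPEG recompression rewrites the low bits), and the length prefix makes extraction fail loudly on an untouched cover, which is the behaviour a detection script wants.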

True or False? MTD, MTTR, and MTTF are associated with business impact analysis.

true

True or False? Mean time to failure (MTTF) is the amount of time, on average, before a given device is likely to fail through normal use.

true

True or False? Modern cryptography is separated into two distinct groups: symmetric cryptography and asymmetric cryptography.

true

True or False? Storage servers in a forensics lab should be backed up at least once a month.

true

True or False? The Windows NTFS file system views a cluster as entirely utilized if even one bit is used.

true

True or False? The forensics process begins once an incident has been discovered, but it does not get fully under way until after the disaster or incident is contained.

true

True or False? The four primary types of backups are full, incremental, differential, and continuous.

true

True or False? The purpose of adding forensics to incident response policies is to ensure that evidence is not destroyed in the process of recovering from an incident or disaster.

true

What kind of data changes rapidly and may be lost when the machine that holds it is powered down?

volatile data

What is the name of a type of targeted phishing attack in which the criminal targets a high-value target, such as a senior company executive?

whaling

True or False? With the consistency checking file system repair technique, a computer's file system is rebuilt from scratch using knowledge of an undamaged file system structure.

false

True or False? An inode is a data structure in the Windows NTFS file system that stores all information about a file except its name and its actual data.

false (an inode is a Linux/UNIX file system structure; NTFS keeps the equivalent metadata in the MFT record)

Paige is attempting to recover data from a failed hard disk. She removed the failed drive from the system on which it was installed and then connected it to a test system. She made the connection by simply connecting the data and power cables but did not actually install the failed drive. What step should she perform next?

Boot the test system from its own internal drive.

What term describes a method of using techniques other than brute force to derive an encryption key?

Cryptanalysis

You are successful in recovering data files from a damaged disk. You attempt to open a few files and receive a message that the files have been corrupted. What is the best approach to take to gain access to the data?

Perform file carving
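
File carving comes up three times in this set (it works regardless of file system, it applies to images as well as PDFs, and it is the fallback when recovered files will not open). The block below is an added example, not code from the study set or its textbook: it carves PDF, JPEG and PNG fragments out of a raw byte buffer by header and footer signature alone. The buffer contents, the filler pattern and the MAX_CARVE bound are constructed for the illustration.

```python
"""Signature-based file carving over a raw byte buffer.

Added example (not from the course text). The buffer, the filler pattern and
the MAX_CARVE limit are constructed here for illustration."""

# Header and footer byte signatures ("magic numbers") for three common types.
# Carving looks only at content, never at directory entries or allocation
# tables, which is why it works on NTFS, FAT32, ext4 or an unformatted dump.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

MAX_CARVE = 10 * 1024 * 1024  # assumed upper bound used when a footer is missing


def carve(buf: bytes, max_size: int = MAX_CARVE) -> list[tuple[str, int, bytes]]:
    """Return (type, offset, data) for every header found in buf.

    If no footer appears within max_size bytes the fragment is returned
    truncated: a partially overwritten file is still useful evidence.
    A footer can legitimately occur inside a file (e.g. the FFD9 marker of
    an embedded JPEG thumbnail), so carved output should be validated by
    opening it with a parser for that type.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = buf.find(head)
        while pos != -1:
            window_end = min(len(buf), pos + max_size)
            end = buf.find(tail, pos + len(head), window_end)
            data = buf[pos:window_end] if end == -1 else buf[pos:end + len(tail)]
            found.append((kind, pos, data))
            pos = buf.find(head, pos + len(data))
    return sorted(found, key=lambda item: item[1])


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': a fixed filler pattern with three
    files dropped in at arbitrary offsets and no metadata pointing at them."""
    def filler(n: int) -> bytes:
        return (b"\xaa\x55" * (n // 2 + 1))[:n]  # can never form a signature
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + b"IEND\xaeB`\x82"
    return filler(512) + pdf + filler(300) + jpeg + filler(64) + png + filler(128)


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind:5s} at offset {offset:6d}, {len(data)} bytes")
```

Because nothing here consults the file system, the same function runs over a FAT32 image, an NTFS image or the unallocated clusters of an ext4 volume; fragmented files, however, need smarter reassembly than a single header-to-footer window.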

Devaki is a new forensic investigator. She is examining a recently seized hard drive. She was told by the individuals who collected the device that the owner indicated that it did not work. Devaki notices some damage on the case of the hard drive, agrees that it likely does not work, and processes the disk as if it is "lost" or inaccessible. What mistake did Devaki make?

She should have fully evaluated the disk by leveraging multiple techniques to attempt to retrieve the data.

True or False? "Chosen plaintext attack" and "ciphertext-only" are two cryptanalysis methods for cracking encryption.

true

True or False? A collision occurs when two different inputs to the same hashing algorithm produce the same output (or hash).

true

True or False? A network outage can disrupt normal operations for an organization's computer systems and, therefore, constitute a disaster.

true

True or False? After an organization recovers from a disastrous computer incident, if the root cause is not discovered and addressed, the chances of it occurring again are significant.

true

True or False? An MD5 hash taken when a computer drive is acquired is used to check for changes, alterations, or errors.

true (MD5 is still recorded for this purpose, but it is no longer collision resistant, so current practice records SHA-256 alongside or instead of it)
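
The acquisition-hash check, the collision definition earlier in this set, and the points that a changed timestamp alters a file and that one works from an image rather than the original drive all come together in one routine. The block below is an added example, not from the study set or its textbook: it hashes an image stream in fixed-size chunks with MD5 and SHA-256 together, re-verifies it, and shows a single flipped bit failing the check. The image bytes and the tamper offset are constructed for the illustration.

```python
"""Chunked hashing of a forensic image for acquisition integrity checks.

Added example (not from the course text). The image bytes and the tamper
offset are constructed here; in practice the stream is the acquired image file."""
import hashlib
import hmac
import io

CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte images


def hash_stream(stream, algorithms=("md5", "sha256")) -> dict[str, str]:
    """Hash a binary stream in one pass while feeding every requested algorithm.

    MD5 is still what many chain-of-custody forms ask for, but it is no longer
    collision resistant, so SHA-256 is computed alongside it in the same pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_stream(stream, acquisition_hashes: dict[str, str]) -> dict[str, bool]:
    """Re-hash the image and compare with the values recorded at acquisition."""
    actual = hash_stream(stream, tuple(acquisition_hashes))
    return {
        name: hmac.compare_digest(actual[name], acquisition_hashes[name])
        for name in acquisition_hashes
    }


def hash_bytes(data: bytes, algorithms=("md5", "sha256")) -> dict[str, str]:
    """Convenience wrapper for in-memory data (tests and small artefacts)."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_bytes(data: bytes, acquisition_hashes: dict[str, str]) -> dict[str, bool]:
    return verify_stream(io.BytesIO(data), acquisition_hashes)


def tamper_one_bit(image: bytes, offset: int = 1000) -> bytes:
    """Flip a single bit, e.g. one bit of a file's timestamp field."""
    altered = bytearray(image)
    altered[offset] ^= 0x01
    return bytes(altered)


# Constructed stand-in for an acquired disk image.
SAMPLE_IMAGE = b"EVIDENCE" * 4096

if __name__ == "__main__":
    acquired = hash_bytes(SAMPLE_IMAGE)
    print("acquisition:", acquired)
    print("untouched  :", verify_bytes(SAMPLE_IMAGE, acquired))
    print("1 bit off  :", verify_bytes(tamper_one_bit(SAMPLE_IMAGE), acquired))
```

Working copies are verified against these values before and after each examination session; because the original drive is never written to, any mismatch points at the copy, not at the evidence.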

True or False? Disk forensics includes both the recovery of hidden and deleted information and the process of identifying who created a file or message.

true

True or False? Email evidence would be useful for investigating cyberstalking but not a denial of service (DoS) attack.

true

True or False? End users generally cannot repair most physical damage to storage media, such as a hard disk.

true
