Chapter 1-7 End of Chapter Questions


Which of the following Linux system files contains hashed passwords for the local system? /var/log/syslog /etc/passwd /etc/shadow /var/log/dmesg

/etc/shadow

On most Linux systems, current user login information is in which of the following locations? /var/log/usr /var/run/utmp /var/log/dmesg /var/log/wmtp

/var/run/utmp

Clusters in Windows always begin numbering at what number? 1 2 3 4

2

What's the maximum file size when writing data to a FAT32 drive? 2 GB 3 GB 4 GB 6 GB

2 GB

In FAT32, a 123-KB file uses how many sectors? 123 185 246 255

246

How many sectors are typically in a cluster on a disk drive? 1 2 or more 4 or more 8 or more

4 or more

On a Windows system, sectors typically contain how many bytes? 256 512 1024 2048

512

Hard links are associated with which of the following? Dot notation A specific inode Hidden files An absolute path to a file

A specific inode

What are two concerns when acquiring data from a RAID server? Data transfer speeds and type of RAID Type of RAID and antivirus software Amount of data storage needed and type of RAID Split RAID and Redundant RAID

Amount of data storage needed and type of RAID

With remote acquisitions, what problems should you be aware of? Data transfer speeds Access permissions over the network Antivirus, antispyware, and firewall programs The password of the remote computer's user

Antivirus, antispyware, and firewall programs

How does macOS reduce file fragmentation? By using clumps By using 256 bit sectors By using clusters By using 128 bit sectors

By using clumps

Which of the following is a new file added in macOS? /var/db/diagnostics /var/db/uuid.text Either of the above None of the above

Either of the above

Which forensics tools can connect to a suspect's remote computer and run surreptitiously? ddfldd and ProDiscover Incident Response EnCase Enterprise and ProDiscover Incident Response dd and ddfldd dd and EnCase Enterprise

EnCase Enterprise and ProDiscover Incident Response

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive. dd and Expert Witness dd and EnCase X-Ways Forensics and dd EnCase and X-Ways Forensics

EnCase and X-Ways Forensics

Of all the proprietary formats, which one is the unofficial standard? Expert Witness AFF Uncompress dd Segmented dd

Expert Witness

T or F. BIOS boot firmware was developed to provide better protection against malware than EFI does.

False

T or F. FTK Imager can acquire data in a drive's host protected area.

False

T or F. In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. So, the following dcfldd command is correct: dcfldd if=image_file.img of=/dev/hda1

False

T or F. Slower data transfer speeds and dealing with minor data errors are two disadvantages of the raw format.

False

T or F. When determining which data acquisition method to use, you should not consider how long the acquisition will take.

False

T or F. Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible.

False

T or F. Linux is the only OS that has a kernel.

False

EFS can encrypt which of the following? Files, folders, and volumes Certificates and private keys The global Registry Network servers

Files, folders, and volumes

What does a sparse acquisition collect for an investigation? Only specific files of interest to the case Fragments of unallocated data in addition to the logical allocated data Only the logical allocated data Only fragments of unallocated data

Fragments of unallocated data in addition to the logical allocated data

What does the Ntuser.dat file contain? File and directory names Starting cluster numbers File attributes MRU files list

MRU files list

Which of the following describes the superblock's function in the Linux file system? Contains links between inodes Manages the file system, including configuration information Stores bootstrap code All of the above

Manages the file system, including configuration information

Which of the following Windows 8 files contains user-specific information? User.dat Ntuser.dat System.dat SAM.dat

Ntuser.dat

Areal density refers to which of the following? Number of bits per disk Number of bits per partition Number of bits per square inch of a disk platter Number of bits per platter

Number of bits per square inch of a disk platter

Name the three formats for digital forensics data acquisitions. Raw, AICIS, and AFF EnCase format, Raw, and dd Raw format, proprietary formats, and AFF dd, Raw, and AFF

Raw format, proprietary formats, and AFF

Which of the following certifies when an OS meets UNIX requirements? UNIX Users Group The Open Group IEEE SUSE Group

The Open Group

What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? The file can no longer be encrypted. EFS protection is maintained on the file. The file is unencrypted automatically. Only the owner of the file can continue to access it.

The file is unencrypted automatically.

Why is it a good practice to make two images of a suspect drive in a critical investigation? To speed up the process To have one compressed and one uncompressed copy To ensure at least one good copy of the forensically collected data in case of any failures None of the above

To ensure at least one good copy of the forensically collected data in case of any failures

T or F. A hashing algorithm is a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk.

True

T or F. A logical acquisition collects only specific files of interest to the case.

True

T or F. A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT.

True

T or F. An image of a suspect drive can be loaded on a virtual machine.

True

T or F. CHS stands for cylinders, heads, and sectors.

True

T or F. Commonly, proprietary format acquisition files can compress the acquisition data and segment acquisition output files into smaller volumes.

True

T or F. Data blocks contain actual files and directories and are linked directly to inodes.

True

T or F. Device drivers contain instructions for the OS on how to interface with hardware devices.

True

T or F. FTK Imager requires that you use a device such as a USB dongle for licensing.

True

T or F. File and directory names are some of the items stored in the FAT database.

True

T or F. Hard links work in only one partition or volume.

True

T or F. In NTFS, files smaller than 512 bytes are stored in the MFT.

True

T or F. MFT stands for Master File Table.

True

T or F. The Disk Arbitration feature in macOS is used to disable and enable automatic mounting when a drive is connected via a USB or FireWire device.

True

T or F. The data fork stores a file's actual data, and the resource fork contains file metadata and application information.

True

T or F. The main goal of a static acquisition is the preservation of digital evidence.

True

T or F. With newer Linux kernel distributions, USB devices are automatically mounted, which can alter data on them.

True

T or F. The Linux Ext4 file system added support for partitions larger than 16 TB.

True

What is the space on a drive called when a file is deleted? Disk space Unallocated space Drive space None of the above

Unallocated space

List two features NTFS has that FAT does not. MRU records and file attributes Master File Table and MRU records Unicode characters and better security MRU records and less fragmentation

Unicode characters and better security

What's the most critical aspect of digital evidence? Compression Redundancy Contingency Validation

Validation

Which of the following is the main challenge in acquiring an image of a system running macOS? Vendor training is needed. The macOS is incompatible with most write-blockers. Most commercial software doesn't support macOS. None of the above

Vendor training is needed.

Virtual machines have which of the following limitations when running on a host computer? Internet connectivity is restricted to virtual Web sites. Applications can be run on the virtual machine only if they're resident on the physical machine. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. Virtual machines can run only OSs that are older than the physical machine's OS.

Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.

Which of the following describes plist files? You must have a special editor to view them. They require special installers. They're found only in Linux file systems. None of the above

You must have a special editor to view them.

Large digital forensics labs should have at least ________ exits. a. 2 b. 5 c. 4 d. 7

a. 2

When validating the results of a forensic analysis, you should do which of the following? a. Calculate the hash value with two different tools. b. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. c. Use a command-line tool and then a GUI tool. d. None of the above

a. Calculate the hash value with two different tools.

If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? a. Coordinate with the HAZMAT team. b. Determine a way to obtain the suspect's computer. c. Assume the suspect's computer is contaminated. d. Do not enter alone.

a. Coordinate with the HAZMAT team.

The standards for testing forensics tools are based on which criteria? a. ISO 17025 b. ASTD 1975 c. U.S. Title 18 d. All of the above

a. ISO 17025

Why is professional conduct important? a. It includes ethics, morals, and standards of behavior b. It saves a company from using warning banners c. It helps with an investigation d. All of the above

a. It includes ethics, morals, and standards of behavior

List two hashing algorithms commonly used for forensic purposes. a. MD5 and SHA-1 b. MD5 and AES c. RSA and RC5 d. AES and SHA-2

a. MD5 and SHA-1

What is one of the necessary components of a search warrant? a. Signature of an impartial judicial officer b. Professional ethics c. Standards of behavior d. Professional codes

a. Signature of an impartial judicial officer

According to ISO standard 27037, which of the following is an important factor in data acquisition? a. The DEFR's competency b. The DEFR's skills in using the command line c. Conditions at the acquisition setting d. None of the above

a. The DEFR's competency

An employer can be held liable for e-mail harassment. a. True b. False

a. True

An encrypted drive is one reason to choose a logical acquisition. a. True b. False

a. True

Data viewing, keyword searching, and decompressing are three subfunctions of the extraction function. a. True b. False

a. True

For digital evidence, an evidence bag is typically made of antistatic material. a. True b. False

a. True

The primary hashing algorithm the NSRL project uses is SHA-1. a. True b. False

a. True

Hashing, filtering, and file header analysis make up which function of digital forensics tools? a. Validation and verification b. Acquisition c. Extraction d. Reconstruction

a. Validation and verification

The triad of computing security includes which of the following? a. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation b. Vulnerability assessment, intrusion response, and monitoring c. Vulnerability assessment, detection, and monitoring d. Detection, response, and monitoring

a. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation

As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? a. You begin to take orders from a police detective without a warrant or subpoena. b. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. c. Your internal investigation begins. d. None of the above.

a. You begin to take orders from a police detective without a warrant or subpoena.

What do you call a list of people who have had physical possession of the evidence? a. chain of custody b. evidence log c. evidence record d. affidavit

a. chain of custody

Which of the following techniques might be used in covert surveillance (Choose All That Apply)? a. keylogging b. data sniffing c. network logs d. all of the above

a. keylogging and b. data sniffing

Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? a. most companies keep inventory databases of all hardware and software used b. the investigator doesn't have to get a warrant c. the investigator has to get a warrant d. users can load whatever they want on their machines

a. most companies keep inventory databases of all hardware and software used

Commingling evidence means that sensitive or confidential information is mixed with data collected as evidence. a. true b. false

a. true

Computer peripherals or attachments can contain DNA evidence. a. true b. false

a. true

Embezzlement is a type of digital investigation typically conducted in a business environment. a. true b. false

a. true

If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. a. true b. false

a. true

If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. a. true b. false

a. true

In forensic hashes, a collision occurs when two different files have the same hash value. a. true b. false

a. true

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. a. true b. false

a. true

One way to determine the resources needed for an investigation is to base them on the OS of the suspect computer and list the software needed for the examination. a. true b. false

a. true

The purpose of maintaining a network of digital forensics specialists is to develop a list of colleagues who specialize in areas different from your own specialties in case you need help on an investigation. a. true b. false

a. true

You should videotape or sketch anything at a digital crime scene that might be of interest to the investigation. a. true b. false

a. true

Your business plan should include physical security items. a. true b. false

a. true

Which organization has guidelines on how to operate a digital forensics lab? a. NISPOM b. ANAB c. TEMPEST d. SCADA

b. ANAB

List three items that should be on an evidence custody form. a. Name of the investigator, affidavit and name of the judge assigned to the case b. Case number, name of the investigator and nature of the case c. Description of the evidence, location of the evidence and search warrant d. Affidavit, search warrant, and description of the evidence

b. Case number, name of the investigator and nature of the case

A live acquisition can be replicated. a. True b. False

b. False

Building a forensic workstation is more expensive than purchasing one. a. True b. False

b. False

Digital forensics and data recovery refer to the same activities. a. True b. False

b. False

Evidence storage containers should have several master keys. a. True b. False

b. False

Hardware acquisition tools typically have built-in software for data analysis. a. True b. False

b. False

The ANAB mandates the procedures established for a digital forensics lab. a. True b. False

b. False

Police in the United States must use procedures that adhere to which of the following? a. third amendment b. Fourth Amendment c. First Amendment d. None of the above

b. Fourth Amendment

What term refers to labs constructed to shield EMR emissions? a. ASQ b. TEMPEST c. NISPOM d. SCADA

b. TEMPEST

Which of the following is true of most drive-imaging tools? a. They perform the same function as a backup. b. They ensure that the original drive doesn't become corrupt and damage the digital evidence. c. They must be run from the command line. d. All of the above

b. They ensure that the original drive doesn't become corrupt and damage the digital evidence.

Why should you do a standard risk assessment to prepare for an investigation? a. To discuss the case with the opposing counsel b. To list problems that might happen when conducting an investigation c. To obtain a search warrant d. To obtain an affidavit

b. To list problems that might happen when conducting an investigation

Why should evidence media be write-protected? a. To make image files smaller in size b. To make sure data isn't altered c. To speed up the imaging process d. To comply with industry standards

b. To make sure data isn't altered

What's the purpose of an affidavit? a. To list problems that might happen when conducting an investigation b. To provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant c. To determine the OS of the suspect computer and list the software needed for the examination d. To specify who, what, when, and where—that is, specifics on place, time, items being searched for, and so forth

b. To provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant

A forensic workstation should always have a direct broadband connection to the Internet. a. true b. false

b. false

A warning banner should never state that the organization has the right to monitor what users do. a. true b. false

b. false

ASQ and ANAB are two popular certification programs for digital forensics. a. true b. false

b. false

An initial-response field kit does not contain evidence bags. a. true b. false

b. false

Data can't be written to disk with a command-line tool. a. true b. false

b. false

Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. a. true b. false

b. false

Digital forensics facilities always have windows. a. true b. false

b. false

If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. a. true b. false

b. false

In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. a. true b. false

b. false

Small companies rarely need investigators. a. true b. false

b. false

The plain view doctrine in computer searches is well-established law. a. true b. false

b. false

Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. a. true b. false

b. false

When using a write-blocking device, you can't remove and reconnect drives without having to shut down your workstation. a. true b. false

b. false

You should always answer questions from onlookers at a crime scene. a. true b. false

b. false

You should always prove the allegations made by the person who hired you. a. true b. false

b. false

You shouldn't include a narrative of what steps you took in your case report. a. true b. false

b. false

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you? a. extensive response kit b. initial response kit c. lightweight kit d. car crash kit

b. initial response kit

What are the three rules for a forensic hash? a. Fast, reliable, and the hash value should be at least 2048 bits b. Produce collisions, should be at least 2048 bits, and it can't be predicted c. It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes d. It can be predicted, fast and reliable

c. It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes

Which organization provides good information on safe storage containers? a. ASCLD b. ASQ c. NISPOM d. TEMPEST

c. NISPOM

The verification function does which of the following? a. Proves that a tool performs as intended b. Creates segmented files c. Proves that two sets of data are identical via hash values d. Verifies hex editors

c. Proves that two sets of data are identical via hash values

To determine the types of operating systems needed in your lab, list two sources of information you could use. a. ANAB and IACIS b. EnCE and ACE c. Uniform Crime Report statistics and a list of cases handled in your area d. Local police reports and ISFCE reports

c. Uniform Crime Report statistics and a list of cases handled in your area

A log report in forensics tools does which of the following? a. tracks file types b. monitors network intrusion attempts c. records an investigator's actions in examining a case d. lists known good files

c. records an investigator's actions in examining a case

Building a business case can involve which of the following? a. Procedures for gathering evidence b. Testing software c. Protecting trade secrets d. All of the above

d. All of the above

The reconstruction function is needed for which of the following purposes? a. Re-create a suspect drive to show what happened. b. Create a copy of a drive for other investigators. c. Re-create a drive compromised by malware. d. All of the above

d. All of the above

Policies can address rules for which of the following? a. The Internet sites you can or can't access b. When you can log on to a company network from home c. The amount of personal e-mail you can send d. Any of the above

d. Any of the above

Forensics software tools are grouped into ______ and ______ applications. a. mobile, pc b. portable, desktop c. local, remote d. GUI, command-line

d. GUI, command-line

Why is physical security so critical for digital forensics labs? a. To ensure continuous funding b. To make sure unwanted data isn't retained on the drive c. To protect trade secrets d. To prevent data from being lost, corrupted, or stolen

d. To prevent data from being lost, corrupted, or stolen

Hash values are used for which of the following purposes? a. Determining file size b. Filling disk slack c. Reconstructing file fragments d. Validating that the original data hasn't changed

d. Validating that the original data hasn't changed

The manager of a digital forensics lab is responsible for which of the following? a. ensuring that staff members have enough training to do the job b. knowing the lab objectives c. making necessary changes in lab procedures and software d. all of the above

d. all of the above

Before enlisting in a certification program, thoroughly research the requirements, ________, and acceptability in your area of employment. a. business hours b. number of students c. location d. cost

d. cost

Typically, a(n) ________ lab has a separate storage area or room for evidence. a. federal b. research c. state d. regional

d. regional

Why should you critique your case after it's finished? a. To list problems that might happen when conducting an investigation b. To maintain professional conduct c. To maintain chain of custody d. To improve your work

d. To improve your work

When you arrive at the scene, why should you extract only those items you need to acquire evidence? a. To conceal trade secrets b. To preserve your physical security c. To speed up the acquisition process d. To minimize how much you have to keep track of at the scene

d. To minimize how much you have to keep track of at the scene

In the Linux dcfldd command, which three options are used for validating data? hash, hashlog, and vf h, hl, and vf hash, log, and hashlog vf, of, and vv

hash, hashlog, and vf

To recover a password in macOS, which tool do you use? PRTK Password Access Finder Keychain Access

Keychain Access

In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive? 5% 10% 15% None of the above

None of the above

In Linux, which of the following is the home directory for the superuser? super /home/superuser home root

root
