Chapters 5-9: Computer Forensics and Investigations


In NTFS, files smaller than 512 bytes are stored in the MFT. True or False

True

List two features NTFS has that FAT does not.

Unicode file names, security (file and folder permissions), and journaling.

Building a forensic workstation is more expensive than purchasing one. True or False?

False

Device drivers contain what kind of information?

Instructions for the OS on how to interface with hardware devices.

Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or False?

True

The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False?

True

When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False?

True

When viewing a file header, you need to include hexadecimal information to view the image. True or False?

True

Hashing, filtering, and file header analysis make up which function of digital forensics tools?

Validation and discrimination

A live acquisition can be replicated. True or False?

False

Clusters in Windows always begin numbering at what number?

2

In FAT32, a 123 KB file uses how many sectors?

246 sectors. 123 KB x 1,024 bytes per KB = 125,952 bytes in the file. 125,952 bytes / 512 bytes per sector = 246 sectors. (The number of clusters the file occupies depends on the volume's cluster size; any unused part of the last cluster is file slack.)
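As an added example (not from the textbook or the flashcard set), the arithmetic above generalised to any file size and cluster size, so that the cluster count and the resulting file slack are computed as well. It assumes 512-byte sectors and a default of 8 sectors per cluster (a 4 KB cluster); both are assumptions chosen for the demo, not values stated on this page.

```python
# Added example: map a file's logical size onto sectors and clusters and
# compute the file slack left in the last cluster. Sector size (512 bytes)
# and the default sectors-per-cluster value (8) are assumptions for the demo.

SECTOR_BYTES = 512

def allocation(file_size_bytes, sectors_per_cluster=8, sector_bytes=SECTOR_BYTES):
    """Return (sectors_used, clusters_used, slack_bytes) for a file of the
    given logical size on a FAT-style volume with fixed-size clusters.

    Clusters are the allocation unit, so even a tiny file consumes a whole
    cluster; the unused tail of the last cluster is file slack and can still
    hold remnants of whatever previously occupied those sectors.
    """
    if file_size_bytes < 0:
        raise ValueError("file size must be non-negative")
    cluster_bytes = sectors_per_cluster * sector_bytes
    # ceiling division: a partially filled sector or cluster still counts
    sectors_used = -(-file_size_bytes // sector_bytes)
    clusters_used = -(-file_size_bytes // cluster_bytes)
    slack_bytes = clusters_used * cluster_bytes - file_size_bytes
    return sectors_used, clusters_used, slack_bytes

def kb(n):
    """Kilobytes in the textbook's sense: 1 KB = 1,024 bytes."""
    return n * 1024

if __name__ == "__main__":
    # The worked case from the question: a 123 KB file.
    sectors, clusters, slack = allocation(kb(123), sectors_per_cluster=8)
    print(f"123 KB = {kb(123):,} bytes -> {sectors} sectors, "
          f"{clusters} clusters of 4 KB, {slack} bytes of file slack")
```

With 4 KB clusters the 123 KB file needs 31 clusters, not 30.75, and the last one carries 1,024 bytes of slack that a forensic tool would still examine.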

How many sectors are typically in a cluster on a disk drive?

4 or more

On a Windows system, sectors typically contain how many bytes?

512

What methods do steganography programs use to hide data in graphics files? (Choose all that apply.) A. Insertion B. Substitution C. Masking D. Carving

A. Insertion and B. Substitution

Rainbow tables serve what purpose for digital forensics examinations? a. Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords. b. Rainbow tables are a supplement to the NIST NSRL library of hash tables. c. Rainbow tables are designed to enhance the search capability of many digital forensics examination tools. d. Rainbow tables provide a scoring system for probable search terms.

A. Rainbow tables contain computed hashes of possible passwords that some password recovery programs can use to crack passwords

Digital pictures use data compression to accomplish which of the following goals? (Choose all that apply.) A. Save space on a hard drive. B. Provide a crisp and clear image. C. Eliminate redundant data. D. Produce a file that can be e-mailed or posted on the Internet.

A. Save space on a hard drive and D. Produce a file that can be e-mailed or posted on the Internet

The National Software Reference Library provides what type of resource for digital forensics examiners? a. A list of digital forensics tools that make examinations easier b. A list of MD5 and SHA1 hash values for all known OSs and applications c. Reference books and materials for digital forensics d. A repository for software vendors to register their developed applications

B. A list of MD5 and SHA1 hash values for all known OSs and applications

Which of the following represents known files you can eliminate from an investigation? (Choose all that apply.) A. Any graphics files B. Files associated with an application C. System files the OS uses D. Any files pertaining to the company

B. Files associated with an application and C. System files the OS uses

Some clues left on a drive that might indicate steganography include which of the following? (Choose all that apply.) A. Multiple copies of a graphics file B. Graphics files with the same name but different file sizes C. Steganography programs in the suspect's All Programs list D. Graphics files with different timestamps

A. Multiple copies of a graphics file, B. Graphics files with the same name but different file sizes, and C. Steganography programs in the suspect's All Programs list

Steganography is used for which of the following purposes? A. Validating data B. Hiding data C. Accessing remote computers D. Creating strong passwords

B. Hiding data

What methods are used for digital watermarking? (Choose all that apply.) A. Implanted subroutines that link to a central Web server automatically when the watermarked file is accessed B. Invisible modification of the LSBs in the file C. Layering visible symbols on top of the image D. Using a hex editor to alter the image data

B. Invisible modification of the LSBs in the file and C. Layering visible symbols on top of the image
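As an added example (not from the textbook), the LSB substitution technique behind both invisible watermarks and steganographic hiding, covering the insertion/substitution and watermarking questions above. The cover "image" is a constructed list of 8-bit sample values rather than a real graphics file; the 4-byte length prefix is a design choice for the demo, not a standard.

```python
# Added example: least-significant-bit (LSB) substitution in 8-bit samples.
# The cover samples are constructed; no real image format is involved.

def embed_lsb(samples, payload):
    """Replace the LSB of successive samples with the payload's bits.

    The payload is prefixed with its 4-byte big-endian length so the
    extractor knows where to stop. Changing only bit 0 alters each sample
    by at most 1, which is visually imperceptible in a photo but leaves a
    statistical fingerprint, which is what steganalysis tools look for.
    """
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]
    if len(bits) > len(samples):
        raise ValueError(f"cover holds {len(samples)} bits, payload needs {len(bits)}")
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out

def extract_lsb(samples):
    """Reassemble the length-prefixed payload from the sample LSBs."""
    def read_bytes(start, count):
        value = 0
        for i in range(start, start + count * 8):
            value = (value << 1) | (samples[i] & 1)
        return value.to_bytes(count, "big")
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)

def max_abs_change(cover, stego):
    """Largest per-sample difference; LSB substitution never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed cover: 400 pseudo-pixel values, enough for a short payload.
COVER = [(i * 37 + 11) % 256 for i in range(400)]

if __name__ == "__main__":
    stego = embed_lsb(COVER, b"hidden")
    print(extract_lsb(stego))              # b'hidden'
    print(max_abs_change(COVER, stego))    # 1
```

The same routine with a visible watermark would instead overwrite whole sample values in a region, which is why the two watermarking methods in the question differ in detectability: LSB changes survive casual viewing, overlaid symbols do not.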

A JPEG file uses which type of compression? A. WinZip B. Lossy C. Lzip D. Lossless

B. Lossy

If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords? a. There are no concerns because salting doesn't affect password-recovery tools. b. Salting can make password recovery extremely difficult and time consuming. c. Salting applies only to OS startup passwords, so there are no serious concerns for examiners. d. The effect on the computer's CMOS clock could alter files' date and time values.

B. Salting can make password recovery extremely difficult and time consuming
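As an added example (not from the textbook), why a precomputed hash table breaks unsalted password hashes instantly but gives no head start against salted ones. This serves both the rainbow-table question and the salting question above. A real rainbow table uses hash/reduce chains as a time-memory trade-off; the demo reduces that to a plain lookup table, which is enough to show the effect of the salt. The candidate passwords and salts are constructed for the demo, and SHA-256 is an arbitrary choice.

```python
# Added example: precomputed hash lookup versus per-user salting.
# Candidate list and salts are constructed; the hash function is arbitrary.

import hashlib
import os

CANDIDATES = ["password", "letmein", "Summer2019", "forensics1", "qwerty"]

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_table(candidates):
    """Precompute hash -> plaintext once; the cost is amortised over every
    hash later attacked, which is the whole point of a rainbow table."""
    return {h(p.encode()): p for p in candidates}

def lookup(table, digest):
    """O(1) recovery when the target hash was computed without a salt."""
    return table.get(digest)

def salted_hash(password, salt: bytes):
    return h(salt + password.encode())

def crack_salted(candidates, salt, digest):
    """With a per-user salt the table would have to be rebuilt for that salt,
    so every candidate is rehashed for every target: no precomputation
    benefit, which is why salting makes recovery slow and expensive."""
    for p in candidates:
        if salted_hash(p, salt) == digest:
            return p
    return None

TABLE = build_table(CANDIDATES)

if __name__ == "__main__":
    unsalted = h(b"letmein")
    print(lookup(TABLE, unsalted))                  # letmein
    salt = os.urandom(16)
    salted = salted_hash("letmein", salt)
    print(lookup(TABLE, salted))                    # None: the table does not apply
    print(crack_salted(CANDIDATES, salt, salted))   # letmein, but only by rehashing
```

In practice the examiner's concern is the second path: recovery is still possible, but the work is linear in the candidate set for every salted hash, and a slow hash such as bcrypt or PBKDF2 multiplies that cost further.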

You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information? A. The disk is corrupted. B. There's a hidden partition. C. Nothing; this is what you'd expect to see. D. The drive is formatted incorrectly.

B. There's a hidden partition

Which of the following is true of most drive-imaging tools? (Choose all that apply.) A. They perform the same function as a backup. B. They ensure that the original drive doesn't become corrupt and damage the digital evidence. C. They create a copy of the original drive. D. They must be run from the command line.

B. They ensure that the original drive doesn't become corrupt and damage the digital evidence and C. They create a copy of the original drive

Which of the following is true about JPEG and TIF files? A. They have identical values for the first 2 bytes of their file headers. B. They have different values for the first 2 bytes of their file headers. C. They differ from other graphics files because their file headers contain more bits. D. They differ from other graphics files because their file headers contain fewer bits.

B. They have different values for the first 2 bytes of their file headers

When validating the results of a forensic analysis, you should do which of the following? (Choose all that apply.) A. Calculate the hash value with two different tools. B. Use a different tool to compare the results of evidence you find. C. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. D. Use a command-line tool and then a GUI tool.

A. Calculate the hash value with two different tools and B. Use a different tool to compare the results of evidence you find

Virtual machines have which of the following limitations when running on a host computer? a. Internet connectivity is restricted to virtual Web sites b. Applications can be run on the virtual machine only if they're resident on the physical machine c. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices d. Virtual machines can run only OS's that are older than the physical machine's OS

b. Applications can be run on the virtual machine only if they're resident on the physical machine, and c. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices

Which forensic image file format creates or incorporates a validation hash value in the image file? (Choose all that apply.) a. Expert Witness b. SMART c. AFF d. dd

a. Expert Witness, b. SMART, and c. AFF

The standards for testing forensics tools are based on which criteria? A. U.S. Title 18 B. ASTD 1975 C. ISO 17025 D. All of the above

C. ISO 17025

Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation? A. Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly B. Criminal investigation because law enforcement agencies have more resources at their disposal C. Internal corporate investigation because corporate investigators typically have ready access to company records D. Internal corporate investigation because ISPs almost always turn over e-mail and access logs when requested by a large corporation

C. Internal corporate investigation because corporate investigators typically have ready access to company records

In JPEG files, what's the starting offset position for the JFIF label? A. Offset 0 B. Offset 2 C. Offset 6 D. Offset 4

C. Offset 6

The verification function does which of the following? A. Proves that a tool performs as intended B. Creates segmented files C. Proves that two sets of data are identical via hash values D. Verifies hex editors

C. Proves that two sets of data are identical via hash values

When you carve a graphics file, recovering the image depends on which of the following skills? A. Recovering the image from a tape backup B. Recognizing the pattern of the data content C. Recognizing the pattern of the file header content D. Recognizing the pattern of a corrupt file

C. Recognizing the pattern of the file header content
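As an added example (not from the textbook), file-header analysis and header-based carving in code, covering the JPEG/TIF header question, the JFIF offset question, the carving question above, and the "unknown format" question later on the page (the signature table is the lookup an examiner would otherwise do by hand in a hex editor). The signatures are the real ones for these formats; the raw stream the carver runs over is constructed from minimal JPEG-shaped shells that are not decodable images.

```python
# Added example: identify graphics files by header bytes and carve JPEGs
# from a raw byte stream. Signatures are real; the sample stream is constructed.

SIGNATURES = {
    "JPEG": (0, b"\xFF\xD8\xFF"),
    "PNG":  (0, b"\x89PNG\r\n\x1a\n"),
    "GIF":  (0, b"GIF8"),
    "BMP":  (0, b"BM"),
    "TIFF (little-endian)": (0, b"II*\x00"),
    "TIFF (big-endian)":    (0, b"MM\x00*"),
}

def identify(data: bytes):
    """Return the format whose signature matches at its offset, else None.

    JPEG and TIFF already differ in their first two bytes (FF D8 versus
    49 49 or 4D 4D), so a hex view of the header is enough to tell them apart.
    """
    for name, (offset, magic) in SIGNATURES.items():
        if data[offset:offset + len(magic)] == magic:
            return name
    return None

def jpeg_app0_label(data: bytes):
    """The JFIF (or Exif) identifier starts at offset 6: after SOI (2 bytes),
    the APPn marker (2 bytes) and the segment length (2 bytes)."""
    if identify(data) != "JPEG":
        return None
    label = data[6:11]
    if label == b"JFIF\x00":
        return "JFIF"
    if label == b"Exif\x00":
        return "Exif"
    return None

def carve_jpegs(blob: bytes):
    """Carve JPEG candidates from each SOI (FF D8 FF) to the next EOI (FF D9).
    Recovery relies on recognising the header pattern, not on file system
    metadata, so it works on unallocated space or a raw dump. A stream with
    a header but no trailer yields nothing for that candidate."""
    found = []
    start = blob.find(b"\xFF\xD8\xFF")
    while start != -1:
        end = blob.find(b"\xFF\xD9", start + 3)
        if end == -1:
            break
        found.append(blob[start:end + 2])
        start = blob.find(b"\xFF\xD8\xFF", end + 2)
    return found

# Constructed raw dump: junk, a JFIF-labelled JPEG shell, junk, an Exif-labelled shell.
JFIF_SHELL = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 20 + b"\xFF\xD9"
EXIF_SHELL = b"\xFF\xD8\xFF\xE1\x00\x16Exif\x00\x00MM\x00*" + b"\x00" * 8 + b"\xFF\xD9"
RAW_DUMP = b"\x00" * 64 + JFIF_SHELL + b"garbage" * 5 + EXIF_SHELL + b"\xFF" * 8

if __name__ == "__main__":
    for candidate in carve_jpegs(RAW_DUMP):
        print(identify(candidate), jpeg_app0_label(candidate), len(candidate))
```

Note the caveat built into the carver: an embedded thumbnail or a fragmented file can put an FF D9 before the real end of the image, so a production tool validates the carved segment structure rather than trusting the first trailer it sees.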

A log report in forensics tools does which of the following? A. Tracks file types B. Monitors network intrusion attempts C. Records an investigator's actions in examining a case D. Lists known good files

C. Records an investigator's actions in examining a case

In steganalysis, cover-media is which of the following? A. The content of a file used for a steganography message B. The type of steganographic method used to conceal a message C. The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file D. A specific type of graphics file used only for hashing steganographic files

C. The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file

According to ISO standard 27037, which of the following is an important factor in data acquisitions? A. The DEFR's competency B. The DEFR's skills in using the command line C. Use of validated tools D. Conditions at the acquisition setting

A. The DEFR's competency and C. Use of validated tools

Forensics software tools are grouped into what categories?

Command line and GUI applications

What does CHS stand for?

Cylinders, Heads, Sectors

For which of the following reasons should you wipe a target drive? A. To ensure the quality of digital evidence you acquire B. To make sure unwanted data isn't retained on the drive C. Neither of the above D. Both a and b

D. Both a and b

Bitmap (.bmp) files use which of the following types of compression? A. WinZip B. Lossy C. Lzip D. Lossless

D. Lossless

Block-wise hashing has which of the following benefits for forensics examiners? A. Allows validating sector comparisons between known files B. Provides a faster way to shift bits in a block or sector of data C. Verifies the quality of OS files D. Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive

D. Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive

The reconstruction function is needed for which of the following purposes? A. Re-create a suspect drive to show what happened. B. Create a copy of a drive for other investigators. C. Recover file headers. D. Re-create a drive compromised by malware.

B. Create a copy of a drive for other investigators and D. Re-create a drive compromised by malware

Hash values are used for which of the following purposes? A. Determining file size B. Filtering known good files from potentially suspicious data C. Reconstructing file fragments D. Validating that the original data hasn't changed

B. Filtering known good files from potentially suspicious data and D. Validating that the original data hasn't changed
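As an added example (not from the textbook), block-wise hashing as described in the question above, alongside the whole-file hash used for validation. Every 512-byte sector of a known file is hashed, and a suspect image is then scanned sector by sector for matches, which finds remnants of the file even after deletion or partial overwrite. The known file and the suspect image are constructed; SHA-1 is used because it is the NSRL's primary hash, but any hash would do.

```python
# Added example: block-wise (sector) hashing to find remnants of a known file.
# The known file and the suspect image are constructed for the demo.

import hashlib

SECTOR = 512

def sector_hashes(data: bytes, sector=SECTOR):
    """Map SHA-1 of each full sector -> index of that sector in the known file.
    A trailing partial sector is skipped: on disk its hash depends on
    whatever padding fills the rest of the sector, so it cannot be matched."""
    table = {}
    for idx in range(len(data) // sector):
        chunk = data[idx * sector:(idx + 1) * sector]
        table.setdefault(hashlib.sha1(chunk).hexdigest(), idx)
    return table

def find_remnants(image: bytes, known_table, sector=SECTOR):
    """Return (image_sector, known_sector) for every aligned image sector
    whose hash appears in the known file's table."""
    hits = []
    for idx in range(len(image) // sector):
        chunk = image[idx * sector:(idx + 1) * sector]
        digest = hashlib.sha1(chunk).hexdigest()
        if digest in known_table:
            hits.append((idx, known_table[digest]))
    return hits

def file_hash(data: bytes):
    """Whole-file hash: the validation use. Any changed byte changes it, which
    also means a partially overwritten remnant never matches this way; that
    is the gap block-wise hashing closes."""
    return hashlib.sha256(data).hexdigest()

# Constructed known file: four distinct 512-byte sectors (A, B, C, D).
KNOWN = b"".join(bytes([n]) * SECTOR for n in (0x41, 0x42, 0x43, 0x44))
# Constructed suspect image: three unrelated sectors, then known sectors 1 and 2
# intact, then known sector 3 with its first byte overwritten, then filler.
IMAGE = (b"\x00" * (3 * SECTOR)
         + KNOWN[SECTOR:3 * SECTOR]
         + b"\xCC" + KNOWN[3 * SECTOR + 1:]
         + b"\xFF" * SECTOR)

if __name__ == "__main__":
    table = sector_hashes(KNOWN)
    print(find_remnants(IMAGE, table))            # [(3, 1), (4, 2)]
    print(file_hash(KNOWN) == file_hash(IMAGE))   # False
```

The scan is sector-aligned, so a remnant that starts mid-sector (for example after a copy with a different cluster layout) is missed; tools that need that case slide the window one byte at a time at a much higher cost.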

The process of converting raw images to another format is called which of the following? A. Data conversion B. Transmogrification C. Transfiguring D. Demosaicing

D. Demosaicing

List three subfunctions of the extraction function

Data viewing, keyword searching, bookmarking, decompressing, decryption, and carving

Password recovery is included in all forensics tools. True or False?

False

A JPEG file is an example of a vector graphic. True or False?

False

Copyright laws don't apply to Web sites. True or False?

False

Data can't be written to the disk with a command-line tool. True or False?

False

Graphics files stored on a computer can't be recovered after they are deleted. True or False?

False

Hardware acquisition tools typically have built-in software for data analysis. True or False?

False

In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False?

False

Only one file format can compress graphics files. True or False?

False

The primary hashing algorithm the NSRL project uses is SHA-1. True or False?

True

When investigating graphics files, you should convert them into one standard format. True or False?

False

Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True or False?

True

List three items stored in FAT database.

File attribute, date and time stamps, and starting cluster numbers

What is the space on a drive called when a file is deleted?

Unallocated space (also called free space); the clusters are marked as available for reuse, but the file's data remains there until it is overwritten.

What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?

It can be connected and disconnected without shutting down the workstation.

What's a virtual cluster number?

It represents the assigned clusters of files that are nonresident in the MFT.

Commercial encryption programs often rely on ________ technology to recover files if a password or passphrase is lost.

Key escrow

Explain how to identify an unknown graphics file format that your digital forensics tool doesn't recognize.

Examine the file's header bytes in a hex editor and look up those hex values in a file-signature reference or online, or check whether other files on the suspect's computer share the same header values.

What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?

Lossless

What does MFT stand for?

Master File Table

In windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?

None. Windows 7 and later zero-fill the RAM slack (the unused part of the last sector) instead of writing RAM contents to it.

Which of the following windows files contains user specific information? a. User.dat b. Ntuser.dat c. System.dat d. SAM.dat

Ntuser.dat

Areal density refers to which of the following?

Number of bits per square inch of a disk platter

_______ happens when an investigation goes beyond the bounds of its original description.

Scope Creep

Why was EFI boot firmware developed?

To provide better protection against malware than the BIOS

An encrypted drive is one reason to choose a logical acquisition. True or False?

True

An image of a suspect drive can be loaded on a virtual machine. True or false?

True

What does the Ntuser.dat file contain?

A user's protected storage area; it contains the most recently used (MRU) file list and the user's settings.

EFS can encrypt which of the following? a. Files, folders, and volumes b. Certificates and private keys c. The global Registry d. Network Servers

a. Files, folders, and volumes
