CIS 230 Exam Chapters 1 - 5


The most common and flexible data-acquisition method is ________ . a.) Disk-to-network copy b.) Disk-to-image file copy c.) Sparse data copy d.) Disk-to-disk copy

b.) Disk-to-image file copy

In general, a criminal case follows three stages: the complaint, the investigation, and this. a.) allegation b.) litigation c.) blotter d.) prosecution

d.) prosecution

The unused space between partitions is called the unallocated gap.

False

Image files can be reduced by as much as ____% of the original. a.) 50 b.) 15 c.) 25 d.) 30

a.) 50

The first rule for all digital investigations is to: a.) Make a forensic copy using your forensic workstation b.) Preserve the evidence c.) Investigate the data you recover d.) Critique your case

b.) Preserve the evidence

Defense contractors during the Cold War were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ___________ . a.) NISPOM b.) TEMPEST c.) EMR d.) RAID

b.) TEMPEST

This is the route the evidence takes from the time you find it until the case is closed or goes to court. a.) evidence path b.) acquisition plan c.) chain of custody d.) evidence custody

c.) chain of custody

A forensic lab doesn't need to be physically secure as long as the forensic workstation is secured with a strong password.

False

A digital forensic lab is where you conduct investigations, store evidence, and do most of your work.

True

A way of categorizing computer records is by dividing them into computer-generated records and computer-stored records.

True

All forensic acquisition tools have a method for verification of the data-copying process that compares the original drive with the image.

True

Digital Evidence can be ANY information stored or transmitted in digital form.

True

Forensic data acquisitions are stored in three formats, raw, proprietary, and AFF.

True

Validating digital evidence is the most critical aspect of computer forensics.

True

This was created by police officers who wanted to formalize credentials in computing investigations. a.) IACIS b.) NISPOM c.) HTCN d.) TEMPEST

a.) IACIS

This is facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed. a.) Probable cause b.) A subpoena c.) Reasonable cause d.) A warrant

a.) Probable cause

These records are data the system maintains, such as system log files and proxy server logs. a.) Hearsay b.) Computer-stored c.) Computer-generated d.) Business

c.) Computer-generated

Data acquisition is the process of copying data. How many different types of data acquisition are there? a.) 7 b.) 1 c.) 6 d.) 2

d.) 2

All forensic acquisition tools can copy data in the host protected area (HPA) of a disk drive.

False

An officer trained as a Digital Evidence First Responder (DEFR) has the skill to analyze the data and determine when another specialist should be called in to assist with the analysis.

False

Clusters in Windows always begin numbering at one in NTFS and 3 in FAT.

False

Exculpatory evidence, in essence, is the same as inculpatory evidence, meaning it tends to clear the suspect.

False

ISPs can investigate computer abuse committed by their customers.

False

The law of search and seizure protects the rights of all people, excluding people suspected of crimes.

False

In an NTFS file system, the partition table is located in the Master Boot Record, located at sector 0.

True

Law enforcement can confiscate anything an arrested person is carrying and log that a device, such as a smartphone, was on the person, but they don't necessarily have the right or authority to search the device.

True

One advantage of using command-line tools for an investigation is that they require few system resources because they're designed to run in minimal configurations.

True

The plain view doctrine applies when investigators find evidentiary items that aren't specified in a warrant or under probable cause.

True

When attorneys challenge digital evidence, often they raise the issue of whether computer-generated records were altered or damaged after they were created.

True

Your professional conduct as a digital investigator is critical because it determines your credibility.

True

This involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. a.) Data recovery b.) Computer forensics c.) Network forensics d.) Disaster recovery

a.) Data recovery

In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit this. a.) affidavit b.) litigation report c.) blotter d.) exhibit

a.) affidavit

Evidence is commonly lost or corrupted through this, which involves police officers and other professionals who aren't part of the crime scene processing team. a.) professional curiosity b.) HAZMAT teams c.) FOIA law d.) onlookers

a.) professional curiosity

Environmental and __________ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime. a.) safety b.) legal c.) physical d.) corporate

a.) safety

The Federal Rules of Evidence (FRE), signed into law in 1973, was created for what purpose? a.) To deter unprofessional conduct b.) To ensure consistency in federal proceedings c.) As a guideline for forensic procedures d.) In response to the overwhelming cyber crimes

b.) To ensure consistency in federal proceedings

Areal density refers to which of the following? a.) Number of bits per platter b.) Number of bits per disk c.) Number of bits per square inch of a disk platter d.) Number of bits per partition

c.) Number of bits per square inch of a disk platter

Write-blockers protect evidence disks by preventing data from being written to them and can be divided into which two types? a.) Analog and Digital b.) Weak and strong c.) Software and Hardware d.) Command line and GUI

c.) Software and Hardware

Confidential business data included with the criminal evidence are referred to as this kind of data. a.) public b.) exposed c.) commingled d.) revealed

c.) commingled

For computer forensics, this is the task of collecting digital evidence from electronic media. a.) lossless compression b.) hashing c.) data acquisition d.) lossy compression

c.) data acquisition

Which of the following are not common computer forensics tools functions? a.) Acquisition and extraction b.) Validation and discrimination c.) Reconstruction and reporting d.) Command-line applications and GUI applications

d.) Command-line applications and GUI applications

The FBI formed this in 1984 to handle the increasing number of cases involving digital evidence. a.) Department of Defense Computer Forensics Laboratory (DCFL) b.) DIBS c.) Federal Rules of Evidence (FRE) d.) Computer Analysis and Response Team (CART)

d.) Computer Analysis and Response Team (CART)

The verification function does which of the following? a.) Verifies hex editors b.) Creates segmented files c.) Proves that a tool performs as intended d.) Proves that two sets of data are identical by calculating the hash values.

d.) Proves that two sets of data are identical by calculating hash values

When seizing computer evidence in criminal investigations, follow the _______ standards for seizing digital data. a.) Homeland Security Department b.) U.S. DoD c.) Patriot Act d.) U.S. DoJ

d.) U.S. DoJ

What is the space on a drive called when a file is deleted? a.) Partition gap b.) Drive space c.) Free space d.) Unallocated space

d.) Unallocated space

During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ______ or MS-DOS system. a.) Windows Vista b.) Windows 7 c.) Windows 8 d.) Windows XP

d.) Windows XP

To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as this. a.) recovery workstation b.) mobile workstation c.) forensic lab d.) forensic workstation

d.) forensic workstation

Courts consider evidence data in a computer as _______ evidence. a.) virtual b.) invalid c.) logical d.) physical

d.) physical

Without a warning banner, employees might have an assumed ____________ when using a company's computer systems and network accesses. a.) line of privacy b.) line of authority c.) line of right d.) right of privacy

d.) right of privacy

Real-time surveillance requires _______ data transmissions between a suspect's computer and a network server. a.) preventing b.) poisoning c.) blocking d.) sniffing

d.) sniffing

Microsoft has added ______ with BitLocker to its newer operating systems, such as Windows 7 and 8, which makes performing static acquisitions more difficult. a.) built in forensic utilities b.) backup utilities c.) hashing utilities d.) whole disk encryption

d.) whole disk encryption

