CIST 2612


What term describes data that an operating system creates and overwrites without the computer user directly saving this data?

A. Metadata B. Persistent data C. Scrubbed data D. Temporary data

What version of RAID involves three or more striped disks with parity that protect data against the loss of any one disk?

A. RAID 3 or 4 B. RAID 1 C. RAID 1+0 D. RAID 0

What is a formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted?

A. Rules of evidence B. Expert witness C. Curriculum vitae (CV) D. Expert report

Identification, preservation, collection, examination, analysis, and presentation are six classes in the matrix of the __________.

A. TEMPEST program B. Federal Rules of Evidence (FRE) C. Digital Forensic Research Workshop (DFRWS) framework D. Forensic Toolkit

__________ contains remnants of word processing documents, emails, Internet browsing activity, database entries, and almost any other work that has occurred during past Windows sessions.

A. The master boot record (MBR) B. The basic input/output system (BIOS) C. A swap file D. Metadata

A CPU cache is not volatile, whereas a CD-ROM is volatile.

True False

A swap file is an example of persistent data.

True False

Before imaging a drive, you must forensically wipe the target drive to ensure no residual data remains.

True False

File slack and slack space are the same thing.

True False

From the perspective of digital forensics, changing the time or date stamp on a file does not alter the file.

True False

Helix is a customized Linux Live CD used for computer forensics.

True False

In a forensics lab, the machines being examined should not be connected to the Internet.

True False

Life span refers to how long information is accurate.

True False

Making two copies of a suspect's drive, using two different imaging tools, can help to prove that evidence is accurate.

True False

Many USB drives come with a switch to put them in read-only mode.

True False

Offline analysis is another term for live analysis.

True False

Residual information in file slack is always overwritten when a new file is created.

True False

Storage servers in a forensics lab should be backed up at least once a month.

True False

The Linux dd command is commonly used to forensically wipe a drive.

True False

The Linux netcat command reads and writes bits over a network connection.

True False

The benefit of using automated forensic systems is that you do not have to know how to perform all forensic processes manually.

True False

The information in a routing table is more volatile than a network topology.

True False

The only way to clean random access memory (RAM) is with cleansing devices known as sweepers or scrubbers.

True False

The start-up time for solid-state drives (SSDs) is usually much slower than for magnetic storage drives.

True False

The term scrubber refers to software that cleans unallocated drive space.

True False

To achieve American Society of Crime Laboratory Directors (ASCLD) accreditation, a lab must meet about 40 criteria.

True False

When seizing a suspect computer, you need to remove drives only if they are currently attached to cabling.

True False

You can make a bit-level copy of a computer hard drive using basic Linux commands.

True False
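Several of the items above describe one workflow: wipe the target drive before imaging, take a bit-level copy with dd, and prove the copy accurate by hashing. The script below is an added example, not part of the course material. Two small constructed files stand in for the suspect drive and the target drive; the file names, the 2048-byte size and the marker string are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the course material): wipe the target, take a
# bit-level image with dd, and prove the copy exact by hashing both sides.
# Two small constructed files stand in for the suspect drive and the target
# drive; with real block devices, only ever write to the TARGET.
set -eu

hash_file() {
    # SHA-256 of a file; falls back to shasum on systems without sha256sum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

wipe_target() {
    # $1 = target, $2 = its size in bytes. Overwrite with zeros, then prove it:
    # cmp against an equal-length stream of zeros must report no difference.
    sectors=$(( $2 / 512 ))
    dd if=/dev/zero of="$1" bs=512 count="$sectors" 2>/dev/null
    dd if=/dev/zero bs=512 count="$sectors" 2>/dev/null | cmp - "$1"
}

image_device() {
    # Bit-level copy of $1 onto $2. noerror keeps going past unreadable
    # sectors; sync pads them with zeros so every later offset stays aligned.
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

verify_image() {
    # Matching digests of source and image are the proof that the copy is exact.
    src=$(hash_file "$1")
    img=$(hash_file "$2")
    printf 'source %s\nimage  %s\n' "$src" "$img"
    [ "$src" = "$img" ]
}

demo_imaging() {
    work=$(mktemp -d)
    suspect="$work/suspect.dev"
    target="$work/target.dev"
    # Constructed suspect "drive": four zero-filled sectors, marker in sector 0.
    dd if=/dev/zero of="$suspect" bs=512 count=4 2>/dev/null
    printf 'CIST 2612 evidence marker' | dd of="$suspect" conv=notrunc 2>/dev/null
    # Constructed target still holding residue from an earlier case.
    printf 'residue from a previous case' > "$target"
    wipe_target "$target" 2048 &&
        image_device "$suspect" "$target" &&
        verify_image "$suspect" "$target"
    status=$?
    rm -rf "$work"
    return "$status"
}

demo_imaging
```

To image over the network instead, pipe the same dd into netcat on the suspect side (`dd if=/dev/sdb bs=512 conv=noerror,sync | nc EXAMINER 9000`) and redirect a netcat listener into the image file on the examiner side; the listener flags differ between netcat variants, so check the local man page. Hash the received image exactly as above, and record both digests in the case notes. Imaging a second time with a different tool and comparing its digest to the first is the same check applied twice.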

__________ is information at the level of 1s and 0s stored in computer memory or on a storage device.

A. File slack B. Bit-level information C. A segment D. A cluster

This is the space that remains on a hard drive if the partitions do not use all the available space.

A. File slack B. Host protected area C. Volume slack D. Unallocated space

Which of the following requires certification candidates to take an approved training course, pass a written test, and submit to a review of the candidate's work history?

A. AccessData Certified Examiner B. EC-Council Certified Hacking Forensic Investigator (CHFI) C. GIAC certifications D. High Tech Crime Network certifications

The __________ format is a proprietary file format defined by Guidance Software for use in its forensic tool to store hard drive images and individual files.

A. EnCase B. The Advanced Forensic Format C. The Generic Forensic Zip D. IXimager

One principle of evidence gathering is to avoid changing the evidence. Which of the following is NOT true of evidence gathering?

A. Transport items carefully and avoid touching hard disks or CDs. B. Label wires and sockets so you can put everything back as it was once you get computers and other equipment into the lab. C. Photograph seized equipment after you set it up in the lab. D. Make exact bit-by-bit copies and store them on a medium such as a write-once CD.

When gathering systems evidence, what is NOT a common principle?

A. Trust only virtual evidence. B. Avoid changing the evidence. C. Search throughout a device. D. Determine when evidence was created.

EIDE is _________.

A. a file format B. a type of magnetic drive C. a type of running process D. an operating system

Windows uses __________ on each system as a "scratch pad" to write data when additional random access memory (RAM) is needed.

A. a partition B. an installed operating system C. metadata D. a swap file

Use of __________ enables an investigator to reconstruct file fragments if files have been deleted or overwritten.

A. digital forensics framework B. the rules of evidence C. bit-level tools D. a null modem cable

Two of the easiest things to extract during __________ are a list of all website uniform resource locators (URLs) and a list of all email addresses on the computer.

A. evidence determination B. logical analysis C. computer shutdown D. physical analysis

People try to thwart investigators by using encryption to scramble information or _________ to hide information, or both together.

A. sweepers B. running processes C. scrubbers D. steganography

How you will gather evidence and which tools are most appropriate for a specific investigation are part of ___________.

A. the rules of evidence B. a forensic analysis plan C. the expert report D. a curriculum vitae
