Computer forensics exam 1
With newer Linux kernel distributions, USB devices are automatically mounted, which can alter data on it.
true
Policies can address rules for which of the following?
All
Evidence storage containers should have several master keys.
FALSE
The ANAB mandates the procedures established for a digital forensics lab.
FALSE
____ often work as part of a team to secure an organization's computers and networks.
FORENSIC INVESTIGATORS
A warning banner should never state that the organization has the right to monitor what users do.
False
ASQ and ANAB are two popular certification programs for digital forensics.
False
Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule.
False
Slower data transfer speeds and dealing with minor data errors are two disadvantages of the raw format
False
The ANAB mandates the procedures established for a digital forensics lab.
False
You should always prove the allegations made by the person who hired you.
False
You shouldn't include a narrative of what steps you took in your case report
False
What does a sparse acquisition collect for an investigation?
Fragments of unallocated data in addition to the logical allocated data
Why is it a good practice to make two images of a suspect drive in a critical investigation?
To ensure at least one good copy of the forensically collected data in case of any failures
Embezzlement is a type of digital investigation typically conducted in a business environment.
True
One way to determine the resources needed for an investigation is based on the OS of the suspect computer, list the software needed for the examination.
True
The purpose of maintaining a network of digital forensics specialists is to develop a list of colleagues who specialize in areas different from your own specialties in case you need help on an investigation.
True
To determine the types of operating systems needed in your lab, list two sources of information you could use.
Uniform Crime Report statistics and a list of cases handled in your area
What's the most critical aspect of digital evidence?
Validation
The triad of computing security includes which of the following?
Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation
A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.
disaster recovery
It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.
exhibits
A forensic workstation should always have a direct broadband connection to the Internet.
fALSE
Computer investigations and forensics fall into the same category: public investigations.
false
Digital forensics facilities always have windows.
false
FTK Imager can acquire data in a drive's host protected area.
false
For daily work production, several examiners can work together in a large open area, as long as they all have different levels of authority and access needs.
false
If damage occurs to the floor, walls, ceilings, or furniture on your computer forensics lab, it does not need to be repaired immediately.
false
Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
true
The lab manager sets up processes for managing cases and reviews them regularly.
true
Which organization has guidelines on how to operate a digital forensics lab?
ANAB
List three items that should be on an evidence custody form.
Case number, name of the investigator and nature of the case
ASQ and ANAB are two popular certification programs for digital forensics.
FALSE
A logical acquisition collects only specific files of interest to the case.
true
What are two concerns when acquiring data from a RAID server?
Amount of data storage needed and type of RAID
Why is professional conduct important?
It includes ethics, morals, and standards of behavior
Which organization provides good information on safe storage containers?
NISPOM
For labs using high-end ____ servers or a private cloud (such as Dell PowerEdger or Digital Intelligence FREDC), you must consider methods for restoring large data sets.
RAID
____, or mirrored striping with parity, is a combination of RAID 1 and RAID 5.
RAID 15
The police blotter provides a record of clues to crimes that have been committed previously.
TRUE
There's no simple method for getting an image of a RAID server's disks.
TRUE
In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. So, the following dcfldd is command correct. dcfldd if=image_file.img of=/dev/hda1
false
When determining which data acquisition method to use you should not consider how long the acquisition will take.
false
One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search.
forums and blogs
In the Linux dcfldd command, which three options are used for validating data?
hash, hashlog, and vf
Published company policies provide a(n) ____ for a business to conduct internal investigations.
line of authority
Most remote acquisitions have to be done as ____ acquisitions.
live
The ____ command displays pages from the online help manual for information on Linux commands and their options.
man
You should have at least one copy of your backups on site and a duplicate or a previous copy of your backups stored in a safe ____ facility.
offsite
The EMR from a computer monitor can be picked up as far away as ____ mile.
1/2 mile
Large digital forensics labs should have at least ________ exits.
2
What's the maximum file size when writing data to a FAT32 drive? Commonly, proprietary format acquisition files can compress the acquisition data and segment acquisition output files into smaller volumes.
2gb
The manager of a digital forensics lab is responsible for which of the following?
ALL
With remote acquisitions, what problems should you be aware of?
Antivirus, antispyware, and firewall programs
Before enlisting in a certification program, thoroughly research the requirements, ________, and acceptability in your area of employment.
COST
What do you call a list of people who have had physical possession of the evidence?
Chain of custody
Which forensics tools can connect to a suspect's remote computer and run surreptitiously?
EnCase Enterprise and ProDiscover Incident Response
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.
EnCase and X-Ways Forensics
Digital forensics and data recovery refer to the same activities.
False
If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log.
False
Police in the United States must use procedures that adhere to which of the following?
Fourth amendment
Name the three formats for digital forensics data acquisitions.
Raw format, proprietary formats, and AFF
Typically, a(n) ________ lab has a separate storage area or room for evidence.
Regional
What is one of the necessary components of a search warrant?
Signature of an impartial judicial officer
What term refers to labs constructed to shield EMR emissions?
TEMPEST
An employer can be held liable for e-mail harassment.
TRUE
The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.
TRUE
Your business plan should include physical security items.
TRUE
Why should you critique your case after it's finished?
To improve your work
Why should you do a standard risk assessment to prepare for an investigation?
To list problems that might happen when conducting an investigation
Why should evidence media be write-protected?
To make sure data isn't altered
Why is physical security so critical for digital forensics labs?
To prevent data from being lost, corrupted, or stolen
What's the purpose of an affidavit?
To provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant
Building a business case can involve which of the following?
aLL
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.
affidavit
Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
allegation
Before enlisting in a certification program, thoroughly research the requirements, ________, and acceptability in your area of employment.
cost
The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.
digital investigations
Of all the proprietary formats, which one is the unofficial standard?
expert witness
Under normal circumstances, a private-sector investigator is considered an agent of law enforcement.
false
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
propitary
A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
warning banner
A forensics analysis of a 6 TB disk, for example, can take several days or weeks.
true
Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility.
professional conduct
In general, a criminal case follows three stages: the complaint, the investigation, and the ____.
prosecution
____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.
risk management
Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
static
A secure storage container or cabinet shoA secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock. uld be made of ____ and include an internal cabinet lock or external padlock.
steel
A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.
true
A hashing algorithm is a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk.
true
A separate manual validation is recommended for all raw acquisitions at the time of analysis.
true
Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized.
true
After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.
true
Commonly, proprietary format acquisition files can compress the acquisition data and segment acquisition output files into smaller volumes.
true
Computing systems in a forensics lab should be able to process typical cases in a timely manner.
true
FTK Imager requires that you use a device such as a USB dongle for licensing.
true
For digital evidence, an evidence bag is typically made of antistatic material.
true
One way to determine the resources needed for an investigation is based on the OS of the suspect computer, list the software needed for the examination.
true
The main goal of a static acquisition is the preservation of digital evidence.
true
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.
true
The purpose of maintaining a network of digital forensics specialists is to develop a list of colleagues who specialize in areas different from your own specialties in case you need help on an investigation.
true
There's no simple method for getting an image of a RAID server's disks.
true
To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
true
