Computer Forensics

Computer investigations and forensics fall into the same category: public investigations. True False

F

Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True False

F

Digital forensics and data recovery refer to the same activities. True False

F

Digital forensics facilities always have windows. A. True B. False

F

Evidence storage containers should have several master keys. True False

F

FTK Imager can acquire data in a drive's host protected area. True False

F

For daily work production, several examiners can work together in a large open area, as long as they all have different levels of authority and access needs. False True

F

When determining which data acquisition method to use you should not consider how long the acquisition will take. True False

F

You should always prove the allegations made by the person who hired you. True False

F

You shouldn't include a narrative of what steps you took in your case report. True False

F

For digital evidence, an evidence bag is typically made of antistatic material. True False

T

You should have at least one copy of your backups on site and a duplicate or a previous copy of your backups stored in a safe ____ facility. A. off-site B. in-site C. storage D. online

A

The EMR from a computer monitor can be picked up as far away as ____ mile. A. 1/2 B. 3/4 C. 1 D. 1/4

A. 1/2

Most remote acquisitions have to be done as ____ acquisitions. A. live B. static C. sparse D. hot

A. Live

For labs using high-end ____ servers or a private cloud (such as Dell PowerEdge or Digital Intelligence FREDC), you must consider methods for restoring large data sets. A. RAID B. ISDN C. WAN D. TEMPEST

A. RAID

A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock. A. steel B. wood C. expanded metal D. gypsum

A. Steel

In general, a criminal case follows three stages: the complaint, the investigation, and the ____. A. prosecution B. blotter C. allegation D. litigation

A. Prosecution

A(n) ____ is a person using a computer to perform routine tasks other than systems administration. A. user banner B. complainant C. end user D. investigator

C

Before enlisting in a certification program, thoroughly research the requirements, ________, and acceptability in your area of employment. A. Number of students B. Business hours C. Cost D. Location

C

Name the three formats for digital forensics data acquisitions. A. Raw, AICIS, and AFF B. EnCase format, Raw, and dd C. Raw format, proprietary formats, and AFF D. dd, Raw, and AFF

C

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive. A. dd and Expert Witness B. dd and EnCase C. X-Ways Forensics and dd D. EnCase and X-Ways Forensics

D

Policies can address rules for which of the following? A. When you can log on to a company network from home B. The amount of personal e-mail you can send C. The Internet sites you can or can't access D. Any of the above

D

The manager of a digital forensics lab is responsible for which of the following? A. Ensuring that staff members have enough training to do the job B. Knowing the lab objectives C. Making necessary changes in lab procedures and software D. All of the above

D

What is one of the necessary components of a search warrant? A. Professional ethics B. Professional codes C. Standards of behavior D. Signature of an impartial judicial officer

D

What's the most critical aspect of digital evidence? A. Compression B. Redundancy C. Contingency D. Validation

D

Commonly, proprietary format acquisition files can compress the acquisition data and segment acquisition output files into smaller volumes. True False

T

Computing systems in a forensics lab should be able to process typical cases in a timely manner. True False

T

Embezzlement is a type of digital investigation typically conducted in a business environment. True False

T

FTK Imager requires that you use a device such as a USB dongle for licensing. True False

T

One way to determine the resources needed for an investigation is to list, based on the OS of the suspect computer, the software needed for the examination. True False

T

List three items that should be on an evidence custody form. A. Case number, name of the investigator and nature of the case B. Name of the investigator, affidavit and name of the judge assigned to the case C. Affidavit, search warrant, and description of the evidence D. Description of the evidence, location of the evidence and search warrant

A

The ____ command displays pages from the online help manual for information on Linux commands and their options. A. inst B. man C. cmd D. hlp

B

Typically, a(n) ________ lab has a separate storage area or room for evidence. A. Federal B. Regional C. State D. Research

B

What does a sparse acquisition collect for an investigation? A. Only specific files of interest to the case B. Fragments of unallocated data in addition to the logical allocated data C. Only the logical allocated data D. Only fragments of unallocated data

B

What term refers to labs constructed to shield EMR emissions? A. ASQ B. TEMPEST C. NISPOM D. SCADA

B

____, or mirrored striping with parity, is a combination of RAID 1 and RAID 5. A. RAID 0 B. RAID 15 C. RAID 10 D. RAID 16

B

Why should evidence media be write-protected? A. To speed up the imaging process B. To make sure data isn't altered C. To make image files smaller in size D. To comply with Industry standards

B.

In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation. A. civil B. criminal C. fourth amendment D. corporate

B. Criminal

____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. A. Network forensics B. Data recovery C. Disaster recovery D. Computer forensics

B. Data Recovery

Published company policies provide a(n) ____ for a business to conduct internal investigations. A. allegation resource B. line of authority C. line of allegation D. litigation path

B. Line of Authority

One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools. A. AFF B. proprietary C. raw D. AFD

B. Proprietary

Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses. A. line of right B. right of privacy C. line of authority D. line of privacy

B. Right of Privacy

One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search. A. Minix B. uniform reports C. forums and blogs D. AICIS lists

C

The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true. A. challenged B. examined C. notarized D. recorded

C

To determine the types of operating systems needed in your lab, list two sources of information you could use. A. ANAB and IACIS B. EnCE and ACE C. Uniform Crime Report statistics and a list of cases handled in your area D. Local police reports and ISFCE reports

C

The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime. A. litigation B. network intrusion detection C. digital investigations D. incident response

C. Digital investigations

____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment. A. Change management B. Configuration management C. Risk management D. Risk configuration

C. Risk Management

Why is physical security so critical for digital forensics labs? A. To ensure continuous funding B. To make sure unwanted data isn't retained on the drive C. To protect trade secrets D. To prevent data from being lost, corrupted, or stolen

D

Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility. A. oath B. professional policy C. line of authority D. professional conduct

D

It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant. A. litigation B. prosecution C. reports D. exhibits

D. Exhibits

If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. True False

F

In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. So, the following dcfldd command is correct: dcfldd if=image_file.img of=/dev/hda1 True False

F

Slower data transfer speeds and dealing with minor data errors are two disadvantages of the raw format. True False

F

The ANAB mandates the procedures established for a digital forensics lab. True False

F

Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True False

F

A separate manual validation is recommended for all raw acquisitions at the time of analysis. False True

T

After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. False True

T

Of all the proprietary formats, which one is the unofficial standard? A. Expert Witness B. AFF C. Uncompress dd D. Segmented dd

A

The triad of computing security includes which of the following? A. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation B. Vulnerability assessment, intrusion response, and monitoring C. Detection, response, and monitoring D. Vulnerability assessment, detection, and monitoring

A

What do you call a list of people who have had physical possession of the evidence? A. Chain of custody B. Affidavit C. Evidence log D. Evidence record

A

Why is professional conduct important? A. It includes ethics, morals, and standards of behavior B. It helps with an investigation C. It saves a company from using warning banners D. All of the above

A

Why should you critique your case after it's finished? A. To improve your work B. To list problems that might happen when conducting an investigation C. To maintain chain of custody D. To maintain a professional conduct

A

A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. A. right banner B. warning banner C. line of authority D. right of privacy

B

Police in the United States must use procedures that adhere to which of the following? A. Third Amendment B. Fourth Amendment C. First Amendment D. None of the above

B

The most common and flexible data-acquisition method is ____. A. Disk-to-network copy B. Disk-to-image file copy C. Disk-to-disk copy D. Sparse data copy

B

Which forensics tools can connect to a suspect's remote computer and run surreptitiously? A. dcfldd and ProDiscover Incident Response B. EnCase Enterprise and ProDiscover Incident Response C. dd and dcfldd D. dd and EnCase Enterprise

B

In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations. A. line of right B. authority of line C. authorized requester D. authority of right

C. Authorized Requester

An employer can be held liable for e-mail harassment. True False

T

What's the maximum file size when writing data to a FAT32 drive? 2 GB 3 GB 4 GB 6 GB

2 GB

Why should you do a standard risk assessment to prepare for an investigation? A. To obtain a search warrant B. To list problems that might happen when conducting an investigation C. To obtain an affidavit D. To discuss the case with the opposing counsel

B

Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed. A. litigation B. allegation C. prosecution D. blotter

B. Allegation

In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____. A. litigation report B. affidavit C. exhibit report D. blotter

B. Affidavit

If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available. A. static B. live C. local D. passive

B. Live

Why is it a good practice to make two images of a suspect drive in a critical investigation? A. To speed up the process B. To have one compressed and one uncompressed copy C. To ensure at least one good copy of the forensically collected data in case of any failures D. None of the above

C

To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe. A. secure workstation B. protected PC C. secure facility D. secure workbench

C. Secure facility

Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example. A. online B. real-time C. static D. live

C. static

A forensic workstation should always have a direct broadband connection to the Internet. True False

F

A warning banner should never state that the organization has the right to monitor what users do. True False

F

ASQ and ANAB are two popular certification programs for digital forensics. True False

F

If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately. True False

False

In ____, two or more disk drives become one large volume, so the computer views the disks as a single disk. RAID 0 RAID 6 RAID 5 RAID 1

RAID 0

A hashing algorithm is a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk. True False

T

A logical acquisition collects only specific files of interest to the case. True False

T

A forensics analysis of a 6 TB disk, for example, can take several days or weeks. False True

True

A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks. False True

True

Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized. True False

True

Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive. True False

True

The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure. True False

True

The lab manager sets up processes for managing cases and reviews them regularly. False True

True

The police blotter provides a record of clues to crimes that have been committed previously. False True

True

There's no simple method for getting an image of a RAID server's disks. False True

True

To be a successful computer forensics investigator, you must be familiar with more than one computing platform. False True

True

____, or mirrored striping, is a combination of RAID 1 and RAID 0. A. RAID 5 B. RAID 6 C. RAID 0 D. RAID 10

D. RAID 10

If your time is limited, consider using a logical acquisition or ____ acquisition data copy method. A. lossless B. disk-to-image C. disk-to-disk D. sparse

D. Sparse

The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions. A. man B. fdisk C. raw D. dd

D. dd

____ often work as part of a team to secure an organization's computers and networks. A. Network monitors B. Computer analysts C. Forensics investigators D. Data recovery engineers

?Not B?

In the Linux dcfldd command, which three options are used for validating data? A. hash, hashlog, and vf B. h, hl, and vf C. hash, log, and hashlog D. vf, of, and vv

A

What are two concerns when acquiring data from a RAID server? A. Data transfer speeds and type of RAID B. Type of RAID and antivirus software C. Amount of data storage needed and type of RAID D. Split RAID and Redundant RAID

C

What's the purpose of an affidavit? A. To specify who, what, when, and where—that is, specifics on place, time, items being searched for, and so forth B. To list problems that might happen when conducting an investigation C. To provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant D. To determine the OS of the suspect computer and list the software needed for the examination

C

Which organization has guidelines on how to operate a digital forensics lab? A. TEMPEST B. NISPOM C. ANAB D. SCADA

C

Which organization provides good information on safe storage containers? A. TEMPEST B. ASCLD C. NISPOM D. ASQ

C

With remote acquisitions, what problems should you be aware of? A. Data transfer speeds B. Access permissions over the network C. Antivirus, antispyware, and firewall programs D. The password of the remote computer's user

C.

A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing. A. configuration management B. risk management C. security D. disaster recovery

D

Building a business case can involve which of the following? A. Procedures for gathering evidence B. Testing software C. Protecting trade secrets D. All of the above

D

During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____. A. RAID B. NISPOM C. EMR D. TEMPEST

D

Large digital forensics labs should have at least ________ exits. A. 5 B. 7 C. 4 D. 2

D

The main goal of a static acquisition is the preservation of digital evidence. True False

T

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file. False True

T

The purpose of maintaining a network of digital forensics specialists is to develop a list of colleagues who specialize in areas different from your own specialties in case you need help on an investigation. True False

T

With newer Linux kernel distributions, USB devices are automatically mounted, which can alter data on them. True False

T

Your business plan should include physical security items. True False

T
