Computers and Forensics exam2

The defense request for full discovery of digital evidence applies only to criminal cases in the United States. True False

?

A forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation is also known as a ____. A. portable workstation B. lightweight workstation C. field workstation D. stationary workstation

A

According to ISO standard 27037, which of the following is an important factor in data acquisition? A. The DEFR's competency B. The DEFR's skills in using the command line C. Conditions at the acquisition setting D. None of the above

A

As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? A. You begin to take orders from a police detective without a warrant or subpoena. B. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. C. Your internal investigation begins. D. None of the above.

A

Bitmap (.bmp) files use which of the following types of compression? A. Lossless B. Lzip C. Lossy D. WinZip

A

Courts consider evidence data in a computer as ____ evidence. a physical b virtual c logical d invalid

A

EFS can encrypt which of the following? A. Files, folders, and volumes B. Certificates and private keys C. The global Registry D. Network servers

A

Hard links are associated with which of the following? A. A specific inode B. Dot notation C. An absolute path to a file D. Hidden files

A

Hashing, filtering, and file header analysis make up which function of digital forensics tools? A. Validation and verification B. Acquisition C. Extraction D. Reconstruction

A

If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? A. Coordinate with the HAZMAT team. B. Determine a way to obtain the suspect's computer. C. Assume the suspect's computer is contaminated. D. Do not enter alone.

A

In Linux, which of the following is the home directory for the superuser? A. root B. super C. home D. /home/superuser

A

In steganalysis, cover-media is which of the following? A. The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file B. A specific type of graphics file used only for hashing steganographic files C. The content of a file used for a steganography message D. The type of steganographic method used to conceal a message

A

On most Linux systems, current user login information is in which of the following locations? A. /var/run/utmp B. /var/log/wmtp C. /var/log/usr D. /var/log/dmesg

A

Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? A. Most companies keep inventory databases of all hardware and software used. B. The investigator doesn't have to get a warrant. C. The investigator has to get a warrant. D. Users can load whatever they want on their machines.

A

Records in the MFT are called ____. A. metadata B. hyperdata C. infodata D. inodes

A

Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation? A. Internal corporate investigation because corporate investigators typically have ready access to company records B. Internal corporate investigation because ISPs almost always turn over e-mail and access logs when requested by a large corporation C. Criminal investigation because law enforcement agencies have more resources at their disposal D. Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly

A

The JFIF ____ format has a hexadecimal value of FFD8 FFE0 in the first four bytes. A. JPEG B. GIF C. BMP D. EPS

A

The National Software Reference Library provides what type of resource for digital forensics examiners? A. A list of MD5 and SHA1 hash values for all known OSs and applications B. Reference books and materials for digital forensics C. A list of digital forensics tools that make examinations easier D. A repository for software vendors to register their developed applications

A

The early standard Linux file system was ____. A. Ext2 B. Ext3 C. HFS+ D. NTFS

A

When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data. A. U.S. DOJ B. Homeland Security Department C. Patriot Act D. U.S. DoD

A

When validating the results of a forensic analysis, you should do which of the following? A. Calculate the hash value with two different tools. B. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. C. Use a command-line tool and then a GUI tool. D. None of the above

A

Which of the following is the main challenge in acquiring an image of a system running macOS? A. Vendor training is needed. B. The macOS is incompatible with most write-blockers. C. Most commercial software doesn't support macOS. D. None of the above

A

Which of the following represents known files you can eliminate from an investigation? A. Files associated with an application B. Any files pertaining to the company C. Any graphics files D. All of the above

A

With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible. A. initial-response field kit B. bit-stream copy utility C. extensive-response field kit D. seizing order

A

You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information? A. There's a hidden partition. B. The drive is formatted incorrectly. C. Nothing; this is what you'd expect to see. D. The disk is corrupted.

A

____ images store graphics information as grids of pixels. a Bitmap b Vector c Raster d Metafiles

A

If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords? A. Salting can make password recovery extremely difficult and time consuming. B. There are no concerns because salting doesn't affect password-recovery tools. C. The effect on the computer's CMOS clock could alter files' date and time values. D. Salting applies only to OS startup passwords, so there are no serious concerns for examiners.

A.

A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment. A. virtual file B. virtual machine C. logic machine D. logic drive

B

A(n) ____ should include all the tools you can afford to take to the field. A. initial-response field kit B. extensive-response field kit C. forensic lab D. forensic workstation

B

Block-wise hashing has which of the following benefits for forensics examiners? A. Verifies the quality of OS files B. Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive C. Allows validating sector comparisons between known files D. Provides a faster way to shift bits in a block or sector of data

B

Clusters in Windows always begin numbering at what number? A. 1 B. 2 C. 3 D. 4

B

Data ____ involves changing or manipulating a file to conceal information. A. integrity B. hiding C. creep D. recovery

B

During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system. A. Linux B. Windows C. MacOS D. Android

B

Forensics software tools are grouped into ______ and ______ applications. A. Portable, Desktop B. GUI, command-line C. Local, remote D. Mobile, PC

B

In JPEG files, what's the starting offset position for the JFIF label? A. Offset 2 B. Offset 6 C. Offset 4 D. Offset 0

B

In Windows 2000 and later, the ____ command shows you the file owner if you have multiple users on the system or network. A. ls B. dir C. owner D. Copy

B

In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each. A. 1512 B. 1024 C. 2512 D. 2048

B

On a Linux computer, ____ contains group memberships for the local system. A. /etc/shadow B. /etc/group C. /etc/fstab D. /etc/passwd

B

On a Windows system, sectors typically contain how many bytes? A. 256 B. 512 C. 1024 D. 2048

B

Under copyright laws, computer programs may be registered as ____. A. architectural works B. literary works C. motion pictures D. audiovisual works

B

What is the space on a drive called when a file is deleted? A. Disk space B. Unallocated space C. Drive space D. None of the above

B

Which of the following Windows 8 files contains user-specific information? A. User.dat B. Ntuser.dat C. System.dat D. SAM.dat

B

Which of the following certifies when an OS meets UNIX requirements? A. UNIX Users Group B. The Open Group C. SUSE Group D. IEEE

B

Which of the following describes plist files? A. They require special installers. B. You must have a special editor to view them. C. They're found only in Linux file systems. D. None of the above

B

Which of the following is true of most drive-imaging tools? A. They perform the same function as a backup. B. They ensure that the original drive doesn't become corrupt and damage the digital evidence. C. They must be run from the command line. D. All of the above

B

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you? A. Extensive-response kit B. Initial-response kit C. Lightweight kit D. Car crash kit

B

___ alters hash values, which makes cracking passwords more difficult. A. Hybrid attack B. Salting passwords C. PRTK D. Rainbow table

B

____ compression compresses data by permanently discarding bits of information in the file. A. Lossless B. Lossy C. Redundant D. Huffman

B

____ is the file structure database that Microsoft originally designed for floppy disks. A. FAT32 B. FAT C. NTFS D. VFAT

B

____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program. A. Substitution B. Insertion C. Append D. Replacement

B

A log report in forensics tools does which of the following? A. Tracks file types B. Monitors network intrusion attempts C. Records an investigator's actions in examining a case D. Lists known good files

C

Areal density refers to which of the following? A. Number of bits per disk B. Number of bits per partition C. Number of bits per square inch of a disk platter D. Number of bits per platter

C

Digital pictures use data compression to accomplish which of the following goals? A. Provide a crisp and clear image. B. Eliminate redundant data. C. Save space on a hard drive. D. All of the above

C

For which of the following reasons should you wipe a target drive? A. To ensure the quality of digital evidence you acquire B. To make sure unwanted data isn't retained on the drive C. Both A and B D. Neither of the above

C

How does macOS reduce file fragmentation? A. By using 256 bit sectors B. By using clusters C. By using clumps D. By using 128 bit sectors

C

How many sectors are typically in a cluster on a disk drive? A. 1 B. 2 or more C. 4 or more D. 8 or more

C

In FAT32, a 123-KB file uses how many sectors? A. 123 B. 185 C. 246 D. 255

C

In a file's inode, the first 10 pointers are called ____ pointers. A. double B. triple C. indirect D. direct

C

List two features NTFS has that FAT does not. A. MRU records and file attributes B. Master File Table and MRU records C. Unicode characters and better security D. MRU records and less fragmentation

C

Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0 and 3.0, SATA, PATA, and SCSI controllers. A. PCMCIA B. LCD C. USB D. IDE

C

Steganography is used for which of the following purposes? A. Accessing remote computers B. Creating strong passwords C. Hiding data D. Validating data

C

The standards for testing forensics tools are based on which criteria? A. ASTD 1975 B. U.S. Title 18 C. ISO 17025 D. All of the above

C

The verification function does which of the following? A. Proves that a tool performs as intended B. Creates segmented files C. Proves that two sets of data are identical via hash values D. Verifies hex editors

C

To recover a password in macOS, which tool do you use? A. PRTK B. Password Access C. Keychain Access D. Finder

C

Virtual machines have which of the following limitations when running on a host computer? A. Internet connectivity is restricted to virtual Web sites. B. Applications can be run on the virtual machine only if they're resident on the physical machine. C. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. D. Virtual machines can run only OSs that are older than the physical machine's OS.

C

What are the three rules for a forensic hash? A. Fast, reliable, and the hash value should be at least 2048 bits B. Produce collisions, should be at least 2048 bits, and it can't be predicted C. It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes D. It can be predicted, fast and reliable

C

What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? A. The file can no longer be encrypted. B. EFS protection is maintained on the file. C. The file is unencrypted automatically. D. Only the owner of the file can continue to access it.

C

What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data? A. Recursive B. Lossy C. Lossless D. Vector quantization

C

When you carve a graphics file, recovering the image depends on which of the following skills? A. Recognizing the pattern of a corrupt file B. Recognizing the pattern of the data content C. Recognizing the pattern of the file header content D. Recovering the image from a tape backup

C

Which of the following Linux system files contains hashed passwords for the local system? A. /etc/passwd B. /var/log/syslog C. /etc/shadow D. /var/log/dmesg

C

Which of the following describes the superblock's function in the Linux file system? A. Contains links between inodes B. Stores bootstrap code C. Manages the file system, including configuration information D. All of the above

C

Which of the following is a new file added in macOS? A. /var/db/uuid.text B. /var/db/diagnostics C. Either of the above D. None of the above

C

You use ____ to create, modify, and save bitmap, vector, and metafile graphics. A. graphics viewers B. image readers C. graphics editors D. image viewers

C

___ records are data the system maintains, such as system log files and proxy server logs. A. Hearsay B. Business C. Computer-generated D. Computer-stored

C

A JPEG file uses which type of compression? A. WinZip B. Lossless C. Lzip D. Lossy

D

In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive? A. 5% B. 10% C. 15% D. None of the above

D

Hash values are used for which of the following purposes? A. Determining file size B. Filling disk slack C. Reconstructing file fragments D. Validating that the original data hasn't changed

D

In macOS, volumes have allocation blocks and ____ blocks. A. clustered B. clumped C. master D. logical

D

In macOS, when you're working with an application file, the ____ fork contains additional information, such as menus, dialog boxes, icons, executable code, and controls. a. system b. application c. data d. resource

D

Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab. A. FOIA form B. affidavit C. evidence custody form D. warrant

D

List two hashing algorithms commonly used for forensic purposes. A. RSA and RC5 B. MD5 and AES C. AES and SHA-2 D. MD5 and SHA-1

D

One way to compare results and verify a new tool is by using a ____, such as Hex Workshop or WinHex. A. bit-stream copier B. disk imager C. write-blocker D. disk editor

D

Rainbow tables serve what purpose for digital forensics examinations? A. Rainbow tables are a supplement to the NIST NSRL library of hash tables. B. Rainbow tables are designed to enhance the search capability of many digital forensics examination tools. C. Rainbow tables provide a scoring system for probable search terms. D. Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords.

D

Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____. A. recovery copy B. firmware C. backup file D. image file

D

Some clues left on a drive that might indicate steganography include which of the following? A. Multiple copies of a graphics file B. Steganography programs in the suspect's All Programs list C. Graphics files with the same name but different file sizes D. All of the above

D

The Known File Filter (KFF) can be used for which of the following purposes? A. Filter known program files from view. B. Calculate hash values of image files. C. Compare hash values of known files with evidence files. D. Both A and C

D

The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software. A. FS-TST B. NSRL C. CFTT D. NIST

D

The process of converting raw images to another format is called which of the following? A. Transmogrification B. Transfiguring C. Data conversion D. Demosaicing

D

The reconstruction function is needed for which of the following purposes? A. Re-create a suspect drive to show what happened. B. Create a copy of a drive for other investigators. C. Re-create a drive compromised by malware. D. All of the above

D

What does the Ntuser.dat file contain? A. File and directory names B. Starting cluster numbers C. File attributes D. MRU files list

D

What methods are used for digital watermarking? A. Using a hex editor to alter the image data B. Nothing; this is what you'd expect to see. C. Implanted subroutines that link to a central Web server automatically when the watermarked file is accessed D. Invisible modification of the LSBs in the file

D

When you arrive at the scene, why should you extract only those items you need to acquire evidence? A. To conceal trade secrets B. To preserve your physical security C. To speed up the acquisition process D. To minimize how much you have to keep track of at the scene

D

Which forensic image file format creates or incorporates a validation hash value in the image file? A. SMART B. AFF C. Expert Witness D. All of the above

D

Which of the following is true about JPEG and TIF files? A. They differ from other graphics files because their file headers contain fewer bits. B. They differ from other graphics files because their file headers contain more bits. C. They have identical values for the first 2 bytes of their file headers. D. They have different values for the first 2 bytes of their file headers.

D

Which of the following techniques might be used in covert surveillance? A. Keylogging B. Data sniffing C. Network logs D. All of the above

D

____ contain file and directory metadata and provide a mechanism for linking data stored in data blocks. a. Extnodes b. Xnodes c. InfNodes d. Inodes

D

____ have some limitations in performing hashing, however, so using advanced ____ is necessary to ensure data integrity. A. HTML editors, hexadecimal editors B. High-level languages, assembler C. Hexadecimal editors, digital forensics tools D. Digital forensics tools, hexadecimal editors

D

____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest. A. A subpoena B. Reasonable cause C. A warrant D. Probable cause

D

A JPEG file is an example of a vector graphic. True False

F

A live acquisition can be replicated. True False

F

After you shift a file's bits, the hash value remains the same. True False

F

An initial-response field kit does not contain evidence bags. True False

F

BIOS boot firmware was developed to provide better protection against malware than EFI does. True False

F

Building a forensic workstation is more expensive than purchasing one. True False

F

Copyright laws don't apply to Web sites. True False

F

Corporate investigators always have the authority to seize all computer equipment during a corporate investigation. True False

F

Data can't be written to disk with a command-line tool. True False

F

From a network forensics standpoint, there are no potential issues related to using virtual machines. True False

F

Graphics files stored on a computer can't be recovered after they are deleted. True False

F

Hardware acquisition tools typically have built-in software for data analysis. True False

F

In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True False

F

Linux is the only OS that has a kernel. True False

F

Only one file format can compress graphics files. True False

F

Password recovery is included in all forensics tools. True False

F

Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which always get funding from the government or other agencies. True False

F

Small companies rarely need investigators. True False

F

The first 5 bytes (characters) for all MFT records are FILE. True False

F

The plain view doctrine in computer searches is well-established law. True False

F

The validation function is the most challenging of all tasks for computer investigators to master. False True

F

When investigating graphics files, you should convert them into one standard format. True False

F

When using a write-blocking device you can't remove and reconnect drives without having to shut down your workstation. True False

F

When viewing two files that look the same, but one has an invisible digital watermark, they appear to be the same file, except for their sizes. False True

F

Windows OSs do not have a kernel. False True

F

You should always answer questions from onlookers at a crime scene. True False

F

Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True False

F

With ____, Macintosh moved to the Intel processor and became UNIX based. High Sierra Lion OS X El Capitan

OS X

A judge can exclude evidence obtained from a poorly worded warrant. False True

T

A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT. True False

T

After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools. True False

T

All disks have more storage capacity than the manufacturer states. True False

T

Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence. True False

T

Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file's contents. True False

T

An encrypted drive is one reason to choose a logical acquisition. True False

T

An image of a suspect drive can be loaded on a virtual machine. True False

T

Bitmap images are collections of dots, or pixels, in a grid format that form a graphic. True False

T

CHS stands for cylinders, heads, and sectors. True False

T

Commercial encryption programs often rely on key escrow technology to recover files if a password or passphrase is lost. True False

T

Commingling evidence means that sensitive or confidential information is mixed with data collected as evidence. True False

T

Computer peripherals or attachments can contain DNA evidence. True False

T

Computers used several OSs before Windows and MS-DOS dominated the market. False True

T

Data blocks contain actual files and directories and are linked directly to inodes. True False

T

Data viewing, keyword searching, and decompressing are three subfunctions of the extraction function. True False

T

Device drivers contain instructions for the OS on how to interface with hardware devices. True False

T

Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack. False True

T

File and directory names are some of the items stored in the FAT database. True False

T

MFT stands for Master File Table. A. True B. False

T

For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses. True False

T

Hard links work in only one partition or volume. True False

T

If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy. False True

T

If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True False

T

If a file contains information, it always occupies at least one allocation block. False True

T

If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file. False True

T

If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True False

T

In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors. False True

T

In NTFS, files smaller than 512 bytes are stored in the MFT. True False

T

In forensic hashes, a collision occurs when two different files have the same hash value. True False

T

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. True False

T

It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows. True False

T

One way to examine a partition's physical level is to use a disk editor, such as WinHex, or Hex Workshop. False True

T

Private-sector cases, such as employee abuse investigations, might not specify limitations in recovering data. True False

T

Scope creep happens when an investigation goes beyond the bounds of its original description. True False

T

Several password-cracking tools are available for handling password-protected data or systems. True False

T

Software forensic tools are grouped into command-line applications and GUI applications. False True

T

Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene. True False

T

The Disk Arbitration feature in macOS is used to disable and enable automatic mounting when a drive is connected via a USB or FireWire device. True False

T

The Internet is the best source for learning more about file formats and their extensions. True False

T

The Linux Ext4 file system added support for partitions larger than 16 TB. True False

T

The data fork stores a file's actual data, and the resource fork contains file metadata and application information. True False

T

The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True False

T

The most common computer-related crime is check fraud. False True

T

The primary hashing algorithm the NSRL project uses is SHA-1. True False

T

The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location. True False

T

The type of file system an OS uses determines how data is stored on the disk. True False

T

To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful. False True

T

To identify an unknown graphics file format you need to examine a copy of the unknown file with a hexadecimal editor to find the hex code for the first several bytes of the file. True False

T

Under copyright laws, maps and architectural plans may be registered as pictorial, graphic, and sculptural works. False True

T

When viewing a file header, you need to include hexadecimal information to view the image. True False

T

When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support. False True

T

You should videotape or sketch anything at a digital crime scene that might be of interest to the investigation. True False

T

Criminal investigations are limited to finding data defined in the search ____. a warrant b order c scope d rule

a

Many password-protected OSs and applications store passwords in the form of ____ or SHA hash values. a MD5 b AES c SSL d SSH

a

One technique for extracting evidence from large systems is called ____. a sparse acquisition b large evidence file recovery c RAID copy d RAID imaging

a

The simplest method of duplicating a disk drive is using a tool that makes a direct ____ copy from the suspect disk to the target location. a disk-to-image b image-to-disk c partition-to-partition d image-to-partition

a

The simplest way to access a file header is to use a(n) ____ editor. a hexadecimal b disk c image d text

a

The term ____ is often used when discussing Linux because technically, Linux is only the core of the OS. a kernel b root c module d GRUB

a

____ can be software or hardware and are used to protect evidence disks by preventing data from being written to them. a Write-blockers b Disk editors c Workstations d Drive-imaging

a

____ has been used to protect copyrighted material by inserting digital watermarks into a file. a Steganography b Archiving c Compression d Encryption

a

____ steganography replaces bits of the host file with other bits of data. a Substitution b Insertion c Append d Replacement

a

Confidential business data included with the criminal evidence are referred to as ____ data. a public b commingled c exposed d revealed

b

Generally, digital records are considered admissible if they qualify as a ____ record. a computer-generated b business c hearsay d computer-stored

b

If you can't open a graphics file in an image viewer, the next step is to examine the file's ____. a size b header data c name d extension

b

Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____. a conclusive b hearsay c regular d direct

b

Recovering fragments of a file is called ____. a slacking b carving c rebuilding d saving

b

The primary hash algorithm used by the NSRL project is ____. a MD5 b SHA-1 c RC4 d CRC-32

b

When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations. a international b copyright c civil d forensics

b

____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the systemroot\Windows\System32\Drivers folder. a Hal.dll b Device drivers c Ntoskrnl.exe d Pagefile.sys

b

In older versions of macOS, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored. a inodes b node c resource d blocks

c

Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes. a more difficult than b as easy as c much easier than d as difficult as

c

On a Linux computer, ____ represents file systems exported to remote hosts. a /var/run/utmp b /var/log/wtmp c /etc/exports d /etc/fstab

c

Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server. a preventing b poisoning c sniffing d blocking

c

The data-hiding technique ____ changes data from readable code to data that looks like binary executable code. a partition hiding b partition-shifting c bit-shifting d marking bad clusters

c

The raw data format, typically created with the Linux ____ command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive. a d2dump b dhex c dd d rawcp

c

Under copyright laws, computer programs may be registered as ____. a architectural works b audiovisual works c literary works d motion pictures

c

What methods do steganography programs use to hide data in graphics files? A. Insertion B. Substitution C. Either of the above D. None of the above

c

You begin a digital forensics case by creating a(n) ____. a risk assessment report b investigation report c investigation plan d evidence custody form

c

____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes. a Line-art images b Bitmap images c Vector graphics d Metafile graphics

c

____ attacks use every possible letter, number, and character found on a keyboard when cracking a password. a Dictionary b Profile c Brute-force d Statistics

c

____ increases the time and resources needed to extract, analyze, and present evidence. a Litigation path b Court order for discovery c Scope creep d Investigation plan

c

____ involves sorting and searching through investigation findings to separate good data from suspicious data. a Acquisition b Validation c Filtering d Reconstruction

c

____ is defined as hiding messages in such a way that only the intended recipient knows the message is there. a Bit shifting b Encryption c Steganography d Marking bad clusters

c

____ recovery is becoming more common in digital forensic analysis. a Image b Data c Password d Partition

c

____ was introduced when Microsoft created Windows NT and is still the main file system in Windows 10. a HPFS b FAT32 c NTFS d VFAT

c

A ____ is a column of tracks on two or more disk platters. a sector b track c head d cylinder

d

Certain files, such as the ____ and Security log in Windows, might lose essential network activity records if power is terminated without a proper shutdown. a Word log b Io.sys c Password log d Event log

d

Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a ____ that a law or policy is being violated. a confirmed suspicion b proof c court order stating d reasonable suspicion

d

In Linux most system configuration files are stored in the ____ directory. A. /var B. /home C. /dev D. /etc

d

In Linux, most applications and commands are in the ____ directory or its subdirectories bin and sbin. a /var b /etc c /home d /usr

d

In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover. a scope creeps b risk assessment reports c investigation plans d subpoenas

d

In macOS, the ____ fork typically contains data the user creates. a resource b content c user d data

d

The marking-bad-clusters data-hiding technique is more common with ____ file systems. a HFS b NTFS c Ext2fs d FAT

d

Steganalysis tools are also called ____. a image tools b image editors c hexadecimal editors d steg tools

d

The process of converting raw picture data to another format is referred to as ____. A. rastering B. rendering C. JEIDA D. demosaicing

d

The term ____ comes from the Greek word for "hidden writing." a. escrow b. hashing c. creep d. steganography

d

To complete a forensic disk analysis and examination, you need to create a ____. a budget plan b forensic disk copy c risk assessment d report

d

WinHex provides several hashing algorithms, such as MD5 and ____. a CRC b RC4 c AES d SHA-1

d

____ is a data-hiding technique that uses host files to cover the contents of a secret message. a Graphie b Steganalysis c Steganos d Steganography

d

ISPs can investigate computer abuse committed by their customers. True False

f

In macOS, volume fragmentation is kept to a minimum by removing clumps from larger files. True False

f

Operating systems do not have tools for recovering image files. True False

f

When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant, which allows the police to present all evidence together. False True

f

Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True False

t

If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement. False True

t

The two major forms of steganography are insertion and substitution. True False

t

Under copyright laws, maps and architectural plans may be registered as pictorial, graphic, and sculptural works. False True

t

With many computer forensics tools, you can open files with external viewers. True False

t

