CYB 365 Midterm review
In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.
1024
Computing components are designed to last 18 to ____ months in normal business operations.
36
A judge can exclude evidence obtained from a poorly worded warrant.
True
Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized.
True
After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.
True
After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
True
What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?
An affidavit
What term refers to the individual who has the power to conduct digital forensic investigations?
Authorized requester
Many password recovery tools have a feature for generating potential lists for a ____ attack.
Brute-force
Generally, digital records are considered admissible if they qualify as a ____ record.
Business
In the ____, you justify acquiring newer and better resources to investigate digital forensics cases.
Business Case
Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?
Computer Analysis and Response Team
Computing systems in a forensics lab should be able to process typical cases in a timely manner.
True
In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery.
Configuration management
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____.
Data runs
A ____ is where you conduct your investigations, store evidence, and do most of your work.
Digital Forensics Lab
A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.
Disaster Recovery
The most common and flexible data-acquisition method is ____.
Disk-to-Image file
When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____.
EFS
____ involves sorting and searching through investigation findings to separate good data and suspicious data.
Filtering
For daily work production, several examiners can work together in a large open area, as long as they all have different levels of authority and access needs.
True
From a network forensics standpoint, there are no potential issues related to using virtual machines.
False
____ was created by police officers who wanted to formalize credentials in digital investigations.
IACIS
ISPs can investigate computer abuse committed by their customers.
False
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.
True
If damage occurs to the floor, walls, ceilings, or furniture on your computer forensics lab, it does not need to be repaired immediately.
False
Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.
Image file
In Autopsy and many other forensics tools, raw format image files don't contain metadata.
True
What do published company policies provide for a business that enables them to conduct internal investigations?
Line of Authority
On an NTFS disk, immediately after the Partition Boot Sector is the ____.
MFT
Magnet ____ enables you to acquire the forensic image and process it in the same step.
AXIOM
Maintaining credibility means you must form and sustain unbiased opinions of your cases.
True
Records in the MFT are called ____.
Metadata
Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes.
Much easier than
Courts consider evidence data in a computer as ____ evidence.
Physical
Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which always get funding from the government or other agencies.
False
____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.
Probable cause
What investigator characteristic, which includes ethics, morals, and standards of behavior, determines the investigator's credibility?
Professional conduct
Evidence is commonly lost or corrupted through ____, which involves the presence of police officers and other professionals who aren't part of the crime scene-processing team.
Professional curiosity
One major disadvantage of ____ format acquisitions is the inability to share
Proprietary
Lab costs can be broken down into monthly, ____, and annual expenses.
Quarterly
For labs using high-end ____ servers or a private cloud (such as Dell PowerEdge or Digital Intelligence FREDC), you must consider methods for restoring large data sets.
RAID
____, or mirrored striping, is a combination of RAID 1 and RAID 0.
RAID 10
____, or mirrored striping with parity, is a combination of RAID 1 and RAID 5.
RAID 15
The purpose of the ____ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key.
Recovery certificate
____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.
Risk Management
To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.
Secure Facility
Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.
sha1sum
Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
True
Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.
True
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.
Sparse
One technique for extracting evidence from large systems is called ____.
Sparse acquisition
A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.
Steel
The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.
True
The lab manager sets up processes for managing cases and reviews them regularly.
True
The police blotter provides a record of clues to crimes that have been committed previously.
True
The type of file system an OS uses determines how data is stored on the disk.
True
The validation function is the most challenging of all tasks for computer investigators to master.
False
There's no simple method for getting an image of a RAID server's disks.
True
To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
True
A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.
True
It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.
True
Software forensic tools are grouped into command-line applications and GUI applications.
True
When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data.
US DOJ
____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
Uniform crime reports
A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.
Virtual Machine
What usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will?
Warning Banner
Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.
Warrant
When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant, which allows the police to present all evidence together.
False
When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.
True
Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.
Whole disk encryption
During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system.
Windows
A(n) ____ should include all the tools you can afford to take to the field.
extensive-response field kit