CYB 365 Midterm review

In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.

1024

Computing components are designed to last 18 to ____ months in normal business operations.

36

True

A judge can exclude evidence obtained from a poorly worded warrant.

True

Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized.

True

After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.

True

After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.

What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?

An affidavit

What term refers to the individual who has the power to conduct digital forensic investigations?

Authorized requester

Many password recovery tools have a feature for generating potential lists for a ____ attack.

Brute-force

Generally, digital records are considered admissible if they qualify as a ____ record.

Business

In the ____, you justify acquiring newer and better resources to investigate digital forensics cases.

Business Case

Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?

Computer Analysis and Response team

True

Computing systems in a forensics lab should be able to process typical cases in a timely manner.

In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery.

Configuration management

The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____.

Data runs

A ____ is where you conduct your investigations, store evidence, and do most of your work.

Digital Forensics Lab

A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.

Disaster Recovery

The most common and flexible data-acquisition method is ____.

Disk-to-Image file

When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____.

EFS

____ involves sorting and searching through investigation findings to separate good data and suspicious data.

Filtering

true

For daily work production, several examiners can work together in a large open area, as long as they all have different levels of authority and access needs.

False

From a network forensics standpoint, there are no potential issues related to using virtual machines.

____ was created by police officers who wanted to formalize credentials in digital investigations.

IACIS

False

ISPs can investigate computer abuse committed by their customers.

True

If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.

False

If damage occurs to the floor, walls, ceilings, or furniture on your computer forensics lab, it does not need to be repaired immediately.

Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.

Image file

True

In Autopsy and many other forensics tools raw format image files don't contain metadata.

What do published company policies provide for a business that enables them to conduct internal investigations?

Line of Authority

On an NTFS disk, immediately after the Partition Boot Sector is the ____

MFT

AXIOM

Magnet ____ enables you to acquire the forensic image and process it in the same step.

True

Maintaining credibility means you must form and sustain unbiased opinions of your cases

Records in the MFT are called ____.

Metadata

Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes.

Much easier than

Courts consider evidence data in a computer as ____ evidence.

Physical

False

Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which always get funding from the government or other agencies.

____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.

Probable cause

What investigator characteristic, which includes ethics, morals, and standards of behavior, determines the investigator's credibility?

Professional conduct

Evidence is commonly lost or corrupted through ____, which involves the presence of police officers and other professionals who aren't part of the crime scene-processing team.

Professional curiosity

One major disadvantage of ____ format acquisitions is the inability to share

Proprietary

Lab costs can be broken down into monthly, ____, and annual expenses.

Quarterly

For labs using high-end ____ servers or a private cloud (such as Dell PowerEdger or Digital Intelligence FREDC), you must consider methods for restoring large data sets.For labs using high-end ____ servers or a private cloud (such as Dell PowerEdger or Digital Intelligence FREDC), you must consider methods for restoring large data sets.

RAID

____, or mirrored striping, is a combination of RAID 1 and RAID 0.

RAID 10

____, or mirrored striping with parity, is a combination of RAID 1 and RAID 5.

RAID 15

The purpose of the ____ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key.

Recovery certificate

____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.

Risk Management

To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.

Secure Facility

Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.

Sha1 sum

true

Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.

True

Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene

If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.

Sparse

One technique for extracting evidence from large systems is called ____.

Sparse acquisition

A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.

Steel

True

The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.

True

The lab manager sets up processes for managing cases and reviews them regularly.

True

The police blotter provides a record of clues to crimes that have been committed previously.

true-breeding

The type of file system an OS uses determines how data is stored on the disk.

False

The validation function is the most challenging of all tasks for computer investigators to master.

True

There's no simple method for getting an image of a RAID server's disks.

True

To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.

A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.

True

It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.

True

Software forensic tools are grouped into command-line applications and GUI applications.

True

When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data.

US DOJ

____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.

Uniform crime reports

A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.

Virtual Machine

What usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will?

Warning Banner

Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.

Warrant

False

When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant, which allows the police present all evidence together.

True

When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.

Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.

Whole disk encryption

During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system.

Windows

A(n) ____ should include all the tools you can afford to take to the field.

extensive-response field kit