CYSE 407 - Digital Forensics

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

What is the name of the Microsoft solution for whole disk encryption?

BitLocker

When seizing digital evidence in criminal investigations, whose standards should be followed?

U.S. DOJ

Many commercial encryption programs use a technology called _____________, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.

key escrow

In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely.

keylogger

Which utility below is not a lossless compression utility?

lzip

What should you do while copying data on a suspect's computer that is still live?

make notes regarding everything you do

Which of the following formats is not considered to be a standard graphics file format?

tga

What is the purpose of the reconstruction function in a forensics investigation?

to re-create a suspect's drive to show what happened during a crime or incident

The _____________ format is a proprietary format used by Adobe Photoshop.

.psd

An investigator wants to capture all data on a SATA drive connected to a Linux system. What should the investigator use for the "if=" portion of the dcfldd command?

/dev/sda

Within Windows Vista and later, partition gaps are _____________ bytes in length.

128

Which ISO standard below is followed by the ASCLD?

17025:2005

All TIF files start at offset 0 with what 6 hexadecimal characters?

49 49 2A

Which amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure?

4th

A typical disk drive stores how many bytes in a single sector?

512

_______ describes an accusation of fact that a crime has been committed.

Allegation

Which graphics file format below is rarely compressed?

BMP

How often should hardware be replaced within a forensics lab?

Every 12-18 months

In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters?

FAT

What does FRE stand for?

Federal Rules of Evidence

_______ is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing.

Hearsay

The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System.

Hive

The _______ copies evidence of intrusions to an investigation workstation automatically for further analysis over the network.

Intrusion detection system

A data acquisition method used when a suspect computer can't be shut down to perform a static acquisition

Live acquisitions

A data acquisition method that captures only specific files of interest to the case or specific types of files, such as Outlook .pst files

Logical acquisitions

_______ is the utility used by the ProDiscover program for remote access.

PDServer

Which RAID type utilizes mirrored striping, providing fast access and redundancy?

RAID 10

Which option below is not a recommendation for securing storage containers?

Rooms with evidence containers should have a secured wireless network.

What registry file contains user account management and security settings?

SAM.dat

Which option below is not a standard systems analysis step?

Share evidence with experts outside of the investigation.

_______ does not recover data in free or slack space.

Sparse acquisition

A data acquisition method that captures only specific files of interest to a case, but also collects fragments of unallocated (deleted) data

Sparse acquisitions

As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state?

The decision should be left to the Digital Evidence First Responder (DEFR).

When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented?

The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.

_______ is responsible for creating and monitoring lab policies for staff, and provides a safe and secure workplace for staff and evidence.

The lab manager

Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files?

advanced forensic format

Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its malicious code from antivirus tools.

bit-shifting

Which password recovery method uses every possible letter, number, and character found on a keyboard?

brute-force attack

Reconstructing fragments of files that have been deleted from a suspect drive, is known as ____________ in North America.

carving

The _______ is not one of the three stages of a typical criminal case.

civil suit

Which of the following is not a type of graphic file that is created by a graphics program? a. bitmap images b. vector graphics c. metafile graphics d. raster graphics

d

The Linux command _____ can be used to write bit-stream data to files.

dd

The process of converting raw picture data to another format is called _________________.

demosaicing

In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer.

diskpart

Which of the following commands creates an alternate data stream?

echo text > myfile.txt:stream_name

What format was developed as a standard for storing metadata in image files?

exif

A keyword search is part of the analysis process within what forensic function?

extraction

In order to qualify for the Advanced Certified Computer Forensic Technician certification, a candidate must have _______ years of hands-on experience in computer forensics investigations.

five

You must abide by the _______ while collecting evidence.

fourth amendment

What term is used to describe a disk's logical structure of platters, tracks, and sectors?

geometry

Passwords are typically stored as one-way _____________ rather than in plaintext.

hashes

The sale of sensitive or confidential company information to a competitor is known as _______.

industrial espionage

If practical, _______ team(s) should collect and catalog digital evidence at a crime scene or lab.

one

In what temporary location below might passwords be stored?

pagefile.sys

The term _______ is used to describe someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.

person of interest

The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient _______.

probable cause

Referred to as a digital negative, the _______ is typically used on many higher-end digital cameras.

raw file format

What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords?

salted passwords

The term for detecting and analyzing steganography files is _________________.

steganalysis


Ensembles d'études connexes

CCNA Routing & Switching 200-125 Free Dumps Questions | Dumpsbase

View Set

Personal Finance- Unit 3- check endorsements, and checking account

View Set