CYSE 407 - Digital Forensics
What is the name of the Microsoft solution for whole disk encryption?
BitLocker
When seizing digital evidence in criminal investigations, whose standards should be followed?
U.S. DOJ
Many commercial encryption programs use a technology called _____________, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.
key escrow
In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely.
keylogger
Which utility below is not a lossless compression utility?
lzip
What should you do while copying data on a suspect's computer that is still live?
make notes regarding everything you do
Which of the following formats is not considered to be a standard graphics file format?
tga
What is the purpose of the reconstruction function in a forensics investigation?
to re-create a suspect's drive to show what happened during a crime or incident
The _____________ format is a proprietary format used by Adobe Photoshop.
.psd
An investigator wants to capture all data on a SATA drive connected to a Linux system. What should the investigator use for the "if=" portion of the dcfldd command?
/dev/sda
Within Windows Vista and later, partition gaps are _____________ bytes in length.
128
Which ISO standard below is followed by the ASCLD?
17025:2005
All TIF files start at offset 0 with what 6 hexadecimal characters?
49 49 2A
Which amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure?
4th
A typical disk drive stores how many bytes in a single sector?
512
_______ describes an accusation of fact that a crime has been committed.
Allegation
Which graphics file format below is rarely compressed?
BMP
How often should hardware be replaced within a forensics lab?
Every 12-18 months
In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters?
FAT
What does FRE stand for?
Federal Rules of Evidence
_______ is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing.
Hearsay
The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System.
Hive
The _______ copies evidence of intrusions to an investigation workstation automatically for further analysis over the network.
Intrusion detection system
A data acquisition method used when a suspect computer can't be shut down to perform a static acquisition
Live acquisitions
A data acquisition method that captures only specific files of interest to the case or specific types of files, such as Outlook .pst files
Logical acquisitions
_______ is the utility used by the ProDiscover program for remote access.
PDServer
Which RAID type utilizes mirrored striping, providing fast access and redundancy?
RAID 10
Which option below is not a recommendation for securing storage containers?
Rooms with evidence containers should have a secured wireless network.
What registry file contains user account management and security settings?
SAM.dat
Which option below is not a standard systems analysis step?
Share evidence with experts outside of the investigation.
_______ does not recover data in free or slack space.
Sparse acquisition
A data acquisition method that captures only specific files of interest to a case, but also collects fragments of unallocated (deleted) data
Sparse acquisitions
As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state?
The decision should be left to the Digital Evidence First Responder (DEFR).
When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented?
The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
_______ is responsible for creating and monitoring lab policies for staff, and provides a safe and secure workplace for staff and evidence.
The lab manager
Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files?
advanced forensic format
Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its malicious code from antivirus tools.
bit-shifting
Which password recovery method uses every possible letter, number, and character found on a keyboard?
brute-force attack
Reconstructing fragments of files that have been deleted from a suspect drive, is known as ____________ in North America.
carving
The _______ is not one of the three stages of a typical criminal case.
civil suit
Which of the following is not a type of graphic file that is created by a graphics program? a. bitmap images b. vector graphics c. metafile graphics d. raster graphics
d
The Linux command _____ can be used to write bit-stream data to files.
dd
The process of converting raw picture data to another format is called _________________.
demosaicing
In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer.
diskpart
Which of the following commands creates an alternate data stream?
echo text > myfile.txt:stream_name
What format was developed as a standard for storing metadata in image files?
exif
A keyword search is part of the analysis process within what forensic function?
extraction
In order to qualify for the Advanced Certified Computer Forensic Technician certification, a candidate must have _______ years of hands-on experience in computer forensics investigations.
five
You must abide by the _______ while collecting evidence.
fourth amendment
What term is used to describe a disk's logical structure of platters, tracks, and sectors?
geometry
Passwords are typically stored as one-way _____________ rather than in plaintext.
hashes
The sale of sensitive or confidential company information to a competitor is known as _______.
industrial espionage
If practical, _______ team(s) should collect and catalog digital evidence at a crime scene or lab.
one
In what temporary location below might passwords be stored?
pagefile.sys
The term _______ is used to describe someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.
person of interest
The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient _______.
probable cause
Referred to as a digital negative, the _______ is typically used on many higher-end digital cameras.
raw file format
What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords?
salted passwords
The term for detecting and analyzing steganography files is _________________.
steganalysis