Data Forensic I Final Exam
When was the Freedom of Information Act originally enacted?
1960s
When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action?
80 degrees or higher
What usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will?
A warning banner
What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?
A warrant
Which term refers to an accusation or supposition of fact that a crime has been committed and is made by the complainant, based on the incident?
Allegation
What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?
An affidavit
What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible?
An initial-response field kit
Where should your computer backups be kept?
An off-site facility
Power should not be cut during an investigation involving a live computer, unless it is what type of system?
An older Windows or MS-DOS system
What term refers to the number of bits in one square inch of a disk platter?
Areal density
How frequently should floors and carpets in the computer forensic lab be cleaned to help minimize dust that can cause static electricity?
At least once a week
What term refers to the individual who has the power to conduct digital forensic investigations?
Authorized requester
In what process is the acquisition of newer and better resources for investigation justified?
Building a business case
Which Pacific Northwest agency meets to discuss problems that digital forensics examiners encounter?
CTIN
When confidential business data are included with the criminal evidence, what are they referred to as?
Commingled data
What process refers to recording all the updates made to a workstation?
Configuration management
A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?
Data recovery
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. What are these cluster addresses called?
Data runs
Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?
Digital investigations
What type of plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing?
Disaster recovery
What term refers to a person using a computer to perform routine tasks other than systems administration?
End user
Which group often works as part of a team to secure an organization's computers and networks?
Forensics investigators
What organization was created by police officers in order to formalize credentials for digital investigators?
IACIS
Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes?
Investigating and controlling the scene is much easier in private sector environments.
What must be done, under oath, to verify that the information in the affidavit is true?
It must be notarized.
What do published company policies provide for a business that enables them to conduct internal investigations?
Line of authority
What term refers to Linux ISO images that can be burned to a CD or DVD?
Linux Live CDs
What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?
Live
What type of acquisition is used for most remote acquisitions?
Live
What is on an NTFS disk immediately after the Partition Boot Sector?
MFT
What are records in the MFT called?
Metadata
What is most often the focus of digital investigations in the private sector?
Misuse of digital assets
Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS?
NTBootdd.sys
Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr?
NTDetect.com
Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?
NTFS
Which filename refers to the Windows XP system service dispatch stubs to executables functions and internal support functions?
Ntdll.dll
What type of evidence do courts consider evidence data in a computer to be?
Physical
The presence of police officers and other professionals who aren't part of the crime scene-processing team may result in the loss or corruption of data through which process?
Professional curiosity
What is the third stage of a criminal case, after the complaint and the investigation?
Prosecution
Which activity involves determining how much risk is acceptable for any process or operation?
Risk management
If your time is limited, what type of acquisition data copy method should you consider?
Sparse
Which technique can be used for extracting evidence from large systems?
Sparse acquisition
Under what circumstances are digital records considered admissible?
They are business records
When seizing computer evidence in criminal investigations, which organization's standards should be followed?
U.S. DOJ
Which filename refers to a core Win32 subsystem DLL file?
User32.sys
How do most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks?
ZBR
What command works similarly to the dd command but has many features designed for computer forensics acquisitions?
dcfldd
What command creates a raw format file that most computer forensics analysis tools can read?
dd
What option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512?
hash
What command displays pages from the online help manual for information on Linux commands and their options?
man