Data Forensic I Final Exam

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

When was the Freedom of Information Act originally enacted?

1960s

When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action?

80 degrees or higher

What usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will?

A warning banner

What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?

A warrant

Which term refers to an accusation or supposition of fact that a crime has been committed and is made by the complainant, based on the incident?

Allegation

What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?

An affidavit

What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible?

An initial-response field kit

Where should your computer backups be kept?

An off-site facility

Power should not be cut during an investigation involving a live computer, unless it is what type of system?

An older Windows or MS-DOS system

What term refers to the number of bits in one square inch of a disk platter?

Areal density

How frequently should floors and carpets in the computer forensic lab be cleaned to help minimize dust that can cause static electricity?

At least once a week

What term refers to the individual who has the power to conduct digital forensic investigations?

Authorized requester

In what process is the acquisition of newer and better resources for investigation justified?

Building a business case

Which Pacific Northwest agency meets to discuss problems that digital forensics examiners encounter?

CTIN

When confidential business data are included with the criminal evidence, what are they referred to as?

Commingled data

What process refers to recording all the updates made to a workstation?

Configuration management

A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?

Data recovery

The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. What are these cluster addresses called?

Data runs

Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?

Digital investigations

What type of plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing?

Disaster recovery

What term refers to a person using a computer to perform routine tasks other than systems administration?

End user

Which group often works as part of a team to secure an organization's computers and networks?

Forensics investigators

What organization was created by police officers in order to formalize credentials for digital investigators?

IACIS

Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes?

Investigating and controlling the scene is much easier in private sector environments.

What must be done, under oath, to verify that the information in the affidavit is true?

It must be notarized.

What do published company policies provide for a business that enables them to conduct internal investigations?

Line of authority

What term refers to Linux ISO images that can be burned to a CD or DVD?

Linux Live CDs

What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?

Live

What type of acquisition is used for most remote acquisitions?

Live

What is on an NTFS disk immediately after the Partition Boot Sector?

MFT

What are records in the MFT called?

Metadata

What is most often the focus of digital investigations in the private sector?

Misuse of digital assets

Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS?

NTBootdd.sys

Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr?

NTDetect.com

Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?

NTFS

Which filename refers to the Windows XP system service dispatch stubs to executables functions and internal support functions?

Ntdll.dll

What type of evidence do courts consider evidence data in a computer to be?

Physical

The presence of police officers and other professionals who aren't part of the crime scene-processing team may result in the loss or corruption of data through which process?

Professional curiosity

What is the third stage of a criminal case, after the complaint and the investigation?

Prosecution

Which activity involves determining how much risk is acceptable for any process or operation?

Risk management

If your time is limited, what type of acquisition data copy method should you consider?

Sparse

Which technique can be used for extracting evidence from large systems?

Sparse acquisition

Under what circumstances are digital records considered admissible?

They are business records

When seizing computer evidence in criminal investigations, which organization's standards should be followed?

U.S. DOJ

Which filename refers to a core Win32 subsystem DLL file?

User32.sys

How do most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks?

ZBR

What command works similarly to the dd command but has many features designed for computer forensics acquisitions?

dcfldd

What command creates a raw format file that most computer forensics analysis tools can read?

dd

What option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512?

hash

What command displays pages from the online help manual for information on Linux commands and their options?

man


Ensembles d'études connexes

Chapter 13 (The Bureaucracy) study guide 2

View Set

Maternity and Women's Health- Pregnancy, Uncomplicated

View Set

Unrelated, directly, inversely, reciprocal

View Set

Critical thinking/ Review Questions- Ch 17, 5, 6, 9 for Exam 1

View Set