DFR 1001 Quiz 2 review
E-mail accessed with a Web browser leaves files in temporary folders. True or False?
True
Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or False?
True
The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False?
True
To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations. True or False?
True
When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False?
True
When viewing a file header, you need to include hexadecimal information to view the image. True or False?
True
In JPEG files, what's the starting offset position for the JFIF label?
c. Offset 6
Some clues left on a drive that might indicate steganography include which of the following? (Choose all that apply.)
-multiple copies of a graphics file -graphics files with the same name but different sizes -graphic files with different file stamps
A forensic linguist can determine an author's gender by analyzing chat logs and social media communications. True or False?
False
A JPEG file is an example of a vector graphic. True or False?
False
Copyright laws don't apply to Web sites. True or False?
False
Graphics files stored on a computer can't be recovered after they are deleted. True or False?
False
Only one file format can compress graphics files. True or False?
False
When investigating graphics files, you should convert them into one standard format. True or False?
False
You can view e-mail headers in Notepad with all popular e-mail clients. True or False?
False
What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?
Lossless Compression uses an algorithm that allows viewing the graphics file without losing any portion of the data.
A JPEG file uses which type of compression?
Lossy
Rainbow tables serve what purpose for digital forensics examinations?
Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords
When you carve a graphics file, recovering the image depends on which of the following skills?
Recognizing the pattern of the file header content
________________ happens when an investigation goes beyond the bounds of its original description.
Scope creep
Explain how to identify an unknown graphics file format that your digital forensics tool doesn't recognize.
To identify an unknown graphics format that the DFR tools don't recognize, one should examine a copy of that file with a hexadecimal editor to find the hex code for the first several bytes of the file.
After examining e-mail headers to find an e-mail's originating address, investigators use forward lookups to track an e-mail to a suspect. True or False?
True
In Microsoft Outlook, what are the e-mail storage files typically found on a client computer?
a. .pst and .ost
What information is not in an e-mail header? (Choose all that apply.)
a. Blind copy (bcc) addresses b. Internet addresses d. Contents of the message e. Type of e-mail server used to send the e-mail 487
When searching a victim's computer for a crime committed with a specific e-mail, which of the following provides information for determining the e-mail's originator? (Choose all that apply.)
a. E-mail header c. Firewall log
The Known File Filter (KFF) can be used for which of the following purposes? (Choose all that apply.)
a. Filter known program files from view. c. Compare hash values of known files with evidence files.
What methods do steganography programs use to hide data in graphics files? (Choose all that apply.)
a. Insertion b. Substitution
E-mail headers contain which of the following information? (Choose all that apply.)
a. The sender and receiver e-mail addresses b. An ESMTP number or reference number c. The e-mail servers the message traveled through to reach its destination
Sendmail uses which file for instructions on processing an e-mail message?
a. sendmail.cf
Which forensic image file format creates or incorporates a validation hash value in the image file? (Choose all that apply.)
a. Expert Witness b. SMART c. AFF
For which of the following reasons should you wipe a target drive?
a. To ensure the quality of digital evidence you acquire b. To make sure unwanted data isn't retained on the drive Both a and b
Digital pictures use data compression to accomplish which of the following goals? (Choose all that apply.)
a.Save space on a hard drive. d.Produce a file that can be e-mailed or posted on the Internet.
The National Software Reference Library provides what type of resource for digital forensics examiners?
b. A list of MD5 and SHA1 hash values for all known OSs and applications
Which of the following represents known files you can eliminate from an investigation? (Choose all that apply.)
b. Files associated with an application c. System files the OS uses
Steganography is used for which of the following purposes?
b. Hiding data
Phishing does which of the following?
b. Lures users with false promises
Which of the following is a current formatting standard for e-mail?
b. MIME
What's the main piece of information you look for in an e-mail message you're investigating?
b. Originating e-mail domain or IP address
When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do?
b. Restore the e-mail server from a backup.
If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords?
b. Salting can make password recovery extremely difficult and time consuming.
Logging options on e-mail servers can be which of the following? (Choose all that apply.)
b. Set up in a circular logging configuration c. Configured to a specified size before being overwritten
You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?
b. There's a hidden partition.
Which of the following is true about JPEG and TIF files?
b. They have different values for the first 2 bytes of their file headers.
What methods are used for digital watermarking? (Choose all that apply.)
b.Invisible modification of the LSBs in the file c.Layering visible symbols on top of the image
Which of the following types of files can provide useful information when you're examining an e-mail server?
c. .log files
To trace an IP address in an e-mail header, what type of lookup service can you use? (Choose all that apply.)
c. A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net d. Any Web search engine
When you access your e-mail, what type of computer architecture are you using?
c. Client/server
Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?
c. Internal corporate investigation because corporate investigators typically have ready access to company records
13. In steganalysis, cover-media is which of the following?
c. The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file
On a UNIX-like system, which file specifies where to save different types of e-mail log files?
c. syslog.conf
Router logs can be used to verify what types of e-mail data?
c. Tracking flows through e-mail server ports
Bitmap (.bmp) files use which of the following types of compression?
d. Lossless
Block-wise hashing has which of the following benefits for forensics examiners?
d. Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive
The process of converting raw images to another format is called which of the following?
d. Demosaicing
After you shift a file's bits, the hash value remains the same. True or False?
false
Password recovery is included in all forensics tools. True or False?
false
Commercial encryption programs often rely on _______________ technology to recover files if a password or passphrase is lost
key escrow
