Digital Forensics Bulk Review

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

The ____ command displays pages from the online help manual for information on Linux commands and their options.

'man'

Which of the following types of files can provide useful information when you're examining an e-mail server?

.log files

In Microsoft Outlook, e-mails are typically stored in which of the following?

.pst and .ost files

____ contains configuration information for Sendmail, helping the investigator to determine where the log files reside.

/etc/sendmail.cf

In a prefetch file, the application's last access date and time are at offset ____.

0x90

Clusters in Windows always begin numbering at what number?

2

Large digital forensics labs should have at least ________ exits.

2

What's the maximum file size when writing data to a FAT32 drive?

2 GB

In FAT32, a 123-KB file uses how many sectors?

246

How many sectors are typically in a cluster on a disk drive?

4 or more

On a Windows system, sectors typically contain how many bytes?

512

SD cards have a capacity up to which of the following?

64gb

On the Linux localhost, the __________ ports are used to access the Autopsy Forensic Browser.

9999

To trace an IP address in an e-mail header, what type of lookup service can you use?

A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net

The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients.

ABA

Which organization has guidelines on how to operate a digital forensics lab?

ANAB

Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider? Search warrants Court orders Subpoenas with prior notice All of the above

All of the Above

According to SANS DFIR Forensics, which of the following tasks should you perform if a mobile device is on and unlocked? Isolate the device from the network. Remove the passcode. Disable the screen lock. All of the above

All of the above

Building a business case can involve which of the following? -Procedures for gathering evidence -Testing software -Protecting trade secrets -All of the above

All of the above

E-mail headers contain which of the following information? An ESMTP number or reference number The sender and receiver e-mail addresses The e-mail servers the message traveled through to reach its destination All of the above

All of the above

NIST document SP 500-322 defines more than 75 cloud services, including which of the following? Drupal as a service Security as a service Backup as a service All of the above

All of the above

Remote wiping of a mobile device can result in which of the following? Returning the phone to the original factory settings Removing account information Deleting contacts All of the above

All of the above

Some clues left on a drive that might indicate steganography include which of the following? Multiple copies of a graphics file Graphics files with the same name but different file sizes Steganography programs in the suspect's All Programs list All of the above

All of the above

The manager of a digital forensics lab is responsible for which of the following? -Knowing the lab objectives -Making necessary changes in lab procedures and software -Ensuring that staff members have enough training to do the job -All of the above

All of the above

What capabilities should a forensics tool have to acquire data from a cloud? Examine virtual systems. Expand and contract data storage capabilities as needed for service changes. Identify and acquire data from the cloud. All of the above

All of the above

Which of the following is a mobile forensics method listed in NIST guidelines? Hex dumping Physical extraction Logical extraction All of the above

All of the above

What are two concerns when acquiring data from a RAID server?

Amount of data storage needed and type of RAID

With remote acquisitions, what problems should you be aware of?

Antivirus, antispyware, and firewall programs

Policies can address rules for which of the following? - When you can log on to a company network from home - The Internet sites you can or can't access - The amount of personal e-mail you can send

Any of the above

In Task 2, you worked with Sleuth Kit and Autopsy which rely on the Linux Web service called __________.

Apache

____ provide additional resource material not included in the body of the report.

Appendixes

Which of the following forensics tools is freeware? ProDiscover Encase Autopsy OS Forensics

Autotopsy

What information is not in an e-mail header?

Blind copy (bcc) addresses

____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version.

Boot.ini

The term TDMA refers to which of the following? (Choose all that apply.) a: A technique of dividing a radio frequency so that multiple users share the same channel b: A proprietary protocol developed by Motorola c: A specific cellular network standard Both a and c

Both A and C

When searching a victim's computer for a crime committed with a specific e-mail, which of the following provides information for determining the e-mail's originator? a: E-mail header b: Username and password c: Firewall log Both a and c

Both a and c

Logging options on e-mail servers can be which of the following? a: Disabled by users b: Set up in a circular logging configuration c: Configured to a specified size before being overwritten Both b and c

C

Which of the following categories of information is stored on a SIM card? a: Call data b: Service-related data Both a and b None of the above

C

Recovering fragments of a file is called ____.

Carving

List three items that should be on an evidence custody form.

Case number, name of the investigator and nature of the case

What do you call a list of people who have had physical possession of the evidence?

Chain of Custody

When you access your e-mail, what type of computer architecture are you using?

Client/server

Confidential business data included with the criminal evidence are referred to as ____ data

Commingled

The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence.

Computer Analysis and Response Team (CART)

____ records are data the system maintains, such as system log files and proxy server logs.

Computer-Generated

If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following?

Coordinate with the Hazmat team

Before enlisting in a certification program, thoroughly research the requirements, ________, and acceptability in your area of employment.

Cost

____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.

Data Recovery

What are the two states of encrypted data in a secure cloud?

Data in motion and data at rest

____ is a layered network defense strategy developed by the National Security Agency (NSA).

Defense in Depth

The process of converting raw images to another format is called which of the following?

Demosaicing

The ____ digital network, a faster version of GSM, is designed to deliver data.

EDGE

What methods do steganography programs use to hide data in graphics files?

Either of the above

Which forensics tools can connect to a suspect's remote computer and run surreptitiously?

EnCase Enterprise and ProDiscover Incident Response

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.

EnCase and X-Ways Forensics

Of all the proprietary formats, which one is the unofficial standard?

Expert Witness

On Mac OSs, the ____ stores any file information not in the MDB or Volume Control Block (VCB).

Extents overflow file

Marking bad clusters data-hiding technique is more common with ____ file systems.

FAT

____ is the file structure database that Microsoft originally designed for floppy disks.

FAT

The ____ tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack.

FROST

A JPEG file is an example of a vector graphic. (True or False)

False

A forensic linguist can determine an author's gender by analyzing chat logs and social media communications. (True or False)

False

A forensic workstation should always have a direct broadband connection to the Internet. (True or False)

False

A warning banner should never state that the organization has the right to monitor what users do. (True or False)

False

ASQ and ANAB are two popular certification programs for digital forensics. (True or False)

False

An initial-response field kit does not contain evidence bags. (True or False)

False

BIOS boot firmware was developed to provide better protection against malware than EFI does developed? (True or false)

False

Commingled data isn't a concern when acquiring cloud data. (True or False)

False

Copyright laws don't apply to Web sites. (True or False)

False

Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. (True or False)

False

Digital forensics and data recovery refer to the same activities. (True or False)

False

Digital forensics facilities always have windows. (True or False)

False

Evidence storage containers should have several master keys. (True or False)

False

FTK Imager can acquire data in a drive's host protected area. (True or False)

False

Graphics files stored on a computer can't be recovered after they are deleted. (True or False)

False

IETF is the organization setting standards for 5G devices. (True or False)

False

If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. (True or False)

False

In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. So, the following dcfldd is command correct. dcfldd if=image_file.img of=/dev/hda1 (True or False)

False

Only one file format can compress graphics files. True or False?

False

Slower data transfer speeds and dealing with minor data errors are two disadvantages of the raw format (True or False)

False

Small companies rarely need investigators. (True or False)

False

The ANAB mandates the procedures established for a digital forensics lab. (True or False)

False

The plain view doctrine in computer searches is well-established law. (True or False)

False

The uRLLC 5G category focuses on communications in smart cities. (True or False)

False

Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. (True or False)

False

When acquiring a mobile device at an investigation scene, you should leave it connected to a laptop or tablet so that you can observe synchronization as it takes place. (True or False)

False

When determining which data acquisition method to use you should not consider how long the acquisition will take. (True or False)

False

When investigating graphics files, you should convert them into one standard format. (True or False)

False

You can view e-mail headers in Notepad with all popular e-mail clients. (True or False)

False

You should always answer questions from onlookers at a crime scene. (True or False)

False

You should always prove the allegations made by the person who hired you. (True or False)

False

You shouldn't include a narrative of what steps you took in your case report (True or False)

False

Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. (True or False)

False

EFS can encrypt which of the following?

Files, folders, and volumes

Police in the United States must use procedures that adhere to which of the following?

Fourth Amendment

What does a sparse acquisition collect for an investigation?

Fragments of unallocated data in addition to the logical allocated data

What's the most commonly used cellular network worldwide?

GSM

You use ____ to create, modify, and save bitmap, vector, and metafile graphics.

Graphics Editors

In which cloud service level can customers rent hardware and install whatever OSs and applications they need?

IaaS

Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.

Image File

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?

Initial-response kit

What methods are used for digital watermarking?

Invisible modification of the LSBs in the file

What are the three rules for a forensic hash?

It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes

Why is professional conduct important?

It includes ethics, morals, and standards of behavior

Which of the following techniques might be used in covert surveillance (Choose All That Apply)?

Keylogging Data sniffing

Which of the following digital forensics tools require the MOST expertise?

Linux 'dd' command line tool

Under copyright laws, computer programs may be registered as ____.

Literary Works

Bitmap (.bmp) files use which of the following types of compression?

Lossless

What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?

Lossless

A JPEG file uses which type of compression?

Lossy

____ compression compresses data by permanently discarding bits of information in the file.

Lossy

Phishing does which of the following?

Lures users with false promises

List two hashing algorithms commonly used for forensic purposes.

MD5 and SHA-1

The SIM file structure begins with the root of the system (____).

MF

Which of the following is a current formatting standard for e-mail?

MIME

What does the Ntuser.dat file contain?

MRU files list

Which of the following relies on a central database that tracks account data, location data, and subscriber information?

MSC

Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons?

Most companies keep inventory databases of all hardware and software used.

Which organization provides good information on safe storage containers?

NISPOM

Which of the following organisations have a standard for verifying digital forensics tools?

NIST

In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?

None of the above

Which of the following Windows 8 files contains user-specific information?

Ntuser.dat

Areal density refers to which of the following?

Number of bits per square inch of a disk platter

All of the following are popular Linux distributions, except:

OSX

With ____, Macintosh moved to the Intel processor and became UNIX based.

OSX

Which of the following are NOT functions necessary for digital forensics tools?

Obfuscation

In JPEG files, what's the starting offset position for the JFIF label?

Offset 6

A typical forensics lab should include all of the following EXCEPT?

Old computers

What's the main piece of information you look for in an e-mail message you're investigating?

Originating e-mail domain or IP address

In general, a criminal case follows three stages: the complaint, the investigation, and the ____.

Prosecution

Which of the following cloud deployment methods typically offers no security?

Public Cloud

Lab costs can be broken down into monthly, ____, and annual expenses.

Quarterly

Name the three formats for digital forensics data acquisitions.

Raw format, proprietary formats, and AFF

____ from both the plaintiff's and defense's attorneys is an optional phase of the trial. Generally, it's allowed to cover an issue raised during cross-examination of a witness.

Rebuttal

When you carve a graphics file, recovering the image depends on which of the following skills?

Recognizing the pattern of the file header content

Typically, a(n) ________ lab has a separate storage area or room for evidence.

Regional

When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do?

Restore the e-mail server from a backup.

In which of the following cases did the U.S. Supreme Court require using a search warrant to examine the contents of mobile devices?

Riley v. California

GSM divides a mobile station into ______ and ______. RAM and ME SIM card and ME SIM card and EEPROM RAM and SIM

SIM card and ME

____ disks are commonly used with Sun Solaris systems.

SPARC

Evidence of cloud access found on a smartphone usually means which cloud service level was in use?

SaaS

What are the three levels of cloud services defined by NIST?

SaaS, PaaS, and IaaS

Digital pictures use data compression to accomplish which of the following goals? Eliminate redundant data. Save space on a hard drive. Provide a crisp and clear image. All of the above

Save space on the hard drive

What is one of the necessary components of a search warrant?

Signature of an impartial judicial officer*******

During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____.

TEMPEST

What term refers to labs constructed to shield EMR emissions?

TEMPEST

What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?

The file is unencrypted automatically.

Which of the following is true about JPEG and TIF files?

They have different values for the first 2 bytes of their file headers.

Most SIM cards allow ______ access attempts before locking you out.

Three

Why is it a good practice to make two images of a suspect drive in a critical investigation?

To ensure at least one good copy of the forensically collected data in case of any failures

Why should you critique your case after it's finished?

To improve your work

Why should you do a standard risk assessment to prepare for an investigation?

To list problems that may happen while conducting the investigation

Why should evidence media be write-protected?

To make sure data isn't altered

When you arrive at the scene, why should you extract only those items you need to acquire evidence?

To minimize how much you have to keep track of at the scene

Why is physical security so critical for digital forensics labs?

To prevent data from being lost, corrupted, or stolen

What's the purpose of an affidavit?

To provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant

Router logs can be used to verify what types of e-mail data?

Tracking flows through e-mail server ports

A CSP's incident response team typically consists of system administrators, network administrators, and legal advisors. (True or False)

True

A hashing algorithm is a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk. (True or False)

True

A logical acquisition collects only specific files of interest to the case. (True or False)

True

A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT. (True or False)

True

A(n) CSA or cloud service agreement is a contract between a CSP and the customer that describes what services are being provided and at what level. (True or False)

True

After examining e-mail headers to find an e-mail's originating address, investigators use forward lookups to track an e-mail to a suspect. (True or False)

True

Amazon was an early provider of Web-based services that eventually developed into the cloud concept. (True or False)

True

An employer can be held liable for e-mail harassment (True or False)

True

An image of a suspect drive can be loaded on a virtual machine. (True or False)

True

CHS stands for cylinders, heads, and sectors. (True or False)

True

Commingling evidence means that sensitive or confidential information being mixed with data collected as evidence. (True or False)

True

Commonly, proprietary format acquisition files can compress the acquisition data and segment acquisition output files into smaller volumes. (True or False)

True

Computer peripherals or attachments can contain DNA evidence. (True or False)

True

Device drivers contain instructions for the OS on how to interface with hardware devices. (True or False)

True

E-mail accessed with a Web browser leaves files in temporary folders. (True or False)

True

Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. (True or False)

True

FTK Imager requires that you use a device such as a USB dongle for licensing. (True or False)

True

File and directory names are some of the items stored in the FAT database. (True or False)

True

For digital evidence, an evidence bag is typically made of antistatic material. (True or False)

True

If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. (True or False)

True

If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. (True or False)

True

In NTFS, files smaller than 512 bytes are stored in the MFT. (True or False)

True

In forensic hashes, a collision occur when two different files have the same hash value. (True or False)

True

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. (True or False)

True

MFT stands for Master File Table. (True or False)

True

Mobile device information might be stored on the internal memory or the SIM card. (True or False)

True

One way to determine the resources needed for an investigation is based on the OS of the suspect computer, list the software needed for the examination. (True or False)

True

Placing it in paint cans and using Faraday bags are two ways you can isolate a mobile device from incoming signals. (True or False)

True

Public cloud services such as Dropbox and OneDrive use Sophos SafeGuard and Sophos Mobile Control as their encryption applications (True or False)

True

SIM card readers can alter evidence by showing that a message has been read when you view it. (True or False)

True

The Internet of Things includes radio frequency identification (RFID) sensors as well as wired, wireless, and mobile devices. (True or False)

True

The cloud services Dropbox, Google Drive, and OneDrive have Registry entries. (True or False)

True

The main goal of a static acquisition is the preservation of digital evidence. (True or False)

True

The multitenancy nature of cloud environments means conflicts in privacy laws can occur. (True or False)

True

The purpose of maintaining a network of digital forensics specialists is to develop a list of colleagues who specialize in areas different from your own specialties in case you need help on an investigation. (True or False)

True

To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations. (True or False)

True

To identify an unknown graphics file format you need to examine a copy of the unknown file with a hexadecimal editor to find the hex code for the first several bytes of the file. (True or False)

True

To see Google Drive synchronization files, you need a SQL viewer. (True or False)

True

Typically, you need a search warrant to retrieve information from a service provider. (True or False)

True

Updates to the EU Data Protection Rules will affect how data is moved during an investigation regardless of location. (True or False)

True

When viewing a file header, you need to include hexadecimal information to view the image. (True or False)

True

With newer Linux kernel distributions, USB devices are automatically mounted, which can alter data on it. (True or False)

True

You begin to take orders from a police detective without a warrant or subpoena. (True or False)

True

You should videotape or sketch anything at a digital crime scene that might be of interest to the investigation. (True or False)

True

Your business plan should include physical security items. (True or False)

True

Embezzlement is a type of digital investigation typically conducted in a business environment. (True or False)

True*******

What is the space on a drive called when a file is deleted?

Unallocated space

List two features NTFS has that FAT does not.

Unicode characters and better security

To determine the types of operating systems needed in your lab, list two sources of information you could use.

Uniform Crime Report statistics and a list of cases handled in your area

What's the most critical aspect of digital evidence?

Validation

Virtual machines have which of the following limitations when running on a host computer?

Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.

Intel ____ has responded to the need for security and performance by producing different CPU designs.

Virtualization Technology (VT)

When should a temporary restraining order be requested for cloud environments?

When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case

Which of the following prevents contamination of evidence?

Write-blockers

As a private-sector investigator, you can become an agent of law enforcement when which of the following happens?

You begin to take orders from a police detective without a warrant or subpoena.

The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.

dd

In the Linux dcfldd command, which three options are used for validating data?

hash, hashlog, and vf

Sendmail uses which file for instructions on processing an e-mail message?

sendmail.cf

On a UNIX-like system, which file specifies where to save different types of e-mail log files?

syslog.conf


Ensembles d'études connexes

Lewis: Chapter 51: Breast Disorders

View Set

Geology Lab: Topographic Maps and Profiles

View Set

Test 2: Chapter 6 Analyzing the Audience

View Set

20th Century Final Exam Dr. Green Covenant College

View Set

Pharmacology Chapter 10 "Antibercular Drugs"

View Set