final exam cist 2612

On a Macintosh, the __________ folder maintains the preferences of programs that have been deleted.

/Users/<user>/Library/Preferences/

In__________, Steve Wozniak and Steve Jobs finished the prototype of the first Apple computer

1975

The typical sector size of a modern hard drive is _______ bytes.

4,096

The total number of possible keys for Data Encryption Standard (DES) is _________, which a modern computer system can break in a reasonable amount of time.

56

The Apple I had a built-in video terminal and sockets for __________ kilobytes of onboard random access memory (RAM).

8

__________ is the cyber equivalent of vandalism.

A denial of service (DoS) attack

Regarding incident response, what step aims to limit an incident?

Containment

The distribution of illegally copied materials via the Internet is known as __________.

Data piracy

Which of the following is true of hard drives?

File systems look at clusters, not sectors.

The Windows Registry is organized into five sections. The __________ section is critical to forensic investigations. It has profiles for all the users, including their settings.

HKEY_USERS (HKU)

__________ is a Windows file that is an interface for hardware.

Hal.dll

Which of the following requires certification candidates to take an approved training course, pass a written test, and submit to a review of the candidate's work history?

High Tech Crime Network certifications

A port is a number that identifies a channel in which communication can occur. Which port does Simple Mail Transfer Protocol over Secure Sockets Layer (SMTP over SSL) use to secure email sending?

Port 465

A port is a number that identifies a channel in which communication can occur. Which port does POP3 Secure use for encrypted POP3?

Port 995

__________ is the process of analyzing a file or files for hidden content

Steganalysis

Windows uses __________ on each system as a "scratch pad" to write data when additional random access memory (RAM) is needed.

a swap file

The basic repair tool in Windows is _______.

chkdsk

The Linux/UNIX command __________ can be used to search for files or contents of files.

grep

The email __________ keeps a record of the message's journey as it travels through a communications network.

header

Which Linux shell command lists all currently running processes (programs or daemons) that the user has started?

ps

The Electronic Communications Privacy Act requires an investigator to have a wiretap order to acquire ___________ information from an Internet service provider (ISP).

real-time access

On a Macintosh, the __________ folder contains information about system and software updates.

/Library/Receipts

On a Macintosh, the __________ directory contains information about servers, network libraries, and network properties.

/Network

On a Macintosh, the _________ directory contains information about mounted devices.

/Volumes

The __________ directory in Linux is different from any other directory in that it is not really stored on the hard disk. It is created in memory and keeps information about currently running processes.

/proc

If you need to know what documents have been printed from a Macintosh, the __________ folder can give you that information.

/var/spool/cups

With respect to phishing, a good fictitious email gets a __________ response rate, according to the Federal Bureau of Investigation (FBI).

1 to 3 percent

__________ aims at perpetrators who attempt to hide the pornographic nature of their websites, often to make it more accessible to minors.

18 U.S.C. 2252B

The basis of Moore's Law found that the number of components in integrated circuits doubled every __________ and each doubling of capacity was done at half the cost.

18 to 24 months

A business impact analysis indicates an organization cannot operate without its web server for more than 5 days and still recover. The mean time to repair is 3 days. How many days do you have after a disaster to initiate repairs or the organization will not be able to recover?

2

When Apple released the Macintosh in 1984, it had a __________ megahertz Motorola processor.

8

__________ has a source and destination port number, but it lacks a sequence number and synchronization bits.

A User Datagram Protocol (UDP) header

Which of the following is NOT true of chain of custody forms?

A chain of custody form is a federal form and is therefore universal.

What is the definition of Feistel function?

A cryptographic function that splits blocks of data into two parts; it forms the basis for many block ciphers

__________ is designed to render a target unreachable by legitimate users, not to provide the attacker access to the site

A denial of service (DoS) attack

After a computer incident or disaster, staff must take actions to preserve forensic information. In what situation is determining the cause of an incident irrelevant to forensics?

A drive that failed due to water damage from a sprinkler system

What is the definition of stream cipher?

A form of cryptography that encrypts the data as a stream, one bit at a time

What is the definition of hash?

A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions

What is meant by symmetric cryptography?

A method in which the same key is used to encrypt and decrypt plaintext

__________ contains remnants of word processing documents, emails, Internet browsing activity, database entries, and almost any other work that has occurred during past Windows sessions

A swap file

What is meant by zero-knowledge analysis?

A technique for file system repair that involves recovering data from a damaged partition with limited knowledge of the file system

The Transmission Control Protocol (TCP) header has synchronization bits that are used to establish and terminate communications across a network between two communicating parties. The __________ bit acknowledges the attempt to synchronize communications.

ACK

What is meant by distributed denial of service (DDoS) attack?

An attack in which the attacker seeks to infect several machines, and use those machines to overwhelm the target system to achieve a denial of service

The process of sending an email message to an anonymizer is the definition of what?

Anonymous remailing

Susan is a hacker. After breaking into a computer system and running some hacking tools, she deleted several files she created to cover her tracks. What general term describes Susan's actions?

Anti-forensics

The _________ is used with any PowerPC-based Mac. Intel-based Macs can mount and use a drive formatted with this, but cannot boot from the device. PowerPC-based Macs can both mount and use a drive formatted with this, and can also use it as a start-up device

Apple Partition Map

__________ is cryptography wherein two keys are used: one to encrypt the message and another to decrypt it.

Asymmetric cryptography

The __________ cipher is a Hebrew code that substitutes the first letter of the alphabet for the last letter and the second letter for the second-to-last letter, and so forth.

Atbash

__________ is information at the level of 1s and 0s stored in computer memory or on a storage device.

Bit-level information

Paige is attempting to recover data from a failed hard disk. She removed the failed drive from the system on which it was installed, and then connected it to a test system. She made the connection by simply connecting the data and power cables but did not actually install the failed drive. What step should she perform next?

Boot the test system from its own internal drive.

Linux offers many different shells. Each shell is designed for a different purpose. __________ is the most commonly used shell in Linux.

Bourne-again shell

What is the process whereby the disaster recovery team contemplates likely disasters and what impact each would have on the organization?

Business impact analysis

Cloud computing, in which resources, services, and applications are located remotely instead of on a local server, affects digital forensics in several ways. What is NOT true of cloud computing?

Cloud computing makes data acquisition impossible

The __________ is a federal wiretap law for traditional wired telephony that was expanded to include wireless, voice over internet protocol (VoIP), and other forms of electronic communications

Communications Assistance for Law Enforcement Act of 1994

_______ is an industry certification that focuses on knowledge of PC hardware.

CompTIA A+

The __________ was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.

Computer Security Act of 1987

What name is given to a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification?

Consistency checking

RFC 3864 describes message header field names. Information about how the message is to be displayed, usually a Multipurpose Internet Mail Extensions (MIME) type, refers to which header field?

Content-Type

There are four layers to iOS, the operating system used by the iPhone, iPod, and iPad. The _________ layer is the heart of the operating system.

Core OS

There are four layers to iOS, the operating system used by the iPhone, iPod, and iPad. The__________ layer is how applications interact with iOS.

Core Services

Ben was browsing reviews on a sporting goods website from which he purchased items in the past. He saw a comment that read "Great price on camping gear! Read my review." When he clicked the associated link, a new window appeared and prompted him to log in again. What type of attack is most likely underway?

Cross-site scripting (XSS)

The program that handles tasks like creating threads, console windows, and so forth in Windows is __________.

Crss.exe

What term describes a method of using techniques other than brute force to derive a cryptographic key?

Cryptanalysis

__________ obfuscates a message so that it cannot be read.

Cryptography

The __________ requires that scientific evidence presented in court be generally accepted in the relevant scientific field. This means it is unlikely that a new tool will be released and immediately utilized in court.

Daubert Standard

Ed is an expert witness providing testimony in court. He uses a high-tech computer animation to explain a technical concept to the judge and jury. What type of evidence is Ed using?

Demonstrative

Which forensic software tool provider offers Blade, HstEx, and NetAnalysis?

Digital Detective

Identification, preservation, collection, examination, analysis, and presentation are six classes in the matrix of the __________.

Digital Forensic Research Workshop (DFRWS) framework

Which forensic tool provider offers DRIVESPY, IMAGE, PART, PDBlock, and PDWipe?

Digital Intelligence

__________ is information that has been processed and assembled to be relevant to an investigation, and that supports a specific finding or determination.

Digital evidence

__________ is a free utility that comes as a graphical user interface for use with Windows operating systems. When you first launch the utility, it presents you with a cluster-by-cluster view of your hard drive in hexadecimal form.

Disk Investigator

The basic repair tool in Mac OS is _______.

Disk Utility

__________ is data stored as written matter, on paper or in electronic files.

Documentary evidence

Jan is entering the digital forensics field and wants to pursue a general forensics certification. Which certification is BEST to start with?

EC-Council Certified Hacking Forensic Investigator (CHFI)

Guidance Software offers Enterprise, eDiscovery, Forensic, and Portable. They are all _________ products.

EnCase

The __________ format is a proprietary file format defined by Guidance Software for use in its forensic tool to store hard drive images and individual files.

EnCase

At which phase of incident response does computer forensics begin?

Eradication

__________ describes the total number of coprime numbers; two numbers are considered coprime if they have no common factors.

Euler's Totient

What is a formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted?

Expert report

T/F? (ISC)2 offers the GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Reverse Engineering Malware (GREM) certifications.

FALSE

T/F? A forensic server must be able to accommodate many gigabytes of data to store images of suspect machines.

FALSE

T/F? Forensic examiners are exempt from Health Insurance Portability and Accountability Act (HIPAA) rules regarding disclosure of protected health information (PHI) when working on a crime investigation.

FALSE

T/F? One of the earliest digital crimes was taking the "half-way measure," wherein the criminal would use the half-cent variance resulting from calculating an individual's pay and move that rounded-off variation to his or her own account.

FALSE

T/F? Software that a provider licenses to customers as a service on demand through a subscription model is known as software on demand.

FALSE

T/F? The Electronic Communications Privacy Act extended the consent exception guideline to email monitoring, which states that one party to a conversation must give consent.

FALSE

T/F? The EnCase Certified Examiner (EnCE) certification is open only to the private sector.

FALSE

The Transmission Control Protocol (TCP) header has synchronization bits that are used to establish and terminate communications across a network between two communicating parties. The __________ bit indicates that there is no more data from the sender.

FIN

What are attributes of a solid-state drive (SSD)?

Flash memory and microchips

__________ is a U.S. law that prescribes procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between foreign powers and agents of foreign powers, which may include American citizens and permanent residents suspected of espionage or terrorism.

Foreign Intelligence Surveillance Act (FISA)

The __________ standard developed by the European Telecommunications Standards Institute (ETSI) is basically a 2G network.

Global System for Mobile (GSM) communications

The Windows Registry is organized into five sections. The __________ section stores information about drag-and-drop rules, program shortcuts, the user interface, and related items.

HKEY_CLASSES_ROOT (HKCR)

The Windows Registry is organized into five sections. The __________ section contains those settings common to the entire machine, regardless of the individual user.

HKEY_LOCAL_MACHINE (HKLM)

Suppose a virus takes a company's main web server offline. What would NOT be part of a business continuity plan (BCP) in this case?

Having a full web server, equivalent to the failed server, back online and running at full capacity

Jim is a forensic specialist. He seized a suspect computer from a crime scene, removed the hard drive and bagged it, documented and labeled the equipment, took photographs, completed a chain of custody form, and locked the computer in his car. On the way to the lab, he stopped to purchase supplies to use at the next crime scene. What did Jim do wrong?

He left the computer unattended while shopping for supplies.

What was designed as an area where computer vendors could store data that is shielded from user activities and operating system utilities, such as delete and format?

Host protected area (HPA)

Jennifer sends a threatening email to Rachel, a classmate, to bully her. What type of computer security incident is being described?

Inappropriate usage

Samuel provided illegal copies of software to others through a peer-to-peer (P2P) file-sharing service. The P2P software caused data leakage, resulting in private data from Sam's computer being shared on the Internet with anyone else using the same P2P software. What type of network security incident is being described?

Inappropriate usage

The subscriber identity module (SIM) is a memory chip that stores the __________.

International Mobile Subscriber Identity (IMSI)

Which of the following are subclasses of fraud?

Investment offers and data piracy

What is NOT true of cyberstalking?

Is not a criminal offense

What is NOT true of random access memory (RAM)?

It cannot be changed

__________ is the process whereby the file system keeps a record of what file transactions take place so that in the event of a hard drive crash, the files can be recovered.

Journaling

__________ is a Linux Live CD that you use to boot a system and then use the tools. It is a free Linux distribution, making it attractive to schools teaching forensics or laboratories on a strict budget

Kali Linux

What name is given to a method of attacking polyalphabetic substitution ciphers? This method can be used to deduce the length of the keyword used in a polyalphabetic substitution cipher.

Kasiski examination

Packets exist in the Open Systems Interconnection (OSI) model at __________.

Layer 3

Which operating system uses the ext file system natively?

Linux

What is the process of searching memory in real time, typically for working with compromised hosts or to identify system abuse?

Live system forensics

What term describes analysis performed on an evidence disk or a forensic duplicate using the native operating system?

Logical analysis

The number 22 for SSH (Secure Shell) and 80 for Hypertext Transfer Protocol (HTTP) are examples of ________.

Logical port numbers

The __________ standard for wireless communication of high-speed data for mobile devices is what is commonly called 4G.

Long Term Evolution (LTE)

The release of __________, was meant to be more in synch with the style of other Apple systems, such as iOS and WatchOS.

Mac OS X v10.12 in 2017, named Sierra

The release of _____________, had over 300 new features, support for Intel x86 chips, and support for the new G3 processor.

Mac OS X v10.5 in 2007, called Leopard

Malcolm uses a USB thumb drive at home to store music and videos he downloaded from the Internet. One day he inserts it into a work computer to show a co-worker a funny video. In doing so, a malicious file on the thumb drive infects the computer. What type of computer security incident is being described?

Malicious code

Company AZ hosts an e-commerce server with a large hard drive. The manufacturer claims the drive is guaranteed to perform properly for 100,000 hours. What is this measure most closely related to?

Mean time before failure (MTBF)

What term describes data about information, such as disk partition structures and file tables?

Metadata

Files with .pst extensions belong to which email client?

Microsoft Outlook

What is the switching system for the cellular network?

Mobile switching center (MSC)

Windows 2000 and newer Windows operating systems use the __________ file system

NTFS

__________ is a storage controller device driver in Windows.

Ntbootdd.sys

Which tool uses a brute-force approach to enumerating processes and threads in a memory dump from a Windows system?

PTFinder

One principal of evidence gathering is to avoid changing the evidence. Which of the following is NOT true of evidence gathering?

Photograph seized equipment after you set it up in the lab.

__________ is offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system.

Physical analysis

A port is a number that identifies a channel in which communication can occur. Which port does Post Office Protocol Version 3 (POP3) use to retrieve email?

Port 110

A port is a number that identifies a channel in which communication can occur. Which port does the Internet Message Access Protocol (IMAP) email service use?

Port 143

A port is a number that identifies a channel in which communication can occur. Which port does SSH (Secure Shell) use to remotely and securely log on to a system?

Port 22

A port is a number that identifies a channel in which communication can occur. Which port does SMTP (Simple Mail Transfer Protocol) use to send email?

Port 25

A port is a number that identifies a channel in which communication can occur. Which port does Whois use, a command that queries a target IP address for information?

Port 43

A port is a number that identifies a channel in which communication can occur. Which port does HTTPS (Hypertext Transfer Protocol Secure) use for secure web browser communication?

Port 443

A port is a number that identifies a channel in which communication can occur. Which port does Domain Name Service (DNS) use to translate uniform resource locators into web addresses?

Port 53

A port is a number that identifies a channel in which communication can occur. Which port does Hypertext Transfer Protocol (HTTP) use to display webpages?

Port 80

What term is used to describe a protocol used to receive email that works on port 110?

Post Office Protocol version 3 (POP3)

What common email header field is commonly used with the values "bulk," "junk," or "list"; or used to indicate that automated "vacation" or "out of office" responses should not be returned for the mail?

Precedence

The __________ protects journalists from being required to turn over to law enforcement any work product and documentary material, including sources, before it is disseminated to the public.

Privacy Protection Act of 1980

Which tool can tell you system uptime (time since last reboot), operating system details, and other general information about a Windows system?

PsInfo

Which tool lets you view process and thread statistics on a Windows system?

PsList

Priyanka is a forensic investigator. She is at an office where a Macintosh computer was used in a suspected crime. The computer is still running. Priyanka wants to image the disk before transporting the computer to the forensic lab. She also wants to avoid accidentally altering information on the computer's hard disk. What should she do first?

Put the computer in Target Disk Mode.

When seizing evidence from a mobile device, the __________ utility allows you to unlock a locked iPod Touch.

Pwnage

BlackBerry uses its own proprietary operating system, BlackBerry 10. It is based on the __________ operating system.

QRNX

What version of RAID involves three or more striped disks with parity that protect data against the loss of any one disk?

RAID 3 or 4

The Windows swap file is used to augment the __________.

RAM

The __________ cipher is a single-alphabet substitution cipher that is a permutation of the Caesar cipher. All characters are rotated 13 characters through the alphabet.

ROT13

_________ is the method used by password crackers who work with pre-calculated hashes of all passwords possible within a certain character space.

Rainbow table

What common email header field includes tracking information generated by mail servers that have previously handled a message, in reverse order?

Received

Regarding incident response, what step involves restoring software and data from a backup source that has been verified to be free from the malware infection?

Recovery

What is the repository of all the information on a Windows system?

Registry

Apple Computer's three founders were Steve Jobs, Steve Wozniak, and __________

Ronald Wayne

__________ govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.

Rules of evidence

Which of the following BEST defines rules of evidence?

Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury

The __________ contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies.

Sarbanes-Oxley Act of 2002

The Windows __________ log contains successful and unsuccessful logon events.

Security

What name is given to a protocol used to send email that works on port 25?

Simple Mail Transfer Protocol (SMTP)

Which denial of service (DoS) attack generates a large number of ICMP echo requests from a single request, acting like an amplifier and causing a traffic jam in the target network?

Smurf attack

What uses microchips that retain data in non-volatile memory chips and contains no moving parts?

Solid-state drive (SSD)

What is a type of targeted phishing attack in which the criminal targets a specific group; for example, IT staff at a bank?

Spear phishing

__________ involves making an email message appear to come from someone or someplace other than the real sender or location.

Spoofing

Aditya is a digital forensics specialist. He is investigating the computer of an identity theft victim. What should he look for first?

Spyware

________ is the art and science of writing hidden messages.

Steganography

__________ is a term that refers to hiding messages in sound files.

Steganophony

T/F? A hard drive failure, accidental data deletion, or similar small-scale incident will not prevent a redundant network server or storage area network from continuing to provide data and services to end users.

TRUE

T/F? According to Moore's Law, a component that cost $100 would have twice the capability but would cost only $50 within 18 to 24 months.

TRUE

T/F? According to the USA Patriot Act, a "protected computer" is any computer at a financial institution or a government agency

TRUE

T/F? An organization needs to store far more data than any single server can accommodate. One solution is to deploy a storage area network.

TRUE

T/F? Forensic labs should use the highest-capacity cabling available, such as optical cable, to efficiently move drive images across a network to storage.

TRUE

T/F? In September 2005, the Communications Assistance to Law Enforcement Act of 1996 (CALEA) was extended to the Web and broadband access for the purpose of wiretap ability.

TRUE

T/F? It is very common for criminal enterprises to intentionally construct their own clouds with data stored in jurisdictions with rules and laws that make data retrieval for the purpose of forensics difficult or impossible.

TRUE

T/F? One of the earliest uses of digital systems was to compute payroll.

TRUE

T/F? Storage as a service (SaaS) allows a computer in one place to connect to actual storage embedded in the cloud.

TRUE

T/F? The EC-Council offers the Certified Hacking Forensic Investigator (CHFI) certification.

TRUE

T/F? The Health Insurance Portability and Accountability Act (HIPAA) contains the Privacy Rule, which covers the disclosure of personally identifiable protected health information (PHI).

TRUE

T/F? The International Association of Computer Investigative Specialists (IACIS) is a membership organization aimed at system forensic examiners in law enforcement and the government.

TRUE

T/F? Today, a typical low-end mobile phone has more capability and capacity than the UNIVAC I, the first digital computer.

TRUE

In which denial of service (DoS) attack does the attacker send fragments of packets with bad values in them, causing the target system to crash when it tries to reassemble the fragments?

Teardrop attack

What term describes data that an operating system creates and overwrites without the computer user directly saving this data?

Temporary data

What term describes information that forensic specialists use to support or interpret real or documentary evidence? For example, a specialist might demonstrate that the fingerprints found on a keyboard are those of a specific individual.

Testimonial evidence

It is a common practice to keep Linux kernel images in which directory?

The /boot directory

Which Linux log records application crashes?

The /var/log/apport.log log

__________ was the first law meant to curtail unsolicited email. However, the law has many loopholes.

The CAN-SPAM Act

__________ is the concept that any scientific evidence presented in a trial has to have been reviewed and tested by the relevant scientific community.

The Daubert Standard

__________ sets standards for digital evidence processing, analysis, and diagnostics.

The DoD Cyber Crime Center (DC3)

The American Academy of Forensic Sciences is a multidisciplinary professional organization that aims to promote integrity, competency, education, research, practice, and collaboration in forensics. It produces which of the following journals?

The Journal of Forensic Sciences

__________ is a free suite of command-line tools and has the ability to search for fragments of deleted tools. The graphical user interface (GUI) for the suite is called Autopsy

The Sleuth Kit

The __________ has significantly reduced restrictions on law enforcement agencies' gathering of intelligence within the United States. It has also expanded the Secretary of the Treasury's authority to regulate financial transactions, particularly those involving foreign individuals and entities

The USA Patriot Act

Storage as a service allows a computer in one place to connect to data storage embedded in the cloud. What is NOT true of storage as a service?

The data has no evidentiary value in a forensic investigation

What is a home location register (HLR) in a cellular network?

The database used by the mobile switching center (MSC) for subscriber data and service information

What is meant by maximum tolerable downtime (MTD)?

The length of time a system can be down before the business cannot recover

According to NIST 800-61, what is NOT typically included in an incident response plan?

The mean time to repair (MTTR) of key equipment

Which phase of disaster recovery is about discovering if the disaster was caused by some weakness in the system?

The post recovery follow-up

What is meant by "slurred image"?

The result of acquiring a file as it is being updated

In steganography, what is meant by carrier?

The signal, stream, or data file in which the payload is hidden

What is the definition of transposition in terms of cryptography?

The swapping of blocks of ciphertext

The process of connecting to a server and exchanging packets containing acknowledgment (ACK) and synchronize (SYN) flags is called:

Three-way handshake

Which open source alternative to PC Anywhere allows program users to legitimately log on to a remote system and work just like they were sitting in front of the desktop?

Timbuktu

When gathering systems evidence, what is NOT a common principle?

Trust only virtual evidence.

Which Linux distribution is highly popular with beginners?

Ubuntu

_______ is the area of a hard drive that has never been allocated for file storage.

Unallocated space

__________ is a 3G standard based on Global System for Mobile (GSM) communications.

Universal Mobile Telecommunications System (UMTS)

What kind of data changes rapidly and may be lost when the machine that holds it is powered down?

Volatile data

According to the order of volatility in RFC 3227, what evidence should you collect first on a typical system?

Volatile data, then file slack

__________ is a live-system forensic technique in which you collect a memory dump and perform analysis in an isolated environment.

Volatile memory analysis

This is the space that remains on a hard drive if the partitions do not use all the available space.

Volume slack

A common approach for manually managed backups is the Grandfather-Father-Son scheme. Consider a server using traditional tape backup that is backed up daily. At the end of the week, a weekly backup is made. At the end of the month, there is a monthly backup made. Which of the following is NOT true of the Grandfather-Father-Son scheme?

Weekly backups are not reused, only sons and grandfathers.

__________ refers to phishing with a specific, high-value target in mind. For example, the attacker may target the president or CEO of a company.

Whaling

The software as a service (SaaS) model is important to forensic analysis because it affects these areas of an investigation, EXCEPT:

When the software was purchased

A symbolic link in Linux is similar to a ____________.

Windows shortcut

Which of the following is NOT true of file carving?

You can perform file carving on Windows and Linux files systems, but not Mac OS.

When attempting to recover a failed drive, which of the following is NOT true?

You should connect the failed drive to a test system and make the failed drive bootable.

China Eagle Union is __________.

a Chinese cyberterrorism group

How you will gather evidence and which tools are most appropriate for a specific investigation are part of ___________.

a forensic analysis plan

EIDE is _________.

a type of magnetic drive

What is the definition of a virus, in relation to a computer?

any software that self-replicates

In a cellular network, the __________ is a central controller coordinating the other pieces of the base station system (BSS).

base station controller (BSC)

The __________ is a set of radio transceiver equipment that enables communications between cellular devices and the mobile switching center (MSC).

base station system (BSS)

What part of a cellular network is responsible for communications between a mobile phone and the network switching system?

base transceiver station (BTS)

Use of __________ enables an investigator to reconstruct file fragments if files have been deleted or overwritten.

bit-level tools

In the Linux boot process, the master boot record (MBR) loads up a(n) __________ program, such as GRUB or LILO.

boot loader

In Linux, as with Windows, the first sector on any disk is called the __________.

boot sector

Linux is often used on embedded systems. In such cases, when the system is first powered on, the first step is to load the __________.

bootstrap environment

One must be able to show the whereabouts and custody of evidence, how it was handled, stored and by whom, from the time the evidence is first seized by a law enforcement officer or civilian investigator until the moment it is shown in court. This is referred to as ________.

chain of custody

The __________ is the continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.

chain of custody

An environment that has a controlled level of contamination, such as from dust, microbes, and other particles is the definition of a __________.

clean room

A network where resources, services, and applications are located remotely instead of on a local server is referred to as __________.

cloud computing

The file allocation table is a list of entries that map to each __________ on the disk partition.

cluster

The two NTFS files of most interest to forensics are the Master File Table (MFT) and the __________.

cluster bitmap

Which Linux shell command performs a textual comparison of two files and reports the difference between the two?

cmp

Generally, __________ is considered to be the use of analytical and investigative techniques to identify, collect, examine, and preserve evidence or information that is magnetically stored or encoded.

computer forensics

The use of electronic communications to harass or threaten another person is the definition of __________.

cyberstalking

Maintaining __________ is a problem with live system forensics in which data is not acquired at a unified moment.

data consistency

The Linux __________ shell command makes a physical image of what is live in memory.

dd

A SYN flood is an example of a(n) _______.

denial of service (DoS) attack

The term ______ refers to testimony taken from a witness or party to a case before a trial.

deposition

A plan for returning the business to full normal operations is the definition of ________.

disaster recovery plan (DRP)

The Linux __________ shell command shows all the messages that were displayed during the boot process.

dmesg

The __________ is a unique identification number for identifying code division multiple access (CDMA) cell phones

electronic serial number (ESN)

Which Linux shell command lists various partitions?

fdisk

The unused space between the logical end of file and the physical end of file is known as __________.

file slack

Any attempt to gain financial reward through deception is called

fraud

Hard drives eventually age and begin to encounter problems. It is also possible that a suspect hard drive may have some issues preventing a full forensic analysis. Use the Linux __________ command to help with that.

fsck

The basic repair tool in Linux is _______.

fsck

As part of a disaster recovery plan, __________ provides continuous online backup by using optical or tape "jukeboxes."

hierarchical storage management (HSM)

The Windows Registry is organized into five sections referred to as __________.

hives

In a cellular network, the __________ is a database used by the mobile switching center (MSC) that contains subscriber data and service information.

home location register (HLR)

Most often, criminals commit __________ in order to perpetrate some kind of financial fraud.

identity theft

A(n) __________ is a data structure in the Linux file system that stores all the information about a file except its name and actual data.

inode

Malware that executes damage when a specific condition is met is the definition of __________.

logic bomb

In Mac OS X, the __________ shell command lists the current device files that are in use.

ls /dev/disk?

The Linux __________ command can be used to quickly catalog a suspect drive.

lsass.exe

The Windows program that handles security and logon policies is __________.

lsass.exe

The amount of time a system can be down before it is impossible for the organization to recover is addressed by __________.

maximum tolerable downtime (MTD)

An organization has two servers that are connected and are exactly alike. Should one server fail for any reason, all traffic is diverted to the other server. This configuration is called __________.

mirrored servers

The National Institute of Standards and Technology (NIST) guidelines list four different states a mobile device can be in when you extract data. Devices are in the __________ state when received from the manufacturer.

nascent

A Windows program that queries the computer for basic device or configuration data like time/date from CMOS, system bus types, ports, and so on is __________.

ntdetect.com

Two of the easiest things to extract during __________ are a list of all website uniform resource locators (URLs) and a list of all email addresses on the computer.

physical analysis

The __________ command is used to send a test network packet, or echo packet, to a machine to determine if the machine is reachable and how long the packet takes to reach the machine.

ping

A system forensics specialist has three basic tasks related to handling evidence: find evidence, preserve evidence, and __________ evidence.

prepare

People try to thwart investigators by using encryption to scramble information or _________ to hide information, or both together.

steganography

If you type the __________ command at the Linux shell, you are asked for the root password. If you successfully supply it, you will then have root privileges.

su

On a Windows computer, the __________ is a special place on the hard drive where items from memory can be temporarily stored for fast retrieval.

swap file

In Mac OS X, the __________ shell command returns the hardware information for the host system. This provides information useful for the basic documentation of the system prior to beginning your forensic examination.

system_profiler SPHardwareDataType

In Mac OS X, the __________ shell command returns information about the operating system.

system_profiler SPSoftwareDataType

In FAT and NTFS file systems, a __________ is used to map files to specific clusters where they are stored on the disk.

table

The only requirement of __________ is that the sender must provide some mechanism

the CAN-SPAM Act

whereby the receiver can opt out of future emails and that method cannot require the receiver to pay in order to opt out.

the Electronic Communications Privacy Act (ECPA)

On a Macintosh, in the __________ folder, you will find a subfolder named app profile. This contains lists of recently opened applications as well as temporary data used by applications.

var/vm

A __________is a software program that appears to be a physical computer and executes programs as if it were a physical computer.

virtual machine

In a cellular network, the __________ database contains subscriber data and service information for roaming phones.

visitor location register (VLR)

What is the definition of business continuity plan (BCP)?

A plan for maintaining minimal operations until the business can return to full normal operations

What is the definition of Post Office Protocol version 3 (POP3)?

A protocol used to receive email that works on port 110

What is Internet Message Access Protocol (IMAP)?

A protocol used to receive email that works on port 143

What is Simple Mail Transfer Protocol (SMTP)?

A protocol used to send email that works on port 25

Which forensic certification is open to both the public and private sectors and is specific to the use and mastery of FTK?

AccessData Certified Examiner

The __________ certification is open to the public and private sectors. This certification focuses on the use and mastery of FTK. Requirements for taking the exam include completing a boot camp and Windows forensic courses.

AccessData Certified Examiner (ACE)

Which certification is open only to law enforcement personnel and government employees working as system forensics examiners?

Certified Forensic Computer Examiner (CFCE)

Which forensic tool provider offers Professional and Forensic Examiner?

ComputerCOP

A suspect stores data where an investigator is unlikely to find it. What is this technique called?

Data hiding

What is a modern and widely used Linux boot loader?

GRUB

The __________ is used primarily with computers that have an Intel-based processor. It requires Mac OS X v10.4 or later

GUID Partition Table

Which denial of service (DoS) attack sends a tremendous number of ICMP packets to the target, hoping to overwhelm it?

Ping flood

What is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity? It combines the features of two legacy utilities, Filemon and Regmon, and adds an extensive list of enhancements.

Process Monitor

__________ is perhaps the most widely used public key cryptography algorithm in existence today.

RSA

__________ occurs when a SIM card's identifying information is copied to a different SIM card.

SIM cloning

T/F? Because a variety of laws define what is or is not a cybercrime, forensic examiners must become familiar with the laws in their own jurisdiction.

TRUE

T/F? Moore's Law applies to some of the drivers of computing capability, including storage capacity and processor speed.

TRUE

The __________ cipher is a method of encrypting alphabetic text by using a series of different monoalphabetic ciphers selected based on the letters of a keyword.

Vigenère

_____________ takes snapshots of websites and saves them for posterity.

Visual TimeAnalyzer

As part of a disaster recovery plan, __________ captures changes since the last backup of any type.

an incremental backup

n) __________ is an email server that strips identifying information from an email message before forwarding it with the third-party mailing computer's IP address.

anonymizer

Forensic investigators who collect data as evidence must understand the __________ of information, which refers to how long it is valid

life span

Information that is sent across a network is divided into chunks called __________.

packets

Packets are divided into two parts, the header and the __________.

payload

Regarding cellular phones, the __________ is a code used to reset a forgotten PIN.

personal unlocking code (PUK)

The National Institute of Standards and Technology (NIST) guidelines list four different states a mobile device can be in when you extract data. The __________ state is a dormant mode that conserves battery life while maintaining user data and performing other background functions.

quiescent

Which Linux shell command is used to delete or remove a file?

rm

Which file recovery tool works in Linux and Mac OS, and in Windows if you compile the source code?

scalpel

An example of volatile data is __________.

state of network connections

In World War II, the Germans made use of an electromechanical rotor-based cipher system known as __________.

the Enigma machine

The type of medium used to hide data in steganography is referred to as __________. This may be a photo, video, sound file, or Voice over IP, for example.

the channel

The Linux __________ command displays a list of all users currently logged in to a system.

who

The Linux __________ directory holds compiled files and may include malware.

/bin

On a Macintosh, the __________ directory is where configuration files are located.

/etc