Final Exam - Computer Forensic Methods
Hexadecimal Units
A Hash value is an alphanumeric value represented in:
Bits
A algorithm is an alphanumeric value represented in:
copy, original
A bit-stream copy is a bit-by-bit _________ (also known as a "forensic copy") of the ________ drive or storage medium and is an exact duplicate
True
A bit-stream copy is a bit-by-bit copy also know as a sector copy of the original drive or storage medium and is an exact duplicate.
file, copy
A bit-stream image is the _____ containing the bit-stream ____ of all data on a disk or disk partition.
True
A bit-stream image is the file containing the bit-stream copy of all data on a disk or disk partition.
False
A raw format integrates metadata into the image file.
affidavit , search warrant
A(n) ________ provides the facts to support the evidence of a crime to submit before a judge when requesting a ________ __________
All of the above
According to the author of the textbook, clusters are specific to:
Chain of custody
According to the author, what do you call a list of people who have had physical possession of the evidence?
False
Advanced Forensic Format (AFF) is a proprietary format.
False
Backup software can copy deleted files and recover file fragments.
FFD8 FFE1
Choose the correct header value for the file type of an EXIF JPEG file.
0
Clusters are numbered sequentially, starting at ___ in File Allocation Table (FAT).
False
Digital forensics and data recovery refer to the same activities.
none of the above
Drive slack includes which of the following?
Inculpatory
Evidence that indicates a suspect is guilty of a crime is:
True
Exculpatory evidence might clear the suspect.
False
FTK Imager can acquire a drive's HPA and the device configuration overlay (DCO).
three
FTK Imager offers ______ modes for previewing electronic data
False
File slack is the unused space in a cluster between the end of an active file and the end of the cluster.
False
For the three (3) types of acquisitions, data can be collected with five methods.
False
Forensic copy is another name for streaming video
False
In an effort to reduce the relationship with firmware, Intel developed EFI, which defines the interface between a computer's firmware and the operating system.
True
Inculpatory evidence might be incriminating.
encryption, unreadable
Making a physical acquisition of a drive with ____ can result in _____ data.
Clusters
Microsoft operating systems allocate disk space for files by:
False
Private investigations involve government agencies responsible for criminal investigations and prosecution
All of the above
The ____ of an e-mail message contains unique identifying numbers, such as the IP address of the server that sent the message
Automatic
The _______ mode automatically chooses the best method for previewing a file's contents, according to the file type.
False
The bootstrap process, which is contained in RAM, tells the computer how to proceed, when the digital forensics specialists must boot to a forensically configured USB drive.
False
The data a forensics acquisition tool collects is stored as a bit-stream copy, typically in an open source or proprietary format.
True
The unused space between sectors is called the partition gap.
False
There are three (3) types of data acquisition methods for computer forensics.
hashing
Validating digital evidence requires using a _______ algorithm utility.
Fourth
What Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.
Chain of Custody
What do you call a list of people who have had physical possession of the evidence?
Hardware and Software
When a digital forensics specialists needs to create a forensic copy of the suspects computer or inspect data related to the investigation, the specialists should be familiar with both the computer's (what and what)
Find Answer
Where would the investigator of an e-mail crime find the IP address of sending server?
Arin,internic or whois
Which is a tool used for the whois lookup program to search for the owner of an Internet Protocol Address?
None of the above
Which of the following file systems did Microsoft specifically design for floppy disks.
.e01
Which of the following formats is FTK Imager designed to read?F
Find Answer
Which of the following formats is FTK imager designed to read?
static
Which of the following is "not" a storage format for digital evidence?
dd
Which of the following is "not" a type of data acquisition
Sectors
Which of the following terms refers to a section on a track?
live
Which type of acquisition method is performed if the computer has an encrypted drive and the power is on and logged on by the suspect?
False
Yahoo is a service provider for e-mail and access to the Internet.
Disaster recovery
________ involves preventing data loss by using backups, uninterruptible power supply (UPS) devices, and off-site monitoring.
False
exculpatory evidence indicates the suspect is guilty of the crime.
False
inculpatory evidence indicates the suspect is innocent of the crime.
Data recovery
involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash.
