Final Review-CIS 462
ATA-66, ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable. Answer 70 83 96 100
100
If you must write a preliminary report, use words such as "preliminary copy," "draft copy," or "working draft." Answer True False
False
The American Bar Association (ABA) is a licensing body. Answer True False
False
When intruders break into a network, they rarely leave a trail behind. Answer True False
False
The primary hash algorithm used by the NSRL project is ____. Answer MD5 SHA-1 CRC-32 RC4
SHA-1
SafeBack performs a(n) ____ calculation for each sector copied to ensure data integrity. Answer SHA-1 MC5 SHA-256 MC4
SHA-256
When Microsoft introduced Windows 2000, it added built-in encryption to NTFS called ____. Answer EFS VFAT LZH RAR
EFS
The ____ DOS program En.exe requires using a forensic MS-DOS boot floppy or CD and a network crossover cable. Answer ProDiscover ILook DIBS USA EnCase
EnCase
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Windows File System. Answer NTFS ext3 FAT24 ext2
NTFS
In software acquisition, there are three types of data-copying methods. Answer True False
False
One advantage with live acquisitions is that you are able to perform repeatable processes. Answer True False
False
Operating systems do not have tools for recovering image files. Answer True False
False
Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses. Answer True False
False
Steganography cannot be used with file formats other than image files. Answer True False
False
The Windows platforms have long been the primary command-line interface OSs. Answer True False
False
With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk. Answer command-line shell-based prompt-based GUI
GUI
The ABA's ____ contains provisions limiting the fees experts can receive for their services. Answer Code 703 Model Code Rule 26 Code 26-1.a
Model Code
____ is a written list of objections to certain testimony or exhibits. Answer Defendant Empanelling the jury Plaintiff Motion in limine
Motion in limine
By the early 1990s, the ____ introduced training on software for forensics investigations. Answer IACIS FLETC CERT DDBIA
IACIS
The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____. Answer NSRL CFTT FS-TST PARTAB
NSRL
____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS. Answer Hal.dll NTBootdd.sys Boot.ini Ntoskrnl.exe
NTBootdd.sys
In the following list, ____ is the only steg tool. Answer EnCase iLook DriveSpy Outguess
Outguess
____ increases the time and resources needed to extract, analyze, and present evidence. Answer Investigation plan Scope creep Litigation path Court order for discovery
Scope creep
The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03. Answer TIFF XIF JPEG GIF
XIF
____ is how most manufacturers deal with a platter's inner tracks being shorter than its outer tracks. Answer Head skew Cylinder skew ZBR Areal density
ZBR
A ____ differs from a trial testimony because there is no jury or judge. Answer rebuttal plaintiff civil case deposition
deposition
Attorneys search ____ for information on expert witnesses. Answer disqualification banks deposition banks examination banks cross-examination banks
deposition banks
Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack. Answer ISPs soldiers zombies pawns
zombies
Ext2fs can support disks as large as ____ TB and files as large as 2 GB. Answer 4 8 10 12
4
FRE ____ describes whether basis for the testimony is adequate. Answer 700 701 702 703
703
An expert's opinion is governed by FRE, Rule ____, and the corresponding rule in many states. Answer 705 755 805 855
705
Maintaining ____ means you must form and sustain unbiased opinions of your cases. Answer confidentiality objectivity integrity credibility
objectivity
You should have at least one copy of your backups on site and a duplicate copy or a previous copy of your backups stored in a safe ____ facility. Answer in-site storage off-site online
off-site
Floors and carpets in your computer forensics lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity. Answer once twice three times four times
once
Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony. Answer setup open-ended compound rapid-fire
open-ended
Many password recovery tools have a feature that allows generating potential lists for a ____ attack. Answer brute-force password dictionary birthday salting
password dictionary
Courts consider evidence data in a computer as ____ evidence. Answer physical invalid virtual logical
physical
Under copyright laws, maps and architectural plans may be registered as ____. Answer pantomimes and choreographic works artistic works literary works pictorial, graphic, and sculptural works
pictorial, graphic, and sculptural works
A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____. Answer stationary workstation field workstation lightweight workstation portable workstation
portable workstation
For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command. Answer prn print prnt prt
____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment. Answer Risk configuration Change management Configuration management Risk management
Risk management
____ is a popular network intrusion detection system that performs packet capture and analysis in real time. Answer Ethereal Snort Tcpdump john
Snort
____ is a good tool for extracting information from large Libpcap files. Answer Nmap Tcpslice Pcap TCPcap
Tcpslice
As an expert witness, you have opinions about what you have found or observed. Answer True False
True
Bitmap images are collections of dots, or pixels, that form an image. Answer True False
True
By the 1970s, electronic crimes were increasing, especially in the financial sector. Answer True False
True
Chain of custody is also known as chain of evidence. Answer True False
True
Experts should be paid in full for all previous work and for the anticipated time required for testimony. Answer True False
True
FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing. Answer True False
True
GPL and BSD variations are examples of open-source software. Answer True False
True
PsList from PsTools allows you to list detailed information about processes. Answer True False
True
You can use ____ to boot to Windows without writing any data to the evidence disk. Answer a SCSI boot up disk a Windows boot up disk a write-blocker Windows XP
a write-blocker
Regarding a trial, the term ____ means rejecting potential jurors. Answer voir dire rebuttal strikes venireman
strikes
Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file's contents. Answer testing, compressed scanning, text testing, pdf testing, doc
testing, compressed
A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. Answer warning banner right of privacy line of authority right banner
warning banner
Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of OSs. Answer 1989 1991 1994 1995
1995
Computer forensics tools are divided into ____ major categories. Answer 2 3 4 5
2
GroupWise has ____ ways of organizing the mailboxes on the server. Answer 2 3 4 5
2
FTK offers ____ searching options for keywords. Answer 2 3 4 5
2
When cases go to trial, you as a forensics examiner can play one of ____ roles. Answer 2 3 4 5
2
The abstract should be one or two paragraphs totaling about 150 to ____ words. Answer 200 250 300 350
200
IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer forensics. Answer 2 3 4 5
3
If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training. Answer 2 3 4 5
3
In general, forensics workstations can be divided into ____ categories. Answer 2 3 4 5
3
Most packet sniffers operate on layer 2 or ____ of the OSI model. Answer 1 3 5 7
3
Computing components are designed to last 18 to ____ months in normal business operations. Answer 24 30 36 42
36
____ components define the file system on UNIX. Answer 2 3 4 5
4
The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients. Answer ISFCE IACIS ABA HTCIA
ABA
The ____ Ethics Code cautions psychologists about the limitations of assessment tools. Answer ABA's APA's AMA's ADA's
APA's
People who want to hide data can also use advanced encryption programs, such as PGP or ____. Answer NTI BestCrypt FTK PRTK
BestCrypt
____ images store graphics information as grids of individual pixels. Answer Bitmap Raster Vector Metafiles
Bitmap
____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version. Answer Boot.ini BootSec.dos NTDetect.com NTBootdd.sys
Boot.ini
____ attacks use every possible letter, number, and character found on a keyboard when cracking a password. Answer Brute-force Dictionary Profile Statistics
Brute-force
All e-mail servers are databases that store multiple users' e-mails. Answer True False
False
As data is added, the MFT can expand to take up 75% of the NTFS disk. Answer True False
False
Computer investigations and forensics fall into the same category: public investigations. Answer True False
False
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation. Answer True False
False
Create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your report. Answer True False
False
Expert opinions cannot be presented without stating the underlying factual basis. Answer True False
False
FTK cannot analyze data from image files from other vendors. Answer True False
False
FTK cannot perform forensics analysis on FAT12 file systems. Answer True False
False
ISPs can investigate computer abuse committed by their customers. Answer True False
False
If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately. Answer True False
False
Like a job resume, your CV should be geared for a specific trial. Answer True False
False
Network forensics is a fast, easy process. Answer True False
False
Ngrep cannot be used to examine e-mail headers or IRC chats. Answer True False
False
Older Macintosh computers use the same type of BIOS firmware commonly found in PC-based systems. Answer True False
False
The first 5 bytes (characters) for all MFT records are MFTR0. Answer True False
False
The law of search and seizure protects the rights of all people, excluding people suspected of crimes. Answer True False
False
Under ISO 9660 for DVDs, the Micro-UDF (M-UDF) function has been added to allow for long filenames. Answer True False
False
Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume. Answer True False
False
When writing a report, use a formal, technical style. Answer True False
False
You can always rely on the return path in an e-mail header to show the source account of an e-mail message. Answer True False
False
You cannot use both multi-evidence and single-evidence forms in your investigation. Answer True False
False
The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers. Answer Honeynet Honeypot Honeywall Honeyweb
Honeynet
____ questions can give you the factual structure to support and defend your opinion. Answer Setup Compound Rapid-fire Hypothetical
Hypothetical
____ was created by police officers who wanted to formalize credentials in computing investigations. Answer HTCN NISPOM TEMPEST IACIS
IACIS
The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems. Answer Apple Atari Commodore IBM
IBM
The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible. Answer ISO 3657 ISO 5321 ISO 5725 ISO 17025
ISO 5725
____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program. Answer Replacement Append Substitution Insertion
Insertion
A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10. Answer EPS BMP GIF JPEG
JPEG
AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data. Answer KFF PKFT NTI NSRL
KFF
EnCase Enterprise is set up with an Examiner workstation and a Secure Authentication for EnCase (____) workstation. Answer ILook SAFE Incident Response Investigator
SAFE
One way to investigate older and unusual computing systems is to keep track of ____ that still use these systems. Answer AICIS lists uniform reports SIGs Minix
SIGs
In a(n) ____ attack, the attacker keeps asking your server to establish a connection. Answer SYN flood ACK flood brute-force attack PCAP attack
SYN flood
____ is the only automated disk-to-disk tool that allows you to copy data to a slightly smaller target drive than the original suspect's drive. Answer SafeBack EnCase SnapCopy SMART
SnapCopy
____ has also been used to protect copyrighted material by inserting digital watermarks into a file. Answer Encryption Steganography Compression Archiving
Steganography
____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there. Answer Bit shifting Encryption Marking bad clusters Steganography
Steganography
____ is the art of hiding information inside image files. Answer Steganography Steganalysis Graphie Steganos
Steganography
____ steganography replaces bits of the host file with other bits of data. Answer Insertion Replacement Substitution Append
Substitution
Defense contractors during the Cold War were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____. Answer TEMPEST RAID NISPOM EMR
TEMPEST
The image format XIF is derived from the more common ____ file format. Answer GIF JPEG BMP TIFF
TIFF
A common way of examining network traffic is by running the ____ program. Answer Netdump Slackdump Coredump Tcpdump
Tcpdump
____ is the text version of Ethereal, a packet sniffer tool. Answer Tcpdump Ethertext Etherape Tethereal
Tethereal
Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication. Answer True False
True
Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive. Answer True False
True
Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data. Answer True False
True
One way to examine a partition's physical level is to use a disk editor, such as Norton DiskEdit, WinHex, or Hex Workshop. Answer True False
True
Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise. Answer True False
True
People need ethics to help maintain their balance, especially in difficult and contentious situations. Answer True False
True
Performing a forensic analysis of a disk 200 GB or larger can take several days and often involves running imaging software overnight and on weekends. Answer True False
True
The defense request for full discovery of digital evidence applies only to criminal cases in the United States. Answer True False
True
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file. Answer True False
True
The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location. Answer True False
True
The type of file system an OS uses determines how data is stored on the disk. Answer True False
True
To be a successful computer forensics investigator, you must be familiar with more than one computing platform. Answer True False
True
To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful. Answer True False
True
When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support. Answer True False
True
With many computer forensics tools, you can open files with external viewers. Answer True False
True
With the Knoppix STD tools on a portable CD, you can examine almost any network system. Answer True False
True
When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data. Answer Homeland Security Department Patriot Act U.S. DoJ U.S. DoD
U.S. DoJ
Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0, and SCSI controllers. Answer USB IDE LCD PCMCIA
USB
A ____ is a bit-by-bit copy of the original storage medium. Answer preventive copy recovery copy backup copy bit-stream copy
bit-stream copy
To create an exact image of an evidence disk, copying the ____ to a target work disk that's identical to the evidence disk is preferable. Answer removable copy backup copy bit-stream image backup image
bit-stream image
FTK and other computer forensics programs use ____ to tag and document digital evidence. Answer tracers hyperlinks bookmarks indents
bookmarks
Helix operates in two modes: Windows Live (GUI or command line) and ____. Answer command Windows remote GUI command Linux bootable Linux
bootable Linux
Generally, computer records are considered admissible if they qualify as a ____ record. Answer hearsay business computer-generated computer-stored
business
In the ____, you justify acquiring newer and better resources to investigate computer forensics cases. Answer risk evaluation business case configuration plan upgrade policy
business case
Records in the MFT are referred to as ____. Answer hyperdata metadata inodes infodata
metadata
Most computer investigations in the private sector involve ____. Answer e-mail abuse misuse of computing assets Internet abuse VPN abuse
misuse of computing assets
Investigating and controlling computer incident scenes in the corporate environment is ____ in the criminal environment. Answer much easier than as easy as as difficult as more difficult than
much easier than
The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true. Answer notarized examined recorded challenged
notarized
SnapBack DatArrest can perform a data copy of an evidence drive in ____ ways. Answer two three four five
three
Exchange logs information about changes to its data in a(n) ____ log. Answer checkpoint communication transaction tracking
transaction
A ____ allows you to create a representation of another computer on an existing physical computer. Answer virtual file logic drive logic machine virtual machine
virtual machine
As with any research paper, write the report abstract last. Answer True False
True
The uppercase letter ____ has a hexadecimal value of 41. Answer "A" "C" "G" "Z"
"A"
Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab. Answer evidence custody form FOIA form affidavit warrant
warrant
Microsoft has recently added ____ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult. Answer whole disk encryption backup utilities recovery wizards NTFS
whole disk encryption
A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute). Answer written report verbal report examination plan cross-examination report
written report
____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names. Answer www.freeality.com www.google.com www.whatis.com www.juno.com
www.freeality.com
Files with extension ____ are created using Microsoft Outlook Express. Answer .sxc .doc .dbx .ods
.dbx
In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____. Answer .ost .eml .msg .pst
.pst
Files with extensions .ods and ____ are created using OpenOffice Calc. Answer .sxc .xls .dcx .qpr
.sxc
On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive. Answer /dev/sda1 /dev/hdb1 /dev/hda1 /dev/ide1
/dev/hda1
____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside. Answer /etc/sendmail.cf /etc/syslog.conf /etc/var/log/maillog /var/log/maillog
/etc/sendmail.cf
Typically, UNIX installations are set to store logs such as maillog in the ____ directory. Answer /etc/Log /log /etc/var/log /var/log
/var/log
To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of ____. Answer -1 0 1 2
0
The EMR from a computer monitor can be picked up as far away as ____ mile. Answer 1/4 1/2 3/4 1
1/2
In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each. Answer 1024 1512 2048 2512
1024
Jurors typically average just over ____ years of education and an eighth-grade reading level. Answer 9 10 11 12
12
The FOIA was originally enacted in the ____. Answer 1940s 1950s 1960s 1970s
1960s
All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard ____ ribbon or shielded cable. Answer 40-pin 60-pin 80-pin 120-pin
40-pin
Image files can be reduced by as much as ____% of the original. Answer 15 25 30 50
50
If a microphone is present during your testimony, place it ____ to eight inches from you. Answer 3 4 5 6
6
The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is ____. Answer 32,768 45,353 58,745 65,535
65,535
FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful. Answer 702 703 704 705
702
When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to prevent a hard disk from overheating to prevent damage. Answer 80 90 95 105
80
There are ____ tracks available for the program area on a CD. Answer 45 50 99 100
99
In an e-mail address, everything after the ____ symbol represents the domain name. Answer # . @ -
@
____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities. Answer AMA's law ABA's Model Rule APA's Ethics Code ABA's Model Codes
APA's Ethics Code
The ____ provides several software drivers that allow communication between the OS and the SCSI component. Answer International Organization of Standardization (ISO) Advanced SCSI Programming Interface (ASPI) CLV EIDE
Advanced SCSI Programming Interface (ASPI)
____ provide additional resource material not included in the body of the report. Answer Conclusion References Discussion Appendixes
Appendixes
____ refers to the number of bits in one square inch of a disk platter. Answer Head skew Areal density Cylinder skew ZBR
Areal density
____ is a batch file containing customized settings for MS-DOS that runs automatically. Answer Autoexec.bat Config.sys Io.sys Command.com
Autoexec.bat
For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you're constantly enhancing your skills through training, teaching, and experience. Answer testimony CV examination plan deposition
CV
What HTCN certification level requires candidates have three years of investigative experience in any discipline from law enforcement or corporate or have a college degree with one year of experience in investigations? Answer Certified Computer Crime Investigator, Basic Level Certified Computer Crime Investigator, Advanced Level Certified Computer Forensic Technician, Basic Certified Computer Forensic Technician, Advanced
Certified Computer Forensic Technician, Basic
____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size. Answer Continuous logging Automatic logging Circular logging Server logging
Circular logging
The ____ file provides a command prompt when booting to MS-DOS mode (DPMI). Answer Io.sys Autoexec.bat Config.sys Command.com
Command.com
The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence. Answer Federal Rules of Evidence (FRE) Department of Defense Computer Forensics Laboratory (DCFL) DIBS Computer Analysis and Response Team (CART)
Computer Analysis and Response Team (CART)
____ records are data the system maintains, such as system log files and proxy server logs. Answer Computer-generated Business Computer-stored Hearsay
Computer-generated
____ is a text file containing commands that typically run only at system startup to enhance the computer's DOS configuration. Answer Autoexec.bat Config.sys BootSect.dos Io.sys
Config.sys
____ is an attempt by opposing attorneys to prevent you from serving on an important case. Answer Conflict of interest Warrant Deposition Conflicting out
Conflicting out
When working in a Windows environment, you can press ____ to copy the selected text to the clipboard. Answer Ctrl+A Ctrl+C Ctrl+V Ctrl+Z
Ctrl+C
____ has developed the Rapid Action Imaging Device (RAID) to make forensically sound disk copies. Answer DIBS USA EnCase ProDiscover ILook
DIBS USA
Macintosh OS X is built on a core called ____. Answer Phantom Panther Darwin Tiger
Darwin
____ can be the most time-consuming task, even when you know exactly what to look for in the evidence. Answer Evidence recovery Data recovery Data analysis Evidence recording
Data analysis
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. Answer Data recovery Network forensics Computer forensics Disaster recovery
Data recovery
____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %system-root%\Windows\System32\Drivers folder. Answer Hal.dll Pagefile.sys Ntoskrnl.exe Device drivers
Device drivers
In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network. Answer Dir ls Copy owner
Dir
____ involves preventing data loss by using backups, uninterruptible power supply (UPS) devices, and off-site monitoring. Answer Computer forensics Data recovery Disaster recovery Network forensics
Disaster recovery
____ of data involves sorting and searching through all investigation data. Answer Validation Discrimination Acquisition Reconstruction
Discrimination
The most common and flexible data-acquisition method is ____. Answer Disk-to-disk copy Disk-to-network copy Disk-to-image file copy Sparse data copy
Disk-to-image file copy
____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats. Answer VPN Internet E-mail Phone
The majority of digital cameras use the ____ format to store digital pictures. Answer EXIF TIFF PNG GIF
EXIF
Certain files, such as the ____ and Security log in Windows XP, might lose essential network activity records if the power is terminated without a proper shutdown. Answer Password log Word log Io.sys Event log
Event log
____ evidence is evidence that exonerates or diminishes the defendant's liability. Answer Rebuttal Plaintiff Inculpatory Exculpatory
Exculpatory
The standard Linux file system is ____. Answer NTFS Ext3fs HFS+ Ext2fs
Ext2fs
The marking bad clusters data-hiding technique is more common with ____ file systems. Answer NTFS FAT HFS Ext2fs
FAT
____ is the file structure database that Microsoft originally designed for floppy disks. Answer NTFS FAT32 VFAT FAT
FAT
____ is a simple drive-imaging station. Answer F.R.E.D. SPARC FIRE IDE DiskSpy
FIRE IDE
A UNIX or Linux computer has two boot blocks, which are located on the main hard disk. Answer True False
False
A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible. Answer True False
False
A nonsteganographic graphics file has a different size than an identical steganographic graphics file. Answer True False
False
A verbal report is more structured than a written report. Answer True False
False
The IDE ATA controller on an old 486 PC doesn't recognize disk drives larger than 8.4 ____. Answer KB MB GB TB
GB
Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement. Answer AIX BSD GPL GRUB
GPL
The GroupWise logs are maintained in a standard log format in the ____ folders. Answer MIME mbox QuickFinder GroupWise
GroupWise
The Novell e-mail server software is called ____. Answer Sendmail GroupWise Sawmill Guardian
GroupWise
____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer's file system. Answer HDHOST DiskHost DiskEdit HostEditor
HDHOST
Reports and logs generated by forensic tools are typically in plaintext format, a word processor format, or ____ format. Answer PDF HTML PS TXT
HTML
____ can be used to create a bootable forensic CD and perform a live acquisition. Answer Helix DTDD Inquisitor Neon
Helix
____ hide the most valuable data at the innermost part of the network. Answer Layered network defense strategies Firewalls Protocols NAT
Layered network defense strategies
LILO uses a configuration file named ____ located in the /Etc directory. Answer Lilo.conf Boot.conf Lilo.config Boot.config
Lilo.config
____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search. Answer Online Inline Active Live
Live
Linux ISO images are referred to as ____. Answer ISO CDs Live CDs Forensic Linux Linux in a Box
Live CDs
____ compression compresses data by permanently discarding bits of information in the file. Answer Redundant Lossy Huffman Lossless
Lossy
On an NTFS disk, immediately after the Partition Boot Sector is the ____. Answer FAT HPFS MBR MFT
MFT
SafeBack and SnapCopy must run from a(n) ____ system. Answer UNIX MS-DOS Linux Solaris
MS-DOS
SnapBack DatArrest runs from a true ____ boot floppy. Answer UNIX Linux Mac OS X MS-DOS
MS-DOS
Making a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable. Answer UNIX MAC OS X Linux MS-DOS
MS-DOS
On older Macintosh OSs, all information about the volume is stored in the ____. Answer Master Directory Block (MDB) Volume Control Block (VCB) Extents Overflow File (EOF) Volume Bitmap (VB)
Master Directory Block (MDB)
____ are the experts who testify most often. Answer Civil engineers Computer forensics experts Chemical engineers Medical professionals
Medical professionals
____ is a hidden text file containing startup options for Windows 9x. Answer Pagefile.sys Hal.dll Msdos.sys Ntoskrnl.exe
Msdos.sys
The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software. Answer CFTT NIST FS-TST NSRL
NIST
____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to NTLDR. Answer Hal.dll Boot.ini NTDetect.com BootSect.dos
NTDetect.com
____ was introduced when Microsoft created Windows NT and is the primary file system for Windows Vista. Answer FAT32 VFAT NTFS HPFS
NTFS
____ forensics is the systematic tracking of incoming and outgoing traffic on your network. Answer Network Computer Criminal Server
Network
____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program. Answer Broadcast forensics Network forensics Computer forensics Traffic forensics
Network forensics
One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it. Answer Norton DiskEdit PartitionMagic System Commander LILO
Norton DiskEdit
To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click ____ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header. Answer Options Details Properties Message Source
Options
Most packet sniffer tools can read anything captured in ____ format. Answer SYN DOPI PCAP AIATP
PCAP
____ are devices and/or software placed on a network to monitor traffic. Answer Packet sniffers Bridges Hubs Honeypots
Packet sniffers
____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab. Answer An antistatic wrist band Padding An antistatic pad
Padding
____ recovery is a fairly easy task in computer forensic analysis. Answer Data Partition Password Image
Password
Attorneys can now submit documents electronically in many courts; the standard format in federal courts is ____. Answer Microsoft Word (DOC) Portable Document Format (PDF) Encapsulated Postscript (EPS) Postscript (PS)
Portable Document Format (PDF)
Forensics tools such as ____ can retrieve deleted files for use as evidence. Answer ProDiscover Basic ProDelete FDisk GainFile
ProDiscover Basic
____ from Technology Pathways is a forensics data analysis tool. You can use it to acquire and analyze data from several different file systems. Answer Guidance EnCase NTI SafeBack DataArrest SnapCopy ProDiscover Basic
ProDiscover Basic
____ is facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed. Answer Reasonable cause Probable cause A subpoena A warrant
Probable cause
The PSTools ____ kills processes by name or process ID. Answer PsExec PsList PsKill PsShutdown
PsKill
____ is a suite of tools created by Sysinternals. Answer EnCase PsTools R-Tools Knoppix
PsTools
For labs using high-end ____ servers (such as Digital Intelligence F.R.E.D.C. or F.R.E.D.M.), you must consider methods for restoring large data sets. Answer RAID ISDN WAN TEMPEST
RAID
____ from both plaintiff and defense is an optional phase of the trial. Generally, it's allowed to cover an issue raised during cross-examination. Answer Rebuttal Plaintiff Closing arguments Opening statements
Rebuttal
____ is a Sysinternals command that shows all Registry data in real time on a Windows computer. Answer PsReg RegExplorer RegMon RegHandle
RegMon
When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____. Answer IniRecord Inidata Registry Metadata
Registry
____ are handy when you need to image the drive of a computer far away from your location or when you don't want a suspect to be aware of an ongoing investigation. Answer Scope creeps Remote acquisitions Password recovery tools Key escrow utilities
Remote acquisitions
A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks. Answer True False
True
A judge can exclude evidence obtained from a poorly worded warrant. Answer True False
True
After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. Answer True False
True
After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools. Answer True False
True
As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers. Answer True False
True
Besides presenting facts, reports can communicate expert opinion. Answer True False
True
Computing systems in a forensics lab should be able to process typical cases in a timely manner. Answer True False
True
Data streams can obscure valuable evidentiary data, intentionally or by coincidence. Answer True False
True
E-mail programs either save e-mail messages on the client computer or leave them on the server. Answer True False
True
Employees surfing the Internet can cost companies millions of dollars. Answer True False
True
For computer investigators, tracking intranet e-mail is relatively easy because the accounts use standard names established by the network or e-mail administrator. Answer True False
True
For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses. Answer True False
True
If a corporate investigator follows police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement. Answer True False
True
If a file contains information, it always occupies at least one allocation block. Answer True False
True
If a graphics file is fragmented across areas on a disk, first you must recover all the fragments to re-create the file. Answer True False
True
In the United States, there's no state or national licensing body for computer forensics examiners. Answer True False
True
____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed. Answer HTCN reports IDE reports Uniform crime reports ASCLD reports
Uniform crime reports
____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes. Answer Bitmap images Metafile graphics Vector graphics Line-art images
Vector graphics
With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data. Answer Extents overflow file Volume Bitmap Master Directory Block Volume Control Block
Volume Bitmap
During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system. Answer Windows XP Windows 9x Windows NT Windows Me
Windows 9x
____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk. Answer Drive-imaging Disk editors Workstations Write-blockers
Write-blockers
If a report is long and complex, you should provide a(n) ____. Answer appendix glossary table of contents abstract
abstract
A(n) ____ hearing generally addresses the administrative agency's subject matter and seeks evidence in your testimony on a subject for which it's contemplating making a rule. Answer administrative judicial legislative direct
administrative
A written report is frequently a(n) ____ or a declaration. Answer subpoena affidavit deposition perjury
affidavit
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____. Answer blotter exhibit report litigation report affidavit
affidavit
Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed. Answer litigation allegation blotter prosecution
allegation
If necessary, you can include ____ containing material such as raw data, figures not used in the body of the report, and anticipated exhibits. Answer conclusions discussions references appendixes
appendixes
In the main section of your report, you typically cite references with the ____ enclosed in parentheses. Answer year of publication and author's last name author's last name author's last name and year of publication year of publication
author's last name and year of publication
In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations. Answer authorized requester authority of line line of right authority of right
authorized requester
Recovering pieces of a file is called ____. Answer carving slacking saving rebuilding
carving
The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court. Answer acquisition plan chain of custody evidence path evidence custody
chain of custody
The basic plan for your investigation includes gathering the evidence, establishing the ____, and performing the forensic analysis. Answer risk assessment nature of the case chain of custody location of the evidence
chain of custody
The most common computer-related crime is ____. Answer homicide check fraud car stealing sniffing
check fraud
In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk. Answer tracking checkpoint temporary milestone
checkpoint
The Knoppix STD tool ____ enables you to reset passwords on a Windows computer, including the administrator password. Answer chntpw john oinkmaster memfetch
chntpw
E-mail messages are distributed from one central server to many connected client computers, a configuration called ____. Answer client/server architecture central distribution architecture client architecture peer-to-peer architecture
client/server architecture
Confidential business data included with the criminal evidence are referred to as ____ data. Answer commingled exposed public revealed
commingled
Sometimes opposing attorneys ask several questions inside one question; this practice is called ____ questions. Answer leading hypothetical compound rapid-fire
compound
A ____ is where you conduct your investigations, store evidence, and do most of your work. Answer forensic workstation computer forensics lab storage room workbench
computer forensics lab
The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime. Answer network intrusion detection computer investigations incident response litigation
computer investigations
Save broader generalizations and summaries for the report's ____. Answer appendixes introduction conclusion discussion
conclusion
The report's ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements. Answer abstract conclusion introduction reference
conclusion
The files that provide helpful information to an e-mail investigation are log files and ____ files. Answer batch configuration scripts .rts
configuration
In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery. Answer configuration management risk assessment recovery logging change management
configuration management
To begin conducting an investigation, you start by ____ the evidence using a variety of methods. Answer copying analyzing opening reading
copying
When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations. Answer international forensics copyright civil
copyright
In a ____ case, a suspect is tried for a criminal offense, such as burglary, murder, or molestation. Answer corporate civil criminal fourth amendment
criminal
After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____. Answer critique the case repeat the case present the case read the final report
critique the case
A ____ is a column of tracks on two or more disk platters. Answer cylinder sector track head
cylinder
For computer forensics, ____ is the task of collecting digital evidence from electronic media. Answer hashing data acquisition lossy compression lossless compression
data acquisition
The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive. Answer superblock data block boot block inode block
data block
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are referred to as ____. Answer virtual runs metadata metaruns data runs
data runs
The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions. Answer raw bitcopy dcfldd man
dcfldd
____ is the U.S. DoD computer forensics lab's version of the dd command that comes with Knoppix-STD. Answer chntpw john memfetch dcfldd
dcfldd
Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command. Answer rawcp dd d2dump dhex
dd
The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions. Answer fdisk dd man raw
dd
A report using the ____ numbering system divides material into sections and restarts numbering with each main section. Answer roman-sequential decimal legal-sequential indent
decimal
The process of converting raw picture data to another format is referred to as ____. Answer JEIDA rastering demosaicing rendering
demosaicing
You provide ____ testimony when you answer questions from the attorney who hired you. Answer direct cross examination rebuttal
direct
The ____ is the most important part of testimony at a trial. Answer cross-examination direct examination rebuttal motions in limine
direct examination
A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing. Answer disaster recovery risk management configuration management security
disaster recovery
Remember that anything you write down as part of your examination for a report is subject to ____ from the opposing attorney. Answer subpoena discovery publishing deposition
discovery
There are two types of depositions: ____ and testimony preservation. Answer examination discovery direct rebuttal
discovery
One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop or WinHex. Answer disk imager write-blocker bit-stream copier disk editor
disk editor
The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk. Answer partition-to-partition image-to-partition disk-to-disk image-to-disk
disk-to-disk
A(n) ____ is a person using a computer to perform routine tasks other than systems administration. Answer complainant user banner end user investigator
end user
Use ____ to secure and catalog the evidence contained in large computer components. Answer Hefty bags regular bags paper bags evidence bags
evidence bags
A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence. Answer evidence custody form risk assessment form initial investigation form evidence handling form
evidence custody form
A(n) ____ is a document that lets you know what questions to expect when you are testifying. Answer written report affidavit examination plan subpoena
examination plan
You can use the ____ to help your attorney learn the terms and functions used in computer forensics. Answer verbal report preliminary report final report examination plan
examination plan
It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant. Answer litigation prosecution exhibits reports
exhibits
Computer forensics examiners have two roles: scientific/technical witness and ____ witness. Answer expert direct discovery professional
expert
A(n) ____ should include all the tools you can afford to take to the field. Answer initial-response field kit extensive-response field kit forensic lab forensic workstation
extensive-response field kit
On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB). Answer volume information block extents overflow file catalog master directory block
extents overflow file
A bit-stream image is also known as a(n) ____. Answer backup copy forensic copy custody copy evidence copy
forensic copy
To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____. Answer mobile workstation forensic workstation forensic lab recovery workstation
forensic workstation
When you write your final report, state what you did and what you ____. Answer did not do found wanted to do could not do
found
You use ____ to create, modify, and save bitmap, vector, and metafile graphics files. Answer graphics viewers image readers image viewers graphics editors
graphics editors
Validate your tools and verify your evidence with ____ to ensure its integrity. Answer hashing algorithms watermarks steganography digital certificates
hashing algorithms
If you can't open an image file in an image viewer, the next step is to examine the file's ____. Answer extension name header data size
header data
Most federal courts have interpreted computer records as ____ evidence. Answer conclusive regular hearsay direct
hearsay
The simplest way to access a file header is to use a(n) ____ editor. Answer hexadecimal image disk text
hexadecimal
Getting a hash value with a ____ is much faster and easier than with a(n) ____. Answer high-level language, assembler HTML editor, hexadecimal editor computer forensics tool, hexadecimal editor hexadecimal editor, computer forensics tool
hexadecimal editor, computer forensics tool
Data ____ involves changing or manipulating a file to conceal information. Answer recovery creep integrity hiding
hiding
A written preliminary report is considered a ____ document because opposing counsel can demand discovery on it. Answer low-risk middle-risk high-risk no-risk
high-risk
A ____ is a computer set up to look like any other machine on your network, but it lures the attacker to it. Answer honeywall honeypot honeynet honeyhost
honeypot
In the past, the method for expressing an opinion has been to frame a ____ question based on available factual evidence. Answer hypothetical nested challenging contradictory
hypothetical
Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____. Answer backup file firmware image file recovery copy
image file
In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period. Answer live indexed active inline
indexed
With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible. Answer bit-stream copy utility extensive-response field kit initial-response field kit seizing order
initial-response field kit
Linux is unique in that it uses ____, or information nodes, that contain descriptive information about each file or directory. Answer xnodes extnodes infNodes inodes
inodes
You begin any computer forensics case by creating a(n) ____. Answer investigation plan risk assessment report evidence custody form investigation report
investigation plan
Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure. Answer steganography key escrow password backup key splitting
key escrow
Typically, report writers use one of two numbering systems: decimal numbering or ____ numbering. Answer legal-sequential roman-sequential arabic-sequential letter-sequential
legal-sequential
Published company policies provide a(n) ____ for a business to conduct internal investigations. Answer litigation path allegation resource line of allegation line of authority
line of authority
Under copyright laws, computer programs may be registered as ____. Answer literary works motion pictures architectural works audiovisual works
literary works
If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available. Answer passive static live local
live
The ____ command displays pages from the online help manual for information on Linux commands and their options. Answer cmd hlp inst man
man
By using ____ to attract new customers or clients, you can justify future budgets for the lab's operation and staff. Answer pricing marketing budgeting changing
marketing
Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format. Answer POP3 mbox MIME SMTP
mbox
Your ____ as a computer investigation and forensics analyst is critical because it determines your credibility. Answer professional policy oath line of authority professional conduct
professional conduct
Evidence is commonly lost or corrupted through ____, which involves police officers and other professionals who aren't part of the crime scene processing team. Answer onlookers HAZMAT teams FOIA laws professional curiosity
professional curiosity
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools. Answer proprietary raw AFF AFD
proprietary
In general, a criminal case follows three stages: the complaint, the investigation, and the ____. Answer litigation allegation blotter prosecution
prosecution
Lab costs can be broken down into daily, ____, and annual expenses. Answer weekly monthly bimonthly quarterly
quarterly
Every business or organization must have a well-defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a ____ that a law or policy is being violated. Answer confirmed suspicion proof court order stating reasonable suspicion
reasonable suspicion
When analyzing digital evidence, your job is to ____. Answer recover the data destroy the data copy the data load the data
recover the data
The purpose of the ____ is to provide a mechanism for recovering encrypted files under EFS if there's a problem with the user's original private key. Answer certificate escrow recovery certificate administrator certificate root certificate
recovery certificate
In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____. Answer checked values verification evidence backup repeatable findings
repeatable findings
To complete a forensic disk analysis and examination, you need to create a ____. Answer forensic disk copy risk assessment budget plan report
report
In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored. Answer resource node blocks inodes
resource
Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses. Answer line of authority right of privacy line of privacy line of right
right of privacy
The most important laws applying to attorneys and witnesses are the ____. Answer professional codes of conduct rules of ethics rules of evidence professional ethics
rules of evidence
Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime. Answer legal safety corporate physical
safety
To preserve the integrity of evidence data, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe. Answer secure workstation secure workbench protected PC secure facility
secure facility
Leading questions such as "Isn't it true that forensics experts always destroy their handwritten notes?" are referred to as ____ questions. Answer hypothetical attorney setup nested
setup
Current distributions of Linux include two hashing algorithm utilities: md5sum and ____. Answer rcsum shasum hashsum sha1sum
sha1sum
Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer. Answer silver-tree gold-tree silver-platter gold-platter
silver-platter
Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server. Answer poisoning sniffing blocking preventing
sniffing
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method. Answer lossless disk-to-disk sparse disk-to-image
sparse
One technique for extracting evidence from large systems is called ____. Answer RAID copy RAID imaging large evidence file recovery sparse acquisition
sparse acquisition
The list of problems you normally expect in the type of case you are handling is known as the ____. Answer standard risk assessment chain of evidence standard problems form problems checklist form
standard risk assessment
When preparing a case, you can apply ____ to problem solving. Answer standard programming rules standard police investigation standard systems analysis steps bottom-up analysis
standard systems analysis steps
Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example. Answer live online real-time static
static
A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock. Answer gypsum steel wood expanded metal
steel
The term ____ comes from the Greek word for "hidden writing." Answer creep steganography escrow hashing
steganography
The ____ search feature allows you to look for words with extensions such as "ing," "ed," and so forth. Answer fuzzy stemming permutation similar-sounding
stemming
In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover. Answer risk assessment reports investigation plans scope creeps subpoenas
subpoenas
When you give ____ testimony, you present this evidence and explain what it is and how it was obtained. Answer technical/scientific expert lay witness deposition
technical/scientific