Forensic Computing Final
Which of the following measures is defined as the number of bits per square inch on a platter? Seek time Track density Bit density Areal density
Areal density
Serah, a forensic investigator, was tasked with analyzing the disk layout with details such as locations of the partition area as well as the partition table and its backup copies. In this process, she executed a command to parse the GPTs of both types of hard disks and analyzed the first sector of the hard drive, determined the formatting type used, and then parsed the GPT. Identify the cmdlet utilized by Serah in the above scenario. Sleuth Kit mmls Get-GPT Get-BootSector Get-Partition Table
Get-BootSector
Hudson, a forensic expert, was investigating an active computer that was executing various processes. Hudson wanted to check whether this system was used in an incident that occurred earlier. He started inspecting and gathering the contents of RAM, cache, and DLLs to identify incident signatures. Which of the following data acquisition methods has Hudson initiated in the above scenario? Static data acquisition Live data acquisition Non-volatile data acquisition Dead data acquisition
Live data acquisition
Gael, a forensic expert, was working on a case related to fake email broadcasting. Gael extracted the data from the victim system to investigate and find the source of the email server. In this process, Gael extracted only ".ost" files from the system as they can provide potential information about the incident. Which of the following types of data acquisition has Gael performed in the above scenario? Logical acquisition Sparse acquisition Bit-stream disk-to-image file Bit-stream disk-to-disk
Logical acquisition
Identify the consideration that recommends maintaining a log register at the entrance of a lab to record visitor data such as the address and name of the visitor, date, time, and purpose of the visit, and name of the contact person. Physical and structural design considerations Work area considerations Physical security considerations Human resource considerations
Physical security considerations
Which of the following phases of the forensics investigation process involves setting up a computer forensics lab, building a forensics workstation, developing an investigation toolkit, building an investigation team, and obtaining approval from the relevant authority? Investigation phase Post-investigation phase Preparatory phase Pre-investigation phase
Pre-investigation phase
Abin, a forensic investigator, was tasked with investigating a Windows system through which an online attack was performed. As part of the investigation, Abin scanned some files that store details about previously installed, executed, and deleted applications on the system, which can assist him in further investigation. Which of the following files has Abin scanned in the above scenario? Rp.log files Prefetch files Image files Change.log.x files
Prefetch files
Which of the following can be classified as the most volatile type of data that persists only for nanoseconds? Network topology Disk Archival media Processor cache
Processor cache
Identify the tool that displays basic information about the running processes on a system, including the amount of time each process has been running for in both kernel and user modes. nbstat net file PsList netstat
PsList
In which of the following forensic data acquisition steps do the investigators overwrite the data by applying a code of sequential zeroes or ones to protect it from recovery? Planning for contingency Sanitize the target media Validating data acquisition Acquiring volatile data
Sanitize the target media
Identify the smallest physical storage unit on a hard disk drive that normally stores 512 bytes of data for HDDs and 2048 bytes for CD-ROMs and DVD-ROMs. Track Platter Cluster Sector
Sector
Tyler, a forensic officer, was investigating a crime scene. After collecting a suspected laptop from the spot, Tyler started inspecting a specific portion of the drive where the criminal had saved the victim's data while performing a malicious activity. Tyler collected files required for the investigation as well as fragments of deleted data. Which of the following data acquisition methods did Tyler perform in the above scenario? Logical acquisition Bit-stream imaging Sparse acquisition Bit-stream disk-to-disk
Sparse acquisition
Which of the following techniques is referred to as the art of hiding data or a message "behind" other data without the target's knowledge, thereby hiding the existence of the message itself? Trail obfuscation Artifact wiping Steganography Password protection
Steganography
Which of the following types of cells in the Windows Registry structure comprises a series of indexes pointing to the parent key cell? Value cell Security descriptor cell Value list cell Subkey list cell
Subkey list cell
Which of the following is a library and collection of command-line tools that assist in the investigation of disk images? OSR Framework The Sleuth Kit Nmap OSINT Framework
The Sleuth Kit
Identify the mandatory requirement for every tool used for the disk imaging process. The tool must log I/O errors in an unreadable form. The tool must not acquire all visible and hidden data sectors from the digital source. The tool must alter or make minute changes to the original content. The tool must be able to compare the source and destination and alert the user if the destination is smaller than the source.
The tool must be able to compare the source and destination and alert the user if the destination is smaller than the source.
Which of the following measures helps security professionals defend against anti-forensics techniques? Use latest and updated CFTs and test them for vulnerabilities. Never validate the results of examination using multiple tools. Never use intelligent decompression libraries. Replace strong file identification techniques with weaker ones
Use latest and updated CFTs and test them for vulnerabilities.
Identify the AFF4 object that stores segments that are indivisible blocks of data. RDF statement Stream Volume Graph
Volume
Identify the functionality of Autopsy, which extracts history, bookmarks, and cookies from Firefox, Chrome, and Internet Explorer. Hash filtering Multimedia Web artifacts Timeline analysis
Web artifacts
Which of the following tools is mainly used to inspect and edit all types of files as well as to recover deleted files or lost data from hard drives with corrupt file systems or from memory cards of digital cameras? HOIC Shodan WinHex Wireshark
WinHex
Which of the following information will be present in the "Investigation process" section of the forensics investigation report? Purpose of investigation Case number Allotted investigators Significant findings
allotted investigators
Which of the following will be present in the "Supporting Files" section of a forensics investigation report? Investigative techniques Date and time the incident allegedly occurred Attachments and appendices Preservation of the evidence
attachments and appendices
Charles, a forensics team member familiar with all the applicable laws, participated in a crime investigation process. The role of Charles in the team was to assist the forensic investigators by providing legal advice on how to conduct the investigation and address the legal issues involved in various tasks. Which of the following roles did Charles play in the above scenario? Evidence manager Evidence examiner Attorney Expert witness
attorney
Which of the following is a built-in Windows utility that helps detect errors in the file system and disk media? chkdsk command dd command Get-GPT command mmls command
chkdsk command
Identify the forensics investigation report section that includes investigative techniques used during the investigation process. Evaluation and analysis process Details of the incident Investigation process Evidence information
evaluation and analysis process
Identify the forensics investigation report section that includes the tools and techniques used for collecting the evidence during the investigation process. Evaluation and analysis process Investigation process Evidence information Executive summary
evidence information
Harrison, a forensic investigator, was working on a criminal case in which he had to extract all the possible data related to criminal activity on a device running Windows OS. For this purpose, Harrison wanted to view the detailed partition layout for the GPT disk, along with the MBR details. Which of the following commands will help Harrison in the above scenario? tcpdump nc -l nmap mmls
mmls
Which of the following is a search and seizure step that involves seeking consent, obtaining witness signatures, obtaining a warrant for search and seizure, and collecting incident information? Planning of the search and seizure Evidence preservation Evidence seizure at the crime scene Data acquisition
planning of the search and seizure
Xavier, a security specialist, was appointed to investigate a crime scene at an organization. He completed the investigation process successfully and created a document that includes all the individual tasks performed in resolving the case. Which of the following forensics investigation phases is Xavier currently in? Post-investigation phase Investigation phase Preparatory phase Pre-investigation phase
post-investigation phase
Steve, a professional hacker, performed malicious activities using a compromised system of an organization. To maintain persistence and hide the traces of attack, he employed an anti-forensics tool that helped him keep his malicious files or code untraceable. Identify the tool employed by Steve in the above scenario. Nmap wbStego Ettercap Cain and Abel
wbStego
Which of the following is an anti-forensics tool that helps attackers destroy or hide traces of illegal activities, hindering the forensics investigation process? wbStego Nessus Nmap Wireshark
wbStego
George, a forensic expert, was investigating a cybercrime. As part of the investigation, he examined a system running Windows OS based on NTFS to discover any malicious events. George accessed and analyzed the file system's metadata files stored in the root directory; the metadata files contain a record for every file in the file system. Which of the following system files has George accessed in the above scenario? $mft $mftmirr $volume $logfile
$mft
Identify the anti-forensics command that deletes a file from a Linux machine but retains the file on the disk until it is overwritten with new data. dd /bin/rm net file 'copy'
/bin/rm
Which of the following techniques uses a program that attempts every combination of characters until the correct password is discovered? Trail obfuscation Rule-based attack Brute-forcing attack Dictionary attack
Brute-forcing attack
Identify the AFF4 object that includes collections of RDF statements. Data objects Graphs Streams Volumes
Graphs
A data acquisition format creates a bit-by-bit copy of the suspected drive, and images in this format are usually obtained using the dd command. Identify this data acquisition format. Proprietary format Raw format Advanced Forensics Format Advanced Forensic Framework 4
Raw format
Erick, a forensics expert, was tasked with investigating a compromised machine that had been involved in various online attacks. In this process, Erick identified a corrupted file in the system. He scanned the Recycle Bin folder for the metadata of that file, but it was deleted from that location. Subsequently, he used a command to recover the deleted file. Identify the command that Erick used to recover the deleted file. /bin/rm copy < $R chkdsk Get-GPT
copy < $R
Which of the following is a process of imaging or collecting information from various media in accordance with certain standards for analyzing its forensic value? Reporting Testimony as an expert witness Evidence preservation Data acquisition
data acquisition
Identify the process that involves examining, identifying, separating, converting, and modeling data to isolate useful information. Data acquisition Case analysis Data analysis Evidence preservation
data analysis
Kayden, a forensic team member, was instructed to handle an infected system. He was assigned the responsibility of analyzing and extracting all the possible data from the suspected Linux machine without altering the original data on the system. Kayden carefully analyzed the suspected machine and executed a Linux command to create a backup and restore MBR. Which of the following commands did Kayden execute in the above scenario? dd command mmls command chkdsk command Get-GPT command
dd command
A company, Finance Miracle, hired Harry for a role in a forensics investigation team. Harry is responsible for examining incidents as per their type, how they affect the systems, the different threats, and the vulnerabilities associated with them. Identify the designation of Harry in the investigation team. Evidence examiner Evidence manager Incident analyzer Photographer
incident analyzer
Robert, a forensics team member, was tasked with investigating an attack on a system. He investigated the attack based on the evidence, identified its type, determined how it affected the system, and identified other threats and vulnerabilities associated with the target system. What was the designation of Robert in the investigation team? Evidence manager Evidence examiner Incident analyzer Photographer
incident analyzer
Gavin, a forensic expert, was analyzing a Linux system with an FHS file system that was affected by a security incident. Gavin suspected that an unauthorized removable storage device was plugged into the system, providing remote access to the system. Which of the following FHS directories can help Gavin in identifying mount points for removable storage devices? /etc /root /media /boot
/media
Rhett, a forensic expert, was inspecting a suspected Linux system with an FHS file system. In this process, he listed all the binary files present in the system and extracted these binary files from the root directory of the system. In which of the following directories of FHS did Rhett identify the binary files? /sbin /tmp /mnt /srv
/sbin
Which of the following values of EnablePrefetcher corresponds to "Application prefetching is enabled"? 1 3 0 2
1
Given below are the different phases involved in the UEFI boot process: 1. Security phase 2. Boot Device Selection phase 3. Driver Execution Environment phase 4. Pre-EFI initialization phase 5. Runtime phase What is the correct sequence of phases involved in the UEFI boot process? 1 -> 2 -> 3 -> 4 -> 5 2 -> 3 -> 4 -> 1 -> 5 1 -> 4 -> 3 -> 2 -> 5 2 -> 5 -> 4 -> 3 -> 1
1 -> 4 -> 3 -> 2 -> 5
Given below are various activities involved in the computer forensics investigation methodology. 1. Evidence preservation 2. Documentation of the electronic crime scene 3. Search and seizure 4. Case analysis 5. Reporting 6. Data analysis 7. Testimony as an expert witness 8. Data acquisition What is the correct sequence of activities involved in the computer forensics investigation methodology? 2 -> 3 -> 1 -> 8 -> 6 -> 4 -> 5 -> 7 2 -> 3 -> 4 -> 1 -> 5 -> 7 -> 6 -> 8 2 -> 5 -> 4 -> 8 -> 3 -> 6 -> 7 -> 1 1 -> 2 -> 3 -> 4 -> 5 -> 6 -> 7 -> 8
2 -> 3 -> 1 -> 8 -> 6 -> 4 -> 5 -> 7
Given below are the various steps involved in the dead acquisition process. 1. Run any forensic acquisition tool suitable for acquiring/collecting data. 2. Write-block the hard disk to ensure that it provides only read-only access to the hard drive and prevents any modification or tampering of its contents. 3. Connect the hard drive to a forensic workstation to perform the acquisition. 4. Remove the hard drive from the suspected drive. Identify the correct sequence of steps involved in the dead acquisition process. 2 -> 1 -> 4 -> 3 1 -> 2 -> 3 -> 4 2 -> 3 -> 4 -> 1 4 -> 3 -> 2 -> 1
4 -> 3 -> 2 -> 1
Which of the following data acquisition formats was created by Michael Cohen, Simson Garfinkel, and Bradley Schatz and is designed to support storage media with large capacities? Advanced Forensic Framework 4 Proprietary format Advanced Forensics Format Raw format
Advanced Forensic Framework 4
An open-source data acquisition format stores disk images and related metadata, and the objective behind the development of the format was to create an open disk imaging format that provides users an alternative to being locked into a proprietary format. Identify this data acquisition format. Advanced Forensics Format Advanced Forensic Framework 4 Proprietary format Raw format
Advanced Forensics Format
Which of the following is a set of techniques that attackers use to avert or sidetrack the forensics investigation process or increase its difficulty? Data analysis Anti-forensics Case analysis Forensic readiness
Anti-forensics
Identify the evidence source that contains the least volatile data as the digital information in such data sources does not automatically change, unless it is damaged under physical force. Registers Routing table Kernel statistics Archival media
Archival media
Graham, a forensic expert, was analyzing raw data extracted from a suspected Windows system. In this process, he employed an automated tool to extract and analyze the deleted files. Which of the following tools did Graham employ in the above scenario? OWASP ZAP Burp Suite Autopsy Wireshark
Autopsy
Ronan, a forensic investigator, was tasked with investigating a system based on NTFS. After thoroughly examining the system's hard drive, he discovered that most files were recently deleted from the file system but were recoverable. Ronan employed an automated tool to recover the deleted files from the hard disk. Identify the tool that Ronan used to recover the deleted files from the drive. Autopsy Cain & Abel L0phtCrack RainbowCrack
Autopsy
Sherin, a forensic investigator, is attempting to recover deleted files and data from a suspected system. To recover the deleted files and data, he used an automated tool that scans the system's hard drive. Which of the following tools was utilized by Sherin in the above scenario? BitLocker Web Data Extractor Netcraft Autopsy
Autopsy
In which of the following data acquisition techniques can the geometry of the target disk, including its head, cylinder, and track configuration, be modified to align with the suspected drive? Bit-stream disk-to-disk Bit-stream disk-to-image file Logical acquisition Sparse acquisition
Bit-stream disk-to-disk
George, a forensics specialist, was investigating a suspected machine found at a crime scene. He started inspecting the storage media of the device by creating a bit-by-bit copy of it but failed to do so as the suspected drive was very old and incompatible with the imaging software he was using. Which of the following data acquisition methods failed in the above scenario because the suspect system drive was old? Sparse acquisition Bit-stream disk-to-disk Logical acquisition Bit-stream disk-to-image file
Bit-stream disk-to-image file
Arnold, a crime investigator, wants to retrieve all the deleted files and folders in the suspected media without affecting the original files. For this purpose, he uses a method that involves the creation of a cloned copy of the entire media and prevents the contamination of the original media. Identify the method utilized by Arnold in the above scenario. Bit-stream imaging Drive decryption Sparse acquisition Logical acquisition
Bit-stream imaging
Lennox, a security specialist, was attempting to recover the data from an encrypted drive of a compromised system. Lennox suspected that the system might contain potential evidence related to the attack. For this purpose, he employed a technique using which he tried every possible key to recover the data and files stored in the drive. Identify the technique employed by Lennox to recover the encrypted drive. Hybrid attack Rule-based attack Dictionary attack Brute-force attack
Brute-force attack
Hendrix, a forensic investigator, was appointed to investigate cybercrime. As part of this investigation, he was examining a forensically cloned hard disk. Hendrix identified that most of the files on the hard disk were password protected. He employed a password cracking tool to read and recover the password-protected files. Identify the tool that Hendrix used to recover the password-protected files. OllyDbg Cain & Abel Process Explorer Wireshark
Cain & Abel
Ryder, a computer user, has a system running on Windows OS with a FAT file system. He encountered a blue screen issue; as a result, he turned off the system without closing the running applications. Ryder employed a Windows built-in utility to check for any bad sectors and lost clusters on his hard disk to overcome this issue. Identify the utility employed by Ryder in the above scenario. procexp.exe Chkdsk.exe ProcMon.exe Sysmon.exe
Chkdsk.exe
Williams, a forensic specialist, was appointed to perform data acquisition on a victim system that was involved in cybercrime related to a phishing campaign. As the system was in a powered-off state, Williams extracted static data from the hard disk. Identify the static data recovered by Williams in the above scenario. Cookies Running processes Current configuration Routing tables
Cookies
Jude, a forensic professional in an investigation department, was tasked with analyzing a suspected Windows machine. During the investigation, Jude found that some of the drive's volumes were encrypted and needed to be decrypted for further investigation. Which of the following tools can help Jude in decrypting the drive? DBAN DeepSound CrypTool Data Stash
CrypTool
Which of the following is a volatile form of memory, requires power to retain data, and is included in an SSD to increase its read/write performance? NAND flash memory Controller DRAM Host interface
DRAM
Which of the following functionalities of Autopsy recovers deleted files from unallocated space using PhotoRec? Indicators of compromise Data carving Web artifacts Hash filtering
Data carving
Martha, a forensic investigator, was collecting forensic evidence from a suspected system that was powered off. In this process, she removed the hard disk from the system and then acquired its forensic image. Which of the following techniques was utilized by Martha in the above scenario? Live acquisition Data backup Dead acquisition Volatile data acquisition
Dead acquisition
Harry, a professional hacker, targeted Johana's official email to gain access and view her banking transactions. To crack the password, Harry used a text file that contained several predetermined character combinations, which allowed him to log into her account. Which of the following techniques was employed by Harry in the above scenario? Cryptanalytic attack Dictionary attack Brute-force attack Keylogger attack
Dictionary attack
Which of the following is a process by which a strong magnetic field is applied to a storage device, resulting in a device devoid of any previously stored data? File carving Disk degaussing Disk formatting Trail obfuscation
Disk degaussing
Identify the technique that includes the disintegration, incineration, pulverizing, shredding, and melting of digital media to make evidentiary data unavailable to forensics investigators. Disk-wiping utilities Disk formatting Disk destruction File wiping utilities
Disk destruction
To solve a case, Steve, a digital forensics investigator, was inspecting a disk from which the attacker wiped all the data using a technique that deletes only address tables and unlinks all the files in the file system. Steve used an automated tool to recover the erased data from the disk. Identify the artifact wiping technique employed by the attacker in the above scenario. Disintegration Disk degaussing Disk destruction Disk formatting
Disk formatting
Identify the part in the MBR structure that is located at the end of the MBR, holds only 2 bytes of data, and is required by the BIOS during booting. Partition table Boot strap Disk signature Master boot code
Disk signature
Sam, a forensic specialist, was investigating a Windows 10 system based on NTFS. While analyzing the data, Sam discovered that some important files were deleted from the file system but can be recovered from Recycle Bin. Identify the location of Recycle Bin in the Windows 10 system. local/share/Trash Drive:\RECYCLER\<SID> Drive:\$Recycle.Bin\<SID> Drive:\RECYCLED
Drive:\$Recycle.Bin\<SID>
Which of the following components of EFS uses CryptoAPI to extract the file encryption key (FEK) for a data file and uses it to encode the FEK to produce the DDF? EFS FSRTL EFS Service EFS Driver Win32 API
EFS Service
Russell, a forensics expert, was tasked with investigating a system found at a crime scene. During the investigation, Russell discovered some .jpeg images in a locked folder that were suspected to be loaded by the attacker. Russell employed a tool to extract the metadata associated with those images for further investigation. Which of the following tools assisted Russell in the above scenario? Hping3 Nmap ExifTool Splunk
ExifTool
Bryson, a forensic investigator, was tasked with analyzing a hard disk containing Windows OS. As details about the hard disk were scarcely available, Bryson extracted the GUID partition table and its backup copies to analyze the hard disk layout through Windows PowerShell. Identify the cmdlet used by Bryson in the above scenario. Get-Process Get-GPT Get-EventLog Get-Service
Get-GPT
Which of the following Windows registry hives contains configuration information related to the applications used to open various system files? HKEY_USERS HKEY_CURRENT_CONFIG HKEY_CURRENT_USER HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
Which of the following registry hives contains file extension association information and programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data? HKEY_CLASSES_ROOT HKEY_USERS HKEY_CURRENT_CONFIG HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
Williams, a forensic investigator, was tasked with analyzing an image file. In this process, he identified that the metadata of the image file was deleted; therefore, he could only recover the files using the file header signature, which is a constant numeric or text value. Which of the following tools can help Williams identify and recover the files using the file header signatures? Wireshark Hex Editor Neo IDA Pro OllyDbg
Hex Editor Neo
While verifying the file format of evidence files, Patrick, a forensic investigator, detected that the suspect had changed the file extensions of some files from .jpg to .dll. Patrick used an automated tool to verify the file formats. Identify the tool employed by Patrick in the above scenario. ophcrack Hexinator FTK Imager BitLocker
Hexinator
Which of the following file systems was developed by Apple Computer, Inc. to support Mac OS on its proprietary Macintosh systems and as a replacement for the Macintosh File System (MFS)? Fourth Extended File System Journaling File System Hierarchical File System Encrypting File Systems
Hierarchical File System
Joshua, a certified forensic expert, built a forensic lab for conducting a computer-based investigation. To make the investigation processes effective, he recruited experienced individuals and experts. Joshua then assigned job roles to each team member. Which of the following considerations is illustrated in the above scenario? Physical and structural design considerations Human resource considerations Work area considerations Physical security considerations
Human resource considerations
Identify the hidden file in Windows that is crucial for the recovery of data and contains various details of deleted files such as their original file names, original file sizes, date and time of deletion, unique identifying number, and the drive number in which the files were stored. RECYCLED Drive:\RECYCLER\<SID> INFO2 Drive:\$Recycle.Bin
INFO2
Which of the following practices is NOT a countermeasure to defend against anti-forensic techniques? Impose strict laws against legal use of anti-forensics tools Validate the results of examination using multiple tools Use latest and updated CFTs and test them for vulnerabilities Train and educate the forensic investigators about anti-forensics
Impose strict laws against legal use of anti-forensics tools
In which of the following investigation phases does the forensic officer perform data acquisition, preservation, and analysis of evidentiary data to identify the source of a crime and the culprit? Preparatory phase Investigation phase Pre-investigation phase Post-investigation phase
Investigation phase
Thomas, a forensic investigator, was working on a suspected machine to gather potential evidence. In this process, he went through all the evidence sources such as logs, configuration files, and cookies. Subsequently, he analyzed the evidentiary data to identify the criminal. Identify the forensics investigation phase demonstrated in the above scenario. Pre-investigation phase Investigation phase Post-investigation phase Preparatory phase
Investigation phase
Williams, a forensic expert, was performing an investigation on a system that was suspected to be involved in spreading adult content over the Internet. The attacker accessed various adult sites using the Mozilla Firefox browser and shared associated links with other individuals. Williams employed a forensic tool that helped him extract the list of websites accessed from the system to confirm this suspicion. Which of the following tools has Williams employed in the above scenario? MZHistoryView ChromeHistoryView IECacheView MZCacheView
MZHistoryView
Lincoln, a forensic investigator, collected evidence from a crime scene. He used some hardware and software tools to complete the investigation process. Lincoln then created a report and documented all the actions performed during the investigation. Identify the investigation phase Lincoln is currently in. Investigation phase Post-investigation phase Pre-investigation phase Preparatory phase
Post-investigation phase
Before investigating a cybercrime, Joyce, a forensic investigator, sets up a computer forensics lab, builds a forensics workstation, develops an investigation toolkit, and secures the case perimeter and involved devices. Identify the investigation phase Joyce is currently in. Investigation phase Pre-investigation phase Preparatory phase Post-investigation phase
Pre-investigation phase
Which of the following tools allows forensic investigators to analyze memory, detect malicious activities that occurred on the system, and construct the timeline and scope of a cybercrime incident? ShredIt Hexinator BitLocker Redline
Redline
In which of the following phases of the UEFI boot process does the system clear the UEFI program from memory and transfer it to the OS? Driver Execution Environment phase Pre-EFI initialization phase Runtime phase Security phase
Runtime phase
Carlos, a forensic expert, was working on a criminal case. He started the investigation by collecting and analyzing a suspected device at the crime scene. After copying all the evidentiary information, he used cross-cut shredding to physically destroy the previously stored digital data for ensuring that it cannot be recovered by any other party. In which of the following steps of the forensic data acquisition methodology did Carlos perform the above operation? Validating data acquisition Sanitizing the target media Acquiring non-volatile data Acquiring volatile data
Sanitizing the target media
Which of the following measures helps security professionals defend against anti-forensics techniques? Replace strong file identification techniques with weaker ones. Save data in secure locations. Never test CFTs for vulnerabilities. Never impose strict laws against the illegal use of anti-forensics tools.
Save data in secure locations.
Identify the smallest physical storage unit on a hard-disk platter that is a mathematical term denoting a pie-shaped part of a circle and is enclosed by the perimeter of the circle and two radii. Track Sector addressing Track numbering Sector
Sector
Which of the following characteristics of a hard disk represents the time taken by a hard-disk controller to identify a particular piece of data? Rotational delay Data transfer rate Seek time Rotational latency
Seek time
Identify the term that refers to the portions of a hard drive that may contain either data from a previously deleted file or space unused by the currently allocated file. Windows Registry Crash dump Memory dump Slack space
Slack space
Which of the following is the wasted area of a disk cluster lying between the end of a file and the end of the cluster and is created when the file system allocates a full cluster to a file smaller than the cluster size? BIOS parameter block Lost cluster Slack space Master boot record
Slack space
Which of the following tools helps a perpetrator delete and modify the metadata of files to confuse forensic investigators? DriveSpace ophcrack SafeBack Timestomp
Timestomp
In which of the following anti-forensics techniques do attackers mislead investigators via log tampering, false e-mail header generation, timestamp modification, and the modification of various file headers? Steganography Trail obfuscation Artifact wiping Data overwriting
Trail obfuscation
Which of the following steps of the forensic data acquisition methodology involves calculating the target media's hash value and comparing it with the forensic counterpart to ensure that the data have been completely acquired? Acquiring volatile data Planning for contingency Validating data acquisition Sanitizing the target media
Validating data acquisition
Austin, a forensic investigator, was tasked with examining a crime scene. In this process, he identified a few devices that were affected during the attack process. Austin secured all these devices in a lawful manner for further investigation. Identify the investigation phase Austin is currently performing in the above scenario. Case analysis Search and seizure Data analysis Data acquisition
search and seizure