Guide To Computer Forensics And Investigations - All Chapter Reviews

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

​When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be flagged __________. yellow green red orange

yellow

​Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords: Last Bit AccessData PRTK OSForensics Passware

​OSForensics

Which password recovery method uses every possible letter, number, and character found on a keyboard?​ rainbow table dictionary attack hybrid attack brute-force attack

​brute-force attack

​In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer. format fdisk grub diskpart

​diskpart

Many commercial encryption programs use a technology called _____________, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.​ key vault key escrow bump key master key

​key escrow

Which of the following types of files can provide useful information when you're examining an e-mail server? .dbf files .emx files .log files .slf files

.log files

In Microsoft Outlook, what are the email storage files typically found on a client computer? .pst and .ost res1.log and res2.log PU020102.db .evolution

.pst and .ost

What kind of files are created by Exchange while converting binary data to readable text in order to prevent loss of data .txt .tmp .exe .log

.tmp

The ___ disk image file format is associated with the VirtualBox hypervisor .vmdk .had .vhd .vdi

.vdi

What format below is used for VMware images? .vhd .vmdk .s01 .aff

.vmdk

Which of the following file extensions are associated with VMware virtual machine? .vmx, .log, and .nvram .vdi, .ova, and .r0 .vmx, .r0, and .xml-prev .vbox, .vdi, and .log

.vmx, .log, and .nvram

Which of the following Linux system files contains hashed passwords for the local system? /var/log/dmesg /etc/passwd /var/log/syslog /etc/shadow

/etc/shadow

Which of the following is a new file added in macOS? (Choose all that apply). /private/var/db /private/db /var/db/diagnostics /var/db/uuid.text

/var/db/diagnostics /var/db/uuid.text

Syslog is generally configured to put all e-mail related log information into what file /usr/log/mail.log /var/log/message /proc/mail /var/log/maillog

/var/log/maillog

Where does the Postfix UNIX mail server store e-mail /home/username/mail /var/mail/postfix /var/spool/postfix /etc/postfix

/var/spool/postfix

At what offset is a prefetch file's create date & time located 0x88 0x80 0x98 0x90

0x80

In a prefetch file, the application's last access date and time are at offset ??? 0x80 0x88 0xD4 0x90

0x90

When cases go to trial, you as a forensics examiner can play one of ____ roles. 2 3 4 5

2

What's the maximum file size when writing data to a FAT32 drive?

2 GB

In FAT32, a 123-KB file uses how many sectors? 123 185 246 255

246

On a Windows system, sectors typically contain how many bytes? 256 512 1024 2048

512

If a microphone is present during your testimony, place it ____ to eight inches from you. 3 4 5 6

6

In VirtualBox, ___ different types of virtual network adapters are possible, such as AMD and Intel Pro adapters 2 4 6 8

6

Where is the snapshot database created by Google Drive located in Windows? C:/Program Files/Google/Drive C:/Users/username/AppData/Local//Google/Drive C:/Users/username/Google/Google drive C:/Google/drive

C:/Users/username/AppData/Local//Google/Drive

Select the folder below that is most likely to contain Dropbox files for a specific user C:/User/username/AppData/Dropbox C:/Dropbos C:/Users/Dropbox C:/Users/username/Dropbox

C:/Users/username/Dropbox

Within NIST guidelines for mobile forensics methods, the ______________ method requires physically removing flash memory chips and gathering information at the binary level.​ Chip-off Logical extraction Micro read Manual extraction

Chip-off

​In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters? NTFS FAT HFSX Ext3fs

FAT

​An expert's opinion is governed by ________________ and the corresponding rule in many states. FRE, Rule 705 FRE, Rule 507 FRCP 26 FRCP 62

FRE, Rule 705

The ??? tool can be used by bypass a virtual machine's hypervisor, and can be used with OpenStack Openforensics FROST WinHex ARC

FROST

An expert's opinion is governed by FRCP, Rule 26, and the corresponding rule in many states. True False

False

Any text editor can be used to read Dropbox files. True or False

False

BIOS boot firmware was developed to provide better protection against malware than EFI does developed? True or False

False

Because attorneys do not have the right of full discovery of digital evidence, it is not possible for new evidence to come to light while complying with a defense request for full discovery.​ True or False

False

Building a forensic workstation is more expensive than purchasing one. True or False?

False

Codes of professional conduct or responsibility set the highest standards for professionals' expected performance. True or False?

False

Commingled data isn't a concern when acquiring cloud datTrue/False

False

Committing crimes with e-mail is uncommon, and investigators are not generally tasked with linking suspects to e-mail True or False

False

Copyright laws don't apply to Web sites. True or False?

False

Data can't be written to disk with a command-line tool. True or False?

False

Digital forensics and data recovery refer to same the activities. True or False?

False

Digital forensics facilities always have windows. True or False?

False

Ethical obligations are duties that you owe only to others. True or False?

False

Evidence storage containers should have several master keys. True or False?

False

Expert witnesses are not required to submit a written report for civil cases.​ True False

False

FTK Imager can acquire data in a drive's host protected area. True or False?

False

Forensics tools can't directly mount VMs as external drives True or False

False

Graphics files stored on a computer can't be recovered after they are deleted. True or False?

False

Hardware acquisition tools typically have built-in software for data analysis. True or False

False

If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. True or False?

False

In an e-mail address, everything before the @ symbol represents the domain name True or False

False

In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant.​ True or False

False

Linux is the only OS that has a kernel. True or False?

False

Only one file format can compress graphics files. True or False?

False

Password recovery is included in all forensics tools. True/False

False

Small companies rarely need investigators. True or False?

False

The ANAB mandates the procedures established for a digital forensics lab. True or False?

False

To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations. True/False

False

Type 2 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage True or False

False

Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?

False

When acquiring a mobile device at an investigation scene, you should leave it connected to a PC so that you can observe synchronization as it takes place. True/False

False

When investigating graphics files, you should convert them into one standard format. True or False?

False

You should always answer questions from onlookers at a crime scene. True or False?

False

You should always prove the allegations made by the person who hired you. True or False?

False

You should create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your report. True or False

False

Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True False

False

What is professional conduct, and why is it important?

Professional conduct includes ethics, morals, and standards of behavior. Your professional conduct as a digital investigator is critical because it determines your credibility.

Where is the OS stored on a smartphone? RAM Microprocessor ROM Read/write flash

ROM

What should you consider when determining which data acquisition method to use?

Size of the source drive Whether the source drive is retained as evidence How long the acquisition will take Where the disk evidence is located

You can expect to find a type 2 hypervisor on what type of device? (Choose all that apply) Desktop Smartphone Tablet Network Server

Smartphone Tablet

__________________ means the tone of language you use to address the reader.​ Style Format Outline Prose

Style

What term refers to labs constructed to shield EMR emissions?

TEMPEST

What are the necessary components of a search warrant?

The notarized affidavit and the exhibits (evidence).

Commingling evidence means what in a private-sector setting?

True

Computer peripherals or attachments can contain DNA evidence. True or False?

True

Data blocks contain actual files and directories and are linked directly to inodes. True or False

True

Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?

True

Hard links work in only one partition or volume. True or False?

True

In the United State, the Electronic Communications Privacy Act (ECPA) describes 5 mechanisms the government can use to get electronic information from a provider True or False

True

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. True or False?

True

In the United States, no state or national licensing body specifically licenses forensics examiners. True or False?

True

MFT stands for Master File Table. True False

True

One reason to choose a logical acquisition is an encrypted drive. True or False?

True

SIM card readers can alter evidence by showing that a message has been read when you view it? True/False

True

Search and seizure procedures for mobile devices are as important as procedures for computers.​ True False

True

The DomainKey identified Mail service is a way to verity the names of domains a message is flowing through and was developed as a way to cut down on spam True or False

True

The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET). True or False

True

The Pagefile.sys file on a computer can contain message fragments from instant messaging applications True or False

True

What's the main goal of a static acquisition?

If disk evidence is preserved correctly, static acquisitions are repeatable.

The honeynet Project was developed to make information widely available in an attempt to thwart internet and network attackers True or False

True

List two features NTFS has that FAT does not. MRU records and file attributes Master File Table and MRU records Unicode characters and better security MRU records and less fragmentation

Unicode characters and better security

To determine the types of operating systems needed in your lab, list two sources of information you could use.

Uniform Crime Report statistics for your area A list of cases handled in your area or at your company.

A ____________ image file containing software is intended to be bit-stream copied to floppy disks or other external media.​ fdisk format dd DiskEdit

dd

Hashing, filtering, and file header analysis make up which function of digital forensics tools? Validation and verification Acquisition Extraction Reconstruction

Validation and verification

Which of the following is the main challenge in acquiring an image of a system running macOS? (Choose all that apply.) Most commercial software doesn't support macOS. Vendor training is needed. The macOS is incompatible with most write-blockers. You need special tools to remove drives from a system running macOS or open its case.

Vendor training is needed. You need special tools to remove drives from a system running macOS or open its case.

Which type of report typically takes place in an attorney's office? Examination Plan Written Report Preliminary Report Verbal Report

Verbal Report

In what state is sending unsolicited email illegal Florida Washington Maine New York

Washington

Which of the following file systems can't be analyzed by OSForensics? FAT12 Ext2fs HFS+ XFS

XFS

What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds HP Helion Amazon EC2 XenServer and XenCenter Windows Management Console Cisco Cloud Computing

XenServer and XenCenter Windows Management Console

What are some risks of using tools you have created yourself? The tool might not perform reliably. The judge might be suspicious of the validity of results from the tool. You might have to share the tool's source code with opposing counsel for review. The tool doesn't generate reports in a standard format.

You might have to share the tool's source code with opposing counsel for review.

A ____ differs from a trial testimony because there is no jury or judge. rebuttal plaintiff civil case deposition

deposition

You provide ____ testimony when you answer questions from the attorney who hired you. direct cross examination rebuttal

direct

What's the Disk Arbitration feature used for in macOS?

It's used to disable and enable automatic mounting when a drive is connected via a USB or FireWire device.

​The ___________________ technology is designed for GSM and Universal Mobile Telecommunications Systems (UMTS) technology, supports 45 Mbps to 144 Mbps transmission speeds. WiMAX LTE MIMO UMB

LTE

Which of the following represents known files you can eliminate from an investigation? (Choose all that apply) Any graphics files Files associated with an application System files the OS uses Any files pertaining to the company

Files associated with an application System files the OS uses

Police in the United States must use procedures that adhere to which of the following? Third Amendment Fourth Amendment First Amendment None of the above

Fourth Amendment

What does a sparse acquisition collect for an investigation?

Fragments of unallocated data in addition to the logical allocated data

What Windows Registry key contains associations for file extensions HKEY_CLASSES_ROOT HKEY_USERS HKEY_LOCAL_MACHINE HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

Which Registry key contains associations for file extensions? HFILE_CLASSES_ROOT HKEY_CLASSES_ROOT HFILE_EXTENSIONS HKEY_CLASSES_FILE

HKEY_CLASSES_ROOT

​Select below the option that is not a typical feature of smartphones on the market today: Microprocessor Flash ROM Hard drive

Hard drive

In the Linux dcfldd command, which three options are used for validating data?

Hash Hashlog VF

Which of the NIST guidelines below requires using a modified boot loader to access RAM for analysis?​ Chip-off Manual extraction Hex dumping Micro read

Hex dumping

Which option below is not a disk management tool?​ Partition Magic​ Partition Master GRUB HexEdit

HexEdit

Steganography is used for which of the following purposes? Validating data Hiding data Accessing remote computers Creating strong passwords

Hiding Data

What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?

Lossless Compression

Phishing does which of the following? Uses DNS poisoning Lures users with False promises Takes people to fake websites Uses DHCP

Lures users with False promises

List two hashing algorithms commonly used for forensic purposes

MD5 and SHA-1

Which of the following is a current formatting standard for e-mail? SMTP MIME Outlook HTML

MIME

What does the Ntuser.dat file contain? File and directory names Starting cluster numbers File attributes MRU files list

MRU files list

When using graphics while testing, which of the following guidelines applies? (Choose all that apply) Make sure the jury can see your graphics Practice using charts for courtroom testimony Your exhibits must be clear and easy to understand Make sure you have plenty of extra graphics, in case you have to explain more complex supporting issues.

Make sure the jury can see your graphics Practice using charts for courtroom testimony Your exhibits must be clear and easy to understand

The manager of a digital forensics lab is responsible for which of the following? (Choose all that apply.) Making necessary changes in lab procedures and software Ensuring that staff members have enough training to do the job Knowing the lab objectives None of the above

Making necessary changes in lab procedures and software Ensuring that staff members have enough training to do the job Knowing the lab objectives

The term "via Frontend Transport" in a header indicates that the e-mail is on which of the following? UNIX server Older NetWare Server Microsoft Exchange Server Mac Server

Microsoft Exchange Server

Exchange uses and Exchange database and is based on the ???, which uses several files in different combinations to provide e-mail service Microsoft Mail Storage Engine (MSE) Microsoft Stored Mail Extension (SME) Microsoft Extended Mail Storage (EMS) Microsoft Extensible Storage Engine (ESE)

Microsoft Extensible Storage Engine (ESE)

Which component of cell communication is used to route digital packets for the network and relies on a database to support subscribers?​ Base station controller (BSC) Base transceiver station (BTS) Base transceiver controller (BTC) Mobile switching center (MSC)

Mobile switching center (MSC)

With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?

Newer Linux distributions automatically mount the USB device, which could alter data on it.

Describe an unethical technique opposing counsel might use to make a deposition difficult for you.

Opposing counsel might attempt to make discovery depositions physically uncomfortable. Other tactics include the attorney who has set the deposition neglecting to have payment ready for you.

Select below the option that is not common type 1 hypervisor. VMwar vSphere Microsoft Hyper-V Citirix XenServer Oracle VirtualBox

Oracle VirtualBox

Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its malicious code from antivirus tools.​ hashing bit-shifting registry edits slack space

bit-shifting

What's the main piece of information you look for in an email message you're investigating? Sender or receivers e-mail address Originating e-mail domain or IP address Subject line content Message number

Originating e-mail domain or IP address

E-mail administrators may make use of ???, which overwrites a log file when it reaches a specified size or at the end of a specified time frame log recycling circular logging log purging log cycling

circular logging

An ___________________ is a document that serves as a guideline for knowing what questions to expect when you're testifying. testimony procedure examination plan planned questionnaire testimony excerpt

examination plan

____ evidence is evidence that exonerates or diminishes the defendant's liability. rebuttal plaintiff inculpatory exculpatory

exculpatory

What information below is not something recorded in Google Drive's snapshot.db file modified and created times? URL pathnames file access records file SHA values and sizes

file SHA values and sizes

What command below could be used on a UNIX system to help locate log directories show log detail search find

find

What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords?​ salted passwords scrambled passwords indexed passwords master passwords

salted passwords

Sendmail uses which file for instructions on processing an e-mail message? sendmail.cf syslogd.conf mese.ese mapi.log

sendmail.cf

Leading questions such as "Isn't it True that forensics experts always destroy their handwritten notes?" are referred to as ____ questions. hypothetical attorney setup nested

setup

With cloud systems running in a virtual environment, ??? can give you valuable information before, during, and after an incident carving live acquisition RAM snapshot

snapshot

The Google drive file ??? contains a detailed list of a user's cloud transactions loggedtransactions.log sync_log.log transact_user.db history.db

sync_log.log

On a Unix-like system, which file specifies where to save different types of e-mail log files? maillog /var/spool/log syslog.conf log

syslog.conf

____ is a written list of objections to certain testimony or exhibits. defendant b empanelling the jury plaintiff motion in limine

motion in limine

Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony. setup open-ended compound repid-fire

open-ended

What method below is NOT an effective method for isolating a mobile device from receiving signals? placing the device into a plastic evidence bag placing the device into a paint can, preferable one previously containing radio-wave blocking paint placing the device into airplane mode turning the device off

placing the device into a plastic evidence bag

In Linux, which of the following is the home directory for the superuser? home root super /home/superuser

root

Clusters in Windows always begin numbering at what number? 1 2 3 4

2

What's the most critical aspect of digital evidence?

Validation

To trace an IP address in an email header, what type of lookup service can you use? (Choose all that apply) Intelius Inc's AnyWho online directory Verizon's http://superpages.com A Domain lookup service, such as www.arin.net, www.internic.com.,or ww.whois.net Any Web search engine

A Domain lookup service, such as www.arin.net, www.internic.com.,or ww.whois.net Any Web search engine

Which organization has guidelines on how to operate a digital forensics lab?

ANAB

What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact iNet ARIN Google ERIN

ARIN

Which of the following is an example of a written report? A search warrant An affidavit Voir Dire Any of the above

An affidavit

List three items that should be on an evidence custody form.

Any three of the following: Case number Name of the investigator assigned to the case Nature of the case Location evidence was obtained Description of the evidence

List three items that should be in your case report.

Any three of the following: An explanation of basic computer and network processes A narrative of what steps you took A description of your findings Log files generated from your analysis tools

List three items that should be in an initial-response field kit.

Any three of the following: Small computer tool kit Large capacity drive IDE ribbon cables Forensic boot media Laptop or portable computer.

List two types of digital investigations typically conducted in a business environment.

Any two of the following: Abuse or misuse of digital assets E-mail abuse Internet abuse

List two items that should appear on a warning banner.

Any two of the following: Access to this system and network is restricted. Use of this system and network is for official business only. Systems and networks are subject to monitoring at any time by the owner. Using this system implies consent to monitoring by the owner. Unauthorized or illegal users of this system or network will be subject to discipline or prosecution. Users of this system agree that they have no expectation of privacy relating to all activity performed on this system.

List two popular certification programs for digital forensics.

Any two of the following: IACIS Certification ISFCE Certification GIAC Certification EnCE Certification ACE Certification

Describe two types of ethical standards.

Any two of the following: Your internal values (ethics) The codes of professional associations you belong to The codes of certifying bodies that have granted you a certification Your employer's rules of professional conduct

The _______________ component is made up of radio transceiver equipment that defines cells and communicates with mobile phones; sometimes referred to as a "cell phone tower".​ Vase station controller (BSC) Mobile switching center (MSC) Base transceiver controller (BTC) Base transceiver station (BTS)

Base transceiver station (BTS)

When do zero day attacks occur? (Choose all that apply) On the day the application or OS is released Before a patch is available Before the vendor is aware of the vulnerability On the day the patch is created

Before a patch is available Before the vendor is aware of the vulnerability

Which organization provides good information on safe storage containers?

NISPOM

Block-wise hashing has which of the following benefits for forensics examiners? Allows validating sector comparisons between known files Provides a faster way to shift bits in a block or sector of data Verifies the quality of OS files Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive

Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive.

Select below the program within the Ps Tools suite that allows you to run processes remotely PsService PsPasswd PsRemote PsExec

PsExec

Which of the following cloud deployment methods typically offers no security? Hybrid Cloud Public Cloud Community cloud Private Cloud

Public Cloud

you simply specify the time frame you want to examine Tcpdstat Tcpslice Ngrep tcpdump

Tcpslice

The __________ is a good tool for extracting information from large Libpcap files. Tcpdstatb Tcpslicec Ngrepd tcpdump

Tcpslicec

Which of the following describes expert witness testimony? (Choose all that apply.) Testimony designed to assist the jury in determining matters beyond the ordinary person's scope of knowledge Testimony that defines issues of the case for determination by the jury Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience. Testimony designed to raise doubt about facts or witnesses' credibility

Testimony designed to assist the jury in determining matters beyond the ordinary person's scope of knowledge Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience.

If you're giving an answer that you think your attorney should follow up on, what should you do? Change the tone of your voice Argue with the attorney who asked the question Use an agreed-on expression to alert the attorney to follow up on the question Try to include as much information in your answer as you can.

Use an agreed-on expression to alert the attorney to follow up on the question

The ________________ technology uses the IEEE 802.16e standard and Orthogonal Frequency Division Multiple Access (OFDMA) and supports transmission speeds of 12 Mbps​ WiMAX CDMA UMB MIMO

WiMAX

this practice is called a ____ question. leading hypothetical compound rapid-fire

compound

E-mail headers contain which of the following information? (Choose all that apply.) The sender and receiver e-mail address An ESMTP number or reference number The e-mail servers the message traveled through to reach its destination The IP address of the receiving server e. All of the above

e. All of the above

At what layers of the OSI model do most packet analyzers function layer 1 or 2 layer 2 or 3 layer 3 or 4 layer 4 or 5

layer 2 or 3

​The _________________ numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report, and each Arabic numeral is an important piece of supporting information. decimal ordered-sequential legal-sequential reverse-order

legal-sequential

__________ from both plaintiff and defense is an optional phase of the trial. Generally, it's allowed to cover an issue raised during cross-examination. rebuttal plaintiff closing arguments opening statements

rebuttal

​In addition to opinions and exhibits, the ______________ must specify fees paid for the expert's services and list all other civil or criminal cases in which the expert has testified. verbal report informal report written report preliminary report

written report

In older versions of exchange, what type of file was responsible for massages formatted with Messaging Application Programming Interface, and served as the database file .ost edp .edb .edi

.edb

What file type below, associated with VMWare, stores VM paging files that are used as RAM for a virtual machine .nvram .vmen .vmpage .vmx

.vmen

Which option below is the correct path to the sendmail configuration file /var/etc/sendmail.cf /var/mail/sendmail.cf /usr/local/sendmail.cf /etc/mail/sendmail.cf

/etc/mail/sendmail.cf

On a UNIX system, where is a user's mail stored by default /var/mail /var/log/mail /username/mail /home/username/mail

/home/username/mail

On most Linux systems, current user login information is in which of the following locations? /var/log/dmesg /var/log/wmtp /var/log/usr /var/log/utmp

/var/log/utmp

Jurors typically average just over ____ years of education and an eighth-grade reading level. 9 10 11 12

12

The SANS Investigative Forensics Toolkit (SIFT) appliance can currently only be installed on what version of Ubuntu 12.04 13.11 14.04 14.11

12.04

​Within Windows Vista and later, partition gaps are _____________ bytes in length. 64 128 256 512

128

How many words should be in the abstract of a report?​ 50 to 100 words 100 to 150 words 150 to 299 words 200 to 250 words

150 to 299 words

If your CV (curriculum vitae) is more than __________ months old, you probably need to update it to reflect new cases and additional training. 2 3 4 5

3

How many sectors are typically in a cluster on a disk drive? 1 2 or more 4 or more 8 or more

4 or more

SD cards have a capacity up to which of the following? 100 MB 4 MB 64 GB 500 MB

64 GB

What frequencies can be used by GSM with the TDMA technique 1200 to 1500 MHz 2.4 GHz to 5.0 GHZ 600 to 1000 MHz 800 to 1000 MHZ

800 to 1000 MHZ

The National Software Reference Library provides what type of resources for digital forensics examiners? A list of digital forensics tools that make examinations easier A list of MD5 and SHA1 hash values for all known OSs and applications Reference books and materials for digital forensics A repository for software vendors to register their developed applications

A list of MD5 and SHA1 hash values for all known OSs and applications

Your curriculum vitae is which of the following? (Choose all that apply) A necessary tool to be an expert witness A generally required document to be made available before your testimony A detailed record of your experience, education, and training Focused on your skills as they apply to the current case

A necessary tool to be an expert witness A generally required document to be made available before your testimony A detailed record of your experience, education, and training

What is the motion in limine? A motion to discuss the case THe movement of molecules in a random fashion A pretrial motion for the purpose of excluding certain evidence A pretrial motion to revise the case schedule

A pretrial motion for the purpose of excluding certain evidence

What's a hashing algorithm?

A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk

Hard links are associated with which of the following? Dot notation A specific inode An absolute path to a file Hidden files

A specific inode

The term TDMA refers to which of the following? (Choose all that apply) A technique of dividing a radio frequencies so that multiple users share the same channel A proprietary protocol developed by Motorola A specific cellular network standard A technique of spreading the signal across many channels

A technique of dividing a radio frequencies so that multiple users share the same channel A specific cellular network standard.

Which of the following is not a valid source for cloud forensics training Sans Cloud Forensics with F-Response A+ Security INFOSEC Intitute (ISC)2 Certified Cyber Forensics Professional

A+ Security

What are two advantages and disadvantages of the raw format?

Advantages faster data transfer speeds ignores minor data errors most forensics analysis tools compatibility. Disadvantages requires equal or greater target disk space doesn't contain hash values in the raw file (metadata) might have to run a separate hash program to validate raw format data might not collect marginal (bad) blocks.

An expert witness can give an opinion in which the following situations. The opinion, inferences, or conclusions depend on a special knowledge, skills, or training not within the ordinary experience of lay people The witness is shown to be qualified as a True expert in the field The witness testifies to a reasonable degree of certainty (probability) about his or her opinion, inference, or conclusion. All of the above

All of the above

Building a business case can involve which of the following? Procedures for gathering evidence Testing software Protecting trade secrets All of the above

All of the above

Logging options on many email servers can be: Disabled by the administrator Set up in a circular logging configuration Configured to a specified size before being overwritten All of the above

All of the above

Policies can address rules for which of the following? When you can log on to a company network from home The Internet sites you can or can't access The amount of personal e-mail you can send Any of the above

All of the above

What are two concerns when acquiring data from a RAID server?

Amount of data storage needed Type of RAID server Whether the acquisition tool can handle RAID acquisitions Whether the analysis tool can handle RAID data Whether the analysis tool can split RAID data into separate disk drives, making it easier to distribute large data sets

List four steps you should take, in the correct order, to handle a deposition in which physical circumstances are uncomfortable.

Ask the attorney to correct the situation. If the situation is not corrected, note these conditions into the record, and repeat noting them as long as the conditions persist. After you have noted the problem into the record, you can refuse to continue with the deposition. Generally, you should consult with an attorney before taking this step. If you think the behavior was serious enough that you can justify refusing to continue, consider reporting the attorney to his/her state bar association.

What letter should be typed into DiskEdit in order to mark a good sector as bad?​ M B T D

B

What information is _NOT_ in an e-mail header? (Choose all that apply) Blind copy (Bcc) addresses Internet addresses Domain name Contents of the message e. Type of e-mail server used to send the email

Blind copy (Bcc) addresses Contents of the message

For which of the following reasons should you wipe a target drive? To ensure the quality of digital evidence you acquire To make sure unwanted data isn't retained on the drive Neither Both

Both

Explain the differences in resource and data forks used in macOS.

Both contain a file's resource map and header information, window locations, and icons. The data fork stores a file's actual data, however, and the resource fork contains file metadata and application information.

When working for a prosecutor, what should you do if the evidence you found appears to be exculpatory and isn't being released to the defense? Keep the information on file for later review Bring the information to the attention of the prosecutor, then his or her supervisor and finally to the judge (the court) Destroy the evidence Five the evidence to the defense attorney

Bring the information to the attention of the prosecutor, then his or her supervisor and finally to the judge (the court)

If a suspect computer is running Windows 10, which of the following can you perform safely? Browsing open applications Disconnecting power Either of the above None of the above

Browsing open applications

How does macOS reduce file fragmentation?

By using clumps, which are groups of contiguous allocation blocks. As a file increases in size, it occupies more of the clump. Volume fragmentation is kept to a minimum by adding more clumps to larger files.

What digital network technology was developed during World War II? TDMA CDMA GSM iDEN

CDMA

For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you're constantly enhancing your skills through training, teaching, and experience. testimony CV (curriculum vitae) examination plan deposition

CV (curriculum vitae)

When validating the results of a forensic analysis, you should do which of the following? (Choose all that apply.) Calculate the hash value with two different tools. Use a different tool to compare the results of evidence you find. Repeat the steps used to obtain the digital evidence, using the same tool,and recalculate the hash value to verify the results. Use a command-line tool and then a GUI tool.

Calculate the hash value with two different tools Use a different tool to compare the results of evidence you find

Which of the following categories of information is stored on a SIM card? (Choose all that apply.) Volatile Memory Call data Service-related data None of the above

Call data Service-related data

List two features common with proprietary format acquisition files.

Can compress or not compress the acquisition data Can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD Case metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files

What do you call a list of people who have had physical possession of the evidence?

Chain of Custody

When you access your email, what type of computer architecture are you using? Mainframe and minicomputers Domain Client/Server None of the above

Client/server

The __________ is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy agreements, security measures, questionnaires, and more. OpenStack Framework Alliance Cloud Security Advisory Panel Cloud Security Alliance Cloud Architecture Group

Cloud Security Alliance

Forensic software tools are grouped into ____________ and _______________ applications.

Command-line & GUI

Sometimes opposing attorneys ask several questions inside one question; this practice is called a __________ question.

Compund

Describe what should be videotaped or sketched at a digital crime scene.

Computers, cable connections, overview of scene—anything that might be of interest to the investigation

When writing a report, what's the most important aspect of formatting? A neat appearance Size of the font Clear use of symbols and abbreviations Consistency

Consistency

If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? Coordinate with the HAZMAT team. Determine a way to obtain the suspect's computer. Assume the suspect's computer is contaminated. Do not enter alone.

Coordinate with the HAZMAT team Assume the suspect's computer is contaminated

Before testifying, you should do which of the following? (Choose all that apply) Create an examination plan with your attorney. Make sure you've been paid for your services and the estimated fee for the deposition or trial. Get a haircut Type all the draft notes you took during your investigation

Create an examination plan with your attorney. Make sure you've been paid for your services and the estimated fee for the deposition or trial.

​What digital network technology is a digital version of the original analog standard for cell phones? GSM CDMA iDEN D-AMPS

D-AMPS

What are the two states of encrypted data in a secure cloud? RC4 and RC5 CRC-32 and UTF-16 Homomorphic and AES Data in motion and data at rest

Data in motion and data at rest

With remote acquisitions, what problems should you be aware of? (Choose all that apply.) Data transfer speeds Access permissions over the network Antivirus, antispyware, and firewall programs The password of the remote computer's user

Data transfer speeds Access permissions over the network Antivirus, antispyware, and firewall programs

List three subfunctions of the extraction function.

Data viewing keyword sharing carving bookmarking decrypting decompressing

Which e-mail recovery program below can recover files from VMware and VirtualPC virtual machines, as well as ISOs and other types of file backups Fookes Aid4mail DataNumen Outlook Repair EnCase Forensics AccessData FTK

DataNumen Outlook Repair

The process of converting raw images to another format is called which of the following? Data conversion Transmogrification Transfiguring Demosaicing

Demosaicing

What are some ways to determine the resources needed for an investigation?

Determine the OS of the suspect computer List the necessary software to use for the examination.

When you perform an acquisition at a remote location, what should you consider to prepare for this task?

Determine whether there's enough electrical power and lighting and check the temperature and humidity at the location

_______________ is the process of opposing attorneys seeking information from each other.​ Subpoena Warranting Discovery Digging

Discovery

Maintain eye contact with the jury Pay close attention to what your attorney is objecting to. Pay close attention to opposing counsel's questions. Answer opposing counsel's questions as briefly as is practical

During your cross-examination, you should do which of the following? (Choose all that apply) Maintain eye contact with the jury Pay close attention to what your attorney is objecting to. Help the attorneys, judge, and jury in understanding the case, even if you have to go a bit beyond the scope of your expertise Pay close attention to opposing counsel's questions. Answer opposing counsel's questions as briefly as is practical

When searching a victim's computer for a crime committed with a specific email, what provides information for determining the emails originator? (Choose all that apply) E-mail header Username and password Firewall log All of the above

E-mail header Firewall log

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.

EnCase SafeBack SnapCopy

Which forensics tools can connect to a suspect's remote computer and run surreptitiously?

EnCase Enterprise ProDiscover Incident Response

Why is physical security so critical for digital forensics labs?

Evidence integrity

Explain how to identify an unknown graphics file format that your digital forensics tool doesn't recognize.

Examine a copy of the file with a hexadecimal editor to find the hex code for the first several bytes of the file.

Which service below does not put log information into /var/log/maillog SMTP Exchange IMAP POP

Exchange

Of all the proprietary formats, which one is the unofficial standard?

Expert Witness

Which forensic image file format creates or incorporates a validation hash value in the image file? (Choose all that apply) Expert Witness SMART AFF dd

Expert Witness SMART AFF

Automated tools help you collect and report evidence, but you're responsible for doing which of the following? Explaining your formatting choices Explaining the significance of the evidence Explaining in detail how the software works All of the above

Explaining the significance of the evidence

Which of the following rules or laws requires an expert to prepare and submit a report? FRCP 26 FRE 801 Neither Both

FRCP 26

What kind of information do fact witnesses provide during testimony? (Choose all that apply) Their professional opinion on the significance of evidence Definitions of issues to be determined bu the founder of the fact Facts only Observations of the results of tests they performed.

Facts only Observations of the results of tests they performed.

A JPEG file is an example of a vector graphic. True or False?

False

A forensic workstation should always have a direct broadband connection to the Internet. True or False?

False

A live acquisition can be replicated. True or False?

False

A search warrant can be used in any kind of case, either civil or criminal True or False

False

After you shift a file's bits, the hash value remains the same. True/False

False

All expert witnesses must be members of associations that license them. True or False?

False

An Internet e-mail is generally part of a local network, and is maintained and managed by an administrator for internal use by a specific company True or False

False

Because mobile phones are seized at the time of arrest, a search warrant is not necessary to examine the device for information.​ True False

False

In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False?

False

Like a job resume, your CV (curriculum viate) should be geared for a specific trial. True False

False

Most Code Division Multiple Access networks conform to IS-95. The systems are referred to as CDMAOne, and when they went to 3G service, they became CDMAThree True False

False

The Sysinternals Handle utility shows only file system activity, but does not show what processes are using files on the file system. True or False

False

The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect. True or False

False

The plain view doctrine in computer searches is well-established law. True or False?

False

EFS can encrypt which of the following? Files, folders, and volumes Certificates and private keys The global Registry Network servers

Files, folders, and volumes

The Known File Filter (KFF) can be used for which of the following purposes? (Choose all that apply) Filter known program file from view Calculate hash values of image files Compare hash values of known files with evidence files Filter out evidence that doesn't relate to our investigation

Filter known program file from view Filter out evidence that doesn't relate to our investigation

Hash values are used for which of the following purposes? (Choose all that apply.) Determining file size Filtering known good files from potentially suspicious data Reconstructing file fragments Validating that the original data hasn't changed

Filtering known good files from potentially suspicious data Validating that the original data hasn't changed

Select the program below that can be used to analyze mail from Outlook, Thunderbird, and Eudora AccessData FTK DataNumen R-Tools R-Mail Fookes Aid4Mail

Fookes Aid4Mail

The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery; the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in which it belongs", was established in what court case?​ Daubert v. Merrell Dow Pharmaceuticals, Inc Smith v. United States Frye v. United States Dillon v. United States

Frye v. United States

In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters Slow-NetworkAdapters Query-ipconfig Get-VMNetworkAdapter Dump-Betconfig

Get-VMNetworkAdapter

In order to retrieve logs from exchange, the Powershell cmdlet __________ can be used. GetExchangeLogs.psl GetLogInfo.psl ShowExchangeHistrory.psl GetTransactionLogStats.psl

GetTransactionLogStats.psl

What standard introduced sleep mode to enhance battery life, and is used with TDMA?​ IS-99 IS-140 IS-136 IS-95

IS-136

​​Most Code Division Multiple Access (CDMA) networks conform to ____________ , created by the Telecommunications Industry Association (TIA). TS-95 802.11 IS-95 IS-136

IS-95

List three organizations that have a code of ethics or conduct.

ISFCE IACIS AMA APA ABA

The standards for testing forensics tools are based on which criteria? U.S. Title 18 ASTD 1975 ISO 17025 All of the above

ISO 17025

​What organization is responsible for the creation of the requirements for carriers to be considered 4G? IEEE ITU-R ISO TIA

ITU-R

What should you do if you realize you have made a mistake or misstatement during a deposition? (Choose all that apply) If the deposition is still in session, refer back to the error and correct it. Decide weather the error is minor, and if so, ignor it If the deposition if over, make the correction on the corrections page of the copy provided for your signature Call the opposing attorney and inform him of your mistake or misstatement e. Request an opportunity to make the correction at trial.

If the deposition is still in session, refer back to the error and correct it. If the deposition if over, make the correction on the corrections page of the copy provided for your signature

A layered network defense strategy puts the most valuable data where? In the DMZ In the outermost layer In the innermost layer None of the above

In the innermost layer

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?

Initial-response kit

What methods do steganography programs use to hide data in graphics files? (Choose all that apply.) Insertion Substitution Masking Carving

Insertion Substitution

Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation? Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly. Criminal investigation because law enforcement agencies have more resources at their disposal Internal corporate investigation because corporate investigators typically have ready access to company records. Internal corporate investigation because ISPs almost always turn over email and access logs when requested by a large corporation

Internal corporate investigation because corporate investigators typically have ready access to company records.

What methods are used for digital watermarking? (Choose all that apply.) Implanted subroutines that link to a central Web server automatically when the watermarked file is accessed Invisible modification of the LSBs in the file Layering visible symbols on top of the image Using a hex editor to alter the image data

Invisible modification of the LSBs in the file Layering visible symbols on top of the image

What are the major improvements in the Linux Ext4 file system?

It added support for partitions larger than 16 TB, improved management of large files, and offered a more flexible approach to adding file system features.

What purpose does making your own recording during a deposition serve? It shows the court reporter that you don't trust him or her. It assists you with reviewing the transcript of the deposition. It allows you to review your testimony with your attorney during breaks. It prevents opposing counsel from intimidating you.

It allows you to review your testimony with your attorney during breaks.

What are the three rules for a forensic hash?

It can't be predicted No two files can have the same hash value If the file changes, the hash value changes

Which of the following statements about the legal-sequential numbering system in report writing is True? It's favorable because it's easy to organize and understand It's most effective for shorter reports It doesn't indicate the relative importance of information It's required for reports submitted in federal court

It doesn't indicate the relative importance of information

What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?

It enables you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive.

The ___ tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network sniffers, and freeware forensics tools Kali Linux Ubuntu OSForensics Sleuth Kit

Kali Linux

To recover a password in macOS, which tool do you use? Finder PRTK Keychain Access Password Access

Keychain Access

Which of the following techniques might be used in covert surveillance? Keylogging Data sniffing Network logs All of the above

Keylogging Data sniffing

The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to filter known program files from view and contains the hash values of known illegal files.​ DeepScan Filter Unknown File Filter (UFF) Known File Filter (KFF) FTK Hash Imager

Known File Filter (KFF)

Externally enforced ethical rules, with sanctions that can restrict a professional's practice, are more accurately described as which of the following? Laws Objectives A higher calling All of the above.

Laws

Packet analyzers examine what layers of the OSI model? Layers 2 and 4 Layers 4 through 7 Layers 2 and 3 All layers

Layers 2 and 3

The ___ is the version of Pcap available for Linux based operating systems Wincap Libcap Tcpcap Netcap

Libcap

Bitmap (.bmp) files use which of the following types of compression? WinZip Lossy Lzip Lossless

Lossless

A JPEG file uses which type of compression? WinZip Lossy Lzip Lossless

Lossy

Metadata in a prefetch file contains an application's ??? times in UTC format and a counter of how many times the application has run since the prefect file was created startup / access log event ACL MAC

MAC

Which of the following relies on a central database that tracks across data, location data and subscriber information? BTS MSC BSC None of the above

MSC (Mobile Switching Center)

The NSA's defense in depth (DiD) strategy contains three modes of protection. Which option below is not one of the three modes People Technology Operations Management

Management

​What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and taking pictures? Manual extraction Chip-off Micro read Logical extraction

Manual extraction

Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? Most companies keep inventory databases of all hardware and software used. The investigator doesn't have to get a warrant. The investigator has to get a warrant. Users can load whatever they want on their machines.

Most companies keep inventory databases of all hardware and software used.

Some clues left on a drive that might indicate steganography include which of the following? (Choose all that apply.) Multiple copies of a graphics file Graphics files with the same name but different file sizes Steganography programs in the suspect's All Programs list Graphics files with different timestamps

Multiple copies of a graphics file Graphics files with the same name but different file sizes Steganography programs in the suspect's All Programs list

The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but does not list hash values of known illegal files.​ Open Hash Database HashKeeper Online National Hashed Software Referenced. National Software Reference Library

National Software Reference Library

What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses? tcpdump Argus Ngrep Tcpslice

Ngrep

One of the most noteworthy e-mail scams was 419, otherwise known as the ??? Nigerian Scam Lake Venture Scam Conficker virus Iloveyou Scam

Nigerian Scam

In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/sha1

No. This command reads the image_file.img file and writes it to the evidence drive's /dev/hda1 partition. The correct command is dcfldd if=/dev/hda1 of=image_file.img.

In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive? 5% 10% 15% None of the above

None of the above

Which of the following Windows 8 files contains user-specific information? User.dat Ntuser.dat System.dat SAM.dat

Ntuser.dat

Areal density refers to which of the following? Number of bits per disk Number of bits per partition Number of bits per square inch of a disk platter Number of bits per platter

Number of bits per square inch of a disk platter

In JPEG files, what's the starting offset position for the JFIF label? Offset 0 Offset 2 Offset 6 Offset 4

Offset 6

What does a logical acquisition collect for an investigation?

Only specific files of interest to the case

Which of the following is the standard format for filed reports in electronically in federal courts? Word Excel PDF HTML e. Any of the above

PDF

The tcpdump and Wireshark utilities both use what well known packet capture format Netcap Pcap Packetd RAW

Pcap

Nonvolatile memory on a mobile device can contain OS files and stored user data, such as a __________________ and backed-up files. Professional Data Holder Personal Assistant Organizer Personal Data Manager Personal Information Manager

Personal Information Manager

What items should your business plan include?

Physical security items, such as evidence lockers Number of machines are needed What OSs your lab commonly examines Why you need certain software How your lab will benefit the company (such as being able to quickly exonerate employees or discover whether they're guilty)

The most reliable way to ensure that jurors recall testimony is to do which of the following? Present evidence using oral testimony supported by hand gestures and facial expressions Present evidence combining oral testimony and graphics that support the testimony Wear bright colored clothing to attract juror's attention Emphasize your points with humorous anecdotes e. Memorize your testimony carefully

Present evidence combining oral testimony and graphics that support the testimony

List three obvious ethical errors.

Presenting false or altered data. Reporting work that was not done. Ignoring available contradictory data. Working beyond your expertise or competence. Failing to report a possible conflict of interest. Reaching a conclusion before you have done complete research.

The verification function does which of the following? Proves that a tool performs as intended Creates segmented files Proves that two sets of data are identical via hash values Verifies hex editors

Proves that two sets of data are identical via hash values

Rainbow tables serve what purpose for digital forensics examinations? Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords. Rainbow tables are a supplement to the NIST NSRL library of hash tables. Rainbow tables are designed to enhance the search capability of many digital forensics examination tools. Rainbow tables provide a scoring system for probable search terms.

Rainbow tables contain computed hashes of possible passwords that some password- recovery programs can use to crack passwords.

Which of the following is not a type of peripheral memory card used in PDAs?​ Secure Digital (SD) Compact Flash (CF) Multimedia Card (MMC) RamBus (RB)

RamBus (RB)

Name the three formats for digital forensics data acquisitions.

Raw Format Proprietary Formats Advanced Forensic Format (AFF)

The reconstruction function is needed for which of the following purposes? (Choose all that apply.) Re-create a suspect drive to show what happened. Create a copy of a drive for other investigators. Recover file headers. Re-create a drive compromised by malware.

Re-create a suspect drive to show what happened. Create a copy of a drive for other investigators. Re-create a drive compromised by malware.

List three sound reasons for offering a different opinion from one you testified to in a previous case.

Recent developments in technology. New tools with new capabilities. The facts of the current case being distinguishable from a previous case.

When you carve a graphics file, recovering the image depends on which of the following skills? Recovering the image from a tape backup Recognizing the pattern of the data content Recognizing the pattern of the file header content Recognizing the pattern of a corrupt file

Recognizing the pattern of the file header content

A log report in forensics tools does which of the following? Tracks file types Monitors network intrusion attempts Records an investigator's actions in examining a case Lists known good files

Records an investigator's actions in examining a case

When you begin a conversation with an attorney about a specific case, what should you do? (Choose all that apply.) Ask to meet with the attorney. Answer his or her questions in as much detail as possible. Ask who the parties in the case are. Refuse to discuss details until a retainer agreement is returned.

Refuse to discuss details until a retainer agreement is returned.

Typically, a(n) __________ lab has a separate storage area or room for evidence.

Regional

Remote wiping of a mobile device can result in which of the following? (Choose all that apply) Removing account information Enabling GPS beacon to track the thief Returning the phone to the original factory settings Deleting contacts

Removing account information Returning the phone to the original factory settings Deleting contacts

What three items should you research before enlisting in a certification program?

Requirements Cost Acceptability in your chosen area of employment.

When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do? Search available log files for any forwarded messages Restore the e-mail server from a backup Check the current database files for an existing copy of the email Do nothing because after the file has been deleted, it can no longer be recovered.

Restore the e-mail server from a backup

The report generator in ProDiscover defaults to ______________________, which can be opened by most word processors.​ HyperText Markup Language (HTML) Rich Text Format (RTF) Extensible Markup Language (XML) Microsoft Word document format

Rich Text Format (RTF)

In which of the following cases did the U.S. Supreme Court require using a search warrant to examine the contents of mobile devices? Miles v. North Dakota Smith v. Oregon Riley v. California Dearborn v. Ohio

Riley v California

GSM refers to mobile phones as "mobile stations" and divides a station into two parts, the __________ and the mobile equipment (ME).​ antenna SIM card radio transceiver

SIM card

In a ___ attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server with established connections smurf SYN flood spoof ghost

SYN flood

Evidence of cloud access found on a smartphone usually means which cloud service level was in use? IaaS HaaS PaaS SaaS

SaaS

What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing Amazon EC2 IBM Cloud Salesforce HP Helion

Salesforce

If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords? There are no concerns because salting doesn't affect password-recovery tools. Salting can make password recovery extremely difficult and time consuming. Salting applies only to OS startup passwords, so there are no serious concerns for examiners. The effect on the computer's CMOS clock could alter files' date and time values.

Salting can make password recovery extremely difficult and time consuming.

Digital pictures use data compression to accomplish which of the following goals? (Choose all that apply.) Save space on a hard drive. Provide a crisp and clear image. Eliminate redundant data. Produce a file that can be e-mailed or posted on the Internet.

Save space on a hard drive. Produce a file that can be e-mailed or posted on the Internet.

Which of the following describes fact testimony? Scientific or technical testimony describing information recovered during an examination Testimony by law enforcement officers Testimony based on observations by lay witnesses None of the above

Scientific or technical testimony describing information recovered during an examination

Which of the following describes the superblock's function in the Linux file system? (Choose all that apply.) Stores bootstrap code Specifies the disk geometry and available space Manages the file system, including configuration information Contains links between inodes

Specifies the disk geometry and available space Manages the file system, including configuration information

Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider? (Choose all that apply) Subpoenas with prior notice Temporary restraining orders Search warrants Court orders

Subpoenas with prior notice Search warrants Court orders

What expressions are acceptable to use in testimony to respond to a question for which you have no answer? (Choose all that apply) No Comment That's beyond the scope of my expertise I don't want to answer that questino I was not requested to investigate that e. That is beyond the scope of my investigation

That's beyond the scope of my expertise I was not requested to investigate that e. That is beyond the scope of my investigation

According to ISO standard 27037, which of the following is an important factor in data acquisition? (Choose all that apply.) The DEFR's competency The DEFR's skills in using the command line Use of validated tools Conditions at the acquisition setting

The DEFR's competency Use of validated tools

Which of the following certifies when an OS meets UNIX requirements? IEEE UNIX Users Group The Open Group SUSE Group

The Open Group

In steganalysis, cover-media is which of the following? The content of a file used for a steganography message The type of steganographic method used to conceal a message The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file A specific type of graphics file used only for hashing steganographic files

The file a steganalysis tool uses to host a hidden message, such as a JPEG or an MP3 file

What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? The file can no longer be encrypted. EFS protection is maintained on the file. The file is unencrypted automatically. Only the owner of the file can continue to access it.

The file is unencrypted automatically.

When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented?​ Inventory and documentation information should be stored on a drive and then the drive should be reformatted. Start the suspect's computer and begin collecting evidence. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.​ Connect the suspect's computer to the local network so that up to date forensics utilities can be utilized.

The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.​

In answering a question about the size of a hard drive, which of the following responses is appropriate? (Choose all that apply.) It's a very large hard drive. The technical data sheet indicates it's a 3 terabyte hard drive. It's a 3 terabyte hard drive configured with 2.78 terabytes of accessible storage. I was unable to determine the drive size because it was so badly damaged.

The technical data sheet indicates it's a 3 terabyte hard drive. It's a 3 terabyte hard drive configured with 2.78 terabytes of accessible storage. I was unable to determine the drive size because it was so badly damaged.

this is what you'd expect to see. The drive is formatted incorrectly

There's a hidden partition

Which of the following is true of most drive-imaging tools? (Choose all that apply.) They perform the same function as a backup. They ensure that the original drive doesn't become corrupt and damage the digital evidence. They create a copy of the original drive They must be run from the command line.

They ensure that the original drive doesn't become corrupt and damage the digital evidence They create a copy of the original drive

Which of the following is true about JPEG and TIF files? They have identical values for the first 2 bytes of their file headers. They have different values for the first 2 bytes of their file headers. They differ from other graphics files because their file headers contain more bits. They differ from other graphics files because their file headers contain fewer bits.

They have different values for the first 2 bytes of their file headers.

Why should you critique your case after it's finished?

To determine what improvements you made during each case, what could have been done differently, and how to apply those lessons to future cases.

Why is it a good practice to make two images of a suspect drive in a critical investigation?

To ensure at least one good copy of the forensically collected data in case of any failures

For what purpose have hypothetical questions traditionally been used in litigation? To frame the factual context of rendering an expert witness's opinion. To define the case issues for the finder of fact to determine To stimulate discussion between consulting expert and expert witnesses To deter a witness from expanding the scope of his or her investigation beyond the case requirements. e. All of the above

To frame the factual context of rendering an expert witness's opinion.

What's the purpose of maintaining a network of digital forensics specialists?

To have the option of calling on diversified specialists to help with a case.

Why should you do a standard risk assessment to prepare for an investigation?

To list the problems you normally expect in the type of case you're handling.

Why should evidence media be write-protected?

To make sure the data isn't altered.

When you arrive at the scene, why should you extract only those items you need to acquire evidence?

To minimize how much you have to keep track of at the scene

What's the purpose of an affidavit?

To provide a sworn statement of support of facts about evidence of a crime this is submitted to a judge with the request for a search warrant before seizing evidence.

Router logs can be used to verify what types of email data? Message content Content of Attached files Tracking flows through e-mail server ports Finding blind copies

Tracking flows through email server ports

A forensic image of a VM includes all snapshots. True/False

True

A report can provide justification for collecting more evidence and be used at a probable cause hearing.​ True False

True

A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT. True False

True

Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific files or sectors. ​ True or False

True

All email headers contain the same types of information. True/False

True

Amazon was an early provider of Web-based services that eventually developed into the cloud concept. True or False

True

An employer can be held liable for e-mail harassment. True or False?

True

An image of a suspect drive can be loaded on a virtual machine. True False

True

As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers. True False

True

As an expert witness, you have opinions about what you have found or observed. True False

True

CHS stands for cylinders, heads, and sectors. True False

True

Device drivers contain instructions for the OS on how to interface with hardware devices. True False

True

Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or False?

True

EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?

True

File and directory names are some of the items stored in the FAT database. True False

True

For digital evidence, an evidence bag is typically made of antistatic material. True or False?

True

If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?

True

If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?

True

If you were a lay witness at a previous trail. You shouldn't list that case in your written report. True/False

True

In NTFS, files smaller than 512 bytes are stored in the MFT. True False

True

Internet e-mail accessed with a Web brower leaves files in temporary folders. True/False

True

One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is essential for presenting evidence in court.​ True or False

True

Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise. True False

True

Specially trained system and network administrators are often a CSP's first responders True or False

True

Specially trained system and network administrators are often a CSP's first responders.​ True False

True

Tcpslice can be used to retrieve specific timeframes of packet captures. True/False?

True

Technical terms, if included in a report, should be defined in ordinary language such that lawyers, judges, and jurors can understand them.​ True False

True

The advantage of recording hash values is that you can determine whether data has changed.​ True or False

True

The capability of type 1 hypervisors is limited only by the amount of available RAM, storage, and throughput True or False

True

The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False

True

The multitenancy nature of cloud environments means conflicts in private laws can occur. True/False

True

The primary hashing algorithm the NSRL project uses is SHA-1. True or False?

True

The use of smart phones for illicit activities is becoming more prevalent.​ True False

True

To see Google Drive synchronization files, you need a SQL viewer. True/False

True

Typically, you need a search warrant to retrieve information from a service provider. True/False

True

Voir dire is the process of qualifying a witness as an expert. True or False?

True

When investigating social media content, evidence artifacts can vary, depending on the social media channel and the device. True/False

True

When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False?

True

When viewing a file header, you need to include hexadecimal information to view the image. True or False?

True

While travelling internationally with a GSM phone, you can pop in a SIM card for the country you're currently in, rather than get a new phone. True False

True

You can view e-mail headers in Notepad with all popular e-mail clients. True/False

True

Large digital forensics labs should have at least ___ exits.

Two

Virtual Machine Extension (VMX) are part of which of the following? Type 1 hypervisors Type 2 hypervisors Intel Virtualized Technology AMD Virtualized Technology

Type 2 hypervisor

What is the space on a drive called when a file is deleted? Disk space Unallocated space Drive space None of the above

Unallocated space

What processor instruction set is required in order to utilize virtualization software AMD-VT Intel VirtualBit Virtual Machine Extensions (VMX) Virtual HardwareExtensions (VHX)

Virtual Machine Extensions (VMX)

Virtual machines have which of the following limitations when running on a host computer? Internet connectivity is restricted to virtual Web sites. Applications can be run on the virtual machine only if they're resident on the physical machine. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. Virtual machines can run only OSs that are older than the physical machine's OS.

Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.

Which of the following is a clue that a virtual machine has been installed on a host system? Network Logs Virtual network adapter Virtualization Software USB Drive

Virtual network adapter

What virtual machine software supports all Windows and Linux OSs as well as Macintosh and Solaris, and is provided as shareware? KVM Parallels Microsoft Virtual PC VirtualBox

VirtualBox

Which of the following is NOT a service level for the cloud Platform as a service Infrastructure as a service Virtualization as a service Software as a service

Virtualization as a service

The triad of computing security includes which of the following? Detection, response, and monitoring Vulnerability assessment, detection, and monitoring Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation Vulnerability assessment, intrusion response, and monitoring

Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation

When should a temporary restraining order be requested for cloud environment? When cloud customers need immediate access to their data To enforce a court order When anti-forensics techniques are suspected When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case.

When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case.

Contingency fees can be used to compensate an expert under which circumstances? When the expert is too expensive to compensate at the hourly rate When the expert is willing to accept a contingency fee arrangement When the expert is acting only as a consultant, not a witness All of the above

When the expert is acting only as a consultant, not a witness

In forensic hashes, when does a collision occur?

When two different files have the same hash value

As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? You begin to take orders from a police detective without a warrant or subpoena. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. Your internal investigation begins. None of the above.

You begin to take orders from a police detective without a warrant or subpoena.

Which of the following describes plist files? (Choose all that apply.) You must have a special editor to view them. They're found only in Linux file systems. They're preference files for applications. They require special installers.

You must have a special editor to view them. They're preference files for applications.

At trial as a fact or expert witness, what must you always remember about your testimony? You're responsible for the outcome of the case Your duty is to report your technical or scientific findings or render an honest opinion Avoid mentioning how much you were paid for your services All of the above

Your duty is to report your technical or scientific findings or render an honest opinion

As with any research paper, write the ___________________ last. appendix body acknowledgements abstract

abstract

If a report is long and complex, you should include a(n) _____________.​ appendix abstract glossary table of contents

abstract

Discuss any potential problems with your attorney ____ a deposition. before after during during direct examination at

before

The ________________ section of a report starts by referring to the report's purpose, states the main points, draws conclusions, and possibly renders an opinion.​ body conclusion appendix reference

conclusion

___ is an attempt by opposing attorneys to prevent you from serving on an important case. conflict of interest warrant deposition conflicting out

conflicting out

A ??? is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities court order temporary restraining order warrant subpoena

court order

What type of Facebook profile is usually only given to law enforcement with a warrant private profile advanced profile basic profile d.Neoprint profile

d.Neoprint profile

​A report using the _________________ system divides material into sections and restarts numbering with each main section. numerically ordered hierarchical decimal numbering number formatted

decimal numbering

The ____ is the most important part of testimony at a trial. cross-examination direct examination rebuttal motions in limine

direct examination

There are two types of depositions: ____ and testimony preservation. examination discovery direct rebuttal

discovery

The ??? Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system read_filejournal filetx.log filecache.dbx filecache.dll

filecache.dbx

Validate your tools and verify your evidence with __________ to ensure its integrity. hashing algorithms watermarks steganography digital certificates

hashing algorithms

​On what mobile device platform does Facebook use a SQLite database containing friends, their ID numbers, and phone numbers as well as files that tracked all uploads, including pictures? Android Blackberry Windows RT iPhone

iPhone

​In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely. keygrabber keylogger packet capture protocol analyzer

keylogger

it's accessed through the application's Web interface configuration manager management plane backdoor programming language

management plane

Select the file below that is used in VirtualBox to create a virtual machine .vdi .vbox .r0 ova

ova

When writing a report, group related ideas and sentences into ___________________,​ chapters sections paragraphs separate reports

paragraphs

To reduce the time it takes to start applications, Microsoft has created ??? files, which contain the DLL pathnames and metadata used by application temp cache config prefetch

prefetch

What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in coming to those opinions?​ rule 24 rule 35 rule 36 rule 26

rule 26

The ??? utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook fixmail.exe scanpst.exe repairpst.exe rebuildpst.exe

scanpst.exe

The goal of recovering as much information as possible can result in __________, in which an investigation expands beyond the original description because of unexpected evidence found.​ litigation scope creep criminal charges violations

scope creep

Which of the following is NOT one of the five mechanisms the government can use to get electronic information from a provider search warrants subpoenas court orders seizure order

seizure order

If a preliminary report is written, destroying the preliminary report after the final report is complete could be considered ______________.​ proper data security spoliation beneficial necessary

spoliation

The Suni Munshani v. Singal Lake Venture Fund II, LP et al case is an example of a case that involves e-mail ??? destruction spamming spoofing theft

spoofing

The term for detecting and analyzing steganography files is _________________.​ carving steganology steganalysis steganomics

steganalysis

Regarding a trial, the term ____ means rejecting potential jurors. voir dire rebuttal strikes venireman

strikes

Which is not a valid method of deployment for a cloud community public targeted private

targeted

The ___ command line program is a common way of examining network traffic, which provides records of network activity while it is running, and produce hundreds of thousands of records netstat ls ifconfig tcpdump

tcpdump

When you give __________ testimony, you present this evidence and explain what it is and how it was obtained. technical/scientific expert lay witness deposition

technical/scientific

How you format _____________ is less important than being consistent in applying formatting.​ words text paragraphs sections

text

What information is not typically included in an e-mail header? the sender's physical location the originating IP address the unique ID of the e-mail the originating domain

the sender's physical location

Lawyers may request _________________ of previous testimony by their own potential experts to ensure that the experts haven't previously testified to a contrary position.​ warrants transcripts subpoenas evidence

transcripts

In VirtualBox, a(n) ______ file contains settings for virtual hard drives. .vox-prev .ovf .vbox .log

vbox

A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to secure the information contained inside.​ compiler shifter macro script

​macro


Ensembles d'études connexes

Chapter 2: The Chemical Context of Life (Multiple-Choice Questions)

View Set

Chapter 4: Purposes of Texts and Graphic Sources

View Set

ISYS 316 Advanced Java Programming Chapter 32 Java Database Programming

View Set