____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. Choices: Data recovery, Network forensics, Computer forensics, Disaster recovery
Data recovery
The most common and flexible data-acquisition method is ____. Choices: Disk-to-disk copy, Disk-to-network copy, Disk-to-image file copy, Sparse data copy
Disk-to-image file copy
When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____. Choices: EFS, VFAT, LZH, RAR
EFS
____ is the file structure database that Microsoft originally designed for floppy disks. Choices: NTFS, FAT32, VFAT, FAT
FAT
Computer investigations and forensics fall into the same category: public investigations.
False
If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately.
False
If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available.
False
Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.
False
The first 5 bytes (characters) for all MFT records are FILE.
False
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
False
____ often work as part of a team to secure an organization's computers and networks. Choices: Computer analysts, Data recovery engineers, Forensics investigators, Network monitors
Forensics investigators
Linux ISO images that can be burned to a CD or DVD are referred to as ____. Choices: ISO CDs, Linux Live CDs, Forensic Linux, Linux in a Box
Linux Live CDs
On an NTFS disk, immediately after the Partition Boot Sector is the ____. Choices: FAT, HPFS, MBR, MFT
MFT
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System. Choices: NTFS, ext3, FAT24, ext2
NTFS
When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____. Choices: IniRecord, Inidata, Registry, Metadata
Registry
A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.
True
Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized.
True
After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
True
One way to examine a partition's physical level is to use a disk editor, such as WinHex or Hex Workshop.
True
The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.
True
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.
True
The police blotter provides a record of clues to crimes that have been committed previously.
True
The type of file system an OS uses determines how data is stored on the disk.
True
There's no simple method for getting an image of a RAID server's disks.
True
To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
True
When you research computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.
True
Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0 and 3.0, SATA, PATA, and SCSI controllers. Choices: USB, IDE, LCD, PCMCIA
USB
____ can be software or hardware and are used to protect evidence disks by preventing data from being written to them. Choices: Drive-imaging, Disk editors, Workstations, Write-blockers
Write-blockers
____ is how most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks. Choices: Head skew, Cylinder skew, ZBR, Areal density
ZBR
Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed. Choices: litigation, allegation, blotter, prosecution
allegation
In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation. Choices: corporate, civil, criminal, fourth amendment
criminal
A ____ is a column of tracks on two or more disk platters. Choices: cylinder, sector, track, head
cylinder
The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions. Choices: fdisk, dd, man, raw
dd
The raw data format, typically created with the Linux ____ command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive. Choices: rawcp, dd, d2dump, dhex
dd
The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime. Choices: network intrusion detection, digital investigations, incident response, litigation
digital investigations
A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing. Choices: disaster recovery, risk management, configuration management, security
disaster recovery
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method. Choices: lossless, disk-to-disk, sparse, disk-to-image
disk-to-image
The simplest method of duplicating a disk drive is using a tool that makes a direct ____ copy from the suspect disk to the target location. Choices: partition-to-partition, image-to-partition, disk-to-image, image-to-disk
disk-to-image
A(n) ____ is a person using a computer to perform routine tasks other than systems administration. Choices: complainant, user banner, end user, investigator
end user
Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____. Choices: backup file, firmware, image file, recovery copy
image file
Most remote acquisitions have to be done as ____ acquisitions. Choices: static, live, sparse, hot
live
Records in the MFT are called ____. Choices: hyperdata, metadata, inodes, infodata
metadata
You should have at least one copy of your backups on site and a duplicate or a previous copy of your backups stored in a safe ____ facility. Choices: in-site, storage, off-site, online
off-site
Many password recovery tools have a feature for generating potential lists for a ____ attack. Choices: brute-force, password dictionary, birthday, salting
password dictionary
A forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation is also known as a ____. Choices: stationary workstation, field workstation, lightweight workstation, portable workstation
portable workstation
Current distributions of Linux include two hashing algorithm utilities: md5sum and ____. Choices: rcsum, shasum, hashsum, sha1sum
sha1sum
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method. Choices: lossless, disk-to-disk, sparse, disk-to-image
sparse