Study for exam 1 computer forensics


What process refers to recording all the updates made to a workstation? a.Configuration management c.Recovery logging b.Risk minimization d.Change logging

A

What term refers to a column of tracks on two or more disk platters? a.Cylinder c.Track b.Sector d.Head

A

A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing? a.Data recovery c.Digital forensics b.Disk restoration d.Disaster recovery

A

During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. What did the U.S. Department of Defense call this special computer-emission shielding? a.TEMPEST c.NISPOM b.RAID d.EMR

A

How frequently should floors and carpets in the computer forensic lab be cleaned to help minimize dust that can cause static electricity? a.At least once a week c.At least three times a week b.At least twice a week d.At least four times a week

A

In addition to FAT16, FAT32, and Resilient File System, which file system can Windows hard disks also use? a.NTFS c.FAT24 b.ext3 d.ext2

A

In addition to RAID 0, what type of RAID configuration is available for Windows XP, 2000, and NT servers and workstations? a.RAID 1 c.RAID 2 b.RAID 4 d.RAID 5

A

In the NTFS MFT, all files and folders are stored in separate records of how many bytes each? a.1024 c.2048 b.1512 d.2512

A

Methods for restoring large data sets are important for labs using which type of servers? a.RAID c.WAN b.ISDN d.TEMPEST

A

What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult? a.Whole disk encryption c.Recovery wizards b.Backup utilities d.NTFS

A

What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant? a.A blotter c.A litigation report b.An exhibit report d.An affidavit

A

What is on an NTFS disk immediately after the Partition Boot Sector? a.FAT c.MBR b.HPFS d.MFT

A

What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced? a.EFS c.LZH b.VFAT d.RAR

A

What specifies the Windows XP path installation and contains options for selecting the Windows version? a.Boot.ini c.NTDetect.com b.BootSec.dos d.NTBootdd.sys

A

What term refers to the individual who has the power to conduct digital forensic investigations? a.Authorized requester c.Corporate investigator b.Security chief d.Independent ombudsperson

A

What type of evidence do courts consider evidence data in a computer to be? a.Physical c.Virtual b.Invalid d.Logical

A

What type of plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing? a.Disaster recovery c.Configuration management b.Risk management d.Security

A

What type of records are considered data that the system maintains, such as system log files and proxy server logs? a.Computer-generated c.Computer-stored b.Business d.Hearsay

A

When confidential business data are included with the criminal evidence, what are they referred to as? a.Commingled data c.Public data b.Exposed data d.Revealed data

A

When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action? a.80 degrees or higher c.95 degrees or higher b.90 degrees or higher d.105 degrees or higher

A

Which agency introduced training on software for forensics investigations by the early 1990s? a.IACIS c.CERT b.FLETC d.DDBIA

A

Which filename refers to the Windows XP system service dispatch stubs to executable functions and internal support functions? a.Ntdll.dll c.Advapi32.dll b.User32.dll d.Gdi32.dll

A

Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes? a.Investigating and controlling the scene is much easier in private sector environments. b.Investigating and controlling the scene is equally easy in both environments. c.Investigating and controlling the scene is equally difficult in both environments. d.Investigating and controlling the scene is more difficult in private sector environments.

A

What usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will? a.A warning banner b.A statement of responsibilities c.An alarm trigger d.A consent authorization

A

At what distance can the EMR from a computer monitor be picked up? a.1/4 mile c.3/4 mile b.1/2 mile d.1 mile

B

At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work? a.The forensic workstation c.The data management room b.The digital forensics lab d.The computer analysis lab

B

In addition to environmental issues, what issues are the investigator's primary concerns when working at the scene to gather information about an incident or a crime? a.Legal c.Corporate b.Safety d.Interpersonal

B

Power should not be cut during an investigation involving a live computer, unless it is what type of system? a.A Linux or FreeBSD system c.An Android or iOS system b.An older Windows or MS-DOS system d.A macOS or SkyOS system

B

Under what circumstances are digital records considered admissible? a.They are hearsay records c.They are computer-generated records b.They are business records d.They are computer-stored records

B

What command creates a raw format file that most computer forensics analysis tools can read? a.fdisk c.man b.dd d.raw

B

What does Autopsy use to validate an image? a.RC4 c.AFF b.MD5 d.AFD

B

What is most often the focus of digital investigations in the private sector? a.E-mail abuse c.Internet abuse b.Misuse of digital assets d.VPN abuse

B

What is required for real-time surveillance of a suspect's computer activity? a.Poisoning data transmissions between a suspect's computer and a network server. b.Sniffing data transmissions between a suspect's computer and a network server. c.Blocking data transmissions between a suspect's computer and a network server. d.Preventing data transmissions between a suspect's computer and a network server.

B

What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest? a.Reasonable cause c.Reasonable suspicion b.Probable cause d.Burden of Proof

B

What term refers to Linux ISO images that can be burned to a CD or DVD? a.ISO CDs c.Forensic Linux b.Linux Live CDs d.Linux in a Box

B

What term refers to the number of bits in one square inch of a disk platter? a.Head skew c.Cylinder skew b.Areal density d.ZBR

B

What type of acquisition is used for most remote acquisitions? a.Static c.Sparse b.Live d.Hot

B

Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS? a.Hal.dll c.Boot.ini b.NTBootdd.sys d.Ntoskrnl.exe

B

Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime? a.Network intrusion detection b.Digital investigations c.Incident response d.Litigation

B

Which term refers to an accusation or supposition of fact that a crime has been committed and is made by the complainant, based on the incident? a.Assertion c.Declaration b.Allegation d.Contention

B

Which type of kit should include all the tools the investigator can afford to take to the field? a.An initial-response field kit c.A forensic lab kit b.An extensive-response field kit d.A forensic workstation kit

B

Without a warning banner, what right might employees assume they have when using a company's computer systems and network accesses? a.Authority c.Consent b.Privacy d.Anonymity

B

How do most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks? a.Head skew c.ZBR b.Cylinder skew d.Areal density

C

If your time is limited, what type of acquisition data copy method should you consider? a.Lossless c.Sparse b.Disk-to-disk d.Disk-to-image

C

What command works similarly to the dd command but has many features designed for computer forensics acquisitions? a.raw c.dcfldd b.bitcopy d.man

C

What is the maximum amount of time computing components are designed to last in normal business operations? a.24 months c.36 months b.30 months d.42 months

C

What is the most common and flexible data-acquisition method? a.Disk-to-disk copy c.Disk-to-image file copy b.Disk-to-network copy d.Sparse data copy

C

What reports are generated at the local, state, and federal levels to show the types and frequency of crimes committed? a.Officer activity reports c.Uniform crime reports b.Cooperative agreement reports d.Mandated crime reports

C

What term refers to a person using a computer to perform routine tasks other than systems administration? a.Complainant c.End user b.Consumer d.Customer

C

What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible? a.A bit-stream copy utility c.An initial-response field kit b.An extensive-response field kit d.A seizing order

C

When Microsoft created Windows 95, into what were initialization (.ini) files consolidated? a.The inirecord c.The registry b.The inidata d.The metadata

C

When an investigator seeks a search warrant, which of the following must be included in an affidavit to support the allegation of a crime? a.Subpoena c.Exhibits b.Exculpatory evidence d.Authorized requester

C

When federal courts are evaluating digital evidence from computer-generated records, what exception is applied to hearsay? a.Digital-records authenticity exception c.Business-records exception b.Computer-generated records exception d.Best-evidence rule exception

C

When seizing computer evidence in criminal investigations, which organization's standards should be followed? a.Department of Homeland Security c.U.S. DOJ b.NSA d.U.S. DoD

C

When was the Freedom of Information Act originally enacted? a.1940s c.1960s b.1950s d.1970s

C

Which RAID configuration offers the greatest access speed and most robust data recovery capability? a.RAID 0 c.RAID 15 b.RAID 10 d.RAID 16

C

Which doctrine, found to be unconstitutional, was used to allow a civilian or private-sector investigative agent to deliver evidence obtained in a manner that violated the Fourth Amendment to a law enforcement agency? a.Silver-tree c.Silver-platter b.Gold-tree d.Gold-platter

C

Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr? a.Hal.dll c.NTDetect.com b.Boot.ini d.BootSect.dos

C

Which filename refers to a core Win32 subsystem DLL file? a.Pagefile.sys c.User32.sys b.Hal.dll d.Ntoskrnl.exe

C

Which group often works as part of a team to secure an organization's computers and networks? a.Computer analysts c.Forensics investigators b.Data recovery engineers d.Network monitors

C

Which type of case involves charges such as burglary, murder, or molestation? a.Corporate b.Civil c.Criminal d.Judicial

C

At a minimum, what do most company policies require that employers have in order to initiate an investigation? a.Confirmed suspicion that a law or policy is being violated. b.Proof that a law or policy is being violated. c.Court order stating that a law or policy is being violated. d.Reasonable suspicion that a law or policy is being violated.

D

In addition to md5sum, which hashing algorithm utility is included with current distributions of Linux? a.sha386sum c.SHAKE b.md1deep d.sha1sum

D

The presence of police officers and other professionals who aren't part of the crime scene-processing team may result in the loss or corruption of data through which process? a.Deliberate destruction c.Data drift b.Police malfeasance d.Professional curiosity

D

What contains instructions for the OS for hardware devices, such as the keyboard, mouse, and video card? a.Hal.dll c.Ntoskrnl.exe b.Pagefile.sys d.Device drivers

D

What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab? a.An evidence custody form c.An affidavit b.A FOIA form d.A warrant

D

What do published company policies provide for a business that enables them to conduct internal investigations? a.Absolute process c.Legitimate justification b.Judicial authorization d.Line of authority

D

What enables the user to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment? a.A virtual file c.A logic machine b.A logic drive d.A virtual machine

D

What investigator characteristic, which includes ethics, morals, and standards of behavior, determines the investigator's credibility? a.Investigatory acumen c.Line of authority b.Fidelity to oath of office d.Professional conduct

D

What is the third stage of a criminal case, after the complaint and the investigation? a.Resolution c.Negotiation b.Allegation d.Prosecution

D

What kind of forensic investigation lab best preserves the integrity of evidence? a.A shielded enclosure c.A fortified workplace b.A protected entity d.A secure facility

D

What must be done, under oath, to verify that the information in the affidavit is true? a.It must be notarized. c.It must be recorded. b.It must be examined. d.It must be challenged.

D

What option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512? a.md5sum c.checksum b.hashlog d.hash

D

What organization was created by police officers in order to formalize credentials for digital investigators? a.HTCN c.TEMPEST b.NISPOM d.IACIS

D

What type of acquisition is typically done on a computer seized during a police raid? a.Live c.Real-time b.Online d.Static

D

What type of files might lose essential network activity records if power is terminated without a proper shutdown? a.Password logs c.Io.sys files b.Word logs d.Event logs

D

Which RAID configuration, also called mirrored striping, is a combination of RAID 1 and RAID 0? a.RAID 0 c.RAID 5 b.RAID 6 d.RAID 10

D

Which activity involves determining how much risk is acceptable for any process or operation? a.Risk configuration c.Risk control b.Risk analysis d.Risk management

D

Which resource can be helpful when investigating older and unusual computing systems? a.AICIS lists c.Forums and blogs b.Uniform reports d.Minix

D

Which technique can be used for extracting evidence from large systems? a.RAID copy c.Large evidence file recovery b.RAID imaging d.Sparse acquisition

D

As data is added, the MFT can expand to take up 75% of the NTFS disk.

False

Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.

False

Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized.

True

Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.

True

If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.

True

Maintaining credibility means you must form and sustain unbiased opinions of your cases.

True

Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.

True

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.

True

The type of file system an OS uses determines how data is stored on the disk.

True

To be a successful computer forensics investigator, you must be familiar with more than one computing platform.

True
