Test 1 Cyber Forensics

How long are computing components designed to last in a normal business environment?

18 to 36 months

The _____________ provides guidelines to members for managing a forensics lab and acquiring crime and forensics lab accreditation.​

American Society of Crime Laboratory Directors (ASCLD)

The bit-by-bit copy technique creates simple sequential flat files of a suspect drive or data set.

False

The extensive-response field kit should be lightweight and easy to transport.

False

The law of search and seizure protects the rights of all people, excluding people suspected of crimes.

False

Linux ISO images are referred to as ____.

Live CDs

In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation.

criminal

What should you do while copying data on a suspect's computer that is still live?

Make notes regarding everything you do.

The EMR from a computer monitor can be picked up as far away as ____ mile.

1/2

Which option below is not a recommendation for securing storage containers?

Rooms with evidence containers should have a secured wireless network.

A facility that can be locked and allows limited access to the room's contents.

Secured facility

A Uniform Crime Report can provide all of the following information, EXCEPT____________.

Software tools to analyze the crimes.

_______ does not recover data in free or slack space.

Sparse acquisition

Which of the following DOES NOT apply to a TEMPEST-qualified lab?

Special wood molding for all doors.

With probable cause, a police officer can obtain a search warrant from a judge that authorizes a search and the seizure of specific evidence related to the criminal complaint.

True

When seizing computer evidence in criminal or civil investigations, you need to follow the _____ standards for seizing digital data.

US Department of Justice

In the Pacific Northwest, ____ meets to discuss problems that digital forensics examiners encounter.

CTIN

What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations?

Certified Cyber Forensics Professional

Candidates who complete the IACIS test successfully are designated as a _______.

Certified Forensic Computer Examiner (CFCE)

Which of the following scenarios should be covered in a disaster recovery plan?

Damage caused by a virus contamination, damage caused by flood, damage caused by lightning strikes

____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.

Data recovery

A lab dedicated to computing investigations; typically, it has a variety of computers, OSs, and forensics software.

Digital forensic lab

How often should hardware be replaced within a forensics lab?

Every 12 to 18 months

All U.S. courts require that all digital evidence be printed out to be presented in court.

False

Analyzing, identifying, and organizing evidence is not one of the general tasks that investigators perform when working with digital evidence.

False

Computer investigations and forensics fall into the same category: public investigations.

False

Courts have consistently ruled that computer forensics investigators must be subject matter experts on the tools that they use.

False

ISPs can investigate computer abuse committed by their employees and their customers.

False

If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately.

False

Maintaining credibility means you must form and sustain unbiased opinions of your cases.

False

_______ is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing.

Hearsay

_______ is a specialized viewer software program.

IrfanView

Which of the following is FALSE regarding the creation of disk-to-image file?

It is most suitable for acquiring images from older drives.

For labs using high-end ____ servers or a private cloud (such as Dell PowerEdge or Digital Intelligence FREDC), you must consider methods for restoring large data sets.

RAID

____, or mirrored striping, is a combination of RAID 1 and RAID 0.

RAID 10

Which option below is not a hashing function used for validation checks?

RC4

A data acquisition format that creates simple sequential flat files of a suspect drive or data set.

Raw format

Every business or organization must have a well-defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a ____ that a law or policy is being violated.

Reasonable suspicion

Two or more disks combined into one large drive in several configurations for special needs.

Redundant array of independent disks

A term referring to facilities that have been hardened so that electrical signals from computers, the computer network, and telephone systems can't be monitored or accessed easily by someone outside the facility.

TEMPEST

A hash algorithm utility is used to create a digital fingerprint of the captured image.

True

A law enforcement officer can search for and seize criminal evidence only with probable cause.

True

A live acquisition is often performed on a computer that has an encrypted drive and the password or passphrase is available.

True

After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.

True

By the 1970s, electronic crimes were increasing, especially in the financial sector.

True

Commingled data refers to data that are illegally obtained for criminal cases.

True

FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing.

True

One test to prove that computer-stored records are authentic is to demonstrate that a specific person created the records.

True

Plain view doctrine occurs when you find evidence related to the crime but not in the location the warrant specifies or if you find evidence of another unrelated crime.

True

The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.

True

The definition of digital forensics has evolved over the years from simply involving securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases.

True

The hash value is a unique hexadecimal code value that identifies a file or drive.

True

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.

True

The police blotter provides a record of clues to crimes that have been committed previously.

True

To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant.

True

When seizing computer evidence in criminal or civil investigations, you need to follow the US DOJ standards for seizing digital data.

True

An encryption technique that performs a sector-by-sector encryption of an entire drive; each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.

Whole disk encryption

_______ can be used to restore backup files directly to a workstation.

In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.

affidavit

In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations.

authorized requester

In the ____, you justify acquiring newer and better resources to investigate digital forensics cases.

business case

General tasks investigators perform when working with digital evidence include ____.

collecting, preserving, and documenting evidence

Which of the following is NOT a method to collect data?

create an image-to-image file

For computer forensics, ____ is the task of collecting digital evidence from electronic media.

data acquisition

A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.

disaster recovery

A(n) ____ is a person using a computer to perform routine tasks other than systems administration.

end user

It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.

exhibits

The Linux command _______ can be used to list the current disk devices connected to the computer.

fdisk -l

One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search.

forums and blogs

A logical acquisition is most suitable for collecting data in all of the following situations, EXCEPT ____________.

from a jump drive.

Published company policies provide a(n) ____ for a business to conduct internal investigations.

line of authority

Most digital investigations in the private sector involve ____.

misuse of digital assets

Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility.

professional conduct

One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.

proprietary

In general, a criminal case follows three stages: the complaint, the investigation, and the ____.

prosecution

To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.

secure facility

Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.

sha1sum

If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.

sparse

A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.

steel

A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.

warning banner

Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.

whole disk encryption

Which of the following is a major disadvantage of proprietary format acquisitions?

the inability to share an image between different vendors' computer forensics analysis tools.
