CIS 282 Fall 2022 - Final Study Guide
What term refers to the number of bits in one square inch of a disk platter?
Areal density
Where do phones typically store system data? A.) ROM B.) EEPROM C.) EROM D.) PROM
EEPROM
In which format are most digital photographs stored?
EXIF
Which term is often used when discussing Linux because technically, Linux is only the core of the OS?
Kernel
Which agency introduced training on software for forensics investigations by the early 1990s?
IACIS
Remote acquisitions are often easier because you're usually dealing with large volumes of data.
False
Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses. A.) True B.) False
False
At what levels should lab costs be broken down?
Monthly, quarterly, and annually
Which motion provides a written list of objections to certain testimony or exhibits?
Motion in limine
What organization was created by police officers in order to formalize credentials for digital investigators?
IACIS
How do most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks?
ZBR
In macOS, in addition to allocation blocks, what kind of blocks do volumes have?
Logical blocks
In older versions of macOS, in which fork are file metadata and application information stored?
Resource
In which cloud service level are applications delivered via the Internet?
Software as a service
As an expert witness, you have opinions about what you have found or observed. A.) True B.) False
True
Bitmap images are collections of dots, or pixels, in a grid format that form a graphic.
True
By the 1970s, electronic crimes were increasing, especially in the financial sector. A.) True B.) False
True
Computers used several OSs before Windows and MS-DOS dominated the market. A.) True B.) False
True
Experts should be paid in full for all previous work and for the anticipated time required for testimony.
True
Which program can be used to examine network traffic? A.) tcpdump B.) netdump C.) slackdump D.) coredump
tcpdump
The Enhanced Data GSM Environment (EDGE) standard was developed specifically for which type of service? A.) OFDM B.) CDMA C.) D-AMPS D.) 3G
3G
Which organization has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients?
ABA
Which document offers comprehensive guidance for psychologists, with an entire section devoted to forensics activities?
APA's Ethics Code
Which images store graphics information as grids of pixels?
Bitmap
When federal courts are evaluating digital evidence from computer-generated records, what exception is applied to hearsay? A.) Computer-generated records exception B.) Best-evidence rule exception C.) Business-records exception D.) Digital-records authenticity exception
Business-records exception
What technology, developed during WWII, uses the full radio spectrum to define channels and is now used in the U.S. by Sprint, U.S. Cellular, and Verizon?
CDMA
As data is added, the MFT can expand to take up 75% of the NTFS disk. A.) True B.) False
False
Autopsy for Windows cannot perform forensics analysis on FAT file systems. A.) True B.) False
False
Computer investigations and forensics fall into the same category: public investigations. A.) True B.) False
False
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation. A.) True B.) False
False
E-mail crimes and violations rarely depend on the city, state, and country in which the e-mail originated.
False
Expert opinions cannot be presented without stating the underlying factual basis.
False
ISPs can investigate computer abuse committed by their customers.
False
If damage occurs to the floor, walls, ceilings, or furniture on your computer forensics lab, it does not need to be repaired immediately. A.) True B.) False
False
If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available.
False
If you must write a preliminary report, use words such as "preliminary copy," "draft copy," or "working draft."
False
In software acquisition, there are three types of data-copying methods. A.) True B.) False
False
Investigating crimes or policy violations involving e-mail is different than investigating other types of computer abuse and crimes.
False
Investigating smartphones and other mobile devices is a relatively easy task in digital forensics. A.) True B.) False
False
Most basic phones use the same OSs as PCs. A.) True B.) False
False
Network forensics is a fast, easy process. A.) True B.) False
False
Operating systems do not have tools for recovering image files. A.) True B.) False
False
Steganography cannot be used with file formats other than image files.
False
The first 5 bytes (characters) for all MFT records are FILE.
False
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
False
The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect. A.) True B.) False
False
Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume. A.) True B.) False
False
When intruders break into a network, they rarely leave a trail behind. A.) True B.) False
False
When two files look the same when viewed but one has an invisible digital watermark, they appear to be the same file except for their sizes.
False
Windows OSs do not have a kernel.
False
You should create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your report.
False
macOS is built with the new Apple File System (APFS). The current version offers better security, encryption, and performance speeds, but users can't mount HFS+ drives.
False
Which activity involves sorting and searching through investigation findings to separate good data and suspicious data? A.) Filtering B.) Acquisition C.) Reconstruction D.) Validation
Filtering
Which tool enables the investigator to acquire the forensic image and process it in the same step?
Magnet AXIOM
What does scope creep typically do?
Increases the time and resources needed to extract, analyze, and present data
Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes? A.) Investigating and controlling the scene is more difficult in private sector environments. B.) Investigating and controlling the scene is equally difficult in both environments. C.) Investigating and controlling the scene is equally easy in both environments. D.) Investigating and controlling the scene is much easier in private sector environments.
Investigating and controlling the scene is much easier in private sector environments.
What type of cards, consisting of a microprocessor and internal memory, are usually found in GSM devices?
SIM
With cloud systems running in a virtual environment, what can be used to give the investigator valuable information before, during, and after an incident?
Snapshots
What type of acquisition is typically done on a computer seized during a police raid? A.) Static B.) Real-Time C.) Live D.) Online
Static
In addition to search warrants, what defines the scope of civil and criminal cases?
Subpoenas
Which digital forensics tool is categorized as a single-purpose hardware component?
Tableau T35es-R2 SATA/IDE eSATA bridge
Which standard states that, to provide reliable and valid testimony, the expert has the "ethical responsibility to present a complete and unbiased picture of the . . . research relevant to the case at hand?" A.) The APA standard B.) The ABA standard C.) The IACIS standard D.) The Daubert standard
The Daubert standard
Suppose you have been hired to determine whether a corrupted file was intentionally altered or altered by a virus. Your forensic examination did not find evidence of a virus and did not find evidence of intentional alteration. What conclusion can you offer? A.) The cause of the file's corruption is unknown. B.) The file was corrupted by a software malfunction. C.) The file was accidentally corrupted. D.) The file was corrupted by unknown malware.
The cause of the file's corruption is unknown.
At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?
The digital forensics lab
Many people store more information on smartphones and tablets than on computers.
True
One way to examine a partition's physical level is to use a disk editor, such as WinHex, or Hex Workshop. A.) True B.) False
True
Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise.
True
People need ethics to help maintain their balance, especially in difficult and contentious situations. A.) True B.) False
True
Portability of information is what makes SIM cards so versatile.
True
Several password-cracking tools are available for handling password-protected data or systems. A.) True B.) False
True
Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
True
Some notable UNIX distributions included Silicon Graphics, Inc. (SGI) IRIX, Santa Cruz Operation (SCO) UnixWare, Sun Solaris, IBM AIX, and HP-UX. A.) True B.) False
True
Specially trained system and network administrators are often a CSP's first responders.
True
The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET).
True
The chain of custody of evidence supports the integrity of your evidence.
True
The defense request for full discovery of digital evidence applies only to criminal cases in the United States.
True
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file. A.) True B.) False
True
The pipe (|) character redirects the output of the command preceding it.
True
The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location. A.) True B.) False
True
The type of file system an OS uses determines how data is stored on the disk. A.) True B.) False
True
To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
True
To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful. A.) True B.) False
True
Virtual machines are now common for both personal and business use. A.) True B.) False
True
When searching for specific record information, sometimes you see duplicate files with the same name that have different data runs, meaning the file was written to disk more than once on separate occasions.
True
When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.
True
With many computer forensics tools, you can open files with external viewers.
True
What reports are generated at the local, state, and federal levels to show the types and frequency of crimes committed?
Uniform crime reports
As with any research paper, write the report abstract last. A.) True B.) False
True
How many years of education does the typical juror have?
12
When was the Freedom of Information Act originally enacted? A.) 1960s B.) 1940s C.) 1950s D.) 1970s
1960s
In an e-mail address, what symbol separates the domain name from the rest of the address?
@
What document, issued by a judge, compels the recipient to do or not do something?
A court order
What type of software runs virtual machines?
A hypervisor
What should be provided if a report is long and complex?
An abstract
A written report is often submitted as what type of document?
An affidavit
What is most appropriately used to help an attorney learn the terms and functions used in digital forensics?
An examination plan
Which document serves as a guideline for knowing what questions an investigator should expect when testifying?
An examination plan
Where do software forensics tools copy data from a suspect's disk drive?
An image file
What should be created in order to begin a digital forensics case?
An investigation plan
How often should the document describing your expertise and used to qualify your testimony be updated to reflect new cases and additional training?
At least every three months
How can an investigator minimize any challenges an opposing attorney could make to discredit the investigator's report or testimony?
Be as thorough as possible during the forensic examination (?)
What name is used for the configuration typically used for e-mail messages that are distributed from a central server to many connected client computers?
Client/server architecture
Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?
Computer Analysis and Response Team
What type of records are considered data that the system maintains, such as system log files and proxy server logs?
Computer-generated
What term refers to a column of tracks on two or more disk platters?
Cylinder
Which activity involves changing or manipulating a file to conceal information?
Data hiding
A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?
Data recovery
Which network defense strategy, developed by the National Security Agency (NSA), has three modes of protection?
Defense in Depth
Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?
Digital investigations
What is the most common and flexible data-acquisition method?
Disk-to-image file copy
Which type of digital network is a faster version of GSM, designed to deliver data?
EDGE
Macintosh moved to the Intel processor and became UNIX based with which operating system?
El Capitan
What term refers to evidence that exonerates or diminishes the defendant's liability? A.) Direct B.) Inculpatory C.) Rebuttal D.) Exculpatory
Exculpatory
What was the early standard Linux file system?
Ext2
Which acronym refers to the file structure database that Microsoft originally designed for floppy disks? A.) VFAT B.) FAT C.) NTFS D.) FAT32
FAT
A search warrant can be used in any kind of case, either civil or criminal.
False
A verbal report is more structured than a written report.
False
In which discipline do professionals listen to voice recordings to determine who's speaking or read e-mail and other writings known to be by a certain person and determine whether that person wrote the e-mail or letter in question? A.) Forensic linguistics B.) Communication forensics C.) Communication linguistics D.) Linguistic analysis
Forensic linguistics
Which group often works as part of a team to secure an organization's computers and networks? A.) Computer analysts B.) Network monitors C.) Forensics investigators D.) Data recovery engineers
Forensics investigators
In what type of e-mail programs can the user copy an e-mail message by dragging the message to a storage medium, such as a folder or drive?
GUI
What tools are used to create, modify, and save bitmap, vector, and metafile graphics?
Graphics editors
Because digital forensics tools have limitations in performing hashing, what tools should be used to ensure data integrity?
Hexadecimal editors
Which type of strategy hides the most valuable data at the innermost part of the network?
Layered network defense
What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?
Live
Which type of compression compresses data permanently by discarding bits of information in the file?
Lossy
Metadata in a prefetch file contains an application's ____ times in UTC format and a counter of how many times the application has run since the prefetch file was created.
MAC
In addition to FAT16, FAT32, and Resilient File System, which file system can Windows hard disks also use?
NTFS
Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?
NTFS
Which type of forensics can help you determine whether a system is truly under attack or a user has inadvertently installed an untested patch or custom program? A.) Traffic forensics B.) Intrusion forensics C.) DDoS forensics D.) Network forensics
Network forensics
What is the standard format in U.S. federal courts for the electronic submission of documents?
Portable Document Format (PDF) (?)
What files, created by Microsoft, contain the DLL pathnames and metadata used by applications and reduce the time it takes to start applications?
Prefetch
Which type of format acquisition leaves the investigator unable to share an image between different vendors' computer forensics analysis tools?
Proprietary
What optional phase of a trial typically involves an issue raised during cross-examination of a witness?
Rebuttal
What is the main information being sought when examining e-mail headers? A.) The types of encryption being used B.) The originating e-mail's domain name or an IP address C.) The date and time the e-mail was sent D.) The type of attachments included, if any
The originating e-mail's domain name or an IP address
Under what circumstances are digital records considered admissible?
They are business records
A challenge with using social media data in court is authenticating the author and the information. A.) True B.) False
True
A forensics analysis of a 6 TB disk, for example, can take several days or weeks.
True
A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks. A.) True B.) False
True
A judge can exclude evidence obtained from a poorly worded warrant. A.) True B.) False
True
After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. A.) True B.) False
True
After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
True
Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence. A.) True B.) False
True
As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.
True
Because bring your own device (BYOD) has become a business standard, investigators must consider how to keep employees' personal data separate from case evidence. A.) True B.) False
True
Before attempting to install a type 2 hypervisor, you need to enable virtualization in the BIOS before attempting to create a VM. A.) True B.) False
True
Besides presenting facts, reports can communicate expert opinion. A.) True B.) False
True
Computing systems in a forensics lab should be able to process typical cases in a timely manner. A.) True B.) False
True
For digital investigators, tracking intranet e-mail is easier because accounts use standard names the administrator establishes. A.) True B.) False
True
For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses. A.) True B.) False
True
Forensic linguistics encompasses civil cases, criminal cases, cyberterrorism cases, and other legal proceedings. A.) True B.) False
True
If a file contains information, it always occupies at least one allocation block. A.) True B.) False
True
If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.
True
If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.
True
In Autopsy and many other forensics tools raw format image files don't contain metadata. A.) True B.) False
True
In network forensics, you have to restore the drive to see how malware that attackers have installed on the system works. A.) True B.) False
True
In the United States, there's no state or national licensing body for digital forensics examiners.
True
Lawyers use services called deposition banks (libraries), which store examples of expert witnesses' previous testimony. A.) True B.) False
True
What kinds of images are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes? A.) Metafile graphics B.) Vector graphics C.) Bitmap images D.) Line-art images
Vector graphics
What Linux command is used to create the raw data format?
dd
What command creates a raw format file that most computer forensics analysis tools can read?
dd