COMPUTER 2
On a Linux computer, ____ represents file systems exported to remote hosts.
/etc/exports
In Linux, most applications and commands are in the ____ directory or its subdirectories bin and sbin.
/usr
In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.
1024
____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
Brute force
____ records are data the system maintains, such as system log files and proxy server logs.
COMPUTER-GENERATED
The simplest method of duplicating a disk drive is using a tool that makes a direct ____ copy from the suspect disk to the target location.
DISK TO IMAGE
____ have some limitations in performing hashing, however, so using advanced ____ is necessary to ensure data integrity.
Digital forensics tools, hexadecimal editors
When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant, which allows the police to present all evidence together.
FALSE
Windows OSs do not have a kernel.
FALSE
From a network forensics standpoint, there are no potential issues related to using virtual machines.
False
Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which always get funding from the government or other agencies.
False
You use ____ to create, modify, and save bitmap, vector, and metafile graphics.
GRAPHICS EDITOR
Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____.
Hearsay
The simplest way to access a file header is to use a(n) ____ editor.
Hexadecimal
Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.
IMAGE FILE
In a file's inode, the first 10 pointers are called ____ pointers.
INDIRECT
____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
INSERTION
The JFIF ____ format has a hexadecimal value of FFD8 FFE0 in the first four bytes.
JPEG
The term ____ is often used when discussing Linux because technically, Linux is only the core of the OS.
KERNEL
Many password-protected OSs and applications store passwords in the form of ____ or SHA hash values.
MD5
Records in the MFT are called ____.
Metadata
____ was introduced when Microsoft created Windows NT and is still the main file system in Windows 10.
NTFS
With ____, Macintosh moved to the Intel processor and became UNIX based.
OSX
The primary hash algorithm used by the NSRL project is ____.
SHA-1
WinHex provides several hashing algorithms, such as MD5 and ____.
SHA-1
____ is a data-hiding technique that uses host files to cover the contents of a secret message.
STEGANOGRAPHY
____ steganography replaces bits of the host file with other bits of data.
SUBSTITUTION
____ increases the time and resources needed to extract, analyze, and present evidence.
Scope creep
All disks have more storage capacity than the manufacturer states.
TRUE
Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.
TRUE
Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file's contents.
TRUE
Computers used several OSs before Windows and MS-DOS dominated the market.
TRUE
Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.
TRUE
For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.
TRUE
If a file contains information, it always occupies at least one allocation block.
TRUE
In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.
TRUE
It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.
TRUE
One way to examine a partition's physical level is to use a disk editor, such as WinHex, or Hex Workshop.
TRUE
Some encryption schemes are so complex that the time to crack them can be measured in days, weeks, years, and even decades.
TRUE
The defense request for full discovery of digital evidence applies only to criminal cases in the United States.
TRUE
The most common computer-related crime is check fraud.
TRUE
The two major forms of steganography are insertion and substitution.
TRUE
The type of file system an OS uses determines how data is stored on the disk.
TRUE
To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
TRUE
When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.
TRUE
When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data.
US DOJ
Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0 and 3.0, SATA, PATA, and SCSI controllers.
USB
A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.
VIRTUAL MACHINE
____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
Vector graphics
____ can be software or hardware and are used to protect evidence disks by preventing data from being written to them.
WRITE-BLOCKERS
The data-hiding technique ____ changes data from readable code to data that looks like binary executable code.
bit-shifting
____ images store graphics information as grids of pixels.
bitmap
Recovering fragments of a file is called ____.
carving
Confidential business data included with the criminal evidence are referred to as ____ data.
commingled
The raw data format, typically created with the Linux ____ command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive.
dd
____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the systemroot\Windows\System32\Drivers folder.
device drivers
In Windows 2000 and later, the ____ command shows you the file owner if you have multiple users on the system or network.
dir
One way to compare results and verify a new tool is by using a ____, such as Hex Workshop or WinHex.
disk editor
Certain files, such as the ____ and Security log in Windows, might lose essential network activity records if power is terminated without a proper shutdown.
event log
The early standard Linux file system was ____.
ext2
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.
false
ISPs can investigate computer abuse committed by their customers.
false
In macOS, volume fragmentation is kept to a minimum by removing clumps from larger files.
false
Operating systems do not have tools for recovering image files.
false
The first 5 bytes (characters) for all MFT records are FILE.
false
The validation function is the most challenging of all tasks for computer investigators to master.
false
When viewing two files that look the same, but one has an invisible digital watermark, they appear to be the same file, except for their sizes.
false
Data ____ involves changing or manipulating a file to conceal information.
hiding
With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
initial-response field kit
____ contain file and directory metadata and provide a mechanism for linking data stored in data blocks.
inodes
In macOS, volumes have allocation blocks and ____ blocks.
logical
____ compression compresses data by permanently discarding bits of information in the file.
lossy
Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes.
much easier than
The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
NIST
Courts consider evidence data in a computer as ____ evidence.
physical
A forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation is also known as a ____.
portable workstation
____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.
probable cause
Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a ____ that a law or policy is being violated.
reasonable suspicion
To complete a forensic disk analysis and examination, you need to create a ____.
report
In macOS, when you're working with an application file, the ____ fork contains additional information, such as menus, dialog boxes, icons, executable code, and controls.
resource
____ alters hash values, which makes cracking passwords more difficult.
salting passwords
One technique for extracting evidence from large systems is called ____.
sparse acquisition
____ is defined as hiding messages in such a way that only the intended recipient knows the message is there.
steganography
In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover.
subpoenas
A judge can exclude evidence obtained from a poorly worded warrant.
true
Bitmap images are collections of dots, or pixels, in a grid format that form a graphic.
true
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.
true
If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.
true
If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.
true
Private-sector cases, such as employee abuse investigations, might not specify limitations in recovering data.
true
Several password-cracking tools are available for handling password-protected data or systems.
true
Software forensic tools are grouped into command-line applications and GUI applications.
true
The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location.
true
Under copyright laws, maps and architectural plans may be registered as pictorial, graphic, and sculptural works.
true
With many computer forensics tools, you can open files with external viewers.
true
Criminal investigations are limited to finding data defined in the search ____.
warrant
During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system.
windows