Exam 2 Digital Forensics
Which of the listed date/time stamps is updated whenever a file is accessed by the file system? Created Modified Accessed None of the Above
Accessed
Which of the following are forensic image formats? .E01 .001 .AD1 All of the Above
All of the Above
Which of the following are possible solutions for protecting cell phones from network signals? Aluminum Foil Paint Can Faraday Bag All of the Above
All of the Above
Which of the following element(s) ensure valid and reliable results are produced and justice is served in all types of lab setups? Standard Operating Procedures & Quality of Assurance Accreditation & Certification All of the Above None of the Above
All of the Above
Which of the following meets a series of strict legal requirements before evidence is presented in court? Chain of Logs Chain of Custody Notes All of the Above
Chain of Custody
Legal authority can be negotiated before taking a computer off-premises in: Criminal Cases Civil Cases All of the Above None of the Above
Civil Cases
Which of the listed date/time stamps frequently indicates when a file or folder was created on a particular piece of media? Created Modified Accessed None of the Above
Created
Which of the following represents an image of a document to be printed? SHA-1 MD5 EMF ROM
EMF
A tool validation process clearly demonstrates that the tool is licensed
False
According to the author, any writes to the evidence will not compromise its integrity and/or jeopardize its admissibility
False
According to the author, interacting with a running computer, in any way, will not cause changes to the system
False
According to the author, a forensic clone is a backup copy of a hard drive
False
Active data is classified as deleted or partially overwritten.
False
Improving the quality of lab services provided to the social media system is an objective of ASCLD/LAB
False
Sectors are comprised of multiple clusters
False
The File Allocation Table (FAT) can be expressed as FATX, FAT32, NTFS, FAT16, and FAT12
False
The NTUSER.DAT file is located in the subfolder config
False
The Windows operating system can see data in unallocated space
False
The registry consists of both NTUSER.DAT and the five (5) root-level keys or hives
False
There are 512 bits in each sector
False
Which of the following, without a charge, will read a zero? Magnetic Disks and Flash Memory Magnetic Disks Flash Memory Optical Storage All of the Above None of the Above
Flash Memory
Which of the following, in the examiner's report, can help our intended audience wade through any unfamiliar jargon and acronyms? Forms Notes Glossary All of the Above
Glossary
Which of the following is where we start to see some potential investigative benefit? Sleep Hibernation Sleep and Hibernation None of the Above
Hibernation
Which of the following tests is conducted by the agency? Output Input External Internal
Internal
According to the author, the most common hash functions used in digital forensics are: CRC SJA2 SJA1 MD5
MD5
Which of the listed date/time stamps are set when a file is altered in any way and then saved? Created Modified Accessed None of the Above
Modified
Which of the following has launched the Computer Forensic Tool Testing Project (CFTT)? HWB NIST NIJ None of the Above
NIST
Which of the following applies when the analyst is aware of being tested? External Oral Open Closed
Open
Which of the storage items/terms below involves spaces or lands? Magnetic Disks and Flash Memory Magnetic Disks Flash Memory Optical Storage All of the Above None of the Above
Optical Storage
Which of the following is not a type of quality assurance proficiency test? Oral External Internal Blind
Oral
The first "link" in the chain of custody is: Person Recording the Evidence Person Receiving the Evidence Person Collecting the Evidence All of the Above
Person Collecting the Evidence
Which of the following plays a crucial role in the operation of a PC? Sleep Hibernation Sleep and Registry Registry
Registry
The shadow copies provide the source data for _____ Registry Files Link Files Prefetch Files Restore Points All of the Above None of the Above
Restore Points
Which of the following are snapshots of key system settings and configurations at a specific moment in time? Registry Files Link Files Prefetch Files Restore Points All of the Above None of the Above
Restore Points
The virtual lab arrangement allows for a distinct _____ access Role-Playing Proprietary-Role Fundamental-Role Role-Based
Role-Based
Which of the following are the most volatile evidence to collect first? Routing Table and ARP Cache Temporary Files System and Swap Space Remotely Logged Data Data on the Hard Drive
Routing Table and ARP Cache
A bitstream or forensic image is required to collect latent data
True
A computer's operating system only stores data as clusters.
True
A forensic examination may be conducted on the original evidence in exigent circumstances
True
RAM stores all the data currently being worked on by the Central Processing Unit (CPU)
True
The tool validation process is an aspect of our digital forensics that is committed to paper
True