Final CTC 328
Which of the following file extensions are associated with VMware virtual machines? a. .vmx, .log, and .nvram b. .vdi, .ova, and .r0 c. .vmx, .TO, and .xml-prev d. .vbox, .vdi, and .log
.vmx, .log, and .nvram
How many bits are required to create a pixel capable of displaying 65,536 different colors? a. 8 bit b. 16 bit c. 32 bit d. 64 bit
16 bit
In VirtualBox, ??? different types of virtual network adapters are possible, such as AMD and Intel Pro adapters. a. 2 b. 4 c. 6 d. 8
6
Which graphics file format below is rarely compressed? a. GIF b. JPEG c. BMP d. None of the above
BMP
When do zero day attacks occur? (Choose all that apply.) a. On the day the application or OS is released b. Before a patch is available c. Before the vendor is aware of the vulnerability d. On the day the patch is created
Before a patch is available; Before the vendor is aware of the vulnerability
The ??? is responsible for analyzing data and determining when another specialist should be called in to assist with analysis. a. Digital Evidence Specialist b. Digital Evidence Analyst c. Digital Evidence Examiner d. Digital Evidence First Responder
Digital Evidence Specialist
Which of the following is not considered to be a nonstandard graphics file format? a. .dxf b. .tga c. .rtl d. .psd
.dxf
In older versions of Exchange, what type of file was responsible for messages formatted with Messaging Application Programming Interface, and served as the database file? a. .ost b. .edp c. .edb d. .edi
.edb
Which of the following types of files can provide useful information when you're examining an e-mail server? a. .dbf files b. .emx files c. .log files d. .slt files
.log files
In Microsoft Outlook, what are the e-mail storage files typically found on a client computer? a. .pst and .ost b. res1.log and res2.log c. PU020102.db d. .evolution
.pst and .ost
What kind of files are created by Exchange while converting binary data to readable text in order to prevent loss of data? a. .txt b. .tmp c. .exe d. .log
.tmp
In VirtualBox, a(n) ??? file contains settings for virtual hard drives. a. .vbox-prev b. .ovf c. .vbox d. .log
.vbox
The ??? disk image file format is associated with the VirtualBox hypervisor. a. .vmdk b. .had c. .vhd d. .vdi
.vdi
What format below is used for VMware images? a. .vhd b. .vmdk c. .s01 d. .aff
.vmdk
What file type below, associated with VMware, stores VM paging files that are used as RAM for a virtual machine? a. .nvram b. .vmem c. .vmpage d. .vmx
.vmem
Which option below is the correct path to the sendmail configuration file? a. /var/etc/sendmail.cf b. /var/mail/sendmail.cf c. /usr/local/sendmail.cf d. /etc/mail/sendmail.cf
/etc/mail/sendmail.cf
Syslog is generally configured to put all e-mail related log information into what file? a. /usr/log/maillog b. /var/log/message c. /proc/mail d. /var/log/maillog
/var/log/maillog
Where does the Postfix UNIX mail server store e-mail? a. /home/username/mail b. /var/mail/postfix c. /var/spool/postfix d. /etc/postfix
/var/spool/postfix
What hexadecimal code below identifies an NTFS file system in the partition table? a. 05 b. 07 c. 1B d. A5
07
A master boot record (MBR) partition table marks the first partition starting at what offset? a. 0x1CE b. 0x1BE c. 0x1AE d. 0x1DE
0x1BE
In order to qualify for the Certified Computer Crime Investigator, basic level certification, candidates must provide documentation of at least ??? cases in which they participated. a. 5 b. 10 c. 15 d. 20
10
The SANS Investigative Forensics Toolkit (SIFT) appliance can currently only be installed on what version of Ubuntu? a. 12.04 b. 13.11 c. 14.04 d. 14.11
12.04
Within Windows Vista and later, partition gaps are ??? bytes in length. a. 64 b. 128 c. 256 d. 512
128
How many words should be in the abstract of a report? a. 50 to 100 words b. 100 to 150 words c. 150 to 299 words d. 200 to 250 words
150 to 299 words
How many different colors can be displayed by a 24-bit color pixel? a. 256 b. 65,536 c. 16,777,216 d. 4,294,967,296
16,777,216
Which ISO standard below is followed by the ASCLD? a. 17025:2005 b. 17026:2007 c. 12075:2007 d. 12076:2005
17025:2005
How long are computing components designed to last in a normal business environment? a. 12 to 16 months b. 14 to 26 months c. 18 to 36 months d. 6 to 90 months
18 to 36 months
What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact? a. iNet b. ARIN c. Google d. ERIN
ARIN
E-mail headers contain which of the following information? (Choose all that apply.) a. The sender and receiver e-mail address b. An ESMTP number or reference number c. The e-mail servers the message traveled through to reach its destination d. The IP address of the receiving server e. All of the above
All of the above
Logging options on many e-mail servers can be: a. Disabled by the administrator b. Set up in a circular logging configuration c. Configured to a specified size before being overwritten d. All of the above
All of the above
What letter should be typed into DiskEdit in order to mark a good sector as bad? a. M b. B c. T d. D
B
The ReFS storage engine uses a ??? for access to large data sets. a. A+-tree b. B+-tree c. reverse d. numerical
B+-tree
When searching a victim's computer for a crime committed with a specific e-mail, what provides information for determining the e-mail's originator? (Choose all that apply.) a. E-mail header b. Username and password c. Firewall log d. All of the above
E-mail header; Firewall log
Select the program below that can be used to analyze mail from Outlook, Thunderbird, and Eudora. a. AccessData FTK b. DataNumen c. R-Tools R-Mail d. Fookes Aid4Mail
Fookes Aid4Mail
The NSA's defense in depth (DiD) strategy contains three modes of protection. Which option below is not one of the three modes? a. People b. Technology c. Operations d. Management
Management
Phishing does which of the following? a. Uses DNS poisoning b. Lures users with false promises c. Takes people to fake websites d. Uses DHCP
Lures users with false promises
Select below the utility that is not a lossless compression utility. a. PKZip b. WinZip c. StuffIt d. Lzip
Lzip
Which of the following is a current formatting standard for e-mail? a. SMTP b. MIME c. Outlook d. HTML
MIME
An evidence custody form does not usually contain: a. the nature of the case b. a description of evidence c. vendor names for computer components d. a witness list
a witness list
What term below describes a column of tracks on two or more disk platters? a. sector b. cluster c. cylinder d. header
cylinder
What term is used to describe a disk's logical structure of platters, tracks, and sectors? a. cylinder b. trigonometry c. geometry d. mapping
geometry
Which Microsoft OS below is the least intrusive to disks in terms of changing data? a. Windows 95 b. Windows XP c. Windows 7 d. MS-DOS 6.22
MS-DOS 6.22
The ??? is a good tool for extracting information from large Libpcap files; you simply specify the time frame you want to examine. a. Tcpdstat b. Tcpslice c. Ngrep d. tcpdump
Tcpslice
How you format ??? is less important than being consistent in applying formatting. a. words b. text c. paragraphs d. sections
text
Which of the following formats is not considered to be a standard graphics file format? a. .gif b. .jpeg c. .dxf d. .tga
.tga
What does the MFT header field at offset 0x00 contain? a. the MFT record identifier FILE b. the size of the MFT record c. the length of the header d. the update sequence array
the MFT record identifier FILE
A disaster recovery plan ensures that workstations and file servers can be restored to their original condition in the event of a catastrophe. True/False
true
A report can provide justification for collecting more evidence and be used at a probable cause hearing. a. True b. False
true
Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific files or sectors. True/False
true
All e-mail headers contain the same types of information. True/False
true
Graphics files are created and saved in a graphics editor, such as Microsoft Paint, Adobe Freehand MX, Adobe Photoshop, or GNOME GIMP. True/False
true
Most digital investigations in the private sector involve misuse of computing assets. True/False
true
One of the most critical aspects of digital forensics is validating digital evidence, because ensuring the integrity of data you collect is essential for presenting evidence in court. True/False
true
Specially trained system and network administrators are often a CSP's first responders. a. True b. False
true
State public disclosure laws apply to state records, but FOIA (Freedom of Information Act) allows citizens to request copies of public documents created by federal agencies. True/False
true
The advantage of recording hash values is that you can determine whether data has changed. True/False
true
The capability of type 1 hypervisors is limited only by the amount of available RAM, storage, and throughput. True/False
true
The first 3 bytes of an XIF file are exactly the same as a TIF file. True/False
true
The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network attackers. True/False
true
Linux Live CDs and WinFE disks do not automatically mount hard drives, but can be used to view file systems. True/False
true
An expert's opinion is governed by FRCP, Rule 26, and the corresponding rule in many states. True/False
true
User groups for a specific type of system can be very useful in a forensics investigation. True/False
true
When data is deleted on a hard drive, only references to it are removed, which leaves the original data in unallocated disk space. True/False
true
Which court case established that it is not necessary for computer programmers to testify in order to authenticate computer-generated records? a. United States v. Wong b. United States v. Carey c. United States v. Salgado d. United States v. Walser
United States v. Salgado
Which option below is not one of the recommended practices for maintaining a keyed padlock? a. appoint a key custodian b. take inventory of all keys when the custodian changes c. use a master key d. change locks and keys annually
use a master key
After the evidence has been presented in a trial by jury, the jury must deliver a(n) ???. a. exhibit b. affidavit c. allegation d. verdict
verdict
What's the main piece of information you look for in an e-mail message you're investigating? a. Sender or receiver's e-mail address b. Originating e-mail domain or IP address c. Subject line content d. Message number
Originating e-mail domain or IP address
Virtual Machine Extensions (VMX) are part of which of the following? a. Type 1 hypervisors b. Type 2 hypervisors c. Intel Virtualized Technology d. AMD Virtualized Technology
Type 2 hypervisors
When seizing digital evidence in criminal investigations, whose standards should be followed? a. U.S. DOJ b. ISO/IEC c. IEEE d. ITU
U.S. DOJ
??? is the process of opposing attorneys seeking information from each other. a. Subpoena b. Warranting c. Discovery d. Digging
Discovery
In Windows, the ??? command can be used to both hide and reveal partitions within Explorer. a. format b. fdisk c. grub d. diskpart
diskpart
A chain-of-evidence form, which is used to document what has and has not been done with the original evidence and forensic copies of the evidence, is also known as a(n) ???. a. evidence tracking form b. evidence custody form c. single-evidence form d. multi-evidence form
evidence custody form
Most digital cameras use the bitmap format to store photos. True/False
false
All TIF files start at offset 0 with what 6 hexadecimal characters? a. IA 49 48 b. FF 26 9B c. 49 49 2A d. AC 49
49 49 2A
Which technology below is not a hot-swappable technology? a. USB-3 b. FireWire 1394A c. SATA d. IDE
IDE
What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume? a. $MftMirr b. $TransAct c. $LogFile d. $Backup
$LogFile
On a UNIX system, where is a user's mail stored by default? a. /var/mail b. /var/log/mail c. /username/mail d. /home/username/mail
/home/username/mail
Federal courts, as a matter of rule, require all fact or expert witnesses to provide a report ??? trial in civil cases.
before
A report using the ??? system divides material into sections and restarts numbering with each main section.
decimal numbering
A report using the ??? system divides material into sections and restarts numbering with each main section. a. numerically ordered b. hierarchical c. decimal numbering d. number formatted
decimal numbering
Which tool below is not recommended for use in a forensics lab? a. 2.5-inch adapters for drives b. FireWire and USB adapters c. SCSI card d. degausser
degausser
Libraries of previously given testimony that law firms can access.
deposition banks
After a judge approves and signs a search warrant, the ??? is responsible for the collection of evidence as defined by the warrant. a. digital evidence recorder b. digital evidence specialist c. digital evidence first responder d. digital evidence scene investigator
digital evidence first responder
The Fourth Amendment states that only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued. The courts have determined that this phrase means a warrant can authorize a search of a specific place for anything. True/False
false
The shielding of sensitive computing systems and prevention of electronic eavesdropping of any computer emissions is known as FAUST by the U.S. Department of Defense. True/False
false
FAT32 is used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0. True/False
false
FTK Imager software can acquire a drive's host protected area. True/False
false
Someone who wants to hide data can create hidden partitions or voids (large unused gaps between partitions) on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities. True/False
false
Because attorneys do not have the right of full discovery of digital evidence, it is not possible for new evidence to come to light while complying with a defense request for full discovery. True/False
false
In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant. True/False
false
Which file system below is utilized by the Xbox gaming system? a. NTFS b. ReFS c. EXT d. FATX
FATX
Signed into law in 1973, the ??? was/were created to ensure consistency in federal proceedings. a. federal proceeding law b. federal rules of evidence c. federal consistency standards d. federal proceedings rules
federal rules of evidence
What does FRE stand for? a. federal rules of evidence b. federal regulations for evidence c. federal rights for everyone d. federal rules for equipment
federal rules of evidence
What command below could be used on a UNIX system to help locate log directories? a. show log b. detail c. search d. find
find
Which operating system listed below is not a distribution of the Linux OS? a. Minix b. Debian c. Slackware d. Fedora
Minix
As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state? a. the power cable should be pulled b. the system should be shut down gracefully c. the power should be left on d. the decision should be left to the digital evidence first responder (DEFR)
the decision should be left to the digital evidence first responder (DEFR)
Tcpslice can be used to retrieve specific timeframes of packet captures. True/False
true
You can view e-mail headers in Notepad with all popular e-mail clients. True/False
true
What act defines precisely how copyright laws pertain to graphics? a. 1988 Image Ownership Act b. 1976 Copyright Act c. 1923 Patented Image Act d. 1976 Computer Fraud and Abuse Act
1976 Copyright Act
In what year was the Computer Fraud and Abuse Act passed? a. 1976 b. 1980 c. 1986 d. 1996
1986
When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files? a. 512 MB b. 2 GB c. 1 TB d. 1 PB
2 GB
In order to qualify for the Certified Computer Forensic Technician, basic level certification, how many hours of computer forensics training are required? a. 10 b. 20 c. 30 d. 40
40
A typical disk drive stores how many bytes in a single sector? a. 8 b. 512 c. 1024 d. 4096
512
What percentage of consumers utilize Intel and AMD PCs? a. 60 b. 70 c. 80 d. 90
90
To trace an IP address in an e-mail header, what type of lookup service can you use? (Choose all that apply.) a. Intelius Inc.'s AnyWho online directory b. Verizon's http://superpages.com c. A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net d. Any Web search engine
A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net; Any Web search engine
Which option below is not a disk management tool? a. Partition Magic b. Partition Master c. GRUB d. HexEdit
HexEdit
Which option below is not a hashing function used for validation checks? a. RC4 b. MD5 c. SHA-1 d. CRC32
RC4
??? is not recommended for a digital forensics workstation. a. A write-blocker device b. Remote access software c. A text editor tool d. An SCSI card
Remote access software
At what layers of the OSI model do most packet analyzers function? a. layer 1 or 2 b. layer 2 or 3 c. layer 3 or 4 d. layer 4 or 5
SYN flood
In a ??? attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server with established connections. a. smurf b. SYN flood c. spoof d. ghost
SYN flood
Router logs can be used to verify what types of e-mail data? a. Message content b. Content of attached files c. Tracking flows through e-mail server ports d. Finding blind copies
Tracking flows through e-mail server ports
In simple terms, ??? compression discards bits in much the same way rounding off decimal values discards numbers. a. Huffman b. Lempel-Ziv-Welch (LZW) c. Vector Quantization d. Adaptive Quantization
Vector Quantization
Which type of report typically takes place in an attorney's office? a. Examination Plan b. Written Report c. Preliminary Report d. Verbal Report
Verbal Report
What processor instruction set is required in order to utilize virtualization software? a. AMD-VT b. Intel VirtualBit c. Virtual Machine Extensions (VMX) d. Virtual Hardware Extensions (VHX)
Virtual Machine Extensions (VMX)
Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files? a. advanced forensics disk b. advanced forensic format c. advanced capture image d. advanced open capture
advanced forensic format
If a police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit a(n) ???. a. exhibit b. verdict c. affidavit d. memo
affidavit
Which of the following scenarios should be covered in a disaster recovery plan? a. damage caused by lightning strikes b. damage caused by flood c. damage caused by a virus contamination d. all of the above
all of the above
??? describes an accusation of fact that a crime has been committed. a. attrition b. attribution c. allegation d. assignment
allegation
Provides additional resource material not included in the body of the report.
appendix
E-mail administrators may make use of ???, which overwrites a log file when it reaches a specified size or at the end of a specified time frame. a. log recycling b. circular logging c. log purging d. log cycling
circular logging
The ??? is not one of the three stages of a typical criminal case. a. complaint b. prosecution c. investigation d. civil suit
civil suit
Because they are outdated, ribbon cables should not be considered for use within a forensics lab. True/False
false
Computer-stored records are data the system maintains, such as system log files and proxy server logs. True/False
false
In an e-mail address, everything before the @ symbol represents the domain name. True/False
false
A computer stores system configuration and date and time information in the BIOS when power to the system is off. True/False
false
In order to qualify for the Advanced Certified Computer Forensic Technician certification, a candidate must have ??? years of hands-on experience in computer forensics investigations. a. two b. three c. five d. six
five
The ??? numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report, and each Arabic numeral is an important piece of supporting information. a. decimal b. ordered-sequential c. legal-sequential d. reverse-order
legal-sequential
The term ??? is used to describe someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest. a. criminal b. potential data source c. person of interest d. witness
person of interest
??? is a common cause for lost or corrupted evidence. a. public access b. not having enough people on the processing team c. having an undefined security perimeter d. professional curiosity
professional curiosity
The ??? format is a proprietary format used by Adobe Photoshop. a. .tga b. .fh11 c. .svg d. .psd
.psd
Which RAID type provides increased speed and data storage capability, but lacks redundancy? a. RAID 0 b. RAID 1 c. RAID 0+1 d. RAID 5
RAID 0
Which RAID type utilizes mirrored striping, providing fast access and redundancy? a. RAID 1 b. RAID 3 c. RAID 5 d. RAID 10
RAID 10
Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data? a. RAID 1 b. RAID 2 c. RAID 3 d. RAID 5
RAID 5
Which of the following is not a type of graphic file that is created by a graphics program? a. bitmap images b. vector graphics c. metafile graphics d. raster graphics
raster graphics
Referred to as a digital negative, the ??? is typically used on many higher-end digital cameras. a. raster file format b. bitmap file format c. jpeg file format d. raw file format
raw file format
??? is responsible for creating and monitoring lab policies for staff, and provides a safe and secure workplace for staff and evidence. a. the lab manager b. the lab investigator c. the lab secretary d. the lab steward
the lab manager
When using the file allocation table (FAT), where is the FAT database typically written to? a. the innermost track b. the outermost track c. the first sector d. the first partition
the outermost track
What information is not typically included in an e-mail header? a. the sender's physical location b. the originating IP address c. the unique ID of the e-mail d. the originating domain
the sender's physical location
Lawyers may request ??? of previous testimony by their own potential experts to ensure that the experts haven't previously testified to a contrary position. a. warrants b. transcripts c. subpoenas d. evidence
transcripts
A forensic image of a VM includes all snapshots. True/False
true
An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal injury, such as finding a bomb threat in an e-mail. True/False
true
Internet e-mail accessed with a Web browser leaves files in temporary folders. True/False
true
If you turn evidence over to law enforcement and begin working under their direction, you have become an agent of law enforcement, and are subject to the same restrictions on search and seizure as a law enforcement agent. True/False
true
The DomainKeys Identified Mail service is a way to verify the names of domains a message is flowing through and was developed as a way to cut down on spam. True/False
true
The pagefile.sys file on a computer can contain message fragments from instant messaging applications. True/False
true
To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant. True/False
true
Each MFT record starts with a header identifying it as a resident or nonresident attribute. True/False
true
A forensics investigator should verify that acquisition tools can copy data in the HPA of a disk drive. True/False
true
Hardware and software errors or incompatibilities are a common problem when dealing with older hard drives. True/False
true
The Image USB utility can be used to create a bootable flash drive. True/False
true
Each graphics file type has a unique header value. True/False
true
What information is NOT in an e-mail header? (Choose all that apply.) a. Blind copy (Bcc) addresses b. Internet addresses c. Domain name d. Contents of the message e. Type of e-mail server used to send the e-mail
Blind copy (Bcc) addresses; Contents of the message
When you access your e-mail, what type of computer architecture are you using? a. Mainframe and minicomputers b. Domain c. Client/Server d. None of the above
Client/Server
What type of media has a 30-year lifespan? a. DVD-Rs b. DLT magnetic tape c. hard drive d. USB thumb drive
DLT magnetic tape
Which e-mail recovery program below can recover files from VMware and VirtualPC virtual machines, as well as ISOs and other types of file backups? a. Fookes Aid4Mail b. DataNumen Outlook Repair c. EnCase Forensics d. AccessData FTK
DataNumen Outlook Repair
Which service below does not put log information into /var/log/maillog? a. SMTP b. Exchange c. IMAP d. POP
Exchange
In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters? a. NTFS b. FAT c. HFSX d. Ext3fs
FAT
For all JPEG files, the ending hexadecimal marker, also known as the end of image (EOI), is ???. a. FFD0 b. FFD8 c. FFD9 d. FFFF
FFD9
For EXIF JPEG files, the hexadecimal value starting at offset 2 is ???. a. FFE0 b. FFE1 c. FFD8 d. FFD9
FFE1
An expert's opinion is governed by ??? and the corresponding rule in many states.
FRCP 26
Which amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure? a. Fifth Amendment b. Second Amendment c. First Amendment d. Fourth Amendment
Fourth Amendment
The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery; the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in which it belongs", was established in what court case? a. Daubert v. Merrell Dow Pharmaceuticals, Inc. b. Smith v. United States c. Frye v. United States d. Dillon v. United States
Frye v. United States
In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters? a. Show-NetworkAdapters b. Query-ipconfig c. Get-VMNetworkAdapter d. Dump-Netconfig
Get-VMNetworkAdapter
In order to retrieve logs from Exchange, the PowerShell cmdlet ??? can be used. a. GetExchangeLogs.ps1 b. GetLogInfo.ps1 c. ShowExchangeHistory.ps1 d. GetTransactionLogStats.ps1
GetTransactionLogStats.ps1
In cases that involve a dangerous setting, what kind of team should be used to recover evidence from the scene? a. B-Team b. HAZMAT c. CDC First Responders d. SWAT
HAZMAT
Which Registry key contains associations for file extensions? a. HALE_CLASSES_ROOT b. HKEY_CLASSES_ROOT c. HKEY_FILE_EXTENSIONS d. HKEY_CLASSES_FILE
HKEY_CLASSES_ROOT
What Windows Registry key contains associations for file extensions? a. HKEY_CLASSES_ROOT b. HKEY_USERS c. HKEY_LOCAL_MACHINE d. HKEY_CURRENT_CONFIG
HKEY_CLASSES_ROOT
What tool, currently maintained by the IRS Criminal Investigation Division and limited to use by law enforcement, can analyze and read special files that are copies of a disk? a. ILook b. PhotoRec c. DeepScan d. AccessData Forensic Toolkit
ILook
??? are a special category of private sector businesses, due to their ability to investigate computer abuse committed by employees only, but not customers. a. hospitals b. ISPs (Internet Service Providers) c. law firms d. news networks
ISPs (Internet Service Providers)
A layered network defense strategy puts the most valuable data where? a. In the DMZ b. In the outermost layer c. In the innermost layer d. None of the above
In the innermost layer
The ??? tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network sniffers, and freeware forensics tools. a. Kali Linux b. Ubuntu c. OSForensics d. Sleuth Kit
Kali Linux
The AccessData ??? program has a hashing database, which is available only with FTK, and can be used to filter known program files from view and contains the hash values of known illegal files. a. DeepScan Filter b. Unknown File Filter (UFF) c. Known File Filter (KFF) d. FTK Hash Imager
Known File Filter (KFF)
A person whose testimony is based on personal observation; not considered to be an expert in a particular field.
Lay witness
Packet analyzers examine what layers of the OSI model? a. Layers 2 and 4 b. Layers 4 through 7 c. Layers 2 and 3 d. All layers
Layers 2 and 3
The ??? is the version of Pcap available for Linux-based operating systems. a. Wincap b. Libcap c. Tcpcap d. Netcap
Libcap
The term "via Frontend Transport" in a header indicates that the e-mail is on which of the following? a. UNIX server b. Older NetWare server c. Microsoft Exchange Server d. Mac server
Microsoft Exchange Server
Exchange uses an Exchange database and is based on the ???, which uses several files in different combinations to provide e-mail service. a. Microsoft Mail Storage Engine (MSE) b. Microsoft Stored Mail Extension (SME) c. Microsoft Extended Mail Storage (EMS) d. Microsoft Extensible Storage Engine (ESE)
Microsoft Extensible Storage Engine (ESE)
??? describes the characteristics of a safe storage container. a. ISO 2960 b. NISPOM c. SSO EGO d. STORSEC
NISPOM
The ??? maintains a national database of updated file hash values for a variety of OSs, applications, and images, but does not list hash values of known illegal files. a. Open Hash Database b. HashKeeper Online c. National Hashed Software Reference d. National Software Reference Library
National Software Reference Library
What type of Facebook profile is usually only given to law enforcement with a warrant? a. private profile b. advanced profile c. basic profile d. Neoprint profile
Neoprint profile
What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses? a. tcpdump b. Argus c. Ngrep d. Tcpslice
Ngrep
One of the most noteworthy e-mail scams was 419, otherwise known as the ???. a. Nigerian Scam b. Lake Venture Scam c. Conficker virus d. ILOVEYOU Scam
Nigerian Scam
??? can be used to restore backup files directly to a workstation. a. Belarc Advisor b. Norton Ghost c. ProDiscover d. PhotoRec
Norton Ghost
Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords: a. Last Bit b. AccessData PRTK c. OSForensics d. Passware
OSForensics
Select below the option that is not a common type 1 hypervisor. a. VMware vSphere b. Microsoft Hyper-V c. Citrix XenServer d. Oracle VirtualBox
Oracle VirtualBox
??? is the utility used by the ProDiscover program for remote access. a. SubSe7en b. L0pht c. PDServer d. VNCServer
PDServer
The tcpdump and Wireshark utilities both use what well-known packet capture format? a. Netcap b. Pcap c. Packetd d. RAW
Pcap
Select below the program within the PsTools suite that allows you to run processes remotely. a. PsService b. PsPasswd c. PsRemote d. PsExec
PsExec
??? creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID. a. Runtime Software b. RaidRestore c. R-Tools R-Studio d. FixitRaid
R-Tools R-Studio
When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do? a. Search available log files tor any tomarded messages b. Restore the e-mail server from a backup c. Check the current database tiles tor an existing copy ot the email d. Do nothing because after the file has been deleted, it can no longer be recovered.
Restore the e-mail server from a backup
The report generator in ProD1scover detaults to which can be opened by most word processors a. HyperTe',ä Markup Language (HTML) b. Rich Text Format (RTF) c. Extensible Markup Language (XML) d. Microsoft Word document format
Rich Text Format (RTF)
What registry file contains user account management and security settings? a. default.dat b. software.dat c SAM.dat d Ntuser.dat
SAM.dat
Which option below is not a standard systems analysis step? a. Mitigate or minimize the risks. b Obtain and copy an evidence drive c Share evidence with experts outside of the investigation. d. Determine a preliminary design or approach to the case.
Share evidence with experts outside of the investigation.
You can expect to find a type 2 hypervisor on what type of device? (Choose all that apply) a. Desktop b. Smartphone c. Tablet d. Network server
Smartphone, Tablet
When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented? a. Inventory and documentation information should be stored on a drive, and then the drive should be reformatted. b. Start the suspect's computer and begin collecting evidence. c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS. d. Connect the suspect's computer to the local network so that up-to-date forensics utilities can be utilized.
The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
What third-party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive? a. PGP full disk encryption b. Voltage SecureFile c. BestCrypt d. TrueCrypt
TrueCrypt
Which of the following is not a valid Unicode encoding? a. UTF-8 b. UTF-16 c. UTF-32 d. UTF-64
UTF-64
Which option below is not a Linux live CD meant for use as a digital forensics tool? a. Penguin Sleuth b. Kali Linux c. Ubuntu d. CAINE
Ubuntu
Which of the following is a clue that a virtual machine has been installed on a host system? a. Network lags b. Virtual network adapter c. Virtualization software d. USB drive
Virtual network adapter
What virtual machine software supports all Windows and Linux OSs as well as Macintosh and Solaris, and is provided as shareware? a. KVM b. Parallels c. Microsoft Virtual PC d. VirtualBox
VirtualBox
In what state is sending unsolicited e-mail illegal? a. Florida b. Washington c. Maine d. New York
Washington
Which of the following file systems can't be analyzed by OSForensics? a. FAT12 b. Ext2fs c. HFS+ d. XFS
XFS
As with any research paper, write the ??? last. a. appendix b. body c. acknowledgements d. abstract
abstract
If a report is long and complex, you should include a(n) ??? a. appendix b. abstract c. glossary d. table of contents
abstract
Which system below can be used to quickly and accurately match fingerprints in a database? a. fingerprint identification database (FID) b. systemic fingerprint database (SFD) c. automated fingerprint identification system (AFIS) d. dynamic fingerprint matching system (DFMS)
automated fingerprint identification system (AFIS)
Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ??? as a way to hide its malicious code from antivirus tools. a. hashing b. bit-shifting c. registry edits d. slack space
bit-shifting
What is the name of the Microsoft solution for whole disk encryption? a. DriveCrypt b. TrueCrypt c. BitLocker d. SecureDrive
BitLocker
Which password recovery method uses every possible letter, number, and character found on a keyboard? a. rainbow table b. dictionary attack c. hybrid attack d. brute-force attack
brute-force attack
What certification program, sponsored by (ISC)², requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations? a. Certified Computer Crime Investigator b. Certified Forensic Computer Examiner c. Certified Cyber Forensics Professional d. EnCase Certified Examiner
Certified Cyber Forensics Professional
Candidates who complete the IACIS test successfully are designated as a ??? a. Certified Forensic Computer Examiner (CFCE) b. Certified Forensics Investigator (CFI) c. Certified Investigative Forensics Examiner (CIFE) d. Certified Investigative Examiner (CIE)
Certified Forensic Computer Examiner (CFCE)
The ??? section of a report starts by referring to the report's purpose, states the main points, draws conclusions, and possibly renders an opinion. a. body b. conclusion c. appendix d. reference
conclusion
??? is not one of the functions of the investigations triad. a. digital investigations b. data recovery c. vulnerability/threat assessment and risk management d. network intrusion detection and incident response
data recovery
The ??? command was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory. a. dd b. split c. dcfldd d. echo
dcfldd
A ??? image file containing software is intended to be bit-stream copied to floppy disks or other external media. a. fdisk b. format c. dd d. DiskEdit
dd
The Linux command ??? can be used to write bit-stream data to files. a. write b. dd c. cat d. dump
dd
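The three cards above name dd and dcfldd without showing what a bit-stream copy actually is: every block of the source, including slack and unallocated space, copied unchanged, with a hash taken in the same pass so the image can be verified later. The following is an added example, not part of the quiz and not dcfldd's own code: it copies a constructed "device" block by block while computing MD5 and SHA-256 (what dcfldd's hash= option does), then re-verifies the image the way an examiner does before analysis. The device contents are constructed sample bytes, not a real drive.

```python
"""Added example: bit-stream copy in fixed-size blocks with hashes computed in
the same pass, modelled on dcfldd's hash= option. The source 'device' is a
constructed bytes object; on a real system you would read the block device."""
import hashlib

BLOCK_SIZE = 512


def bitstream_copy(src, block_size=BLOCK_SIZE, algorithms=("md5", "sha256")):
    """Copy src block by block into a new image, hashing as we go.
    Returns (image, {algorithm: hexdigest}). A short final block is copied
    as-is, so the image is byte-for-byte identical to the source (no padding)."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    image = bytearray()
    blocks = 0
    for off in range(0, len(src), block_size):
        block = src[off:off + block_size]
        image += block
        for h in hashers.values():
            h.update(block)
        blocks += 1
    return bytes(image), {a: h.hexdigest() for a, h in hashers.items()}, blocks


def verify_image(src, image, digests):
    """Re-hash the image independently and compare with the digests recorded at
    acquisition time; also confirm the image really matches the source."""
    hashes_ok = all(hashlib.new(a, image).hexdigest() == d for a, d in digests.items())
    return hashes_ok and image == src


# constructed 'device': a boot-sector-like 512-byte block ending in 0x55AA,
# one block of 0xFF 'slack', and a short 4-byte tail that does not fill a block
DEVICE = (b"\xEB\x3C\x90" + b"MSDOS5.0" + b"\x00" * 499 + b"\x55\xAA"
          + b"\xFF" * 512
          + b"tail")

if __name__ == "__main__":
    image, digests, blocks = bitstream_copy(DEVICE)
    print(f"{blocks} blocks copied, {len(image)} bytes")
    for alg, d in digests.items():
        print(f"{alg}: {d}")
    print("verified:", verify_image(DEVICE, image, digests))
```

The hash is over the whole stream, not per block, which is what matters for chain-of-custody: any later change to a single byte of the image, as the verification above shows, makes the recorded digest fail.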
The ??? command inserts a hex E5 (0xE5) in a filename's first letter position in the associated directory entry. a. delete b. edit c. update d. clear
delete
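The card above states the FAT deletion mechanism in one sentence: only the first byte of the 32-byte directory entry is overwritten with 0xE5, so the rest of the name, the starting cluster and the file size survive, which is exactly why deleted files are recoverable. The following is an added example, not part of the quiz: it builds a few constructed FAT16 directory entries, "deletes" one the way the delete command does, and parses the directory back, listing deleted entries with the placeholder first character that recovery tools display. The entry contents are constructed test data, not read from a real volume.

```python
"""Added example: parse 32-byte FAT directory entries and flag deleted ones.
Entries are constructed here, not read from a real FAT volume."""
import struct

DELETED = 0xE5       # first byte of a deleted entry
END_OF_DIR = 0x00    # first byte of an entry that was never used
ATTR_DIRECTORY = 0x10


def make_entry(name, ext, attr, first_cluster, size):
    """Build a classic 8.3 FAT16 directory entry (constructed test data).
    Layout: name(8) ext(3) attr(1) reserved+create/access times(10)
            cluster-high(2, unused on FAT16) write time(2) write date(2)
            first cluster low(2) file size(4) = 32 bytes."""
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(), ext.ljust(3).encode(),
                       attr, b"\x00" * 10, 0, 0, first_cluster, size)


def mark_deleted(entry):
    """What the delete command does: overwrite byte 0 with 0xE5 and leave the
    rest of the entry, the cluster chain start and the file data untouched."""
    return bytes([DELETED]) + entry[1:]


def parse_directory(raw):
    entries = []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if len(e) < 32 or e[0] == END_OF_DIR:
            break
        deleted = e[0] == DELETED
        name = e[:8]
        # the first character is gone for good; show it as a placeholder
        shown = (b"?" + name[1:]).decode(errors="replace") if deleted else name.decode()
        ext = e[8:11].decode().strip()
        attr = e[11]
        first_cluster = struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        entries.append({
            "name": f"{shown.strip()}.{ext}" if ext else shown.strip(),
            "deleted": deleted,
            "attr": attr,
            "first_cluster": first_cluster,
            "size": size,
        })
    return entries


def recoverable(entries):
    """Deleted non-directory entries whose start cluster is still recorded.
    Whether the data itself survives depends on whether the clusters were
    reused since; the directory entry alone cannot tell you that."""
    return [e for e in entries
            if e["deleted"] and e["first_cluster"] and not e["attr"] & ATTR_DIRECTORY]


# constructed directory: a live file, a deleted file, a subdirectory, free slot
DIR = (make_entry("README", "TXT", 0x20, 3, 1200)
       + mark_deleted(make_entry("SECRET", "DOC", 0x20, 7, 40960))
       + make_entry("LOGS", "", ATTR_DIRECTORY, 9, 0)
       + b"\x00" * 32)

if __name__ == "__main__":
    for e in parse_directory(DIR):
        flag = "DELETED" if e["deleted"] else ""
        print(f"{e['name']:<14} cluster={e['first_cluster']:<4} size={e['size']:<6} {flag}")
```

Recovery then means following the chain from first_cluster for size bytes; on FAT the chain links themselves are zeroed at deletion, so only the first cluster is certain and the rest is assumed contiguous.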
The process of converting raw picture data to another format is called ??? a. splicing b. carving c. demosaicing d. vector quantization
demosaicing
The ??? is responsible for analyzing data and determining when another specialist should be called in to assist with analysis. a. digital evidence recorder b. digital evidence specialist c. digital evidence analyst d. digital evidence examiner
digital evidence specialist
Which of the following commands creates an alternate data stream? a. echo text > myfile.txt:stream_name b. ads create myfile.txt(stream_name) 'text' c. cat text myfile.txt=stream_name d. echo text
echo text > myfile.txt:stream_name
What command below can be used to decrypt EFS files? a. cipher b. copy c. efsrecvr d. decrypt
efsrecvr
How often should hardware be replaced within a forensics lab? a. every 6 to 12 months b. every 12 to 18 months c. every 18 to 24 months d. every 24 to 30 months
every 12 to 18 months
A chain-of-evidence form, which is used to document what has and has not been done with the original evidence and forensic copies of the evidence, is also known as a(n) ??? a. evidence tracking form b. evidence custody form c. multi-evidence form d. single-evidence form
evidence custody form
Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, Secure Digital eXtended Capacity (SDXC) cards, and memory sticks: a. FAT12 b. FAT32 c. exFAT d. VFAT
exFAT
An ??? is a document that serves as a guideline for knowing what questions to expect when you're testifying. a. testimony procedure b. examination plan c. planned questionnaire d. testimony excerpt
examination plan
??? must be included in an affidavit to support an allegation in order to justify a warrant. a. verdicts b. witnesses c. exhibits d. subpoenas
exhibits
What format was developed as a standard for storing metadata in image files? a. JPEG b. TIF c. Exif d. bitmap
Exif
According to the National Institute of Standards and Technology (NIST), digital forensics involves scientifically examining and analyzing data from computer storage media so that it can be used as evidence in court. t/f
false
All suspected industrial espionage cases should be treated as civil case investigations. t/f
false
An Internet e-mail server is generally part of a local network, and is maintained and managed by an administrator for internal use by a specific company. t/f
false
An expert's opinion is governed by FRCP Rule 26 and the corresponding rule in many states. a. true b. false
false
Committing crimes with e-mail is uncommon, and investigators are not generally tasked with linking suspects to e-mail. t/f
false
Expert witnesses are not required to submit a written report for civil cases. a. true b. false
false
Forensics tools can't directly mount VMs as external drives. t/f
false
The Sysinternals Handle utility shows only file system activity, but does not show what processes are using files on the file system. t/f
false
Type 2 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage. t/f
false
When you decompress data that uses a lossy compression algorithm, you regain data lost by compression. t/f
false
You must abide by the ??? while collecting evidence. a. Fourth Amendment b. Federal Rules of Evidence c. state's rules of evidence d. Fifth Amendment
Fourth Amendment
??? is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing. a. second-party evidence b. rumor c. fiction d. hearsay
hearsay
A ??? assists readers in scanning the text quickly by highlighting the main points and logical development of information.
signpost
The branches in HKEY_LOCAL_MACHINE, which consist of SAM, Security, Components, Software, and System, are each stored as a(n) ??? a. registry b. storage c. hive
hive
A ??? is not a private sector organization. a. small to medium business b. large corporation c. non-government organization d. hospital
hospital
The sale of sensitive or confidential company information to a competitor is known as ??? a. industrial betrayal b. industrial espionage c. industrial sabotage d. industrial collusion
industrial espionage
The ??? copies evidence of intrusions to an investigation workstation automatically for further analysis over the network. a. intrusion detection system b. active defense mechanism c. total awareness system d. intrusion monitoring system
intrusion detection system
??? is a specialized viewer software program. a. FastView b. IrfanView c. ThumbsLoader d. ACDSee
IrfanView
What file type starts at offset 0 with a hexadecimal value of FFD8? a. TIFF b. JPEG c. XDG d. BMP
JPEG
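The card above gives one file signature (JPEG begins with FF D8 at offset 0). In practice an examiner checks signatures against extensions for every file, because renaming a .jpg to .txt hides it from a naive extension search but not from its header. The following is an added example, not part of the quiz: it identifies the common raster formats by their leading bytes (going beyond the single JPEG case on the card) and reports files whose extension does not match their signature. The sample files are constructed byte strings, not real images.

```python
"""Added example: signature-based file typing and extension-mismatch detection.
The signature table covers the formats named elsewhere on this page; the
sample 'files' are constructed byte strings."""
import os

# (leading bytes at offset 0, type name, extensions that legitimately carry it)
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
    (b"BM", "bmp", {".bmp"}),                 # only two bytes: a weak signature
    (b"II*\x00", "tiff", {".tif", ".tiff"}),   # little-endian TIFF
    (b"MM\x00*", "tiff", {".tif", ".tiff"}),   # big-endian TIFF
]


def identify(data):
    """Return the type name whose signature matches at offset 0, else None."""
    for magic, kind, _exts in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def check_file(name, data):
    """Compare the signature-derived type with the file's extension.
    status: 'ok' (they agree), 'mismatch' (known type, wrong extension),
    'unknown' (no signature in the table)."""
    kind = identify(data)
    ext = os.path.splitext(name)[1].lower()
    expected = {e for _m, k, exts in SIGNATURES if k == kind for e in exts}
    if kind is None:
        status = "unknown"
    elif ext in expected:
        status = "ok"
    else:
        status = "mismatch"
    return {"name": name, "type": kind, "ext": ext, "status": status}


def scan(files):
    """Run check_file over a {name: bytes} mapping and return the mismatches."""
    return [r for r in (check_file(n, d) for n, d in files.items()) if r["status"] == "mismatch"]


# constructed samples: only the first bytes matter for this check
SAMPLES = {
    "photo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "notes.txt": b"\xFF\xD8\xFF\xE1\x00\x22Exif\x00\x00",   # a JPEG renamed to look like text
    "logo.bmp": b"BM\x36\x00\x00\x00",
    "scan.tif": b"II*\x00\x08\x00\x00\x00",
    "blob.dat": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for n, d in SAMPLES.items():
        r = check_file(n, d)
        print(f"{r['name']:<10} {str(r['type']):<6} {r['status']}")
```

A two-byte signature such as BM will also match unrelated data that happens to start with those letters, so a production tool confirms with header fields (for BMP, a plausible file size at offset 2) rather than trusting the magic alone.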
Many commercial encryption programs use a technology called ???, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure. a. key vault b. key escrow c. bump key d. master key
key escrow
In order to aid a forensics investigation, a hardware or software ??? can be utilized to capture keystrokes remotely. a. keygrabber b. keylogger c. packet capture d. protocol analyzer
keylogger
??? would not be found in an initial-response field kit. a. computer evidence bags (antistatic bags) b. leather gloves and disposable gloves c. a digital camera with extra batteries or 35mm camera with film and flash d. external USB devices or a portable hard drive
leather gloves and disposable gloves
Addresses that allow the MFT to link to nonresident files are known as ??? a. virtual cluster numbers b. logical cluster numbers c. sequential cluster numbers d. polarity cluster numbers
logical cluster numbers
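The card above names logical cluster numbers (LCNs) but not how the MFT gets from a file's virtual cluster numbers (VCNs) to them: a nonresident $DATA attribute carries a compact run list, each run a header byte whose nibbles give the sizes of a length field and a signed LCN delta relative to the previous run. The following is an added example, not part of the quiz: it decodes such a run list into (VCN, LCN, length) runs, handles sparse runs (no offset field) and negative deltas, and maps a file byte offset to its byte offset on the volume. The run-list bytes are constructed to exercise the encoding (the first three runs are a textbook-style sequence; the last two are added), not copied from a real MFT record.

```python
"""Added example: decode an NTFS data-run list (VCN -> LCN mapping) and
resolve file offsets to volume offsets. Run-list bytes are constructed."""


def decode_runs(runlist):
    """Return a list of (vcn_start, lcn_start, length) tuples.
    lcn_start is None for a sparse run (offset-size nibble = 0).
    Each LCN delta is a signed little-endian integer relative to the
    previous run's LCN, so runs may move backwards on the disk."""
    runs = []
    vcn = lcn = i = 0
    while i < len(runlist) and runlist[i] != 0x00:      # 0x00 terminates the list
        hdr = runlist[i]
        i += 1
        len_size, off_size = hdr & 0x0F, hdr >> 4
        length = int.from_bytes(runlist[i:i + len_size], "little")
        i += len_size
        if off_size == 0:
            runs.append((vcn, None, length))            # sparse: no clusters on disk
        else:
            delta = int.from_bytes(runlist[i:i + off_size], "little", signed=True)
            i += off_size
            lcn += delta
            runs.append((vcn, lcn, length))
        vcn += length
    return runs


def vcn_to_lcn(runs, vcn):
    """Map one virtual cluster to its logical cluster (None if sparse)."""
    for start, lcn, length in runs:
        if start <= vcn < start + length:
            return None if lcn is None else lcn + (vcn - start)
    raise ValueError(f"VCN {vcn} is beyond the end of the attribute")


def byte_offset(runs, file_offset, cluster_size=4096):
    """Volume byte offset holding the given byte of the file, or None if that
    part of the file is sparse (reads back as zeros)."""
    lcn = vcn_to_lcn(runs, file_offset // cluster_size)
    if lcn is None:
        return None
    return lcn * cluster_size + file_offset % cluster_size


# constructed run list:
#   21 18 34 56        len=1 byte (0x18=24), off=2 bytes (0x5634=22068)
#   31 38 73 25 34     len=56,  off=+0x342573
#   32 14 01 E5 11 02  len=0x0114=276, off=+0x0211E5
#   11 04 FE           len=4,   off=-2 (negative delta, signed byte 0xFE)
#   01 03              len=3,   no offset field: sparse run
#   00                 end of list
RUNLIST = bytes.fromhex("21183456" "3138732534" "321401E51102" "1104FE" "0103" "00")
RUNS = decode_runs(RUNLIST)

if __name__ == "__main__":
    for vcn, lcn, length in RUNS:
        print(f"VCN {vcn:>4} -> LCN {str(lcn):>8}  x{length}")
    print("file byte 0 lives at volume byte", byte_offset(RUNS, 0))
```

Note that run offsets accumulate: a corrupted or tampered delta early in the list shifts every later run, which is one reason carving from the MFT must cross-check the $Bitmap and the clusters' own content.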
The Lempel-Ziv-Welch (LZW) algorithm is used in ??? compression. a. lossy b. lossless c. vector quantization d. adaptive
lossless
A user with programming experience may use an assembler program (also called a ???) on a file to scramble bits, in order to secure the information contained inside. a. compiler b. shifter c. macro d. script
macro
What should you do while copying data on a suspect's computer that is still live? a. open files to view contents b. make notes regarding everything you do c. conduct a Google search of unknown extensions using the computer d. check Facebook for additional suspects
make notes regarding everything you do
What kind of graphics file combines bitmap and vector graphics types? a. metafile b. bitmap c. JPEG d. TIF
metafile
When looking at a byte of information in binary, such as 11101100, what is the first bit on the left referred to as? a. major significant bit (MSB) b. least significant bit (LSB) c. most significant bit (MSB) d. leading significant bit (LSB)
most significant bit (MSB)
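Three cards on this page touch the same idea from different angles: bit-shifting lets malware evade hash-based antivirus checks, a user can scramble a file's bits to hide its contents, and the leftmost bit of a byte is the MSB. The following is an added example, not part of the quiz: it rotates every byte of a constructed payload left by one bit (the MSB wrapping round to become the LSB), shows that the rotated file has a different hash and no longer contains the strings a signature scanner looks for, and then reverses the rotation, including a brute-force over all seven possible shift counts when the count is unknown. The payload and signatures are constructed for illustration, not taken from real malware.

```python
"""Added example: why a bit-shifted file defeats hash and string signatures,
and how an examiner reverses the shift. Payload and signatures are constructed."""
import hashlib


def msb(byte):
    """Most significant bit: the leftmost of the eight."""
    return (byte >> 7) & 1


def lsb(byte):
    """Least significant bit: the rightmost."""
    return byte & 1


def rotl8(b, n=1):
    """Rotate an 8-bit value left by n; the bits that fall off the MSB end
    re-enter at the LSB end, so no information is lost (unlike a plain shift)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def rotr8(b, n=1):
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def shift_bits(data, n=1):
    return bytes(rotl8(b, n) for b in data)


def unshift_bits(data, n=1):
    return bytes(rotr8(b, n) for b in data)


def signature_hits(data, signatures):
    """The string-signature part of a scanner: which known strings appear?"""
    return [s for s in signatures if s in data]


# constructed scanner signatures and a constructed (harmless) script payload
SIGNATURES = [b"cmd.exe /c", b"WScript.Shell"]
PAYLOAD = b'Set s = CreateObject("WScript.Shell"): s.Run "cmd.exe /c whoami"'


def demo(payload=PAYLOAD, signatures=SIGNATURES):
    """Compare the plain and bit-shifted payload as a hash/signature scanner sees them."""
    hidden = shift_bits(payload)
    return {
        "plain_hash": hashlib.sha256(payload).hexdigest(),
        "hidden_hash": hashlib.sha256(hidden).hexdigest(),
        "hits_plain": signature_hits(payload, signatures),
        "hits_hidden": signature_hits(hidden, signatures),
        "recovered": unshift_bits(hidden) == payload,
    }


def brute_force_shift(data, signatures):
    """Unknown shift count: try every non-trivial rotation and return the
    (count, recovered bytes) pair that exposes a signature, else None."""
    for n in range(1, 8):
        candidate = unshift_bits(data, n)
        if signature_hits(candidate, signatures):
            return n, candidate
    return None

if __name__ == "__main__":
    r = demo()
    print("plain  :", r["plain_hash"][:16], r["hits_plain"])
    print("shifted:", r["hidden_hash"][:16], r["hits_hidden"])
    print("recovered:", r["recovered"])
    print("brute force finds shift", brute_force_shift(shift_bits(PAYLOAD, 3), SIGNATURES)[0])
```

Rotation by a constant is the weakest form of this trick; an examiner who sees a file with no recognisable structure but a byte-frequency distribution that looks like text shifted sideways should try these seven candidates before reaching for anything heavier.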
If practical, ??? team(s) should collect and catalog digital evidence at a crime scene or lab. a. two b. five c. one d. three
one
Select the file below that is used in VirtualBox to create a virtual machine: a. .vdi b. .vbox c. .r0 d. .ova
.ova
Within the fdisk interactive menu, what character should be entered to view existing partitions? a. l b. p c. o d. d
p
When writing a report, group related ideas and sentences into ??? a. chapters b. sections c. paragraphs d. separate reports
paragraphs
The term ??? describes a database containing information records about crimes that have been committed previously by a criminal. a. police ledger b. police blotter c. police blogger d. police recorder
police blotter
The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient ??? a. probable cause b. due diligence c. accusations d. reliability
probable cause
Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as ??? a. verifiable reporting b. repeatable findings c. reloadable steps d. evidence reporting
repeatable findings
Which option below is not a recommendation for securing storage containers? a. the container should be located in a restricted area b. only authorized access should be allowed, and it should be kept to a minimum c. evidence containers should remain locked when they aren't under direct supervision d. rooms with evidence containers should have a secured wireless network
rooms with evidence containers should have a secured wireless network
What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in coming to those opinions? a. Rule 24 b. Rule 35 c. Rule 36 d. Rule 26
Rule 26
What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords? a. salted passwords b. scrambled passwords c. indexed passwords d. master passwords
salted passwords
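The card above says salting defeats rainbow tables but not why. A precomputed table maps hash to password once and is reused against every account; with a per-user random salt two users with the same password store different values, so a single precomputed entry matches nothing and the attacker is back to guessing per account. The following is an added example, not part of the quiz: it hashes three constructed accounts without and with a salt, "cracks" them with a tiny constructed table of precomputed hashes, and shows the table works only against the unsalted store. It uses PBKDF2-HMAC-SHA256 from the Python standard library for the salted case; the user names, passwords and word list are constructed for illustration.

```python
"""Added example: unsalted vs salted password storage against a precomputed
(rainbow-style) table. Accounts, passwords and the table are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000           # PBKDF2 work factor; raise in production


def unsalted_hash(password):
    """The scheme rainbow tables were built for: one hash per password, ever."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Random 16-byte salt per account, stored beside the derived key as
    'salthex$keyhex'. Same password, different salt, different record."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify(password, stored):
    """Recompute with the stored salt; constant-time compare to avoid a timing leak."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_table(wordlist):
    """A (very small) precomputed table: hash -> password. A real rainbow
    table is a compressed chain structure, but the lookup it offers is this."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(table, hashes):
    """One lookup per stored hash; identical passwords fall together."""
    return {h: table[h] for h in hashes if h in table}


def crack_salted(table, stored_records):
    """The same table against salted records: the derived keys never appear
    in a table built without each account's salt, so nothing matches."""
    return {rec: table[rec.split("$")[1]] for rec in stored_records
            if rec.split("$")[1] in table}


# constructed word list and accounts; alice and bob share a password on purpose
WORDLIST = ["password", "letmein", "Summer2024!", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Summer2024!"}

if __name__ == "__main__":
    table = build_table(WORDLIST)
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    print("alice == bob (unsalted):", unsalted["alice"] == unsalted["bob"])
    print("alice == bob (salted)  :", salted["alice"] == salted["bob"])
    print("cracked unsalted:", crack_unsalted(table, unsalted.values()))
    print("cracked salted  :", crack_salted(table, salted.values()))
    print("login check     :", verify("letmein", salted["alice"]))
```

The salt does not need to be secret, only unique; what it removes is the attacker's ability to do the expensive work once and reuse it, which is also why the slow PBKDF2 loop matters: each guess now costs the attacker as much as it costs the server.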
The ??? utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook. a. fixmail.exe b. scanpst.exe c. repairpst.exe d. rebuildpst.exe
scanpst.exe
The goal of recovering as much information as possible can result in ???, in which an investigation expands beyond the original description because of unexpected evidence found. a. litigation b. scope creep c. criminal charges d. violations
scope creep
Sendmail uses which file for instructions on processing an e-mail message? a. sendmail.cf b. syslogd.conf c. mese.ese d. mapi.log
sendmail.cf
The term ??? describes rooms filled with extremely large disk systems that are typically used by large business data centers. a. storage room b. server farm c. data well d. storage hub
server farm
Which of the following is not done when preparing for a case? a. describe the nature of the case b. identify the type of OS c. set up covert surveillance d. determine whether you can seize the computer or digital device
set up covert surveillance
A TEMPEST facility is designed to accomplish which of the following goals? a. prevent data loss by maintaining consistent backups b. shield sensitive computing systems and prevent electronic eavesdropping on computer emissions c. ensure network security from the Internet using comprehensive security software d. protect the integrity of data
shield sensitive computing systems and prevent electronic eavesdropping on computer emissions
A written report containing sensitive information that could create an opening for the opposing attorney to discredit you is a ???
high-risk document
What registry file contains installed programs' settings and associated usernames and passwords? a. default.dat b. software.dat c. SAM.dat d. Ntuser.dat
software.dat
??? does not recover data in free or slack space. a. raw format acquisition b. live acquisition c. static acquisition d. sparse acquisition
sparse acquisition
If a preliminary report is written, destroying the preliminary report after the final report is complete could be considered ??? a. proper data security b. spoliation c. beneficial d. necessary
spoliation
The Suni Munshani v. Signal Lake Venture Fund II, LP et al. case is an example of a case that involves e-mail ??? a. destruction b. spamming c. spoofing d. theft
spoofing
The term for detecting and analyzing steganography files is ??? a. carving b. steganalogy c. steganalysis d. steganomics
steganalysis
??? means the tone of language you use to address the reader. a. Style b. Format c. Outline d. Prose
Style
On a Unix-like system, which file specifies where to save different types of e-mail log files? a. maillog b. /var/spool/log c. syslog.conf d. log
syslog.conf
The command-line program ??? is a common way of examining network traffic; it provides records of network activity while it is running, and can produce hundreds of thousands of records. a. netstat b. ls c. ifconfig d. tcpdump
tcpdump
In addition to opinions and exhibits, the ??? must specify fees paid for the expert's services and list all other civil or criminal cases in which the expert has testified. a. verbal report b. informal report c. written report d. preliminary report
written report
When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be flagged ??? a. yellow b. green c. red d. orange
yellow
Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks? a. disk track recording (DTR) b. zone based areal density (ZBAD) c. zone bit recording (ZBR) d. cylindrical head calculation (CHC)
zone bit recording (ZBR)