Final Review-CIS 462

अब Quizwiz के साथ अपने होमवर्क और परीक्षाओं को एस करें!

ATA-66,ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable. Answer 70 83 96 100

100

If you must write a preliminary report, use words such as "preliminary copy,""draft copy," or "working draft." Answer True False

False

The American Bar Association (ABA) is a licensing body. Answer True False

False

When intruders break into a network, they rarely leave a trail behind. Answer True False

False

The primary hash algorithm used by the NSRL project is ____. Answer MD5 SHA-1 CRC-32 RC4

SHA-1

SafeBack performs a(n) ____ calculation for each sector copied to ensure data integrity Answer SHA-1 MC5 SHA-256 MC4

SHA-256

When Microsoft introduced Windows 2000, it added built-in encryption to NTFS called ____. Answer EFS VFAT LZH RAR

EFS

The ____ DOS program En.exe requires using a forensic MS-DOS boot floppy or CD and a network crossover cable. Answer ProDiscover ILook DIBS USA EnCase

EnCase

Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Windows File System. Answer NTFS ext3 FAT24 ext2

NTFS

In software acquisition, there are three types of data-copying methods. Answer True False

False

One advantage with live acquisitions is that you are able to perform repeatable processes. Answer True False

False

Operating systems do not have tools for recovering image files. Answer True False

False

Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses. Answer True False

False

Steganography cannot be used with file formats other than image files. Answer True False

False

The Windows platforms have long been the primary command-line interface OSs. Answer True False

False

With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk. command-line shell-based prompt-based GUI

GUI

The ABA's ____ contains provisions limiting the fees experts can receive for their services. Answer Code 703 Model Code Rule 26 Code 26-1.a

Model Code

____ is a written list of objections to certain testimony or exhibits. Answer Defendant Empanelling the jury Plaintiff Motion in limine

Motion in limine

By the early 1990s, the ____ introduced training on software for forensics investigations. Answer IACIS FLETC CERT DDBIA

IACIS

The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____. Answer NSRL CFTT FS-TST PARTAB

NSRL

____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS. Answer Hal.dll NTBootdd.sys Boot.ini Ntoskrnl.exe

NTBootdd.sys

In the following list, ____ is the only steg tool. Answer EnCase iLook DriveSpy Outguess

Outguess

____ increases the time and resources needed to extract,analyze,and present evidence. Answer Investigation plan Scope creep Litigation path Court order for discovery

Scope creep

The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03. Answer TIFF XIF JPEG GIF

XIF

____ is how most manufacturers deal with a platter's inner tracks being shorter than its outer tracks. Answer Head skew Cylinder skew ZBR Areal density

ZBR

A ____ differs from a trial testimony because there is no jury or judge. Answer rebuttal plaintiff civil case deposition

deposition

Attorneys search ____ for information on expert witnesses. Answer disqualification banks deposition banks examination banks cross-examination banks

deposition banks

Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack. Answer ISPs soldiers zombies pawns

zombies

Ext2fs can support disks as large as ____ TB and files as large as 2 GB. Answer 4 8 10 12

4

FRE ____ describes whether basis for the testimony is adequate. Answer 700 701 702 703

703

An expert's opinion is governed by FRE, Rule ____, and the corresponding rule in many states. Answer 705 755 805 855

705

Maintaining ____ means you must form and sustain unbiased opinions of your cases. Answer confidentiality objectivity integrity credibility

objectivity

You should have at least one copy of your backups on site and a duplicate copy or a previous copy of your backups stored in a safe ____ facility. Answer in-site storage off-site online

off-site

Floors and carpets on your computer forensic lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity. Answer once twice three times four times

once

Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony. Answer setup open-ended compound rapid-fire

open-ended

Many password recovery tools have a feature that allows generating potential lists for a ____ attack. Answer brute-force password dictionary birthday salting

password dictionary

Courts consider evidence data in a computer as ____ evidence. Answer physical invalid virtual logical

physical

Under copyright laws, maps and architectural plans may be registered as ____. Answer pantomimes and choreographic works artistic works literary works pictorial, graphic, and sculptural works

pictorial, graphic, and sculptural works

A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____. Answer stationary workstation field workstation lightweight workstation portable workstation

portable workstation

For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command. Answer prn print prnt prt

print

____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment. Answer Risk configuration Change management Configuration management Risk management

Risk management

____ is a popular network intrusion detection system that performs packet capture and analysis in real time. Answer Ethereal Snort Tcpdump john

Snort

____ is a good tool for extracting information from large Libpcap files. Answer Nmap Tcpslice Pcap TCPcap

Tcpslice

As an expert witness, you have opinions about what you have found or observed. Answer True False

True

Bitmap images are collections of dots, or pixels, that form an image. Answer True False

True

By the 1970s, electronic crimes were increasing, especially in the financial sector. Answer True False

True

Chain of custody is also known as chain of evidence. Answer True False

True

Experts should be paid in full for all previous work and for the anticipated time required for testimony. Answer True False

True

FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing. Answer True False

True

GPL and BSD variations are examples of open-source software. Answer True False

True

PsList from PsTools allows you to list detailed information about processes. Answer True False

True

You can use ____ to boot to Windows without writing any data to the evidence disk. Answer a SCSI boot up disk a Windows boot up disk a write-blocker Windows XP

a write-blocker

Regarding a trial, the term ____ means rejecting potential jurors. Answer voir dire rebuttal strikes venireman

strikes

Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file's contents. Answer testing, compressed scanning, text testing, pdf testing, doc

testing, compressed

A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. Answer warning banner right of privacy line of authority right banner

warning banner

Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of OSs. Answer 1989 1991 1994 1995

1995

Computer forensics tools are divided into ____ major categories. Answer 2 3 4 5

2

GroupWise has ____ ways of organizing the mailboxes on the server. Answer 2 3 4 5

2

There are ____ searching options for keywords which FTK offers. Answer 2 3 4 5

2

When cases go to trial, you as a forensics examiner can play one of ____ roles. Answer 2 3 4 5

2

The abstract should be one or two paragraphs totaling about 150 to ____ words. Answer 200 250 300 350

200

IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer forensics. Answer 2 3 4 5

3

If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training. Answer 2 3 4 5

3

In general, forensics workstations can be divided into ____ categories. Answer 2 3 4 5

3

Most packet sniffers operate on layer 2 or ____ of the OSI model. Answer 1 3 5 7

3

Computing components are designed to last 18 to ____ months in normal business operations. Answer 24 30 36 42

36

____ components define the file system on UNIX. Answer 2 3 4 5

4

The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients. Answer ISFCE IACIS ABA HTCIA

ABA

The ____ Ethics Code cautions psychologists about the limitations of assessment tools. Answer ABA's APA's AMA's ADA's

APA's

People who want to hide data can also use advanced encryption programs, such as PGP or ____. Answer NTI BestCrypt FTK PRTK

BestCrypt

____ images store graphics information as grids of individual pixels. Answer Bitmap Raster Vector Metafiles

Bitmap

____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version. Answer Boot.ini BootSec.dos NTDetect.com NTBootdd.sys

Boot.ini

____ attacks use every possible letter, number, and character found on a keyboard when cracking a password. Answer Brute-force Dictionary Profile Statistics

Brute-force

All e-mail servers are databases that store multiple users' e-mails. Answer True False

False

As data is added, the MFT can expand to take up 75% of the NTFS disk. Answer True False

False

Computer investigations and forensics fall into the same category: public investigations. Answer True False

False

Corporate investigators always have the authority to seize all computers equipments during a corporate investigation. Answer True False

False

Create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your report. Answer True False

False

Expert opinions cannot be presented without stating the underlying factual basis. Answer True False

False

FTK cannot analyze data from image files from other vendors. Answer True False

False

FTK cannot perform forensics analysis on FAT12 file systems. Answer True False

False

ISPs can investigate computer abuse committed by their customers. Answer True False

False

If damage occurs to the floor, walls, ceilings, or furniture on your computer forensics lab, it does not need to be repaired immediately. Answer True False

False

Like a job resume, your CV should be geared for a specific trial. Answer True False

False

Network forensics is a fast, easy process. Answer True False

False

Ngrep cannot be used to examine e-mail headers or IRC chats. Answer True False

False

Older Macintosh computers use the same type of BIOS firmware commonly found in PC-based systems. Answer True False

False

The first 5 bytes (characters) for all MFT records are MFTR0. Answer True False

False

The law of search and seizure protects the rights of all people, excluding people suspected of crimes. Answer True False

False

Under ISO 9660 for DVDs, the Micro-UDF (M-UDF) function has been added to allow for long filenames. Answer True False

False

Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume. Answer True False

False

When writing a report, use a formal, technical style. Answer True False

False

You can always rely on the return path in an e-mail header to show the source account of an e-mail message. Answer True False

False

You cannot use both multi-evidence and single-evidence forms in your investigation. Answer True False

False

The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers. Answer Honeynet Honeypot Honeywall Honeyweb

Honeynet

____ questions can give you the factual structure to support and defend your opinion. Answer Setup Compound Rapid-fire Hypothetical

Hypothetical

____ was created by police officers who wanted to formalize credentials in computing investigations. Answer HTCN NISPOM TEMPEST IACIS

IACIS

The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems. Answer Apple Atari Commodore IBM

IBM

The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible. Answer ISO 3657 ISO 5321 ISO 5725 ISO 17025

ISO 5725

____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program. Answer Replacement Append Substitution Insertion

Insertion

A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10. Answer EPS BMP GIF JPEG

JPEG

AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data. Answer KFF PKFT NTI NSRL

KFF

EnCase Enterprise is set up with an Examiner workstation and a Secure Authentication for EnCase (____) workstation Answer ILook SAFE Incident Response Investigator

SAFE

One way to investigate older and unusual computing systems is to keep track of ____ that still use these systems. Answer AICIS lists uniform reports SIGs Minix

SIGs

In a(n) ____ attack, the attacker keeps asking your server to establish a connection. Answer SYN flood ACK flood brute-force attack PCAP attack

SYN flood

____ is the only automated disk-to-disk tool that allows you to copy data to a slightly smaller target drive than the original suspect's drive. Answer SafeBack EnCase SnapCopy SMART

SnapCopy

____ has also been used to protect copyrighted material by inserting digital watermarks into a file. Answer Encryption Steganography Compression Archiving

Steganography

____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there. Answer Bit shifting Encryption Marking bad clusters Steganography

Steganography

____ is the art of hiding information inside image files. Answer Steganography Steganalysis Graphie Steganos

Steganography

____ steganography replaces bits of the host file with other bits of data. Answer Insertion Replacement Substitution Append

Substitution

Defense contractors during the Cold War were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____. Answer TEMPEST RAID NISPOM EMR

TEMPEST

The image format XIF is derived from the more common ____ file format. Answer GIF JPEG BMP TIFF

TIFF

A common way of examining network traffic is by running the ____ program. Answer Netdump Slackdump Coredump Tcpdump

Tcpdump

____ is the text version of Ethereal, a packet sniffer tool. Answer Tcpdump Ethertext Etherape Tethereal

Tethereal

Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication. Answer True False

True

Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive. Answer True False

True

Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data. Answer True False

True

One way to examine a partition's physical level is to use a disk editor, such as Norton DiskEdit, WinHex, or Hex Workshop. Answer True False

True

Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise. Answer True False

True

People need ethics to help maintain their balance, especially in difficult and contentious situations. Answer True False

True

Performing a forensic analysis of a disk 200 GB or larger can take several days and often involves running imaging software overnight and on weekends. Answer True False

True

The defense request for full discovery of digital evidence applies only to criminal cases in the United States. Answer True False

True

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file. Answer True False

True

The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location. Answer True False

True

The type of file system an OS uses determines how data is stored on the disk. Answer True False

True

To be a successful computer forensics investigator, you must be familiar with more than one computing platform. Answer True False

True

To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful. Answer True False

True

When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support. Answer True False

True

With many computer forensics tools, you can open files with external viewers. Answer True False

True

With the Knoppix STD tools on a portable CD, you can examine almost any network system. Answer True False

True

When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data. Answer Homeland Security Department Patriot Act U.S. DoJ U.S. DoD

U.S. DoJ

Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0,and SCSI controllers. Answer USB IDE LCD PCMCIA

USB

A ____ is a bit-by-bit copy of the original storage medium. Answer preventive copy recovery copy backup copy bit-stream copy

bit-stream copy

To create an exact image of an evidence disk, copying the ____ to a target work disk that's identical to the evidence disk is preferable. Answer removable copy backup copy bit-stream image backup image

bit-stream image

FTK and other computer forensics programs use ____ to tag and document digital evidence. Answer tracers hyperlinks bookmarks indents

bookmarks

Helix operates in two modes:Windows Live (GUI or command line) and ____. Answer command Windows remote GUI command Linux bootable Linux

bootable Linux

Generally, computer records are considered admissible if they qualify as a ____ record. Answer hearsay business computer-generated computer-stored

business

In the ____, you justify acquiring newer and better resources to investigate computer forensics cases. Answer risk evaluation business case configuration plan upgrade policy

business case

Records in the MFT are referred to as ____. Answer hyperdata metadata inodes infodata

metadata

Most computer investigations in the private sector involve ____. Answer e-mail abuse misuse of computing assets Internet abuse VPN abuse

misuse of computing assets

Investigating and controlling computer incident scenes in the corporate environment is ____ in the criminal environment. Answer much easier than as easy as as difficult as more difficult than

much easier than

The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true. Answer notarized examined recorded challenged

notarized

SnapBack DatArrest can perform a data copy of an evidence drive in ____ ways. Answer two three four five

three

Exchange logs information about changes to its data in a(n) ____ log. Answer checkpoint communication transaction tracking

transaction

A ____ allows you to create a representation of another computer on an existing physical computer. Answer virtual file logic drive logic machine virtual machine

virtual machine

As with any research paper, write the report abstract last. Answer True False

True

The uppercase letter ____ has a hexadecimal value of 41. Answer "A" "C" "G" "Z"

"A"

Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab. Answer evidence custody form FOIA form affidavit warrant

warrant

Microsoft has recently added ____ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult. Answer whole disk encryption backup utilities recovery wizards NTFS

whole disk encryption

A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute). Answer written report verbal report examination plan cross-examination report

written report

____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names. Answer www.freeality.com www.google.com www.whatis.com www.juno.com

www.freeality.com

Files with extension ____ are created using Microsoft Outlook Express. Answer .sxc .doc .dbx .ods

.dbx

In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____. Answer .ost .eml .msg .pst

.pst

Files with extensions .ods and ____ are created using OpenOffice Calc. Answer .sxc .xls .dcx .qpr

.sxc

On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive. Answer /dev/sda1 /dev/hdb1 /dev/hda1 /dev/ide1

/dev/hda1

____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside. Answer /etc/sendmail.cf /etc/syslog.conf /etc/var/log/maillog /var/log/maillog

/etc/sendmail.cf

Typically, UNIX installations are set to store logs such as maillog in the ____ directory. Answer /etc/Log /log /etc/var/log /var/log

/var/log

To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of ____. Answer -1 0 1 2

0

The EMR from a computer monitor can be picked up as far away as ____ mile. Answer 1/4 1/2 3/4 1

1/2

In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each. Answer 1024 1512 2048 2512

1024

Jurors typically average just over ____ years of education and an eighth-grade reading level. Answer 9 10 11 12

12

The FOIA was originally enacted in the ____. Answer 1940s 1950s 1960s 1970s

1960s

All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard ____ ribbon or shielded cable. Answer 40-pin 60-pin 80-pin 120-pin

40-pin

Image files can be reduced by as much as ____% of the original. Answer 15 25 30 50

50

If a microphone is present during your testimony, place it ____ to eight inches from you. Answer 3 4 5 6

6

The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is ____. Answer 32,768 45,353 58,745 65,535

65,535

FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful. Answer 702 703 704 705

702

When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to prevent a hard disk from overheating to prevent damage. Answer 80 90 95 105

80

There are ____ tracks available for the program area on a CD. Answer 45 50 99 100

99

In an e-mail address, everything after the ____ symbol represents the domain name. Answer # . @ -

@

____ offers the most comprehensive regulations of any professional organization and devote an entire section to forensics activities. Answer AMA's law ABA's Model Rule APA's Ethics Code ABA's Model Codes

APA's Ethics Code

The ____ provides several software drivers that allow communication between the OS and the SCSI component. Answer International Organization of Standardization (ISO) Advanced SCSI Programming Interface (ASPI) CLV EIDE

Advanced SCSI Programming Interface (ASPI)

____ provide additional resource material not included in the body of the report. Answer Conclusion References Discussion Appendixes

Appendixes

____ refers to the number of bits in one square inch of a disk platter. Answer Head skew Areal density Cylinder skew ZBR

Areal density

____ is a batch file containing customized settings for MS-DOS that runs automatically. Answer Autoexec.bat Config.sys Io.sys Command.com

Autoexec.bat

For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you're constantly enhancing your skills through training, teaching, and experience. Answer testimony CV examination plan deposition

CV

What HTCN certification level requires candidates have three years of investigative experience in any discipline from law enforcement or corporate or have a college degree with one year of experience in investigations? Answer Certified Computer Crime Investigator, Basic Level Certified Computer Crime Investigator, Advanced Level Certified Computer Forensic Technician, Basic Certified Computer Forensic Technician, Advanced

Certified Computer Forensic Technician, Basic

____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size. Answer Continuous logging Automatic logging Circular logging Server logging

Circular logging

The ____ file provides a command prompt when booting to MS-DOS mode (DPMI). Answer Io.sys Autoexec.bat Config.sys Command.com

Command.com

The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence. Answer Federal Rules of Evidence (FRE) Department of Defense Computer Forensics Laboratory (DCFL) DIBS Computer Analysis and Response Team (CART)

Computer Analysis and Response Team (CART)

____ records are data the system maintains, such as system log files and proxy server logs. Answer Computer-generated Business Computer-stored Hearsay

Computer-generated

____ is a text file containing commands that typically run only at system startup to enhance the computer's DOS configuration. Answer Autoexec.bat Config.sys BootSect.dos Io.sys

Config.sys

____ is an attempt by opposing attorneys to prevent you from serving on an important case. Answer Conflict of interest Warrant Deposition Conflicting out

Conflicting out

When working on a Windows environment you can press ____ to copy the selected text to the clipboard. Answer Ctrl+A Ctrl+C Ctrl+V Ctrl+Z

Ctrl+C

____ has developed the Rapid Action Imaging Device (RAID) to make forensically sound disk copies. Answer DIBS USA EnCase ProDiscover ILook

DIBS USA

Macintosh OS X is built on a core called ____. Answer Phantom Panther Darwin Tiger

Darwin

____ can be the most time-consuming task, even when you know exactly what to look for in the evidence. Evidence recovery Data recovery Data analysis Evidence recording

Data analysis

____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. Answer Data recovery Network forensics Computer forensics Disaster recovery

Data recovery

____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %system-root%\Windows\System32\Drivers folder. Answer Hal.dll Pagefile.sys Ntoskrnl.exe Device drivers

Device drivers

In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network. Answer Dir ls Copy owner

Dir

____ involves preventing data loss by using backups, uninterruptible power supply (UPS) devices, and off-site monitoring. Answer Computer forensics Data recovery Disaster recovery Network forensics

Disaster recovery

____ of data involves sorting and searching through all investigation data. Answer Validation Discrimination Acquisition Reconstruction

Discrimination

The most common and flexible data-acquisition method is ____. Answer Disk-to-disk copy Disk-to-network copy Disk-to-image file copy Sparse data copy

Disk-to-image file copy

____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats. Answer VPN Internet E-mail Phone

E-mail

The majority of digital cameras use the ____ format to store digital pictures. Answer EXIF TIFF PNG GIF

EXIF

Certain files, such as the ____ and Security log in Windows XP, might lose essential network activity records if the power is terminated without a proper shutdown. Answer Password log Word log Io.sys Event log

Event log

____ evidence is evidence that exonerates or diminishes the defendant's liability. Answer Rebuttal Plaintiff Inculpatory Exculpatory

Exculpatory

The standard Linux file system is ____. Answer NTFS Ext3fs HFS+ Ext2fs

Ext2fs

Marking bad clusters data-hiding technique is more common with ____ file systems. Answer NTFS FAT HFS Ext2fs

FAT

____ is the file structure database that Microsoft originally designed for floppy disks. Answer NTFS FAT32 VFAT FAT

FAT

____ is a simple drive-imaging station. Answer F.R.E.D. SPARC FIRE IDE DiskSpy

FIRE IDE

A UNIX or Linux computer has two boot blocks, which are located on the main hard disk. Answer True False

False

A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible. Answer True False

False

A nonsteganographic graphics file has a different size than an identical steganographic graphics file. Answer True False

False

A verbal report is more structured than a written report. Answer True False

False

IDE ATA controller on an old 486 PC doesn't recognize disk drives larger than 8.4 ____. Answer KB MB GB TB

GB

Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement. Answer AIX BSD GPL GRUB

GPL

The GroupWise logs are maintained in a standard log format in the ____ folders. Answer MIME mbox QuickFinder GroupWise

GroupWise

The Novell e-mail server software is called ____. Answer Sendmail GroupWise Sawmill Guardian

GroupWise

____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer's file system. Answer HDHOST DiskHost DiskEdit HostEditor

HDHOST

Reports and logs generated by forensic tools are typically in plaintext format, a word processor format, or ____ format. Answer PDF HTML PS TXT

HTML

____ can be used to create a bootable forensic CD and perform a live acquisition. Answer Helix DTDD Inquisitor Neon

Helix

____ hide the most valuable data at the innermost part of the network. Answer Layered network defense strategies Firewalls Protocols NAT

Layered network defense strategies

LILO uses a configuration file named ____ located in the /Etc directory. Answer Lilo.conf Boot.conf Lilo.config Boot.config

Lilo.config

____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search. Answer Online Inline Active Live

Live

Linux ISO images are referred to as ____. Answer ISO CDs Live CDs Forensic Linux Linux in a Box

Live CDs

____ compression compresses data by permanently discarding bits of information in the file. Answer Redundant Lossy Huffman Lossless

Lossy

On an NTFS disk, immediately after the Partition Boot Sector is the ____. Answer FAT HPFS MBR MFT

MFT

SafeBack and SnapCopy must run from a(n) ____ system. Answer UNIX MS-DOS Linux Solaris

MS-DOS

SnapBack DatArrest runs from a true ____ boot floppy. Answer UNIX Linux Mac OS X MS-DOS

MS-DOS

To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable. Answer UNIX MAC OS X Linux MS-DOS

MS-DOS

On older Macintosh OSs all information about the volume is stored in the ____. Answer Master Directory Block (MDB) Volume Control Block (VCB) Extents Overflow File (EOF) Volume Bitmap (VB)

Master Directory Block (MDB)

____ are the experts who testify most often. Answer Civil engineers Computer forensics experts Chemical engineers Medical professionals

Medical professionals

____ is a hidden text file containing startup options for Windows 9x. Answer Pagefile.sys Hal.dll Msdos.sys Ntoskrnl.exe

Msdos.sys

The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software. Answer CFTT NIST FS-TST NSRL

NIST

____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to NTLDR. Answer Hal.dll Boot.ini NTDetect.com BootSect.dos

NTDetect.com

____ was introduced when Microsoft created Windows NT and is the primary file system for Windows Vista. Answer FAT32 VFAT NTFS HPFS

NTFS

____ forensics is the systematic tracking of incoming and outgoing traffic on your network. Answer Network Computer Criminal Server

Network

____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program. Answer Broadcast forensics Network forensics Computer forensics Traffic forensics

Network forensics

One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it. Answer Norton DiskEdit PartitionMagic System Commander LILO

Norton DiskEdit

To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click ____to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header. Answer Options Details Properties Message Source

Options

Most packet sniffer tools can read anything captured in ____ format. Answer SYN DOPI PCAP AIATP

PCAP

____ are devices and/or software placed on a network to monitor traffic. Answer Packet sniffers Bridges Hubs Honeypots

Packet sniffers

____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab. Answer An antistatic wrist band Padding An antistatic pad

Padding

____ recovery is a fairly easy task in computer forensic analysis. Answer Data Partition Password Image

Password

Attorneys can now submit documents electronically in many courts; the standard format in federal courts is ____. Answer Microsoft Word (DOC) Portable Document Format (PDF) Encapsulated Postscript (EPS) Postscript (PS)

Portable Document Format (PDF)

1. Forensics tools such as ____ can retrieve deleted files for use as evidence. Answer ProDiscover Basic ProDelete FDisk GainFile

ProDiscover Basic

____ from Technology Pathways is a forensics data analysis tool. You can use it to acquire and analyze data from several different file systems. Answer Guidance EnCase NTI SafeBack DataArrest SnapCopy ProDiscover Basic

ProDiscover Basic

____ is facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed. Answer Reasonable cause Probable cause A subpoena A warrant

Probable cause

The PSTools ____ kills processes by name or process ID. Answer PsExec PsList PsKill PsShutdown

PsKill

____ is a suite of tools created by Sysinternals. Answer EnCase PsTools R-Tools Knoppix

PsTools

For labs using high-end ____ servers (such as Digital Intelligence F.R.E.D.C. or F.R.E.D.M.), you must consider methods for restoring large data sets. Answer RAID ISDN WAN TEMPEST

RAID

____ from both plaintiff and defense is an optional phase of the trial. Generally, it's allowed to cover an issue raised during cross-examination. Answer Rebuttal Plaintiff Closing arguments Opening statements

Rebuttal

____ is a Sysinternals command that shows all Registry data in real time on a Windows computer. Answer PsReg RegExplorer RegMon RegHandle

RegMon

1. When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____. Answer IniRecord Inidata Registry Metadata

Registry

____ are handy when you need to image the drive of a computer far away from your location or when you don't want a suspect to be aware of an ongoing investigation. Answer Scope creeps Remote acquisitions Password recovery tools Key escrow utilities

Remote acquisitions

A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks. Answer True False

True

A judge can exclude evidence obtained from a poorly worded warrant. Answer True False

True

After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. Answer True False

True

After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools. Answer True False

True

As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers. Answer True False

True

Besides presenting facts, reports can communicate expert opinion. Answer True False

True

Computing systems in a forensics lab should be able to process typical cases in a timely manner. Answer True False

True

Data streams can obscure valuable evidentiary data, intentionally or by coincidence. Answer True False

True

E-mail programs either save e-mail messages on the client computer or leave them on the server. Answer True False

True

Employees surfing the Internet can cost companies millions of dollars. Answer True False

True

For computer investigators, tracking intranet e-mail is relatively easy because the accounts use standard names established by the network or e-mail administrator. Answer True False

True

For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses. Answer True False

True

If a corporate investigator follows police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement. Answer True False

True

If a file contains information, it always occupies at least one allocation block. Answer True False

True

If a graphics file is fragmented across areas on a disk, first you must recover all the fragments to re-create the file. Answer True False

True

In the United States, there's no state or national licensing body for computer forensics examiners. Answer True False

True

____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed. Answer HTCN reports IDE reports Uniform crime reports ASCLD reports

Uniform crime reports

____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes. Answer Bitmap images Metafile graphics Vector graphics Line-art images

Vector graphics

With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data. Answer Extents overflow file Volume Bitmap Master Directory Block Volume Control Block

Volume Bitmap

During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system. Answer Windows XP Windows 9x Windows NT Windows Me

Windows 9x

____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk. Answer Drive-imaging Disk editors Workstations Write-blockers

Write-blockers

If a report is long and complex, you should provide a(n) ____. Answer appendix glossary table of contents abstract

abstract

A(n) ____ hearing generally addresses the administrative agency's subject matter and seeks evidence in your testimony on a subject for which it's contemplating making a rule. Answer administrative judicial legislative direct

administrative

A written report is frequently a(n) ____ or a declaration. Answer subpoena affidavit deposition perjury

affidavit

In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____. Answer blotter exhibit report litigation report affidavit

affidavit

Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed. Answer litigation allegation blotter prosecution

allegation

If necessary, you can include ____ containing material such as raw data, figures not used in the body of the report, and anticipated exhibits. Answer conclusions discussions references appendixes

appendixes

In the main section of your report, you typically cite references with the ____ enclosed in parentheses. Answer year of publication and author's last name author's last name author's last name and year of publication year of publication

author's last name and year of publication

In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations. Answer authorized requester authority of line line of right authority of right

authorized requester

Recovering pieces of a file is called ____. Answer carving slacking saving rebuilding

carving

The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court. Answer acquisition plan chain of custody evidence path evidence custody

chain of custody

The basic plan for your investigation includes gathering the evidence, establishing the ____, and performing the forensic analysis. Answer risk assessment nature of the case chain of custody location of the evidence

chain of custody

The most common computer-related crime is ____. Answer homicide check fraud car stealing sniffing

check fraud

In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk. Answer tracking checkpoint temporary milestone

checkpoint

The Knoppix STD tool ____ enables you to reset passwords on a Windows computer, including the administrator password Answer chntpw john oinkmaster memfetch

chntpw

E-mail messages are distributed from one central server to many connected client computers, a configuration called ____. Answer client/server architecture central distribution architecture client architecture peer-to-peer architecture

client/server architecture

Confidential business data included with the criminal evidence are referred to as ____ data. Answer commingled exposed public revealed

commingled

Sometimes opposing attorneys ask several questions inside one question; this practice is called ____ questions. Answer leading hypothetical compound rapid-fire

compound

A ____ is where you conduct your investigations, store evidence, and do most of your work. Answer forensic workstation computer forensics lab storage room workbench

computer forensics lab

The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime. Answer network intrusion detection computer investigations incident response litigation

computer investigations

Save broader generalizations and summaries for the report's ____. Answer appendixes introduction conclusion discussion

conclusion

The report's ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements. Answer abstract conclusion introduction reference

conclusion

The files that provide helpful information to an e-mail investigation are log files and ____ files. Answer batch configuration scripts .rts

configuration

In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery. Answer configuration management risk assessment recovery logging change management

configuration management

To begin conducting an investigation, you start by ____ the evidence using a variety of methods. Answer copying analyzing opening reading

copying

When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations. Answer international forensics copyright civil

copyright

In a ____ case, a suspect is tried for a criminal offense, such as burglary, murder, or molestation. Answer corporate civil criminal fourth amendment

criminal

After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____. Answer critique the case repeat the case present the case read the final report

critique the case

A ____ is a column of tracks on two or more disk platters. Answer cylinder sector track head

cylinder

For computer forensics, ____ is the task of collecting digital evidence from electronic media. Answer hashing data acquisition lossy compression lossless compression

data acquisition

The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive. Answer superblock data block boot block inode block

data block

The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are referred to as ____. Answer virtual runs metada metaruns data runs

data runs

The ____ command, works similarly to the dd command but has many features designed for computer forensics acquisitions. Answer raw bitcopy dcfldd man

dcfldd

____ is the U.S. DoD computer forensics lab's version of the dd command that comes with Knoppix-STD. Answer chntpw john memfetch dcfldd

dcfldd

Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command. Answer rawcp dd d2dump dhex

dd

The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions. Answer fdisk dd man raw

dd

A report using the ____ numbering system divides material into sections and restarts numbering with each main section. Answer roman-sequential decimal legal-sequential indent

decimal

The process of converting raw picture data to another format is referred to as ____. Answer JEIDA rastering demosaicing rendering

demosaicing

You provide ____ testimony when you answer questions from the attorney who hired you. Answer direct cross examination rebuttal

direct

The ____ is the most important part of testimony at a trial. Answer cross-examination direct examination rebuttal motions in limine

direct examination

A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing. Answer disaster recovery risk management configuration management security

disaster recovery

Remember that anything you write down as part of your examination for a report is subject to ____ from the opposing attorney. Answer subpoena discovery publishing deposition

discovery

There are two types of depositions: ____ and testimony preservation. Answer examination discovery direct rebuttal

discovery

One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex. Answer disk imager write-blocker bit-stream copier disk editor

disk editor

The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk. Answer partition-to-partition image-to-partition disk-to-disk image-to-disk

disk-to-disk

A(n) ____ is a person using a computer to perform routine tasks other than systems administration. Answer complainant user banner end user investigator

end user

Use ____ to secure and catalog the evidence contained in large computer components. Answer Hefty bags regular bags paper bags evidence bags

evidence bags

A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence. Answer evidence custody form risk assessment form initial investigation form evidence handling form

evidence custody form

A(n) ____ is a document that lets you know what questions to expect when you are testifying. Answer written report affidavit examination plan subpoena

examination plan

You can use the ____ to help your attorney learn the terms and functions used in computer forensics. Answer verbal report preliminary report final report examination plan

examination plan

It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant. Answer litigation prosecution exhibits reports

exhibits

Computer forensics examiners have two roles: scientific/technical witness and ____ witness. Answer expert direct discovery professional

expert

A(n) ____ should include all the tools you can afford to take to the field. Answer initial-response field kit extensive-response field kit forensic lab forensic workstation

extensive-response field kit

On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB). Answer volume information block extents overflow file catalog master directory block

extents overflow file

A bit-stream image is also known as a(n) ____. Answer backup copy forensic copy custody copy evidence copy

forensic copy

To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____. Answer mobile workstation forensic workstation forensic lab recovery workstation

forensic workstation

When you write your final report, state what you did and what you ____. Answer did not do found wanted to do could not do

found

You use ____ to create, modify, and save bitmap, vector, and metafile graphics files. Answer graphics viewers image readers image viewers graphics editors

graphics editors

Validate your tools and verify your evidence with ____ to ensure its integrity. Answer hashing algorithms watermarks steganography digital certificates

hashing algorithms

If you can't open an image file in an image viewer, the next step is to examine the file's ____. Answer extension name header data size

header data

Most federal courts have interpreted computer records as ____ evidence. Answer conclusive regular hearsay direct

hearsay

The simplest way to access a file header is to use a(n) ____ editor Answer hexadecimal image disk text

hexadecimal

Getting a hash value with a ____ is much faster and easier than with a(n) ____. Answer high-level language, assembler HTML editor, hexadecimal editor computer forensics tool, hexadecimal editor hexadecimal editor, computer forensics tool

hexadecimal editor, computer forensics tool

Data ____ involves changing or manipulating a file to conceal information. Answer recovery creep integrity hiding

hiding

A written preliminary report is considered a ____ document because opposing counsel can demand discovery on it. Answer low-risk middle-risk high-risk no-risk

high-risk

A ____ is a computer set up to look like any other machine on your network, but it lures the attacker to it. Answer honeywall honeypot honeynet honeyhost

honeypot

In the past, the method for expressing an opinion has been to frame a ____ question based on available factual evidence. Answer hypothetical nested challenging contradictory

hypothetical

Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____. Answer backup file firmware image file recovery copy

image file

In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period. Answer live indexed active inline

indexed

With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible. Answer bit-stream copy utility extensive-response field kit initial-response field kit seizing order

initial-response field kit

Linux is unique in that it uses ____, or information nodes, that contain descriptive information about each file or directory. Answer xnodes extnodes infNodes inodes

inodes

You begin any computer forensics case by creating a(n) ____. Answer investigation plan risk assessment report evidence custody form investigation report

investigation plan

Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure. Answer steganography key escrow password backup key splitting

key escrow

Typically, report writers use one of two numbering systems: decimal numbering or ____ numbering. Answer legal-sequential roman-sequential arabic-sequential letter-sequential

legal-sequential

Published company policies provide a(n) ____ for a business to conduct internal investigations. Answer litigation path allegation resource line of allegation line of authority

line of authority

Under copyright laws, computer programs may be registered as ____. Answer literary works motion pictures architectural works audiovisual works

literary works

If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available. Answer passive static live local

live

The ____ command displays pages from the online help manual for information on Linux commands and their options. Answer cmd hlp inst man

man

By using ____ to attract new customers or clients, you can justify future budgets for the lab's operation and staff. Answer pricing marketing budgeting changing

marketing

Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format. Answer POP3 mbox MIME SMTP

mbox

Your ____ as a computer investigation and forensics analyst is critical because it determines your credibility. Answer professional policy oath line of authority professional conduct

professional conduct

Evidence is commonly lost or corrupted through ____, which involves police officers and other professionals who aren't part of the crime scene processing team. Answer onlookers HAZMAT teams FOIA laws professional curiosity

professional curiosity

One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools. Answer proprietary raw AFF AFD

proprietary

In general, a criminal case follows three stages: the complaint, the investigation, and the ____. Answer litigation allegation blotter prosecution

prosecution

Lab costs can be broken down into daily, ____, and annual expenses. Answer weekly monthly bimonthly quarterly

quarterly

Every business or organization must have a well defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a ____ that a law or policy is being violated. Answer confirmed suspicion proof court order stating reasonable suspicion

reasonable suspicion

When analyzing digital evidence, your job is to ____. Answer recover the data destroy the data copy the data load the data

recover the data

The purpose of the ____ is to provide a mechanism for recovering encrypted files under EFS if there's a problem with the user's original private key. Answer certificate escrow recovery certificate administrator certificate root certificate

recovery certificate

In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____. Answer checked values verification evidence backup repeatable findings

repeatable findings

To complete a forensic disk analysis and examination, you need to create a ____. Answer forensic disk copy risk assessment budget plan report

report

In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored. Answer resource node blocks inodes

resource

Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses. Answer line of authority right of privacy line of privacy line of right

right of privacy

The most important laws applying to attorneys and witnesses are the ____. Answer professional codes of conduct rules of ethics rules of evidence professional ethics

rules of evidence

Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime. Answer legal safety corporate physical

safety

To preserve the integrity of evidence data, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe. Answer secure workstation secure workbench protected PC secure facility

secure facility

Leading questions such as "Isn't it true that forensics experts always destroy their handwritten notes?" are referred to as ____ questions. Answer hypothetical attorney setup nested

setup

Current distributions of Linux include two hashing algorithm utilities: md5sum and ____. Answer rcsum shasum hashsum sha1sum

sha1sum

Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer. Answer silver-tree gold-tree silver-platter gold-platter

silver-platter

Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server. Answer poisoning sniffing blocking preventing

sniffing

If your time is limited, consider using a logical acquisition or ____ acquisition data copy method. Answer lossless disk-to-disk sparse disk-to-image

sparse

One technique for extracting evidence from large systems is called ____. Answer RAID copy RAID imaging large evidence file recovery sparse acquisition

sparse acquisition

The list of problems you normally expect in the type of case you are handling is known as the ____. Answer standard risk assessment chain of evidence standard problems form problems checklist form

standard risk assessment

When preparing a case, you can apply ____ to problem solving. Answer standard programming rules standard police investigation standard systems analysis steps bottom-up analysis

standard systems analysis steps

Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example. Answer live online real-time static

static

A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock. Answer gypsum steel wood expanded metal

steel

The term ____ comes from the Greek word for"hidden writing." Answer creep steganography escrow hashing

steganography

The ____ search feature allows you to look for words with extensions such as "ing,""ed," and so forth. Answer fuzzy stemming permutation similar-sounding

stemming

In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover. Answer risk assessment reports investigation plans scope creeps subpoenas

subpoenas

When you give ____ testimony, you present this evidence and explain what it is and how it was obtained. Answer technical/scientific expert lay witness deposition

technical/scientific


संबंधित स्टडी सेट्स

Chapter 4 Mastering Biology (Bio 1030)

View Set