Guide To Computer Forensics And Investigations - All Chapter Reviews
When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be flagged __________. yellow green red orange
yellow
Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords: Last Bit AccessData PRTK OSForensics Passware
OSForensics
Which password recovery method uses every possible letter, number, and character found on a keyboard? rainbow table dictionary attack hybrid attack brute-force attack
brute-force attack
In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer. format fdisk grub diskpart
diskpart
Many commercial encryption programs use a technology called _____________, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure. key vault key escrow bump key master key
key escrow
Which of the following types of files can provide useful information when you're examining an e-mail server? .dbf files .emx files .log files .slf files
.log files
In Microsoft Outlook, what are the email storage files typically found on a client computer? .pst and .ost res1.log and res2.log PU020102.db .evolution
.pst and .ost
What kind of files are created by Exchange while converting binary data to readable text in order to prevent loss of data .txt .tmp .exe .log
.tmp
The ___ disk image file format is associated with the VirtualBox hypervisor .vmdk .had .vhd .vdi
.vdi
What format below is used for VMware images? .vhd .vmdk .s01 .aff
.vmdk
Which of the following file extensions are associated with VMware virtual machine? .vmx, .log, and .nvram .vdi, .ova, and .r0 .vmx, .r0, and .xml-prev .vbox, .vdi, and .log
.vmx, .log, and .nvram
Which of the following Linux system files contains hashed passwords for the local system? /var/log/dmesg /etc/passwd /var/log/syslog /etc/shadow
/etc/shadow
Which of the following is a new file added in macOS? (Choose all that apply). /private/var/db /private/db /var/db/diagnostics /var/db/uuid.text
/var/db/diagnostics /var/db/uuid.text
Syslog is generally configured to put all e-mail related log information into what file /usr/log/mail.log /var/log/message /proc/mail /var/log/maillog
/var/log/maillog
Where does the Postfix UNIX mail server store e-mail /home/username/mail /var/mail/postfix /var/spool/postfix /etc/postfix
/var/spool/postfix
At what offset is a prefetch file's create date & time located 0x88 0x80 0x98 0x90
0x80
In a prefetch file, the application's last access date and time are at offset ??? 0x80 0x88 0xD4 0x90
0x90
When cases go to trial, you as a forensics examiner can play one of ____ roles. 2 3 4 5
2
What's the maximum file size when writing data to a FAT32 drive?
2 GB
In FAT32, a 123-KB file uses how many sectors? 123 185 246 255
246
On a Windows system, sectors typically contain how many bytes? 256 512 1024 2048
512
If a microphone is present during your testimony, place it ____ to eight inches from you. 3 4 5 6
6
In VirtualBox, ___ different types of virtual network adapters are possible, such as AMD and Intel Pro adapters 2 4 6 8
6
Where is the snapshot database created by Google Drive located in Windows? C:/Program Files/Google/Drive C:/Users/username/AppData/Local//Google/Drive C:/Users/username/Google/Google drive C:/Google/drive
C:/Users/username/AppData/Local//Google/Drive
Select the folder below that is most likely to contain Dropbox files for a specific user C:/User/username/AppData/Dropbox C:/Dropbos C:/Users/Dropbox C:/Users/username/Dropbox
C:/Users/username/Dropbox
Within NIST guidelines for mobile forensics methods, the ______________ method requires physically removing flash memory chips and gathering information at the binary level. Chip-off Logical extraction Micro read Manual extraction
Chip-off
In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters? NTFS FAT HFSX Ext3fs
FAT
An expert's opinion is governed by ________________ and the corresponding rule in many states. FRE, Rule 705 FRE, Rule 507 FRCP 26 FRCP 62
FRE, Rule 705
The ??? tool can be used by bypass a virtual machine's hypervisor, and can be used with OpenStack Openforensics FROST WinHex ARC
FROST
An expert's opinion is governed by FRCP, Rule 26, and the corresponding rule in many states. True False
False
Any text editor can be used to read Dropbox files. True or False
False
BIOS boot firmware was developed to provide better protection against malware than EFI does developed? True or False
False
Because attorneys do not have the right of full discovery of digital evidence, it is not possible for new evidence to come to light while complying with a defense request for full discovery. True or False
False
Building a forensic workstation is more expensive than purchasing one. True or False?
False
Codes of professional conduct or responsibility set the highest standards for professionals' expected performance. True or False?
False
Commingled data isn't a concern when acquiring cloud datTrue/False
False
Committing crimes with e-mail is uncommon, and investigators are not generally tasked with linking suspects to e-mail True or False
False
Copyright laws don't apply to Web sites. True or False?
False
Data can't be written to disk with a command-line tool. True or False?
False
Digital forensics and data recovery refer to same the activities. True or False?
False
Digital forensics facilities always have windows. True or False?
False
Ethical obligations are duties that you owe only to others. True or False?
False
Evidence storage containers should have several master keys. True or False?
False
Expert witnesses are not required to submit a written report for civil cases. True False
False
FTK Imager can acquire data in a drive's host protected area. True or False?
False
Forensics tools can't directly mount VMs as external drives True or False
False
Graphics files stored on a computer can't be recovered after they are deleted. True or False?
False
Hardware acquisition tools typically have built-in software for data analysis. True or False
False
If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. True or False?
False
In an e-mail address, everything before the @ symbol represents the domain name True or False
False
In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant. True or False
False
Linux is the only OS that has a kernel. True or False?
False
Only one file format can compress graphics files. True or False?
False
Password recovery is included in all forensics tools. True/False
False
Small companies rarely need investigators. True or False?
False
The ANAB mandates the procedures established for a digital forensics lab. True or False?
False
To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations. True/False
False
Type 2 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage True or False
False
Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?
False
When acquiring a mobile device at an investigation scene, you should leave it connected to a PC so that you can observe synchronization as it takes place. True/False
False
When investigating graphics files, you should convert them into one standard format. True or False?
False
You should always answer questions from onlookers at a crime scene. True or False?
False
You should always prove the allegations made by the person who hired you. True or False?
False
You should create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your report. True or False
False
Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True False
False
What is professional conduct, and why is it important?
Professional conduct includes ethics, morals, and standards of behavior. Your professional conduct as a digital investigator is critical because it determines your credibility.
Where is the OS stored on a smartphone? RAM Microprocessor ROM Read/write flash
ROM
What should you consider when determining which data acquisition method to use?
Size of the source drive Whether the source drive is retained as evidence How long the acquisition will take Where the disk evidence is located
You can expect to find a type 2 hypervisor on what type of device? (Choose all that apply) Desktop Smartphone Tablet Network Server
Smartphone Tablet
__________________ means the tone of language you use to address the reader. Style Format Outline Prose
Style
What term refers to labs constructed to shield EMR emissions?
TEMPEST
What are the necessary components of a search warrant?
The notarized affidavit and the exhibits (evidence).
Commingling evidence means what in a private-sector setting?
True
Computer peripherals or attachments can contain DNA evidence. True or False?
True
Data blocks contain actual files and directories and are linked directly to inodes. True or False
True
Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?
True
Hard links work in only one partition or volume. True or False?
True
In the United State, the Electronic Communications Privacy Act (ECPA) describes 5 mechanisms the government can use to get electronic information from a provider True or False
True
In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. True or False?
True
In the United States, no state or national licensing body specifically licenses forensics examiners. True or False?
True
MFT stands for Master File Table. True False
True
One reason to choose a logical acquisition is an encrypted drive. True or False?
True
SIM card readers can alter evidence by showing that a message has been read when you view it? True/False
True
Search and seizure procedures for mobile devices are as important as procedures for computers. True False
True
The DomainKey identified Mail service is a way to verity the names of domains a message is flowing through and was developed as a way to cut down on spam True or False
True
The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET). True or False
True
The Pagefile.sys file on a computer can contain message fragments from instant messaging applications True or False
True
What's the main goal of a static acquisition?
If disk evidence is preserved correctly, static acquisitions are repeatable.
The honeynet Project was developed to make information widely available in an attempt to thwart internet and network attackers True or False
True
List two features NTFS has that FAT does not. MRU records and file attributes Master File Table and MRU records Unicode characters and better security MRU records and less fragmentation
Unicode characters and better security
To determine the types of operating systems needed in your lab, list two sources of information you could use.
Uniform Crime Report statistics for your area A list of cases handled in your area or at your company.
A ____________ image file containing software is intended to be bit-stream copied to floppy disks or other external media. fdisk format dd DiskEdit
dd
Hashing, filtering, and file header analysis make up which function of digital forensics tools? Validation and verification Acquisition Extraction Reconstruction
Validation and verification
Which of the following is the main challenge in acquiring an image of a system running macOS? (Choose all that apply.) Most commercial software doesn't support macOS. Vendor training is needed. The macOS is incompatible with most write-blockers. You need special tools to remove drives from a system running macOS or open its case.
Vendor training is needed. You need special tools to remove drives from a system running macOS or open its case.
Which type of report typically takes place in an attorney's office? Examination Plan Written Report Preliminary Report Verbal Report
Verbal Report
In what state is sending unsolicited email illegal Florida Washington Maine New York
Washington
Which of the following file systems can't be analyzed by OSForensics? FAT12 Ext2fs HFS+ XFS
XFS
What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds HP Helion Amazon EC2 XenServer and XenCenter Windows Management Console Cisco Cloud Computing
XenServer and XenCenter Windows Management Console
What are some risks of using tools you have created yourself? The tool might not perform reliably. The judge might be suspicious of the validity of results from the tool. You might have to share the tool's source code with opposing counsel for review. The tool doesn't generate reports in a standard format.
You might have to share the tool's source code with opposing counsel for review.
A ____ differs from a trial testimony because there is no jury or judge. rebuttal plaintiff civil case deposition
deposition
You provide ____ testimony when you answer questions from the attorney who hired you. direct cross examination rebuttal
direct
What's the Disk Arbitration feature used for in macOS?
It's used to disable and enable automatic mounting when a drive is connected via a USB or FireWire device.
The ___________________ technology is designed for GSM and Universal Mobile Telecommunications Systems (UMTS) technology, supports 45 Mbps to 144 Mbps transmission speeds. WiMAX LTE MIMO UMB
LTE
Which of the following represents known files you can eliminate from an investigation? (Choose all that apply) Any graphics files Files associated with an application System files the OS uses Any files pertaining to the company
Files associated with an application System files the OS uses
Police in the United States must use procedures that adhere to which of the following? Third Amendment Fourth Amendment First Amendment None of the above
Fourth Amendment
What does a sparse acquisition collect for an investigation?
Fragments of unallocated data in addition to the logical allocated data
What Windows Registry key contains associations for file extensions HKEY_CLASSES_ROOT HKEY_USERS HKEY_LOCAL_MACHINE HKEY_CURRENT_CONFIG
HKEY_CLASSES_ROOT
Which Registry key contains associations for file extensions? HFILE_CLASSES_ROOT HKEY_CLASSES_ROOT HFILE_EXTENSIONS HKEY_CLASSES_FILE
HKEY_CLASSES_ROOT
Select below the option that is not a typical feature of smartphones on the market today: Microprocessor Flash ROM Hard drive
Hard drive
In the Linux dcfldd command, which three options are used for validating data?
Hash Hashlog VF
Which of the NIST guidelines below requires using a modified boot loader to access RAM for analysis? Chip-off Manual extraction Hex dumping Micro read
Hex dumping
Which option below is not a disk management tool? Partition Magic Partition Master GRUB HexEdit
HexEdit
Steganography is used for which of the following purposes? Validating data Hiding data Accessing remote computers Creating strong passwords
Hiding Data
What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?
Lossless Compression
Phishing does which of the following? Uses DNS poisoning Lures users with False promises Takes people to fake websites Uses DHCP
Lures users with False promises
List two hashing algorithms commonly used for forensic purposes
MD5 and SHA-1
Which of the following is a current formatting standard for e-mail? SMTP MIME Outlook HTML
MIME
What does the Ntuser.dat file contain? File and directory names Starting cluster numbers File attributes MRU files list
MRU files list
When using graphics while testing, which of the following guidelines applies? (Choose all that apply) Make sure the jury can see your graphics Practice using charts for courtroom testimony Your exhibits must be clear and easy to understand Make sure you have plenty of extra graphics, in case you have to explain more complex supporting issues.
Make sure the jury can see your graphics Practice using charts for courtroom testimony Your exhibits must be clear and easy to understand
The manager of a digital forensics lab is responsible for which of the following? (Choose all that apply.) Making necessary changes in lab procedures and software Ensuring that staff members have enough training to do the job Knowing the lab objectives None of the above
Making necessary changes in lab procedures and software Ensuring that staff members have enough training to do the job Knowing the lab objectives
The term "via Frontend Transport" in a header indicates that the e-mail is on which of the following? UNIX server Older NetWare Server Microsoft Exchange Server Mac Server
Microsoft Exchange Server
Exchange uses and Exchange database and is based on the ???, which uses several files in different combinations to provide e-mail service Microsoft Mail Storage Engine (MSE) Microsoft Stored Mail Extension (SME) Microsoft Extended Mail Storage (EMS) Microsoft Extensible Storage Engine (ESE)
Microsoft Extensible Storage Engine (ESE)
Which component of cell communication is used to route digital packets for the network and relies on a database to support subscribers? Base station controller (BSC) Base transceiver station (BTS) Base transceiver controller (BTC) Mobile switching center (MSC)
Mobile switching center (MSC)
With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?
Newer Linux distributions automatically mount the USB device, which could alter data on it.
Describe an unethical technique opposing counsel might use to make a deposition difficult for you.
Opposing counsel might attempt to make discovery depositions physically uncomfortable. Other tactics include the attorney who has set the deposition neglecting to have payment ready for you.
Select below the option that is not common type 1 hypervisor. VMwar vSphere Microsoft Hyper-V Citirix XenServer Oracle VirtualBox
Oracle VirtualBox
Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its malicious code from antivirus tools. hashing bit-shifting registry edits slack space
bit-shifting
What's the main piece of information you look for in an email message you're investigating? Sender or receivers e-mail address Originating e-mail domain or IP address Subject line content Message number
Originating e-mail domain or IP address
E-mail administrators may make use of ???, which overwrites a log file when it reaches a specified size or at the end of a specified time frame log recycling circular logging log purging log cycling
circular logging
An ___________________ is a document that serves as a guideline for knowing what questions to expect when you're testifying. testimony procedure examination plan planned questionnaire testimony excerpt
examination plan
____ evidence is evidence that exonerates or diminishes the defendant's liability. rebuttal plaintiff inculpatory exculpatory
exculpatory
What information below is not something recorded in Google Drive's snapshot.db file modified and created times? URL pathnames file access records file SHA values and sizes
file SHA values and sizes
What command below could be used on a UNIX system to help locate log directories show log detail search find
find
What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords? salted passwords scrambled passwords indexed passwords master passwords
salted passwords
Sendmail uses which file for instructions on processing an e-mail message? sendmail.cf syslogd.conf mese.ese mapi.log
sendmail.cf
Leading questions such as "Isn't it True that forensics experts always destroy their handwritten notes?" are referred to as ____ questions. hypothetical attorney setup nested
setup
With cloud systems running in a virtual environment, ??? can give you valuable information before, during, and after an incident carving live acquisition RAM snapshot
snapshot
The Google drive file ??? contains a detailed list of a user's cloud transactions loggedtransactions.log sync_log.log transact_user.db history.db
sync_log.log
On a Unix-like system, which file specifies where to save different types of e-mail log files? maillog /var/spool/log syslog.conf log
syslog.conf
____ is a written list of objections to certain testimony or exhibits. defendant b empanelling the jury plaintiff motion in limine
motion in limine
Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony. setup open-ended compound repid-fire
open-ended
What method below is NOT an effective method for isolating a mobile device from receiving signals? placing the device into a plastic evidence bag placing the device into a paint can, preferable one previously containing radio-wave blocking paint placing the device into airplane mode turning the device off
placing the device into a plastic evidence bag
In Linux, which of the following is the home directory for the superuser? home root super /home/superuser
root
Clusters in Windows always begin numbering at what number? 1 2 3 4
2
What's the most critical aspect of digital evidence?
Validation
To trace an IP address in an email header, what type of lookup service can you use? (Choose all that apply) Intelius Inc's AnyWho online directory Verizon's http://superpages.com A Domain lookup service, such as www.arin.net, www.internic.com.,or ww.whois.net Any Web search engine
A Domain lookup service, such as www.arin.net, www.internic.com.,or ww.whois.net Any Web search engine
Which organization has guidelines on how to operate a digital forensics lab?
ANAB
What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact iNet ARIN Google ERIN
ARIN
Which of the following is an example of a written report? A search warrant An affidavit Voir Dire Any of the above
An affidavit
List three items that should be on an evidence custody form.
Any three of the following: Case number Name of the investigator assigned to the case Nature of the case Location evidence was obtained Description of the evidence
List three items that should be in your case report.
Any three of the following: An explanation of basic computer and network processes A narrative of what steps you took A description of your findings Log files generated from your analysis tools
List three items that should be in an initial-response field kit.
Any three of the following: Small computer tool kit Large capacity drive IDE ribbon cables Forensic boot media Laptop or portable computer.
List two types of digital investigations typically conducted in a business environment.
Any two of the following: Abuse or misuse of digital assets E-mail abuse Internet abuse
List two items that should appear on a warning banner.
Any two of the following: Access to this system and network is restricted. Use of this system and network is for official business only. Systems and networks are subject to monitoring at any time by the owner. Using this system implies consent to monitoring by the owner. Unauthorized or illegal users of this system or network will be subject to discipline or prosecution. Users of this system agree that they have no expectation of privacy relating to all activity performed on this system.
List two popular certification programs for digital forensics.
Any two of the following: IACIS Certification ISFCE Certification GIAC Certification EnCE Certification ACE Certification
Describe two types of ethical standards.
Any two of the following: Your internal values (ethics) The codes of professional associations you belong to The codes of certifying bodies that have granted you a certification Your employer's rules of professional conduct
The _______________ component is made up of radio transceiver equipment that defines cells and communicates with mobile phones; sometimes referred to as a "cell phone tower". Vase station controller (BSC) Mobile switching center (MSC) Base transceiver controller (BTC) Base transceiver station (BTS)
Base transceiver station (BTS)
When do zero day attacks occur? (Choose all that apply) On the day the application or OS is released Before a patch is available Before the vendor is aware of the vulnerability On the day the patch is created
Before a patch is available Before the vendor is aware of the vulnerability
Which organization provides good information on safe storage containers?
NISPOM
Block-wise hashing has which of the following benefits for forensics examiners? Allows validating sector comparisons between known files Provides a faster way to shift bits in a block or sector of data Verifies the quality of OS files Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive
Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive.
Select below the program within the Ps Tools suite that allows you to run processes remotely PsService PsPasswd PsRemote PsExec
PsExec
Which of the following cloud deployment methods typically offers no security? Hybrid Cloud Public Cloud Community cloud Private Cloud
Public Cloud
you simply specify the time frame you want to examine Tcpdstat Tcpslice Ngrep tcpdump
Tcpslice
The __________ is a good tool for extracting information from large Libpcap files. Tcpdstatb Tcpslicec Ngrepd tcpdump
Tcpslicec
Which of the following describes expert witness testimony? (Choose all that apply.) Testimony designed to assist the jury in determining matters beyond the ordinary person's scope of knowledge Testimony that defines issues of the case for determination by the jury Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience. Testimony designed to raise doubt about facts or witnesses' credibility
Testimony designed to assist the jury in determining matters beyond the ordinary person's scope of knowledge Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience.
If you're giving an answer that you think your attorney should follow up on, what should you do? Change the tone of your voice Argue with the attorney who asked the question Use an agreed-on expression to alert the attorney to follow up on the question Try to include as much information in your answer as you can.
Use an agreed-on expression to alert the attorney to follow up on the question
The ________________ technology uses the IEEE 802.16e standard and Orthogonal Frequency Division Multiple Access (OFDMA) and supports transmission speeds of 12 Mbps WiMAX CDMA UMB MIMO
WiMAX
this practice is called a ____ question. leading hypothetical compound rapid-fire
compound
E-mail headers contain which of the following information? (Choose all that apply.) The sender and receiver e-mail address An ESMTP number or reference number The e-mail servers the message traveled through to reach its destination The IP address of the receiving server e. All of the above
e. All of the above
At what layers of the OSI model do most packet analyzers function layer 1 or 2 layer 2 or 3 layer 3 or 4 layer 4 or 5
layer 2 or 3
The _________________ numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report, and each Arabic numeral is an important piece of supporting information. decimal ordered-sequential legal-sequential reverse-order
legal-sequential
__________ from both plaintiff and defense is an optional phase of the trial. Generally, it's allowed to cover an issue raised during cross-examination. rebuttal plaintiff closing arguments opening statements
rebuttal
In addition to opinions and exhibits, the ______________ must specify fees paid for the expert's services and list all other civil or criminal cases in which the expert has testified. verbal report informal report written report preliminary report
written report
In older versions of exchange, what type of file was responsible for massages formatted with Messaging Application Programming Interface, and served as the database file .ost edp .edb .edi
.edb
What file type below, associated with VMWare, stores VM paging files that are used as RAM for a virtual machine .nvram .vmen .vmpage .vmx
.vmen
Which option below is the correct path to the sendmail configuration file /var/etc/sendmail.cf /var/mail/sendmail.cf /usr/local/sendmail.cf /etc/mail/sendmail.cf
/etc/mail/sendmail.cf
On a UNIX system, where is a user's mail stored by default /var/mail /var/log/mail /username/mail /home/username/mail
/home/username/mail
On most Linux systems, current user login information is in which of the following locations? /var/log/dmesg /var/log/wmtp /var/log/usr /var/log/utmp
/var/log/utmp
Jurors typically average just over ____ years of education and an eighth-grade reading level. 9 10 11 12
12
The SANS Investigative Forensics Toolkit (SIFT) appliance can currently only be installed on what version of Ubuntu 12.04 13.11 14.04 14.11
12.04
Within Windows Vista and later, partition gaps are _____________ bytes in length. 64 128 256 512
128
How many words should be in the abstract of a report? 50 to 100 words 100 to 150 words 150 to 299 words 200 to 250 words
150 to 299 words
If your CV (curriculum vitae) is more than __________ months old, you probably need to update it to reflect new cases and additional training. 2 3 4 5
3
How many sectors are typically in a cluster on a disk drive? 1 2 or more 4 or more 8 or more
4 or more
SD cards have a capacity up to which of the following? 100 MB 4 MB 64 GB 500 MB
64 GB
What frequencies can be used by GSM with the TDMA technique 1200 to 1500 MHz 2.4 GHz to 5.0 GHZ 600 to 1000 MHz 800 to 1000 MHZ
800 to 1000 MHZ
The National Software Reference Library provides what type of resources for digital forensics examiners? A list of digital forensics tools that make examinations easier A list of MD5 and SHA1 hash values for all known OSs and applications Reference books and materials for digital forensics A repository for software vendors to register their developed applications
A list of MD5 and SHA1 hash values for all known OSs and applications
Your curriculum vitae is which of the following? (Choose all that apply) A necessary tool to be an expert witness A generally required document to be made available before your testimony A detailed record of your experience, education, and training Focused on your skills as they apply to the current case
A necessary tool to be an expert witness A generally required document to be made available before your testimony A detailed record of your experience, education, and training
What is the motion in limine? A motion to discuss the case THe movement of molecules in a random fashion A pretrial motion for the purpose of excluding certain evidence A pretrial motion to revise the case schedule
A pretrial motion for the purpose of excluding certain evidence
What's a hashing algorithm?
A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk
Hard links are associated with which of the following? Dot notation A specific inode An absolute path to a file Hidden files
A specific inode
The term TDMA refers to which of the following? (Choose all that apply) A technique of dividing a radio frequencies so that multiple users share the same channel A proprietary protocol developed by Motorola A specific cellular network standard A technique of spreading the signal across many channels
A technique of dividing a radio frequencies so that multiple users share the same channel A specific cellular network standard.
Which of the following is not a valid source for cloud forensics training Sans Cloud Forensics with F-Response A+ Security INFOSEC Intitute (ISC)2 Certified Cyber Forensics Professional
A+ Security
What are two advantages and disadvantages of the raw format?
Advantages faster data transfer speeds ignores minor data errors most forensics analysis tools compatibility. Disadvantages requires equal or greater target disk space doesn't contain hash values in the raw file (metadata) might have to run a separate hash program to validate raw format data might not collect marginal (bad) blocks.
An expert witness can give an opinion in which the following situations. The opinion, inferences, or conclusions depend on a special knowledge, skills, or training not within the ordinary experience of lay people The witness is shown to be qualified as a True expert in the field The witness testifies to a reasonable degree of certainty (probability) about his or her opinion, inference, or conclusion. All of the above
All of the above
Building a business case can involve which of the following? Procedures for gathering evidence Testing software Protecting trade secrets All of the above
All of the above
Logging options on many email servers can be: Disabled by the administrator Set up in a circular logging configuration Configured to a specified size before being overwritten All of the above
All of the above
Policies can address rules for which of the following? When you can log on to a company network from home The Internet sites you can or can't access The amount of personal e-mail you can send Any of the above
All of the above
What are two concerns when acquiring data from a RAID server?
Amount of data storage needed Type of RAID server Whether the acquisition tool can handle RAID acquisitions Whether the analysis tool can handle RAID data Whether the analysis tool can split RAID data into separate disk drives, making it easier to distribute large data sets
List four steps you should take, in the correct order, to handle a deposition in which physical circumstances are uncomfortable.
Ask the attorney to correct the situation. If the situation is not corrected, note these conditions into the record, and repeat noting them as long as the conditions persist. After you have noted the problem into the record, you can refuse to continue with the deposition. Generally, you should consult with an attorney before taking this step. If you think the behavior was serious enough that you can justify refusing to continue, consider reporting the attorney to his/her state bar association.
What letter should be typed into DiskEdit in order to mark a good sector as bad? M B T D
B
What information is _NOT_ in an e-mail header? (Choose all that apply) Blind copy (Bcc) addresses Internet addresses Domain name Contents of the message e. Type of e-mail server used to send the email
Blind copy (Bcc) addresses Contents of the message
For which of the following reasons should you wipe a target drive? To ensure the quality of digital evidence you acquire To make sure unwanted data isn't retained on the drive Neither Both
Both
Explain the differences in resource and data forks used in macOS.
Both contain a file's resource map and header information, window locations, and icons. The data fork stores a file's actual data, however, and the resource fork contains file metadata and application information.
When working for a prosecutor, what should you do if the evidence you found appears to be exculpatory and isn't being released to the defense? Keep the information on file for later review Bring the information to the attention of the prosecutor, then his or her supervisor and finally to the judge (the court) Destroy the evidence Five the evidence to the defense attorney
Bring the information to the attention of the prosecutor, then his or her supervisor and finally to the judge (the court)
If a suspect computer is running Windows 10, which of the following can you perform safely? Browsing open applications Disconnecting power Either of the above None of the above
Browsing open applications
How does macOS reduce file fragmentation?
By using clumps, which are groups of contiguous allocation blocks. As a file increases in size, it occupies more of the clump. Volume fragmentation is kept to a minimum by adding more clumps to larger files.
What digital network technology was developed during World War II? TDMA CDMA GSM iDEN
CDMA
For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you're constantly enhancing your skills through training, teaching, and experience. testimony CV (curriculum vitae) examination plan deposition
CV (curriculum vitae)
When validating the results of a forensic analysis, you should do which of the following? (Choose all that apply.) Calculate the hash value with two different tools. Use a different tool to compare the results of evidence you find. Repeat the steps used to obtain the digital evidence, using the same tool,and recalculate the hash value to verify the results. Use a command-line tool and then a GUI tool.
Calculate the hash value with two different tools Use a different tool to compare the results of evidence you find
Which of the following categories of information is stored on a SIM card? (Choose all that apply.) Volatile Memory Call data Service-related data None of the above
Call data Service-related data
List two features common with proprietary format acquisition files.
Can compress or not compress the acquisition data Can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD Case metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files
What do you call a list of people who have had physical possession of the evidence?
Chain of Custody
When you access your email, what type of computer architecture are you using? Mainframe and minicomputers Domain Client/Server None of the above
Client/server
The __________ is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy agreements, security measures, questionnaires, and more. OpenStack Framework Alliance Cloud Security Advisory Panel Cloud Security Alliance Cloud Architecture Group
Cloud Security Alliance
Forensic software tools are grouped into ____________ and _______________ applications.
Command-line & GUI
Sometimes opposing attorneys ask several questions inside one question; this practice is called a __________ question.
Compund
Describe what should be videotaped or sketched at a digital crime scene.
Computers, cable connections, overview of scene—anything that might be of interest to the investigation
When writing a report, what's the most important aspect of formatting? A neat appearance Size of the font Clear use of symbols and abbreviations Consistency
Consistency
If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? Coordinate with the HAZMAT team. Determine a way to obtain the suspect's computer. Assume the suspect's computer is contaminated. Do not enter alone.
Coordinate with the HAZMAT team Assume the suspect's computer is contaminated
Before testifying, you should do which of the following? (Choose all that apply) Create an examination plan with your attorney. Make sure you've been paid for your services and the estimated fee for the deposition or trial. Get a haircut Type all the draft notes you took during your investigation
Create an examination plan with your attorney. Make sure you've been paid for your services and the estimated fee for the deposition or trial.
What digital network technology is a digital version of the original analog standard for cell phones? GSM CDMA iDEN D-AMPS
D-AMPS
What are the two states of encrypted data in a secure cloud? RC4 and RC5 CRC-32 and UTF-16 Homomorphic and AES Data in motion and data at rest
Data in motion and data at rest
With remote acquisitions, what problems should you be aware of? (Choose all that apply.) Data transfer speeds Access permissions over the network Antivirus, antispyware, and firewall programs The password of the remote computer's user
Data transfer speeds Access permissions over the network Antivirus, antispyware, and firewall programs
List three subfunctions of the extraction function.
Data viewing keyword sharing carving bookmarking decrypting decompressing
Which e-mail recovery program below can recover files from VMware and VirtualPC virtual machines, as well as ISOs and other types of file backups Fookes Aid4mail DataNumen Outlook Repair EnCase Forensics AccessData FTK
DataNumen Outlook Repair
The process of converting raw images to another format is called which of the following? Data conversion Transmogrification Transfiguring Demosaicing
Demosaicing
What are some ways to determine the resources needed for an investigation?
Determine the OS of the suspect computer List the necessary software to use for the examination.
When you perform an acquisition at a remote location, what should you consider to prepare for this task?
Determine whether there's enough electrical power and lighting and check the temperature and humidity at the location
_______________ is the process of opposing attorneys seeking information from each other. Subpoena Warranting Discovery Digging
Discovery
Maintain eye contact with the jury Pay close attention to what your attorney is objecting to. Pay close attention to opposing counsel's questions. Answer opposing counsel's questions as briefly as is practical
During your cross-examination, you should do which of the following? (Choose all that apply) Maintain eye contact with the jury Pay close attention to what your attorney is objecting to. Help the attorneys, judge, and jury in understanding the case, even if you have to go a bit beyond the scope of your expertise Pay close attention to opposing counsel's questions. Answer opposing counsel's questions as briefly as is practical
When searching a victim's computer for a crime committed with a specific email, what provides information for determining the emails originator? (Choose all that apply) E-mail header Username and password Firewall log All of the above
E-mail header Firewall log
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.
EnCase SafeBack SnapCopy
Which forensics tools can connect to a suspect's remote computer and run surreptitiously?
EnCase Enterprise ProDiscover Incident Response
Why is physical security so critical for digital forensics labs?
Evidence integrity
Explain how to identify an unknown graphics file format that your digital forensics tool doesn't recognize.
Examine a copy of the file with a hexadecimal editor to find the hex code for the first several bytes of the file.
Which service below does not put log information into /var/log/maillog SMTP Exchange IMAP POP
Exchange
Of all the proprietary formats, which one is the unofficial standard?
Expert Witness
Which forensic image file format creates or incorporates a validation hash value in the image file? (Choose all that apply) Expert Witness SMART AFF dd
Expert Witness SMART AFF
Automated tools help you collect and report evidence, but you're responsible for doing which of the following? Explaining your formatting choices Explaining the significance of the evidence Explaining in detail how the software works All of the above
Explaining the significance of the evidence
Which of the following rules or laws requires an expert to prepare and submit a report? FRCP 26 FRE 801 Neither Both
FRCP 26
What kind of information do fact witnesses provide during testimony? (Choose all that apply) Their professional opinion on the significance of evidence Definitions of issues to be determined bu the founder of the fact Facts only Observations of the results of tests they performed.
Facts only Observations of the results of tests they performed.
A JPEG file is an example of a vector graphic. True or False?
False
A forensic workstation should always have a direct broadband connection to the Internet. True or False?
False
A live acquisition can be replicated. True or False?
False
A search warrant can be used in any kind of case, either civil or criminal True or False
False
After you shift a file's bits, the hash value remains the same. True/False
False
All expert witnesses must be members of associations that license them. True or False?
False
An Internet e-mail is generally part of a local network, and is maintained and managed by an administrator for internal use by a specific company True or False
False
Because mobile phones are seized at the time of arrest, a search warrant is not necessary to examine the device for information. True False
False
In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False?
False
Like a job resume, your CV (curriculum viate) should be geared for a specific trial. True False
False
Most Code Division Multiple Access networks conform to IS-95. The systems are referred to as CDMAOne, and when they went to 3G service, they became CDMAThree True False
False
The Sysinternals Handle utility shows only file system activity, but does not show what processes are using files on the file system. True or False
False
The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect. True or False
False
The plain view doctrine in computer searches is well-established law. True or False?
False
EFS can encrypt which of the following? Files, folders, and volumes Certificates and private keys The global Registry Network servers
Files, folders, and volumes
The Known File Filter (KFF) can be used for which of the following purposes? (Choose all that apply) Filter known program file from view Calculate hash values of image files Compare hash values of known files with evidence files Filter out evidence that doesn't relate to our investigation
Filter known program file from view Filter out evidence that doesn't relate to our investigation
Hash values are used for which of the following purposes? (Choose all that apply.) Determining file size Filtering known good files from potentially suspicious data Reconstructing file fragments Validating that the original data hasn't changed
Filtering known good files from potentially suspicious data Validating that the original data hasn't changed
Select the program below that can be used to analyze mail from Outlook, Thunderbird, and Eudora AccessData FTK DataNumen R-Tools R-Mail Fookes Aid4Mail
Fookes Aid4Mail
The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery; the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in which it belongs", was established in what court case? Daubert v. Merrell Dow Pharmaceuticals, Inc Smith v. United States Frye v. United States Dillon v. United States
Frye v. United States
In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters Slow-NetworkAdapters Query-ipconfig Get-VMNetworkAdapter Dump-Betconfig
Get-VMNetworkAdapter
In order to retrieve logs from exchange, the Powershell cmdlet __________ can be used. GetExchangeLogs.psl GetLogInfo.psl ShowExchangeHistrory.psl GetTransactionLogStats.psl
GetTransactionLogStats.psl
What standard introduced sleep mode to enhance battery life, and is used with TDMA? IS-99 IS-140 IS-136 IS-95
IS-136
Most Code Division Multiple Access (CDMA) networks conform to ____________ , created by the Telecommunications Industry Association (TIA). TS-95 802.11 IS-95 IS-136
IS-95
List three organizations that have a code of ethics or conduct.
ISFCE IACIS AMA APA ABA
The standards for testing forensics tools are based on which criteria? U.S. Title 18 ASTD 1975 ISO 17025 All of the above
ISO 17025
What organization is responsible for the creation of the requirements for carriers to be considered 4G? IEEE ITU-R ISO TIA
ITU-R
What should you do if you realize you have made a mistake or misstatement during a deposition? (Choose all that apply) If the deposition is still in session, refer back to the error and correct it. Decide weather the error is minor, and if so, ignor it If the deposition if over, make the correction on the corrections page of the copy provided for your signature Call the opposing attorney and inform him of your mistake or misstatement e. Request an opportunity to make the correction at trial.
If the deposition is still in session, refer back to the error and correct it. If the deposition if over, make the correction on the corrections page of the copy provided for your signature
A layered network defense strategy puts the most valuable data where? In the DMZ In the outermost layer In the innermost layer None of the above
In the innermost layer
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
Initial-response kit
What methods do steganography programs use to hide data in graphics files? (Choose all that apply.) Insertion Substitution Masking Carving
Insertion Substitution
Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation? Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly. Criminal investigation because law enforcement agencies have more resources at their disposal Internal corporate investigation because corporate investigators typically have ready access to company records. Internal corporate investigation because ISPs almost always turn over email and access logs when requested by a large corporation
Internal corporate investigation because corporate investigators typically have ready access to company records.
What methods are used for digital watermarking? (Choose all that apply.) Implanted subroutines that link to a central Web server automatically when the watermarked file is accessed Invisible modification of the LSBs in the file Layering visible symbols on top of the image Using a hex editor to alter the image data
Invisible modification of the LSBs in the file Layering visible symbols on top of the image
What are the major improvements in the Linux Ext4 file system?
It added support for partitions larger than 16 TB, improved management of large files, and offered a more flexible approach to adding file system features.
What purpose does making your own recording during a deposition serve? It shows the court reporter that you don't trust him or her. It assists you with reviewing the transcript of the deposition. It allows you to review your testimony with your attorney during breaks. It prevents opposing counsel from intimidating you.
It allows you to review your testimony with your attorney during breaks.
What are the three rules for a forensic hash?
It can't be predicted No two files can have the same hash value If the file changes, the hash value changes
Which of the following statements about the legal-sequential numbering system in report writing is True? It's favorable because it's easy to organize and understand It's most effective for shorter reports It doesn't indicate the relative importance of information It's required for reports submitted in federal court
It doesn't indicate the relative importance of information
What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?
It enables you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive.
The ___ tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network sniffers, and freeware forensics tools Kali Linux Ubuntu OSForensics Sleuth Kit
Kali Linux
To recover a password in macOS, which tool do you use? Finder PRTK Keychain Access Password Access
Keychain Access
Which of the following techniques might be used in covert surveillance? Keylogging Data sniffing Network logs All of the above
Keylogging Data sniffing
The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to filter known program files from view and contains the hash values of known illegal files. DeepScan Filter Unknown File Filter (UFF) Known File Filter (KFF) FTK Hash Imager
Known File Filter (KFF)
Externally enforced ethical rules, with sanctions that can restrict a professional's practice, are more accurately described as which of the following? Laws Objectives A higher calling All of the above.
Laws
Packet analyzers examine what layers of the OSI model? Layers 2 and 4 Layers 4 through 7 Layers 2 and 3 All layers
Layers 2 and 3
The ___ is the version of Pcap available for Linux based operating systems Wincap Libcap Tcpcap Netcap
Libcap
Bitmap (.bmp) files use which of the following types of compression? WinZip Lossy Lzip Lossless
Lossless
A JPEG file uses which type of compression? WinZip Lossy Lzip Lossless
Lossy
Metadata in a prefetch file contains an application's ??? times in UTC format and a counter of how many times the application has run since the prefect file was created startup / access log event ACL MAC
MAC
Which of the following relies on a central database that tracks across data, location data and subscriber information? BTS MSC BSC None of the above
MSC (Mobile Switching Center)
The NSA's defense in depth (DiD) strategy contains three modes of protection. Which option below is not one of the three modes People Technology Operations Management
Management
What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and taking pictures? Manual extraction Chip-off Micro read Logical extraction
Manual extraction
Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? Most companies keep inventory databases of all hardware and software used. The investigator doesn't have to get a warrant. The investigator has to get a warrant. Users can load whatever they want on their machines.
Most companies keep inventory databases of all hardware and software used.
Some clues left on a drive that might indicate steganography include which of the following? (Choose all that apply.) Multiple copies of a graphics file Graphics files with the same name but different file sizes Steganography programs in the suspect's All Programs list Graphics files with different timestamps
Multiple copies of a graphics file Graphics files with the same name but different file sizes Steganography programs in the suspect's All Programs list
The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but does not list hash values of known illegal files. Open Hash Database HashKeeper Online National Hashed Software Referenced. National Software Reference Library
National Software Reference Library
What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses? tcpdump Argus Ngrep Tcpslice
Ngrep
One of the most noteworthy e-mail scams was 419, otherwise known as the ??? Nigerian Scam Lake Venture Scam Conficker virus Iloveyou Scam
Nigerian Scam
In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/sha1
No. This command reads the image_file.img file and writes it to the evidence drive's /dev/hda1 partition. The correct command is dcfldd if=/dev/hda1 of=image_file.img.
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive? 5% 10% 15% None of the above
None of the above
Which of the following Windows 8 files contains user-specific information? User.dat Ntuser.dat System.dat SAM.dat
Ntuser.dat
Areal density refers to which of the following? Number of bits per disk Number of bits per partition Number of bits per square inch of a disk platter Number of bits per platter
Number of bits per square inch of a disk platter
In JPEG files, what's the starting offset position for the JFIF label? Offset 0 Offset 2 Offset 6 Offset 4
Offset 6
What does a logical acquisition collect for an investigation?
Only specific files of interest to the case
Which of the following is the standard format for filed reports in electronically in federal courts? Word Excel PDF HTML e. Any of the above
The tcpdump and Wireshark utilities both use what well known packet capture format Netcap Pcap Packetd RAW
Pcap
Nonvolatile memory on a mobile device can contain OS files and stored user data, such as a __________________ and backed-up files. Professional Data Holder Personal Assistant Organizer Personal Data Manager Personal Information Manager
Personal Information Manager
What items should your business plan include?
Physical security items, such as evidence lockers Number of machines are needed What OSs your lab commonly examines Why you need certain software How your lab will benefit the company (such as being able to quickly exonerate employees or discover whether they're guilty)
The most reliable way to ensure that jurors recall testimony is to do which of the following? Present evidence using oral testimony supported by hand gestures and facial expressions Present evidence combining oral testimony and graphics that support the testimony Wear bright colored clothing to attract juror's attention Emphasize your points with humorous anecdotes e. Memorize your testimony carefully
Present evidence combining oral testimony and graphics that support the testimony
List three obvious ethical errors.
Presenting false or altered data. Reporting work that was not done. Ignoring available contradictory data. Working beyond your expertise or competence. Failing to report a possible conflict of interest. Reaching a conclusion before you have done complete research.
The verification function does which of the following? Proves that a tool performs as intended Creates segmented files Proves that two sets of data are identical via hash values Verifies hex editors
Proves that two sets of data are identical via hash values
Rainbow tables serve what purpose for digital forensics examinations? Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords. Rainbow tables are a supplement to the NIST NSRL library of hash tables. Rainbow tables are designed to enhance the search capability of many digital forensics examination tools. Rainbow tables provide a scoring system for probable search terms.
Rainbow tables contain computed hashes of possible passwords that some password- recovery programs can use to crack passwords.
Which of the following is not a type of peripheral memory card used in PDAs? Secure Digital (SD) Compact Flash (CF) Multimedia Card (MMC) RamBus (RB)
RamBus (RB)
Name the three formats for digital forensics data acquisitions.
Raw Format Proprietary Formats Advanced Forensic Format (AFF)
The reconstruction function is needed for which of the following purposes? (Choose all that apply.) Re-create a suspect drive to show what happened. Create a copy of a drive for other investigators. Recover file headers. Re-create a drive compromised by malware.
Re-create a suspect drive to show what happened. Create a copy of a drive for other investigators. Re-create a drive compromised by malware.
List three sound reasons for offering a different opinion from one you testified to in a previous case.
Recent developments in technology. New tools with new capabilities. The facts of the current case being distinguishable from a previous case.
When you carve a graphics file, recovering the image depends on which of the following skills? Recovering the image from a tape backup Recognizing the pattern of the data content Recognizing the pattern of the file header content Recognizing the pattern of a corrupt file
Recognizing the pattern of the file header content
A log report in forensics tools does which of the following? Tracks file types Monitors network intrusion attempts Records an investigator's actions in examining a case Lists known good files
Records an investigator's actions in examining a case
When you begin a conversation with an attorney about a specific case, what should you do? (Choose all that apply.) Ask to meet with the attorney. Answer his or her questions in as much detail as possible. Ask who the parties in the case are. Refuse to discuss details until a retainer agreement is returned.
Refuse to discuss details until a retainer agreement is returned.
Typically, a(n) __________ lab has a separate storage area or room for evidence.
Regional
Remote wiping of a mobile device can result in which of the following? (Choose all that apply) Removing account information Enabling GPS beacon to track the thief Returning the phone to the original factory settings Deleting contacts
Removing account information Returning the phone to the original factory settings Deleting contacts
What three items should you research before enlisting in a certification program?
Requirements Cost Acceptability in your chosen area of employment.
When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do? Search available log files for any forwarded messages Restore the e-mail server from a backup Check the current database files for an existing copy of the email Do nothing because after the file has been deleted, it can no longer be recovered.
Restore the e-mail server from a backup
The report generator in ProDiscover defaults to ______________________, which can be opened by most word processors. HyperText Markup Language (HTML) Rich Text Format (RTF) Extensible Markup Language (XML) Microsoft Word document format
Rich Text Format (RTF)
In which of the following cases did the U.S. Supreme Court require using a search warrant to examine the contents of mobile devices? Miles v. North Dakota Smith v. Oregon Riley v. California Dearborn v. Ohio
Riley v California
GSM refers to mobile phones as "mobile stations" and divides a station into two parts, the __________ and the mobile equipment (ME). antenna SIM card radio transceiver
SIM card
In a ___ attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server with established connections smurf SYN flood spoof ghost
SYN flood
Evidence of cloud access found on a smartphone usually means which cloud service level was in use? IaaS HaaS PaaS SaaS
SaaS
What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing Amazon EC2 IBM Cloud Salesforce HP Helion
Salesforce
If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords? There are no concerns because salting doesn't affect password-recovery tools. Salting can make password recovery extremely difficult and time consuming. Salting applies only to OS startup passwords, so there are no serious concerns for examiners. The effect on the computer's CMOS clock could alter files' date and time values.
Salting can make password recovery extremely difficult and time consuming.
Digital pictures use data compression to accomplish which of the following goals? (Choose all that apply.) Save space on a hard drive. Provide a crisp and clear image. Eliminate redundant data. Produce a file that can be e-mailed or posted on the Internet.
Save space on a hard drive. Produce a file that can be e-mailed or posted on the Internet.
Which of the following describes fact testimony? Scientific or technical testimony describing information recovered during an examination Testimony by law enforcement officers Testimony based on observations by lay witnesses None of the above
Scientific or technical testimony describing information recovered during an examination
Which of the following describes the superblock's function in the Linux file system? (Choose all that apply.) Stores bootstrap code Specifies the disk geometry and available space Manages the file system, including configuration information Contains links between inodes
Specifies the disk geometry and available space Manages the file system, including configuration information
Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider? (Choose all that apply) Subpoenas with prior notice Temporary restraining orders Search warrants Court orders
Subpoenas with prior notice Search warrants Court orders
What expressions are acceptable to use in testimony to respond to a question for which you have no answer? (Choose all that apply) No Comment That's beyond the scope of my expertise I don't want to answer that questino I was not requested to investigate that e. That is beyond the scope of my investigation
That's beyond the scope of my expertise I was not requested to investigate that e. That is beyond the scope of my investigation
According to ISO standard 27037, which of the following is an important factor in data acquisition? (Choose all that apply.) The DEFR's competency The DEFR's skills in using the command line Use of validated tools Conditions at the acquisition setting
The DEFR's competency Use of validated tools
Which of the following certifies when an OS meets UNIX requirements? IEEE UNIX Users Group The Open Group SUSE Group
The Open Group
In steganalysis, cover-media is which of the following? The content of a file used for a steganography message The type of steganographic method used to conceal a message The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file A specific type of graphics file used only for hashing steganographic files
The file a steganalysis tool uses to host a hidden message, such as a JPEG or an MP3 file
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? The file can no longer be encrypted. EFS protection is maintained on the file. The file is unencrypted automatically. Only the owner of the file can continue to access it.
The file is unencrypted automatically.
When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented? Inventory and documentation information should be stored on a drive and then the drive should be reformatted. Start the suspect's computer and begin collecting evidence. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS. Connect the suspect's computer to the local network so that up to date forensics utilities can be utilized.
The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
In answering a question about the size of a hard drive, which of the following responses is appropriate? (Choose all that apply.) It's a very large hard drive. The technical data sheet indicates it's a 3 terabyte hard drive. It's a 3 terabyte hard drive configured with 2.78 terabytes of accessible storage. I was unable to determine the drive size because it was so badly damaged.
The technical data sheet indicates it's a 3 terabyte hard drive. It's a 3 terabyte hard drive configured with 2.78 terabytes of accessible storage. I was unable to determine the drive size because it was so badly damaged.
this is what you'd expect to see. The drive is formatted incorrectly
There's a hidden partition
Which of the following is true of most drive-imaging tools? (Choose all that apply.) They perform the same function as a backup. They ensure that the original drive doesn't become corrupt and damage the digital evidence. They create a copy of the original drive They must be run from the command line.
They ensure that the original drive doesn't become corrupt and damage the digital evidence They create a copy of the original drive
Which of the following is true about JPEG and TIF files? They have identical values for the first 2 bytes of their file headers. They have different values for the first 2 bytes of their file headers. They differ from other graphics files because their file headers contain more bits. They differ from other graphics files because their file headers contain fewer bits.
They have different values for the first 2 bytes of their file headers.
Why should you critique your case after it's finished?
To determine what improvements you made during each case, what could have been done differently, and how to apply those lessons to future cases.
Why is it a good practice to make two images of a suspect drive in a critical investigation?
To ensure at least one good copy of the forensically collected data in case of any failures
For what purpose have hypothetical questions traditionally been used in litigation? To frame the factual context of rendering an expert witness's opinion. To define the case issues for the finder of fact to determine To stimulate discussion between consulting expert and expert witnesses To deter a witness from expanding the scope of his or her investigation beyond the case requirements. e. All of the above
To frame the factual context of rendering an expert witness's opinion.
What's the purpose of maintaining a network of digital forensics specialists?
To have the option of calling on diversified specialists to help with a case.
Why should you do a standard risk assessment to prepare for an investigation?
To list the problems you normally expect in the type of case you're handling.
Why should evidence media be write-protected?
To make sure the data isn't altered.
When you arrive at the scene, why should you extract only those items you need to acquire evidence?
To minimize how much you have to keep track of at the scene
What's the purpose of an affidavit?
To provide a sworn statement of support of facts about evidence of a crime this is submitted to a judge with the request for a search warrant before seizing evidence.
Router logs can be used to verify what types of email data? Message content Content of Attached files Tracking flows through e-mail server ports Finding blind copies
Tracking flows through email server ports
A forensic image of a VM includes all snapshots. True/False
True
A report can provide justification for collecting more evidence and be used at a probable cause hearing. True False
True
A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT. True False
True
Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific files or sectors. True or False
True
All email headers contain the same types of information. True/False
True
Amazon was an early provider of Web-based services that eventually developed into the cloud concept. True or False
True
An employer can be held liable for e-mail harassment. True or False?
True
An image of a suspect drive can be loaded on a virtual machine. True False
True
As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers. True False
True
As an expert witness, you have opinions about what you have found or observed. True False
True
CHS stands for cylinders, heads, and sectors. True False
True
Device drivers contain instructions for the OS on how to interface with hardware devices. True False
True
Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or False?
True
EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?
True
File and directory names are some of the items stored in the FAT database. True False
True
For digital evidence, an evidence bag is typically made of antistatic material. True or False?
True
If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?
True
If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?
True
If you were a lay witness at a previous trail. You shouldn't list that case in your written report. True/False
True
In NTFS, files smaller than 512 bytes are stored in the MFT. True False
True
Internet e-mail accessed with a Web brower leaves files in temporary folders. True/False
True
One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is essential for presenting evidence in court. True or False
True
Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise. True False
True
Specially trained system and network administrators are often a CSP's first responders True or False
True
Specially trained system and network administrators are often a CSP's first responders. True False
True
Tcpslice can be used to retrieve specific timeframes of packet captures. True/False?
True
Technical terms, if included in a report, should be defined in ordinary language such that lawyers, judges, and jurors can understand them. True False
True
The advantage of recording hash values is that you can determine whether data has changed. True or False
True
The capability of type 1 hypervisors is limited only by the amount of available RAM, storage, and throughput True or False
True
The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False
True
The multitenancy nature of cloud environments means conflicts in private laws can occur. True/False
True
The primary hashing algorithm the NSRL project uses is SHA-1. True or False?
True
The use of smart phones for illicit activities is becoming more prevalent. True False
True
To see Google Drive synchronization files, you need a SQL viewer. True/False
True
Typically, you need a search warrant to retrieve information from a service provider. True/False
True
Voir dire is the process of qualifying a witness as an expert. True or False?
True
When investigating social media content, evidence artifacts can vary, depending on the social media channel and the device. True/False
True
When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False?
True
When viewing a file header, you need to include hexadecimal information to view the image. True or False?
True
While travelling internationally with a GSM phone, you can pop in a SIM card for the country you're currently in, rather than get a new phone. True False
True
You can view e-mail headers in Notepad with all popular e-mail clients. True/False
True
Large digital forensics labs should have at least ___ exits.
Two
Virtual Machine Extension (VMX) are part of which of the following? Type 1 hypervisors Type 2 hypervisors Intel Virtualized Technology AMD Virtualized Technology
Type 2 hypervisor
What is the space on a drive called when a file is deleted? Disk space Unallocated space Drive space None of the above
Unallocated space
What processor instruction set is required in order to utilize virtualization software AMD-VT Intel VirtualBit Virtual Machine Extensions (VMX) Virtual HardwareExtensions (VHX)
Virtual Machine Extensions (VMX)
Virtual machines have which of the following limitations when running on a host computer? Internet connectivity is restricted to virtual Web sites. Applications can be run on the virtual machine only if they're resident on the physical machine. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. Virtual machines can run only OSs that are older than the physical machine's OS.
Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.
Which of the following is a clue that a virtual machine has been installed on a host system? Network Logs Virtual network adapter Virtualization Software USB Drive
Virtual network adapter
What virtual machine software supports all Windows and Linux OSs as well as Macintosh and Solaris, and is provided as shareware? KVM Parallels Microsoft Virtual PC VirtualBox
VirtualBox
Which of the following is NOT a service level for the cloud Platform as a service Infrastructure as a service Virtualization as a service Software as a service
Virtualization as a service
The triad of computing security includes which of the following? Detection, response, and monitoring Vulnerability assessment, detection, and monitoring Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation Vulnerability assessment, intrusion response, and monitoring
Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation
When should a temporary restraining order be requested for cloud environment? When cloud customers need immediate access to their data To enforce a court order When anti-forensics techniques are suspected When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case.
When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case.
Contingency fees can be used to compensate an expert under which circumstances? When the expert is too expensive to compensate at the hourly rate When the expert is willing to accept a contingency fee arrangement When the expert is acting only as a consultant, not a witness All of the above
When the expert is acting only as a consultant, not a witness
In forensic hashes, when does a collision occur?
When two different files have the same hash value
As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? You begin to take orders from a police detective without a warrant or subpoena. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. Your internal investigation begins. None of the above.
You begin to take orders from a police detective without a warrant or subpoena.
Which of the following describes plist files? (Choose all that apply.) You must have a special editor to view them. They're found only in Linux file systems. They're preference files for applications. They require special installers.
You must have a special editor to view them. They're preference files for applications.
At trial as a fact or expert witness, what must you always remember about your testimony? You're responsible for the outcome of the case Your duty is to report your technical or scientific findings or render an honest opinion Avoid mentioning how much you were paid for your services All of the above
Your duty is to report your technical or scientific findings or render an honest opinion
As with any research paper, write the ___________________ last. appendix body acknowledgements abstract
abstract
If a report is long and complex, you should include a(n) _____________. appendix abstract glossary table of contents
abstract
Discuss any potential problems with your attorney ____ a deposition. before after during during direct examination at
before
The ________________ section of a report starts by referring to the report's purpose, states the main points, draws conclusions, and possibly renders an opinion. body conclusion appendix reference
conclusion
___ is an attempt by opposing attorneys to prevent you from serving on an important case. conflict of interest warrant deposition conflicting out
conflicting out
A ??? is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities court order temporary restraining order warrant subpoena
court order
What type of Facebook profile is usually only given to law enforcement with a warrant private profile advanced profile basic profile d.Neoprint profile
d.Neoprint profile
A report using the _________________ system divides material into sections and restarts numbering with each main section. numerically ordered hierarchical decimal numbering number formatted
decimal numbering
The ____ is the most important part of testimony at a trial. cross-examination direct examination rebuttal motions in limine
direct examination
There are two types of depositions: ____ and testimony preservation. examination discovery direct rebuttal
discovery
The ??? Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system read_filejournal filetx.log filecache.dbx filecache.dll
filecache.dbx
Validate your tools and verify your evidence with __________ to ensure its integrity. hashing algorithms watermarks steganography digital certificates
hashing algorithms
On what mobile device platform does Facebook use a SQLite database containing friends, their ID numbers, and phone numbers as well as files that tracked all uploads, including pictures? Android Blackberry Windows RT iPhone
iPhone
In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely. keygrabber keylogger packet capture protocol analyzer
keylogger
it's accessed through the application's Web interface configuration manager management plane backdoor programming language
management plane
Select the file below that is used in VirtualBox to create a virtual machine .vdi .vbox .r0 ova
ova
When writing a report, group related ideas and sentences into ___________________, chapters sections paragraphs separate reports
paragraphs
To reduce the time it takes to start applications, Microsoft has created ??? files, which contain the DLL pathnames and metadata used by application temp cache config prefetch
prefetch
What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in coming to those opinions? rule 24 rule 35 rule 36 rule 26
rule 26
The ??? utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook fixmail.exe scanpst.exe repairpst.exe rebuildpst.exe
scanpst.exe
The goal of recovering as much information as possible can result in __________, in which an investigation expands beyond the original description because of unexpected evidence found. litigation scope creep criminal charges violations
scope creep
Which of the following is NOT one of the five mechanisms the government can use to get electronic information from a provider search warrants subpoenas court orders seizure order
seizure order
If a preliminary report is written, destroying the preliminary report after the final report is complete could be considered ______________. proper data security spoliation beneficial necessary
spoliation
The Suni Munshani v. Singal Lake Venture Fund II, LP et al case is an example of a case that involves e-mail ??? destruction spamming spoofing theft
spoofing
The term for detecting and analyzing steganography files is _________________. carving steganology steganalysis steganomics
steganalysis
Regarding a trial, the term ____ means rejecting potential jurors. voir dire rebuttal strikes venireman
strikes
Which is not a valid method of deployment for a cloud community public targeted private
targeted
The ___ command line program is a common way of examining network traffic, which provides records of network activity while it is running, and produce hundreds of thousands of records netstat ls ifconfig tcpdump
tcpdump
When you give __________ testimony, you present this evidence and explain what it is and how it was obtained. technical/scientific expert lay witness deposition
technical/scientific
How you format _____________ is less important than being consistent in applying formatting. words text paragraphs sections
text
What information is not typically included in an e-mail header? the sender's physical location the originating IP address the unique ID of the e-mail the originating domain
the sender's physical location
Lawyers may request _________________ of previous testimony by their own potential experts to ensure that the experts haven't previously testified to a contrary position. warrants transcripts subpoenas evidence
transcripts
In VirtualBox, a(n) ______ file contains settings for virtual hard drives. .vox-prev .ovf .vbox .log
vbox
A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to secure the information contained inside. compiler shifter macro script
macro
