Guide to Computer Forensics and Investigations CH 9-16
What format below is used for VMware images? - .s01 - .vhd - .vmdk - .aff
.vmdk
Syslog is generally configured to put all e-mail related log information into what file? - /proc/mail - /var/log/maillog - /var/log/messages - /usr/log/mail.log
/var/log/maillog
At what offset is a prefetch file's create date & time located? - 0x88 - 0x98 - 0x80 - 0x90
0x80
The SANS Investigative Forensics Toolkit (SIFT) appliance can currently only be installed on what version of Ubuntu? - 14.11 - 12.04 - 13.11 - 14.04
12.04
Within Windows Vista and later, partition gaps are _____________ bytes in length. - 512 - 128 - 64 - 256
128
On NTFS drives, Unicode values are how many bits in length? - 16 bits - 8 bits - 32 bits - 64 bits
16 bits
If a microphone is present during your testimony, place it ____ to eight inches from you. - 6 - 5 - 4 - 3
6
FRE ____ describes whether basis for the testimony is adequate. - 702 - 703 - 701 - 700
703
Currently, expert witnesses testify in more than __ percent of trials. - 92 - 80 - 55 - 76
80
____ offers the most comprehensive regulations of any professional organization and devote an entire section to forensics activities. - AMA's law - APA's Ethics Code - ABA's Model Rule - ABA's Model Codes
APA's Ethics Code
What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact? - Google - ERIN - iNet - ARIN
ARIN
Within NIST guidelines for mobile forensics methods, the ______________ method requires physically removing flash memory chips and gathering information at the binary level. - Manual extraction - Micro read - Logical extraction - Chip-off
Chip-off
What digital network technology is a digital version of the original analog standard for cell phones? - D-AMPS - CDMA - iDEN - GSM
D-AMPS
_______________ is the process of opposing attorneys seeking information from each other. - Discovery - Subpoena - Warranting - Digging
Discovery
An expert's opinion is governed by ________________ and the corresponding rule in many states. - FRE, Rule 507 - FRCP 62 - FRE, Rule 705 - FRCP 26
FRE, Rule 705
The ______________ tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack - OpenForensics - FROST - WinHex - ARC
FROST
Because mobile phones are seized at the time of arrest, a search warrant is not necessary to examine the device for information. (T or F)
False
Expert opinions cannot be presented without stating the underlying factual basis. (T or F)
False
Forensics tools can't directly mount VMs as external drives. (T or F)
False
In an e-mail address, everything before the @ symbol represents the domain name. (T or F)
False
In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant. (T or F)
False
Like a job resume, your CV should be geared for a specific trial. (T or F)
False
The Sysinternals Handle utility shows only file system activity, but does not show what processes are using files on the file system. (T or F)
False
The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery; the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in which it belongs", was established in what court case? - Daubert v. Merrell Dow Pharmaceuticals, Inc. - Dillon v. United States - Smith v. United States - Frye v. United States
Frye v. United States
Which option below is not a disk management tool? - GRUB - Partition Master - HexEdit - Partition Magic
HexEdit
____ questions can give you the factual structure to support and defend your opinion. - Compound - Setup - Hypothetical - Rapid-fire
Hypothetical
The ___________________ technology is designed for GSM and Universal Mobile Telecommunications Systems (UMTS) technology, supports 45 Mbps to 144 Mbps transmission speeds. - UMB - WiMAX - LTE - MIMO
LTE
Exchange uses an Exchange database and is based on the _______________________, which uses several files in different combinations to provide e-mail service. - Microsoft Extensible Storage Engine (ESE) - Microsoft Mail Storage Engine (MSE) - Microsoft Extended Mail Storage (EMS) - Microsoft Stored Mail Extensions (SME)
Microsoft Extensible Storage Engine (ESE)
What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses? - Argus - tcpdump - Tcpslice - Ngrep
Ngrep
The tcpdump and Wireshark utilities both use what well known packet capture format? - Packetd - RAW - Netcap - Pcap
Pcap
Nonvolatile memory on a mobile device can contain OS files and stored user data, such as a __________________ and backed-up files. - Personal Information Manager - Personal Assistant Organizer - Personal Data Manager - Professional Data Holder
Personal Information Manager
Where is the OS stored on a smartphone? - Microprocessor - ROM - RAM - Read/write flash
ROM
Which of the following is not a type of peripheral memory card used in PDAs? - Compact Flash (CF) - Secure Digital (SD) - RamBus (RB) - MultiMediaCard (MMC)
RamBus (RB)
GSM refers to mobile phones as "mobile stations" and divides a station into two parts, the __________ and the mobile equipment (ME). - radio - SIM card - antenna - transceiver
SIM card
In a __________ attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server with established connections. - ghost - spoof - smurf - SYN flood
SYN flood
What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing? - Amazon EC2 - IBM Cloud - Salesforce - HP Helion
Salesforce
The goal of recovering as much information as possible can result in ________________, in which an investigation expands beyond the original description because of unexpected evidence found. - violations - scope creep - litigation - criminal charges
Scope Creep
The ___________________ is a good tool for extracting information from large Libpcap files; you simply specify the time frame you want to examine. - Tcpslice - Tcpdstat - tcpdump - Ngrep
Tcpslice
Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific files or sectors. (T or F)
True
As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers. (T or F)
True
One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is essential for presenting evidence in court. (T or F)
True
Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise. (T or F)
True
Technical terms, if included in a report, should be defined in ordinary language such that lawyers, judges, and jurors can understand them. (T or F)
True
The DomainKeys Identified Mail service is a way to verify the names of domains a message is flowing through and was developed as a way to cut down on spam. (T or F)
True
The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network attackers. (T or F)
True
The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET). (T or F)
True
The advantage of recording hash values is that you can determine whether data has changed. (T or F)
True
What processor instruction set is required in order to utilize virtualization software? - Intel VirtualBit - Virtual Hardware Extensions (VHX) - Virtual Machine Extensions (VMX) - AMD-VT
Virtual Machine Extensions (VMX)
In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous contact with an opposing party? - Tidemann v. Toshiba Corp - Wang Laboratories, Inc. v. Toshiba Corp - Tidemann v. Nadler Golf Car Sales, Inc. - Hewlett-Packard Co. v. EMC Corp
Wang Laboratories, Inc. v. Toshiba Corp
In what state is sending unsolicited e-mail illegal? - New York - Maine - Washington - Florida
Washington
Discuss any potential problems with your attorney ____ a deposition. - after - during - during direct examination at - before
before
E-mail administrators may make use of _________________, which overwrites a log file when it reaches a specified size or at the end of a specified time frame. - circular logging - log cycling - log purging - log recycling
circular logging
Sometimes opposing attorneys ask several questions inside one question; this practice is called a ____ question. - compound - rapid-fire - leading - hypothetical
compound
The ________________ section of a report starts by referring to the report's purpose, states the main points, draws conclusions, and possibly renders an opinion. - conclusion - reference - appendix - body
conclusion
A ________________ is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities. - temporary restraining order - court order - warrant - subpoena
court order
A report using the _________________ system divides material into sections and restarts numbering with each main section. - hierarchical - number formatted - numerically ordered - decimal numbering
decimal numbering
A ____ differs from a trial testimony because there is no jury or judge. - plaintiff - civil case - deposition - rebuttal
deposition
Attorneys search ____ for information on expert witnesses. - cross-examination banks - examination banks - deposition banks - disqualification banks
deposition banks
You provide ____ testimony when you answer questions from the attorney who hired you. - cross - examination - direct - rebuttal
direct
There are two types of depositions: ____ and testimony preservation. - discovery - examination - rebuttal - direct
discovery
The __________________ Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system. - read_filejournal - filetx.log - filecache.dbx - filecache.dll
filecache.dbx
A _________________ is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed through the application's Web interface. - configuration manager - programming language - backdoor - management plane
management plane
What method below is not an effective method for isolating a mobile device from receiving signals? - placing the device into a plastic evidence bag - placing the device into airplane mode - placing the device into a paint can, preferably one previously containing radio-wave blocking paint - turning the device off
placing the device into a plastic evidence bag
The _______________ utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook. - repairpst.exe - fixmail.exe - rebuildpst.exe - scanpst.exe
scanpst.exe
Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider? - court orders - subpoenas - seizure order - search warrants
seizure order
With cloud systems running in a virtual environment, _______________ can give you valuable information before, during, and after an incident. - snapshot - live acquisition - carving - RAM
snapshot
The term for detecting and analyzing steganography files is _________________. - carving - steganomics - steganology - steganalysis
steganalysis
The Google drive file _________________ contains a detailed list of a user's cloud transactions. - loggedtransactions.log - transact_user.db - history.db - sync_log.log
sync_log.log
When you give ____ testimony, you present this evidence and explain what it is and how it was obtained. - technical/scientific - expert - deposition - lay witness
technical/scientific
Lawyers may request _________________ of previous testimony by their own potential experts to ensure that the experts haven't previously testified to a contrary position. - transcripts - warrants - subpoenas - evidence
transcripts
In addition to opinions and exhibits, the ______________ must specify fees paid for the expert's services and list all other civil or criminal cases in which the expert has testified. - preliminary report - written report - informal report - verbal report
written report
Which of the following options would represent a valid retainer? - complete discussion of an ongoing case - 2 to 8 hours of your usual billable rate - dissemination of evidence - a verbal agreement
2 to 8 hours of your usual billable rate
Which service below does not put log information into /var/log/maillog? - POP - Exchange - SMTP - IMAP
Exchange
In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters? - Query-ipconfig - Get-VMNetworkAdapter - Dump-Netconfig - Show-NetworkAdapters
Get-VMNetworkAdapter
Select below the option that is not a typical feature of smartphones on the market today: - ROM - Flash - Microprocessor - Hard drive
Hard drive
Which password recovery method uses every possible letter, number, and character found on a keyboard? - dictionary attack - rainbow table - brute-force attack - hybrid attack
brute-force attack
When converting plain text to hexadecimal for use with ProDiscover, you need to place ____________ between each character's hexadecimal values. - space (A0) values - blank (00) values - null (FF) values - null (00) values
null (00) values
When writing a report, group related ideas and sentences into ___________________. - sections - separate reports - paragraphs - chapters
paragraphs
What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in coming to those opinions? - rule 35 - rule 24 - rule 36 - rule 26
rule 26
The Suni Munshani v. Signal Lake Venture Fund II, LP et al case is an example of a case that involves e-mail ____________. - spoofing - destruction - spamming - theft
spoofing
