Unit 1

Digital Forensics

A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?

Reasonable suspicion that a law or policy is being violated

At a minimum, what do most company policies require that employers have in order to initiate an investigation?

1/2 mile

At what distance can the EMR from a computer monitor be picked up?

Monthly, quarterly, and annually

At what levels should lab costs be broken down?

The digital forensics lab

At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?

requires the time and skills necessary to support the chosen hardware.

Building your own forensics workstation:

50%

By what percentage can lossless compression reduce image file size?

USB 2.0/3.0

Devices used to prevent data from being written to a disk can connect to a computer through FireWire, SATA, PATA, and SCSI controllers as well as which other type of controller?

TEMPEST

During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. What did the U.S. Department of Defense call this special computer-emission shielding?

TIF

From which file format is the image format XIF derived

ZBR

How do most manufacturers deal with a platter's inner tracks having smaller circumference than its outer tracks?

Every 3 years

How frequently does IACIS require recertification to demonstrate continuing work in the field of computer forensics?

at least once a week

How frequently should floors and carpets in the computer forensics lab be cleaned to help minimize dust that can cause static electricity?

As literary works

How may computer programs be registered under copyright laws?

Examining the file header data

If a graphics file cannot be opened in an image viewer, what should the next step be?

dir

In Windows 2000 and later, which command shows you the file owner if you have multiple users on a system or network?

NTFS

In addition to FAT16, FAT32, and Resilient File System, which file system can windows hard disks also use?

RAID 1

In addition to RAID 0, what type of RAID configuration is available for windows XP, 2000, and NT servers and workstations?

safety

In addition to environmental issues, what issues are the investigator's primary concerns when working at the scene to gather information about an incident or a crime?

sha1sum

In addition to md5sum, which hashtag algorithm utility is included with current distributions of Linux?

1024

In the NTFS MFT, all files and folders are stored in separate records of how many bytes each?

Exif

In what format are most digital photographs stored?

Building a business case

In what process is the acquisition of newer and better resources for investigation justified?

RAID 0

In which RAID configuration do two or more disk drives become one large volume, so the computer views the disks as a single disk?

RAID 15

In which RAID configuration offers the greatest access speed and the most robust data recovery capability?

RAID 10

In which RAID configuration, also called mirrored striping, is a combination of RAID 1 and RAID 0?

password dictionary

Many password recovery tools have a feature for generating potential password lists for which type of attack?

RAID

Methods for restoring large data sets are important for labs using which type of servers?

An older Windows or MS-DOS system

Power should not be cut during an investigation involving a love computer, unless it is what type of system?

data runs

The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. What are these cluster addresses called?

IBM

The first MS-DOS tools that analyzed and extracted data from floppy disks and hard disks were used with which type of PC file systems?

professional curiosity

The presence of police officers and other professionals who are not part of the crime scene-processing team may result in the loss or corruption of data through which process?

They are business records

Under what circumstances are digital records considered admissible?

Certified Computer Forensic Technician, Basic

What HTCN certification level requires candidates have three years of experience in computing investigations for law enforcement or corporate cases?

dd

What Linux command is used to create the raw data format?

Hyperdata, Metadata, Infodata

What are records in the MFT called?

dd

What command creates a raw format file that most computer forensics analysis tools can read?

man

What command displays pages from the online help manual for information on Linux commands and their options?

dcfldd

What command works similarly to the dd command but has many features designed for computer forensics acquisitions?

Device Drivers

What contains instructions for the OS for hardware devices, such as the keyboard, mouse, and video card?

Whole Disk Encryption

What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult?

A warrant

What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?

Line of authority

What do published company policies provide for a business that enables them to conduct internal investigations?

A portable workstation

What do you call a forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation?

MD5

What does Autopsy use to validate an image?

an affidavit

What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?

Virtual Machine

What enables the user to run another OS on an existing physical computer by emulating a computer's hardware environment?

Professional conduct

What investigator characteristic, which includes ethics, morals, and standards of behavior, determines the investigator's credibility?

steg tools

What is another term for steganalysis tools?

misuse of digital assets

What is most often the focus of digital investigations in the private sector?

MFT

What is on an NTFS disk immediately after the Partition Boot Sector?

Sniffing data transmissions between a suspect's computer and network server.

What is required for real-time surveillance of a suspect's computer activity?

Write-blockers

What is the general term for software or hardware that is used to protect evidence disks by preventing data from being written to them?

36 months

What is the maximum amount of time computing components are designed to last in normal business hours?

Disk-to-image file copy

What is the most common and flexible data-acquisition method?

EFS

What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced?

SHA-1

What is the primary hash algorithm used by the NIST project created to collect all known hash values for commercial software and OS files?

Demosaicing

What is the process of converting raw picture data to another format called?

Use a hexadecimal editor

What is the simplest way to access a file header?

prosecution

What is the third stage of a criminal case, after the complaint and the investigation?

secure facility

What kind of forensic investigation lab best preserves the integrity of evidence?

Vector Graphics

What kinds of images are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes?

Steel

What material is recommended for secure storage containers and cabinets?

A report

What must be created to complete a forensic disk analysis and examination?

It must be notarized

What must be done, under oath, to verify that the information in the affidavit is true?

DriveSpace

What older Microsoft disk compression tool eliminates only slack disk space between files?

IACIS

What organization was created by police officers in order to formalize credentials for digital investigators?

Configuration management

What process refers to recording all the updates made to a workstation?

Uniform crime reports

What reports are generated at the local, state, and federal levels to show the types and frequency of crimes committed?

Boot.ini

What specifies the Windows XP path installation and contains options for selecting the Windows version?

probable cause

What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest?

Steganography

What technique has been used to protect copyrighted material by inserting digital watermarks into a file?

Linux Live CDs

What term refers to Linux ISO images that can be burned to a CD or DVD?

cylinder

What term refers to a column of tracks on two or more disk platters?

End user

What term refers to a person using a computer to perform routine tasks other than systems administration?

carving

What term refers to recovering fragments of a file?

authorized requester

What term refers to the individual who has the power to conduct digital forensic investigations?

areal density

What term refers to the number of bits in one square inch of a disk platter?

Graphics editors

What tools are used to create, modify, and save bitmap, vector and metafile graphics?

Live

What type of acquisition is used for most remote acquisitions?

SPARC

What type of disk is commonly used with Sun Solaris systems?

physical

What type of evidence do courts consider evidence data in a computer to be?

Event Logs

What type of files might lose essential network activity records if power is terminated without proper shutdown?

An extensive-response field kit

What type of kit should include all the tools the investigator can afford to take to the field?

Copyright

What type of laws should computer investigators be especially aware of when working with image files in order to avoid infringement violations?

Disaster Recovery

What type of plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing?

computer-stored records

What type of records are considered data that the system maintains, such as system log files and proxy server logs?

A warning banner

What usually appears when a computer starts or connects to the company intranet, networks, or VPN and informs end users that the organization reserves the right to inspect computer systems and network traffic at will?

An initial-response field kit

What will allow the investigator to arrive at the scene, acquire the needed data, and return to the lab as quickly as possible?

The registry

When Microsoft created Windows 95, into what were initialization (.ini) files consolidated?

Exhibits

When an investigator seeks a search warrant, which of the following must be included in an affidavit to support the allegation of a crime?

commingled data

When confidential business data are included with the criminal evidence, what are they referred to as?

Business Records Exception

When federal courts are evaluating digital evidence from computer-generated records, what exception is applied to hearsay?

80 degrees or higher

When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action?

US DOJ

When seizing computer evidence in criminal investigations, which organization's standards should be followed?

1960s

When was the Freedom of Information Act originally enacted?

An image file

Where do software forensic tools copy data from a suspect's disk drive?

An off-site facility

Where should your computer backups be kept?

JPEG

Which JFIF format has a hexadecimal value of FFD8 FFE0 in the first four bytes?

CFTT

Which NIST project manages research on froensics tools?

CTIN

Which Pacific Northwest agency meets to discuss problems that digital forensics examiners encounter?

FAT

Which acronym refers to the file structure database that Microsoft originally designed for floppy disks?

NTFS

Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?

Risk management

Which activity involves determining how much risk is acceptable for any process or operation?

Filtering

Which activity involves sorting and searching through investigation findings to separate good data and suspicious data?

IACIS (International Association of Computer Investigative Specialists)

Which agency introduced training on software for forensics investigations by the early 1990s?

recovery certificate

Which certificate provides a mechanism for recovering files encrypted with EFS if there is a problem with the user's original private key?

Insertion

Which data-hiding technique places data from the secret file into the host file without displaying the secret data when the host file is viewed in its associated program?

Substitution

Which data-hiding technique replaces bits of the host file with other bits of data?

Tableau T35es-R2 SATA/IDE eSATA bridge

Which digital forensics tool is categorized as a single-purpose hardware component?

Silver Platter Doctrine

Which doctrine, found to be unconstitutional, was used to allow a civilian or private-sector investigative agent to deliver evidence obtained in a manner that violated the Fourth Amendment to a law enforcement agency?

NIST

Which entity publishes articles, provides tools, and creates procedures for testing and validating computer forensics software?

Computer Analysis and Response Team (CART)

Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?

Ntdetect.com

Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr?

User32.sys

Which filename refers to a core Win32 subsystem DLL file?

Ntdll.dll

Which filename refers to the Windows XP system service dispatch stubs to executable functions and internal support functions?

NTBootdd.sys

Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that are not related to the BIOS?

Ntkrnlpa.exe

Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM?

Digital investigations

Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?

Forensics investigators

Which group often works as part of a team to secure an organization's computers and networks?

XIF

Which header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 6E 64 20 03?

Bitmap

Which images store graphics information as grids of pixels?

Investigating and controlling the scene is much easier in private sector environments

Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes?

forums and blogs

Which resource can be helpful when investigating older and unusual computing systems?

ISO 5725

Which standards document demands accuracy for all aspects of the testing process?

Sparse acquisition

Which technique can be used to extracting evidence from large systems?

Steganography

Which term refers to a data-hiding technique that uses host files to cover the contents of a secret message?

Allegation

Which term refers to an accusation or supposition of fact that a crime has been committed and is made by the complainant, based on the incident?

Magnet AXIOM

Which tool enables the investigator to acquire the forensic image and process it in the same step?

criminal

Which type of case involves charges such as burglary, murder, or molestation?

Lossy

Which type of compression compresses data permanently by discarding bits of information in the file?

Disk-to-image

Which type of copy from the suspect disk to a target location does the simplest method of duplicating a disk drive make?

disk editor

Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format?

"A"

Which uppercase letter has a hexadecimal value of 41?

Privacy

Without a warning banner, what right might employees assume they have when using a company's computer systems and network accesses?

sparse

if your time is limited, what type of acquisition data copy method should you consider?

hash

what option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512?

Live

which type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?

static

which type of acquisition is typically done on a computer seized during a police raid?

Proprietary

which type of format acquisition leaves the investigator unable to share an image between different vendors' computer forensics analysis tools?