475 Exam 1: 1-6
What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume?
$LogFile
The ProDiscover utility makes use of the proprietary _______________ file format.
.eve
What hexadecimal code below identifies an NTFS file system in the partition table?
07
A Master Boot Record (MBR) partition table marks the first partition starting at what offset?
0x1BE
At what distance can the EMR from a computer monitor be picked up?
1/4 mile
When was the Freedom of Information Act originally enacted?
1960s
What is the maximum amount of time computing components are designed to last in normal business operations?
24 months
By what percentage can lossless compression reduce image file size?
50%
A typical disk drive stores how many bytes in a single sector?
512
When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action?
80 degrees or higher
In general, what would a lightweight forensics workstation consist of?
A laptop computer built into a carrying case with a small selection of peripheral options
What kind of forensic investigation lab best preserves the integrity of evidence?
A secure facility
What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?
A warrant
Which term refers to an accusation or supposition of fact that a crime has been committed and is made by the complainant, based on the incident?
Allegation
What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?
An affidavit
Which type of kit should include all the tools the investigator can afford to take to the field?
An extensive-response field kit
What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible?
An initial-response field kit
Where should your computer backups be kept?
An off-site facility
What term refers to the individual who has the power to conduct digital forensic investigations?
Authorized requester
What program serves as the GUI front end for accessing Sleuth Kit's tools?
Autopsy
The ReFS storage engine uses a __________ sort method for fast access to large data sets.
B+-tree
What option below is an example of a platform specific encryption tool?
BitLocker
In what process is the acquisition of newer and better resources for investigation justified?
Building a business case
When federal courts are evaluating digital evidence from computer-generated records, what exception is applied to hearsay?
Business-records exception
What is the goal of the NSRL project, created by NIST?
Collect known hash values for commercial software and OS files using SHA hashes.
When confidential business data are included with the criminal evidence, what are they referred to as?
Commingled data
Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?
Computer Analysis and Response Team
What type of records are considered data that the system maintains, such as system log files and proxy server logs?
Computer-generated
What process refers to recording all the updates made to a workstation?
Configuration management
At a minimum, what do most company policies require that employers have in order to initiate an investigation?
Confirmed suspicion that a law or policy is being violated.
Which Pacific Northwest agency meets to discuss problems that digital forensics examiners encounter?
Criminal
A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?
Data recovery
Which of the following is stated within the ISO 27037 standard?
Digital Evidence First Responders should use validated tools.
Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?
Digital investigations
What is the most common and flexible data-acquisition method?
Disk-to-image file copy
What term refers to a person using a computer to perform routine tasks other than systems administration?
End user
How frequently does IACIS require recertification to demonstrate continuing work in the field of computer forensics?
Every 2 years
What hex value is the standard indicator for jpeg graphics files?
FF D8
Which group often works as part of a team to secure an organization's computers and networks?
Forensics investigators
What organization was created by police officers in order to formalize credentials for digital investigators?
IACIS
Which agency introduced training on software for forensics investigations by the early 1990s?
IACIS
Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes?
Investigating and controlling the scene is much easier in private sector environments.
What must be done, under oath, to verify that the information in the affidavit is true?
It must be notarized.
The __________ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface.
Kali
What algorithm is used to decompress Windows files?
Lempel-Ziv
What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?
Live
What type of acquisition is used for most remote acquisitions?
Live
What does Autopsy use to validate an image?
MD5
What is most often the focus of digital investigations in the private sector?
Misuse of digital assets
In addition to FAT16, FAT32, and Resilient File System, which file system can Windows hard disks also use?
NTFS
What tool below was written for MS-DOS and was commonly used for manual digital investigations?
Norton DiskEdit
In what temporary location below might passwords be stored?
Pagefile.sys
What type of evidence do courts consider evidence data in a computer to be?
Physical
Without a warning banner, what right might employees assume they have when using a company's computer systems and network accesses?
Privacy
What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest?
Probable cause
The presence of police officers and other professionals who aren't part of the crime scene-processing team may result in the loss or corruption of data through which process?
Professional curiosity
Which type of format acquisition leaves the investigator unable to share an image between different vendors' computer forensics analysis tools?
Proprietary
What is the third stage of a criminal case, after the complaint and the investigation?
Prosecution
Methods for restoring large data sets are important for labs using which type of servers?
RAID
Which RAID configuration, also called mirrored striping, is a combination of RAID 1 and RAID 0?
RAID 10
Which RAID configuration offers the greatest access speed and most robust data recovery capability?
RAID 5
In addition to RAID 0, what type of RAID configuration is available for Windows XP, 2000, and NT servers and workstations?
RAID1
What is the purpose of the reconstruction function in a forensics investigation?
Re-create a suspect's drive to show what happened during a crime or incident
What registry file contains user account management and security settings?
SAM.dat
In addition to environmental issues, what issues are the investigator's primary concerns when working at the scene to gather information about an incident or a crime?
Safety
In what mode do most write-blockers run?
Shell mode
What registry file contains installed programs' settings and associated usernames and passwords?
Software.dat
If your time is limited, what type of acquisition data copy method should you consider?
Sparse
What type of acquisition is typically done on a computer seized during a police raid?
Static
What material is recommended for secure storage containers and cabinets?
Steel
When an investigator seeks a search warrant, which of the following must be included in an affidavit to support the allegation of a crime?
Subpoena
During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. What did the U.S. Department of Defense call this special computer-emission shielding?
TEMPEST
What does the MFT header field at offset 0x00 contain?
The MFT record identifier FILE
At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?
The digital forensics lab
When using the File Allocation Table (FAT), where is the FAT database typically written to?
The outermost track
Under what circumstances are digital records considered admissible?
They are business records
What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive?
TrueCrypt
Which of the following is not a valid configuration of Unicode?
UTF-64
What reports are generated at the local, state, and federal levels to show the types and frequency of crimes committed?
Uniform crime reports
_______________ proves that two sets of data are identical by calculating hash values or using another similar method.
Verification
What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult?
Whole disk encryption
Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks?
Zone Bit Recording (ZBR)
The physical data copy subfunction exists under the ______________ function.
acquisition
How frequently should floors and carpets in the computer forensic lab be cleaned to help minimize dust that can cause static electricity?
at least once a week
Reconstructing fragments of files that have been deleted from a suspect drive, is known as ____________ in North America.
carving
What term below describes a column of tracks on two or more disk platters?
cylinder
What command works similarly to the dd command but has many features designed for computer forensics acquisitions?
dcfldd
What command creates a raw format file that most computer forensics analysis tools can read?
dd
When performing disk acquisition, the raw data format is typically created with the UNIX/Linux _____________ command.
dd
The ___________ command inserts a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry.
delete
Which of the following commands creates an alternate data stream?
echo text > myfile.txt:stream_name
What command below can be used to decrypt EFS files?
efsrecvr
Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDCX), and memory sticks:
exFAT
A keyword search is part of the analysis process within what forensic function?
extraction
What term is used to describe a disk's logical structure of platters, tracks, and sectors?
geometry
The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System.
hive
Addresses that allow the MFT to link to nonresident files are known as _______________.
logical cluster numbers
Which of the following options is not a subfunction of extraction?
logical data copy
. In addition to md5sum, which hashing algorithm utility is included with current distributions of Linux?
sha1sum
Passwords are typically stored as one-way _____________ rather than in plaintext.
variables