Chapter 14
Older versions of Internet Explorer store web browsing information in a file called index.dat. True or False
True
The Windows Registry contains a list of USB devices that have been connected to the machine. True or False
True
The Windows Registry lists USB devices that have been connected to the machine. True or False
True
The chain of custody accounts for the handling of evidence from the moment of seizure until it is presented in court, and documents that handling. True or False
True
Windows logging can be turned on and off with a tool called auditpol.exe. True or False
True
Mahmoud is using a range of Windows utilities to extract information from a computer he is triaging. He has just used the Openfiles command. The command Openfiles shows what? a. Any shared files that are opened b. Any files that are opened c. Any files open with ADS d. Any system files that are opened
a. Any shared files that are opened
In Linux the command to set up a target forensics server to receive a copy of a drive is dd. True or False
False
Most Windows logs are turned on automatically. True or False
False
The Windows command fc lists all active sessions to the computer. True or False
False
netstat is a command you can use with a forensic copy of a machine to compare two files. True or False
False
Frequently the first responder to a computer crime is the network administrator. True or False
True
In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court? a. Chain of custody b. Policy of separation c. Rules of evidence d. Law of probability
a. Chain of custody
In Windows the log that contains events collected from remote computers is the ____________ log. a. Forwarded Events b. Application c. Applications and services d. System
a. Forwarded Events
Pedro is examining a Windows 7 computer. He has extracted the index.dat file and is examining it. What is in the index.dat file? a. General Internet history, file browsing history, and so on for a Windows machine b. All web history for Firefox c. General Internet history, file browsing history, and so on for a Linux machine d. Internet Explorer information
a. General Internet history, file browsing history, and so on for a Windows machine
Why should you note all cable connections for a computer you want to seize as evidence? a. In case other devices were connected b. To know what peripheral devices exist c. To know what outside connections existed d. To know what hardware existed
a. In case other devices were connected
If you fail to handle evidence properly ___________. a. It may be unusable in court. b. You will be part of crime. c. Law enforcement may not look at it. d. You may damage the hard drive.
a. It may be unusable in court.
Usually, the first thing you do to a computer to prevent further tampering is to _________. a. Take it offline b. Lock it in a secure room c. Make a copy d. Make a backup
a. Take it offline
What is the name of the standard Linux command, also available as a Windows application, that can be used to create bitstream images and make a forensic copy? a. dd b. MD5 c. mcopy d. image
a. dd
Using Linux to back up your hard drive, if you want to create a hash, you would use the command-line command ___________. a. md5sum b. nd c. dd d. cc
a. md5sum
Ian is performing a forensic examination on a Linux server. He is trying to recover emails. Where does Linux store email server logs? a. /etc/log/mail.* b. /var/log/mail.* c. /mail/log/mail.* d. /server/log/mail.*
b. /var/log/mail.*
_______ is a free tool that can be used to recover Windows files. a. Outlook b. Disk Digger c. FileRecover d. SearchIt
b. Disk Digger
In Windows, the log that stores events from a single application or component rather than events that might have system wide impact is the ____________ log. a. ForwardedEvents b. System c. Applications and services d. Application
c. Applications and services
Documentation of every person who had access to evidence, how they interacted with it, and where it was stored is called the ________________. a. Hiking trail b. Audit trail c. Chain of custody d. Forensic trail
c. Chain of custody
"Interesting data" is what? a. Pornography b. Documents, spreadsheets, and databases c. Data relevant to your investigation d. Schematics or other economic-based information
c. Data relevant to your investigation
You may use Linux to make a ______________ of the hard drive. a. New version b. Screen shot c. Forensically valid copy d. Bootable copy
c. Forensically valid copy
Using Linux to wipe the target drive, the command-line command would be ___________. a. cc b. nd c. dd d. md5sum
c. dd
Windows stores information on web addresses, search queries, and recently opened files in a file called ___________. a. internet.txt b. default.dat c. index.dat d. explore.exe
c. index.dat
The Windows command to list any shared files that are currently open is ___________. a. fc b. ping c. openfiles d. netstat
c. openfiles
The Linux log file that contains activity related to the web server is ______. a. /var/log/kern.log b. /var/log/apport.log c. /var/log/lighttpd/* d. /var/log/apache2/*
d. /var/log/apache2/*
The Linux log file that can reveal attempts to compromise the system or the presence of a virus or spyware is ______________. a. /var/log/kern.log b. /var/log/lighttpd/* c. /var/log/apache2/* d. /var/log/apport.log
d. /var/log/apport.log
Which of the following are important to the investigator regarding logging? a. The logging methods b. Log retention c. Location of stored logs d. All of the above
d. All of the above
_________ can include logs, portable storage, emails, tablets, and cell phones. a. Security kit b. Network devices c. Ancillary hardware d. Computer evidence
d. Computer evidence
When cataloging digital evidence, the primary goal is to do what? a. Prohibit the computer from being turned off b. Avoid removing the evidence from the scene c. Make bitstream images of all hard drives. d. Preserve evidence integrity
d. Preserve evidence integrity
Frequently the first responder to a computer crime is ________. a. A law enforcement officer b. The news media c. College students d. The network administrator.
d. The network administrator.