Combined 1-8 Review Questions


What are two advantages and disadvantages of the raw format?

Advantages: fast transfers; most tools can read it; minor data read errors are ignored. Disadvantages: requires as much space as the original (suspect) drive; some tools (mostly freeware) might skip bad sectors.

As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? 1. You begin to take orders from a police detective without a warrant or subpoena. 2. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. 3. Your internal investigation begins. 4. None of the above.

1

If a suspect computer is running Windows 10, which of the following can you safely perform? 1. Browsing open applications 2. Disconnecting power 3. Either of the above 4. None of the above

1

Which of the following is true of most drive-imaging tools? (Choose all that apply.) 1. They perform the same function as a backup. 2. They ensure that the original drive doesn't become corrupt and damage the digital evidence. 3. They create a copy of the original drive. 4. They must be run from the command line.

1, 2, 3

Which of the following techniques might be used in covert surveillance? 1. Keylogging 2. Data sniffing 3. Network logs 4. None of the above

1, 2, 3

When validating the results of a forensic analysis, you should do which of the following? (Choose all that apply) 1. Calculate the hash value with two different tools. 2. Use a different tool to compare the results of evidence you find. 3. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. 4. Use a command-line tool and then a GUI tool.

1, 2, 3 (?)

The reconstruction function is needed for which of the following purposes? (Choose all that apply.) 1. Re-create a suspect drive to show what happened. 2. Create a copy of a drive for other investigators. 3. Recover file headers. 4. Re-create a drive compromised by malware.

1, 2, 4

What items should your business plan include?

1. Justification 2. Budget, including facility costs, hardware and software requirements, and miscellaneous expenses 3. Approval/acquisition methods, with a risk analysis and the number of investigations you plan to pursue and their average length 4. Implementation: how to incorporate and install all approved items, with a timeline for delivery, installation, and inspection of the facility 5. Acceptance testing: making sure everything works 6. Correction for acceptance 7. Production

List three items that should be in an initial-response field kit.

1. Laptop 2. Camera 3. Flashlight 4. Digital forensics kit. Note: this list is not exhaustive; see Loc 5293 for a full list.

List two features common with proprietary format acquisition files.

1. Option to compress 2. Ability to split images for archival purposes 3. Ability to integrate metadata into the image

Name the three formats for computer forensics data acquisitions.

1. Raw 2. Proprietary 3. AFF (Advanced Forensics Format)

What three items should you research before enlisting in a certification program?

1. Requirements 2. Cost 3. Acceptability in your area of employment

What are the two main concerns when acquiring data from a RAID server?

1. Size 2. Configuration

List two items that should appear on a warning banner.

1. That the connection is restricted to authorized users 2. That the organization has a right to inspect and monitor computer and network usage

To determine the types of operating systems needed in your lab, list two sources of information you could use.

1. The Uniform Crime Report (UCR) 2. A list of crimes in your area or company

Policies can address rules for which of the following? 1. When you can log on to a company network from home 2. The Internet sites you can or can't access 3. The amount of personal e-mail you can send 4. Any of the above

4. Any of the above

Explain the differences between resource and data forks used in macOS.

A resource fork is where file metadata and application information are stored, such as menus, dialog boxes, icons, executable code, and controls. The data fork is where the data itself is stored, such as user-created text or spreadsheets.

Forensics software tools are grouped into ____ and ____ applications.

Command line and GUI

Describe what should be videotaped or sketched at a computer crime scene.

Computers, cable connections, overview of the scene—anything that might be of interest to the investigation.

What does CHS stand for?

Cylinders, Heads, Sectors

With remote acquisitions, what problems should you be aware of? a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs d. All of the above

D. All of them

When you arrive at the scene, why should you extract only those items you need to acquire evidence?

Doing so protects your equipment and minimizes how many items you have to keep track of at the scene.

Which forensic tools can connect to a suspect's computer and run surreptitiously?

EnCase, ProDiscover

A JPEG file is an example of a vector graphic. True or False?

False

Building a forensic workstation is more expensive than purchasing one. True or False?

False

Copyright laws don't apply to Web sites. True or False?

False

Data can't be written to the disk with a command-line tool. True or False?

False

The ANAB mandates the procedures established for a digital forensics lab. True or False?

False(?)

Evidence storage containers should have several master keys. True or False?

False. In order to maintain security, the fewer keys available, the better.

Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?

False. It's not until the private-sector investigator starts working at the direction of law enforcement that they are considered an agent of law enforcement.

In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False?

False. That is "repeatable results".

Digital forensics facilities always have windows. True or False?

False. They do not have windows in order to protect the privacy and integrity of the investigation.

You should always prove the allegations made by the person who hired you. True or False?

False. You must always maintain an unbiased perspective and be objective in your fact-finding.

List three items stored in the FAT database.

File and directory names, starting cluster numbers, file attributes, date and time stamps.

Police in the United States must use procedures that adhere to which of the following? 1. Third Amendment 2. Fourth Amendment 3. First Amendment 4. None of the above

Fourth Amendment

Why should you do a standard risk assessment to prepare for an investigation?

Identifying the risks can help mitigate or minimize any foreseeable issues with the investigation.

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?

Initial-response field kit

What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?

Lossless

Which organization provides good information on safe storage containers?

NISPOM (National Industrial Security Program Operating Manual) - Chapter 5, Section 3

What's the main goal of static acquisition?

Preservation of digital evidence

What does a logical acquisition collect for an investigation?

Specific files or file types

What does a sparse acquisition collect for an investigation?

Specific files or file types, as well as fragments from unallocated areas

What do you call a list of people who have had physical possession of the evidence?

The Chain of Custody

What should you consider when determining which data acquisition method to use?

The circumstances of the investigation, namely the scope and the length of possession.

With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB drive, containing evidence?

The device is automatically mounted and accessed. This likely alters the metadata.

What are the necessary components of a search warrant?

The suspect's computer and its components. 1. It must be filed in good faith by a law enforcement officer 2. It must be based on reliable information showing probable cause to search 3. It must be issued by a neutral and detached magistrate 4. It must state specifically the place to be searched and the items to be seized

Why is physical security so critical for digital forensics labs?

To maintain chain of custody and prevent data from being lost, corrupted, or stolen

An encrypted drive is one reason to choose a logical acquisition. True or False?

True

An image of a suspect drive can be loaded on a virtual machine. True or False?

True

Computer peripherals or attachments can contain DNA evidence. True or False?

True

Data blocks contain actual files and directories and are linked directly to inodes. True or False?

True

Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or false?

True

EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?

True

Hardware acquisition tools typically have built-in software for data analysis. True or False?

True

If a company doesn't distribute a computing use policy stating an employer's rights to inspect employees' computers freely, including e-mail and web use, employees have an expectation of privacy. True or False?

True

For digital evidence, an evidence bag is typically made of antistatic material. True or False?

True.

An employer can be held liable for e-mail harassment. True or False?

True. An employer is responsible for preventing and investigating harassment of employees and nonemployees associated with the workplace.

List two features NTFS has that FAT does not.

Unicode characters, security, journaling.

What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?

You can remove and reconnect drives without having to restart the workstation.

What methods do steganography programs use to hide data in graphics files? (Choose all that apply) a. Insertion b. Substitution c. Masking d. Carving

a, b

The manager of a digital forensics lab is responsible for which of the following? (Choose all that apply) a. Making necessary changes in lab procedures and software b. Ensuring that staff members have enough training to do the job c. Knowing the lab objectives d. None of the above

a, b, c

Digital pictures use data compression to accomplish which of the following goals? (Choose all that apply.) a. Save space on a hard drive b. Provide a crisp and clear image c. Eliminate redundant data d. Produce a file that can be emailed or posted on the Internet.

a, c

Which of the following describes plist files? (Choose all that apply.) a. You must have a special editor to view them. b. They're found only in Linux file systems c. They're preference files for applications d. They require special installers

a, c

Which of the following is the main challenge in acquiring an image of a system running macOS? (Choose all that apply) a. Most commercial software doesn't support macOS. b. Vendor training is needed. c. The macOS is incompatible with most write-blockers. d. You need special tools to remove drives from a system running macOS or open its case.

a, d (?)

A JPEG file uses which type of compression? a. WinZip b. Lossy c. Lzip d. Lossless

b

In JPEG files, what's the starting offset position for the JFIF label? a. Offset 0 b. Offset 2 c. Offset 6 d. Offset 4

c

To recover a password in macOS, which tool do you use? a. Finder b. PRTK c. Keychain Access d. Password Access

c

Which of the following certifies when an OS meets UNIX requirements? a. IEEE b. UNIX Users Group c. The Open Group d. SUSE Group

c

Which of the following Linux system files contains hashed passwords for the local system? a. /var/log/dmesg b. /etc/passwd c. /var/log/syslog d. /etc/shadow

d

Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? 1. Most companies keep inventory databases of all hardware and software used. 2. The investigator doesn't have to get a warrant. 3. The investigator has to get a warrant. 4. Users can load whatever they want on their machines.

1, 2

If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? 1. Coordinate with the HAZMAT team. 2. Determine a way to obtain the suspect's computer. 3. Assume the suspect's computer is contaminated. 4. Do not enter alone.

1, 3

The verification function does which of the following? 1. Proves that a tool performs as intended 2. Creates segmented files 3. Proves that two sets of data are identical via hash values 4. Verifies hex editors

1.

List two popular certification programs for digital forensics.

1. CFCE - Certified Forensic Computer Examiner 2. CCFP - Certified Cyber Forensic Professional

List three items that should be on an evidence custody form.

1. Case number 2. Investigating organization 3. Investigator's name 4. Nature of the case 5. Location where the evidence was obtained 6. Description of the evidence 7. Vendor's name 8. Model number or serial number 9. Who the evidence was recovered by 10. Date and time evidence was taken into custody 11. Evidence placed in which locker and when it was placed there 12. Item #/Evidence processed by/Disposition of evidence/Date/Time 13. Page #

List three subfunctions of the extraction function.

1. Data viewing 2. Keyword searching 3. Decompressing or uncompressing 4. Carving 5. Decrypting 6. Bookmarking or tagging

List two types of digital investigations typically conducted in a business environment.

1. Employee termination cases 2. Internet abuse investigations 3. E-mail abuse investigations 4. Attorney-Client privilege investigations 5. Industrial espionage investigations

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.

1. EnCase 2. X-Ways Forensics

In the Linux dcfldd command, which three options are used for validating data?

1. Hashing via MD5, SHA-1, SHA-256, SHA-384, SHA-512 2. Verifying with the original disk or media data 3. Logging of errors to an output file for analysis and review 4. Referring to a status display indicating acquisition's progress in bytes

What are the three rules for a forensic hash?

1. It can't be predicted. 2. No two files can have the same hash value 3. If the file changes, the hash value changes.

When you perform an acquisition at a remote location, what should you consider to prepare for the task?

1. The advanced privileges that are required to push the agent application to the remote system 2. The antivirus, antispyware, or firewall applications that can be programmed to ignore remote access programs 3. That the suspect could have security tools that trigger an alarm on remote access intrusions

Hashing, filtering, and file header analysis make up which function of computer forensics tools? 1. Validation and verification 2. Acquisition 3. Extraction 4. Reconstruction

1. Validation and verification

List three items that should be in your case report.

1. What you did 2. What you found 3. Answer: Who, What, When, Where, How 4. Know your target reader and write for them 5. Provide an explanation for processes and how systems and their components work

Large digital forensics labs should have at least ______ exits.

2

What is the maximum file size when writing to FAT32 drives?

2 GB

Hash values are used for which of the following purposes? (Choose all that apply.) 1. Determining file size 2. Filtering known good files from potentially suspicious data 3. Reconstructing file fragments 4. Validating that the original data hasn't changed.

2, 4

A log report in forensics tools does which of the following? 1. Tracks file types 2. Monitors network intrusion attempts 3. Records an investigator's actions in examining a case 4. Lists known good files

3. Records an investigator's actions in examining a case

The standards for testing forensics tools are based on which criteria? 1. U.S. Title 18 2. ASTD 1975 3. ISO 17025 4. All of the above

3. ISO 17025

According to ISO standard 27037, which of the following is an important factor in data acquisition? (Choose all that apply) 1. The DEFR's competency 2. The DEFR's skills in using the command line 3. Use of validated tools 4. Conditions at the acquisition setting

3. Use validated tools

The triad of computing security includes which of the following? 1. Detection, response, and monitoring 2. Vulnerability assessment, detection, and monitoring 3. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation 4. Vulnerability assessment, intrusion response, and monitoring

3. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation

What's a hashing algorithm?

A way of creating a binary or hexadecimal number that represents the uniqueness of a drive or data set; its "digital fingerprint".

Which organization has guidelines on how to operate a digital forensics lab?

ANAB (ANSI-ASQ National Accreditation Board)

What are some ways to determine the resources needed for an investigation?

Based on the OS of the computer you're investigating, list the software you plan to use for the investigation, noting any other software, tools, or expert assistance you might need.

Why should evidence media be write-protected?

Because it maintains the quality and integrity of the evidence you're trying to preserve.

Why should you critique your case after it's finished?

Because self-evaluation and peer review are essential parts of professional growth. When a case is complete, review it to identify successful decisions and actions and determine how you could have improved your performance.

How does macOS reduce file fragmentation?

By using clumps, which are groups of contiguous allocation blocks. As a file increases in size, it occupies more of the clump. Volume fragmentation is kept to a minimum by adding more clumps to larger files.

Of all of the proprietary formats, which is the unofficial standard?

Expert Witness Compression format

Explain how to identify an unknown graphics file format that your digital forensics tool doesn't recognize.

FTK Imager can acquire data in a drive's host protected area. True or False?

False

Graphics files stored on a computer can't be recovered after they are deleted. True or false?

False

Linux is the only OS that has a kernel. True or False?

False

Only one file format can compress graphics files. True or False?

False

Small companies rarely need investigators. True or False?

False

The plain view doctrine in computer searches is well-established law. True or False?

False

When investigating graphics files, you should convert them into one standard format. True or False?

False

You should always answer questions from onlookers at a crime scene. True or False?

False

A live acquisition can be replicated. True or False?

False, due to volatile memory.

Digital forensics and data recovery refer to the same activities. True or False?

False.

If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. True or False?

False. All visitors must sign the log in order to ensure accountability and security.

Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?

False. Any information discovered before the memo is issued can be used in discovery by the opposition.

A forensic workstation should always have a direct broadband connection to the Internet. True or False?

False. If Internet access is needed, a second, non-forensic workstation should be used to access the Internet.

Device drivers contain what kind of information?

Instructions for the OS on how to interface with hardware devices.

What's a virtual cluster number?

It represents the assigned clusters of files that are nonresident in the MFT. If a file has become fragmented, it can have two or more VCNs. The first VCN for a nonresident file is listed as 0.

Why is it good practice to make two images of a suspect drive in a critical investigation?

It's helpful in making sure that data has been copied correctly. It also protects against loss and minimizes the risk of failure in the investigation.

What does MFT stand for?

Master File Table

In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1

No. if= specifies the input file and of= the output file, so this command is the reverse of what it should be: it would write the image file over the suspect drive.

What is professional conduct, and why is it important?

Professional conduct is the ethics, morals, and standards by which you conduct yourself and your business. It is important because it determines your credibility.

Typically, a(n) ______ lab has a separate storage area or room for evidence.

Regional

List two hashing algorithms commonly used for forensic purposes.

SHA-1 (and its variants), MD5

Commingling evidence means what in a private-sector setting?

Sensitive business information is mixed with the data that is collected as evidence.

What are the major improvements in the Linux Ext4 file system?

Support for partitions larger than 16 TB, improved management of large files, and a more flexible approach to adding file system features.

What term refers to labs constructed to shield EMR (electromagnetic radiation) emissions?

TEMPEST

What's the purpose of maintaining a network of digital forensics specialists?

To supplement your knowledge and be able to get referrals and information when needed

What's the purpose of an affidavit?

To support facts about or evidence of a crime, in order to secure a warrant for seizure

If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?

True

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. True or False?

True

The primary hashing algorithm the NSRL project uses is SHA-1. True or False?

True

When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False?

True

When viewing a file header, you need to include hexadecimal information to view the image. True or false?

True

Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True or False?

True

Hard links work in only one partition or volume. True or False?

True (?)

What's the most critical aspect of digital evidence?

Validating

In forensic hashes, when does a collision occur?

When the hash value is equivalent to another hash value generated from a different data set. These collisions are rare and have really only been detected on supercomputers.

EFS can encrypt which of the following? a. Files, folders, and volumes b. Certificates and private keys c. The global registry d. Network servers

a.

Hard links are associated with which of the following? a. Dot notation b. A specific inode c. An absolute path to a file d. Hidden files

b

In Linux, which of the following is the home directory for the superuser? a. home b. root c. super d. /home/superuser

b

When you carve a graphics file, recovering the image depends on which of the following skills? a. Recovering the image from a tape backup b. Recognizing the pattern of the data content c. Recognizing the pattern of the file header content d. Recognizing the pattern of a corrupt file

b

Which of the following is true about JPEG and TIF files? a. They have identical values for the first 2 bytes of their file headers b. They have different values for the first 2 bytes of their file headers. c. They differ from other graphics files because their file headers contain more bits. d. They differ from other graphics files because their file headers contain fewer bits.

b

Some clues left on a drive that might indicate steganography include which of the following? (Choose all that apply) a. Multiple copies of a graphics file b. Graphics files with the same name but different file sizes c. Steganography programs in the suspect's All Programs list d. Graphics files with different timestamps

b, c

What methods are used for digital watermarking? (Choose all that apply) a. Implanted subroutines that link to a central Web server automatically when the watermarked file is accessed b. Invisible modification of the LSBs in the file c. Layering visible symbols on top of the image d. Use a hex editor to alter the image data

b, c

Which of the following describes the superblock's function in the Linux file system? (Choose all that apply.) a. Stores bootstrap code b. Specifies the disk geometry c. Manages the file system, including configuration information d. Contains links between inodes

b, c

Which of the following is a new file added in macOS? (Choose all that apply.) a. /private/var/db b. /private/db c. /var/db/diagnostics d. /var/db/uuid.text

c, d

Virtual machines have which of the following limitations when running on a host computer? a. Internet connectivity is restricted to virtual websites b. Applications can be run on the virtual machines only if they're resident on the physical machine. c. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. d. Virtual machines can run only OSs that are older than the physical machine's OS.

c.

What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? a. The file can no longer be encrypted b. EFS protection is maintained on the file c. The file is unencrypted automatically d. Only the owner of the file can continue to access it

c.

Areal density refers to which of the following? a. Number of bits per disk b. Number of bits per partition c. Number of bits per square inch of a disk platter d. Number of bits per platter

c. Number of bits per square inch of a disk platter

Bitmap (.bmp) files use which of the following types of compression? a. WinZip b. Lossy c. Lzip d. Lossless

d

On most Linux systems, current user login information is in which of the following locations? a. /var/log/dmesg b. /var/log/wmtp c. /var/log/usr d. /var/log/utmp

d

The process of converting raw images to another format is called which of the following? a. Data conversion b. Transmogrification c. Transfiguring d. Demosaicing

d

Building a business case can involve which of the following? a. Procedures for gathering evidence b. Testing software c. Protecting trade secrets d. All of the above

d. All of the above

What's the Disk Arbitration feature used for in macOS?

macOS feature for disabling and enabling automatic mounting when a drive is connected via USB or FireWire.

