DF242 Exam questions from quizzes + Exam Possible Questions

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

A file system has a default cluster size of 4KB. A file is 2KB in size. How many clusters will the file occupy?

1 Cluster

A file system has a default cluster size of 4KB. There are 15 clusters available. What is the largest file that can be stored in kilobytes. Do not enter 'KB' after your answer.

60

What is the definition of hash? Select one: A. A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions B. The art and science of writing hidden messages C. An analysis involving using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data D. A utility that cleans unallocated space

A. A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions

Which of the following is true of hard drives? Select one: A. File systems look at clusters, not sectors. B. Today, sectors are referred to as allocation units. C. The sector size on hard drives is either 1,024 or 2,048 bytes. D. Clusters are always contiguous on a hard disk.

A. File systems look at clusters, not sectors.

Which operating system uses the ext file system natively? Select one: A. Linux B. Windows C. Mac OS D. UNIX

A. Linux

When gathering systems evidence, what is NOT a common principle? Select one: A. Search throughout a device. B. Determine when evidence was created. C. Trust only virtual evidence. D. Avoid changing the evidence.

A. Search throughout a device.

The unused space between the logical end of file and the physical end of file is known as __________. Select one: A. file slack B. a segment C. bit-level information D. a cluster

A. file slack

The basic repair tool in Linux is _______. Select one: A. fsck B. the TestDisk utility C. Disk Utility D. chkdsk

A. fsck

In FAT and NTFS file systems, a __________ is used to map files to specific clusters where they are stored on the disk. Select one: A. table B. partition C. node D. cluster

A. table

_____________ is designed to render a target unreachable by legitimate users, not to provide the attacker access to the site. A. A logic bomb B. A denial of service (DOS) attack C. Identify theft D. A distributed denial of service (DDOS) attack

B. A denial of service (DOS) attack

Which of the following should be used for packaging of digital evidence? A. Plastic storage totes B. Antistatic containers C. Paper bags D. Plastic evidence bags E. Cardboard boxes F. Paper envelopes

B. Antistatic containers C. Paper bags E. Cardboard boxes F. Paper envelopes

A SYN flood is an example of a(n) .... A. Distributed denial of service (DDOS) attack B. Denial of service (DoS) attack C. SQL injection D. Virus

B. Denial of Service (DOS) attack

The term ________ refers to testimony taken from a witness or a party to a case before a trial. A. Real evidence B. Deposition C. Expert report D. Documentary evidence

B. Deposition

The basic repair tool in Mac OS is _______. Select one: A. the TestDisk utility B. Disk Utility C. chkdsk D. fsck

B. Disk Utility

What was designed as an area where computer vendors could store data that is shielded from user activities and operating system utilities, such as delete and format? Select one: A. Volume slack B. Host protected area (HPA) C. Master boot record (MBR) D. File slack

B. Host protected area (HPA)

__________ is offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system. Select one: A. Logical analysis B. Physical analysis C. Steganography D. Encryption

B. Physical analysis

Which of the following BEST defines rules of evidence? Select one: A. A term that refers to how long evidence will last B. Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury C. Information that has been processed and assembled so that it is relevant to an investigation and supports a specific finding or determination D. A formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted as well as the specialist's own curriculum vitae (CV)

B. Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury

What term describes data that an operating system creates and overwrites without the computer user directly saving this data? Select one: A. Scrubbed data B. Temporary data C. Metadata D. Persistent data

B. Temporary data

__________ sets standards for digital evidence processing, analysis, and diagnostics. Select one: A. CompTIA B. The DoD Cyber Crime Center (DC3) C. The American Society of Crime Laboratory Directors (ASCLD) D. New Technologies Incorporated (NTI)

B. The DoD Cyber Crime Center (DC3)

Use of __________ enables an investigator to reconstruct file fragments if files have been deleted or overwritten. Select one: A. a null modem cable B. bit-level tools C. digital forensics framework D. the rules of evidence

B. bit-level tools

Any attempt to gain financial reward through deception is called ______. Select one: A. cyberterrorism B. fraud C. social engineering D. identity theft

B. fraud

What is the definition of Feistel function? Select one: A. A method of using techniques other than brute force to derive a cryptographic key B. An attack in which the attacker tries to decrypt a message by simply applying every possible key in the keyspace C. A cryptographic function that splits blocks of data into two parts; it forms the basis for many block ciphers D. The method of cryptography in which someone chooses a number by which to shift each letter of a text in the alphabet and substitute the new letter for the letter being encrypted

C. A cryptographic function that splits blocks of data into two parts; it forms the basis for many block cipher

The __________ cipher is a Hebrew code that substitutes the first letter of the alphabet for the last letter and the second letter for the second-to-last letter, and so forth. Select one: A. Caesar B. Scytale C. Atbash D. ROT13

C. Atbash

What is NOT true of random access memory (RAM)? Select one: A. It retains items in memory for as long as the computer has power supplied to it. B. It stores programs and data that are currently open. C. It cannot be changed. D. It is volatile memory

C. It cannot be changed.

What is the process of searching memory in real time, typically for working with compromised hosts or to identify system abuse? Select one: A. Internet forensics B. Network forensics C. Live system forensics D. Disk forensics

C. Live system forensics

According to the order of volatility in RFC 3227, what evidence should you collect first on a typical system? Select one: A. Registry, then volatile data B. Memory dumps, then file system C. Volatile data, then file slack D. System state backup, then Registry

C. Volatile data, then file slack

EIDE is _________. Select one: A. a file format B. a type of running process C. a type of magnetic drive D. an operating system

C. a type of magnetic drive

The two NTFS files of most interest to forensics are the Master File Table (MFT) and the __________. Select one: A. Master Boot Record B. routing table C. cluster bitmap D. inode

C. cluster bitmap

Which file recovery tool works in Linux and Mac OS, and in Windows if you compile the source code? Select one: A. Diskdigger B. WinUndelete C. scalpel D. extundelete

C. scalpel

What name is given to a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification? Select one: A. File allocation checking B. Inode scan C. Logical checking D. Consistency checking

D. Consistency checking

Jim is a forensic specialist. He seized a suspect computer from a crime scene, removed the hard drive and bagged it, documented and labeled the equipment, took photographs, completed a chain of custody form, and locked the computer in his car. On the way to the lab, he stopped to purchase supplies to use at the next crime scene. What did Jim do wrong? Select one: A. He made the drive susceptible to demagnetization by bagging it. B. He should have performed drive analysis at the scene. C. He should not have removed the hard drive at the scene. D. He left the computer unattended while shopping for supplies.

D. He left the computer unattended while shopping for supplies.

The number 22 for SSH (Secure Shell) and 80 for Hypertext Transfer Protocol (HTTP) are examples of ________. Select one: A. IP addresses B. MAC addresses C. Physical ports D. Logical port numbers

D. Logical port numbers

__________ govern whether, when, how, and why proof of a legal case can be placed before a judge or jury. Select one: A. General principles B. Common practices C. Forensic specialists D. Rules of evidence

D. Rules of evidence

What uses microchips that retain data in non-volatile memory chips and contains no moving parts? Select one: A. Serial Advanced Technology Attachment (SATA) B. Integrated Drive Electronics (IDE) C. Parallel Advanced Technology Attachment (PATA) D. Solid-state drive (SSD)

D. Solid-state drive (SSD)

What is the definition of transposition in terms of cryptography? Select one: A. The art and science of writing hidden messages B. A method of using techniques other than brute force to derive a cryptographic key C. The determination of whether a file or communication hides other information D. The swapping of blocks of ciphertext

D. The swapping of blocks of ciphertext

Which of the following is NOT true of file carving? Select one: A. File carving is often used to recover data from a disk where there has been some damage or where the file itself is corrupt. B. File carving is a common method of data recovery particularly when the file metadata has been damaged. C. Most file carving utilities look for file headers or footers, and then pull out data that is found between these two boundaries. D. You can perform file carving on Windows and Linux files systems, but not Mac OS.

D. You can perform file carving on Windows and Linux files systems, but not Mac OS.

When attempting to recover a failed drive, which of the following is NOT true? Select one: A. If the failed drive's disks are spinning, that's an indication that a catastrophic failure has not occurred. B. If the failed drive installs properly on a test system, copy all directories and files to a different hard drive on the test system. C. If the drive fails on one system but installs on another, the drive may have failed because of a power supply failure or corruption of the operating system. D. You should connect the failed drive to a test system and make the failed drive bootable.

D. You should connect the failed drive to a test system and make the failed drive bootable.

A brute-force attack on a polyalphabetic substitution cipher can deduce the length of the keyword used in the cipher. Select one: True or False

False

A court must issue a chain of custody order before evidence can be collected. Select one: True or False

False

A pen/trap device captures email contents. Select one: True or False

False

A symbolic link is an inode that links directly to a specific file. Select one: True or False

False

Damage to how data is stored on a disk, such as file system corruption, is the definition of physical damage. Select one: True or False

False

Data Encryption Standard (DES) is a stream cipher. Select one: True or False

False

In Windows, files that are moved to the Recycle Bin are permanently deleted. Select one: True or False

False

Making two copies of a suspect's drive, using two different imaging tools, can help to prove that evidence is accurate. Select one: True or False

False

Many USB drives come with a switch to put them in read-only mode. Select one: True or False

False

The Electronics Communication Privacy Act applies to private companies seeking to obtain subscriber information about their employees. True or false

False

The FAT file system has the ability to assign access control lists to files and directories. Select one: True or False

False

The only way to clean random access memory (RAM) is with cleansing devices known as sweepers or scrubbers. Select one: True or False

False

The start-up time for solid-state drives (SSDs) is usually much slower than for magnetic storage drives. Select one: True or False

False

The term transposition refers to the art and science of writing hidden messages. Select one: True or False

False

With the consistency checking file system repair technique, a computer's file system is rebuilt from scratch using knowledge of an undamaged file system structure. Select one: True or False

False

generally speaking, the fourth amendment applies to non-government actions. True or false

False

A DVD is a type of optical media. Select one: True or False

True

A file that is deleted can be recovered. Select one: True or False

True

A forensic certification is meant to demonstrate a baseline of competence. Select one: True or False

True

A pen/trap device captures "to" and "from" information from emails. Select one: True or False

True

After imaging a drive, you must always create a hash of the original and the copy. Select one: True or False

True

All modern block-cipher algorithms use both substitution and transposition. Select one: True or False

True

Before imaging a drive, you must forensically wipe the target drive to ensure no residual data remains. Select one: True or False

True

Digital evidence imaging should be done before latent, trace, or biological evidence processes are conducted on the evidence. True or false

True

Email evidence would be useful for investigating cyberstalking but not a denial of service (DoS) attack. True or false

True

File slack and slack space are the same thing. Select one: True or False

True

If you encounter a device that is powered off at a crime scene, you should leave it powered off. Select one: True or False

True

In a forensics lab, the machines being examined should not be connected to the Internet. Select one: True or False

True

In general, evidence may be returned to its owner upon completion of a case. Select one: True or False

True

Logical damage to a disk is damage to how data is stored, for example, file system corruption. Select one: True or False

True

Logical damage to a file system is more common than physical damage. Select one: True or False

True

Only those who are properly trained in examining digital evidence should do so. True or false

True

Spyware software is legal, if used correctly. True or False

True

The Federal Rules of Evidence (FRE) governs the admission of facts by which parties in the U.S. federal court system may prove their cases. Select one: True or False

True

The first step in any computer forensic investigation is to make a copy of the suspected storage device. Select one: True or False

True

The life span of information may be as short as milliseconds to longer than one year. Select one: True or False

True

The term scrubber refers to software that cleans unallocated drive space. Select one: True or False

True

To avoid changing a computer system while examining it, make a forensics copy and work with that copy. True or false

True

USB, or universal serial bus, is actually a connectivity technology, not a storage technology. Select one: True or False

True

Which of the following processes requires evidence to be fully documented? Select one: a. All of these are correct. b. storage c. seizure d. transportation

a. All of these are correct.

The wiretap act: Select one: a. generally and broadly prohibits anyone in the United States from intercepting the contents of wire, oral, or electronic communications. b. prohibits certain types of communications between parties. c. allows ISPs to monitor communications between customers. d. permits law enforcement to intercept communications without a warrant

a. generally and broadly prohibits anyone in the United States from intercepting the contents of wire, oral, or electronic communications

Which of the following are true regarding handheld devices? Select one: a. Digital evidence may be lost if power is not maintained. b. All of these are true. c. Data can be overwritten if the device remains active. d. Devices can be rendered remotely wiped of evidence.

b. All of these are true.

Which of the following needs to be completed when transporting evidence? Select one: a. evidence intake form b. chain of custody c. expense reimbursement form d. change of custody form

b. chain of custody

Which of the following is NOT a type of hard drive: Select one: a. SCSI b. IDE c. LED d. SATA

c. LED

Which of the following is your first priority when arriving on a crime scene? Select one: a. interviewing witnesses b. preservation of evidence c. life safety d. photographing the evidence

c. life safety

A "trap and trace" device: Select one: a. outgoing connection information. b. records the contents of a communication between one or more people. c. records incoming connection information. d. records both incoming and outgoing connection information.

c. records incoming connection information.

Which of the following is the smallest unit on a disk that can hold a file? Select one: a. Block b. Spindle c. Sector d. Cluster

d. Cluster

Which of the following governs the real-time acquisition of dialing, routing, addressing, and signaling information relating to communications? Select one: a. Wiretap Act b. Smith-Bailey Act c. ISP Montioring Act d. Pen/Trap statue

d. Pen/Trap statue

Which of the following pertains to "interception of the content of communications while they are in transit?" Select one: a. Pen Trap & Trace Act b. Gramm-Leach-Bliley Act c. ISP Monitoring Act d. Wiretap Act

d. Wiretap Act

The term "pen register" refers to Select one: a. a device that records the contents of a communication. b. a device that records incoming connection information. c. a device that captures the telephone number of the party who is call the individual under surveillance. d. a device that records outgoing connection information.

d. a device that records outgoing connection information.

Data Encryption Standard (DES) is often used to allow parties to exchange a symmetric key through some insecure medium, such as the Internet. Select one: True or False

false

The word cryptography is derived from the word kryptós, which means hidden, and the verb gráfo, which means picture. Select one: True or False

false

A test system is a functional system compatible with the hard drive from which someone is trying to recover data. Select one: True or False

true

An expert witness who leaves information out of an expert report usually cannot testify about the information at trial. Select one: True or False

true

Incriminating evidence shows, or tends to show, a person's involvement in an act, or evidence that can establish guilt. Select one: True or False

true

Infinitely recursing directories is a symptom of logical damage to a file system. Select one: True or False

true

Linux file systems use hard links and symbolic links. Select one: True or False

true

RAID 1 mirrors the contents of disks. Select one: True or False

true

SHA1 and SHA2 are currently the most widely used hashing algorithms. Select one: True or False

true

Solid-state drives (SSDs) are often used in tablets and in some laptops. Select one: True or False

true

The Caesar cipher shifts each letter of a message by a certain number and substitutes the new alphabetic letter for the letter you are encrypting. Select one: True False

true

The Linux dd command is commonly used to forensically wipe a drive. Select one: True or False

true

Turning off a computer while it is booting or shutting down can lead to logical damage of its file system. Select one: True or False

true


Set pelajaran terkait

Chapter 22: Immune System and the Body's Defense

View Set

Chapter 10: Personality - Exam #4

View Set

HONORS PHYSICAL SCIENCE FINAL EXAM

View Set

Data Collection, Behavior, and Decisions Relias (BCBA)

View Set

EDU 300 - CHAPTER 11 Learners Who Are Deaf or Hard of Hearing

View Set

1 - State Exam Simulator - 150 Practice Exam Questions

View Set