FINAL EXAM

In Microsoft Exchange, which file is responsible for messages formatted with MAPI?

.edb

Which location contains configuration information for Sendmail?

/etc/sendmail.cf

In which directory do UNIX installations typically store logs?

/var/log

At what offset are the application's last access date and time located in a prefetch file?

0x90

How many years of education does the typical juror have?

12

How many roles might a forensics examiner play in a trial?

2

There are inherent conflicts between the goals of attorneys and the goals of scientists or technicians (experts).

2

How close should a microphone be to the person testifying?

6 to 8 inches

Which uppercase letter has a hexadecimal value 41?

A

What document, issued by a judge, compels the recipient to do or not do something?

A court order

Which type of tool has application programming interfaces (APIs) that allow reconfiguring a cloud on the fly and is accessed through the application's Web interface?

A management plane

A government entity must show that there is probable cause to believe the contents of a wire communication, an electronic communication, or other records are relevant to an ongoing criminal investigation to obtain which type of order?

A search warrant

Which activity involves changing or manipulating a file to conceal information?

Data hiding

Which numbering system is being used if the report writer divides material into sections and restarts numbering with each main section?

Decimal

Which network defense strategy, developed by the National Security Agency (NSA), has three modes of protection?

Defense in Depth

What is the process of converting raw picture data to another format called?

Demosaicing

What resource might attorneys use to search for information on expert witnesses?

Deposition banks

What are packet analyzers?

Devices or software placed on a network to monitor traffic

Which action isn't usually punitive, but can be embarrassing for the professional and potentially for the attorney who retained the professional?

Disqualification

Which outcome, when caused by an ethical lapse, could effectively be a death sentence for a career as an expert witness?

Disqualification

Where do phones typically store system data?

EEPROM

In which format are most digital photographs stored?

EXIF

A honeywall is a computer set up to look like any other machine on your network, but it lures the attacker to it.

FALSE

All e-mail servers use databases that store multiple users' e-mails.

FALSE

Autopsy for Windows cannot analyze data from image files from other vendors.

FALSE

Autopsy for Windows cannot perform forensics analysis on FAT file systems.

FALSE

For civil cases, including those involving digital forensics investigations, U.S. district courts consider optional that expert witnesses submit written reports.

FALSE

Gaming consoles such as the Sony PlayStation and Xbox are safe because they don't contain information hackers might try to intercept and collect.

FALSE

If you must write a preliminary report, use words such as "preliminary copy," "draft copy," or "working draft."

FALSE

Operating systems do not have tools for recovering image files.

FALSE

The decimal numbering system is frequently used when writing pleadings.

FALSE

When writing a report, use a formal, technical style.

FALSE

The data-hiding technique involving marking bad clusters is more commonly used with what type of file system?

FAT

To retrieve e-mail headers in Microsoft Outlook, what option should be clicked after the e-mail has been selected?

File, Properties

What technology is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure?

Key escrow

Which type of strategy hides the most valuable data at the innermost part of the network?

Layered network defense

How many words should an abstract contain?

Question 71 options: 150 to 200

What type of cards, consisting of a microprocessor and internal memory, are usually found in GSM devices?

SIM

In which type of attack does the attacker keep asking the server to establish a connection?

SYN flood

Leading questions such as "Isn't it true that forensics experts always destroy their handwritten notes" are referred to as what type of questions?

Setup

What technique has been used to protect copyrighted material by inserting digital watermarks into a file?

Steganography

In addition to search warrants, what defines the scope of civil and criminal cases?

Subpoenas

Which type of digital network divides a radio frequency into time slots?

TDMA

A challenge with using social media data in court is authenticating the author and the information.

TRUE

As an expert witness, you have opinions about what you have found or observed.

TRUE

Besides presenting facts, reports can communicate expert opinion.

TRUE

Bitmap images are collections of dots, or pixels, in a grid format that form a graphic.

TRUE

Experts should be paid in full for all previous work and for the anticipated time required for testimony.

TRUE

If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.

TRUE

In the United States, the Electronic Communications Privacy Act (ECPA) describes five mechanisms the government can use to get electronic information from a provider.

TRUE

Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.

TRUE

Network logs record traffic in and out of a network.

TRUE

No single source offers a definitive code of ethics for expert witnesses, so you must draw on standards from other organizations to form your own ethical standards.

TRUE

Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise.

TRUE

Portability of information is what makes SIM cards so versatile.

TRUE

Research on wearable computers has been conducted at MIT labs for more than a decade, and these computers are now moving into working reality.

TRUE

Signposts assist readers in scanning the text quickly by highlighting the main points and logical development of information.

TRUE

The chain of custody of evidence supports the integrity of your evidence.

TRUE

Under copyright laws, maps and architectural plans may be registered as pictorial, graphic, and sculptural works.

TRUE

Virtual machines (VMs) help offset hardware costs for companies.

TRUE

Whether you're serving as an expert witness or a fact witness, be professional and polite when presenting yourself to any attorney or the court.

TRUE

Which network protocol analyzer can be programmed to examine TCP headers to find the SYN flag?

Tethereal

What section of a report should contain broader generalizations?

The conclusion

What section of a report should restate the objectives, aims, and key questions and summarize the findings with clear, concise statements?

The conclusion

What is the main information being sought when examining e-mail headers?

The originating e-mail's domain name or an IP address

What limits the data that can be sought in a criminal investigation?

The search warrant

In which log does Exchange log information about changes to its data?

Transaction

Which Cellebrite mobile forensics tool is often used by law enforcement and the military?

UFED Reader

How much internal memory do mobile devices have?

Up to 64 GB

To view e-mail headers on Yahoo!, what should be clicked on after "More" has been selected?

View Raw Message

In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous contact with an opposing party?

Wang Laboratories, Inc. v. Toshiba Corp

Which header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03?

XIF

What cloud service provides a freeware type 1 hypervisor used for public and private clouds?

XenServer and XenCenter Windows Management Console

What term is used for the machines used in a DDoS attack?

Zombies

Which Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system?

filecache.dbx

Which Google Drive file contains a detailed list of a user's cloud transactions?

sync_log.log

Which organization has developed resource documentation for cloud service providers and their staff and provides guidance for privacy agreements, security measures, and other issues?

Cloud Security Alliance

Which organization has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients?

ABA

Which document offers comprehensive guidance for psychologists, with an entire section devoted to forensics activities?

APA's Ethics Code

A written report is often submitted as what type of document?

An affidavit

Which information from Facebook simply tells you the last time a person logged on, the person's e-mail address and mobile number, and whether the account can be viewed publicly?

Basic subscriber

How can an investigator minimize any challenges an opposing attorney could make to discredit the investigator's report or testimony?

Be as thorough as possible during the forensic examination

Which data-hiding technique changes data from readable code to data that looks like binary executable code?

Bit-shifting

What type of attacks use every possible letter, number, and character found on a keyboard when cracking a password?

Brute-force

Which folder is most likely to contain Dropbox files for a specific user?

C:\Users\username\Dropbox

What technology, developed during WWII, uses the full radio spectrum to define channels and is now used in the U.S. by Sprint, U.S. Cellular, and Verizon?

CDMA

What should you use to verify evidence and thus ensure its integrity?

Hash algorithms

What should the forensics specialist keep updated and complete in order to support his or her role as an expert and document enhancement of skills through training, teaching, and experience?

His or her CV

What type of questions can give the investigator the factual structure to support and defend his or her opinion?

Hypothetical

What does scope creep typically do?

Increases the time and resources needed to extract, analyze, and present data

Which data-hiding technique places data from the secret file into the host file without displaying the secret data when the host file is viewed in its associated program?

Insertion

Which type of compression compresses data permanently by discarding bits of information in the file?

Lossy

Many password-protected OSs and applications store passwords in the form of which type of hash values?

MD5

Which forensics software tool contains a built-in write blocker?

MOBILedit

Which tool lists all open network sockets, including those hidden by rootkits?

Memoryze

Which motion provides a written list of objections to certain testimony or exhibits?

Motion in limine

In a Windows environment, what is the default storage location used by BitPim?

My Documents\BitPim

Which cloud forensics training program is limited to law enforcement personnel?

National Institute of Justice Digital Forensics Training

Which tool was designed as an easy-to-use interface for inspecting and analyzing large tcpdump files?

Netdude