IS381 Module 3 Quiz
A logical acquisition collects only specific files of interest to the case. True False
True
What's the maximum file size when writing data to a FAT32 drive? 2 GB 3 GB 4 GB 6 GB
2GB
What are two concerns when acquiring data from a RAID server? 1. Data transfer speeds and type of RAID 2. Type of RAID and antivirus software 3. Amount of data storage needed and type of RAID 4. Split RAID and Redundant RAID
Amount of data storage needed and type of RAID
With remote acquisitions, what problems should you be aware of? 1. Data transfer speeds 2. Access permissions over the network 3. Antivirus, antispyware, and firewall programs 4. The password of the remote computer's user
Antivirus, antispyware, and firewall programs
Which forensics tools can connect to a suspect's remote computer and run surreptitiously? 1. ddfldd and ProDiscover Incident Response 2. EnCase Enterprise and ProDiscover Incident Response 3. dd and ddfldd 4. dd and EnCase Enterprise
EnCase Enterprise and ProDiscover Incident Response
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive. 1. dd and Expert Witness 2. dd and EnCase 3. X-Ways Forensics and dd 4. EnCase and X-Ways Forensics
EnCase and X-Ways
Of all the proprietary formats, which one is the unofficial standard? 1. Expert Witness 2. AFF 3. Uncompress dd 4. Segmented dd
Expert Witness
FTK Imager can acquire data in a drive's host protected area. True False
False
In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. So, the following dcfldd is command correct. dcfldd if=image_file.img of=/dev/hda1 True False
False
Slower data transfer speeds and dealing with minor data errors are two disadvantages of the raw format True False
False
When determining which data acquisition method to use you should not consider how long the acquisition will take. True False
False
What does a sparse acquisition collect for an investigation? 1. Only specific files of interest to the case 2. Fragments of unallocated data in addition to the logical allocated data 3. Only the logical allocated data 4. Only fragments of unallocated data
Fragments of unallocated data in addition to the logical allocated data
Name the three formats for digital forensics data acquisitions. 1. Raw, AICIS, and AFF 2. EnCase format, Raw, and dd 3. Raw format, proprietary formats, and AFF 4. dd, Raw, and AFF
Raw format, proprietary formats, and AFF
Why is it a good practice to make two images of a suspect drive in a critical investigation? 1. To speed up the process 2. To have one compressed and one uncompressed copy 3. To ensure at least one good copy of the forensically collected data in case of any failures 4. None of the above
To ensure at least one good copy of the forensically collected data in case of any failures
A hashing algorithm is a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk. True False
True
Commonly, proprietary format acquisition files can compress the acquisition data and segment acquisition output files into smaller volumes. True False
True
FTK Imager requires that you use a device such as a USB dongle for licensing. True False
True
The main goal of a static acquisition is the preservation of digital evidence. True False
True
With newer Linux kernel distributions, USB devices are automatically mounted, which can alter data on it. True False
True
What's the most critical aspect of digital evidence? 1. Compression 2. Redundancy 3. Contingency 4. Validation
Validation
In the Linux dcfldd command, which three options are used for validating data? 1. hash, hashlog, and vf 2. h, hl, and vf 3. hash, log, and hashlog 4. vf, of, and vv
hash, hashlog, and vf
