IT 226 - FINAL EXAM

In Microsoft Outlook, what file extension is used with saved sent, drafted, deleted, and received e-mails?

.pst

The Enhanced Data GSM Environment (EDGE) standard was developed specifically for which type of service?

3G

What document, issued by a judge, compels the recipient to do or not do something?

A court order

Which type of order requires that the government offer specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation?

A court order

What type of laws should computer investigators be especially aware of when working with image files in order to avoid infringement violations?

Copyright

Which numbering system is being used if the report writer divides material into sections and restarts numbering with each main section?

Decimal

What is the process of converting raw picture data to another format called?

Demosaicing

What resource might attorneys use to search for information on expert witnesses?

Deposition banks

What is the most important part of an investigator's testimony at a trial?

Direct examination

Anything an investigator writes down as part of examination for a report in a civil litigation case is subject to which action from the opposing attorney?

Discovery

Which type of deposition is used to give an opposing attorney the chance to conduct what amounts to a direct examination and cross-examination of a witness?

Discovery

Where do phones typically store system data?

EEPROM

In which format are most digital photographs stored?

EXIF

If a graphics file cannot be opened in an image viewer, what should the next step be?

Examining the file's header data

Forensic examiners may serve as what types of witnesses?

Fact and expert

A graphics program creates and saves one of three types of image files: bitmap, vector, or XIF

False

A search warrant can be used in any kind of case, either civil or criminal.

False

All TIF files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 3B.

False

As an expert witness, you can't testify if you weren't present when the event occurred.

False

Expert opinions cannot be presented without stating the underlying factual basis

False

For civil cases, including those involving digital forensics investigations, U.S. district courts consider optional that expert witnesses submit written reports.

False

In the cloud, remote acquisitions are often easier because you're usually dealing with large volumes of data.

False

Operating systems do not have tools for recovering image files

False

The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect.

False

To retrieve e-mail headers in Microsoft Outlook, what option should be clicked after the e-mail has been selected?

File, Properties

Which JFIF format has a hexadecimal value of FFD8 FFE0 in the first four bytes?

JPEG

Which files provide helpful information to an e-mail investigation?

Log and configuration files

What files, created by Microsoft, contain the DLL pathnames and metadata used by applications and reduce the time it takes to start applications?

Prefetch

What are the most important laws applying to attorneys and witnesses?

Rules of evidence

What type of cards, consisting of a microprocessor and internal memory, are usually found in GSM devices?

SIM

A government entity must show that there is probable cause to believe the contents of a wire communication, an electronic communication, or other records are relevant to an ongoing criminal investigation to obtain which type of order?

Search warrant

To view Gmail Web e-mail headers, what should be clicked after the e-mail has been opened and the down arrow next to the Reply circular arrow has been clicked?

Show Original

With cloud systems running in a virtual environment, what can be used to give the investigator valuable information before, during, and after an incident?

Snapshot

In which cloud service level are applications delivered via the Internet?

Software as a service

What technique has been used to protect copyrighted material by inserting digital watermarks into a file?

Steganography

Which term comes from the Greek word for "hidden writing"?

Steganography

Which term refers to a data-hiding technique that uses host files to cover the contents of a secret message?

Steganography

In addition to search warrants, what defines the scope of civil and criminal cases?

Subpoenas

Which data-hiding technique replaces bits of the host file with other bits of data?

Substitution

Which type of digital network divides a radio frequency into time slots?

TDMA

From which file format is the image format XIF derived?

TIF

In which type of testimony does the investigator present evidence and explain what it is and how it was obtained?

Technical/scientific

Which standard states that, to provide reliable and valid testimony, the expert has the "ethical responsibility to present a complete and unbiased picture of the . . . research relevant to the case at hand?"

The Daubert standard

What is the main information being sought when examining e-mail headers?

The originating e-mail's domain name or an IP address

What is reduced by knowing who the parties in a case are?

The possibility of conflict of interest

What does the SIM file structure begin with?

The root of the system (MF)

What limits the data that can be sought in a criminal investigation?

The search warrant

What technique, in which multiple phones take turns sharing a channel, does the Global System for Mobile Communications (GSM) use?

Time Division Multiple Access

Bitmap images are collections of dots, or pixels, in a grid format that form a graphic.

True

If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.

True

In the United States, there's no state or national licensing body for digital forensics examiners.

True

Lawyers use services called deposition banks (libraries), which store examples of expert witnesses' previous testimony.

True

The chain of custody of evidence supports the integrity of your evidence.

True

The two major forms of steganography are insertion and substitution

True

There are inherent conflicts between the goals of attorneys and the goals of scientists or technicians (experts).

True

What kinds of images are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes?

Vector Graphics

To view e-mail headers on Yahoo!, what should be clicked on after "More" has been selected?

View Raw Message

Which document is sworn to under oath and penalty of perjury, or a comparable false swearing statute?

Written Report

Which header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03?

XIF

What should you use to verify evidence and thus ensure its integrity?

hash algorithms

What method might be used by opposing attorneys to prevent an investigator from serving on an important case?

Conflicting out

Which document offers comprehensive guidance for psychologists, with an entire section devoted to forensics activities?

APA's Ethics Code

What should be created in order to begin a digital forensics case?

An Investigation Plan

A written report is often submitted as what type of document?

An affidavit

Which document serves as a guideline for knowing what questions an investigator should expect when testifying?

An examination plan

Under FRCP, Rule 26, where must the investigator's curriculum vitae be placed unless the bona fides are integrated elsewhere?

Appendixes

Which program has an indexed version of the NIST NSRL of MD5 hashes that can be imported to enhance searching for and eliminating known OS and application files?

Autopsy

Which data-hiding technique changes data from readable code to data that looks like binary executable code?

Bit Shifting

Which images store graphics information as grids of pixels?

Bitmap

What technology, developed during WWII, uses the full radio spectrum to define channels and is now used in the U.S. by Sprint, U.S. Cellular, and Verizon?

CDMA

What term refers to recovering fragments of a file?

Carving

What name is used for the configuration typically used for e-mail messages that are distributed from a central server to many connected client computers?

Client/server architecture

In which discipline do professionals listen to voice recordings to determine who's speaking or read e-mail and other writings known to be by a certain person and determine whether that person wrote the e-mail or letter in question?

Forensic linguistics

What tools are used to create, modify, and save bitmap, vector, and metafile graphics?

Graphics Editors

What is the simplest way to access a file header?

Hexadecimal editor

Because digital forensics tools have limitations in performing hashing, what tools should be used to ensure data integrity?

Hexadecimal editors

What structure is used for the file system for a SIM card?

Hierarchical

Which data-hiding technique places data from the secret file into the host file without displaying the secret data when the host file is viewed in its associated program?

Insertion

Which type of compression compresses data permanently by discarding bits of information in the file?

Lossy

Metadata in a prefetch file contains an application's ____ times in UTC format and a counter of how many times the application has run since the prefect file was created.

MAC