ITN 276 Midterm (Chapter 1 - 7)
RFC 3864 describes message header field names. Information about how the message is to be displayed, usually a Multipurpose Internet Mail Extensions (MIME) type, refers to which header field?
Content-Type
__________ is a U.S. law that prescribes procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between foreign powers and agents of foreign powers, which may include American citizens and permanent residents suspected of espionage or terrorism.
Foreign Intelligence Surveillance Act (FISA)
__________ is a Linux Live CD that you use to boot a system and then use the tools. It is a free Linux distribution, making it attractive to schools teaching forensics or laboratories on a strict budget.
Kali Linux
Which operating system uses the ext file system natively?
Linux
__________ is perhaps the most widely used public key cryptography algorithm in existence today.
RSA
__________ was the first law meant to curtail unsolicited email. However, the law has many loopholes.
The CAN-SPAM Act
__________ sets standards for digital evidence processing, analysis, and diagnostics.
The DoD Cyber Crime Center (DC3)
A symbolic link in Linux is similar to a ____________.
Windows shortcute
China Eagle Union is __________.
a Chinese cyberterrorism group
Which of the following is NOT true of chain of custody forms?
a chain of custody form is a federal form and is therefore universal
__________ is designed to render a target unreachable by legitimate users, not to provide the attacker access to the site.
a denial of service (DoS) attack
__________ is the cyber equivalent of vandalism.
a denial of service (DoS) attack
How you will gather evidence and which tools are most appropriate for a specific investigation are part of ___________.
a forensic analysis plan
What is the definition of stream cipher?
a form of cryptography that encrypts the data as a stream, one bit at a time
What is meant by symmetric cryptography?
a method in which the same key is used to encrypt and decrypt plaintext
What is the definition of Post Office Protocol version 3 (POP3)?
a protocol used to receive email that works on port 110
What is Internet Message Access Protocol (IMAP)?
a protocol used to receive email that works on port 143
Windows uses __________ on each system as a "scratch pad" to write data when additional random access memory (RAM) is needed.
a swap file
__________ contains remnants of word processing documents, emails, Internet browsing activity, database entries, and almost any other work that has occurred during past Windows sessions.
a swap file
EIDE is _________.
a type of magnetic drive
A(n) __________ is an email server that strips identifying information from an email message before forwarding it with the third-party mailing computer's IP address.
anonymizer
The process of sending an email message to an anonymizer is the definition of what?
anonymous remailing
Susan is a hacker. After breaking into a computer system and running some hacking tools, she deleted several files she created to cover her tracks. What general term describes Susan's actions?
anti-forensics
What is the definition of a virus, in relation to a computer?
any software that self-replicates
__________ is cryptography wherein two keys are used: one to encrypt the message and another to decrypt it.
asymmetric cryptography
The __________ cipher is a Hebrew code that substitutes the first letter of the alphabet for the last letter and the second letter for the second-to-last letter, and so forth.
atbash
Use of __________ enables an investigator to reconstruct file fragments if files have been deleted or overwritten.
bit-level tools
Secure versions of email protocols are encrypted with Transport Layer Security (TLS).
True
You can make a bit-level copy of a computer hard drive using basic Linux commands.
True
Paige is attempting to recover data from a failed hard disk. She removed the failed drive from the system on which it was installed, and then connected it to a test system. She made the connection by simply connecting the data and power cables but did not actually install the failed drive. What step should she perform next?
booth the test system from its own internal drive
One must be able to show the whereabouts and custody of evidence, how it was handled, stored and by whom, from the time the evidence is first seized by a law enforcement officer or civilian investigator until the moment it is shown in court. This is referred to as ________.
chain of custody
The __________ is the continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.
chain of custody
The basic repair tool in Windows is _______.
chkdsk
An environment that has a controlled level of contamination, such as from dust, microbes, and other particles is the definition of a __________.
clean room
The file allocation table is a list of entries that map to each __________ on the disk partition.
cluster
The two NTFS files of most interest to forensics are the Master File Table (MFT) and the __________.
cluster bitmap
Generally, __________ is considered to be the use of analytical and investigative techniques to identify, collect, examine, and preserve evidence or information that is magnetically stored or encoded.
computer forensics
The __________ was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.
computer security act of 1987
An inode is a data structure in the Windows NTFS file system that stores all information about a file except its name and its actual data.
false
Consistency checking analysis is usually much slower than zero-knowledge analysis.
false
Damage to how data is stored on a disk, such as file system corruption, is the definition of physical damage.
false
Data Encryption Standard (DES) is a stream cipher.
false
Data Encryption Standard (DES) is often used to allow parties to exchange a symmetric key through some insecure medium, such as the Internet.
false
Denial of service (DoS) attack refers to the type of password crackers that work with pre-calculated hashes of all passwords available within a certain character space.
false
Disk Investigator is a Linux Live CD that you use to boot a system and then use the tools.
false
Disk forensics refers to the process of examining malicious computer code.
false
During an attack, hackers break into computer systems and steal secret defense plans of the United States. This is an example of a Trojan horse.
false
Email programs use different email formats, depending on the operating system upon which they run.
false
Essentially, the ROT13 cipher is a multialphabet cipher, consisting of 13 possible letters.
false
From the perspective of digital forensics, changing the time or date stamp on a file does not alter the file.
false
Identity theft refers to any software that monitors activity on a computer.
false
If you change the extension of a file so it looks like some other type of file, you also change the file structure itself.
false
In Windows, files that are moved to the Recycle Bin are permanently deleted.
false
Internet forensics is the study of the source and content of email as evidence.
false
It is legal to monitor the computers of adult relatives as long as they are living in your home.
false
Kasiski examination is a nontechnical means of obtaining information you would not normally have access to.
false
Kerckhoffs' principle states that the security of a cryptographic algorithm depends only on the secrecy of the algorithm.
false
Life span refers to how long information is accurate.
false
Logical damage control is a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification.
false
Malware forensics is also known as Internet forensics.
false
Malware that executes damage when a specific condition is met is the definition of a Trojan horse.
false
Offline analysis is another term for live analysis.
false
Once you receive an email, it no longer exists on the sending server.
false
Ophcrack uses cross-site scripting to crack passwords.
false
Post Office Protocol version 3 (POP3) is a protocol used to send email. It typically operates on port 143.
false
Residual information in file slack is always overwritten when a new file is created.
false
Spyware software is legal, if used correctly.
false
Storage servers in a forensics lab should be backed up at least once a month.
false
The Communications Assistance to Law Enforcement Act states that whoever knowingly uses a misleading domain name on the Internet with the intent to deceive a person into viewing material constituting obscenity shall be fined or imprisoned not more than 2 years, or both.
false
The Electronic Communications Privacy Act of 1986 protects children 13 years of age and younger from the collection and use of their personal information by websites.
false
The Federal Bureau of Investigation (FBI) is the premier federal agency tasked with combating cybercrime.
false
The Feistel function encrypts data as a stream, one bit at a time.
false
The Patriot Act requires that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities.
false
The Tribal Flood Network (TFN) is one of the most widely deployed viruses.
false
The benefit of using automated forensic systems is that you do not have to know how to perform all forensic processes manually.
false
The main advantage of POP3 over IMAP is it allows the client to download only the email headers to the machine, so that the user can choose which messages are to be downloaded completely.
false
The only way to clean random access memory (RAM) is with cleansing devices known as sweepers or scrubbers.
false
The process of acquiring and analyzing information stored on physical storage media, such as computer hard drives or smartphones is the definition of anti-forensics.
false
The start-up time for solid-state drives (SSDs) is usually much slower than for magnetic storage drives.
false
The term distributed denial of service (DDoS) attack describes the process of connecting to a server that involves three packets being exchanged.
false
The term transposition refers to the art and science of writing hidden messages.
false
The tracert command provides reliable, consistent, and accurate routing information for an email.
false
The underlying operating system of Mac OS X is based on Windows.
false
The word cryptography is derived from the word kryptós, which means hidden, and the verb gráfo, which means picture.
false
To achieve American Society of Crime Laboratory Directors (ASCLD) accreditation, a lab must meet about 40 criteria.
false
Two techniques are common for recovering data after physical damage: consistency checking and zero-knowledge analysis.
false
Viruses are difficult to locate but easy to trace back to the creator.
false
When a file on a Windows drive is deleted, the data is removed from the drive.
false
When seizing a suspect computer, you need to remove drives only if they are currently attached to cabling.
false
With the consistency checking file system repair technique, a computer's file system is rebuilt from scratch using knowledge of an undamaged file system structure.
false
You can view the header of an email in Microsoft Outlook but not Google Gmail.
false
a SYN flood is software that self-replicates.
false
computer forensics is the exclusive domain of law enforcement.
false
The unused space between the logical end of file and the physical end of file is known as __________.
file slack
Which of the following is true of hard drives?
file systems look at clusters, not sectors
What are attributes of a solid-state drive (SSD)?
flash memory and microchips
Any attempt to gain financial reward through deception is called ______.
fraud
The basic repair tool in Linux is _______.
fsck
The Linux/UNIX command __________ can be used to search for files or contents of files.
grep
__________ is offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system.
physical analysis
The __________ command is used to send a test network packet, or echo packet, to a machine to determine if the machine is reachable and how long the packet takes to reach the machine.
ping
What common email header field is commonly used with the values "bulk," "junk," or "list"; or used to indicate that automated "vacation" or "out of office" responses should not be returned for the mail?
precedence
A system forensics specialist has three basic tasks related to handling evidence: find evidence, preserve evidence, and __________ evidence.
prepare
The __________ protects journalists from being required to turn over to law enforcement any work product and documentary material, including sources, before it is disseminated to the public.
privacy protection act of 1980
_________ is the method used by password crackers who work with pre-calculated hashes of all passwords possible within a certain character space.
rainbow table
The Electronic Communications Privacy Act requires an investigator to have a wiretap order to acquire ___________ information from an Internet service provider (ISP).
real-time access
What common email header field includes tracking information generated by mail servers that have previously handled a message, in reverse order?
received
Which file recovery tool works in Linux and Mac OS, and in Windows if you compile the source code?
scalpel
When gathering systems evidence, what is NOT a common principle?
search throughout a device
What uses microchips that retain data in non-volatile memory chips and contains no moving parts?
solid-state drive (SSD)
What is a type of targeted phishing attack in which the criminal targets a specific group; for example, IT staff at a bank?
spear phising
__________ involves making an email message appear to come from someone or someplace other than the real sender or location.
spoofing
Aditya is a digital forensics specialist. He is investigating the computer of an identity theft victim. What should he look for first?
spyware
An example of volatile data is __________.
state of network connections
__________ is the process of analyzing a file or files for hidden content.
steganalysis
People try to thwart investigators by using encryption to scramble information or _________ to hide information, or both together.
steganography
________ is the art and science of writing hidden messages.
steganography
__________ is a term that refers to hiding messages in sound files.
steganophony
In FAT and NTFS file systems, a __________ is used to map files to specific clusters where they are stored on the disk.
table
What term describes data that an operating system creates and overwrites without the computer user directly saving this data?
temporary data
What term describes information that forensic specialists use to support or interpret real or documentary evidence? For example, a specialist might demonstrate that the fingerprints found on a keyboard are those of a specific individual.
testimonial evidence
The only requirement of __________ is that the sender must provide some mechanism whereby the receiver can opt out of future emails and that method cannot require the receiver to pay in order to opt out.
the CAN-SPAM act
If an Internet service provider (ISP) or any other communications network stores an email, retrieval of that evidence must be analyzed under __________. This creates statutory restrictions on government access to such evidence from ISPs or other electronic communications service providers.
the Electronic Communications Privacy Act (ECPA)
The type of medium used to hide data in steganography is referred to as __________. This may be a photo, video, sound file, or Voice over IP, for example.
the channel
__________ is the concept that any scientific evidence presented in a trial has to have been reviewed and tested by the relevant scientific community.
the daubert standard
In World War II, the Germans made use of an electromechanical rotor-based cipher system known as __________.
the enigma machine
In steganography, what is meant by carrier?
the signal, stream, or data file in which the payload is hidden
What is the definition of transposition in terms of cryptography?
the swapping of blocks of ciphertext
The process of connecting to a server and exchanging packets containing acknowledgment (ACK) and synchronize (SYN) flags is called:
three-way handshake
A DVD is a type of optical media.
true
A block cipher is a form of cryptography that encrypts data in blocks.
true
A denial of service (DoS) attack typically does NOT harm data on the target server.
true
A distributed denial of service (DDoS) attack is possible with traditional telephone systems by using an automatic dialer to tie up target phone lines.
true
A forensic certification is meant to demonstrate a baseline of competence.
true
A mail server is like an electronic post office: It sends and receives electronic mail.
true
A person who uses anonymous remailing sends an email message to an anonymizer.
true
A test system is a functional system compatible with the hard drive from which someone is trying to recover data.
true
According to RFC 2822, an email message header must include the From and Date fields.
true
Advanced Encryption Standard (AES) is also known as the Rijndael block cipher.
true
Advanced Encryption Standard (AES) with a 256-bit key is secure enough for commercial applications.
true
After imaging a drive, you must always create a hash of the original and the copy.
true
All modern block-cipher algorithms use both substitution and transposition.
true
An MD5 hash taken when a computer drive is acquired is used to check for changes, alterations, or errors.
true
An attacker may distribute a logic bomb via a Trojan horse.
true
An expert witness who leaves information out of an expert report usually cannot testify about the information at trial.
true
As an email message is routed through one or more mail servers, each server adds its own information to the message header.
true
Before imaging a drive, you must forensically wipe the target drive to ensure no residual data remains.
true
Clusters in a Windows NTFS system are more likely to be overwritten as more time elapses after deletion.
true
Demonstrative evidence means information that helps explain other evidence. An example of demonstrative evidence is a chart that explains a technical concept to the judge and jury.
true
Email evidence would be useful for investigating cyberstalking but not a denial of service (DoS) attack.
true
Email tracing involves examining email header information to look for clues about where a message has been.
true
File slack and slack space are the same thing.
true
Forensically scrubbing a file or folder may involve overwriting data with random characters seven times.
true
Fraud refers to a broad category of crime that can encompass many different activities, but essentially, any attempt to gain financial reward through deception.
true
Helix is a customized Linux Live CD used for computer forensics.
true
If a hard drive has been demagnetized, there is no way to recover the data.
true
If an attacker doesn't spoof a MAC address, each packet sent in a denial of service (DoS) attack contains evidence of the machine from which it was launched.
true
If an email message resides on a sender's or recipient's computer or other device, the Fourth Amendment to the U.S. Constitution and state requirements govern the seizure and collection of the message.
true
In a forensics lab, the machines being examined should not be connected to the Internet.
true
In steganography, the term payload describes data to be covertly communicated. In other words, it is the message you want to hide.
true
Incriminating evidence shows, or tends to show, a person's involvement in an act, or evidence that can establish guilt.
true
Infinitely recursing directories is a symptom of logical damage to a file system.
true
Investigators must authenticate documentary evidence.
true
Linux file systems use hard links and symbolic links.
true
Linux stores file content in blocks, which are similar to clusters in Windows NTFS.
true
Logical damage to a disk is damage to how data is stored, for example, file system corruption.
true
Logical damage to a file system is more common than physical damage.
true
Macro and polymorphic are types of viruses.
true
Making two copies of a suspect's drive, using two different imaging tools, can help to prove that evidence is accurate.
true
Many USB drives come with a switch to put them in read-only mode.
true
Modern cryptography is separated into two distinct groups: symmetric cryptography and asymmetric cryptography.
true
Multialphabet ciphers are more secure than single-alphabet substitution ciphers; however, they are still not acceptable for modern cryptographic usage.
true
One way to obscure information is to scramble it by encryption.
true
One way to send fake emails is to use a temporary, bogus email account.
true
Ophcrack is a tool that cracks local passwords on Windows systems.
true
RAID 1 mirrors the contents of disks.
true
Real evidence means physical objects that can be touched, held, or directly observed, such as a laptop with a suspect's fingerprints on it.
true
SHA1 and SHA2 are currently the most widely used hashing algorithms.
true
Solid-state drives (SSDs) are often used in tablets and in some laptops.
true
The Caesar and Atbash ciphers are simple substitution ciphers.
true
The Caesar cipher shifts each letter of a message by a certain number and substitutes the new alphabetic letter for the letter you are encrypting.
true
The Federal Rules of Evidence (FRE) governs the admission of facts by which parties in the U.S. federal court system may prove their cases.
true
The Linux dd command is commonly used to forensically wipe a drive.
true
The Linux netcat command reads and writes bits over a network connection.
true
The USA Patriot Act includes domestic terrorism.
true
The Windows Registry is essentially a repository of all settings, software, and parameters for Windows.
true
The act of wrongfully obtaining another person's personal data is a crime, with or without stealing any money.
true
The first step in any computer forensic investigation is to make a copy of the suspected storage device.
true
The information in a routing table is more volatile than a network topology.
true
The known plaintext attack is one method used to crack modern encryption.
true
The life span of information may be as short as milliseconds to longer than one year.
true
The objective in computer forensics is to recover, analyze, and present computer-based material in such a way that it can be used as evidence in a legal proceeding.
true
The purpose of file carving is to extract the data from a single file from the larger set of data, that is, the entire disk or partition.
true
The secure version of Simple Mail Transfer Protocol (SMTP) is SMTPS on port 465.
true
The software program used to compose and read email messages is the email client.
true
The standard for email format, including headers, is RFC 2822.
true
The term scrubber refers to software that cleans unallocated drive space.
true
To avoid changing a computer system while examining it, make a forensic copy and work with that copy.
true
Turning off a computer while it is booting or shutting down can lead to logical damage of its file system.
true
USB, or universal serial bus, is actually a connectivity technology, not a storage technology.
true
Volatile memory is computer memory that requires power to maintain the data it holds.
true
When determining when evidence was created, a forensic specialist should not trust a computer's internal clock or activity logs.
true
When gathering evidence in a forensic investigation, working with a drive image is safer than working with the original drive.
true
When two files claim to share the same allocation unit (or cluster), one of the files is almost certain to lose data.
true
a warrant is not needed when evidence is in plain sight.
true
_______ is the area of a hard drive that has never been allocated for file storage.
unallocated space
What kind of data changes rapidly and may be lost when the machine that holds it is powered down?
volatile data
According to the order of volatility in RFC 3227, what evidence should you collect first on a typical system?
volatile data, then file slack
This is the space that remains on a hard drive if the partitions do not use all the available space.
volume slack
__________ refers to phishing with a specific, high-value target in mind. For example, the attacker may target the president or CEO of a company.
whaling
Which of the following is NOT true of file carving?
you can perform file carving on Windows and Linux file systems, but not Mac OS.
When attempting to recover a failed drive, which of the following is NOT true?
you should connect the failed drive to a test system and make the failed drive bootable
With respect to phishing, a good fictitious email gets a __________ response rate, according to the Federal Bureau of Investigation (FBI).
1 to 3 percent
__________ aims at perpetrators who attempt to hide the pornographic nature of their websites, often to make it more accessible to minors.
18 U.S.C. 2252B
The typical sector size of a modern hard drive is _______ bytes.
4,096
The total number of possible keys for Data Encryption Standard (DES) is _________, which a modern computer system can break in a reasonable amount of time.
56
What is the definition of Feistel function?
A cryptographic function that splits blocks of data into two parts; it forms the basis for many block ciphers
What is the definition of hash?
A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions
What is Simple Mail Transfer Protocol (SMTP)?
A protocol used to send email that works on port 25
What is meant by zero-knowledge analysis?
A technique for file system repair that involves recovering data from a damaged partition with limited knowledge of the file system
Which forensic certification is open to both the public and private sectors and is specific to the use and mastery of FTK?
AccessData Certified Examiner
What is meant by distributed denial of service (DDoS) attack?
An attack in which the attacker seeks to infect several machines, and use those machines to overwhelm the target system to achieve a denial of service
The __________ is a federal wiretap law for traditional wired telephony that was expanded to include wireless, voice over internet protocol (VoIP), and other forms of electronic communications.
Communications Assistance for Law Enforcement Act of 1994
_______ is an industry certification that focuses on knowledge of PC hardware.
CompTIA A+
__________ is a free utility that comes as a graphical user interface for use with Windows operating systems. When you first launch the utility, it presents you with a cluster-by-cluster view of your hard drive in hexadecimal form.
Disk Investigator
The basic repair tool in Mac OS is _______.
Disk Utility
Jan is entering the digital forensics field and wants to pursue a general forensics certification. Which certification is BEST to start with?
EC-Council Certified Hacking Forensic Investigator (CHFI)
The __________ format is a proprietary file format defined by Guidance Software for use in its forensic tool to store hard drive images and individual files.
EnCase
__________ describes the total number of coprime numbers; two numbers are considered coprime if they have no common factors.
Euler's Totient
Which of the following requires certification candidates to take an approved training course, pass a written test, and submit to a review of the candidate's work history?
High Tech Crime Network certifications
What was designed as an area where computer vendors could store data that is shielded from user activities and operating system utilities, such as delete and format?
Host protected area (HPA)
Files with .pst extensions belong to which email client?
Microsoft Outlook
Windows 2000 and newer Windows operating systems use the __________ file system.
NTFS
One principal of evidence gathering is to avoid changing the evidence. Which of the following is NOT true of evidence gathering?
Photograph seized equipment after you set it up in the lab
What term is used to describe a protocol used to receive email that works on port 110?
Post Office Protocol version 3 (POP3)
What version of RAID involves three or more striped disks with parity that protect data against the loss of any one disk?
RAID 3 or 4
The __________ cipher is a single-alphabet substitution cipher that is a permutation of the Caesar cipher. All characters are rotated 13 characters through the alphabet.
ROT13
__________ govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.
Rules of evidence
Which of the following BEST defines rules of evidence?
Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury
The __________ contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies.
Sarbanes-Oxley Act of 2002
What name is given to a protocol used to send email that works on port 25?
Simple Mail Transfer Protocol (SMTP)
The __________ has significantly reduced restrictions on law enforcement agencies' gathering of intelligence within the United States. It has also expanded the Secretary of the Treasury's authority to regulate financial transactions, particularly those involving foreign individuals and entities.
The USA Patriot Act
The __________ cipher is a method of encrypting alphabetic text by using a series of different monoalphabetic ciphers selected based on the letters of a keyword.
Vigenère
__________ is information at the level of 1s and 0s stored in computer memory or on a storage device.
bit-level information
What name is given to a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification?
consistency checking
Ben was browsing reviews on a sporting goods website from which he purchased items in the past. He saw a comment that read "Great price on camping gear! Read my review." When he clicked the associated link, a new window appeared and prompted him to log in again. What type of attack is most likely underway?
cross-site scripting (XSS)
What term describes a method of using techniques other than brute force to derive a cryptographic key?
cryptanalysis
__________ obfuscates a message so that it cannot be read.
cryptography
The use of electronic communications to harass or threaten another person is the definition of __________.
cyberstalking
Advanced Encryption Standard (AES) can have three different key sizes: 256, 512, or 1024 bits.
false
a suspect stores data where an investigator is unlikely to find it. What is this technique called?
data hiding
The distribution of illegally copied materials via the Internet is known as __________.
data piracy
Ed is an expert witness providing testimony in court. He uses a high-tech computer animation to explain a technical concept to the judge and jury. What type of evidence is Ed using?
demonstrative
A SYN flood is an example of a(n) _______.
denial of service (DoS) attack
The term ______ refers to testimony taken from a witness or party to a case before a trial.
deposition
__________ is information that has been processed and assembled to be relevant to an investigation, and that supports a specific finding or determination.
digital evidence
Identification, preservation, collection, examination, analysis, and presentation are six classes in the matrix of the __________.
digital forensic research workshop (DFRWS)
__________ is data stored as written matter, on paper or in electronic files.
documentary evidence
What is a formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted?
expert report
A CPU cache is not volatile, whereas a CD-ROM is volatile.
false
A brute-force attack on a polyalphabetic substitution cipher can deduce the length of the keyword used in the cipher.
false
A sector is the basic unit of data storage on a hard disk, which is usually 64 KB.
false
A swap file is an example of persistent data.
false
A symbolic link is an inode that links directly to a specific file.
false
Jim is a forensic specialist. He seized a suspect computer from a crime scene, removed the hard drive and bagged it, documented and labeled the equipment, took photographs, completed a chain of custody form, and locked the computer in his car. On the way to the lab, he stopped to purchase supplies to use at the next crime scene. What did Jim do wrong?
he left the computer unattended while shopping for supplies
The email __________ keeps a record of the message's journey as it travels through a communications network.
header
Most often, criminals commit __________ in order to perpetrate some kind of financial fraud.
identity theft
A(n) __________ is a data structure in the Linux file system that stores all the information about a file except its name and actual data.
inode
Which of the following are subclasses of fraud?
investment offers and data piracy
What is NOT true of cyberstalking?
is not a criminal offense
What is NOT true of random access memory (RAM)?
it cannot be changed
What name is given to a method of attacking polyalphabetic substitution ciphers? This method can be used to deduce the length of the keyword used in a polyalphabetic substitution cipher.
kasiki examination
Forensic investigators who collect data as evidence must understand the __________ of information, which refers to how long it is valid.
life span
What is the process of searching memory in real time, typically for working with compromised hosts or to identify system abuse?
live system forensics
Malware that executes damage when a specific condition is met is the definition of __________.
logic bomb
What term describes analysis performed on an evidence disk or a forensic duplicate using the native operating system?
logical analysis
The number 22 for SSH (Secure Shell) and 80 for Hypertext Transfer Protocol (HTTP) are examples of ________.
logical port numbers
What term describes data about information, such as disk partition structures and file tables?
metadata
Two of the easiest things to extract during __________ are a list of all website uniform resource locators (URLs) and a list of all email addresses on the computer.
physical analysis
