ITSY-2343 Mid Term Review
____ is the file structure database that Microsoft originally designed for floppy disks. a. NTFS b. FAT32 c. VFAT d. FAT
d. FAT
In ____, two or more disk drives become one large volume, so the computer views the disks as a single disk. a. RAID 0 b. RAID 1 c. RAID 5 d. RAID 6
a. RAID 0
____ is a data-hiding technique that uses host files to cover the contents of a secret message. a. Steganography b. Steganalysis c. Graphie d. Steganos
a. Steganography
Image files can be reduced by as much as ____% of the original when using lossless compression. a. 15 b. 25 c. 30 d. 50
d. 50
The uppercase letter ____ has a hexadecimal value 41. a. "A" b. "C" c. "G" d. "Z"
a. "A"
For Windows XP, 2000, and NT servers and workstations, RAID 0 or ____ is available. a. 1 b. 4 c. 2 d. 5
a. 1
Digital forensics tools are divided into ____ major categories. a. 2 b. 3 c. 4 d. 5
a. 2
____ was created by police officers who wanted to formalize credentials in digital investigations. a. HTCN b. NISPOM c. TEMPEST d. IACIS
d. IACIS
____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program. a. Replacement b. Append c. Substitution d. Insertion
d. Insertion
When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to avoid damage to the drive from overheating. a. 80 b. 90 c. 95 d. 105
a. 80
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. a. Data recovery b. Network forensics c. Computer forensics d. Disaster recovery
a. Data recovery
When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____. a. EFS b. VFAT c. LZH d. RAR
a. EFS
By the early 1990s, the ____ introduced training on software for forensics investigations. a. IACIS b. FLETC c. CERT d. DDBIA
a. IACIS
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System. a. NTFS b. ext3 c. FAT24 d. ext2
a. NTFS
The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03. a. TIFF b. XIF c. JPEG d. GIF
b. XIF
Generally, digital records are considered admissible if they qualify as a ____ record. a. hearsay b. business c. computer-generated d. computer-stored
b. business
In the ____, you justify acquiring newer and better resources to investigate digital forensics cases. a. risk evaluation b. business case c. configuration plan d. upgrade policy
b. business case
The raw data format, typically created with the Linux ____ command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive. a. rawcp b. dd c. d2dump d. dhex
b. dd
A ____ is where you conduct your investigations, store evidence, and do most of your work. a. forensic workstation b. digital forensics lab c. storage room d. workbench
b. digital forensics lab
A(n) ____ should include all the tools you can afford to take to the field. a. initial-response field kit b. extensive-response field kit c. forensic lab d. forensic workstation
b. extensive-response field kit
Most remote acquisitions have to be done as ____ acquisitions. a. static b. live c. sparse d. hot
b. live
Records in the MFT are called ____. a. hyperdata b. metadata c. inodes d. infodata
b. metadata
Most digital investigations in the private sector involve ____. a. e-mail abuse b. misuse of digital assets c. Internet abuse d. VPN abuse
b. misuse of digital assets
Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses. a. line of authority b. right of privacy c. line of privacy d. line of right
b. right of privacy
A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock. a. gypsum b. steel c. wood d. expanded metal
b. steel
The most common and flexible data-acquisition method is ____. a. Disk-to-disk copy b. Disk-to-network copy c. Disk-to-image file copy d. Sparse data copy
c. Disk-to-image file copy
____ was introduced when Microsoft created Windows NT and is still the main file system in Windows 10. a. FAT32 b. VFAT c. NTFS d. HPFS
c. NTFS
____ contains the Windows XP system service dispatch stubs to executable functions and internal support functions. a. Ntdll.dll b. User32.dll c. Advapi32.dll d. Gdi32.dll
a. Ntdll.dll
Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0 and 3.0, SATA, PATA, and SCSI controllers. a. USB b. IDE c. LCD d. PCMCIA
a. USB
In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations. a. authorized requester b. authority of line c. line of right d. authority of right
a. authorized requester
A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing. a. disaster recovery b. risk management c. configuration management d. security
a. disaster recovery
The simplest way to access a file header is to use a(n) ____ editor. a. hexadecimal b. image c. disk d. text
a. hexadecimal
Under copyright laws, computer programs may be registered as ____. a. literary works b. motion pictures c. architectural works d. audiovisual works
a. literary works
Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes. a. much easier than b. as easy as c. as difficult as d. more difficult than
a. much easier than
Courts consider evidence data in a computer as ____ evidence. a. physical b. invalid c. virtual d. logical
a. physical
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools. a. proprietary b. raw c. AFF d. AFD
a. proprietary
A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. a. warning banner b. right of privacy c. line of authority d. right banner
a. warning banner
Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult. a. whole disk encryption b. backup utilities c. recovery wizards d. NTFS
a. whole disk encryption
The EMR from a computer monitor can be picked up as far away as ____ mile. a. 1/4 b. 1/2 c. 3/4 d. 1
b. 1/2
In general, forensics workstations can be divided into ____ categories. a. 2 b. 3 c. 4 d. 5
b. 3
____ involves sorting and searching through investigation findings to separate good data and suspicious data. a. Validation b. Filtering c. Acquisition d. Reconstruction
b. Filtering
____ compression compresses data by permanently discarding bits of information in the file. a. Redundant b. Lossy c. Huffman d. Lossless
b. Lossy
Autopsy uses ____ to validate an image. a. RC4 b. MD5 c. AFF d. AFD
b. MD5
____ is the physical address support program for accessing more than 4 GB of physical RAM. a. Hal.dll b. Ntkrnlpa.exe c. BootSect.dos d. Io.sys
b. Ntkrnlpa.exe
The primary hash algorithm used by the NSRL project is ____. a. MD5 b. SHA-1 c. CRC-32 d. RC4
b. SHA-1
____ disks are commonly used with Sun Solaris systems. a. F.R.E.D. b. SPARC c. FIRE IDE d. DiskSpy
b. SPARC
____ has been used to protect copyrighted material by inserting digital watermarks into a file. a. Encryption b. Steganography c. Compression d. Archiving
b. Steganography
____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr. a. Hal.dll b. Boot.ini c. NTDetect.com d. BootSect.dos
c. NTDetect.com
____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed. a. HTCN reports b. IDE reports c. Uniform crime reports d. ASCLD reports
c. Uniform crime reports
____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes. a. Bitmap images b. Metafile graphics c. Vector graphics d. Line-art images
c. Vector graphics
The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions. a. raw b. bitcopy c. dcfldd d. man
c. dcfldd
It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant. a. litigation b. prosecution c. exhibits d. reports
c. exhibits
If you can't open a graphics file in an image viewer, the next step is to examine the file's ____. a. extension b. name c. header data d. size
c. header data
Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____. a. conclusive b. regular c. hearsay d. direct
c. hearsay
With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible. a. bit-stream copy utility b. extensive-response field kit c. initial-response field kit d. seizing order
c. initial-response field kit
If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available. a. passive b. static c. live d. local
c. live
You should have at least one copy of your backups on site and a duplicate or a previous copy of your backups stored in a safe ____ facility. a. in-site b. storage c. off-site d. online
c. off-site
Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer. a. silver-tree b. gold-tree c. silver-platter d. gold-platter
c. silver-platter
____ records are data the system maintains, such as system log files and proxy server logs. a. Computer-generated b. Business c. Computer-stored d. Hearsay
a. Computer-generated
Magnet ____ enables you to acquire the forensic image and process it in the same step. a. DEFR b. FTK c. dd d. AXIOM
d. AXIOM
The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence. a. Federal Rules of Evidence (FRE) b. Department of Defense Computer Forensics Laboratory (DCFL) c. DIBS d. Computer Analysis and Response Team (CART)
d. Computer Analysis and Response Team (CART)
____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the a. Hal.dll b. Pagefile.sys c. Ntoskrnl.exe d. Device drivers
d. Device drivers
The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems. a. Apple b. Atari c. Commodore d. IBM
d. IBM
The JFIF ____ format has a hexadecimal value of FFD8 FFE0 in the first four bytes. a. EPS b. BMP c. GIF d. JPEG
d. JPEG
On an NTFS disk, immediately after the Partition Boot Sector is the ____. a. FAT b. HPFS c. MBR d. MFT
d. MFT
____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment. a. Risk configuration b. Change management c. Configuration management d. Risk management
d. Risk management
The image format XIF is derived from the more common ____ file format. a. GIF b. JPEG c. BMP d. TIF
d. TIF
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____. a. blotter b. exhibit report c. litigation report d. affidavit
d. affidavit
One way to compare results and verify a new tool is by using a ____, such as Hex Workshop or WinHex. a. disk imager b. write-blocker c. bit-stream copier d. disk editor
d. disk editor
You use ____ to create, modify, and save bitmap, vector, and metafile graphics. a. graphics viewers b. image readers c. image viewers d. graphics editors
d. graphics editors
Published company policies provide a(n) ____ for a business to conduct internal investigations. a. litigation path b. allegation resource c. line of allegation d. line of authority
d. line of authority
The ____ command displays pages from the online help manual for information on Linux commands and their options. a. cmd b. hlp c. inst d. man
d. man
Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility. a. professional policy b. oath c. line of authority d. professional conduct
d. professional conduct
Evidence is commonly lost or corrupted through ____, which involves the presence of police officers and other professionals who aren't part of the crime scene-processing team. a. onlookers b. HAZMAT teams c. FOIA laws d. professional curiosity
d. professional curiosity
In general, a criminal case follows three stages: the complaint, the investigation, and the ____. a. litigation b. allegation c. blotter d. prosecution
d. prosecution
Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a ____ that a law or policy is being violated. a. confirmed suspicion b. proof c. court order stating d. reasonable suspicion
d. reasonable suspicion
To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe. a. secure workstation b. secure workbench c. protected PC d. secure facility
d. secure facility
One technique for extracting evidence from large systems is called ____. a. RAID copy b. RAID imaging c. large evidence file recovery d. sparse acquisition
d. sparse acquisition
Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example. a. live b. online c. real-time d. static
d. static
Steganalysis tools are also called ____. a. image editors b. image tools c. hexadecimal editors d. steg tools
d. steg tools