master forensics .5

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

The ____________ format is a proprietary format used by Adobe Photoshop.

.psd

What is the name of the Microsoft solution for whole disk encryption?

BitLocker

What option below is an example of a platform specific encryption tool?

BitLocker

Chapter 8 Most digital cameras use the bitmap format to store photos.​ t/f

False

____________ is a specialized carving tool that can read many image file formats, such as RAW and Expert Witness

Foremost

Adding the _____________ flag to the ls -l file command has the effect of showing all the files beginning with the "." character in addition to other files.

-a

Chapter 1 The term ??? describes a database containing information records about crimes that have been committed previously by a criminal. a. police ledger b. police blotter c. police blogger d. police recorder

b. police blotter

If practical, ________ team(s) should collect and catalog digital evidence at a crime or lab.

One

In what mode do most write-blockers run?

Shell mode

A RAID 3 array uses distributed data and distributed parity in a manner similar to a RAID 5 array

TRUE

Each graphics file type has a unique header value.

TRUE

The only pieces of metadata not in an inode are the filename and path.

TRUE

The term "kernel" is often used when discussing Linux because technically, Linux is only the core of the OS.

TRUE

When seizing digital evidence in criminal investigations, whose standards should be followed?

U.S. DOJ

18. Which of the following is not a valid configuration of Unicode?

UFT-64

The Mac OS reduces file fragmentation by using ____________

clumps

Chapter 6 When performing disk acquisition, the raw data format is typically created with the UNIX/Linux ??? command a. format b. tar c. dump d. dd

d. dd

Chapter 2 Which tool below is not recommended for use in a forensics lab? a. 2.5-inch adapters for drives b. firewire and usb adapters c. SCSI card d. degusser

d. degusser

6) What format was developed as a standard for storing metadata in image files?

exif

13. In what temporary location below might passwords be stored?

pagefile.sys

In general, what would a lightweight forensics workstation consist of?

A laptop computer build into a carrying case with a small selection of peripheral options

Which of the following is stated within the ISO 27037 standard?

Digital Evidence First Responders should use validated tools.

What ISO standard below is followed by the ASCLD?

ISO17025:2005

What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume?

$LogFile

Chapter 7 Adding the _____________ flag to the ls -l command has the effect of of showing all files beginning with the "." character in addition to other files.

-a

The _______ switch can be used with the split command to adjust the size of segmented volumes created by the dd command.

-b

The _________ switch can be used with the split command to adjust the size of segmented volumes created by the dd command.

-b

Which of the following is not considered to be a non-standard graphics file format?

.dxf

The ProDiscover utility makes use of the proprietary __________ file format.

.eve

An investigator wants to capture all the data on a SATA drive connected to a Linux system. What should the investigator use for the "if=" portion of the dcfldd command?

/dev/sda

​An investigator wants to capture all data on a SATA drive connected to a Linux system. What should the investigator use for the "if=" portion of the dcfldd command?

/dev/sda

Chapter 7 Where is the root user's home directory located on a Mac OS X file system?

/private/var/root

Where is the root user's home directory located on a Mac OS X file system?

/private/var/root

As part of a forensics investigation, you need to recover the logon and logoff history information on a Linux based OS. Where can this information be found?

/var/log/wtmp

Chapter 7 As part of a forensics investigation, you need to recover the logon and logoff history information on a Linux based OS. Where can this information be found?

/var/log/wtmp

What hexadecimal code below identifies an NTFS file system in the partition table?

07

A Master Boot Record (MBR) partition table marks the first partition starting at what offset?

0x1BE

Chapter 4 ??? are a special category of private sector businesses, due to their ability to investigate computer abuse committed by employees only, but not customers. a. hospitals b. ISPs c. law firms d. news networks

b. ISPs

Chapter 2 ??? describes the characteristics of a safe storage container. a. ISO2960 b. NISPOM c. SSO 990 d. STORSEC

b. NISPOM

Chapter 1 The ??? is responsible for analyzing data and determining when another specialist should be called in to assist with analysis. a. digital evidence recorder b. digital evidence specialist c. digital evidence analyst d. digital evidence examiner

b. digital evidence specialist

Chapter 2 How often should hardware be replace within a forensics lab? a. every 6 to 12 months b. every 12 to 18 months c. every 18 to 24 months d. every 24 to 30 months

b. every 12 to 18 months

Chapter 6 What option below is an example of a platform specific encryption tool? a. GnuPG b. TrueCrypt c. BitLocker d. Pretty Good Privacy (PGP)

c. BitLocker

Chapter 3 Which option below is not a Linus live CD meant for use as a digital forensics tool? a. penguin sleuth b. kali Linux c. Ubuntu d. caine

c. Ubuntu

9. Reconstructing fragments of files that have been deleted from a suspect drive, is known as ______ in North America.

carving

The ___________ command inserts a HEX E5 (0xE5)in a filename's first letter position in the associated directory entry.

delete

The process of converting raw picture data to another format is called _______.

demosaicing

Which of the following commands creates an alternate data stream?

echo text > myfile.txt:stream_name

The Linux command ________ can be used to list the current disk devices connected to the computer.

fdisk -1

How long are computing components designed to last in a normal business environment?

18-36 months

What act defines precisely how copyright laws pertain to graphics?

1976 Copyright Act

When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files?

2 GB

Chapter 7 Within the /etc/shadow file, what field contains the password hash for a user account if one exists?

2nd field

Within the /etc/shadow file, what field contains the password hash for a user account if one exists?

2nd field

In order to qualify for the CCFT basic level certification, how many hours of computer forensics training are required?

40

All TIF files start at offset 0 with what 6 hexadecimal characters?

49 49 2A

20. In order to qualify for the advanced certified forensic technician certification, a candidate must have ____ of hands-on experience in computer forensics investigations

5 years

A typical disk drive stores how many bytes in a single sector?

512

Chapter 7 What is the minimum size of a block in UNIX/Linux filesystems?

512

What is the minimum size of a block in UNIX/Linux filesystems?

512 bytes

What percentage of consumers utilize Intel and AMD PCs?

90%

What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigation?

Certified Cyber Forensics Professional

What is the goal of the NSRL project created by NIST?

Collect known hash values for commercial software and OS files using SHA hashes.

What type of media has a 30-year lifespan?

DLT magnetic tape

Which tool below is not recommended for use in forensics lab?

Degausser

A computer stores system configuration and date and time information in the BIOS when power to the system is off.

FALSE

Because they are outdated, ribbon cables should not be considered for use within a forensics lab

FALSE

Capitalization, or lack thereof, makes no difference with UNIX and Linux commands.

FALSE

FAT32 is used on older Microsoft Oss, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0.

FALSE

FTK Imager software can acquire a drive's host protected area.

FALSE

In UNIX and Linux, everything except monitors are considered files.

FALSE

Linux is a certified UNIX operating system.

FALSE

Making a logical acquisition of a drive with whole disk encryption can result in unreadable files.

FALSE

Most digital cameras use the bitmap format to store photos.

FALSE

Physically copying the entire drive is the only type of data-copying method used in software acquisitions.

FALSE

Someone who wants to hide data can create hidden partitions or voids- large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.

FALSE

The Fourth Amendment starts the only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued. The courts have determined that this phrase means a warrant can authorize a search of specific place for anything.

FALSE

The shielding of sensitive computing systems and prevention of electronic eavesdropping of any computer emission is known as FAUST by the U.S. Department of Defense

FALSE

When you decompress data that uses a lossy compression algorithm, you regain data lost by compression.

FALSE

Which file system below is utilized by the Xbox gaming system?

FATX

What hex value is the standard indicator for jpeg graphic files?

FF D8

For all JPEG files, the ending hexadecimal marker, also known as the end of image (EOI), is _________.

FFD9

For EXIF JPEG files, the hexadecimal value starting at offset 2 is ________.

FFE1

Chapter 1 All suspected industrial espionage cases should be treated as civil case investigations. t/f

False

Chapter 3 FTK imager software can acquire a drive's host protected area t/f

False

Chapter 4 Computer-stored records are data the system maintains, such as system log files and proxy server logs. t/f

False

Chapter 4 The fourth amendment state that only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued. The courts have determined that this phrase means a warrant can authorize a search of a specific place for anything. t/f

False

Chapter 5 A computer stores system configuration and date and time information in the BIOS when power to the system is off t/f

False

Chapter 5 Someone who wants to hide data can create hidden partitions or void-large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities t/f

False

Chapter 6 Making a logical acquisition of a drive with whole disk encryption can result in unreadable files t/f

False

Chapter 6 Physically copying the entire drive is the only type of data-copying method used in software acquisition t/f

False

Chapter 7 In UNIX and Linux, everything except monitors are considered files.

False

Chapter 7 Linux is a certified UNIX operating system.

False

Chapter 8 When you decompress ​data that uses a lossy compression algorithm, you regain data lost by compression. t/f

False

_________ is the term for a statement that is made by someone other than an actual witness to the event while terrifying at a hearing.

Hearsay

A _______ is not a private sector organization

Hospital

Which technology below is not a hot-swappable technology?

IDE

______ are a special category of private sector businesses, due to their ability to investigate computer abuse committed by employees only, but not customers.

ISPs

______ creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID?

R-Tools R-Studio

Which RAID type provides increased speed and data storage capability, but lacks redundancy?

RAID 0

Which RAID type utilizes mirrored stripping, providing fast access and redundancy?

RAID 10

Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data?

RAID 5

Which option below is not a hashing function used for validation checks?

RC4

What is the purpose of the reconstruction function in a forensics investigation?

Re-create a suspect's drive to show what happened during crime or incident

Which option below is not a recommendation for securing storage containers?

Rooms with evidence containers should have a secured wireless network

What registry file contains user account management and security settings?

SAM.dat

A hash that begins with "$6" in the shadow file indicates that it is a hash from what hashing algorithm?

SHA-512

Chapter 7 A hash that begins with "$6" in the shadow file indicates that it is a hash from what hashing algorithm? 2

SHA-512

The term _______ describes rooms filled with extremely large disk systems that are typically used by large business data centers

Server farm

Which of the following is not done when preparing for a case?

Set up convert surveillance

What file under the /etc folder contains the hasned passwords for a local system?

Shadow

A TEMPEST facility is designed to accomplish which of the following goals?

Shield sensitive computing systems and prevent electronic eavesdropping of computer emissions

What registry file contains installed programs' settings and associated usernames and passwords?

Software.dat

A disaster recovery plan ensures that workstation and file servers can be restored to their original condition in the event of a catastrophe

TRUE

A forensic investigator should verify that acquisition tools can copy data in the HPA of a disk drive.

TRUE

All forensics acquisitions tools have a method for verification of the data-copying process that compares the original drive with the image.

TRUE

An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal injury, such as finding a bomb threat in an e-mail.

TRUE

Candidates who complete the IACIS test successfully are designated as a certified forensics computer examiner

TRUE

Computer-stored records are data the system maintains, such as a system log files and proxy server logs.

TRUE

Each MFT record starts with a header identifying it as a resident or nonresident attribute.

TRUE

Graphics files are created and saved in a graphics editor, such as Microsoft Paint, Adobe Freehand MX, Adobe Photoshop, or Gnome GIMP.

TRUE

Hardware and software errors or incompatibilities are a common problem when dealing with older hard drives.

TRUE

ISO standard 27037 states that the most important factors in data acquisitions are the DEFR's competency and the use of validated tools.

TRUE

Software forensics tools are grouped into command-line applications and GUI applications.

TRUE

State public disclosure laws apply to state records, but FOIA allows citizens to request copies of public documents created by federal agencies.

TRUE

The ImageUSB utility can be used to create a bootable flash drive

TRUE

The first 3 bytes of an XIF file are exactly the same as a TIF file.

TRUE

The investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant.

TRUE

The recording of all updates made to a workstation or a machine is referred to as configuration management

TRUE

When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space.

TRUE

Chapter 1 If you turn evidence over to law enforcement and begin working under their direction, you have become an agent of law enforcement, and are subject to the same restrictions on search and seizure as a law enforcement agent. t/f

True

Chapter 1 Most digital investigations in the private sector involve misuse of computing assets. t/f

True

Chapter 1 User groups for a specific type of system can be very useful in a forensics investigation. t/f

True

Chapter 2 A disaster recovery plan ensures that workstations and file servers can be restored to their original condition in the event of a catastrophe. t/f

True

Chapter 2 Linus live CDs and WinFe disks do not automatically mount hard drives, but can b used to view file systems. t/f

True

Chapter 2 The recording of all updates made to a workstation or machine is referred to as configuration management. t/f

True

Chapter 3 A forensics investigator should verify that acquisition tools can copy data in the HPA of a disk drive t/f

True

Chapter 3 Hardware and software errors or incompatibilities are a common problem when dealing with older hard drives t/f

True

Chapter 3 the image usb utility can be used to create a bootable flash drive t/f

True

Chapter 4 An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal injury, such as finding a bomb threat in an e-mail. t/f

True

Chapter 4 State public disclosure laws apply to state records, but FOIA allows citizens to request copies of public documents created by federal agencies. t/f

True

Chapter 4 To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct convert surveillance with little or no cause, and access company computer systems and digital devices without a warrant. t/f

True

Chapter 5 When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space t/f

True

Chapter 6 All forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image t/f

True

Chapter 6 ISO standard 23037 states that the most important factors in data acquisition are the DEFR's competency and the use of validated tools t/f

True

Chapter 6 Software forensics tool are grouped into command-line applications and GUI applications t/f

True

Chapter 7 The only pieces of metadata not in an inode are the filename and path. T/F

True

Chapter 7 The term "kernel" is often used when discussing Linux because technically, Linus is only the core of the OS.

True

Chapter 8 Each graphics file type has a unique header value.​ t/f

True

Chapter 8 Graphics files are created and saved in a graphics editor, such as Microsoft Paint, Adobe Freehand MX, Adobe Photoshop, or Gnome GIMP.​ t/f

True

Chapter 8 The first 3 bytes of an XIF file are exactly the same as a TIF file.​ t/f

True

Linux Live CDs and WinFE disks do not automatically mount hard drives, but can be used to file systems.

True

Chapter 5 Each MFT record starts with a header identifying it as a resident or nonresident attribute t/f

True Page 200: Each MFT record starts with a header identifying it as a resident or non-resident attribute.

What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive?

TrueCrypt

Which option below is not a Linux Live CD meant for use as a digital forensics tool?

Ubuntu

Which court case established that is not necessary for computer programmers to testify in order to authenticate computer-generated records?

United States v. Salgado

Which option below is not one of the recommended practices for maintaining a keypad padlock?

Use a master key

In simple terms, _________ compression discards bits in much the same way rounding off decimal values discards numbers.

Vector Quantization

________ proves that two sets of data are identical by calculating hash values or using another similar method.

Verification

Chapter 6 Reconstructing fragments of files that have been deleted from a suspect drive, is know as ??? in North America a. carving b. scraping c salvaging d. sculpting

a. carving

Chapter 2 Candidates who complete the IACIS test successfully are designated as a ??? a. certified forensic computer examiner (CFCE) b. certified forensics investigator (CFI) c. Certified investigative forensics examiner (CIFE) d. certified investigative examiner (CIE)

a. certified forensic computer examiner (CFCE)

Chapter 2 Candidates who complete the ISCIS test successfully are designated as a ??? a. certified forensic computer examiner (CFCE) b. certified forensics investigator (CFI) c. Certified investigative forensics examiner (CIFE) d. certified investigative examiner (CIE)

a. certified forensic computer examiner (CFCE)

Chapter 6 Which of the following is stated within the ISO 27037 standard? a. hardware acquisition tools can only use CRC-32 hashing b digital evidence first responders should use validated tools c. software forensics tools must provide a GUI interface d. software forensics tools must use the windows OS

b digital evidence first responders should use validated tools

Chapter 5 What hexadecimal code below identifies an NTFS file system in the partition table? a. 05 b. 07 c. 1B d. A5

b. 07

Chapter 5 a master boot record (MBR) partition table marks the first partition starting at what offset? a. 0x1CE b. 0x1BE c. 0x1AE d. 0x1DE

b. 0x1BE

Chapter 2 In order to qualify for the certified computer crime investigator, basic level certification, candidates must provide documentation of at least ??? cases in which they participated. a. 5 b. 10 c. 15 d. 20

b. 10

Chapter 8 ​How many bits are required to create a pixel capable of displaying 65,536 different colors? a. 8 bit b. 16 bit c. 32 bit d. 64 bit

b. 16 bit

Chapter 8 What act defines precisely how copyright laws pertain to graphics? a. 1988 image ownership act b. 1976 copyright act c. 1923 patented image act d. 1976 computer fraud and abuse act

b. 1976 copyright act

Chapter 3 When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files? a. 512 mg b. 2 gb c. 1 tb d. 1 pb

b. 2 gb

Chapter 5 A typical disk drive stores how many bytes in a single sector? a. 8 b. 512 c. 1024 d. 4096

b. 512

Chapter 5 The ReFs storage engine uses a ??? sort method for fast access to large data sets. a. A+-tree b. B+-tree c. reverse d. numerical

b. B+-tree

Chapter 4 What type of media has a 30-year lifespan? a. DVD-rs b. DLT magnetic tape c. hard drive d. usb thumb drive

b. DLT magnetic tape

Chapter 8 ​For EXIF JPEG files, the hexadecimal value starting at offset 2 is _____________. a. FFE0 b. FFE1 c. FFD8 d. FFD9

b. FFE1

Chapter 4 In cases that involve dangerous setting, what kind of team should be used to recover evidence from the scene? a. B-Team b. HAZMAT c. CDC First Responders d. SWAT

b. HAZMAT

Chapter 6 What tool below was written for ms-dos and was commonly used for manual digital investigations? a. SMART b. Norton DiskEdit c. ByteBack d. DataLifter

b. Norton DiskEdit

Chapter 2 ??? can be used to restore backup files directly to a workstation. a. belarc advisor b. Norton ghost c. prodiscover d. photorec

b. Norton ghost

Chapter 4 Which system below can be used to quickly and accurately match fingerprints in a database? a. fingerprint identification database (FID) b. systemic fingerprint database (SFD) c. automated fingerprint identification system (AFIS) d. dynamic fingerprint matching system (DFMS)

c. automated fingerprint identification system (AFIS)

Chapter 5 What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume? a. $MgyMirr b. $TransAct c. $LogFile d. $Backup

c. $LogFile

Chapter 8 How many different colors can be displayed by a 24 bit colored pixel?​ a. 256 b. 65,536 c. 16,777,216 d. 4, 294,967,296

c. 16,777,216

Chapter 2 How long are computing components designed to last in a normal business environment? a. 12 to 16 months b. 14 to 26 months c. 18 to 36 months d. 6 to 90 months

c. 18 to 36 months

Chapter 1 In what year was the computer fraud and abuse act passed? a. 1976 b. 1980 c. 1986 d. 1996

c. 1986

Chapter 8 All TIF files start at offset 0 with what 6 hexadecimal characters?​ a. 2A 49 48 b. FF 26 9B c. 49 49 2A d. AC 49 2A

c. 49 49 2A

Chapter 8 Which graphics file format below is rarely compressed? a. GIF b. JPEG c. BMP D. None of the above

c. BMP

Chapter 8 For all JPEG files, the ending hexadecimal marker, also known as the end of image (EOI), is ____________.​ a. FFD0 b. FFD8 c. FFD9 d. FFFF

c. FFD9

Chapter 1 What tool, currently maintained by the IRS criminal investigation division and limited to use by law enforcement, can analyze and read special files that are copies of a disk? a. AccessData forensic toolkit b. DeepScan c. ILook d. Photorect

c. ILook

Chapter 3 ??? is the utility used by the ProDiscover program for remote access. a. SubSe7en b. 10pht c. PDServer d. VNCServer

c. PDServer

Chapter 3 ??? creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID. a. Runtime Software b. RaidRestore c. R-Tools R-Studio d. FixitRaid

c. R-Tools R-Studio

Chapter 5 What registry file contains user account management and security settings? a. default.dat b. software.dat c. SAM.dat d Ntuser.dat

c. SAM.dat

Chapter 6 In what mode do most software write-blockers run? a. RW mode b. Ala mode c. Shell mode d. GUI mode

c. Shell mode

Chapter 8 In simple terms, _____________ compression ​discards bits in much the same way rounding off decimal values discards numbers. a. Huffman b. Lempel-Ziv-Welch (LZW) c. Vector Quantization d. Adaptive Quanization

c. Vector Quantization

Chapter 1 If a police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit a(n) ??? a. exhibit b. verdict c. affidavit d. memo

c. affidavit

Chapter 1 ??? describes an accusation of fact that a crime has been committed. a. attrition b. attribution c. allegation d. assignment

c. allegation

Chapter 3 What is the name of the Microsoft solution for whole disk encryption? a. drivecrypt b. truecrypt c. bitlocker d. securedrive

c. bitlocker

Chapter 2 What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations? a. certified computer crime investigator b. certified forensic computer examiner c. certified cyber forensics professional d. encase certified examiner

c. certified cyber forensics professional

Chapter 8 When looking at a byte of information in binary, such as 11101100, what is the first bit on the left referred to as?​ a. major significant bit (MSB) b. least significant bit (LSB) c. most significant bit (MSB) d. leading significant bit (LSB)

c. most significant bit (MSB)

Chapter 4 If practical, ??? team(s) should collect and catalog digital evidence at a crime scene or lab a. two b. five c. one d. three

c. one

Chapter 4 The term ??? is used to describe someone who might be a suspect of someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest a. criminal b. potential data source c. person of interest d. witness

c. person of interest

Chapter 4 Which of the following is not done when preparing for a case? a. describe the nature of the case b. identify the type of OS c. set up covert surveillance d. determine whether you can seize the computer or digital device

c. set up covert surveillance

Chapter 1 Which option below is not a standard systems analysis step? a. determine a preliminary design or approach to the case. b. obtain and copy an evidence drive c. share evidence with experts outside of the investigation d. mitigate or minimize the risks

c. share evidence with experts outside of the investigation

Chapter 4 Which court case established that it is not necessary for computer programmers to testify in order to authenticate computer-generated records? a. united states v wong b. united states v carey c. united states v salgado d. united states v walser

c. united states v salgado

Chapter 2 Which option below is not one of the recommended practices for maintaining a keyed padlock? a. appoint a key custodian b. take inventory of all keys when the custodian changes c. use a master key d. change locks and keys annually

c. use a master key

Chapter 5 Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks? a. disk track recording (DTR) b. zone based areal density (ZBAD) c. zone bit recording (ZBR) d. cylindrical head calculation (CHC)

c. zone bit recording (ZBR)

What command below can be used to decrypt EFS files?

cipher

Chapter 7 The Mac OS reduces file fragmentation by using _______________.

clumps

What term below describes a column of tracks on two or more disk platters?

cylinder

Chapter 1 Which Microsoft OS below is the least intrusive to disks in terms of changing data? a. windows 95 b. windows xp c. windows 7 d. ms-dos 6.22

d. ms-dos 6.22

Chapter 6 In what temporary location below might passwords be stored? a. system32.dll b. CD-ROM drive c. sindows registry d. pagefile.sys

d. pagefile.sys

Chapter 4 ??? is a common cause for lost or corrupted evidence a. public access b. not having enough people on the processing team c. having an undefined security perimeter d. professional curiosity

d. professional curiosity

Chapter 8 ​The _____________ format is a proprietary format used by Adobe Photoshop. a. .tga b. fhll c. svg d. psd

d. psd

Chapter 8 Which of the following is not a type of graphic file that is created by a graphics program?​ a. bitmap images b. vector graphics c. metafile graphics d. raster graphics

d. raster graphics

Chapter 8 Referred to as a digital negative, the _______ is typically used on many higher-end digital cameras.​ a. raster file format b. bitmap file format c. jpeg file format d. raw file format

d. raw file format

Chapter 1 ??? is not recommended for a digital forensics workstation. a. a text editor tool b. a write-blocker device c. an SCSI card d. remote access software

d. remote access software

What file is used to store any file information that is not in the MDV or a VCB?

extents overflow file

A keyword search is part of the analysis process within what forensics function?

extraction

What term is used to describe a disk's logical structure of platters, tracks, and sectors?

geometry

Passwords are typically stored as one-way ____ rather than in plaintext.

hashes

The _________ branches in HKEY_LOCAL_MACHINES\Software consist of SAM, Security, Components, and System.

hive

Chapter 7 The ______________ command can be used to see network interfaces.

ifconfig

The ___________ command can be used to see network interfaces.

ifconfig

Chapter 7 In a B*tree file system, what node stores link information to previous and next nodes?

index node

In a B*-tree file system, what node stores link information to previous and next nodes?

index node

The ________ copies evidence of intrusions to an investigation workstation automatically for further analysis over the network.

intrusion detection system

What file type starts at offset 0 with a hexadecimal value of FFD8?

jpeg

Chapter 7 What command below will create a symbolic link to a file?

ln -s

What command below will create a symbolic link to a file?

ln -s

Addresses that allow the MFT to link to nonresident files are known as _________.

logical cluster numbers

Which of the following options is not a subfunction of extraction?

logical data copy

The Lemple-Ziv-Welch (LZW) algorithm is used in __________ compression.

lossless

What kind of graphics file combines bitmap and vector graphics types?

metafile

When looking at a byte of information in binary, such as 11101100, what is the first bit on the left referred to as?

most significant bit (MSB)

​To create a new primary partition within the fdisk interactive utility, which letter should be typed?

n

To create a new primary partition within the fdisk interactive utility, which letter should be typed?

p

Within the fdisk interactive menu, what character should be entered to view existing partitions?

p

Which of the following is not a type of graphic file that is created by a graphics program?

raster graphics

Referred to as a digital negative, the _________ is typically used on many higher-end digital cameras.

raw file format

_______ can be used with the dcfldd command to compare an image file to the original medium.

vf

Which operating system listed below is not a distribution of the Linux OS?

Minix

The physical data copy subfunction exists under the ______ function.

acquisition

21. In order to qualify for the certified computer crime investigator basic level candidates must provide documentation of at least _____ in which they participated.

10 cases

How often should hardware be replace within a forensics lab?

12-18 months

How many bits are required to create a pixel capable of displaying 65,536 different colors?

16 bits

How many different colors can be displayed by a 24 bit colored pixel?

16,777,216

Which graphics file format below is rarely compressed?

BMP

Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files?

Advanced Forensics Format

Which of the following scenarios should be covered in a disaster recovery plan?

All of the above

Which system below can be used to quickly and accurately match fingerprints in a database?

Automated Fingerprint Identification System (AFIS)

What program serves as the GUI front end for accessing Sleuth Kit's tools?

Autopsy

The ReFS storage engine uses a ________ sort of method for fast access to large data sets.

B+-tree

Chapter 1 According to the national institute of standards and technology (NIST), digital forensics involves scientifically examining and analyzing data from computer storage media so that it can be used as evidence in court. t/f

False - Digital forensics is defined as the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Page 4

Chapter 5 FAT32 is used on older Microsoft OSs, such as ms-dos 3.0 through 6.22, windows 95 (first release), and windows NT 3.3 and 4.0 t/f

False - FAT32 was implemented when technology improved and disks larger than 2 GB were developed.

Chapter 7 Capitalization, or lack thereof, makes no difference with UNIX and Linux commands.

False - Linux commands ARE case sensitive

Chapter 2 The shielding of sensitive computing systems and prevention of electronic eavesdropping of any computer emissions is known as FAUST by the U.S. department of defense. t/f

False - This is called TEMPEST

Chapter 2 Because they are outdated, ribbon cables should not be considered for use within a forensics lab. t/f

False - because you might be dealing with older computers it is a good idea to keep a wide assortment of cables and peripherals to interface with outdated equipment.

What does FRE stand for?

Federal Rules of Evidence

Chapter 7 On Mac OS X systems, what utility can be used to encrypt / decrypt a user's home directory?

FileVault

On Mac OS X systems, what utility can be used to encrypt/decrypt a user's home directory?

FileVault

Chapter 7 ________________ is a specialized carving tool that can read many image file formats, such as RAW and Expert Witness.

Foremost

You must abide by the ________ while collecting evidence.

Fourth Amendment

In cases that involve dangerous settings, what kind of team should be used to recover evidence from the scene?

HAZMAT

Chapter 7 _______________ contain file and directory metadata and provide a mechanism for linking data stored in data blocks.

Inodes

___________ contain file and directory metadata and provide a mechanism for linking data stored in data blocks.

Inodes

is a specialized viewer software program.

IrfanView

The ______ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface

Kali

______ would not be found in an initial response field kit.

Leather gloves and disposable latex gloves

What algorithm is used to decompress Windows files?

Lempel-Ziv

Chapter 7 Who is the current maintainer of the Linux kernel?

Linus Torvalds

Who is the current maintainer of the Linux kernel?

Linus Torvalds

______ does not recover data in free or slack space.

Live acquisition

Select below the utility that is not a lossless compression utility:

Lzip

What should you do while copying data on a suspect's computer that is still live?

Make notes regarding everything you do

describes the characteristics of a safe storage container

NISPOM

What tool below was written for MS-DOS and was commonly used for manual digital investigations?

Norton DiskEdit

can be used to restore backup files directly to a workstation.

Norton Ghost

_____ is the utility used by the ProDiscover program for remote access.

PDServer

The term ______ is used to describe someone who might be a suspect or someone with additional knowledge that can provide evidence of probable for search warrant or arrest.

Person of interest

The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient

Probable cause

________ is a common cause for lost or corrupted evidence.

Professional curiosity

What does the MFT header field at offset 0x00 contain?

The MFT record identifier FILE

As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered....

The decision should be left to the Digital Evidence First Responder (DEFR)

Chapter 7 What information below is not included within an inode?

The file's or directory's path

What information below is not included within the inode?

The file's or directory's path

is responsible for creating and monitoring lab policies for staff, and provides a safe and secure workplace for staff and evidence.

The lab manager

Id a file has 510 bytes of data, what is byte 510?

The logical EOF

Chapter 7 If a file has 510 bytes of data, what is byte 510?

The logical EOF (End of File)

When using the File Allocation Table (FAT), where is the FAT database typically written to?

The outermost track

Most manufactures use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks?

Zone Bit Recording (ZBR)

Chapter 8 Which of the following is not considered to be a non-standard graphics file format?​ a. .dxf b. .tga c. .rtl d. .psd

a. .dxf

Chapter 2 Which IDO standard below is followed by the ASCLD? a. 17025:2005 b. 17026:2007 c. 12075:2007 d. 12076:2005

a. 17025:2005

Chapter 6 What hex value is the standard indicator for jpeg graphics files? a. FF D8 b. FF D9 c. F8 D8 d. AB CD

a. FF D8

Chapter 3 which RAID type provides increased speed and data storage capability, but lacks redundancy? a. RAID 0 b. RAID 1 c. RAID 0+1 d. RAID 5

a. RAID 0

Chapter 3 Which option below is not a hashing function used for validation checks? a. RC4 b. MD5 c. SHA-1 d. CRC32

a. RC4

Chapter 4 When seizing digital evidence in criminal investigations, whose standards should be followed? a. U.S. DOJ b. ISO/IEC c. IEEE d. ITU

a. U.S. DOJ

Chapter 6 What is the goal of the NSRL project, created by NIST? a. collect know hash values for commercial software and OS files using SHA hashes b. search for collisions in hash values, and contribute to fixing hashing programs c. create hash values for illegal files and distribute the information to law enforcement d. collect known hash values for commercial software and OS files using MD5 hashes

a. collect know hash values for commercial software and OS files using SHA hashes

Chapter 5 The ??? command insets a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry a. delete b. edit c. update d. clear

a. delete

Chapter 5 Which of the following commands creates an alternate data stream? a. echo text > myfile. txt:syream_name b. ads create myfile.txt(stream_name) "text" c. cat text myfile.txt=stream_name d. echo text

a. echo text > myfile. txt:syream_name

Chapter 4 What does FRE stand for? a. federal rules of evidence b. federal regulations for evidence c. federal rights for everyone d. federal rules for equipment

a. federal rules of evidence

Chapter 4 You must abide by the ??? while collecting evidence a. fourth amendment b. federal rules of evidence c. state's rules of evidence d. fifth amendment

a. fourth amendment

Chapter 3 The ??? copies evidence of intrusions to an investigation workstation automatically for further analysis over the network. a. intrusion detection system b. active defense mechanism c. total awareness system d. intrusion monitoring system

a. intrusion detection system

Chapter 6 The ??? Linux live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, memfetch, and mboxgrep, and utilizes a kde interface a. kali b. arch c. Ubuntu d. helix3

a. kali

Chapter 6 Which of the following options is not a subfunction of extraction? a. logical data copy b. decrypting c. bookmarking d. carving

a. logical data copy

Chapter 8 What kind of graphics file combines bitmap and vector graphics types?​ a. metafile b. bitmap c. jpeg d. tif

a. metafile

Chapter 2 Which operating system listed below is not a distribution of the Linux OS? a. minix b. debian c. slackwar d. fedora

a. minix

Chapter 4 The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient ??? a. probable cause b. due diligence c. accusations d. reliability

a. probable cause

Chapter 6 What is the purpose of the reconstruction function in a forensics investigation? a. re-create a suspect's drive to show what happened during a crime or incident b. prove that two sets of data are identical c. copy all information from a suspect's drive, including information that may have been hidden d. generate reports or logs that detail the processes undertaken by a forensics investigator

a. re-create a suspect's drive to show what happened during a crime or incident

Chapter 1 Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as ??? a. repeatable findings b. reloadable steps c. verifiable reporting d. evidence reporting

a. repeatable findings

Chapter 5 What does the MTF header field at offset 0x00 contain? a. the MFT record identifier FILE b. the size of the MFT record c. the length of the header d. the update sequence array

a. the MFT record identifier FILE

Chapter 2 ??? is responsible for creating an monitoring lab policies for staff, and provides a safe, and provides a safe and secure workplace for staff and evidence. a. the lab manager b. the lab investigator c. the lab secretary d. the lab steward

a. the lab manager

Chapter 6 ??? proves that two sets of data are identical by calculating hash values or using another similar method a. verification b. validation c. integration d. compliation

a. verification

Chapter 7 What file is used to store any file information that is not in the MDB or a VCB?

extents overflow file

Chapter 6 In general, what would a lightweight forensics workstation consist of? a. a tablet with peripherals and forensics apps b. a laptop computer built into a carrying case with a small election of peripheral options c. a laptop computer with almost as many bays and peripherals as a tower d. a tower with several bays and many peripheral devices

b. a laptop computer built into a carrying case with a small election of peripheral options

Chapter 3 Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files? a. advanced forensics disk b. advanced forensic format c. advanced capture image d. advanced open capture

b. advanced forensic format

Chapter 6 What program serves as the GUI front end for accessing sleuth kit's tools? a. detectiveGUI b. autopsy c. kde d. smart

b. autopsy

Chapter 1 ??? is not one of the functions of the investigations triad. a. digital investigations b. data recovery c. vulnerability threat assessment and risk management d. network intrusion detection and incident response

b. data recovery

Chapter 3 The Linux command ??? can be used to write bit-stream data to files. a. write b. dd c. cat d. dump

b. dd

Chapter 2 How often should hardware be replaced within a forensics lab? a. every 6 to 12 months b. every 12 to 18 months c. every 18 to 24 months d. every 24 to 30 months

b. every 12 to 18 months

Chapter 1 Signed into law in 1973, the ??? was/were created to ensure consistency in federal proceedings. a. federal proceeding law b. federal rules of evidence c. federal consistency standards d. federal proceedings rules

b. federal rules of evidence

Chapter 1 The sale of sensitive or confidential company information to a competitor is known as ??? a. industrial sabotage b. industrial espionage c. industrial collusion d. industrial betrayal

b. industrial espionage

Chapter 2 ??? is a specialized viewer software program a. fastview b. irfanview c. thumbsloader d. absee

b. irfanview

Chapter 8 What file type starts at offset 0 with a hexidecimal value of FFD8?​ a. tiff b. jpeg c. xdg d. bmp

b. jpeg

Chapter 4 ??? would not be found in an initial-response field kit. a. computer evidence bags (antistatic bags) b. leather gloves and disposable gloves c. a digital camera with extra batteries or 35mm camera with film and flash d. external usb devices or a portable hard drive

b. leather gloves and disposable gloves

Chapter 5 Addresses that allow the MFT to link to nonresident files are known as ??? a. virtual cluster numbers b. logical cluster numbers c. sequential cluster numbers d. polarity cluster numbers

b. logical cluster numbers

Chapter 8 The Lempel-Ziv-Welch (LZW) algorithm is used in _____________ compression.​ a. lossy b. lossless c. vector quantization d. adaptive

b. lossless

Chapter 4 What should you do while copying data on a suspect's computer that is still live? a. open files to view contents b. make notes regarding everything you do c. conduct a google search of unknown extensions using the computer d. check facebook for additional suspects

b. make notes regarding everything you do

Chapter 3 Within the fdisk interactive menu, what character should be entered to view existing partitions? a. 1 b. p c. o d. d

b. p

Chapter 4 the term ??? describes rooms filled with extremely large disk systems that are typically used by large business data centers. a. storage room b. server farm c. data well d. storage hub

b. server farm

Chapter 2 A TEMPEST facility is designed to accomplish which of the following goals? a. prevent data loss by maintaining consistent backups b. shield sensitive computing systems and prevent electronic eavesdropping of computer emission c. ensure network security from the internet using comprehensive security software d. protect the integrity of data

b. shield sensitive computing systems and prevent electronic eavesdropping of computer emission

Chapter 5 What registry file contains installed programs' settings and associated usernames and passwords? a. default.dat b. software.dat c. sam.dat d. ntuser.dat

b. software.dat

Chapter 5 When using the file allocation table (FAT), where is the FAT database typically written to? a. the innermost track b. the outermost track c. the first sector d. the first partition

b. the outermost track

Chapter 7 Select below the command that can be used to display bad block information on a Linux file system, but also has the capability to destroy valuable information.

badblocks

Select below the command that can be used to display bad block information on a Linux file system, but also has the capability to destroy valuable information.

badblocks

Chapter 7 What type of block does a UNIX/Linux computer only have one of?

boot block

What type of block does a UNIX/Linux computers only have one of?

boot block

Chapter 1 The ??? is not one of the three stages of a typical criminal case. a. complaint b. investigation c. civil suit d. prosecution

c. civil suit

Chapter 5 What term below describes a column of tracks on two or more disk platters? a. sector b. cluster c. cylinder d. header

c. cylinder

Chapter 3 The ??? command was developed by Nicholas harbor of the defense computer forensics laboratory. a. dd b. split c. dcfldd d. echo

c. dcfldd

Chapter 8 The process of converting raw picture data to another format is called _________________.​ a. splicing b. caring c. demosaicing d. vector quanization

c. demosaicing

Chapter 1 After a judge approves and signs a search warrant, the ??? is responsible for the collection of evidence as defined by the warrant. a. digital evidence recorder b. digital evidence specialist c. digital evidence first responder d. digital evidence scene investigator

c. digital evidence first responder

Chapter 5 What command below can be used to decrypt EFS files? a. cipher b. copy c. efsrecvr d. decrypt

c. efsrecvr

Chapter 1 A chain-of-evidence form, which is used to document what has and had not been done with the original evidence and forensic copies of the evidence, is also known as a(n) ??? a. single-evidence form b. multi-evidence form c. evidence custody form d. evidence tracking form

c. evidence custody form

Chapter 5 Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital extended capacity (SDCX), and memory sticks: a. FAT12 b. FAT32 c. exFAT d. VFAT

c. exFAT

Chapter 1 ??? must be included in an affidavit to support an allegation in order to justify a warrant. a. verdicts b. witnesses c. exhibits d. subpoenas

c. exhibits

Chapter 8 What format was developed as a standard for storing metadata in image files? a. jpeg b. tif c. exif d. bitmap

c. exif

Chapter 6 A keyword search is part of the analysis process within what forensic function? a. reporting b. reconstruction c. extraction d. acquisition

c. extraction

Chapter 2 In order to qualify for the advanced certified computer forensic technician certification, a candidate must have ??? years of hands-on experience in computer forensics investigations. a. two b. three c. five d. six

c. five

Chapter 1 Which amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure? a. first amendment b. second amendment c. fourth amendment d. fifth amendment

c. fourth amendment

Chapter 5 What term is used to describe a disk's logical structure of platters, tracks, and sectors? a. cylinder b. trigonometry c. geometry d. mapping

c. geometry

Chapter 6 passwords are typically stored as one-way ??? rather than in plaintext a. hex values b. variables c. hashes d. stack spaces

c. hashes

Chapter 5 the ??? branches in HKEY_LOCAL_MACHINE/software consist of SAM, security, components, and system a. registry b. storage c. hive d. tree

c. hive

Chapter 6 The ProDiscover utility makes use of the proprietary ??? file format a. .img b. .pro c. .iso d. .eve

d. .eve

Chapter 2 In order to qualify for the certified computer forensic technician, basic level certification, how many hours of computer forensics training are required? a. 10 b. 20 c. 30 d. 40

d. 40

Chapter 2 What percentage of consumers utilize intel and AMD PCs? a. 60 b. 70 c. 80 d. 90

d. 90

Chapter 2 Which file system below is utilized by the xbox gaming system? a. NTFS b. ReFS c. EXT d. FATX

d. FATX

Chapter 3 Which technology below is not a hot-swappable technology? a. usb-3 b. firewire 1394A c. SATA d. IDE

d. IDE

Chapter 6 What algorithm is used to decompress windows files? a. Fibonacci b. zopfli c. Shannon-fano d. Lempel-ziv

d. Lempel-ziv

Chapter 8 Select below the utility that is not a lossless compression utility:​ a. PKZip b. WinZip c. Stufflt d. Lzip

d. Lzip

Chapter 3 Which RAID type utilizes mirrored striping, providing fast access and redundancy? a. RAID 1 b. RAID 3 c. RAID 5 d. RAID 10

d. RAID 10

Chapter 3 Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data? a. RAID 1 b. RAID 2 c. RAID 3 d. RAID 5

d. RAID 5

Chapter 5 What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive? a. PP full disk encryption b. voltage SecureFile c. BestCrypt d. TrueCrypt

d. TrueCrypt

Chapter 5 Which of the following is not a valid configuration of Unicode? a. UTF-8 b. UTF-16 c. UTF-32 d. UTF-64

d. UTF-64

Chapter 1 An evidence custody form does not usually contain ??? a. the nature of the case b. a description of evidence c. vendor names for computer components d. a witness list

d. a witness list

Chapter 6 The physical data copy subfunction exists under the ??? function a. reporting b. validation / verification c. extraction d. acquisition

d. acquisition

Chapter 2 Which of the following scenarios should be covered in a disaster recovery plan? a. damage caused by lightning strikes b. damage caused by flood c. damage caused by a virus contamination d. all of the above

d. all of the above

Chapter 4 ??? is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing a. second-party evidence b. rumor c. fiction d. hearsay

d. hearsay

Chapter 4 A ??? is not a private sector organization a. small to medium business b. large corporation c. on-government organization d. hospital

d. hospital

Chapter 2 Which option below is not a recommendation for securing storage containers? a. the container should be located in a restricted area b. only authorized access should be allowed, and it should be kept to a minimum c, evidence containers should remain locked when they aren't under direct supervision d. rooms with evidence containers should have a secured wireless network

d. rooms with evidence containers should have a secured wireless network

Chapter 4 ??? does not recover data in free or slack space a. raw format acquisition b. live acquisition c. static acquisition d. sparse acquisition

d. sparse acquisition

Chapter 8 ​Which of the following formats is not considered to be a standard graphics file format? a. gif b. jpeg c. dxf d. tga

d. tga

Chapter 4 As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state? a. the power cable should be pulled b. the system should be shut down gracefully c. the power should be left on d. the decision should be left to the digital evidence first responder (DEFR)

d. the decision should be left to the digital evidence first responder (DEFR)

Chapter 1 After the evidence has been presented in a trial by jury, the jury must deliver a(n) ??? a. exhibit b. affidavit c. allegation d. verdict

d. verdict

The ______ command was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory. dcfldd

dcfldd

The Linux command _____ can be used to write bit-stream data to files.

dd

When performing disk acquisition, the raw data format is typically created with UNIX/Linux ______ command.

dd

Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDCX), and memory sticks:

exFAT

Chapter 7 What file under the /etc folder contains the hashed passwords for a local system?

shadow

Which of the following formats is not considered to be a standard graphics file format?

tga


Set pelajaran terkait

CH 12 WHO ARE AMERICANS? - Who Are Federal Judges?

View Set

General Biology I Chapter 3 Quiz and Study Guide

View Set

Economic Lowdown Audio Series: Episode 3—The Role of Self-Interest and Competition in a Market Economy

View Set

Experimental Psychology- Chapter 2

View Set

Understanding Software and Hardware

View Set