Practice Test 1 (cyber forensics)

Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the.afd extension for segmented image files?

Advanced Forensic Format

Sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence.

Affidavit

Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.

Allegation

A person who has the power to initiate investigations in a corporate environment.

Authorized Requester

What is the name of the Microsoft solution for whole disk encryption?

BitLocker

A(n) __________ is a plan that can be used to sell your services to management or clients, in which a justification is made for acquiring newer and better resources to investigate digital forensics cases.

Business Case

What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations?

Certified Cyber Forensics Professional

The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence.

Computer Analysis and Response Team (CART)

In the Pacific Northwest, ____ meets to discuss problems that digital forensics examiners encounter.

Computer Technology Investigators Network (CTIN)

____ records are data the system maintains, such as system log files and proxy server logs.

Computer-Generated

The process of keeping track of all upgrades and patches you apply to your computer's OS and applications.

Configuration Management

____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.

Data Recovery

The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.

Digital Forensics

The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.

Digital Investigation

Certain files, such as the ____ and Security log in Windows, might lose essential network activity records if power is terminated without a proper shutdown.

Event Log

T/F A keyed hash set can identify known files, such as executable programs or viruses that hide themselves by changing their names.

False

T/F Rebuilding evidence or repeating a situation to verify that the results can be reproduced reliably is NOT one of the general tasks that investigators perform when working with digital evidence.

False

T/F Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.

False

T/F The difference between live and static acquisitions is that live acquisition will preserve the original media, thus making a second live acquisition should produce the same results.

False

Shows the known drives connected to your computer

Fdisk - 1

____ often work as part of a team to secure an organization's computers and networks.

Forensics Investigator

General tasks investigators perform when working with digital evidence include ____.

Identifying digital information that can be used as evidence

PassMark Software acquisition tool for its OSForensics analysis product

ImageUSB

Involves selling sensitive or confidential company information to a competitor.

Industrial Espionage

By the early 1990s, the ____ introduced training on software for forensics investigations.

International Association for Computer Information Systems (IACIS)

The process of trying to get a suspect to confess to a specific incident or crime.

Interrogation

Most digital investigations in the private sector involve ____.

Misuse of digital assets

Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System.

NTFS

Yields information about how attackers gain access to a network along with files they might have copied, examined, or tampered with.

Network Forensics

Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data?

RAID 5

A data acquisition format that creates simple sequential flat files of a suspect drive or data set.

Raw Format

Which of the following DOES NOT apply to a TEMPEST-qualified lab?

Special wood molding for all doors.

By the 1970s, electronic crimes were increasing, especially in the financial sector.

True

T/F Scientific Working Group on Digital Evidence is one of the groups that set standards for recovering, preserving, and examining digital evidence.

True

T/F The best evidence rule states that the best evidence is the document created and saved on a computer's hard disk.

True

T/F The lossy compression algorithms is used with .jpeg image files to reduce the size of the files.

True

T/F The recording of all updates made to a workstation or machine is referred to as configuration management.

True

T/F To be a successful computer forensics investigator, you must be familiar with more than one computing platform.

True

Identifies the number of hard disk types, such as SATA or SCSI, and the OS used to commit crimes.

Uniform Crime Report

____________ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.

Uniform Crime Report

A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.

Warning Banner

Example of a lossless compression tool

WinZip

Recognizes file types and retrieves lost or deleted files.

Xtree Gold

The ____ command, works similarly to the dd command but has many features designed for computer forensics acquisitions.

dcfldd

Allows legal counsel to use previous cases similar to the current one because the laws don't yet exist.

Case Law

A ____ is where you conduct your investigations, store evidence, and do most of your work.

Computer Forensics Lab

In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation.

Criminal

A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.

Disaster Recovery

Addresses how to restore a workstation you reconfigured for a specific investigation

Disaster Recovery Plan

It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.

Exhibits

Vendor-neutral specialty remote access utility designed to work with any digital forensics program

F-response

T/F If damage occurs to the floor, walls, ceilings, or furniture on your computer forensics lab, it does not need to be repaired immediately.

False

T/F If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available.

False

T/F Live acquisition refers to the collection of digital evidence from magnetic disk media and flash drives.

False

T/F Maintaining credibility means you must form and sustain unbiased opinions of your cases.

False

T/F The law of search and seizure protects the rights of all people, excluding people suspected of crimes.

False

One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search.

Forums and blogs

You must abide by the _______ while collecting evidence.

Fourth Amendment

The first forensics vendor to develop a remote acquisition and analysis tool

Guidance Software

The _____ is a unique hexadecimal code value that identifies a file or drive.

Hash Value

Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____.

Hearsay

ILookIX acquisition tool

IxImager

Creates and monitors lab policies for staff and provides a safe and secure workplace for staff and evidence.

Lab Manager

Specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.

Line of Authority

If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.

Live

Linux ISO images are referred to as ____.

Live CDs

Used with .jpeg files to reduce file size and doesn't affect image quality when the file is restored and viewed

Lossy Compression

The ____ command displays pages from the online help manual for information on Linux commands and their options.

Man

Tool for directly restoring files

Norton Ghost

_______ can be used to restore backup files directly to a workstation.

Norton Ghost

You should have at least one copy of your backups on site and a duplicate copy or a previous copy of your backups stored in a safe ____ facility.

Off-site

ProDiscover utility for remote access

PD server

If you find evidence related to the crime but not in the location the warrant specifies or if you find evidence of another unrelated crime, the evidence is subject to the _____.

Plain View Doctrine

Instead of producing hard disks in court, attorneys can submit ______ copies of files as evidence.

Printed

____ is facts or circumstances that lead a reasonable person to believe a crime has been committed or is about to be committed.

Probable Cause

Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility.

Professional Conduct

A computer configuration involving two or more physical disks

RAID

Two or more disks combined into one large drive in several configurations for special needs

RAID

Which RAID type utilizes mirrored striping, providing fast access and redundancy?

RAID 10

Every business or organization must have a well defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a ____that a law or policy is being violated.

Reasonable Suspicion

Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses.

Right of Privacy

The process of determining how much risk is acceptable for any process or operation, such as replacing equipment.

Risk Management

Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.

Safety

A(n) _________ acts as an evidence locker or safe to preserve the integrity of evidence.

Secure facility

Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer.

Silver-Platter

Lists each piece of evidence on a separate page.

Single-evidence form

Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.

Static

A term referring to facilities that have been hardened so that electrical signals from computers, the computer network, and telephone systems can't be monitored or accessed easily by someone outside the facility.

TEMPEST

Which of the following is NOT a responsibility of a lab manager?

Take training to update his technical skills.

Which of the following is NOT a recommendation for securing storage containers?

The people authorized to open the evidence container should be limited to supervisors.

A judge can exclude evidence obtained from a poorly worded warrant.

True

T/F A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.

True

T/F A live acquisition is often performed on a a computer that has an encrypted drive and the password or passphrase is available.

True

T/F A separate manual validation is recommended for all raw acquisitions at the time of analysis.

True

T/F After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.

True

T/F If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.

True

T/F Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive.

True

T/F Plain view doctrine occurs when you find evidence related to the crime but not in the location the warrant specifies or if you find evidence of another unrelated crime.

True

T/F Probable cause refers to the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.

True

T/F The ImageUSB utility can be used to create a bootable flash drive.

True

T/F To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant.

True

An encryption technique that performs a sector-by-sector encryption of an entire drive; each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.

Whole Disk Encryption