Practice Test 1 (cyber forensics)
Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files?
Advanced Forensic Format
Sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence.
Affidavit
Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
Allegation
A person who has the power to initiate investigations in a corporate environment.
Authorized Requester
What is the name of the Microsoft solution for whole disk encryption?
BitLocker
A(n) __________ is a plan that can be used to sell your services to management or clients, in which a justification is made for acquiring newer and better resources to investigate digital forensics cases.
Business Case
What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations?
Certified Cyber Forensics Professional
The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence.
Computer Analysis and Response Team (CART)
In the Pacific Northwest, ____ meets to discuss problems that digital forensics examiners encounter.
Computer Technology Investigators Network (CTIN)
____ records are data the system maintains, such as system log files and proxy server logs.
Computer-Generated
The process of keeping track of all upgrades and patches you apply to your computer's OS and applications.
Configuration Management
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
Data Recovery
The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
Digital Forensics
The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.
Digital Investigation
Certain files, such as the ____ and Security log in Windows, might lose essential network activity records if power is terminated without a proper shutdown.
Event Log
T/F A keyed hash set can identify known files, such as executable programs or viruses that hide themselves by changing their names.
False
T/F Rebuilding evidence or repeating a situation to verify that the results can be reproduced reliably is NOT one of the general tasks that investigators perform when working with digital evidence.
False
T/F Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.
False
T/F The difference between live and static acquisitions is that a live acquisition preserves the original media, so a second live acquisition should produce the same results.
False
Shows the known drives connected to your computer
fdisk -l
____ often work as part of a team to secure an organization's computers and networks.
Forensics Investigator
General tasks investigators perform when working with digital evidence include ____.
Identifying digital information that can be used as evidence
PassMark Software acquisition tool for its OSForensics analysis product
ImageUSB
Involves selling sensitive or confidential company information to a competitor.
Industrial Espionage
By the early 1990s, the ____ introduced training on software for forensics investigations.
International Association for Computer Information Systems (IACIS)
The process of trying to get a suspect to confess to a specific incident or crime.
Interrogation
Most digital investigations in the private sector involve ____.
Misuse of digital assets
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System.
NTFS
Yields information about how attackers gain access to a network along with files they might have copied, examined, or tampered with.
Network Forensics
Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data?
RAID 5
A data acquisition format that creates simple sequential flat files of a suspect drive or data set.
Raw Format
Which of the following DOES NOT apply to a TEMPEST-qualified lab?
Special wood molding for all doors.
By the 1970s, electronic crimes were increasing, especially in the financial sector.
True
T/F Scientific Working Group on Digital Evidence is one of the groups that set standards for recovering, preserving, and examining digital evidence.
True
T/F The best evidence rule states that the best evidence is the document created and saved on a computer's hard disk.
True
T/F Lossy compression algorithms are used with .jpeg image files to reduce the size of the files.
True
T/F The recording of all updates made to a workstation or machine is referred to as configuration management.
True
T/F To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
True
Identifies the number of hard disk types, such as SATA or SCSI, and the OS used to commit crimes.
Uniform Crime Report
____________ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
Uniform Crime Report
A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
Warning Banner
Example of a lossless compression tool
WinZip
Recognizes file types and retrieves lost or deleted files.
Xtree Gold
The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions.
dcfldd
Allows legal counsel to use previous cases similar to the current one because the laws don't yet exist.
Case Law
A ____ is where you conduct your investigations, store evidence, and do most of your work.
Computer Forensics Lab
In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation.
Criminal
A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.
Disaster Recovery
Addresses how to restore a workstation you reconfigured for a specific investigation
Disaster Recovery Plan
It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.
Exhibits
Vendor-neutral specialty remote access utility designed to work with any digital forensics program
F-response
T/F If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately.
False
T/F If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available.
False
T/F Live acquisition refers to the collection of digital evidence from magnetic disk media and flash drives.
False
T/F Maintaining credibility means you must form and sustain unbiased opinions of your cases.
False
T/F The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
False
One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search.
Forums and blogs
You must abide by the _______ while collecting evidence.
Fourth Amendment
The first forensics vendor to develop a remote acquisition and analysis tool
Guidance Software
The _____ is a unique hexadecimal code value that identifies a file or drive.
Hash Value
Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____.
Hearsay
ILookIX acquisition tool
IxImager
Creates and monitors lab policies for staff and provides a safe and secure workplace for staff and evidence.
Lab Manager
Specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.
Line of Authority
If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.
Live
Linux ISO images are referred to as ____.
Live CDs
Used with .jpeg files to reduce file size and doesn't affect image quality when the file is restored and viewed
Lossy Compression
The ____ command displays pages from the online help manual for information on Linux commands and their options.
Man
Tool for directly restoring files
Norton Ghost
_______ can be used to restore backup files directly to a workstation.
Norton Ghost
You should have at least one copy of your backups on site and a duplicate copy or a previous copy of your backups stored in a safe ____ facility.
Off-site
ProDiscover utility for remote access
PD server
If you find evidence related to the crime but not in the location the warrant specifies or if you find evidence of another unrelated crime, the evidence is subject to the _____.
Plain View Doctrine
Instead of producing hard disks in court, attorneys can submit ______ copies of files as evidence.
Printed
____ is facts or circumstances that lead a reasonable person to believe a crime has been committed or is about to be committed.
Probable Cause
Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility.
Professional Conduct
A computer configuration involving two or more physical disks
RAID
Two or more disks combined into one large drive in several configurations for special needs
RAID
Which RAID type utilizes mirrored striping, providing fast access and redundancy?
RAID 10
Every business or organization must have a well-defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a ____ that a law or policy is being violated.
Reasonable Suspicion
Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses.
Right of Privacy
The process of determining how much risk is acceptable for any process or operation, such as replacing equipment.
Risk Management
Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.
Safety
A(n) _________ acts as an evidence locker or safe to preserve the integrity of evidence.
Secure facility
Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer.
Silver-Platter
Lists each piece of evidence on a separate page.
Single-evidence form
Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
Static
A term referring to facilities that have been hardened so that electrical signals from computers, the computer network, and telephone systems can't be monitored or accessed easily by someone outside the facility.
TEMPEST
Which of the following is NOT a responsibility of a lab manager?
Take training to update his technical skills.
Which of the following is NOT a recommendation for securing storage containers?
The people authorized to open the evidence container should be limited to supervisors.
A judge can exclude evidence obtained from a poorly worded warrant.
True
T/F A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.
True
T/F A live acquisition is often performed on a computer that has an encrypted drive when the password or passphrase is available.
True
T/F A separate manual validation is recommended for all raw acquisitions at the time of analysis.
True
T/F After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.
True
T/F If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.
True
T/F Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
True
T/F Plain view doctrine occurs when you find evidence related to the crime but not in the location the warrant specifies or if you find evidence of another unrelated crime.
True
T/F Probable cause refers to the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.
True
T/F The ImageUSB utility can be used to create a bootable flash drive.
True
T/F To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant.
True
An encryption technique that performs a sector-by-sector encryption of an entire drive; each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.
Whole Disk Encryption