CCT121 Chapter 9
In steganalysis, cover-media is which of the following?
The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file
Scope creep happens when an investigation goes beyond the bounds of its original description.
True
The Known File Filter (KFF) can be used for which of the following purposes?
~Filter known program files from view. ~Compare hash values of known files with evidence files
Which forensic image file format creates or incorporates a validation hash value in the image file?
~SMART ~Expert Witness ~AFF
Commercial encryption programs often rely on key escrow technology to recover files if a password or passphrase is lost.
True
The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length.
True
After you shift a file's bits, the hash value remains the same.
False
Steganography is used for which of the following purposes?
Hiding data
The National Software Reference Library provides what type of resource for digital forensics examiners?
A list of MD5 and SHA1 hash values for all known OSs and applications
Password recovery is included in all forensics tools.
False
Which of the following represents known files you can eliminate from an investigation?
Files associated with an application
Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?
Internal corporate investigation because corporate investigators typically have ready access to company records
Block-wise hashing has which of the following benefits for forensics examiners?
Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive
Rainbow tables serve what purpose for digital forensics examinations?
Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords.
If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords?
Salting can make password recovery extremely difficult and time consuming
You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?
There's a hidden partition
For which of the following reasons should you wipe a target drive?
~To ensure the quality of digital evidence you acquire ~To make sure unwanted data isn't retained on the drive
