CFOR101 Chps 9, 10, 14 Final Exam
In steganalysis, cover-media is which of the following? The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file The content of a file used for a steganography message The type of steganographic method used to conceal a message A specific type of graphics file used only for hashing steganographic files
The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file
If you were a lay witness at a previous trial, you shouldn't list that case in your written report. True False
True
Scope creep happens when an investigation goes beyond the bounds of its original description. True False
True
Spoliation means destroying a report before the final resolution of a case. True False
True
Which of the following types of hypervisor will allow you to install the OS directly on the hardware? Type 2 Type 1 Type 4 Type 3
Type 1
Steganography is used for which of the following purposes? Accessing remote computers Creating strong passwords Hiding data Validating data
Hiding data
A layered network defense strategy puts the most valuable data where? In the DMZ In the outermost layer In the innermost layer None of the above
In the innermost layer
Commercial encryption programs often rely on key escrow technology to recover files if a password or passphrase is lost. True False
True
Tcpslice can be used to retrieve specific timeframes of packet captures. True False
True
The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True False
True
Which of the following is a clue that a virtual machine has been installed on a host system? Virtual network adapter USB drive Virtualization software Network logs
Virtual network adapter
After you shift a file's bits, the hash value remains the same. True False
False
For which of the following reasons should you wipe a target drive? a: To ensure the quality of digital evidence you acquire b: To make sure unwanted data isn't retained on the drive Both a and b Neither of the above
Both a and b
Virtual Machine Extensions (VMX) are part of which of the following? AMD Virtualized Technology Intel Virtualized Technology Type 2 hypervisors Type 1 hypervisors
Intel Virtualized Technology
In VirtualBox, a(n) __________ file contains settings for virtual hard drives. .vbox-prev .vbox .log .ovf
.vbox
Which of the following file extensions are associated with VMware virtual machines? .vbox, .vdi, and .log .vmx, .log, and .nvram .vmx, .r0, and .xml-prev .vdi, .ova, and .r0
.vmx, .log, and .nvram
The National Software Reference Library provides what type of resource for digital forensics examiners? Reference books and materials for digital forensics A list of MD5 and SHA1 hash values for all known OSs and applications A list of digital forensics tools that make examinations easier A repository for software vendors to register their developed applications
A list of MD5 and SHA1 hash values for all known OSs and applications
An expert witness can give an opinion in which of the following situations? The witness testifies to a reasonable degree of certainty (probability) about his or her opinion, inference, or conclusion. The opinion, inferences, or conclusions depend on special knowledge, skills, or training not within the ordinary experience of laypeople. All of the above
All of the above
Which forensic image file format creates or incorporates a validation hash value in the image file? AFF SMART Expert Witness All of the above
All of the above
You can expect to find a type 2 hypervisor on what type of device? Smartphone Desktop Tablet All of the above
All of the above
Which of the following is an example of a written report? A search warrant An affidavit Voir dire Any of the above
An affidavit
The Known File Filter (KFF) can be used for which of the following purposes? a: Filter known program files from view. b: Calculate hash values of image files. c: Compare hash values of known files with evidence files. Both a and c
Both a and c
When do zero-day attacks occur? a: On the day the application or OS is released b: Before a patch is available c: Before the vendor is aware of the vulnerability Both b and c
Both b and c
In a forensics investigation, you must follow certain procedures. Which of the following is NOT something you should do? Document all your steps Wipe and prepare target drives Carry out the investigation on the original evidence only Check date and time values in the suspect computer's CMOS
Carry out the investigation on the original evidence only
In OSForensics, how can you attach to a drive to examine evidence? Choose Attach Drive Image Choose Install Drive Image Choose Build Drive Image Choose Mount Drive Image
Choose Mount Drive Image
When writing a report, what's the most important aspect of formatting? A neat appearance Consistency Size of the font Clear use of symbols and abbreviations
Consistency
Automated tools help you collect and report evidence, but you're responsible for doing which of the following? Explaining your formatting choices Explaining in detail how the software works Explaining the significance of the evidence All of the above
Explaining the significance of the evidence
A forensic image of a VM includes all snapshots. True False
False
Figures not used in the body of the report can't be included in report appendixes True False
False
Password recovery is included in all forensics tools. True False
False
Which of the following represents known files you can eliminate from an investigation? Files associated with an application Any files pertaining to the company Any graphics files All of the above
Files associated with an application
Which Registry key contains associations for file extensions? HFILE_CLASSES_ROOT HFILE_EXTENSIONS HKEY_CLASSES_FILE HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation? Internal corporate investigation because ISPs almost always turn over e-mail and access logs when requested by a large corporation Criminal investigation because law enforcement agencies have more resources at their disposal Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly Internal corporate investigation because corporate investigators typically have ready access to company records
Internal corporate investigation because corporate investigators typically have ready access to company records
Which of the following statements about the legal-sequential numbering system in report writing is true? It's required for reports submitted in federal court. It's favored because it's easy to organize and understand. It's most effective for shorter reports. It doesn't indicate the relative importance of information.
It doesn't indicate the relative importance of information.
Packet analyzers examine what layers of the OSI model? Layers 2 and 4 Layers 4 through 7 Layers 2 and 3 All layers
Layers 2 and 3
What is a good resource for known OSs and applications? National Software Resource Library (NSRL) National Institute for known OSs and applications (NIOA) National Library of Software and Applications (NLSA) National Institute of Standards and Technology (NIST)
National Software Resource Library (NSRL)
Which of the following tools will allow you to mount a disk image? ImageMount OSFMount AutopsyMount ProDiscoverMount
OSFMount
Which of the following is the standard format for reports filed electronically in U.S. federal courts and most state courts? Excel Word PDF HTML
What are the three modes of protection in the DiD strategy? People, PCs, mobile devices Computer, smartphones, tablets People, technology, operations PCs, mobile devices, laptops
People, technology, operations
Which of the following tools were used in the lab to generate reports (Choose two answers)? Autopsy ProDiscover EnCase OSForensics
ProDiscover, OSForensics
Block-wise hashing has which of the following benefits for forensics examiners? Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive Allows validating sector comparisons between known files Verifies the quality of OS files Provides a faster way to shift bits in a block or sector of data
Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive
The number of VMs that can be supported per host by a type 1 hypervisor is generally determined by the amount of __________ and __________. RAM, storage RAM, network speed RAM, GPU Storage, processing power
RAM, storage
Which of the following contains a set of hashes for known passwords? Rainbow Tables Brute-forced Tables Solved Hash Table Cracked Hash Tables
Rainbow Tables
Rainbow tables serve what purpose for digital forensics examinations? Rainbow tables are designed to enhance the search capability of many digital forensics examination tools. Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords. Rainbow tables provide a scoring system for probable search terms. Rainbow tables are a supplement to the NIST NSRL library of hash tables.
Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords.
Which rule of the Federal Rules of Civil Procedure requires expert witnesses to submit written reports? Rule 26 Rule 27 Rule 24 Rule 25
Rule 26
Which of the following is a free, open-source incident response and forensic tool that can be installed on a virtual machine? SIFT Workstation ProDiscover OSForensics Encase
SIFT Workstation
If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords? Salting can make password recovery extremely difficult and time consuming. There are no concerns because salting doesn't affect password-recovery tools. Salting applies only to OS startup passwords, so there are no serious concerns for examiners. The effect on the computer's CMOS clock could alter files' date and time values.
Salting can make password recovery extremely difficult and time consuming.
You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information? The disk is corrupted. There's a hidden partition. The drive is formatted incorrectly. Nothing; this is what you'd expect to see
There's a hidden partition.
For what purpose have hypothetical questions traditionally been used in litigation? To define the case issues for the finder of fact to determine To deter a witness from expanding the scope of his or her investigation beyond the case requirements. To frame the factual context of rendering an expert witness's opinion To stimulate discussion between a consulting expert and an expert witness
To frame the factual context of rendering an expert witness's opinion
Being able to incorporate the log files and reports tools generate into your written reports is a major advantage of automated forensics tools in report writing. True False
True
We captured and examined physical memory in one of the labs in chapter 10. What is the name of the tool we used to examine the file dump? Hex Workshop WinHex Irfanview Autopsy
WinHex
Which of the following tools can be used to monitor network traffic so that packet analysis can be carried out? FTK OSForensics Wireshark Autopsy
Wireshark
Which of the following rules or laws requires an expert to prepare and submit a report? a: FRCP 26 b: FRE 801 Both a and b Neither of the above
a: FRCP 26
What file extension was used in the lab to scan and extract Outlook Express files for analysis? oex pst oef dbx
dbx
Which of the following can be used to determine if the contents of a file have changed? hash file flags encryption keys bit-shifting
hash
To find network adapters, you use the __________ command in Windows and the __________ command in Linux. tcpdump, netstat more, netstat top, nd ipconfig, ifconfig
ipconfig, ifconfig
Which of the following live acquisition forensic terms determines how long a piece of information lasts on a system? time to live (TTL) order of volatility (OOV) volatility factor (OF) live acquisition volatility (LAV)
order of volatility (OOV)
All of the following should be avoided when writing expert witness reports, EXCEPT: slang vague wording jargon signposts
signposts