CFOR101 Chps 9, 10, 14 Final Exam


In steganalysis, cover-media is which of the following? The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file The content of a file used for a steganography message The type of steganographic method used to conceal a message A specific type of graphics file used only for hashing steganographic files

The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file

If you were a lay witness at a previous trial, you shouldn't list that case in your written report. True False

True

Scope creep happens when an investigation goes beyond the bounds of its original description. True False

True

Spoliation means destroying a report before the final resolution of a case. True False

True

Which of the following types of hypervisor will allow you to install the OS directly on the hardware? Type 2 Type 1 Type 4 Type 3

Type 1

Steganography is used for which of the following purposes? Accessing remote computers Creating strong passwords Hiding data Validating data

Hiding data

A layered network defense strategy puts the most valuable data where? In the DMZ In the outermost layer In the innermost layer None of the above

In the innermost layer

Commercial encryption programs often rely on key escrow technology to recover files if a password or passphrase is lost. True False

True

Tcpslice can be used to retrieve specific timeframes of packet captures. True False

True

The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True False

True

Which of the following is a clue that a virtual machine has been installed on a host system? Virtual network adapter USB drive Virtualization software Network logs

Virtual network adapter

After you shift a file's bits, the hash value remains the same. True False

False

For which of the following reasons should you wipe a target drive? a: To ensure the quality of digital evidence you acquire b: To make sure unwanted data isn't retained on the drive Both a and b Neither of the above

Both a and b

Virtual Machine Extensions (VMX) are part of which of the following? AMD Virtualized Technology Intel Virtualized Technology Type 2 hypervisors Type 1 hypervisors

Intel Virtualized Technology

In VirtualBox, a(n) __________ file contains settings for virtual hard drives. .vbox-prev .vbox .log .ovf

.vbox

Which of the following file extensions are associated with VMware virtual machines? .vbox, .vdi, and .log .vmx, .log, and .nvram .vmx, .r0, and .xml-prev .vdi, .ova, and .r0

.vmx, .log, and .nvram

The National Software Reference Library provides what type of resource for digital forensics examiners? Reference books and materials for digital forensics A list of MD5 and SHA1 hash values for all known OSs and applications A list of digital forensics tools that make examinations easier A repository for software vendors to register their developed applications

A list of MD5 and SHA1 hash values for all known OSs and applications

An expert witness can give an opinion in which of the following situations? The witness testifies to a reasonable degree of certainty (probability) about his or her opinion, inference, or conclusion. The opinion, inferences, or conclusions depend on special knowledge, skills, or training not within the ordinary experience of laypeople. All of the above

All of the above

Which forensic image file format creates or incorporates a validation hash value in the image file? AFF SMART Expert Witness All of the above

All of the above

You can expect to find a type 2 hypervisor on what type of device? Smartphone Desktop Tablet All of the above

All of the above

Which of the following is an example of a written report? A search warrant An affidavit Voir dire Any of the above

An affidavit

The Known File Filter (KFF) can be used for which of the following purposes? a: Filter known program files from view. b: Calculate hash values of image files. c: Compare hash values of known files with evidence files. Both a and c

Both a and c

When do zero day attacks occur? a: On the day the application or OS is released b: Before a patch is available c: Before the vendor is aware of the vulnerability Both b and c.

Both b and c

In a forensics investigation, you must follow certain procedures. Which of the following is NOT something you should do? Document all your steps Wipe and prepare target drives Carry out the investigation on the original evidence only Check date and time values in the suspect computer's CMOS

Carry out the investigation on the original evidence only

In OSForensics, how can you attach to a drive to examine evidence? Choose Attach Drive Image Choose Install Drive Image Choose Build Drive Image Choose Mount Drive Image

Choose Mount Drive Image

When writing a report, what's the most important aspect of formatting? A neat appearance Consistency Size of the font Clear use of symbols and abbreviations

Consistency

Automated tools help you collect and report evidence, but you're responsible for doing which of the following? Explaining your formatting choices Explaining in detail how the software works Explaining the significance of the evidence All of the above

Explaining the significance of the evidence

A forensic image of a VM includes all snapshots. True False

False

Figures not used in the body of the report can't be included in report appendixes. True False

False

Password recovery is included in all forensics tools. True False

False

Which of the following represents known files you can eliminate from an investigation? Files associated with an application Any files pertaining to the company Any graphics files All of the above

Files associated with an application

Which Registry key contains associations for file extensions? HFILE_CLASSES_ROOT HFILE_EXTENSIONS HKEY_CLASSES_FILE HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation? Internal corporate investigation because ISPs almost always turn over e-mail and access logs when requested by a large corporation Criminal investigation because law enforcement agencies have more resources at their disposal Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly Internal corporate investigation because corporate investigators typically have ready access to company records

Internal corporate investigation because corporate investigators typically have ready access to company records

Which of the following statements about the legal-sequential numbering system in report writing is true? It's required for reports submitted in federal court. It's favored because it's easy to organize and understand. It's most effective for shorter reports. It doesn't indicate the relative importance of information.

It doesn't indicate the relative importance of information.

Packet analyzers examine what layers of the OSI model? Layers 2 and 4 Layers 4 through 7 Layers 2 and 3 All layers

Layers 2 and 3

What is a good resource for known OSs and applications? National Software Reference Library (NSRL) National Institute for known OSs and applications (NIOA) National Library of Software and Applications (NLSA) National Institute of Standards and Technology (NIST)

National Software Reference Library (NSRL)

Which of the following tools will allow you to mount a disk image? ImageMount OSFMount AutopsyMount ProDiscoverMount

OSFMount

Which of the following is the standard format for reports filed electronically in U.S. federal courts and most state courts? Excel Word PDF HTML

PDF

What are the three modes of protection in the DiD strategy? People, PCs, mobile devices Computer, smartphones, tablets People, technology, operations PCs, mobile devices, laptops

People, technology, operations

Which of the following tools were used in the lab to generate reports (choose two answers)? Autopsy ProDiscover EnCase OSForensics

ProDiscover, OSForensics

Block-wise hashing has which of the following benefits for forensics examiners? Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive Allows validating sector comparisons between known files Verifies the quality of OS files Provides a faster way to shift bits in a block or sector of data

Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive
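The two hash-set techniques asked about above (the KFF-style filtering of known files, and block-wise hashing of a known-good file to find remnants on a suspect drive) are shown together below in working Python. This is an added example, not code from the course, the textbook labs, or any of the tools named on this page; the known file, the drive image, and the 512-byte sector size are constructed assumptions, and real tools read sectors from an image file rather than from in-memory bytes.

```python
import hashlib

SECTOR = 512  # assumed sector size; real tools take it from the image geometry


def is_uniform(block: bytes) -> bool:
    """True for blocks made of one repeated byte (zero fill, 0xFF fill).
    Such blocks occur all over a disk, so they are excluded from the hash set
    to avoid a flood of meaningless hits."""
    return len(set(block)) <= 1


def file_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def filter_known(evidence: dict, known_hashes: set) -> dict:
    """KFF-style filtering: drop files whose whole-file hash is in the known set."""
    return {name: data for name, data in evidence.items()
            if file_hash(data) not in known_hashes}


def sector_hashes(data: bytes, sector: int = SECTOR) -> dict:
    """Hash every full sector of a known-good file: {digest: sector_index}.
    The trailing partial sector is skipped; on disk it would contain slack
    space, so its hash would never match a remnant anyway."""
    table = {}
    for idx in range(len(data) // sector):
        block = data[idx * sector:(idx + 1) * sector]
        if is_uniform(block):
            continue
        table.setdefault(hashlib.sha256(block).digest(), idx)
    return table


def scan_image(image: bytes, table: dict, sector: int = SECTOR) -> list:
    """Walk a sector-aligned drive image and report (offset, known_sector_idx)
    for every sector whose hash is in the known-good table."""
    hits = []
    for off in range(0, len(image) - sector + 1, sector):
        digest = hashlib.sha256(image[off:off + sector]).digest()
        if digest in table:
            hits.append((off, table[digest]))
    return hits


def build_known_file() -> bytes:
    # Constructed: three distinct 512-byte sectors, one zero-filled sector, 90-byte tail.
    sectors = [hashlib.sha256(b"known-good-sector-%d" % i).digest() * 16 for i in range(3)]
    return b"".join(sectors) + b"\x00" * SECTOR + b"tail-data" * 10


def build_image(known: bytes) -> bytes:
    # Constructed image: sectors 1 and 2 survive as a remnant, sector 0 was
    # relocated, and zero fill surrounds them (the zero fill must not match).
    return (b"\x00" * SECTOR            # offset 0: zero fill
            + known[SECTOR:3 * SECTOR]  # offsets 512, 1024: sectors 1 and 2
            + b"\x00" * SECTOR          # offset 1536: zero fill
            + known[:SECTOR]            # offset 2048: sector 0
            + b"junk" * 128)            # offset 2560: unrelated data


def demo():
    known = build_known_file()
    image = build_image(known)
    evidence = {"unchanged_copy.bin": known, "suspect.bin": image}
    # Step 1: whole-file filtering removes the pristine copy of the known file.
    remaining = filter_known(evidence, {file_hash(known)})
    # Step 2: block-wise hashing finds the known file's sectors inside what is left.
    hits = scan_image(remaining["suspect.bin"], sector_hashes(known))
    return sorted(remaining), hits


if __name__ == "__main__":
    print(demo())
```

The whole-file hash misses the suspect image entirely (it is not byte-identical to the known file), while the sector scan reports three hits and says which known sector each one is; the zero-filled sectors produce no hits because uniform blocks are left out of the table.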

The number of VMs that can be supported per host by a type 1 hypervisor is generally determined by the amount of __________ and __________. RAM, storage RAM, network speed RAM, GPU Storage, processing power

RAM, storage

Which of the following contains a set of hashes for known passwords? Rainbow Tables Brute-forced Tables Solved Hash Table Cracked Hash Tables

Rainbow Tables

Rainbow tables serve what purpose for digital forensics examinations? Rainbow tables are designed to enhance the search capability of many digital forensics examination tools. Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords. Rainbow tables provide a scoring system for probable search terms. Rainbow tables are a supplement to the NIST NSRL library of hash tables.

Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords.

Which rule of the Federal Rules of Civil Procedure requires expert witnesses to submit written reports? Rule 26 Rule 27 Rule 24 Rule 25

Rule 26

Which of the following is a free, open-source incident response and forensic tool that can be installed on a virtual machine? SIFT Workstation ProDiscover OSForensics EnCase

SIFT Workstation

If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords? Salting can make password recovery extremely difficult and time consuming. There are no concerns because salting doesn't affect password-recovery tools. Salting applies only to OS startup passwords, so there are no serious concerns for examiners. The effect on the computer's CMOS clock could alter files' date and time values.

Salting can make password recovery extremely difficult and time consuming.
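The rainbow-table and salting questions above describe the same trade-off from two sides: a table of precomputed hashes recovers an unsalted password quickly, and a per-password salt makes that table useless. The Python below is an added illustration, not code from the course or from any password-recovery product; it builds a small but genuine rainbow table (hash/reduce chains with a position-dependent reduction function, storing only chain endpoints) over a toy keyspace of four lowercase letters, recovers unsalted SHA-256 hashes, and then fails against a salted hash. The keyspace, chain length, chain count, seed values and the salt format are all constructed assumptions.

```python
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 4            # toy keyspace: 26**4 = 456,976 candidates
CHAIN_LEN = 50        # hash/reduce steps per chain
NUM_CHAINS = 200      # table covers at most CHAIN_LEN * NUM_CHAINS passwords
KEYSPACE = len(CHARSET) ** PW_LEN


def H(pw: str) -> bytes:
    """Unsalted hash as stored by a weak application (SHA-256 assumed here)."""
    return hashlib.sha256(pw.encode()).digest()


def salted_hash(salt: str, pw: str) -> bytes:
    """Salted variant: salt prepended before hashing (constructed scheme)."""
    return hashlib.sha256((salt + pw).encode()).digest()


def reduce_(h: bytes, step: int) -> str:
    """Reduction function: map a digest back into the password space.
    Mixing the chain position into the reduction is what makes this a
    rainbow table: two chains that collide at different positions diverge
    again instead of merging."""
    n = (int.from_bytes(h, "big") + step) % KEYSPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def build_table(starts):
    """Precompute chains and keep only endpoint -> [start points].
    Every start is kept, so chains that merge are still searchable."""
    table = {}
    for start in starts:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_(H(pw), step)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target: bytes):
    """Try to invert `target`. Returns the password or None."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target is the hash at position `pos` of some chain.
        # Walk from there to the chain end and see if the endpoint is stored.
        pw = reduce_(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduce_(H(pw), step)
        for start in table.get(pw, ()):
            # Regenerate the chain and verify against the real hash: an
            # endpoint match without the target in the chain is a false alarm.
            cand = start
            for step in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = reduce_(H(cand), step)
    return None


def chain_password(start: str, pos: int) -> str:
    """Password at chain position `pos` (0 is the start point)."""
    pw = start
    for step in range(pos):
        pw = reduce_(H(pw), step)
    return pw


def demo_starts():
    # Deterministic, constructed start points derived from seed strings.
    return [reduce_(hashlib.sha256(b"seed-%d" % i).digest(), 0)
            for i in range(NUM_CHAINS)]


if __name__ == "__main__":
    starts = demo_starts()
    table = build_table(starts)
    victim = chain_password(starts[0], 13)
    print("unsalted:", lookup(table, H(victim)))
    print("salted:  ", lookup(table, salted_hash("S4LT:", victim)))
```

The salted lookup fails for a structural reason, not by bad luck: the table was computed over hash(password), but the stored value is hash(salt + password), so no chain contains it, and an attacker would need a separate table per salt value. The same reasoning is why the examiner's alternative, brute force, scales with password length: every extra character multiplies the keyspace (here by 26).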

You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information? The disk is corrupted. There's a hidden partition. The drive is formatted incorrectly. Nothing; this is what you'd expect to see

There's a hidden partition.

For what purpose have hypothetical questions traditionally been used in litigation? To define the case issues for the finder of fact to determine To deter a witness from expanding the scope of his or her investigation beyond the case requirements. To frame the factual context of rendering an expert witness's opinion To stimulate discussion between a consulting expert and an expert witness

To frame the factual context of rendering an expert witness's opinion

Being able to incorporate the log files and reports tools generate into your written reports is a major advantage of automated forensics tools in report writing. True False

True

We captured and examined physical memory in one of the labs in chapter 10. What is the name of the tool we used to examine the file dump? Hex Workshop WinHex Irfanview Autopsy

WinHex

Which of the following tools can be used to monitor network traffic so that packet analysis can be carried out? FTK OSForensics Wireshark Autopsy

Wireshark

Which of the following rules or laws requires an expert to prepare and submit a report? a: FRCP 26 b: FRE 801 Both a and b Neither of the above

a: FRCP 26

What file extension was used in the lab to scan and extract Outlook Express files for analysis? oex pst oef dbx

dbx

Which of the following can be used to determine if the contents of a file have changed? hash file flags encryption keys bit-shifting

hash

To find network adapters, you use the __________ command in Windows and the __________ command in Linux. tcpdump, netstat more, netstat top, nd ipconfig, ifconfig

ipconfig, ifconfig

Which of the following live acquisition forensic terms determines how long a piece of information lasts on a system? time to live (TTL) order of volatility (OOV) volatility factor (OF) live acquisition volatility (LAV)

order of volatility (OOV)

All of the following should be avoided when writing expert witness reports, EXCEPT: slang vague wording jargon signposts

signposts
