CIS 296 computer forensics exam 1
if your time is limited, consider using logical acquisition or ____ acquisition data copy method
sparse
one technique for extracting evidence from large systems is called ____
sparse acquisition
typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example
static
in autopsy and many other forensic tools raw format image files don't contain metadata
true
in microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors
true
one way to examine a partition's physical level is to use a disk editor, such as winhex, or hex workshop
true
the definition of digital forensics has evolved over the years from simply involving securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases
true
the fourth amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from unreasonable search and seizure
true
to be a successful computer forensics investigator, you must be familiar with more than one computing platform
true
when seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data
U.S. DOJ
____ is a core win32 subsystem DLL file
user32.dll
when recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to avoid damage to the drive from overheating
80
image files can be reduced by as much as ____% of the original when using lossless compression
50
a ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and traffic at will
warning banner
without a warning banner, employees might have an assumed ____ when using a company's computer system and network access
right of privacy
environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime
safety
corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer
silver-platter
real-time surveillance requires ____ data transmissions between a suspect's computer and a network server
sniffing
the FOIA was originally enacted in the ____.
1960s
computer investigations and forensics fall into the same category: public investigations
false
if the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available
false
the law of search and seizure protects the rights of all people, excluding people suspected of crimes
false
typically, a virtual machine consists of just one file
false
____ often work as a part of a team to secure an organization's computers and networks
forensics investigators
when microsoft introduced windows 2000, it added optional built-in encryption to ntfs called ____
EFS
autopsy uses ____ to validate an image
MD5
on an NTFS disk, immediately after the partition boot sector is the ____
MFT
____ was introduced when microsoft created windows NT and is still the main file system in windows 10
NTFS
____ is how most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks
ZBR
in a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____
affidavit
____ refers to the number of bits in one square inch of a disk platter
areal density
____ records are data the system maintains, such as system log files and proxy server logs
computer-generated
a ____ is a column of tracks on two or more disk platters
cylinder
the file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. these cluster addresses are called ____
data runs
the ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions
dd
____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %SystemRoot%\System32\Drivers folder (typically C:\Windows\System32\Drivers)
device drivers
the ____ group manages investigators and conducts forensic analysis of systems suspected of containing evidence related to an incident or crime
digital investigation
a(n) ____ is a person using a computer to perform routine tasks other than the system administrator
end user
certain files such as ____ and security log in windows, might lose essential network activity records if power is terminated without a proper shutdown
event log
you use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha256, or sha512
hash
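The two cards above (dd producing a raw image, dcfldd's hash= option) describe what a practitioner actually types at a scene. The script below is an added example written for this study set, not part of the course material: it acquires a constructed 64 KiB "evidence" file with dd, hashes source and image with MD5 and SHA-256, and reports whether the image validates. It assumes GNU coreutils (dd, md5sum, sha256sum, head); the dcfldd line at the end is shown only as a comment because dcfldd is a separate package.

```shell
#!/bin/sh
# Added example, not from the CIS 296 study set. Raw acquisition with dd and
# validation by hash comparison. Assumes GNU coreutils. All input is a
# constructed fixture, not real evidence.
set -eu

# Build a constructed "evidence device": 64 KiB of pseudo-random bytes.
make_fixture() {
    # $1 = path of the fixture file to create
    head -c 65536 /dev/urandom > "$1"
}

# Raw (bit-stream) acquisition. conv=noerror,sync keeps dd reading past bad
# blocks and zero-pads short blocks so every offset in the image stays aligned
# with the source; the result is a plain raw image with no embedded metadata.
acquire_raw() {
    # $1 = source device or file, $2 = output image (.dd / .raw)
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Print "<md5> <sha256>" for one file.
hash_file() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" \
                     "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Validate an image: succeeds only when both digests match the source.
verify_image() {
    # $1 = source, $2 = image
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Full run: returns 0 on a validated acquisition, 1 if the hashes differ.
demo() {
    dir=$(mktemp -d)
    make_fixture "$dir/evidence.bin"
    acquire_raw "$dir/evidence.bin" "$dir/evidence.dd"
    if verify_image "$dir/evidence.bin" "$dir/evidence.dd"; then
        echo "image validated: $(hash_file "$dir/evidence.dd")"
        rm -rf "$dir"
        return 0
    fi
    echo "hash mismatch: image is not a faithful copy" >&2
    rm -rf "$dir"
    return 1
}

# Equivalent acquisition with dcfldd, which hashes while it copies (not run
# here; dcfldd is not part of coreutils):
#   dcfldd if=/dev/sdb of=evidence.dd hash=md5,sha256 hashlog=evidence.hashes
```

Run it as `sh acquire.sh && demo` after sourcing, or call `demo` directly at the bottom of the script. Record the printed digests in the chain-of-custody form; any later verification that produces different values means the image, not the source, has changed.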
with a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible
initial-response field kit
published company policies provide a(n) ____ for a business to conduct internal investigations
line of authority
linux iso images that can be burned to a CD or DVD are referred to as ____.
Linux Live CDs
most remote acquisitions have to be done as ____ acquisitions
live
records in the MFT are called ____
metadata
____ is the physical address support program for accessing more than 4GB of physical RAM
ntkrnlpa.exe
courts consider evidence data in a computer as ____ evidence
physical
____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest
probable cause
the purpose of the ____ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key
recovery certificate
when microsoft created windows 95, it consolidated initialization (.ini) files into the ____.
registry