CIS 484 Final - All Quizzes
What is the little endian representation of the hex value 0x22FE03BA?
0xBA03FE22
How many partitions can be defined in the master boot record?
4
Which of the following scenarios is most likely to result in the creation of orphan files in an NTFS-formatted file system? A directory with files is wiped A directory with files is deleted before adding new files to the system A file is sent to the recycle bin A single file is removed from the recycle bin
A directory with files is deleted before adding new files to the system
If a police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit a(n) _______. Affidavit Memo Verdict Exhibit
Affidavit
Logical/targeted acquisitions may be best suited under which of the following circumstances? Limited time Only need specific files Only granted access to certain files All of the Above
All of the above
Which of the following can be used as a forensic acquisition tool? FTK DCFLDD X-Ways All of the above
All of the above
__________ is not recommended for a digital forensics workstation. A text editor tool A write-blocker device A SCSI card All of the above
All of the above are recommended.
Which of the following is a benefit of conducting LNK file analysis? Determine Files accessed by the user Gather info about connected devices Recover deleted files Both A and B
Both A and B Determine files accessed by the user Gather info about connected devices
Which of the following is NOT a benefit of LNK file and JL analysis? Can identify the cluster(s) associated with target files for use in deleted recovery. Can provide info about remote resources/shares used by the system Can provide evidence of files no longer available Helps portray user activity
Can identify the cluster(s) associated with target files for use in deleted recovery.
Which of the following is NOT a disadvantage of file carving? Very difficult to deal with deleted files fragmented around one another. File name is often lost File timestamps are typically lost Cannot utilize if a file's MFT record has been overwritten.
Cannot utilize if a file's MFT record has been overwritten.
In MS file systems, sectors are grouped to form _________, which are storage allocation units of one or more sectors.
Clusters
Which of the following must a file system do in order to function? A. Keep track of files B. Manage partition tables C. Track cluster allocation status D. Both A and C
D. Both A and C
The raw data format, typically created with the Linux _____ command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive
DD
For computer forensics, ______ is the task of collecting digital evidence from electronic media.
Data acquisition
Which of the following does NOT commonly result in the creation of a LNK file in Windows 10? Software installation Opening a file Deleting a file Saving a new file
Deleting a file
Which of the following is a scenario that would require or greatly benefit from creating a split image during a forensic investigation? Suspect drive is FAT32 formatted Destination drive is FAT32 formatted. Destination drive is NTFS formatted Suspect drive is GPT formatted
Destination drive is FAT32 formatted.
One way to compare results and verify your new tool is by using a ______, such as HexWorkshop or WinHex
Disk Editor
Which of the following is NOT likely to yield relevant information regarding specific files and folders a user has been accessing? Shellbags RecentDocs UserAssist key EMDMgmt
EMDMgmt
Which of the following keys can be correlated with LNK files and jump lists using the volume serial number on a device?
EMDMgmt
If you wanted to determine the last time a user opened a target file, which of the following JL attributes would you be most interested in? Embedded DestList stream JL file last modified time JL file creation time Embedded LNK stream
Embedded DestList stream
Which of the following is NOT a scenario in which cryptographic hashing is commonly used in digital forensics?
Establishing a read-only connection to a remote drive
A(n) ______ should include all the tools you can afford to take to the field
Extensive-response field kit
A static set of bytes at the beginning of a particular file type is often referred to as the file's "footer". T/F
False
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation. T/F
False
DCFLDD provides the user with the option to automatically verify a forensic image immediately after it is acquired, eliminating the requirement to manually verify an image after acquisition. T/F
False
It is not important for the physical security of a digital forensics lab to be maintained since evidence is stored in a digital format. T/F
False
Once deleted, registry keys, subkeys and values are not recoverable. T/F
False
The artifacts available to a forensic examiner from a Windows system have remained the same since Windows XP. T/F
False
The most common and recommended method of collecting enterprise RAID servers is through dead/static acquisitions. T/F
False
You should generally attempt file carving before recovering deleted files using the MFT due to the complexity of MFT-based recovery methods. T/F
False
The TypedURLs key tracks information about websites visited in Google Chrome. T/F
False - It keeps track of what is typed in the address bar of IE
The main difference between FAT12, FAT16, and FAT 32 is the size of the directory entries used to track files. T/F
False - The main difference between the different versions of FAT is the size of the entries in the file allocation table (FAT). 12 byte, 16 byte etc.
The SAM, SYSTEM, UsrClass.dat and SOFTWARE hives are system-wide registry hives that are not associated with a particular user account. T/F
False - UsrClass.dat is associated with specific user accounts
The SOFTWARE registry hive contains the "TimeZoneInformation" key, which identifies the time zone observed by the system. T/F
False - this is the SYSTEM registry hive?
Cluster allocation status is tracked via directory entries in FAT file systems. T/F
False -They are tracked in the File Allocation table.
A bit-stream copy is a file containing a bit-stream copy of all data on a disk or disk partition, and is usually referred to as an "image," "image save," or "image file." T/F
False -This is a bit stream image
MBR-partitioned disks have an advantage over GPT-partitioned disks in that they can create larger partition sizes. T/F
False, GPT can create larger partitions than MBR. MBR is limited to 2TB partitions.
The VBR gives the layout of the disk, while the MBR gives the layout of the file system T/F
False, the MBR gives the layout of the disk and the VBR gives the layout of the file system.
Signed into law in 1973, the __________ was/were created to ensure consistency in federal proceedings.
Federal Rules of Evidence
A bit-stream image is an exact copy of a disk written to a ________.
File
_______ Involves sorting and searching through investigation findings to separate good data and suspicious data.
Filtering
Shellbags are useful for which of the following reasons? Identifying the active control set Identifying accessed directories Identifying executed programs Recovering deleted files
Identifying accessed directories
If you wanted to determine the last time a user opened a target file, which of the following LNK file attributes would you be most interested in?
LNK file last modified time
Which of the following timestamps in a FAT file system does not maintain a time (i.e., this timestamp stores its value to the granularity of one day)?
Last Access
Which type of forensic acquisition is recommended if the target system is powered on, full-disk encryption is in use, and you do not have access to the decryption key?
Live
Which of the following is not generally stored as internal metadata to LNK files? MD5 hash of target file Path to the target file Timestamps of the target file Size of the target file
MD5 hash of the target file
The NIST project that has a goal to collect all known hash values for commercial software application and OS files is________
NSRL - National Software Reference Library
Which of the following registry hives is associated with a particular user (i.e., instead of the system as a whole)? SAM SOFTWARE NTUSER.DAT SYSTEM
NTUSER.DAT
Which of the following is NOT a common step in tracing an email? Contact admin if email was sent within a controlled network Determine originating IP address Contact ISP None of the above
None of the above
Which of the following is an option for dealing with file fragmentation during file carving? There is nothing you can do Only carve unallocated clusters Only carve allocated clusters Fragmentation does not have an impact on file carving
Only carve unallocated clusters.
Courts consider evidence data in a computer as ____ evidence.
Physical
One disadvantage of ______ format acquisitions is the potential inability to share an image between different vendors' computer forensic analysis tools.
Proprietary
Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a ______ that a law or policy is being violated.
Reasonable suspicion
The ________ hive contains multiple "control sets", which detail the hardware settings and configuration used by the system.
SYSTEM
Which option below is not a standard systems analysis step? Determine a preliminary design or approach to the case Share evidence with experts outside of the investigation Obtain and copy an evidence drive Mitigate or minimize the risks
Share evidence with experts outside of the investigation.
Which amendment to the US Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure?
The Fourth Amendment
In NTFS, if a deleted file's name and creation/modification/accessed timestamps are recoverable but its content (i.e., non-resident $DATA attribute) has been overwritten, what data structure must be intact? The file's MFT Record This scenario is not possible The parent directory's $I30 attribute The file's clusters
The file's MFT Record
If you open 4 files in MS Excel, 6 files in MS Word and one file in Adobe Acrobat on a Windows 7 system, how many JLs would you expect to find related to these actions?
Three
A bootable forensic environment such as DEFT can be used during forensic acquisitions because it runs entirely in RAM and by default does not make changes to the target hard drive. T/F
True
A chain-of-custody form is used to document the location of evidence throughout a case and contains information that can be used to uniquely identify the evidence such as serial numbers, model numbers, and a description of the evidence. T/F
True
A deleted file's content and metadata may be fully recoverable in NTFS if its MFT record has not been reused and the file's clusters have not been reused. T/F
True
After obtaining the original IP address of an email, the next step to track down the original sender should be to identify the ISP that owns the IP address. T/F
True
After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools. T/F
True
Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file's contents. T/F
True
An offset specifies the location within a data structure that a particular value resides. T/F
True
Both the NTUSER.DAT and SOFTWARE registry hives contain autostart keys, which identify programs to be started at boot or user logon. T/F
True
Corporate policies governing computer use are important in the context of digital forensics because well-defined policies give computer investigators and forensic examiners the authority to conduct an investigation. T/F
True
Custom JLs are created and maintained by the application and are not updated with the same frequency as automatic JLs. T/F
True
Directory entries in FAT file systems contain the name of a file. T/F
True
During an investigation involving a live system, you should typically not cut power to the running system. T/F
True
Email server logs such as transaction logs can include crucial information for an email investigation. T/F
True
File slack can be defined as the unused space created when a file is saved. T/F
True
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees may have an expectation of privacy. T/F
True
In order to acquire smartphones and other mobile devices, the use of specialized acquisition software and hardware is often required. T/F
True
It is common for digital forensic investigators to have at least one (1) mobile workstation for field work and one (1) heavy-duty workstation for in-lab work. T/F
True
It is less common for a file type to have a defined footer than a defined header. T/F
True
JLs were a new addition to Windows 7 that can provide computer forensic examiners with similar info that is found in LNK files. T/F
True
LNK files can be found in Windows Vista, Windows 7, Windows 8, and Windows 10 systems. T/F
True
Long file name (LFN) directory entries are used in FAT file systems to store file names that do not adhere to the 8.3 naming standard. T/F
True
Many digital investigations in the private sector involve misuse of computing assets or company time. T/F
True
One advantage with live acquisitions is that you are able to collect the contents of encrypted containers that are mounted on the system. T/F
True
The "C:\Documents and Settings" directory on a Windows 7 system is an example of a reparse point. T/F
True
The AppData directory located within a user's profile folder contains a wealth of useful information that can be used in forensic examinations. This includes web browser history, application settings, and a "Temp" directory commonly used by malicious software. T/F
True
The LastWrite time found in the registry is the equivalent of the last time a particular key or subkey was modified. T/F
True
The SAM registry hive stores information about local user accounts on the system. T/F
True
The embedded streams of a jump list are stored in the same format as LNK files and therefore provide similar information as LNK files. T/F
True
The process of file carving can be employed across multiple file systems and is not specific to NTFS. T/F
True
The process of file carving uses known file signatures (otherwise known as headers and footers) to attempt to recover deleted files from a system's unallocated space. T/F
True
The professional conduct of a digital forensics examiner includes the ethics, morals and standards of behavior of the examiner; it is imperative that the examiner exhibit the highest levels of professional behavior at all times. T/F
True
The use of clean media (i.e., wiped and reformatted) is recommended for the destination media used in forensic acquisitions. T/F
True
Verifying a forensic image involves ensuring that the bit-stream image created is exactly the same as the original evidence and is often carried out via cryptographic hashes. T/F
True
When an email is deleted from a Microsoft Outlook profile, the deleted email may be recoverable by carving the PST/OST Outlook container file. T/F
True
When conducting a digital forensics analysis under attorney-client privilege (ACP) rules for an attorney, you must keep all findings confidential unless you are forced to disclose information as a testifying expert. T/F
True
When viewing the registry on a live system via regedit, you are presented with a single tree-like structure representing a "view" into the individual registry hives stored on disk. Analysis of the registry on a forensic image involves viewing the individual registry hives using a forensic registry viewer. T/F
True
WinHex, FTK Imager, and most other forensic or data recovery tools will usually alert the user of deleted files that have been identified by representing these files with a different icon (often a red "X"). T/F
True
When a file is deleted in a FAT file system, the value(s) in the file allocation table entries associated with the deleted file is/are changed to zero. T/F
True - not just sending files to the recycling bin, this is permanent deletion. Directory entry is marked as unused (first byte is changed to 0xE5; the rest of the entry remains intact). FAT entries for clusters allocated to the file are all set to 0.
Registry values do not have a Last Write time associated with them. T/F
True - only keys have a last write time
Found in the SYSTEM registry hive, the ________ key records information about USB storage devices that have been connected to the system.
USBSTOR
____________ can be software or hardware and are used to protect evidence disks by preventing data from being written to them.
Write-blockers
After the evidence has been presented in a trial by jury, the jury must deliver a(n) ___________.
verdict