Computer Forensics


_______ is the area of a hard drive that has not been allocated for file storage. -A- Unallocated space -B- Temporary data -C- Basic input/output system (BIOS) -D- Volume slack

A) Unallocated space

A(n) __________ is a data structure in the Linux file system that stores all the information about a file except its name and actual data. -A- cluster -B- inode -C- partition -D- table

B) inode

Which tool in Paraben's E3, will create the MD5 and SHA1 values for a file? -A- Hash Code Generator -B- Add Evidence -C- Content Analysis -D- Reports

C) Content Analysis

__________ holds that you cannot interact in an environment without altering it in some way, without leaving some trace. -A- The chain of custody -B- The Daubert Standard -C- Locard's principle of transference -D- A rule of evidence

C) Locard's principle of transference

According to the order of volatility in RFC 3227, what evidence should you collect first on a typical system? -A- File system, then memory dumps -B- System state backup, then the file system -C- The Registry, then internet traces -D- Volatile data, then file slack

D) Volatile data, then file slack Feedback: RFC 3227 orders collection from most to least volatile: registers and cache; routing table, ARP cache, process table, kernel statistics and memory; temporary file systems; disk; remote logging and monitoring data; physical configuration and network topology; archival media.

What NTFS metafile serves as a record of which clusters on a disk are allocated and unallocated? -A- $MFT -B- $BitMap -C- $Boot -D- $NTFS

B) $BitMap

The Caesar cipher is an old method of encryption involving a substitution cipher. Practicing this method, you want to perform a shift of -4. What is this? -A- Shifting 4 letters to the right -B- Shifting 4 letters to the left -C- Shifting the text 4 lines down -D- Shifting the text 4 lines up

B) Shifting 4 letters to the left Feedback: A negative shift moves each letter back toward A (E becomes A); undoing it is the matching shift of 4 to the right.

_______ is an industry certification that focuses on knowledge of PC hardware. -A- Cisco Certified Network Associate -B- (ISC)2 CISSP -C- EC-Council Certified Hacking Forensic Investigator (CHFI) -D- CompTIA A+

D) CompTIA A+

True or False? A sector is the basic unit of data storage on a solid-state disk.

False Feedback: The sector is the basic unit on a magnetic hard disk; a solid-state drive stores data in pages grouped into erase blocks.

Which of the following is the best description of volatile data? -A- Data that has been manually deleted by a user -B- Data that is sent across a network to another device -C- Data that is lost when the system is used, such as the swap file and state of network connections -D- Data that is stored in a hidden location on a disk drive

C) Data that is lost when the system is used, such as the swap file and state of network connections Feedback: Volatile data exists only while the system is running and is lost on power-off or reboot, which is why it is collected first.

Although the Data Encryption Standard (DES) algorithm is sound, it is no longer considered secure because: -A- of its XOR result. -B- of its long key size. -C- of its small key size. -D- block ciphers are no longer used.

C) of its small key size.

In World War II, the Germans made use of _________, which is an electromechanical rotor-based cipher system. -A- the Feistel function -B- Kerckhoffs' principle -C- symmetric cryptography -D- the Enigma machine

D) the Enigma machine

True or False? Exif data is associated with temporary internet files.

False Feedback: Exif stands for exchangeable image file format and is associated with image files.

True or False? In Windows, when copying or cutting a file to a different partition, the file will retain the rights of the source folder.

False Feedback: When copying or cutting a file to a different partition, the file will inherit rights of the destination folder.

True or False? When gathering evidence in a forensic investigation, working with the original drive is safer than working with a drive image.

False Feedback: When gathering evidence in a forensic investigation, working with a drive image is safer than working with the original drive.

True or False? Hackers break into computer systems and steal secret defense plans of the United States. This is an example of a virus.

False Feedback: This is an example of cyberterrorism.

True or False? Fraud refers to a broad category of crime that can encompass many different activities, but essentially, it is any attempt to gain financial reward through deception.

True

True or False? Frequency analysis is the basic tool for breaking most classical ciphers, but is not effective against modern methods of cryptography.

True

True or False? If you can hear a hard drive's internal disks spinning, the drive probably has not experienced a catastrophic failure.

True

True or False? In Windows 10, the Recycle Bin is located in a hidden directory.

True

_______ is the unused space between the logical end of a file and the physical end of a file. -A- File slack -B- Bit-level information -C- A cluster -D- A segment

A) File slack
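Worked example, added here and not part of the original study set, of what file slack is and why an examiner carves it: the bytes between a file's logical end and the end of its last cluster can still hold residue of whatever occupied that cluster before. The volume is a constructed byte string with 4096-byte clusters and contiguous files; no real file system structure is parsed, so the first cluster and logical size are passed in directly (on NTFS they would come from the file's $MFT record).

```python
"""File slack extraction over a constructed volume (added example)."""

CLUSTER_SIZE = 4096


def clusters_needed(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Whole clusters allocated: a partially used cluster counts in full."""
    return -(-file_size // cluster_size)        # ceiling division


def slack_size(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes of slack behind the file; zero for an empty or cluster-aligned file."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


def extract_slack(volume: bytes, first_cluster: int, file_size: int,
                  cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Return the slack bytes of a contiguously stored file."""
    start = first_cluster * cluster_size + file_size
    end = (first_cluster + clusters_needed(file_size, cluster_size)) * cluster_size
    return volume[start:end]


def build_sample_volume():
    """Construct an 8-cluster volume with a realistic slack scenario.

    1. A file of exactly two clusters (8192 bytes) is written at cluster 2.
    2. It is deleted; the file system only marks clusters 2-3 as free.
    3. A new 5000-byte file is written starting at cluster 2.
    The last 3192 bytes of cluster 3 still hold the old file's content.
    """
    old_line = b'OLD PAYROLL RECORD: account 4417 transfer approved\n'
    old_file = (old_line * (2 * CLUSTER_SIZE // len(old_line) + 1))[:2 * CLUSTER_SIZE]
    new_file = b'N' * 5000
    volume = bytearray(8 * CLUSTER_SIZE)
    volume[2 * CLUSTER_SIZE:4 * CLUSTER_SIZE] = old_file                   # step 1
    volume[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + len(new_file)] = new_file   # step 3
    return bytes(volume), old_file, new_file


# Constructed sample data, not taken from any real disk.
SAMPLE_VOLUME, OLD_FILE, NEW_FILE = build_sample_volume()

if __name__ == '__main__':
    slack = extract_slack(SAMPLE_VOLUME, first_cluster=2, file_size=len(NEW_FILE))
    print(len(slack), slack[:60])
```

In practice modern Windows zero-fills the remainder of the last sector when it writes the file, so residue survives in the untouched sectors of the cluster after that point rather than immediately behind the logical end; the arithmetic above is the same, only the first few hundred bytes of the slack come back as zeros.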

In E3, what appears next to a filename that is identified as deleted in the file system? -A- A stop sign -B- A red X -C- A red dot -D- The word "deleted"

B) A red X

True or False? A denial of service (DoS) attack typically does not harm data on the target system.

True

True or False? Disk forensics includes both the recovery of hidden and deleted information and the process of identifying who created a file or message.

True

True or False? File slack and slack space are the same thing.

True

True or False? Forensically scrubbing a file or folder may involve overwriting data with random characters seven times.

True

True or False? Least significant bit (LSB) is a common steganography method.

True

True or False? Machines undergoing a forensic examination should not be connected to the internet.

True

True or False? Mean time to failure (MTTF) is the amount of time, on average, before a given device is likely to fail through normal use.

True

True or False? On a Windows system, some viruses infect the boot sector and are loaded when the system loads.

True

True or False? Real evidence means physical objects that can be touched, held, or directly observed, such as a laptop with a suspect's fingerprints on it.

True

You are the infrastructure manager. You are performing a business impact analysis (BIA) to consider the cost of likely disasters and the impact on your organization. How do you calculate the single loss expectancy (SLE)? -A- By multiplying the asset value (AV) times the exposure factor (EF) -B- By dividing the annual rate of occurrence (ARO) by the exposure factor (EF) -C- By multiplying the annual rate of occurrence (ARO) times the exposure factor (EF) -D- The SLE is calculated by multiplying the asset value times the exposure factor.

A) By multiplying the asset value (AV) times the exposure factor (EF) Feedback: SLE = AV x EF; the annualized loss expectancy (ALE) is then SLE x ARO. Option D restates the same formula in words.

What disk drive feature is most important for forensic consideration? -A- Good blocks marked as bad -B- The type of drive connection -C- The number of disk platters -D- Maximum data storage size

A) Good blocks marked as bad

When performing a manual recovery on a Linux system, what is the first step to recovering manually deleted files? -A- Move the system to single-user mode. -B- Boot into the recovery menu and select to run diagnostics. -C- Install the Linux recovery toolkit. -D- Log in with root.

A) Move the system to single-user mode.

What does a file beginning with "$R" contain in a Windows 10 Recycle Bin? -A- The actual deleted file -B- The destination address of the file -C- The original location of the file -D- The deletion date of the file

A) The actual deleted file Feedback: Each deleted item gets a pair of files in the hidden $Recycle.Bin directory: the $R file holds the content and the matching $I file holds the metadata (original path, size, deletion time).
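Worked example, added here and not part of the original study set: a parser for the $I metadata record that accompanies each $R file. The record layout below is the version-2 format written by Windows 10 (an 8-byte version, 8-byte size, 8-byte FILETIME, 4-byte path length, then the UTF-16LE path); the sample record is constructed with the builder in the block, not taken from a real system.

```python
"""Parse a Windows 10 Recycle Bin $I metadata record (added example).

Assumed record layout (version 2 records, as written by Windows 10),
little-endian:
  offset  0, 8 bytes : format version (2)
  offset  8, 8 bytes : original file size
  offset 16, 8 bytes : deletion time as a Windows FILETIME
  offset 24, 4 bytes : original path length in UTF-16 code units (incl. NUL)
  offset 28, ...     : original path, UTF-16LE, NUL-terminated
The file content itself lives in the matching $R file.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER = struct.Struct('<QQQI')   # version, size, filetime, name length


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, done in integers to avoid float loss."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_dollar_i(data: bytes) -> dict:
    """Return version, original size, deletion time and original path."""
    if len(data) < HEADER.size:
        raise ValueError('record too short for a $I header')
    version, size, filetime, name_len = HEADER.unpack_from(data, 0)
    if version != 2:
        raise ValueError(f'unsupported $I version {version} (expected 2)')
    raw_name = data[HEADER.size:HEADER.size + 2 * name_len]
    path = raw_name.decode('utf-16-le').rstrip('\x00')
    return {
        'version': version,
        'size': size,
        'deleted_at': filetime_to_datetime(filetime),
        'path': path,
    }


def build_dollar_i(path: str, size: int, deleted_at: datetime) -> bytes:
    """Build a record in the layout above; used here to construct test data."""
    name = (path + '\x00').encode('utf-16-le')
    return HEADER.pack(2, size, datetime_to_filetime(deleted_at), len(name) // 2) + name


# Constructed sample record: the path, size and time are invented.
SAMPLE_RECORD = build_dollar_i(
    r'C:\Users\bill\Documents\plans.xlsx',
    48213,
    datetime(2023, 5, 2, 17, 30, 0, tzinfo=timezone.utc),
)

if __name__ == '__main__':
    print(parse_dollar_i(SAMPLE_RECORD))
```

The deletion time is the field worth checking against the rest of the timeline: it is written by the shell at the moment of deletion, so it survives even when the $R content has since been overwritten or the original file's timestamps have been tampered with.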

Which of the following OpenPuff functions should you use to retrieve a hidden file concealed with an image? -A- UnHide Data -B- CleanUp -C- Expose Data -D- Recovery Decoy

A) UnHide Data

The type of medium used to hide data in steganography is referred to as __________, which may be a photo, video, sound file, or Voice over IP (VoIP), for example. -A- the channel -B- the payload -C- steganophony -D- the carrier

A) the channel Feedback: In this terminology the channel is the kind of medium (photo, video, audio, VoIP), the carrier is the specific file or stream the data is embedded in, and the payload is the hidden data itself.

What is the definition of a computer virus? -A- An attacker keeps sending SYN packets but never responds to the SYN/ACK packets it receives from the server -B- Any software that self-replicates -C- An attack in which the attacker seeks to infect several machines and use those machines to overwhelm the target system to denial service -D- An attack designed to overwhelm the target system so it can no longer reply to legitimate requests for connection

B) Any software that self-replicates

When hiding a message in a video file, what method takes advantage of an image capable of storing colors in 24 bits to increase the storage area for the payload? -A- Transposition -B- BPCS -C- LSB -D- GNU

B) BPCS

The RSA algorithm is used in asymmetric cryptography. To create the key, two large random prime numbers are generated. The two numbers are multiplied to get n. The next step is to multiply __________ for each of these primes. -A- Kerckhoffs' principle -B- Euler's Totient -C- the Feistel function -D- Diffie-Hellman

B) Euler's Totient

What is one use of steganography in the digital age? -A- Decoding encrypted data -B- Hiding data within images -C- Creating hidden files on a server -D- Altering the structure of a confidential message

B) Hiding data within images

Which of the following are subclasses of fraud? -A- Investment offers and cyberstalking -B- Investment offers and data piracy -C- Hacking and cyberterrorism -D- Cross-site scripting and data piracy

B) Investment offers and data piracy

How is cyberterrorism different from other cybercrimes? -A- Attacks are motivated purely by financial gain. -B- It is investigated by federal law enforcement. -C- It is never leveraged by spyware programs. -D- It always includes a logic bomb.

B) It is investigated by federal law enforcement.

What phrase represents the left-most or right-most bit (depending on the computer architecture) of a given byte? -A- Least Common Multiple -B- Least Significant Bit -C- Minor Significant Bit -D- Minor Pixel Byte

B) Least Significant Bit
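Worked example, added here and not part of the original study set, of the LSB method the last two cards describe: the hidden bits replace the least significant bit of successive samples, so each sample changes by at most one unit. The code assumes the carrier is already a flat array of 8-bit samples (the R, G, B bytes of an uncompressed bitmap, or 8-bit PCM audio); decoding an image container is out of scope, so the carrier is constructed bytes. The length header and bit order are this example's own convention, not a standard.

```python
"""Least-significant-bit steganography over raw 8-bit samples (added example).

Format hidden in the LSBs: 4-byte big-endian payload length, then payload,
one bit per carrier byte, most significant bit first.
"""

HEADER_BYTES = 4


def capacity(carrier: bytes) -> int:
    """Payload bytes that fit: one bit per carrier byte, minus the length header."""
    return len(carrier) // 8 - HEADER_BYTES


def hide(carrier: bytes, payload: bytes) -> bytes:
    """Replace the LSB of successive carrier bytes with the message bits."""
    if len(payload) > capacity(carrier):
        raise ValueError(f'carrier holds {capacity(carrier)} bytes, payload is {len(payload)}')
    message = len(payload).to_bytes(HEADER_BYTES, 'big') + payload
    stego = bytearray(carrier)
    for i in range(len(message) * 8):
        bit = (message[i // 8] >> (7 - i % 8)) & 1
        stego[i] = (stego[i] & 0xFE) | bit      # clear the LSB, then set it to `bit`
    return bytes(stego)


def _read_bytes(stego: bytes, first_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at carrier index `first_bit`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[first_bit + b * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many payload bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, HEADER_BYTES), 'big')
    if length > capacity(stego):
        raise ValueError('length header exceeds carrier capacity; not an LSB payload')
    return _read_bytes(stego, HEADER_BYTES * 8, length)


def max_sample_change(a: bytes, b: bytes) -> int:
    """Largest per-sample difference; LSB embedding never exceeds 1."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed carrier: 4096 pseudo-pixel bytes, deterministic, not from any real image.
SAMPLE_CARRIER = bytes((i * 37 + 11) % 256 for i in range(4096))

if __name__ == '__main__':
    stego = hide(SAMPLE_CARRIER, b'meet at dawn')
    print(extract(stego), max_sample_change(SAMPLE_CARRIER, stego))
```

Because the change per sample is at most 1, the carrier looks and sounds unchanged, but the LSB plane of a natural image is not uniformly random either; statistical tests on that plane are how steganalysis tools flag this method, which is why real payloads are usually encrypted first and spread across pseudo-randomly chosen samples rather than the first N.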

FTK Imager's Export File Hash List function generates a file with three important fields. Which field is the hash value of the file? -A- SHA1 -B- MD5 -C- Filename location -D- HA15

B) MD5

Bill is an accountant for a construction firm. He receives an urgent email at 5:30 p.m. on Friday that appears to be from his company's chief financial officer. The email is approving a request for funds to be moved from a corporate account to a personal account for the construction manager. The request is for the funds to be moved immediately so that the manager can purchase equipment needed for a project to be completed over the weekend. Bill notices that the sender's actual email account is from a domain that is not affiliated with the company. What type of attack is likely underway? -A- Spyware -B- Phishing -C- A denial of service (DoS) attack -D- A SQL injection attack

B) Phishing Feedback: Bill is likely experiencing a phishing attack, here the targeted executive-impersonation form often called business email compromise; the mismatched sender domain is the giveaway, and the Friday-evening urgency is the pressure tactic.

Which of the following is not true of computer forensics? -A- A forensic specialist must adhere to stringent guidelines. -B- The emphasis is on the volume of evidence. -C- The objective is to recover, analyze, and present computer-based material in such a way that it can be used as evidence in a court of law. -D- Any device that can store data is potentially the subject of computer forensics.

B) The emphasis is on the volume of evidence.

_______ is an example of volatile data. -A- A hash -B- The state of network connections -C- Steganized files -D- A word processing file

B) The state of network connections Feedback: Some examples of volatile data are swap files, the state of network connections, and the state of running processes.

Why are hash codes important to demonstrate the integrity of digital evidence? -A- They allow you to generate a data reliability score. -B- They allow you to determine if a file has been altered. -C- They allow you to access the evidence to determine if it adheres to the Daubert standard. -D- They provide a quick, easy way to analyze files.

B) They allow you to determine if a file has been altered.

When gathering systems evidence, what is not a common principle? -A- Avoid changing the evidence. -B- Trust only virtual evidence. -C- Determine when the evidence was created. -D- Search throughout a device.

B) Trust only virtual evidence.

A ________ is a plan for returning the business to full normal operations. -A- business continuity plan (BCP) -B- disaster recovery plan (DRP) -C- business impact analysis (BIA) -D- maximum tolerable downtime (MTD)

B) disaster recovery plan (DRP)

Malware designed to do harm to a system when some logical condition is reached, often triggered on a specific date and time, is called a: -A- SYN attack. -B- logic bomb. -C- denial of service (DoS) attack. -D- rainbow table.

B) logic bomb.

One must be able to show the whereabouts and custody of evidence, and how it was handled and stored and by whom, from the time the evidence is first seized by a law enforcement officer or civilian investigator until the moment it is shown in court. What standard does this refer to? -A- Consistent scientific manner -B- Real evidence -C- Chain of custody -D- Demonstrative evidence

C) Chain of custody

What is the legal standard that trial judges use to assess whether a forensic expert's testimony is based on reason or is scientifically valid? -A- Chain of custody -B- Digital litmus -C- Daubert standard -D- Federal Standards of Evidence (FSE)

C) Daubert standard

A suspect has erased their browsing history on their computer. The computer has Microsoft Internet Explorer installed. The forensic investigator must retrieve recently visited web addresses and recently opened files. What should the investigator do? -A- Perform a volatile memory analysis. -B- Extract the most recent Volume Shadow Copy. -C- Download a tool that allows for retrieval and review of the index.dat file. -D- Download UserAssist and examine the registry.

C) Download a tool that allows for retrieval and review of the index.dat file. Feedback: Index.dat is a file used by Internet Explorer to store web addresses, search queries, and recently opened files.

Which of the following allows you to create forensic images, preview files and folders, mount an image for read-only viewing, recover deleted files, create hashes of files, and generate hash reports? -A- IF Toolkit -B- Postmortem -C- FTK Imager -D- Digital Forensics Toolset

C) FTK Imager

You are a server technician for your organization. You are creating a backup routine for your server systems. You are considering hierarchical storage management (HSM) rather than traditional tape media. What is an advantage of HSM? -A- It can perform full backups. -B- It can perform differential backups. -C- It has far more storage capacity than traditional tape media. -D- It can perform incremental backups.

C) It has far more storage capacity than traditional tape media. HSM provides continuous online backup by using optical or tape "jukeboxes." It appears as an infinite disk to the system, and can be configured to provide the closest version of an available real-time backup.

Darien is performing analysis on an image of a seized machine. A power outage causes the computer to power off and back on again. When he attempts to boot up the machine to continue his work, the Windows operating system begins to initialize. However, it does not proceed past the loading screen. What type of damage is likely to have occurred? -A- Master Boot Record virus infection -B- Deletion of some critical files by the chkdsk utility -C- Logical damage -D- File carving

C) Logical damage

Company AtoZ hosts an e-commerce server with a large hard drive. The manufacturer claims the drive is guaranteed to perform properly for 100,000 hours. What is this measure most closely related to? -A- The business continuity plan (BCP) -B- Mean time to repair (MTTR) -C- Mean time to failure (MTTF) -D- Maximum tolerable downtime (MTD)

C) Mean time to failure (MTTF) The mean time to failure (MTTF) is the amount of time, on average, before a given device is likely to fail through normal use. The manufacturer's claim relates to MTTF.

What is the definition of "stack (S)"? -A- A type of physical memory -B- Dynamic memory for a program -C- Memory that is allocated based on the last-in, first-out (LIFO) principle -D- The result of acquiring a file as it is being updated

C) Memory that is allocated based on the last-in, first-out (LIFO) principle

Miriam is a forensic investigator. She assisted in an investigation of a computer incident for a company that processes payment card information. She is writing the report on the breach and has been informed that all companies that process payment card data must issue a report if a breach violates which of the following? -A- NIST -B- IETF -C- PCI DSS -D- FISMA

C) PCI DSS The payment card industry requires its merchants and other organizations processing payment card data to report security incidents involving cardholder data. This report should be issued whenever a breach is detected that violates the Payment Card Industry Data Security Standard (PCI DSS).

What E3 feature should you use to search for files on a suspect's drive image using hash values? -A- Search and Sort Evidence -B- Advanced Sort and Search -C- Sorted Files Search -D- Search MD5s

C) Sorted Files Search

__________ is the concept that any scientific evidence presented in a trial has to have been reviewed and tested by the relevant scientific community. -A- Demonstrative evidence -B- Documentary evidence -C- The Daubert Standard -D- Consistent scientific manner

C) The Daubert Standard

Which of the following best defines data carving? -A- The process of deconstructing files from raw data on a disk -B- The reassembling of disorganized information from differentiate data -C- The removal of organized information from undifferentiated data -D- The process of decrypting large quantities of data

C) The removal of organized information from undifferentiated data

There are three specific steps to follow to handle computer evidence. The first step is to ______ the evidence, followed by _______ the evidence, and finally ________ the evidence. -A- preserve, presenting, preparing -B- process, identifying, preserving -C- find, preserving, preparing -D- find, presenting, preparing

C) find, preserving, preparing

Alice is a computer hacker. She is attempting to cover her tracks by repeatedly overwriting a cluster of data on a hard disk with patterns of 1s and 0s. What general term describes Alice's actions? -A- Obfuscation -B- Data transformation -C- Disk forensics -D- Anti-forensics

D) Anti-forensics

If a hard disk is damaged and the data is deemed "lost," what is the recommended next step? -A- Shred the hard disk. -B- Install the drive on a new computer as a final test. -C- Create a bit-by-bit image. -D- Attempt a local repair.

D) Attempt a local repair.

__________ is information at the level of 1s and 0s stored in computer memory or on a storage device. -A- File slack -B- A cluster -C- A segment -D- Bit-level information

D) Bit-level information Feedback: Going to a bit-level view gives the most accurate view of how the information is actually stored on hardware.

What other technique is often used in conjunction with digital steganography to prevent unwanted access to sensitive information? -A- Dictation -B- Counter coding -C- Password protection -D- Cryptography

D) Cryptography

A computer crime suspect stores data where an investigator is unlikely to find it. What is this technique called? -A- Data destruction -B- File system alteration -C- Data transformation -D- Data hiding

D) Data hiding

Which of the following is not true of cyberstalking? -A- It involves repeated, threatening behavior. -B- It occurs via social media or email. -C- The intent is to target a human victim, not a computer or network. -D- Stalkers are often technically savvy computer criminals.

D) Stalkers are often technically savvy computer criminals. Feedback: Stalkers are often not the most technically savvy computer criminals.

In Windows, what does the file allocation table (FAT) store? -A- The list of applications installed and their corresponding files -B- A view of disk overages that are available -C- The data types stored on the disk -D- The mapping between files and their cluster location on the hard drive

D) The mapping between files and their cluster location on the hard drive

Which of the following is not true of the Feistel function? -A- Any block cipher that is based on the Feistel function will essentially work in the same manner; the differences will be found in what is done in the round function. -B- The Feistel function starts by splitting the block of plaintext data (often 64 bits) into two halves. -C- It is named after Horst Feistel, a German physicist and cryptographer. -D- This function forms the basis for many stream ciphers.

D) This function forms the basis for many stream ciphers.

What is the purpose of the dd Linux command? -A- To dig deep and restore recently deleted files -B- To restore corrupt data on a storage partition -C- To mount (make accessible from a place in your own file tree) partitions -D- To write random data to a section of a file system

D) To write random data to a section of a file system Feedback: dd copies raw blocks from an input to an output with optional conversion. Writing random data (reading from /dev/urandom) is one use; the common forensic use is the opposite direction, a bit-for-bit copy of a block device into an image file.

True or False? A business continuity plan (BCP) is a process whereby the disaster recovery team contemplates likely disasters and what impact each would have on the organization.

False

True or False? Disk forensics refers to the process of examining malicious computer code.

False

True or False? ISO 27001 deals with contingency planning for U.S. federal information systems specifically.

False

True or False? Internet forensics is the study of the source and content of email as evidence.

False

True or False? When performing volatile data analysis, you must compute the hash before and after completing the memory capture.

False Feedback: Memory changes continuously while the system runs, so a hash taken before the capture cannot match anything; the hash is computed on the capture file once it is complete and recorded so the file's integrity can be verified later.

True or False? A cryptographic hash is reversible.

False Feedback: A cryptographic hash is one-way, not reversible.

True or False? The term "logic bomb" refers to a set pre-calculated hashes used for cracking passwords.

False Feedback: A rainbow table is a set of pre-calculated hashes.

True or False? The process of connecting to a server and the exchange of three packets is referred to as cross-site scripting.

False Feedback: A three-way handshake involves the exchange of three packets.

True or False? Windows Registry keys contain an associated value called LastWriteTime, which is similar to the datestamp on a file or folder.

False Feedback: LastWriteTime is similar to the modification time on a file or folder.

True or False? Damage to how data is stored on a disk, such as file system corruption, refers to physical damage.

False Feedback: That is the definition of logical damage.

True or False? The Windows ShellBag tracks compatibility issues with executed programs.

False Feedback: ShellBags are Registry keys that record how Explorer displayed the folders a user opened, so they show which folders were browsed. It is the Windows Shimcache (Application Compatibility Cache), present since Windows XP, that tracks compatibility issues with executed programs.

True or False? After imaging a drive, the purpose of creating a hash of the original and the copy is to label them for documentation.

False Feedback: The purpose of creating a hash of the original and the copy is to verify that nothing was altered.
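Worked example, added here and not part of the original study set, of the hash verification this card and the earlier hash-code card describe. One pass over the data feeds several digests at once, the way imaging tools report MD5 and SHA-1 side by side, and the original's digests are then compared with the image's, algorithm by algorithm. The drive contents are constructed bytes with a single byte flipped in the tampered copy.

```python
"""Integrity hashes for a forensic image (added example)."""
import hashlib
from typing import Dict, Iterable

DEFAULT_ALGORITHMS = ('md5', 'sha1', 'sha256')


def hash_stream(chunks: Iterable[bytes], algorithms=DEFAULT_ALGORITHMS) -> Dict[str, str]:
    """Feed each chunk to every requested digest; return lowercase hex digests."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def chunked(data: bytes, size: int) -> Iterable[bytes]:
    """Yield `data` in `size`-byte pieces (stands in for reading a device)."""
    for offset in range(0, len(data), size):
        yield data[offset:offset + size]


def hash_file(path: str, algorithms=DEFAULT_ALGORITHMS,
              chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file on disk without loading it whole into memory."""
    with open(path, 'rb') as f:
        return hash_stream(iter(lambda: f.read(chunk_size), b''), algorithms)


def verify_image(original: Dict[str, str], image: Dict[str, str]) -> Dict[str, bool]:
    """Compare digests algorithm by algorithm; every entry must be True."""
    return {name: original.get(name) == image.get(name) for name in original}


# Constructed 'drive' contents (16 KiB) and a copy with one byte changed.
SAMPLE_ORIGINAL = bytes(range(256)) * 64
SAMPLE_TAMPERED = SAMPLE_ORIGINAL[:9000] + b'\x00' + SAMPLE_ORIGINAL[9001:]

if __name__ == '__main__':
    orig = hash_stream(chunked(SAMPLE_ORIGINAL, 4096))
    print(verify_image(orig, hash_stream([SAMPLE_ORIGINAL])))
    print(verify_image(orig, hash_stream([SAMPLE_TAMPERED])))
```

MD5 and SHA-1 both have practical collision attacks, so an adversary who controls the data could craft two files with the same MD5; they still detect accidental or casual alteration, but record a SHA-256 alongside them so the evidence hash does not rest on a broken function.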

True or False? Viruses are difficult to locate but easy to trace back to the creator.

False Feedback: Viruses are easy to locate but hard to trace to the creator.

True or False? In Windows, the term "64-bit processing" refers to how the central processing unit and the operating system process information.

True

True or False? In most cases, law enforcement may not search a mobile phone without a warrant if they do not have the owner's consent.

True

True or False? Incriminating evidence shows, or tends to show, a person's involvement in an act, or evidence that can establish guilt.

True

True or False? Remote Network MONitoring (RMON), developed by the Internet Engineering Task Force, provides a standardized method of classifying network traffic and can be used to perform a postmortem analysis on network logs to determine when an attack began and perhaps identify its source.

True

True or False? The Federal Rules of Evidence (FRE) governs the admission of facts by which parties in the U.S. federal court system may prove their cases.

True

True or False? The Windows NTFS file system views a cluster as entirely utilized if even one bit is used.

True Feedback: NTFS allocates space in whole clusters, so a file of even one byte consumes a full cluster and the remainder is file slack; very small files may instead be stored resident inside their MFT record.

True or False? The Windows Registry is essentially a repository of all settings, software, and parameters for Windows.

True

True or False? The act of wrongfully obtaining another person's personal data is a crime, with or without stealing any money.

True

True or False? The forensics process begins once an incident has been discovered, but it does not get fully under way until after the disaster or incident is contained.

True

True or False? The netstat utility enables a forensic examiner to check live system data.

True

True or False? Universal serial bus is a connectivity technology, not a storage technology.

True

True or False? When two files claim to share the same allocation unit (or cluster), one of the files is almost certain to lose data.

True Feedback: Two files claiming the same cluster is called cross-linking; whichever file writes last overwrites the other's data in that cluster.

True or False? Whereas physical imaging is making a bit-by-bit copy of a disk, logical imaging uses the target system's file system to copy data to an image for analysis.

True

