Computer Forensics Cengage Final Test
At what hard link count is a file effectively deleted?
0
The Enhanced Data GSM Environment (EDGE) standard was developed specifically for which type of service?
3G
Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format?
A disk editor
Which document is sworn to under oath and penalty of perjury, or a comparable false swearing statute?
A written report
Which document offers comprehensive guidance for psychologists, with an entire section devoted to forensics activities?
APA's Ethics Code
Where do software forensics tools copy data from a suspect's disk drive?
An image file
What type of questions ask several questions inside one question?
Compound
A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?
Data recovery
What resource might attorneys use to search for information on expert witnesses?
Deposition banks
What is the most common and flexible data-acquisition method?
Disk-to-image file copy
What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced?
EFS
What term refers to a person using a computer to perform routine tasks other than systems administration?
End user
What type of files might lose essential network activity records if power is terminated without a proper shutdown?
Event logs
If a graphics file cannot be opened in an image viewer, what should the next step be?
Examining the file's header data
A verbal report is more structured than a written report.
False
As an expert witness, you can't testify if you weren't present when the event occurred.
False
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.
False
During opening statements, both attorneys provide an overview of the case, with the plaintiff's attorney going last.
False
Expert opinions cannot be presented without stating the underlying factual basis.
False
From a network forensics standpoint, there are no potential issues related to using virtual machines.
False
In macOS volume fragmentation is kept to a minimum by removing clumps from larger files.
False
Investigating crimes or policy violations involving e-mail is different than investigating other types of computer abuse and crimes.
False
The HFS and HFS+ file systems have four descriptors for the end of a file (EOF).
False
The decimal numbering system is frequently used when writing pleadings.
False
The first 5 bytes (characters) for all MFT records are FILE.
False
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
False
Type 1 hypervisors are usually the ones you find loaded on a suspect machine.
False
To retrieve e-mail headers in Microsoft Outlook, what option should be clicked after the e-mail has been selected?
File, Properties
Which group often works as part of a team to secure an organization's computers and networks?
Forensics investigators
What should you use to verify evidence and thus ensure its integrity?
Hash algorithms
Because digital forensics tools have limitations in performing hashing, what tools should be used to ensure data integrity?
Hexadecimal editors
Which agency introduced training on software for forensics investigations by the early 1990s?
IACIS
What contains file and directory metadata and provides a mechanism for linking data stored in data blocks?
Inodes
What do published company policies provide for a business that enables them to conduct internal investigations?
Line of authority
What term refers to Linux ISO images that can be burned to a CD or DVD?
Linux Live CDs
What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?
Live
What type of acquisition is used for most remote acquisitions?
Live
Which tool enables the investigator to acquire the forensic image and process it in the same step?
Magnet AXIOM
Which tool lists all open network sockets, including those hidden by rootkits?
Memoryze
Which motion provides a written list of objections to certain testimony or exhibits?
Motion in limine
Which type of forensics can help you determine whether a system is truly under attack or a user has inadvertently installed an untested patch or custom program?
Network forensics
What is Microsoft's SkyDrive now called?
OneDrive
What determines how long a piece of information lasts on a system?
Order of volatility
Which devices have been replaced by iPods, iPads, and other mobile devices for personal use?
PDAs
Which type of format acquisition leaves the investigator unable to share an image between different vendors' computer forensics analysis tools?
Proprietary
Which RAID configuration, also called mirrored striping, is a combination of RAID 1 and RAID 0?
RAID 10
Which activity involves determining how much risk is acceptable for any process or operation?
Risk management
What is the primary hash algorithm used by the NIST project created to collect all known hash values for commercial software and OS files?
SHA-1
What type of cards, consisting of a microprocessor and internal memory, are usually found in GSM devices?
SIM
What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing?
Salesforce
What type of acquisition is typically done on a computer seized during a police raid?
Static
What material is recommended for secure storage containers and cabinets?
Steel
Which type of digital network divides a radio frequency into time slots?
TDMA
What entity created the Interim Standards used in mobile communications?
Telecommunications Industry Association
Which network protocol analyzer can be programmed to examine TCP headers to find the SYN flag?
Tethereal
Suppose you have been hired to determine whether a corrupted file was intentionally altered or altered by a virus. Your forensic examination did not find evidence of a virus and did not find evidence of intentional alteration. What conclusion can you offer?
The cause of the file's corruption is unknown.
What is the main information being sought when examining e-mail headers?
The originating e-mail's domain name or an IP address
What technique, in which multiple phones take turns sharing a channel, does the Global System for Mobile Communications (GSM) use?
Time Division Multiple Access
In which log does Exchange log information about changes to its data?
Transaction
A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the resource-heavy analysis tasks.
True
A separate manual validation is recommended for all raw acquisitions at the time of analysis.
True
Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file's contents.
True
Because bring your own device (BYOD) has become a business standard, investigators must consider how to keep employees' personal data separate from case evidence.
True
Before OS X, the Hierarchical File System (HFS) was used, in which files are stored in directories (folders) that can be nested in other directories.
True
Besides presenting facts, reports can communicate expert opinion.
True
Computing systems in a forensics lab should be able to process typical cases in a timely manner.
True
Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.
True
Evidence artifacts vary depending on the social media channel and the device.
True
In 1999, Salesforce.com developed a customer relationship management (CRM) Web service that applied digital marketing research to business subscribers so that they could do their own market analysis; this service eventually led the way to the cloud.
True
Network logs record traffic in and out of a network.
True
One way to examine a partition's physical level is to use a disk editor, such as WinHex, or Hex Workshop.
True
Research on wearable computers has been conducted at MIT labs for more than a decade, and these computers are now moving into working reality.
True
The chain of custody of evidence supports the integrity of your evidence.
True
The lab manager sets up processes for managing cases and reviews them regularly.
True
The pipe (|) character redirects the output of the command preceding it.
True
The police blotter provides a record of clues to crimes that have been committed previously.
True
To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
True
Virtual machines are now common for both personal and business use.
True
Whether you're serving as an expert witness or a fact witness, be professional and polite when presenting yourself to any attorney or the court.
True
What Linux command is used to create the raw data format?
dd
