Computer Forensics


Which of these image file formats rarely compress their data or do so inefficiently?

BMP

Which of the following are not common computer forensics tools functions?

Command-line applications and GUI applications

The FBI formed this in 1984 to handle the increasing number of cases involving digital evidence.

Computer Analysis and Response Team (CART)

These records are data the system maintains, such as system log files and proxy server logs.

Computer-generated

In a Mac file system, a file consists of what?

Data fork and resource fork.

This involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.

Data recovery

The process of converting raw images to another format is called which of the following?

Demosaicing

You can expect to find a type 2 hypervisor on what type of device?

Desktop

The most common and flexible data-acquisition method is ____.

Disk-to-image file copy

Which of these image file formats was developed by JEIDA as a standard for storing metadata in JPEG and TIFF files?

EXIF

Which of the following Linux file systems added support for partitions larger than 16TB?

Ext4

A forensic lab doesn't need to be physically secure as long as the forensic workstation is secured with a strong password. True or False

False

Advanced hexadecimal editors cannot generate the hash value of selected data sets in a file or sector. True or False

False

All forensic acquisition tools can copy data in the host protected area (HPA) of a disk drive. True or False

False

An officer trained as a Digital Evidence First Responder (DEFR) has the skill to analyze the data and determine when another specialist should be called in to assist with the analysis. True or False

False

Building a forensic workstation is more expensive than purchasing one. True or False

False

Clusters in Windows always begin numbering at one in NTFS and 3 in FAT. True or False

False

Exculpatory evidence, in essence, is the same as inculpatory evidence, meaning it tends to clear the suspect. True or False

False

Hardware acquisition tools typically have built-in software for data analysis. True or False

False

ISPs can investigate computer abuse committed by their customers. True or False

False

International Copyright laws apply to all Web sites in all countries. True or False

False

Linux is the only OS that has a kernel. True or False

False

Password recovery is included in all forensic tools. True or False

False

Steganography determines ownership of media, such as images downloaded from a website, and the right to use media. True or False

False

The Windows disk partition utility cannot change the disk partition table. True or False

False

The law of search and seizure protects the rights of all people, excluding people suspected of crimes. True or False

False

The unused space between partitions is called the unallocated gap. True or False

False

Two files with different file names but exactly the same data content will have different hash values. True or False

False

UNIX reduces file fragmentation by using clumps, which are groups of contiguous allocation blocks. True or False

False

UNIX was created in the early 1990s to be a multiuser secure OS specifically for mobile phones. True or False

False

Software forensic tools are grouped into which two applications?

GUI and Command-line applications

Which Registry key contains associations for file extensions?

HKEY_CLASSES_ROOT

Digital forensic tools are divided into which two major categories?

Hardware and software

The process of block-wise hashing can be best defined as:

Hashing of sectors to look for known file fragments.

This was created by police officers who wanted to formalize credentials in computing investigations.

IACIS

The standards for testing forensic tools are based on which criteria?

ISO 17025

Which of these compression methods permanently discards bits of information?

Lossy compression

Which of the following is not a common graphic type?

Metafile

Data acquisition is the process of copying data. How many different types of data acquisition are there?

2

Image files can be reduced by as much as ____% of the original.

50

A UNIX/Linux hard link is:

A pointer that allows accessing the same file by different filenames.

In VirtualBox, a(n) ____ file contains settings for virtual hard drives.

.vbox

Which of the following file extensions are associated with VMware virtual machines?

.vmx, .log, and .nvram

Areal density refers to which of the following?

Number of bits per square inch of a disk platter

Which best defines Order of Volatility (OOV)?

Order of conflicts within a VM and the hardware used to sustain the VM.

The first rule for all digital investigations is to:

Preserve the evidence

These are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed.

Probable cause

The verification function does which of the following?

Proves that two sets of data are identical by calculating hash values

Which digital camera file format is referred to as a digital negative?

RAW

When you carve a graphics file, recovering the image depends on which of the following skills?

Recognizing the pattern of the file header content

A log report in forensic tools does which of the following?

Records an investigator's actions in examining a case

A search in which the investigation expands beyond the original description because unexpected evidence has been found is called?

Scope Creep

Write-blockers protect evidence disks by preventing data from being written to them and can be divided into which two types?

Software and Hardware

Which of the following represents known files you can eliminate from an investigation?

System files the OS uses

Defense contractors during the Cold War were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____.

TEMPEST

Which of the following is the main challenge in acquiring an image of a Mac OS?

The Mac design and engineering.

UNIX and Linux have four components defining the file system. They include:

The boot block, superblock, inode block, and data block.

The plain view doctrine applies when investigators find evidentiary items that aren't specified in a warrant or under probable cause. True or False

True

Validating digital evidence is the most critical aspect of computer forensics. True or False

True

When attorneys challenge digital evidence, often they raise the issue of whether computer-generated records were altered or damaged after they were created. True or False

True

Your professional conduct as a digital investigator is critical because it determines your credibility. True or False

True

Virtual machine "hypervisors" can be divided into how many types?

Two

When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data.

U.S. DoJ

What is the space on a drive called when a file is deleted?

Unallocated space

What is one of the most critical aspects of computer forensics?

Validating digital evidence

Which of the following is a clue that a virtual machine has been installed on a host system?

Virtual network adapter

During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system.

Windows XP

In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit this.

affidavit

This is the route the evidence takes from the time you find it until the case is closed or goes to court.

chain of custody

Confidential business data included with the criminal evidence are referred to as this kind of data.

commingled

For computer forensics, this is the task of collecting digital evidence from electronic media.

data acquisition

To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as this.

forensic workstation

Which graphic type uses lines instead of dots to make up an image?

vector

Microsoft has added ____ with BitLocker to its newer operating systems, such as Windows 7 and 8, which makes performing static acquisitions more difficult.

whole disk encryption

The Federal Rules of Evidence (FRE), signed into law in 1973, was created for what purpose?

To ensure consistency in federal proceedings

A digital forensic lab is where you conduct investigations, store evidence, and do most of your work. True or False

True

A forensic image of a VM includes all snapshots. True or False

True

A live acquisition is considered an accepted practice in digital forensics. True or False

True

A way of categorizing computer records is by dividing them into computer-generated records and computer-stored records. True or False

True

Acquisition is the process of creating a duplicate image of data; one of the required functions of digital forensic tools. True or False

True

All forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image. True or False

True

Digital Evidence can be ANY information stored or transmitted in digital form. True or False

True

Digital forensic tools have some limitations in performing hashing, however, so using advanced hexadecimal editors is necessary to ensure data integrity. True or False

True

Each type of graphics file has a unique header containing information that distinguishes it from other types of graphic files. True or False

True

Forensic data acquisitions are stored in three formats: raw, proprietary, and AFF. True or False

True

In an NTFS file system, the partition table is located in the Master Boot Record, located at sector 0. True or False

True

Law enforcement can confiscate anything an arrested person is carrying and log that a device, such as a smartphone, was on the person, but they don't necessarily have the right or authority to search the device. True or False

True

Macintosh OS X uses the Intel Processor and is UNIX based. True or False

True

Many password-protected OSs and applications store passwords in the form of MD5 or SHA hash values. True or False

True

One advantage of using command-line tools for an investigation is that they require few system resources because they're designed to run in minimal configurations. True or False

True

One reason to choose a logical acquisition is an encrypted drive. True or False

True

The HFS and HFS+ file systems use not one but two descriptors for the end of a file (EOF). True or False

True

Courts consider evidence data in a computer as ____ evidence.

physical

Evidence is commonly lost or corrupted through this, which involves police officers and other professionals who aren't part of the crime scene processing team.

professional curiosity

In general, a criminal case follows three stages: the complaint, the investigation, and this.

prosecution

Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses.

right of privacy

Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.

safety

Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server.

sniffing
