Computer Forensics Midterm Review Ch 1-5


The manager of a digital forensics lab is responsible for which of the following?

All of the above

What are two concerns when acquiring data from a RAID server?

Amount of data storage needed and type of RAID

With remote acquisitions, what problems should you be aware of?

Antivirus, antispyware, and firewall programs

A forensic workstation should always have a direct broadband connection to the Internet.

False

A warning banner should never state that the organization has the right to monitor what users do. True or False

False

ASQ and ANAB are two popular certification programs for digital forensics. True or False

False

An initial-response field kit does not contain evidence bags.

False

BIOS boot firmware was developed to provide better protection against malware than EFI does. True or False

False

Slower data transfer speeds and dealing with minor data errors are two disadvantages of the raw format.

False

Small companies rarely need investigators.

False

The ANAB mandates the procedures established for a digital forensics lab. True or False

False

The plain view doctrine in computer searches is well-established law

False

Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False

False

When determining which data acquisition method to use, you should not consider how long the acquisition will take.

False

You should always answer questions from onlookers at a crime scene.

False

You should always prove the allegations made by the person who hired you. True or False

False

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?

Initial-response kit

What are the three rules for a forensic hash?

It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes

Which of the following techniques might be used in covert surveillance (Choose All That Apply)?

Keylogging & Data sniffing

List two hashing algorithms commonly used for forensic purposes.

MD5 and SHA-1

What does the Ntuser.dat file contain?

MRU files list

Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons?

Most companies keep inventory databases of all hardware and software used.

Which organization provides good information on safe storage containers?

NISPOM

In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?

None of the above

Which of the following Windows 8 files contains user-specific information?

Ntuser.dat

Areal density refers to which of the following?

Number of bits per square inch of a disk platter

Name the three formats for digital forensics data acquisitions.

Raw format, proprietary formats, and AFF

What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?

The file is unencrypted automatically.

Why is it a good practice to make two images of a suspect drive in a critical investigation?

To ensure at least one good copy of the forensically collected data in case of any failures

What's the purpose of an affidavit?

To improve your work

Embezzlement is a type of digital investigation typically conducted in a business environment. True or False

True

FTK Imager requires that you use a device such as a USB dongle for licensing.

True

File and directory names are some of the items stored in the FAT database.

True

For digital evidence, an evidence bag is typically made of antistatic material. True or False

True

If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy.

True

If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement.

True

In NTFS, files smaller than 512 bytes are stored in the MFT.

True

In forensic hashes, a collision occurs when two different files have the same hash value.

True

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause.

True

One way to determine the resources needed for an investigation is to list the software needed for the examination, based on the OS of the suspect computer. True or False

True

The main goal of a static acquisition is the preservation of digital evidence.

True

The purpose of maintaining a network of digital forensics specialists is to develop a list of colleagues who specialize in areas different from your own specialties in case you need help on an investigation. True or False

True

To determine the types of operating systems needed in your lab, list two sources of information you could use.

Uniform Crime Report statistics and a list of cases handled in your area

What's the most critical aspect of digital evidence?

Validation

Virtual machines have which of the following limitations when running on a host computer?

Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.

The triad of computing security includes which of the following?

Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation

As a private-sector investigator, you can become an agent of law enforcement when which of the following happens?

You begin to take orders from a police detective without a warrant or subpoena.

Clusters in Windows always begin numbering at what number?

2

Large digital forensics labs should have at least ________ exits.

2

What's the maximum file size when writing data to a FAT32 drive?

2 GB

In FAT32, a 123-KB file uses how many sectors?

246

How many sectors are typically in a cluster on a disk drive?

4 or more

On a Windows system, sectors typically contain how many bytes?

512

Which organization has guidelines on how to operate a digital forensics lab?

ANAB

Building a business case can involve which of the following?

All of the above

Policies can address rules for which of the following?

Any of the above

List three items that should be on an evidence custody form.

Case number, name of the investigator and nature of the case

What do you call a list of people who have had physical possession of the evidence?

Chain of custody

If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following?

Coordinate with the HAZMAT team.

Before enlisting in a certification program, thoroughly research the requirements, ________, and acceptability in your area of employment.

Cost

Which forensics tools can connect to a suspect's remote computer and run surreptitiously?

EnCase Enterprise and ProDiscover Incident Response

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.

EnCase and X-Ways Forensics

Of all the proprietary formats, which one is the unofficial standard?

Expert Witness

Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False

False

Digital forensics and data recovery refer to the same activities. True or False

False

Digital forensics facilities always have windows.

False

Evidence storage containers should have several master keys.

False

FTK Imager can acquire data in a drive's host protected area.

False

If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log.

False

In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. So, the following dcfldd command is correct: dcfldd if=image_file.img of=/dev/hda1

False

You shouldn't include a narrative of what steps you took in your case report. True or False

False

Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible.

False

EFS can encrypt which of the following?

Files, folders, and volumes

Police in the United States must use procedures that adhere to which of the following?

Fourth Amendment

What does a sparse acquisition collect for an investigation?

Fragments of unallocated data in addition to the logical allocated data

Why is professional conduct important?

It includes ethics, morals, and standards of behavior

Typically, a(n) ________ lab has a separate storage area or room for evidence.

Regional

What is one of the necessary components of a search warrant?

Signature of an impartial judicial officer

What term refers to labs constructed to shield EMR emissions?

TEMPEST

Why should you critique your case after it's finished?

To list problems that might happen when conducting an investigation

Why should you do a standard risk assessment to prepare for an investigation?

To list problems that might happen when conducting an investigation

Why should evidence media be write-protected?

To make sure data isn't altered

When you arrive at the scene, why should you extract only those items you need to acquire evidence?

To minimize how much you have to keep track of at the scene

Why is physical security so critical for digital forensics labs?

To prevent data from being lost, corrupted, or stolen

A hashing algorithm is a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk.

True

A logical acquisition collects only specific files of interest to the case.

True

A virtual cluster number represents the assigned clusters of files that are nonresident in the MFT.

True

An employer can be held liable for e-mail harassment.

True

An image of a suspect drive can be loaded on a virtual machine.

True

CHS stands for cylinders, heads, and sectors.

True

Commingling evidence means that sensitive or confidential information is being mixed with data collected as evidence.

True

Commonly, proprietary format acquisition files can compress the acquisition data and segment acquisition output files into smaller volumes.

True

Computer peripherals or attachments can contain DNA evidence.

True

Device drivers contain instructions for the OS on how to interface with hardware devices.

True

MFT stands for Master File Table.

True

With newer Linux kernel distributions, USB devices are automatically mounted, which can alter data on them.

True

You should videotape or sketch anything at a digital crime scene that might be of interest to the investigation.

True

Your business plan should include physical security items.

True

What is the space on a drive called when a file is deleted?

Unallocated space

List two features NTFS has that FAT does not.

Unicode characters and better security

In the Linux dcfldd command, which three options are used for validating data?

hash, hashlog, and vf
