CTC 328 Study for all the Quizzes (Ch. 1-6)


What is the goal of the NSRL project, created by NIST? a. Collect known hash values for commercial software and OS files using SHA hashes. b. Search for collisions in hash values, and contribute to fixing hashing programs. c. Collect known hash values for commercial software and OS files using MD5 hashes. d. Create hash values for illegal files and distribute the information to law enforcement.

Selected Answer: a. Collect known hash values for commercial software and OS files using SHA hashes.

What is the purpose of the reconstruction function in a forensics investigation? a. Re-create a suspect's drive to show what happened during a crime or incident. b. Generate reports or logs that detail the processes undertaken by a forensics investigator. c. Prove that two sets of data are identical. d. Copy all information from a suspect's drive, including information that may have been hidden.

Selected Answer: a. Re-create a suspect's drive to show what happened during a crime or incident.

When performing disk acquisition, the raw data format is typically created with the UNIX/Linux _____________ command. a. dump b. dd c. tar d. format

Selected Answer: b. dd

Most digital investigations in the private sector involve misuse of computing assets. True or False

True

Software forensics tools are grouped into command-line applications and GUI applications. True or false

True

To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant. True or false

True

The ___________ command inserts a HEX E5 (0xe5) in a filename's first letter position in the associated directory entry. a. delete b. edit c. update d. clear

a. delete
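The 0xE5 marker above is worth seeing in bytes: a FAT delete only overwrites the first character of the 8.3 name, and the entry's starting cluster and file size survive, which is what lets a forensics tool list and recover the file. The following is an added example, not code from the course or the textbook; the directory entries are constructed in the script, and the helper names (build_entry, delete_entry, parse_directory) are this example's own.

```python
import struct

ENTRY_SIZE = 32        # one FAT short (8.3) directory entry
DELETED = 0xE5         # first byte of the name field in a deleted entry
END_OF_DIR = 0x00      # first byte of the entry that ends the listing
ATTR_LFN = 0x0F        # long-file-name entries occupy the same 32-byte slots
# Layout: name(8) ext(3) attr(1) bytes 11..20 (10) write time(2) write date(2)
# first-cluster low word(2) file size(4) = 32 bytes.
ENTRY_FMT = "<8s3sB10sHHHI"


def build_entry(name, ext, first_cluster, size):
    """Constructed sample entry (not copied from a real volume)."""
    raw_name = name.upper().ljust(8)[:8].encode("ascii")
    raw_ext = ext.upper().ljust(3)[:3].encode("ascii")
    return struct.pack(ENTRY_FMT, raw_name, raw_ext, 0x20, b"\x00" * 10,
                       0, 0, first_cluster, size)


def delete_entry(directory, index):
    """What the delete does on disk: the first byte of the name becomes 0xE5.
    Cluster number, size and the rest of the name are left untouched."""
    buf = bytearray(directory)
    buf[index * ENTRY_SIZE] = DELETED
    return bytes(buf)


def parse_directory(directory):
    """Walk entries up to the 0x00 terminator; flag deleted ones and report what is still recoverable."""
    entries = []
    for off in range(0, len(directory), ENTRY_SIZE):
        raw = directory[off:off + ENTRY_SIZE]
        if len(raw) < ENTRY_SIZE or raw[0] == END_OF_DIR:
            break
        name, ext, attr, _, _, _, cluster, size = struct.unpack(ENTRY_FMT, raw)
        if attr == ATTR_LFN:
            continue
        deleted = name[0] == DELETED
        # The first character is gone for good; show a placeholder, as recovery tools do.
        base = ("?" + name[1:].decode("ascii")) if deleted else name.decode("ascii")
        entries.append({
            "name": f"{base.rstrip()}.{ext.decode('ascii').rstrip()}",
            "deleted": deleted,
            "first_cluster": cluster,
            "size": size,
        })
    return entries


def demo():
    """Three constructed files, then delete the second one and list the directory again."""
    directory = (build_entry("report", "doc", 5, 1200)
                 + build_entry("photo", "jpg", 9, 48000)
                 + build_entry("notes", "txt", 33, 80)
                 + bytes(ENTRY_SIZE))          # all-zero entry terminates the listing
    return parse_directory(delete_entry(directory, 1))


if __name__ == "__main__":
    for e in demo():
        print(e)
```

The deleted entry still points at cluster 9 with a 48000-byte size, so the data can be read back as long as those clusters have not been reallocated; the only thing lost is the first letter of the name.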

The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient _______. a. probable cause b. accusations c. due diligence d. reliability

a. probable cause

An investigator wants to capture all data on a SATA drive connected to a Linux system. What should the investigator use for the "if=" portion of the dcfldd command? a. /dev/sda b. /dev/hda c. /dev/sda1 d. /dev/hda1

a. /dev/sda

_______ is a common cause for lost or corrupted evidence. a. Professional curiosity b. Having an undefined security perimeter c. Public access d. Not having enough people on the processing team

a. Professional curiosity

_______ does not recover data in free or slack space. a. Live acquisition b. Raw format acquisition c. Sparse acquisition d. Static acquisition

c. Sparse acquisition

Which RAID type utilizes mirrored striping, providing fast access and redundancy? a. RAID 3 b. RAID 5 c. RAID 1 d. RAID 10

d. RAID 10

The Linux command _____ can be used to write bit-stream data to files. a. dump b. cat c. write d. dd

d. dd

Which option below is not a hashing function used for validation checks? a. CRC32 b. SHA-1 c. MD5 d. RC4

d. RC4

What does FRE stand for? a. Federal Regulations for Evidence b. Federal Rules of Evidence c. Federal Rules for Equipment d. Federal Rights for Everyone

b. Federal Rules of Evidence

When seizing digital evidence in criminal investigations, whose standards should be followed? a. U.S. DOJ b. ITU c. ISO/IEC d. IEEE

a. U.S. DOJ

_______ is the utility used by the ProDiscover program for remote access. a. VNCServer b. PDServer c. l0pht d. SubSe7en

b. PDServer

What is the name of the Microsoft solution for whole disk encryption? a. SecureDrive b. TrueCrypt c. BitLocker d. DriveCrypt

c. BitLocker

You must abide by the _______ while collecting evidence. a. Federal Rules of Evidence b. Fifth Amendment c. Fourth Amendment d. state's Rules of Evidence

c. Fourth Amendment

Computer-stored records are data the system maintains, such as system log files and proxy server logs. True or false

False

The Fourth Amendment states that only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued. The courts have determined that this phrase means a warrant can authorize a search of a specific place for anything. True or false

False

All forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image. True or False

True
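The dd, dcfldd, hashing and verification questions above describe one procedure: copy every sector from the source device to an image, then hash both sides and compare. The following is an added example, not code from the course, the textbook or the dd/dcfldd projects. It emulates the `conv=noerror,sync` behaviour of dd (keep going past a read error and zero-fill the block) on a constructed in-memory device standing in for something like /dev/sda, and it shows the caveat a practitioner needs: when a sector could not be read, the image can no longer hash-match the source, so the hash you record is the image's own, alongside the bad-sector log. dcfldd's on-the-fly `hash=` option does the image-side hashing for you; here the same thing is done by hashing each block as it is written. The class and function names are this example's own.

```python
import hashlib
import io

SECTOR = 512


class FlakyDevice:
    """Constructed stand-in for a raw block device (not a real device driver).
    Reading a sector listed in bad_sectors raises OSError, as an unreadable sector would."""

    def __init__(self, data: bytes, bad_sectors=()):
        self.data = data
        self.bad_sectors = set(bad_sectors)
        self.pos = 0

    def seek(self, offset: int) -> None:
        self.pos = offset

    def read(self, n: int) -> bytes:
        if self.pos // SECTOR in self.bad_sectors:
            raise OSError("Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def raw_acquire(src, dst, bs: int = SECTOR, noerror_sync: bool = True):
    """Bit-stream copy in the spirit of `dd if=SRC of=DST bs=512 conv=noerror,sync`.
    Returns (bytes_written, bad_sector_numbers, sha256_of_image)."""
    digest = hashlib.sha256()
    offset, bad = 0, []
    while True:
        src.seek(offset)
        try:
            block = src.read(bs)
        except OSError:
            if not noerror_sync:
                raise                      # plain dd stops here and leaves a short image
            bad.append(offset // bs)       # noerror: log the sector and keep going
            block = b"\x00" * bs           # sync: zero-fill so later offsets stay aligned
        if not block:
            break
        dst.write(block)
        digest.update(block)               # hash the image as it is written (dcfldd hash= style)
        offset += len(block)
    return offset, bad, digest.hexdigest()


def verify_image(original: bytes, image: bytes, algorithms=("md5", "sha1", "sha256")):
    """Source-versus-image comparison under each validation hash.
    (RC4 is a stream cipher, not a hash, which is why it cannot appear in this list.)"""
    return {alg: hashlib.new(alg, original).digest() == hashlib.new(alg, image).digest()
            for alg in algorithms}


def demo():
    data = bytes(range(256)) * 16                       # 4096 bytes = 8 sectors, constructed
    clean_img = io.BytesIO()
    clean_len, _, _ = raw_acquire(FlakyDevice(data), clean_img)
    bad_img = io.BytesIO()
    bad_len, bad_sectors, image_sha256 = raw_acquire(FlakyDevice(data, bad_sectors=(3,)), bad_img)
    return {
        "clean_len": clean_len,
        "clean_match": verify_image(data, clean_img.getvalue()),
        "bad_len": bad_len,
        "bad_sectors": bad_sectors,
        "bad_match": verify_image(data, bad_img.getvalue()),
        "bad_image": bad_img.getvalue(),
        "image_sha256": image_sha256,
    }


if __name__ == "__main__":
    r = demo()
    print("clean image matches source:", r["clean_match"])
    print("bad sectors:", r["bad_sectors"], "image sha256:", r["image_sha256"])
```

With a healthy source all three digests match. With sector 3 unreadable the image is still full length (zero-filled at that sector) but no digest matches the source, so the verification record for that acquisition is the image hash plus the bad-sector list, not a source-versus-image match.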

Passwords are typically stored as one-way _____________ rather than in plaintext. a. hashes b. hex values c. variables d. slack spaces

a. hashes
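"One-way" means the stored digest cannot be turned back into the password, but an unsalted digest of a common password can still be matched against a precomputed table, which is how password-recovery tools such as the ophcrack mentioned later on this page work. The following is an added example, not code from the course or the textbook: it builds a tiny hash-to-password table from a constructed wordlist, shows that it recovers an unsalted MD5 but misses the same password once a per-user salt is mixed in, and contrasts both with a slow, salted PBKDF2 store and constant-time check. The storage string format and function names are this example's own.

```python
import hashlib
import hmac
import os


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def precompute_table(wordlist):
    """Digest -> password lookup, the idea behind rainbow-table style attacks
    (simplified: a plain dictionary rather than reduction chains)."""
    return {md5_hex(w): w for w in wordlist}


def salted_md5_hex(password: str, salt: bytes) -> str:
    """A per-user salt makes every digest unique, so one precomputed table cannot serve all users."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2_store(password: str, salt=None, iterations: int = 200_000) -> str:
    """Slow, salted storage in the form "sha256$iterations$salthex$hashhex" (this example's own format)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def demo():
    wordlist = ["password", "letmein", "winter2024", "Passw0rd!"]      # constructed wordlist
    table = precompute_table(wordlist)
    unsalted = md5_hex("winter2024")
    salted = salted_md5_hex("winter2024", b"\x13\x37")
    stored = pbkdf2_store("winter2024", salt=b"\x13\x37" * 8, iterations=1000)  # low count for the demo
    return {
        "unsalted_cracked": table.get(unsalted),   # precomputed table hits immediately
        "salted_cracked": table.get(salted),       # same table misses: the salt changed the digest
        "pbkdf2_verify_ok": pbkdf2_verify("winter2024", stored),
        "pbkdf2_verify_wrong": pbkdf2_verify("Winter2024", stored),
    }


if __name__ == "__main__":
    print(demo())
```

The salted MD5 still falls to a per-user brute force; what the salt removes is the precomputation shortcut. The iteration count in PBKDF2 is what makes that per-user brute force expensive, and a real deployment uses a far higher count than the 1000 used here to keep the demo fast.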

How often should hardware be replaced within a forensics lab? a. Every 12 to 18 months b. Every 24 to 30 months c. Every 18 to 24 months d. Every 6 to 12 months

a. Every 12 to 18 months

What term is used to describe a disk's logical structure of platters, tracks, and sectors? a. geometry b. mapping c. cylinder d. trigonometry

a. geometry

A Master Boot Record (MBR) partition table marks the first partition starting at what offset? a. 0x1BE b. 0x1AE c. 0x1DE d. 0x1CE

a. 0x1BE

What option below is an example of a platform-specific encryption tool? a. BitLocker b. GnuPG c. TrueCrypt d. Pretty Good Privacy (PGP)

a. BitLocker

_______ is not one of the functions of the investigations triad. a. Data recovery b. Digital investigations c. Vulnerability/threat assessment and risk management d. Network intrusion detection and incident response

a. Data recovery

_______ must be included in an affidavit to support an allegation in order to justify a warrant. a. Exhibits b. Witnesses c. Verdicts d. Subpoenas

a. Exhibits

What tool, currently maintained by the IRS Criminal Investigation Division and limited to use by law enforcement, can analyze and read special files that are copies of a disk? a. ILook b. Photorec c. DeepScan d. AccessData Forensic Toolkit

a. ILook

The _______ is responsible for analyzing data and determining when another specialist should be called in to assist with analysis. a. Digital Evidence Specialist b. Digital Evidence Analyst c. Digital Evidence Examiner d. Digital Evidence First Responder

a. Digital Evidence Specialist

The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System. a. registry b. hive c. storage d. tree

b. hive

A typical disk drive stores how many bytes in a single sector? a. 1024 b. 512 c. 8 d. 4096

b. 512

What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations? a. EnCase Certified Examiner b. Certified Cyber Forensics Professional c. Certified Forensic Computer Examiner d. Certified Computer Crime Investigator

b. Certified Cyber Forensics Professional

A TEMPEST facility is designed to accomplish which of the following goals? a. Ensure network security from the Internet using comprehensive security software. b. Shield sensitive computing systems and prevent electronic eavesdropping of computer emissions. c. Prevent data loss by maintaining consistent backups. d. Protect the integrity of data.

b. Shield sensitive computing systems and prevent electronic eavesdropping of computer emissions.

_______ is responsible for creating and monitoring lab policies for staff, and provides a safe and secure workplace for staff and evidence. a. The lab steward b. The lab manager c. The lab secretary d. The lab investigator

b. The lab manager

What hex value is the standard indicator for jpeg graphics files? a. F8 D8 b. FF D8 c. FF D9 d. AB CD

b. FF D8

What registry file contains installed programs' settings and associated usernames and passwords? a. System.dat b. Software.dat c. Default.dat d. Security.dat

b. Software.dat

A chain-of-evidence form, which is used to document what has and has not been done with the original evidence and forensic copies of the evidence, is also known as a(n) _______. a. evidence tracking form b. evidence custody form c. single-evidence form d. multi-evidence form

b. evidence custody form

Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as _______. a. verifiable reporting b. repeatable findings c. reloadable steps d. evidence reporting

b. repeatable findings

The __________ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface. a. Ubuntu b. Helix3 c. Kali d. Arch

b. Helix3

When using the File Allocation Table (FAT), where is the FAT database typically written to? a. The first sector b. The innermost track c. The outermost track d. The first partition

c. The outermost track

Which tool below is not recommended for use in a forensics lab? a. FireWire and USB adapters b. 2.5-inch adapters for drives c. Degausser d. SCSI cards

c. Degausser

Which option below is not a standard systems analysis step? a. Mitigate or minimize the risks. b. Obtain and copy an evidence drive. c. Share evidence with experts outside of the investigation. d. Determine a preliminary design or approach to the case.

c. Share evidence with experts outside of the investigation.

Reconstructing fragments of files that have been deleted from a suspect drive is known as ____________ in North America. a. sculpting b. scraping c. carving d. salvaging

c. carving
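Carving is what the FF D8 JPEG signature from the earlier question is for: when no directory entry points at the data any more, the only way to find a file in unallocated space is to scan for its header and footer. The following is an added example, not code from the course or the textbook. It carves JPEG-shaped blobs out of a constructed block of "unallocated space" (no real images; the filler is chosen so it never contains a 0xFF byte and cannot produce false markers), and it keeps a header that has no matching footer as a truncated hit rather than dropping it. The function names are this example's own.

```python
SOI = b"\xFF\xD8\xFF"   # start of image: FF D8, always followed by another FF marker byte
EOI = b"\xFF\xD9"       # end of image


def carve_jpegs(blob: bytes, max_size: int = 16 * 1024 * 1024):
    """Header/footer carving: locate every FF D8 FF, then the next FF D9 within max_size bytes.
    Returns dicts with start, end, a complete flag and the carved bytes.
    Caveat: an EXIF thumbnail carries its own SOI/EOI pair inside the outer file, so a
    naive footer search can stop early; a full carver parses the marker segments instead."""
    results, pos = [], 0
    while True:
        start = blob.find(SOI, pos)
        if start < 0:
            break
        window_end = min(len(blob), start + max_size)
        end = blob.find(EOI, start + len(SOI), window_end)
        if end < 0:
            # header with no footer: truncated or partly overwritten, still worth keeping
            results.append({"start": start, "end": window_end, "complete": False,
                            "data": blob[start:window_end]})
            pos = start + len(SOI)
            continue
        end += len(EOI)
        results.append({"start": start, "end": end, "complete": True, "data": blob[start:end]})
        pos = end
    return results


def constructed_unallocated_space() -> bytes:
    """Constructed sample: filler without any 0xFF byte, two whole JPEG-shaped blobs,
    and one truncated header at the end. Not real image data."""
    filler = bytes((i * 7) % 251 for i in range(300))
    jpeg_a = SOI + b"\xE0\x00\x10JFIF" + b"A" * 40 + EOI     # 52 bytes, APP0/JFIF style
    jpeg_b = SOI + b"\xE1\x00\x10Exif" + b"B" * 64 + EOI     # 76 bytes, APP1/Exif style
    truncated = SOI + b"\xE0\x00\x10JFIF" + b"C" * 20         # header, no footer
    return filler + jpeg_a + filler + jpeg_b + filler + truncated


if __name__ == "__main__":
    for hit in carve_jpegs(constructed_unallocated_space()):
        print(hit["start"], hit["end"], "complete" if hit["complete"] else "TRUNCATED")
```

On a real image you would run this over the unallocated clusters (or the whole device) and write each hit to its own file named by offset; the offset is what ties a carved file back to the evidence when you report it.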

The sale of sensitive or confidential company information to a competitor is known as _______. a. industrial sabotage b. industrial betrayal c. industrial espionage d. industrial collusion

c. industrial espionage

How long are computing components designed to last in a normal business environment? a. 14 to 26 months b. 36 to 90 months c. 12 to 16 months d. 18 to 36 months

d. 18 to 36 months

Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files? a. Advanced Open Capture b. Advanced Capture Image c. Advanced Forensics Disk d. Advanced Forensic Format

d. Advanced Forensic Format

Which of the following scenarios should be covered in a disaster recovery plan? a. damage caused by lightning strikes b. damage caused by flood c. damage caused by a virus contamination d. all of the above

d. all of the above

A computer stores system configuration and date and time information in the BIOS when power to the system is off. True or false

False

All suspected industrial espionage cases should be treated as civil case investigations. True or false

False

FTK Imager software can acquire a drive's host protected area. True or false

False

Someone who wants to hide data can create hidden partitions or voids, large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities. True or false

False
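The partition-gap question above, together with the earlier ones on the 512-byte sector and the partition table at offset 0x1BE, comes down to reading sector 0 and doing some arithmetic: each of the four 16-byte entries gives a start LBA and a sector count, and any sectors that no entry covers are the voids where data can be hidden. A sector-level tool sees them as plainly as it sees the partitions. The following is an added example, not code from the course or the textbook; the MBR it parses is constructed in the script, and the function names are this example's own.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 0x1BE          # first of four 16-byte partition entries in sector 0
ENTRY_FMT = "<B3sB3sII"            # boot flag, CHS start, type, CHS end, start LBA, sector count
BOOT_SIGNATURE = b"\x55\xAA"       # bytes 510-511 of the MBR
LBA_ONLY_CHS = b"\xFE\xFF\xFF"     # CHS placeholder commonly written for LBA-addressed partitions


def build_mbr(parts):
    """Constructed sample MBR (not captured from a real disk).
    parts: iterable of (boot_flag, type_id, start_lba, sector_count)."""
    mbr = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(parts):
        off = PART_TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, boot, LBA_ONLY_CHS, ptype, LBA_ONLY_CHS, start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr: bytes):
    """Decode the four primary-partition slots starting at 0x1BE."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    parts = []
    for i in range(4):
        boot, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue                       # empty slot
        parts.append({"slot": i, "bootable": boot == 0x80, "type": ptype,
                      "start_lba": start, "sectors": count, "end_lba": start + count - 1})
    return parts


def find_gaps(parts, total_sectors):
    """Sector ranges no primary partition covers: before the first, between them, after the last."""
    gaps, cursor = [], 1                   # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"] - 1))
        cursor = max(cursor, p["end_lba"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def demo(total_sectors=20480):
    mbr = build_mbr([(0x80, 0x07, 2048, 8192),      # bootable NTFS-type partition
                     (0x00, 0x83, 12288, 4096)])    # Linux-type partition with a void before it
    parts = parse_mbr(mbr)
    return parts, find_gaps(parts, total_sectors), mbr


if __name__ == "__main__":
    parts, gaps, _ = demo()
    for p in parts:
        print(p)
    for lo, hi in gaps:
        print(f"unallocated sectors {lo}-{hi} ({(hi - lo + 1) * SECTOR} bytes)")
```

Two caveats when pointing this at a real drive: a single entry of type 0xEE means the disk is GPT and the real table lives in the sectors after the protective MBR, and an extended partition (types 0x05/0x0F) chains further tables that this primary-only walk does not follow, so its logical drives would appear here as one allocated range.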

A disaster recovery plan ensures that workstations and file servers can be restored to their original condition in the event of a catastrophe. True or false

True

A forensics investigator should verify that acquisition tools can copy data in the HPA of a disk drive. True or false

True

When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space. True or false

True

The ImageUSB utility can be used to create a bootable flash drive. True or false

True

The recording of all updates made to a workstation or machine is referred to as configuration management. True or false

True

Which ISO standard below is followed by the ASCLD? a. 17025:2005 b. 17026:2007 c. 12076:2005 d. 12075:2007

a. 17025:2005

As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state? a. The power cable should be pulled. b. The decision should be left to the Digital Evidence First Responder (DEFR). c. The system should be shut down gracefully. d. The power should be left on.

b. The decision should be left to the Digital Evidence First Responder (DEFR).

