Final exam ITSY 2343-1001


In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each. a. 1024 b. 1512 c. 2048 d. 2512

a. 1024

Digital forensics tools are divided into ____ major categories. a. 2 b. 3 c. 4 d. 5

a. 2

An expert's opinion is governed by FRE, Rule ____, and the corresponding rule in many states. a. 705 b. 755 c. 805 d. 855

a. 705

____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. a. Data recovery b. Network forensics c. Computer forensics d. Disaster recovery

a. Data recovery

Most digital photographs are stored in the ____ format. a. EXIF b. TIFF c. PNG d. GIF

a. EXIF

AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data. a. KFF b. PKFT c. NTI d. NSRL

a. KFF

Metadata in a prefetch file contains an application's ____ times in UTC format and a counter of how many times the application has run since the prefetch file was created. a. MAC b. ACL c. startup / access d. log event

a. MAC

The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____. a. NSRL b. CFTT c. FS-TST d. PARTAB

a. NSRL

____ are devices or software placed on a network to monitor traffic. a. Packet analyzers b. Bridges c. Hubs d. Honeypots

a. Packet analyzers

A ____ is a column of tracks on two or more disk platters. a. cylinder b. sector c. track d. head

a. cylinder

A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing. a. disaster recovery b. risk management c. configuration management d. security

a. disaster recovery

The method for expressing an opinion is to have an attorney frame a ____ question based on available factual evidence. a. hypothetical b. nested c. challenging d. contradictory

a. hypothetical

Typically, report writers use one of two numbering systems: decimal numbering or ____ numbering. a. legal-sequential b. roman-sequential c. arabic-sequential d. letter-sequential

a. legal-sequential

Under copyright laws, computer programs may be registered as ____. a. literary works b. motion pictures c. architectural works d. audiovisual works

a. literary works

Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes. a. much easier than b. as easy as c. as difficult as d. more difficult than

a. much easier than

Courts consider evidence data in a computer as ____ evidence. a. physical b. invalid c. virtual d. logical

a. physical

____ is a good tool for extracting information from large Libpcap files. a. tcpslice b. john c. oinkmaster d. memfetch

a. tcpslice

When you give ____ testimony, you present this evidence and explain what it is and how it was obtained. a. technical/scientific b. expert c. lay witness d. deposition

a. technical/scientific

Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult. a. whole disk encryption b. backup utilities c. recovery wizards d. NTFS

a. whole disk encryption

Most packet analyzers operate on layer 2 or ____ of the OSI model. a. 1 b. 3 c. 5 d. 7

b. 3

For a forensics examiner, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you're constantly enhancing your skills through training, teaching, and experience. a. testimony b. CV c. examination plan d. deposition

b. CV

The marking bad clusters data-hiding technique is more common with ____ file systems. a. NTFS b. FAT c. HFS d. Ext2fs

b. FAT

Autopsy uses ____ to validate an image. a. RC4 b. MD5 c. AFF d. AFD

b. MD5

____ is a forensics software tool containing a built-in write blocker. a. GSMCon b. MOBILedit c. SIMedit d. 3GPim

b. MOBILedit

After you open e-mail headers, copy and paste them into a text document so that you can read them with a text editor, such as Windows ____. a. vim b. Notepad+ c. Nano d. TextEdit

b. Notepad+

The primary hash algorithm used by the NSRL project is ____. a. MD5 b. SHA-1 c. CRC-32 d. RC4

b. SHA-1

A ____ is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed through the application's Web interface. a. programming language b. management plane c. backdoor d. configuration manager

b. management plane

Records in the MFT are called ____. a. hyperdata b. metadata c. inodes d. infodata

b. metadata

Most digital investigations in the private sector involve ____. a. e-mail abuse b. misuse of digital assets c. Internet abuse d. VPN abuse

b. misuse of digital assets

The Google drive file ____ contains a detailed list of a user's cloud transactions. a. loggedtransactions.log b. sync_log.log c. transact_user.db d. history.db

b. sync_log.log

____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size. a. Continuous logging b. Automatic logging c. Circular logging d. Server logging

c. Circular logging

The most common and flexible data-acquisition method is ____. a. Disk-to-disk copy b. Disk-to-network copy c. Disk-to-image file copy d. Sparse data copy

c. Disk-to-image file copy

FRE ____ describes whether the basis for the testimony is adequate. a. 700 b. 701 c. 702 d. 703

d. 703

Magnet ____ enables you to acquire the forensic image and process it in the same step. a. DEFR b. FTK c. dd d. AXIOM

d. AXIOM

The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence. a. Federal Rules of Evidence (FRE) b. Department of Defense Computer Forensics Laboratory (DCFL) c. DIBS d. Computer Analysis and Response Team (CART)

d. Computer Analysis and Response Team (CART)

____ is an attempt by opposing attorneys to prevent you from serving on an important case. a. Conflict of interest b. Warrant c. Deposition d. Conflicting out

d. Conflicting out

The ____ network is a digital version of the original analog standard for cell phones. a. TDMA b. EDGE c. CDMA d. D-AMPS

d. D-AMPS

____ isn't usually punitive, but it can be embarrassing for you as a professional and potentially for the attorney who retained you. a. Professional responsibility b. Conflicting out c. Admonition d. Disqualification

d. Disqualification

Paraben Software, a vendor of mobile forensics software, offers several tools, such as ____, for mobile device investigations. a. BitPim b. DataPilot c. MOBILedit! d. E3:DS

d. E3:DS

Certain files, such as the ____ and Security log in Windows, might lose essential network activity records if power is terminated without a proper shutdown. a. Password log b. Word log c. Io.sys d. Event log

d. Event log

The JFIF ____ format has a hexadecimal value of FFD8 FFE0 in the first four bytes. a. EPS b. BMP c. GIF d. JPEG

d. JPEG

____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version. a. Boot.ini b. BootSec.dos c. NTDetect.com d. NTBootdd.sys

d. NTBootdd.sys

____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment. a. Risk configuration b. Change management c. Configuration management d. Risk management

d. Risk management

A common way of examining network traffic is by running the ____ program. a. Netdump b. Slackdump c. Coredump d. Tcpdump

d. Tcpdump

If necessary, you can include ____ containing material such as raw data, figures not used in the body of the report, and anticipated exhibits. a. conclusions b. discussions c. references d. appendixes

d. appendixes

One way to compare results and verify a new tool is by using a ____, such as Hex Workshop or WinHex. a. disk imager b. write-blocker c. bit-stream copier d. disk editor

d. disk editor

____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed. a. HTCN reports b. IDE reports c. Uniform crime reports d. ASCLD reports

c. Uniform crime reports

What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds? a. Cisco Cloud Computing b. Amazon EC2 c. XenServer and XenCenter Windows Management Console d. HP Helion

c. XenServer and XenCenter Windows Management Console

In general, a criminal case follows three stages: the complaint, the investigation, and the ____. a. litigation b. allegation c. blotter d. prosecution

d. prosecution

Some popular Web-based e-mail service providers are Gmail, ____, Outlook Online, and Yahoo! a. Zoho b. Facebook c. Greatmail d. Twitter

a. Zoho

Some attorneys contact many experts as a ploy to disqualify them or prevent opposing counsel from hiring them; this practice is called "____." a. conflicting out b. blocking c. disqualification d. discrimination

a. conflicting out

A consultant who doesn't testify can earn a ____ for finding testifying experts or investigative leads. a. contingency fee b. retainer c. stake in a case d. reprimand

a. contingency fee

____ is the physical address support program for accessing more than 4 GB of physical RAM. a. Hal.dll b. Ntkrnlpa.exe c. BootSect.dos d. Io.sys

b. Ntkrnlpa.exe

WinHex provides several hashing algorithms, such as MD5 and ____. a. AES b. SHA-1 c. RC4 d. CRC

b. SHA-1

Global System for Mobile Communications (GSM) uses the ____ technique, so multiple phones take turns sharing a channel. a. Orthogonal Frequency Division Multiplexing b. Time Division Multiple Access c. Enhanced Data GSM Environment d. Code Division Multiple Access

b. Time Division Multiple Access

Cellebrite includes ____, a mobile forensics tool that's often used by law enforcement and the military. a. MOBILedit Forensics b. UFED Reader c. BitPim d. DataPilot

b. UFED Reader

The data-hiding technique ____ changes data from readable code to data that looks like binary executable code. a. marking bad clusters b. partition-shifting c. partition hiding b. bit shifting

b. bit shifting

In the ____, you justify acquiring newer and better resources to investigate digital forensics cases. a. risk evaluation b. business case c. configuration plan d. upgrade policy

b. business case

Before allowing an attorney to describe any case details, determine who the parties are to reduce the possibility of a ____. a. collaboration b. conflict c. mistrial d. contradiction

b. conflict

There are two types of depositions: ____ and testimony preservation. a. examination b. discovery c. direct d. rebuttal

b. discovery

Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure. a. steganography b. key escrow c. password backup d. key splitting

b. key escrow

In Facebook the ____ info simply tells you the last time a person logged on. a. extended subscriber b. advanced subscriber c. Neoprint d. basic subscriber

c. Neoprint

Sometimes opposing attorneys ask several questions inside one question; this practice is called a ____ question. a. leading b. hypothetical c. compound d. rapid-fire

c. compound

If you can't open a graphics file in an image viewer, the next step is to examine the file's ____. a. extension b. name c. header data d. size

c. header data

A written preliminary report is considered a ____ document because opposing counsel can demand discovery on it. a. low-risk b. middle-risk c. high-risk d. no-risk

c. high-risk

If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available. a. passive b. static c. live d. local

c. live

Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses. a. line of authority b. right of privacy c. line of privacy d. line of right

b. right of privacy

Exchange logs information about changes to its data in a(n) ____ log. a. checkpoint b. communication c. transaction d. tracking

c. transaction

Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack. a. ISPs b. soldiers c. zombies d. pawns

c. zombies

To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe. a. secure workstation b. secure workbench c. protected PC d. secure facility

d. secure facility

Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider? a. search warrants b. subpoenas c. court orders d. seizure order

d. seizure order

One technique for extracting evidence from large systems is called ____. a. RAID copy b. RAID imaging c. large evidence file recovery d. sparse acquisition

d. sparse acquisition

Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example. a. live b. online c. real-time d. static

d. static

Steganalysis tools are also called ____. a. image editors b. image tools c. hexadecimal editors d. steg tools

d. steg tools

Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab. a. evidence custody form b. FOIA form c. affidavit d. warrant

d. warrant
