Forensics Review Quiz 1
How is Unallocated Space named in FTK and FTK Viewer?
Each unallocated space item is named after the sector or cluster at which it starts.
Name three file systems FTK Imager can read.
FAT (12, 16, 32), NTFS, HFS
How can you get all the images in a case to appear in the File List on the Graphics tab?
Find the user whose graphics you want to display and "Quick Pick" them. This will show you all of the graphics for that user.
You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512. a. hashlog b. checksum c. hash d. md5sum
hash
Name four imaging formats FTK Imager can write.
.001 - Raw (Linux dd), .S01 - SMART, .aff - Advanced Forensics Format, .ADI - AccessData Custom Content Logical Images
Name the two default KFF groups.
AD_Alert, AD_Ignore
When archiving a case, which two things must occur separately?
Detach, Archive
In the ____, you justify acquiring newer and better resources to investigate digital forensics cases. a. risk evaluation b. upgrade policy c. configuration plan d. business case
business case
The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true. a. challenged b. notarized c. recorded d. examined
notarized
Name three things a case reviewer cannot do.
Create, add, or delete cases; administer users; use the Decrypt Files menu option.
Name the five image formats that FTK Imager can read.
EnCase (.E01), Virtual Hard Disk (.vhd), Pinnacle CD Image (.pdi), Gear CD Image (.p01), Tar Archive (.tar)
Computer investigations and forensics fall into the same category: public investigations. True False
False
If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately. True False
False
If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available. True False
False
What are the eight primary containers of the Overview tab?
File Items, File Extension, File Category, File Status, Labels, Bookmarks, Cluster Topic, Document Content
Name four different media and data storage devices.
Floppy disks, hard drives, CDs, tablets
If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available. a. live b. local c. passive d. static
Live
Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility. a. professional conduct b. professional policy c. line of authority d. oath
Professional Conduct
____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment. a. Risk configuration b. Change management c. Risk management d. Configuration management
Risk Management
After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. True False
True
Computing systems in a forensics lab should be able to process typical cases in a timely manner. True False
True
To be a successful computer forensics investigator, you must be familiar with more than one computing platform. True False
True
In which file category is Unallocated Space located?
Unallocated space is located under the Overview tab.
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____. a. blotter b. litigation report c. affidavit d. exhibit report
affidavit
In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations. a. authority of right b. authorized requester c. line of right d. authority of line
authorized requester
In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation. a. criminal b. fourth amendment c. civil d. corporate
criminal
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. a. Computer forensics b. Disaster recovery c. Network forensics d. Data recovery
data recovery
A ____ is where you conduct your investigations, store evidence, and do most of your work. a. workbench b. storage room c. digital forensics lab d. forensic workstation
digital forensics lab
The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime. a. digital investigations b. incident response c. network intrusion detection d. litigation
digital investigations
A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing. a. configuration management b. security c. disaster recovery d. risk management
disaster recovery
A(n) ____ is a person using a computer to perform routine tasks other than systems administration. a. investigator b. end user c. complainant d. user banner
end user
___ often work as part of a team to secure an organization's computers and networks. a. Computer analysts b. Data recovery engineers c. Forensics investigators d. Network monitors
forensics investigators
Floors and carpets in your computer forensics lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity. a. once b. twice c. three times d. four times
once
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools. a. AFF b. AFD c. raw d. proprietary
proprietary
In general, a criminal case follows three stages: the complaint, the investigation, and the ____. a. blotter b. allegation c. prosecution d. litigation
prosecution
A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock. a. wood b. steel c. gypsum d. expanded metal
steel