ITN 276 Final

How many rounds does DES have? 64 56 16 4

16.

What is the key length used for DES? 56 64 128 256

56.

A directory entry in a FAT file system has a logical size of which of the following? A. 0 bytes B. 8 bytes C. 16 bytes D. One sector

A. 0 bytes

Which of the following is not true regarding the exFAT file system? A. Cluster allocation is tracked in the File Allocation Table (FAT). B. When a file is deleted, the corresponding entries in the File Allocation Table (FAT) are reset or zeroed out. C. Cluster allocation is tracked in an allocation bitmap. D. An entry in the FAT of 00 00 00 00 means that the FAT is not tracking allocation for this file.

A. Cluster allocation is tracked in the File Allocation Table (FAT).

Which selection keeps track of a fragmented file in a FAT (not exFAT) file system? A. File Allocation Table B. Directory structure C. Volume boot record D. Master file table

A. File Allocation Table

In Windows, the Recycle Bin is a holding place for deleted files until the user decides to confirm deletion by emptying the Recycle Bin. Once the file is moved to the Recycle Bin, a record is added to the log file that exists in the Recycle Bin. Which of the following files contains records that correspond to each deleted file in the Recycle Bin? A. INFO2 file B. INFO1 file C. LOGINFO2 file D. LOGINFO1 file

A. INFO2 file

What type of encryption uses a different key to encrypt the message than it uses to decrypt the message? Private key Asymmetric Symmetric Secure

Asymmetric.

On a FAT file system, FAT is defined as which of the following? A. A table consisting of master boot record and logical partitions B. A table created during the format that the operating system reads to locate data on a drive C. A table consisting of filenames and file attributes D. A table consisting of filenames, deleted filenames, and their attributes

B. A table created during the format that the operating system reads to locate data on a drive

Section 816 of the USA Patriot Act, titled the "Development and Support of Cybersecurity Forensic Capabilities," does what? A. Establishes guidelines for intercepting email B. Establishes guidelines for seizing hard drives C. Calls for the establishment of regional computer forensic laboratories D. Calls for investigation of all cybercrimes as acts of terrorism

C. Calls for the establishment of regional computer forensic laboratories

What does EnCase do when a deleted file's starting cluster number is assigned to another file? A. EnCase reads the entire existing data as belonging to the deleted file. B. EnCase reads the amount of data only from the existing file that is associated with the deleted file. C. EnCase marks the deleted file as being overwritten. D. EnCase does not display a deleted filename when the data has been overwritten.

C. EnCase marks the deleted file as being overwritten.

How many clusters can a FAT32 file system manage? A. 2 × 32 = 64 clusters B. 2^32 = 4,294,967,296 clusters C. 2 × 28 = 56 clusters D. 2^28 = 268,435,456 clusters

D. 2^28 = 268,435,456 clusters

Each directory entry in a FAT file system is ____ bytes in length. A. 0 B. 8 C. 16 D. 32

D. 32

The NTFS file system does which of the following? A. Supports long filenames B. Compresses individual files and directories C. Supports large file sizes in excess of 4 GB D. All of the above

D. All of the above

Which of the following describes a partition table? A. It is located at cylinder 0, head 0, sector 1. B. Is located in the master boot record. C. It keeps track of the partitions on a hard drive. D. All of the above.

D. All of the above.

According to the Electronic Communications Privacy Act of 1986, when will a law enforcement officer need a warrant to intercept email? A. Never B. Only when seizing it in transit C. Only when seizing it from the server D. Anytime email will be intercepted

D. Anytime email will be intercepted

Which of the following is true about a volume boot record? A. It is always located at the first sector of its logical partition. B. It immediately follows the master boot record. C. It contains BIOS parameter block and volume boot code. D. Both A and C.

D. Both A and C.

Which software forensic tool offers Blade, HstEx, and NetAnalysis? Blade is a Windows-based data recovery solution and supports plug-ins that give it advanced data recovery and analysis capabilities. ComputerCOP Digital Intelligence Digital Detective Disk Investigator

Digital Detective

The Electronic Communications Privacy Act extended the consent exception guideline to e-mail monitoring, which states that one party to a conversation must give consent. True False

False

Hard drives that run __________ address blocks, or integer multiples of blocks, at a time. Unix Windows MacOS Linux

Linux

An improvement on the Caesar cipher that uses more than one shift is called a(n)? DES encryption Multialphabet substitution IDEA Triple DES

Multialphabet substitution.

__________ is the data to be covertly communicated. In other words, it is the message you want to hide. Least significant bit (LSB) Caesar cipher Payload Channel

Payload

Which of the following is an asymmetric cryptography algorithm invented by 3 mathematicians in the 1970s? PGP (Pretty Good Privacy) DES (Data Encryption Standard) DSA (Data Structures and Algorithms) RSA (Rivest-Shamir-Adleman)

RSA

__________ is the process of analyzing a file or files for hidden content. Steganalysis Asymmetric cryptography Symmetric cryptography Steganophony

Steganalysis

__________ is a term that refers to hiding messages in sound files. Asymmetric cryptography Steganography Steganophony Symmetric cryptography

Steganophony

The Caesar cipher is the oldest known encryption method. T F

T

__________ has the ability to search for fragments of deleted tools and is a free suite of command-line tools, including a number of search utilities. Many users find the command-line interface to be cumbersome, but a graphical user interface (GUI) called Autopsy has been created. X-Ways Software Technology AG The Sleuth Kit EnCase Digital Intelligence

The Sleuth Kit

A hard drive failure, accidental data deletion, or similar small-scale incident will not prevent a redundant network server or SAN from continuing to provide data and services to end-users. True False

True

It is very common for criminal enterprises to intentionally construct their own clouds with data stored in jurisdictions with rules and laws that make data retrieval for the purpose of forensics difficult or impossible. True False

True

Which of the following is an example of a multialphabet cipher? Caesar Vigenere Atbash ROT13

Vigenere.

What name is given to the determination of whether a file or communication hides other information? Kasiski examination substitution steganalysis payload

steganalysis

Hiding messages inside another medium is referred to as cryptography cryptology steganalysis steganography

steganography.

In FAT and NTFS file systems, a __________ is used to map files to specific clusters where they are stored on the disk. cluster table partition node

table

Why can you undelete files in Windows 7? A. Nothing is deleted; it is just removed from MFT. B. Nothing is deleted; it is just removed from FAT. C. Fragments might exist, even though the file is deleted. D. You cannot.

A. Nothing is deleted; it is just removed from MFT.

What three things occur when a file is created in a FAT32 file system? A. The directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file's data is filled in to the assigned clusters. B. The filename is entered in to the FAT, the directory structure assigns the number of clusters, and the file's data is filled in to the assigned clusters. C. The directory entry for the file is created, the number of clusters is assigned by the directory structure, and the file's data is filled in to the FAT. D. The directory structure maintains the amount of clusters needed, the filename is recorded in the FAT, and the file's data is filled in to the assigned clusters.

A. The directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file's data is filled in to the assigned clusters.

Which of the following encryption algorithms uses 3 key ciphers in a block system and uses the Rijndael algorithm? DES RSA AES NSA

AES (Advanced Encryption Standard)

When you are performing forensic analysis on devices from diverse jurisdictions, the proper approach is to: A. Adhere to the rules of the jurisdiction with the least restrictive requirements. B. Adhere to the rules of the jurisdiction with the most restrictive requirements. C. Adhere to international requirements. D. Adhere to your own best judgment.

B. Adhere to the rules of the jurisdiction with the most restrictive requirements.

The Patriot Act had no effect on computer forensics. A. True B. False

B. False

What file system does OS X use? A. HPFS B. HFS+ C. NTFS D. EXT3

B. HFS+ (Hierarchical File System)

By default, what color does EnCase use to display directory entries within a directory structure? A. Black B. Red C. Gray D. Yellow

B. Red

The space between the end of a file and the end of the cluster (if there is any such space) is called what? A. Empty space B. Slack space C. Delete space D. Nothing; files occupy the entire cluster

B. Slack space

Which of the following is the Linux equivalent of a shortcut? A. Hard link B. Symbolic link C. Partial link D. Faux link

B. Symbolic link

A file's physical size is which of the following? A. Always greater than the file's logical size B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster C. Both A and B D. None of the above

B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster

How many copies of the FAT does each FAT32 volume maintain in its default configuration? A. One B. Two C. Three D. Four

B. Two

The International Association of Computer Investigative Specialists (IACIS) was created by ______ who wanted to formalize credentials in computing investigations. A. forensic scientists B. police officers C. government agencies D. academic computer science departments

B. police officers

Which of the following is not a unique characteristic of cloud computing relative to forensics? A. Evidence may be in a different location than the suspect computer. B. Evidence may be under different privacy rules. C. Evidence may be stored in binary code. D. Evidence may be easier for multiple persons to tamper with or modify. E. All of the above

C. Evidence may be stored in binary code.

How does EnCase recover a deleted file in a FAT file system? A. It reads the deleted filename in the FAT and searches for the file by its starting cluster number and logical size. B. It reads the deleted filename in the directory entry and searches for the corresponding filename in unallocated clusters. C. It obtains the deleted file's starting cluster number and size from the directory entry to obtain the data's starting location and number of clusters required. D. It obtains the deleted file's starting cluster number and size from the FAT to locate the starting location and amount of clusters needed.

C. It obtains the deleted file's starting cluster number and size from the directory entry to obtain the data's starting location and number of clusters required.

What file system does Windows 7 use? A. FAT B. FAT32 C. NTFS D. HPFS

C. NTFS (New Technology File System)

In a FAT file system, the FAT tracks the _____________ while the directory entry tracks the _____________ . A. The filename and file size B. The file's starting cluster and file's last cluster (EOF) C. The file's last cluster (EOF) and file's starting cluster D. The file size and file fragmentation

C. The file's last cluster (EOF) and file's starting cluster

Jason is performing an investigation of a Linux computer. The computer is part of an investigation into allegations of identity theft. The suspect who owns the computer is skilled with computers, and Jason is concerned that she may have deleted files from the system. In the Linux operating system, when is a file deleted? A. When the Recycle Bin is emptied B. When the Trashcan is emptied C. When the iNode count reaches 0 D. When the MFT removes the file reference

C. When the iNode count reaches 0

The following are characteristics of the __________ certification: Only law enforcement personnel and government employees working as system forensics examiners may join. Students learn to interpret and trace e-mail, acquire evidence properly, identify operating systems, recover data, and understand encryption theory and other topics. Students must pass a written exam before continuing to the next level. There are multiple levels. EnCase Certified Examiner AccessData Certified Examiner Certified Forensic Computer Examiner (CFCE) Certified Hacking Forensic Investigator

Certified Forensic Computer Examiner (CFCE)

Which forensic tool provider offers Professional and Forensic Examiner? Professional is an automated search tool that allows an examiner to immediately find electronic evidence for trial, used by many supervision officers to monitor probationers' and parolees' computer use. ComputerCOP Digital Intelligence Digital Detective Disk Investigator

ComputerCOP

Which of the following is not true regarding the NTFS file system? A. Data for very small files can be stored in the MFT itself and is referred to as resident data. B. Cluster allocation is tracked in the $Bitmap file. C. Data that is stored in clusters is called nonresident data. D. Cluster allocation is tracked in the File Allocation Table (FAT).

D. Cluster allocation is tracked in the File Allocation Table (FAT).

How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a FAT in a FAT file system? A. It does not affect the corresponding cluster number on a FAT; therefore, the rest of the sectors associated with the assigned cluster can still be written to. B. It does not affect the corresponding cluster number on a FAT; only the corrupted portion of the sector is prevented from being written to. C. It does affect the FAT. The corresponding cluster number is marked as bad; however, only the corrupted sector within the cluster is prevented from being written to. D. It does affect the FAT. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to.

D. It does affect the FAT. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to.

If the FAT, in a FAT file system, lists cluster number 2749 with a value of 0, what does this mean about this specific cluster? A. It is blank and contains no data. B. It is marked as bad and cannot be written to. C. It is allocated to a file. D. It is unallocated and is available to store data.

D. It is unallocated and is available to store data.

What is the area between the end of a file's logical size and the file's physical size called? A. Unused disk area B. Unallocated clusters C. Unallocated sectors D. Slack space

D. Slack space

In Linux, what is the data structure in the file system that stores all the information about a file except its name and its actual data? A. MFT B. FAT C. Cluster D. iNode

D. iNode

Which software is a general-purpose suite of forensic tools that can be used to create a forensic image of a drive, verify that image, and analyze the image? The analysis includes discovering malware, examining the Windows Registry, and breaking passwords in commonly used software, such as Excel spreadsheets or Adobe PDF documents. Forensic Toolkit (FTK) produced by AccessData ASR Data Acquisition & Analysis Digital Intelligence EnCase

Forensic Toolkit (FTK) produced by AccessData

The most common way steganography is accomplished is via _________ MSB ASB RSB LSB

LSB (Least Significant Bit)

Which of the following is the definition of inode? a data structure in the file system that stores all the information about a file except its name and its actual data a number for unlocking an iPhone one of the Linux boot loaders a popular Linux/UNIX search tool

a data structure in the file system that stores all the information about a file except its name and its actual data

__________ is cryptography wherein two keys are used: one to encrypt the message and another to decrypt it. Euler's Totient Feistel cipher asymmetric cryptography symmetric cryptography

asymmetric cryptography

In steganography, the ____________ is the stream or file into which the data is hidden. Payload Carrier Signal Channel

carrier

A network where resources, services, and applications are located remotely instead of on a local server is referred to as __________. network redundancy storage area networking cloud computing fail-safe computing

cloud computing

According to Moore's law, computer power _______ at _______ the cost approximately every 18 to 24 months.

doubles / half

Most operating systems provide a basic repair tool for their native file systems. Linux comes with: chkdsk utility fsck utility Disk Utility TestDisk utility

fsck utility

The Linux/UNIX command __________ can be used to search for files, contents of files, and just about anything else. scalpel diskdigger grep undelete

grep

If a server fails, the organization simply uses the other server, often called the mirror server. In the simplest configuration, there are two servers that are connected. They are complete mirrors of each other. Should one server fail for any reason, all traffic is diverted to the other server. This organization utilizes __________. network redundancy fail-safe servers multiple redundant servers storage area network

multiple redundant servers

In steganography, the __________ is the data to be covertly communicated. In other words, it is the message you want to hide. payload carrier signal channel

payload

