Modules 1 - 4 Review


What's the maximum file size when writing data to a FAT32 drive?

2 GB

What's a hashing algorithm?

A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk

Which organization has guidelines on how to operate a digital forensics lab?

ANAB

What are two advantages and disadvantages of the raw format?

Advantages:
· Faster data transfer speeds
· Ignores minor data errors
· Compatibility with most forensics analysis tools
Disadvantages:
· Requires equal or greater target disk space
· Doesn't contain hash values in the raw file (metadata); you might have to run a separate hash program to validate raw format data
· Might not collect marginal (bad) blocks

Building a business case can involve which of the following?
· Procedures for gathering evidence
· Testing software
· Protecting trade secrets
· All of the above

All of the above

Policies can address rules for which of the following?
· When you can log on to a company network from home
· The Internet sites you can or can't access
· The amount of personal e-mail you can send
· Any of the above

All of the above

What are two concerns when acquiring data from a RAID server?

Any two of the following:
· Amount of data storage needed
· Type of RAID server
· Whether the acquisition tool can handle RAID acquisitions
· Whether the analysis tool can handle RAID data
· Whether the analysis tool can split RAID data into separate disk drives, making it easier to distribute large data sets

List three items that should be in an initial-response field kit.

Any three of the following:
· Small computer tool kit
· Large capacity drive
· IDE ribbon cables
· Forensic boot media
· Laptop or portable computer

List three items that should be in your case report.

Any three of the following:
○ An explanation of basic computer and network processes
○ A narrative of what steps you took
○ A description of your findings
○ Log files generated from your analysis tools

List three items that should be on an evidence custody form.

Any three of the following:
○ Case number
○ Name of the investigator assigned to the case
○ Nature of the case
○ Location evidence was obtained
○ Description of the evidence

List two popular certification programs for digital forensics.

Any two of the following:
· IACIS Certification
· ISFCE Certification
· GIAC Certification
· EnCE Certification
· ACE Certification

List two types of digital investigations typically conducted in a business environment.

Any two of the following:
○ Abuse or misuse of digital assets
○ E-mail abuse
○ Internet abuse

List two items that should appear on a warning banner.

Any two of the following:
○ Access to this system and network is restricted.
○ Use of this system and network is for official business only.
○ Systems and networks are subject to monitoring at any time by the owner.
○ Using this system implies consent to monitoring by the owner.
○ Unauthorized or illegal users of this system or network will be subject to discipline or prosecution.
○ Users of this system agree that they have no expectation of privacy relating to all activity performed on this system.

If a suspect computer is running Windows 10, which of the following can you perform safely?
· Browsing open applications
· Disconnecting power
· Either of the above
· None of the above

Browsing open applications

List two features common with proprietary format acquisition files.

Any two of the following:
· Can compress or not compress the acquisition data
· Can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD
· Case metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files

What do you call a list of people who have had physical possession of the evidence?

Chain of Custody

Describe what should be videotaped or sketched at a digital crime scene.

Computers, cable connections, overview of scene—anything that might be of interest to the investigation

If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following?
· Coordinate with the HAZMAT team.
· Determine a way to obtain the suspect's computer.
· Assume the suspect's computer is contaminated.
· Do not enter alone.

· Coordinate with the HAZMAT team
· Assume the suspect's computer is contaminated

With remote acquisitions, what problems should you be aware of? (Choose all that apply.)
· Data transfer speeds
· Access permissions over the network
· Antivirus, antispyware, and firewall programs
· The password of the remote computer's user

· Data transfer speeds
· Access permissions over the network
· Antivirus, antispyware, and firewall programs

When you perform an acquisition at a remote location, what should you consider to prepare for this task?

Determine whether there's enough electrical power and lighting and check the temperature and humidity at the location

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.

Any two of the following:
· EnCase
· SafeBack
· SnapCopy

Which forensics tools can connect to a suspect's remote computer and run surreptitiously?

· EnCase Enterprise
· ProDiscover Incident Response

Why is physical security so critical for digital forensics labs?

Evidence integrity

Of all the proprietary formats, which one is the unofficial standard?

Expert Witness

A forensic workstation should always have a direct broadband connection to the Internet. True or False?

False

Digital forensics and data recovery refer to the same activities. True or False?

False

Digital forensics facilities always have windows. True or False?

False

Evidence storage containers should have several master keys. True or False?

False

FTK Imager can acquire data in a drive's host protected area. True or False?

False

If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. True or False?

False

Small companies rarely need investigators. True or False?

False

The ANAB mandates the procedures established for a digital forensics lab. True or False?

False

The plain view doctrine in computer searches is well-established law. True or False?

False

Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?

False

You should always answer questions from onlookers at a crime scene. True or False?

False

You should always prove the allegations made by the person who hired you. True or False?

False

Police in the United States must use procedures that adhere to which of the following?
· Third Amendment
· Fourth Amendment
· First Amendment
· None of the above

Fourth Amendment

What does a sparse acquisition collect for an investigation?

Fragments of unallocated data in addition to the logical allocated data

In the Linux dcfldd command, which three options are used for validating data?

hash, hashlog, and vf

What's the main goal of a static acquisition?

If disk evidence is preserved correctly, static acquisitions are repeatable.

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?

Initial-response kit

What are the three rules for a forensic hash?

· It can't be predicted
· No two files can have the same hash value
· If the file changes, the hash value changes

List two hashing algorithms commonly used for forensic purposes

MD5 and SHA-1

The manager of a digital forensics lab is responsible for which of the following? (Choose all that apply.)
· Making necessary changes in lab procedures and software
· Ensuring that staff members have enough training to do the job
· Knowing the lab objectives
· None of the above

· Making necessary changes in lab procedures and software
· Ensuring that staff members have enough training to do the job
· Knowing the lab objectives

Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons?
· Most companies keep inventory databases of all hardware and software used.
· The investigator doesn't have to get a warrant.
· The investigator has to get a warrant.
· Users can load whatever they want on their machines.

Most companies keep inventory databases of all hardware and software used.

Which organization provides good information on safe storage containers?

NISPOM

With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB drive, containing evidence?

Newer Linux distributions automatically mount the USB device, which could alter data on it.

In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1

No. This command reads the image_file.img file and writes it to the evidence drive's /dev/hda1 partition. The correct command is dcfldd if=/dev/hda1 of=image_file.img.

What does a logical acquisition collect for an investigation?

Only specific files of interest to the case

What items should your business plan include?

Physical security items, such as evidence lockers; the number of machines needed; what OSs your lab commonly examines; why you need certain software; and how your lab will benefit the company (such as being able to quickly exonerate employees or discover whether they're guilty)

What is professional conduct, and why is it important?

Professional conduct includes ethics, morals, and standards of behavior. Your professional conduct as a digital investigator is critical because it determines your credibility.

Name the three formats for digital forensics data acquisitions.

· Raw format
· Proprietary formats
· Advanced Forensic Format (AFF)

Typically, a(n) __________ lab has a separate storage area or room for evidence.

Regional

What three items should you research before enlisting in a certification program?

· Requirements
· Cost
· Acceptability in your chosen area of employment

What should you consider when determining which data acquisition method to use?

· Size of the source drive
· Whether the source drive is retained as evidence
· How long the acquisition will take
· Where the disk evidence is located

What term refers to labs constructed to shield EMR emissions?

TEMPEST

What are the necessary components of a search warrant?

The notarized affidavit and the exhibits (evidence).

Why should you critique your case after it's finished?

To determine what improvements you made during each case, what could have been done differently, and how to apply those lessons to future cases.

Why is it a good practice to make two images of a suspect drive in a critical investigation?

To ensure at least one good copy of the forensically collected data in case of any failures

What's the purpose of maintaining a network of digital forensics specialists?

To have the option of calling on diversified specialists to help with a case.

Why should you do a standard risk assessment to prepare for an investigation?

To list the problems you normally expect in the type of case you're handling.

Why should evidence media be write-protected?

To make sure the data isn't altered.

When you arrive at the scene, why should you extract only those items you need to acquire evidence?

To minimize how much you have to keep track of at the scene

What's the purpose of an affidavit?

To provide a sworn statement in support of facts about evidence of a crime; it is submitted to a judge with the request for a search warrant before seizing evidence.

An employer can be held liable for e-mail harassment. True or False?

True

Commingling evidence means what in a private-sector setting?

True

Computer peripherals or attachments can contain DNA evidence. True or False?

True

Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?

True

EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?

True

For digital evidence, an evidence bag is typically made of antistatic material. True or False?

True

If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?

True

If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?

True

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. True or False?

True

Large digital forensics labs should have at least ___ exits.

Two

To determine the types of operating systems needed in your lab, list two sources of information you could use.

Uniform Crime Report statistics for your area and a list of cases handled in your area or at your company.

What's the most critical aspect of digital evidence?

Validation

The triad of computing security includes which of the following?
· Detection, response, and monitoring
· Vulnerability assessment, detection, and monitoring
· Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation
· Vulnerability assessment, intrusion response, and monitoring

Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation

In forensic hashes, when does a collision occur?

When two different files have the same hash value

As a private-sector investigator, you can become an agent of law enforcement when which of the following happens?
· You begin to take orders from a police detective without a warrant or subpoena.
· Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.
· Your internal investigation begins.
· None of the above.

You begin to take orders from a police detective without a warrant or subpoena.

Which of the following techniques might be used in covert surveillance?
· Keylogging
· Data sniffing
· Network logs
· All of the above

· Keylogging
· Data sniffing

What are some ways to determine the resources needed for an investigation?

○ Determine the OS of the suspect computer
○ List the necessary software to use for the examination
