System Forensics

Ace your homework & exams now with Quizwiz!

What name is given to a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification? A. Logical checking B. Inode scan C. Consistency checking D. File allocation checking

Consistency checking

Ben was browsing reviews on a sporting goods website from which he purchased items in the past. He saw a comment that read "Great price on camping gear! Read my review." When he clicked the associated link, a new window appeared and prompted him to log in again. What type of attack is most likely underway? A. Spear phishing B. Cross-site scripting (XSS) C. Denial of service (DoS) attack D. SYN flood

Cross-site scripting (XSS)

A CPU cache is not volatile, whereas a CD-ROM is volatile. (T or F)

False

A SYN flood is software that self-replicates. (T or F)

False

A brute-force attack on a polyalphabetic substitution cipher can deduce the length of the keyword used in the cipher. (T or F)

False

A sector is the basic unit of data storage on a hard disk, which is usually 64 KB. (T or F)

False

A swap file is an example of persistent data. (T or F)

False

A symbolic link is an inode that links directly to a specific file. (T or F)

False

Advanced Encryption Standard (AES) can have three different key sizes: 256, 512, or 1024 bits. (T or F)

False

An inode is a data structure in the Windows NTFS file system that stores all information about a file except its name and its actual data. (T or F)

False

Computer forensics is the exclusive domain of law enforcement. (T or F)

False

Consistency checking analysis is usually much slower than zero-knowledge analysis. (T or F)

False

Damage to how data is stored on a disk, such as file system corruption, is the definition of physical damage. (T or F)

False

Data Encryption Standard (DES) is a stream cipher. (T or F)

False

Denial of service (DoS) attack refers to the type of password crackers that work with pre-calculated hashes of all passwords available within a certain character space. (T or F)

False

Disk Investigator is a Linux Live CD that you use to boot a system and then use the tools. (T or F)

False

Disk forensics refers to the process of examining malicious computer code. (T or F)

False

During an attack, hackers break into computer systems and steal secret defense plans of the United States. This is an example of a Trojan horse. (T or F)

False

Essentially, the ROT13 cipher is a multialphabet cipher, consisting of 13 possible letters. (T or F)

False

From the perspective of digital forensics, changing the time or date stamp on a file does not alter the file. (T or F)

False

Identity theft refers to any software that monitors activity on a computer. (T or F)

False

If you change the extension of a file so it looks like some other type of file, you also change the file structure itself. (T or F)

False

In Windows, files that are moved to the Recycle Bin are permanently deleted. (T or F)

False

Internet forensics is the study of the source and content of email as evidence. (T or F)

False

It is legal to monitor the computers of adult relatives as long as they are living in your home. (T or F)

False

Kasiski examination is a nontechnical means of obtaining information you would not normally have access to. (T or F)

False

Kerckhoffs' principle states that the security of a cryptographic algorithm depends only on the secrecy of the algorithm. (T or F)

False

Life span refers to how long information is accurate. (T or F)

False

Logical damage control is a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification. (T or F)

False

Malware forensics is also known as Internet forensics. (T or F)

False

Malware that executes damage when a specific condition is met is the definition of a Trojan horse. (T or F)

False

Offline analysis is another term for live analysis. (T or F)

False

Ophcrack uses cross-site scripting to crack passwords. (T or F)

False

Residual information in file slack is always overwritten when a new file is created. (T or F)

False

Spyware software is legal, if used correctly. (T or F)

False

Storage servers in a forensics lab should be backed up at least once a month. (T or F)

False

The Electronic Communications Privacy Act of 1986 protects children 13 years of age and younger from the collection and use of their personal information by websites. (T or F)

False

The Federal Bureau of Investigation (FBI) is the premier federal agency tasked with combating cybercrime. (T or F)

False

The Feistel function encrypts data as a stream, one bit at a time. (T or F)

False

The Tribal Flood Network (TFN) is one of the most widely deployed viruses. (T or F)

False

The benefit of using automated forensic systems is that you do not have to know how to perform all forensic processes manually. (T or F)

False

The only way to clean random access memory (RAM) is with cleansing devices known as sweepers or scrubbers. (T or F)

False

The process of acquiring and analyzing information stored on physical storage media, such as computer hard drives or smartphones is the definition of anti-forensics. (T or F)

False

The start-up time for solid-state drives (SSDs) is usually much slower than for magnetic storage drives. (T or F)

False

The term distributed denial of service (DDoS) attack describes the process of connecting to a server that involves three packets being exchanged. (T or F)

False

The term transposition refers to the art and science of writing hidden messages. (T or F)

False

The underlying operating system of Mac OS X is based on Windows. (T or F)

False

The word cryptography is derived from the word kryptós, which means hidden, and the verb gráfo, which means picture. (T or F)

False

To achieve American Society of Crime Laboratory Directors (ASCLD) accreditation, a lab must meet about 40 criteria. (T or F)

False

Two techniques are common for recovering data after physical damage: consistency checking and zero-knowledge analysis. (T or F)

False

Viruses are difficult to locate but easy to trace back to the creator. (T or F)

False

When a file on a Windows drive is deleted, the data is removed from the drive. (T or F)

False

When seizing a suspect computer, you need to remove drives only if they are currently attached to cabling. (T or F)

False

With the consistency checking file system repair technique, a computer's file system is rebuilt from scratch using knowledge of an undamaged file system structure. (T or F)

False

Which of the following is true of hard drives? A. Clusters are always contiguous on a hard disk. B. File systems look at clusters, not sectors. C. Today, sectors are referred to as allocation units. D. The sector size on hard drives is either 1,024 or 2,048 bytes.

File systems look at clusters, not sectors.

What are attributes of a solid-state drive (SSD)? A. Tape storage and a read-only mode switch B. Microchips and magnetic storage C. Flash memory and microchips D. Reflective pits and flash memory

Flash memory and microchips

__________ is a Linux Live CD that you use to boot a system and then use the tools. It is a free Linux distribution, making it attractive to schools teaching forensics or laboratories on a strict budget. A. The Sleuth Kit B. Helix C. Disk Investigator D. Kali Linux

Kali Linux

What name is given to a method of attacking polyalphabetic substitution ciphers? This method can be used to deduce the length of the keyword used in a polyalphabetic substitution cipher. A. Cryptanalysis B. Substitution C. Euler's Totient D. Kasiski examination

Kasiski examination

Which operating system uses the ext file system natively? A. Linux B. UNIX C. Mac OS D. Windows

Linux

__________ is offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system. A. Logical analysis B. Encryption C. Physical analysis D. Steganography

Physical analysis

The __________ cipher is a single-alphabet substitution cipher that is a permutation of the Caesar cipher. All characters are rotated 13 characters through the alphabet. A. Scytale B. ROT13 C. Vigenère D. Atbash

ROT13

__________ is perhaps the most widely used public-key cryptography algorithm in existence today. A. Advanced Encryption Standard B. Diffie-Hellman C. Triple-DES (3DES) D. RSA

RSA

_________ is the method used by password crackers who work with pre-calculated hashes of all passwords possible within a certain character space. A. Denial of service (DoS) attack B. Rainbow table C. Phishing D. SQL injection

Rainbow Table

What term describes information that forensic specialists use to support or interpret real or documentary evidence? For example, a specialist might demonstrate that the fingerprints found on a keyboard are those of a specific individual. A. Digital evidence B. Testimonial evidence C. Documentary evidence D. The Daubert Standard

Testimonial evidence

__________ is the concept that any scientific evidence presented in a trial has to have been reviewed and tested by the relevant scientific community. A. Consistent scientific manner B. Demonstrative evidence C. The Daubert Standard D. Documentary evidence

The Daubert Standard

__________ sets standards for digital evidence processing, analysis, and diagnostics. A. New Technologies Incorporated (NTI) B. CompTIA C. The DoD Cyber Crime Center (DC3) D. The American Society of Crime Laboratory Directors (ASCLD)

The DoD Cyber Crime Center (DC3)

__________ refers to phishing with a specific, high-value target in mind. For example, the attacker may target the president or CEO of a company. A. Bank fraud B. Spear phishing C. Whaling D. Identity theft

Whaling

A symbolic link in Linux is similar to a ____________. A. Windows shortcut B. Mac OS hard link C. Windows metadata D. UNIX hard link

Windows shortcut

China Eagle Union is __________. A. a spyware program B. malware C. a Chinese cyberterrorism group D. a logic bomb

a Chinese cyberterrorism group

How you will gather evidence and which tools are most appropriate for a specific investigation are part of ___________. A. a forensic analysis plan B. the rules of evidence C. a curriculum vitae D. the expert report

a forensic analysis plan

Windows uses __________ on each system as a "scratch pad" to write data when additional random access memory (RAM) is needed. A. metadata B. a swap file C. an installed operating system D. a partition

a swap file

EIDE is _________. A. an operating system B. a type of magnetic drive C. a type of running process D. a file format

a type of magnetic drive

Use of __________ enables an investigator to reconstruct file fragments if files have been deleted or overwritten. A. the rules of evidence B. bit-level tools C. a null modem cable D. digital forensics framework

bit-level tools

Demonstrative evidence means information that helps explain other evidence. An example of demonstrative evidence is a chart that explains a technical concept to the judge and jury. (T or F)

True

Email evidence would be useful for investigating cyberstalking but not a denial of service (DoS) attack. (T or F)

True

File slack and slack space are the same thing. (T or F)

True

Forensically scrubbing a file or folder may involve overwriting data with random characters seven times. (T or F)

True

Fraud refers to a broad category of crime that can encompass many different activities, but essentially, any attempt to gain financial reward through deception. (T or F)

True

Helix is a customized Linux Live CD used for computer forensics. (T or F)

True

If a hard drive has been demagnetized, there is no way to recover the data. (T or F)

True

If an attacker doesn't spoof a MAC address, each packet sent in a denial of service (DoS) attack contains evidence of the machine from which it was launched. (T or F)

True

In a forensics lab, the machines being examined should not be connected to the Internet. (T or F)

True

In steganography, the term payload describes data to be covertly communicated. In other words, it is the message you want to hide. (T or F)

True

Incriminating evidence shows, or tends to show, a person's involvement in an act, or evidence that can establish guilt. (T or F)

True

Infinitely recursing directories is a symptom of logical damage to a file system. (T or F)

True

Investigators must authenticate documentary evidence. (T or F)

True

Linux file systems use hard links and symbolic links. (T or F)

True

Linux stores file content in blocks, which are similar to clusters in Windows NTFS. (T or F)

True

Logical damage to a disk is damage to how data is stored, for example, file system corruption. (T or F)

True

Logical damage to a file system is more common than physical damage. (T or F)

True

Macro and polymorphic are types of viruses. (T or F)

True

Making two copies of a suspect's drive, using two different imaging tools, can help to prove that evidence is accurate. (T or F)

True

Many USB drives come with a switch to put them in read-only mode. (T or F)

True

Modern cryptography is separated into two distinct groups: symmetric cryptography and asymmetric cryptography. (T or F)

True

Multialphabet ciphers are more secure than single-alphabet substitution ciphers; however, they are still not acceptable for modern cryptographic usage. (T or F)

True

One way to obscure information is to scramble it by encryption. (T or F)

True

Ophcrack is a tool that cracks local passwords on Windows systems. (T or F)

True

RAID 1 mirrors the contents of disks. (T or F)

True

Real evidence means physical objects that can be touched, held, or directly observed, such as a laptop with a suspect's fingerprints on it. (T or F)

True

SHA1 and SHA2 are currently the most widely used hashing algorithms. (T or F)

True

Solid-state drives (SSDs) are often used in tablets and in some laptops. (T or F)

True

The Caesar and Atbash ciphers are simple substitution ciphers. (T or F)

True

The Caesar cipher shifts each letter of a message by a certain number and substitutes the new alphabetic letter for the letter you are encrypting. (T or F)

True

The Federal Rules of Evidence (FRE) governs the admission of facts by which parties in the U.S. federal court system may prove their cases. (T or F)

True

The Linux dd command is commonly used to forensically wipe a drive. ( T or F)

True

The Linux netcat command reads and writes bits over a network connection. (T or F)

True

The Windows Registry is essentially a repository of all settings, software, and parameters for Windows. (T or F)

True

The act of wrongfully obtaining another person's personal data is a crime, with or without stealing any money. (T or F)

True

The first step in any computer forensic investigation is to make a copy of the suspected storage device. ( T or F)

True

The information in a routing table is more volatile than a network topology. (T or F)

True

The known plaintext attack is one method used to crack modern encryption. (T or F)

True

The life span of information may be as short as milliseconds to longer than one year. (T or F)

True

The objective in computer forensics is to recover, analyze, and present computer-based material in such a way that it can be used as evidence in a legal proceeding. (T or F)

True

The purpose of file carving is to extract the data from a single file from the larger set of data, that is, the entire disk or partition. (T or F)

True

The term scrubber refers to software that cleans unallocated drive space. (T or F)

True

To avoid changing a computer system while examining it, make a forensic copy and work with that copy. (T or F)

True

Turning off a computer while it is booting or shutting down can lead to logical damage of its file system. (T or F)

True

USB, or universal serial bus, is actually a connectivity technology, not a storage technology. (T or F)

True

Volatile memory is computer memory that requires power to maintain the data it holds.(T or F)

True

When determining when evidence was created, a forensic specialist should not trust a computer's internal clock or activity logs. (T or F)

True

When two files claim to share the same allocation unit (or cluster), one of the files is almost certain to lose data. (T or F)

True

You can make a bit-level copy of a computer hard drive using basic Linux commands. (T or F)

True

_______ is the area of a hard drive that has never been allocated for file storage. A. Temporary data B. Basic input/output system (BIOS) C. Unallocated space D. Volume slack

Unallocated space

One must be able to show the whereabouts and custody of evidence, how it was handled, stored and by whom, from the time the evidence is first seized by a law enforcement officer or civilian investigator until the moment it is shown in court. This is referred to as ________. A. real evidence B. consistent scientific manner C. demonstrative evidence D. chain of custody

chain of custody

The __________ is the continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered. A. documentary evidence B. chain of custody C. demonstrative evidence D. consistent scientific manner

chain of custody

The basic repair tool in Windows is _______. A. the TestDisk utility B. fsck C. Disk Utility D. chkdsk

chkdsk

An environment that has a controlled level of contamination, such as from dust, microbes, and other particles is the definition of a __________. A. test system B. recovery room C. clean room D. test room

clean room

The file allocation table is a list of entries that map to each __________ on the disk partition. A. cluster B. thread C. file D. node

cluster

Generally, __________ is considered to be the use of analytical and investigative techniques to identify, collect, examine, and preserve evidence or information that is magnetically stored or encoded. A. digital evidence B. testimonial evidence C. anti-forensics D. computer forensics

computer forensics

Any attempt to gain financial reward through deception is called ______. A. social engineering B. fraud C. identity theft D. cyberterrorism

fraud

The basic repair tool in Linux is _______. A. Disk Utility B. fsck C. the TestDisk utility D. chkdsk

fsck

The Linux/UNIX command __________ can be used to search for files or contents of files. A. scalpel B. diskdigger C. grep D. undelete

grep

Two of the easiest things to extract during __________ are a list of all website uniform resource locators (URLs) and a list of all email addresses on the computer. A. physical analysis B. logical analysis C. computer shutdown D. evidence determination

physical analysis

The __________ command is used to send a test network packet, or echo packet, to a machine to determine if the machine is reachable and how long the packet takes to reach the machine. A. ipconfig B. ping C. tracert D. traceroute

ping

A system forensics specialist has three basic tasks related to handling evidence: find evidence, preserve evidence, and __________ evidence. A. store B. secure C. prepare D. evaluate

prepare

Which file recovery tool works in Linux and Mac OS, and in Windows if you compile the source code? A. WinUndelete B. Diskdigger C. scalpel D. extundelete

scalpel

An example of volatile data is __________. A. state of network connections B. steganized files C. a hash D. a word processing file

state of network connections

People try to thwart investigators by using encryption to scramble information or _________ to hide information, or both together. A. scrubbers B. running processes C. steganography D. sweepers

steganography

In FAT and NTFS file systems, a __________ is used to map files to specific clusters where they are stored on the disk. A. table B. partition C. node D. cluster

table

In World War II, the Germans made use of an electromechanical rotor-based cipher system known as __________. A. symmetric cryptography B. the Feistel function C. Kerckhoffs' principle D. the Enigma machine

the Enigma machine

The type of medium used to hide data in steganography is referred to as __________. This may be a photo, video, sound file, or Voice over IP, for example. A. the carrier B. the payload C. the channel D. steganophony

the channel

A warrant is not needed when evidence is in plain sight. (T or F)

True

Advanced Encryption Standard (AES) is also known as the Rijndael block cipher. (T or F)

True

Advanced Encryption Standard (AES) with a 256-bit key is secure enough for commercial applications. (T or F)

True

After imaging a drive, you must always create a hash of the original and the copy. (T or F)

True

All modern block-cipher algorithms use both substitution and transposition. (T or F)

True

An MD5 hash taken when a computer drive is acquired is used to check for changes, alterations, or errors. (T or F)

True

An attacker may distribute a logic bomb via a Trojan horse. (T or F)

True

With respect to phishing, a good fictitious email gets a __________ response rate, according to the Federal Bureau of Investigation (FBI). A. 11 to 13 percent B. 16 to 20 percent C. 7 to 10 percent D. 1 to 3 percent

1 to 3 percent

The total number of possible keys for Data Encryption Standard (DES) is _________, which a modern computer system can break in a reasonable amount of time. A. 56 B. 128 C. 256 D. 64

256

The typical sector size of a modern hard drive is _______ bytes. A. 4,096 B. 512 C. 2,048 D. 1,024

4,096

Which of the following is NOT true of chain of custody forms? A. You typically need to use a separate chain of custody form for each drive you have removed from a suspect computer. B. A chain of custody form is a federal form and is therefore universal. C. Some forensic examiners use both an evidence form and a separate chain of custody form. D. A chain of custody form typically requires a signature.

A chain of custody form is a federal form and is therefore universal.

__________ is designed to render a target unreachable by legitimate users, not to provide the attacker access to the site. A. A logic bomb B. A denial of service (DoS) attack C. Identity theft D. A distributed denial of service (DDos) attack

A denial of service (DoS) attack

__________ is the cyber equivalent of vandalism. A. A denial of service (DoS) attack B. Social engineering C. A SQL injection attack D. Spyware

A denial of service (DoS) attack

What is the definition of Feistel function? A. A form of cryptography that encrypts the data as a stream, one bit at a time B. Cryptography wherein two keys are used: one to encrypt the message and another to decrypt it C. A cryptographic method in which someone chooses a number by which to shift each letter of a text in the alphabet and substitute the new letter for the letter being encrypted D. A method other than brute force to derive a cryptographic key

A form of cryptography that encrypts the data as a stream, one bit at a time

What is the definition of hash? A. A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions B. A utility that cleans unallocated space C. An analysis involving using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data D. The art and science of writing hidden messages

A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions

What is meant by symmetric cryptography? A. A method in which one key encrypts the message and another key decrypts it B. A method in which someone chooses a number by which to shift each letter of a text in the alphabet and substitute the new letter for the letter being encrypted C. A method in which the same key is used to encrypt and decrypt plaintext D. The art and science of writing hidden messages

A method in which the same key is used to encrypt and decrypt plaintext

__________ contains remnants of word processing documents, emails, Internet browsing activity, database entries, and almost any other work that has occurred during past Windows sessions. A. A swap file B. The master boot record (MBR) C. Metadata D. The basic input/output system (BIOS)

A swap file

What is meant by zero-knowledge analysis? A. The process of searching memory in real time, typically for working with compromised hosts or to identify system abuse B. A technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification C. Searching for specific text in binary files even if the file has a reference count of zero D. A technique for file system repair that involves recovering data from a damaged partition with limited knowledge of the file system

A technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification

Clusters in a Windows NTFS system are more likely to be overwritten as more time elapses after deletion. (T or F)

True

Which forensic certification is open to both the public and private sectors and is specific to the use and mastery of FTK? A. High Tech Crime Network Certified Computer Crime Investigator, Advanced B. AccessData Certified Examiner C. EC-Council Certified Hacking Forensic Investigator (CHFI) D. (ISC)2 CISSP certification

AccessData Certified Examiner

An expert witness who leaves information out of an expert report usually cannot testify about the information at trial. (T or F)

True

What is meant by distributed denial of service (DDoS) attack? A. Malware that executes damage when a specific condition is met B. A broad category of crime that can encompass many different activities, but essentially, any attempt to gain financial reward through deception C. The use of electronic communications to harass or threaten another person D. An attack in which the attacker seeks to infect several machines, and use those machines to overwhelm the target system to achieve a denial of service

An attack in which the attacker seeks to infect several machines, and use those machines to overwhelm the target system to achieve a denial of service

Susan is a hacker. After breaking into a computer system and running some hacking tools, she deleted several files she created to cover her tracks. What general term describes Susan's actions? A. Anti-forensics B. Live system forensics C. Data transformation D. Disk forensics

Anti-forensics

What is the definition of a virus, in relation to a computer? A. An attacker keeps sending SYN packets but never responds to the SYN/ACK packets it receives from the server B. An attack designed to overwhelm the target system so it can no longer reply to legitimate requests for connection C. Any software that self-replicates D. An attack in which the attacker seeks to infect several machines, and use those machines to overwhelm the target system to achieve a denial of service

Any software that self-replicates

__________ is cryptography wherein two keys are used: one to encrypt the message and another to decrypt it. A. Asymmetric cryptography B. Euler's Totient C. The Feistel cipher D. Symmetric cryptography

Asymmetric cryptography

The __________ cipher is a Hebrew code that substitutes the first letter of the alphabet for the last letter and the second letter for the second-to-last letter, and so forth. A. Scytale B. Caesar C. ROT13 D. Atbash

Atbash

The __________ is a federal wiretap law for traditional wired telephony that was expanded to include wireless, voice over internet protocol (VoIP), and other forms of electronic communications. A. Telecommunications Act of 1996 B. Communications Assistance for Law Enforcement Act of 1994 C. Federal Privacy Act of 1974 D. Wireless Communications and Public Safety Act of 1999

Communications Assistance for Law Enforcement Act of 1994

__________ is information at the level of 1s and 0s stored in computer memory or on a storage device. A. A cluster B. File slack C. A segment D. Bit-level information

Bit-level information

Paige is attempting to recover data from a failed hard disk. She removed the failed drive from the system on which it was installed, and then connected it to a test system. She made the connection by simply connecting the data and power cables but did not actually install the failed drive. What step should she perform next? A. Determine whether the failed drive is recognized and can be installed as an additional disk on the test system. B. Install the failed drive. C. Listen to the failed drive to determine whether the internal disks are spinning. D. Boot the test system from its own internal drive.

Boot the test system from its own internal drive.

_______ is an industry certification that focuses on knowledge of PC hardware. A. EC-Council Certified Hacking Forensic Investigator (CHFI) B. CompTIA A+ C. (ISC)2 CISSP D. Cisco Certified Network Associate

CompTIA A+

The __________ was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information. A. Telecommunications Act of 1996 B. Computer Security Act of 1987 C. Federal Privacy Act of 1974 D. USA Patriot Act

Computer Security Act of 1987

What term describes a method of using techniques other than brute force to derive a cryptographic key? A. Social engineering B. Cryptanalysis C. Kasiski examination D. Transposition

Cryptanalysis

__________ obfuscates a message so that it cannot be read. A. Steganography B. Substitution C. Cryptography D. Steganalysis

Cryptography

A suspect stores data where an investigator is unlikely to find it. What is this technique called? A. Data hiding B. Data destruction C. File system alteration D. Data transformation

Data destruction

The distribution of illegally copied materials via the Internet is known as __________. A. Cybercrime B. Fraud C. Data piracy D. Identity theft

Data piracy

Ed is an expert witness providing testimony in court. He uses a high-tech computer animation to explain a technical concept to the judge and jury. What type of evidence is Ed using? A. Demonstrative B. Testimonial C. Real D. Documentary

Demonstrative

Identification, preservation, collection, examination, analysis, and presentation are six classes in the matrix of the __________. A. Forensic Toolkit B. Federal Rules of Evidence (FRE) C. TEMPEST program D. Digital Forensic Research Workshop (DFRWS) framework

Digital Forensic Research Workshop (DFRWS) framework

__________ is information that has been processed and assembled to be relevant to an investigation, and that supports a specific finding or determination. A. The Daubert Standard B. Anti-forensics C. Expert testimony D. Digital evidence

Digital evidence

__________ is a free utility that comes as a graphical user interface for use with Windows operating systems. When you first launch the utility, it presents you with a cluster-by-cluster view of your hard drive in hexadecimal form. A. Kali Linux B. OSForensics C. Disk Investigator D. EnCase

Disk Investigator

The basic repair tool in Mac OS is _______. A. chkdsk B. fsck C. the TestDisk utility D. Disk Utility

Disk Utility

__________ is data stored as written matter, on paper or in electronic files. A. Documentary evidence B. Demonstrative evidence C. Real evidence D. Testimonial evidence

Documentary evidence

Jan is entering the digital forensics field and wants to pursue a general forensics certification. Which certification is BEST to start with? A. (ISC)2 CISSP B. EC-Council Certified Hacking Forensic Investigator (CHFI) C. High Tech Crime Network Certified Computer Crime Investigator, Advanced D. GIAC Certified Forensic Examiner (GCFE

EC-Council Certified Hacking Forensic Investigator (CHFI)

The __________ format is a proprietary file format defined by Guidance Software for use in its forensic tool to store hard drive images and individual files. A. The Advanced Forensic Format B. EnCase C. The Generic Forensic Zip D. IXimager

EnCase

__________ describes the total number of coprime numbers; two numbers are considered coprime if they have no common factors. A. Kasiski examination B. Caesar cipher C. Steganalysis D. Euler's Totient

Euler's Totient

What is a formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted? A. Expert report B. Rules of evidence C. Expert witness D. Curriculum vitae (CV)

Expert report

Jim is a forensic specialist. He seized a suspect computer from a crime scene, removed the hard drive and bagged it, documented and labeled the equipment, took photographs, completed a chain of custody form, and locked the computer in his car. On the way to the lab, he stopped to purchase supplies to use at the next crime scene. What did Jim do wrong? A. He made the drive susceptible to demagnetization by bagging it. B. He should have performed drive analysis at the scene. C. He left the computer unattended while shopping for supplies. D. He should not have removed the hard drive at the scene.

He left the computer unattended while shopping for supplies.

Which of the following requires certification candidates to take an approved training course, pass a written test, and submit to a review of the candidate's work history? A. EC-Council Certified Hacking Forensic Investigator (CHFI) B. GIAC certifications C. AccessData Certified Examiner D. High Tech Crime Network certifications

High Tech Crime Network certifications

What was designed as an area where computer vendors could store data that is shielded from user activities and operating system utilities, such as delete and format? A. Volume slack B. Master boot record (MBR) C. File slack D. Host protected area (HPA)

Host protected area (HPA)

Which of the following are subclasses of fraud? A. Investment offers and cyberstalking B. Cross-site scripting and data piracy C. Hacking and cyberterrorism D. Investment offers and data piracy

Investment offers and data piracy

What is NOT true of cyberstalking? A. The intent is to target a human victim, not a computer or network B. Occurs via social media or email C. Is not a criminal offense D. Involves repeated, threatening behavior

Is not a criminal offense

What is NOT true of random access memory (RAM)? A. It is volatile memory. B. It stores programs and data that are currently open. C. It retains items in memory for as long as the computer has power supplied to it. D. It cannot be changed.

It cannot be changed.

What is the process of searching memory in real time, typically for working with compromised hosts or to identify system abuse? A. Live system forensics B. Internet forensics C. Network forensics D. Disk forensics

Live system forensics

What term describes analysis performed on an evidence disk or a forensic duplicate using the native operating system? A. Network analysis B. Physical analysis C. Logical analysis D. Steganalysis

Logical analysis

The number 22 for SSH (Secure Shell) and 80 for Hypertext Transfer Protocol (HTTP) are examples of ________. A. Logical port numbers B. MAC addresses C. IP addresses D. Physical ports

Logical port numbers

What term describes data about information, such as disk partition structures and file tables? A. Potential storage B. Volatile memory C. Store data D. Metadata

Metadata

Windows 2000 and newer Windows operating systems use the __________ file system. A. Ext3 B. FAT32 C. FAT16 D. NTFS

NTFS

One principal of evidence gathering is to avoid changing the evidence. Which of the following is NOT true of evidence gathering? A. Label wires and sockets so you can put everything back as it was once you get computers and other equipment into the lab. B. Transport items carefully and avoid touching hard disks or CDs. C. Make exact bit-by-bit copies and store them on a medium such as a write-once CD. D. Photograph seized equipment after you set it up in the lab.

Photograph seized equipment after you set it up in the lab.

The __________ protects journalists from being required to turn over to law enforcement any work product and documentary material, including sources, before it is disseminated to the public. A. Communications Assistance for Law Enforcement Act of 1994 B. Privacy Protection Act of 1980 C. Federal Privacy Act of 1974 D. Electronic Communications Privacy Act of 1986

Privacy Protection Act of 1980

What version of RAID involves three or more striped disks with parity that protect data against the loss of any one disk? A. RAID 3 or 4 B. RAID 1+0 C. RAID 0 D. RAID 1

RAID 3 or 4

__________ govern whether, when, how, and why proof of a legal case can be placed before a judge or jury. A. General principles B. Common practices C. Forensic specialists D. Rules of evidence

Rules of evidence

Which of the following BEST defines rules of evidence? A. Information that has been processed and assembled so that it is relevant to an investigation and supports a specific finding or determination B. A term that refers to how long evidence will last C. A formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted as well as the specialist's own curriculum vitae (CV) D. Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury

Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury

The __________ contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies. A. Computer Security Act of 1987 B. Sarbanes-Oxley Act of 2002 C. Privacy Protection Act of 1980 D. Federal Privacy Act of 1974

Sarbanes-Oxley Act of 2002

When gathering systems evidence, what is NOT a common principle? A. Search throughout a device. B. Avoid changing the evidence. C. Determine when evidence was created. D. Trust only virtual evidence.

Search throughout a device.

Before imaging a drive, you must forensically wipe the target drive to ensure no residual data remains. (T or F)

True

What uses microchips that retain data in non-volatile memory chips and contains no moving parts? A. Integrated Drive Electronics (IDE) B. Parallel Advanced Technology Attachment (PATA) C. Serial Advanced Technology Attachment (SATA) D. Solid-state drive (SSD)

Solid-state drive (SSD)

What is a type of targeted phishing attack in which the criminal targets a specific group; forexample, IT staff at a bank? A. Service attack B. Spoofing C. Spear phishing D. Whaling

Spear phishing

Aditya is a digital forensics specialist. He is investigating the computer of an identity theft victim. What should he look for first? A. Evidence of an SQL injection attack B. A logic bomb C. Stolen files D. Spyware

Spyware

__________ is the process of analyzing a file or files for hidden content. A. Steganophony B. Symmetric cryptography C. Asymmetric cryptography D. Steganalysis

Steganalysis

________ is the art and science of writing hidden messages. A. Cryptanalysis B. Steganography C. Social engineering D. Steganophony

Steganography

__________ is a term that refers to hiding messages in sound files. A. Symmetric cryptography B. Asymmetric cryptography C. Steganography D. Steganophony

Steganophony

When gathering evidence in a forensic investigation, working with a drive image is safer than working with the original drive. (T or F)

T

What term describes data that an operating system creates and overwrites without the computer user directly saving this data? A. Persistent data B. Scrubbed data C. Metadata D. Temporary data

Temporary data

In steganography, what is meant by carrier? A. The type of medium used to send covert communications B. Using the last bit or least significant bit to store data C. The information to be covertly communicated D. The signal, stream, or data file in which the payload is hidden

The signal, stream, or data file in which the payload is hidden

What is the definition of transposition in terms of cryptography? A. The determination of whether a file or communication hides other information B. The swapping of blocks of ciphertext C. A method of using techniques other than brute force to derive a cryptographic key D. The art and science of writing hidden messages

The swapping of blocks of ciphertext

A forensic certification is meant to demonstrate a baseline of competence. (T or F)

True

A test system is a functional system compatible with the hard drive from which someone is trying to recover data. (T or F)

True

The process of connecting to a server and exchanging packets containing acknowledgment (ACK) and synchronize (SYN) flags is called: A. Distributed denial of service (DDoS) attack B. Three-way handshake C. Phishing D. SYN flood attack

Three-way handshake

A DVD is a type of optical media. (T or F)

True

A block cipher is a form of cryptography that encrypts data in blocks. (T or F)

True

A denial of service (DoS) attack typically does NOT harm data on the target server. (T or F)

True

A distributed denial of service (DDoS) attack is possible with traditional telephone systems by using an automatic dialer to tie up target phone lines. (T or F)

True

The __________ cipher is a method of encrypting alphabetic text by using a series of different monoalphabetic ciphers selected based on the letters of a keyword. A. The ROT13 B. The Atbash C. Vigenère D. The Scytale

Vigenère

What kind of data changes rapidly and may be lost when the machine that holds it is powered down? A. Persistent data B. A hash C. Volatile data D. Non-volatile data

Volatile data

According to the order of volatility in RFC 3227, what evidence should you collect first on a typical system? A. System state backup, then Registry B. Memory dumps, then file system C. Volatile data, then file slack D. Registry, then volatile data

Volatile data, then file slack

This is the space that remains on a hard drive if the partitions do not use all the available space. A. Host protected area B. Unallocated space C. File slack D. Volume slack

Volume slack

Which of the following is NOT true of file carving? A. Most file carving utilities look for file headers or footers, and then pull out data that is found between these two boundaries. B. File carving is a common method of data recovery particularly when the file metadata has been damaged. C. You can perform file carving on Windows and Linux files systems, but not Mac OS. D. File carving is often used to recover data from a disk where there has been some damage or where the file itself is corrupt.

You can perform file carving on Windows and Linux files systems, but not Mac OS.

When attempting to recover a failed drive, which of the following is NOT true? A. If the failed drive installs properly on a test system, copy all directories and files to a different hard drive on the test system. B. If the failed drive's disks are spinning, that's an indication that a catastrophic failure has not occurred. C. If the drive fails on one system but installs on another, the drive may have failed because of a power supply failure or corruption of the operating system. D. You should connect the failed drive to a test system and make the failed drive bootable.

You should connect the failed drive to a test system and make the failed drive bootable.

The use of electronic communications to harass or threaten another person is the definition of __________. A. denial of service (DoS) attack B. cyberstalking C. rainbow table D. logic bomb

cyberstalking

A SYN flood is an example of a(n) _______. A. distributed denial of service (DDoS) attack B. denial of service (DoS) attack C. SQL injection D. virus

denial of service (DoS) attack

The term ______ refers to testimony taken from a witness or party to a case before a trial. A. real evidence B. deposition C. documentary evidence D. expert report

deposition

Most often, criminals commit __________ in order to perpetrate some kind of financial fraud. A. identity theft B. harassment C. service attacks D. cyberterrorism

identity theft

A(n) __________ is a data structure in the Linux file system that stores all the information about a file except its name and actual data. A. partition B. inode C. table D. cluster

inode

Forensic investigators who collect data as evidence must understand the __________ of information, which refers to how long it is valid. A. life span B. volatility C. slack space D. bit-level

life span

Malware that executes damage when a specific condition is met is the definition of __________. A. SYN attack B. rainbow table C. denial of service (DoS) attack D. logic bomb

logic bomb


Related study sets

Session 9 GI Nurse Prac Exam 3 (part 2)

View Set

Adult 2- Lower GI Problems practice questions

View Set

Peronality Disorders and Manipulation

View Set

EMT Chapter 17 & 18 - Neurologic Emergencies, Gastrointestinal and Urologic Emergencies

View Set

Civil Engineering Materials (Kelli)

View Set

Abdominal vasculature/wall & GI tract

View Set