Unit 1
Digital Forensics
A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?
Reasonable suspicion that a law or policy is being violated
At a minimum, what do most company policies require that employers have in order to initiate an investigation?
1/2 mile
At what distance can the EMR from a computer monitor be picked up?
Monthly, quarterly, and annually
At what levels should lab costs be broken down?
The digital forensics lab
At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?
requires the time and skills necessary to support the chosen hardware.
Building your own forensics workstation:
50%
By what percentage can lossless compression reduce image file size?
USB 2.0/3.0
Devices used to prevent data from being written to a disk can connect to a computer through FireWire, SATA, PATA, and SCSI controllers as well as which other type of controller?
TEMPEST
During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. What did the U.S. Department of Defense call this special computer-emission shielding?
TIF
From which file format is the image format XIF derived
ZBR
How do most manufacturers deal with a platter's inner tracks having smaller circumference than its outer tracks?
Every 3 years
How frequently does IACIS require recertification to demonstrate continuing work in the field of computer forensics?
at least once a week
How frequently should floors and carpets in the computer forensics lab be cleaned to help minimize dust that can cause static electricity?
As literary works
How may computer programs be registered under copyright laws?
Examining the file header data
If a graphics file cannot be opened in an image viewer, what should the next step be?
dir
In Windows 2000 and later, which command shows you the file owner if you have multiple users on a system or network?
NTFS
In addition to FAT16, FAT32, and Resilient File System, which file system can windows hard disks also use?
RAID 1
In addition to RAID 0, what type of RAID configuration is available for windows XP, 2000, and NT servers and workstations?
safety
In addition to environmental issues, what issues are the investigator's primary concerns when working at the scene to gather information about an incident or a crime?
sha1sum
In addition to md5sum, which hashtag algorithm utility is included with current distributions of Linux?
1024
In the NTFS MFT, all files and folders are stored in separate records of how many bytes each?
Exif
In what format are most digital photographs stored?
Building a business case
In what process is the acquisition of newer and better resources for investigation justified?
RAID 0
In which RAID configuration do two or more disk drives become one large volume, so the computer views the disks as a single disk?
RAID 15
In which RAID configuration offers the greatest access speed and the most robust data recovery capability?
RAID 10
In which RAID configuration, also called mirrored striping, is a combination of RAID 1 and RAID 0?
password dictionary
Many password recovery tools have a feature for generating potential password lists for which type of attack?
RAID
Methods for restoring large data sets are important for labs using which type of servers?
An older Windows or MS-DOS system
Power should not be cut during an investigation involving a love computer, unless it is what type of system?
data runs
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. What are these cluster addresses called?
IBM
The first MS-DOS tools that analyzed and extracted data from floppy disks and hard disks were used with which type of PC file systems?
professional curiosity
The presence of police officers and other professionals who are not part of the crime scene-processing team may result in the loss or corruption of data through which process?
They are business records
Under what circumstances are digital records considered admissible?
Certified Computer Forensic Technician, Basic
What HTCN certification level requires candidates have three years of experience in computing investigations for law enforcement or corporate cases?
dd
What Linux command is used to create the raw data format?
Hyperdata, Metadata, Infodata
What are records in the MFT called?
dd
What command creates a raw format file that most computer forensics analysis tools can read?
man
What command displays pages from the online help manual for information on Linux commands and their options?
dcfldd
What command works similarly to the dd command but has many features designed for computer forensics acquisitions?
Device Drivers
What contains instructions for the OS for hardware devices, such as the keyboard, mouse, and video card?
Whole Disk Encryption
What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult?
A warrant
What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?
Line of authority
What do published company policies provide for a business that enables them to conduct internal investigations?
A portable workstation
What do you call a forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation?
MD5
What does Autopsy use to validate an image?
an affidavit
What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?
Virtual Machine
What enables the user to run another OS on an existing physical computer by emulating a computer's hardware environment?
Professional conduct
What investigator characteristic, which includes ethics, morals, and standards of behavior, determines the investigator's credibility?
steg tools
What is another term for steganalysis tools?
misuse of digital assets
What is most often the focus of digital investigations in the private sector?
MFT
What is on an NTFS disk immediately after the Partition Boot Sector?
Sniffing data transmissions between a suspect's computer and network server.
What is required for real-time surveillance of a suspect's computer activity?
Write-blockers
What is the general term for software or hardware that is used to protect evidence disks by preventing data from being written to them?
36 months
What is the maximum amount of time computing components are designed to last in normal business hours?
Disk-to-image file copy
What is the most common and flexible data-acquisition method?
EFS
What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced?
SHA-1
What is the primary hash algorithm used by the NIST project created to collect all known hash values for commercial software and OS files?
Demosaicing
What is the process of converting raw picture data to another format called?
Use a hexadecimal editor
What is the simplest way to access a file header?
prosecution
What is the third stage of a criminal case, after the complaint and the investigation?
secure facility
What kind of forensic investigation lab best preserves the integrity of evidence?
Vector Graphics
What kinds of images are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes?
Steel
What material is recommended for secure storage containers and cabinets?
A report
What must be created to complete a forensic disk analysis and examination?
It must be notarized
What must be done, under oath, to verify that the information in the affidavit is true?
DriveSpace
What older Microsoft disk compression tool eliminates only slack disk space between files?
IACIS
What organization was created by police officers in order to formalize credentials for digital investigators?
Configuration management
What process refers to recording all the updates made to a workstation?
Uniform crime reports
What reports are generated at the local, state, and federal levels to show the types and frequency of crimes committed?
Boot.ini
What specifies the Windows XP path installation and contains options for selecting the Windows version?
probable cause
What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest?
Steganography
What technique has been used to protect copyrighted material by inserting digital watermarks into a file?
Linux Live CDs
What term refers to Linux ISO images that can be burned to a CD or DVD?
cylinder
What term refers to a column of tracks on two or more disk platters?
End user
What term refers to a person using a computer to perform routine tasks other than systems administration?
carving
What term refers to recovering fragments of a file?
authorized requester
What term refers to the individual who has the power to conduct digital forensic investigations?
areal density
What term refers to the number of bits in one square inch of a disk platter?
Graphics editors
What tools are used to create, modify, and save bitmap, vector and metafile graphics?
Live
What type of acquisition is used for most remote acquisitions?
SPARC
What type of disk is commonly used with Sun Solaris systems?
physical
What type of evidence do courts consider evidence data in a computer to be?
Event Logs
What type of files might lose essential network activity records if power is terminated without proper shutdown?
An extensive-response field kit
What type of kit should include all the tools the investigator can afford to take to the field?
Copyright
What type of laws should computer investigators be especially aware of when working with image files in order to avoid infringement violations?
Disaster Recovery
What type of plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing?
computer-stored records
What type of records are considered data that the system maintains, such as system log files and proxy server logs?
A warning banner
What usually appears when a computer starts or connects to the company intranet, networks, or VPN and informs end users that the organization reserves the right to inspect computer systems and network traffic at will?
An initial-response field kit
What will allow the investigator to arrive at the scene, acquire the needed data, and return to the lab as quickly as possible?
The registry
When Microsoft created Windows 95, into what were initialization (.ini) files consolidated?
Exhibits
When an investigator seeks a search warrant, which of the following must be included in an affidavit to support the allegation of a crime?
commingled data
When confidential business data are included with the criminal evidence, what are they referred to as?
Business Records Exception
When federal courts are evaluating digital evidence from computer-generated records, what exception is applied to hearsay?
80 degrees or higher
When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action?
US DOJ
When seizing computer evidence in criminal investigations, which organization's standards should be followed?
1960s
When was the Freedom of Information Act originally enacted?
An image file
Where do software forensic tools copy data from a suspect's disk drive?
An off-site facility
Where should your computer backups be kept?
JPEG
Which JFIF format has a hexadecimal value of FFD8 FFE0 in the first four bytes?
CFTT
Which NIST project manages research on froensics tools?
CTIN
Which Pacific Northwest agency meets to discuss problems that digital forensics examiners encounter?
FAT
Which acronym refers to the file structure database that Microsoft originally designed for floppy disks?
NTFS
Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?
Risk management
Which activity involves determining how much risk is acceptable for any process or operation?
Filtering
Which activity involves sorting and searching through investigation findings to separate good data and suspicious data?
IACIS (International Association of Computer Investigative Specialists)
Which agency introduced training on software for forensics investigations by the early 1990s?
recovery certificate
Which certificate provides a mechanism for recovering files encrypted with EFS if there is a problem with the user's original private key?
Insertion
Which data-hiding technique places data from the secret file into the host file without displaying the secret data when the host file is viewed in its associated program?
Substitution
Which data-hiding technique replaces bits of the host file with other bits of data?
Tableau T35es-R2 SATA/IDE eSATA bridge
Which digital forensics tool is categorized as a single-purpose hardware component?
Silver Platter Doctrine
Which doctrine, found to be unconstitutional, was used to allow a civilian or private-sector investigative agent to deliver evidence obtained in a manner that violated the Fourth Amendment to a law enforcement agency?
NIST
Which entity publishes articles, provides tools, and creates procedures for testing and validating computer forensics software?
Computer Analysis and Response Team (CART)
Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?
Ntdetect.com
Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr?
User32.sys
Which filename refers to a core Win32 subsystem DLL file?
Ntdll.dll
Which filename refers to the Windows XP system service dispatch stubs to executable functions and internal support functions?
NTBootdd.sys
Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that are not related to the BIOS?
Ntkrnlpa.exe
Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM?
Digital investigations
Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?
Forensics investigators
Which group often works as part of a team to secure an organization's computers and networks?
XIF
Which header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 6E 64 20 03?
Bitmap
Which images store graphics information as grids of pixels?
Investigating and controlling the scene is much easier in private sector environments
Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes?
forums and blogs
Which resource can be helpful when investigating older and unusual computing systems?
ISO 5725
Which standards document demands accuracy for all aspects of the testing process?
Sparse acquisition
Which technique can be used to extracting evidence from large systems?
Steganography
Which term refers to a data-hiding technique that uses host files to cover the contents of a secret message?
Allegation
Which term refers to an accusation or supposition of fact that a crime has been committed and is made by the complainant, based on the incident?
Magnet AXIOM
Which tool enables the investigator to acquire the forensic image and process it in the same step?
criminal
Which type of case involves charges such as burglary, murder, or molestation?
Lossy
Which type of compression compresses data permanently by discarding bits of information in the file?
Disk-to-image
Which type of copy from the suspect disk to a target location does the simplest method of duplicating a disk drive make?
disk editor
Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format?
"A"
Which uppercase letter has a hexadecimal value of 41?
Privacy
Without a warning banner, what right might employees assume they have when using a company's computer systems and network accesses?
sparse
if your time is limited, what type of acquisition data copy method should you consider?
hash
what option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512?
Live
which type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?
static
which type of acquisition is typically done on a computer seized during a police raid?
Proprietary
which type of format acquisition leaves the investigator unable to share an image between different vendors' computer forensics analysis tools?