Chapter 3

Question 1

What is the term for the unused space between the logical end of file and the physical end of file on a disk?

Answer 1

File slack

Question 2

What is the name of the principle that states that you cannot interact in an environment without leaving some trace?

Answer 2

Locard’s principle of transference

Question 3

What is the purpose of the Federal Rules of Evidence (FRE)?

Answer 3

Both A and B
A - To govern the admission of facts in U.S. federal court cases
B - To provide guidelines for the authentication and identification of evidence

Question 4

What does Rule 901 of the FRE require for the authentication or identification of an item of evidence?

Answer 4

A - Sufficient evidence to support a finding that the item is what the proponent claims it is
B - Testimony that an item is what it is claimed to be

Question 5

What does Item 1 in the Federal Rules of Evidence (FRE) refer to?

Answer 5

Expert testimony

Question 6

What is the significance of Item 9 in the FRE for computer forensics?

Answer 6

B - It emphasizes understanding how the tools work
C - It is critical for authenticating the process

Question 7

What is the first step in collecting evidence according to the order of volatility?

Answer 7

Collecting data from registers and cache

Question 8

What does volatility refer to in the context of digital forensics?

Answer 8

The ease with which data can change

Question 9

What is RFC 3227?

Answer 9

A document that presents guidelines for evidence collection and archiving

Question 10

What is the life span of information stored in computer memory?

Answer 10

1 millisecond

Question 11

What are the six classes in the DFRWS framework?

Answer 11

Identification, Preservation, Collection, Examination, Analysis, Presentation

Question 12

What are the primary phases of the Event-Based Digital Forensics Investigation Framework?

Answer 12

Readiness, Deployment, Physical Crime Scene Investigation, Digital Crime Scene Investigation, Presentation

Question 13

Why is file slack a potential security risk?

Answer 13

It contains residual information that is not necessarily overwritten when a new file is created

Question 14

What are the three basic tasks related to handling evidence for a system forensics specialist?

Answer 14

Finding, preserving, and preparing evidence

Question 15

What is the first step in any forensic investigation?

Answer 15

Making a copy of the suspected storage device

Question 16

What is an expert report?

Answer 16

A document that details the expert’s findings
A document that lists all items, documents, and evidence considered by the expert
A document that details tests performed, analysis done, and conclusions drawn by the expert

Question 17

What is ISO/IEC 27037:2012?

Answer 17

It’s a standard for digital forensics.

Question 18

What does ISO/IEC 27041:2015 provide guidance on?

Answer 18

Forensics methods and tools.

Question 19

What organization has a Computer Forensics Tool Testing Program?

Answer 19

National Institute of Standards and Technology.

Question 20

What is TEMPEST?

Answer 20

It’s a certification for equipment with EMR shielding.

Question 21

What is EnCase?

Answer 21

A forensic toolkit from Guidance Software

Question 22

What does EnCase use to verify the integrity of the entire disk image?

Answer 22

MD5 hash

Question 23

What is Forensic Toolkit (FTK) particularly useful for?

Answer 23

Cracking passwords

Question 24

What does FTK provide tools to search and analyze?

Answer 24

Windows Registry

Question 25

What is the purpose of Helix (for Linux only) in computer forensics?

Answer 25

To perform analysis on a suspect system

Question 26

What is one of the main functions of AnaDisk?

Answer 26

Analyzing disks for anomalies