Digital Forensics Flashcards

1
Q

Which of the following is a unique challenge of cloud forensics that is not encountered in traditional forensic investigations?

A. Jurisdiction of storage
B. A lack of frameworks and specialist tools
C. A lack of data control
D. All of the above

A

D. All of the above

2
Q

The information in a computer system’s event logs can yield valuable evidence because such logs record events and transactions that have occurred on the computer.

A. True
B. False

A

True

3
Q

During the analysis phase in digital forensic investigations, the fraud examiner should look for exculpatory evidence but not inculpatory evidence.

A. True
B. False

A

False

4
Q

Which of the following is TRUE regarding the types of information that digital forensic experts can typically recover from computer systems?

A. Digital forensic experts can recover time and date information about files, such as when they were created or modified
B. Digital forensic experts can recover information about websites that were visited on the computer system
C. Digital forensic experts can recover deleted emails, link files, and documents
D. All of the above

A

D. All of the above

5
Q

When seizing a computer that is running, a fraud examiner should generally NOT search the computer for evidence because doing so might damage and taint relevant evidence.

A. True
B. False

A

True

6
Q

If you are seizing a computer for forensic analysis, it is generally unnecessary to seize printers connected to it.

A. True
B. False

A

False

7
Q

Which of the following is a matter that fraud examiners should consider when engaging in examinations involving computers?

A. Whether law enforcement should be notified
B. What to look for and where to look for it
C. Whether an outside digital forensic expert is needed
D. All of the above

A

D. All of the above

8
Q

Forensic analysis should NOT be performed directly on suspect devices because doing so can alter or damage digital evidence.

A. True
B. False

A

True

9
Q

Which of the following is the MOST ACCURATE statement about the types of information that digital forensic experts can typically recover from computer systems?

A. Hidden files can never be recovered.
B. Communications sent via instant message or email cannot be recovered.
C. Data that are corrupted cannot be uncorrupted.
D. Deleted files that have been overwritten generally cannot be recovered.

A

D. Deleted files that have been overwritten generally cannot be recovered.

10
Q

When seizing a running computer for forensic examination, the seizing party should perform a graceful shutdown by turning off the computer using the normal shutdown process.

A. True
B. False

A

False

11
Q

During the analysis phase in digital forensic investigations, it is BEST to use just one forensic tool for identifying, extracting, and collecting digital evidence.

A. True
B. False

A

False

12
Q

When a digital forensic examiner is seizing a running computer for examination, they can retrieve data from the computer while the system is powered on and operating normally if the evidence needed exists only in the form of volatile data (such as memory contents, running processes, or open network connections).

A. True
B. False

A

True

13
Q

When seizing a computer for examination, the seizing party should look around the area for passwords because many people leave passwords written down near their computers.

A. True
B. False

A

True

14
Q

During the analysis phase in digital forensic investigations, the fraud examiner’s primary concern is to protect the collected information from seizure.

A. True
B. False

A

False

15
Q

Even if files have been deleted from a target computer, it might be possible to recover those files.

A. True
B. False

A

True
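Cards 9 and 15 together state the practical rule: a normally deleted file is usually recoverable because only its directory entry is gone, while a file whose clusters have since been overwritten generally is not. The example below is added here to illustrate that and is not part of the original flashcard set. It carves files from raw bytes by header/footer signature, ignoring the file system. The JPEG and PNG magic bytes are the real ones; the "disk image", the cluster layout, the file names and the payloads are constructed for the demonstration.

```python
# Header/footer signatures. The JPEG and PNG magic bytes are the real ones;
# the disk layout and files below are constructed for the example.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
CLUSTER = 512  # constructed cluster size


def carve(image, max_len=1 << 20):
    """Recover files from raw bytes by signature, ignoring the file system entirely.

    Returns a list of (type, offset, data) sorted by offset. A deleted file whose
    clusters were not reused still has header and footer in place and is carved;
    a file whose clusters were overwritten has no intact header and is not found.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start == -1:
                break
            end = image.find(tail, start + len(head), start + max_len)
            if end == -1:
                pos = start + len(head)  # header with no footer in range: keep scanning
                continue
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def build_image(files):
    """Lay files out on cluster boundaries; return (image, directory {name: (offset, length)})."""
    image, directory = bytearray(), {}
    for name, data in files.items():
        directory[name] = (len(image), len(data))
        image += data + b"\x00" * (-len(data) % CLUSTER)
    return image, directory


def delete_entry(directory, name):
    """A normal delete removes the directory entry and leaves the clusters untouched."""
    return {k: v for k, v in directory.items() if k != name}


def overwrite_clusters(image, offset, length):
    """Cluster reuse by a later file (or a wiping tool) destroys the content in place."""
    image[offset:offset + length] = b"\x00" * length


def demo():
    """Delete a file (entry only), carve it back, then overwrite its clusters and carve again."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-PAYLOAD" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-PAYLOAD" * 40 + b"IEND\xaeB`\x82"
    image, directory = build_image({"photo.jpg": jpg, "chart.png": png})
    jpg_off, jpg_len = directory["photo.jpg"]

    directory = delete_entry(directory, "photo.jpg")  # "deleted" by the user
    # The file system no longer lists photo.jpg, but carving still returns it byte-for-byte.
    after_delete = [(kind, data == jpg) for kind, _, data in carve(bytes(image)) if kind == "jpg"]

    overwrite_clusters(image, jpg_off, jpg_len)  # clusters reused by later activity
    after_overwrite = [kind for kind, _, _ in carve(bytes(image))]
    return sorted(directory), after_delete, after_overwrite
```

The same scan works on a real raw image read from disk; the limits are the same as on the card: carving finds data whose bytes still exist, and nothing brings back clusters that have been overwritten.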

16
Q

Internet browsers create _____________, which store information about websites that a user has visited and images previously viewed online.

A. Operating system files
B. Temporary files
C. Event logs
D. System logs

A

B. Temporary files

17
Q

Which of the following is TRUE about using computer-created metadata in digital forensic investigations?

A. Metadata can help determine who edited or made changes to a document
B. Metadata can help determine when a document was copied and moved
C. Metadata can help determine who created or accessed a document
D. All of the above

A

D. All of the above
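Cards 4 and 17 rely on file-system timestamps and other metadata to show when a document was created, modified, copied or moved. The following example is added here and is not from the original flashcard set; it uses only the Python standard library and a constructed sample document. It reads the timestamps the operating system keeps for a file, then copies the file two ways to show which timestamps survive a copy and which one always betrays when the copy was made.

```python
import os
import shutil
import tempfile
from datetime import datetime, timezone

OLD = 1577880000  # 2020-01-01 12:00:00 UTC: the constructed document's original modification time


def timestamps(path):
    """Read the timestamps the file system keeps for `path`, as UTC ISO-8601 strings.

    mtime: last content modification. atime: last access (often not updated on
    modern systems). ctime: on Linux/macOS the last inode (metadata) change, on
    Windows the creation time. The examiner must know which meaning applies.
    """
    st = os.stat(path)

    def iso(t):
        return datetime.fromtimestamp(t, timezone.utc).isoformat(timespec="seconds")

    return {"mtime": iso(st.st_mtime), "atime": iso(st.st_atime), "ctime": iso(st.st_ctime)}


def demo():
    """Copy a backdated document two ways and report which timestamps survive."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "memo.docx")
        with open(original, "wb") as f:
            f.write(b"constructed sample document")
        os.utime(original, (OLD, OLD))  # backdate atime and mtime to the 'original' date

        plain = os.path.join(d, "memo_copy.docx")
        preserved = os.path.join(d, "memo_copy2.docx")
        shutil.copy(original, plain)        # content only: the copy gets the time of copying as mtime
        shutil.copy2(original, preserved)   # content plus atime/mtime, as a careful copy tool would do

        orig_mtime = os.stat(original).st_mtime
        return {
            "plain_copy_keeps_mtime": abs(os.stat(plain).st_mtime - orig_mtime) < 1,
            "copy2_keeps_mtime": abs(os.stat(preserved).st_mtime - orig_mtime) < 1,
            # ctime is set by the kernel and cannot be carried over, so even the
            # 'preserved' copy records when the copy itself was made.
            "copy2_ctime_is_recent": os.stat(preserved).st_ctime > OLD + 86400,
            "original": timestamps(original),
            "plain": timestamps(plain),
            "preserved": timestamps(preserved),
        }
```

The point for the examiner: an mtime older than the file's ctime (or creation time on Windows) is a typical sign that the document was copied or moved onto this system after it was last edited, which is exactly the kind of inference card 17 describes. Embedded application metadata (author, last-saved-by, revision count inside the document itself) is a separate layer from these file-system timestamps and is read with format-specific tools.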

18
Q

Which of the following BEST describes the image acquisition process used in examinations involving digital evidence?

A. Taking photos of the digital equipment’s physical layout and connections
B. Creating an exact duplicate of the original storage media
C. Acquiring the digital evidence from the suspect
D. Analyzing the system’s data to identify evidence

A

B. Creating an exact duplicate of the original storage media
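Card 18's answer, an exact duplicate of the original media, is only useful if the examiner can prove it is exact, which is done by hashing the source as it is read and hashing the finished image again. The example below is added here and is not from the original flashcard set. It streams a constructed "drive" into an image file, records SHA-256 digests of both, re-verifies the image before analysis, and shows that a single altered byte in the image is detected. Analysis then proceeds on the image (card 8), never on the original. Opening the source read-only in software is not a substitute for a hardware write blocker; the assumption here is that the caller already has read-only access to the original.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB reads: media is streamed, never loaded whole

# Known-answer check: SHA-256("abc"). Validating the hashing routine against a
# published test vector before trusting it is part of tool validation.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Duplicate `source` byte-for-byte into `image`.

    The source is hashed as it is read and the finished image is hashed again
    from disk; matching digests are the proof that the duplicate is exact.
    open(..., "rb") merely refrains from writing; on a real acquisition a
    hardware write blocker enforces read-only access to the original media.
    Returns (source_hash, image_hash).
    """
    src = hashlib.sha256()
    with open(source, "rb") as fin, open(image, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            src.update(chunk)
            fout.write(chunk)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the bytes are on disk before hashing the image
    return src.hexdigest(), sha256_of(image)


def verify_image(acquisition_hash, image):
    """Re-hash the image (e.g. before each analysis session) against the recorded digest."""
    return sha256_of(image) == acquisition_hash


def demo():
    """Acquire a constructed 'drive', verify the image, then detect one altered byte."""
    with tempfile.TemporaryDirectory() as d:
        kat = os.path.join(d, "kat.bin")
        with open(kat, "wb") as f:
            f.write(b"abc")
        kat_ok = sha256_of(kat) == SHA256_ABC  # tool validation before use

        drive = os.path.join(d, "suspect_drive.bin")  # constructed sample media
        image = os.path.join(d, "suspect_drive.dd")
        with open(drive, "wb") as f:
            f.write(bytes(range(256)) * 800)  # 200 KiB of deterministic content
        src_hash, img_hash = acquire_image(drive, image)
        intact = src_hash == img_hash and verify_image(src_hash, image)

        # Analysis done on the image without write protection: one byte flips.
        with open(image, "r+b") as f:
            f.seek(4096)
            b = f.read(1)[0]
            f.seek(4096)
            f.write(bytes([b ^ 0xFF]))
        tamper_detected = not verify_image(src_hash, image)
        return kat_ok, intact, tamper_detected
```

In practice the acquisition hash is written into the evidence log together with the device details and photographs from card 27, and the examiner works from a second copy of the verified image so the first stays pristine.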

19
Q

Ashton, a digital forensic examiner for Cadence Irrigation, is conducting an internal investigation into the alleged theft of trade secrets from Cadence. Kirby, a Cadence employee, is the prime suspect. Ashton decides to seize Kirby’s work computer for forensic examination. If, at the time of seizure, Kirby’s computer is off, then Ashton should turn it on before seizing it.

A. True
B. False

A

False

20
Q

Which of the following steps should a fraud examiner take prior to seizing evidence in a digital forensic investigation to ensure its admissibility?

A. Consider potential privacy issues related to the item(s) being searched.
B. Determine appropriate remote evidence collection procedures and legal considerations.
C. Ensure that only trained professionals use any digital forensic tools.
D. All of the above are steps that should be taken prior to seizing evidence.

A

D. All of the above are steps that should be taken prior to seizing evidence.

21
Q

Digital forensic investigations in cloud environments can be complicated by the jurisdiction of storage, as cloud providers commonly store data in servers across multiple jurisdictions.

A. True
B. False

A

True

22
Q

Because digital evidence is different from tangible evidence, the rules regarding its admissibility in court are very different from the rules governing the admissibility of tangible evidence.

A. True
B. False

A

False

23
Q

Tangible evidence is more volatile than digital evidence because tangible information is subject to claims of spoliation whereas digital evidence is not.

A. True
B. False

A

False

24
Q

Encryption refers to procedures used to convert information using an algorithm (called a cipher) that makes the information unreadable to anyone who does not hold the corresponding key.

A. True
B. False

A

True

25
Q

Fraud examiners should take which of the following steps when securing a computer to help ensure that the machine can be fully analyzed?

A. Examine and document the machine’s surroundings
B. Implement a system to manage the evidence
C. Inspect the machine for traps
D. All of the above

A

D. All of the above

26
Q

Which of the following computer event logs records events executed on an operating system, such as starting up and shutting down, configuration updates, and system crashes?

A. Application log
B. System log
C. Security log
D. None of the above

A

B. System log
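Cards 2 and 26 describe event logs as a record of what happened on a machine, with the System log in particular recording startups, shutdowns and crashes. The example below is added here and is not from the original flashcard set. It rebuilds a boot/shutdown timeline from a constructed CSV export of Windows System-log records. The event IDs used (6005, 6006, 1074, 6008 and 41) are real Windows identifiers with the documented meanings noted in the comments; the timestamps, host name, user name and message text are constructed for the example.

```python
import csv
import io
import re
from datetime import datetime

# Windows System-log event IDs that bound a power session (documented meanings).
BOOT = 6005            # EventLog service started: the machine came up
CLEAN_STOP = 6006      # EventLog service stopped: orderly shutdown
SHUTDOWN_REQ = 1074    # User32: a user or process requested shutdown/restart
UNCLEAN = {6008: "previous shutdown was unexpected",
           41: "Kernel-Power: rebooted without a clean shutdown"}

# Constructed export: a clean session, then a session that ended in a crash/power loss.
SAMPLE_EXPORT = """\
time,source,event_id,message
2024-03-04T08:02:11,EventLog,6005,The Event log service was started.
2024-03-04T17:45:02,User32,1074,The process explorer.exe (WS01) has initiated the shutdown of computer WS01 on behalf of user CADENCE\\kirby for the following reason: Other (Unplanned)
2024-03-04T17:45:20,EventLog,6006,The Event log service was stopped.
2024-03-05T07:58:40,EventLog,6005,The Event log service was started.
2024-03-05T23:12:09,EventLog,6005,The Event log service was started.
2024-03-05T23:12:10,EventLog,6008,The previous system shutdown at 22:40:51 on 2024-03-05 was unexpected.
2024-03-05T23:12:12,Microsoft-Windows-Kernel-Power,41,The system has rebooted without cleanly shutting down first.
"""


def parse_events(text):
    """Parse the CSV export into dicts and order them by time (exports are not always sorted)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"time": datetime.fromisoformat(r["time"]), "source": r["source"],
                     "event_id": int(r["event_id"]), "message": r["message"]})
    return sorted(rows, key=lambda r: r["time"])


def power_sessions(events):
    """Walk the ordered events and rebuild each power session.

    A session starts at 6005. It ends cleanly at 6006; a 6005 arriving while a
    session is still open means the previous session never logged its shutdown,
    which is treated as unclean. 6008 and 41 are written at the *next* boot and
    describe the previous session, so they are attached to it as evidence.
    """
    sessions, current = [], None
    for ev in events:
        eid = ev["event_id"]
        if eid == BOOT:
            if current is not None:
                if current["end"] is None:
                    current["end"] = "unclean"
                sessions.append(current)
            current = {"boot": ev["time"], "shutdown": None, "end": None,
                       "actor": None, "evidence": []}
        elif current is None:
            continue  # records before the first boot in the export
        elif eid == SHUTDOWN_REQ:
            m = re.search(r"on behalf of user (\S+)", ev["message"])
            current["actor"] = m.group(1) if m else "unknown"
        elif eid == CLEAN_STOP:
            current["shutdown"], current["end"] = ev["time"], "clean"
        elif eid in UNCLEAN and sessions:
            sessions[-1]["evidence"].append(eid)
            sessions[-1]["end"] = "unclean"
    if current is not None:
        if current["end"] is None:
            current["end"] = "open (no shutdown recorded)"
        sessions.append(current)
    return sessions
```

Running `power_sessions(parse_events(SAMPLE_EXPORT))` yields three sessions: a clean one whose shutdown was requested on behalf of CADENCE\kirby, one that ended without a 6006 and is corroborated by 6008 and 41 at the following boot, and the session that was still running when the export was taken. The same boundaries are what an examiner uses to decide whether a user was logged on, and the machine powered, at the time of an alleged act.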

27
Q

Before removing a computer system from a scene for further analysis, it is important to document the system’s setup with photographs or diagrams.

A. True
B. False

A

True

28
Q

Similar to traditional forensics, cloud forensics has step-by-step frameworks and specialist tools designed to operate within the cloud environment that enable fraud examiners to locate and preserve data in the cloud.

A. True
B. False

A

False

29
Q

If you are seizing a computer for forensic analysis, it is generally unnecessary to seize copiers connected to it.

A. True
B. False

A

False

30
Q

Generally, the rules of admissibility for digital evidence are stricter than such rules for tangible evidence.

A. True
B. False

A

False