Exam SET D Flashcards
One important tool of computer forensics is the disk image backup. The disk image backup is:
A. Copying the system files
B. Conducting a bit-level copy, sector by sector
C. Copying and authenticating the system files
D. Copying the disk directory
Answer: B
Explanation: Copying sector by sector at the bit level provides the capability to examine slack space, undeleted clusters and possibly, deleted files. With answer a, only the system files are copied and the other information recovered in answer b would not be captured.
Answer “Copying the disk directory” does not capture the data on the disk, and answer “Copying and authenticating the system files” has the same problem as answer “Copying the system files”. Actually, authenticating the system files is another step in the computer forensics process wherein a message digest is generated for all system directories and files to be able to validate the integrity of the information at a later time. This authentication should be conducted using a backup copy of the disk and not the original to avoid modifying information on the original. For review purposes, computer forensics is the collecting of information from and about computer systems that is admissible in a court of law.
In the U.S. Federal Rules of Evidence, Rule 803 (6) permits an exception to the Hearsay Rule regarding business records and computer records.
Which one of the following is NOT a requirement for business or computer records exception under Rule 803 (6)?
A. Relied upon in the regular course of business
B. Made by a person with information transmitted by a person with knowledge
C. Made only by a person with knowledge of the records
D. Made during the regular conduct of business and authenticated by witnesses familiar with their use
Answer: C
Explanation: The business or computer records may be made by a person with information transmitted by a person with knowledge, also. The other answers are requirements for exceptions to the Hearsay Rule.
How many times should a diskette be formatted to comply with TCSEC Orange Book object reuse recommendations?
A. Five
B. Nine
C. Three
D. Seven
Answer: D
Explanation: The correct answer is 7. Most computer certification and accreditation standards recommend that diskettes be formatted seven times to prevent any possibility of data remanence.
Individual privacy rights as defined in the HIPAA Privacy Rule include consent and authorization by the patient for the release of PHI. The difference between consent and authorization as used in the Privacy Rule is:
A. Consent grants general permission to use or disclose PHI, and authorization limits permission to the purposes and the parties specified in the authorization.
B. Consent grants general permission to use or disclose PHI, and authorization limits permission to the purposes specified in the authorization.
C. Authorization grants general permission to use or disclose PHI, and consent limits permission to the purposes and the parties specified in the consent.
D. Consent grants general permission to use or disclose PHI, and authorization limits permission to the parties specified in the authorization.
Answer: A
Explanation: Answer b is therefore incorrect. Answer c is incorrect since the limits to authorization do not include the parties concerned. Answer d is incorrect since the limits to authorization do not include the specified purposes. The other individual privacy rights listed in the HIPAA Privacy Rule are:
Notice (of the covered entity's privacy practices)
Right to request restriction
Right of access
Right to amend
Right to an accounting
In August of 2002, the U.S. Department of Health and Human Services (HHS) modified the Privacy Rule to ease the requirements of consent and allow the covered entities to use notice. The changes are summarized as follows:
Covered entities must provide patients with notice of the patients' privacy rights and the privacy practices of the covered entity.
Direct treatment providers must make a good faith effort to obtain patients' written acknowledgement of the notice of privacy rights and practices. (The Rule does not prescribe a form of written acknowledgement; the patient may sign a separate sheet or initial a cover sheet of the notice.)
Mandatory consent requirements that would inhibit patient access to health care are removed, while covered entities keep the option of developing a consent process that works for that entity.
If the provider cannot obtain a written acknowledgement, it must document its good faith efforts to obtain one and the reason for its inability to obtain the acknowledgement.
Consent requirements already in place may continue.
Which type of fire detector sends an alarm when the temperature of the room rises dramatically?
A. Odor-sensing
B. Heat-sensing
C. Smoke-actuated
D. Flame-actuated
Answer: B
Explanation: A rate-of-rise detector triggers an alarm when the ambient temperature of a room increases rapidly. Another type of heat-sensing detector, a fixed temperature device, sends an alarm when the temperature passes a predetermined level.
Which of the following is NOT one of the European Union (EU) privacy principles?
A. Individuals have the right to correct errors contained in their personal data.
B. Information collected about an individual can be disclosed to other organizations or individuals unless specifically prohibited by the individual.
C. Individuals are entitled to receive a report on the information that is held about them.
D. Data transmission of personal information to locations where equivalent personal data protection cannot be assured is prohibited.
Answer: B
Explanation: This principle is stated as an opt-out principle in which the individual has to take action to prevent information from being circulated to other organizations. The correct corresponding European Union principle states that information collected about an individual cannot be disclosed to other organizations or individuals unless authorized by law or by consent of the individual. Thus, the individual would have to take an active role or opt-in to authorize the disclosure of information to other organizations. The other principles are valid EU privacy principles.
Which of the following more closely describes the combustibles in a Class B-rated fire?
A. Gas
B. Paper
C. Liquid
D. Electrical
Answer: C
Explanation: The correct answer is C. Paper is described as a common combustible and is therefore rated a Class A fire. An electrical fire is rated Class C. Gas is not defined as a combustible.
Which of the following is NOT a form of data erasure?
A. Remanence
B. Purging
C. Clearing
D. Destruction
Answer: A
Explanation: Clearing refers to the overwriting of data media intended to be reused in the same organization. Purging refers to degaussing or overwriting media intended to be removed from the organization. Destruction refers to completely destroying the media.
During the investigation of a computer crime, audit trails can be very useful. To ensure that the audit information can be used as evidence, certain procedures must be followed. Which of the following is NOT one of these procedures?
A. Mechanisms should be in place to protect the integrity of the audit trail information.
B. The audit trail information must be used during the normal course of business.
C. There must be a valid organizational security policy in place and in use that defines the use of the audit information.
D. Audit trails should be viewed prior to the image backup.
Answer: D
Explanation: The image backup should be done first in order not to modify any information on the hard disk. For example, the authentication process applied to a hard disk can change the time of last access information on files. Thus, authentication should be applied to a disk image copy.
What does an audit trail or access log usually NOT record?
A. How often a diskette was formatted
B. Whether the attempt was successful
C. The date and time of the access attempt
D. Who attempted access
Answer: A
Explanation: The correct answer is how often a diskette was formatted. The other three answers are common elements of an access log or audit trail.
Under Civil Law, the victim is NOT entitled to which of the following types of damages?
A. Compensatory
B. Punitive
C. Statutory
D. Imprisonment of the offender
Answer: D
Explanation: Imprisonment or probation is not a type of punishment available for conviction of a civil crime. Answer a refers to awards set by law. Answer b, punitive damages, are usually determined by the jury and are intended to punish the offender. Compensatory awards are used to provide restitution and compensate the victim for such items as costs of investigations and attorneys' fees.
Which of the following is NOT the proper suppression medium for a Class B fire?
A. Halon
B. Water
C. Soda Acid
D. CO2
Answer: B
Explanation: The correct answer is Water. Water is not a proper suppression medium for a Class B fire. The other three are commonly used.
A surge can be defined as a(n):
A. Momentary power loss
B. Steady interfering disturbance
C. Prolonged high voltage
D. Initial surge of power at start
Answer: C
Explanation: The correct answer is “Prolonged high voltage”. Answer “initial surge of power at start”, or power on, is called an inrush. A momentary power loss is a fault. A steady interfering disturbance is called noise.
In order for evidence to be admissible in a court of law, it must be relevant, legally permissible, reliable, properly identified, and properly preserved. Reliability of evidence means that:
A. It must tend to prove a material fact; the evidence is related to the crime in that it shows that the crime has been committed, can provide information describing the crime, can provide information as to the perpetrators motives, can verify what had occurred, and so on.
B. The evidence is identified without changing or damaging the evidence.
C. The evidence is not subject to damage or destruction.
D. The evidence has not been tampered with or modified.
Answer: D
Explanation: This requirement is a critical issue with computer evidence since computer data may be easily modified without having an indication that a change has taken place. Answer a defines the relevancy of evidence, answer b describes the identification of evidence, and answer d describes the preservation of evidence.
Because of the nature of information that is stored on the computer, the investigation and prosecution of computer criminal cases have specific characteristics, one of which is:
A. The information is intangible.
B. The investigation does not usually interfere with the normal conduct of the business of an organization.
C. Evidence is usually easy to gather.
D. Investigators and prosecutors have a longer time frame for the investigation.
Answer: A
Explanation: The information is stored in memory on the computer and is intangible, as opposed to a physical object. Answer a is incorrect since investigators and prosecutors are under time pressure to gather evidence and proceed to prosecution. If the suspect is alerted, he or she may do damage to the system or destroy important evidence. Search warrants may have to be obtained by law enforcement to search the suspect's home and workplace and seize computers and disks. Answer c is incorrect since an investigation will interfere with the normal conduct of business. Some of the ways in which an investigation may affect an organization are:
The organization will have to provide experts to work with law enforcement.
Information key to the criminal investigation may be co-resident on the same computer system as information critical to the day-to-day operation of the organization.
Proprietary data may be subject to disclosure.
Management may be exposed if they have not exercised Due Care to protect information resources.
There may be negative publicity that will be harmful to the organization.
Answer d is incorrect. Evidence is difficult to gather since it is intangible and easily subject to modification or destruction.
It is estimated that the Asia/Pacific region accounts for about $4 billion worth of loss of income to software publishers due to software piracy. As with the Internet, cross-jurisdictional law enforcement issues make investigating and prosecuting such crime difficult. Which of the following items is NOT an issue in stopping overseas software piracy?
A. Lack of a central, nongovernmental organization to address the issue of software piracy.
B. Obtaining the cooperation of foreign law enforcement agencies and foreign governments.
C. The producers of the illegal copies of software are dealing in larger and larger quantities, resulting in faster deliveries of illicit software.
D. The quality of the illegal copies of the software is improving, making it more difficult for purchasers to differentiate between legal and illegal products.
Answer: A
Explanation: The Business Software Alliance (BSA) is a nongovernmental anti-software-piracy organization (www.bsa.org). The mission statement of the BSA is: The Business Software Alliance is an international organization representing leading software and e-commerce developers in 65 countries around the world. Established in 1988, BSA has offices in the United States, Europe, and Asia. . . . Our efforts include educating computer users about software copyrights; advocating public policy that fosters innovation and expands trade opportunities; and fighting software piracy.
The proposed HIPAA Security Rule mandates the protection of the confidentiality, integrity, and availability of protected health information (PHI) through three of the following activities. Which of the activities is NOT included under the proposed HIPAA Security Rule?
A. Technical services and mechanisms
B. Physical safeguards
C. Administrative procedures
D. Appointment of a Privacy Officer
Answer: D
Explanation: HIPAA separates the activities of Security and Privacy. HIPAA Security is mandated under the main categories listed in answers a, b, and c. The proposed HIPAA Security Rule mandates the appointment of a Security Officer. The HIPAA Privacy Rule mandates the appointment of a Privacy Officer. HIPAA Privacy covers individually identifiable health care information transmitted or stored in electronic, paper, or oral form. PHI may not be disclosed except for the following reasons:
Disclosure is approved by the individual
Permitted by the legislation
For treatment
Payment
Health care operations
As required by law
Protected Health Information (PHI) is individually identifiable health information that is:
Transmitted by electronic media
Maintained in any medium described in the definition of electronic media [under HIPAA]
Transmitted or maintained in any other form or medium
Which is NOT considered a physical intrusion detection method?
A. Wave pattern motion detector
B. Audio motion detector
C. Photoelectric sensor
D. Line supervision
Answer: D
Explanation: Line supervision is the monitoring of the alarm signaling transmission medium to detect tampering. Audio detectors monitor a room for any abnormal sound wave generation.
Photoelectric sensors receive a beam of light from a light-emitting device. Wave pattern motion detectors generate a wave pattern and send an alarm if the pattern is disturbed.
The definition “A mark used in the sale or advertising of services to identify the services of one person and distinguish them from the services of others” refers to a:
A. Trade name
B. Trademark
C. Service mark
D. Copyright
Answer: C
Explanation: Answer “a trademark” is a distinctive mark of authenticity, through which the products of particular manufacturers or the vendible commodities of particular merchants may be distinguished from those of others. Answer “a trade name” is any designation which is adopted and used by a person to denominate goods which he markets, or services which he renders, or business which he conducts. A trade name is descriptive of a manufacturer or dealer and applies to business and goodwill. A trademark is applicable only to vendible commodities. Answer “a copyright” is an intangible, incorporeal right granted by statute to the author or originator of certain literary or artistic productions, whereby he is invested, for a statutorily prescribed period, with the sole and exclusive privilege of multiplying copies of the same and publishing and selling them. (These definitions were also taken from Black's Law Dictionary, Abridged Fifth Edition, West Publishing Company, St. Paul, Minnesota, 1983.)
In the context of legal proceedings and trial practice, discovery refers to:
A. The process in which the prosecution presents information it has uncovered to the defense, including potential witnesses, reports resulting from the investigation, evidence, and so on
B. The process undertaken by the investigators to acquire evidence needed for prosecution of a case
C. The process of obtaining information on potential and existing employees using background checks
D. A step in the computer forensic process
Answer: A
Explanation: The key words are legal proceedings and trial practice. Information and property obtained in the investigation by law enforcement officials must be turned over to the defense. For some information that is proprietary to an organization, restrictions can be placed on who has access to the data. The other answers are forms of the investigative process. During an investigation, answers “The process undertaken by the investigators to acquire evidence needed for prosecution of a case” and “A step in the computer forensic process” are appropriate definitions of discovery.
Which of the following is NOT a goal of the Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA) of 1996?
A. Provide for restricted access by the patient to personal healthcare information
B. Enable the portability of health insurance
C. Establish strong penalties for healthcare fraud
D. Administrative simplification
Answer: A
Explanation: HIPAA is designed to provide for greater access by the patient to personal healthcare information. In answer b, administrative simplification, the goal is to improve the efficiency and effectiveness of the healthcare system by:
Standardizing the exchange of administrative and financial data
Protecting the security and privacy of individually identifiable health information
Answers c and d are self-explanatory.
Which medium below is the most sensitive to damage from temperature?
A. Computer hardware
B. Sheet rock
C. Floppy diskettes
D. Paper products
Answer: C
Explanation: Of the four choices, magnetic media is the most sensitive to damage from heat, smoke, water, and humidity.
Which of the following is an example of a smart card?
A. A bank ATM card
B. A library card
C. An employee photo ID
D. A driver's license
Answer: A
Explanation: The correct answer is “A bank ATM card”. The other three cards are dumb cards because it is assumed that they contain no electronics, magnetic stripes, or integrated circuits.
Which is NOT an element of two-factor authentication?
A. Something you are
B. Something you have
C. Something you know
D. Something you ate
Answer: D
Explanation:
Which of the following is NOT a definition or characteristic of Due Care?
A. It may and often does require extraordinary care.
B. Implies that a party has been guilty of a violation of the law in relation to the subject-matter or transaction.
C. That care which an ordinary prudent person would have exercised under the same or similar circumstances.
D. Just, proper, and sufficient care, so far as the circumstances demand it.
Answer: B
Explanation: Due Care implies that not only has a party not been negligent or careless, but also that he/she has been guilty of no violation of law in relation to the subject matter or transaction which constitutes the cause of action. Due Care and Reasonable Care are used interchangeably. The definitions of Due Care given in the other answers are from Black's Law Dictionary, Abridged Fifth Edition, West Publishing Company, St. Paul, Minnesota, 1983.
Which of the following is NOT considered an acceptable replacement for Halon discharge systems?
A. Halon 1301
B. Argon (IG55)
C. FA200
D. Inergen (IG541)
Answer: A
Explanation: Existing installations are encouraged to replace Halon 1301 with one of the substitutes listed.
The U.S. Uniform Computer Information Transactions Act (UCITA) is a:
A. Model act that is intended to apply uniform legislation to electronic credit transactions
B. Model act that is intended to apply uniform legislation to software licensing
C. Model act that addresses electronic transactions conducted by financial institutions
D. Model act that addresses digital signatures
Answer: B
Explanation: The National Commissioners on Uniform State Laws (NCUSL) voted to approve the Uniform Computer Information Transactions Act (UCITA) on July 29, 1999. This legislation, which will have to be enacted state-by-state, will greatly affect libraries' access to and use of software packages. It also will keep in place the current licensing practices of software vendors. At the present time, shrink-wrap or click-wrap licenses limit rights that are normally granted under copyright law. Under Section 109 of the U.S. 1976 Copyright Act, the first sale provision permits the owner of a particular copy, without the authority of the copyright owner, to sell or otherwise dispose of the possession of that copy. However, the software manufacturers use the term license in their transactions. As opposed to the word sale, the term license denotes that the software manufacturers are permitting users to use a copy of their software. Thus, the software vendor still owns the software. Until each state enacts the legislation, it is not clear if shrink-wrap licenses that restrict users' rights under copyright law are legally enforceable. For clarification, shrink-wrap licenses physically accompany a disk, while click-on and active click-wrap licenses are usually transmitted electronically. Sometimes, the term shrink-wrap is interpreted to mean both physical and electronic licenses to use software. The focus of the UCITA legislation is not on the physical media, but on the information contained on the media.
The theft of a laptop poses a threat to which tenet of the C.I.A. triad?
A. All of the above
B. Availability
C. Integrity
D. Confidentiality
Answer: A
Explanation: The correct answer is confidentiality, because the data can now be read by someone outside of a monitored environment; availability, because the user has lost the computing ability provided by the unit; and integrity, because the data residing on and any telecommunications from the portable are now suspect.
Which choice below BEST describes the process of data purging?
A. Complete physical destruction of the media
B. Reusing data storage media after its initial use
C. Overwriting of data media intended to be reused in the same organization or area
D. Degaussing or thoroughly overwriting media intended to be removed from the control of the organization or area
Answer: D
Explanation: Answer “Overwriting of data media intended to be reused in the same organization or area” refers to data clearing. Answer “Complete physical destruction of the media” describes data destruction. Answer “Reusing data storage media after its initial use” describes object reuse.
Law enforcement officials in the United States, up until passage of the Patriot Act (see Question 9), had extensive restrictions on search and seizure as established in the Fourth Amendment to the U.S. Constitution. These restrictions are still, essentially, more severe than those on private citizens, who are not agents of a government entity. Thus, internal investigators in an organization or private investigators are not subject to the same restrictions as government officials. Private individuals are not normally held to the same standards regarding search and seizure since they are not conducting an unconstitutional government search.
However, there are certain exceptions where the Fourth Amendment applies to private citizens if they act as agents of the government/police.
Which of the following is NOT one of these exceptions?
A. The private individual conducts a warrantless search of company property for the company.
B. The private individual conducts a search that would require a search warrant if conducted by a government entity.
C. The government is aware of the intent to search or is aware of a search conducted by the private individual and does not object to these actions.
D. The private individual performs the search to aid the government.
Answer: A
Explanation: Since the private individual, say an employee of the company, conducts a search for evidence on property that is owned by the company and is not acting as an agent of the government, a warrantless search is permitted. The Fourth Amendment does not apply. For review, the Fourth Amendment guarantees: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. The exigent circumstances doctrine provides an exception to these guarantees if destruction of evidence is imminent. Then, a warrantless search and seizure of evidence can be conducted if there is probable cause to suspect criminal activity. The other answers describe exceptions where the private individual is subject to the Fourth Amendment guarantees.
Which of the following is NOT a form of computer/network surveillance?
A. Use of CCTV cameras
B. Use of network sniffers
C. Keyboard monitoring
D. Review of audit logs
Answer: A
Explanation: CCTV cameras fall under the category of physical surveillance. Answers a and b are forms of active surveillance. These types of surveillance require an organizational policy informing the employees that the surveillance is being conducted. Additionally, warning banners describing the surveillance at log-on to a computer or network should be prominently displayed. These banners usually state that by logging on, the user acknowledges the warning and agrees to the monitoring. Answer “Review of audit logs” is a passive form of computer/network surveillance.
The Internet Activities Board (IAB) considers which of the following behaviors relative to the Internet as unethical?
A. Negligence in the conduct of Internet experiments
B. Record keeping in which an individual cannot find out what information concerning that individual is in the record
C. Improper dissemination and use of identifiable personal data
D. Record keeping whose very existence is secret
Answer: A
Explanation: The IAB document, Ethics and the Internet (RFC 1087), listed as unethical behaviors that:
Seek to gain unauthorized access to the resources of the Internet
Destroy the integrity of computer-based information
Disrupt the intended use of the Internet
Waste resources such as people, capacity and computers through such actions
Compromise the privacy of users
Involve negligence in the conduct of Internet-wide experiments
The other answers are taken from the Code of Fair Information Practices of the U.S. Department of Health, Education and Welfare.
Which of the following alternatives should NOT be used by law enforcement to gain access to a password?
A. Contacting the developer of the software for information to gain access to the computer or network through a back door
B. Compelling the suspect to provide the password
C. Data manipulation and trial procedures applied to the original version of the system hard disk
D. Using password cracker software
Answer: C
Explanation: The original disk of a computer involved in a criminal investigation should not be used for any experimental purposes since data may be modified or destroyed. Any operations should be conducted on a copy of the system disk. However, the other answers are the preferred methods of gaining access to a password-protected system. Interestingly, in answer b, there is legal precedent to order a suspect to provide the password of a computer that is in the custody of law enforcement.
Which is NOT a recommended way to dispose of unwanted used data media?
A. Copying new data over existing data on diskettes
B. Formatting diskettes seven or more times
C. Shredding paper reports by cleared personnel
D. Destroying CD-ROMs
Answer: A
Explanation: The correct answer is copying new data over existing data on diskettes. While this method might overwrite the older files, if the new data file is smaller than the older data file, recoverable data might exist past the file end marker of the new file.
The recommended optimal relative humidity range for computer operations is:
A. 40% to 60%
B. 10% to 30%
C. 30% to 40%
D. 60% to 80%
Answer: A
Explanation: The correct answer is C. 40% to 60% relative humidity is recommended for safe computer operations. Too low humidity can create static discharge problems, and too high humidity can create condensation and electrical contact problems.
Which is NOT a type of fire detector?
A. Smoke-actuated
B. Flame-actuated
C. Gas-discharge
D. Heat-sensing
Answer: C
Explanation: The correct answer is Gas-discharge. Gas-discharge is a type of fire extinguishing system, not a fire detection system.
Which type of fire extinguishing method contains standing water in the pipe, and therefore generally does not enable a manual shutdown of systems before discharge?
A. Dry Pipe
B. Deluge
C. Wet pipe
D. Preaction
Answer: C
Explanation: The other three are variations on a dry pipe discharge method with the water not standing in the pipe until a fire is detected.
Which type of control below is NOT an example of a physical security access control?
A. Guard dog
B. Audit trail
C. Retinal scanner
D. Five-key programmable lock
Answer: B
Explanation:
A brownout can be defined as a:
A. Prolonged low voltage.
B. Prolonged power loss.
C. Momentary high voltage.
D. Momentary low voltage.
Answer: A
Explanation: The correct answer is “Prolonged low voltage”. Answer “prolonged power loss” is a blackout. Answer “momentary low voltage” is a sag. Answer “momentary high voltage” is a spike.
Why should extensive exterior perimeter lighting of entrances or parking areas be installed?
A. To enable programmable locks to be used
B. To create two-factor authentication
C. To discourage prowlers or casual intruders
D. To prevent data remanence
Answer: C
Explanation: The other answers have nothing to do with lighting.