Final Exam Flashcards
By the 1970s electronic crimes were increasing especially in the financial sector.
True
To be a successful computer forensics investigator you must be familiar with more than one computing platform.
True
Computer investigations and forensics fall into the same category: public investigations.
False
The law of search and seizure protects the rights of all people excluding people suspected of crimes.
False
After a judge approves and signs a search warrant, it’s ready to be executed, meaning you can collect evidence as defined by the warrant.
True
Maintaining credibility means you must form and sustain unbiased opinions of your cases.
False
The definition of digital forensics has evolved over the years from simply involving securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases.
True
The Fourth Amendment to the U.S. Constitution (and each state’s constitution) protects everyone’s rights to be secure in their person, residence, and property from search and seizure.
True
When you work in the enterprise digital group you test and verify the integrity of standalone workstations and network servers.
False
The police blotter provides a record of clues to crimes that have been committed previously.
True
Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?
Computer Analysis and Response Team (CART)
A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?
Data recovery
Which group often works as part of a team to secure an organization’s computers and networks?
Forensic investigators
Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?
Digital investigations
Which agency introduced training on software for forensics investigations by the early 1990s?
IACIS
Which Pacific Northwest agency meets to discuss problems that digital forensics examiners encounter?
CTIN
Which type of case involves charges such as burglary, murder, or molestation?
Criminal
What is the third stage of a criminal case after the complaint and the investigation?
Prosecution
What does the investigator in a criminal or public-sector case submit at the request of the prosecuting attorney if he or she has enough information to support a search warrant?
Affidavit
When an investigator seeks a search warrant which of the following must be included in an affidavit to support the allegation of a crime?
Probable cause?
What must be done under oath to verify that the information in the affidavit is true?
It must be notarized
What do published company policies provide for a business that enables them to conduct internal investigations?
Line of authority
What usually appears when a computer starts or connects to the company intranet network or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will?
Warning banner
What term refers to a person using a computer to perform routine tasks other than systems administration?
End user
Which term refers to an accusation or supposition of fact that a crime has been committed and is made by the complainant based on the incident?
Allegation
Without a warning banner what right might employees assume they have when using a company’s computer systems and network accesses?
Privacy
What term refers to the individual who has the power to conduct digital forensic investigations?
Authorized requester
What is most often the focus of digital investigations in the private sector?
Misuse of digital assets
Which doctrine found to be unconstitutional was used to allow a civilian or private-sector investigative agent to deliver evidence obtained in a manner that violated the Fourth Amendment to a law enforcement agency?
Silver platter
A forensics analysis of a 6 TB disk for example can take several days or weeks.
True
Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses.
False
If damage occurs to the floor walls ceilings or furniture in your computer forensics lab it does not need to be repaired immediately.
False
A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.
True
Computing systems in a forensics lab should be able to process typical cases in a timely manner.
True
By using marketing to attract new customers or clients you can justify future budgets for the lab’s operation and staff.
True
The ANSI-ASQ National Accreditation Board (ANAB) is a wholly owned subsidiary of the American Society of Crime Laboratory Directors (ASCLD).
False
The lab manager sets up processes for managing cases and reviews them regularly.
True
For daily work production several examiners can work together in a large open area as long as they all have different levels of authority and access needs.
False
Chapter 5 Section 3 of the NISPOM describes the characteristics of a safe storage container.
True
At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?
Digital forensics lab
At what levels should lab costs be broken down?
Monthly, quarterly, and annually
What reports are generated at the local state and federal levels to show the types and frequency of crimes committed?
Uniform crime reports
In addition to FAT16, FAT32, and Resilient File System which file system can Windows hard disks also use?
NTFS
What organization was created by police officers in order to formalize credentials for digital investigators?
IACIS
How frequently does IACIS require recertification to demonstrate continuing work in the field of computer forensics?
Every three years
What HTCN certification level requires candidates have three years of experience in computing investigations for law enforcement or corporate cases?
Certified Computer Forensic Technician, Basic (CCFT-B)
What kind of forensic investigation lab best preserves the integrity of evidence?
A secure facility
At what distance can the EMR from a computer monitor be picked up?
1/2 mile
During the Cold War defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. What did the U.S. Department of Defense call this special computer-emission shielding?
TEMPEST
What material is recommended for secure storage containers and cabinets?
Steel
How frequently should floors and carpets in the computer forensic lab be cleaned to help minimize dust that can cause static electricity?
Once a week
Which resource can be helpful when investigating older and unusual computing systems?
AICIS lists
What type of plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you’re analyzing?
Disaster recovery plan
Where should your computer backups be kept?
Off-site
What process refers to recording all the updates made to a workstation?
Configuration management
Methods for restoring large data sets are important for labs using which type of servers?
RAID
Which activity involves determining how much risk is acceptable for any process or operation?
Risk management
What is the maximum amount of time computing components are designed to last in normal business operations?
36 months
In what process is the acquisition of newer and better resources for investigation justified?
Building a business case
If the computer has an encrypted drive a live acquisition is done if the password or passphrase is not available.
True
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.
True
Some acquisition tools don’t copy data in the host protected area (HPA) of a disk drive.
True
FTK Imager requires that you use a device such as a USB dongle for licensing.
False
Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.
False
In Autopsy and many other forensics tools, raw format image files don’t contain metadata.
True
Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.
False
A separate manual validation is recommended for all raw acquisitions at the time of analysis.
True
Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized.
True
There’s no simple method for getting an image of a RAID server’s disks.
True
Which type of format acquisition leaves the investigator unable to share an image between different vendors’ computer forensics analysis tools?
Proprietary
What type of acquisition is typically done on a computer seized during a police raid?
Static
What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?
Live
What is the most common and flexible data-acquisition method?
Disk-to-image
If your time is limited, what type of acquisition data copy method should you consider?
Logical or sparse
By what percentage can lossless compression reduce image file size?
50%
What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult?
Whole disk encryption
What term refers to Linux ISO images that can be burned to a CD or DVD?
Linux live CD
What command displays pages from the online help manual for information on Linux commands and their options?
man
What command creates a raw format file that most computer forensics analysis tools can read?
dd
What command works similarly to the dd command but has many features designed for computer forensics acquisitions?
dcfldd
In addition to md5sum which hashing algorithm utility is included with current distributions of Linux?
sha1sum
What option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512?
hash
What does Autopsy use to validate an image?
MD5
What older Microsoft disk compression tool eliminates only slack disk space between files?
DriveSpace
In addition to RAID 0, what type of RAID configuration is available for Windows XP 2000 and NT servers and workstations?
RAID 1
In which RAID configuration do two or more disk drives become one large volume so the computer views the disks as a single disk?
RAID 0
Which RAID configuration also called mirrored striping is a combination of RAID 1 and RAID 0?
RAID 10
Which RAID configuration offers the greatest access speed and most robust data recovery capability?
RAID 10
What type of acquisition is used for most remote acquisitions?
Live
ISPs can investigate computer abuse committed by their customers.
True
If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime you run the risk of becoming an agent of law enforcement.
True
A judge can exclude evidence obtained from a poorly worded warrant.
True
The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene’s immediate location.
True
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.
False
The most common computer-related crime is check fraud.
True
Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs) which always get funding from the government or other agencies.
False
Some cases involve dangerous settings. For these types of investigations you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.
True
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner employees have an expectation of privacy.
True
When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant which allows the police to present all evidence together.
False
When federal courts are evaluating digital evidence from computer-generated records what exception is applied to hearsay?
Business-records exception
Under what circumstances are digital records considered admissible?
If they qualify as business records
What type of records are considered data that the system maintains such as system log files and proxy server logs?
Computer-generated records
When was the Freedom of Information Act originally enacted?
1967
Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes?
Investigating and controlling the scene is much easier in private sector environments.
At a minimum what do most company policies require that employers have in order to initiate an investigation?
Reasonable suspicion that a law or policy is being violated
When confidential business data are included with the criminal evidence what are they referred to as?
Commingled data
What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest?
Probable cause
What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?
A warrant
In addition to environmental issues, what issues are the investigator’s primary concerns when working at the scene to gather information about an incident or a crime?
Safety
When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action?
80 C
What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible?
Initial-response field kit
Which type of kit should include all the tools the investigator can afford to take to the field?
Extensive-response field kit
What type of evidence do courts consider evidence data in a computer to be?
Digital
The presence of police officers and other professionals who aren’t part of the crime scene-processing team may result in the loss or corruption of data through which process?
Professional curiosity
When seizing computer evidence in criminal investigations which organization’s standards should be followed?
Department of Justice
Power should not be cut during an investigation involving a live computer unless it is what type of system?
Older Windows or MS-DOS
What type of files might lose essential network activity records if power is terminated without a proper shutdown?
Event log
Which technique can be used for extracting evidence from large systems?
Sparse acquisition
What is required for real-time surveillance of a suspect’s computer activity?
Sniffing
The type of file system an OS uses determines how data is stored on the disk.
True
One way to examine a partition’s physical level is to use a disk editor such as WinHex or Hex Workshop.
True
As data is added the MFT can expand to take up 75% of the NTFS disk.
False
The first 5 bytes (characters) for all MFT records are FILE.
False
Alternate data streams can obscure valuable evidentiary data intentionally or by coincidence.
True
Typically a virtual machine consists of just one file.
False
From a network forensics standpoint there are no potential issues related to using virtual machines.
False
In Microsoft file structures, sectors are grouped to form clusters which are storage allocation units of one or more sectors.
True
Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.
True
It’s possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.
True
What term refers to a column of tracks on two or more disk platters?
Cylinder
How do most manufacturers deal with a platter’s inner tracks having a smaller circumference than its outer tracks?
Zone bit recording (ZBR)
What term refers to the number of bits in one square inch of a disk platter?
Areal density
Which acronym refers to the file structure database that Microsoft originally designed for floppy disks?
FAT
Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?
NTFS
What is on an NTFS disk immediately after the Partition Boot Sector?
Master File Table (MFT)
What are records in the MFT called?
FILE records
In the NTFS MFT all files and folders are stored in separate records of how many bytes each?
1024
The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition. What are these cluster addresses called?
Data runs
What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced?
Encrypting File System (EFS)
Which certificate provides a mechanism for recovering files encrypted with EFS if there is a problem with the user’s original private key?
Recovery certificate
When Microsoft created Windows 95, into what were initialization (.ini) files consolidated?
Registry
What specifies the Windows XP path installation and contains options for selecting the Windows version?
Boot.ini
Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data and then passes its findings to Ntldr?
NTDetect.com
Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS?
NTBootdd.sys
What contains instructions for the OS for hardware devices such as the keyboard mouse and video card?
Device Drivers
Which filename refers to a core Win32 subsystem DLL file?
Kernel32.dll, Advapi32.dll, User32.dll, Gdi32.dll
Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM?
Ntkrnlpa.exe
Which filename refers to the Windows XP system service dispatch stubs to executables functions and internal support functions?
Ntdll.dll
What enables the user to run another OS on an existing physical computer (known as the host computer) by emulating a computer’s hardware environment?
Hypervisor
When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.
True
In software acquisition there are three types of data-copying methods.
False
To help determine which computer forensics tool to purchase, a comparison table of functions subfunctions and vendor products is useful.
True
Computers used several OSs before Windows and MS-DOS dominated the market.
True
After retrieving and examining evidence data with one tool you should verify your results by performing the same tasks with other similar forensics tools.
True
Software forensic tools are grouped into command-line applications and GUI applications.
True
The validation function is the most challenging of all tasks for computer investigators to master.
False
Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file’s contents.
True
Because there are a number of different versions of UNIX and Linux these OSs are referred to as CLI platforms.
False
Hardware manufacturers have designed most computer components to last about 36 months between failures.
False
Which digital forensics tool is categorized as a single-purpose hardware component?
Tableau T35es-R2 SATA/IDE eSATA bridge
Where do software forensics tools copy data from a suspect’s disk drive?
Image file
Which tool enables the investigator to acquire the forensic image and process it in the same step?
Magnet AXIOM
What Linux command is used to create the raw data format?
dd
Which activity involves sorting and searching through investigation findings to separate good data and suspicious data?
Filtering
Many password recovery tools have a feature for generating potential password lists for which type of attack?
Dictionary
Which type of copy from the suspect disk to the target location does the simplest method of duplicating a disk drive make?
Physical bit-by-bit copy
What must be created to complete a forensic disk analysis and examination?
Report
The first MS-DOS tools that analyzed and extracted data from floppy disks and hard disks were used with which type of PC file systems?
IBM
In Windows 2000 and later which command shows you the file owner if you have multiple users on the system or network?
Dir
Building your own forensics workstation:
requires the time and skills necessary to support the chosen hardware.
What do you call a forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation?
portable workstation
What type of disk is commonly used with Sun Solaris systems?
SPARC
What is the general term for software or hardware that is used to protect evidence disks by preventing data from being written to them?
Write protector
Devices used to prevent data from being written to a disk can connect to a computer through FireWire, SATA, PATA, and SCSI controllers as well as which other type of controller?
USB 2.0 and 3.0
Which entity publishes articles, provides tools, and creates procedures for testing and validating computer forensics software?
NIST
Which standards document demands accuracy for all aspects of the testing process?
ISO 5725
Which NIST project manages research on forensics tools?
Computer Forensic Tool Testing (CFTT)
What is the primary hash algorithm used by the NIST project created to collect all known hash values for commercial software and OS files?
SHA-1
Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format?
Disk editor
If a file contains information it always occupies at least one allocation block.
True
macOS is built with the new Apple File System (APFS). The current version offers better security encryption and performance speeds, but users can’t mount HFS+ drives.
False
Some notable UNIX distributions included Silicon Graphics Inc. (SGI), IRIX, Santa Cruz Operation (SCO) UnixWare, Sun Solaris, IBM AIX, and HP-UX.
True
Does Windows have a kernel?
Yes
The pipe (|) character redirects the output of the command preceding it.
True
All disks have more storage capacity than the manufacturer states.
True
Before OS X, the Hierarchical File System (HFS) was used in which files are stored in directories (folders) that can be nested in other directories.
True
The HFS and HFS+ file systems have four descriptors for the end of a file (EOF).
False
Ext3 is a journaling version of Ext2 that has a built-in file recovery mechanism used after a crash.
True
In macOS, volume fragmentation is kept to a minimum by removing clumps from larger files.
False
Macintosh moved to the Intel processor and became UNIX based with which operating system?
OS X
In older versions of macOS, in which fork are file metadata and application information stored?
Resource fork
In macOS, in addition to allocation blocks, what kind of blocks do volumes have?
Logical blocks
In older versions of macOS where is all information about the volume stored?
Master Directory Block (MDB)
What macOS system application tracks each block on a volume to determine which blocks are in use and which ones are available to receive data?
Volume Bitmap
In macOS what stores any file information not in the Master Directory Block or Volume Control Block?
Extents overflow file
Which term is often used when discussing Linux because technically Linux is only the core of the OS?
Kernel
What was the early standard Linux file system?
Ext2
What is the largest disk partition Ext4 can support?
1 exabyte
What contains file and directory metadata and provides a mechanism for linking data stored in data blocks?
Inodes
At what hard link count is a file effectively deleted?
Zero
How many components define the file system on UNIX/Linux?
Four
Where are directories and files stored on a disk drive?
Data block
In Linux in which directory are most system configuration files stored?
/etc/
In Linux in which directory are most applications and commands stored?
/usr/
On a Linux computer by what are file systems exported to remote hosts represented?
/etc/exports
On a Linux computer what contains group memberships for the local system?
/etc/group
In a file’s inode what are the first 10 pointers called?
Indirect pointers
In macOS which fork typically contains data the user creates?
Data fork
In macOS, when working with an application file, which fork contains additional information such as menus, dialog boxes, icons, executable code, and controls?
Resource fork
Bitmap images are collections of dots or pixels in a grid format that form a graphic.
True
Operating systems do not have tools for recovering image files.
False
If a graphics file is fragmented across areas on a disk you must recover all the fragments before re-creating the file.
True
With many computer forensics tools, you can open files with external viewers.
True
Steganography cannot be used with file formats other than image files.
False
Under copyright laws, maps and architectural plans may be registered as pictorial, graphic, and sculptural works.
True
A graphics program creates and saves one of three types of image files: bitmap, vector, or XIF.
False
The Internet is the best source for learning more about file formats and their extensions.
True
All TIF files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 3B.
False
The two major forms of steganography are insertion and substitution.
True
What kinds of images are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes?
Vector
What tools are used to create, modify, and save bitmap, vector, and metafile graphics?
Graphics editors
Which images store graphics information as grids of pixels?
Bitmap
What is the process of converting raw picture data to another format called?
Demosaicing
In which format are most digital photographs stored?
Exchangeable Image File (Exif)
Which type of compression compresses data permanently by discarding bits of information in the file?
Lossy compression
What term refers to recovering fragments of a file?
Carving
Which JFIF format has a hexadecimal value of FFD8 FFE0 in the first four bytes?
JFIF
If a graphics file cannot be opened in an image viewer what should the next step be?
Examining the header data
Which uppercase letter has a hexadecimal value 41?
A
From which file format is the image format XIF derived?
TIFF
What is the simplest way to access a file header?
Using a hexadecimal editor like WinHex
Which header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03?
XIF
Which term refers to a data-hiding technique that uses host files to cover the contents of a secret message?
Steganography
Which data-hiding technique places data from the secret file into the host file without displaying the secret data when the host file is viewed in its associated program?
Insertion steganography
Which data-hiding technique replaces bits of the host file with other bits of data?
Substitution steganography
What is another term for steganalysis tools?
Steg tools
What technique has been used to protect copyrighted material by inserting digital watermarks into a file?
Steganography
What type of laws should computer investigators be especially aware of when working with image files in order to avoid infringement violations?
Copyright laws
How may computer programs be registered under copyright laws?
As written works
The defense request for full discovery of digital evidence applies only to criminal cases in the United States.
True
For target drives use only recently wiped media that have been reformatted and inspected for computer viruses.
True
Autopsy for Windows cannot perform forensics analysis on FAT file systems.
False
Autopsy for Windows cannot analyze data from image files from other vendors.
False
When two files look the same when viewed but one has an invisible digital watermark they appear to be the same file except for their sizes.
False
Several password-cracking tools are available for handling password-protected data or systems.
True
Most organizations keep e-mail for longer than 90 days.
False
Some encryption schemes are so complex that the time to crack them can be measured in days, weeks, years, and even decades.
True
Private-sector cases such as employee abuse investigations might not specify limitations in recovering data.
True
For static acquisitions, remove the original drive from the computer if practical and then check the date and time values in the system’s CMOS.
True
What does scope creep typically do?
Increases the amount of work required
What should be created in order to begin a digital forensics case?
Investigation plan
In addition to search warrants what defines the scope of civil and criminal cases?
Subpoenas
Which program has an indexed version of the NIST NSRL of MD5 hashes that can be imported to enhance searching for and eliminating known OS and application files?
Autopsy
Because digital forensics tools have limitations in performing hashing what tools should be used to ensure data integrity?
Advanced hexadecimal editors
Which AccessData feature compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data?
FTK KFF
Which activity involves changing or manipulating a file to conceal information?
Data hiding
Which Windows disk partition utility can be used to hide partitions?
diskpart
The data-hiding technique involving marking bad clusters is more commonly used with what type of file system?
FAT
Which term comes from the Greek word for ‘hidden writing’?
Steganography
When both the original file with no hidden message and the converted file with the hidden message are available what analysis method is recommended by Johnson and Jajodia?
Known cover attack
What technology is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure?
Key escrow
Which program incorporates an advanced encryption technique that can be used to hide data?
PGP or BestCrypt
Which type of recovery is becoming more common in digital forensic analysis?
Password recovery
What type of attacks use every possible letter number and character found on a keyboard when cracking a password?
Brute-force
Many password-protected OSs and applications store passwords in the form of which type of hash values?
MD5 or SHA
Which action alters hash values making cracking passwords more difficult?
Salting
What limits the data that can be sought in a criminal investigation?
Search warrant
Which data-hiding technique changes data from readable code to data that looks like binary executable code?
Bit-shifting
Which hashing algorithm is provided by WinHex?
MD5
When intruders break into a network they rarely leave a trail behind.
False
Network forensics is a fast easy process.
False
Virtual machines are now common for both personal and business use.
True
Virtual machines (VMs) help offset hardware costs for companies.
True
Type 2 hypervisors cannot be used on laptops.
False
Type 1 hypervisors are usually the ones you find loaded on a suspect machine.
False
Before attempting to install a type 2 hypervisor you need to enable virtualization in the BIOS before attempting to create a VM.
True
In network forensics you have to restore the drive to see how malware that attackers have installed on the system works.
True
A honeywall is a computer set up to look like any other machine on your network but it lures the attacker to it.
False
Network logs record traffic in and out of a network.
True
Which type of forensics can help you determine whether a system is truly under attack or a user has inadvertently installed an untested patch or custom program?
Network forensics
Which type of strategy hides the most valuable data at the innermost part of the network?
Layered network defense strategy
What type of software runs virtual machines?
Hypervisor
Which type of virtual machine software is typically but not exclusively loaded on servers or workstations with a lot of RAM and storage?
Tier 1 hypervisor
Which product responded to the need for security and performance by producing different CPU designs?
Intel Virtualization Technology
Which program can be used to examine network traffic?
Wireshark, tcpdump
Which tool lists all open network sockets including those hidden by rootkits?
Mandiant Memoryze
What determines how long a piece of information lasts on a system?
Order of Volatility (OoV)
Which network defense strategy developed by the National Security Agency (NSA) has three modes of protection?
Defense in Depth (DiD)
Which tool allows network traffic to be viewed graphically?
Etherape
Which network protocol analyzer can be programmed to examine TCP headers to find the SYN flag?
tcpdump, tethereal
Which tool is useful for extracting information from large Libpcap files?
Tcpslice
What are packet analyzers?
Devices or software placed on a network to monitor traffic.
On which OSI model layers do most packet analyzers operate?
Two or three
Which format can be read by most packet analyzer tools?
Pcap
In which type of attack does the attacker keep asking the server to establish a connection?
SYN flood
Which tool was designed as an easy-to-use interface for inspecting and analyzing large tcpdump files?
Netdude
Which tool probes, collects, and analyzes session data?
Argus
Which project was developed to make information widely available in an attempt to thwart Internet and network hackers?
Honeynet
What term is used for the machines used in a DDoS attack?
Zombies
For digital investigators, tracking intranet e-mail is easier because accounts use standard names the administrator establishes.
True
Investigating crimes or policy violations involving e-mail is different than investigating other types of computer abuse and crimes.
False
E-mail programs either save e-mail messages on the client computer or leave them on the server.
True
All e-mail servers use databases that store multiple users’ e-mails.
False
Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.
True
Forensic linguistics encompasses civil cases, criminal cases, cyberterrorism cases, and other legal proceedings.
True
E-mail crimes and violations rarely depend on the city state and country in which the e-mail originated.
False
Evidence artifacts vary depending on the social media channel and the device.
True
A challenge with using social media data in court is authenticating the author and the information.
True
You can send and receive e-mail in two environments: via the Internet or an intranet (an internal network).
True
What name is used for the configuration typically used for e-mail messages that are distributed from a central server to many connected client computers?
Client-server
In an e-mail address what symbol separates the domain name from the rest of the address?
@
In what type of e-mail programs can the user copy an e-mail message by dragging the message to a storage medium such as a folder or drive?
GUI
What is the main information being sought when examining e-mail headers?
The originating e-mail’s IP address
To retrieve e-mail headers in Microsoft Outlook what option should be clicked after the e-mail has been selected?
File, Properties
In Web-based e-mail how are messages displayed and saved?
Web pages in the browser’s cache
In which discipline do professionals listen to voice recordings to determine who’s speaking or read e-mail and other writings known to be by a certain person and determine whether that person wrote the e-mail or letter in question?
Forensic linguistics
To view Gmail Web e-mail headers, what should be clicked after the e-mail has been opened and the down arrow next to the Reply circular arrow has been clicked?
Show Original
To view e-mail headers on Yahoo!, what should be clicked on after ‘More’ has been selected?
View Raw Message
In Microsoft Outlook what file extension is used with saved, sent, drafted, deleted, and received e-mails?
.pst or .ost
Which site can be used to verify the names of domains a message is flowing through?
dkim.org
Which type of logging allocates space for a log file on the server and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size?
Circular logging
Which files provide helpful information to an e-mail investigation?
Log files and configuration files
Which location contains configuration information for Sendmail?
/etc/mail/sendmail.cf
In which directory do UNIX installations typically store logs?
/var/log
In which log does Exchange log information about changes to its data?
Transaction log
In Exchange what type of file is inserted in the transaction log to mark the last point at which the database was written to disk in order to prevent loss of data?
Checkpoint file
In Microsoft Exchange which file is responsible for messages formatted with MAPI?
An .edb file
Which information from Facebook simply tells you the last time a person logged on the person’s e-mail address and mobile number and whether the account can be viewed publicly?
Basic subscriber info
What format is used for the flat plaintext files some e-mail systems use for message storage?
mbox
Many people store more information on smartphones and tablets than on computers.
True
Investigating smartphones and other mobile devices is a relatively easy task in digital forensics.
False
TDMA can operate in the cell phone (800 to 1000 MHz) or PCS (1900 MHz) frequency.
True
Most basic phones use the same OSs as PCs.
False
Portability of information is what makes SIM cards so versatile.
True
In 2010 both VMware and BlackBerry were thinking of developing type 2 hypervisors for mobile devices.
True
Because bring your own device (BYOD) has become a business standard, investigators must consider how to keep employees’ personal data separate from case evidence.
True
The IoA will eventually include 4G smart devices and 4G mobile networks.
False
Gaming consoles such as the Sony PlayStation and Xbox are safe because they don’t contain information hackers might try to intercept and collect.
False
Research on wearable computers has been conducted at MIT labs for more than a decade and these computers are now moving into working reality.
True
What technology developed during WWII uses the full radio spectrum to define channels and is now used in the U.S. by Sprint, U.S. Cellular, and Verizon?
Code Division Multiple Access (CDMA)
Which type of digital network divides a radio frequency into time slots?
Time Division Multiple Access (TDMA)
Which type of network is a digital version of the original analog standard for cell phones?
Digital Advanced Mobile Phone Service (D-AMPS)
Which type of digital network is a faster version of GSM designed to deliver data?
Enhanced Data GSM Environment (EDGE)
Which standard introduced sleep mode to enhance battery life?
IS-136
Where do phones typically store system data?
Electronically erasable programmable read-only memory (EEPROM)
What type of cards consisting of a microprocessor and internal memory are usually found in GSM devices?
Subscriber identity module (SIM) cards
Which devices have been replaced by iPods, iPads, and other mobile devices for personal use?
Personal digital assistants (PDAs)
What structure is used for the file system for a SIM card?
Hierarchical structure
What does the SIM file structure begin with?
System root
Which tool provided by Paraben Software examines Internet of Things (IoT) devices, has a bootloader for locked mobile devices, and can perform data parsing and cloud data capture?
E3:DS
In a Windows environment what is the default storage location used by BitPim?
Documents\BitPim
Which forensics software tool contains a built-in write blocker?
MOBILedit Forensic
The Enhanced Data GSM Environment (EDGE) standard was developed specifically for which type of service?
3G
What entity created the Interim Standards used in mobile communications?
Telecommunications Industry Association (TIA)
What technique in which multiple phones take turns sharing a channel does the Global System for Mobile Communications (GSM) use?
Time Division Multiple Access (TDMA)
What entity developed the 3G standard?
International Telecommunication Union (ITU)
How much internal memory do mobile devices have?
Up to 64 GB
Which tool used by government agencies retrieves data from smartphones, GPS devices, tablets, music players, and drones?
Micro Systemation XRY
Which Cellebrite mobile forensics tool is often used by law enforcement and the military?
Cellebrite UFED Forensic System
The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET).
True
A search warrant can be used in any kind of case either civil or criminal.
False
Specially trained system and network administrators are often a CSP’s first responders.
True
The law requires search warrants to contain specific descriptions of what’s to be seized. For cloud environments the property to be seized usually describes physical hardware rather than data unless the CSP is a suspect.
False
In the United States the Electronic Communications Privacy Act (ECPA) describes five mechanisms the government can use to get electronic information from a provider.
True
In 1999 Salesforce.com developed a customer relationship management (CRM) Web service that applied digital marketing research to business subscribers so that they could do their own market analysis; this service eventually led the way to the cloud.
True
The platform as a service cloud service is most likely found on a desktop or a server although it could also be found on a company network or the remote service provider’s infrastructure.
True
Homomorphic encryption uses an ‘ideal lattice’ mathematical formula to encrypt data.
True
Remote acquisitions are often easier because you’re usually dealing with large volumes of data.
False
Magnet AXIOM Cloud can retrieve information from Skype, Instagram, Twitter, and iCloud but not from Facebook Messenger.
False
Metadata in a prefetch file contains an application’s ____ times in UTC format and a counter of how many times the application has run since the prefetch file was created.
MAC
Which organization has developed resource documentation for cloud service providers and their staff and provides guidance for privacy agreements, security measures, and other issues?
Cloud Security Alliance (CSA)
In which cloud service level are applications delivered via the Internet?
Software as a Service (SaaS)
What cloud application offers a variety of cloud services including automation and CRM, cloud application development, and Web site marketing?
Salesforce
What document issued by a judge compels the recipient to do or not do something?
Court order
What files created by Microsoft contain the DLL pathnames and metadata used by applications and reduce the time it takes to start applications?
Prefetch files
What is Microsoft’s SkyDrive now called?
OneDrive
With cloud systems running in a virtual environment what can be used to give the investigator valuable information before, during, and after an incident?
Snapshots
Which type of order requires that the government offer specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication or the records or other information sought are relevant and material to an ongoing criminal investigation?
Court order
A government entity must show that there is probable cause to believe the contents of a wire communication an electronic communication or other records are relevant to an ongoing criminal investigation to obtain which type of order?
Search warrant
Which tool can be used to bypass a virtual machine’s hypervisor and can be used with OpenStack?
Forensic Open-Stack Tools (FROST)
What cloud service provides a freeware type 1 hypervisor used for public and private clouds?
XenServer and XenCenter Windows Management Console
Which folder is most likely to contain Dropbox files for a specific user?
C:\Users\username\Dropbox
Which type of tool has application programming interfaces (APIs) that allow reconfiguring a cloud on the fly and is accessed through the application’s Web interface?
Management plane
Which Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client’s system?
filecache.dbx
At what offset are the application’s last access date and time located in a prefetch file?
0x90
At what offset is a prefetch file’s create date and time located?
0x80
Which cloud forensics training program is limited to law enforcement personnel?
National Institute of Justice Digital Forensics Training (NIJ DFT)
Where is the snapshot database created by Google Drive located in Windows?
C:\Users\username\AppData\Local\Google\Drive\user_default
Which Google Drive file contains a detailed list of a user’s cloud transactions?
sync_log.log
Besides presenting facts reports can communicate expert opinion.
True
A verbal report is more structured than a written report.
False
If you must write a preliminary report use words such as ‘preliminary copy’, ‘draft copy’, or ‘working draft’.
False
As with any research paper write the report abstract last.
True
When writing a report use a formal technical style.
False
When writing a report style means the tone of language you use to address the reader.
True
The decimal numbering system is frequently used when writing pleadings.
False
Lawyers use services called deposition banks (libraries) which store examples of expert witnesses’ previous testimony.
True
Signposts assist readers in scanning the text quickly by highlighting the main points and logical development of information.
True
For civil cases including those involving digital forensics investigations U.S. district courts consider optional that expert witnesses submit written reports.
False
What is the standard format in U.S. federal courts for the electronic submission of documents?
Portable Document Format (PDF)
Which document serves as a guideline for knowing what questions an investigator should expect when testifying?
Examination plan
What is most appropriately used to help an attorney learn the terms and functions used in digital forensics?
Glossary of terms
A written report is often submitted as what type of document?
Portable Document Format (PDF)
What should be provided if a report is long and complex?
An abstract
Which document is sworn to under oath and penalty of perjury or a comparable false swearing statute?
Affidavit
What type of question should an attorney ask to allow an investigator to offer an opinion?
Hypothetical
Which Federal Rule of Evidence rule governs expert opinions?
Federal Rules of Civil Procedure (FRCP) 26; Federal Rules of Evidence (FRE) 702, 703, and 705
Anything an investigator writes down as part of examination for a report in a civil litigation case is subject to which action from the opposing attorney?
Discovery
Because opposing counsel can demand discovery on them what are written preliminary reports considered to be?
High-risk documents
How many words should an abstract contain?
150-200
Under FRCP Rule 26 where must the investigator’s curriculum vitae be placed unless the bona fides are integrated elsewhere?
Appendices of the written report
In addition to decimal numbering what numbering system can be used in a written report?
Legal-sequential
Which numbering system is being used if the report writer divides material into sections and restarts numbering with each main section?
Decimal
What format is typically used to cite references in the main body of a report?
APA (last name, year of publication)
What section of a report should contain broader generalizations?
Conclusion
What section of a report should restate the objectives, aims, and key questions and summarize the findings with clear concise statements?
Conclusion
What section of a report can be used for material such as raw data figures not used in the body of the report and anticipated exhibits?
Appendices
In addition to text, word processing, and spreadsheet formats, which format is used for forensic reports and logs generated by forensic tools?
HTML
What sections of a report are included in the report body?
Introduction and discussion
As an expert witness you have opinions about what you have found or observed.
True
You should create a formal checklist of your procedures that’s applied to all your cases or include such a checklist in your report.
False
As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.
True
Like a job resume, your CV should be geared for a specific trial.
False
Part of what you have to deliver to the jury is a person they can trust to help them figure out something that’s beyond their expertise.
True
The chain of custody of evidence supports the integrity of your evidence.
True
Depending on your attorney’s needs you might give him or her just your opinion and technical expertise instead of testifying in court; this role is called an expert witness.
False
Motion in limine includes voir dire of venireman strikes and seating of jurors.
False
During opening statements both attorneys provide an overview of the case with the plaintiff’s attorney going last.
False
Whether you’re serving as an expert witness or a fact witness, be professional and polite when presenting yourself to any attorney or the court.
True
How many roles might a forensics examiner play in a trial?
Two
In which type of testimony does the investigator present evidence and explain what it is and how it was obtained?
Technical or scientific testimony
What should you use to verify evidence and thus ensure its integrity?
Hash algorithms
What should the forensics specialist keep updated and complete in order to support his or her role as an expert and document enhancement of skills through training teaching and experience?
Curriculum Vitae (CV)
How often should the document describing your expertise and used to qualify your testimony be updated to reflect new cases and additional training?
Every three months
Which motion provides a written list of objections to certain testimony or exhibits?
Motion in limine
What term refers to rejecting potential jurors?
Voir dire of venireman
What optional phase of a trial typically involves an issue raised during cross-examination of a witness?
rebuttal
How close should a microphone be to the person testifying?
6-8 inches
How many years of education does the typical juror have?
12
What method might be used by opposing attorneys to prevent an investigator from serving on an important case?
Conflicting out
What term refers to evidence that exonerates or diminishes the defendant’s liability?
Exculpatory evidence
What type of testimony occurs when the investigator answers questions from the attorney who hired the investigator?
Direct testimony
What is the most important part of an investigator’s testimony at a trial?
Direct examination
Generally the best approach an attorney can take in direct examination is to ask the investigator what type of questions?
Open-ended
Leading questions such as ‘Isn’t it true that forensics experts always destroy their handwritten notes’, are referred to as what type of questions?
Setup questions
What type of questions ask several questions inside one question?
Compound questions
How is a deposition different from trial testimony?
There is no jury or judge present
Which type of deposition is used to give an opposing attorney the chance to conduct what amounts to a direct examination and cross-examination of a witness?
Discovery deposition
Which practice is advisable when an investigator gives a deposition?
Stay relaxed and confident, maintain a professional demeanor, use facts, take your time, answer only the questions you are asked
People need ethics to help maintain their balance especially in difficult and contentious situations.
True
In the United States there’s no state or national licensing body for digital forensics examiners.
True
Experts should be paid in full for all previous work and for the anticipated time required for testimony.
True
Expert opinions cannot be presented without stating the underlying factual basis.
False
The American Bar Association (ABA) is a licensing body.
False
When searching for specific record information sometimes you see duplicate files with the same name that have different data runs meaning the file was written to disk more than once on separate occasions.
True
As an expert witness you can’t testify if you weren’t present when the event occurred.
False
When you’re aware of a possible disqualification issue bring it to the attention of the opposing attorney.
False
No single source offers a definitive code of ethics for expert witnesses so you must draw on standards from other organizations to form your own ethical standards.
True
There are inherent conflicts between the goals of attorneys and the goals of scientists or technicians (experts).
True
What are the most important laws applying to attorneys and witnesses?
Rules of evidence
Forensic examiners may serve as what types of witnesses?
Fact and expert
What resource might attorneys use to search for information on expert witnesses?
Deposition banks
What type of questions can give the investigator the factual structure to support and defend his or her opinion?
Hypothetical
Which Federal Rule of Evidence is used to determine whether the expert is qualified and whether the expert opinion can be helpful?
FRE 702
Which Federal Rule of Evidence is used to determine whether the basis for testimony is adequate?
FRE 703
Which organization has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients?
American Bar Association (ABA)
Which document offers comprehensive guidance for psychologists with an entire section devoted to forensics activities?
American Psychological Association’s (APA’s) Ethics Code
Which standard states that to provide reliable and valid testimony the expert has the ‘ethical responsibility to present a complete and unbiased picture of the . . . research relevant to the case at hand’?
Daubert
Attorneys who contact many experts as a ploy to disqualify them or prevent opposing counsel from hiring them are using what practice?
Conflicting out
Which outcome when caused by an ethical lapse could effectively be a death sentence for a career as an expert witness?
Disqualification
How can an investigator minimize any challenges an opposing attorney could make to discredit the investigator’s report or testimony?
Being as thorough as possible
In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous contact with an opposing party?
Wang Laboratories, Inc. v. Toshiba Corp.
Suppose you have been hired to determine whether a corrupted file was intentionally altered or altered by a virus. Your forensic examination did not find evidence of a virus and did not find evidence of intentional alteration. What conclusion can you offer?
The cause of the corruption is unknown
Which action isn’t usually punitive but can be embarrassing for the professional and potentially for the attorney who retained the professional?
Disqualification
Which term refers to internalized rules used to measure one’s own performance?
Ethics
Requesting which of these will deter attorneys from communicating with an investigator solely for the purpose of disqualifying that investigator?
Retainer
Which of the following options would represent a valid retainer?
2-8 hours of your usual billable rate
What is reduced by knowing who the parties in a case are?
Possibility of a conflict
What can a consultant who doesn’t testify earn for finding testifying experts or investigative leads?
Contingency fee
