Final Exam Flashcards by Andrew Heckman

By the 1970s electronic crimes were increasing especially in the financial sector.

True

How well did you know this?

Not at all

Perfectly

To be a successful computer forensics investigator you must be familiar with more than one computing platform.

True

How well did you know this?

Not at all

Perfectly

Computer investigations and forensics fall into the same category: public investigations.

False

How well did you know this?

Not at all

Perfectly

The law of search and seizure protects the rights of all people excluding people suspected of crimes.

False

How well did you know this?

Not at all

Perfectly

After a judge approves and signs a search warrant, it’s ready to be executed, meaning you can collect evidence as defined by the warrant.

True

How well did you know this?

Not at all

Perfectly

Maintaining credibility means you must form and sustain unbiased opinions of your cases.

False

How well did you know this?

Not at all

Perfectly

The definition of digital forensics has evolved over the years from simply involving securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases.

True

How well did you know this?

Not at all

Perfectly

The Fourth Amendment to the U.S. Constitution (and each state’s constitution) protects everyone’s rights to be secure in their person, residence, and property from search and seizure.

True

How well did you know this?

Not at all

Perfectly

When you work in the enterprise digital group you test and verify the integrity of standalone workstations and network servers.

False

How well did you know this?

Not at all

Perfectly

The police blotter provides a record of clues to crimes that have been committed previously.

True

How well did you know this?

Not at all

Perfectly

Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?

Computer Analysis and Response Team (CART)

How well did you know this?

Not at all

Perfectly

A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?

Data recovery

How well did you know this?

Not at all

Perfectly

Which group often works as part of a team to secure an organization’s computers and networks?

Forensic investigators

How well did you know this?

Not at all

Perfectly

Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?

Digital investigations

How well did you know this?

Not at all

Perfectly

Which agency introduced training on software for forensics investigations by the early 1990s?

IACIS

How well did you know this?

Not at all

Perfectly

Which Pacific Northwest agency meets to discuss problems that digital forensics examiners encounter?

CTIN

How well did you know this?

Not at all

Perfectly

Which type of case involves charges such as burglary, murder, or molestation?

Criminal

How well did you know this?

Not at all

Perfectly

What is the third stage of a criminal case after the complaint and the investigation?

Prosecution

How well did you know this?

Not at all

Perfectly

What does the investigator in a criminal or public-sector case submit at the request of the prosecuting attorney if he or she has enough information to support a search warrant?

Affidavit

How well did you know this?

Not at all

Perfectly

When an investigator seeks a search warrant which of the following must be included in an affidavit to support the allegation of a crime?

Probable cause?

How well did you know this?

Not at all

Perfectly

What must be done under oath to verify that the information in the affidavit is true?

It must be notarized

How well did you know this?

Not at all

Perfectly

What do published company policies provide for a business that enables them to conduct internal investigations?

Line of authority

How well did you know this?

Not at all

Perfectly

What usually appears when a computer starts or connects to the company intranet network or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will?

Warning banner

How well did you know this?

Not at all

Perfectly

What term refers to a person using a computer to perform routine tasks other than systems administration?

End user

How well did you know this?

Not at all

Perfectly

Which term refers to an accusation or supposition of fact that a crime has been committed and is made by the complainant based on the incident?

Allegation

Without a warning banner what right might employees assume they have when using a company's computer systems and network accesses?

Privacy

What term refers to the individual who has the power to conduct digital forensic investigations?

Authorized requester

What is most often the focus of digital investigations in the private sector?

Misuse of digital assets

Which doctrine found to be unconstitutional was used to allow a civilian or private-sector investigative agent to deliver evidence obtained in a manner that violated the Fourth Amendment to a law enforcement agency?

Silver platter

A forensics analysis of a 6 TB disk for example can take several days or weeks.

True

Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses.

False

If damage occurs to the floor walls ceilings or furniture in your computer forensics lab it does not need to be repaired immediately.

False

A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.

True

Computing systems in a forensics lab should be able to process typical cases in a timely manner.

True

By using marketing to attract new customers or clients you can justify future budgets for the lab's operation and staff.

True

The ANSI-ASQ National Accreditation Board (ANAB) is a wholly owned subsidiary of the American Society of Crime Laboratory Directors (ASCLD).

False

The lab manager sets up processes for managing cases and reviews them regularly.

True

For daily work production several examiners can work together in a large open area as long as they all have different levels of authority and access needs.

False

Chapter 5 Section 3 of the NISPOM describes the characteristics of a safe storage container.

True

At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?

Digital forensics lab

At what levels should lab costs be broken down?

Monthly, quarterly, and annually

What reports are generated at the local state and federal levels to show the types and frequency of crimes committed?

Uniform crime reports

In addition to FAT16, FAT32, and Resilient File System which file system can Windows hard disks also use?

NTFS

What organization was created by police officers in order to formalize credentials for digital investigators?

IACIS

How frequently does IACIS require recertification to demonstrate continuing work in the field of computer forensics?

Every three years

What HTCN certification level requires candidates have three years of experience in computing investigations for law enforcement or corporate cases?

Certified Computer Forensic Technician, Basic (CCFT-B)

What kind of forensic investigation lab best preserves the integrity of evidence?

A secure facility

At what distance can the EMR from a computer monitor be picked up?

1/2 mile

During the Cold War defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. What did the U.S. Department of Defense call this special computer-emission shielding?

TEMPEST

What material is recommended for secure storage containers and cabinets?

Steel

How frequently should floors and carpets in the computer forensic lab be cleaned to help minimize dust that can cause static electricity?

Once a week

Which resource can be helpful when investigating older and unusual computing systems?

AICIS lists

What type of plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing?

Disaster recovery plan

Where should your computer backups be kept?

Off-site

What process refers to recording all the updates made to a workstation?

Configuration management

Methods for restoring large data sets are important for labs using which type of servers?

RAID

Which activity involves determining how much risk is acceptable for any process or operation?

Risk management

What is the maximum amount of time computing components are designed to last in normal business operations?

36 months

In what process is the acquisition of newer and better resources for investigation justified?

Building a business case

If the computer has an encrypted drive a live acquisition is done if the password or passphrase is not available.

True

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.

True

Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.

True

FTK Imager requires that you use a device such as a USB dongle for licensing.

False

Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.

False

In Autopsy and many other forensics tools, raw format image files don't contain metadata.

True

Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.

False

A separate manual validation is recommended for all raw acquisitions at the time of analysis.

True

Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized.

True

There's no simple method for getting an image of a RAID server's disks.

True

Which type of format acquisition leaves the investigator unable to share an image between different vendors' computer forensics analysis tools?

Proprietary

What type of acquisition is typically done on a computer seized during a police raid?

Static

What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?

Live

What is the most common and flexible data-acquisition method?

Disk-to-image

If your time is limited, what type of acquisition data copy method should you consider?

Logical or sparse

By what percentage can lossless compression reduce image file size?

50%

What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult?

Whole disk encryption

What term refers to Linux ISO images that can be burned to a CD or DVD?

Linux live CD

What command displays pages from the online help manual for information on Linux commands and their options?

man

What command creates a raw format file that most computer forensics analysis tools can read?

What command works similarly to the dd command but has many features designed for computer forensics acquisitions?

dcfldd

In addition to md5sum which hashing algorithm utility is included with current distributions of Linux?

sha1sum

What option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512?

hash

What does Autopsy use to validate an image?

MD5

What older Microsoft disk compression tool eliminates only slack disk space between files?

DriveSpace

In addition to RAID 0, what type of RAID configuration is available for Windows XP 2000 and NT servers and workstations?

RAID 1

In which RAID configuration do two or more disk drives become one large volume so the computer views the disks as a single disk?

RAID 0

Which RAID configuration also called mirrored striping is a combination of RAID 1 and RAID 0?

RAID 10

Which RAID configuration offers the greatest access speed and most robust data recovery capability?

RAID 10

What type of acquisition is used for most remote acquisitions?

Live

ISPs can investigate computer abuse committed by their customers.

True

If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime you run the risk of becoming an agent of law enforcement.

True

A judge can exclude evidence obtained from a poorly worded warrant.

True

The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location.

True

Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.

False

The most common computer-related crime is check fraud.

True

Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs) which always get funding from the government or other agencies.

False

Some cases involve dangerous settings. For these types of investigations you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.

True

If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner employees have an expectation of privacy.

True

When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant which allows the police to present all evidence together.

False

When federal courts are evaluating digital evidence from computer-generated records what exception is applied to hearsay?

Business-records exception

Under what circumstances are digital records considered admissible?

If they qualify as business records

What type of records are considered data that the system maintains such as system log files and proxy server logs?

Computer-generated records

When was the Freedom of Information Act originally enacted?

1967

Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes?

Investigating and controlling the scene is much easier in private sector environments.

At a minimum what do most company policies require that employers have in order to initiate an investigation?

Reasonable suspicion that a law or policy is being violated

When confidential business data are included with the criminal evidence what are they referred to as?

Commingled data

What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest?

Probable cause

What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?

A warrant

In addition to environmental issues, what issues are the investigator's primary concerns when working at the scene to gather information about an incident or a crime?

Safety

When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action?

80 C

What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible?

Initial-response field kit

Which type of kit should include all the tools the investigator can afford to take to the field?

Extensive-response field kit

What type of evidence do courts consider evidence data in a computer to be?

Digital

The presence of police officers and other professionals who aren't part of the crime scene-processing team may result in the loss or corruption of data through which process?

Professional curiosity

When seizing computer evidence in criminal investigations which organization's standards should be followed?

Department of Justice

Power should not be cut during an investigation involving a live computer unless it is what type of system?

Older Windows or MS-DOS

What type of files might lose essential network activity records if power is terminated without a proper shutdown?

Event log

Which technique can be used for extracting evidence from large systems?

Sparse acquisition

What is required for real-time surveillance of a suspect's computer activity?

Sniffing

The type of file system an OS uses determines how data is stored on the disk.

True

One way to examine a partition's physical level is to use a disk editor such as WinHex or Hex Workshop.

True

As data is added the MFT can expand to take up 75% of the NTFS disk.

False

The first 5 bytes (characters) for all MFT records are FILE.

False

Alternate data streams can obscure valuable evidentiary data intentionally or by coincidence.

True

Typically a virtual machine consists of just one file.

False

From a network forensics standpoint there are no potential issues related to using virtual machines.

False

In Microsoft file structures, sectors are grouped to form clusters which are storage allocation units of one or more sectors.

True

Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.

True

It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.

True

What term refers to a column of tracks on two or more disk platters?

Cylinder

How do most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks?

Zone bit recording (ZBR)

What term refers to the number of bits in one square inch of a disk platter?

Areal density

Which acronym refers to the file structure database that Microsoft originally designed for floppy disks?

FAT

Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?

NTFS

What is on an NTFS disk immediately after the Partition Boot Sector?

Master File Table (MFT)

What are records in the MFT called?

FILE records

In the NTFS MFT all files and folders are stored in separate records of how many bytes each?

1024

The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. What are these cluster addresses called?

Data runs

What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced?

Encrypting File System (EFS)

Which certificate provides a mechanism for recovering files encrypted with EFS if there is a problem with the user's original private key?

Recovery certificate

When Microsoft created Windows 95, into what were initialization (.ini) files consolidated?

Registry

What specifies the Windows XP path installation and contains options for selecting the Windows version?

Boot.ini

Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data and then passes its findings to Ntldr?

NTDetect.com

Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS?

NTBootdd.sys

What contains instructions for the OS for hardware devices such as the keyboard mouse and video card?

Device Drivers

Which filename refers to a core Win32 subsystem DLL file?

Kernel32.dll, Advapi32.dll, User32.dll, Gdi32.dll

Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM?

Ntkrnlpa.exe

Which filename refers to the Windows XP system service dispatch stubs to executables functions and internal support functions?

Ntdll.dll

What enables the user to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment?

Hypervisor

When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.

True

In software acquisition there are three types of data-copying methods.

False

To help determine which computer forensics tool to purchase, a comparison table of functions subfunctions and vendor products is useful.

True

Computers used several OSs before Windows and MS-DOS dominated the market.

True

After retrieving and examining evidence data with one tool you should verify your results by performing the same tasks with other similar forensics tools.

True

Software forensic tools are grouped into command-line applications and GUI applications.

True

The validation function is the most challenging of all tasks for computer investigators to master.

False

Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file's contents.

True

Because there are a number of different versions of UNIX and Linux these OSs are referred to as CLI platforms.

False

Hardware manufacturers have designed most computer components to last about 36 months between failures.

False

Which digital forensics tool is categorized as a single-purpose hardware component?

Tableau T35es-R2 SATA/IDE eSATA bridge

Where do software forensics tools copy data from a suspect's disk drive?

Image file

Which tool enables the investigator to acquire the forensic image and process it in the same step?

Magnet AXIOM

What Linux command is used to create the raw data format?

Which activity involves sorting and searching through investigation findings to separate good data and suspicious data?

Filtering

Many password recovery tools have a feature for generating potential password lists for which type of attack?

Dictionary

Which type of copy from the suspect disk to the target location does the simplest method of duplicating a disk drive make?

Physical bit-by-bit copy

What must be created to complete a forensic disk analysis and examination?

Report

The first MS-DOS tools that analyzed and extracted data from floppy disks and hard disks were used with which type of PC file systems?

IBM

In Windows 2000 and later which command shows you the file owner if you have multiple users on the system or network?

Dir

Building your own forensics workstation:

requires the time and skills necessary to support the chosen hardware.

What do you call a forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation?

portable workstation

What type of disk is commonly used with Sun Solaris systems?

SPARC

What is the general term for software or hardware that is used to protect evidence disks by preventing data from being written to them?

Write protector

Devices used to prevent data from being written to a disk can connect to a computer through FireWire, SATA, PATA, and SCSI controllers as well as which other type of controller?

USB 2.0 and 3.0

Which entity publishes articles, provides tools, and creates procedures for testing and validating computer forensics software?

NIST

Which standards document demands accuracy for all aspects of the testing process?

ISO 5725

Which NIST project manages research on forensics tools?

Computer Forensic Tool Testing (CFTT)

What is the primary hash algorithm used by the NIST project created to collect all known hash values for commercial software and OS files?

SHA-1

Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format?

Disk editor

If a file contains information it always occupies at least one allocation block.

True

macOS is built with the new Apple File System (APFS). The current version offers better security encryption and performance speeds, but users can't mount HFS+ drives.

False

Some notable UNIX distributions included Silicon Graphics Inc. (SGI), IRIX, Santa Cruz Operation (SCO) UnixWare, Sun Solaris, IBM AIX, and HP-UX.

True

Does Windows have a kernel?

Yes

The pipe (|) character redirects the output of the command preceding it.

True

All disks have more storage capacity than the manufacturer states.

True

Before OS X, the Hierarchical File System (HFS) was used in which files are stored in directories (folders) that can be nested in other directories.

True

The HFS and HFS+ file systems have four descriptors for the end of a file (EOF).

False

Ext3 is a journaling version of Ext2 that has a built-in file recovery mechanism used after a crash.

True

In macOS, volume fragmentation is kept to a minimum by removing clumps from larger files.

False

Macintosh moved to the Intel processor and became UNIX based with which operating system?

OS X

In older versions of macOS, in which fork are file metadata and application information stored?

Resource fork

In macOS, in addition to allocation blocks, what kind of blocks do volumes have?

Logical blocks

In older versions of macOS where is all information about the volume stored?

Master Directory Block (MDB)

What macOS system application tracks each block on a volume to determine which blocks are in use and which ones are available to receive data?

Volume Bitmap

In macOS what stores any file information not in the Master Directory Block or Volume Control Block?

Extents overflow file

Which term is often used when discussing Linux because technically Linux is only the core of the OS?

Kernel

What was the early standard Linux file system?

Ext2

What is the largest disk partition Ext4 can support?

1 exabyte

What contains file and directory metadata and provides a mechanism for linking data stored in data blocks?

Inodes

At what hard link count is a file effectively deleted?

Zero

How many components define the file system on UNIX/Linux?

Four

Where are directories and files stored on a disk drive?

Data block

In Linux in which directory are most system configuration files stored?

/etc/

In Linux in which directory are most applications and commands stored?

/usr/

On a Linux computer by what are file systems exported to remote hosts represented?

/etc/exports

On a Linux computer what contains group memberships for the local system?

/etc/group

In a file's inode what are the first 10 pointers called?

Indirect pointers

In macOS which fork typically contains data the user creates?

Data fork

In macOS, when working with an application file, which fork contains additional information such as menus, dialog boxes, icons, executable code, and controls?

Resource fork

Bitmap images are collections of dots or pixels in a grid format that form a graphic.

True

Operating systems do not have tools for recovering image files.

False

If a graphics file is fragmented across areas on a disk you must recover all the fragments before re-creating the file.

True

With many computer forensics tools, you can open files with external viewers.

True

Steganography cannot be used with file formats other than image files.

False

Under copyright laws, maps and architectural plans may be registered as pictorial, graphic, and sculptural works.

True

A graphics program creates and saves one of three types of image files: bitmap, vector, or XIF.

False

The Internet is the best source for learning more about file formats and their extensions.

True

All TIF files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 3B.

False

The two major forms of steganography are insertion and substitution.

True

What kinds of images are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes?

Vector

What tools are used to create, modify, and save bitmap, vector, and metafile graphics?

Graphics editors

Which images store graphics information as grids of pixels?

Bitmap

What is the process of converting raw picture data to another format called?

Demosaicing

In which format are most digital photographs stored?

Exchangeable Image File (Exif)

Which type of compression compresses data permanently by discarding bits of information in the file?

Lossy compression

What term refers to recovering fragments of a file?

Carving

Which JFIF format has a hexadecimal value of FFD8 FFE0 in the first four bytes?

JFIF

If a graphics file cannot be opened in an image viewer what should the next step be?

Examining the header data

Which uppercase letter has a hexadecimal value 41?

From which file format is the image format XIF derived?

TIFF

What is the simplest way to access a file header?

Using a hexadecimal editor like WinHex

Which header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03?

XIF

Which term refers to a data-hiding technique that uses host files to cover the contents of a secret message?

Steganography

Which data-hiding technique places data from the secret file into the host file without displaying the secret data when the host file is viewed in its associated program?

Insertion steganography

Which data-hiding technique replaces bits of the host file with other bits of data?

Substitution steganography

What is another term for steganalysis tools?

Steg tools

What technique has been used to protect copyrighted material by inserting digital watermarks into a file?

Steganography

What type of laws should computer investigators be especially aware of when working with image files in order to avoid infringement violations?

How may computer programs be registered under copyright laws?

As written works

The defense request for full discovery of digital evidence applies only to criminal cases in the United States.

True

For target drives use only recently wiped media that have been reformatted and inspected for computer viruses.

True

Autopsy for Windows cannot perform forensics analysis on FAT file systems.

False

Autopsy for Windows cannot analyze data from image files from other vendors.

False

When two files look the same when viewed but one has an invisible digital watermark they appear to be the same file except for their sizes.

False

Several password-cracking tools are available for handling password-protected data or systems.

True

Most organizations keep e-mail for longer than 90 days.

False

Some encryption schemes are so complex that the time to crack them can be measured in days, weeks, years, and even decades.

True

Private-sector cases such as employee abuse investigations might not specify limitations in recovering data.

True

For static acquisitions, remove the original drive from the computer if practical and then check the date and time values in the system's CMOS.

True

What does scope creep typically do?

Increases the amount of work required

What should be created in order to begin a digital forensics case?

Investigation plan

In addition to search warrants what defines the scope of civil and criminal cases?

Subpoenas

Which program has an indexed version of the NIST NSRL of MD5 hashes that can be imported to enhance searching for and eliminating known OS and application files?

Autopsy

Because digital forensics tools have limitations in performing hashing what tools should be used to ensure data integrity?

Advanced hexadecimal editors

Which AccessData feature compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data?

FTK KFF

Which activity involves changing or manipulating a file to conceal information?

Data hiding

Which Windows disk partition utility can be used to hide partitions?

diskpart

The data-hiding technique involving marking bad clusters is more commonly used with what type of file system?

FAT

Which term comes from the Greek word for 'hidden writing'?

Steganography

When both the original file with no hidden message and the converted file with the hidden message are available what analysis method is recommended by Johnson and Jajodia?

Known cover attack

What technology is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure?

Key escrow

Which program incorporates an advanced encryption technique that can be used to hide data?

PGP or BestCrypt

Which type of recovery is becoming more common in digital forensic analysis?

Password recovery

What type of attacks use every possible letter number and character found on a keyboard when cracking a password?

Brute-force

Many password-protected OSs and applications store passwords in the form of which type of hash values?

MD5 or SHA

Which action alters hash values making cracking passwords more difficult?

Salting

What limits the data that can be sought in a criminal investigation?

Search warrant

Which data-hiding technique changes data from readable code to data that looks like binary executable code?

Bit-shifting

Which hashing algorithm is provided by WinHex?

MD5

When intruders break into a network they rarely leave a trail behind.

False

Network forensics is a fast easy process.

False

Virtual machines are now common for both personal and business use.

True

Virtual machines (VMs) help offset hardware costs for companies.

True

Type 2 hypervisors cannot be used on laptops.

False

Type 1 hypervisors are usually the ones you find loaded on a suspect machine.

False

Before attempting to install a type 2 hypervisor you need to enable virtualization in the BIOS before attempting to create a VM.

True

In network forensics you have to restore the drive to see how malware that attackers have installed on the system works.

True

A honeywall is a computer set up to look like any other machine on your network but it lures the attacker to it.

False

Network logs record traffic in and out of a network.

True

Which type of forensics can help you determine whether a system is truly under attack or a user has inadvertently installed an untested patch or custom program?

Network forensics

Which type of strategy hides the most valuable data at the innermost part of the network?

Layered network defense strategy

What type of software runs virtual machines?

Hypervisor

Which type of virtual machine software is typically but not exclusively loaded on servers or workstations with a lot of RAM and storage?

Tier 1 hypervisor

Which product responded to the need for security and performance by producing different CPU designs?

Intel Virtualization Technology

Which program can be used to examine network traffic?

Wireshark, tcpdump

Which tool lists all open network sockets including those hidden by rootkits?

Mandiant Memoryze

What determines how long a piece of information lasts on a system?

Order of Volatility (OoV)

Which network defense strategy developed by the National Security Agency (NSA) has three modes of protection?

Defense in Depth (DiD)

Which tool allows network traffic to be viewed graphically?

Etherape

Which network protocol analyzer can be programmed to examine TCP headers to find the SYN flag?

tcpdump, tethereal

Which tool is useful for extracting information from large Libpcap files?

Tcpslice

What are packet analyzers?

Devices or software placed on a network to monitor traffic.

On which OSI model layers do most packet analyzers operate?

Two or three

Which format can be read by most packet analyzer tools?

Pcap

In which type of attack does the attacker keep asking the server to establish a connection?

SYN flood

Which tool was designed as an easy-to-use interface for inspecting and analyzing large tcpdump files?

Netdude

Which tool probes, collects, and analyzes session data?

Argus

Which project was developed to make information widely available in an attempt to thwart Internet and network hackers?

Honeynet

What term is used for the machines used in a DDoS attack?

Zombies

For digital investigators, tracking intranet e-mail is easier because accounts use standard names the administrator establishes.

True

Investigating crimes or policy violations involving e-mail is different than investigating other types of computer abuse and crimes.

False

E-mail programs either save e-mail messages on the client computer or leave them on the server.

True

All e-mail servers use databases that store multiple users' e-mails.

False

Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.

True

Forensic linguistics encompasses civil cases, criminal cases, cyberterrorism cases, and other legal proceedings.

True

E-mail crimes and violations rarely depend on the city state and country in which the e-mail originated.

False

Evidence artifacts vary depending on the social media channel and the device.

True

A challenge with using social media data in court is authenticating the author and the information.

True

You can send and receive e-mail in two environments: via the Internet or an intranet (an internal network).

True

What name is used for the configuration typically used for e-mail messages that are distributed from a central server to many connected client computers?

Client-server

In an e-mail address what symbol separates the domain name from the rest of the address?

In what type of e-mail programs can the user copy an e-mail message by dragging the message to a storage medium such as a folder or drive?

GUI

What is the main information being sought when examining e-mail headers?

The originating e-mail's IP address

To retrieve e-mail headers in Microsoft Outlook what option should be clicked after the e-mail has been selected?

File, Properties

In Web-based e-mail how are messages displayed and saved?

Web pages in the browser's cache

In which discipline do professionals listen to voice recordings to determine who's speaking or read e-mail and other writings known to be by a certain person and determine whether that person wrote the e-mail or letter in question?

Forensic linguistics

To view Gmail Web e-mail headers, what should be clicked after the e-mail has been opened and the down arrow next to the Reply circular arrow has been clicked?

Show Original

To view e-mail headers on Yahoo!, what should be clicked on after 'More' has been selected?

View Raw Message

In Microsoft Outlook what file extension is used with saved, sent, drafted, deleted, and received e-mails?

.pst or .ost

Which site can be used to verify the names of domains a message is flowing through?

dkim.org

Which type of logging allocates space for a log file on the server and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size?

Circular logging

Which files provide helpful information to an e-mail investigation?

Log files and configuration files

Which location contains configuration information for Sendmail?

/etc/mail/sendmail.cf

In which directory do UNIX installations typically store logs?

/var/log

In which log does Exchange log information about changes to its data?

Transaction log

In Exchange what type of file is inserted in the transaction log to mark the last point at which the database was written to disk in order to prevent loss of data?

Checkpoint file

In Microsoft Exchange which file is responsible for messages formatted with MAPI?

An .edb file

Which information from Facebook simply tells you the last time a person logged on the person's e-mail address and mobile number and whether the account can be viewed publicly?

Basic subscriber info

What format is used for the flat plaintext files some e-mail systems use for message storage?

mbox

Many people store more information on smartphones and tablets than on computers.

True

Investigating smartphones and other mobile devices is a relatively easy task in digital forensics.

False

TDMA can operate in the cell phone (800 to 1000 MHz) or PCS (1900 MHz) frequency.

True

Most basic phones use the same OSs as PCs.

False

Portability of information is what makes SIM cards so versatile.

True

In 2010 both VMware and BlackBerry were thinking of developing type 2 hypervisors for mobile devices.

True

Because bring your own device (BYOD) has become a business standard, investigators must consider how to keep employees' personal data separate from case evidence.

True

The IoA will eventually include 4G smart devices and 4G mobile networks.

False

Gaming consoles such as the Sony PlayStation and Xbox are safe because they don't contain information hackers might try to intercept and collect.

False

Research on wearable computers has been conducted at MIT labs for more than a decade and these computers are now moving into working reality.

True

What technology developed during WWII uses the full radio spectrum to define channels and is now used in the U.S. by Sprint, U.S. Cellular, and Verizon?

Code Division Multiple Access (CDMA)

Which type of digital network divides a radio frequency into time slots?

Time Division Multiple Access (TDMA)

Which type of network is a digital version of the original analog standard for cell phones?

Digital Advanced Mobile Phone Service (D-AMPS)

Which type of digital network is a faster version of GSM designed to deliver data?

Enhanced Data GSM Environment (EDGE)

Which standard introduced sleep mode to enhance battery life?

IS-136

Where do phones typically store system data?

Electronically erasable programmable read-only memory (EEPROM)

What type of cards consisting of a microprocessor and internal memory are usually found in GSM devices?

Subscriber identity module (SIM) cards

Which devices have been replaced by iPods, iPads, and other mobile devices for personal use?

Personal digital assistants (PDAs)

What structure is used for the file system for a SIM card?

Hierarchical structure

What does the SIM file structure begin with?

System root

Which tool provided by Paraben Software examines Internet of Things (IoT) devices, has a bootloader for locked mobile devices, and can perform data parsing and cloud data capture?

E3:DS

In a Windows environment what is the default storage location used by BitPim?

Documents\BitPim

Which forensics software tool contains a built-in write blocker?

MOBILedit Forensic

The Enhanced Data GSM Environment (EDGE) standard was developed specifically for which type of service?

What entity created the Interim Standards used in mobile communications?

Telecommunications Industry Association (TIA)

What technique in which multiple phones take turns sharing a channel does the Global System for Mobile Communications (GSM) use?

Time Division Multiple Access (TDMA)

What entity developed the 3G standard?

International Telecommunication Union (ITU)

How much internal memory do mobile devices have?

Up to 64 GB

Which tool used by government agencies retrieves data from smartphones, GPS devices, tablets, music players, and drones?

Micro Systemation XRY

Which Cellebrite mobile forensics tool is often used by law enforcement and the military?

Cellebrite UFED Forensic System

The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET).

True

A search warrant can be used in any kind of case either civil or criminal.

False

Specially trained system and network administrators are often a CSP's first responders.

True

The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments the property to be seized usually describes physical hardware rather than data unless the CSP is a suspect.

False

In the United States the Electronic Communications Privacy Act (ECPA) describes five mechanisms the government can use to get electronic information from a provider.

True

In 1999 Salesforce.com developed a customer relationship management (CRM) Web service that applied digital marketing research to business subscribers so that they could do their own market analysis; this service eventually led the way to the cloud.

True

The platform as a service cloud service is most likely found on a desktop or a server although it could also be found on a company network or the remote service provider's infrastructure.

True

Homomorphic encryption uses an 'ideal lattice' mathematical formula to encrypt data.

True

Remote acquisitions are often easier because you're usually dealing with large volumes of data.

False

Magnet AXIOM Cloud can retrieve information from Skype, Instagram, Twitter, and iCloud but not from Facebook Messenger.

False

Metadata in a prefetch file contains an application's ____ times in UTC format and a counter of how many times the application has run since the prefetch file was created.

MAC

Which organization has developed resource documentation for cloud service providers and their staff and provides guidance for privacy agreements, security measures, and other issues?

Cloud Security Alliance (CSA)

In which cloud service level are applications delivered via the Internet?

Software as a Service (SaaS)

What cloud application offers a variety of cloud services including automation and CRM, cloud application development, and Web site marketing?

Salesforce

What document issued by a judge compels the recipient to do or not do something?

Court order

What files created by Microsoft contain the DLL pathnames and metadata used by applications and reduce the time it takes to start applications?

Prefetch files

What is Microsoft's SkyDrive now called?

OneDrive

With cloud systems running in a virtual environment what can be used to give the investigator valuable information before, during, and after an incident?

Snapshots

Which type of order requires that the government offer specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication or the records or other information sought are relevant and material to an ongoing criminal investigation?

Court order

A government entity must show that there is probable cause to believe the contents of a wire communication an electronic communication or other records are relevant to an ongoing criminal investigation to obtain which type of order?

Search warrant

Which tool can be used to bypass a virtual machine's hypervisor and can be used with OpenStack?

Forensic Open-Stack Tools (FROST)

What cloud service provides a freeware type 1 hypervisor used for public and private clouds?

XenServer and XenCenter Windows Management Console

Which folder is most likely to contain Dropbox files for a specific user?

C:\Users\username\Dropbox

Which type of tool has application programming interfaces (APIs) that allow reconfiguring a cloud on the fly and is accessed through the application's Web interface?

Management plane

Which Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system?

filecache.dbx

At what offset are the application's last access date and time located in a prefetch file?

0x90

At what offset is a prefetch file's create date and time located?

0x80

Which cloud forensics training program is limited to law enforcement personnel?

National Institute of Justice Digital Forensics Training (NIJ DFT)

Where is the snapshot database created by Google Drive located in Windows?

C:\Users\username\AppData\Local\Google\Drive\user_default

Which Google Drive file contains a detailed list of a user's cloud transactions?

sync_log.log

Besides presenting facts reports can communicate expert opinion.

True

A verbal report is more structured than a written report.

False

If you must write a preliminary report use words such as 'preliminary copy', 'draft copy', or 'working draft'.

False

As with any research paper write the report abstract last.

True

When writing a report use a formal technical style.

False

When writing a report style means the tone of language you use to address the reader.

True

The decimal numbering system is frequently used when writing pleadings.

False

Lawyers use services called deposition banks (libraries) which store examples of expert witnesses' previous testimony.

True

Signposts assist readers in scanning the text quickly by highlighting the main points and logical development of information.

True

For civil cases including those involving digital forensics investigations U.S. district courts consider optional that expert witnesses submit written reports.

False

What is the standard format in U.S. federal courts for the electronic submission of documents?

Portable Document Format (PDF)

Which document serves as a guideline for knowing what questions an investigator should expect when testifying?

Examination plan

What is most appropriately used to help an attorney learn the terms and functions used in digital forensics?

Glossary of terms

A written report is often submitted as what type of document?

Portable Document Format (PDF)

What should be provided if a report is long and complex?

An abstract

Which document is sworn to under oath and penalty of perjury or a comparable false swearing statute?

Affidavit

What type of question should an attorney ask to allow an investigator to offer an opinion?

Hypothetical

Which Federal Rule of Evidence rule governs expert opinions?

Federal Rules of Civil Procedure (FRCP) 26; Federal Rules of Evidence (FRE) 702, 703, and 705

Anything an investigator writes down as part of examination for a report in a civil litigation case is subject to which action from the opposing attorney?

Discovery

Because opposing counsel can demand discovery on them what are written preliminary reports considered to be?

High-risk documents

How many words should an abstract contain?

150-200

Under FRCP Rule 26 where must the investigator's curriculum vitae be placed unless the bona fides are integrated elsewhere?

Appendices of the written report

In addition to decimal numbering what numbering system can be used in a written report?

Legal-sequential

Which numbering system is being used if the report writer divides material into sections and restarts numbering with each main section?

Decimal

What format is typically used to cite references in the main body of a report?

APA (last name, year of publication)

What section of a report should contain broader generalizations?

Conclusion

What section of a report should restate the objectives, aims, and key questions and summarize the findings with clear concise statements?

Conclusion

What section of a report can be used for material such as raw data figures not used in the body of the report and anticipated exhibits?

Appendices

In addition to text, word processing, and spreadsheet formats, which format is used for forensic reports and logs generated by forensic tools?

HTML

What sections of a report are included in the report body?

Introduction and discussion

As an expert witness you have opinions about what you have found or observed.

True

You should create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your report.

False

As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.

True

Like a job resume, your CV should be geared for a specific trial.

False

Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise.

True

The chain of custody of evidence supports the integrity of your evidence.

True

Depending on your attorney's needs you might give him or her just your opinion and technical expertise instead of testifying in court; this role is called an expert witness.

False

Motion in limine includes voir dire of venireman strikes and seating of jurors.

False

During opening statements both attorneys provide an overview of the case with the plaintiff's attorney going last.

False

Whether you're serving as an expert witness or a fact witness, be professional and polite when presenting yourself to any attorney or the court.

True

How many roles might a forensics examiner play in a trial?

Two

In which type of testimony does the investigator present evidence and explain what it is and how it was obtained?

Technical or scientific testimony

What should you use to verify evidence and thus ensure its integrity?

Hash algorithms

What should the forensics specialist keep updated and complete in order to support his or her role as an expert and document enhancement of skills through training teaching and experience?

Curriculum Vitae (CV)

How often should the document describing your expertise and used to qualify your testimony be updated to reflect new cases and additional training?

Every three months

Which motion provides a written list of objections to certain testimony or exhibits?

Motion in limine

What term refers to rejecting potential jurors?

Voir dire of venireman

What optional phase of a trial typically involves an issue raised during cross-examination of a witness?

rebuttal

How close should a microphone be to the person testifying?

6-8 inches

How many years of education does the typical juror have?

What method might be used by opposing attorneys to prevent an investigator from serving on an important case?

Conflicting out

What term refers to evidence that exonerates or diminishes the defendant's liability?

Exculpatory evidence

What type of testimony occurs when the investigator answers questions from the attorney who hired the investigator?

Direct testimony

What is the most important part of an investigator's testimony at a trial?

Direct examination

Generally the best approach an attorney can take in direct examination is to ask the investigator what type of questions?

Open-ended

Leading questions such as 'Isn't it true that forensics experts always destroy their handwritten notes', are referred to as what type of questions?

Setup questions

What type of questions ask several questions inside one question?

Compound questions

How is a deposition different from trial testimony?

There is no jury or judge present

Which type of deposition is used to give an opposing attorney the chance to conduct what amounts to a direct examination and cross-examination of a witness?

Discovery deposition

Which practice is advisable when an investigator gives a deposition?

Stay relaxed and confident, maintain a professional demeanor, use facts, take your time, answer only the questions you are asked

People need ethics to help maintain their balance especially in difficult and contentious situations.

True

In the United States there's no state or national licensing body for digital forensics examiners.

True

Experts should be paid in full for all previous work and for the anticipated time required for testimony.

True

Expert opinions cannot be presented without stating the underlying factual basis.

False

The American Bar Association (ABA) is a licensing body.

False

When searching for specific record information sometimes you see duplicate files with the same name that have different data runs meaning the file was written to disk more than once on separate occasions.

True

As an expert witness you can't testify if you weren't present when the event occurred.

False

When you're aware of a possible disqualification issue bring it to the attention of the opposing attorney.

False

No single source offers a definitive code of ethics for expert witnesses so you must draw on standards from other organizations to form your own ethical standards.

True

There are inherent conflicts between the goals of attorneys and the goals of scientists or technicians (experts).

True

What are the most important laws applying to attorneys and witnesses?

Rules of evidence

Forensic examiners may serve as what types of witnesses?

Fact and expert

What resource might attorneys use to search for information on expert witnesses?

Deposition banks

What type of questions can give the investigator the factual structure to support and defend his or her opinion?

Hypothetical

Which Federal Rule of Evidence is used to determine whether the expert is qualified and whether the expert opinion can be helpful?

FRE 702

Which Federal Rule of Evidence is used to determine whether the basis for testimony is adequate?

FRE 703

Which organization has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients?

American Bar Association (ABA)

Which document offers comprehensive guidance for psychologists with an entire section devoted to forensics activities?

American Psychological Association's (APA's) Ethics Code

Which standard states that to provide reliable and valid testimony the expert has the 'ethical responsibility to present a complete and unbiased picture of the . . . research relevant to the case at hand'?

Daubert

Attorneys who contact many experts as a ploy to disqualify them or prevent opposing counsel from hiring them are using what practice?

Conflicting out

Which outcome when caused by an ethical lapse could effectively be a death sentence for a career as an expert witness?

Disqualification

How can an investigator minimize any challenges an opposing attorney could make to discredit the investigator's report or testimony?

Being as thorough as possible

In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous contact with an opposing party?

Wang Laboratories, Inc. v. Toshiba Corp.

Suppose you have been hired to determine whether a corrupted file was intentionally altered or altered by a virus. Your forensic examination did not find evidence of a virus and did not find evidence of intentional alteration. What conclusion can you offer?

The cause of the corruption is unknown

Which action isn't usually punitive but can be embarrassing for the professional and potentially for the attorney who retained the professional?

Disqualification

Which term refers to internalized rules used to measure one's own performance?

Ethics

Requesting which of these will deter attorneys from communicating with an investigator solely for the purpose of disqualifying that investigator?

Retainer

Which of the following options would represent a valid retainer?

2-8 hours of your usual billable rate

What is reduced by knowing who the parties in a case are?

Possibility of a conflict

What can a consultant who doesn't testify earn for finding testifying experts or investigative leads?

Contingency fee