meh

Question 1

This involves recovering information that could have been deleted by mistake or lost during a power outage for example.

Answer 1

data recovery

Question 2

This is the process of obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases.

Answer 2

Computer forensics

Question 3

This kind of investigation usually involves criminal cases and government agencies

Answer 3

public investigations

Question 4

This refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence

Answer 4

chain of custody

Question 5

The witness or victim is often referred to as this. He or she makes an allegation to the police (an accusation or supposition of fact that a crime has been committed).

Answer 5

Complainant

Question 6

This is a sworn statement of support of facts about or evidence of a crime is submitted to a judge with the request for a search warrant before seizing evidence.

Answer 6

affidavit

Question 7

Police officers may have different _____ of expertise or certifications.

Answer 7

levels

Question 8

Your professional ______ as a computer investigation and forensics analyst is critical because it determines your credibility. Professional _____ includes ethics, morals, and standards of behavior. Note: it’s the same word twice.

Answer 8

conduct

Question 9

Part of the evidence gathering process involves keeping a form called an ___________ form.

Answer 9

evidence

Question 10

To secure and catalog the evidence contained in large computer components, you can use large ______ bags, tape, tags, labels, and other products available from police supply

Answer 10

evidence bags

Question 11

This is a bit-by-bit copy (also known as a sector copy) of the original drive or storage medium and is an exact duplicate.

Answer 11

Bit-stream copy

Question 12

The target disk that is used to copy evidence data should be at least _______ the size of the evidence disk

Answer 12

1.5x

Question 13

This is the acronym of the name of Windows 8’s file-system

Answer 13

ReFS

Question 14

At minimum, a forensics lab should have a __________ log listing people who have accessed the lab

Answer 14

visitor’s log

Question 15

A _______ ______ plan ensures that you can restore your forensic lab’s workstations and file servers to their original condition if a catastrophic failure occurs.

Answer 15

disaster recovery

Question 16

The process of recording all updates made on a lab’s workstations is called __________ management.

Answer 16

config/change

Question 17

This storage format is a universal format that is fast and is able to ignore minor data read errors on a source drive.

Answer 17

raw format

Question 18

One can validate digital evidence using a ________ algorithm such as MD5 or SHA-1

Answer 18

hashing

Question 19

This RAID level is made up of two disks and if one drive fails, the OS switches to the other disk. The contents on the two disks is identical.

Answer 19

raid-1

Question 20

Only ______ person (how many?) should collect and catalog digital evidence at a crime scene or lab.

Answer 20

1

Question 21

________ is an out-of-court statement that is offered to prove the truth of the matter asserted in the statement.

Answer 21

hearsay

Question 22

To establish authorship of digital evidence in some cases, attorneys can use __________ evidence, which requires finding other clues associated with the suspect’s computer or location.

Answer 22

circumstantial

Question 23

________ cause refers to the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.

Answer 23

probable

Question 24

This is the file system that was commonly used in Windows 95, 98, Me, 200, XP, and Vista. Disks could be as large as 2TB.

Answer 24

fat-32

Question 25

When Microsoft introduced Windows 2000, it added built-in encryption to NTFS called this

Answer 25

Encrypting File System (EFS)

Question 26

When a laptop, smartphone, or other digital device is retrieved, its contents are unknown and pose a challenge to the examiner. The evidence can be __________ evidence (in criminal cases, the expression is “incriminating”) or ________ evidence, meaning it tends to clear the suspect.

Answer 26

Inculpatory and exculpatory

Question 27

The witness or victim (often referred to as the “complainant”) makes an______ to the police, an accusation or supposition of fact that a crime has been committed.

Answer 27

Allegation

Question 28

The most important policies are those defining the rules for using the company’s computers and networks; this type of policy is commonly known as an “______ ___ policy.”

Answer 28

Acceptable use

Question 29

Another way a private or public organization can avoid litigation is to display a warning ______ on computer screens

Answer 29

Banner

Question 30

Data acquisition is the task of collecting digital evidence from electronic media. There are two types:

Answer 30

static and live

Question 31

When confidential business data gets included with the criminal evidence, this data is referred to as __________ data.

Answer 31

Commingled

Question 32

The ___ command, available on all UNIX and Linux distributions means “data dump.” This command has many functions such copying an entire device (all data files, slack space, and free space). It creates a raw format that most forensics tools can read. Most forensics tools have this command built in already.

Answer 32

dd

Question 33

The _____ Amendment to the U.S. Constitution (and each state’s constitution) protects everyone’s rights to be secure in their person, residence, and property from search and seizure, for example.

Answer 33

fourth

Question 34

All updates done to workstations in a lab should be recorded by using a process called __________ management.

Answer 34

Configuration

Question 35

A _______ acquisition captures only specific files of interest to the case or specific types of files

Answer 35

Logical

Question 36

This is the ISO standard for Digital Forensics

Answer 36

27037?

Question 37

A regulation intended to strengthen and unify data protection for all individuals within the EU and addresses the export of personal data outside the EU

Answer 37

GDPR

Question 38

This type (grade) of forensics lab has the highest security and is the most expensive. It can block computer emanation among other things.

Answer 38

Tempest

Question 39

This exception allows “records of regularly conducted activity,” such as business memos, reports, records, or data compilations. Generally, computer records are considered admissible if they qualify as a business record.

Answer 39

Business-record exception

Question 40

This rule states that to prove the content of a written document, recording, or photograph, ordinarily the original writing, recording, or photograph is required.

Answer 40

The best evidence rule

Question 41

The _____ _____ doctrine states that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence.

Answer 41

plain view doctrine

Question 42

This is the unused portion of the hard drive.

Answer 42

Unallocated space

Question 43

This is the unused space that is created between the end-of-file marker and the end of the hard drive cluster in which the file is stored.

Answer 43

File slack or slack space