Mid Term

Question 1

True or False

Digital forensics and data recovery refer to the same activities

Answer 1

False

Question 2

Police in the united states must use the procedures that adhere to which of the following?

Answer 2

4th Amendment

Question 3

List two types of digital investigations typically conducted in a business environment.

Answer 3

Fraud

Espionage

Question 4

Why should evidence media be write-protected?

Answer 4

You don’t the original data to be altered or corrupted.

Question 5

Data collected before an attorney issues a memo for an attorney-client privilege case is a protected under the confidential work product rule.

Answer 5

False - they need to have a warrant

Question 6

An employer can be held liable for email harassment.

Answer 6

True

Question 7

The manager of a digital forensics lab is responsible for which of the following?

Answer 7

Understand what the digital forensics lab is responsible for.
Insuring enough staff training for the employers so they know they’re doing the job.
Know the objective of the designated task.

Question 8

To maintain the chain of custody and prevent data from being lost, corrupted, or stolen is the reason why physical security is so critical for digital forensics labs.

Answer 8

True

Question 9

A forensics workstation should always have a direct broadband connection to the internet.

Answer 9

False

Question 10

What name refers to labs constructed to shield EMR emissions?

Answer 10

Tempest

Question 11

Name the three formats for digital forensics data acquisitions.

Answer 11

Raw Format
Proprietary Formats
Advance Forensic Format

Question 12

What does a logical acquisition collect for an investigation?

Answer 12

Only specific files to interest to the case.

Question 13

Why is it good practice to make two images of a suspect drive in a critical investigation.

Answer 13

To ensure at least one good copy of the forensically collected data in case of any failures.

Question 14

What is a hashing algorithm?

Answer 14

A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk.

Question 15

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause.

Answer 15

True

Question 16

As a corporate investigator, you can become an agent of law enforcement when which of the following happens?

Answer 16

You begin to take orders from a police detective without a warrant or subpoena.
Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement

Question 17

What are the three rules for a forensic hash?

Answer 17

t can’t be predicted
No two files can have the same hash value
If the file changes, the hash value changes.

Question 18

Which of the following techniques might be used in covert surveillance?

Answer 18

Keylogging

Data sniffing refer to review sheets.

Question 19

List two hashing algorithms commonly used for forensics purposes.

Answer 19

MD5 and SHA-1

Question 20

What does MFT stand for?

Answer 20

Master File Table

Question 21

Device drivers contain what kind of information?

Answer 21

Instructing the hardware on how to operate on that particular operating system.

Question 22

An image of a suspect drive can be loaded on a virtual machine?

Answer 22

True

Question 23

What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?

Answer 23

It will not be encrypted.

Question 24

Forensic software tools are grouped into _____ and _____ applications

Answer 24

command line

GUI

Question 25

Hash values are used for which of the following purposes?

Answer 25

Filtering

Validating

Question 26

The verification function does which of the following?

Answer 26

Proves that two sets of data are identical via hash values

Question 27

The log report in forensics tools does which of the following?

Answer 27

Records an investigator’s actions in examining a case

Question 28

Capitalization, or lack thereof, makes no difference with UNIX and Linux commands

Answer 28

False - Linux is case sensitive.

Question 29

What file under the /etc folder contains the hashed passwords for a local system?

Answer 29

Shadow

Question 30

_____ contain file and directory metadata and provide a mechanism for linking data stored in data blocks.

Answer 30

Inodes

Question 31

Where is the root user’s home directory located on a MAC OS X file system?

Answer 31

/private/var/root

Question 32

_____ is a specialized carving tool that can read many image file formats, such as RAW and Expert Witness.

Answer 32

Foremost

Question 33

How many bits are required to create a pixel capable of displaying 65,536 different colors.?

Answer 33

16

Question 34

What kind of graphics file combines bitmap and vector graphics types?

Answer 34

GIF, JPG, PNG

Question 35

The process of converting raw picture data to another format is called _____.

Answer 35

Demosaicing

Question 36

Referred to as a digital negative, the _____ is typically used on many higher end digital cameras.

Answer 36

raw file format