Module 6 Quiz Flashcards
Hash values are used for which of the following purposes?
Determining file size
Filling disk slack
Reconstructing file fragments
Validating that the original data hasn’t changed
Validating that the original data hasn’t changed
The primary hashing algorithm the NSRL project uses is SHA-1.
True
False
True
Building a forensic workstation is more expensive than purchasing one.
True
False
False
The standards for testing forensics tools are based on which criteria?
U.S. Title 18
ASTD 1975
ISO 17025
All of the above
ISO 17025
According to ISO standard 27037, which of the following is an important factor in data acquisition?
The DEFR’s competency
The DEFR’s skills in using the command line
Conditions at the acquisition setting
None of the above
The DEFR’s competency
The reconstruction function is needed for which of the following purposes?
Re-create a suspect drive to show what happened.
Create a copy of a drive for other investigators.
Re-create a drive compromised by malware.
All of the above
All of the above
The verification function does which of the following?
Proves that a tool performs as intended
Creates segmented files
Proves that two sets of data are identical via hash values
Verifies hex editors
Proves that two sets of data are identical via hash values
Forensics software tools are grouped into ______ and ______ applications.
Portable, Desktop
Mobile, PC
Local, remote
GUI, command-line
GUI, command-line
Data can’t be written to disk with a command-line tool.
True
False
False
Which of the following is true of most drive-imaging tools?
They perform the same function as a backup.
They ensure that the original drive doesn’t become corrupt and damage the digital evidence.
They must be run from the command line.
All of the above
They ensure that the original drive doesn’t become corrupt and damage the digital evidence.
A live acquisition can be replicated.
True
False
False
When using a write-blocking device, you can’t remove and reconnect drives without having to shut down your workstation.
True
False
False
A log report in forensics tools does which of the following?
Tracks file types
Monitors network intrusion attempts
Records an investigator’s actions in examining a case
Lists known good files
Records an investigator’s actions in examining a case
Data viewing, keyword searching, and decompressing are three subfunctions of the extraction function.
True
False
True
When validating the results of a forensic analysis, you should do which of the following?
Calculate the hash value with two different tools.
Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results.
Use a command-line tool and then a GUI tool.
None of the above
Calculate the hash value with two different tools.