Module 9 Quiz Flashcards

1
Q

If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords?

Salting can make password recovery extremely difficult and time consuming.

The effect on the computer’s CMOS clock could alter files’ date and time values.

There are no concerns because salting doesn’t affect password-recovery tools.

Salting applies only to OS startup passwords, so there are no serious concerns for examiners.

A

Salting can make password recovery extremely difficult and time consuming.

2
Q

Rainbow tables serve what purpose for digital forensics examinations?

Rainbow tables are designed to enhance the search capability of many digital forensics examination tools.

Rainbow tables are a supplement to the NIST NSRL library of hash tables.

Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords.

Rainbow tables provide a scoring system for probable search terms.

A

Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords.

3
Q

Suppose you’re investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?

Internal corporate investigation because corporate investigators typically have ready access to company records

Internal corporate investigation because ISPs almost always turn over e-mail and access logs when requested by a large corporation

Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly

Criminal investigation because law enforcement agencies have more resources at their disposal

A

Internal corporate investigation because corporate investigators typically have ready access to company records

4
Q

Which forensic image file format creates or incorporates a validation hash value in the image file?

Expert Witness

AFF

SMART

All of the above

A

All of the above

5
Q

After you shift a file’s bits, the hash value remains the same.

True

False

A

False

6
Q

The National Software Reference Library provides what type of resource for digital forensics examiners?

A repository for software vendors to register their developed applications

A list of MD5 and SHA1 hash values for all known OSs and applications

A list of digital forensics tools that make examinations easier

Reference books and materials for digital forensics

A

A list of MD5 and SHA1 hash values for all known OSs and applications

7
Q

For which of the following reasons should you wipe a target drive?

a: To ensure the quality of digital evidence you acquire

b: To make sure unwanted data isn’t retained on the drive

Both a and b

Neither of the above

A

Both a and b

8
Q

The Known File Filter (KFF) can be used for which of the following purposes?

a: Filter known program files from view.

b: Calculate hash values of image files.

c: Compare hash values of known files with evidence files.

Both a and c

A

Both a and c

9
Q

Commercial encryption programs often rely on key escrow technology to recover files if a password or passphrase is lost.

True

False

A

True

10
Q

You’re using Disk Management to view primary and extended partitions on a suspect’s drive. The program reports the extended partition’s total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?

Nothing; this is what you’d expect to see.

The disk is corrupted.

There’s a hidden partition.

The drive is formatted incorrectly.

A

There’s a hidden partition.

11
Q

In steganalysis, cover-media is which of the following?

The type of steganographic method used to conceal a message

The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file

A specific type of graphics file used only for hashing steganographic files

The content of a file used for a steganography message

A

The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file

12
Q

Scope creep happens when an investigation goes beyond the bounds of its original description.

True

False

A

True

13
Q

The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length.

True

False

A

True

14
Q

Which of the following represents known files you can eliminate from an investigation?

Files associated with an application

Any graphics files

Any files pertaining to the company

All of the above

A

Files associated with an application

15
Q

Block-wise hashing has which of the following benefits for forensics examiners?

Allows validating sector comparisons between known files

Provides a faster way to shift bits in a block or sector of data

Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect’s drive

Verifies the quality of OS files

A

Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect’s drive

16
Q

Steganography is used for which of the following purposes?

Validating data

Accessing remote computers

Hiding data

Creating strong passwords

A

Hiding data

17
Q

Password recovery is included in all forensics tools.

True

False

A

False