Preassessment attempt 1 Flashcards
Which law requires both parties to consent to the recording of a conversation?
Electronic Communications Privacy Act (ECPA)
Communications Assistance to Law Enforcement Act (CALEA)
USA Patriot Act
Health Insurance Portability and Accountability Act (HIPAA)
Electronic Communications Privacy Act (ECPA)
Which law is related to the disclosure of personally identifiable protected health information (PHI)?
Federal Privacy Act of 1974
Electronic Communications Privacy Act
Health Insurance Portability and Accountability Act (HIPAA)
CAN-SPAM Act
Health Insurance Portability and Accountability Act (HIPAA)
Which U.S. law criminalizes the act of knowingly using a misleading domain name with the intent to deceive a minor into viewing harmful material?
18 U.S.C. 2252B
CAN-SPAM Act
Children’s Online Privacy Protection Act (COPPA)
Communications Decency Act
18 U.S.C. 2252B
Which U.S. law protects journalists from turning over their work or sources to law enforcement before the information is shared with the public?
The Privacy Protection Act (PPA)
The Federal Privacy Act
The Communications Assistance to Law Enforcement Act (CALEA)
The Electronic Communications Privacy Act (ECPA)
The Privacy Protection Act (PPA)
Which law or guideline lists the four states a mobile device can be in when data is extracted from it?
NIST SP 800-72 Guidelines
The USA Patriot Act
NIST SP 101r1 Guidelines
The Electronic Communications Privacy Act (ECPA)
NIST SP 800-72 Guidelines
Which law includes a provision permitting the wiretapping of VoIP calls?
Communications Assistance to Law Enforcement Act (CALEA)
USA Patriot Act
Electronic Communications Privacy Act (ECPA)
Sarbanes-Oxley Act (SOX)
Communications Assistance to Law Enforcement Act (CALEA)
Which policy is included in the CAN-SPAM Act?
The email sender must provide some mechanism whereby the receiver can opt out of future emails and that method cannot require the receiver to pay in order to opt out.
Whoever knowingly uses a misleading domain name on the Internet with the intent to deceive a person into viewing material constituting obscenity shall be fined or imprisoned not more than 2 years, or both.
Law enforcement officers may now intercept communications to and from the computer trespasser if they have reasonable grounds to believe that the trespasser’s communications will be relevant to the investigation.
A business can claim the business extension exemption only for monitoring by certain types of equipment; the recording must occur in the ordinary course of business.
The email sender must provide some mechanism whereby the receiver can opt out of future emails and that method cannot require the receiver to pay in order to opt out.
Which United States law requires telecommunications equipment manufacturers to provide built-in surveillance capabilities for federal agencies?
Electronic Communication Privacy Act (ECPA)
Communication Assistance to Law Enforcement Act (CALEA)
Foreign Intelligence Surveillance Act (FISA)
USA Patriot Act
Communication Assistance to Law Enforcement Act (CALEA)
Which law requires a search warrant or one of the recognized exceptions to the search warrant requirements for searching email messages on a computer?
The CAN-SPAM Act
The Fourth Amendment to the U.S. Constitution
USC 2252B
The Communication Assistance to Law Enforcement Act
The Fourth Amendment to the U.S. Constitution
Where are local passwords stored for the Windows operating system?
SAM file in \Windows\System32\
SAM file in \Windows\Security\
In the registry key HKEY_LOCAL_MACHINE\SYSTEM
In the registry key HKEY_LOCAL_MAHCINE\SECURITY
SAM file in \Windows\System32\
Where on a Windows system is the config folder located that contains the SAM file?
C:\Windows\System32
C:\Windows\SystemResources
C:\Program Files
C:\Users
C:\Windows\System32
A forensic examiner wants to try to extract passwords for wireless networks to which a system was connected.
Where should passwords for wireless networks be stored on a Windows XP system?
BIOS
Registry
Program Files
Bash
Registry
Which Windows password cracking tool uses rainbow tables?
Ophcrack
ComputerCOP
Sleuth Kit
Digital Intelligence
Ophcrack
How does a rainbow table work to crack a password?
It uses a table of all possible keyboard combinations and their hash values, then searches for a match.
It uses a table to store hash value for every character in the alphabet, then assembles them to create a match.
It starts with a hashed password and then decrypts each individual character.
It searches for passwords stored in RAM and startup files and then matches them to the predefined table.
It uses a table of all possible keyboard combinations and their hash values, then searches for a match.
What should a forensic investigator use to gather the most reliable routing information for tracking an email message?
Email header
Email address
Tracert
Netstat
Email header
Which activity involves email tracing?
Determining the ownership of the source email server
Making bit-by-bit copies of each of the email servers involved
Performing nslookup on the recipient of the message
Removing email header information
Determining the ownership of the source email server
A forensic examiner reviews a laptop running OS X which has been compromised. The examiner wants to know if there were any mounted volumes created from USB drives.
Which digital evidence should be reviewed?
/var/log
/var/vm
/Users/<user>/.bash_history</user>
/Users/<user>/Library/Preferences</user>
/var/log
Which log or folder contains information about printed documents on a computer running Mac OS X?
/var/spool/cups
/var/log
/var/vm
/var/log/lpr.log
/var/spool/cups
Which Windows event log should be checked for evidence of invalid logon attempts?
Security
System
Application
ForwardedEvents
Security
A cyber security organization has issued a warning about a cybercriminal who is using a known vulnerability to attack unpatched corporate Macintosh systems. A network administrator decides to examine the software updates logs on a Macintosh system to ensure the system has been patched.
Which folder contains the software updates logs?
/Library/Receipts
/var/spool/cups
/proc
/var/log
/Library/Receipts
A forensic investigator wants to image an older BlackBerry smartphone running OS 7.0.
Which tool should the investigator use?
BlackBerry Desktop Manager
BlackBerry Extractor
CopyQM Plus
The Sleuth Kit
BlackBerry Desktop Manager
An investigator wants to extract information from a mobile device by connecting it to a computer.
What should the investigator take great care to ensure?
That the mobile device does not synchronize with the computer
That the mobile device is updated with the latest operating system
That proper step information is written to the mobile device
That current time stamps of forensics activities are written to the device
That the mobile device does not synchronize with the computer
Which state is a device in if it is powered on, performing tasks, and able to be manipulated by the user?
Active
Nascent
Quiescent
Guest-mode
Active
The chief information officer of an accounting firm believes sensitive data is being exposed on the local network.
Which tool should the IT staff use to gather digital evidence about this security vulnerability?
Sniffer
Tracer
Disk analyzer
Virus scanner
Sniffer
A police detective investigating a threat traces the source to a house. The couple at the house shows the detective the only computer the family owns, which is in their son’s bedroom. The couple states that their son is presently in class at a local middle school.
How should the detective legally gain access to the computer?
Obtain consent to search from the parents
Seize the computer under the USA Patriot Act
Seize the computer under the Computer Security Act
Obtain a search warrant from the police
Obtain consent to search from the parents
How should a forensic scientist obtain the network configuration from a Windows PC before seizing it from a crime scene?
By using the ipconfig command from a command prompt on the computer
By using the tracert command from a command prompt on the computer
By installing a network packet sniffer on the computer
By logging into the router to which the PC is connected
By using the ipconfig command from a command prompt on the computer
The human resources manager of a small accounting firm believes he may have been a victim of a phishing scam. The manager clicked on a link in an email message that asked him to verify the logon credentials for the firm’s online bank account.
Which digital evidence should a forensic investigator collect to investigate this incident?
Browser cache
Security log
System log
Disk cache
Browser cache
After a company’s single-purpose, dedicated messaging server is hacked by a cybercriminal, a forensics expert is hired to investigate the crime and collect evidence.
Which digital evidence should be collected?
Firewall logs
Workstation logs
Phishing emails
Spam messages
Firewall logs
Thomas received an email stating that he needed to follow a link and verify his bank account information to ensure it was secure. Shortly after following the instructions, Thomas noticed money was missing from his account.
Which digital evidence should be considered to determine how Thomas’ account information was compromised?
Flash drive contents
Social media accounts
Email messages
Router logs
Email messages
The chief executive officer (CEO) of a small computer company has identified a potential hacking attack from an outside competitor.
Which type of evidence should a forensics investigator use to identify the source of the hack?
Browser history
Email headers
Network transaction logs
Disk drive backups
Network transaction logs
A forensic scientist arrives at a crime scene to begin collecting evidence.
What is the first thing the forensic scientist should do?
Photograph all evidence in its original place
Unplug all network connections so data cannot be deleted remotely
Turn off the power to the entire area being examined
Gather up all physical evidence and move it out as quickly as possible
Photograph all evidence in its original place
Which method of copying digital evidence ensures proper evidence collection?
Make the copy at the bit-level
Copy files using drag and drop
Make the copy using file transfer
Copy the logical partitions
Make the copy at the bit-level
A computer involved in a crime is infected with malware. The computer is on and connected to the company’s network. The forensic investigator arrives at the scene.
Which action should be the investigator’s first step?
Unplug the computer’s Ethernet cable.
Unplug the computer’s power cord.
Remove the malware and secure the computer.
Label all the attachments and secure the computer.
Unplug the computer’s Ethernet cable.
What are the three basic tasks that a systems forensic specialist must keep in mind when handling evidence during a cybercrime investigation?
Answer options may be used more than once or not at all. Select your answers from the pull-down list.
Find evidence
Catalog evidence
Disseminate evidence
Preserve evidence
Prepare evidence
Prepare evidence report
Make multiple copies of evidence
Find evidence
Preserve evidence
Prepare evidence
How do forensic specialists show that digital evidence was handled in a protected, secure manner during the process of collecting and analyzing the evidence?
Forensic lab logbooks
Chain of custody
Forensic software logs
Chain of email messages
Chain of custody
Which characteristic applies to magnetic drives compared to solid-state drives (SSDs)?
Lower cost
Lower capacity
Lower power consumption
Better durability
Lower cost
Which characteristic applies to solid-state drives (SSDs) compared to magnetic drives?
They are less susceptible to damage.
They cost less.
They have slower start-up times.
They use more power.
They are less susceptible to damage.
Which type of storage format should be transported in a special bag to reduce electrostatic interference?
Solid-state drives
Optical media
Digital audio tapes
Magnetic media
Magnetic media
Which Windows component is responsible for reading the boot.ini file and displaying the boot loader menu on Windows XP during the boot process?
NTLDR
NTOSKRNL
Windows Registry
Win32 subsystem
NTLDR
The following line of code is an example of how to make a forensic copy of a suspect drive:
dd if=/dev/mem of=/evidence/image.memory1
Which operating system should be used to run this command?
Windows
Chrome
BlackBerry
Linux
Linux
Which file system is supported by Mac?
Berkeley Fast File System (FFS)
Extended File System (Ext)
Reiser File System (ReiserFS)
Hierarchical File System Plus (HFS+)
Hierarchical File System Plus (HFS+)
What is one purpose of steganography?
To deliver information secretly
To alter the color of a photo
To decipher encrypted messages
To prevent images from being edited
To deliver information secretly
Which method is used to implement steganography through pictures?
LSB
MD5
3DES
ROT13
LSB
The chief information security officer of a company believes that an attacker has infiltrated the company’s network and is using steganography to communicate with external sources. A security team is investigating the incident. They are told to start by focusing on the core elements of steganography.
What are the core elements of steganography?
Process, intelligence, mobility
Telemetry, cryptography, multiplexing
Payload, carrier, channel
Transport, network, data link
Payload, carrier, channel
A system administrator believes data are being leaked from the organization. The administrator decides to use steganography to hide tracking information in the types of files he thinks are being leaked.
Which steganographic term describes this tracking information?
Payload
Carrier
Channel
Audit
Payload
A criminal organization has compromised a third-party web server and is using it to control a botnet. The botnet server hides command and control messages through the DNS protocol.
Which steganographic component are the command and control messages?
Payload
Carrier
Channel
Dead drop
Payload
Which method is commonly used to hide data via steganography?
LSB
AES
DES
RSA
LSB
A system administrator believes an employee is leaking information to a competitor by hiding confidential data in images being attached to outgoing emails. The administrator has captured the outgoing emails.
Which tool should the forensic investigator use to search for the hidden data in the images?
Forensic Toolkit (FTK)
Snow
Data Doctor
Wolf
Forensic Toolkit (FTK)
A foreign government is communicating with its agents in the U.S. by hiding text messages in popular American songs, which are uploaded to the web.
Which steganographic tool can be used to do this?
MP3Stego
QuickStego
Steganophony
Snow
MP3Stego
During a cyber-forensics investigation, a USB drive was found that contained multiple pictures of the same flower.
How should an investigator use properties of a file to detect steganography?
Compare the file extensions using a tool such as Windows Explorer
Process the file using SHA-1 to generate a new hash value to compare using a tool such as FTK
Review the properties log looking for changes compared to the original file using a tool such as EnCase
Review the hexadecimal code looking for anomalies in the file headers and endings using a tool such as EnCase
Review the hexadecimal code looking for anomalies in the file headers and endings using a tool such as EnCase
