Set 2 Flashcards
Which is not a formal position in a forensics lab?
Investigator, manager, analyst, legal manager
Legal manager
What are the certification (accreditation) standards for a forensic laboratory?
ASCLD/LAB (American Society of Crime Laboratory Directors / Laboratory Accreditation Board) performs the accreditation; its process is based on ISO/IEC 17025:2005.
Which role develops and enforces lab policies?
lab manager
Which role testifies to the facts of the data gathered?
Analyst
Which is not a service offered by a forensics lab?
Adversary emulation
Parking lot security and biometric authentication belong to which lab security level?
Lab level 4
Classify each as a physical control, a technical control, or neither:
Fencing
Bollards
Identity management
Firewalls
Security
Training
Procedures
Fencing, bollards: physical
Identity management, firewalls, security: technical
Training, procedures: neither (administrative)
CCTV (closed-circuit television) is what type of physical security control?
Preventative, detective, corrective, recovery, deterrent, or compensate
Detective
George needs a forensics package that is free to use and can examine images of hard drives. What should he use?
Autopsy
Ken is a lead investigator surveying a crime scene. Which tool ensures digital evidence is not contaminated (written to) while it is being examined or imaged?
Write Blocker
A company is closing and highly sensitive data is on its systems. Which sanitization method must be used?
Destroy
Which is not a sanitization term?
Wipe
Which forensic toolkit (a Linux distribution) is maintained by SANS to help with forensic investigations?
SIFT
Which organization publishes the specification for data sanitization standards?
NIST (National Institute of Standards and Technology), in SP 800-88 (Guidelines for Media Sanitization)
Which organization tests free tools used to examine images of hard drives?
CFTT (Computer Forensics Tool Testing), a NIST program that publishes tool test reports and a handbook; it tests tools against specifications rather than certifying them
Before you seize any evidence what must you have?
A warrant
As a member of her organization's IS team, Larissa is performing a data forensic investigation involving 3 members of the corporate finance team. Before Larissa can seize any evidence from the suspect employees' computers, she must have an active warrant. True or False?
False
The 5th Amendment covers search and seizure. True or False?
False; the 4th Amendment covers search and seizure
When going to a judge with a request to seize digital evidence, what must the request provide?
Probable cause
Evidence may be seized without a warrant if people are in danger; what are these situations called?
Exigent circumstances
Under which doctrine may you seize incriminating evidence that is in plain sight, without a warrant?
Plain view doctrine
A notice telling employees that their system use may be monitored is called what?
Login banner
Michelle is completing an affidavit for review with a judge. Which of the following would she not include in the document?
A reference number to the approved warrant
What does the dd command do? Why sudo dd?
dd makes a forensic bit-by-bit copy of a drive to one of several destinations:
Disk to disk
Disk to image file
Disk to network (the output piped over ssh or netcat)
sudo runs dd with root privileges, which are needed to read a raw block device such as /dev/sda.
Which of the following is not considered an aspect used to define a crime scene?
Locations where witnesses are located
Which of the following would not be considered an obligation to a first responder to a crime scene?
Allow all individuals to leave the scene
Which is not considered a key to securely packaging evidence?
Contain arson evidence in a porous container
A data forensic analyst who does not follow the appropriate evidence collection procedure can complete a statement of admissibility so that any evidence that was potentially contaminated can still be considered admissible in a court of law. True or False?
False
Which of the following employee activities is considered most suspicious?
The user appears to have connected to an FTP site hosted on a residential ISP address
Which tool in Windows can be used to create, delete, or manage disk volumes?
Disk Part
What could you do to stop a running process on Linux from destroying or corrupting digital evidence?
Pull the plug (cutting power stops the process writing, but loses volatile memory, so capture RAM first if it is needed)
Command-line choice?
halt
Beau is a data forensic investigator for the FBI. A murder occurred in a large-scale office building in downtown Atlanta where Beau is called as a first responder. A suspect is at the scene with his laptop while Beau waits for a warrant to be approved by a judge. What steps could he take in order to seize and search the suspect’s laptop immediately?
Have the suspect sign a consent form
When discussing network surveillance, which 2 layers of the OSI model contain addressing information (IP addresses and port numbers) that could be monitored and collected as metadata under various electronic surveillance laws?
Network and Transport
Which of the following types of drives is not considered magnetic media?
Solid State
Flash memory such as SD cards and microSD cards comes with a switch that allows it to be placed into read-only mode to prevent corruption of evidence. True or False?
True for full-size SD cards, which have a lock slider; microSD cards themselves have no switch (only the SD adapter does). The lock is also advisory: the host's driver honours it and the card does not enforce it, so it is not a substitute for a hardware write blocker.
Which of the following file systems would not be Windows-based?
ext4 (Linux)
Two techniques used to compress graphics files?
Huffman coding and LZW
When a computer is first powered on, the first phase, which checks that basic communication exists between critical parts of the system, is called?
POST (power-on self-test)
When referring to MACE properties (NTFS timestamps), what does M mean?
Modified (the others are Accessed, Created, and Entry modified, the last being the MFT entry)
In a standard magnetic hard drive, concentric circles are written into platters and they’re referred to as?
Tracks
Which of the following is not considered a standard interface for hard drives?
ISCA
Which of the following RAID configurations does not offer fault tolerance?
RAID 0 (striping only)
Which Sleuth Kit command could be used to recover deleted files from a hard drive by their metadata (inode or MFT) address?
icat
Which process is used by a data forensic analyst to determine the presence of steganography in a file?
Steganalysis
When using a tool such as Autopsy or The Sleuth Kit to recover a deleted file from a hard drive by scanning for its header and footer, you are using a process known as?
File carving
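As an added example (not code from the flashcards, Autopsy or The Sleuth Kit), a minimal header/footer carver run over a constructed raw image, so the difference from icat is visible: icat walks file-system metadata (an inode or MFT entry) to the file's clusters and needs that metadata intact, whereas carving ignores the file system and scans raw bytes for known signatures, which recovers data after the metadata is gone but loses names and timestamps and goes wrong on fragmented files. The signature table, size cap and sample image are all constructed here.

```python
"""Added example: header/footer file carving over a raw image, in Python.

Carving ignores the file system: it scans bytes for the magic values that begin
and end known file types. The signature table, size cap and the sample image
below are constructed for this example.
"""
import hashlib

# (header, footer) magic bytes per type; the footer search is capped so a header
# whose footer is gone does not swallow the rest of the image.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_CARVE_LEN = 10 * 1024 * 1024


def carve(image, signatures=SIGNATURES, max_len=MAX_CARVE_LEN):
    """Return carved-file records sorted by offset.

    A header with no footer inside max_len is reported with complete=False and
    carved up to the cap: that is the truncated or fragmented file an examiner
    has to inspect by hand rather than trust.
    """
    hits = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + max_len)
            end = image.find(footer, pos + len(header), limit)
            if end != -1:
                length, complete = end + len(footer) - pos, True
            else:
                length, complete = limit - pos, False
            blob = image[pos:pos + length]
            hits.append({
                "type": kind, "offset": pos, "length": length,
                "complete": complete,
                "sha256": hashlib.sha256(blob).hexdigest(),  # for the evidence log
            })
            # Resume after a complete file; after an incomplete one, just past its header.
            pos = image.find(header, pos + (length if complete else len(header)))
    return sorted(hits, key=lambda h: h["offset"])


def extract(image, hit):
    """Bytes of one carved file; a tool would write this out as <offset>.<type>."""
    return image[hit["offset"]:hit["offset"] + hit["length"]]


def build_constructed_image():
    """Constructed raw image: zeroed unallocated space around a small JPEG-like
    blob, a PNG-like blob, and a JPEG header whose footer was overwritten."""
    filler = b"\x00" * 512
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-constructed-body" + b"IEND\xae\x42\x60\x82"
    truncated_jpeg = b"\xff\xd8\xff\xe1" + b"cut"
    return filler + jpeg + filler + png + filler + truncated_jpeg


if __name__ == "__main__":
    img = build_constructed_image()
    for h in carve(img):
        state = "complete" if h["complete"] else "TRUNCATED"
        print(h["type"], "offset", h["offset"], "length", h["length"], state)
```

Nothing in the output carries a file name or a timestamp: those live in the MFT or inode, which is exactly what carving does not consult, so a carved file is identified by its offset and hash rather than by where the file system said it lived.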
Which record in the MFT would have been damaged if the file system could no longer tell which clusters (file blocks) were in use?
$Bitmap, the NTFS metadata file that records which clusters are allocated ("spinning rust" is slang for a magnetic hard drive, not an MFT record)
A magnetic hard drive file system block is called a cluster. It is composed of a number of?
Sectors
Which action is part of contingency planning for data acquisition?
Make a copy with two different tools
Which of the following must be covered in a search warrant?
All of the above
Which of the following is a characteristic that does not belong in a computer forensics lab?
Windows that open