Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Computer Forensics > Test 2 > Flashcards

Test 2 Flashcards

1
Q

You are completing a chain of custody for seizing a hard drive. Which of the following steps is out of order?

A)

Seize the drive.

B)

Create an exact image of the drive.

C)

Analyze the data on the drive.

D)

Mount the drive in read-only mode.

A

D)

Mount the drive in read-only mode.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Which of the following are limitations to salvaging data through data carving?

1)

File name and date-time stamps that were associated with the file are not salvaged.

2)

The size of the original file may not be known, making it necessary to guess how much
data to carve out.

3)

Simple carving assumes all portions of the file were stored contiguously, and not
fragmented.

4)

All of the above.

A

4)

All of the above.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Whenever you introduce documentary evidence, you must introduce an original document, not a copy. This is called the ________ rule. (two words)

A

Best evidence

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

An independent computer forensic investigator can execute a search warrant.

1) True
2) False
A

2) False

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Removable or external media generally contain intentionally archived and/or transient files.

1) True
2) False
A

1) True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

The proper collection of evidence at a crime scene is crucial in terms of admissibility in court.

1) True
2) False
A

1) True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Taking photos of real evidence is part of the chain of custody.

1) True
2) False
A

1) True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

You must often find specific keywords or phrases that appear in large numbers of files. Which tool should you use?

A)

File viewer

B)

Extension checker

C)

Unerase tool

D)

Searching tool

A

D)

Searching tool

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

You seized a PDA as evidence during an investigation. You extracted the information and analyzed it to find what you were looking for. You left the PDA powered on in its charger while stored. While testifying as an expert witness in court, you are asked if the data in the PDA has changed. You should truthfully answer “Yes.”

1) True
2) False
A

1) True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

You need to perform a drive integrity check. You use a forensic tool to calculate a hash value. Which of the following might you end up with? (Choose all that apply.)

A)

UFD

B)

CFTT

C)

MD5

D)

SHA-1

A

C)

MD5

D)

SHA-1

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Shutting a system down prevents entries from being written to activity log files and preserves the state of the evidence.

1) True
2) False
A

2) False

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Since crime scenes are typically pretty much the same, very little planning needs to take place prior to first entering the scene.

1) True
2) False
A

2) False

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

When entering a crime scene, the initial survey should:

1)

Include user manuals

2)

Involve tracing cables

3)

Collect relevant data such as passwords and account details

4)

All of the above

A

4) All of the above

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

A company that suffered a security breach refuses to hand over computer evidence because of the possibility of additional sensitive information being leaked. Which of the following search and seizure methods is most appropriate to engage?

A)

Voluntary surrender

B)

Subpoena

C)

Search warrant

D)

None of the above

A

B) Subpoena

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Fingerprints are an example of which type of evidence?

A)

Real

B)

Documentary

C)

Testimonial

D)

Demonstrative

A

A) Real

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

When shutting down a live system it is generally recommended to unplug the power from the back of the computer.

1) True
2) False
A

1) True

17
Q

Unallocated space is:

1)

The space between the end of a volume and the end of a partition

2)

The space in a cluster that is not occupied by the file in that cluster

3)

The space on a disk that is not assigned to files

4)

The space left on a disk after a file is deleted

A

3)

The space on a disk that is not assigned to files

18
Q

A handwritten note is an example of which types of evidence? (Choose all that apply.)

A)

Real

B)

Documentary

C)

Testimonial

D)

Demonstrative

A

B)

Documentary

C)

Testimonial

D)

Demonstrative

19
Q

Which of the following is not a technique for ensuring the admissibility of evidence in court?

A)

Know the rules surrounding evidence collection and handling.

B)

Protect the chain of custody.

C)

Treat every incident as a criminal act.

D)

Obtain a search warrant even when a client surrenders evidence voluntarily.

A

D)

Obtain a search warrant even when a client surrenders evidence voluntarily.

20
Q

Examples of data that should be immediately preserved include:

1)

USB drives

2)

Digital picture frames

3)

System and network information

4)

USB bracelets

A

3)

System and network information

21
Q

The likelihood of collecting notable information from a running computer is relatively small, so it is safe to shut down any running computer to preserve the data on the hard drive.

1) True
2) False
A

2) False

22
Q

__________ evidence cannot stand on its own and must be authenticated.

A

Answer: Documentary

23
Q

When you enter a crime scene, document the scene by taking photographs, drawing sketches, and writing descriptions of what you see. The photos, drawings, and notes form the initial __________. (two words)

A

Answer: site survey

24
Q

The courts apply two basic standards to all evidence. Any evidence you want to use in a court case must be ________ and admissible.

A

Answer: relevant

25
Q

File slack space is:

1)

The space between the end of a volume and the end of a partition

2)

The sectors in a cluster that are not occupied by the file in that cluster

3)

The space on a disk that is not allocated to files

4)

The space left on a disk after a file is deleted

A

2)

The sectors in a cluster that are not occupied by the file in that cluster

26
Q

Most courts consider software write blockers to be safer than hardware write blockers.

1) True
2) False
A

2) False

27
Q

When organizing a presentation that will take the audience on a tour of an evidence trail, always take a chronological approach.

1) True
2) False
A

2) False

28
Q

How many bytes are in a kilobyte?

1)

8

2)

100

3)

1000

4)

1024

A

4) 1024

29
Q

What is the main goal of evidence preservation?

A)

To ensure that evidence makes sense to a judge or jury

B)

To ensure that evidence has not changed since it was collected

C)

To determine the admissibility of evidence

D)

To appropriately catalog evidence for long-term storage

A

B)

To ensure that evidence has not changed since it was collected

30
Q

A ________ is the same as a hash sum.

A

Answer: checksum

Computer Forensics (6 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions