Test 3

Question 1

Which of the following tools runs only on Windows and allows you to capture a disk image over a network without being physically connected to a suspect computer?

A)

ProDiscover

B)

dd

C)

DriveSpy

D)

Norton Ghost

Answer 1

A)

ProDiscover

Question 2

BONUS: A forensic crime scene processing kit should contain quantities of those items used to process computer equipment.

1) True
2) False

Answer 2

1) True

Question 3

Which of the following is NOT an artifact that will be irrevocably lost if the computer is shut down?

1)

Running processes

2)

Open network ports

3)

Data stored in memory

4)

System date and time

Answer 3

4)

System date and time

Question 4

The ________ command lets you see where a network packet is being sent and received in addition to all the places it goes along the way to its destination.

Answer 4

traceroute, tracert

Question 5

__________, by Guidance Software, runs on Windows workstation and server operating systems, and is one of the most complete forensic suites available.

Answer 5

(EnCase)

Question 6

BONUS: The forensic crime scene processing kit should include all of the following, EXCEPT:

1)

Evidence bags, tags, and other items to label and package evidence

2)

Forensically sanitized hard drives to store acquired data

3)

Compilers for developing forensic tools on site

4)

Hardware write blockers

Answer 6

3)

Compilers for developing forensic tools on site

Question 7

What are advantages to using solid-state drives for storing collected forensic data?

A)

Less expensive than electromechanical disks

B)

Fewer failures

C)

Higher disk capacities

D)

Faster access times

Answer 7

B)

Fewer failures

D)

Faster access times

Question 8

Which of the following tools creates a VMware virtual machine from a physical disk or raw disk image?

A)

Live View

B)

WinHex

C)

Java Virtual View

D)

Netstat

Answer 8

Correct Answer
A)

Live View

Question 9

In regard to preservation, in a child pornography investigation, which of the following should be collected?

1)

Photographs

2)

Papers

3)

Digital cameras

4)

All of the above

Answer 9

4)

All of the above

Question 10

Chain of custody documents record who handled the evidence, when, where, and for what purpose.

1) True
2) False

Answer 10

1) True

Question 11

The _____________ documentation specifies who handled the evidence, when, where, and for what purpose.

1)

Evidence inventory

2)

Chain of custody

3)

Evidence intake

4)

Preservation notes

Answer 11

2)

Chain of custody

Question 12

Mobile devices may contain several kinds of memory, including volatile and nonvolatile memory, such as flash.

A) True
B) False

Answer 12

A) True

Question 13

“dd” is the only way to make a bitstream copy.

1) True
2) False

Answer 13

1) True

Question 14

BONUS: Since computer seizures usually happen pretty much the same way, there is no real need to do any pre-planning.

1) True
2) False

Answer 14

2) False

Question 15

BONUS: If possible, prior to entering a crime scene, it is useful to try and determine what kind of computer equipment to expect.

1) True
2) False

Answer 15

1) True

Question 16

Which of the following tools is not strictly a forensic tool, but it does provide the ability to create disk copies that are almost exact copies of the original?

A)

ProDiscover

B)

dd

C)

DriveSpy

D)

Norton Ghost

Answer 16

D)

Norton Ghost

Question 17

The main advantage to using software (versus hardware) to acquire data images is increased speed.

A) True
B) False

Answer 17

B) False

Question 18

A forensic tool, such as Paraben Device Seizure, enables you to acquire which of the following types of data from a portable device? (Choose all that apply.)

A)

Text message history

B)

Deleted text messages

C)

Phonebook

D)

Call history

Answer 18

A)

Text message history

B)

Deleted text messages

C)

Phonebook

D)

Call history

Question 19

Which of the following items should you document when you examine a PC and make an image of its drive or memory contents? (Choose all that apply.)

A)

System date and time from the BIOS

B)

Drive parameters and boot order

C)

System serial numbers

D)

A and C only

Answer 19

A)

System date and time from the BIOS

B)

Drive parameters and boot order

C)

System serial numbers

Question 20

Which open source toolkit provides collections of tools, such as file system tools, volume system tools, image file tools, disk tools, and other tools?

A)

Forensic Toolkit (FTK)

B)

The Sleuth Kit (TSK)

C)

SIFT

D)

SMART

Answer 20

B)

The Sleuth Kit (TSK)

Question 21

Which of the following was originally developed by SANS as a toolkit for students in the SANS Computer Forensic Investigations and Incident Response course?

A)

SIFT

B)

SMART

C)

NetAnalysis

D)

TSK

Answer 21

A)

SIFT

Question 22

Because of the nature of non-volatile data, it should always be collected first to minimize corruption or loss.

A) True
B) False

Answer 22

B) False

Question 23

WinHex is a Windows-based universal ___________ editor and disk management utility.

Answer 23

___Hex___

Question 24

You can compress and split drive images for efficient storage.

A) True
B) False

Answer 24

A) True

Question 25

Host protected areas (HPAs) are created specifically to allow manufacturers to hide diagnostic and recovery tools.

A) True
B) False

Answer 25

A) True

Question 26

__________ is the process of creating a complete copy of a disk drive where the disk is copied sector-by-sector.

Answer 26

Imaging

Question 27

A ___________ backup (also known as a mirror image or evidence grade backup) is used to create an exact replica of a storage device.

Answer 27

bit stream, bitstream