Computer forensics – 2nd half – quiz 9 – Flashcards
Unlock all answers in this set
Unlock answersquestion
Because attorneys do not have the right of full discovery of digital evidence, it is not possible for new evidence to come to light while complying with a defense request for full discovery.? t/f
answer
false
question
One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is essential for presenting evidence in court.? t/f
answer
true
question
The advantage of recording hash values is that you can determine whether data has changed.? t/f
answer
true
question
In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant.? t/f
answer
false
question
Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing speci?c ?les or sectors. ? t/f
answer
true
question
What format below is used for VMware images? a. .vhd b. .vmdk c. .s01 d. .aff
answer
b
question
?In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters? a. ?NTFS b. ?FAT c. ?HFSX d. ?Ext3fs
answer
b
question
Which password recovery method uses every possible letter, number, and character found on a keyboard?? a. ?rainbow table b. ?dictionary attack c. ?hybrid attack d. ?brute-force attack
answer
d
question
The goal of recovering as much information as possible can result in ________________, in which an investigation expands beyond the original description because of unexpected evidence found.? a. ?litigation b. ?scope creep c. ?criminal charges d. ?violations
answer
b
question
Which of the following file systems can't be analyzed by OSForensics? a. ?FAT12 b. Ext2fs c. ?HFS+ d. ?XFS
answer
d
question
?In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer. a. ?format b. ?fdisk c. ?grub d. ?diskpart
answer
d
question
?Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords: a. ?Last Bit b. ?AccessData PRTK c. ?OSForensics d. ?Passware
answer
c
question
?Within Windows Vista and later, partition gaps are _____________ bytes in length. a. ?64 b. ?128 c. ?256 d. ?512
answer
b
question
Which option below is not a disk management tool?? a. Partition Magic? b. ?Partition Master c. ?GRUB d. ?HexEdit
answer
d
question
Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its malicious code from antivirus tools.? a. ?hashing b. ?bit-shifting c. ?registry edits d. ?slack space
answer
b
question
A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to secure the information contained inside.? a. ?compiler b. shifter c. ?macro d. ?script
answer
c
question
What letter should be typed into DiskEdit in order to mark a good sector as bad?? a. ?M b. ?B c. ?T d. ?D
answer
b
question
Many commercial encryption programs use a technology called _____________, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.? a. ?key vault b. ?key escrow c. ?bump key d. ?master key
answer
b
question
What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords?? a. salted passwords b. ?scrambled passwords c. ?indexed passwords d. master passwords
answer
a
question
When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented?? a. ?Inventory and documentation information should be stored on a drive and then the drive should be reformatted. b. ?Start the suspect's computer and begin collecting evidence. c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.? d. ?Connect the suspect's computer to the local network so that up to date forensics utilities can be utilized.
answer
c
question
?In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely. a. ?keygrabber b. ?keylogger c. ?packet capture d. ?protocol analyzer
answer
b
question
The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to filter known program files from view and contains the hash values of known illegal files.? a. ?DeepScan Filter b. Unknown File Filter (UFF) c. ?Known File Filter (KFF) d. ?FTK Hash Imager
answer
c
question
The term for detecting and analyzing steganography files is _________________.? a. ?carving b. ?steganology c. ?steganalysis d. ?steganomics
answer
c
question
A ____________ image file containing software is intended to be bit-stream copied to floppy disks or other external media.? a. ?fdisk b. ?format c. ?dd d. ?DiskEdit
answer
c
question
The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but does not list hash values of known illegal files.? a. ?Open Hash Database b. ?HashKeeper Online c. ?National Hashed Software Referenced. d. National Software Reference Library
answer
d