Digital Forensics Midterm Ch. 2-8 Okstate 2015 – Flashcards
Unlock all answers in this set
Unlock answersquestion
Linux Live CDs and WinFE disks do not automatically mount hard drives, but can be used to file systems.
answer
True
question
The shielding of sensitive computing systems and prevention of electronic eavesdropping of any computer emission is known as FAUST by the U.S. Department of Defense
answer
FALSE
question
The recording of all updates made to a workstation or a machine is referred to as configuration management
answer
TRUE
question
A disaster recovery plan ensures that workstation and file servers can be restored to their original condition in the event of a catastrophe
answer
TRUE
question
Because they are outdated, ribbon cables should not be considered for use within a forensics lab
answer
FALSE
question
Candidates who complete the IACIS test successfully are designated as a certified forensics computer examiner
answer
TRUE
question
What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigation?
answer
Certified Cyber Forensics Professional
question
How long are computing components designed to last in a normal business environment?
answer
18-36 months
question
Which of the following scenarios should be covered in a disaster recovery plan?
answer
All of the above
question
Which operating system listed below is not a distribution of the Linux OS?
answer
Minix
question
describes the characteristics of a safe storage container
answer
NISPOM
question
In order to qualify for the CCFT basic level certification, how many hours of computer forensics training are required?
answer
40
question
Which file system below is utilized by the Xbox gaming system?
answer
FATX
question
What ISO standard below is followed by the ASCLD?
answer
ISO17025:2005
question
is responsible for creating and monitoring lab policies for staff, and provides a safe and secure workplace for staff and evidence.
answer
The lab manager
question
What percentage of consumers utilize Intel and AMD PCs?
answer
90%
question
can be used to restore backup files directly to a workstation.
answer
Norton Ghost
question
How often should hardware be replace within a forensics lab?
answer
12-18 months
question
A TEMPEST facility is designed to accomplish which of the following goals?
answer
Shield sensitive computing systems and prevent electronic eavesdropping of computer emissions
question
20. In order to qualify for the advanced certified forensic technician certification, a candidate must have ____ of hands-on experience in computer forensics investigations
answer
5 years
question
21. In order to qualify for the certified computer crime investigator basic level candidates must provide documentation of at least _____ in which they participated.
answer
10 cases
question
Which tool below is not recommended for use in forensics lab?
answer
Degausser
question
Which option below is not a recommendation for securing storage containers?
answer
Rooms with evidence containers should have a secured wireless network
question
Which option below is not one of the recommended practices for maintaining a keypad padlock?
answer
Use a master key
question
is a specialized viewer software program.
answer
IrfanView
question
Hardware and software errors or incompatibilities are a common problem when dealing with older hard drives.
answer
TRUE
question
A forensic investigator should verify that acquisition tools can copy data in the HPA of a disk drive.
answer
TRUE
question
FTK Imager software can acquire a drive's host protected area.
answer
FALSE
question
The ImageUSB utility can be used to create a bootable flash drive
answer
TRUE
question
A RAID 3 array uses distributed data and distributed parity in a manner similar to a RAID 5 array
answer
TRUE
question
Which option below is not a hashing function used for validation checks?
answer
RC4
question
The Linux command _____ can be used to write bit-stream data to files.
answer
dd
question
Which option below is not a Linux Live CD meant for use as a digital forensics tool?
answer
Ubuntu
question
The _________ switch can be used with the split command to adjust the size of segmented volumes created by the dd command.
answer
-b
question
The Linux command ________ can be used to list the current disk devices connected to the computer.
answer
fdisk -1
question
The ______ command was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory. dcfldd
answer
dcfldd
question
Which RAID type utilizes mirrored stripping, providing fast access and redundancy?
answer
RAID 10
question
Within the fdisk interactive menu, what character should be entered to view existing partitions?
answer
p
question
When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files?
answer
2 GB
question
An investigator wants to capture all the data on a SATA drive connected to a Linux system. What should the investigator use for the "if=" portion of the dcfldd command?
answer
/dev/sda
question
_______ can be used with the dcfldd command to compare an image file to the original medium.
answer
vf
question
Which RAID type provides increased speed and data storage capability, but lacks redundancy?
answer
RAID 0
question
Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data?
answer
RAID 5
question
______ creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID?
answer
R-Tools R-Studio
question
_____ is the utility used by the ProDiscover program for remote access.
answer
PDServer
question
The ________ copies evidence of intrusions to an investigation workstation automatically for further analysis over the network.
answer
intrusion detection system
question
Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files?
answer
Advanced Forensics Format
question
What is the name of the Microsoft solution for whole disk encryption?
answer
BitLocker
question
Which technology below is not a hot-swappable technology?
answer
IDE
question
To create a new primary partition within the fdisk interactive utility, which letter should be typed?
answer
p
question
Computer-stored records are data the system maintains, such as a system log files and proxy server logs.
answer
TRUE
question
An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal injury, such as finding a bomb threat in an e-mail.
answer
TRUE
question
The Fourth Amendment starts the only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued. The courts have determined that this phrase means a warrant can authorize a search of specific place for anything.
answer
FALSE
question
State public disclosure laws apply to state records, but FOIA allows citizens to request copies of public documents created by federal agencies.
answer
TRUE
question
The investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant.
answer
TRUE
question
______ would not be found in an initial response field kit.
answer
Leather gloves and disposable latex gloves
question
________ is a common cause for lost or corrupted evidence.
answer
Professional curiosity
question
What does FRE stand for?
answer
Federal Rules of Evidence
question
If practical, ________ team(s) should collect and catalog digital evidence at a crime or lab.
answer
One
question
_________ is the term for a statement that is made by someone other than an actual witness to the event while terrifying at a hearing.
answer
Hearsay
question
You must abide by the ________ while collecting evidence.
answer
Fourth Amendment
question
Which of the following is not done when preparing for a case?
answer
Set up convert surveillance
question
A _______ is not a private sector organization
answer
Hospital
question
In cases that involve dangerous settings, what kind of team should be used to recover evidence from the scene?
answer
HAZMAT
question
______ are a special category of private sector businesses, due to their ability to investigate computer abuse committed by employees only, but not customers.
answer
ISPs
question
The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient
answer
Probable cause
question
Which court case established that is not necessary for computer programmers to testify in order to authenticate computer-generated records?
answer
United States v. Salgado
question
What should you do while copying data on a suspect's computer that is still live?
answer
Make notes regarding everything you do
question
The term _______ describes rooms filled with extremely large disk systems that are typically used by large business data centers
answer
Server farm
question
______ does not recover data in free or slack space.
answer
Live acquisition
question
When seizing digital evidence in criminal investigations, whose standards should be followed?
answer
U.S. DOJ
question
The term ______ is used to describe someone who might be a suspect or someone with additional knowledge that can provide evidence of probable for search warrant or arrest.
answer
Person of interest
question
What type of media has a 30-year lifespan?
answer
DLT magnetic tape
question
As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered....
answer
The decision should be left to the Digital Evidence First Responder (DEFR)
question
Which system below can be used to quickly and accurately match fingerprints in a database?
answer
Automated Fingerprint Identification System (AFIS)
question
A computer stores system configuration and date and time information in the BIOS when power to the system is off.
answer
FALSE
question
When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space.
answer
TRUE
question
Someone who wants to hide data can create hidden partitions or voids- large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.
answer
FALSE
question
FAT32 is used on older Microsoft Oss, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0.
answer
FALSE
question
Each MFT record starts with a header identifying it as a resident or nonresident attribute.
answer
TRUE
question
A typical disk drive stores how many bytes in a single sector?
answer
512
question
Most manufactures use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks?
answer
Zone Bit Recording (ZBR)
question
What hexadecimal code below identifies an NTFS file system in the partition table?
answer
07
question
When using the File Allocation Table (FAT), where is the FAT database typically written to?
answer
The outermost track
question
Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDCX), and memory sticks:
answer
exFAT
question
What term is used to describe a disk's logical structure of platters, tracks, and sectors?
answer
geometry
question
A Master Boot Record (MBR) partition table marks the first partition starting at what offset?
answer
0x1BE
question
The ___________ command inserts a HEX E5 (0xE5)in a filename's first letter position in the associated directory entry.
answer
delete
question
What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume?
answer
$LogFile
question
What command below can be used to decrypt EFS files?
answer
cipher
question
Which of the following commands creates an alternate data stream?
answer
echo text > myfile.txt:stream_name
question
What term below describes a column of tracks on two or more disk platters?
answer
cylinder
question
18. Which of the following is not a valid configuration of Unicode?
answer
UFT-64
question
What does the MFT header field at offset 0x00 contain?
answer
The MFT record identifier FILE
question
The ReFS storage engine uses a ________ sort of method for fast access to large data sets.
answer
B+-tree
question
What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive?
answer
TrueCrypt
question
The _________ branches in HKEY_LOCAL_MACHINESSoftware consist of SAM, Security, Components, and System.
answer
hive
question
What registry file contains user account management and security settings?
answer
SAM.dat
question
What registry file contains installed programs' settings and associated usernames and passwords?
answer
Software.dat
question
Addresses that allow the MFT to link to nonresident files are known as _________.
answer
logical cluster numbers
question
Software forensics tools are grouped into command-line applications and GUI applications.
answer
TRUE
question
Making a logical acquisition of a drive with whole disk encryption can result in unreadable files.
answer
FALSE
question
Physically copying the entire drive is the only type of data-copying method used in software acquisitions.
answer
FALSE
question
ISO standard 27037 states that the most important factors in data acquisitions are the DEFR's competency and the use of validated tools.
answer
TRUE
question
All forensics acquisitions tools have a method for verification of the data-copying process that compares the original drive with the image.
answer
TRUE
question
What tool below was written for MS-DOS and was commonly used for manual digital investigations?
answer
Norton DiskEdit
question
In general, what would a lightweight forensics workstation consist of?
answer
A laptop computer build into a carrying case with a small selection of peripheral options
question
In what mode do most write-blockers run?
answer
Shell mode
question
9. Reconstructing fragments of files that have been deleted from a suspect drive, is known as ______ in North America.
answer
carving
question
The ProDiscover utility makes use of the proprietary __________ file format.
answer
.eve
question
What is the purpose of the reconstruction function in a forensics investigation?
answer
Re-create a suspect's drive to show what happened during crime or incident
question
Which of the following options is not a subfunction of extraction?
answer
logical data copy
question
13. In what temporary location below might passwords be stored?
answer
pagefile.sys
question
The ______ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface
answer
Kali
question
What option below is an example of a platform specific encryption tool?
answer
BitLocker
question
What hex value is the standard indicator for jpeg graphic files?
answer
FF D8
question
Passwords are typically stored as one-way ____ rather than in plaintext.
answer
hashes
question
What program serves as the GUI front end for accessing Sleuth Kit's tools?
answer
Autopsy
question
Which of the following is stated within the ISO 27037 standard?
answer
Digital Evidence First Responders should use validated tools.
question
The physical data copy subfunction exists under the ______ function.
answer
acquisition
question
A keyword search is part of the analysis process within what forensics function?
answer
extraction
question
What algorithm is used to decompress Windows files?
answer
Lempel-Ziv
question
What is the goal of the NSRL project created by NIST?
answer
Collect known hash values for commercial software and OS files using SHA hashes.
question
When performing disk acquisition, the raw data format is typically created with UNIX/Linux ______ command.
answer
dd
question
________ proves that two sets of data are identical by calculating hash values or using another similar method.
answer
Verification
question
Linux is a certified UNIX operating system.
answer
FALSE
question
The term "kernel" is often used when discussing Linux because technically, Linux is only the core of the OS.
answer
TRUE
question
Capitalization, or lack thereof, makes no difference with UNIX and Linux commands.
answer
FALSE
question
In UNIX and Linux, everything except monitors are considered files.
answer
FALSE
question
The only pieces of metadata not in an inode are the filename and path.
answer
TRUE
question
Who is the current maintainer of the Linux kernel?
answer
Linus Torvalds
question
What file under the /etc folder contains the hasned passwords for a local system?
answer
Shadow
question
What is the minimum size of a block in UNIX/Linux filesystems?
answer
512 bytes
question
___________ contain file and directory metadata and provide a mechanism for linking data stored in data blocks.
answer
Inodes
question
On Mac OS X systems, what utility can be used to encrypt/decrypt a user's home directory?
answer
FileVault
question
____________ is a specialized carving tool that can read many image file formats, such as RAW and Expert Witness
answer
Foremost
question
What command below will create a symbolic link to a file?
answer
ln -s
question
Select below the command that can be used to display bad block information on a Linux file system, but also has the capability to destroy valuable information.
answer
badblocks
question
Adding the _____________ flag to the ls -l file command has the effect of showing all the files beginning with the "." character in addition to other files.
answer
-a
question
What type of block does a UNIX/Linux computers only have one of?
answer
boot block
question
What information below is not included within the inode?
answer
The file's or directory's path
question
A hash that begins with "$6" in the shadow file indicates that it is a hash from what hashing algorithm?
answer
SHA-512
question
As part of a forensics investigation, you need to recover the logon and logoff history information on a Linux based OS. Where can this information be found?
answer
/var/log/wtmp
question
The ___________ command can be used to see network interfaces.
answer
ifconfig
question
The Mac OS reduces file fragmentation by using ____________
answer
clumps
question
What file is used to store any file information that is not in the MDV or a VCB?
answer
extents overflow file
question
In a B*-tree file system, what node stores link information to previous and next nodes?
answer
index node
question
Where is the root user's home directory located on a Mac OS X file system?
answer
/private/var/root
question
Within the /etc/shadow file, what field contains the password hash for a user account if one exists?
answer
2nd field
question
Id a file has 510 bytes of data, what is byte 510?
answer
The logical EOF
question
How many bits are required to create a pixel capable of displaying 65,536 different colors?
answer
16 bits
question
Which of the following is not considered to be a non-standard graphics file format?
answer
.dxf
question
All TIF files start at offset 0 with what 6 hexadecimal characters?
answer
49 49 2A
question
What kind of graphics file combines bitmap and vector graphics types?
answer
metafile
question
The process of converting raw picture data to another format is called _______.
answer
demosaicing
question
6) What format was developed as a standard for storing metadata in image files?
answer
exif
question
Which of the following formats is not considered to be a standard graphics file format?
answer
tga
question
Select below the utility that is not a lossless compression utility:
answer
Lzip
question
In simple terms, _________ compression discards bits in much the same way rounding off decimal values discards numbers.
answer
Vector Quantization
question
What file type starts at offset 0 with a hexadecimal value of FFD8?
answer
jpeg
question
How many different colors can be displayed by a 24 bit colored pixel?
answer
16,777,216
question
The ____________ format is a proprietary format used by Adobe Photoshop.
answer
.psd
question
For EXIF JPEG files, the hexadecimal value starting at offset 2 is ________.
answer
FFE1
question
Referred to as a digital negative, the _________ is typically used on many higher-end digital cameras.
answer
raw file format
question
The Lemple-Ziv-Welch (LZW) algorithm is used in __________ compression.
answer
lossless
question
For all JPEG files, the ending hexadecimal marker, also known as the end of image (EOI), is _________.
answer
FFD9
question
Which graphics file format below is rarely compressed?
answer
BMP
question
When looking at a byte of information in binary, such as 11101100, what is the first bit on the left referred to as?
answer
most significant bit (MSB)
question
What act defines precisely how copyright laws pertain to graphics?
answer
1976 Copyright Act
question
Which of the following is not a type of graphic file that is created by a graphics program?
answer
raster graphics
question
The first 3 bytes of an XIF file are exactly the same as a TIF file.
answer
TRUE
question
Graphics files are created and saved in a graphics editor, such as Microsoft Paint, Adobe Freehand MX, Adobe Photoshop, or Gnome GIMP.
answer
TRUE
question
Most digital cameras use the bitmap format to store photos.
answer
FALSE
question
When you decompress data that uses a lossy compression algorithm, you regain data lost by compression.
answer
FALSE
question
Each graphics file type has a unique header value.
answer
TRUE
