Help
Options
Didn't know it?
click below
click below
Knew it?
click below
click below
Don't Know
Remaining cards (0)
Know
retry
shuffle
restart
0:00
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
Forensic mid term
quiz questions
| Term | Definition |
|---|---|
| Which of the following roles may involve computer forensics? | Private investigator, Corporate compliance professional or Law enforcement official |
| Which of the following are required to perform electronic discovery? | In-depth computer knowledge and The ability to logically dissect a computer system or network |
| When a computer forensic professional assists law enforcement in an investigation, the forensic professional is bound by the same restrictions as law enforcement personnel. | true |
| These are specifications for a secure environment, including items such as physical security requirements, network security planning details, a detailed list of approved software, and human resources policies on employee hiring and dismissal | Security Policies |
| What law requires financial institutions to ensure the security and confidentiality of the personal information they collect, such as names, addresses, phone numbers, income, and Social Security numbers? | Gramm-Leach-Bliley (GLB) Act |
| Which of the following is most likely to hire a computer forensic professional to gather computer evidence of possible fraud in accident, arson, and workman’s compensation cases? | Insurance companies |
| Prosecuting attorneys should have training on electronic discovery and digital data, and how to properly present computer evidence in a court of law. | Social engineering |
| Many states have laws that require businesses to protect sensitive personal and financial data, and to report data breaches. | true |
| Although each organization is different, security measures and security policies are always the same | flase |
| Information stored on devices such as hard disks and USB flash drives is ___________, which means it persists intact when such a device is powered off (and sometimes even after erasure). (one word, or two words separated by a dash | nonvolatile |
| Mobile devices generally use flash memory instead of a hard drive for storage to keep them as light and small as possible. | false |
| What device tends to offer the highest data capacity? | External hard drive |
| A _____________ is a USB device that intercepts, records, and stores everything typed on a keyboard into a file. This includes all keystrokes, even passwords. | keylogger |
| Which of the following is a wireless interface standard? | Bluetooth |
| The most common Microsoft systems a computer forensic investigator will encounter today are Windows XP, Windows Vista, and Windows 7. | true |
| Which operating systems are based on Unix? (Choose all that apply.) | Mac OS X and Linux |
| This is the process of tracking users and their actions on a network and its component systems. | Auditing |
| A corporate employer may consent to a search of an employee’s computer and peripherals if the employer has common authority over the equipment. | true |
| A computer forensic examiner is qualified to do all of the following except which one? | Determine the outcome of a court case |
| Fingerprints are an example of which type of evidence? | Real |
| A handwritten note is an example of which types of evidence? (Choose all that apply.) | Real and Documentary |
| Whenever you introduce documentary evidence, you must introduce an original document, not a copy. This is called the ________ rule. | best evidence |
| A company that suffered a security breach refuses to hand over computer evidence because of the possibility of additional sensitive information being leaked. Which of the following search and seizure methods is most appropriate to engage? | Subpoena |
| An independent computer forensic investigator can execute a search warrant. | false |
| Taking photos of real evidence is part of the chain of custody. | true |
| You are completing a chain of custody for seizing a hard drive. Which of the following steps is out of order? | Mount the drive in read-only mode. |
| The courts apply two basic standards to all evidence. Any evidence you want to use in a court case must be ________ and admissible. | unchanged |
| Most courts consider software write blockers to be safer than hardware write blockers. | false |
| Which of the following is not a technique for ensuring the admissibility of evidence in court? | Obtain a search warrant even when a client surrenders evidence voluntarily. |
| When you enter a crime scene, document the scene by taking photographs, drawing sketches, and writing descriptions of what you see. The photos, drawings, and notes form the initial __________. | site survey |
| Removable or external media generally contain intentionally archived and/or transient files. | true |
| __________ evidence cannot stand on its own and must be authenticated. | Documentary |
| What is the main goal of evidence preservation? | To ensure that evidence has not changed since it was collected |
| Shutting a system down prevents entries from being written to activity log files and preserves the state of the evidence. | False |
| You left the PDA powered on in its charger while stored. While testifying as an expert witness in court, you are asked if the data in the PDA has changed. You should truthfully answer "Yes." | true |
| You need to perform a drive integrity check. You use a forensic tool to calculate a hash value. Which of the following might you end up with? (Choose all that apply.) | MD5 and SHA-1 |
| You must often find specific keywords or phrases that appear in large numbers of files. Which tool should you use? | Searching tool |
| When organizing a presentation that will take the audience on a tour of an evidence trail, always take a chronological approach. | False |
| A ________ is the same as a hash sum. | checksum |
| __________ is the process of creating a complete copy of a disk drive where the disk is copied sector-by-sector | imaging |
| Because of the nature of non-volatile data, it should always be collected first to minimize corruption or loss. | false |
| What are advantages to using solid-state drives for storing collected forensic data? | Fewer failures, Faster access times |
| The ________ command lets you see where a network packet is being sent and received in addition to all the places it goes along the way to its destination. | traceroute, tracert |
| A ___________ backup (also known as a mirror image or evidence grade backup) is used to create an exact replica of a storage device. | bit stream, bitstream |
| Host protected areas (HPAs) are created specifically to allow manufacturers to hide diagnostic and recovery tools. | True |
| A forensic tool, such as Paraben Device Seizure, enables you to acquire which of the following types of data from a portable device? (Choose all that apply.) | Text message history, Deleted text messages, Phonebook and Call history |
| Which of the following items should you document when you examine a PC and make an image of its drive or memory contents? (Choose all that apply.) | System date and time from the BIOS, Drive parameters and boot order and System serial numbers |
| Which of the following tools creates a VMware virtual machine from a physical disk or raw disk image? | Live View |
| Mobile devices may contain several kinds of memory, including volatile and nonvolatile memory, such as flash. | true |
| WinHex is a Windows-based universal ___________ editor and disk management utility | hexadecimal, hex |
| Which of the following tools is not strictly a forensic tool, but it does provide the ability to create disk copies that are almost exact copies of the original? | Norton Ghost |
| You can compress and split drive images for efficient storage. | True |
| Which of the following tools runs only on Windows and allows you to capture a disk image over a network without being physically connected to a suspect computer? | ProDiscover |
| Which open source toolkit provides collections of tools, such as file system tools, volume system tools, image file tools, disk tools, and other tools? | The Sleuth Kit (TSK) |
| Which of the following tools run in Linux? (Choose all that apply.) | dd, FTK Imager and SMART |
| Which of the following was originally developed by SANS as a toolkit for students in the SANS Computer Forensic Investigations and Incident Response course? | False |
| The main advantage to using software (versus hardware) to acquire data images is increased speed | false |
| __________, by Guidance Software, runs on Windows workstation and server operating systems, and is one of the most complete forensic suites available. | EnCase |
| Which of the following is not a type of computer connector? | IDS |
| Web browsers cache web pages that the user visited recently. This cached data is referred to as a temporary Internet file, and it is stored in a folder on the user’s hard drive. | true |
| An e-mail header can have more than one Received field. | true |
| A ________________ systematically tries every conceivable combination until a password is found, or until all possible combinations have been exhausted | Brute force |
| ______________ is a technique that uses a filter to analyze both the header and the contents of a datagram, usually referred to as the packet payload. | Signature analysis, Signature |
| Metadata is a data component that describes other data. In other words, it’s data about data. | True |
| A criminal can conceal data in hidden disk partitions. | true |
| On a Windows 7 computer, what is the name of the feature that stores user names, passwords, and other credentials? | Credential Manager |
| In Linux, which directory holds the security logs? | /Var/Log/ |
| Suspects can hide data in which of the following locations? | White space in documents, Behind graphics in documents and Host protected areas (HPAs) on drives |
| _________ is the process of translating an encrypted message back into the original unencrypted message. | Decrypt |
| Which of the following security principles assures that a message originated from the stated source? | Nonrepudiation |
| Which of the following uses the same value to encrypt and decrypt text? | Private key algorithm |
| The biggest difference between cracking passwords and cracking encryption keys is that cracking passwords is usually much harder and takes far longer. | False |
| A _________ algorithm uses one key to encrypt plaintext and another key to decrypt ciphertext. | public key, public-key |
| A key that is 4 bits in length can represent how many different key values? Hint: 2^4 | 16 |
| A ______________ attack decrypts a file characterized by comparing ciphertext to a plaintext message you chose and encrypted. | Chosen Plaintext Attack, Chosen Plaintext, Plaintext Attack, Plaintext |
| Of the following symmetric encryption algorithms, which one latest and strongest standard adopted by the U.S. government, with key sizes of 128, 192, or 256 bits? | Advanced Encryption Standard (AES) |
| BONUS: who designed the Blowfish cipher? | Bruce Schneier, Schneier |
| Social engineering can be an effective method of obtaining a password. | false |
| BONUS: A valid definition of digital evidence is | Digital data of probative value |
| BONUS: Computers can be involved in which of the following types of crime? | All of the above |
| BONUS: A logon record tells us that, at a specific time: | The account was used to log into the system |
| BONUS: The criminological principle which states that, when anyone, or anything, enters a crime scene he/she takes something of the scene with him/her, and leaves something of himself/herself behind, is: | Locard’s Exchange Principle |
| Which of the following issues is NOT one that a forensic examiner faces when dealing with Windows-based media? | The facility in the standard Windows environment for mounting a hard drive as Read-Only |
| Forensically acceptable alternatives to using a Windows Evidence Acquisition Boot Disk include all but which of the following? | Booting into safe mode |
| The standard Windows environment supports all of the following file systems EXCEPT | ext2 |
| Before evidentiary media is “acquired,” forensic examiners often ________ the media to make sure it contains data relevant to the investigation. | Preview |
| Media can be accessed for examination either ________ or ________ | Logically or Physically |
| Which of the following software tools is NOT used for data recovery? | Safeback |
| You find the following deleted file on a floppy disk. How many clusters does this file occupy? Name .Ext ID Size Date Time Cluster 76 A R S H D V _REENF~1 DOC Erased 19968 5-08-03 2:34 pm 275 A ---- | 39 19968/512 |
| Log files are used by the forensic examiner to __________. | Associate system events with specific user accounts |
| The Windows NT Event log Appevent.evt: | Contains a log of application usage |
| Unlike the standard DOS/Windows environments, the UNIX environment has the capability of _______________, thereby preventing the contents of evidentiary media from being changed. | Mounting storage media as Read-Only |
| What is the most efficient method for a forensic examiner to confirm whether a particular tool or methodology works in a forensically acceptable manner? | Test the tool under controlled conditions |
| _______, which is part of the standard Linux distribution, can be used to make a bitstream copy of evidentiary media to either image files or sterile media. | dd |
| The Coroner’s Toolkit and The Sleuth Kit are examples of open source _________. | Forensic examination tools |
| One of the most common web browsers on UNIX systems is: | FireFox |
| grep is a standard Linux tool that searches a specified file or region for a specified string. | True |
| UNIX convention of “piping” the results of one command into another is a serious limitation and is detrimental to using the UNIX platform for forensic examinations. | False |
| Most data-carving tools operate on the assumption that the operating system generally tries to save data in contiguous sectors. | true |
| UNIX log files (or those of any operating system, for that matter) can provide a great deal of useful information to the examiner. | true |
| Windows evidentiary media must be acquired and examined with Windows-based examination software. | false |
| In the Windows environment, simply opening a file to read, without writing it back to disk, can change the date-time stamp. | true |
| The most common approach to salvaging deleted data on Macintosh systems is to | Use file carving techniques |
| On Mac OS X, when a file is deleted, it is copied to the: | .Trash folder |
| Recently accessed files and applications are listed in: | com.apple.TextEdit.plist |
| The default browser used on Mac OS X is: | Safari |
| The folder ~/Library/Mail Downloads contains: | E-mail attachments that have been opened |
| All “.plist” files are in plaintext. | False |
| Examination of a Mac computer must be done manually – no automated tools exist. | False |
| Macintosh disks can only be examined on a Macintosh system. | False |
| By default, when Mac OS X boots up, it will attempt to mount an evidence disk. | True |
| Which of the following is NOT one of the methods mobile devices use to communicate? | FDDI |
| One of the dangers (from a forensic standpoint) of mobile devices is: | Connected networks can enable offenders to delete data remotely. |
| One of the difficulties unique to forensic processing of mobile devices is: | An investigator must make a calculated decision to either prevent or allow the device to receive new data over wireless networks. |
| Which of the following are methods for preserving mobile devices by isolating them from the networks? | RF-shielded pouch |
| Why is it important to collect charging cables when seizing mobile devices? | Mobile device batteries have a limited charge life span, and the device will need a charger to maintain the battery until the device can be processed. |
| Which of the following is NOT one of the currently available methods for extracting data from mobile devices? | Connecting the communication port directly to an output device such as a printer |
| Forensic examiners should be aware that a mobile device with a blank or broken display: | May only indicate that the screen is damaged and it may still be possible to extract data |
| The IEEE standard that specifies a standardized interface for testing integrated circuits, interconnections between components, and a means of observing and modifying circuit activity during a component’s operation is: | JTAG |
| Since mobile devices consist of a CPU, memory, storage, and software, the same as traditional computers, they are processed in exactly the same way. | False |
| One drawback of mobile device examination is that when a user deletes data on a mobile device that data is never recoverable. | false |
Created by:
1001783742