Chapters 1-7
Quiz yourself by thinking what should be in
each of the black spaces below before clicking
on it to display the answer.
Help!
|
|
||||
|---|---|---|---|---|---|
| 1. List two organizations mentioned in the chapter that provide computer forensics training. | show 🗑
|
||||
| show | False
🗑
|
||||
| show | Fourth Amendment
🗑
|
||||
| 4. The triad of computing security includes which of the following? | show 🗑
|
||||
| show | Internet Pornagraphy, Espianage, Abuse of Internet Properties.
🗑
|
||||
| 6. A corporate investigator must follow Fourth Amendment standards when conducting an investigation. True or False? | show 🗑
|
||||
| show | when a civillian or corporate investigative agent delivers evidence to a law enforcement agenttheir job is to minimize risk to the company
🗑
|
||||
| 8. Policies can address rules for which of the following? | show 🗑
|
||||
| show | A.) Access to this system and Network are Restricted
B.) Use of this System and Network is for Official use Only.
🗑
|
||||
| show | True. They are easier to present in a trial.
🗑
|
||||
| 11. A corporate investigator is considered an agent of law enforcement. True or False? | show 🗑
|
||||
| show | E-mail Abuse and Internet Abuse.
🗑
|
||||
| 13. What is professional conduct and why is it important? | show 🗑
|
||||
| show | True.
🗑
|
||||
| show | Can help remembering certain tasks or issues and what types of tools software or hardware you used for a particular problem.
🗑
|
||||
| show | ILook is an all-in-one computer forensics suite originally created by Elliot Spencer and currently maintained by the U.S. Department of Treasury Internal Revenue Service Criminal Investigation Division (IRS-CI) Electronic Crimes Program. It was made avail
🗑
|
||||
| 17. The U.S. ______________ maintains a manual on procedures to follow for search and seizure of computers. | show 🗑
|
||||
| 18. Laws and procedures for PDAs are which of the following? a. well established b. still being debated c. on the law books d. none of the above | show 🗑
|
||||
| show | To avoid conflicts and competions between departments and limits who is authorized to request an investigation. Authorized requster
🗑
|
||||
| What is the purpose of an Affidavit? | show 🗑
|
||||
| show | Exhibits (evidence) Notarized Verdict.
🗑
|
||||
| show | chapt 2
🗑
|
||||
| 1. What are some initial assessments you should make for a computing investigation? | show 🗑
|
||||
| show | Identify the Risk; find out what OS to work with and which types of hardware or software and tools to use and security measures.
🗑
|
||||
| 3. List three items that should be on an evidence custody form. | show 🗑
|
||||
| 4. Why should you do a standard risk assessment to prepare for an investigation? | show 🗑
|
||||
| 5. You should always prove the allegations made by the person who hired you. True or False? | show 🗑
|
||||
| show | True. refer to pg36
🗑
|
||||
| show | Only investigators in the group.
🗑
|
||||
| 8. For employee termination cases, what types of investigations do you typically encounter? | show 🗑
|
||||
| show | If you just start windows without anaylizing a hard disk by writing data to the recycling bin it currupts the quality and integrity of eveidence
🗑
|
||||
| show | Resources needed such as tools hardware software example: deleted files email standard risk assesments
🗑
|
||||
| show | Self evaluationfor growth and improved identity secessful decisions, how you could have improved.
🗑
|
||||
| 12. What do you call a list of people who have had physical possession of the evidence? | show 🗑
|
||||
| show | Documentations of items the investigating officers collected with computer to include list of storage media, i.e. removable disk photographs of equipments and windows before they are such down.
🗑
|
||||
| show | Disgruntled employee, embarrass management power struggle between corporations premature release of info on new products
🗑
|
||||
| show | An interrigation is trying to get a suspect to confess. An interview is getting info from a witness. Sometimes a witness in questioning might lose their credibility and turns into a suspect
🗑
|
||||
| 16. What is the most important point to remember when assigned to work on an attorney-client privilege case? | show 🗑
|
||||
| 17. What are the basic guidelines when working on an attorney-client privilege case? | show 🗑
|
||||
| show | False refer to pg. 20
🗑
|
||||
| show | chapter 3
🗑
|
||||
| show | True
🗑
|
||||
| 2. Building a business case can involve which of the following? | show 🗑
|
||||
| 3. The ASCLD mandates the procedures established for a computer forensics lab. True or False? | show 🗑
|
||||
| 4. The manager of a computer forensics lab is responsible for which of the following? (Choose all that apply.) a. necessary changes in lab procedures and software b. ensuring that staff members have sufficient training to do the job c. knowing the lab | show 🗑
|
||||
| show | Uniform Crime Report statistics for your area and a list of cases handled in your area or at your company
🗑
|
||||
| show | physical security items, such as evidence lockers; how many machines are needed; what OSs your lab commonly examines; why you need certain software; and how your lab will benefit the company (such as being able to quickly exonerate employees or discover w
🗑
|
||||
| show | IACIS, HTCN, EnCE refer to pg 76
🗑
|
||||
| 8. The National Cybercrime Training Partnership is available only to law enforcement. True or False? | show 🗑
|
||||
| 9. Why is physical security so critical for computer forensics labs? | show 🗑
|
||||
| 10. If a visitor to your computer forensics lab is a personal friend, it’s not necessary to have him or her sign the visitor’s log. True or False? | show 🗑
|
||||
| show | requirements, cost, and acceptability in your chosen area of employment
🗑
|
||||
| show | two
🗑
|
||||
| 13. Typically, a(n) ____________ lab has a separate storage area or room for evidence. | show 🗑
|
||||
| show | False refer to pg 84
🗑
|
||||
| show | False refer to page 80,81
🗑
|
||||
| 16. Putting out fires in a computer lab typically requires a _______ rated fire extinguisher. | show 🗑
|
||||
| show | False refer to pg.84
🗑
|
||||
| 18. Which organization provides good information on safe storage containers? | show 🗑
|
||||
| 19. Which organization has guidelines on how to operate a computer forensics lab? | show 🗑
|
||||
| show | TEMPEST refer to pg. 80
🗑
|
||||
| show | chapter 4
🗑
|
||||
| 1. What is the primary goal of a static acquisition? | show 🗑
|
||||
| 2. Name the three formats for computer forensics data acquisitions. | show 🗑
|
||||
| 3. What are two advantages and disadvantages of the raw format? | show 🗑
|
||||
| show | Can compress or not compress the acquisition data; can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD; case metadata can be added to the acquisition file, eliminating the need to keep track of any addition
🗑
|
||||
| 5. Of all the proprietary formats, which one is the unofficial standard? | show 🗑
|
||||
| 6. Name two commercial tools that can make a forensic sector-by-sector duplicate of a drive to a larger drive. | show 🗑
|
||||
| show | only specific files of interest to the case
🗑
|
||||
| show | fragments of unallocated data in addition to the logical allocated data
🗑
|
||||
| 9. What should you consider when determining which data acquisition method to use? | show 🗑
|
||||
| 10. What is the advantage of using a tape backup system for forensic acquisitions of large data sets? | show 🗑
|
||||
| 11. When is a standard data backup tool, such as Norton Ghost, used for a computing investigation? | show 🗑
|
||||
| show | to ensure at least one good copy of the forensically collected data in case of any failures
🗑
|
||||
| show | determining whether there’s sufficient electrical power and lighting and checking the temperature and humidity at the location
🗑
|
||||
| show | If the target drive is an external USB drive, the write-protect feature prevents data from being written to it.
🗑
|
||||
| 15. With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB thumb drive, containing evidence? | show 🗑
|
||||
| show | Wrong. This command reads the image_file.img file and writes it to the evidence drive’s /dev/hda1 partition. The correct command is dcfldd if=/dev/hda1 of=image_file.img.
🗑
|
||||
| show | validation
🗑
|
||||
| 18. What is a hashing algorithm? | show 🗑
|
||||
| 19. Which hashing algorithm utilities can be run from a Linux shell prompt? | show 🗑
|
||||
| 20. In the Linux dcfldd command, which three options are used for validating data? | show 🗑
|
||||
| show | 2 GB (a limitation of FAT file systems)
🗑
|
||||
| show | ) amount of data storage needed. 2) the type of RAID server (0, 1, 5, etc.) 3) whether your acquisition tool can handle RAID acquisitions. 4) whether your analysis tool can handle RAID data 5) whether your analysis tool can split RAID data into separate d
🗑
|
||||
| 23. R-Studio and DiskExplorer are used primarily for computer forensics. True or False? | show 🗑
|
||||
| 24. With remote acquisitions, what problems should you be aware of? | show 🗑
|
||||
| show | ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect’s workstation.
🗑
|
||||
| 25. How does ProDiscover Investigator encrypt the connection between the examiner’s and suspect’s computers? | show 🗑
|
||||
| 26. What is the EnCase Enterprise remote access program? | show 🗑
|
||||
| show | PDServer
🗑
|
||||
| show | DiskExplorer for NTFS or DiskExplorer for FAT
🗑
|
||||
| 29. HDHost is automatically encrypted when connected to another computer. True or False? | show 🗑
|
||||
| 30. List the two types of connections in HDHost.. | show 🗑
|
||||
| show | EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response
🗑
|
||||
| 32. EnCase, FTK, SMART, and iLook treat the image file as though it were the original disk. True or False? | show 🗑
|
||||
| 33. When possible, you should make two copies of evidence. True or False? | show 🗑
|
||||
| show | False look up pg.
🗑
|
||||
| show | a. Most companies keep inventory databases of all hardware and software used.
🗑
|
||||
| show | True look up pg.
🗑
|
||||
| show | True look up pgs.
🗑
|
||||
| show | a. You begin to take orders from a police detective without a warrant or subpoena.
b. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.
🗑
|
||||
| show | False look up pgs.
🗑
|
||||
| 6. If a suspect computer is located in an area that might have toxic chemicals, you must do which of the following? (Choose all that apply.) | show 🗑
|
||||
| show | It can’t be predicted, no two files can have the same hash value, and if the file changes, the hash value changes.
🗑
|
||||
| 8. In forensic hashes, a collision occurs when ____________________. | show 🗑
|
||||
| show | REFER TO REVIEW PGS. Small computer toolkit, large-capacity drive, IDE ribbon cables, forensic boot media, laptop IDE 40-to-44 pin adapter, laptop or portable computer, FireWire or USB dual write-protect external bay, flashlight, digital camera or 35mm ca
🗑
|
||||
| show | to minimize how much you have to keep track of at the scene
🗑
|
||||
| 11. Computer peripherals or attachments can contain DNA evidence. True or False? | show 🗑
|
||||
| 12. If a suspect computer is running Windows 2000, which of the following can you perform safely? | show 🗑
|
||||
| show | Computers, cable connections, overview of scene—anything that might be of interest to the investigation
🗑
|
||||
| 14. Which of the following techniques might be used in covert surveillance? | show 🗑
|
||||
| show | sensitive corporate information being mixed with data collected as evidence
🗑
|
||||
| 16. Identify two hashing algorithms commonly used for forensic purposes. | show 🗑
|
||||
| show | False look up pgs
🗑
|
||||
| 18. If a company doesn’t distribute a computing use policy stating an employer’s right to inspect employees’ computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False? | show 🗑
|
||||
| 19. You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you? | show 🗑
|
||||
| 20. You should always answer questions from onlookers at a crime scene. True or False? | show 🗑
|
||||
| show | chapter 6
🗑
|
||||
| 1. In DOS and Windows 9.x, Io.sys is the first file loaded after the ROM bootstrap loader finds the disk. True or | show 🗑
|
||||
| show | b. 512 refer to review sheet
🗑
|
||||
| show | cylinders, heads, sectors
🗑
|
||||
| 4. Zoned bit recording is how manufacturers ensure that the outer tracks store as much data as possible. True or False? | show 🗑
|
||||
| 5. Areal density refers to which of the following? | show 🗑
|
||||
| 6. Clusters in Windows always begin numbering at what number? | show 🗑
|
||||
| show | a. 1:1 refer to review sheets
🗑
|
||||
| show | file and directory names, starting cluster numbers, file attributes, and date and time stamps
🗑
|
||||
| show | a. FAT12
b. FAT16
c. FAT32
d. NTFS
🗑
|
||||
| 10. In FAT32, a 123 KB file uses how many sectors? | show 🗑
|
||||
| show | b. Unallocated space
d. Free space
refer to review sheets
🗑
|
||||
| 12. List two features NTFS has that FAT does not. | show 🗑
|
||||
| 13. What does MFT stand for? | show 🗑
|
||||
| show | True look up pages
🗑
|
||||
| show | True look up pages
🗑
|
||||
| show | chained clusters
🗑
|
||||
| 17. The Windows Registry in Windows 9x consists of what two files? | show 🗑
|
||||
| 18. HPFS is used on which OS? | show 🗑
|
||||
| show | instructions for the OS on how to interface with hardware devices
🗑
|
||||
| 20. Which of the following Windows XP files contains user-specific information? | show 🗑
|
||||
| 21. Virtual machines have which of the following limitations when running on a host computer? | show 🗑
|
||||
| show | True look up pgs
🗑
|
||||
| show | a. Files, folders, and volumes
refer to review pgs.
🗑
|
||||
| 24. To encrypt a FAT volume, which of the following utilities can you use? | show 🗑
|
||||
| show | Refer to review pg. Data runs have three components; the first declares how many bytes are required in the attribute field to store the number of bytes needed for the second and third components. The second component stores the number of clusters assigned
🗑
|
||||
| show | chapter 7
🗑
|
||||
| 1. What are the five required functions for computer forensics tools? | show 🗑
|
||||
| show | False
🗑
|
||||
| show | c. Logical and physical
🗑
|
||||
| 4. During a remote acquisition of a suspect drive, RAM data is lost. True or False? | show 🗑
|
||||
| 5. Hashing, filtering, and file header analysis make up which function of computer forensics tools? | show 🗑
|
||||
| 6. Sleuth Kit is used to access Autopsy’s tools. True or False? | show 🗑
|
||||
| 7. When considering new forensics software tools, you should do which of the following? | show 🗑
|
||||
| show | Data viewing, Keyword searching, Decompressing, Carving, Decrypting, and Bookmarking
🗑
|
||||
| 9. Data can’t be written to the disk with a command-line tool. True or False? | show 🗑
|
||||
| show | b. Filtering known good files from potentially suspicious data d. validating change.
🗑
|
||||
| 11. What’s the name of the NIST project established to collect all known hash values for commercial software and OS files? | show 🗑
|
||||
| show | True look up pgs.
🗑
|
||||
| show | False look up pgs
🗑
|
||||
| show | False look up pgs.
🗑
|
||||
| 15. Which of the following is true of most drive-imaging tools? (Choose all that apply.) | show 🗑
|
||||
| show | c. ISO 17025 look up review sheet
🗑
|
||||
| 17. Which of the following tools can examine files created by WinZip? | show 🗑
|
||||
| show | disk-to-disk copy, image-to-disk copy, partition-to-partition copy, image-to-partition copy
🗑
|
||||
| show | d. Do both a and b. refer to review sheet
🗑
|
||||
| show | False look up pgs.
🗑
|
Review the information in the table. When you are ready to quiz yourself you can hide individual columns or the entire table. Then you can click on the empty cells to reveal the answer. Try to recall what will be displayed before clicking the empty cell.
To hide a column, click on the column name.
To hide the entire table, click on the "Hide All" button.
You may also shuffle the rows of the table by clicking on the "Shuffle" button.
Or sort by any of the columns using the down arrow next to any column heading.
If you know all the data on any row, you can temporarily remove it by tapping the trash can to the right of the row.
To hide a column, click on the column name.
To hide the entire table, click on the "Hide All" button.
You may also shuffle the rows of the table by clicking on the "Shuffle" button.
Or sort by any of the columns using the down arrow next to any column heading.
If you know all the data on any row, you can temporarily remove it by tapping the trash can to the right of the row.
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
Created by:
settleup22
Popular Computers sets