Chapters 1-7


Question / Answer (each card below shows the side that was visible: Q = question, A = answer)
Chapter 1
A: 1. (IACIS) International Association of Computer Investigation Specialists. 2. (FLETC) Federal Law Enforcement Training Center.
A: False
Q: 3. Police in the United States must use procedures that adhere to which of the following? a. the Third Amendment b. the Fourth Amendment c. the First Amendment d. none of the above
Q: 4. The triad of computing security includes which of the following?
A: Internet pornography, espionage, abuse of Internet properties.
A: False, as long as the company has a security banner.
A: When a civilian or corporate investigative agent delivers evidence to a law enforcement agent, their job is to minimize risk to the company.
Q: 8. Policies can address rules for which of the following?
Q: 9. List two items that should appear on an internal warning banner.
Q: 10. Warning banners are often easier to present in court than policy manuals are. True or False?
A: False. Refer to page 18 in the book.
A: E-mail abuse and Internet abuse.
A: Maintaining confidentiality, having moral ethics, standards of behavior. It is critical to maintaining your integrity and credibility.
A: True.
A: It can help you remember certain tasks or issues and what types of tools, software or hardware you used for a particular problem.
Q: 16. iLook is maintained by ________________.
A: IRS
Q: 18. Laws and procedures for PDAs are which of the following? a. well established b. still being debated c. on the law books d. none of the above
A: To avoid conflicts and competition between departments, and it limits who is authorized to request an investigation. Authorized requester.
A: It's a sworn statement for a judge to get a warrant if you have found facts that support the evidence of a crime.
Q: What are the necessary components of a search warrant?
Chapter 2
Q: 1. What are some initial assessments you should make for a computing investigation?
Q: 2. What are some ways to determine the resources needed for an investigation?
Q: 3. List three items that should be on an evidence custody form.
Q: 4. Why should you do a standard risk assessment to prepare for an investigation?
Q: 5. You should always prove the allegations made by the person who hired you. True or False?
A: True. Refer to pg 36.
Q: 7. Who should have access to a secure container? a. only the primary investigator b. only the investigators in the group c. everyone on the floor d. only senior-level management
Q: 8. For employee termination cases, what types of investigations do you typically encounter?
A: If you just start Windows without analyzing the hard disk first, Windows writes data (for example to the Recycle Bin), which corrupts the quality and integrity of the evidence.
Q: 10. List three items that should be in your case report.
Q: 11. Why should you critique your case after it's finished?
A: Evidence of custody.
A: Documentation of the items the investigating officers collected with the computer, including a list of storage media (i.e. removable disks) and photographs of the equipment and windows before they are shut down.
Q: 14. What are some reasons that an employee might leak information to the press?
Q: 15. When might an interview turn into an interrogation?
A: When conducting an attorney-client privilege (ACP) case, you must keep all findings confidential.
Q: 17. What are the basic guidelines when working on an attorney-client privilege case?
A: False. Refer to pg. 20.
Chapter 3
A: True
Q: 2. Building a business case can involve which of the following?
A: False
Q: 4. The manager of a computer forensics lab is responsible for which of the following? (Choose all that apply.) a. necessary changes in lab procedures and software b. ensuring that staff members have sufficient training to do the job c. knowing the lab
Q: 5. To determine the types of operating systems needed in your lab, list two sources of information you could use.
Q: 6. What items should your business plan include?
A: IACIS, HTCN, EnCE. Refer to pg 76.
A: True
Q: 9. Why is physical security so critical for computer forensics labs?
A: False
Q: 11. What three items should you research before enlisting in a certification program?
A: two
A: regional
A: False. Refer to pg 84.
Q: 15. The chief custodian of evidence storage containers should keep several master keys. True or False?
A: B. Refer to review sheets.
Q: 17. A forensic workstation should always have a direct broadband connection to the Internet. True or False?
A: NISPOM. Refer to pg. 80, 81.
Q: 19. Which organization has guidelines on how to operate a computer forensics lab?
Q: 20. What name refers to labs constructed to shield EMR emissions?
Chapter 4
Q: 1. What is the primary goal of a static acquisition?
Q: 2. Name the three formats for computer forensics data acquisitions.
A: Advantages: faster data transfer speeds, ignores minor data errors, and most forensic analysis tools can read it. Disadvantages: requires equal or greater target disk space, does not contain hash values in the raw file (metadata), might have to run a sepa
A: Can compress or not compress the acquisition data; can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD; case metadata can be added to the acquisition file, eliminating the need to keep track of any addition
A: Expert Witness, used by Guidance Software EnCase
Q: 6. Name two commercial tools that can make a forensic sector-by-sector duplicate of a drive to a larger drive.
Q: 7. What does a logical acquisition collect for an investigation?
Q: 8. What does a sparse acquisition collect for an investigation?
A: size of the source drive, whether the source drive will be retained as evidence, how long the acquisition will take, and where the disk evidence is located
Q: 10. What is the advantage of using a tape backup system for forensic acquisitions of large data sets?
A: When the suspect computer can't be taken offline for several hours but can be shut down long enough to switch disks with a Ghost backup, allowing the investigator to take the original disk and preserve it as digital evidence.
Q: 12. Why is it a good practice to make two images of a suspect drive in a critical investigation?
Q: 13. When you perform an acquisition at a remote location, what should you consider to prepare for this task?
Q: 14. What is the disadvantage of using the Windows XP/Vista USB write-protection Registry method?
Q: 15. With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB thumb drive, containing evidence?
Q: 16. In a Linux shell, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1
A: validation
Q: 18. What is a hashing algorithm?
Q: 19. Which hashing algorithm utilities can be run from a Linux shell prompt?
Q: 20. In the Linux dcfldd command, which three options are used for validating data?
Q: 21. What's the maximum file size when writing data to a FAT32 drive?
A: 1) amount of data storage needed. 2) the type of RAID server (0, 1, 5, etc.) 3) whether your acquisition tool can handle RAID acquisitions. 4) whether your analysis tool can handle RAID data 5) whether your analysis tool can split RAID data into separate d
Q: 23. R-Studio and DiskExplorer are used primarily for computer forensics. True or False?
A: d. All of the above. Refer to review sheet.
A: ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect's workstation.
A: ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect's workstation.
Q: 26. What is the EnCase Enterprise remote access program?
Q: 27. What is the ProDiscover remote access program?
A: DiskExplorer for NTFS or DiskExplorer for FAT
Q: 29. HDHost is automatically encrypted when connected to another computer. True or False?
A: TCP/IP and serial RS232 port
A: EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response
Q: 32. EnCase, FTK, SMART, and iLook treat the image file as though it were the original disk. True or False?
A: True. Look up pg.
Q: 34. FTK Imager can acquire data in a drive's host protected area. True or False?
Chapter 5
Q: 1. Corporate investigations are typically easier than law enforcement investigations for which of the following reasons?
Q: 2. In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause. True or False?
Q: 3. If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?
A: a. You begin to take orders from a police detective without a warrant or subpoena. b. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.
A: False. Look up pgs.
Q: 6. If a suspect computer is located in an area that might have toxic chemicals, you must do which of the following? (Choose all that apply.)
Q: 7. What are the three rules for a forensic hash?
A: two files have the same hash value
A: REFER TO REVIEW PGS. Small computer toolkit, large-capacity drive, IDE ribbon cables, forensic boot media, laptop IDE 40-to-44 pin adapter, laptop or portable computer, FireWire or USB dual write-protect external bay, flashlight, digital camera or 35mm ca
Q: 10. When you arrive at the scene, why should you extract only those items you need to acquire evidence?
Q: 11. Computer peripherals or attachments can contain DNA evidence. True or False?
A: a. Browsing open applications. Refer to review sheets.
A: Computers, cable connections, overview of the scene, anything that might be of interest to the investigation
Q: 14. Which of the following techniques might be used in covert surveillance?
A: sensitive corporate information being mixed with data collected as evidence
Q: 16. Identify two hashing algorithms commonly used for forensic purposes.
A: False. Look up pgs.
Q: 18. If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?
A: initial-response field kit
A: False
Chapter 6
A: True. Look up pgs.
Q: 2. Sectors typically contain how many bytes?
A: cylinders, heads, sectors
Q: 4. Zoned bit recording is how manufacturers ensure that the outer tracks store as much data as possible. True or False?
Q: 5. Areal density refers to which of the following?
A: 2
A: a. 1:1. Refer to review sheets.
A: file and directory names, starting cluster numbers, file attributes, and date and time stamps
Q: 9. Windows 2000 can be configured to access which of these file formats? (Choose all that apply.)
A: The answer is 246 sectors. 123 x 1024 bytes per KB = 125,952 total bytes in the file. 125,952 bytes / 512 bytes per sector = 246 sectors
A: b. Unallocated space d. Free space. Refer to review sheets.
A: Unicode characters, security, journaling
Q: 13. What does MFT stand for?
A: True. Look up pages.
Q: 15. RAM slack can contain passwords. True or False?
A: chained clusters
A: System.dat and User.dat
A: OS/2
A: instructions for the OS on how to interface with hardware devices
A: b. Ntuser.dat. Refer to review pgs.
Q: 21. Virtual machines have which of the following limitations when running on a host computer?
A: True. Look up pgs.
Q: 23. EFS can encrypt which of the following?
A: c. PGP Whole Disk Encryption
Q: 25. What are the functions of a data run's field components in an MFT record?
Chapter 7
Q: 1. What are the five required functions for computer forensics tools?
A: False
A: c. Logical and physical
Q: 4. During a remote acquisition of a suspect drive, RAM data is lost. True or False?
A: a. Validation and discrimination
A: False (Autopsy is the front end to Sleuth Kit.)
A: c. Test and validate the software.
Q: 8. Of the six functions of computer forensics tools, what are the subfunctions of the Extraction function?
A: False. Look up pgs.
A: b. Filtering known good files from potentially suspicious data d. validating change.
A: National Software Reference Library (NSRL)
A: True. Look up pgs.
Q: 13. Building a forensic workstation is more expensive than purchasing one. True or False?
Q: 14. A live acquisition is considered an accepted forensics practice. True or False?
Q: 15. Which of the following is true of most drive-imaging tools? (Choose all that apply.)
A: c. ISO 17025. Look up review sheet.
A: a. FTK. Look up review sheet.
A: disk-to-disk copy, image-to-disk copy, partition-to-partition copy, image-to-partition copy
Q: 19. When validating the results of a forensic analysis, you should do which of the following?
Q: 20. NIST testing procedures are valid only for government agencies. True or False?
Created by: settleup22