Chapters 1-7
Help!
|
|
||||
|---|---|---|---|---|---|
| show | 1.(IACIS) International Association of Computer Investigation Specialist. 2. FLECT Federal Law Enforcement Training Center.
🗑
|
||||
| 2. Computer forensics and data recovery refer to the same activities. True or False? | show 🗑
|
||||
| 3. Police in the United States must use procedures that adhere to which of the following? a. the Third Amendment b. the Fourth Amendment c. the First Amendment d. none of the above | show 🗑
|
||||
| show | Vulnerability Assesment, Intrusion Response, and Investigations.
🗑
|
||||
| show | Internet Pornagraphy, Espianage, Abuse of Internet Properties.
🗑
|
||||
| 6. A corporate investigator must follow Fourth Amendment standards when conducting an investigation. True or False? | show 🗑
|
||||
| 7. To what does the term “silver-platter doctrine” refer? | show 🗑
|
||||
| 8. Policies can address rules for which of the following? | show 🗑
|
||||
| show | A.) Access to this system and Network are Restricted
B.) Use of this System and Network is for Official use Only.
🗑
|
||||
| 10. Warning banners are often easier to present in court than policy manuals are. True or False? | show 🗑
|
||||
| 11. A corporate investigator is considered an agent of law enforcement. True or False? | show 🗑
|
||||
| 12. List two types of computer investigations typically conducted in the corporate environment. | show 🗑
|
||||
| show | Maintaining confidentiality, having moral ethics, standards of behavior. It is critical to maintaining your integrity and credibility.
🗑
|
||||
| show | True.
🗑
|
||||
| 15. What is the purpose of maintaining a professional journal? | show 🗑
|
||||
| 16. iLook is maintained by ________________. | show 🗑
|
||||
| 17. The U.S. ______________ maintains a manual on procedures to follow for search and seizure of computers. | show 🗑
|
||||
| show | b.) Still being established.
🗑
|
||||
| 19. Why should companies appoint an authorized requester for computer investigations? | show 🗑
|
||||
| What is the purpose of an Affidavit? | show 🗑
|
||||
| What are the neccesary componaents of a search warrant? | show 🗑
|
||||
| show | chapt 2
🗑
|
||||
| show | A.) Talk to others involved in the case about the incident. B.) Has evidence already been seized by Law enforcement or security officers?
🗑
|
||||
| 2. What are some ways to determine the resources needed for an investigation? | show 🗑
|
||||
| 3. List three items that should be on an evidence custody form. | show 🗑
|
||||
| show | Identify the risks as in having a set amount of things that can or normally will happen who is the user what type of equipment
🗑
|
||||
| 5. You should always prove the allegations made by the person who hired you. True or False? | show 🗑
|
||||
| 6. For digital evidence, an evidence bag is typically made of antistatic material. True or False? | show 🗑
|
||||
| 7. Who should have access to a secure container? a. only the primary investigator b. only the investigators in the group c. everyone on the floor d. only senior-level management | show 🗑
|
||||
| 8. For employee termination cases, what types of investigations do you typically encounter? | show 🗑
|
||||
| 9. Why should your evidence media be write-protected? | show 🗑
|
||||
| show | Resources needed such as tools hardware software example: deleted files email standard risk assesments
🗑
|
||||
| show | Self evaluationfor growth and improved identity secessful decisions, how you could have improved.
🗑
|
||||
| show | Evidence of custody.
🗑
|
||||
| 13. What two tasks is an acquisitions officer responsible for at a crime scene? | show 🗑
|
||||
| 14. What are some reasons that an employee might leak information to the press? | show 🗑
|
||||
| show | An interrigation is trying to get a suspect to confess. An interview is getting info from a witness. Sometimes a witness in questioning might lose their credibility and turns into a suspect
🗑
|
||||
| 16. What is the most important point to remember when assigned to work on an attorney-client privilege case? | show 🗑
|
||||
| 17. What are the basic guidelines when working on an attorney-client privilege case? | show 🗑
|
||||
| show | False refer to pg. 20
🗑
|
||||
| chapter 3 | show 🗑
|
||||
| show | True
🗑
|
||||
| 2. Building a business case can involve which of the following? | show 🗑
|
||||
| 3. The ASCLD mandates the procedures established for a computer forensics lab. True or False? | show 🗑
|
||||
| show | all the answers refer to review sheet
🗑
|
||||
| 5. To determine the types of operating systems needed in your lab, list two sources of information you could use. | show 🗑
|
||||
| 6. What items should your business plan include? | show 🗑
|
||||
| 7. List two popular certification systems for computer forensics. | show 🗑
|
||||
| 8. The National Cybercrime Training Partnership is available only to law enforcement. True or False? | show 🗑
|
||||
| 9. Why is physical security so critical for computer forensics labs? | show 🗑
|
||||
| show | False
🗑
|
||||
| show | requirements, cost, and acceptability in your chosen area of employment
🗑
|
||||
| show | two
🗑
|
||||
| 13. Typically, a(n) ____________ lab has a separate storage area or room for evidence. | show 🗑
|
||||
| show | False refer to pg 84
🗑
|
||||
| show | False refer to page 80,81
🗑
|
||||
| show | B Refer to review sheets
🗑
|
||||
| 17. A forensic workstation should always have a direct broadband connection to the Internet. True or False? | show 🗑
|
||||
| 18. Which organization provides good information on safe storage containers? | show 🗑
|
||||
| 19. Which organization has guidelines on how to operate a computer forensics lab? | show 🗑
|
||||
| show | TEMPEST refer to pg. 80
🗑
|
||||
| show | chapter 4
🗑
|
||||
| 1. What is the primary goal of a static acquisition? | show 🗑
|
||||
| 2. Name the three formats for computer forensics data acquisitions. | show 🗑
|
||||
| 3. What are two advantages and disadvantages of the raw format? | show 🗑
|
||||
| 4. List two features common with proprietary format acquisition files. | show 🗑
|
||||
| show | Expert Witness, used by Guidance Software EnCase
🗑
|
||||
| show | EnCase, SafeBack, and SnapCopy.
🗑
|
||||
| show | only specific files of interest to the case
🗑
|
||||
| 8. What does a sparse acquisition collect for an investigation? | show 🗑
|
||||
| 9. What should you consider when determining which data acquisition method to use? | show 🗑
|
||||
| show | There is no limit to the size of data you can write to magnetic tape.
🗑
|
||||
| show | when the suspect computer can’t be taken offline for several hours but can be shut down long enough to switch disks with a Ghost backup, allowing the investigator to take the original disk and preserve it as digital evidence
🗑
|
||||
| show | to ensure at least one good copy of the forensically collected data in case of any failures
🗑
|
||||
| 13. When you perform an acquisition at a remote location, what should you consider to prepare for this task? | show 🗑
|
||||
| show | If the target drive is an external USB drive, the write-protect feature prevents data from being written to it.
🗑
|
||||
| show | Newer Linux distributions automatically mount the USB device, which could alter data on it.
🗑
|
||||
| show | Wrong. This command reads the image_file.img file and writes it to the evidence drive’s /dev/hda1 partition. The correct command is dcfldd if=/dev/hda1 of=image_file.img.
🗑
|
||||
| 17. What is the most critical aspect of computer evidence? | show 🗑
|
||||
| 18. What is a hashing algorithm? | show 🗑
|
||||
| 19. Which hashing algorithm utilities can be run from a Linux shell prompt? | show 🗑
|
||||
| show | hash=, hashlog=, and vf=
🗑
|
||||
| show | 2 GB (a limitation of FAT file systems)
🗑
|
||||
| show | ) amount of data storage needed. 2) the type of RAID server (0, 1, 5, etc.) 3) whether your acquisition tool can handle RAID acquisitions. 4) whether your analysis tool can handle RAID data 5) whether your analysis tool can split RAID data into separate d
🗑
|
||||
| show | False. They are designed as data recovery tools but are useful in rebuilding corrupt data when forensics tools fail.
🗑
|
||||
| show | d. All of the above refer to review sheet
🗑
|
||||
| show | ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect’s workstation.
🗑
|
||||
| show | ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect’s workstation.
🗑
|
||||
| show | ServLet
🗑
|
||||
| 27. What is the ProDiscover remote access program? | show 🗑
|
||||
| show | DiskExplorer for NTFS or DiskExplorer for FAT
🗑
|
||||
| show | False look up pg
🗑
|
||||
| show | TCP/IP and serial RS232 port
🗑
|
||||
| 31. Which computer forensics tools can connect to a suspect’s remote computer and run surreptitiously? | show 🗑
|
||||
| 32. EnCase, FTK, SMART, and iLook treat the image file as though it were the original disk. True or False? | show 🗑
|
||||
| 33. When possible, you should make two copies of evidence. True or False? | show 🗑
|
||||
| show | False look up pg.
🗑
|
||||
| 1. Corporate investigations are typically easier than law enforcement investigations for which of the following reasons? | show 🗑
|
||||
| show | True look up pg.
🗑
|
||||
| 3. If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False? | show 🗑
|
||||
| 4. As a corporate investigator, you can become an agent of law enforcement when which of the following happens? (Choose all that apply.) | show 🗑
|
||||
| 5. The plain view doctrine in computer searches is well-established law. True or False? | show 🗑
|
||||
| show | a. Coordinate with the HAZMAT team.
c. Assume the suspect computer is contaminated.
Rfer to review sheets
🗑
|
||||
| 7. What are the three rules for a forensic hash? | show 🗑
|
||||
| 8. In forensic hashes, a collision occurs when ____________________. | show 🗑
|
||||
| show | REFER TO REVIEW PGS. Small computer toolkit, large-capacity drive, IDE ribbon cables, forensic boot media, laptop IDE 40-to-44 pin adapter, laptop or portable computer, FireWire or USB dual write-protect external bay, flashlight, digital camera or 35mm ca
🗑
|
||||
| 10. When you arrive at the scene, why should you extract only those items you need to acquire evidence? | show 🗑
|
||||
| 11. Computer peripherals or attachments can contain DNA evidence. True or False? | show 🗑
|
||||
| show | a. Browsing open applications
refer to review sheets
🗑
|
||||
| show | Computers, cable connections, overview of scene—anything that might be of interest to the investigation
🗑
|
||||
| 14. Which of the following techniques might be used in covert surveillance? | show 🗑
|
||||
| 15. Commingling evidence means what in a corporate setting? | show 🗑
|
||||
| show | MD5 and SHA-1
🗑
|
||||
| 17. Small companies rarely need investigators. True or False? | show 🗑
|
||||
| show | True look up pgs
🗑
|
||||
| 19. You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you? | show 🗑
|
||||
| 20. You should always answer questions from onlookers at a crime scene. True or False? | show 🗑
|
||||
| show | chapter 6
🗑
|
||||
| 1. In DOS and Windows 9.x, Io.sys is the first file loaded after the ROM bootstrap loader finds the disk. True or | show 🗑
|
||||
| show | b. 512 refer to review sheet
🗑
|
||||
| 3. What does CHS stand for? | show 🗑
|
||||
| 4. Zoned bit recording is how manufacturers ensure that the outer tracks store as much data as possible. True or False? | show 🗑
|
||||
| 5. Areal density refers to which of the following? | show 🗑
|
||||
| show | 2
🗑
|
||||
| 7. What is the ratio of sectors per cluster in a floppy disk? | show 🗑
|
||||
| 8. List three items stored in the FAT database. | show 🗑
|
||||
| show | a. FAT12
b. FAT16
c. FAT32
d. NTFS
🗑
|
||||
| 10. In FAT32, a 123 KB file uses how many sectors? | show 🗑
|
||||
| 11. What is the space on a drive called when a file is deleted? (Choose all that apply.) | show 🗑
|
||||
| show | Unicode characters, security, journaling
🗑
|
||||
| show | Master File Table
🗑
|
||||
| show | True look up pages
🗑
|
||||
| show | True look up pages
🗑
|
||||
| 16. A virtual cluster consists of what kind of clusters? | show 🗑
|
||||
| 17. The Windows Registry in Windows 9x consists of what two files? | show 🗑
|
||||
| 18. HPFS is used on which OS? | show 🗑
|
||||
| 19. Device drivers contain what kind of information? | show 🗑
|
||||
| show | b. Ntuser.dat
refer to review pgs
🗑
|
||||
| show | c. Virtual machines are limited to the host computer’s peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. refer to review pgs
🗑
|
||||
| 22. An image of a suspect drive can be loaded on a virtual machine. True or False? | show 🗑
|
||||
| 23. EFS can encrypt which of the following? | show 🗑
|
||||
| 24. To encrypt a FAT volume, which of the following utilities can you use? | show 🗑
|
||||
| show | Refer to review pg. Data runs have three components; the first declares how many bytes are required in the attribute field to store the number of bytes needed for the second and third components. The second component stores the number of clusters assigned
🗑
|
||||
| chapter 7 | show 🗑
|
||||
| 1. What are the five required functions for computer forensics tools? | show 🗑
|
||||
| show | False
🗑
|
||||
| show | c. Logical and physical
🗑
|
||||
| 4. During a remote acquisition of a suspect drive, RAM data is lost. True or False? | show 🗑
|
||||
| 5. Hashing, filtering, and file header analysis make up which function of computer forensics tools? | show 🗑
|
||||
| show | False (Autopsy is the front end to Sleuth Kit.)
🗑
|
||||
| 7. When considering new forensics software tools, you should do which of the following? | show 🗑
|
||||
| show | Data viewing, Keyword searching, Decompressing, Carving, Decrypting, and Bookmarking
🗑
|
||||
| 9. Data can’t be written to the disk with a command-line tool. True or False? | show 🗑
|
||||
| show | b. Filtering known good files from potentially suspicious data d. validating change.
🗑
|
||||
| 11. What’s the name of the NIST project established to collect all known hash values for commercial software and OS files? | show 🗑
|
||||
| 12. Many of the newer GUI tools use a lot of system resources. True or False? | show 🗑
|
||||
| show | False look up pgs
🗑
|
||||
| show | False look up pgs.
🗑
|
||||
| 15. Which of the following is true of most drive-imaging tools? (Choose all that apply.) | show 🗑
|
||||
| show | c. ISO 17025 look up review sheet
🗑
|
||||
| show | a. FTK look up review sheet
🗑
|
||||
| show | disk-to-disk copy, image-to-disk copy, partition-to-partition copy, image-to-partition copy
🗑
|
||||
| 19. When validating the results of a forensic analysis, you should do which of the following? | show 🗑
|
||||
| 20. NIST testing procedures are valid only for government agencies. True or False? | show 🗑
|
Review the information in the table. When you are ready to quiz yourself you can hide individual columns or the entire table. Then you can click on the empty cells to reveal the answer. Try to recall what will be displayed before clicking the empty cell.
To hide a column, click on the column name.
To hide the entire table, click on the "Hide All" button.
You may also shuffle the rows of the table by clicking on the "Shuffle" button.
Or sort by any of the columns using the down arrow next to any column heading.
If you know all the data on any row, you can temporarily remove it by tapping the trash can to the right of the row.
To hide a column, click on the column name.
To hide the entire table, click on the "Hide All" button.
You may also shuffle the rows of the table by clicking on the "Shuffle" button.
Or sort by any of the columns using the down arrow next to any column heading.
If you know all the data on any row, you can temporarily remove it by tapping the trash can to the right of the row.
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
Created by:
settleup22
Popular Computers sets