Chapters 1-7

Answer: 1. (IACIS) International Association of Computer Investigation Specialist. 2. FLETC Federal Law Enforcement Training Center.

Question: 2. Computer forensics and data recovery refer to the same activities. True or False?

Question: 3. Police in the United States must use procedures that adhere to which of the following? a. the Third Amendment b. the Fourth Amendment c. the First Amendment d. none of the above

Answer: Vulnerability Assessment, Intrusion Response, and Investigations.

Answer: Internet Pornography, Espionage, Abuse of Internet Properties.

Question: 6. A corporate investigator must follow Fourth Amendment standards when conducting an investigation. True or False?

Question: 7. To what does the term “silver-platter doctrine” refer?

Question: 8. Policies can address rules for which of the following?

Answer: A.) Access to this system and Network is Restricted. B.) Use of this System and Network is for Official use Only.

Question: 10. Warning banners are often easier to present in court than policy manuals are. True or False?

Question: 11. A corporate investigator is considered an agent of law enforcement. True or False?

Question: 12. List two types of computer investigations typically conducted in the corporate environment.

Answer: Maintaining confidentiality, having moral ethics, standards of behavior. It is critical to maintaining your integrity and credibility.

Answer: True.

Question: 15. What is the purpose of maintaining a professional journal?

Question: 16. iLook is maintained by ________________.

Question: 17. The U.S. ______________ maintains a manual on procedures to follow for search and seizure of computers.

Answer: b.) Still being established.

Question: 19. Why should companies appoint an authorized requester for computer investigations?

Question: What is the purpose of an Affidavit?

Question: What are the necessary components of a search warrant?

Chapter 2

Answer: A.) Talk to others involved in the case about the incident. B.) Has evidence already been seized by Law enforcement or security officers?

Question: 2. What are some ways to determine the resources needed for an investigation?

Question: 3. List three items that should be on an evidence custody form.

Answer: Identify the risks, as in having a set amount of things that can or normally will happen: who is the user, what type of equipment.

Question: 5. You should always prove the allegations made by the person who hired you. True or False?

Question: 6. For digital evidence, an evidence bag is typically made of antistatic material. True or False?

Question: 7. Who should have access to a secure container? a. only the primary investigator b. only the investigators in the group c. everyone on the floor d. only senior-level management

Question: 8. For employee termination cases, what types of investigations do you typically encounter?

Question: 9. Why should your evidence media be write-protected?

Answer: Resources needed such as tools, hardware, software; example: deleted files, email; standard risk assessments.

Answer: Self evaluation for growth and improved identity, successful decisions, how you could have improved.

Answer: Evidence of custody.

Question: 13. What two tasks is an acquisitions officer responsible for at a crime scene?

Question: 14. What are some reasons that an employee might leak information to the press?

Answer: An interrogation is trying to get a suspect to confess. An interview is getting info from a witness. Sometimes a witness in questioning might lose their credibility and turn into a suspect.

Question: 16. What is the most important point to remember when assigned to work on an attorney-client privilege case?

Question: 17. What are the basic guidelines when working on an attorney-client privilege case?

Answer: False; refer to pg. 20.

Chapter 3

Answer: True

Question: 2. Building a business case can involve which of the following?

Question: 3. The ASCLD mandates the procedures established for a computer forensics lab. True or False?

Answer: all the answers; refer to review sheet

Question: 5. To determine the types of operating systems needed in your lab, list two sources of information you could use.

Question: 6. What items should your business plan include?

Question: 7. List two popular certification systems for computer forensics.

Question: 8. The National Cybercrime Training Partnership is available only to law enforcement. True or False?

Question: 9. Why is physical security so critical for computer forensics labs?

Answer: False

Answer: requirements, cost, and acceptability in your chosen area of employment

Answer: two

Question: 13. Typically, a(n) ____________ lab has a separate storage area or room for evidence.

Answer: False; refer to pg. 84

Answer: False; refer to pages 80, 81

Answer: B; refer to review sheets

Question: 17. A forensic workstation should always have a direct broadband connection to the Internet. True or False?

Question: 18. Which organization provides good information on safe storage containers?

Question: 19. Which organization has guidelines on how to operate a computer forensics lab?

Answer: TEMPEST; refer to pg. 80

Chapter 4

Question: 1. What is the primary goal of a static acquisition?

Question: 2. Name the three formats for computer forensics data acquisitions.

Question: 3. What are two advantages and disadvantages of the raw format?

Question: 4. List two features common with proprietary format acquisition files.

Answer: Expert Witness, used by Guidance Software EnCase

Answer: EnCase, SafeBack, and SnapCopy.

Answer: only specific files of interest to the case

Question: 8. What does a sparse acquisition collect for an investigation?

Question: 9. What should you consider when determining which data acquisition method to use?

Answer: There is no limit to the size of data you can write to magnetic tape.

Answer: when the suspect computer can’t be taken offline for several hours but can be shut down long enough to switch disks with a Ghost backup, allowing the investigator to take the original disk and preserve it as digital evidence

Answer: to ensure at least one good copy of the forensically collected data in case of any failures

Question: 13. When you perform an acquisition at a remote location, what should you consider to prepare for this task?

Answer: If the target drive is an external USB drive, the write-protect feature prevents data from being written to it.

Answer: Newer Linux distributions automatically mount the USB device, which could alter data on it.

Answer: Wrong. This command reads the image_file.img file and writes it to the evidence drive’s /dev/hda1 partition. The correct command is dcfldd if=/dev/hda1 of=image_file.img.

Question: 17. What is the most critical aspect of computer evidence?

Question: 18. What is a hashing algorithm?

Question: 19. Which hashing algorithm utilities can be run from a Linux shell prompt?

Answer: hash=, hashlog=, and vf=

Answer: 2 GB (a limitation of FAT file systems)

Answer: 1) amount of data storage needed. 2) the type of RAID server (0, 1, 5, etc.) 3) whether your acquisition tool can handle RAID acquisitions. 4) whether your analysis tool can handle RAID data 5) whether your analysis tool can split RAID data into separate d

Answer: False. They are designed as data recovery tools but are useful in rebuilding corrupt data when forensics tools fail.

Answer: d. All of the above; refer to review sheet

Answer: ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect’s workstation.

Answer: ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect’s workstation.

Answer: ServLet

Question: 27. What is the ProDiscover remote access program?

Answer: DiskExplorer for NTFS or DiskExplorer for FAT

Answer: False; look up pg.

Answer: TCP/IP and serial RS232 port

Question: 31. Which computer forensics tools can connect to a suspect’s remote computer and run surreptitiously?

Question: 32. EnCase, FTK, SMART, and iLook treat the image file as though it were the original disk. True or False?

Question: 33. When possible, you should make two copies of evidence. True or False?

Answer: False; look up pg.

Question: 1. Corporate investigations are typically easier than law enforcement investigations for which of the following reasons?

Answer: True; look up pg.

Question: 3. If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?

Question: 4. As a corporate investigator, you can become an agent of law enforcement when which of the following happens? (Choose all that apply.)

Question: 5. The plain view doctrine in computer searches is well-established law. True or False?

Answer: a. Coordinate with the HAZMAT team. c. Assume the suspect computer is contaminated. Refer to review sheets

Question: 7. What are the three rules for a forensic hash?

Question: 8. In forensic hashes, a collision occurs when ____________________.

Answer: REFER TO REVIEW PGS. Small computer toolkit, large-capacity drive, IDE ribbon cables, forensic boot media, laptop IDE 40-to-44 pin adapter, laptop or portable computer, FireWire or USB dual write-protect external bay, flashlight, digital camera or 35mm ca

Question: 10. When you arrive at the scene, why should you extract only those items you need to acquire evidence?

Question: 11. Computer peripherals or attachments can contain DNA evidence. True or False?

Answer: a. Browsing open applications; refer to review sheets

Answer: Computers, cable connections, overview of scene—anything that might be of interest to the investigation

Question: 14. Which of the following techniques might be used in covert surveillance?

Question: 15. Commingling evidence means what in a corporate setting?

Answer: MD5 and SHA-1

Question: 17. Small companies rarely need investigators. True or False?

Answer: True; look up pgs

Question: 19. You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?

Question: 20. You should always answer questions from onlookers at a crime scene. True or False?

Chapter 6

Question: 1. In DOS and Windows 9.x, Io.sys is the first file loaded after the ROM bootstrap loader finds the disk. True or

Answer: b. 512; refer to review sheet

Question: 3. What does CHS stand for?

Question: 4. Zoned bit recording is how manufacturers ensure that the outer tracks store as much data as possible. True or False?

Question: 5. Areal density refers to which of the following?

Answer: 2

Question: 7. What is the ratio of sectors per cluster in a floppy disk?

Question: 8. List three items stored in the FAT database.

Answer: a. FAT12 b. FAT16 c. FAT32 d. NTFS

Question: 10. In FAT32, a 123 KB file uses how many sectors?

Question: 11. What is the space on a drive called when a file is deleted? (Choose all that apply.)

Answer: Unicode characters, security, journaling

Answer: Master File Table

Answer: True; look up pages

Answer: True; look up pages

Question: 16. A virtual cluster consists of what kind of clusters?

Question: 17. The Windows Registry in Windows 9x consists of what two files?

Question: 18. HPFS is used on which OS?

Question: 19. Device drivers contain what kind of information?

Answer: b. Ntuser.dat; refer to review pgs

Answer: c. Virtual machines are limited to the host computer’s peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. Refer to review pgs

Question: 22. An image of a suspect drive can be loaded on a virtual machine. True or False?

Question: 23. EFS can encrypt which of the following?

Question: 24. To encrypt a FAT volume, which of the following utilities can you use?

Answer: Refer to review pg. Data runs have three components; the first declares how many bytes are required in the attribute field to store the number of bytes needed for the second and third components. The second component stores the number of clusters assigned

Chapter 7

Question: 1. What are the five required functions for computer forensics tools?

Answer: False

Answer: c. Logical and physical

Question: 4. During a remote acquisition of a suspect drive, RAM data is lost. True or False?

Question: 5. Hashing, filtering, and file header analysis make up which function of computer forensics tools?

Answer: False (Autopsy is the front end to Sleuth Kit.)

Question: 7. When considering new forensics software tools, you should do which of the following?

Answer: Data viewing, Keyword searching, Decompressing, Carving, Decrypting, and Bookmarking

Question: 9. Data can’t be written to the disk with a command-line tool. True or False?

Answer: b. Filtering known good files from potentially suspicious data d. validating change.

Question: 11. What’s the name of the NIST project established to collect all known hash values for commercial software and OS files?

Question: 12. Many of the newer GUI tools use a lot of system resources. True or False?

Answer: False; look up pgs

Answer: False; look up pgs.

Question: 15. Which of the following is true of most drive-imaging tools? (Choose all that apply.)

Answer: c. ISO 17025; look up review sheet

Answer: a. FTK; look up review sheet

Answer: disk-to-disk copy, image-to-disk copy, partition-to-partition copy, image-to-partition copy

Question: 19. When validating the results of a forensic analysis, you should do which of the following?

Question: 20. NIST testing procedures are valid only for government agencies. True or False?
Created by: settleup22