Chapters 1-7
Quiz yourself by thinking what should be in each of the black spaces (shown as "(hidden)" in the table below) before clicking on it to display the answer.
| Question | Answer |
|---|---|
| (hidden) | 1. (IACIS) International Association of Computer Investigation Specialists. 2. FLETC Federal Law Enforcement Training Center. |
| (hidden) | False |
| 3. Police in the United States must use procedures that adhere to which of the following? a. the Third Amendment b. the Fourth Amendment c. the First Amendment d. none of the above | (hidden) |
| 4. The triad of computing security includes which of the following? | (hidden) |
| (hidden) | Internet Pornography, Espionage, Abuse of Internet Properties. |
| (hidden) | False, as long as the company has a security banner. |
| (hidden) | When a civilian or corporate investigative agent delivers evidence to a law enforcement agent, their job is to minimize risk to the company. |
| 8. Policies can address rules for which of the following? | (hidden) |
| 9. List two items that should appear on an internal warning banner. | (hidden) |
| 10. Warning banners are often easier to present in court than policy manuals are. True or False? | (hidden) |
| (hidden) | False. Refer to page 18 in book. |
| (hidden) | E-mail abuse and Internet abuse. |
| (hidden) | Maintaining confidentiality, having moral ethics, standards of behavior. It is critical to maintaining your integrity and credibility. |
| (hidden) | True. |
| (hidden) | Can help you remember certain tasks or issues and what types of tools (software or hardware) you used for a particular problem. |
| 16. iLook is maintained by ________________. | (hidden) |
| (hidden) | IRS |
| 18. Laws and procedures for PDAs are which of the following? a. well established b. still being debated c. on the law books d. none of the above | (hidden) |
| (hidden) | To avoid conflicts and competition between departments, and to limit who is authorized to request an investigation. Authorized requester. |
| (hidden) | It's a sworn statement for a judge to get a warrant if you have found facts that support the evidence of a crime. |
| What are the necessary components of a search warrant? | (hidden) |
| Chapter 2 | |
| 1. What are some initial assessments you should make for a computing investigation? | (hidden) |
| 2. What are some ways to determine the resources needed for an investigation? | (hidden) |
| 3. List three items that should be on an evidence custody form. | (hidden) |
| 4. Why should you do a standard risk assessment to prepare for an investigation? | (hidden) |
| 5. You should always prove the allegations made by the person who hired you. True or False? | (hidden) |
| (hidden) | True. Refer to pg. 36. |
| 7. Who should have access to a secure container? a. only the primary investigator b. only the investigators in the group c. everyone on the floor d. only senior-level management | (hidden) |
| 8. For employee termination cases, what types of investigations do you typically encounter? | (hidden) |
| (hidden) | If you just start Windows without analyzing the hard disk, writing data to the Recycle Bin corrupts the quality and integrity of evidence. |
| 10. List three items that should be in your case report. | (hidden) |
| 11. Why should you critique your case after it’s finished? | (hidden) |
| (hidden) | Evidence of custody. |
| (hidden) | Documentation of items the investigating officers collected with the computer, to include a list of storage media (i.e., removable disks) and photographs of equipment and windows before they are shut down. |
| 14. What are some reasons that an employee might leak information to the press? | (hidden) |
| 15. When might an interview turn into an interrogation? | (hidden) |
| (hidden) | When conducting an attorney-client privilege (ACP) case you must keep all findings confidential. |
| 17. What are the basic guidelines when working on an attorney-client privilege case? | (hidden) |
| (hidden) | False. Refer to pg. 20. |
| (hidden) | Chapter 3 |
| (hidden) | True |
| 2. Building a business case can involve which of the following? | (hidden) |
| (hidden) | False |
| 4. The manager of a computer forensics lab is responsible for which of the following? (Choose all that apply.) a. necessary changes in lab procedures and software b. ensuring that staff members have sufficient training to do the job c. knowing the lab | (hidden) |
| 5. To determine the types of operating systems needed in your lab, list two sources of information you could use. | (hidden) |
| 6. What items should your business plan include? | (hidden) |
| (hidden) | IACIS, HTCN, EnCE. Refer to pg. 76. |
| (hidden) | True |
| 9. Why is physical security so critical for computer forensics labs? | (hidden) |
| (hidden) | False |
| 11. What three items should you research before enlisting in a certification program? | (hidden) |
| (hidden) | two |
| (hidden) | regional |
| (hidden) | False. Refer to pg. 84. |
| 15. The chief custodian of evidence storage containers should keep several master keys. True or False? | (hidden) |
| (hidden) | B. Refer to review sheets. |
| 17. A forensic workstation should always have a direct broadband connection to the Internet. True or False? | (hidden) |
| (hidden) | NISPOM. Refer to pgs. 80-81. |
| 19. Which organization has guidelines on how to operate a computer forensics lab? | (hidden) |
| 20. What name refers to labs constructed to shield EMR emissions? | (hidden) |
| Chapter 4 | |
| 1. What is the primary goal of a static acquisition? | (hidden) |
| 2. Name the three formats for computer forensics data acquisitions. | (hidden) |
| (hidden) | Advantages: faster data transfer speeds, ignores minor data errors, and most forensic analysis tools can read it. Disadvantages: requires equal or greater target disk space, does not contain hash values in the raw file (metadata), might have to run a sepa |
| (hidden) | Can compress or not compress the acquisition data; can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD; case metadata can be added to the acquisition file, eliminating the need to keep track of any addition |
| (hidden) | Expert Witness, used by Guidance Software EnCase |
| 6. Name two commercial tools that can make a forensic sector-by-sector duplicate of a drive to a larger drive. | (hidden) |
| 7. What does a logical acquisition collect for an investigation? | (hidden) |
| 8. What does a sparse acquisition collect for an investigation? | (hidden) |
| (hidden) | Size of the source drive, whether the source drive will be retained as evidence, how long the acquisition will take, and where the disk evidence is located. |
| 10. What is the advantage of using a tape backup system for forensic acquisitions of large data sets? | (hidden) |
| (hidden) | When the suspect computer can’t be taken offline for several hours but can be shut down long enough to switch disks with a Ghost backup, allowing the investigator to take the original disk and preserve it as digital evidence. |
| 12. Why is it a good practice to make two images of a suspect drive in a critical investigation? | (hidden) |
| 13. When you perform an acquisition at a remote location, what should you consider to prepare for this task? | (hidden) |
| 14. What is the disadvantage of using the Windows XP/Vista USB write-protection Registry method? | (hidden) |
| 15. With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB thumb drive, containing evidence? | (hidden) |
| 16. In a Linux shell, the `fdisk -l` command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? `dcfldd if=image_file.img of=/dev/hda1` | (hidden) |
| (hidden) | validation |
| 18. What is a hashing algorithm? | (hidden) |
| 19. Which hashing algorithm utilities can be run from a Linux shell prompt? | (hidden) |
| 20. In the Linux dcfldd command, which three options are used for validating data? | (hidden) |
| 21. What’s the maximum file size when writing data to a FAT32 drive? | (hidden) |
| (hidden) | 1) amount of data storage needed. 2) the type of RAID server (0, 1, 5, etc.) 3) whether your acquisition tool can handle RAID acquisitions. 4) whether your analysis tool can handle RAID data 5) whether your analysis tool can split RAID data into separate d |
| 23. R-Studio and DiskExplorer are used primarily for computer forensics. True or False? | (hidden) |
| (hidden) | d. All of the above. Refer to review sheet. |
| (hidden) | ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect’s workstation. |
| (hidden) | ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect’s workstation. |
| 26. What is the EnCase Enterprise remote access program? | (hidden) |
| 27. What is the ProDiscover remote access program? | (hidden) |
| (hidden) | DiskExplorer for NTFS or DiskExplorer for FAT |
| 29. HDHost is automatically encrypted when connected to another computer. True or False? | (hidden) |
| (hidden) | TCP/IP and serial RS232 port |
| (hidden) | EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response |
| 32. EnCase, FTK, SMART, and iLook treat the image file as though it were the original disk. True or False? | (hidden) |
| (hidden) | True. Look up pg. |
| 34. FTK Imager can acquire data in a drive’s host protected area. True or False? | (hidden) |
| Chapter 5 | |
| 1. Corporate investigations are typically easier than law enforcement investigations for which of the following reasons? | (hidden) |
| 2. In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause. True or False? | (hidden) |
| 3. If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False? | (hidden) |
| (hidden) | a. You begin to take orders from a police detective without a warrant or subpoena. b. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. |
| (hidden) | False. Look up pgs. |
| 6. If a suspect computer is located in an area that might have toxic chemicals, you must do which of the following? (Choose all that apply.) | (hidden) |
| 7. What are the three rules for a forensic hash? | (hidden) |
| (hidden) | two files have the same hash value |
| (hidden) | REFER TO REVIEW PGS. Small computer toolkit, large-capacity drive, IDE ribbon cables, forensic boot media, laptop IDE 40-to-44 pin adapter, laptop or portable computer, FireWire or USB dual write-protect external bay, flashlight, digital camera or 35mm ca |
| 10. When you arrive at the scene, why should you extract only those items you need to acquire evidence? | (hidden) |
| 11. Computer peripherals or attachments can contain DNA evidence. True or False? | (hidden) |
| (hidden) | a. Browsing open applications. Refer to review sheets. |
| (hidden) | Computers, cable connections, overview of scene—anything that might be of interest to the investigation |
| 14. Which of the following techniques might be used in covert surveillance? | (hidden) |
| (hidden) | sensitive corporate information being mixed with data collected as evidence |
| 16. Identify two hashing algorithms commonly used for forensic purposes. | (hidden) |
| (hidden) | False. Look up pgs. |
| 18. If a company doesn’t distribute a computing use policy stating an employer’s right to inspect employees’ computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False? | (hidden) |
| (hidden) | initial-response field kit |
| (hidden) | False |
| Chapter 6 | |
| (hidden) | True. Look up pgs. |
| 2. Sectors typically contain how many bytes? | (hidden) |
| (hidden) | cylinders, heads, sectors |
| 4. Zoned bit recording is how manufacturers ensure that the outer tracks store as much data as possible. True or False? | (hidden) |
| 5. Areal density refers to which of the following? | (hidden) |
| (hidden) | 2 |
| (hidden) | a. 1:1. Refer to review sheets. |
| (hidden) | file and directory names, starting cluster numbers, file attributes, and date and time stamps |
| 9. Windows 2000 can be configured to access which of these file formats? (Choose all that apply.) | (hidden) |
| (hidden) | The answer is 246 sectors. 123 x 1024 bytes per KB = 125,952 total bytes in the file. 125,952 bytes / 512 sectors per cluster = 246 sectors |
| (hidden) | b. Unallocated space; d. Free space. Refer to review sheets. |
| (hidden) | Unicode characters, security, journaling |
| 13. What does MFT stand for? | (hidden) |
| (hidden) | True. Look up pages. |
| 15. RAM slack can contain passwords. True or False? | (hidden) |
| (hidden) | chained clusters |
| (hidden) | System.dat and User.dat |
| (hidden) | OS/2 |
| (hidden) | instructions for the OS on how to interface with hardware devices |
| (hidden) | b. Ntuser.dat. Refer to review pgs. |
| 21. Virtual machines have which of the following limitations when running on a host computer? | (hidden) |
| (hidden) | True. Look up pgs. |
| 23. EFS can encrypt which of the following? | (hidden) |
| (hidden) | c. PGP Whole Disk Encryption |
| 25. What are the functions of a data run’s field components in an MFT record? | (hidden) |
| (hidden) | Chapter 7 |
| 1. What are the five required functions for computer forensics tools? | (hidden) |
| (hidden) | False |
| (hidden) | c. Logical and physical |
| 4. During a remote acquisition of a suspect drive, RAM data is lost. True or False? | (hidden) |
| (hidden) | a. Validation and discrimination |
| (hidden) | False (Autopsy is the front end to Sleuth Kit.) |
| (hidden) | c. Test and validate the software. |
| 8. Of the six functions of computer forensics tools, what are the subfunctions of the Extraction function? | (hidden) |
| (hidden) | False. Look up pgs. |
| (hidden) | b. Filtering known good files from potentially suspicious data; d. validating change. |
| (hidden) | National Software Reference Library (NSRL) |
| (hidden) | True. Look up pgs. |
| 13. Building a forensic workstation is more expensive than purchasing one. True or False? | (hidden) |
| 14. A live acquisition is considered an accepted forensics practice. True or False? | (hidden) |
| 15. Which of the following is true of most drive-imaging tools? (Choose all that apply.) | (hidden) |
| (hidden) | c. ISO 17025. Look up review sheet. |
| (hidden) | a. FTK. Look up review sheet. |
| (hidden) | disk-to-disk copy, image-to-disk copy, partition-to-partition copy, image-to-partition copy |
| 19. When validating the results of a forensic analysis, you should do which of the following? | (hidden) |
| 20. NIST testing procedures are valid only for government agencies. True or False? | (hidden) |
Created by: settleup22