Digital Forensics Midterm Ch. 2-8 Okstate 2015

Linux Live CDs and WinFE disks do not automatically mount hard drives, but can be used to access file systems.
True
The shielding of sensitive computing systems and prevention of electronic eavesdropping of any computer emission is known as FAUST by the U.S. Department of Defense.
FALSE
The recording of all updates made to a workstation or a machine is referred to as configuration management.
TRUE
A disaster recovery plan ensures that workstations and file servers can be restored to their original condition in the event of a catastrophe.
TRUE
Because they are outdated, ribbon cables should not be considered for use within a forensics lab.
FALSE
Candidates who complete the IACIS test successfully are designated as a certified forensics computer examiner.
TRUE
What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigation?
Certified Cyber Forensics Professional
How long are computing components designed to last in a normal business environment?
18-36 months
Which of the following scenarios should be covered in a disaster recovery plan?
All of the above
Which operating system listed below is not a distribution of the Linux OS?
Minix
________ describes the characteristics of a safe storage container.
NISPOM
In order to qualify for the CCFT basic level certification, how many hours of computer forensics training are required?
40
Which file system below is utilized by the Xbox gaming system?
FATX
What ISO standard below is followed by the ASCLD?
ISO17025:2005
The ________ is responsible for creating and monitoring lab policies for staff, and provides a safe and secure workplace for staff and evidence.
The lab manager
What percentage of consumers utilize Intel and AMD PCs?
90%
________ can be used to restore backup files directly to a workstation.
Norton Ghost
How often should hardware be replaced within a forensics lab?
12-18 months
A TEMPEST facility is designed to accomplish which of the following goals?
Shield sensitive computing systems and prevent electronic eavesdropping of computer emissions
In order to qualify for the advanced certified forensic technician certification, a candidate must have ____ of hands-on experience in computer forensics investigations.
5 years
In order to qualify for the certified computer crime investigator basic level, candidates must provide documentation of at least _____ in which they participated.
10 cases
Which tool below is not recommended for use in a forensics lab?
Degausser
Which option below is not a recommendation for securing storage containers?
Rooms with evidence containers should have a secured wireless network
Which option below is not one of the recommended practices for maintaining a keypad padlock?
Use a master key
________ is a specialized viewer software program.
IrfanView
Hardware and software errors or incompatibilities are a common problem when dealing with older hard drives.
TRUE
A forensic investigator should verify that acquisition tools can copy data in the HPA of a disk drive.
TRUE
FTK Imager software can acquire a drive’s host protected area.
FALSE
The ImageUSB utility can be used to create a bootable flash drive.
TRUE
A RAID 3 array uses distributed data and distributed parity in a manner similar to a RAID 5 array.
TRUE
Which option below is not a hashing function used for validation checks?
RC4
The Linux command _____ can be used to write bit-stream data to files.
dd
Which option below is not a Linux Live CD meant for use as a digital forensics tool?
Ubuntu
The _________ switch can be used with the split command to adjust the size of segmented volumes created by the dd command.
-b
The Linux command ________ can be used to list the current disk devices connected to the computer.
fdisk -l
The ______ command was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory.
dcfldd
Which RAID type utilizes mirrored striping, providing fast access and redundancy?
RAID 10
Within the fdisk interactive menu, what character should be entered to view existing partitions?
p
When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files?
2 GB
An investigator wants to capture all the data on a SATA drive connected to a Linux system. What should the investigator use for the “if=” portion of the dcfldd command?
/dev/sda
_______ can be used with the dcfldd command to compare an image file to the original medium.
vf
Which RAID type provides increased speed and data storage capability, but lacks redundancy?
RAID 0
Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data?
RAID 5
______ creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID.
R-Tools R-Studio
_____ is the utility used by the ProDiscover program for remote access.
PDServer
The ________ copies evidence of intrusions to an investigation workstation automatically for further analysis over the network.
intrusion detection system
Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files?
Advanced Forensics Format
What is the name of the Microsoft solution for whole disk encryption?
BitLocker
Which technology below is not a hot-swappable technology?
IDE
To create a new primary partition within the fdisk interactive utility, which letter should be typed?
p
Computer-stored records are data the system maintains, such as system log files and proxy server logs.
TRUE
An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal injury, such as finding a bomb threat in an e-mail.
TRUE
The Fourth Amendment states that only warrants “particularly describing the place to be searched and the persons or things to be seized” can be issued. The courts have determined that this phrase means a warrant can authorize a search of a specific place for anything.
FALSE
State public disclosure laws apply to state records, but FOIA allows citizens to request copies of public documents created by federal agencies.
TRUE
To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant.
TRUE
______ would not be found in an initial response field kit.
Leather gloves and disposable latex gloves
________ is a common cause for lost or corrupted evidence.
Professional curiosity
What does FRE stand for?
Federal Rules of Evidence
If practical, ________ team(s) should collect and catalog digital evidence at a crime scene or lab.
One
_________ is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing.
Hearsay
You must abide by the ________ while collecting evidence.
Fourth Amendment
Which of the following is not done when preparing for a case?
Set up covert surveillance
A _______ is not a private sector organization.
Hospital
In cases that involve dangerous settings, what kind of team should be used to recover evidence from the scene?
HAZMAT
______ are a special category of private sector businesses, due to their ability to investigate computer abuse committed by employees only, but not customers.
ISPs
The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient ________.
Probable cause
Which court case established that it is not necessary for computer programmers to testify in order to authenticate computer-generated records?
United States v. Salgado
What should you do while copying data on a suspect’s computer that is still live?
Make notes regarding everything you do
The term _______ describes rooms filled with extremely large disk systems that are typically used by large business data centers.
Server farm
______ does not recover data in free or slack space.
Live acquisition
When seizing digital evidence in criminal investigations, whose standards should be followed?
U.S. DOJ
The term ______ is used to describe someone who might be a suspect or someone with additional knowledge that can provide evidence of probable cause for a search warrant or arrest.
Person of interest
What type of media has a 30-year lifespan?
DLT magnetic tape
As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered….
The decision should be left to the Digital Evidence First Responder (DEFR)
Which system below can be used to quickly and accurately match fingerprints in a database?
Automated Fingerprint Identification System (AFIS)
A computer stores system configuration and date and time information in the BIOS when power to the system is off.
FALSE
When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space.
TRUE
Someone who wants to hide data can create hidden partitions or voids, large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.
FALSE
FAT32 is used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0.
FALSE
Each MFT record starts with a header identifying it as a resident or nonresident attribute.
TRUE
A typical disk drive stores how many bytes in a single sector?
512
Most manufacturers use what technique in order to deal with the fact that a platter’s inner tracks have a smaller circumference than the outer tracks?
Zone Bit Recording (ZBR)
What hexadecimal code below identifies an NTFS file system in the partition table?
07
When using the File Allocation Table (FAT), where is the FAT database typically written to?
The outermost track
Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDXC), and memory sticks:
exFAT
What term is used to describe a disk’s logical structure of platters, tracks, and sectors?
geometry
A Master Boot Record (MBR) partition table marks the first partition starting at what offset?
0x1BE
The ___________ command inserts a HEX E5 (0xE5) in a filename’s first letter position in the associated directory entry.
delete
What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume?
$LogFile
What command below can be used to decrypt EFS files?
cipher
Which of the following commands creates an alternate data stream?
echo text > myfile.txt:stream_name
What term below describes a column of tracks on two or more disk platters?
cylinder
Which of the following is not a valid configuration of Unicode?
UTF-64
What does the MFT header field at offset 0x00 contain?
The MFT record identifier FILE
The ReFS storage engine uses a ________ sort of method for fast access to large data sets.
B+-tree
What third party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive?
TrueCrypt
The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System.
hive
What registry file contains user account management and security settings?
SAM.dat
What registry file contains installed programs’ settings and associated usernames and passwords?
Software.dat
Addresses that allow the MFT to link to nonresident files are known as _________.
logical cluster numbers
Software forensics tools are grouped into command-line applications and GUI applications.
TRUE
Making a logical acquisition of a drive with whole disk encryption can result in unreadable files.
FALSE
Physically copying the entire drive is the only type of data-copying method used in software acquisitions.
FALSE
ISO standard 27037 states that the most important factors in data acquisitions are the DEFR’s competency and the use of validated tools.
TRUE
All forensics acquisitions tools have a method for verification of the data-copying process that compares the original drive with the image.
TRUE
What tool below was written for MS-DOS and was commonly used for manual digital investigations?
Norton DiskEdit
In general, what would a lightweight forensics workstation consist of?
A laptop computer built into a carrying case with a small selection of peripheral options
In what mode do most write-blockers run?
Shell mode
Reconstructing fragments of files that have been deleted from a suspect drive is known as ______ in North America.
carving
The ProDiscover utility makes use of the proprietary __________ file format.
.eve
What is the purpose of the reconstruction function in a forensics investigation?
Re-create a suspect’s drive to show what happened during a crime or incident
Which of the following options is not a subfunction of extraction?
logical data copy
In what temporary location below might passwords be stored?
pagefile.sys
The ______ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface.
Kali
What option below is an example of a platform-specific encryption tool?
BitLocker
What hex value is the standard indicator for JPEG graphic files?
FF D8
Passwords are typically stored as one-way ____ rather than in plaintext.
hashes
What program serves as the GUI front end for accessing Sleuth Kit’s tools?
Autopsy
Which of the following is stated within the ISO 27037 standard?
Digital Evidence First Responders should use validated tools.
The physical data copy subfunction exists under the ______ function.
acquisition
A keyword search is part of the analysis process within what forensics function?
extraction
What algorithm is used to decompress Windows files?
Lempel-Ziv
What is the goal of the NSRL project created by NIST?
Collect known hash values for commercial software and OS files using SHA hashes.
When performing disk acquisition, the raw data format is typically created with the UNIX/Linux ______ command.
dd
________ proves that two sets of data are identical by calculating hash values or using another similar method.
Verification
Linux is a certified UNIX operating system.
FALSE
The term “kernel” is often used when discussing Linux because technically, Linux is only the core of the OS.
TRUE
Capitalization, or lack thereof, makes no difference with UNIX and Linux commands.
FALSE
In UNIX and Linux, everything except monitors is considered a file.
FALSE
The only pieces of metadata not in an inode are the filename and path.
TRUE
Who is the current maintainer of the Linux kernel?
Linus Torvalds
What file under the /etc folder contains the hashed passwords for a local system?
Shadow
What is the minimum size of a block in UNIX/Linux filesystems?
512 bytes
___________ contain file and directory metadata and provide a mechanism for linking data stored in data blocks.
Inodes
On Mac OS X systems, what utility can be used to encrypt/decrypt a user’s home directory?
FileVault
____________ is a specialized carving tool that can read many image file formats, such as RAW and Expert Witness.
Foremost
What command below will create a symbolic link to a file?
ln -s
Select below the command that can be used to display bad block information on a Linux file system, but also has the capability to destroy valuable information.
badblocks
Adding the _____________ flag to the ls -l file command has the effect of showing all the files beginning with the “.” character in addition to other files.
-a
What type of block do UNIX/Linux computers have only one of?
boot block
What information below is not included within the inode?
The file’s or directory’s path
A hash that begins with “$6” in the shadow file indicates that it is a hash from what hashing algorithm?
SHA-512
As part of a forensics investigation, you need to recover the logon and logoff history information on a Linux-based OS. Where can this information be found?
/var/log/wtmp
The ___________ command can be used to see network interfaces.
ifconfig
The Mac OS reduces file fragmentation by using ____________.
clumps
What file is used to store any file information that is not in the MDV or a VCB?
extents overflow file
In a B*-tree file system, what node stores link information to previous and next nodes?
index node
Where is the root user’s home directory located on a Mac OS X file system?
/private/var/root
Within the /etc/shadow file, what field contains the password hash for a user account if one exists?
2nd field
If a file has 510 bytes of data, what is byte 510?
The logical EOF
How many bits are required to create a pixel capable of displaying 65,536 different colors?
16 bits
Which of the following is not considered to be a non-standard graphics file format?
.dxf
All TIF files start at offset 0 with what 6 hexadecimal characters?
49 49 2A
What kind of graphics file combines bitmap and vector graphics types?
metafile
The process of converting raw picture data to another format is called _______.
demosaicing
What format was developed as a standard for storing metadata in image files?
exif
Which of the following formats is not considered to be a standard graphics file format?
tga
Select below the utility that is not a lossless compression utility:
Lzip
In simple terms, _________ compression discards bits in much the same way rounding off decimal values discards numbers.
Vector Quantization
What file type starts at offset 0 with a hexadecimal value of FFD8?
jpeg
How many different colors can be displayed by a 24-bit color pixel?
16,777,216
The ____________ format is a proprietary format used by Adobe Photoshop.
.psd
For EXIF JPEG files, the hexadecimal value starting at offset 2 is ________.
FFE1
Referred to as a digital negative, the _________ is typically used on many higher-end digital cameras.
raw file format
The Lempel-Ziv-Welch (LZW) algorithm is used in __________ compression.
lossless
For all JPEG files, the ending hexadecimal marker, also known as the end of image (EOI), is _________.
FFD9
Which graphics file format below is rarely compressed?
BMP
When looking at a byte of information in binary, such as 11101100, what is the first bit on the left referred to as?
most significant bit (MSB)
What act defines precisely how copyright laws pertain to graphics?
1976 Copyright Act
Which of the following is not a type of graphic file that is created by a graphics program?
raster graphics
The first 3 bytes of an XIF file are exactly the same as a TIF file.
TRUE
Graphics files are created and saved in a graphics editor, such as Microsoft Paint, Adobe Freehand MX, Adobe Photoshop, or Gnome GIMP.
TRUE
Most digital cameras use the bitmap format to store photos.
FALSE
When you decompress data that uses a lossy compression algorithm, you regain data lost by compression.
FALSE
Each graphics file type has a unique header value.
TRUE
