Final Exam Flashcards
By the 1970s electronic crimes were increasing especially in the financial sector.
True
To be a successful computer forensics investigator you must be familiar with more than one computing platform.
True
Computer investigations and forensics fall into the same category: public investigations.
False
The law of search and seizure protects the rights of all people excluding people suspected of crimes.
False
After a judge approves and signs a search warrant, it’s ready to be executed, meaning you can collect evidence as defined by the warrant.
True
Maintaining credibility means you must form and sustain unbiased opinions of your cases.
False
The definition of digital forensics has evolved over the years from simply involving securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases.
True
The Fourth Amendment to the U.S. Constitution (and each state’s constitution) protects everyone’s rights to be secure in their person, residence, and property from search and seizure.
True
When you work in the enterprise digital group you test and verify the integrity of standalone workstations and network servers.
False
The police blotter provides a record of clues to crimes that have been committed previously.
True
Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?
Computer Analysis and Response Team (CART)
A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?
Data recovery
Which group often works as part of a team to secure an organization’s computers and networks?
Forensic investigators
Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?
Digital investigations
Which agency introduced training on software for forensics investigations by the early 1990s?
IACIS
Which Pacific Northwest agency meets to discuss problems that digital forensics examiners encounter?
CTIN
Which type of case involves charges such as burglary, murder, or molestation?
Criminal
What is the third stage of a criminal case after the complaint and the investigation?
Prosecution
What does the investigator in a criminal or public-sector case submit at the request of the prosecuting attorney if he or she has enough information to support a search warrant?
Affidavit
When an investigator seeks a search warrant which of the following must be included in an affidavit to support the allegation of a crime?
Probable cause?
What must be done under oath to verify that the information in the affidavit is true?
It must be notarized
What do published company policies provide for a business that enables them to conduct internal investigations?
Line of authority
What usually appears when a computer starts or connects to the company intranet network or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will?
Warning banner
What term refers to a person using a computer to perform routine tasks other than systems administration?
End user
Which term refers to an accusation or supposition of fact that a crime has been committed and is made by the complainant based on the incident?
Allegation
Without a warning banner what right might employees assume they have when using a company’s computer systems and network accesses?
Privacy
What term refers to the individual who has the power to conduct digital forensic investigations?
Authorized requester
What is most often the focus of digital investigations in the private sector?
Misuse of digital assets
Which doctrine found to be unconstitutional was used to allow a civilian or private-sector investigative agent to deliver evidence obtained in a manner that violated the Fourth Amendment to a law enforcement agency?
Silver platter
A forensics analysis of a 6 TB disk for example can take several days or weeks.
True
Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses.
False
If damage occurs to the floor walls ceilings or furniture in your computer forensics lab it does not need to be repaired immediately.
False
A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.
True
Computing systems in a forensics lab should be able to process typical cases in a timely manner.
True
By using marketing to attract new customers or clients you can justify future budgets for the lab’s operation and staff.
True
The ANSI-ASQ National Accreditation Board (ANAB) is a wholly owned subsidiary of the American Society of Crime Laboratory Directors (ASCLD).
False
The lab manager sets up processes for managing cases and reviews them regularly.
True
For daily work production several examiners can work together in a large open area as long as they all have different levels of authority and access needs.
False
Chapter 5 Section 3 of the NISPOM describes the characteristics of a safe storage container.
True
At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?
Digital forensics lab
At what levels should lab costs be broken down?
Monthly, quarterly, and annually
What reports are generated at the local state and federal levels to show the types and frequency of crimes committed?
Uniform crime reports
In addition to FAT16, FAT32, and Resilient File System which file system can Windows hard disks also use?
NTFS
What organization was created by police officers in order to formalize credentials for digital investigators?
IACIS
How frequently does IACIS require recertification to demonstrate continuing work in the field of computer forensics?
Every three years
What HTCN certification level requires candidates have three years of experience in computing investigations for law enforcement or corporate cases?
Certified Computer Forensic Technician, Basic (CCFT-B)
What kind of forensic investigation lab best preserves the integrity of evidence?
A secure facility
At what distance can the EMR from a computer monitor be picked up?
1/2 mile
During the Cold War defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. What did the U.S. Department of Defense call this special computer-emission shielding?
TEMPEST
What material is recommended for secure storage containers and cabinets?
Steel
How frequently should floors and carpets in the computer forensic lab be cleaned to help minimize dust that can cause static electricity?
Once a week
Which resource can be helpful when investigating older and unusual computing systems?
AICIS lists
What type of plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you’re analyzing?
Disaster recovery plan
Where should your computer backups be kept?
Off-site
What process refers to recording all the updates made to a workstation?
Configuration management
Methods for restoring large data sets are important for labs using which type of servers?
RAID
Which activity involves determining how much risk is acceptable for any process or operation?
Risk management
What is the maximum amount of time computing components are designed to last in normal business operations?
36 months
In what process is the acquisition of newer and better resources for investigation justified?
Building a business case
If the computer has an encrypted drive a live acquisition is done if the password or passphrase is not available.
True
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.
True
Some acquisition tools don’t copy data in the host protected area (HPA) of a disk drive.
True
FTK Imager requires that you use a device such as a USB dongle for licensing.
False
Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.
False
In Autopsy and many other forensics tools, raw format image files don’t contain metadata.
True
Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.
False
A separate manual validation is recommended for all raw acquisitions at the time of analysis.
True
Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized.
True
There’s no simple method for getting an image of a RAID server’s disks.
True
Which type of format acquisition leaves the investigator unable to share an image between different vendors’ computer forensics analysis tools?
Proprietary
What type of acquisition is typically done on a computer seized during a police raid?
Static
What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?
Live
What is the most common and flexible data-acquisition method?
Disk-to-image
If your time is limited, what type of acquisition data copy method should you consider?
Logical or sparse
By what percentage can lossless compression reduce image file size?
50%
What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult?
Whole disk encryption
What term refers to Linux ISO images that can be burned to a CD or DVD?
Linux live CD
What command displays pages from the online help manual for information on Linux commands and their options?
man
What command creates a raw format file that most computer forensics analysis tools can read?
dd
What command works similarly to the dd command but has many features designed for computer forensics acquisitions?
dcfldd
In addition to md5sum which hashing algorithm utility is included with current distributions of Linux?
sha1sum
What option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512?
hash
What does Autopsy use to validate an image?
MD5
What older Microsoft disk compression tool eliminates only slack disk space between files?
DriveSpace
In addition to RAID 0, what type of RAID configuration is available for Windows XP 2000 and NT servers and workstations?
RAID 1
In which RAID configuration do two or more disk drives become one large volume so the computer views the disks as a single disk?
RAID 0
Which RAID configuration also called mirrored striping is a combination of RAID 1 and RAID 0?
RAID 10
Which RAID configuration offers the greatest access speed and most robust data recovery capability?
RAID 10
What type of acquisition is used for most remote acquisitions?
Live
ISPs can investigate computer abuse committed by their customers.
True
If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime you run the risk of becoming an agent of law enforcement.
True
A judge can exclude evidence obtained from a poorly worded warrant.
True
The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene’s immediate location.
True
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.
False
The most common computer-related crime is check fraud.
True
Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs) which always get funding from the government or other agencies.
False
Some cases involve dangerous settings. For these types of investigations you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.
True
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner employees have an expectation of privacy.
True
When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant which allows the police to present all evidence together.
False
When federal courts are evaluating digital evidence from computer-generated records what exception is applied to hearsay?
Business-records exception
Under what circumstances are digital records considered admissible?
If they qualify as business records
What type of records are considered data that the system maintains such as system log files and proxy server logs?
Computer-generated records
When was the Freedom of Information Act originally enacted?
1967
Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes?
Investigating and controlling the scene is much easier in private sector environments.
At a minimum what do most company policies require that employers have in order to initiate an investigation?
Reasonable suspicion that a law or policy is being violated
When confidential business data are included with the criminal evidence what are they referred to as?
Commingled data
What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest?
Probable cause
What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?
A warrant
In addition to environmental issues, what issues are the investigator’s primary concerns when working at the scene to gather information about an incident or a crime?
Safety
When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action?
80 C
What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible?
Initial-response field kit
Which type of kit should include all the tools the investigator can afford to take to the field?
Extensive-response field kit
What type of evidence do courts consider evidence data in a computer to be?
Digital
The presence of police officers and other professionals who aren’t part of the crime scene-processing team may result in the loss or corruption of data through which process?
Professional curiosity
When seizing computer evidence in criminal investigations which organization’s standards should be followed?
Department of Justice
Power should not be cut during an investigation involving a live computer unless it is what type of system?
Older Windows or MS-DOS
What type of files might lose essential network activity records if power is terminated without a proper shutdown?
Event log
Which technique can be used for extracting evidence from large systems?
Sparse acquisition
What is required for real-time surveillance of a suspect’s computer activity?
Sniffing
The type of file system an OS uses determines how data is stored on the disk.
True
One way to examine a partition’s physical level is to use a disk editor such as WinHex or Hex Workshop.
True
As data is added the MFT can expand to take up 75% of the NTFS disk.
False
The first 5 bytes (characters) for all MFT records are FILE.
False
Alternate data streams can obscure valuable evidentiary data intentionally or by coincidence.
True
Typically a virtual machine consists of just one file.
False
From a network forensics standpoint there are no potential issues related to using virtual machines.
False
In Microsoft file structures, sectors are grouped to form clusters which are storage allocation units of one or more sectors.
True
Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.
True
It’s possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.
True
What term refers to a column of tracks on two or more disk platters?
Cylinder
How do most manufacturers deal with a platter’s inner tracks having a smaller circumference than its outer tracks?
Zone bit recording (ZBR)
What term refers to the number of bits in one square inch of a disk platter?
Areal density
Which acronym refers to the file structure database that Microsoft originally designed for floppy disks?
FAT
Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?
NTFS
What is on an NTFS disk immediately after the Partition Boot Sector?
Master File Table (MFT)
What are records in the MFT called?
FILE records
In the NTFS MFT all files and folders are stored in separate records of how many bytes each?
1024
The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition. What are these cluster addresses called?
Data runs
What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced?
Encrypting File System (EFS)
Which certificate provides a mechanism for recovering files encrypted with EFS if there is a problem with the user’s original private key?
Recovery certificate
When Microsoft created Windows 95, into what were initialization (.ini) files consolidated?
Registry
What specifies the Windows XP path installation and contains options for selecting the Windows version?
Boot.ini
Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data and then passes its findings to Ntldr?
NTDetect.com
Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS?
NTBootdd.sys
What contains instructions for the OS for hardware devices such as the keyboard mouse and video card?
Device Drivers
Which filename refers to a core Win32 subsystem DLL file?
Kernel32.dll, Advapi32.dll, User32.dll, Gdi32.dll
Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM?
Ntkrnlpa.exe
Which filename refers to the Windows XP system service dispatch stubs to executables functions and internal support functions?
Ntdll.dll
What enables the user to run another OS on an existing physical computer (known as the host computer) by emulating a computer’s hardware environment?
Hypervisor
When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.
True
In software acquisition there are three types of data-copying methods.
False
To help determine which computer forensics tool to purchase, a comparison table of functions subfunctions and vendor products is useful.
True
Computers used several OSs before Windows and MS-DOS dominated the market.
True
After retrieving and examining evidence data with one tool you should verify your results by performing the same tasks with other similar forensics tools.
True
Software forensic tools are grouped into command-line applications and GUI applications.
True
The validation function is the most challenging of all tasks for computer investigators to master.
False
Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file’s contents.
True
Because there are a number of different versions of UNIX and Linux these OSs are referred to as CLI platforms.
False
Hardware manufacturers have designed most computer components to last about 36 months between failures.
False
Which digital forensics tool is categorized as a single-purpose hardware component?
Tableau T35es-R2 SATA/IDE eSATA bridge
Where do software forensics tools copy data from a suspect’s disk drive?
Image file
Which tool enables the investigator to acquire the forensic image and process it in the same step?
Magnet AXIOM
What Linux command is used to create the raw data format?
dd
Which activity involves sorting and searching through investigation findings to separate good data and suspicious data?
Filtering
Many password recovery tools have a feature for generating potential password lists for which type of attack?
Dictionary
Which type of copy from the suspect disk to the target location does the simplest method of duplicating a disk drive make?
Physical bit-by-bit copy
What must be created to complete a forensic disk analysis and examination?
Report
The first MS-DOS tools that analyzed and extracted data from floppy disks and hard disks were used with which type of PC file systems?
IBM
In Windows 2000 and later which command shows you the file owner if you have multiple users on the system or network?
Dir
Building your own forensics workstation:
requires the time and skills necessary to support the chosen hardware.
What do you call a forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation?
portable workstation
What type of disk is commonly used with Sun Solaris systems?
SPARC
What is the general term for software or hardware that is used to protect evidence disks by preventing data from being written to them?
Write protector
Devices used to prevent data from being written to a disk can connect to a computer through FireWire, SATA, PATA, and SCSI controllers as well as which other type of controller?
USB 2.0 and 3.0
Which entity publishes articles, provides tools, and creates procedures for testing and validating computer forensics software?
NIST
Which standards document demands accuracy for all aspects of the testing process?
ISO 5725
Which NIST project manages research on forensics tools?
Computer Forensic Tool Testing (CFTT)
What is the primary hash algorithm used by the NIST project created to collect all known hash values for commercial software and OS files?
SHA-1
Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format?
Disk editor
If a file contains information it always occupies at least one allocation block.
True
macOS is built with the new Apple File System (APFS). The current version offers better security encryption and performance speeds, but users can’t mount HFS+ drives.
False
Some notable UNIX distributions included Silicon Graphics Inc. (SGI), IRIX, Santa Cruz Operation (SCO) UnixWare, Sun Solaris, IBM AIX, and HP-UX.
True
Does Windows have a kernel?
Yes
The pipe (|) character redirects the output of the command preceding it.
True
All disks have more storage capacity than the manufacturer states.
True
Before OS X, the Hierarchical File System (HFS) was used in which files are stored in directories (folders) that can be nested in other directories.
True
The HFS and HFS+ file systems have four descriptors for the end of a file (EOF).
False
Ext3 is a journaling version of Ext2 that has a built-in file recovery mechanism used after a crash.
True
In macOS, volume fragmentation is kept to a minimum by removing clumps from larger files.
False
Macintosh moved to the Intel processor and became UNIX based with which operating system?
OS X
In older versions of macOS, in which fork are file metadata and application information stored?
Resource fork
