Digital Forensics CSC 280 Midterm

Last updated 7:11 PM on 10/10/23
172 Terms

1
Digital forensics and data recovery refer to the same activities.

false

2
Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?

digital investigations

3
After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.

true

4
To be a successful computer forensics investigator, you must be familiar with more than one computing platform.

true

5
Determining the OS of the suspect computer and listing the software needed for the examination are some ways to determine the resources needed for an investigation. True or False?

true

6
You should always prove the allegations made by the person who hired you. True or False?

false

7
Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?

false

8
Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?

false

9
What process refers to recording all the updates made to a workstation?

configuration management

10
Which activity involves determining how much risk is acceptable for any process or operation?

risk management

11
The ANSI-ASQ National Accreditation Board (ANAB) is a wholly owned subsidiary of the American Society of Crime Laboratory Directors (ASCLD).

false

12
Digital forensics facilities always have windows. True or False?

false

13
Evidence storage containers should have several master keys. True or False?

false

14
The ANAB mandates the procedures established for a digital forensics lab. True or False?

false

15
To determine the types of operating systems needed in your lab, two sources of information you could use are Uniform Crime Report statistics for your area and a list of cases handled in your area or at your company. True or False?

true

16
Popular certification programs for digital forensics include: IACIS, CFCE, CCFP, HTCN, EnCE, ACE, ISFCE, and CCE. True or False?

true

17
If a visitor to your digital forensics lab is a personal friend, it's not necessary to create a log record for this visit.

false

18
By what percentage can lossless compression reduce image file size?

50%

19
In which RAID configuration do two or more disk drives become one large volume, so the computer views the disks as a single disk?

raid 0

20
What option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512?

hash

21
With newer Linux kernel distributions, if you connect a hot-swappable device, such as a USB drive, containing evidence, it will automatically mount the USB device, which could alter data on it. True or False?

true

22
In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the dcfldd command "dcfldd if=image_file.img of=/dev/hda1" correct?

no

23
A hashing algorithm is a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk. True or False?

true

24
4 GB is the maximum file size when writing data to a FAT32 drive. True or False?

false

25
FTK Imager can acquire data in a drive's host protected area. True or False?

false

26
Of all the proprietary formats, Expert Witness, used by Guidance Software EnCase, is the unofficial standard. True or False?

true

27
A logical acquisition collects only specific files of interest to the case for an investigation. True or False?

true

28
For an investigation, a sparse acquisition should not collect fragments of unallocated data in addition to the logical allocated data. True or False?

false

29
Which tool enables the investigator to acquire the forensic image and process it in the same step?

Magnet AXIOM

30
Because there are a number of different versions of UNIX and Linux, these OSs are referred to as CLI platforms.

false

31
Hardware manufacturers have designed most computer components to last about 36 months between failures.

false

32
When validating the results of a forensics analysis, you should do which of the following?

calculate the hash value with two different tools

33
Hardware acquisition tools typically have built-in software for data analysis. True or False?

false

34
Data can't be written to disk with a command-line tool. True or False?

false

35
Macintosh moved to the Intel processor and became UNIX based with which operating system?

OS X

36
On a Linux computer, what contains group memberships for the local system?

/etc/group

37
In macOS, volume fragmentation is kept to a minimum by removing clumps from larger files.

false

38
The pipe (|) character redirects the output of the command preceding it.

true

39
In macOS, the Disk Arbitration feature can be used to disable and enable automatic mounting when a drive is connected via a USB or FireWire device. True or False?

true

40
On most Linux systems, current user login information is in which of the following locations?

/var/log/utmp

41
Which of the following is the main challenge in acquiring an image of a system running macOS?

vendor training is needed

42
Which of the following Linux system files contains hashed passwords for the local system?

/etc/shadow

43
Which of the following describes the superblock's function in the Linux file system?

manages the file system, including config information

44
A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?

data recovery

45
What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?

an affidavit

46
What is most often the focus of digital investigations in the private sector?

misuse of digital assets

47
What must be done, under oath, to verify that the information in the affidavit is true?

it must be notarized

48
What term refers to the individual who has the power to conduct digital forensic investigations?

authorized requester

49
When an investigator seeks a search warrant, which of the following must be included in an affidavit to support the allegation of a crime?

exhibits

50
Which doctrine, found to be unconstitutional, was used to allow a civilian or private-sector investigative agent to deliver evidence obtained in a manner that violated the Fourth Amendment to a law enforcement agency?

Silver-platter

51
Which Pacific Northwest agency meets to discuss problems that digital forensics examiners encounter?

CTIN

52
Which type of case involves charges such as burglary, murder, or molestation?

criminal

53
Computer investigations and forensics fall into the same category: public investigations.

false

54
The definition of digital forensics has evolved over the years from simply involving securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases.

true

55
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.

false

56
The purpose of an affidavit is to provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant. True or False?

true

57
What is NOT true about the necessary components of a search warrant?

a search warrant cannot limit the scope of what can be seized.

58
Which of the following items should not be on an evidence custody form?

- Location where evidence was obtained

- Description of the evidence

- Nature of the case

- Case number

- None

- Name of the investigator assigned to the case

None

59
In a standard risk assessment, you list problems that might happen when conducting an investigation, which can help in planning your case. True or False?

true

60
For digital evidence, an evidence bag is typically made of antistatic material. True or False?

false

61
Evidence media should be write-protected to make sure data isn't altered. True or False?

true

62
Items such as an explanation of basic computer and network processes, a narrative of what steps you took, a description of your findings, and log files generated from your analysis tools should be in your case report. True or False?

true

63
To improve your work, you should always critique your case after it's finished. True or False?

true

64
Police in the United States must use procedures that adhere to which of the following?

Fourth Amendment

65
A list of people who have had physical possession of the evidence is called chain of custody. True or False?

true

66
The triad of computing security includes ...

vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation

67
The purpose of maintaining a network of digital forensics specialists is to develop a list of colleagues who specialize in areas different from your own specialties in case you need help on an investigation. True or False?

true

68
Policies can address rules for which of the following?

- When you can log on to a company network from home.

- The amount of personal e-mail you can send.

- The internet sites you can or cannot access.

Any of these options

69
Statements that the organization has the right to monitor what users do should appear on a warning banner. True or False?

true

70
Fraud, embezzlement, insider trading, espionage, and e-mail harassment are the types of digital investigations typically conducted in a business environment. True or False?

true

71
Professional conduct includes:

ethics, morals, and standards of behavior.

72
An employer can be held liable for e-mail harassment. True or False?

true

73
At what distance can the EMR from a computer monitor be picked up?

1/2 mile

74
At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?

the digital forensics lab

75
How frequently does IACIS require recertification to demonstrate continuing work in the field of computer forensics?

every 3 years

76
In addition to FAT16, FAT32, and Resilient File System, which file system can Windows hard disks also use?

NTFS

77
Methods for restoring large data sets are important for labs using which type of servers?

RAID

78
What is the maximum amount of time computing components are designed to last in normal business operations?

36 months

79
What material is recommended for secure storage containers and cabinets?

steel

80
What type of plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing?

disaster recovery

81
A forensics analysis of a 6 TB disk, for example, can take several days or weeks.

true

82
By using marketing to attract new customers or clients, you can justify future budgets for the lab's operation and staff.

true

83
Computing systems in a forensics lab should be able to process typical cases in a timely manner.

true

84
If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately.

false

85
What items should you research before enlisting in a certification program?

acceptability in your chosen area of employment, requirements, and the costs

86
Large digital forensics labs should have at least two exits. True or False?

true

87
Typically, a regional lab has a separate storage area or room for evidence. True or False?

true

88
A forensic workstation should always have a direct broadband connection to the Internet. True or False?

false

89
Which organization provides good information on safe storage containers?

NISPOM

90
Which organization has guidelines on how to operate a digital forensics lab?

ASCLD

91
TEMPEST is the term that refers to labs constructed to shield EMR emissions. True or False?

true

92
Building a business case can involve which of the following?

testing software, protecting trade secrets, and procedures for gathering evidence

93
The manager of a digital forensics lab is responsible for which of the following?

knowing the lab objectives, making necessary changes in lab procedures and software, and ensuring that staff members have enough training to do the job

94
Your business plan includes ...

what OSs your lab commonly examines, why you need certain software, physical security items, how many machines are needed, how your lab will benefit the company

95
To maintain the chain of custody and prevent data from being lost, corrupted, or stolen, you have to have a secure digital forensics lab. True or False?

true

96
The main goal of a static acquisition is preservation of digital evidence. True or False?

true

97
In addition to md5sum, which hashing algorithm utility is included with current distributions of Linux?

sha1sum

98
What command displays pages from the online help manual for information on Linux commands and their options?

man

99
What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult?

whole disk encryption

100
What is the most common and flexible data-acquisition method?

disk-to-image file copy