Quiz: Module 03 The Investigator's Laboratory and Digital Forensics Tools

21 Terms

1

Which of the following should be considered when building a business case for developing a forensics lab? (Choose all that apply.)

a. Procedures for gathering evidence

b. Testing software

c. Protecting trade secrets

d. The organization's digital forensics needs

a. Procedures for gathering evidence

b. Testing software

c. Protecting trade secrets

d. The organization's digital forensics needs

2

ANAB mandates the procedures established for a digital forensics lab. True or False?

False

3

What is the purpose of the reconstruction function of a digital forensics tool?

a. The reconstruction function in a digital forensics program will extract additional evidence from a suspect's disk image.

b. The reconstruction function only rebuilds data carved from a disk image file.

c. The reconstruction function is a copy of a logical partition to another logical partition.

d. The reconstruction function duplicates a suspect's drive.

d. The reconstruction function duplicates a suspect's drive.

4

What type of information can help you to determine the types of operating systems needed in your lab? (Choose all that apply.)

a. Types of computing assets of your organization

b. Computer sales marketing trends for your community

c. Typical computing assets found in your community

d. Uniform Crime Report statistics for your area and a list of cases handled in your area

a. Types of computing assets of your organization

c. Typical computing assets found in your community

d. Uniform Crime Report statistics for your area and a list of cases handled in your area

5

What types of expenses and ongoing costs should be included in a business case for a digital forensics lab? (Choose all that apply.)

a. Anticipated specialized training costs for personnel

b. Digital media evidence lockers

c. Digital forensics hardware and software with prices

d. Consumable items such as flash drives, CDs, and DVDs

a. Anticipated specialized training costs for personnel

b. Digital media evidence lockers

c. Digital forensics hardware and software with prices

d. Consumable items such as flash drives, CDs, and DVDs

6

Why is physical security so critical for a digital forensics lab?

a. To keep the lab working area free from dust and dirt

b. To keep the lab a safe working environment for visitors

c. To ensure lab operation costs are kept low

d. To maintain the chain of custody and prevent data from being lost, corrupted, or stolen

d. To maintain the chain of custody and prevent data from being lost, corrupted, or stolen

7

If a visitor to your digital forensics lab is a personal friend, it's not necessary to have them sign the visitor's log. True or False?

False

8

A forensic lab should have a master key that opens the locks for several different evidence storage containers. True or False?

False

9

A forensic workstation should always have a direct broadband connection to the Internet. True or False?

False

10

What document provides good information on safe storage containers?

a. ISO 27037

b. ISO 17025

c. NISPOM

d. ISO 5725

c. NISPOM

11

According to ISO standard 27037, which of the following is an important factor in data acquisition? (Choose all that apply.)

a. DEFR's competency

b. DEFR's skills in using the command line

c. Use of validated tools

d. Conditions at the acquisition setting

a. DEFR's competency

c. Use of validated tools

12

Hashing analysis makes up which function of digital forensics tools?

a. Validation and verification

b. Acquisition

c. Extraction

d. Reconstruction

a. Validation and verification

13

Digital forensics hardware acquisition tools typically have built-in hashing capabilities. True or False?

True

14

The reconstruction function of a forensics tool can be used for which of the following? (Choose all that apply.)

a. Re-create a suspect drive to show what happened.

b. Create a copy of a drive for other investigators.

c. Recover file headers.

d. Re-create a drive compromised by malware.

a. Re-create a suspect drive to show what happened.

b. Create a copy of a drive for other investigators.

d. Re-create a drive compromised by malware.

15

Which of the following are subfunctions associated with data extraction for digital forensics acquisition tools? (Choose all that apply.)

a. Tagging data of interest to the examination

b. Copying fragmented data located in unallocated disk space

c. Searching for specific data sets of interest

d. Exploring and examining the contents of data sets of interest

a. Tagging data of interest to the examination

b. Copying fragmented data located in unallocated disk space

c. Searching for specific data sets of interest

d. Exploring and examining the contents of data sets of interest

16

Data can't be written to a disk drive with a command-line tool. True or False?

False

17

In testing tools, the term "reproducible results" means that you get the same results every time a tool is used on the same digital evidence. True or False?

False

18

The verification function does which of the following?

a. Proves that a tool performs as intended.

b. Creates segmented files.

c. Proves that two sets of data are identical via hash values.

d. Verifies hex editors.

c. Proves that two sets of data are identical via hash values.

19

What is the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?

a. Write-blockers provide additional firewall protection for suspect computers.

b. Write-blockers are specifically designed to detect malware on a suspect's computer.

c. USB or FireWire write-blockers provide plug-and-play access to disk drives.

d. Write-blockers allow for USB or FireWire connections between computers, similar to a local area network.

c. USB or FireWire write-blockers provide plug-and-play access to disk drives.

20

Which of the following criteria must be met when implementing new hardware or software for a digital forensics lab? (Choose all that apply.)

a. Identify forensics category requirements.

b. Identify test cases.

c. Establish a test method.

d. Analyze cost of the hardware or software.

a. Identify forensics category requirements.

b. Identify test cases.

c. Establish a test method.

21

A log report in forensics tools does which of the following?

a. Tracks file types

b. Monitors network intrusion attempts

c. Records an investigator's actions in examining a case

d. Lists known good files

c. Records an investigator's actions in examining a case