The passphrase needed to connect to a Wi-Fi network on a Windows computer is stored in the Windows registry.
true (on Windows Vista and later the WLAN profile itself is stored as XML under %ProgramData%\Microsoft\Wlansvc\Profiles\Interfaces, with the key material protected by DPAPI; the registry holds the list of known networks)
Steven is a forensic examiner. He wants to examine the pictures across all user profiles to look for evidence of malicious activity. Where should he begin his search for these files?
C:\Users
In Windows 10, the Recycle Bin is located in a hidden directory.
true ($Recycle.Bin at the root of each volume, with one subfolder per user SID)
Someone has attempted to gain unauthorized access to data files on Robert's machine. He would like to investigate whether any forensic evidence has been left behind. Of the following, where should Robert start his search?
The Event Viewer Security log.
In Windows, the System Resource Usage Monitor (SRUM) database collects data on executables.
true
Some malware on Windows computers can modify the Windows registry.
true
During the boot process of a Windows computer, NTLDR must begin loading file system drivers before the master boot record (MBR) can pass control to the boot sector on the boot partition.
false (the order is the reverse: the MBR hands off to the boot sector, which loads NTLDR, which then loads the drivers; Windows Vista and later use bootmgr and winload.exe instead of NTLDR)
Regarding the Windows boot process, the term power-on self-test (POST) refers to a brief hardware test that the basic input/output system (BIOS) performs upon boot-up.
true
What is the definition of "stack"?
Memory that is allocated on the last-in, first-out (LIFO) principle.
A ---------- is a software program that appears to be a physical computer and executes programs as if it were a physical computer.
virtual machine
When performing volatile data analysis, you must compute the hash before and after completing the memory capture.
false (live memory changes constantly, so there is nothing stable to hash beforehand; hash the captured image once it has been written, and record that hash)
---------- is a Windows file that serves as the interface to the hardware.
Hal.dll (the Hardware Abstraction Layer)
In Windows, when copying or cutting a file to a different partition, the file retains the rights of the source folder.
false (the new copy inherits the permissions of the destination folder)
Windows registry keys have an associated value called LastWriteTime, which is similar to the date stamp on a file or folder.
true (each key stores a 64-bit FILETIME that is updated when the key or its values change; individual values carry no timestamp of their own)
Volume Shadow Copy Service (VSS) is a Windows service related to backups.
true
In Windows, file permissions never change when moving a file.
false (a move within the same NTFS volume keeps the file's explicit ACL, but a move to another volume is a copy and inherits the destination folder's permissions)
A suspect erased their browsing history on their computer. The computer has Microsoft Internet Explorer installed. The forensic investigator must retrieve recently visited web addresses and recently opened files. What should the investigator do?
Download a tool that allows retrieval and review of the index.dat file. (index.dat applies to Internet Explorer 9 and earlier; IE10 and later keep this data in the WebCacheV01.dat ESE database.)
The ---------- file is responsible for managing services on a Windows computer.
Services.exe (the Service Control Manager). Smss.exe, the Session Manager Subsystem, starts the Windows subsystem and the logon process rather than managing services.
When a Windows computer connects to a wireless network, the service set identifier (SSID) is logged as a preferred network connection and can be found in the Windows registry.
true (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles, together with first- and last-connected timestamps)
A hacker installed an application on a computer to recover deleted files and then uninstalled the application to hide her tracks. Where would a forensic examiner most likely find evidence that the application was once installed?
HKLM\SOFTWARE (for example, leftover vendor keys or entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall)
Open-source software means that the source code is available for anyone who wants to modify, repackage, and distribute it.
true
Lin is a Linux administrator. She is performing routine maintenance on a server. She wants to view the various disk partitions to see information such as the disk size, device, blocks, and file systems. Which command must Lin issue in the shell?
fdisk (for example, fdisk -l)
Which Linux shell command lists the various partitions?
fdisk
GNOME is a graphical desktop environment for Linux.
true
The Berkeley Fast File System is also known as the Reiser file system.
false
Tmpfs is a Linux file system whose contents reside only in memory.
true (its pages may be moved to swap under memory pressure, so a swap image can still contain tmpfs data)
During the kernel stage of the Linux boot process on x86, the system switches the CPU from ------------ to ------------.
real mode, protected mode
Which Linux shell command deletes or removes a file?
rm
You are a forensic specialist learning about the Linux operating system. As the system boots, messages display on the Linux boot screen. However, the messages scroll too quickly for you to read. What command can you use after the machine has completely booted to read the boot messages?
dmesg
In Linux, a partition is a data structure in the file system that stores all the information about a file except its name and its actual data.
false (that describes an inode; a partition is a region of the disk that holds a file system)
The Linux who command returns information regarding a specific user.
false (who lists the users currently logged in)
The Linux dmesg command enables you to view a log (the kernel ring buffer).
true
The Linux ---------- file is where the boot-up process and operation are set on SysV-init systems. It contains entries such as label, run level, process, and boot action.
/etc/inittab (distributions that boot with systemd do not use this file)
What is a modern and widely used Linux boot loader?
GRUB
In Linux, the grep command is used to invoke super-user mode.
false (grep searches text for patterns; su or sudo provide super-user privileges)
In Linux, /var/log/lpr.log is the printer log.
true
The Linux ext4 file system can support single files up to terabytes in size.
true (up to 16 TiB with 4 KiB blocks)
In Linux, the process of mounting a drive involves the operating system accessing the drive and making its file system available at a mount point in the directory tree.
true
In a Linux directory, what circumstance must occur for a file to be deleted?
The inode's link count must reach zero. (Removing a directory entry only removes one name; the inode and its data blocks are freed once no names and no open file descriptors refer to it.)
In Linux, as with Windows, the ---------- is the first sector on any disk.
boot sector (the master boot record, MBR, on MBR-partitioned disks)
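The link-count card above, as an added, runnable Python example that is not part of the original study set. It shows that removing a name (what rm does) leaves the data intact while another hard link exists, and that even a file with no remaining names survives while a process holds it open. The file names and content are constructed for the example; it assumes a POSIX file system that supports hard links.

```python
"""Added example: why 'rm' does not necessarily delete a file's data.

A directory entry is only a name that points at an inode; the inode tracks how
many names (hard links) point at it. unlink/rm removes one name and decrements
that count. The inode and its data blocks are freed only when the count reaches
zero and no process still holds the file open.
"""
import os
import tempfile


def write_sample(path):
    """Create a small file with constructed content for the demonstration."""
    with open(path, "w") as f:
        f.write("constructed sample content, not real evidence\n")


def link_count_demo():
    """Return (nlink after os.link, nlink after removing the original name,
    whether both names shared one inode, whether the data was still readable)."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence.txt")
        second_name = os.path.join(workdir, "evidence_link.txt")
        write_sample(original)

        os.link(original, second_name)                # a second name for the same inode
        same_inode = os.stat(original).st_ino == os.stat(second_name).st_ino
        after_link = os.stat(second_name).st_nlink    # expected 2

        os.unlink(original)                           # what 'rm evidence.txt' does
        after_unlink = os.stat(second_name).st_nlink  # expected 1: the data survives
        with open(second_name) as f:
            still_readable = f.read().startswith("constructed sample")

        os.unlink(second_name)                        # count -> 0: inode and blocks freed
        return after_link, after_unlink, same_inode, still_readable


def open_handle_demo():
    """Unlink a file's only name while a descriptor is open; the inode lives on.

    This is the deleted-but-open case an examiner recovers through /proc/<pid>/fd
    on a live Linux system. Returns (nlink seen through the open fd, readable)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "open_and_deleted.txt")
        write_sample(path)
        fd = os.open(path, os.O_RDONLY)
        try:
            os.unlink(path)                           # no names remain...
            nlink = os.fstat(fd).st_nlink             # ...so the link count is 0...
            data = os.read(fd, 64).decode()           # ...yet the data is still readable
        finally:
            os.close(fd)                              # last reference dropped: now freed
        return nlink, data.startswith("constructed sample")


if __name__ == "__main__":
    print(link_count_demo())   # (2, 1, True, True)
    print(open_handle_demo())  # (0, True)
```

The practical consequence for an examiner: a file that appears deleted may still be fully intact under another name, or reachable through the descriptor of a running process, until the last reference is released.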
In the HFS+ file system, aliases allow you to have multiple references to a single file or directory.
true
Within the HFS+ file system, what allows you to have multiple references to a single file or directory?
aliases
A Mac OS user moves 12 critical files to the Trash and then empties the Trash. How can you recover these files for analysis?
Leverage third-party software to recover the files.
The /Library/Preferences/SystemConfiguration/com.apple.preference file contains the network configuration data for each network card.
true
You need to review the swap file on an Apple computer. Where is the swap file located?
/var/vm (/var is a symbolic link to /private/var)
Mac OS Hierarchical File System Plus (HFS+) performs defragmentation on a per-file basis.
true
In Mac OS, the -------- folder contains information about system and software updates.
/Library/Receipts
In Mac OS, the -------- directory contains information about servers, network libraries, and network properties.
/Network
When performing forensics on an Apple computer, what operating system are you most likely to encounter?
Mac OS (Mac OS X, now macOS)
What feature, first released with OS X 10.10 (Yosemite), potentially allows evidence related to a cell phone to be found on a Mac OS computer?
Handoff
When a file is deleted on an HFS or HFS+ volume, the references to the file are gone and its allocation blocks (clusters) may be reused and overwritten.
true
You need to examine an Apple device and do not have the password. What is the correct sequence of actions to take to obtain the password?
Enter Recovery Mode, launch Disk Utility, disable System Integrity Protection, export the plist file, convert the file to a text format, and then run the file through a hash utility.
Melissa is beginning an investigation of an older Apple computer. She wants to determine when the system volumes were created. What is the best way for her to approach discovering this data?
Examine the volume header in the third 512-byte sector (sector 2, byte offset 1024) of the HFS+ volume, which stores the volume creation date.
You are investigating a criminal case. The suspect has been accused of stealing crucial industry data from his workplace after being fired. His Apple computer has been brought to you to see if the stolen data may have been transferred onto the machine. Which log directory is the most critical and should be reviewed first?
/var/log
In Mac OS, the /etc directory contains information about system and software updates.
false
In Mac OS, the ------- shell command returns the hardware information for the host system. This provides information useful for the basic documentation of the system prior to beginning your forensic examination.
system_profiler SPHardwareDataType
In Mac OS, the -------- directory contains information about mounted devices.
/Volumes
Because time is sometimes critical to a case, a digital forensic examiner does not always need prior authorization to access a computer to check for evidence.
false
In Mac OS, the --------- shell command lists the current device files that are in use.
ls /dev/disk?
Priyanka is a forensic investigator. She is at an office where a Macintosh computer was used in a suspected crime. The computer is still running. Priyanka wants to image the disk before transporting the computer to the forensic lab. She also wants to avoid accidentally altering information on the computer's hard disk. What should she do first?
Put the computer in Target Disk Mode. (The exposed disk should then be attached through a write blocker, or the imaging host's automatic mounting disabled, so the examining machine never writes to it.)
You are a forensic investigator researching an email sent with malicious intent. The sender used an email web service to transmit the message. The receiver also used an email web service. Both the sender and receiver deleted the message and then deleted the message from their trash folders. What is your only possible option to recover the email?
Issue a subpoena to the service provider and possibly recover the message from a backup.
Email tracing involves examining email header information to look for clues about where a message has been.
true
What is one advantage the IMAP email protocol has over the POP3 email protocol?
IMAP allows the client to download only the email headers, so that the user can choose which messages are to be downloaded completely.
Email programs use different email formats depending on the operating system upon which they run.
false
You are a forensic investigator. You are gathering evidence regarding an email used for malicious purposes. You must present the full data from the email header in order to show from which IP address it originated. How will you read the full header?
You can view the full header by using tools in the email client (typically a "view source" or "show original" option).
Which email header field includes tracking information generated by the mail servers that have previously handled a message, in reverse order (the most recent hop appears first)?
Received
A WHOIS database contains information on Internet Protocol (IP) address registration.
true
Which law includes the following text? "Whoever knowingly uses a misleading domain name on the Internet with the intent to deceive a person into viewing material constituting obscenity shall be fined under this title or imprisoned not more than 2 years, or both."
18 U.S.C. § 2252B
What wiretapping law, passed in 1994, allows law enforcement to lawfully conduct electronic surveillance?
The Communications Assistance for Law Enforcement Act (CALEA)
If an Internet service provider (ISP) or any other communications network stores an email, retrieval of that evidence must be analyzed under __, which creates statutory restrictions on government access to such evidence from ISPs or other electronic communications service providers.
the Electronic Communications Privacy Act (ECPA)
The standard for email format, including headers, is RFC 2822.
true (RFC 2822 has since been obsoleted by RFC 5322, which keeps the same header structure)
Per RFC 2822, an email message header must include the From field and the Date field.
true
You are a forensic investigator. You are looking for clues about where an email message has been. This is a frequent task you perform. You often use audits and paper trails of email traffic as evidence in court and sometimes network tracing tools. Which task are you performing?
email tracing
Secure versions of email protocols are encrypted with Transport Layer Security (TLS).
true
Files with the .pst extension belong to which email client?
Microsoft Outlook
You are investigating an email reported by a client as malicious. The email came from a known source, passed all validity checks, and originated from a mail server not blacklisted by any blacklist service. However, the message was short and contained a link that, when clicked, loaded malicious software onto the client's server. What form of email faking are you looking at?
valid emails
Once you receive an email, it is no longer on the sending server.
false
The secure version of Simple Mail Transfer Protocol (SMTP) is SMTPS.
true
The traceroute command provides reliable routing information for an email.
false (traceroute shows the current network path to a host, not the route a message took through mail servers)
Microsoft Exchange is an email server program.
true
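The email-tracing, Received-header and RFC 2822 cards above, as an added, runnable Python example that is not part of the original study set. It parses a message, checks for the mandatory From and Date fields, rebuilds the relay path from the Received headers in chronological order (reversing the newest-first header order), reports the apparent originating IP, and flags hops whose timestamps run backwards, a common sign of a forged Received line. The sample message and the forged-header case in the test are constructed (RFC 5737 documentation address ranges and example domains); the function names are my own.

```python
"""Added example: trace a message's path from its Received headers.

The sample message below is constructed for this example; nothing here is a
real capture.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Each relay prepends its own Received line, so the topmost one is the last
# server to handle the message and the bottom one is closest to the sender.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.10])
 by mail.receiver.example (Postfix) with ESMTPS id 7AB12C
 for <alice@receiver.example>; Tue, 05 Mar 2024 10:02:31 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
 by mx1.example.net with ESMTP id 55F9A;
 Tue, 05 Mar 2024 10:02:29 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
 by relay.sender.example with ESMTPSA id 1D3E7;
 Tue, 05 Mar 2024 10:02:27 +0000
From: "Bob" <bob@sender.example>
To: alice@receiver.example
Date: Tue, 05 Mar 2024 10:02:26 +0000
Subject: invoice
Message-ID: <abc123@sender.example>

Please see the attached invoice.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def missing_required_headers(raw):
    """RFC 2822 (now RFC 5322) makes From and Date mandatory; list any that are absent."""
    msg = message_from_string(raw)
    return [name for name in ("From", "Date") if msg[name] is None]


def received_chain(raw):
    """Parse every Received header and return the hops oldest-first."""
    msg = message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())  # unfold continuation lines
        from_m = re.search(r"\bfrom\s+(\S+)", flat)
        by_m = re.search(r"\bby\s+(\S+)", flat)
        ip_m = IPV4_IN_BRACKETS.search(flat)
        # The date-time is everything after the final ';' (RFC 5322 section 3.6.7).
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    hops.reverse()  # header order is newest-first; reverse to read the path chronologically
    return hops


def originating_ip(raw):
    """The IP in the oldest Received line is the best available origin indicator."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None


def timestamp_anomalies(raw):
    """Indexes of hops (oldest-first) dated earlier than the hop before them.

    Clocks skew a little, but a hop dated well before the one beneath it in the
    header usually means the sender inserted a fake Received line.
    """
    chain = received_chain(raw)
    return [i for i in range(1, len(chain))
            if chain[i]["time"] and chain[i - 1]["time"]
            and chain[i]["time"] < chain[i - 1]["time"]]


if __name__ == "__main__":
    print("missing required headers:", missing_required_headers(SAMPLE_MESSAGE))
    for hop in received_chain(SAMPLE_MESSAGE):
        print(f'{hop["time"]}  {hop["from"]} [{hop["ip"]}] -> {hop["by"]}')
    print("apparent origin:", originating_ip(SAMPLE_MESSAGE))
    print("timestamp anomalies at hops:", timestamp_anomalies(SAMPLE_MESSAGE))
```

Only the Received line added by your own (or another trusted) server can be relied on; everything beneath it was supplied by the sending side and can be fabricated, which is why the chain is read from the trusted hop downward and checked for inconsistencies rather than taken at face value.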
iPhones routinely auto-sync when connected to a computer.
true
The National Institute of Standards and Technology (NIST) lists four different states a mobile device can be in when you extract data. The __ state is reached by a timer, which is triggered after a period of inactivity, allowing battery life to be preserved by dimming the display and taking other appropriate actions.
semi-active (the other three NIST states are nascent, active, and quiescent)
The ---------- is a set of radio transceiver equipment that enables communication between cellular devices and the mobile switching center (MSC).
base station system (BSS)
In a cellular network, the --------- database contains subscriber data and service information for roaming phones.
visitor location register (VLR)
The ---------- is a unique identification number for identifying code division multiple access (CDMA) cell phones.
electronic serial number (ESN)
To extract data from an Android phone, an examiner can use the ADB (Android Debug Bridge) shell.
true (this requires USB debugging to be enabled on the device)
What term describes a small electronic card that identifies a cellular phone subscriber to the network?
subscriber identity module (SIM)
Bill is a forensic specialist. He is preparing instructions for how to seize evidence from mobile devices. One of the rules is to make sure the examiner does not write to the device. Which of the following would ensure that an examiner does not write to the device when connecting it to a Windows computer?
On the Windows computer, set the WriteProtect value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies registry key to 0x00000001. (This software write block applies only to USB mass-storage devices; a hardware write blocker is the stronger control.)
Criminals cannot typically access system data in iOS 14.
true
The National Institute of Standards and Technology (NIST) lists four different states a mobile device can be in when you extract data. In the __ state, a device is powered on, performing tasks, and able to be customized by the user and have its file system populated with data.
active
--------- occurs when a SIM card's identifying information is copied to a different SIM card.
SIM cloning
Various releases or versions of Android have been named after wild animals.
false (releases through Android 9 were named after desserts)
In a cellular network, the -------- is the central controller coordinating the other pieces of the base station system (BSS).
base station controller (BSC)
The --------- standard for wireless communication of high-speed data for mobile devices is commonly called 4G.
Long Term Evolution (LTE)
There are numerous codes you can enter on an Android keypad, such as *#06# for the IMEI number, to get bits of information during a forensic examination.
true
Most mobile devices are able to connect to --------- networks, which have become the norm and are found freely available in restaurants, coffee shops, homes, and many other locations.
Wi-Fi
To be considered 4G, a wireless communication technology must have a speed of 100 megabits per second (Mbps) for stationary users.
false (the IMT-Advanced requirement is 100 Mbps for high-mobility users and 1 Gbps for stationary or low-mobility users)
Due to their increased bandwidth, ---------- networks are expected to serve mobile devices just like any other cellular network but also to be used as general Internet service providers (ISPs).
5G
To extract data from an Android phone or tablet, it must be in user mode.
false (developer options with USB debugging must be enabled for ADB-based extraction)
Maria is a forensic specialist. She is examining an Android mobile device for evidence of a crime. In which of the following partitions is Maria most likely to find forensically important data?
the userdata partition