Computer Forensics Chapter 6


19 Terms

1. Forensics software tools are grouped into ______ and ______ applications.

a. mobile, pc

b. portable, desktop

c. local, remote

d. GUI, command-line

d. GUI, command-line

2. Data can't be written to disk with a command-line tool.

a. true

b. false

b. false

3. When using a write-blocking device you can't remove and reconnect drives without having to shut down your workstation.

a. true

b. false

b. false

4. A log report in forensics tools does which of the following?

a. tracks file types

b. monitors network intrusion attempts

c. records an investigator's actions in examining a case

d. lists known good files

c. records an investigator's actions in examining a case

5. Which of the following is true of most drive-imaging tools?

a. They perform the same function as a backup.

b. They ensure that the original drive doesn't become corrupt and damage the digital evidence.

c. They must be run from the command line.

d. All of the above

b. They ensure that the original drive doesn't become corrupt and damage the digital evidence.

6. In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results.

a. true

b. false

b. false

7. According to ISO standard 27037, which of the following is an important factor in data acquisition?

a. The DEFR's competency

b. The DEFR's skills in using the command line

c. Conditions at the acquisition setting

d. None of the above

a. The DEFR's competency

8. Hash values are used for which of the following purposes?

a. Determining file size

b. Filling disk slack

c. Reconstructing file fragments

d. Validating that the original data hasn't changed

d. Validating that the original data hasn't changed

9. A live acquisition can be replicated.

a. True

b. False

b. False

10. Building a forensic workstation is more expensive than purchasing one.

a. True

b. False

b. False

11. The primary hashing algorithm the NSRL project uses is SHA-1.

a. True

b. False

a. True

12. Hardware acquisition tools typically have built-in software for data analysis.

a. True

b. False

b. False

13. Hashing, filtering, and file header analysis make up which function of digital forensics tools?

a. Validation and verification

b. Acquisition

c. Extraction

d. Reconstruction

a. Validation and verification

14. An encrypted drive is one reason to choose a logical acquisition.

a. True

b. False

a. True

15. When validating the results of a forensic analysis, you should do which of the following?

a. Calculate the hash value with two different tools.

b. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results.

c. Use a command-line tool and then a GUI tool.

d. None of the above

a. Calculate the hash value with two different tools.

16. Data viewing, keyword searching, and decompressing are three subfunctions of the extraction function.

a. True

b. False

a. True

17. The reconstruction function is needed for which of the following purposes?

a. Re-create a suspect drive to show what happened.

b. Create a copy of a drive for other investigators.

c. Re-create a drive compromised by malware.

d. All of the above

d. All of the above

18. The verification function does which of the following?

a. Proves that a tool performs as intended

b. Creates segmented files

c. Proves that two sets of data are identical via hash values

d. Verifies hex editors

c. Proves that two sets of data are identical via hash values

19. The standards for testing forensics tools are based on which criteria?

a. ISO 17025

b. ASTD 1975

c. U.S. Title 18

d. All of the above

a. ISO 17025