When gathering systems evidence what is not a common principle quizlet?
|
A sector is the basic unit of data storage on a hard disk, which is usually 64 KB. (T or F) Show False A suspect stores data where an investigator is unlikely to find it. What is this technique called? A. Data hiding Data destruction
A warrant is not needed when evidence is in plain sight. (T or F) True Computer forensics is the exclusive domain of law enforcement. (T or F) False Demonstrative evidence means information that helps explain other evidence. An example of demonstrative evidence is a chart that explains a technical concept to the judge and jury. (T or F) True Disk forensics refers to the process of examining malicious computer code. (T or F) False Ed is an expert witness providing testimony in court. He uses a high-tech computer animation to explain a technical concept to the judge and jury. What type of evidence is Ed using? A. Demonstrative Demonstrative Generally, __________ is considered to be the use of analytical and investigative techniques to identify, collect, examine, and preserve evidence or information that is magnetically stored or encoded. A. digital evidence computer forensics If you change the extension of a file so it looks like some other type of file, you also change the file structure itself. (T or F) False Internet forensics is the study of the source and content of email as evidence. (T or F) False Investigators must authenticate documentary evidence. (T or F) True Malware forensics is also known as Internet forensics. (T or F) False One must be able to show the whereabouts and custody of evidence, how it was handled, stored and by whom, from the time the evidence is first seized by a law enforcement officer or civilian investigator until the moment it is shown in court. This is referred to as ________. A. real evidence chain of custody One way to obscure information is to scramble it by encryption. (T or F) True Real evidence means physical objects that can be touched, held, or directly observed, such as a laptop with a suspect's fingerprints on it. (T or F) True Susan is a hacker. After breaking into a computer system and running some hacking tools, she deleted several files she created to cover her tracks. What general term describes Susan's actions? A. Anti-forensics Anti-forensics The Electronic Communications Privacy Act of 1986 protects children 13 years of age and younger from the collection and use of their personal information by websites. (T or F) False The Federal Bureau of Investigation (FBI) is the premier federal agency tasked with combating cybercrime. (T or F) False
The Windows Registry is essentially a repository of all settings, software, and parameters for Windows. (T or F) True The __________ command is used to send a test network packet, or echo packet, to a machine to determine if the machine is reachable and how long the packet takes to reach the machine. A. ipconfig ping The __________ contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies. A. Computer Security Act of 1987 Sarbanes-Oxley Act of 2002 The __________ is a federal wiretap law for traditional wired telephony that was expanded to include wireless, voice over internet protocol (VoIP), and other forms of electronic communications. A. Telecommunications Act of 1996 Communications Assistance for Law Enforcement Act of 1994 The __________ is the continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered. A. documentary evidence chain of custody The __________ protects journalists from being required to turn over to law enforcement any work product and documentary material, including sources, before it is disseminated to the public. A. Communications Assistance for Law Enforcement Act of 1994 Privacy Protection Act of 1980 The __________ was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information. A. Telecommunications Act of 1996 Computer Security Act of 1987 The number 22 for SSH (Secure Shell) and 80 for Hypertext Transfer Protocol (HTTP) are examples of ________. A. Logical port numbers Logical port numbers The objective in computer forensics is to recover, analyze, and present computer-based material in such a way that it can be used as evidence in a legal proceeding. (T or F) True The process of acquiring and analyzing information stored on physical storage media, such as computer hard drives or smartphones is the definition of anti-forensics. (T or F) False The term ______ refers to testimony taken from a witness or party to a case before a trial. A. real evidence deposition The underlying operating system of Mac OS X is based on Windows. (T or F) False To avoid changing a computer system while examining it, make a forensic copy and work with that copy. (T or F) True Volatile memory is computer memory that requires power to maintain the data it holds.(T or F) True What is NOT true of random access memory (RAM)? A. It is volatile memory. It cannot be changed. What is the process of searching memory in real time, typically for working with compromised hosts or to identify system abuse? A. Live system forensics Live system forensics What term describes data about information, such as disk partition structures and file tables? A. Potential storage Metadata What term describes information that forensic specialists use to support or interpret real or documentary evidence? For example, a specialist might demonstrate that the fingerprints found on a keyboard are those of a specific individual. A. Digital evidence Testimonial evidence __________ is data stored as written matter, on paper or in electronic files. A. Documentary evidence Documentary evidence __________ is information that has been processed and assembled to be relevant to an investigation, and that supports a specific finding or determination. A. The Daubert Standard Digital evidence __________ is the concept that any scientific evidence presented in a trial has to have been reviewed and tested by the relevant scientific community. A. Consistent scientific manner The Daubert Standard A SYN flood is an example of a(n) _______. A. distributed denial of service (DDoS) attack denial of service (DoS) attack A SYN flood is software that self-replicates. (T or F) False A denial of service (DoS) attack typically does NOT harm data on the target server. (T or F) True A distributed denial of service (DDoS) attack is possible with traditional telephone systems by using an automatic dialer to tie up target phone lines. (T or F) True Aditya is a digital forensics specialist. He is investigating the computer of an identity theft victim. What should he look for first? A. Evidence of an SQL injection attack Spyware An attacker may distribute a logic bomb via a Trojan horse. (T or F) True Any attempt to gain financial reward through deception is called ______. A. social engineering fraud Ben was browsing reviews on a sporting goods website from which he purchased items in the past. He saw a comment that read "Great price on camping gear! Read my review." When he clicked the associated link, a new window appeared and prompted him to log in again. What type of attack is most likely underway? A.
Spear phishing Cross-site scripting (XSS) China Eagle Union is __________. A. a spyware program a Chinese cyberterrorism group Denial of service (DoS) attack refers to the type of password crackers that work with pre-calculated hashes of all passwords available within a certain character space. (T or F) False During an attack, hackers break into computer systems and steal secret defense plans of the United States. This is an example of a Trojan horse. (T or F) False Email evidence would be useful for investigating cyberstalking but not a denial of service (DoS) attack. (T or F) True Fraud refers to a broad category of crime that can encompass many different activities, but essentially, any attempt to gain financial reward through deception. (T or F) True Identity theft refers to any software that monitors activity on a computer. (T or F) False If an attacker doesn't spoof a MAC address, each packet sent in a denial of service (DoS) attack contains evidence of the machine from which it was launched. (T or F) True It is legal to monitor the computers of adult relatives as long as they are living in your home. (T or F) False Macro and polymorphic are types of viruses. (T or F) True Malware that executes damage when a specific condition is met is the definition of __________. A. SYN attack logic bomb Malware that executes damage when a specific condition is met is the definition of a Trojan horse. (T or F) False Most often, criminals commit __________ in order to perpetrate some kind of financial fraud. A. identity theft identity theft Ophcrack is a tool that cracks local passwords on Windows systems. (T or F) True Ophcrack uses cross-site scripting to crack passwords. (T or F) False Spyware software is legal, if used correctly. (T or F) False The Tribal Flood Network (TFN) is one of the most widely deployed viruses. (T or F) False The act of wrongfully obtaining another person's personal data is a crime, with or without stealing any money. (T or F) True The distribution of illegally copied materials via the Internet is known as __________. A. Cybercrime Data piracy The process of connecting to a server and exchanging packets containing acknowledgment (ACK) and synchronize (SYN) flags is called: A. Distributed denial of service (DDoS) attack Three-way handshake The term distributed denial of service (DDoS) attack describes the process of connecting to a server that involves three packets being exchanged. (T or F) False The use of electronic communications to harass or threaten another person is the definition of __________. A. denial of service (DoS) attack cyberstalking Viruses are difficult to locate but easy to trace back to the creator. (T or F) False What is NOT true of cyberstalking? A. The intent is to target a human victim, not a computer or network Is not a criminal offense What is a type of targeted phishing attack in which the criminal targets a specific group; forexample, IT staff at a bank? A. Service attack Spear phishing What is meant by distributed denial of service (DDoS) attack? A. Malware that executes damage when a specific condition is met An attack in which the attacker seeks to infect several machines, and use those machines to overwhelm the target system to achieve a denial of service What is the definition of a virus, in relation to a computer? A. An attacker keeps sending SYN packets but never responds to the SYN/ACK packets it receives from the server Any software that self-replicates Which of the following are subclasses of fraud? A. Investment offers and cyberstalking Investment offers and data piracy With respect to phishing, a good fictitious email gets a __________ response rate, according to the Federal Bureau of Investigation (FBI). A. 11 to 13 percent 1 to 3 percent _________ is the method used by password crackers who work with pre-calculated hashes of all passwords possible within a certain character space. A. Denial of service (DoS)
attack Rainbow Table __________ is designed to render a target unreachable by legitimate users, not to provide the attacker access to the site. A. A logic bomb A denial of service (DoS) attack __________ is the cyber equivalent of vandalism. A. A denial of service (DoS) attack A denial of service (DoS) attack __________ refers to phishing with a specific, high-value target in mind. For example, the attacker may target the president or CEO of a company. A. Bank fraud Whaling A CPU cache is not volatile, whereas a CD-ROM is volatile. (T or F) False A forensic certification is meant to demonstrate a baseline of competence. (T or F) True A system forensics specialist has three basic tasks related to handling evidence: find evidence, preserve evidence, and __________ evidence. A. store prepare According to the order of volatility in RFC 3227, what evidence should you collect first on a typical system? A. System state backup, then Registry Volatile data, then file slack An MD5 hash taken when a computer drive is acquired is used to check for changes, alterations, or errors. (T or F) True An expert witness who leaves information out of an expert report usually cannot testify about the information at trial. (T or F) True Disk Investigator is a Linux Live CD that you use to boot a system and then use the tools. (T or F) False File slack and slack space are the same thing. (T or F) True Forensic investigators who collect data as evidence must understand the __________ of information, which refers to how long it is valid. A. life span life span From the perspective of digital forensics, changing the time or date stamp on a file does not alter the file. (T or F) False Helix is a customized Linux Live CD used for computer forensics. (T or F) True How you will gather evidence and which tools are most appropriate for a specific investigation are part of ___________. A. a forensic analysis plan a forensic analysis plan Identification, preservation, collection, examination, analysis, and presentation are six classes in the matrix of the __________. A. Forensic Toolkit Digital Forensic Research Workshop (DFRWS) framework In a forensics lab, the machines being examined should not be connected to the Internet. (T or F) True Jan is entering the digital forensics field and wants to pursue a general forensics certification. Which certification is BEST to start with? A. (ISC)2 CISSP EC-Council Certified Hacking Forensic Investigator (CHFI) Life span refers to how long information is accurate. (T or F) False Making two copies of a suspect's drive, using two different imaging tools, can help to prove that evidence is accurate. (T or F) True One principal of evidence gathering is to avoid changing the evidence. Which of the following is NOT true of evidence gathering? A. Label wires and sockets so you can put everything back as it was once you get computers and other equipment into the lab. Photograph seized equipment after you set it up in the lab. Residual information in file slack is always overwritten when a new file is created. (T or F) False Storage servers in a forensics lab should be backed up at least once a month. (T or F) False The Federal Rules of Evidence (FRE) governs the admission of facts by which parties in the U.S. federal court system may prove their cases. (T or F) True The first step in any computer forensic investigation is to make a copy of the suspected storage device. ( T or F) True The information in a routing table is more volatile than a network topology. (T or F) True
The life span of information may be as short as milliseconds to longer than one year. (T or F) True To achieve American Society of Crime Laboratory Directors (ASCLD) accreditation, a lab must meet about 40 criteria. (T or F) False Use of __________ enables an investigator to reconstruct file fragments if files have been deleted or overwritten. A. the rules of evidence bit-level tools What is a formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted? A. Expert report
Expert report When gathering evidence in a forensic investigation, working with a drive image is safer than working with the original drive. (T or F) T When gathering systems evidence, what is NOT a common principle? A. Search throughout a device. Search throughout a device. Which forensic certification is open to both the public and private sectors and is specific to the use and mastery of FTK? A. High Tech Crime Network Certified Computer Crime Investigator, Advanced AccessData Certified Examiner Which of the following BEST defines rules of evidence? A. Information that has been processed and assembled so that it is relevant to an investigation and supports a specific finding or determination Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury Which of the following requires certification candidates to take an approved training course, pass a written test, and submit to a review of the candidate's work history? A.
EC-Council Certified Hacking Forensic Investigator (CHFI) High Tech Crime Network certifications You can make a bit-level copy of a computer hard drive using basic Linux commands. (T or F) True _______ is an industry certification that focuses on knowledge of PC hardware. A. EC-Council Certified Hacking Forensic Investigator (CHFI) CompTIA A+ __________ govern whether, when, how, and why proof of a legal case can be placed before a judge or jury. A. General principles Rules of evidence __________ is a Linux Live CD that you use to boot a system and then use the tools. It is a free Linux distribution, making it attractive to schools teaching forensics or laboratories on a strict budget. A. The Sleuth Kit Kali Linux __________ is a free utility that comes as a graphical user interface for use with Windows operating systems. When you first launch the utility, it presents you with a cluster-by-cluster view of your hard drive in hexadecimal form. A. Kali Linux Disk Investigator __________ is information at the level of 1s and 0s stored in computer memory or on a storage device. A.
A cluster Bit-level information __________ sets standards for digital evidence processing, analysis, and diagnostics. A. New Technologies Incorporated (NTI) The DoD Cyber Crime Center (DC3) A DVD is a type of optical media. (T or F) True A swap file is an example of persistent data. (T or F) False After imaging a drive, you must always create a hash of the original and the copy. (T or F) True
An example of volatile data is __________. A. state of network connections state of network connections Before imaging a drive, you must forensically wipe the target drive to ensure no residual data remains. (T or F) True EIDE is _________.
A. an operating system a type of magnetic drive If a hard drive has been demagnetized, there is no way to recover the data. (T or F) True Incriminating evidence shows, or tends to show, a person's involvement in an act, or evidence that can establish guilt. (T or F) True Jim is a forensic specialist. He seized a suspect computer from a crime scene, removed the hard drive and bagged it, documented and labeled the equipment, took photographs, completed a chain of custody form, and locked the computer in his car. On the way to the lab, he stopped to purchase supplies to use at the next crime scene. What did Jim do wrong? A. He made the drive
susceptible to demagnetization by bagging it. He left the computer unattended while shopping for supplies. Many USB drives come with a switch to put them in read-only mode. (T or F) True Offline analysis is another term for live analysis. (T or F) False People try to thwart investigators by using encryption to scramble information or _________ to hide information, or both together. A. scrubbers steganography RAID 1 mirrors the contents of disks. (T or F) True SHA1 and SHA2 are currently the most widely used hashing algorithms. (T or F) True Solid-state drives (SSDs) are often used in tablets and in some laptops. (T or F) True The Linux dd command is commonly used to forensically wipe a drive. ( T or F) True The Linux netcat command reads and writes bits over a network connection. (T or F) True The __________ format is a proprietary file format defined by Guidance Software for use in its forensic tool to store hard drive images and individual files. A. The Advanced
Forensic Format EnCase The benefit of using automated forensic systems is that you do not have to know how to perform all forensic processes manually. (T or F) False The only way to clean random access memory (RAM) is with cleansing devices known as sweepers or scrubbers. (T or F) False The start-up time for solid-state drives (SSDs) is usually much slower than for magnetic storage drives. (T or F) False The term scrubber refers to software that cleans unallocated drive space. (T or F) True This is the space that remains on a hard drive if the partitions do not use all the available space. A. Host protected area Volume slack Two of the easiest things to extract during __________ are a list of all website uniform resource locators (URLs) and a list of all email addresses on the computer. A. physical analysis physical analysis USB, or universal serial bus, is actually a connectivity technology, not a storage technology. (T or F) True What are attributes of a solid-state drive (SSD)? A. Tape storage and a read-only mode switch Flash memory and microchips What is the definition of hash? A. A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions What kind of data changes rapidly and may be lost when the machine that holds it is powered down? A. Persistent data Volatile data What term describes analysis performed on an evidence disk or a forensic duplicate using the native operating system? A. Network analysis Logical analysis What term describes data that an operating system creates and overwrites without the computer user directly saving this data? A.
Persistent data Temporary data What uses microchips that retain data in non-volatile memory chips and contains no moving parts? A. Integrated Drive Electronics (IDE) Solid-state drive (SSD) What version of RAID involves three or more striped disks with parity that protect data against the loss of any one disk? A. RAID 3 or 4 RAID 3 or 4 What was designed as an area where computer vendors could store data that is shielded from user activities and operating system utilities, such as delete and format? A. Volume slack Host protected area (HPA) When determining when evidence was created, a forensic specialist should not trust a computer's internal clock or activity logs. (T or F) True When seizing a suspect computer, you need to remove drives only if they are currently attached to cabling. (T or F) False Which of the following is NOT true of chain of custody forms? A. You typically need to use a separate chain of custody form for each drive you have removed from a suspect computer. A chain of custody form is a federal form and is therefore universal. Windows uses __________ on each system as a "scratch pad" to write data when additional random access memory (RAM) is needed. A. metadata a swap file _______ is the area of a hard drive that has never been allocated for file storage. A. Temporary data Unallocated space __________ contains remnants of word processing documents, emails, Internet browsing activity, database entries, and almost any other work that has occurred during past Windows sessions. A. A swap file A swap file __________ is offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system. A. Logical analysis Physical analysis A block cipher is a form of cryptography that encrypts data in blocks. (T or F) True A brute-force attack on a polyalphabetic substitution cipher can deduce the length of the keyword used in the cipher. (T or F) False Advanced Encryption Standard (AES) can have three different key sizes: 256, 512, or 1024 bits. (T or F) False Advanced Encryption Standard (AES) is also known as the Rijndael block cipher. (T or F) True Advanced Encryption Standard (AES) with a 256-bit key is secure enough for commercial applications. (T or F) True All modern block-cipher algorithms use both substitution and transposition. (T or F) True Data Encryption Standard (DES) is a stream cipher. (T or F) False Essentially, the ROT13 cipher is a multialphabet cipher, consisting of 13 possible letters. (T or F) False In World War II, the Germans made use of an electromechanical rotor-based cipher system known as __________. A. symmetric cryptography the Enigma machine In steganography, the term payload describes data to be covertly communicated. In other words, it is the message you want to hide. (T or F) True In steganography, what is meant by carrier? A. The type of medium used to send covert communications The signal, stream, or data file in which the payload is hidden Kasiski examination is a nontechnical means of obtaining information you would not normally have access to. (T or F) False Kerckhoffs' principle states that the security of a cryptographic algorithm depends only on the secrecy of the algorithm. (T or F) False Modern cryptography is separated into two distinct groups: symmetric cryptography and asymmetric cryptography. (T or F) True Multialphabet ciphers are more secure than single-alphabet substitution ciphers; however, they are still not acceptable for modern cryptographic usage. (T or F) True The Caesar and Atbash ciphers are simple substitution ciphers. (T or F) True The Caesar cipher shifts each letter of a message by a certain number and substitutes the new alphabetic letter for the letter you are encrypting. (T or F) True The Feistel function encrypts data as a stream, one bit at a time. (T or F) False The __________ cipher is a Hebrew code that substitutes the first letter of the alphabet for the last letter and the second letter for the second-to-last letter, and so forth. A. Scytale Atbash The __________ cipher is a method of encrypting alphabetic text by using a series of different monoalphabetic ciphers selected based on the letters of a keyword. A. The
ROT13 Vigenère The __________ cipher is a single-alphabet substitution cipher that is a permutation of the Caesar cipher. All characters are rotated 13 characters through the alphabet. A. Scytale ROT13 The known plaintext attack is one method used to crack modern encryption. (T or F) True The term transposition refers to the art and science of writing hidden messages. (T or F) False The total number of possible keys for Data Encryption Standard (DES) is _________, which a modern computer system can break in a reasonable amount of time. A. 56 256 The type of medium used to hide data in steganography is referred to as __________. This may be a photo, video, sound file, or Voice over IP, for example. A. the carrier the channel The word cryptography is derived from the word kryptós, which means hidden, and the verb gráfo, which means picture. (T or F) False What is meant by symmetric cryptography? A. A method in which one key encrypts the message and another key decrypts it A method in which the same key is used to encrypt and decrypt plaintext What is the definition of Feistel function? A. A form of cryptography that encrypts the data as a stream, one bit at a time A form of cryptography that encrypts the data as a stream, one bit at a time What is the definition of transposition in terms of cryptography? A. The determination of whether a file or
communication hides other information The swapping of blocks of ciphertext What name is given to a method of attacking polyalphabetic substitution ciphers? This method can be used to deduce the length of the keyword used in a polyalphabetic substitution cipher. A. Cryptanalysis Kasiski examination What term describes a method of using techniques other than brute force to derive a cryptographic key? A. Social engineering Cryptanalysis ________ is the art and science of writing hidden messages. A. Cryptanalysis Steganography __________ describes the total number of coprime numbers; two numbers are considered coprime if they have no common factors. A. Kasiski examination Euler's Totient __________ is a term that refers to hiding messages in sound files. A. Symmetric cryptography Steganophony __________ is cryptography wherein two keys are used: one to encrypt the message and another to decrypt it. A. Asymmetric cryptography Asymmetric cryptography __________ is perhaps the most widely used public-key cryptography algorithm in existence today. A. Advanced Encryption Standard RSA __________ is the process of analyzing a file or files for hidden content. A. Steganophony Steganalysis __________ obfuscates a message so that it cannot be read. A. Steganography Cryptography A symbolic link in Linux is similar to a ____________. A. Windows shortcut Windows shortcut A symbolic link is an inode that links directly to a specific file. (T or F) False A test system is a functional system compatible with the hard drive from which someone is trying to recover data. (T or F) True A(n) __________ is a data structure in the Linux file system that stores all the information about a file except its name and actual data. A. partition inode An environment that has a controlled level of contamination, such as from dust, microbes, and other particles is the definition of a __________. A. test system clean room An inode is a data structure in the Windows NTFS file system that stores all information about a file except its name and its actual data. (T or F) False Clusters in a Windows NTFS system are more likely to be overwritten as more time elapses after deletion. (T or F) True Consistency checking analysis is usually much slower than zero-knowledge analysis. (T or F) False Damage to how data is stored on a disk, such as file system corruption, is the definition of physical damage. (T or F) False Forensically scrubbing a file or folder may involve overwriting data with random characters seven times. (T or F) True In FAT and NTFS file systems, a __________ is used to map files to specific clusters where they are stored on the disk. A. table table In Windows, files that are moved to the Recycle Bin are permanently deleted. (T or F) False Infinitely recursing directories is a symptom of logical damage to a file system. (T or F) True Linux file systems use hard links and symbolic links. (T or F) True Linux stores file content in blocks, which are similar to clusters in Windows NTFS. (T or F) True Logical damage control is a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification. (T or F) False Logical damage to a disk is damage to how data is stored, for example, file system corruption. (T or F) True Logical damage to a file system is more common than physical damage. (T or F) True Paige is attempting to recover data from a failed hard disk. She removed the failed drive from the system on which it was installed, and then connected it to a test system. She made the connection by simply connecting the data and power cables but did not actually install the failed drive. What step should she perform next? A. Determine whether the failed drive is recognized and can be installed as an additional disk on the test system. Boot the test system from its own internal drive. The Linux/UNIX command __________ can be used to search for files or contents of files. A. scalpel grep The basic repair tool in Linux is _______. A. Disk Utility fsck
The basic repair tool in Mac OS is _______. A. chkdsk Disk Utility The basic repair tool in Windows is _______. A. the TestDisk utility chkdsk The file allocation table is a list of entries that map to each __________ on the disk partition. A. cluster cluster The purpose of file carving is to extract the data from a single file from the larger set of data, that is, the entire disk or partition. (T or F) True The typical sector size of a modern hard drive is _______ bytes. A.
4,096 4,096 Turning off a computer while it is booting or shutting down can lead to logical damage of its file system. (T or F) True Two techniques are common for recovering data after physical damage: consistency checking and zero-knowledge analysis. (T or F) False What is meant by zero-knowledge analysis? A. The process of searching memory in real time, typically for working with compromised hosts or to identify system abuse A technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification What name is given to a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification? A.
Logical checking Consistency checking When a file on a Windows drive is deleted, the data is removed from the drive. (T or F) False When attempting to recover a failed drive, which of the following is NOT true? A. If the failed drive installs
properly on a test system, copy all directories and files to a different hard drive on the test system. You should connect the failed drive to a test system and make the failed drive bootable. When two files claim to share the same allocation unit (or cluster), one of the files is almost certain to lose data. (T or F) True Which file recovery tool works in Linux and Mac OS, and in Windows if you compile the source code? A. WinUndelete scalpel Which of the following is NOT true of file carving? A. Most file carving utilities look for file headers or footers, and then pull out data that is found between these two boundaries. You can perform file carving on Windows and Linux files systems, but not Mac OS. Which of the following is true of hard drives? A. Clusters are always contiguous on a hard disk. File systems look at clusters, not sectors. Which operating system uses the ext file system natively? A. Linux Linux Windows 2000 and newer Windows operating systems use the __________ file system. A. Ext3 NTFS With the consistency checking file system repair technique, a computer's file system is rebuilt from scratch using knowledge of an undamaged file system structure. (T or F) False What is the first step in gathering evidence from a router?What is the first step he should take to safely examine the router? Connect to the router over the network. Sniffers are used to collect digital evidence. Which software package allows the user to map out what ports are open on a target system and what services are running?
Which of the following is the best definition of forensics?The term forensic refers to the application of scientific knowledge to legal problems, especially scientific analysis of physical evidence (as from a crime scene). Forensics, generally speaking, is scientific knowledge meant to be applied in court.
What is one of the first steps in a computer forensic investigation according to the FBI?The first step in any computer forensic investigation is to make a copy of the suspected storage device.
Which of the following is the definition of digital evidence?Which of the following is the definition of digital evidence? information that has been processed and assembled so that it is relevant to an investigation and supports a specific finding or determination.
|
