TEST BANK For Guide to Computer Forensics and Investigations 7e, Bill Nelson, Amelia Phillips, Christopher Steuart
Copyright Cengage Learning. Powered by Cognero.

Mod 01: Understanding the Digital Forensics Profession and Investigations

1. Mahmood is examining a device for digital evidence. There are two types of evidence he is looking for. Which type of evidence will prove that his client is not guilty?
a. Inculpatory evidence
b. Exculpatory evidence
c. Miaculpatory evidence
d. Discretionary evidence
ANSWER: b
RATIONALE: Mahmood is looking for exculpatory evidence, which is evidence that tends to show that a defendant is not guilty of the crime they have been charged with. This type of evidence can help to exonerate or clear the defendant of the charges. Exculpatory evidence can include physical evidence, witness statements, or other types of evidence that support the defendant's innocence.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.1 - Describe the field of digital forensics
TOPICS: An Overview of Digital Forensics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

2. What are the main differences between public-sector investigations and private-sector investigations?
a. Private-sector investigations involve government agencies responsible for criminal investigations and prosecution. Public-sector investigations focus more on policy violations.
b. Private-sector investigations can become criminal investigations and public-sector investigations can become civil investigations depending upon the circumstances.
c. Public-sector investigations involve government agencies responsible for criminal investigations and prosecution. Private-sector investigations focus more on policy violations.
d. The private sector can ignore criminal investigations, and the public sector can ignore civil investigations.
ANSWER: b, c
RATIONALE: In general, the main difference between public-sector and private-sector investigations is that public-sector investigations involve government agencies responsible for criminal investigations and prosecution. Government agencies range from municipal, county, and state or provincial police departments to federal law enforcement agencies. These organizations must observe the legal guidelines of their jurisdictions. Private-sector investigations focus more on policy violations. However, criminal acts, such as corporate espionage, can also occur. So, although private-sector investigations often start as civil cases, they can develop into criminal cases; likewise, a criminal case can have implications leading to a civil case.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.2 - Explain how to prepare for computer investigations and summarize the difference between public-sector and private-sector investigations
TOPICS: Preparing for Digital Investigations
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

3. When conducting a computer investigation for potential criminal violations of the law, the legal processes
you follow depend on local customs, legislative standards, and rules of evidence. In general, however, a criminal case follows three stages. What are those three stages?
a. Complaint, the investigation, and the prosecution
b. Complaint, discovery, and the trial
c. Complaint, service of process, and motions
d. Complaint, answer, discovery, and trial
ANSWER: a
RATIONALE: If it has been determined that a crime has been committed, the case is sent to the prosecutor to prosecute. Hence, there is a complaint, an investigation, and then the prosecution.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.2 - Explain how to prepare for computer investigations and summarize the difference between public-sector and private-sector investigations
TOPICS: Preparing for Digital Investigations
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

4. You're the head of the executive management committee, and as part of your corporate governance duties you must implement a policy to define and limit who has authorization to request a computer investigation and forensics analysis (authorized requestor). Which group or groups should have the authority to request a computer investigation?
a. The human resources department
b. The corporate ethics office
c. The general counsel or legal department
d. The accounting department
ANSWER: b, c
RATIONALE: The reason only the corporate ethics office and the general counsel's office should be involved in authorizing investigations is that other groups within the organization might create false allegations of misconduct to prevent competing departments from delivering a proposal for the same source of funds.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.2 - Explain how to prepare for computer investigations and summarize the difference between public-sector and private-sector investigations
TOPICS: Preparing for Digital Investigations
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

5. Allen works for a small newspaper. There is no corporate security investigations group, no written or verbal
acceptable use policy, and the publisher (owner) owns the rights to all the computer hardware and software. One day, the publisher calls him into the office and asks him to help them with an email problem. Upon fixing the problem, Allen discovers that there are illicit photos (no one was underage) on the publisher's laptop. The publisher later asks Allen to sanitize the laptop because the publisher wants to give it to their grandson. Allen must go through the laptop to find all the photos. What can Allen do to stop this work behavior?
a. Report the publisher to Human Resources
b. File a hostile work environment claim
c. Sanitize the laptop and do nothing else
d. Refuse to do the job
ANSWER: b
RATIONALE: In this situation, no laws are broken. There is no written or verbal acceptable use policy, so there is no legal recourse for the publisher's actions other than Allen filing a claim citing a hostile work environment.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.2 - Explain how to prepare for computer investigations and summarize the difference between public-sector and private-sector investigations
TOPICS: Preparing for Digital Investigations
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

6. As head of Zenon's corporate IT department, Naya is tasked with analyzing the corporate mobile device policy. She needs to decide which is better, company-owned mobile devices or BYOD. As a member of the corporate security team, Naya asks you for advice on which you think will be more appropriate. When you examine all options, which environment do you think works best for Zenon?
a. With company-owned devices, it falls on the employee to keep them updated.
b. With company-owned devices, all apps, files, and email can be secured.
c. With BYOD, employees own the devices, so companies are not liable if anything happens to the device.
d. With BYOD, the employee buys the device, and the company can lock it down (mobile device management).
ANSWER: b, d
RATIONALE: The issues relating to BYOD versus company-owned devices have been argued amongst corporate IT managers for years. On the one hand, having a BYOD policy frees companies from having to purchase smartphones for employees and saves them money. On the other hand, having a corporate-owned device means a more secure environment. It is corporate policy that determines what the smartphone policy is.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.2 - Explain how to prepare for computer investigations and summarize the difference between public-sector and private-sector investigations
TOPICS: Preparing for Digital Investigations
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

7. Thanks to the dark web, anybody can access computer programs that will help users exfiltrate (remove) data
from any type of computer or network. Because of this activity, white-collar crime and industrial espionage are on the rise. How does white-collar crime compare to industrial espionage?
a. White-collar crime refers to financial crimes committed in a business or professional setting, while espionage refers to the unauthorized sharing of confidential information with a competitor or foreign entity.
b. Espionage refers to financial crimes committed in a business or professional setting, while white-collar crime refers to the unauthorized sharing of confidential information with a competitor or foreign entity.
c. White-collar crime is the same as espionage, and both are punishable offenses.
d. White-collar crime and espionage are victimless crimes.
ANSWER: a
RATIONALE: The cost of white-collar crime and espionage to companies can vary greatly and is difficult to quantify with precision. However, the fiscal impact can be substantial and goes far beyond financial losses. In general, white-collar crime refers to financial crimes committed in a business or professional setting, while espionage refers to the unauthorized sharing of confidential information with a competitor or foreign entity.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.2 - Explain how to prepare for computer investigations and summarize the difference between public-sector and private-sector investigations
TOPICS: Preparing for Digital Investigations
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

8. Kwan is a Digital Evidence Specialist and is looking for a new job. He has an immaculate resume, fantastic references, and an excellent work history. But on the weekends, he likes to go out and get drunk, play beer pong, get high, and post a lot of selfies to his social media sites. Recently, he applied to Jaffe Corporation for a Digital Evidence Specialist position. The interview went well. In fact, Jaffe is looking to hire him for a project, but upon further investigation, they decide not to. What might the deciding factor have been in Jaffe Corp. not hiring Kwan?
a. Kwan should put all his social media platform settings on private so no one can see his pictures.
b. Kwan can do whatever he wants. What he does with his own time should not affect him professionally.
c. Kwan's selfies of getting drunk and high show a critical lack of judgment. Those images could allow an opposing attorney to discredit him due to his behavior.
d. Kwan can control what pictures of him are put on the Internet.
ANSWER: c
RATIONALE: In today's world, getting drunk or high may not be illegal, but when working in the legal field, flaunting it shows a lack of character and judgment. Doing so could allow an opposing attorney to discredit Kwan for his behavior. Any image that represents Kwan can be used against him professionally. Kwan cannot control what pictures of him end up on the Internet; he can only control his behavior.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.3 - Explain the importance of maintaining professional conduct
TOPICS: Maintaining Professional Conduct
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

9. Lucy needs to make a forensic initial assessment about a case she is investigating. What are some of the steps
she needs to take for the assessment?
a. Has law enforcement apprehended a suspect?
b. Have law enforcement or company security officers already seized the computer, disks, peripherals, and other components?
c. Was a computer or a laptop found?
d. Is the president of the company available?
ANSWER: b
RATIONALE: Lucy needs to identify, preserve, and analyze digital evidence that may be relevant to an investigation. So it is important that she knows whether computers, disks, peripherals, and other components have been seized, and whether they are safely within the chain of custody. Then, Lucy can begin her investigation.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.4 - Describe how to manage a digital forensics investigation by taking a systematic approach
TOPICS: Managing a Digital Forensics Investigation
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

10. Carmon needs to determine what the preliminary approach to a case should be. What are some of the general steps she needs to follow to investigate the case?
a. Create a detailed checklist, determine the resources you need, obtain and copy an evidence drive
b. Check fingerprint databases, search rainbow tables, speak with police personnel
c. Identify suspects, check the DMV, talk to crime scene investigators for evidence that might have been missed
d. Identify the risks, mitigate or minimize the risks, test the design, investigate the data recovered
ANSWER: a, d
RATIONALE: Carmon's approach to the case should be to determine the resources she needs, obtain and copy the evidence drive, identify the risks, mitigate or minimize the risks, test the design, analyze and recover the digital evidence, investigate the data she recovers, complete the case report, and critique the case.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.4 - Describe how to manage a digital forensics investigation by taking a systematic approach
TOPICS: Managing a Digital Forensics Investigation
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

11. Joe has been tasked with investigating an incident at Zander Corp. What is the first rule he must follow that
is important for all investigations, no matter how big or small?
a. Categorizing the evidence
b. Stabilizing the evidence
c. Preserve the evidence
d. Detain the evidence
ANSWER: c
RATIONALE: Joe must preserve the evidence. This is the first rule for all investigations. It refers to the overall process of collecting, documenting, and maintaining evidence so that it can be used in a legal proceeding or investigation.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.4 - Describe how to manage a digital forensics investigation by taking a systematic approach
TOPICS: Managing a Digital Forensics Investigation
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

12. Jennifer is about to take over a computer crime case at Amcore lab. Before she begins, she must verify that the chain of custody has not been broken. She discovers that the seal on the container holding the suspect's hard drive has been broken and there is no signature on the sign-out sheet showing that someone took the hard drive for analysis. How does this affect the chain of custody?
a. It does nothing to the chain of custody.
b. It only affects authenticity.
c. It breaks the chain of custody.
d. The custody of the data's journey is now refutable but can still be admissible.
ANSWER: c
RATIONALE: The chain of custody has been broken. It is not known if the data on the hard drive has been corrupted or manipulated. Multiple hard drives located in the same facility could be called into question because an attorney could hypothesize that those hard drives have also been corrupted or manipulated.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.4 - Describe how to manage a digital forensics investigation by taking a systematic approach
TOPICS: Managing a Digital Forensics Investigation
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

13. Akikta has been given a Windows 10 computer that needs to be investigated. Mostly, he will be recovering
deleted files and checking unallocated space on the hard drive. What are some software tools Akikta may want to use?
a. FTK Imager, X-Ways Forensics, and dd
b. EnCase, FTK, and Autopsy
c. PhotoRec and Scalpel
d. md5sum and sha256sum
ANSWER: b, c
RATIONALE: Akikta would use EnCase, FTK, and Autopsy to recover deleted files, and PhotoRec and Scalpel, which are file carving tools, to carve files out of unallocated space on the hard drive.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.4 - Describe how to manage a digital forensics investigation by taking a systematic approach
TOPICS: Managing a Digital Forensics Investigation
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

14. Kailani is about to take possession of a Windows 2000 computer for forensic investigation. Why must Kailani use older forensic tools for this Windows 2000 computer?
a. Windows 2000 is too advanced
b. Windows 2000 is a legacy system
c. Windows 2000 is no longer used in production networks
d. Windows 2000 no longer works
ANSWER: b
RATIONALE: Windows 2000 is a legacy system and is still used in some instances. Not all modern tools will work with it. However, tools like ForensiX and SMART are still available for use with Windows 2000 for data acquisition.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.4 - Describe how to manage a digital forensics investigation by taking a systematic approach
TOPICS: Managing a Digital Forensics Investigation
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

15. Ethel is transporting a computer to her forensic lab, and she needs to secure the device before transport.
What does Ethel need to do to ensure that the computer maintains chain of custody and arrives intact at her lab?
a. Put the entire tower or laptop in a Faraday box or bag
b. Transport the drives in separate vehicles from the tower or laptop
c. Place evidence tape over drive bays and insertion slots for power supply cords and USB cables
d. Place everything in her trunk and lock it so it can't be stolen
ANSWER: c, d
RATIONALE: To transport the computer to her forensics lab, Ethel must seal off the device by placing evidence tape over drive bays and plug insertion slots, and write her name on the evidence tape sealing the device. If the tape is removed or broken, so is her name, meaning the seal has been broken.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.4 - Describe how to manage a digital forensics investigation by taking a systematic approach
TOPICS: Managing a Digital Forensics Investigation
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

16. Ha-Yoon must do a risk assessment for a client. The client has an employee who does not know computers very well but has recently been taking classes on computer hacking. He has been spending more time on his computer and less time working. Recently their network has seen more traffic and attempted breaches than usual. There is no acceptable use policy in place. What should Ha-Yoon recommend first to mitigate the risk to the client's network?
a. Have the employer create an acceptable use policy and implement it.
b. Fire the employee
c. Remove the employee's computer
d. Replace the employee's computer, give them standard access, and isolate them from any network assets
ANSWER: a, d
RATIONALE: If there is no acceptable use policy, then a curious employee could get themselves in trouble. Ha-Yoon needs to have the client make an acceptable use policy and put it into place immediately. Not all employees are bad. To make sure this doesn't happen again, Ha-Yoon should recommend that the employee be given standard access and be kept isolated from any network assets.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.4 - Describe how to manage a digital forensics investigation by taking a systematic approach
TOPICS: Managing a Digital Forensics Investigation
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

17. Haris is presented with a case by a client involving employee termination. He hasn't been told about the case
yet, but he can guess. What are some of the predominant types of issues that occur in an employee termination case?
a. Working from home
b. Creating a hostile work environment
c. Playing games
d. Surfing the Internet
ANSWER: b
RATIONALE: Haris knows that the most common types of employee termination cases involve abuse of company resources, such as sending inappropriate emails, creating a hostile work environment, and using company resources to start a business on the side.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.5 - Describe procedures for private-sector high-tech investigations
TOPICS: Procedures for Private-Sector High-Tech Investigations
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

18. Fumiko will be conducting an investigation involving Internet abuse on a client's internal private network. What will he need to gather from his client's network administrator?
a. The suspect's computer IP address
b. The client's ISP IP address
c. The client's router IP address
d. The organization's Internet proxy server logs
ANSWER: a, d
RATIONALE: Fumiko will need to get the organization's Internet proxy server logs and the suspect's computer IP address to track where the suspect's computer has been going on the Internet.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.5 - Describe procedures for private-sector high-tech investigations
TOPICS: Procedures for Private-Sector High-Tech Investigations
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

19. During an investigation, Jerry discovers that there were no matches between the network server logs and the
forensic examination, showing no contributing evidence that a crime was committed. What does this mean for the investigation?
a. The allegations were unsubstantiated and there was no misconduct
b. The allegations were substantiated and there was misconduct
c. There were no allegations, just conjecture
d. It was all a misunderstanding
ANSWER: a
RATIONALE: Because there were no matches between the logs and the forensic examination, and no contributing forensic evidence was found, Jerry was able to say that there was no misconduct on the part of the employee.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.5 - Describe procedures for private-sector high-tech investigations
TOPICS: Procedures for Private-Sector High-Tech Investigations
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

20. Quan-Van is working on a case that is under attorney-client privilege (ACP). The attorney asks that all correspondence with them be verbal. What is the reason behind this request?
a. The attorney doesn't like to read
b. There will be too much paperwork
c. Anything written down is subject to discovery
d. Anything written down must be done in a very specific way
ANSWER: c
RATIONALE: Quan-Van has been told that once he is signed on to the case, anything written down is subject to discovery by the opposing counsel. Therefore, until the preliminary report is needed, the attorney doesn't want anything in writing.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.5 - Describe procedures for private-sector high-tech investigations
TOPICS: Procedures for Private-Sector High-Tech Investigations
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

21. Olga is about to embark on her first overseas Internet abuse case. She knows the privacy laws of her state as
she has worked on Internet abuse cases on a regular basis. The client she is working for is in Germany, so she can easily perform the investigation the same way in Germany as she does in the United States.
a. True
b. False
ANSWER: b
RATIONALE: Olga cannot investigate as easily in Germany as she does in the United States because the laws covering data privacy are much stricter in the European Union than they are in the United States. Investigating a network server log without proper authorization might not be legal in Germany due to the General Data Protection Regulation (GDPR), which is the standard for data protection and privacy in the European Union (EU) and is more stringent than U.S. privacy laws.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.5 - Describe procedures for private-sector high-tech investigations
TOPICS: Procedures for Private-Sector High-Tech Investigations
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

22. Dakarai has many legacy operating systems on his forensic workstation as well as the newest OSs, but he has only the most up-to-date software on his day-to-day workstation. Why does Dakarai need legacy operating systems?
a. It's not taking up much space on his forensic station, so why bother?
b. It's cheaper to keep the older software around.
c. Dakarai hasn't gotten around to getting rid of the old software yet.
d. Older computer systems may not be compatible with modern software.
ANSWER: d
RATIONALE: Dakarai keeps legacy operating systems because they allow older computer systems to be analyzed while preserving the data and metadata.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.6 - Explain requirements for data recovery workstations and software
TOPICS: Understanding Data Recovery Workstations and Software
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

23. Rivka is building a forensic workstation and needs to buy some hardware to get started. What are some of
the types of hardware she will need to buy?
a. A workstation running Windows 7
b. A write-blocker device, spare PATA and SATA ports
c. Network interface card (NIC)
d. Graphics card
ANSWER: b, c
RATIONALE: Rivka's workstation must be running at least Windows 10, not 7. She will need a write-blocker device, spare PATA and SATA ports, and a NIC. No additional graphics capabilities beyond what is standard on modern computers will be necessary.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.6 - Explain requirements for data recovery workstations and software
TOPICS: Understanding Data Recovery Workstations and Software
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

24. Kevin is about to begin an examination of a hard drive. Out of all the tools available to him, which one is the most important to keep the OS from writing data to the hard drive?
a. SCSI card
b. Network interface card (NIC)
c. Write-blocker
d. Target drive
ANSWER: c
RATIONALE: Kevin will need a write-blocker to keep the hard drive from being written to by the OS. Network interface cards, SCSI cards, and target drives do not serve to block writes to the hard drive.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.6 - Explain requirements for data recovery workstations and software
TOPICS: Understanding Data Recovery Workstations and Software
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

25. Gerald is using MS-DOS 6.22 to examine a legacy hard drive. Why would Gerald use such an old operating
system?
a. Other DOS OSs are no longer available.
b. Other DOS OSs do not have the appropriate tools.
c. It's the only DOS OS that works with older digital forensic tools.
d. It is the only DOS OS that's least intrusive to disks.
ANSWER: d
RATIONALE: Gerald uses MS-DOS 6.22 because it is the least intrusive as far as changing data. Older DOS versions are still available and they work with older digital forensics tools, but MS-DOS 6.22 is still the best for digital forensics work.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.6 - Explain requirements for data recovery workstations and software
TOPICS: Understanding Data Recovery Workstations and Software
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

26. Isabella is conducting an investigation for a client. She will need to copy evidence from a disk using multiple methods. Why can't she use just one method?
a. It's just for backup purposes.
b. No one media type can be trusted.
c. No single method retrieves all data from a disk.
d. Analyzing data is a tricky job.
ANSWER: c
RATIONALE: Isabella must start by copying the evidence using a variety of methods, because no one tool can retrieve all the data on a disk well. She needs multiple tools to analyze all the data properly.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.7 - Summarize how to conduct an investigation, including critiquing a case
TOPICS: Conducting an Investigation
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

27. Sammy needs to return to the office to retrieve some antistatic bags and wrist straps before handling digital
evidence. Why are these items important for handling digital evidence? a. Static electricity doesn't do anything to digital evidence. It's just a precaution. b. Static electricity can hurt the user. c. Static electricity can make your hair stand up. d. Static electricity can destroy digital evidence. ANSWER: RATIONALE:

d

POINTS: QUESTION TYPE:

1 Multiple Choice

Sammy knows that static electricity can cause physical damage to digital evidence, such as computers, hard drives, and memory chips, by electrostatic discharge (ESD). That is why it is important to have antistatic bags and wrist straps. They help avoid the build up of static electricity that causes ESD.

Copyright Cengage Learning. Powered by Cognero.

Page 14


Name:

Class:

Date:

Mod 01: Understanding the Digital Forensics Profession and Investigations HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.1.7 - Summarize how to conduct an investigation, including critiquing a case TOPICS: Conducting an Investigation KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/18/2024 2:41 PM DATE MODIFIED: 4/18/2024 2:41 PM 28. Zoey is new to the field of computer forensics. Her boss has asked her to make a bit-stream copy of a disk

drive for an investigation her company is working on. Zoey is curious why she can't make a backup copy instead. She comes to you for advice. What do you tell her? a. A bit-stream copy is used because it is an exact duplicate of the original drive. b. A backup copy has most of the files necessary; you just need to take extra steps. c. A backup copy doesn't have deleted files and emails or recovered file fragments. d. A bit-stream copy needs multiple forensic tools to get all the data off it. ANSWER: RATIONALE:

a, c

Zoey needs to create a bit-stream copy, which is a bit-by-bit copy of the original drive because it is an exact bit-by-bit replica of the original drive. Copying the drive this way gives the investigator a better chance of retrieving all the evidence needed from the copy of the original drive, since you never work on the original drive.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.7 - Summarize how to conduct an investigation, including critiquing a case
TOPICS: Conducting an Investigation
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

29. Kenneth is creating a bit-stream image from a bit-stream copy of an evidence drive, but he's confused as to what the difference is. To Kenneth, there isn't much difference. Please help him out and tell him what makes a bit-stream image different from a bit-stream copy.
a. A bit-stream image and a bit-copy are identical.
b. A bit-stream image replicates the evidence drive but is not an exact copy.
c. There only has to be one bit-stream copy made when working on an image drive.
d. A bit-stream image creates an exact copy of the evidence disk down to the physical drive level.
ANSWER: d
RATIONALE: Kenneth is creating a bit-stream image. The difference between a bit-stream image and a bit-stream copy is that the image is an exact copy of the data down to the physical level, with the target drive being the same make and model as the evidence drive, whereas the bit-stream copy is just a copy of the evidence drive that is not on the same make and model of drive as the actual (target) drive.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.7 - Summarize how to conduct an investigation, including critiquing a case
TOPICS: Conducting an Investigation
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

30. Stella just finished writing a report for Tera Corp. and reviews her report one more time to check the steps she took to be sure her findings are repeatable. The problem is she used a new tool in her findings that has not been vetted by industry experts yet, so it may not adhere to industry standards. Why is this an issue?
a. New tools that are not vetted may not return repeatable data.
b. It doesn't change anything.
c. New tools are used all the time.
d. It's not important to repeat results.
ANSWER: a
RATIONALE: Stella used a new tool that hasn't been vetted by industry experts and therefore may not adhere to industry standards. This issue will bring Stella's conclusions into question and may cause opposing counsel to try and throw out the case.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.1.7 - Summarize how to conduct an investigation, including critiquing a case
TOPICS: Conducting an Investigation
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/18/2024 2:41 PM
DATE MODIFIED: 4/18/2024 2:41 PM

Mod 02: Report Writing and Testimony for Digital Investigations

1. Daubert v. Merrell Dow Pharmaceuticals rules that the "testimony" must be based off facts or data, whereas using Frye v. United States rules, the "testimony" must be based on generally accepted principles in the field in which it belongs.
a. True
b. False
ANSWER: a
RATIONALE: Daubert v. Merrell Dow Pharmaceuticals rules that the "testimony" must be based off facts or data, whereas using Frye v. United States rules, the "testimony" must be based on generally accepted principles in the field in which it belongs.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.1 - Explain the importance of reports and testimony and preparing to testify
TOPICS: Understanding the Importance of Reports with a View to Testifying
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

2. Each state has its own rules of civil procedure, which may be less stringent than federal rules but can never be more so.
a. True
b. False
ANSWER: b
RATIONALE: Each state has its own rules of civil procedure, which may be MORE stringent than the federal rules but can never be LESS so.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.1 - Explain the importance of reports and testimony and preparing to testify
TOPICS: Understanding the Importance of Reports with a View to Testifying
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

3. Feng Mian is going to be a lay witness in Zepher Inc. v. United States. This will be the first time Feng Mian testifies. What is the purpose of a lay witness's testimony?
a. Testifies to evidence in the case
b. Testifies to personally observed facts
c. Testifies to evidence for a search warrant
d. Testifies to an accounting report
ANSWER: b
RATIONALE: Since Feng Mian is a lay witness, she will testify with first-hand knowledge of an event she witnessed that is relevant to the case.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.1 - Explain the importance of reports and testimony and preparing to testify
TOPICS: Understanding the Importance of Reports with a View to Testifying
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

4. Maddox is an expert in exfiltration (removal) of data. He is testifying about an incident where Areon Corp. lost its customer database to hackers over several months. He has no personal knowledge of the incident but has been called to testify before a jury. In what manner is Maddox allowed to testify?
a. He may testify as if he has personal knowledge of the event.
b. He can state his opinions by responding to actual questions.
c. He must state opinions by responding to hypothetical questions.
d. He should testify only about what he knows.
ANSWER: c
RATIONALE: Maddox doesn't have personal knowledge about the specific occurrence (data exfiltration), so he must state his opinion by responding to hypothetical questions from the attorney that are based on available factual evidence.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.2 - Describe guidelines for writing reports
TOPICS: Guidelines for Writing Reports
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

5. Emilia is in the process of writing a preliminary report for the first time. Her friend Amari tells her to be careful as to what to write because a preliminary report is a high-risk document. What makes a preliminary report a high-risk document?
a. It's a final report.
b. Opposing counsel can try and discredit you with it.
c. The preliminary report can always be used against you in a court of law.
d. Opposing counsel can demand discovery on it.
ANSWER: b, d
RATIONALE: The preliminary report is considered a high-risk document because, if written, opposing counsel may demand discovery on it and may also use it to try and discredit Emilia.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.2 - Describe guidelines for writing reports
TOPICS: Guidelines for Writing Reports
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

6. Xiang Liu is writing her report. Her mentor Steve Lu reminds Xiang that "objectivity is critical when writing a report." This is a very important statement. Why do you think Steve reminded her about objectivity?
a. She must be biased in her writing.
b. She must communicate calm, detached observations in her report.
c. It's better to identify flaws rather than to allow opposing counsel to do it for her.
d. She should use passive voice in her writing.
ANSWER: b, c
RATIONALE: Steve wants Xiang to know that "objectivity is critical" because she is not trying to solve the case. Therefore, she must be unbiased and detached as she is just presenting the facts of the case to the judge, jury, and counsel. Only the jury can decide on guilt or innocence.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.2 - Describe guidelines for writing reports
TOPICS: Guidelines for Writing Reports
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

7. Caleb created a hash value on a file he was working on before he left for the day. When he came back the next day, the hash value had changed. Since there was a change in hash value, what did that do to the file Caleb was working on?
a. The file had been opened.
b. The file had been altered.
c. The file had been erased.
d. The file had been moved.
ANSWER: b
RATIONALE: Caleb's file had been altered in some way. Any alteration in a file will cause the hash value to change.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.2 - Describe guidelines for writing reports
TOPICS: Guidelines for Writing Reports
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

8. Avraham knows that for a statement to be considered absolutely true, it must be stated conservatively. However, it might be considered a guess if he overreaches. How can Avraham protect his credibility?
a. By making a statement of limitations of knowledge and uncertainty
b. Swearing on a Bible
c. Reading off his CV to the jury
d. Talking about past cases
ANSWER: a
RATIONALE: Avraham knows that for a statement to be considered absolutely true, it must be stated conservatively. However, it might be considered a guess if he overreaches. He can find greater truth by throwing a wider net and collecting more evidence to support his statement. The narrower the net, or less evidence, the more the evidence becomes a guess.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.2 - Describe guidelines for writing reports
TOPICS: Guidelines for Writing Reports
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

9. Jennifer is working at a research lab and is about to write her first report. As she sits down to write, she begins by making a template. Her colleague Mike stops by and tells her that's a bad idea. Why would Mike argue against Jennifer using her own template?
a. Organizations are picky about who writes report templates.
b. Organizations likely have established templates for reports.
c. Organizations want people to ask for permission before creating templates.
d. Organizations want reports written quickly.
ANSWER: b
RATIONALE: Jennifer should not create her own template because the organization she works for likely has its own template(s) that it uses for report writing.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.2 - Describe guidelines for writing reports
TOPICS: Guidelines for Writing Reports
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

10. Helga is writing her report. It's going to be long and complex, so she needs to create an abstract. She puts the abstract at the beginning of the report. What is the reason Helga puts the abstract at the beginning of the report?
a. More people read the abstract than the entire report.
b. The abstract summarizes the report.
c. The abstract names the guilty party.
d. The abstract is the conclusion of the case.
ANSWER: a, b
RATIONALE: Helga puts the abstract at the beginning of the report because more people read the abstract since it's a summary of the report itself.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.2 - Describe guidelines for writing reports
TOPICS: Guidelines for Writing Reports
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

11. Aziz is about to write his report and grabs his examiner's notes to begin. His new assistant Asif, who is new to the field of computer forensics, wants to know what's so special about the book. Aziz tells Asif it's to keep track of all his notes during an examination. What are some of the notes Aziz is referring to?
a. Documenting the exam process
b. Providing a path for repeatability
c. Taking notes for the attorney
d. Analyzing notes for the suspect
ANSWER: a, b
RATIONALE: Aziz is referring to keeping track of the findings and recording all steps taken during the examination. These notes will also provide the path for repeatability of his findings.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.3 - Describe procedures for generating report findings and writing a digital forensics report
TOPICS: Generating Report Findings and Writing the Digital Forensics Report
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

12. Miriam's PDF is about to be put into the e-discovery database. The document has several images in it. When she puts it through the OCR (Optical Character Recognition) software, the text for the images comes out garbled. So before Miriam adds her document to the e-discovery database, what steps should she take to correct the errors she finds?
a. Run it through the OCR software again and then send it.
b. Leave it as a PDF.
c. Give it to someone else to fix.
d. Check the OCR document and be sure to correct any errors she finds.
ANSWER: d
RATIONALE: Miriam should fix any issues she finds after running the OCR software before sending the document. That way, there can be no misinterpretation causing an embarrassing situation.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.3 - Describe procedures for generating report findings and writing a digital forensics report
TOPICS: Generating Report Findings and Writing the Digital Forensics Report
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

13. Camilla works for an attorney so she must bill her time by the hour. Time duration is listed in tenths of an hour. How many minutes are there in a tenth of an hour?
a. 10 minutes
b. 12 minutes
c. 6 minutes
d. 5 minutes
ANSWER: c
RATIONALE: Camilla must bill in six-minute increments, which is a tenth of an hour.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.3 - Describe procedures for generating report findings and writing a digital forensics report
TOPICS: Generating Report Findings and Writing the Digital Forensics Report
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

14. Derek is about to write a report for his client. There are a few questions he needs to consider before writing it. What are a few of those questions Derek needs to consider?
a. Who is the attorney?
b. Who is the defendant?
c. What are the defined goals or mission of this examination?
d. What is the purpose of the report?
ANSWER: c, d
RATIONALE: Two of the questions Derek needs to consider are "What are the defined goals or mission of the examination?" and "What is the purpose of the report?" "Who is the attorney?" and "Who is the defendant?" are not germane to this question.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.3 - Describe procedures for generating report findings and writing a digital forensics report
TOPICS: Generating Report Findings and Writing the Digital Forensics Report
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

15. Reynaldo has completed the first draft of his preliminary report. He is now working on the conclusion questionnaire to make sure his report covers all the pertinent information required for the examination. What questions should Reynaldo ask himself now to revise his draft and create his final report?
a. In a brief statement, what is the purpose of this report?
b. In a brief statement, what are the main points of the examination?
c. What are my opinion and observations from this examination?
d. In a brief statement, what will the jury think about this report?
ANSWER: a, b, c
RATIONALE: Reynaldo needs to ask himself what the purpose of the report is, what the main points of the exam are, and what his opinions and observations from the examination are before he revises his draft.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.3 - Describe procedures for generating report findings and writing a digital forensics report
TOPICS: Generating Report Findings and Writing the Digital Forensics Report
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

16. Yasmin's about to write her report. Her boss, Rebecca, hands her the Digital Forensics Report Audience Worksheet to determine the type of audience reading the report. Yasmin sees that the attorney's knowledge of information technology is low, but Steve Billings, a non-legal party, has medium technical knowledge. Knowing this piece of information, how should Yasmin go about writing for her audience?
a. Yasmin should write for the attorney's knowledge level.
b. Yasmin should write for Steve Billings' knowledge level.
c. Yasmin should write for the jury's knowledge level.
d. Yasmin should write for the judge's knowledge level.
ANSWER: a
RATIONALE: Yasmin should write for the attorney's level of knowledge since they have the lowest level of knowledge. Steve Billings will be able to understand technology at that level too since he has a medium level of understanding. There is no mention of a judge and jury in the Audience Worksheet.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.3 - Describe procedures for generating report findings and writing a digital forensics report
TOPICS: Generating Report Findings and Writing the Digital Forensics Report
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

17. Jimmy has refined his outline and is now working on his topic sentences. He's unsure how to proceed and how to develop good topic sentences because this is his first time writing a forensic report. Hanska, his friend and mentor, wants to help him through his dilemma but doesn't want to just give him answers. You walk by and hear this conversation. You think you know the answer. What's the purpose of a good topic sentence?
a. It introduces the main finding of the examination.
b. It can belong in more than just one section.
c. It can set the tone for your whole examination.
d. It provides a clear direction for the rest of the analysis.
ANSWER: a, d
RATIONALE: A topic sentence introduces the main findings of the examination and provides a clear direction for the rest of the analysis so that the report flows in a logical manner.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.3 - Describe procedures for generating report findings and writing a digital forensics report
TOPICS: Generating Report Findings and Writing the Digital Forensics Report
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

18. Julian was using Autopsy (a digital forensics tool) to generate a list of files found during an examination. He's new to the field of digital forensics. Before he begins, he needs to know what type of functions Autopsy can perform. You've recently begun working with Autopsy. What can you tell Julian about the program?
a. Autopsy lists files and compares evidence.
b. Autopsy describes the evidence, not just a list of the files.
c. Autopsy provides a list of files. It does not describe the evidence.
d. Autopsy can file a report but cannot list files.
ANSWER: c
RATIONALE: Autopsy is a digital forensics tool that typically generates a list of reports in text format, word processing formats, HTML, and spreadsheets to name a few. It does not describe evidence.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.3 - Describe procedures for generating report findings and writing a digital forensics report
TOPICS: Generating Report Findings and Writing the Digital Forensics Report
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

19. Solomon is working on a case that is garnering a lot of media attention. Every time he leaves the courtroom, he is swarmed by reporters. One day he finally gets away and is sitting by himself having lunch, when a single reporter approaches him. This reporter, Jessica, says to Solomon, "Everything you tell me will be off the record, so could you tell me about the case?" Why should Solomon tell Jessica he can't speak to her?
a. Solomon's comments could harm the case and create a record that can be used against him.
b. Solomon's comments could show he's impartial to this case.
c. Solomon has no control over the context of the information a journalist publishes.
d. Journalists don't care what Solomon thinks, they just want to sell newspapers.
ANSWER: a, c
RATIONALE: Solomon must say no because anything the journalist writes could harm the case and create a record that could be used against him now and for future cases, and anything Solomon says could be taken out of context.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.4 - Explain the preparation necessary for testifying as a fact witness or an expert witness
TOPICS: Preparing for Testimony
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

20. Amelia is about to begin work on a new forensic examination. As she is preparing to process the evidence, the one thing that she must always keep in mind is to keep her opinions to a minimum. Why is it important for Amelia to keep her opinions to a minimum during an examination?
a. Amelia must keep her opinions to a minimum to maintain her experience.
b. Amelia must keep her opinions to a minimum to maintain her composure.
c. Amelia must keep her opinions to a minimum to maintain her impartiality.
d. Amelia must keep her opinions to a minimum to maintain her credibility.
ANSWER: c, d
RATIONALE: Amelia must keep her opinions to a minimum for the sake of her credibility and impartiality. It is important to maintain an appearance of not showing bias or having a vested interest in the outcome of any case.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.4 - Explain the preparation necessary for testifying as a fact witness or an expert witness
TOPICS: Preparing for Testimony
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

21. As a forensic examiner, Jakob can apply his skill set in two different ways when testifying. He can be either a fact witness or an expert witness. What are the main differences between being a fact witness and an expert witness?
a. As a fact witness, Jakob provides only the facts he has found in his investigation. As an expert witness, he forms opinions from experience and deductive reasoning based on facts found during an investigation.
b. As an expert witness, Jakob provides only the facts he has found in his investigation. As a fact witness, he forms opinions from experience and deductive reasoning based on facts found during an investigation.
c. Expert and fact witnesses base testimony on facts and experience alone.
d. It's the facts that make Jakob a fact witness; it's his opinion that makes him an expert witness.
ANSWER: a, d
RATIONALE: Jakob can be either a fact or expert witness depending on the needs of the client. As a fact witness, Jakob relies only on the facts in his investigation and as an expert witness, he forms opinions from experience and deductive reasoning based on facts of the case. It's his opinion that makes him an expert witness.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.4 - Explain the preparation necessary for testifying as a fact witness or an expert witness
TOPICS: Preparing for Testimony
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

22. Samantha is about to be questioned for the first time about her qualifications as an expert witness. She hears the attorney she works for calling it voir dire. Samantha wants to know what "voir dire" means. What does Samantha's attorney tell her the translation means?
a. To see, to say
b. To hear, to look
c. To be or not to be
d. To say, to see
ANSWER: a
RATIONALE: Samantha's attorney tells her that the phrase comes from French, and it literally means "to see, to say."

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.5 - Describe guidelines for testifying in court and in depositions
TOPICS: Testifying in Court and Depositions
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

23. Adel is going to a new district court for the first time. He is scheduled to testify as an expert witness in the case. He needs a plan in place to learn about the judge, jury pool, and other attorneys in the case, so he can determine the average knowledge, skill, and general attitude toward computers. What should he do?
a. Sit outside a few courtrooms and listen to the way people talk.
b. Make an educated guess.
c. He should check with his attorney and local attorneys.
d. Find out the potential jury pool's average educational level.
ANSWER: c, d
RATIONALE: Adel needs to speak with his attorney and local attorneys, and research the jury pool to determine average education level. This way he can adjust his presentation accordingly.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.5 - Describe guidelines for testifying in court and in depositions
TOPICS: Testifying in Court and Depositions
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

24. Gretchen is about to give oral testimony and wants to be sure that the jury understands it clearly. What's the best way to impart her testimony to help listeners retain what's being said?
a. Graphical presentation
b. Copious notes
c. Detailed explanation
d. Simple explanation
ANSWER: a
RATIONALE: There is a saying that a picture is worth 1000 words. Graphical images help the audience retain evidence much better than listening to someone speak about the evidence.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.5 - Describe guidelines for testifying in court and in depositions
TOPICS: Testifying in Court and Depositions
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

25. Carlos is an independent contractor. He recently went to work for the law firm of Bartlet and James. He was beginning work on a new case involving an aerospace firm. One day, he gets a call from Jim Lacy, the opposing attorney from the firm of Cagney and Marcy, who asks him to discuss the case with him. Carlos says "no" and quickly hangs up the phone. Why does Jim want to speak with Carlos about the case?
a. Jim is interested in Carlos' opinion about the case.
b. Jim wants Carlos's help on a part of the case.
c. Jim wants to conflict out Carlos.
d. Jim wants to find out how much Carlos is being paid.
ANSWER: c
RATIONALE: Jim wants to conflict out Carlos. By speaking with Carlos about the case, it will prevent Carlos from working on it. Jim can say Carlos has a conflict of interest by speaking to him about the case.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.5 - Describe guidelines for testifying in court and in depositions
TOPICS: Testifying in Court and Depositions
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

26. Jesus is testifying for the first time in a big case for General Computing Corp. The judge has ordered a ten-minute recess, and Jesus realizes he has a question for General Computing Corp's attorney. So, Jesus runs to catch Martin, the attorney, in the hallway. Jesus is speaking to Martin when the opposing counsel sees them talking. What are the possible repercussions of the interaction between Jesus and Martin?
a. There are no repercussions from the conversation between Jesus and Martin.
b. Opposing counsel can demand that Jesus explain and repeat the conversation he had with Martin.
c. Repercussions can include fines for misconduct.
d. The case is thrown out on a technicality.
ANSWER: b
RATIONALE: If opposing counsel sees Jesus and Martin speaking in the hallway, Jesus can be cross-examined by opposing counsel, who can demand that Jesus explain what he and Martin were speaking about.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.5 - Describe guidelines for testifying in court and in depositions
TOPICS: Testifying in Court and Depositions
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

27. Filipa is working for the Sussex County DA's office. She comes across some evidence she believes is exculpatory (evidence that exonerates or diminishes the defendant's liability) and tells the District Attorney about it, emphasizing its exculpatory nature. DA Jennifer Donner sets it aside and doesn't do anything about it. Filipa has tried several times to get DA Donner to look at it. Filipa is worried an innocent man might go to jail. What is Filipa's next course of action?
a. Tell the defense attorney.
b. Keep attempting to prompt the DA to do something about it.
c. Drop it.
d. Report the lack of disclosure to the judge.
ANSWER: d
RATIONALE: If Filipa has documented all her attempts and has tried several times to get the DA to disclose the evidence to the defense, she can report the DA's lack of disclosure to the judge. Her obligation is then complete.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.5 - Describe guidelines for testifying in court and in depositions
TOPICS: Testifying in Court and Depositions
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

28. Ambrus is in a discovery deposition. The opposing counsel, Mark Miller, is just about to finish up. At the end of the session, Mark asks Ambrus if he would like to waive signature. Ambrus says no. Why is Ambrus not waiving signature on the deposition?
a. Not waiving signature will avoid delays in the deposition process.
b. Not waiving signature allows for review and corrections.
c. Not waiving signature will avoid disputes.
d. Not waiving signature will keep you from making commitments.
ANSWER: b
RATIONALE: Ambrus does not want to waive his signature, so that he has time to review the transcript and make corrections on the corrections page. Then he will sign the deposition.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.5 - Describe guidelines for testifying in court and in depositions
TOPICS: Testifying in Court and Depositions
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

29. Gabriel is an expert witness on ransomware attacks across Canada. He is working on his analysis of the crime when his supervisor, Antonia, comes up to him and says, "Forget about going to court for now, you are needed in the House of Commons!" Gabriel is concerned. Why would they need him in the House of Commons (Canada's legislative body)?
a. He's in trouble for knowing too much about ransomware.
b. They are seeking his testimony because they are contemplating making a rule or legislation.
c. He is going there for a matter unrelated to ransomware.
d. They want to look like they're doing something in front of the TV cameras.
ANSWER: b
RATIONALE: The House of Commons wants Gabriel's testimony because they are contemplating making a rule or legislation governing legal recourse for ransomware attacks.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.5 - Describe guidelines for testifying in court and in depositions
TOPICS: Testifying in Court and Depositions
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

30. Roseline is an attorney for the firm Dewy and Howe. Her expert witness for a case is Stanley. Roseline and Stanley are discussing the case before they arrive at the courtroom. Roseline tells Stanley not to worry or get defensive about what's about to happen in the courtroom. "This is a common occurrence in judicial hearings," Roseline tells Stanley. "The judge and attorneys will be focusing on certain areas of your forensic examination." Which areas of Stanley's forensic examination will more than likely be the focus of the preliminary hearing?
a. The procedure for obtaining and preserving evidence
b. The basis or authority (warrant or probable cause) for Stanley conducting the examination
c. Rules and procedures for the trial
d. Rules and procedures for the witnesses
ANSWER: a, b
RATIONALE: The areas of focus for Stanley will be the procedures for obtaining and preserving evidence, as well as the basis or authority (warrant or probable cause) for Stanley to conduct the examination.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.2.5 - Describe guidelines for testifying in court and in depositions
TOPICS: Testifying in Court and Depositions
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

Mod 03: The Investigator’s Laboratory and Digital Forensics Tools

1. Abdul is the lab manager for the Morrow Valley County Sheriff's Office. He is reviewing the Uniform Crime Report to determine what equipment he's going to need for his forensic workstations over the next 18 months. (18 months is the average lifespan of hardware and software.) Looking at the report, what type of software and hardware will Abdul need? Please refer to Figure 3-1 for this question.
Figure 3-1
a. Linux OS
b. Windows OS
c. HDDs
d. Mobile devices
ANSWER: b, d
RATIONALE: Abdul will need to order Windows OS software, hardware and peripherals, and mobile device forensic tools for the office forensic workstations.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.1 - Describe the certification requirements for digital forensics labs
TOPICS: Understanding Forensics Lab Accreditation Requirements
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

2. Mateo is working with Devo Corp. to build a new forensic lab facility. He knows that he must put a lot of thought into a particular part of the build when determining lab expenses. What expense is Mateo most concerned about?
a. Visual security of the facility.
b. Aural (sound) security of the facility.
c. Physical security of the facility.
d. Digital security of the facility.
ANSWER: c
RATIONALE: Mateo is concerned about the physical security of the facility because evidence that is not safe can be lost, corrupted, or destroyed.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.2 - List the physical requirements for a digital forensics lab
TOPICS: Determining the Physical Requirements for a Digital Forensics Lab
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

3. Joseph is the lab manager for Pavlon Corp., and he is looking at the visitor name roster with the new day guard, Henderson. Joseph comes across the name Nosmo King (No Smoking) with today's date next to it. Joseph is suspicious and asks Henderson if he let this person into the lab. Henderson says, "He tried to get in, but I wouldn't let him." Why wouldn't Henderson let Nosmo King into the lab?
a. Nosmo's ID was fake.
b. Nosmo changed his mind.
c. Nosmo was in the wrong building.
d. Nosmo already had what he was looking for.
ANSWER: a
RATIONALE: Henderson looked at Nosmo's ID and discovered that it was fake. He then escorted Nosmo out of the building.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.2 - List the physical requirements for a digital forensics lab
TOPICS: Determining the Physical Requirements for a Digital Forensics Lab
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

4. Malik is in the network design phase for a forensics lab. He needs to build one local area network for the forensic workstations and one that is air gapped (not on the same network as the forensic network) for the computers with Internet access. Malik knows it's important that Internet-facing workstations must not connect to forensics workstations. Why is it important to have two separate networks for a forensics lab?
a. Because Internet access on the forensics network can inhibit employee productivity.
b. Because Internet access on the forensics network can severely decrease workstation bandwidth.
c. Because Internet access on the forensics network can fill hard drives with worthless data.
d. Because Internet access on the forensics network can contaminate evidence.
ANSWER: d
RATIONALE: Malik must have two networks in the lab: one for the forensic workstations and one for Internet access. If the Internet-facing machines were allowed on the forensics network, the forensics workstations could be subject to attack or internal/external contamination.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.2 - List the physical requirements for a digital forensics lab
TOPICS: Determining the Physical Requirements for a Digital Forensics Lab
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

5. Imka works in a forensic lab for a small local police department. The average population income falls just above the poverty level, but most schools have some computers from donations, and some residents have computers too. What type of hardware and software should Imka have, given this small community?
a. Legacy hardware systems and software.
b. Up-to-date hardware and software.
c. Equipment that's less than 3 years old.
d. Make her own.
ANSWER: a
RATIONALE: Given the size of this community, Imka should most likely keep legacy systems and software available, because computers in this community are usually kept much longer than those in larger, more computer-literate communities.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.3 - Explain the criteria for selecting a basic forensic workstation
TOPICS: Selecting a Basic Forensic Workstation
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

6. Matilda works in a police crime lab in the city of Ontario. There are manufacturing firms in Ontario that employ over 100,000 employees. Based on the crime reports that Matilda has consulted, statistically about 1% of those employees could be involved in criminal behavior at some point in time. Matilda now knows how many employees could be involved in a crime. What's the total number of potential employees involved in criminal behavior?
a. 10,000
b. 100
c. 1,000
d. 10
ANSWER: c
RATIONALE: Matilda knows that 1% of 100,000 employees equals 1,000 employees potentially involved in crime, according to the criminal statistics she has read.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.3 - Explain the criteria for selecting a basic forensic workstation
TOPICS: Selecting a Basic Forensic Workstation
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

7. Gabriela is setting up a workstation specifically to crack passwords. To crack passwords quickly, Gabriela needs to pick a workstation where she can install multiple graphics processing units (GPUs).
a. True
b. False
ANSWER: a
RATIONALE: Gabriela's use of multiple GPUs allows multiple processors to work on cracking passwords without tying up the central processing unit (CPU), so the computer can continue to work on other projects while cracking passwords in the background.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.3 - Explain the criteria for selecting a basic forensic workstation
TOPICS: Selecting a Basic Forensic Workstation
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

8. Sara needs to work with her management team to create a disaster recovery plan. She tries to take all possibilities into account while planning. Of the following possibilities, which one is not considered a disaster?
a. Forensic workstation hard disk crash.
b. Lightning strike causing the building to lose power.
c. Power outage two blocks away.
d. The lab floods with water.
ANSWER: c
RATIONALE: Although Sara and her team need to be alert if there is a power outage two blocks away, it's not considered a disaster.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.3 - Explain the criteria for selecting a basic forensic workstation
TOPICS: Selecting a Basic Forensic Workstation
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

9. Arno is about to buy a computer and build it into a forensics workstation. What are the three most important factors Arno must consider for purchasing a computer and converting it into a forensic workstation?
a. Graphics processing unit (GPU), central processing unit (CPU), and monitor size
b. CPU, RAM, and disk storage
c. Graphics card, number of available USB ports, and motherboard
d. Motherboard, PATA ports, and SATA ports
ANSWER: b
RATIONALE: Arno must get the most powerful processor (CPU), the most RAM, and the largest disk storage available for his workstation. Other peripheral devices, such as GPUs and bigger monitors, can be added later.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.3 - Explain the criteria for selecting a basic forensic workstation
TOPICS: Selecting a Basic Forensic Workstation
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

10. Martina is about to store her backups from the last session. In the event of a disaster, they need to be kept safe. So how is Martina going to store her backups?
a. Two backups onsite, nothing offsite
b. Two duplicate backups offsite, nothing onsite
c. One backup onsite, one duplicate offsite, and one previous backup offsite
d. Zero onsite and all duplicates offsite
ANSWER: c
RATIONALE: Martina should keep one backup onsite for easy retrieval, one duplicate backup offsite, and one older backup offsite.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.3 - Explain the criteria for selecting a basic forensic workstation
TOPICS: Selecting a Basic Forensic Workstation
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

11. Hershel wants to build a forensics lab, but he needs to gain the support of his management team to do so. What document does Hershel need to create to justify building his lab?
a. Business case
b. Document case
c. Organizational case
d. Legal case
ANSWER: a
RATIONALE: Hershel needs to build a business case to provide justification for establishing or upgrading his lab.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.4 - Describe the components of a business case for developing a forensics lab
TOPICS: Building a Business Case for Developing a Forensics Lab
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

12. Liam is writing a business case for his employer, Champ Industries. When writing a business case, Liam must take into consideration that it needs to be updated regularly. How many times a year should Liam update his business case?
a. Every six months
b. Quarterly
c. Annually
d. Bi-yearly
ANSWER: c
RATIONALE: Liam should update the business case annually.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.4 - Describe the components of a business case for developing a forensics lab
TOPICS: Building a Business Case for Developing a Forensics Lab
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

13. Willow is building a business case for Verta Corp. because her management team wants a new forensics lab. One item on the list that Willow needs to mention is profitability. How can Willow explain that a forensic lab can be profitable?
a. Protecting intellectual property
b. Protecting trade secrets and future business plans
c. Protecting employees from physical injury
d. Protecting the company network
ANSWER: a, b
RATIONALE: Willow's business case can demonstrate profitability by pointing out to her team that protecting intellectual property, trade secrets, and future business plans is profitable in that it mitigates risk (which saves the company money).
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.4 - Describe the components of a business case for developing a forensics lab
TOPICS: Building a Business Case for Developing a Forensics Lab
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

14. Koa is researching private-sector versus public-sector business cases for forensics labs. What was Koa's conclusion regarding the main difference between a business case for the private sector (a corporation) and one for the public sector (a police department)?
a. Police departments must always show cost recovery for additional capabilities.
b. Corporations must always show cost recovery for additional capabilities.
c. Police departments don't always have to show cost recovery for additional capabilities.
d. Corporations don't always have to show cost recovery for additional capabilities.
ANSWER: c
RATIONALE: Koa's research found that police departments don't always have to show cost recovery for additional capabilities and new resources.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.4 - Describe the components of a business case for developing a forensics lab
TOPICS: Building a Business Case for Developing a Forensics Lab
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

15. Delilah is working on data acquisition, which is one of the first tasks in digital forensics. Jamal, a friend of hers, doesn't know what digital forensics is and asks Delilah to explain it. So, Delilah gives him a basic idea of what she is working on. What does Delilah tell Jamal?
a. She's making a physical copy of the data.
b. She's making a logical copy of the data.
c. She's making a backup copy of the data.
d. She's making a bootleg copy of the data.
ANSWER: a, b
RATIONALE: Delilah is working on physical data copies and logical data copies.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.5 - Explain how to evaluate digital forensics tools
TOPICS: Evaluating Digital Forensics Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

16. Sofia is investigating a fraud case. She is searching for relevant data and needs to narrow her search parameters to separate good data from bad data. What type of search should Sofia use?
a. Word phrase search
b. Key phrase search
c. Keyword search
d. .pdf search
ANSWER: c
RATIONALE: To narrow down her search parameters, Sofia should use a keyword search to separate good data from bad data.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.5 - Explain how to evaluate digital forensics tools
TOPICS: Evaluating Digital Forensics Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

17. Gino's lab likes to separate duties so that each tech does something different. Gino takes the acquired data to validate and verify it. Why is it important for Gino to validate and verify data?
a. Validation proves that two sets of data are identical.
b. Verification is the process of confirming that a tool is functioning as intended.
c. Validation is the process of confirming that a tool is functioning as intended.
d. Verification proves that two sets of data are identical.
ANSWER: c, d
RATIONALE: Gino must validate the process to confirm that a tool is functioning as intended, and verification proves that the two sets of data created during validation are identical.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.5 - Explain how to evaluate digital forensics tools
TOPICS: Evaluating Digital Forensics Tools
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

18. Luna is researching dictionary and brute-force attacks. What does Luna's research discover as the differences between dictionary and brute-force attacks?
a. Password lists typically give you a starting point for guessing passwords.
b. Brute-force attacks use every combination of characters on the keyboard.
c. Brute-force attacks typically give you a starting point for guessing passwords.
d. Password lists use every combination of characters on the keyboard.
ANSWER: a, b
RATIONALE: Luna discovers that password lists typically give you a starting point for guessing passwords, whereas brute-force attacks use every combination of characters on the keyboard.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.5 - Explain how to evaluate digital forensics tools
TOPICS: Evaluating Digital Forensics Tools
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

19. Miko prefers using command-line tools over GUI tools. When her friend Justin asked why, Miko said she prefers them to GUI tools for a specific reason. What's the reason Miko prefers command-line tools?
a. Command-line tools are more precise than GUI tools.
b. Command-line tools are easier to use.
c. Command-line tools require minimal system resources.
d. Command-line tools take less time to learn than GUI tools.
ANSWER: c
RATIONALE: Miko prefers using command-line tools because they require minimal system resources.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.6 - Describe available digital forensics software tools
TOPICS: Digital Forensics Software Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

20. It is important to continue learning about command-line tools because some GUI tools might miss critical evidence.
a. True
b. False
ANSWER: a
RATIONALE: GUI tools can miss critical evidence that command-line tools may discover.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.6 - Describe available digital forensics software tools
TOPICS: Digital Forensics Software Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

21. Berat is working on his first mobile examination, but he does not have the tools to acquire mobile device data. What company offers the frameworks necessary for Berat to continue his examination?
a. Apple
b. Microsoft
c. Samsung
d. Nokia
ANSWER: c
RATIONALE: Berat needs Samsung mobile frameworks to assist in acquiring mobile device data.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.6 - Describe available digital forensics software tools
TOPICS: Digital Forensics Software Tools
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

22. Miray is examining a Windows 10 computer and needs to determine file ownership on the computer, since there were multiple users. What command does Miray use?
a. ls
b. rm
c. mv
d. dir
ANSWER: d
RATIONALE: In Windows 2000 and later, Miray can use the dir command to show file ownership if there are multiple users on a computer.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.6 - Describe available digital forensics software tools
TOPICS: Digital Forensics Software Tools
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

23. José manages a busy lab where the equipment runs 24/7. For this reason, he needs to schedule periodic equipment replacement. How often should José replace his equipment when it's under heavy usage?
a. 12 months
b. 18 months
c. 24 months
d. 36 months
ANSWER: b
RATIONALE: Under heavy usage, José should ideally schedule equipment replacement every 18 months.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.7 - Identify considerations for selecting digital forensics hardware tools
TOPICS: Digital Forensics Hardware Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

24. Renée is looking at buying several workstations for her lab. There are several types of workstations for her to choose from. What categories of workstations does Renée have to choose from?
a. Stationary workstation
b. Portable workstation
c. Lightweight workstation
d. Heavy-duty workstation
ANSWER: a, b, c
RATIONALE: The categories of workstations Renée is choosing from are stationary, portable, and lightweight.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.7 - Identify considerations for selecting digital forensics hardware tools
TOPICS: Digital Forensics Hardware Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

25. Francis needs to purchase a device for his workstation that allows him to connect to a suspect's drive without changing data files. What's the name of the device that Francis needs to purchase?
a. Read-blocker
b. SPARC-blocker
c. SCSI-blocker
d. Write-blocker
ANSWER: d
RATIONALE: Francis needs to purchase a write-blocker so that the data and metadata he explores cannot be changed.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.7 - Identify considerations for selecting digital forensics hardware tools
TOPICS: Digital Forensics Hardware Tools
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

26. Ricardo is looking to acquire a forensic workstation. He has a limited budget to work with. He can't build his own, nor can he purchase a workstation such as a FRED unit. What's the best way for Ricardo to spend his limited budget?
a. Buy a used computer
b. Use his existing computer and get a write-blocking device
c. Buy a high-end gaming PC
d. Buy the cheapest new computer he can find
ANSWER: c
RATIONALE: Ricardo should buy a high-end gaming PC. With some minor modifications, these systems work extremely well.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.7 - Identify considerations for selecting digital forensics hardware tools
TOPICS: Digital Forensics Hardware Tools
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

27. Hakim is analyzing evidence to be admitted in court. What must Hakim do to ensure his evidence can be admissible in court?
a. Test and validate his software
b. Test and validate his hardware
c. Analyze his evidence carefully
d. Be sure his company's software licenses are up-to-date
ANSWER: a
RATIONALE: Hakim's software tools must be tested and validated for recovered evidence to be admitted in court.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.3.8 - Describe methods for validating and testing forensics tools
TOPICS: Validating and Testing Forensics Software
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:08 PM
DATE MODIFIED: 4/19/2024 2:08 PM

28. Milo is researching hashing algorithms. He wants to know the hashing algorithm with the best accuracy to reduce the number of known files, such as OS or program files, so that only unknown files remain. Which hashing algorithm does Milo decide to use?
a. MD5
b. DES
c. SHA-1
d. 3DES
ANSWER: c
RATIONALE: Milo discovers that SHA-1 has better accuracy than other hashing methods, such as MD5.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.3.8 - Describe methods for validating and testing forensics tools TOPICS: Validating and Testing Forensics Software KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:08 PM Copyright Cengage Learning. Powered by Cognero.

Page 13


Name:

Class:

Date:

Mod 03: The Investigator’s Laboratory and Digital Forensics Tools DATE MODIFIED:

4/19/2024 2:08 PM

29. Xander needs to examine a .pst file. He wants to use his disk editor, but he's uncertain. Why is Xander unsure about using a disk editor?
a. A disk editor only works with hex files.
b. A disk editor is not a flexible tool.
c. A disk editor does not work with .pst files.
d. A disk editor might not be capable of examining a compressed file's contents.
ANSWER: d
RATIONALE: Xander may not be able to use his disk editor because it might not be capable of examining compressed file content, such as a .zip archive or an Outlook .pst file. A disk editor shows the raw bytes as they sit on the disk; it does not decode container formats, so the messages inside a .pst file have to be examined with a tool that understands that format.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.3.8 - Describe methods for validating and testing forensics tools TOPICS: Validating and Testing Forensics Software KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

30. Jenna has just begun working in the field of forensics. Originally, she thought repeatable and reproducible results were the same but later found out that they are not. What did Jenna learn about repeatable and reproducible results?
a. Repeatability means that the same results occur every time a tool is used.
b. Reproducibility means the same results occur when different software or hardware tools are used.
c. Reproducibility means that the same results occur every time a tool is used.
d. Repeatability means the same results occur when different software or hardware tools are used.
ANSWER: a, b
RATIONALE: Jenna learned that repeatability means the same results occur every time the same tool is used to analyze the same digital evidence, and reproducibility means the same results occur when different software or hardware tools are used to analyze that evidence. Both matter in court: repeatability shows the tool is stable, and reproducibility shows the finding is a property of the evidence rather than of one vendor's tool.
POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.3.8 - Describe methods for validating and testing forensics tools TOPICS: Validating and Testing Forensics Software KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

Mod 04: Data Acquisition

1. Winnie is deciding whether to collect her forensic data in an open source or proprietary format. There are advantages and disadvantages to both, but she wants her data read by as many forensic tools as possible. Which format should Winnie use to achieve her objective?
a. Proprietary format
b. Raw format
c. Single format
d. Evidence format
ANSWER: b
RATIONALE: Winnie uses the raw format, since a raw bit-for-bit image (the dd-style format) can be read by virtually every forensic tool. The trade-off is that a raw image carries no built-in compression and no embedded hash metadata, so the acquisition hash must be recorded and stored separately.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.1 - Describe digital evidence storage formats TOPICS: Understanding Storage Formats for Digital Evidence KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

2. Keira is at a remote site collecting data evidence. She needs to take a break, so how does she keep her data collection secure from tampering?
a. She can leave just for a short amount of time.
b. She can ask somebody nearby to watch the computers for her.
c. She puts crime scene tape around the location.
d. Another authorized person must always be present.
ANSWER: d
RATIONALE: Keira must ensure that another authorized person is present to stand guard over the acquisition so that control of the evidence is continuous. Any gap in custody, however short, gives opposing counsel an opening to argue that the data could have been tampered with.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.2 - Understand how to plan for a digital forensics acquisition TOPICS: Acquisition Planning KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

3. Reilynn is performing a static acquisition. She is creating a physical disk-to-image copy, which is the most common method of acquisition and offers the most flexibility for an investigation. What features make the physical disk-to-image method so flexible?
a. Compatible with all operating systems
b. Copies are bit-for-bit replicas of the original drive
c. Many copies of a suspect's drive can be made
d. Individual files can be easily restored
ANSWER: b, c
RATIONALE: Reilynn can make as many bit-for-bit replicas of the original drive as her forensics department requires. Because each image is an exact copy of every sector, including unallocated space, it can be examined with any tool that reads the image format and can be restored to another drive of the same or larger size.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.2 - Understand how to plan for a digital forensics acquisition TOPICS: Acquisition Planning KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

4. Vanessa is conducting an email investigation that requires collecting only Outlook .pst files. Since .pst files are extremely large, and this is an e-discovery case, what is the preferred method of data acquisition that Vanessa should use?
a. Partial acquisition
b. Sparse acquisition
c. Complete acquisition
d. Logical acquisition
ANSWER: d
RATIONALE: Vanessa uses a logical acquisition, which captures only the files of interest (here, the .pst files) rather than an entire drive. It is becoming the preferred method in e-discovery for litigation because it avoids imaging the far larger volume of data on the drive that is not relevant to the case.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.2 - Understand how to plan for a digital forensics acquisition TOPICS: Acquisition Planning KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

5. Jackie is working with large files in her forensic acquisition. She needs to compress them to fit on her target drive and must use a compression algorithm that does not alter the original data. What kind of algorithm must Jackie use to prevent alteration of the original data?
a. Lossy
b. AAC
c. Lossless
d. MPEG
ANSWER: c
RATIONALE: Jackie uses lossless compression, which can be reversed to reproduce the original data byte for byte. Lossy schemes such as AAC and MPEG save space by discarding information and can never be used on evidence.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.2 - Understand how to plan for a digital forensics acquisition TOPICS: Acquisition Planning KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

6. Kenneth is testing the accuracy of his losslessly compressed file. When he compares the hash value taken before compression with the hash value of the decompressed result, he finds they do not match. What could be the reason for this error?
a. Software error
b. Hardware error
c. System crash
d. The file itself
ANSWER: a, b
RATIONALE: If the hashes do not match, Kenneth has most likely experienced a hardware or software error that corrupted the compressed file or the copy of it. The check is done by decompressing the file and hashing the output: lossless compression must reproduce the original byte for byte, so any difference is a fault in the copy, the storage, or the software, never a property of the algorithm.
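The check Kenneth performed, as an added shell example that is not part of the test bank or the textbook: it hashes a constructed sample file, compresses it losslessly with gzip, and compares the hash of the decompressed output with the original; a second function truncates the compressed copy to stand in for the hardware or software fault the rationale describes and shows that the same check catches it. It assumes a POSIX shell with sha256sum, gzip, seq and mktemp available; the file names and the 100,000-line sample are arbitrary choices made for the example.

```shell
#!/bin/sh
# Added example (not from the test bank): hash-verify a lossless
# compression round trip, and show that a damaged compressed copy fails
# the same check. Assumes POSIX sh with sha256sum, gzip, seq and mktemp.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample standing in for an acquisition file; the content is
# irrelevant to the check, it only has to be reproducible.
make_sample() {
    seq 1 100000 > "$WORK/evidence.dd"
}

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Compress without touching the original (gzip -c writes to stdout).
compress_sample() {
    gzip -c "$WORK/evidence.dd" > "$WORK/evidence.dd.gz"
}

# Core check: hash(original) must equal hash(decompress(compressed)).
# Lossless compression guarantees this; any mismatch is a fault in the
# copy, the storage or the software, never a property of the algorithm.
# Returns 0 on match, 1 on mismatch (a gzip error also ends as mismatch).
verify_roundtrip() {
    src=$1; gz=$2
    orig=$(sha256_of "$src")
    after=$(gzip -dc "$gz" 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ "$orig" = "$after" ]
}

# Intact archive: the round trip must reproduce the original exactly.
roundtrip_ok() {
    make_sample
    compress_sample
    verify_roundtrip "$WORK/evidence.dd" "$WORK/evidence.dd.gz"
}

# Simulated storage fault: a copy of the archive that lost its last
# 16 bytes (the 8-byte CRC/size trailer plus the tail of the deflate
# stream). The decompressed output comes out short, so the hashes differ.
roundtrip_detects_corruption() {
    make_sample
    compress_sample
    size=$(wc -c < "$WORK/evidence.dd.gz" | tr -d ' ')
    head -c $((size - 16)) "$WORK/evidence.dd.gz" > "$WORK/damaged.gz"
    if verify_roundtrip "$WORK/evidence.dd" "$WORK/damaged.gz"; then
        return 1    # a damaged copy must never pass
    fi
    return 0
}

# Stand-alone run: one line per check.
if roundtrip_ok; then echo "intact archive: hashes match"; fi
if roundtrip_detects_corruption; then echo "damaged archive: mismatch detected"; fi
```

In practice the reference hash is the one recorded at acquisition time and written into the case notes; re-hashing the decompressed copy against that value, rather than against a hash taken later, is what ties the working copy back to the original drive.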

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.2 - Understand how to plan for a digital forensics acquisition TOPICS: Acquisition Planning KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

7. Tehya is preparing for a digital forensics acquisition. Preparation is key to reducing the chance of failure. What are some of the key elements Tehya must consider before initiating her acquisition?
a. Is the source drive accessible, or is it still in the suspect's computer?
b. Will Tehya be able to retain the source drive, or will it need to be returned to the owner?
c. Has the source drive been compromised by being misplaced?
d. Has the original source drive been destroyed?
ANSWER: a, b
RATIONALE: Tehya needs to find out whether the source drive is accessible or is still in the suspect's computer, and whether she can retain the original source drive or must return it to the owner. Both answers shape the acquisition: a drive that must be returned has to be imaged completely, and the image verified, before it leaves her custody.
POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.2 - Understand how to plan for a digital forensics acquisition TOPICS: Acquisition Planning KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

8. Bella is about to decrypt a hard drive. One advantage of decryption is that allocated data and unallocated data are not altered when the drive is decrypted. However, Bella does have a big concern about whole disk encryption. What is Bella concerned about?
a. Cracking the password or passcode
b. Recovering the decryption key
c. Automating the decryption process
d. Making sure there is enough drive space
ANSWER: a, b
RATIONALE: Bella's concern is cracking the password or passcode in order to recover the decryption key. She can obtain the key with a tool such as Elcomsoft Forensic Disk Decryptor, or she could guess the password.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.3 - Describe contingency planning for data acquisitions TOPICS: Contingency Planning for Image Acquisitions KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

9. Tamar is using Mini-WinFE, a forensically sound Windows boot utility for examining Windows computers. It has advantages over a Linux live distro when examining a Windows computer. What advantages does Mini-WinFE have over a live Linux distro?
a. Mini-WinFE runs its own version of a Linux distro.
b. Mini-WinFE can access the suspect's Windows registry files without modifying them.
c. Mini-WinFE can survey Windows-specific OS files while maintaining data integrity.
d. Mini-WinFE can read both Windows and Linux file systems.
ANSWER: b, c
RATIONALE: Tamar is using Mini-WinFE because it can access the suspect's Windows registry files without modifying them and can survey Windows-specific OS files while maintaining data integrity.
POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.4 - Explain how to use acquisition tools TOPICS: Using Acquisition Tools KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

10. Greta wants to determine the drive letter, file system, and other properties of the volumes on a computer she is investigating. What PowerShell command will she run to retrieve this data?
a. Get-Process
b. Get-WmiObject
c. Get-Volume
d. Get-Item
ANSWER: c
RATIONALE: Greta will use the Get-Volume cmdlet in PowerShell to retrieve information about logical disks, including the drive letter, file system, size, free space, and other properties associated with each volume.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.4 - Explain how to use acquisition tools TOPICS: Using Acquisition Tools KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

11. Colin is examining an x86 computer with a disk drive that uses a Master Boot Record (MBR). What firmware program does Colin need to be familiar with when examining this boot process?
a. EFI
b. UEFI
c. BIOS
d. CMOS
ANSWER: c
RATIONALE: For Colin to examine an x86 computer whose disk uses an MBR, he must be familiar with the BIOS, because the BIOS boot process loads the boot code from the MBR in the first sector of the disk.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.4 - Explain how to use acquisition tools TOPICS: Using Acquisition Tools KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

12. Jeremiah is looking for where the system configuration, date, and time information is stored when the power to the system is off. He is new to the field of computer forensics, so he needs some help. Where will Jeremiah find the information he is looking for?
a. BIOS
b. CMOS
c. GUID
d. UEFI
ANSWER: b
RATIONALE: Jeremiah will find the system configuration, date, and time information in CMOS. The battery-backed CMOS RAM holds the firmware's configuration settings and the real-time clock's date and time while the system is powered off.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.4 - Explain how to use acquisition tools TOPICS: Using Acquisition Tools KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

13. Cindy is working on two computers, one an x86 and the other an x64. Her boss Tim tells her to work on the x64 first. What disk format and system I/O firmware is Cindy working with?
a. BIOS (Basic Input/Output System)
b. Unified Extensible Firmware Interface (UEFI)
c. Master Boot Record (MBR)
d. GUID Partition Table (GPT)
ANSWER: b, d
RATIONALE: For the x64 system, Cindy is working with a GPT-formatted disk and UEFI firmware.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.4 - Explain how to use acquisition tools TOPICS: Using Acquisition Tools KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

14. Wendell is initiating a static acquisition on a suspect's computer. The first thing he does is access the CMOS setup to verify settings. Why is Wendell accessing the CMOS setup first?
a. To confirm it boots to the forensically configured media first
b. To confirm it boots to the hard drive first
c. To confirm it boots to the network drive first
d. To confirm it boots to a floppy drive first
ANSWER: a
RATIONALE: Wendell needs to confirm the boot order so that the computer boots from his forensically configured CD, DVD, or USB drive first and not from the suspect's hard drive. Booting the suspect's own operating system would write to the evidence drive and alter it before the acquisition starts.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.4 - Explain how to use acquisition tools TOPICS: Using Acquisition Tools KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

15. Navi is collecting evidence for his case, but he only needs to acquire specific files and no other data, so he is using the xcopy /s command. What is Navi trying to copy?
a. List file name source and its destination name
b. If errors are encountered, continues to copy data
c. Copies all folders that contain data and ignores empty folders
d. Copies only files that have the attribute set on
ANSWER: c
RATIONALE: Navi uses xcopy /s to copy the directory tree, including all subfolders that contain data, while ignoring empty folders.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.4 - Explain how to use acquisition tools TOPICS: Using Acquisition Tools KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

16. Jorge is working on an e-discovery case. He only needs the data files that are required for evidence collection. He wants to know where the files are located on the drive, so what command will Jorge use to find that information?
a. robocopy /v
b. robocopy /fp
c. robocopy /tee
d. robocopy /xc
ANSWER: b
RATIONALE: Jorge will use robocopy /fp, which makes robocopy display the full pathname of each file it processes, showing where the files are located on the drive.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.4 - Explain how to use acquisition tools TOPICS: Using Acquisition Tools KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

17. Naya has been handed a hard drive to begin a forensic examination. It is not a new hard drive; it is from a case that is a few years old. Naya erases the hard drive but does not wipe it (overwrite every sector with a known pattern, such as all zeros), so data from the old case may have survived the erasure. Naya's manager hears that opposing counsel wants to review the target drive. What is the possible outcome of opposing counsel's review of Naya's target drive?
a. Commingling of previous case data can lessen or discredit Naya's work.
b. Wiping the target drive should be enough to prevent commingling of data.
c. The jury will understand that recovered data is unrelated to the case.
d. Previous case files cannot be admitted as evidence, so they are not important.
ANSWER: a
RATIONALE: If opposing counsel finds commingled data from a previous case, they can use it to lessen or discredit Naya's work during a hearing or trial. Simply deleting files leaves their contents on disk; only a full overwrite of the target drive, verified before use, removes the old data.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.4 - Explain how to use acquisition tools TOPICS: Using Acquisition Tools KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

18. Rumi is acquiring a 4 TB drive from a Windows computer. She wipes her target drive and then needs to format it. What file system should Rumi use on a 4 TB target drive?
a. exFAT
b. FAT32
c. NTFS
d. HFS+
ANSWER: c
RATIONALE: Since the drive is over 32 GB and will be used from a Windows machine, Rumi should use NTFS. Windows will not format a FAT32 volume larger than 32 GB, and FAT32 also caps individual files at 4 GB, which an image file can easily exceed.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.4 - Explain how to use acquisition tools TOPICS: Using Acquisition Tools KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

19. Hector is validating digital evidence using a hashing algorithm utility that creates a binary or hexadecimal number that represents the uniqueness of the data set. Because it is unique, this binary or hexadecimal number is often referred to as a "digital fingerprint."
a. True
b. False
ANSWER: a
RATIONALE: The binary or hexadecimal number that represents the uniqueness of a data set is often referred to as a digital fingerprint. If any alteration is made to the file, even a single bit, the fingerprint (hash value) changes, which is what lets an examiner prove that an image still matches the drive it was taken from.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.5 - Describe how to validate data acquisitions TOPICS: Validating Data Acquisitions KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

20. Wendy is using Linux and needs to split a nonsegmented volume (a single continuous block of storage) into multiple segmented volumes. What command will Wendy use?
a. dcfldd
b. dc3dd
c. dd
d. splt
ANSWER: c
RATIONALE: Wendy uses the dd command. With the bs, skip, and count operands, dd copies one fixed-size slice of the source per invocation, so running it with an advancing skip value writes the nonsegmented volume out as a series of segmented volumes. dcfldd and dc3dd are forensic variants of dd that add built-in hashing and split output, and "splt" is not a Linux command (the standard utility is split).
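The dd technique from question 20, together with the hash validation of question 19, as an added shell example that is not from the test bank or the textbook: it splits a constructed sample volume into fixed-size segments using dd's bs, skip and count operands, proves the segments reassemble to the original by comparing SHA-256 hashes, and shows that a single altered byte in one segment breaks the match. It assumes a POSIX shell with dd, sha256sum, seq and mktemp; the 256 KiB segment size and the sample size are arbitrary choices for the example.

```shell
#!/bin/sh
# Added example (not from the test bank): segment a nonsegmented image
# with dd, then validate the segments against the source by hash.
# Assumes POSIX sh with dd, sha256sum, seq and mktemp.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SEG_BYTES=262144    # 256 KiB per segment (arbitrary choice for the example)

# Constructed sample volume: 1 MiB + 100 bytes, deliberately not a multiple
# of the segment size so the last segment comes out short, as it usually
# does with real drives.
make_volume() {
    seq 1 200000 | head -c 1048676 > "$WORK/volume.dd"
}

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Write segment n of $src: bs=SEG_BYTES with count=1 copies exactly one
# segment-sized block, and skip=n moves the input offset n whole segments
# forward. Repeating with n = 0, 1, 2 ... yields the segmented volumes.
# Prints the number of segments written.
split_image() {
    src=$1
    rm -f "$WORK"/segment.*
    total=$(wc -c < "$src" | tr -d ' ')
    n=0
    while [ $((n * SEG_BYTES)) -lt "$total" ]; do
        out=$(printf '%s/segment.%03d' "$WORK" "$n")
        dd if="$src" of="$out" bs="$SEG_BYTES" skip="$n" count=1 2>/dev/null
        n=$((n + 1))
    done
    echo "$n"
}

# Validation: the segments concatenated in order must hash to the same
# value as the source. Returns 0 on match, 1 on mismatch.
verify_segments() {
    src=$1
    orig=$(sha256_of "$src")
    joined=$(cat "$WORK"/segment.* | sha256sum | cut -d' ' -f1)
    [ "$orig" = "$joined" ]
}

# 1,048,676 bytes at 262,144 per segment: 4 full segments plus 1 short one.
segment_count() {
    make_volume
    split_image "$WORK/volume.dd"
}

# Happy path: the segments reassemble to the original.
segments_verify() {
    make_volume
    split_image "$WORK/volume.dd" > /dev/null
    verify_segments "$WORK/volume.dd"
}

# One byte changed in the third segment (the sample never contains 'X'),
# as a faulty target drive might do: validation must fail.
segments_detect_tamper() {
    make_volume
    split_image "$WORK/volume.dd" > /dev/null
    printf 'X' | dd of="$WORK/segment.002" bs=1 seek=10 conv=notrunc 2>/dev/null
    if verify_segments "$WORK/volume.dd"; then
        return 1
    fi
    return 0
}

# Stand-alone run.
echo "segments written: $(segment_count)"
if segments_verify; then echo "segments verify against source"; fi
if segments_detect_tamper; then echo "altered segment detected"; fi
```

On a real acquisition the source would be the block device behind a write blocker rather than a file, the segment size would be chosen to fit the target media, and the hash of each segment would be recorded individually as well as the hash of the whole, so that a later mismatch can be localized to one segment.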

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.5 - Describe how to validate data acquisitions TOPICS: Validating Data Acquisitions KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

21. Gabriela has just received a previously examined hard drive that has already been hashed. Before she continues her part of the examination, she uses Autopsy to calculate a new hash and discovers that the two hashes are not the same. What does Gabriela's finding prove about the evidence?
a. The evidence is tainted and can't be used.
b. The evidence is not affected.
c. The evidence may be affected, but it needs to be examined.
d. It doesn't matter if the hashes don't match.
ANSWER: c
RATIONALE: Gabriela must take this evidence to an examiner who will determine what the differences are and how they may affect the case. A hash mismatch proves only that something changed, not what or why; a change does not automatically eliminate the evidence, but it must be identified, documented, and explained.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.5 - Describe how to validate data acquisitions TOPICS: Validating Data Acquisitions KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

22. Lily is attempting to recover deleted data from an SSD. The problem is that periodic maintenance functions performed by the SSD make it harder to recover deleted data, so Lily needs to acquire the data as soon as possible after it has been deleted. What combination of maintenance functions in SSDs creates problems for physical acquisition?
a. Marshaling
b. TRIM
c. Garbage collection
d. Wear leveling
ANSWER: b, c, d
RATIONALE: Wear leveling, garbage collection, and TRIM all extend the useful life of an SSD by managing how memory cells are allocated and erased. The side effect is that the drive can physically erase unallocated cells on its own schedule, so deleted data becomes less recoverable the longer the drive stays powered.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.5 - Describe how to validate data acquisitions TOPICS: Validating Data Acquisitions KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

23. Lukas' company, Lynx International, has just received its first forensic case requiring knowledge of SSD technology. Lukas knows how magnetic disks record data, but he is not quite sure how NAND flash memory works. How does magnetic disk storage work versus SSD storage?
a. Magnetic disks record data on tracks
b. SSDs (NAND) use an array of memory cells
c. Magnetic disk memory is organized into blocks
d. SSDs use volatile memory cells
ANSWER: a, b
RATIONALE: HDDs record data magnetically on concentric tracks on the platter surfaces, whereas NAND flash memory stores data in an array of non-volatile memory cells, grouped into pages and blocks, that must be erased a block at a time before they can be rewritten.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.5 - Describe how to validate data acquisitions TOPICS: Validating Data Acquisitions KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

24. Donna has just run an image of an SSD through Autopsy to get a hash value and then placed the SSD into evidence storage. However, when she took the SSD out of storage, the drive's periodic maintenance functions had erased unallocated areas, altering the hash value. What should Donna do to avoid this error in the future?
a. Disable the wear leveling function
b. Disable the garbage collection function
c. Disable the TRIM function
d. Disable the block function
ANSWER: c
RATIONALE: Donna should disable the TRIM function for all SSD devices that are placed into evidence. TRIM is a command that the host operating system sends to the drive, so in practice this means never attaching an evidence SSD to a system that can issue it: acquire through a hardware write blocker and record the hash at acquisition time. Garbage collection runs in the drive's own firmware whenever the drive has power and cannot be switched off from the host, which is why the hash of the image taken at acquisition, rather than a later re-hash of the physical device, is the reference value.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.5 - Describe how to validate data acquisitions TOPICS: Validating Data Acquisitions KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

25. Beatriz is examining a Windows NT server and discovers a RAID array. What version of RAID did Beatriz find?
a. RAID 0 or 1
b. RAID 2 or 5
c. RAID 3 or 4
d. RAID 6 or 10
ANSWER: a
RATIONALE: Beatriz is examining a Windows NT server, and therefore RAID 0 or 1 is the available option.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.6 - Describe RAID acquisition methods TOPICS: Performing RAID Data Acquisitions KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

26. Kamau is acquiring data from a RAID array. He knows that RAID 3 and RAID 5 are similar in that both can use a minimum of three disks. However, Kamau finds that the main difference between RAID 3 and RAID 5 is how parity is handled. How is parity stored in a RAID 3 and a RAID 5 array?
a. RAID 3 keeps all parity on a single dedicated disk.
b. RAID 5 distributes parity across all disks in the array.
c. RAID 3 distributes parity across all disks in the array.
d. RAID 5 keeps all parity on a single dedicated disk.
ANSWER: a, b
RATIONALE: Kamau finds that RAID 3 stripes data across the data disks and writes all parity to one dedicated parity disk, whereas RAID 5 stripes both data and parity across every disk in the array. When a disk in a RAID 5 array is damaged, a new disk can be added and its contents rebuilt from the existing drives using the parity data.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.6 - Describe RAID acquisition methods TOPICS: Performing RAID Data Acquisitions KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

27. Imani is trying to acquire data from a RAID array of over 200 TB. Imani decides there is too much data on the RAID and that it is best to retrieve only the data relevant to the investigation. Since a live acquisition is out of the question due to size constraints, what acquisition types are practical solutions in this case?
a. Mini
b. Full
c. Sparse
d. Logical
ANSWER: c, d
RATIONALE: Imani decides to retrieve only the data relevant to the investigation, so she uses a sparse or logical acquisition method.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.6 - Describe RAID acquisition methods TOPICS: Performing RAID Data Acquisitions KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

28. Albert is examining a hard drive and discovers there are many bad sectors on the drive. Which forensic tool does Albert decide to use for this problem?
a. ASR Data SMART
b. ILookIX IXImager
c. PassMark Software OSForensics OSFClone
d. RunTime Software DiskExplorer
ANSWER: a
RATIONALE: Albert uses the ASR Data SMART forensics tool because it has robust data-reading capabilities for drives with bad sectors.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.7 - List other forensics tools available for data acquisitions TOPICS: Using Other Forensics Acquisition Tools KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

29. Quinn has been sent into the field to examine several Windows 10 laptops and acquire their data. He can choose from several commercial forensics tools, but he is limited in the bootable media he can use. What form of media should Quinn take with him that is almost always available on today's modern laptops?
a. Thumb drive
b. CD
c. FireWire
d. SCSI
ANSWER: a
RATIONALE: USB ports are almost universal on modern laptops, whereas optical drives are rarely built in anymore. So it is in Quinn's best interest to bring a bootable USB thumb drive.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.7 - List other forensics tools available for data acquisitions TOPICS: Using Other Forensics Acquisition Tools KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

30. Lia's next forensics acquisition is a tough one. She cannot go into the client's office and remove the data from the source computer. Lia decides to use X-Ways Imager. In this situation, what makes X-Ways Imager the best tool for Lia to use?
a. X-Ways can clone a network computer's drives.
b. X-Ways can connect to a network computer's drives.
c. X-Ways can quickly acquire data from a remote-connected computer.
d. X-Ways can quickly acquire data from connected SCSI drives.
ANSWER: c
RATIONALE: Lia's best option is X-Ways Imager because it can quickly acquire data from a remotely connected computer.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.4.7 - List other forensics tools available for data acquisitions TOPICS: Using Other Forensics Acquisition Tools KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:08 PM DATE MODIFIED: 4/19/2024 2:08 PM

Mod 05: Processing Crime and Incident Scenes

1. Aida is dealing with digital records, so she should be familiar with the concept of hearsay. What is hearsay?
a. Hearsay is a statement made while testifying by the actual witness to the event.
b. Hearsay is a statement made while testifying by someone other than the actual witness to the event.
c. Hearsay is a statement made by opposing counsel to the witness regarding the event.
d. Hearsay is another word for gossip.
ANSWER: b
RATIONALE: Hearsay is a statement made while testifying by someone other than an actual witness to the event.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.5.1 - Explain how to identify digital evidence TOPICS: Identifying Digital Evidence KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:09 PM DATE MODIFIED: 4/19/2024 2:09 PM

2. Hadar is examining a suspect's drive and discovers business records on it. Some records will fall under the hearsay rule, and some will not. Which records does Hadar know will fall under the hearsay rule?
a. Social media posts
b. Customer reviews
c. Text messages
d. Bookkeeping records
ANSWER: d
RATIONALE: Hadar knows that the bookkeeping records are hearsay, but that the business-records exception to the hearsay rule applies to them. The recorded entries of expenses, profits and losses, and payroll made by the bookkeeper are considered a regular practice of that business, which is what the exception requires.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.5.1 - Explain how to identify digital evidence TOPICS: Identifying Digital Evidence KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:09 PM DATE MODIFIED: 4/19/2024 2:09 PM

3. Liron is categorizing digital records by dividing them into computer-generated records and computer-stored records. He finds several different file types. Which file types does Liron consider computer-stored records?
a. System log files
b. Spreadsheets
c. Proxy server logs
d. Word processing documents
ANSWER: b, d
RATIONALE: Liron puts data that people create, such as spreadsheets and word processing documents, into the category of computer-stored records. System log files and proxy server logs are produced by the computer itself and fall into the computer-generated category.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.5.1 - Explain how to identify digital evidence TOPICS: Identifying Digital Evidence KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:09 PM DATE MODIFIED: 4/19/2024 2:09 PM

4. Sarah was examining a Word file to determine the author of that document. To determine authorship, Sarah examined the document's metadata. What information did Sarah find in the metadata?
a. Author/owner name
b. File size
c. File format
d. Create date
ANSWER: a, d
RATIONALE: The metadata can contain the author/owner's name as well as the creation date of the document. File size and file format do not help establish authorship.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.5.1 - Explain how to identify digital evidence TOPICS: Identifying Digital Evidence KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:09 PM DATE MODIFIED: 4/19/2024 2:09 PM 5. Ezra is in the process of making a bit-stream copy of a suspect disk to a target disk. This first bit-stream copy

is fine, but while attempting a second copy, a head crash occurs making the original disk unusable. Now, Ezra has one successful copy. What happens to Ezra's evidence now? a. Ezra's first successful copy becomes secondary evidence. b. Ezra's first successful copy is still considered best evidence. c. The attorney does not need to get involved since the copy is still considered best evidence. d. The attorney must explain to the judge the issue that resulted in the loss of the original evidence. ANSWER:

a, d

RATIONALE: Ezra's first copy becomes secondary evidence, and the attorney must be able to explain to the judge that circumstances beyond the examiner's control resulted in the loss of the original evidence.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.1 - Explain how to identify digital evidence
TOPICS: Identifying Digital Evidence
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

6. Orson is the new compliance officer for FoxTrot Inc. He wants to let employees know they do not have an expectation of privacy when using company assets. What steps should Orson take so employees know this policy?
a. Display a warning banner
b. Tell each employee
c. Create a well-defined company policy
d. Send a companywide email
ANSWER: a, c
RATIONALE: Orson must have a warning banner displayed on every computer and have a well-defined company policy stating that the employer has the right to examine, inspect, or access any company-owned digital assets at any time.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.2 - Describe how to collect evidence at private-sector incident scenes
TOPICS: Collecting Evidence at Private-Sector Incident Scenes
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

7. Olivia has been hired to determine if there has been any illegal activity at OrangeThorpe Limited. She's found enough evidence to meet the criteria for a search warrant. The police instruct her to gather additional evidence without obtaining a search warrant first. Why is it wrong for Olivia to gather evidence without the police obtaining a search warrant first?
a. Olivia runs the risk of becoming an agent of law enforcement.
b. Olivia runs the risk of being sued.
c. Olivia runs the risk of violating the Fifth Amendment.
d. Olivia runs the risk of violating the First Amendment.
ANSWER: a

RATIONALE: Olivia runs the risk of becoming an agent of law enforcement.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.2 - Describe how to collect evidence at private-sector incident scenes
TOPICS: Collecting Evidence at Private-Sector Incident Scenes
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

8. Charlotte discovers that her lead engineer on a revolutionary new router has also been collecting contraband on their hard drive. In collecting the contraband on the same drive as the company's intellectual property (IP), they have commingled it with the company's confidential design plans. What problems must Charlotte deal with on discovering this contraband evidence?
a. Charlotte must delete the contraband evidence.
b. Charlotte must report the crime to the police.
c. Charlotte must protect her company's sensitive information.
d. Charlotte must ask the lead engineer to remove the contraband evidence.
ANSWER: b, c
RATIONALE: Charlotte must first report the crime to the police and second protect sensitive company information.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.2 - Describe how to collect evidence at private-sector incident scenes
TOPICS: Collecting Evidence at Private-Sector Incident Scenes
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

9. Ava discovers that Mark, an employee at her company, has been accused of using company resources to start his own business. Ava has been asked to investigate by the human resources department to determine if Mark should be prosecuted. During the investigation, it was determined that Mark is sending emails, creating logos, and sending flyers. What conclusion can Ava draw from this investigation?
a. Mark is misusing company assets, and it is therefore an internal civil matter.
b. Mark is misusing company assets, and it is therefore an external criminal complaint.
c. Mark is stealing intellectual property, and it is therefore an external criminal complaint.
d. Mark is borrowing intellectual property, and it is therefore an internal civil matter.
ANSWER: a
RATIONALE: Mark is only breaking company policy and misusing company assets. Therefore, Ava considers this an internal civil matter.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.2 - Describe how to collect evidence at private-sector incident scenes
TOPICS: Collecting Evidence at Private-Sector Incident Scenes
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

10. William recently started at a new organization that was not security savvy. There were no warning banners on the network. When William conducted an audit of the network drives, he found that employees had personal files, private programs, and network tools on the drives. Those files, programs, and tools need to be deleted. But since there were no warning banners, company employees believe they have an expectation of privacy. What must William do before he purges the network drive of all non-company files?
a. William must write a well-defined policy statement that the employer has the right to examine or access all company-owned digital assets, have an attorney check it, and then have employees sign it.
b. William must place warning banners on all the network hosts stating that the employer has the right to inspect digital assets at will.
c. William must give employees a set amount of time to remove their files from network drives before purging the files.
d. William can start purging files immediately. He doesn't have to give any notice or warning.
ANSWER: a, b, c
RATIONALE: Since the company did not have any policies in place, William must first publish a policy and warning banners regarding the rights of the company to inspect all digital assets. He must also give employees time to remove their files before he purges everything from the network drives.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.2 - Describe how to collect evidence at private-sector incident scenes
TOPICS: Collecting Evidence at Private-Sector Incident Scenes
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

11. Benjamin is searching a suspect's drive and recovers emails, pictures, and documents unrelated to the case. What type of information has Benjamin discovered?
a. Guilty information
b. Innocent information
c. Incomplete information
d. Limited information
ANSWER: b

RATIONALE: Benjamin has discovered innocent information, which is information not related to the case.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.3 - Explain guidelines for processing law enforcement crime scenes
TOPICS: Processing Law Enforcement Crime Scenes
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

12. Noah, a police officer with the Shiloh Sheriff's Department, was at the location of an alleged drug dealer (he had a warrant) when he sees unopened Amazon boxes. Noah seizes these boxes as evidence of another crime. Under what doctrine is Noah allowed to seize the Amazon boxes?
a. Inadvertent discovery doctrine
b. Open eyes doctrine
c. Plain view doctrine
d. Warrantless doctrine
ANSWER: c
RATIONALE: Noah's discovery of the Amazon boxes falls under the plain view doctrine since they were in his direct line of sight.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.3 - Explain guidelines for processing law enforcement crime scenes
TOPICS: Processing Law Enforcement Crime Scenes
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

13. Grayson is a digital forensics expert with the Mendocino County Sheriff's Department. He's been called in on an illegal drug operation that involves computers (they have a warrant). On examination of the computers, Grayson finds an image of child pornography on the screen. In this case, plain view doctrine can be applied, but only narrowly. What is Grayson allowed to do in this situation?
a. Grayson may seize the specific photo, copied from the computer to external media.
b. Grayson may examine the computer for additional contraband without an additional warrant.
c. Grayson may seize the computer and copy the entire hard drive.
d. Grayson must stop looking for evidence altogether.
ANSWER: a
RATIONALE: Grayson may only seize the specific photo by copying it from the computer to external media until another warrant has been issued.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.3 - Explain guidelines for processing law enforcement crime scenes
TOPICS: Processing Law Enforcement Crime Scenes
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

14. Leo is an attorney for Xenon Corporation and must see a judge about an employee whose case has turned into a criminal complaint. Because the employee commingled intellectual property with contraband, he is asking the judge to allow the police to separate innocent information from the contraband. What is Leo asking the judge to issue?
a. A limited warrant
b. An innocent information declaration
c. A limiting phrase
d. A commingled phrase
ANSWER: c
RATIONALE: Leo is asking the judge to issue a limiting phrase to the warrant, which allows the police to separate innocent information from the evidence.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.3 - Explain guidelines for processing law enforcement crime scenes
TOPICS: Processing Law Enforcement Crime Scenes
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

15. Jack has drawn up a warrant for the house at the corner of 1st and Main Street. But the judge who is asked to sign the warrant says that the address is too vague. Jack says, "But it's the house on the corner." The judge refuses to sign and sends Jack away. Why would the judge refuse to sign Jack's warrant?
a. Jack did not specify an actual address in the warrant.
b. 1st and Main Street was the wrong location.
c. The color of the house was wrong.
d. There were no names listed as the occupants of the house.
ANSWER: a
RATIONALE: Jack did not include an actual address in the warrant.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False

LEARNING OBJECTIVES: Ceng.GuideForens.25.5.3 - Explain guidelines for processing law enforcement crime scenes
TOPICS: Processing Law Enforcement Crime Scenes
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

16. Emma is speaking to the complainant of a case involving email harassment. The suspect in this case is her boss. What is the term used for a suspect in an investigation?
a. Suspect of interest
b. Person of interest
c. Defendant
d. Informant of interest
ANSWER: b
RATIONALE: A suspect in an investigation is considered a person of interest.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.4 - List the steps in preparing for an evidence search
TOPICS: Preparing for a Search
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

17. Evelyn is a digital forensics investigator with the Humboldt County Sheriff's Department. The crime scene she is heading to isn't controlled, so she doesn't know what kinds of digital devices were used to commit the crime. Before heading out, Evelyn searches a specific resource. What resource is Evelyn searching through?
a. Hardware Database
b. Local Crime Statistics Database
c. Uniform Crime Report
d. Emerging Threats Report
ANSWER: c
RATIONALE: Evelyn looks through the Uniform Crime Report to see what devices, hardware, and software are being used to commit crimes in her area.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.4 - List the steps in preparing for an evidence search
TOPICS: Preparing for a Search
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

18. Camila is the lead on an investigation gathering evidence at a data center running high-end Linux servers, Oracle databases, and multiple RAID drives. Camila's expertise is in Windows servers. What must she do to make sure all evidence is collected correctly?
a. Hire experts with specialized knowledge of devices and software for the Linux servers, Oracle databases, and RAID drives
b. Use her team regardless of their knowledge base
c. Use the manuals that came with the software and hardware
d. Tell her department head she does not have the skills to do the job
ANSWER: a
RATIONALE: Camila will need to hire experts with knowledge of Linux servers, Oracle databases, and RAID drives to continue collecting evidence and complete the job correctly.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.4 - List the steps in preparing for an evidence search
TOPICS: Preparing for a Search
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

19. Hugo is a digital forensics technician from the Regent police station in North Greywood. He leaves the scene for a minute, and when he comes back, he notices a police detective from Genevieve Station touching the computer Hugo was working on. This detective is not a part of the investigation, and Hugo sees the detective tapping on the keyboard. What is the term used for personnel who are not part of the crime-scene processing team that have a compelling interest in seeing what's happening?
a. Looky-loo snooping
b. Thrill-seeking snooping
c. Amateur curiosity
d. Professional curiosity
ANSWER: d
RATIONALE: Professional curiosity refers to the motivation of law enforcement and other professional personnel to examine an incident scene to see what happened, even though they are not a part of the crime-scene processing team.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.5 - Describe how to secure a computer incident or crime scene
TOPICS: Securing a Digital Incident or Crime Scene
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM

DATE MODIFIED: 4/19/2024 2:09 PM

20. Pablo is examining a computer at a crime scene. He does not touch it. He is only taking pictures for now. He is worried that if he touches the keyboard, he may contaminate the evidence. What type of evidence is Pablo worried about contaminating?
a. Fingerprint evidence
b. DNA evidence
c. Digital evidence
d. Manual evidence
ANSWER: a, b
RATIONALE: Pablo may contaminate fingerprint and DNA evidence if he touches the keyboard.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.5 - Describe how to secure a computer incident or crime scene
TOPICS: Securing a Digital Incident or Crime Scene
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

21. Lunan is investigating James, an employee at Warner Group. His employer thinks he's writing a book on company time using company resources. Lunan must create a working copy of James' hard drive when he's not at his desk. What should Lunan do to prevent James from noticing anything is out of order when he returns to his desk?
a. Lunan should carefully remove the hard drive and replace it with the copy without disturbing anything.
b. Lunan should photograph the scene, measure the height of James's chair and record the position of items on his desk before replacing the hard drive with the copy.
c. Most people don't notice when things are moved on their desk, so Lunan doesn't have to be careful.
d. Lunan should replace his computer with another computer that has the copied hard drive in it.
ANSWER: b
RATIONALE: Lunan should photograph the scene, measure the height of the chair, record the position of items on the desk, and then replace the hard drive with a copy.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.6 - Explain guidelines for seizing digital evidence at the scene
TOPICS: Seizing Digital Evidence at the Scene
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

22. Gianna is at a crime scene, and before she begins her digital investigation, she must secure the perimeter. The next step is to catalog the scene. What are some of the steps Gianna must take to achieve this goal?
a. Take video and still recordings of the area around the computer and digital devices
b. Record the overall scene and then record details with close-up shots, including the back of the computers
c. Record the area around the computer, including the floor, ceiling, and all other access points
d. Unplug everything and take it back to the lab for further examination
ANSWER: a, b, c
RATIONALE: Gianna must take video and still recordings of the area surrounding the computers and digital evidence, record the overall scene including detailed close-ups of the backs of the computers, and record the area around the computers including the floor and ceiling as well as all other access points.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.6 - Explain guidelines for seizing digital evidence at the scene
TOPICS: Seizing Digital Evidence at the Scene
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

23. Tierra needs to archive a target drive. Her biggest concern is the lifespan of the storage medium. Which is the best storage medium that has the longest lifespan?
a. CD/DVD
b. Magnetic tape
c. SSDs
d. M-Disc
ANSWER: d
RATIONALE: Tierra should choose M-Disc. As of now, M-Disc has the longest lifespan of any storage medium, which the manufacturer states has a shelf life of over 1,000 years.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.7 - List procedures for transporting and storing digital evidence
TOPICS: Archival Storing and Transporting Digital Evidence
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

24. When transporting evidence to the lab, evidence must always be under surveillance and never out of sight of the evidence custodian.

a. True
b. False
ANSWER: a
RATIONALE: The security of digital evidence during transit requires protection from unauthorized access. The designated evidence custodian is responsible for ensuring that no one has access to the evidence during its transport to the lab.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.7 - List procedures for transporting and storing digital evidence
TOPICS: Archival Storing and Transporting Digital Evidence
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

25. The cyclic redundancy check (CRC) is considered the first forensic hashing algorithm.
a. True
b. False
ANSWER: b
RATIONALE: The first algorithm used for digital forensics was Message Digest 5 (MD5).

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.8 - Explain how to obtain a digital hash
TOPICS: Obtaining a Digital Hash
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

26. Rikku is new to the field of digital forensics. Her boss, Josephine, is discussing the rules of forensic hashes. What are the rules Rikku learns about regarding forensic hashes?
a. One cannot predict the hash value of a file or device.
b. No two hash values can be the same.
c. If anything changes in the file or device, the hash value must change.
d. Hash values are constant regardless of changes to the data.
ANSWER: a, b, c
RATIONALE: Rikku learns that there are three rules for forensic hashes: one cannot predict the hash value of a file or device, no two hash values can be the same, and if anything changes in the file or device, the hash value must change.

POINTS: 1
QUESTION TYPE: Multiple Response

HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.8 - Explain how to obtain a digital hash
TOPICS: Obtaining a Digital Hash
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

27. Sakura is reviewing the latest hash values on a byte-by-byte copy she just made. She suspects a collision has occurred. What can Sakura do to determine if the hash values are the same between the original and copied files?
a. Use the Windows ATTRIB command
b. Use the MS-DOS comp command
c. Use the Linux/UNIX diff command
d. Use the Windows DIR command
ANSWER: b, c
RATIONALE: Sakura can use the MS-DOS comp command or the Linux/UNIX diff command to verify that the bytes are identical between the original and copied data.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.8 - Explain how to obtain a digital hash
TOPICS: Obtaining a Digital Hash
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

28. Akari works for the Overland Group and oversees Employee Compliance. She is monitoring an employee for potential abuse of company resources. What type of surveillance is Akari performing?
a. Overt surveillance
b. Covert surveillance
c. Inverted surveillance
d. Exterior surveillance
ANSWER: b
RATIONALE: Akari is performing covert surveillance, as employees are being monitored for potential abuse of her organization's resources.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.9 - Understand employee compliance investigations
TOPICS: Employee Compliance Investigations
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM

DATE MODIFIED: 4/19/2024 2:09 PM

29. Reynaldo is implementing covert surveillance on an employee. He's planning on using a keylogger remotely. What will Reynaldo need to do to prevent the keylogger transmissions from being detected?
a. The firewall utility will need to be turned off.
b. Firewall utilities ignore this type of transmission, so nothing needs to be done.
c. The firewall utility will need to be reconfigured.
d. The firewall utility will need to be removed.
ANSWER: c
RATIONALE: Reynaldo will have to reconfigure the firewall to allow the keylogger to transmit data without triggering an alert.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.9 - Understand employee compliance investigations
TOPICS: Employee Compliance Investigations
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

30. Niko is setting up monitoring tools to record a suspect's activity in real time. There are multiple types of tools she can use. Right now, she needs to concentrate on the company network. What type of tool does Niko need?
a. Keylogger
b. Sniffer
c. Port scanner
d. Dongle
ANSWER: b
RATIONALE: Niko needs to use a network sniffer to watch data transmissions between the suspect's computer and the network server.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.5.9 - Understand employee compliance investigations
TOPICS: Employee Compliance Investigations
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

Mod 06: Working with Microsoft File Systems and the Windows Registry

1. Lucia is taking her first test in computer forensics at Seminole College. The first question is regarding how a file system works. How does Lucia answer this question?
a. A file system provides an operating system with a road map to data on a disk.
b. A file system only holds the data on a disk.
c. A file system only holds the operating system.
d. A file system only holds the registry files.
ANSWER: a
RATIONALE: Lucia's correct answer is that a file system provides an operating system with a road map to data on a disk.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.1 - Explain the purpose and structure of file systems
TOPICS: Understanding File Systems
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

2. Geometry is one of the concentric circles on a disk platter where data is located.
a. True
b. False
ANSWER: b
RATIONALE: Geometry refers to a disk's logical structure of platters, tracks, and sectors.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.1 - Explain the purpose and structure of file systems
TOPICS: Understanding File Systems
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

3. Santiago is examining his first magnetic hard drive as a forensics examiner. What are some of the components that make up a hard drive? Choose all that apply.
a. Tracks
b. Cylinders
c. Sectors
d. Trusted platform module
ANSWER: a, b, c
RATIONALE: Tracks, cylinders, and sectors are all components of a mechanical hard drive. The trusted platform module is located on the motherboard.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.1 - Explain the purpose and structure of file systems
TOPICS: Understanding File Systems
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

4. Sofia has a suspect's drive and a target drive. The target drive is a bit smaller in size than the suspect's drive, but both hold 500 MB of data. Sofia is puzzled. How can a smaller drive (in size) hold the same amount of data as a larger disk?
a. Cylinder skew
b. Zone bit recording (ZBR)
c. Areal density
d. Track density
ANSWER: b
RATIONALE: Grouping tracks by zone ensures that all tracks hold the same amount of data.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.1 - Explain the purpose and structure of file systems
TOPICS: Understanding File Systems
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

5. Martin is examining a logical block address using a HEX tool. He is examining an older operating system with a 10 TB drive. A logical block address (LBA) on a GUID partition table (GPT) drive is typically 4096 bytes. What happens when GPT is used with an older operating system?
a. The physical sector defaults to 512 bytes.
b. The physical sector remains at 4096 bytes.
c. The physical sector defaults to 1024 bytes.
d. The physical sector defaults to 2048 bytes.
ANSWER: a
RATIONALE: With an older operating system, the LBA on a GPT drive defaults to 512 bytes.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.1 - Explain the purpose and structure of file systems
TOPICS: Understanding File Systems
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

6. Maria's forensics department works on both PCs and Macintosh computers. She is looking for data on the logical partition volume on a Windows 11 PC (on the main disk). Since this is a newer computer, which partition scheme is she working with?
a. BIOS
b. GPT
c. MBR
d. CMOS
ANSWER: b
RATIONALE: Since Maria is working with a newer Windows 11 PC, she is using the GPT partition scheme. MBR can only be used for a second disk.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.1 - Explain the purpose and structure of file systems
TOPICS: Understanding File Systems
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

7. Lucas is analyzing a Windows 7 PC with a 2.0 TB disk drive. He needs to know if the disk drive uses a master boot record (MBR) partition scheme. Since Lucas is examining a 2.0 TB, is it possible that the disk is using MBR?
a. Original MBR can address up to 8 GB.
b. Redesigned MBR can address up to 2.2 TB of disk drive space.
c. Redesigned MBR can address up to 10 TB of disk drive space.
d. Original MBR can address up to 3.0 TB of disk drive space.
ANSWER: b
RATIONALE: The disk drive Lucas is examining can be using MBR since it was redesigned to handle up to 2.2 TB of disk drive space.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.6.1 - Explain the purpose and structure of file systems TOPICS: Understanding File Systems KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:09 PM Copyright Cengage Learning. Powered by Cognero.

DATE MODIFIED: 4/19/2024 2:09 PM

8. In Microsoft file structures, sectors are grouped to form a cluster, which is a storage allocation unit of one or more sectors.
a. True
b. False
ANSWER: a
RATIONALE: In Microsoft file structures, sectors are grouped to form a cluster, which is a storage allocation unit of one or more sectors.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.2 - Describe Microsoft file structures
TOPICS: Exploring Microsoft File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

9. Brooklyn is being tested by her new boss to see how much she knows about Microsoft file structures.
Brooklyn's boss asks her where a physical address is assigned on a hard drive. How does Brooklyn answer the question? Choose all that apply.
a. The physical address is assigned at the hardware level.
b. The physical address is assigned at the firmware level.
c. The physical address is assigned at the software level.
d. The physical address is assigned at the file level.
ANSWER: a, b
RATIONALE: The physical address is assigned at the hardware or firmware level.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.2 - Describe Microsoft file structures
TOPICS: Exploring Microsoft File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

10. In addition to the primary boot sectors having their own sector location on a disk drive, each partition
volume has its own boot sector. At what number can that boot sector be found?
a. 2
b. 3
c. 1
d. 0
ANSWER: d
RATIONALE: Each partition volume has its own boot sector at number 0.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.2 - Describe Microsoft file structures
TOPICS: Exploring Microsoft File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

11. Paisley is examining a forensically rendered target drive. She is looking for hidden partitions. Where can
Paisley look to find hidden partitions?
a. In the partition gap
b. In the cylinder
c. In a hidden file folder
d. Within the tracks
ANSWER: a
RATIONALE: Paisley can look inside the partition gap for hidden partitions.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.2 - Describe Microsoft file structures
TOPICS: Exploring Microsoft File Structures
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

12. Bryson already has three main partitions using an MBR partition table but needs two more partitions. How
does Bryson make two extra partitions?
a. Bryson needs one extended partition table.
b. Bryson creates a second extended partition table.
c. Bryson creates an extended partition table for each partition he needs.
d. Bryson creates a third extended partition.
ANSWER: a
RATIONALE: Bryson needs to create one extended partition table to create two additional partitions.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.2 - Describe Microsoft file structures
TOPICS: Exploring Microsoft File Structures
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

13. Kaydon wants to add an additional partition to his MBR drive so he needs to add it to an extended partition.
After he creates the partition, where does Kaydon look to find the partition table?
a. Kaydon must look in the first sector primary partition table.
b. Kaydon must look in the first sector of the extended partition.
c. Kaydon must look in the last sector of the extended partition.
d. Kaydon must look in the last sector primary partition table.
ANSWER: b
RATIONALE: If Kaydon adds an additional partition to an extended partition, then he must look in the first sector of the extended partition to find the partition table.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.2 - Describe Microsoft file structures
TOPICS: Exploring Microsoft File Structures
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

14. Dakota is examining an older double-sided floppy disk. He knows there are four or more sectors per cluster
on a hard disk, but how many sectors per cluster are there on an old double-sided floppy disk?
a. Two sectors per cluster
b. One sector per cluster
c. Three sectors per cluster
d. Six sectors per cluster
ANSWER: b
RATIONALE: There is one sector per cluster on an older double-sided floppy disk.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.2 - Describe Microsoft file structures
TOPICS: Exploring Microsoft File Structures
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

15. Calian is having a debate with his manager about which is better, the GPT utility or the MBR utility. They
each have their benefits, but Calian says GUID partition table (GPT) is the better utility. Why is Calian correct?
a. GPT can address up to 18 ZB (zettabyte) per partition.
b. GPT can address up to 18 EB (exabyte) per partition.
c. GPT can handle up to 18 TB (terabytes) per partition.
d. GPT can handle up to 18 GB (gigabytes) per partition.
ANSWER: b
RATIONALE: Calian is correct because GPT can address up to 18 EB per partition.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.2 - Describe Microsoft file structures
TOPICS: Exploring Microsoft File Structures
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

16. Anakin is examining a disk using the File Allocation Table (FAT) and is looking for the FAT database.
Where will Anakin locate the database on the disk?
a. The disk's outermost track
b. The disk's innermost track
c. The center disk track
d. Multiple disk tracks
ANSWER: a
RATIONALE: The FAT database is typically written to a disk's outermost track.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.3 - Explain the structure of FAT disks
TOPICS: Examining FAT Disks
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

17. Abey is investigating a drive for some hidden files. She discovers the files at the end of a cluster. What is the
unused space between the end of a file's contents and the end of a cluster called?
a. Sector slack
b. Drive slack
c. Disk slack
d. Cluster slack
ANSWER: b
RATIONALE: The unused space between the end of a file's contents and the end of a cluster is called drive slack.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.3 - Explain the structure of FAT disks
TOPICS: Examining FAT Disks
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

18. Chenoa is investigating a hard drive that uses the NTFS. In her opinion, NTFS is superior because it has a
journaling feature. What features make journaling helpful for the file system? Choose all that apply.
a. It takes notes of your actions.
b. It records a transaction before the system carries it out.
c. It allows the system to complete a transaction after an interruption to the system.
d. It keeps track of all network transactions.
ANSWER: b, c
RATIONALE: Journaling records a transaction before the system carries it out and also allows the system to complete a transaction after an interruption or to go back to the last good setting.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.4 - Explain the structure of NTFS disks
TOPICS: Exploring NTFS Disks
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

19. Isaac is trying to determine if there are alternate data streams on the hard drive that he is investigating. What
DOS command can Isaac use on the hard drive to determine if there are any alternate data streams?
a. dir /q
b. dir /s
c. dir /o
d. dir /r
ANSWER: d
RATIONALE: Isaac should use the dir /r command that displays alternate data streams of files.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.4 - Explain the structure of NTFS disks
TOPICS: Exploring NTFS Disks
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

20. Nathan recently discovered a breach at his office. It was determined that company information such as
employees' full names, date of birth, home addresses, and Social Security numbers had been stolen. What is that type of information called?
a. Personal identifiable information
b. Company identifiable information
c. Confidential personal identification
d. Personal confidential identification
ANSWER: a
RATIONALE: The information that was stolen is considered personally identifiable information (PII).
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.5 - Describe whole disk encryption
TOPICS: Understanding Whole Disk Encryption (WDE)
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

21. Naomi is examining a hard drive that's encrypted with BitLocker. Therefore, she knows that certain
requirements must be followed to decrypt the drive. What are some of those requirements? Choose all that apply.
a. A computer capable of running Windows Vista or later (Home Editions only)
b. A Trusted Platform Module (TPM) microchip, version 1.2 or newer
c. A computer BIOS compliant with Trusted Computing Group (TCG)
d. One NTFS partition for the operating system and an active system volume with available space
ANSWER: b, c
RATIONALE: Some of those requirements are a Trusted Platform Module microchip, version 1.2 or newer, and a computer BIOS compliant with Trusted Computing Group.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.5 - Describe whole disk encryption
TOPICS: Understanding Whole Disk Encryption (WDE)
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM
22. Shira is trying to examine a drive partition, but she can't. Encryption is blocking access to the partition. What must Shira do to decrypt the partition and allow her to examine it?
a. Reset the BIOS
b. Decrypt the whole drive
c. Decrypt the drive's boot sector
d. Move the hard drive to another computer
ANSWER: c
RATIONALE: In order to examine the partition, Shira must decrypt the drive boot sector.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.5 - Describe whole disk encryption
TOPICS: Understanding Whole Disk Encryption (WDE)
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

23. Talia is trying to decrypt a hard drive, but it isn't encrypted with BitLocker. What are some of the reasons a
hard drive can't be encrypted with BitLocker? Choose all that apply.
a. Talia is trying to decrypt a FAT drive.
b. The hard drive was encrypted with a third-party vendor encryption utility.
c. The hard drive doesn't have a TPM microchip.
d. The hard drive is too small.
ANSWER: a, b
RATIONALE: Talia could be trying to decrypt a FAT drive since BitLocker only encrypts or decrypts NTFS drives. Or the drive may be encrypted using a third-party WDE utility that is not BitLocker.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.5 - Describe whole disk encryption
TOPICS: Understanding Whole Disk Encryption (WDE)
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM
24. Francisco is an IT manager at a small hospital in Oregon. A new doctor started recently and decided to take their new laptop home to look over some files. So, they put their laptop in the car and drove off. They left the laptop in the car for only a few minutes, and when they came back the laptop had been stolen. Unfortunately, Francisco had not encrypted and password protected the doctor's laptop. What would be the most damaging information that could be stolen from the laptop?
a. Patient records
b. Email files
c. Website browser records
d. Their music play list records
ANSWER: a
RATIONALE: Patient records are usually uploaded to doctors' computers. These records are worth a lot of money to criminals and can also be held hostage (by ransomware) causing major damage to the hospital's workflow and reputation.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.5 - Describe whole disk encryption
TOPICS: Understanding Whole Disk Encryption (WDE)
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

25. Hilda has been asked to examine the suspect's computer registry for information that might be useful in her
company's latest investigation. Why is examining the registry important to Hilda's examination?
a. It's a database containing system and user information.
b. It's a database where data files are kept.
c. It's a database where only user information is kept.
d. It's a database where only system information is kept.
ANSWER: a
RATIONALE: Hilda is investigating the registry because it's the database containing system and user information that may contain important evidence.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.6 - Explain how the Windows Registry works
TOPICS: Understanding the Windows Registry
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

26. Joaquim is examining the registry in a recent Windows 10 acquisition and is looking for stored information
for the current logged-on user. Which key should Joaquim examine?
a. HKEY_LOCAL_MACHINE
b. HKEY_CURRENT_CONFIG
c. HKEY_USERS
d. HKEY_CLASSES_ROOT
ANSWER: c
RATIONALE: Since Joaquim is looking for information on the current logged-on user, the key he should be looking at is HKEY_USERS.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.6 - Explain how the Windows Registry works
TOPICS: Understanding the Windows Registry
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

27. Eloisa wants to find the security settings for a suspect's drive she just finished copying. Where would Eloisa
find this file?
a. Users\user-account\Ntuser.dat
b. Windows\system32\config\Default.dat
c. Windows\system32\config\SAM.dat
d. Windows\system32\config\Security.dat
ANSWER: d
RATIONALE: Eloisa will find the file at Windows\system32\config\Security.dat. This is where the computer's security settings are located.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.6 - Explain how the Windows Registry works
TOPICS: Understanding the Windows Registry
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

28. Ebony is a computer forensics technician at a crime scene. She finds a closed laptop on a desk that is in
hibernation mode. With her forensics tools in place, she needs to find evidence as quickly as possible. Where should Ebony look first?
a. Pagefile.sys
b. Recycle.Bin
c. Hiberfile.sys
d. Internet history files
ANSWER: c
RATIONALE: RAM data is volatile. When a computer is in hibernation mode, Windows writes all volatile data to RAM. So, Ebony should check Hiberfile.sys first as that is where recently used and created information will be stored.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.7 - Identify Windows artifacts
TOPICS: Windows Forensics Artifacts
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

29. Jada is examining $Recycling.Bin folder from a suspect's computer. How can the $Recycling.Bin folder be
helpful to Jada in finding evidence of a crime?
a. The $Recycling.Bin folder can contain deleted files that may show criminal activity.
b. The $Recycling.Bin folder can contain saved files that may show criminal activity.
c. The $Recycling.Bin folder can contain recently deleted drives that may show criminal activity.
d. The $Recycling.Bin folder can contain saved drives that may show criminal activity.
ANSWER: a
RATIONALE: The $Recycling.Bin folder can contain deleted files that may show criminal activity.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.7 - Identify Windows artifacts
TOPICS: Windows Forensics Artifacts
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM

30. Jabari discovers a deleted file named MyTextFile.txt. He wants to examine the metadata in the file. What is
some of the information Jabari could find in the deleted file? Choose all that apply.
a. File's permissions
b. Owner
c. Access times
d. Computer hardware information
ANSWER: a, b, c
RATIONALE: Some of the information Jabari could find in the metadata: the file's permissions, owner, and access times.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.6.7 - Identify Windows artifacts
TOPICS: Windows Forensics Artifacts
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:09 PM
DATE MODIFIED: 4/19/2024 2:09 PM
Mod 07: Linux and Macintosh File Systems

1. Linux is a UNIX system because it's UNIX certified.
a. True
b. False
ANSWER: b
RATIONALE: Linux is not UNIX certified and is therefore not technically a UNIX system.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.1 - Describe Linux file structures
TOPICS: Examining Linux File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

2. The core of Linux is called the kernel, and the core of Windows is called the seed.
a. True
b. False
ANSWER:
b
RATIONALE: The cores of both Linux and Windows are called the kernel.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.1 - Describe Linux file structures
TOPICS: Examining Linux File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

3. Destiny was trying to check the sudo version in Kali Linux, but nothing happened. She was typing sudo -v, but that did not work. Why wasn't Destiny getting a response to her command?
a. She was using incorrect syntax.
b. It was the wrong command.
c. Linux commands are case sensitive.
d. The command was incomplete.
ANSWER: c
RATIONALE: Destiny used the wrong case. Instead of sudo -v, she should have typed sudo -V. The "V" should have been capitalized.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.1 - Describe Linux file structures
TOPICS: Examining Linux File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

4. Ben needs to locate the machine name and the Linux kernel version number for a forensics examination he's
working on. What command should Ben use to find it?
a. uname -a
b. cat
c. grep
d. ~/my.log
ANSWER: a
RATIONALE: Ben should use uname -a to locate the machine name and Linux kernel version number.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.1 - Describe Linux file structures
TOPICS: Examining Linux File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

5. Kaley wants to find the IP addresses for the network interfaces attached to the computer she is working on.
What command should Kaley use?
a. pwd
b. whoami
c. sudo cat
d. ip addr
ANSWER: d
RATIONALE: To find the IP addresses for all the network interfaces attached to the computer Kaley is working on, she must use ip addr.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.1 - Describe Linux file structures
TOPICS: Examining Linux File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

6. One of the main design goals of the ext4 file system was that it was backwards compatible with ext2/ext3.
a. True
b. False
ANSWER: a
RATIONALE: One of the main design goals of the ext4 file system was that it was backwards compatible with ext2/ext3.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.1 - Describe Linux file structures
TOPICS: Examining Linux File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

7. In UNIX and Linux, disk drives, monitors, tape drives, network interface cards, system memory, and
directories are all considered to be files.
a. True
b. False
ANSWER: a
RATIONALE: In UNIX and Linux, everything is considered a file.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.1 - Describe Linux file structures
TOPICS: Examining Linux File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

8. The inode block contains the bootstrap code (instructions for startup). A UNIX/Linux computer has only one
boot block, on the main hard disk.
a. True
b. False
ANSWER: b
RATIONALE: An inode block contains the first data after the superblock. An inode is assigned to every file allocation unit.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.1 - Describe Linux file structures
TOPICS: Examining Linux File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

9. Devlin is searching for evidence in Linux by looking for bad blocks using Autopsy. He discovers inode 1 and
proceeds to examine it. What commands should Devlin use when examining inode 1 to safeguard the important information found there? Choose all that apply.
a. gke2fs
b. mke2fs
c. d2fsck
d. e2fsck
ANSWER: b, d
RATIONALE: Devlin should use mke2fs and e2fsck commands because they include safeguards that prevent the overwriting of important information that may be useful in an investigation.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.1 - Describe Linux file structures
TOPICS: Examining Linux File Structures
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

10. Navi is a Linux user that wants to add a new printer to the network. He logs in with his password, but he
finds he can't add a printer. Why can't Navi add a printer to his network? Choose all that apply.
a. Navi must log on as a root user (superuser).
b. Navi must change his password because his old one expired.
c. Navi is not an administrator so he cannot log on as a root user (superuser).
d. The printer does not work with his Linux network.
ANSWER: a, c
RATIONALE: Navi must either log on as a root user if he is allowed to or must have an administrator add the printer for him because he does not have administrator privileges.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.1 - Describe Linux file structures
TOPICS: Examining Linux File Structures
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM
11. Luna uses the command /dev/sda. Her friend Sally is looking over her shoulder and wants to know what that command means. Luna tells Sally that it's for device files that act as stand-ins for the devices they represent. So Sally asks Luna what /dev/sda represents. What does Luna say /dev/sda represents?
a. The first non-IDE disk drive on the system, usually the main hard drive.
b. The first IDE disk drive on the system, usually the second hard drive.
c. The last IDE disk drive on the system, usually the second hard drive.
d. The last non-IDE disk drive on the system.
ANSWER: a
RATIONALE: Luna tells Sally that /dev/sda is the first non-IDE disk drive on the system, usually the main hard drive.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.1 - Describe Linux file structures
TOPICS: Examining Linux File Structures
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

12. As a limitation of HFS, allocation blocks could store only one file that wastes storage capacity that could
have been used for other files.
a. True
b. False
ANSWER: a
RATIONALE: A limitation of HFS was that allocation blocks could store only one file, so that if a file was only 0.1 MB (100 KB), 31.9 MB of file storage was wasted.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

13. In Mac OS 9 and earlier, there could be multiple volumes on a floppy disk.
a. True
b. False
ANSWER: b
RATIONALE: In Mac OS 9 and earlier, a volume on a floppy disk was always the entire floppy.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

14. An allocation block is a group of consecutive logical blocks.
a. True
b. False
ANSWER: a
RATIONALE: An allocation block is a group of consecutive logical blocks.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

15. Jeremiah is new to macOS. He knows how file fragmentation is reduced on a Windows machine, but he is
not sure what the mechanism is on macOS. What is the best way to describe how to reduce fragmentation on macOS?
a. File fragmentation is reduced by using clumps, which is a group of contiguous allocation blocks.
b. File fragmentation is reduced by using clumps, which is a group of contiguous logical blocks.
c. File fragmentation is reduced by using lumps, which is a group of contiguous allocation blocks.
d. File fragmentation is reduced by using lumps, which is a group of contiguous logical blocks.
ANSWER: a
RATIONALE: In macOS, file fragmentation is reduced by using clumps. A clump is a group of contiguous allocation blocks. As a file increases in size, it occupies more of the clump. Volume fragmentation is kept to a minimum by adding more clumps to larger files.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

16. Irma is attempting to get an application to work on a macOS computer, but it does not work. What may be
the cause of this issue?
a. A bfile is missing.
b. A pfile is missing.
c. A gfile is missing.
d. An xfile is missing.
ANSWER: b
RATIONALE: The app Irma is trying to launch will not work if a pfile is missing.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

17. Timothy is attempting to examine a SQLite database found on a seized macOS computer. He heard about
the new macOS feature for examining a SQLite database called unified logging. Where can Timothy find that new feature? Choose all that apply.
a. /var/ap/diagnostics
b. /var/db/diagnostics
c. /var/dl/uuidtext
d. /var/db/uuidtext
ANSWER: b, d
RATIONALE: Timothy can find the new macOS feature in /var/db/diagnostics (where log files are stored) and /var/db/uuidtext, which includes three new utilities: log, log collect, and log show.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM
18. Veronica once used FileVault as her encryption method of choice, but soon found out there were some vulnerabilities that made it easy to crack. She then moved up to FileVault2 when Apple introduced it, which was an improvement over FileVault. What was the main vulnerability in FileVault, and why did FileVault2 become a better encryption option? Choose all that apply.
a. FileVault could have its master and recovery keys retrieved from RAM.
b. FileVault used 64-bit encryption to encrypt the whole disk.
c. FileVault2 used 128-bit AES encryption to encrypt the whole disk.
d. FileVault2 can encrypt individual files and folders.
ANSWER: a, c
RATIONALE: FileVault could have its master and recovery keys retrieved from RAM and used to crack encryption, and the improved FileVault2 allowed for full disk 128-bit AES encryption.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

19. Lindsey is trying to locate Keychain Access on a Mac OS 8.6 machine. These files are in a variety of places.
Where should Lindsey look to find the keychain files? Choose all that apply. a. /System/Keychains/Library b. /Keychains/Library c. /System/Library/Keychains d. /Library/Keychains ANSWER: RATIONALE:

c, d

Lindsey can find Keychain files in /System/Library/Keychains and /Library/Keychains. These locations can be helpful in locating what applications and files require passwords.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures TOPICS: Understanding Macintosh File Structures Copyright Cengage Learning. Powered by Cognero.

Page 8


Name:

Class:

Date:

Mod 07: Linux and Macintosh File Systems KEYWORDS: DATE CREATED: DATE MODIFIED:

Bloom's: Remember/Understand 4/19/2024 2:10 PM 4/19/2024 2:10 PM

20. Monty is new to the field of computer forensics. His boss, Sam, is testing him on macOS. When asked about Volume Bitmap, Monty confuses it with a description of an image bitmap. What is a Volume Bitmap?
a. A system application that tracks each block
b. The location where all system utilities reside
c. The location where boot block resides
d. The location where all information about a volume is stored
ANSWER: a
RATIONALE: The Volume Bitmap is a system application that tracks each block on a volume to determine which blocks are in use and which ones are available to receive data. It has information about the blocks' use but not about their content.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

21. Margo was asked to take a manual snapshot of a hard drive before a data-recovery procedure. Why are snapshots so important to data recovery?
a. A snapshot takes a "picture" of the file system at a point in time without incurring significant storage penalties.
b. A snapshot allows users to make identical copies of files without incurring significant storage penalties.
c. A snapshot takes a "picture" of metadata, so it is preserved to aid in crash protection.
d. A snapshot optimizes the file system for easy evidence collection.
ANSWER: a
RATIONALE: Snapshots are important to data recovery because they take a "picture" of the file system at a point in time without incurring significant storage penalties. As data changes, additional snapshots can be taken to reflect those changes, again without a significant storage penalty.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

22. Enrico was trying to mount and read an HFS device on a macOS computer, but he found that those functions were not supported. Why couldn't Enrico mount and read his HFS device?
a. Enrico was trying to mount and read using macOS Sierra 10.12.
b. Enrico was trying to mount and read using macOS High Sierra 10.13.
c. Enrico was trying to mount and read using macOS Catalina 10.15.
d. Enrico was trying to mount and read using macOS Mojave 10.14.
ANSWER: c
RATIONALE: Enrico was trying to mount and read an HFS device on an Apple computer running macOS Catalina 10.15, which had support for mounting and reading HFS devices removed.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

23. Grace is a Linux user and was about to examine a macOS computer for the first time. As with Linux, the first place she examines is the home directory. What does Grace find when she examines the home directory of the macOS computer?
a. Program files
b. Document files
c. No files
d. User files
ANSWER: c
RATIONALE: Unlike Linux, when Grace examines the home directory on the Apple computer, she will find there are no files in the home directory.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM
24. A tarball is a highly compressed program file containing one or more programs.
a. True
b. False
ANSWER: b
RATIONALE: A tarball is a highly compressed data file containing one or more files or directories and their contents.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.3 - Use Linux forensics tools
TOPICS: Using Linux Forensics Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

25. Farrell has decided to use the dc3dd command over the dd and dcfldd commands because it offers additional features specifically designed for computer forensics and data recovery purposes. What are some of the additional features found in the dc3dd command? Choose all that apply.
a. Enhanced hashing
b. Data verification
c. Data analysis
d. Error logging
ANSWER: a, b
RATIONALE: Farrell has decided to use the dc3dd command because some of its additional features are enhanced hashing and data verification.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.3 - Use Linux forensics tools
TOPICS: Using Linux Forensics Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

26. One of the dc3dd features can generate detailed logs that record information about the imaging process, including command-line options used, timing information, and verification results, which can be valuable for forensic investigations. This feature is called Forensic Logging.
a. True
b. False
ANSWER: a
RATIONALE: Forensic Logging can generate detailed logs that record information about the imaging process, including command-line options used, timing information, and verification results, which can be valuable for forensic investigations.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.3 - Use Linux forensics tools
TOPICS: Using Linux Forensics Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

27. Zuri prefers dc3dd because it offers the ability to give real-time information about the status of the imaging operation, including the amount of data copied, the transfer rate, and estimated time remaining. What is the name of that feature?
a. Progress output
b. Error handling
c. Progress reporting
d. Data verification
ANSWER: c
RATIONALE: Progress reporting gives real-time information about the status of the imaging operation, including the amount of data copied, the transfer rate, and estimated time remaining.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.3 - Use Linux forensics tools
TOPICS: Using Linux Forensics Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

28. Victor is a Windows user, so he is familiar with looking for files located in the Recycle Bin. However, he is new to macOS. When he looks into the recycle bin on the macOS desktop, what difference is there between the Windows and macOS files in the recycle bin?
a. Windows file names change; macOS file names retain the names they originally had.
b. Windows file names retain the names they had originally; macOS file names change.
c. Both Windows and macOS keep the same file names.
d. Both Windows and macOS have different file names.
ANSWER: a
RATIONALE: Windows file names change when they are put into the Recycle Bin; macOS file names are retained unchanged.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

29. Marla is examining an Apple computer. Under normal circumstances, she can take apart a computer to retrieve the hard drive, but with this Apple computer, she cannot. What are some of the reasons older Apple computers cannot have their hard drives removed? Choose all that apply.
a. Products may feature proprietary screws.
b. Older hard drives are not compatible with newer forensics technology.
c. Older Apple computers have nonstandard components.
d. Older Apple computers may have data encrypted with Apple's T2 Security Chip or the native Secure Enclave platform.
ANSWER: c, d
RATIONALE: The computer Marla is working on has nonstandard components and has data encrypted with Apple's T2 Security Chip. Although the computer may have proprietary screws, tool kits can be purchased containing the correct tools to remove the screws.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

30. Zev is in the process of conducting an acquisition on an Apple computer that has an M1 Pro processor. Before making the acquisition, what will Zev need to do? Choose all that apply.
a. Install Rosetta 2
b. Download FTK
c. Have the system administrator credential
d. Install Rosetta Stone
ANSWER: a, c
RATIONALE: Since Zev is conducting an acquisition on a computer that has an M1 family processor, he must install Rosetta 2 and have the system administrator password in order to examine the computer.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.7.2 - Describe Macintosh file structures
TOPICS: Understanding Macintosh File Structures
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

Mod 08: Media Files and Digital Forensics

1. Destiny is searching for digital photos that are in the Exchangeable Image File (Exif) format. What type of information can Destiny recover from photos using the Exif file format? Choose all that apply.
a. Latitude and longitude location
b. Date and time
c. Camera owner's name
d. Type of film being used
ANSWER: a, b
RATIONALE: Destiny can recover the latitude and longitude location as well as the date and time that the photo was taken. There are many other data points that can be collected as well.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.1 - Identify different types of media files
TOPICS: Media Files
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

2. Janos was using a hex editor and discovered a JFIF file. What file format is JFIF, and what is the corresponding beginning hexadecimal value and offset?
a. JPEG at hex value FFD8 starting at offset 1
b. JPEG at hex value FFE0 starting at offset 2
c. Exif JPEG at hex value FFE1 starting at offset 2
d. Exif JPEG at hex value FFE1 starting at offset 1
ANSWER: b
RATIONALE: Janos's JFIF file is in the JPEG format, which has the hex value FFE0 starting at offset 2.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.1 - Identify different types of media files
TOPICS: Media Files
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

3. Quentin was examining a Windows OS for trace evidence of videos on a drive he just acquired. There may still be evidence on the drive though the original files were deleted. It is not an image file, so what is Quentin looking for?
a. Database file
b. Text file
c. Spreadsheet file
d. Video player file
ANSWER: a
RATIONALE: Quentin is looking for thumbs.db, which is a database file.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.1 - Identify different types of media files
TOPICS: Media Files
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

4. Xavier is examining photos from a suspect's drive that were downloaded from a smartphone. The issue is that when the suspect downloaded the photos, he changed the format from jpeg to tif. As a forensics examiner, why should Xavier consider this to be a problem for his investigation?
a. The format change may have changed the image.
b. The metadata may not be reliable due to the format change from the original file type when transferred.
c. The format change may have corrupted the image.
d. The suspect erased the metadata before changing formats.
ANSWER: b
RATIONALE: The metadata may not be reliable due to the format change from the original file type when transferred. Therefore, image files found on a suspect computer's drive should be treated subjectively.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.1 - Identify different types of media files
TOPICS: Media Files
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

5. Elena is examining a hard drive and discovers several altered files. There are both legitimate and illegitimate reasons for altered files on a hard drive. What are they? Choose all that apply.
a. Compressed data to save space
b. Hide data from examination
c. Files containing computer program data
d. Files containing .exe programs
ANSWER: a, b
RATIONALE: The two reasons Elena would find altered files on a hard drive are to save space through compression (for storage or transmission) or to hide data from examination.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.2 - Summarize data compression and obfuscation
TOPICS: Data Compression and Obfuscation
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

6. Isabella finds a jpeg file on a hard drive and discovers that the image quality is bad. Although camera quality can affect image quality, what other issue can cause image quality with a jpeg to degrade?
a. JPEG files use lossy compression, and saving the file multiple times with different names removes bits of data, which reduces image quality.
b. JPEG files use lossy compression, and saving the file multiple times with the same name reduces image quality.
c. JPEG files require high-quality hardware in order to be viewed and printed properly.
d. JPEG data loss is not significant enough for the average user to ever notice. It takes special tools to tell there has been a degradation of quality.
ANSWER: a
RATIONALE: Isabella knows that JPEG files use lossy compression. If the file were saved multiple times with different names, each save would remove bits of data, which reduces the image quality.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.2 - Summarize data compression and obfuscation
TOPICS: Data Compression and Obfuscation
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

7. Jayden finds several saved web pages on a suspect's computer. They look like legitimate web pages, but this suspect is a known child pornographer, so the police are on the lookout for images and messages that might be in the suspect's possession. How does Jayden go about searching for this evidence?
a. Click on links on the website to see where they go
b. Look carefully at the website
c. Search the HTML source code for hidden text
d. Use a hex editor to find the hidden text
ANSWER: c
RATIONALE: Jayden should search the HTML source code for hidden text. The suspect can hide text messages within the source code that no one can see unless the source code is revealed.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.2 - Summarize data compression and obfuscation
TOPICS: Data Compression and Obfuscation
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

8. Gerald is a professor at a local community college. He is taking excerpts from his favorite authors to use as study material for his English class. He's going to use these excerpts under the fair use guidelines for educational purposes. He takes them to his local copy shop and pays for 40 copies of the handout he created. Does this handout violate the fair use guidelines?
a. Since Gerald is only using the handout for his class, it does not violate the fair use guidelines.
b. Since Gerald paid to have the handout printed for his class, it violates the fair use guidelines.
c. Since Gerald is only using excerpts and not the author's work in total, it does not violate the fair use guidelines.
d. Since Gerald is only using it for educational purposes, it does not violate the fair use guidelines.
ANSWER: b
RATIONALE: Because Gerald paid to have a commercial printer copy the handout, a copyright violation has occurred, and therefore the fair use guidelines have been violated.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.2 - Summarize data compression and obfuscation
TOPICS: Data Compression and Obfuscation
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

9. Edgar is researching the difference between lossless and lossy compression. If JPEG is lossy and GIF is lossless, how do JPEG and GIF differ in the way their data is represented?
a. The difference between GIF and JPEG is in how the data is represented after it is compressed.
b. The difference between GIF and JPEG is in how the data is represented after it is uncompressed.
c. There is no difference between GIF and JPEG in how the data is represented after it is uncompressed.
d. There is no difference between GIF and JPEG in how the data is represented.
ANSWER: b
RATIONALE: The difference between GIF and JPEG is in how the data is represented after it is uncompressed. GIF is lossless, so it produces an exact replica of the original data when uncompressed. JPEG is lossy, so it typically produces an altered replica of the data.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.2 - Summarize data compression and obfuscation
TOPICS: Data Compression and Obfuscation
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

10. Bit-shifting is the process of shifting one or more digits in a binary number to the left or right to produce a different value, changing the data from readable code to data that looks like binary executable code.
a. True
b. False
ANSWER: a
RATIONALE: Bit-shifting is the process of shifting one or more digits in a binary number to the left or right to produce a different value, changing the data from readable code to data that looks like binary executable code.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.3 - Define data-hiding techniques
TOPICS: Additional Data-Hiding Techniques
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

11. Salting passwords is the process of removing bits of a password and then hashing it. This alters the hash value, which makes cracking passwords more difficult.
a. True
b. False
ANSWER: b
RATIONALE: When salting passwords, extra (random) bits are added to the password before it is hashed. This alters the hash value, which makes cracking the password more difficult.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.3 - Define data-hiding techniques
TOPICS: Additional Data-Hiding Techniques
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

12. Edward is examining the disk space on a hard drive for evidence. He notices that there is a 10 MB gap between two partitions, but there is no assigned drive letter for that 10 MB. What could be the reason for there being no drive letter assigned?
a. The drive letter has been removed intentionally to hide data in that 10 MB of space.
b. The 10 MB space between the two partitions is normal.
c. The 10 MB space between the two partitions carries computer startup data.
d. The 10 MB of space is fragmented data and will be removed once the disk is defragmented.
ANSWER: a
RATIONALE: The drive letter for the 10 MB of space Edward found has been removed intentionally to hide data.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.3 - Define data-hiding techniques
TOPICS: Additional Data-Hiding Techniques
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

13. Audrey is examining a computer hard drive that uses the FAT file system. As she examines file clusters, she notices there are several bad clusters among the good ones. Are bad clusters important to Audrey in her forensic examination of the hard drive?
a. Bad clusters are eliminated as usable disk space. So, Audrey must only look in good clusters for evidence since only they can carry data.
b. Bad clusters can determine how many read/writes the disk has had in its lifetime.
c. Good clusters can be marked as bad to hide evidence of a crime.
d. All hard drives have bad clusters; it's a normal part of the manufacturing process.
ANSWER: c
RATIONALE: When Audrey finds bad clusters, she can use a disk editor to mark them as good and see if any data has been written to them. Bad clusters are effectively hidden from the OS, so they are a great place to hide evidence.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.3 - Define data-hiding techniques
TOPICS: Additional Data-Hiding Techniques
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

14. Darla has scoured social media for information on a suspect so that she can try and crack his computer password. How does examining social media help Darla with her attempt to crack a suspect's password?
a. Darla can use names of people, pets, and other data gathered from social media and add those to a brute force attack database.
b. Darla can use names of people, pets, and other data gathered from social media to guess the password or passphrase.
c. Darla can use names of people, pets, and other data gathered from social media to create a rainbow table.
d. Darla can use names of people, pets, and other data gathered from social media and add those to a dictionary (hybrid) attack database.
ANSWER: d
RATIONALE: Darla can insert names of people, places, pets, colors, and other unique words extracted from evidence and social media and add them to a dictionary to create a hybrid attack.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.3 - Define data-hiding techniques
TOPICS: Additional Data-Hiding Techniques
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

15. Steven is examining a hard drive that has a password-protected application that stores its passwords in the form of SHA passwords. What's the most time-saving way for Steven to try and crack these passwords without using a dictionary or brute-force attack?
a. Use a hybrid attack that uses known information from the suspect inserted into a dictionary.
b. Use known information such as favorite pets, family names, birthdates, and favorite colors taken from social media first since people tend to use what they know first.
c. Steven can create or download rainbow tables, which will reduce CPU demand and speed up the cracking process.
d. Steven can use multiple GPUs to work in tandem to speed up the cracking process.
ANSWER: c
RATIONALE: Steven can download or create rainbow tables. Since rainbow tables already contain hash values, no conversion from plaintext to hash value is necessary, which reduces CPU demands.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.3 - Define data-hiding techniques
TOPICS: Additional Data-Hiding Techniques
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

16. Ginger is examining image files. The trouble is that image file headers are complex and difficult to remember. What can Ginger do to make examining image files easier?
a. Use a hex editor and look carefully
b. Compare a known good image file header with that of a suspected altered file
c. Try using another digital forensics tool
d. Ask a more experienced member of the team for help
ANSWER: b
RATIONALE: Ginger should compare a known good image file header against that of a suspect file. Knowing what the good header looks like can help her spot differences in the altered header.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.4 - Explain how to locate and recover media files
TOPICS: Locating and Recovering Media Files
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

17. Recovering any type of file fragment is called salvaging, also known as carving, outside of North America.
a. True
b. False
ANSWER: b
RATIONALE: Recovering any type of file fragment is called carving, also known as salvaging, outside of North America.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.8.4 - Explain how to locate and recover media files
TOPICS: Locating and Recovering Media Files
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:10 PM
DATE MODIFIED: 4/19/2024 2:10 PM

Mod 08: Media Files and Digital Forensics 18. Maggie is examining a hard drive using a hex editor. She is looking for JPEG files. What label and

hexadecimal head value is she looking for to determine if it is a JPEG file? a. TIF, Hex value FFD9 b. JFIF, Hex value FFD8 c. GIF, Hex value FFD6 d. DOC, Hex value FFD2 ANSWER: RATIONALE:

b

Maggie will find JPEG files at the hexadecimal value of FFD8 and the label JFIF.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.8.4 - Explain how to locate and recover media files TOPICS: Locating and Recovering Media Files KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:10 PM DATE MODIFIED: 4/19/2024 2:10 PM 19. Paul is deciding on a forensics program for a data-carving extraction. What are some of the programs Paul

can choose from for this extraction? Choose all that apply. a. X-Ways Forensics b. OSForensics c. HxD d. Autopsy ANSWER: RATIONALE:

a, b

Paul can choose from X-Ways Forensics and OSForensics for the data-carving extraction. HxD and Autopsy are used to copy the known data patterns from the files he recovered and then will restore this information to view the file.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.8.4 - Explain how to locate and recover media files TOPICS: Locating and Recovering Media Files KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:10 PM DATE MODIFIED: 4/19/2024 2:10 PM 20. Alyssa is examining a hard drive, when she finds an image file extension she does not recognize. How

should Alysa proceed to find a solution to her file extension problem? a. Alyssa should rely on a hex editor to look for file extension types. b. Alyssa should ask for assistance from her coworkers. Copyright Cengage Learning. Powered by Cognero.

Page 9


Name:

Class:

Date:

Mod 08: Media Files and Digital Forensics c. Alyssa should use a search engine to do a general search for "file type" or "file format" to find

websites with the current information on a range of file extensions. d. Alyssa should look for other image file extensions first, before going back to the one she cannot recognize. ANSWER: RATIONALE:

c

Alyssa should use a search engine to do a general search for "file type" or "file format" to find websites with the current information on a range of file extensions.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.8.4 - Explain how to locate and recover media files TOPICS: Locating and Recovering Media Files KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:10 PM DATE MODIFIED: 4/19/2024 2:10 PM 21. Ursula needs to perform a data-carving task to recover graphic files from a suspect's drive. For this task to be

done, certain processes must be followed. What are the steps Ursula needs to take in the beginning phase of data carving these graphic files? a. Ursula adds what she thinks are the appropriate extensions to the recovered file. b. Ursula locates and exports all sectors of the fragmented file. c. Ursula determines the starting and ending cluster numbers for each fragmented group of sectors. d. Ursula using HxD, so she converts the starting and ending cluster addresses to the offset byte

positions. ANSWER: RATIONALE:

b, c, d

These are the first three steps when data carving: Ursula must locate and export all sectors of the fragmented file. Then Ursula determines the starting and ending cluster numbers for each fragmented group of sectors, and finally, since she is using HxD, she converts the starting and ending cluster addresses to the offset byte positions.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.8.4 - Explain how to locate and recover media files TOPICS: Locating and Recovering Media Files KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:10 PM DATE MODIFIED: 4/19/2024 2:10 PM

22. Jennifer is searching for JPEG files using the search string "FIF." Because it's part of the label name of the JFIF JPEG format, she also gets several false hits (false positives). How should Jennifer change her search string to reduce the number of false positives?
a. Change the string, so it uses IF for its label instead
b. Change the string, so it uses JF for its label instead
c. Change the string, so it uses the EXIF label
d. Change the string, so it uses the whole JFIF label
ANSWER: d
RATIONALE: Jennifer should change the string so it uses the whole JFIF label. This should decrease the number of false positives since it only includes the JFIF JPEG format.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.8.4 - Explain how to locate and recover media files TOPICS: Locating and Recovering Media Files KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:10 PM DATE MODIFIED: 4/19/2024 2:10 PM

23. Kyle is searching for image files on a suspect's drive that contains child pornography. He wants to make his job as simple as possible and automatically filter known good files from view. This list contains the hash values of illegal files. What is this database called?
a. Illegal File Filter
b. Known File Filter
c. File Database Filter
d. Illicit Data Filter
ANSWER: b
RATIONALE: AccessData has its own hashing database, Known File Filter (KFF), which filters known files from view and contains the hash values of known illegal files.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.8.5 - Explain digital evidence validation and discrimination techniques TOPICS: Digital Evidence Validation and Discrimination KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:10 PM DATE MODIFIED: 4/19/2024 2:10 PM

24. The process of building data sets of hashes of sectors from an original file, and then examining those sectors on a suspect's drive to see whether any other sectors match, is called block-wise hashing.
a. True
b. False
ANSWER: a
RATIONALE: Block-wise hashing is the process of building a data set of hashes of sectors from the original file, and then examining the sectors on the suspect's drive to see whether any other sectors match.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.8.5 - Explain digital evidence validation and discrimination techniques TOPICS: Digital Evidence Validation and Discrimination KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:10 PM DATE MODIFIED: 4/19/2024 2:10 PM

25. Digital forensics tools have no limitations in performing hashing, so using advanced hexadecimal editors is not necessary to ensure data integrity.
a. True
b. False
ANSWER: b
RATIONALE: Digital forensics tools do have some limitations in performing hashing, so using advanced hexadecimal editors is necessary to ensure data integrity.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.8.5 - Explain digital evidence validation and discrimination techniques TOPICS: Digital Evidence Validation and Discrimination KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:10 PM DATE MODIFIED: 4/19/2024 2:10 PM

26. Debbie loads an image file of copied data into a forensics tool and runs a SHA-1 hash. She then compares the copied data to the original and finds that the hashes do not match, and the forensic tool produces an error indicating the digital evidence has been corrupted. What's the first step Debbie must take to try and correct the hash error?
a. Debbie only needs to state in her report that the finding may not be accurate because the hash values do not match.
b. Debbie needs to examine the dd image even though it does not store the original hash value.
c. Debbie needs to create a new forensic image of the original data.
d. There's nothing Debbie can do; the evidence has been destroyed.
ANSWER: c
RATIONALE: Debbie needs to create a new forensic image of the original data and try again.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.8.5 - Explain digital evidence validation and discrimination techniques TOPICS: Digital Evidence Validation and Discrimination KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:10 PM DATE MODIFIED: 4/19/2024 2:10 PM

27. Sergio has just added a new forensics program to his suite of programs. Before he begins using the new program, he needs to verify the hash value database is up to date. How does Sergio ensure that his program's hash value database is up to date?
a. Sergio does not need to do anything. All forensics programs come with the latest updated file hash values.
b. Sergio should go to the NIST National Software Library and import the latest updated file hash values.
c. Sergio should go to the NIST National Software Library and import the latest updated known illegal file hash values.
d. Sergio should go to the NIST National Software Library and export the latest updated file hash values.
ANSWER: b
RATIONALE: Sergio should go to the NIST National Software Library and import the latest updated file hash values. Whenever a new program is installed, it is best to always download the latest updates and not rely on what is already installed. The newest hash files may not be installed.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.8.5 - Explain digital evidence validation and discrimination techniques TOPICS: Digital Evidence Validation and Discrimination KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:10 PM DATE MODIFIED: 4/19/2024 2:10 PM

28. Jeremiah is working at Zephyr forensics lab and is undertaking a private-sector investigation. Since this is not a criminal case, there are no warrants or subpoenas to specify what data can be recovered. How should Jeremiah build his examination plan?
a. Jeremiah's plan should only examine the evidence presented and not deviate from it.
b. Jeremiah's plan should only go as broad as the designated manager tells him to make the investigation.
c. Jeremiah's plan should be broad enough to encompass all relevant evidence, yet not so wide-ranging that he wastes his time and resources analyzing irrelevant data.
d. Jeremiah's plan needs to cast a wide net and examine everything available to him.
ANSWER: c
RATIONALE: Jeremiah's examination plan should be broad enough to encompass all relevant evidence, yet not so wide-ranging that he wastes his time and resources analyzing irrelevant data that is not going to help the case.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.8.6 - Describe an examination plan TOPICS: Examination Planning KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:10 PM DATE MODIFIED: 4/19/2024 2:10 PM

29. Maya is working with an attorney on an intellectual property theft case. She has recovered a lot of information, and now the attorney is asking for more due to some additional evidence that has been discovered. The investigation has now moved beyond the original description of the investigation because of unexpected evidence. Maya uses a term for this situation; what is it?
a. Investigation creep
b. Evidence creep
c. Scope creep
d. Project creep
ANSWER: c
RATIONALE: When the investigation expands beyond the original description because of unexpected evidence, the term for this situation is scope creep.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.8.6 - Describe an examination plan TOPICS: Examination Planning KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:10 PM DATE MODIFIED: 4/19/2024 2:10 PM

30. Naomi has been asked to work with Luna Corporation to determine if an employee has started his own business using company resources during work hours. In the process of examining the employee's computer, Naomi discovers evidence that the employee is running an online business from his workstation. Where would Naomi be looking to find evidence? Choose all that apply.
a. Temporary Internet files and Internet history
b. Windows registry files
c. Email program
d. System files
ANSWER: a, c
RATIONALE: Since the employee is under suspicion for starting his own online business on the side, Naomi is looking for unauthorized Internet use, such as temporary Internet files, Internet history, and email communication.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.8.6 - Describe an examination plan TOPICS: Examination Planning KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:10 PM DATE MODIFIED: 4/19/2024 2:10 PM

Mod 09: Virtual Machine Forensics and Live Acquisitions Forensics

1. Shani wants to run the newest version of Windows 11 and use Kali Linux on her computer. She has decided to use a hypervisor so she does not have to use a dual boot system. What type of hypervisor should Shani use?
a. Type 1 hypervisor
b. Type 2 hypervisor
c. Type 3 hypervisor
d. Type 4 hypervisor
ANSWER: b
RATIONALE: Shani should use a type 2 hypervisor as it rests on top of the existing OS, in this case Windows, and she will be able to access Kali Linux whenever she wants.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.1 - Describe virtual machines and virtual machine forensics TOPICS: An Overview of Virtual Machine Forensics KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

2. Sam is involved in an investigation of a virtual machine found on a suspect's computer. What are the basic steps involved in the beginning of a virtual machine investigation? Choose all that apply.
a. Acquire a forensic image of the host computer
b. Acquire the login files
c. Acquire the network logs
d. Export associated VM files
ANSWER: a, c, d
RATIONALE: The basic steps involved at the beginning of a virtual machine investigation include acquiring a forensic image of the host computer, acquiring the network logs, and exporting the associated VM files.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.1 - Describe virtual machines and virtual machine forensics TOPICS: An Overview of Virtual Machine Forensics KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

3. Talia is investigating a Windows OS host computer and is looking for a virtual machine. Where would Talia usually look to find the virtual machine?
a. Windows folder
b. Program files (x86)
c. Users or Documents folder
d. SystemApps folder
ANSWER: c
RATIONALE: Talia would usually find a virtual machine in the Users or Documents folder.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.1 - Describe virtual machines and virtual machine forensics TOPICS: An Overview of Virtual Machine Forensics KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

4. Jamar is thinking about using a type 1 hypervisor, but there are some limitations. What are the three main limitations of a type 1 hypervisor?
a. Input devices, bus width, fan size
b. Video card, CPU, motherboard
c. RAM, storage, and throughput
d. Graphical processing units (GPU), central processing unit (CPU), and peripheral ports
ANSWER: c
RATIONALE: A type 1 hypervisor is only limited by the amount of available RAM, storage, and throughput.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.1 - Describe virtual machines and virtual machine forensics TOPICS: An Overview of Virtual Machine Forensics KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

5. Keyshawn is interested in using "bare metal" type 1 hypervisors for his company of over 500 employees. What makes a "bare metal" hypervisor superior in an enterprise setting? Choose all that apply.
a. It is cheaper to use than a type 2 hypervisor
b. It loads directly onto the existing Windows OS
c. It loads directly on physical hardware and doesn't require a separate OS
d. Thousands of VMs can be hosted on a single "bare metal" type 1 hypervisor
ANSWER: c, d
RATIONALE: A type 1 hypervisor loads directly on physical hardware, does not require a separate OS, and thousands of VMs can be hosted on a single "bare metal" type 1 hypervisor.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.1 - Describe virtual machines and virtual machine forensics TOPICS: An Overview of Virtual Machine Forensics KEYWORDS: Bloom's: Apply DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

6. Nori is investigating a suspect's machine when she discovers a type 2 hypervisor. Why would Nori find a type 2 hypervisor on a suspect's computer?
a. Type 1 hypervisors are too expensive for the average user.
b. It's easier to hide information on a type 2 hypervisor.
c. Type 2 hypervisors can be hidden within an OS so that investigators cannot see a user's virtual machine.
d. Users tend to be more familiar with type 2 hypervisors, and they are easier to install and use.
ANSWER: d
RATIONALE: Nori found a type 2 hypervisor on the suspect's computer because, most likely, the suspect was familiar with type 2 hypervisors and wanted to hide their activities within the virtual machine that the hypervisor controlled.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.1 - Describe virtual machines and virtual machine forensics TOPICS: An Overview of Virtual Machine Forensics KEYWORDS: Bloom's: Apply DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

7. Khalil has Autopsy, FTK Imager, and OS Forensics tools available to her but she can't use them to read the VM files that she needs to investigate. Why is that?
a. Autopsy, FTK Imager, and OS Forensics can only read .VDI virtual image files.
b. Autopsy, FTK Imager, and OS Forensics can only read VirtualBox VM image files.
c. Autopsy, FTK Imager, and OS Forensics cannot read VM image files.
d. Autopsy, FTK Imager, and OS Forensics tools can only read .VMDK and .VHD VM image files.
ANSWER: d
RATIONALE: Autopsy, FTK Imager, and OS Forensics tools can only read .VMDK and .VHD VM image files.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.1 - Describe virtual machines and virtual machine forensics TOPICS: An Overview of Virtual Machine Forensics KEYWORDS: Bloom's: Apply DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

8. Martha is searching for the common VirtualBox image file. Where should she look, and what is the image file extension?
a. HKEY_LOCAL_MACHINE and the extension is .VMDK
b. HKEY_CURRENT_CONFIG and the extension is .VHD
c. HKEY_CURRENT_USER and the extension is .VPC
d. HKEY_CLASSES_ROOT and the extension is .VDI
ANSWER: d
RATIONALE: Martha should check for associated file extensions at HKEY_CLASSES_ROOT, and the common extension VirtualBox uses is .VDI.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.1 - Describe virtual machines and virtual machine forensics TOPICS: An Overview of Virtual Machine Forensics KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

9. Levi types in ifconfig in the command line. What OS is Levi using, and what information will the command show?
a. Linux, and all open ports
b. Windows, and all network adapters
c. Linux, and all network adapters
d. Windows, and all open ports
ANSWER: c
RATIONALE: When Levi types in ifconfig, he is working in Linux, and the command he is using will show all network adapters.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.1 - Describe virtual machines and virtual machine forensics TOPICS: An Overview of Virtual Machine Forensics KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

10. Teyana is investigating a suspect's host machine when she discovers a virtual machine. She needs to acquire the VM. She thinks that acquiring the snapshots will be enough to recover any evidence she might need. Or would it be better to complete a live acquisition?
a. A snapshot records the state of a VM at a particular moment and is a recording of changes in state.
b. Many network administrators depend on snapshots when working with VMs in case updates or software installations fail, so snapshots have everything an investigator needs.
c. Snapshots can show what type of software a suspect had installed on the VM and what they may have removed at a given point in time.
d. When acquiring an image of a VM file, snapshots might not be included. In this case, there is only the original VM, which might not have any of the changes made to it after it was created. Therefore, doing live acquisitions of VMs is important to make sure snapshots are incorporated.
ANSWER: d
RATIONALE: Obtaining snapshots is not enough because they do not contain the whole "picture" of the VM. A snapshot is only a moment in time, not everything included in the VM. Therefore, doing live acquisitions of VMs is important to make sure snapshots are incorporated.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.1 - Describe virtual machines and virtual machine forensics TOPICS: An Overview of Virtual Machine Forensics KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

11. Kenneth's boss tells him he must quickly perform a live acquisition before taking their latest client offline due to an active network intrusion. What is the reason for performing a live acquisition in this case? Choose all that apply.
a. Attackers may still be in the system, and it is the best way to capture them.
b. Attackers may leave footprints only in running processes or RAM.
c. Performing a live acquisition causes information on the system to change because the acquisition affects RAM and running processes, meaning the information cannot be reproduced.
d. Performing a live acquisition may help you track the attackers back to their original location.
ANSWER: b, c
RATIONALE: Attackers may leave footprints only in running processes or RAM. However, performing a live acquisition causes information on the system to change because the acquisition affects RAM and running processes, meaning the information cannot be reproduced. In other words, to find the attacker's footprints, data will be destroyed during the search of the RAM.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.2 - Explain how live acquisitions are performed TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

12. CPU cache has more data capacity than regular RAM.
a. True
b. False
ANSWER: b
RATIONALE: CPU cache has less data capacity than regular RAM and is more likely to be written over sooner.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.2 - Explain how live acquisitions are performed TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

13. FTK Imager and Mandiant Memoryze are software tools used for capturing RAM, which can list all open network sockets, including those hidden by rootkits.
a. True
b. False
ANSWER: b
RATIONALE: Only Mandiant Memoryze can list all open network sockets, including those hidden by rootkits.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.2 - Explain how live acquisitions are performed KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

14. Malcolm is at a critical stage of a live acquisition. As per order of volatility, he is acquiring RAM data first. What types of data can be discovered in RAM? Choose all that apply.
a. Passwords
b. Data from previous sessions
c. Inactive browser tabs
d. Login names
ANSWER: a, d
RATIONALE: Anything not saved can potentially be found in RAM. But in this case, passwords and login names are the correct answers.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.2 - Explain how live acquisitions are performed TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

15. Mary requires a good place to store the information that she collects on the live acquisition she is performing. Where is an ideal place to send it? Choose all that apply.
a. A CD drive
b. A network drive
c. An external drive
d. An internal drive
ANSWER: b, c
RATIONALE: A network or external drive is the best place to send information that has been collected for a live acquisition.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.2 - Explain how live acquisitions are performed TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

16. Ethan must perform a live acquisition in Linux, but because there are many different flavors and kernels involved with Linux, there are only a couple of tools commonly used with Linux live acquisitions. What are those tools? Choose all that apply.
a. LiME
b. EnCase Forensic
c. AccessData FTK Imager
d. Volatility
ANSWER: a, d
RATIONALE: Ethan will use either LiME or Volatility since these two tools are the ones commonly used for live Linux acquisitions.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.2 - Explain how live acquisitions are performed TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

17. Command-line forensic tools give one a lot of control when acquiring RAM but might give false readings in Windows OSs.
a. True
b. False
ANSWER: b
RATIONALE: Command-line tools give one a lot of control when acquiring RAM. However, GUI tools might give false readings in Windows OSs.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.2 - Explain how live acquisitions are performed TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

18. Marquise has been performing live acquisitions on Windows computers for years. He has been asked to complete a live acquisition on a Linux computer. He is worried that his skillset will not be up to the task. What do live acquisitions for Windows and Linux computers have in common?
a. They both use the same type of command line commands such as ipconfig
b. They both have the same order of volatility: RAM, logs, network traffic and then actual drive
c. Both operating systems work the same
d. Both operating systems use the same tools for live acquisitions
ANSWER: b
RATIONALE: Both Windows and Linux machines have hardware with the same order of volatility: RAM, logs, network traffic, and then the actual drives.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.2 - Explain how live acquisitions are performed TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Apply DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

19. Antonella is performing a live acquisition from a local computer. What does she need to successfully complete the acquisition? Choose all that apply.
a. Access to the user's account and password
b. Target media drive or access to network server
c. Computer administrator's password
d. Permission from the employee who is being targeted
ANSWER: a, b, c
RATIONALE: For Antonella to perform a selective live acquisition from a local computer, she requires access to the user's account and most likely the password to the account, as well as the target media drive or access to a network server. If available, Antonella should have access to the computer's administrator account password to ensure that all data on the computer is accessible.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.2 - Explain how live acquisitions are performed TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Apply DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

20. Clarice needs to perform a remote live acquisition and has FTK Imager and X-Ways Imager but cannot seem to perform the acquisition. Why can't Clarice get the information she needs?
a. She is using a version of the software that is too old
b. Her software is unlicensed
c. FTK Imager and X-Ways Imager only perform acquisitions on local or mapped drives
d. Her firewall is blocking the attempted acquisition
ANSWER: c
RATIONALE: Typically, tools such as FTK Imager and X-Ways Imager only access local or mapped drives.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.2 - Explain how live acquisitions are performed TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Apply DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

21. Tia's supervisor said she needs to perform a remote acquisition on an employee. The issue is that the employee is in London, United Kingdom; however, the office in the UK is a branch office of the company Tia works for, which is in the United States. What should Tia do first before performing the remote acquisition?
a. She must check that the employee has signed the policies and procedures manual that stipulates they give up their right to privacy.
b. She must check the laws regarding Data Protection in the UK, to be sure there are no legal ramifications because they have very strict data privacy laws.
c. She must engage forensic experts with expertise in cross-border acquisitions to carry out the acquisition process while adhering to legal and ethical standards.
d. She can go ahead with the remote acquisition because the employee is part of a US business doing business in the UK and not a citizen of the UK without further inquiries.
ANSWER: a, b, c
RATIONALE: First, Tia must check that the employee has signed the policies and procedures manual that stipulates they give up their right to privacy. If they did not sign the manual, then the employee can argue that they have a right to privacy. Then Tia must check the laws regarding Data Protection in the UK, to be sure there are no legal ramifications because they have strict data privacy laws. Finally, it is best that Tia engages forensic experts with expertise in cross-border acquisitions to carry out the acquisition process while adhering to legal and ethical standards. When dealing with an international situation, it is always best for someone with experience to handle that type of operation to keep your company from being fined for mishandling data from another country.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.2 - Explain how live acquisitions are performed TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

22. Nia is performing e-discovery for a client on a remote computer. What acquisition tool is Nia using?
a. F-Response Collect
b. Magnet AXIOM Cyber
c. Belkasoft R
d. Volatility
ANSWER: a
RATIONALE: Nia is using F-Response Collect because it is designed to perform a wide range of remote data collection tasks including e-discovery.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.3 - Describe tools used for remote acquisitions TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

23. Carolyne is performing a remote acquisition on an AWS S3 Bucket. What acquisition tool is Carolyne using?
a. F-Response Collect
b. Magnet AXIOM Cyber
c. Belkasoft R
d. Volatility
ANSWER: b
RATIONALE: Carolyne is using Magnet AXIOM Cyber. It is a remote acquisition tool that has a wide range of data collection capabilities including access to various cloud services such as AWS S3 Buckets and EC2 Instances.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.3 - Describe tools used for remote acquisitions TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM 24. Shawn is performing a remote acquisition on a computer several states away. He needs to be sure that

communications between the Windows devices is encrypted. What software should Shawn use? a. Response Collect b. Magnet AXIOM Cyber c. Volatility d. Belkasoft R ANSWER: RATIONALE:

d

POINTS: QUESTION TYPE: HAS VARIABLES:

1 Multiple Choice False

Shawn should use Belkasoft R because a Secure Sockets Layer (SSL) certificate to encrypt communications for Windows systems can be setup between the server and the endpoint computer.


LEARNING OBJECTIVES: Ceng.GuideForens.25.9.3 - Describe tools used for remote acquisitions TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM 25. Lucy is using Belkasoft R for a remote acquisition she is performing. During the acquisition, she finds that the connection keeps timing out, and the acquisition is incomplete. How can this be fixed? a. She should use a Secure Sockets Layer. b. She should make sure the screen saver is turned off. c. She should make sure the computer cannot go into sleep mode. d. She should make sure that the IT department does not flag the computer as having a malware intrusion due to extra data packets from the remote acquisition. ANSWER: RATIONALE:

c

Lucy should make sure the endpoint computer's sleep mode is turned off. If the endpoint computer goes into sleep mode, the acquisition may terminate and will be incomplete.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.3 - Describe tools used for remote acquisitions TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Apply DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM 26. Debbie is using F-Response Collect while performing a remote acquisition. She needs to create digital forensic images. Since she doesn't know which team will be reading these images, how should she create them so they can be read by most forensics programs? a. Create them in EnCase Forensics format (E01) b. Create them in Smart File Format (SFF) c. Create them in Raw Image Format (RAW) d. Create them in Forensic Data File (FDF) ANSWER: RATIONALE:

c

Debbie should use the RAW format. A raw image is a sector-by-sector copy with no proprietary container, so it is supported by virtually every forensic analysis and examination tool. Because a raw image carries no embedded metadata or hash, she should compute a hash of the image at acquisition time and record it with the evidence so the receiving team can verify its integrity.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.3 - Describe tools used for remote acquisitions TOPICS: Performing Live Acquisitions KEYWORDS: Bloom's: Apply DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM

27. fsutil allows users to interact with and manipulate aspects of the file system. It is a versatile tool for performing a wide range of file-system related tasks on Linux systems. a. True b. False ANSWER: RATIONALE:

b

False. fsutil is a built-in Windows command-line utility that lets users interact with and manipulate aspects of the file system; it performs a wide range of file-system related tasks on Windows systems, not Linux, and most of its subcommands require an elevated (Administrator) command prompt.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.3 - Describe tools used for remote acquisitions TOPICS: Using Microsoft's File System Utility Command KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM 28. Kenya types the Windows command fsutil usn readjournal C: in an Administrator Command Prompt. What will that command do? a. The command will output all of the network interfaces to the screen. b. The command will output all of the open ports to the screen. c. The command will output the entire contents of the $UsnJrnl:$J file to the screen. d. The command will output all of the open processes to the screen. ANSWER: RATIONALE:

c

This command dumps the entire contents of the $UsnJrnl:$J stream, the NTFS change journal for the C: volume, to the screen as text. On a busy volume that is a very large amount of output, so in practice it is redirected to a file on a separate drive rather than written to the evidence volume; the command reads the live volume, so the time it was run should be recorded in the examiner's notes.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.3 - Describe tools used for remote acquisitions TOPICS: Using Microsoft's File System Utility Command KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM 29. Alexi is new to the field of computer forensics. She has heard about a file called $UsnJrnl:$J. A colleague of hers says it is used for digital forensics investigations. Alexi is puzzled. She turns to you and asks, what is this file used for? What is your answer? a. It can show an investigator who the suspect is. b. It can show an investigator where the attack came from. c. It can show an investigator who the perpetrator was and who the victim was. d. It can show an investigator a history of file system activity, helping them track file changes and potentially identify suspicious activities. ANSWER: RATIONALE:

d

The $UsnJrnl:$J file can provide a history of file system activity, helping investigators track file changes and potentially identify suspicious activities.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.3 - Describe tools used for remote acquisitions TOPICS: Using Microsoft's File System Utility Command KEYWORDS: Bloom's: Apply DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM 30. Nikki must examine a victim's computer for malware. Unfortunately, malware programs will sometimes change their names and then delete themselves to hide their presence. How would Nikki examine the computer to find out whether there has been any malware activity? a. Examine the $UsnJrnl using the fsutil command b. Run the lsmod command to check kernel modules c. Examine the VBScript file using the fsutil command d. Run ps aux and check all running processes ANSWER: RATIONALE:

a

To examine a computer for possible malware activity, Nikki would examine the $UsnJrnl using the fsutil command. The USN change journal records file creations, renames, and deletions by file reference number, and those records remain in the journal after the file itself is gone (until the journal wraps), so a program that renamed itself and then deleted itself still leaves a rename record followed by a delete record for the same file reference. Options b and d are Linux commands and do not apply to a Windows system.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.9.3 - Describe tools used for remote acquisitions TOPICS: Using Microsoft's File System Utility Command KEYWORDS: Bloom's: Apply DATE CREATED: 4/23/2024 3:35 PM DATE MODIFIED: 4/23/2024 3:35 PM
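A worked example of the check described in questions 28 to 30, added here as an illustration; it is not code from the textbook, from Microsoft, or from fsutil. It parses raw USN_RECORD_V2 entries (the documented layout of the records stored in $UsnJrnl:$J) and pairs each RENAME_OLD_NAME record with a later FILE_DELETE record for the same file reference number, which is how a renamed-then-deleted executable is recovered. The journal it parses is constructed inline for the example; a real run would read the $J stream carved from an image, since the text that fsutil usn readjournal prints is a human-readable rendering of these same records, not the raw bytes.

```python
"""Parse raw USN_RECORD_V2 entries from an NTFS $UsnJrnl:$J stream and flag
files that were renamed and then deleted.

Added example; the record layout is the documented USN_RECORD_V2 structure,
and SAMPLE_JOURNAL below is constructed for illustration only."""
import struct
from datetime import datetime, timedelta, timezone

# Subset of the documented USN reason flags.
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_RENAME_NEW_NAME = 0x00002000
USN_REASON_CLOSE = 0x80000000
REASON_NAMES = {
    USN_REASON_FILE_CREATE: "FILE_CREATE",
    USN_REASON_FILE_DELETE: "FILE_DELETE",
    USN_REASON_RENAME_OLD_NAME: "RENAME_OLD_NAME",
    USN_REASON_RENAME_NEW_NAME: "RENAME_NEW_NAME",
    USN_REASON_CLOSE: "CLOSE",
}

# Fixed 60-byte header of USN_RECORD_V2, little-endian: RecordLength,
# MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset. The UTF-16LE name follows at FileNameOffset.
_HEADER = struct.Struct("<IHHQQqqIIIIHH")


def filetime_to_datetime(ft):
    """Windows FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_usn_records(data):
    """Yield one dict per record; stops at the zero padding that ends a page."""
    off = 0
    while off + _HEADER.size <= len(data):
        (length, major, minor, frn, _parent, usn, ts, reason, _src, _sid,
         _attrs, name_len, name_off) = _HEADER.unpack_from(data, off)
        if length == 0:
            break
        if major != 2:
            raise ValueError(f"unsupported USN record version {major}.{minor} at offset {off}")
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "frn": frn, "time": filetime_to_datetime(ts), "name": name,
               "reason": reason,
               "reasons": [n for bit, n in REASON_NAMES.items() if reason & bit]}
        off += length          # RecordLength is already padded to 8 bytes


def find_rename_then_delete(records):
    """Return (original_name, final_name) for every file reference that was
    renamed and later deleted. The FileReferenceNumber survives the rename,
    so the original name is recovered even though the file no longer exists."""
    old_names, new_names, hits = {}, {}, []
    for r in records:
        if r["reason"] & USN_REASON_RENAME_OLD_NAME:
            old_names.setdefault(r["frn"], r["name"])   # keep the earliest name
        if r["reason"] & USN_REASON_RENAME_NEW_NAME:
            new_names[r["frn"]] = r["name"]
        if r["reason"] & USN_REASON_FILE_DELETE and r["frn"] in old_names:
            hits.append((old_names[r["frn"]], new_names.get(r["frn"], r["name"])))
    return hits


def build_record(usn, frn, name, reason, ts=132_000_000_000_000_000):
    """Constructed test data: encode one USN_RECORD_V2, padded to 8 bytes."""
    enc = name.encode("utf-16-le")
    length = (_HEADER.size + len(enc) + 7) & ~7
    hdr = _HEADER.pack(length, 2, 0, frn, 5, usn, ts, reason, 0, 0, 0x20,
                       len(enc), _HEADER.size)
    return hdr + enc + b"\0" * (length - _HEADER.size - len(enc))


# Constructed sample: evil.exe is created, renamed to svchost.exe, then deleted;
# report.docx is an unrelated file that must not be flagged.
FRN_MALWARE, FRN_DOC = 0x0001000000000042, 0x0001000000000099
SAMPLE_JOURNAL = b"".join([
    build_record(100, FRN_MALWARE, "evil.exe", USN_REASON_FILE_CREATE | USN_REASON_CLOSE),
    build_record(200, FRN_MALWARE, "evil.exe", USN_REASON_RENAME_OLD_NAME),
    build_record(300, FRN_MALWARE, "svchost.exe", USN_REASON_RENAME_NEW_NAME | USN_REASON_CLOSE),
    build_record(400, FRN_DOC, "report.docx", USN_REASON_FILE_CREATE | USN_REASON_CLOSE),
    build_record(500, FRN_MALWARE, "svchost.exe", USN_REASON_FILE_DELETE | USN_REASON_CLOSE),
]) + b"\0" * 64   # a real $J stream is zero-padded between pages

if __name__ == "__main__":
    for rec in parse_usn_records(SAMPLE_JOURNAL):
        print(rec["usn"], rec["time"].isoformat(), rec["name"], "+".join(rec["reasons"]))
    print("renamed then deleted:", find_rename_then_delete(parse_usn_records(SAMPLE_JOURNAL)))
```

The journal is a fixed-size ring, so only activity since the last wrap is present; an empty result means nothing was seen in that window, not that nothing happened. Matching on the file reference number rather than the name is what makes the rename transparent.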


Mod 10: Network Forensics

1. Network forensics is the process of collecting and analyzing raw network data and systematically tracking network traffic to ascertain how an attack was carried out or how an event occurred on a network. a. True b. False ANSWER: RATIONALE:

a

Network forensics is the process of collecting and analyzing raw network data and systematically tracking network traffic to ascertain how an attack was carried out or how an event occurred on a network.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.1 - Describe network forensics TOPICS: Network Forensics Overview KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 2. Xander just got his first job in network forensics. For the first six months, he is told that he will be auditing network logs. He thinks to himself, "This is boring work, I don't like it." How important is auditing network logs in network forensics? a. Auditing network logs is not important at all in network forensics. b. Auditing network logs does not play much of a role in network forensics. c. Auditing network logs is only a part of network forensics. d. Auditing network logs is the key to network forensics. ANSWER: RATIONALE:

d

Xander is wrong. Auditing network logs is the key to network forensics and an important job.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.1 - Describe network forensics TOPICS: Network Forensics Overview KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 3. Phoenix has discovered that port 23 is open on the company server. This is a major security risk. What protocol is port 23 used for? a. HTTPS b. FTP c. Telnet d. SMTP ANSWER: RATIONALE:

c

Port 23 is used for Telnet, a protocol for interactive sessions with remote devices. Telnet is not secure: it sends usernames, passwords, and the entire session in cleartext, so anyone who can capture the traffic can read them. SSH (port 22) is the encrypted replacement.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.1 - Describe network forensics TOPICS: Network Forensics Overview KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 4. Layla is monitoring traffic patterns on her company's network. During the creation of the network traffic baseline, they found that peak network traffic happened between 8:00 a.m. and 6:00 p.m. Monday through Friday, and traffic patterns were flat Saturday and Sunday. One Monday, Layla came into the office and noticed a significant spike in the traffic patterns for the previous Saturday. They were 100% above normal baseline patterns. What could this mean? Choose all that apply. a. IT could have been backing up data to cloud storage. b. Since the irregularity was only one day, it was probably just an anomaly. c. The activity was unusual for that day and should be investigated further. d. It was a bug in a custom program that was accidentally put on the production network. ANSWER: RATIONALE:

a, c, d

Since traffic patterns were high only for that day, unusual activity could have been related to IT performing a backup to cloud storage, an attack on the network, or a new program installed on the production network containing a bug, which caused the spike in activity.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.1 - Describe network forensics TOPICS: Network Forensics Overview KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 5. Melanie is investigating a network breach at a local hospital in California. Before that, she was on an investigation of another hospital in Ohio. Why are these two cases different even though they are both investigations of network breaches at a hospital? a. Because national regulations are the same regarding the handling of private medical information and other personally identifiable information (PII), the only difference between these two hospitals is how Melanie needs to extract the data since each hospital has its own type of network. b. The two locations are different only because of the types of data stolen and the way data needs to be extracted from the network. c. The laws governing private medical information and other personally identifiable information (PII) can be different in each state and must be addressed on a state-by-state basis when handling this type of data. d. The hospitals and networks are the same. The only difference is the location of the hospital. ANSWER: RATIONALE:

c

Since a network can touch data such as private medical information and other personally identifiable information (PII), network forensics investigators must also be aware of the jurisdiction governing any PII stored on the network and the applicable privacy laws regarding the information being gathered and analyzed. In other words, the laws governing private medical information and other PII can be different in each state and must be addressed on a state-by-state basis when handling this type of data.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.1 - Describe network forensics TOPICS: Network Forensics Overview KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 6. Leon is a network administrator and just took a class on procedures and protocols to follow when stopping network intruders. What are some of the procedures and protocols Leon and his department should follow when a network intrusion occurs? Choose all that apply. a. Determine what they were looking for b. Determine what they used to get in c. Determine how they got in and what they copied, altered, or deleted d. Determine if they are still on the network ANSWER: RATIONALE:

c, d

The increase in cybercrime has prompted many groups to begin compiling procedures and protocols to follow when a network intrusion occurs. Network administrators need to learn how to stop intruders and determine how they got in; what they copied, altered, or deleted; and whether the intruders are still on the network.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.2 - Explain the process of a network investigation TOPICS: Network Forensics Standard Procedures KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM

7. Braxton is a network administrator and a strong believer in using defense in depth to protect his company's network. What makes defense in depth an important tool for network administrators? a. Defense in depth is inexpensive to use. b. Defense in depth is easy to use. c. Defense in depth has multiple modes that can be chosen from, not all of them need to be used. d. If one mode of protection fails, the others can be used to thwart an attack. ANSWER: RATIONALE:

d

If one mode of protection fails, such as a firewall, another mode, such as an intrusion prevention system (IPS), may catch the attack. In other words, there are multiple types of defenses available built into the network to thwart an attack. This also includes people.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.2 - Explain the process of a network investigation TOPICS: Network Forensics Standard Procedures KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 8. Amy works in digital forensics and is comparing notes with her friend Kaden, who works in network forensics. They find there is a difference between the two. What is it? a. In network forensics, you can work from the image to find most of the deleted or hidden files and partitions. Sometimes, you restore the image to a physical drive so that you can run programs on the drive. In digital forensics, you must restore the drive to see how malware that attackers have installed on the system works. b. In digital forensics, you cannot work from the image to find hidden or deleted files, but you can with the tools in network forensics. c. In digital forensics, you can work from the image to find most of the deleted or hidden files and partitions. Sometimes, you restore the image to a physical drive so that you can run programs on the drive. In network forensics, you must restore the drive to see how malware that attackers have installed on the system works. d. In digital forensics, you can see how malware that attackers have installed on the system works. ANSWER: RATIONALE:

c

In digital forensics, you can work from the image to find most of the deleted or hidden files and partitions. Sometimes, you restore the image to a physical drive so that you can run programs on the drive. In network forensics, you must restore the drive to see how malware that attackers have installed on the system works.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.2 - Explain the process of a network investigation TOPICS: Network Forensics Standard Procedures KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 9. Tyson is examining network logs. He discovers that a pattern has emerged regarding a single IP address assigned to one employee. It appears that this particular employee spends time on the Internet often. What is Tyson's next step? a. Investigate the IP address and see where it leads b. Investigate the employee and see what they are doing c. Investigate the computer and see if it is infected with malware d. Investigate the computer logs and see if anyone else is using that computer ANSWER: RATIONALE:

a

Tyson should investigate the IP address and see where it leads. It could lead to a shopping website, which could mean that the employee in question could be shopping during work time. If this is the case, the matter should be turned over to HR for further handling and possible investigation.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.2 - Explain the process of a network investigation TOPICS: Network Forensics Standard Procedures KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 10. Harlow has been told by their supervisor to check the company's network logs, because, lately, there has been some suspicious activity on the network. What are some of the devices that record activities and events which could be considered network logs? Choose all that apply. a. Network servers b. Keyboards c. Firewalls d. Display monitors ANSWER: RATIONALE:

a, c

Network servers and firewalls are two of the devices that record traffic, which travels in and out of the network.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.2 - Explain the process of a network investigation TOPICS: Network Forensics Standard Procedures KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 11. Briar is using Wireshark to analyze network traffic. What are some of the potential lists that could be generated in Wireshark to determine what type of activity is occurring on a network? Choose all that apply. a. List of names using internal resources b. Top websites network users are visiting c. List of top computer peripherals being used d. List of top five internal users ANSWER: RATIONALE:

b, d

A few of the potential lists that can be generated from Wireshark are the top websites network users are visiting and a list of the top five internal users.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.2 - Explain the process of a network investigation TOPICS: Network Forensics Standard Procedures KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 12. Eliana's team has been tasked with hardening their company's network, and her team plans to go with a defense in depth strategy. However, they must put a plan in place to mitigate issues with the weakest link. What is the weakest link in the defense in depth strategy, and why is it considered weak? a. Data is the weakest link. It can become corrupted for any reason, even without an attack happening. It can be accidental or on purpose. If not handled properly, data can fail for no reason whatsoever. b. Technology is the weakest link. Technology becomes outdated or fails, can give false positives and negatives, and can miss the warning signs of an impending or ongoing attack. c. People are the weakest link. They need to be trained, and without proper training, can miss warning signs of an impending or ongoing attack or fixing issues before they become problems. d. Operations are the weakest link. Security patches can fail, antivirus software can fail to update, and operating systems can crash, leaving systems vulnerable to attack. ANSWER: RATIONALE:

c

People are the weakest link because people manage data, technology, and operations. People change technology when it becomes outdated, install security patches, and make changes to firewalls and networks. Without the proper training, technology and operations fail, and defense in depth cannot be achieved. Although data is mentioned in this question, it is not part of this module per se; it is implied, because without data there is no reason for defense in depth. People are responsible for backing data up, checking data for viruses, and possibly encrypting data to ensure that it is safe.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.2 - Explain the process of a network investigation TOPICS: Network Forensics Standard Procedures KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 13. A packet analyzer is a device or software placed on a network to monitor traffic. a. True b. False ANSWER: RATIONALE:

a

A packet analyzer is a device or software placed on a network to monitor traffic.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.3 - Use network forensics tools TOPICS: Exploring Common Network Forensics Tools KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 14. Ari is using a packet analyzer on his office network. He notices the majority of traffic moving across the network is Transmission Control Protocol (TCP) and Internet Protocol (IP). Why is that? a. He is using the wrong firewall for the office network. b. The router has been incorrectly installed. c. He has a virus on the network, and viruses use TCP and IP for transmission purposes. d. The most common protocols associated with network traffic are Transmission Control Protocol (TCP) and Internet Protocol (IP). ANSWER: RATIONALE:

d

The most common protocols associated with network traffic are Transmission Control Protocol (TCP) and Internet Protocol (IP).

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.3 - Use network forensics tools TOPICS: Exploring Common Network Forensics Tools KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM

15. Maryam's company is experiencing an attack whereby the company server is having trouble keeping up with the number of established connections. Requests come in to establish connections, but then no connection is established. What type of attack is this? a. Ping of death b. DoS flood c. SYN flood d. Trojan ANSWER: RATIONALE:

c

When an attacker requests connections but does not follow through with connecting, it is called a SYN flood attack. The attacker sends many TCP SYN segments, often from spoofed source addresses, and never returns the final ACK of the three-way handshake, so the server accumulates half-open connections until its connection backlog is exhausted and legitimate clients can no longer connect.
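The detection logic that follows from this, as an added example that is not code from the textbook or from any tool it names: it replays a list of TCP packet summaries, tracks each client's handshake against the server, and reports the handshakes that were never completed. The packet tuples (source IP and port, destination IP and port, TCP flag letters) and the server address 192.0.2.10 are constructed for the example; a real run would take them from a packet analyzer or a capture file.

```python
"""Detect a SYN flood by tracking which TCP handshakes against a server were
never completed.

Added example, not from the textbook. Packets are
(src_ip, src_port, dst_ip, dst_port, flags) tuples in arrival order, with
flags as a string of TCP flag letters ("S", "SA", "A", "R", ...);
SAMPLE_PACKETS and SERVER are constructed for illustration."""
from collections import defaultdict

SERVER = "192.0.2.10"   # assumed server address for the sample


def track_half_open(packets, server_ip):
    """Return {client_ip: count} of handshakes to server_ip still half-open
    after all packets are processed (SYN seen, final ACK never seen)."""
    half_open = set()                       # (client_ip, client_port)
    for src, sport, dst, dport, flags in packets:
        if dst == server_ip:
            key, from_client = (src, sport), True
        elif src == server_ip:
            key, from_client = (dst, dport), False
        else:
            continue                        # traffic not involving this server
        if from_client and flags == "S":
            half_open.add(key)              # step 1: client SYN
        elif from_client and flags == "A":
            half_open.discard(key)          # step 3: client ACK completes the handshake
        elif "R" in flags:
            half_open.discard(key)          # a reset from either side tears it down
        # step 2, the server's SYN-ACK ("SA"), leaves the entry pending
    counts = defaultdict(int)
    for client_ip, _port in half_open:
        counts[client_ip] += 1
    return dict(counts)


def syn_flood_sources(packets, server_ip, per_source=10):
    """Sources holding at least per_source half-open connections (threshold assumed)."""
    counts = track_half_open(packets, server_ip)
    return sorted(ip for ip, n in counts.items() if n >= per_source)


def total_half_open(packets, server_ip):
    """Server-wide backlog: the better signal when sources are spoofed and
    each address shows only one or two half-open connections."""
    return sum(track_half_open(packets, server_ip).values())


def _handshake(client, port):
    """Constructed three-way handshake from a legitimate client."""
    return [(client, port, SERVER, 80, "S"),
            (SERVER, 80, client, port, "SA"),
            (client, port, SERVER, 80, "A")]


SAMPLE_PACKETS = _handshake("10.0.0.5", 51000) + _handshake("10.0.0.5", 51001)
# one attacker leaves 20 handshakes incomplete ...
for port in range(40000, 40020):
    SAMPLE_PACKETS += [("203.0.113.7", port, SERVER, 80, "S"),
                       (SERVER, 80, "203.0.113.7", port, "SA")]
# ... five spoofed sources add one each, and one of those is later reset
for i in range(1, 6):
    SAMPLE_PACKETS += [(f"198.51.100.{i}", 1024 + i, SERVER, 80, "S"),
                       (SERVER, 80, f"198.51.100.{i}", 1024 + i, "SA")]
SAMPLE_PACKETS.append(("198.51.100.5", 1029, SERVER, 80, "R"))

if __name__ == "__main__":
    print("half-open per source:", track_half_open(SAMPLE_PACKETS, SERVER))
    print("flood sources:", syn_flood_sources(SAMPLE_PACKETS, SERVER))
    print("total half-open:", total_half_open(SAMPLE_PACKETS, SERVER))
```

The per-source count catches a single noisy attacker; against spoofed or distributed sources the server-wide half-open total is what grows, so both numbers belong on a dashboard. A real analyzer would also match on sequence and acknowledgement numbers rather than flag strings alone.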

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.3 - Use network forensics tools TOPICS: Exploring Common Network Forensics Tools KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 16. Ashtyn is trying to extract information from large libpcap files. What program should she use? a. Tcpreplay b. Etherape c. Tcpslice d. Netdude ANSWER: RATIONALE:

c

Tcpslice is a good tool for extracting information from large libpcap files; simply specify the timeframe needed to be examined.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.3 - Use network forensics tools TOPICS: Exploring Common Network Forensics Tools KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 17. Billie is looking for a multipurpose tool that can be used as an intrusion prevention system (IPS) and an intrusion detection system (IDS). It should also be usable for network forensics. Which tool should Billie choose? a. Etherape b. Netdude c. Snort d. Argus ANSWER: RATIONALE:

c

Snort (snort.org) is one of the more powerful network tools in the industry. In addition to being an intrusion prevention system (IPS) and an intrusion detection system (IDS), Snort can be used for network forensics.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.3 - Use network forensics tools TOPICS: Exploring Common Network Forensics Tools KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 18. Kenna wants to use graphical tools for viewing network traffic. She believes that they are quicker than using command-line tools. Which of the following tools are graphical user interface (GUI) tools? Choose all that apply. a. Argus b. Etherape c. Netdude d. Tcpreplay ANSWER: RATIONALE:

b, c

Etherape and Netdude are both graphical user interface (GUI) tools.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.3 - Use network forensics tools TOPICS: Exploring Common Network Forensics Tools KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 19. Hawkins is looking for software that will replay network traffic in libpcap format. What format is libpcap and what can the information be used for? a. Libpcap is Linux, and it is used to test network devices, such as intrusion detection systems (IDSs), switches, and routers. b. Libpcap is Windows, and it is used to test Network Interface Cards (NICs), network speeds, and IPSs. c. Libpcap is Linux, and it is used to test Network Interface Cards (NICs), network speeds, and IPSs. d. Libpcap is Windows, and it is used to test network devices, such as intrusion detection systems (IDSs), network speeds, and routers. ANSWER: RATIONALE:

a

Libpcap is the packet capture library that originated on Linux and other Unix systems (Windows uses the WinPcap and Npcap ports), and its capture files are the standard input for tools such as Tcpreplay, which replays the recorded traffic to test network devices such as intrusion detection systems (IDSs), switches, and routers.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.3 - Use network forensics tools TOPICS: Exploring Common Network Forensics Tools KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 20. Selina is working on a difficult case. She is looking for an exploit, so she is rebuilding a session in Wireshark. Why is rebuilding the session important? a. By rebuilding the session, she can determine where the exploit came from and how long it was in the system. b. By rebuilding the session, she can determine who created the exploit and when it was launched. c. By rebuilding the session, she can determine if the exploit was local or from a nation-state. d. By rebuilding the session, it is possible to detect suspicious or unexpected behavior, which may indicate a security breach. ANSWER: RATIONALE:

d

By Selina rebuilding the session, it is possible for her to detect suspicious or unexpected behavior, which may indicate a security breach.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.3 - Use network forensics tools TOPICS: Exploring Common Network Forensics Tools KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 21. Ivette's company is switching from physical networks to virtual networks, and she is learning how physical switches differ from virtual switches. How are virtual switches different from physical switches? Choose all that apply. a. There is no spanning tree with virtual switches. b. There are a limited number of virtual switches that can be used in a network. c. They do not share the same physical adapters. d. Virtual switches are slower than physical switches. ANSWER: RATIONALE:

a, c

There is no spanning tree protocol with virtual switches, and they do not share the same physical adapters. Therefore, it is possible for multiple networks to have the same IP address scheme.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.4 - Describe virtual network forensics TOPICS: Investigating Virtual Networks KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 22. No two devices can have the same MAC address on a virtual network. a. True b. False ANSWER: RATIONALE:

b

False. Due to the nature of virtual networks, the same MAC address can be assigned to multiple devices as long as they are on different virtual networks; a MAC address only has to be unique within a single Layer 2 segment.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.4 - Describe virtual network forensics TOPICS: Investigating Virtual Networks KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 23. Katana teaches four courses in one classroom, and each computer has four students working on it at different times of the week. The students are completing computer forensics labs that require them to perform many of the functions that would be required in the field. They are using Kali Linux, Metasploitable framework, Windows 10, and Server 2016. Since this is a classroom, what would be the least expensive way to set up the class, yet allow each student to work on their projects and save their work for the next time that they are in class without affecting the other three students who will be using the same computer? a. Set up a type 1 hypervisor with multiple virtual machine managers (such as VirtualBox) and create a closed virtual network with Kali, Metasploitable framework, Windows 10, and Server 2016 that's password protected for each class. b. Set up a type 1 hypervisor with multiple virtual machines of Kali, Metasploitable framework, Windows 10, and Server 2016 and create a virtual network for each class. c. Set up a type 2 hypervisor with multiple virtual machine managers (such as VirtualBox) and create a closed virtual network using Kali, Metasploitable framework, Windows 10, and Server 2016 that's password protected for each class. d. Set up a type 2 hypervisor with multiple virtual machine managers (such as VirtualBox) and create a closed virtual network using Kali, Metasploitable framework, Windows 10, and Server 2016. The students can save their work and then roll back the virtual machines to the original snapshot. ANSWER: RATIONALE:

c

This is a true story. Katana set up a type 2 hypervisor with multiple virtual machine managers (VirtualBox) and created a closed virtual network using Kali, Metasploitable framework, Windows 10, and Server 2016. The networks were then password protected for each class. This allowed students to work on their own networks at their own pace without fear of losing their work. This also ensured that no student could interfere with or check the status of another student from another class. The reason the class was set up this way was cost: using the existing computers as type 2 hypervisor hosts was less expensive than buying type 1 hypervisor hardware for the whole classroom. The Linux programs were free, and the school had licenses for Windows and Server 2016.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.10.4 - Describe virtual network forensics TOPICS: Investigating Virtual Networks KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM 24. Brigid notices that her servers are acting strangely. She also notices that the Internet traffic that the servers

are receiving is 100 times greater than normal. What does this usually mean?
a. SYN flood attack
b. DDoS attack
c. Ping of death attack
d. Ransomware attack
ANSWER: b
RATIONALE: When Internet traffic increases to amounts far greater than normal, it usually means that a Distributed Denial of Service (DDoS) attack is in progress.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.10.5 - Describe how to research and investigate types of attacks
TOPICS: Researching and Investigating Types of Attacks
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

25. Aloise is a penetration tester (pen tester). While attempting to break into a client's network, she finds some undiscovered vulnerabilities. These vulnerabilities can lead to attacks. What are these vulnerabilities called?
a. Day-one attack
b. Undercover attack
c. Zero-day attack
d. Transitional attack
ANSWER: c
RATIONALE: A zero-day attack is launched against a vendor's software before the vendor knows that a vulnerability exists in it.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.10.5 - Describe how to research and investigate types of attacks
TOPICS: Researching and Investigating Types of Attacks
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

26. Enya is approached by a client to build a honeypot. What is the purpose of a honeypot?
a. To lure attackers to the honeypot and attack back
b. To lure attackers to the honeypot and then trap them inside
c. To lure attackers to the honeypot and then discover what they are doing
d. To lure attackers to the honeypot instead of the actual network
ANSWER: d
RATIONALE: A honeypot is a computer set up to look like any other machine on a network; its purpose is to lure attackers to a network, but it contains no information of significant value.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.10.5 - Describe how to research and investigate types of attacks
TOPICS: Researching and Investigating Types of Attacks
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

27. Reade is in the process of building a honeywall for a client. What is the purpose of a honeywall?
a. To create an entire virtual network with real vulnerabilities and see how attackers breach the
vulnerabilities while keeping the actual network safe
b. To monitor what is happening to honeypots on a network and record what attackers are doing
c. To monitor what is happening to honeypots on a network and trap the attackers
d. To monitor an attacker's behavior and attack back
ANSWER: b
RATIONALE: A honeywall is a computer set up to monitor what is happening to honeypots on a network and record what attackers are doing.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.10.5 - Describe how to research and investigate types of attacks
TOPICS: Researching and Investigating Types of Attacks
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

28. Edris has a problem. His company has been attacked three times this year, and he needs to figure out how the attackers are getting in without putting his network at risk. How should Edris accomplish this task?
a. First, build honeypots to resemble the parts of the network that keep getting attacked and then build a honeywall to monitor the honeypots to record the attackers.
b. First, build a honeywall to monitor the network and then build the honeypots to record the attackers.
c. First, build honeypots to record the attackers and then build a honeywall to monitor the network.
d. Honeypots are all that are needed to monitor and track attackers.
ANSWER: a
RATIONALE: First, Edris should build multiple honeypots that resemble the parts of his network that are being attacked. Then, he should build a honeywall and monitor the honeypots so he can record the attackers' actions.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.10.5 - Describe how to research and investigate types of attacks
TOPICS: Researching and Investigating Types of Attacks
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

29. Larkyn and her team are deciding which defense system would be right for them based on price. What is the determining factor in deciding how much to spend for a defense system?
a. How much a company can afford to pay for a defense system
b. What defenses are already in place and how effective they are
c. The size of the IT Department
d. The value of an organization's data
ANSWER: d
RATIONALE: In any organization, a determination must be made as to the value of the data being protected, and that value must be weighed against the price of a new defense system.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.10.5 - Describe how to research and investigate types of attacks
TOPICS: Researching and Investigating Types of Attacks
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

30. Bren's computer has been acting up lately. It has been showing pop-up windows when he hasn't been using his browser. There is high network traffic, according to his task manager, and the machine has been crashing frequently. What could be happening to Bren's computer?
a. His computer needs more memory.
b. A friend is playing tricks on him.
c. His computer has become a zombie in a botnet.
d. He has a virus.
ANSWER: c
RATIONALE: Bren was able to figure out that his computer was a zombie because pop-up windows kept appearing even when he wasn't online. When he looked at his task manager, it showed high network traffic even though network traffic should have been flat.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.10.5 - Describe how to research and investigate types of attacks
TOPICS: Researching and Investigating Types of Attacks
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

Mod 11: Cloud Forensics and the Internet of Anything

1. Kelsie is using Google Docs to write a term paper. What cloud service is she using?
a. Platform as a service (PaaS)
b. Software as a service (SaaS)
c. Infrastructure as a service (IaaS)
d. Anything as a service (XaaS)
ANSWER: b
RATIONALE: Programs such as Google Docs are considered software as a service (SaaS), since they are hosted and used in a cloud environment rather than on the desktop.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.1 - Describe the main concepts of cloud computing
TOPICS: An Overview of Cloud Computing
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

2. Loella and her business partner need to expand rapidly but do not have the resources to build out a new server room, nor can they afford a person to help build and run it. What cloud service should they use?
a. Platform as a service (PaaS)
b. Software as a service (SaaS)
c. Infrastructure as a service (IaaS)
d. Anything as a service (XaaS)
ANSWER: c
RATIONALE: Loella and her business partner should use infrastructure as a service because that service model provides the hardware and the personnel to maintain it. All Loella and her partner must do is pay for the time they use it. They can also add capacity during peak times and remove capacity when they do not need it.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.1 - Describe the main concepts of cloud computing
TOPICS: An Overview of Cloud Computing
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

3. Jeffery is studying the many dimensions of cloud forensics. Which one is concerned with the location of data storage and the administration of services?
a. The organizational dimension
b. The legal dimension
c. The technical dimension
d. The discovery dimension
ANSWER: a
RATIONALE: The organizational dimension of cloud forensics addresses the structure of the cloud forensics effort, such as the location of data storage and the administration of services.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.1 - Describe the main concepts of cloud computing
TOPICS: An Overview of Cloud Computing
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

4. Myisha works for a cloud service provider. Myisha's friend is not familiar with the term and asks her to explain what cloud service providers do. How does Myisha respond?
a. A cloud service provider supplies business services only for enterprise-size businesses.
b. A cloud service provider supplies on-occasion office network assistance for such things as desktops, notebooks, and printers.
c. A cloud service provider supplies on-demand network access to a shared pool of resources to clients. These resources include server farms, mass storage, and automation.
d. A cloud service provider only supplies business services to small to midsize businesses.
ANSWER: c
RATIONALE: A cloud service provider supplies on-demand network access to a shared pool of resources to clients. These resources include server farms, mass storage, and automation.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.1 - Describe the main concepts of cloud computing
TOPICS: An Overview of Cloud Computing
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

5. Zenovia is researching cloud deployment methods for her organization. She just opened a small community medical clinic that is about to become affiliated with a larger hospital group. Which type of cloud deployment would be best for Zenovia's organization and why?
a. A public cloud. It is free and open to anyone, so they can use it for their email and productivity suite of tools.
b. A private cloud. Only her organization has access to it, so it is safer for patient file storage.
c. A community cloud. Since the medical clinic will be affiliated with a larger hospital, it would be beneficial in terms of sharing files with the hospital to enhance patient care. They would also be using the same Electronic Medical Records (EMR) software.
d. A hybrid cloud. They could keep some of their records private (employee and payroll) and designate some files for the community cloud (for the hospital).
ANSWER: d
RATIONALE: Zenovia should look at a hybrid cloud. Not all records in her clinic will need to be shared with the hospital. Internal records, such as employee and payroll records, do not need to be shared. However, records dealing with patient care, such as X-rays, blood tests, and examination notes, should be shared with the hospital.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.1 - Describe the main concepts of cloud computing
TOPICS: An Overview of Cloud Computing
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

6. Barry is beginning an investigation into a cloud service provider (CSP). An issue with this service provider is that they have been commingling their data with their other clients' data to hide profits from illegal activity. What is the term for many different unrelated businesses sharing the same applications and storage space, and what makes collecting evidence difficult in this situation?
a. It's called zero-trust tenancy. All the other businesses cannot be accessed by anyone other than the cloud provider.
b. It's called cohabitating. The problem would be finding the relevant data from all those other companies. It would be like trying to find a needle in a haystack.
c. It's called cotenancy. The problem is there is too much data in different formats, and it would be hard to analyze.
d. It's called multitenancy. The problem is in trying to retrieve data from the other tenants (businesses) in the CSP, due to legal and jurisdiction-specific factors governing the data that those businesses own.
ANSWER: d
RATIONALE: It's called multitenancy. The problem is in trying to retrieve data from the other tenants (businesses) in the CSP, due to legal and jurisdiction-specific factors governing the data that those businesses own.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.1 - Describe the main concepts of cloud computing
TOPICS: An Overview of Cloud Computing
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

7. Labrenda is the Chief Technology Officer (CTO) of her company and is about to sign a cloud service agreement with Rackspace® for a cloud deployment. What is a cloud service agreement, and what does it specify? Choose all that apply.
a. A cloud service agreement is the contract between a cloud service provider and a cloud customer. The CSA describes what services are being provided and at what level.
b. A cloud service agreement specifies support options, penalties for services not provided, expected system performance (periods of downtime and uptime, for example), fees, provided software or hardware, and so forth.
c. A cloud service agreement is between a cloud service provider and a cloud client, specifying how data will be managed in the cloud environment.
d. A cloud service agreement is between a cloud service provider and a cloud client, specifying how applications will be developed.
ANSWER: a, b
RATIONALE: A cloud service agreement (CSA), also called a master service agreement or a service-level agreement (SLA), is the contract between a cloud service provider and a cloud customer. The CSA describes what services are being provided and at what level. It should also specify support options, penalties for services not provided, expected system performance (periods of downtime and uptime, for example), fees, and provided software or hardware.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.2 - Summarize the legal challenges in conducting cloud forensics
TOPICS: Legal Challenges in Cloud Forensics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

8. Brynda is perusing the cloud service agreement (CSA) for a client and is examining the customer restrictions and security measures components of the CSA. What must these components include? Choose all that apply.
a. When the investigation can be conducted
b. Who is authorized to access data
c. When data can be analyzed
d. What the limitations are in conducting acquisitions for an investigation
ANSWER: b, d
RATIONALE: CSA components must state who is authorized to access data and what the limitations are in conducting acquisitions for an investigation.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.2 - Summarize the legal challenges in conducting cloud forensics
TOPICS: Legal Challenges in Cloud Forensics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

9. Brendolyn is preparing for a cloud investigation and is reviewing the cloud service provider's (CSP) policies, standards, and guidelines. Why is it important for an investigator to understand CSP policies before starting an investigation?
a. Policies are the guide to business continuity and disaster recovery plans, which can be helpful in recovering and analyzing data needed for an investigation.
b. Policies describe best practices for cloud processes and give staff an example of what they should strive to achieve. Best practices are helpful to the investigator, as many companies follow best practices, so they can be a roadmap to locating evidence.
c. Since policies give guidance to staff for operations and describe their obligations, an investigator knows where to look and whom to look for when searching for evidence.
d. Policies detail rules for a CSP's internal operations and typically include personnel responsibilities, management structure, delegation authority, expectations of protecting data, and the authorization to distribute information. Therefore, knowledge of company policies will help guide an investigator to the right people and provide an idea as to how to obtain evidence correctly.
ANSWER: d
RATIONALE: Policies detail rules for a CSP's internal operations and typically include personnel responsibilities, management structure, delegation authority, expectations of protecting data, and the authorization to distribute information. Therefore, knowledge of company policies will help guide an investigator to the right people and provide an idea as to how to obtain evidence correctly.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.2 - Summarize the legal challenges in conducting cloud forensics
TOPICS: Legal Challenges in Cloud Forensics
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

10. Taran is searching for evidence for a cloud service provider. He is aware that the intruder may have used anti-forensic methods to slow the search or even destroy evidence. What are some of the anti-forensic methods used to obfuscate or change data? Choose all that apply.
a. Using encryption to conceal malware programs activated through other malware programs
b. Using data-hiding utilities that append malware to existing files
c. Affecting file metadata by changing the modify and last access times
d. Permanently deleting sensitive data to protect privacy
ANSWER: a, b, c
RATIONALE: Some of the anti-forensics methods the intruder could have used are encryption to conceal malware programs activated through other malware programs, data-hiding utilities that append malware to existing files, and changing the modify and last access times in file metadata, because altered file timestamps make it hard to develop a timeline of an intruder's activities. However, intent is also a factor. Permanently deleting sensitive data to protect privacy is not anti-forensics; it's good cyber hygiene (good data management).
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.3 - Explain the technical challenges associated with cloud forensics and how to acquire cloud data
TOPICS: Technical Challenges in Cloud Forensics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

11. Bridie is investigating a cloud provider breach. She needs to determine if personally identifiable information (PII) has been compromised. This is part of what aspect of role management?
a. Data owners
b. Identity protection
c. Users
d. Access controls
ANSWER: b
RATIONALE: One aspect of identity protection is determining whether sensitive personally identifiable information (PII) was compromised; if it was, the scope of the investigation broadens.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.3 - Explain the technical challenges associated with cloud forensics and how to acquire cloud data
TOPICS: Technical Challenges in Cloud Forensics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

12. Bader is checking with the cloud provider she is working with regarding which states of encryption they are using. This provider has encryption for RAM. What is this state of encryption called?
a. Data in use
b. Data at rest
c. Data in motion
d. Data on the fly
ANSWER: a
RATIONALE: Data that is encrypted in RAM is called data in use.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.3 - Explain the technical challenges associated with cloud forensics and how to acquire cloud data
TOPICS: Technical Challenges in Cloud Forensics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

13. If a CSP is a victim of a cyberattack, the investigation should follow data acquisition techniques.
a. True
b. False
ANSWER: b
RATIONALE: If a CSP is a victim of a cyberattack, the investigation should follow network forensics techniques.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.4 - Explain how to conduct a cloud investigation and describe some of the commonly used tools
TOPICS: Conducting a Cloud Investigation
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

14. Apollo is proceeding with an investigation of a small CSP. They have very little staff to handle an investigation. What are some of the questions Apollo should ask to understand how the CSP is set up? Choose all that apply.
a. Does the investigator have the authority to use cloud staff and resources to conduct an investigation?
b. How many staff members from the CSP can Apollo use to help in the investigation?
c. Is detailed knowledge of the cloud's topology, policies, data storage methods, and devices available?
d. For e-discovery demands on multitenant cloud systems, is the data to collect commingled with other cloud customers' unrelated data? Is there a way to separate the data to prevent violating privacy rights or confidentiality agreements?
ANSWER: a, c, d
RATIONALE: Some of the questions Apollo needs to ask are: Does the investigator have the authority to use cloud staff and resources to conduct an investigation? Is detailed knowledge of the cloud's topology, policies, data storage methods, and devices available? And for e-discovery demands on multitenant cloud systems, is the data to collect commingled with other cloud customers' unrelated data? Is there a way to separate the data to prevent violating privacy rights or confidentiality agreements?
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.4 - Explain how to conduct a cloud investigation and describe some of the commonly used tools
TOPICS: Conducting a Cloud Investigation
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

15. Sylas is investigating a CSP's customer for evidence of a crime. There are many places Sylas can look regardless of whether the client has the CSP's application installed. Where are some of the places Sylas should look for evidence? Choose all that apply.
a. Windows Prefetch folder
b. Web browser's cache file
c. User's account folder
d. HKEY_LOCAL_MACHINE\WEBBROWSER
ANSWER: a, b, c
RATIONALE: Sylas can find evidence in the Windows Prefetch folder, the web browser's cache file, and the user's account folder.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.4 - Explain how to conduct a cloud investigation and describe some of the commonly used tools
TOPICS: Conducting a Cloud Investigation
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

16. Moses is examining a personal computer because an employee is suspected of committing fraud. As Moses searches the employee's cloud accounts, he finds child pornography. The employee says it is not theirs and they don't know where it came from. Upon further inspection, Moses finds that the employee is telling the truth. How did Moses determine this was true?
a. Moses determined this by looking at the image's metadata.
b. Moses determined that this happened by reviewing the employee's CSP's web-connected login
records and comparing them with date and time values for the suspected files.
c. Moses determined this by checking the employee's passwords for breaches and finding that the one they've been using for their cloud account has been compromised.
d. Moses has a gut feeling that the employee is telling the truth and does not look like someone who would be trafficking in child pornography.
ANSWER: b
RATIONALE: Moses determined that this happened by reviewing the employee's CSP's web-connected login records and comparing them with date and time values for the suspected files. The date and time values did not match, so the data was not input from one of the employee's computers.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.4 - Explain how to conduct a cloud investigation and describe some of the commonly used tools
TOPICS: Conducting a Cloud Investigation
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

17. The Internet of Things (IoT) refers to the network of devices connected to the Internet via embedded sensors and software that allow the devices to easily send and receive data.
a. True
b. False
ANSWER: a
RATIONALE: The Internet of Things (IoT) refers to the network of devices connected to the Internet via embedded sensors and software that allow the devices to easily send and receive data.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.5 - Define the Internet of Anything
TOPICS: An Overview of the Internet of Things, the Internet of Anything, and the Internet of Everything
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

18. The Internet of Anything (IoA) moves beyond devices and their ability to collect and leverage data, encompassing all things that can be or will be connected to the Internet only using Bluetooth and Wi-Fi protocols.
a. True
b. False
ANSWER: b
RATIONALE: The Internet of Anything (IoA) moves beyond devices and their ability to collect and leverage data, encompassing all things that can be or will be connected to the Internet via multiple communications protocols, not just Bluetooth and Wi-Fi.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.5 - Define the Internet of Anything
TOPICS: An Overview of the Internet of Things, the Internet of Anything, and the Internet of Everything
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

19. In the Internet of Everything (IoE), the raw data generated by the many devices are processed in a central location and then fed into the network.
a. True
b. False
ANSWER: b
RATIONALE: In the Internet of Everything (IoE), the raw data generated by the many devices may be processed in a central or decentralized location and then fed into the network.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.5 - Define the Internet of Anything
TOPICS: An Overview of the Internet of Things, the Internet of Anything, and the Internet of Everything
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

20. Ares is researching categories of the Internet of Anything. He wants to know which category of IoT includes applications and devices related to businesses in sectors such as office buildings, large residential buildings, healthcare, entertainment, hotels, and travel. Which category is it?
a. Consumer Internet of Things (CIoT)
b. Industrial Internet of Things (IIoT)
c. Infrastructure Internet of Things
d. Commercial Internet of Things
ANSWER: d
RATIONALE: Commercial Internet of Things: This part of the IoT includes applications and devices
related to businesses in sectors such as office buildings, large residential buildings, healthcare, entertainment, hotels, and travel.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.6 - Describe the five main categories of the Internet of Anything
TOPICS: Categories of the Internet of Anything
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

21. Lucian is researching categories of the Internet of Anything. He wants to know which category includes sectors such as agriculture, energy, manufacturing, and supply chain logistics.
a. Consumer Internet of Things (CIoT)
b. Industrial Internet of Things (IIoT)
c. Infrastructure Internet of Things
d. Commercial Internet of Things
ANSWER: b
RATIONALE: Industrial Internet of Things (IIoT): This category includes sectors such as agriculture, energy, manufacturing, and supply chain logistics.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.11.6 - Describe the five main categories of the Internet of Anything
TOPICS: Categories of the Internet of Anything
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:11 PM
DATE MODIFIED: 4/19/2024 2:11 PM

22. Hudson just scanned his card and entered the office. When he opened the door, the lights automatically turned on. What IoT category can this scenario be placed in?
a. Infrastructure Internet of Things
b. Commercial Internet of Things
c. Consumer Internet of Things (CIoT)
d. Industrial Internet of Things (IIoT)
ANSWER: b
RATIONALE: Commercial Internet of Things: Smart buildings are capable of turning on lights in certain areas of a building, depending upon the badge that was scanned upon entry.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
Mod 11: Cloud Forensics and the Internet of Anything

LEARNING OBJECTIVES: Ceng.GuideForens.25.11.6 - Describe the five main categories of the Internet of Anything TOPICS: Categories of the Internet of Anything KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM

23. Caleb works at the ACME nuclear powerplant. The plant relies on IIoT, a part of which is operational technology. He works with automated control systems, which are used to monitor processes and machines. What are those systems called? a. SCSI b. DRAM c. HMI d. SCADA ANSWER: RATIONALE:

d

The systems used to monitor processes and machines are called SCADA, which stands for supervisory control and data acquisition systems.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.11.6 - Describe the five main categories of the Internet of Anything TOPICS: Categories of the Internet of Anything KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM

24. The digital chain of custody (DCoC) is the route that digital evidence takes from the time the investigator obtains it until the case is closed or goes to court. a. True b. False ANSWER: RATIONALE:

a

The digital chain of custody (DCoC) is the route that digital evidence takes from the time the investigator obtains it until the case is closed or goes to court.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.11.7 - Explain the challenges of forensics in the Internet of Anything TOPICS: Forensics of the Internet of Anything KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM

25. Roman is documenting how digital data was obtained for a digital chain of custody (DCoC) on a case he is working on. What are some of the areas where data can be found? Choose all that apply. a. A sensor b. Network interface card (NIC) c. Central processing area d. IoT edge device ANSWER: RATIONALE:

a, c, d

Digital data can be obtained from sensors, the central processing area, or an IoT edge device that has already completed some data processing.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.11.7 - Explain the challenges of forensics in the Internet of Anything TOPICS: Forensics of the Internet of Anything KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM

26. Athena is part of an IoT Advisory Board connected to NIST. Since IoT security and forensics are closely interrelated due to storage, security, and range issues, Athena's group proposed a zone approach for security and forensics issues related to IoT devices. What are those zones? Choose all that apply. a. Items you control b. Items at your border c. Items on the Internet d. Hardware and software outside of your control ANSWER: RATIONALE:

a, b, d

The group proposed a three-zone approach when considering security and forensics issues related to IoT devices: items you control, items at your border, and hardware and software outside of your control.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.11.7 - Explain the challenges of forensics in the Internet of Anything TOPICS: Forensics of the Internet of Anything KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM

27. Leo was chosen to create a forensics preparedness plan to assist an incident response team in case of a breach or attack. What information about the data should be included in this plan? Choose all that apply. a. When data is stored b. Where data is stored c. What data is stored d. Legal aspects of such data ANSWER: RATIONALE:

b, c, d

Leo's forensics preparedness plan must ensure that the incident response team knows where data is stored, what data is stored, and the legal aspects of such data.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.11.7 - Explain the challenges of forensics in the Internet of Anything TOPICS: Forensics of the Internet of Anything KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM

28. Jai works for the military. His commander used to let Jai and the rest of his platoon wear consumer wearables, such as Fitbit, when they were exercising so they could keep track of their fitness training. Not too long ago, the military banned those devices from military bases. Why would Fitbits and other fitness tracking devices be banned from military sites? a. The fitness trackers were not built for the type of training the military does and they kept breaking. b. The fitness trackers kept getting in the way during missions and were getting lost. These devices had a lot of soldiers' personal information on them and shouldn't fall into the hands of the enemy. c. Soldiers spent more time looking at their trackers and less time watching their surroundings. d. Geolocation trackers inside of the watches revealed the locations and pathways of military installations around the globe. ANSWER: RATIONALE:

d

True story: The military banned fitness trackers because geolocation trackers inside the watches revealed the locations and pathways of military installations around the globe. A private company released a "heat map" that showed the density of trackers in places around the world. The dense traces of tracks going around in the same large spaces turned out to be military sites, including top secret locations.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.11.7 - Explain the challenges of forensics in the Internet of Anything TOPICS: Forensics of the Internet of Anything KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM

29. Jacob uses a smart thermostat to keep his home the temperature he likes. The thermostat has learned when he is home and when he is away and adjusts the temperature accordingly. It is connected to his wireless network so he can also contact the thermostat when he is away from home and make changes to the temperature so that his home can be cooler or warmer by the time he gets home. Because of this, Jacob needs to be very careful that his wireless network is always secure. He must use long complex passwords and change the password every 90 days. Why is it important that Jacob takes these precautions? a. A hacker could turn up the water heater and scald Jacob and his family. b. A hacker could turn all the lights in the house on and off at will. c. A hacker could take control of the thermostat and make it hotter or colder at will, causing damage to the house or making Jacob and his family extremely uncomfortable. d. If a hacker breaks into his network, they can figure out home and away patterns and then break into the home. ANSWER: RATIONALE:

c, d

If a hacker were to break into Jacob's wireless network and access the thermostat, the hacker could take control of the thermostat and make it hotter or colder at will. This could damage the house or make the family extremely uncomfortable. Even more dangerous, the hacker could also figure out Jacob's home and away patterns so that they could know when Jacob and his family weren't home and break in without fear of interruption.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.11.7 - Explain the challenges of forensics in the Internet of Anything TOPICS: Forensics of the Internet of Anything KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM

30. Colton uses a CPAP machine nightly for his sleep apnea. He has been a regular user for many years and always has it on between the hours of 12:00 am and 8:00 am without fail. One day the police arrived at his home and asked him if he heard any screaming around 3:00 am on the night of November 30 two houses up from him. Colton said no, he wears a CPAP at night, and he also wears earplugs, so he doesn't hear noises because he's a light sleeper. The police already know Colton has a record for aggravated assault and assault with a deadly weapon and he had a reported run-in with this neighbor just recently, so the police consider him a suspect. After the search gets underway, the officers want to search Colton's CPAP app on his phone. The machine reports to a central server every night the following information: Usage (how long it was used), Seal (how well the mask stayed on the user's face), Events (how many times the user stopped breathing in an hour), and Mask On/Off (how many times the mask was taken off each night). Reports are sent to his respiratory therapist as well as his smartphone so he can keep track of his usage. The report shows that for the month of November, Colton used his CPAP eight hours a night every night except for the night of November 30. On November 30, his phone app showed that two hours were missing from the usage log. Colton claims he couldn't sleep and was watching TV. Usage shows total time used, not hour-by-hour. Could the missing time mean he is guilty? Choose all that apply. a. He must have committed the crime, since there were two hours missing from the usage log. b. The usage log does not give the actual time the machine was on, so those missing two hours could have been at any time, and Colton could have been watching TV. c. Without other evidence, such as a weapon or an eyewitness, the usage log is only circumstantial evidence since it does not show the actual time during which the two hours were missing. d. Since Colton is on parole, he can be taken into custody, even for circumstantial evidence. ANSWER: RATIONALE:

b, c

The usage log does not give the actual time that the machine was on, so those missing two hours could have been at any time and Colton could have been watching TV. Without other evidence, such as a weapon or an eyewitness, the usage log is only circumstantial evidence since it does not show the actual time when the two hours were missing.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.11.7 - Explain the challenges of forensics in the Internet of Anything TOPICS: Forensics of the Internet of Anything KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:11 PM DATE MODIFIED: 4/19/2024 2:11 PM

Mod 12: Mobile Device Forensics

1. Kabir is examining a mobile phone when he discovers data that is not relevant to the case he is investigating. What happens when data is found on a device that is not relevant to a case? a. Information that does not pertain to a case is deleted from the device. b. Information that does not pertain to a case is kept separate from the evidence and remains confidential. c. Information that does not pertain to a case can be commingled with evidence as long as it is tagged as such. d. Information that does not pertain to a case must be redacted from the public record. ANSWER: RATIONALE:

d

Because phones often contain private or sensitive information, any information that does not pertain to a case must be redacted from the public record.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.1 - Describe the components of mobile devices and cellular networks TOPICS: Understanding Mobile Devices and Cellular Networks KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

2. Dhruv is doing a research paper on technologies introduced with 4G networks. While on his phone, he sees "4G LTE" often and wants to know what it is. What is "4G LTE"? a. LTE stands for Life Time Evolution and supports 100 Mbps to 200 Mbps transmission speeds. That's why it is called "4G LTE." b. LTE stands for Long Term Evolution and supports 45 Mbps to 144 Mbps transmission speeds. That's why it is called "4G LTE." c. LTE stands for Light Technology Evolution and supports 150 Mbps to 250 Mbps transmission speeds. That's why it is called "4G LTE." d. LTE stands for Long Time Extended and supports 200 Mbps to 300 Mbps transmission speeds. That's why it is called "4G LTE." ANSWER: RATIONALE:

b

LTE stands for Long Term Evolution and supports 45 Mbps to 144 Mbps transmission speeds. That's why it is called "4G LTE."

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.1 - Describe the components of mobile devices and cellular networks TOPICS: Understanding Mobile Devices and Cellular Networks KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

3. Agastay is a United States Marshal. His office wants to track the cell phone of a suspicious person to see who he meets, but he cannot do so unless he has a warrant due to the Fourth Amendment. Why is cell phone tracking subject to Fourth Amendment rights? Choose all that apply. a. The Fourth Amendment protects not just physical spaces but also "effects." A person's movements and location can be considered an effect. b. The Fourth Amendment protects information voluntarily shared with third parties. c. Tracking an individual's cell phone can be seen as a "search" in the legal sense. Gathering detailed location information from a cell phone is akin to conducting surveillance. d. The Fourth Amendment protects location data collected for administrative purposes, such as toll booth records. ANSWER: RATIONALE:

a, c

The Fourth Amendment protects not just physical spaces but also "effects." A person's movements and location can be considered an effect, and therefore protected under the Fourth Amendment. Tracking an individual's cell phone can be seen as a "search" in the legal sense. Gathering detailed location information from a cell phone is akin to conducting surveillance, and therefore is protected under the Fourth Amendment.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.1 - Describe the components of mobile devices and cellular networks TOPICS: Understanding Mobile Devices and Cellular Networks KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

4. While investigating a suspect's home, Enzo discovers a SIM card. SIM cards carry copious amounts of information that can be used to determine what the suspect has been doing. What is some of the information that can be found on a SIM card? Choose all that apply. a. Message information b. Attachments c. Call data d. Location information ANSWER: RATIONALE:

a, c, d

Some of the information that Enzo can find on the SIM card includes call data, message information, and location information.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.2 - Explain mobile device evidence sources TOPICS: Mobile Device Evidence Sources KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

5. Irene is traveling to Germany and France and will want to communicate with friends and family at home in America. What is the best phone solution for her? a. Buy a GSM phone so she only needs to swap SIM cards and not the phone b. Buy two phones, because having two phones is better than replacing SIM cards c. Use the phones in her hotels d. Use payphones around town because they are plentiful in Germany and France ANSWER: RATIONALE:

a

Irene should buy a GSM phone and swap SIM cards. Portability of information is what makes SIM cards so versatile. By switching the SIM cards in her phone, she can move to another cellular provider without notifying the service providers.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.2 - Explain mobile device evidence sources TOPICS: Mobile Device Evidence Sources KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

6. Quinn discovered an old PDA (personal digital assistant) during an investigation. As he was examining the device, he found a peripheral memory slot. What types of memory cards did PDAs use? a. Read Only Memory (ROM) b. Compact Flash (CF) c. MultiMediaCard (MMC) d. Secure Digital (SD) ANSWER: RATIONALE:

b, c, d

PDAs used Compact Flash, MultiMediaCard, and Secure Digital peripheral memory cards.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.2 - Explain mobile device evidence sources TOPICS: Mobile Device Evidence Sources KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

7. Juniper is examining a mobile phone that was found at the scene of a crime. It is a late model Android phone. Upon further examination of the phone, she discovered a slot at the bottom of the phone that pushes out with a straight pin. When the slot opens, Juniper finds two empty square-shaped holes. On finding the holes, she knows what is missing. What does Juniper know is missing? Choose all that apply. a. ROM card b. SIM card c. EEPROM card d. removable memory card ANSWER: RATIONALE:

b, d

Juniper knows that the SIM card and the removable memory card are missing from the phone.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.2 - Explain mobile device evidence sources TOPICS: Mobile Device Evidence Sources KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

8. Ximena has been handed a phone that was discovered during a search of a suspect's home. Upon examining the phone, she finds that much of the data is stored in the cloud and web-based services. She tells the investigator that she cannot search the phone further. What is the issue facing Ximena in searching the suspect's phone? a. Accessing the cloud-based storage of a suspect's mobile device requires the suspect's passwords. b. Accessing the cloud-based storage of a suspect's mobile device requires approval from the cloud service provider (CSP). c. Accessing the cloud-based storage of a suspect's mobile device requires a search warrant or subpoena. d. Accessing the cloud-based storage of a suspect's mobile device requires the approval of the Internet service provider (ISP). ANSWER: RATIONALE:

c

In order for Ximena to examine the cloud and web-based services on a suspect's mobile device, a search warrant or subpoena is required.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.2 - Explain mobile device evidence sources TOPICS: Mobile Device Evidence Sources KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

9. Kayden is examining a smartphone's SQLite database. The phone has an SSD for its internal storage. The problem with SSDs is that, if the data is not retrieved immediately, any free space containing residual data will be lost. Why does this happen? a. Data is lost because SSDs only have a limited amount of read/writes before they fail. b. Data is lost when SSD drives perform TRIM and wear-leveling on free space through the autovacuum function. c. Data is lost when memory cache is automatically cleaned. d. Data on SSDs tend to get corrupted over time unlike mechanical drives. ANSWER: RATIONALE:

b

Data is lost when SSD drives perform TRIM and wear-leveling on free space through the autovacuum function.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.2 - Explain mobile device evidence sources TOPICS: Mobile Device Evidence Sources KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

10. Ezra works for Andor Corporation and is responsible for administering their mobile device management (MDM) software. What are some of the tools available to Ezra to control employees in today's BYOD ("Bring Your Own Device") to work environment? Choose all that apply. a. Enforce appropriate behavior by users b. Control who an employee might let borrow their mobile device c. Install security updates d. Create encrypted storage containers on mobile devices ANSWER: RATIONALE:

a, c, d

Mobile device management software allows administrators to enforce appropriate behavior by users, install security updates, and create encrypted storage containers on mobile devices.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.3 - Describe mobile device security features TOPICS: Mobile Device Security KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

11. Elijah just lost his company phone and reports the loss to the IT Department. Since the phone has the MDM management tool installed, what can the IT Department do to protect their confidential information and intellectual property (IP)? a. The MDM tool can locate the phone's location by pinging it. Then the IT Department can call the police to recover it. b. The MDM tool can lock the phone so it cannot be unlocked. c. The MDM tool can be used to wipe the phone to ensure that its data is unrecoverable. d. The MDM tool can disable the phone completely. (Brick it.) ANSWER: RATIONALE:

c

The MDM tool can be used to wipe the phone to ensure that its data is unrecoverable.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.3 - Describe mobile device security features TOPICS: Mobile Device Security KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

12. Gianna is trying to extract data from a mobile device that has MDM enabled. She is using Cellebrite to extract data from the mobile device but is unable to do so. Why is Gianna having problems extracting the data? a. Gianna is using the wrong tool. She needs to use a program, such as AccessData or EnCase. b. MDM is designed to resist attempts by mobile forensics extraction tools, such as Cellebrite. c. MDM is designed to be completely uncrackable. d. Gianna does not have the legal authority to extract data from the MDM-enabled device. ANSWER: RATIONALE:

b

For examiners, extracting data from a mobile device that has MDM enabled is typically difficult or impossible. MDM is designed to resist attempts by mobile forensics extraction tools, such as Cellebrite.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.3 - Describe mobile device security features TOPICS: Mobile Device Security KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

13. Juliette's company has set up MDM to auto wipe an employee's smartphone if certain scenarios occur. What would cause an employee's smartphone to be wiped? Choose all that apply. a. Attempting to change authorized wallpaper b. Any attempts to alter the phone's security features c. Accessing unapproved websites d. Accessing the phone without the appropriate access codes ANSWER: RATIONALE:

b, d

MDM can be set up to automatically wipe data on a smartphone if there are any attempts to alter the phone's security features or attempts to access the smartphone without the appropriate access codes.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.3 - Describe mobile device security features TOPICS: Mobile Device Security KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

14. Ivan is trying to access Google messages between two suspects, but they are encrypted. He can access other messages from one suspect to different people but not the second suspect. Why can't Ivan access messages between the two suspects? a. The two suspects are using Google's Rich Communication Service (RCS), and the feature is activated on both suspects' devices. b. One of the two suspects is using an iPhone, so messaging is encrypted both ways. c. Both suspects are using a third-party app to send messages through the Google messages application. d. The second suspect is using PGP encryption. ANSWER: RATIONALE:

a

Google has introduced end-to-end encryption using Rich Communication Service (RCS) in their Messages app. Presently, the RCS encryption only works between two devices when this feature is activated on both devices.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.3 - Describe mobile device security features TOPICS: Mobile Device Security KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

15. Finn lost their iPhone, so they put it in Apple lost mode. When the Apple device is in lost mode, there are certain functions that are turned off until a passcode is input. What are they? Choose all that apply. a. Disabling lost mode b. Turning off the device c. Disabling Wi-Fi or cellular communication d. Surfing the Internet ANSWER: RATIONALE:

a, b, c

Disabling lost mode, turning off the device, and disabling the Wi-Fi or cellular communication are not possible while the mobile device is in lost mode.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.3 - Describe mobile device security features TOPICS: Mobile Device Security KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

16. Wren is examining an Android mobile phone and wants to be sure that MDM has not been installed. How does Wren determine that MDM is not installed on the mobile phone? Choose all that apply. a. If the Stay awake option is gray, then most likely MDM is not installed. b. If the Auto-Lock option is set to "Lock Timeout," then most likely MDM is not installed. c. If the Stay awake option changes from gray to black, then most likely MDM is not installed. d. If the Auto-Lock option is set to "None," then most likely MDM is not installed. ANSWER: RATIONALE:

c, d

Wren is examining an Android device, so the signs that MDM is not installed are the following: the Stay awake option changes from gray to black, and the Auto-Lock option is set to "None."

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.3 - Describe mobile device security features TOPICS: Mobile Device Security KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

17. Seth is examining two phones that he received from a recent police raid. One phone is an Android version 4 (Ice Cream Sandwich), and the other is an iPhone with iOS 8. Both phones have passwords on them; the Android phone can still have data retrieved from it, but the iPhone cannot. Why is that? Choose all that apply. a. Android phones are based on Linux and have poor encryption, so they have always been easy to acquire data from. b. iPhones are both proprietary in their hardware and software, so they are difficult to acquire data from. c. Once a password is added to an iPhone, the device is encrypted. d. The Android requires more steps to encrypt the phone than just adding a password. The suspect did not take extra steps to encrypt the data. ANSWER: RATIONALE:

c, d

The iPhone will be encrypted as soon as a password is entered on it the first time. The Android phone will not be encrypted with only a password. Other steps must be taken to encrypt an Android phone. Android started automatically encrypting phones when passwords were added with version 5 of the OS, also known as Lollipop.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.3 - Describe mobile device security features TOPICS: Mobile Device Security KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

18. During an investigation at a suspect's home, Joel discovers a mobile device attached by USB to a laptop. When he sees this setup, he must disconnect the mobile device from the laptop immediately. Why is that important? a. The laptop can be programmed to erase data on both devices simultaneously. b. The mobile device can inject malware into the laptop directing the laptop to overwrite its hard drive rendering the laptop useless. c. Disconnecting the devices immediately helps prevent synchronization that might occur automatically on a preset schedule and overwrite data on the device. d. If left connected, timestamps and other important metadata could be lost, making it difficult to determine if or when a crime was committed. ANSWER: RATIONALE:

c

Disconnecting the devices immediately helps prevent synchronization that might occur automatically on a preset schedule and overwrite data on the device. In other words, the evidence that a crime may have occurred may be purposely erased when specific data is synchronized between the mobile device and the laptop.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.4 - Explain mobile device acquisition processes TOPICS: Seizing and Securing Mobile Devices KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

19. Elliot needs to protect a mobile device from being accessed electronically by a suspect. Which methodology is the preferred way to isolate a mobile device from external electronic manipulation? a. Turn on airplane mode b. Use a paint can coated with radio wave-blocking paint c. Use a Faraday bag d. Turn the device off ANSWER: RATIONALE:

c

Of these described methods, the use of a Faraday bag, even if it does not have the optional power feature, is the preferred method to protect mobile devices.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.4 - Explain mobile device acquisition processes TOPICS: Seizing and Securing Mobile Devices KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

20. RAM data is nonvolatile, so it is not important if the mobile device is turned off before retrieving the data in RAM. a. True b. False ANSWER: RATIONALE:

b

All mobile devices have volatile memory, so making sure that they do not lose power before you can retrieve RAM data is critical.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.4 - Explain mobile device acquisition processes TOPICS: Seizing and Securing Mobile Devices KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

21. Kaylee finds a phone at an investigation scene. Her first step is to determine whether the device is on or off. After that, what are the next steps Kaylee needs to take? Choose all that apply. a. If the phone is off, leave it off. b. Attempt to find the charger and connect it as soon as possible to maximize the device's battery life. c. Turn on the device and see if there is a password on the home screen. d. Note it in your log if you cannot determine whether the device was charged at the time of seizure. ANSWER: RATIONALE:

a, b, d

If the phone is off, leave it off, attempt to find the charger and connect it as soon as possible to maximize the device's battery life, and note it in your log if you cannot

Copyright Cengage Learning. Powered by Cognero.

Page 10


Name:

Class:

Date:

Mod 12: Mobile Device Forensics

determine whether the device was charged at the time of seizure. POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.4 - Explain mobile device acquisition processes TOPICS: Seizing and Securing Mobile Devices KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM 22. Jerrika seized an Android mobile device (version 4 of the OS) from a suspect's home. As she searches,

Jerrika cannot find a passcode or the charging unit for the phone. What would be the ideal outcome for this scenario? a. Since no passcode or charging unit can be found and the battery is drained, she is prevented from

extracting and examining data from the mobile phone. b. Jerrika finds the charger for the Android and discovers the device has a passcode, but the phone isn't encrypted. Now she must find a way to break the passcode to retrieve the data. (Warrant required.) c. Jerrika finds the charger and discovers there is a passcode, and the device is encrypted. d. Jerrika opens the phone and discovers that the SIM is missing. ANSWER: RATIONALE:

b

Since the Android (version 4 of the OS) only has a passcode and is not encrypted, it is easier to retrieve data from the phone. With the discovery of a passcode and the fact that the phone is not encrypted, she must find a way to break the passcode to retrieve the data. There are several ways to do this, but a search warrant will be required.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.4 - Explain mobile device acquisition processes TOPICS: Seizing and Securing Mobile Devices KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

23. Jamisha is trying to unlock an Apple iPhone and is on her ninth attempt. Her supervisor asks Jamisha how many times she has tried, and when she tells them nine and is about to make her tenth attempt, they tell her to stop immediately. Why must Jamisha stop trying to input the password?
a. After the 10th failed attempt, the phone will be locked permanently (bricked).
b. After the 10th failed attempt, the phone will erase all data including the OS.
c. After the 10th failed attempt, the phone will initiate a factory reset, which wipes all non-OS data.
d. After the 10th failed attempt, the phone will reset to one and attempts will have to begin again.
ANSWER: c
RATIONALE: After the 10th failed attempt, the phone will initiate a factory reset and will wipe all non-OS data from the device.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.5 - Describe how to extract and analyze mobile device evidence TOPICS: Mobile Device Evidence Extraction and Examination KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

24. Remi must recover information from a mobile device that was just seized from a suspect's home. Out of all the methods of recovering information from a mobile device, which is the best way to recover it?
a. Use a USB port with a USB write-blocker and connect it to a Windows computer
b. Take pictures manually of each phone screen
c. Static acquisition
d. Acquire a forensic image
ANSWER: d
RATIONALE: The best method of retrieving information from a mobile device is by acquiring a forensic image, which might enable you to recover deleted text messages and similar data.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.5 - Describe how to extract and analyze mobile device evidence TOPICS: Mobile Device Evidence Extraction and Examination KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

25. Victor wants to examine an Android phone using a Windows computer. When he plugs the Android phone into the computer, where will he be able to view the data, what will happen and where will he be able to access the files?
a. The computer will directly access the phone, and the files will be viewable in File Explorer.
b. The phone will ask for permission to connect to the computer, and the files will be viewable in File Explorer.
c. The computer will ask for permission from the phone, and the files will be viewable on the desktop.
d. The phone will directly access the computer, and the files will be viewable in the documents folder.
ANSWER: b
RATIONALE: The mobile device connected to a computer will prompt Victor, asking for permission to allow the connection. This, of course, will require that the mobile device be logged on, which means Victor will also need its passcode. The OSs will then recognize the mobile device and will access files, such as photos and videos, via File Explorer.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.5 - Describe how to extract and analyze mobile device evidence TOPICS: Mobile Device Evidence Extraction and Examination KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

26. Raven is about to begin examining an Android phone and needs to be sure that all communication channels to the device have been shut off. What are some of the communications channels that Raven needs to manage? Choose all that apply.
a. Turn on airplane mode
b. Turn off Bluetooth
c. Turn off time management
d. Turn off screen timeout
ANSWER: a, b, d
RATIONALE: Raven will need to turn on airplane mode, turn off Bluetooth, and turn off screen timeout.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.5 - Describe how to extract and analyze mobile device evidence TOPICS: Mobile Device Evidence Extraction and Examination KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

27. Lorelie is extracting data from a mobile device and needs to store it. She needs a good USB drive, one that can perform quickly and accurately. What type of USB drive is best for holding extracted data? Choose all that apply.
a. Any USB drive from a local grocery or convenience store will be fine as all USBs get their memory chips from the same place
b. High-performance, high-endurance USB flash drives
c. Storage device must use at least a QLC memory chip
d. Storage device must use at least MLC or TLC memory chips
ANSWER: b, d
RATIONALE: USB devices must be "high performance" and "high endurance," especially when working in the field. Storage devices must use at least MLC or TLC memory chips from a reputable memory manufacturer. As of now, QLC chips are not as durable as the MLC or TLC chips and tend to have lower endurance memory cells, which may result in potential concerns about the integrity of the data extracted.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.5 - Describe how to extract and analyze mobile device evidence TOPICS: Mobile Device Evidence Extraction and Examination KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

28. Kiara needs a mobile device forensics tool that works in both Windows and Linux. Which tool works in both Windows and Linux?
a. Andriller CE
b. Belkasoft
c. Cellebrite
d. CellHawk
ANSWER: a
RATIONALE: Kiara needs to use Andriller CE. It is a freeware Python script designed to perform forensics acquisitions and analysis on Android smartphones and tablets. Because it is a Python script, Andriller CE can run in Windows and Linux.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.6 - Describe mobile device forensics tools TOPICS: Mobile Device Forensics Tools KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

29. Waverly needs an all-in-one digital forensics solution because her company conducts acquisitions and analysis on traditional computing devices, cloud sources, mobile devices, and drones.
a. Andriller CE
b. CellHawk
c. Cellebrite
d. Belkasoft
ANSWER: d
RATIONALE: Waverly should look at Belkasoft Evidence Center X. This is a commercially sold all-in-one digital forensics solution (belkasoft.com/x). It contains all the tools that an examiner needs to conduct acquisition and analysis from traditional computing devices, cloud sources, mobile devices, and drones.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.6 - Describe mobile device forensics tools TOPICS: Mobile Device Forensics Tools KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

30. Matteo needs a solution for his mobile forensics projects that does not rely on being computer installed and is instead web-based. His best option is software-as-a-service (SaaS). This way, data can be processed automatically within a few minutes, instead of being manually processed by investigators. Which program should he use?
a. Andriller CE
b. CellHawk
c. Cellebrite
d. Belkasoft
ANSWER: b
RATIONALE: Hawk Analytics' CellHawk is a web-based software-as-a-service (SaaS) platform. Data can be processed automatically within a few minutes by CellHawk (assuming CellHawk supports the cellular carrier), instead of being manually processed by investigators, which could take several days or weeks.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.12.6 - Describe mobile device forensics tools TOPICS: Mobile Device Forensics Tools KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

Mod 13: Email and Social Media Investigations

1. Ike just received an email message claiming that his uncle died and left him $100,000 dollars. But he needs to pay a handling fee up front to receive the money. What type of scam is this?
a. Phishing
b. Pharming
c. 419
d. Spoofing
ANSWER: c
RATIONALE: This is an example of a 419 scam. The sender promised to reward Ike financially by sending a minor payment up front.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.1 - Explain the role of email and social media in investigations TOPICS: Exploring the Role of Email in Investigations KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

2. Kiara is a forensic examiner specializing in fraud cases. She is examining email headers to determine if emails addressed to the respondent were fraudulent. She notices that two messages had the same protocol value. So, she knew the message sent by the petitioner was fraudulent. What protocol value did Kiara see in the message header that she recognized as fraudulent?
a. POP3
b. SMTP
c. E/SMTP
d. S/MIME
ANSWER: c
RATIONALE: The clue that the other email was a fake was in the Enhanced/Extended Simple Mail Transfer Protocol (E/SMTP) number located in the message's header. This number is unique to each message an email server transmits. The petitioner claimed that the email instructing him to purchase options was legitimate. However, the petitioner's email message header had the same E/SMTP value as the message header from the respondent. Upon deeper examination, it was revealed that the petitioner's email was fraudulent.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.1 - Explain the role of email and social media in investigations TOPICS: Exploring the Role of Email in Investigations KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

3. Lamar receives an email message that appears to be from his boss. Upon further inspection, he determines that the message is from a different sender. What type of email scam is this?
a. Phishing
b. 419
c. Pharming
d. Spoofing
ANSWER: d
RATIONALE: Spoofing involves transmitting an email message with its header information altered so that its point of origin appears to be from a different sender.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.1 - Explain the role of email and social media in investigations TOPICS: Exploring the Role of Email in Investigations KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

4. You can send and receive email in two environments: via the Internet or through an extranet.
a. True
b. False
ANSWER: b
RATIONALE: Email can be sent and received through two environments: via the Internet or through an intranet (an internal network).

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.2 - Describe client and server roles in email TOPICS: Exploring the Client and Server Roles in Email KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

5. Overall, an intranet email system is for public use, and the Internet system is for the private use of network users.
a. True
b. False
ANSWER: b
RATIONALE: Overall, an intranet email system is for the private use of network users, and Internet email systems are for public use.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.2 - Describe client and server roles in email TOPICS: Exploring the Client and Server Roles in Email KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

6. Nakos is a new employee of the Bloom company. On his first day at the office, he wants to create an email account but is not allowed to do so. He has been told that this must be handled by the IT Department. Why can't Nakos create his own email account? Choose all that apply.
a. The IT Department only allows managers to create their own email accounts.
b. The IT Department has strict naming conventions that are determined by the email administrator.
c. The IT Department must add a new user to a user management program (such as Active Directory) to control user access for security purposes and acceptable use policies.
d. Historically, the IT Department has always overseen email accounts and must maintain consistency with this function.
ANSWER: b, c
RATIONALE: The IT Department has strict naming conventions that are determined by the email administrator, and in this role, must add new users to the company user management program (such as Active Directory) in order to control user access for security reasons and adherence to acceptable use policies.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.2 - Describe client and server roles in email TOPICS: Exploring the Client and Server Roles in Email KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

7. Park is a digital investigator whose specialty is cases that involve email. He likes intranet email cases in particular since they tend to be easier to crack. Why is this?
a. With an intranet email system, security is not an issue, so finding someone who has committed a crime is easier than finding someone on an Internet email system.
b. Only with an intranet email system, the domain name for all email addresses is the same. So, it is easier to separate incoming and outgoing email addresses.
c. With an intranet email system, administrators establish email naming convention standards, so usernames fit a specified pattern making it easier to find who Park is looking for.
d. Intranet email logs and headers are easier to read than Internet email logs and headers.
ANSWER: c
RATIONALE: With an intranet email system, administrators establish email naming convention standards, so usernames fit a specified pattern making it easier to find who Park is looking for. In most cases, an intranet email system is specific to a company and used only by its employees, making the suspect pool smaller in size.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.2 - Describe client and server roles in email TOPICS: Exploring the Client and Server Roles in Email KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

8. Sylas is investigating a Fortune 500 company with offices around the world. He is attempting to recover email from some employees suspected of embezzling from the company. The company uses a cloud service provider for their email services. What is the main issue Sylas could encounter when working with a company with international offices?
a. Sylas could encounter stricter privacy laws that are more complex than the laws in the United States, such as the General Data Protection Regulation (GDPR), and needs to follow all rules and regulations regarding information retrieval in those countries.
b. Sylas could encounter foreign governments that will refuse to work with him so he will not be able to carry out his investigation.
c. Sylas needs to follow only the laws of the United States because he is working for a company that is based in the United States, so only those laws apply.
d. Sylas needs only a warrant from a judge in the United States in order to gather any evidence he may need.
ANSWER: a
RATIONALE: When working with other countries, Sylas will need to consider stricter privacy laws, such as the General Data Protection Regulation (GDPR) in the European Union, so Sylas must follow all rules and regulations regarding information retrieval in those countries. He cannot choose to follow only laws and regulations that are adjudicated in the United States.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.2 - Describe client and server roles in email TOPICS: Exploring the Client and Server Roles in Email KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

9. Tegan lives in the state of Washington and is receiving unsolicited misleading emails from a company located in the state of Washington. The misleading information in the subject line reads "Check Unclaimed," and in the body of the message, there is an advertisement for a debt consolidation service. This is considered spam. Tegan is annoyed about receiving this type of email and wants to report it. How does the state of Washington handle spam complaints compared to other states?
a. The state of Washington has an anti-spam law making it illegal to send unsolicited commercial email if certain conditions are met.
b. The state of Washington follows the CAN-SPAM act like most other states.
c. The state of Washington looks at spam issues only on a case-by-case basis.
d. It is not illegal to send spam in the state of Washington, so Tegan will have to deal with this on his own.
ANSWER: a
RATIONALE: The state of Washington has an anti-spam law whereby it is illegal to send unsolicited commercial email if certain conditions are met. The first condition requires that the sender and receiver are located in the state of Washington. The computer that sent the email message is located in the state of Washington, and so is Tegan. In addition, there is misleading information in the subject line. Therefore, the state of Washington can sue the company responsible for the spam if the company does not stop sending it.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.3 - Describe tasks in investigating email crimes and violations TOPICS: Investigating Email Crimes and Violations KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

10. Julaine is a Forensic Linguistics specialist working for the Orange County Sheriff's Department. A sheriff deputy was called to a home for a welfare check and found a person hanging from the rafters in the home. Originally, to Julaine, it looked like suicide based on how the scene looked and how the suicide letter was written. Upon further examination of the suicide note, letters the victim had written, and emails on their computer, Julaine determined that the suicide note was not written by the victim. Eventually, the sheriff also found evidence that pointed to someone else. The manner of death was changed from suicide to homicide. Why would the letter (among other things) lead the investigator toward changing the manner of death from suicide to homicide?
a. The location of the note versus the location of the body. Usually, you will find suicide notes close to a body, not across the room.
b. The fingerprints left on the suicide note were from someone other than the victim.
c. Based on the tone and phrasing of the suicide note versus the tone and phrasing of other letters and emails that were found on the victim's computer, it was determined that the suicide note was not written by the victim.
d. All the evidence pointed toward homicide. The fingerprints on the suicide letter were the final factor.
ANSWER: c
RATIONALE: Julaine looked at the tone and phrasing of the suicide note versus the tone and phrasing of letters and emails on the victim's computer, and as a result, was able to determine that the suicide note was written by someone other than the victim.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.3 - Describe tasks in investigating email crimes and violations TOPICS: Investigating Email Crimes and Violations KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

11. Annisha is examining a suspect's computer for email programs and doesn't find any on the desktop. Since Annisha cannot find any email clients on the desktop, she needs to look at the suspect's web browser. What are some of the issues with web-based email messages? Choose all that apply.
a. They are easy to use.
b. They don't need warrants to be accessed.
c. They are difficult to trace.
d. A suspect has many choices for web email clients, so it is hard to pin down which one they could be using.
ANSWER: c, d
RATIONALE: A suspect has many choices for web email clients, so it is hard to pin down which one they could be using. It is difficult to trace where the suspect is sending email from unless Annisha had a sample of an email that the suspect has sent. If she had a sample, she could discover more information about the email provider.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.3 - Describe tasks in investigating email crimes and violations TOPICS: Investigating Email Crimes and Violations KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

12. Maryam is an FBI agent on a drug trafficking task force. She always includes computers and electronic communications devices in her search warrants whenever searching a suspect's home. Why is it important to include computers and other electronic communications devices in a search warrant for a suspect's home? Choose all that apply.
a. There may be evidence of a crime on the hard drive of the computer or in the files of the other communications devices.
b. Fingerprints are an important part of a conviction, and because the suspect may have touched those devices, there may be fingerprints of the suspect on those devices.
c. Seizing the computers and electronic communications devices might keep the suspect from locking or wiping the devices.
d. Because email is a major communication medium, any crime can involve email as well as text messages and social media communications.
ANSWER: a, d
RATIONALE: Maryam has a couple of reasons to include computers and electronic communications devices in search warrants. There may be evidence of a crime on the hard drive of the computer or in the files of the other communications devices, and because email is a major communication medium, any crime can involve email as well as text messages and social media communications.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.3 - Describe tasks in investigating email crimes and violations TOPICS: Investigating Email Crimes and Violations KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

13. Derek is investigating a case involving online threats toward a poll worker during the last election cycle. The poll worker was receiving increasingly disturbing emails from an individual. Eventually, Derek was able to catch the individual by searching the email messages he sent to the poll worker. How did Derek use the sent email to find the suspect?
a. Derek examined the Enhanced/Extended Simple Mail Transfer Protocol (E/SMTP) ID and noticed it was identical to other email coming from the same email address, so he was able to pinpoint the suspect's location.
b. Derek examined the headers and encoding at the beginning and ending of the suspect's emails to trace the route the emails took through servers. That information allowed Derek to pinpoint the sender's location.
c. Through forensic linguistics, Derek was able to ascertain that the suspect was the same person sending the email messages because they had the same tone and style. He then searched a known database of suspects who are guilty of email threats and found the suspect.
d. The suspect signed his name to the message, and Derek was able to track him that way.
ANSWER: b
RATIONALE: Derek examined the headers and encoding at the beginning and ending of the suspect's emails to trace the route the emails took through servers. The IP address found in the email header allowed Derek to pinpoint the sender's location.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.3 - Describe tasks in investigating email crimes and violations TOPICS: Investigating Email Crimes and Violations KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

14. Edric is an email administrator for Tandem Corporation. One of his responsibilities is to log system operations and message traffic. What is the purpose for Edric logging this information? Choose all that apply.
a. Scan email for spam
b. Recover emails in case of a disaster
c. Make sure the firewall and email filters work correctly
d. Enforce company policy
ANSWER: b, c, d
RATIONALE: Edric logs systems operations and message traffic to recover emails in case of an emergency, make sure firewall and email filters work correctly, and enforce company policy.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.4 - Explain the use of email server logs TOPICS: Understanding Email Servers and Server Logs KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

15. Gallagher is examining email logs for his latest case. However, not all email logs are the same. They are dependent on the email administrator and what that person wants to track. What are a few of the data points an email administrator would want to keep track of in an email log? Choose all that apply.
a. The IP address from which the email was sent
b. The size and type of email attachments
c. Time and date the email server received the email
d. Time and date the client computer accessed the email
ANSWER: a, c, d
RATIONALE: A few of the data points that an email administrator wants to keep track of are the IP address from which the email was sent, the time and date the email server received the email, and the time and date the client computer accessed the email. There are more data points to be logged; it depends on a company's email retention policies and any compliance requirements that must be met.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.4 - Explain the use of email server logs TOPICS: Understanding Email Servers and Server Logs KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

16. Hailey is working on a case where the suspect is using a web-based email provider. She wants to get access to the suspect's email, but this suspect was only discovered three days ago, and the crime happened two months ago. What are Hailey's issues with this scenario? Choose all that apply.
a. Hailey needs a warrant to get access to the email provider, so it will take some time before she gets access to the suspect's emails.
b. The email provider only keeps email logs for 30 days before overwriting them. So, Hailey might lose out on the opportunity to seize key information from possible email sent by the suspect.
c. The email provider's administrator may not log the information that Hailey wants.
d. The email provider may try to deny access to Hailey even though they are being served a warrant.
ANSWER: a, b
RATIONALE: First, because it is a public email provider, Hailey needs a warrant to get access to the provider, so it may take some time before she gets access to the suspect's emails. In this case, the suspect was found only three days ago, and the crime happened 60 days ago. The email provider may only keep email logs for 30 days before overwriting them. So, Hailey might lose out on the opportunity to seize key information from possible email sent by the suspect.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.4 - Explain the use of email server logs TOPICS: Understanding Email Servers and Server Logs KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM

17. The forward slash (/) is used in Windows file paths, and the backslash (\) is used in UNIX/Linux file paths.
a. True
b. False
ANSWER: b
RATIONALE: The forward slash (/) is used in UNIX/Linux file paths, and the backslash (\) is used in Windows file paths.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.13.4 - Explain the use of email server logs TOPICS: Understanding Email Servers and Server Logs KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM Copyright Cengage Learning. Powered by Cognero.

Page 9


Name:

Class:

Date:

Mod 13: Email and Social Media Investigations DATE MODIFIED:

4/19/2024 2:12 PM

18. Iian is a forensic examiner investigating a case at VLOS Enterprises. The company's email administrator runs a UNIX email server, and Iian discovered that all email is stored on the local email server. Since Iian needs to access those email messages, and they are on the server, how will Iian gain access to the suspect's email without the suspect's knowledge?
a. The UNIX administrator can grant Iian direct access to the suspect's email folder on the server.
b. The UNIX administrator can download all the suspect's email from the suspect's email folder onto a thumb drive for Iian to peruse.
c. The UNIX administrator can give Iian access to the suspect's email by mirroring their email connection to another computer so Iian can watch the suspect's email in real time.
d. The UNIX administrator can create an email group and add Iian to the same group as the suspect.
ANSWER: d
RATIONALE: Because all email is saved on the server, the UNIX administrator can create an email group and add Iian to the same group as the suspect, which will give him access to the suspect's email without the suspect's knowledge.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.13.4 - Explain the use of email server logs
TOPICS: Understanding Email Servers and Server Logs
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

19. Jamielee has been called to a client's office to investigate an employee who has been accused of email harassment. The client uses Exchange Server for all its email. How will Jamielee be able to investigate the employee, since she does not have any special forensics tools with her?
a. Jamielee can ask the email administrator to put the tracking log into verbose mode.
b. Jamielee can use the "diagnostic log" in the Windows Event Viewer.
c. Jamielee can use the .tmp file to examine the logs.
d. Jamielee can use the checkpoint file to recover the employee's email.
ANSWER: a
RATIONALE: Jamielee can have the email administrator download the tracking log. Exchange servers maintain a log called tracking.log that tracks messages. With the Message Tracking feature enabled, the email administrator can select verbose (detailed) logging, and Jamielee can then see the timestamp, the IP address of the sending computer, and the email's contents or body.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.13.4 - Explain the use of email server logs
TOPICS: Understanding Email Servers and Server Logs
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

20. Farley is a forensics examiner specializing in email forensics. He does not like it when an email administrator uses log rotation instead of logging. Why does Farley dislike log rotation?
a. Log rotation makes it harder to recover logs over time.
b. Log rotation removes email header information, so it is impossible to see who wrote an email.
c. Log rotation overwrites the log file after a certain size or time. After the log is overwritten, the log cannot be recovered unless it has been backed up.
d. Log rotation triples the amount of work Farley must do to recover log files, because the number of days the logs are kept determines the number of log files Farley must review to find the right files.
ANSWER: c
RATIONALE: Farley dislikes log rotation because it overwrites the log file after a certain size or timeframe. After the log is overwritten, the log cannot be recovered unless it has been backed up. If the log was not backed up or is corrupted, then that log is no longer available.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.13.4 - Explain the use of email server logs
TOPICS: Understanding Email Servers and Server Logs
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

21. Kaegan is starting a new company that specializes in email forensics. He mostly investigates crimes where the email client is Outlook or Outlook Express. There are many tools to choose from. What are some of the tools available to Kaegan? Choose all that apply.
a. DataNumen
b. FINALeMAIL
c. Fookes Aid4Mail and MailBag Assistant
d. Oxygen Forensic Detective
ANSWER: a, b, c
RATIONALE: DataNumen, FINALeMAIL, and Fookes Aid4Mail and MailBag Assistant all work with Outlook and Outlook Express.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.13.5 - Describe some specialized email forensics tools
TOPICS: Using Specialized Email Forensics Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

22. Landon is trying to locate where an email administrator stores the email system's .db files. He uses .log as his search criteria in a third-party tool. What log files, related to email, will Landon find? Choose all that apply.
a. Logged events for attachments received
b. Logged events for messages
c. Logged events for messages rejected
d. Logged events for accounts accessing email
ANSWER: b, d
RATIONALE: Landon will find logged events for messages and logged events for accounts accessing email.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.13.5 - Describe some specialized email forensics tools
TOPICS: Using Specialized Email Forensics Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

23. Maalik is a forensic examiner investigating email crimes. He uses data recovery tools all the time to recover email and extract data from computers. He is excellent at his job but does not have much experience with how email systems work. He wants to be an expert witness, but his boss told him he can't. Why is Maalik unlikely to be a good expert witness?
a. To be a successful expert witness, Maalik needs to be able to explain how data recovery tools work to laypeople. Maalik knows how the tools work, but he doesn't know how to explain them in simple terms.
b. To be a successful expert witness, Maalik must understand and explain the email systems' functions to laypeople. However, he lacks the ability to explain email systems in a simple manner.
c. To be a successful expert witness, Maalik must be able to explain all types of email systems and data recovery tools in a way that attorneys and laypeople can understand.
d. To be a successful expert witness, Maalik must understand email systems and be a member of a forensics organization so he can demonstrate to a jury that he has ethical standards.
ANSWER: b
RATIONALE: To be a successful expert witness, Maalik must understand and explain the email systems' functions to laypeople. However, he does not have that experience, so he does not have the ability to explain email systems simply.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.13.5 - Describe some specialized email forensics tools
TOPICS: Using Specialized Email Forensics Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

24. Nori is examining email to determine whether there is enough evidence to request a warrant. After comparing email logs with the messages, what are some of Nori's next steps to make that determination?
a. Verify any attachments to the account
b. Verify email account
c. Verify date and time stamp
d. Verify IP address
ANSWER: b, c, d
RATIONALE: After comparing email logs with the messages, Nori's next steps are to verify the email account, the date and time stamp, the IP address, and the message ID (which was not on this list). Once those items are verified and it is determined that there is enough evidence, Nori can request a warrant.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.13.5 - Describe some specialized email forensics tools
TOPICS: Using Specialized Email Forensics Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

25. Shani needs to reconstruct email data from an ISO image. She is researching the best tool to accomplish that. What tool should Shani use?
a. Magnet AXIOM
b. OSForensics
c. Exterro FTK
d. DataNumen
ANSWER: d
RATIONALE: DataNumen is one of the better email recovery tools on the market. It can recover files from VMware and Virtual PC, as well as from ISO images and other types of file backups.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.13.5 - Describe some specialized email forensics tools
TOPICS: Using Specialized Email Forensics Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

26. Oakley needs to extract only email data from the .evolution directory on a suspect's computer. He plans on using a Windows computer to read the data. How does Oakley accomplish the task of making the email data readable on his Windows computer?
a. Oakley uses the Linux tar command to create a tarball of the entire .evolution directory and uncompresses it so that a hexadecimal editor on any OS can read it.
b. Oakley uses the Linux uncompress command to uncompress the entire .evolution directory email file so that a hexadecimal editor on any OS can read it.
c. Oakley uses the Linux cp command to copy the files of the entire .evolution directory so that a hexadecimal editor on any OS can read it.
d. Oakley uses the Linux ls command to list all of the files in the entire .evolution directory so that a hexadecimal editor on any OS can read it.
ANSWER: a
RATIONALE: Oakley needed to extract only email data from the suspect's computer, so he used the Linux tar command to create a tarball of the entire .evolution directory. He then uncompresses the data so he can use a hexadecimal editor in Windows to read it. A tarball can be read by a hexadecimal editor on any OS.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.13.5 - Describe some specialized email forensics tools
TOPICS: Using Specialized Email Forensics Tools
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

27. Padilla is a forensics investigator for the Milwaukee Police Department, and the department is investigating a suspect who is under suspicion for fraud and money laundering. Padilla is investigating multiple crimes the suspect may have committed along with the crimes he is under suspicion for committing. Why would Padilla include probable cause for each crime the suspect is believed to have committed when requesting a warrant?
a. In case Padilla needs additional warrants, since he included probable cause for other possible crimes
b. So that a single warrant is needed to cover all areas of interest
c. So that a single warrant can cover all areas, even areas out of the scope of the original warrant, if more evidence is found during the search
d. So the suspect's defense attorney cannot say their defendant's Fourth Amendment (protection against unreasonable search and seizure without probable cause) rights were violated
ANSWER: b
RATIONALE: Including probable cause for each suspected crime only covers the first warrant requested. Padilla needs to request each warrant separately, so it does not matter that he included probable cause for each crime the suspect is believed to have committed for the first warrant.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.13.5 - Describe some specialized email forensics tools
TOPICS: Using Specialized Email Forensics Tools
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

28. Wynn is investigating possible intellectual property theft using an employee's social media accounts. Through social media usage, it was determined that the employee took intellectual property from her previous employer and went to work for a competitor. What type of information on the employee's social media accounts did Wynn probably find? Choose all that apply.
a. LinkedIn profile of the employee stating they started at a new company, and the start date was before the end date at the old company.
b. Pictures of the employee on Facebook at their new company, dated after they left the old company.
c. The employee explaining on LinkedIn that they took files from their old job because they were treated badly, and they had created them anyway.
d. Post on Facebook that she is having a great time at her new company, dated after she left her old company.
ANSWER: a, c
RATIONALE: Images and posts after the end date of the previous job do not have any bearing on the case. But photos on their LinkedIn profile of the new company before they left the old company, combined with the employee's complaints of mistreatment as a reason for taking files from the company that "they created anyway," are red flags and most likely constitute intellectual property theft. Any work product created while working at a company and resulting in payment by that company becomes company property.
POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.13.6 - Explain how to apply digital forensics methods to investigating social media communications and channel-based messaging tools
TOPICS: Applying Digital Forensics Methods to Social Media Communications and Channel-Based Messaging Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

29. Jailbreaking refers to the process of circumventing provider and user security measures to get low-level OS and file system access on a mobile device.
a. True
b. False
ANSWER: a
RATIONALE: Jailbreaking refers to the process of circumventing provider and user security measures to get low-level OS and file system access on a mobile device. After jailbreaking, the social media content on a mobile device is no longer protected and can be accessed by forensic examiners.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.13.6 - Explain how to apply digital forensics methods to investigating social media communications and channel-based messaging tools
TOPICS: Applying Digital Forensics Methods to Social Media Communications and Channel-Based Messaging Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

30. Zel is investigating a case that requires review of a suspect's data on multiple social media sites over multiple jurisdictions around the world. As an investigator, Zel is not allowed to physically touch or retrieve information from the machines. How must Zel go about getting evidence from these social media sites?
a. Zel must get a warrant or subpoena to get the information, and then the vendors must supply it to him.
b. Zel must contact the local law enforcement agency in every country that the social media site is in and ask them for assistance.
c. Zel must get the FBI involved and file an emergency request for information to force the social media sites to hand over the information.
d. Zel must make a formal request to the social media sites for the information and hope they respond favorably.
ANSWER: a
RATIONALE: Zel must get a warrant or subpoena to get the information, and then the vendors must supply it to him. Without a warrant or subpoena, social media sites do not have to give Zel anything.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.13.6 - Explain how to apply digital forensics methods to investigating social media communications and channel-based messaging tools
TOPICS: Applying Digital Forensics Methods to Social Media Communications and Channel-Based Messaging Tools
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

Mod 14: e-Discovery

1. Electronically stored information (ESI) refers to any electronically created or stored information, except for cloud-based data.
a. True
b. False
ANSWER: b
RATIONALE: Electronically stored information refers to information that is created or stored electronically. This also includes storage on DVDs, CDs, laptops, cell phones, other electronic devices, and the cloud.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.1 - Describe e-discovery and its relationship to digital forensics
TOPICS: Overview of e-Discovery, Rules, and Policies
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

2. Shawn is currently studying Rule 41 of the Federal Rules of Criminal Procedure (FRCrP). What is the subject matter of Rule 41?
a. Rule 41 of the FRCrP was introduced in 1970 to include ESI as part of discoverable material, and in 2006, the FRCrP was updated to address additional issues related to ESI.
b. Rule 41 of the FRCrP was updated in 2006 to ensure that ESI is considered early in the process of discovery to allow sufficient time for a complete discovery process involving ESI. Rule 41(b) added the clause "provisions for disclosure or discovery of electronically stored information."
c. Rule 41 tries to address what can happen if a party tries to hide information. Typically, during the initial meetings, the parties can agree upon what information will be provided. Also, a clawback provision is often included in the agreement in case privileged or sensitive information is inadvertently given to the opposing party.
d. Rule 41 is in regard to Search and Seizure and addresses how evidence can be obtained in criminal investigations.
ANSWER: d
RATIONALE: In terms of using digital evidence in criminal proceedings, the document "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations," which was created in 2002 by the Department of Justice, addresses how to get search warrants and how to seize things over time, especially electronic evidence. Rule 41 of the FRCrP, titled "Search and Seizure," addresses how evidence can be obtained in criminal investigations.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.1 - Describe e-discovery and its relationship to digital forensics
TOPICS: Overview of e-Discovery, Rules, and Policies
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

3. The Computer Fraud and Abuse Act (CFAA) was enacted in 1986 to broaden the range of computer crimes

covered by federal law. This included unauthorized access to networks and computers, which became crucial as hackers became more active. a. True b. False ANSWER: RATIONALE:

a

In 1986, the Computer Fraud and Abuse Act (CFAA) was passed to expand the scope of computer crimes covered by federal law to include those related to the unauthorized access of networks and computers, which became important as hackers became more active.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.14.1 - Describe e-discovery and its relationship to digital forensics TOPICS: Overview of e-Discovery, Rules, and Policies KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM 4. Malcolm is currently pursuing a pre-law degree with a keen interest in the intersection of law and computer

science. He is currently researching two related fields, namely e-discovery and Digital Forensics. While there is some overlap between these two fields, he wants to understand what sets them apart from each other. What are the key differences between e-discovery and digital forensics? Choose all that apply. a. In e-discovery, while the investigator may have an idea of what they are looking for, their job is more

along the lines of solving a puzzle. In digital forensics, the investigators know that they are looking for information related to a contract dispute, intellectual property rights, product defect, or false financial information, for instance. b. In e-discovery, the two parties involved in a litigation e-discovery process will ask the opposing party for data specifically related to the subject of the litigation. In digital forensics, on the other hand, the investigator is typically looking for information related to a criminal matter, corporate espionage, or a civil suit. c. In digital forensics, while the investigator may have an idea of what they are looking for, their job is more along the lines of solving a puzzle. In e-discovery, the investigators know that they are looking for information related to a contract dispute, intellectual property rights, product defect, or false financial information, for instance. d. In e-discovery, while the investigator may have an idea of what they are looking for, their job is more along the line of solving a puzzle. In digital forensics, the investigators know that they are looking for information related to a contract dispute, intellectual property rights, product defect, or false financial information, for instance. Copyright Cengage Learning. Powered by Cognero.

Page 2


Name:

Class:

Date:

Mod 14: e-Discovery ANSWER: RATIONALE:

b, c

In e-discovery, the two parties involved in a litigation e-discovery process will ask the opposing party for data specifically related to the subject of the litigation. The investigators know that they are looking for information related to a contract dispute, intellectual property rights, product defect, or false financial information, for instance. In digital forensics, on the other hand, the investigator is typically looking for information related to a criminal matter, corporate espionage, or a civil suit. While the investigator may have an idea of what they are looking for, their job is more along the lines of solving a puzzle. E-discovery experts tend to view digital forensics as part of their process, while digital forensics experts often see the two fields as overlapping.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.14.1 - Describe e-discovery and its relationship to digital forensics TOPICS: Overview of e-Discovery, Rules, and Policies KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM 5. The Federal Rules of Evidence (FRE) are a set of guidelines that regulate the presentation and use of

evidence in legal proceedings in federal courts in the United States. These rules aim to ensure that the evidence presented during a trial is valid, pertinent, and impartial. Taryn, an intern at a law firm, must familiarize herself with the key aspects of the Federal Rules of Evidence (FRE) before working with any of the attorneys. One of these rules is Privilege. Therefore, Taryn needs to understand how to apply the Privilege rule to the Federal Rules of Evidence (FRE). So how can she do this? a. This rule recognizes communication made in the presence of third parties who are not covered by

privilege, so it is protected. b. This rule recognizes certain routine documents or facts also covered by the work product doctrine limitation. c. This rule recognizes certain privileges that protect certain confidential communications, such as attorney-client privilege, doctor-patient privilege, and spousal privilege. d. This rule recognizes communications made during business that are not made to seek legal advice. ANSWER: RATIONALE:

c

POINTS: QUESTION TYPE: HAS VARIABLES:

1 Multiple Choice False

This rule acknowledges specific privileges that safeguard certain confidential communications. These include attorney-client privilege, which protects communications made for the purpose of seeking legal advice, doctor-patient privilege, which protects communications made for the purpose of obtaining medical diagnosis or treatment, and spousal privilege, which protects communications made between spouses during a valid marriage.

Copyright Cengage Learning. Powered by Cognero.

Page 3


Name:

Class:

Date:

Mod 14: e-Discovery LEARNING OBJECTIVES: Ceng.GuideForens.25.14.1 - Describe e-discovery and its relationship to digital forensics TOPICS: Overview of e-Discovery, Rules, and Policies KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM 6. The Federal Rules of Civil Procedure (FRCP) are a standardized and organized set of regulations that

determine how civil lawsuits are conducted in the federal courts of the United States. The main objectives of the FRCP are to guarantee that civil cases are resolved fairly, efficiently, and consistently. One particular rule that the FRCP sets forth is related to Discovery Procedures. How are discovery procedures applied in civil litigation? Choose all that apply. a. Discovery of third-party witnesses who are not part of the litigation is detailed in the FRCP. b. The FRCP outlines the rules for discovery, allowing parties to obtain relevant information from each

other. Discovery is a crucial aspect of civil litigation, enabling parties to gather evidence, assess the strengths and weaknesses of their cases, and promote settlement discussions. c. The FRCP addresses a detailed framework for protecting legal research. d. Rule 34 applies to the discovery process in the Requests for Production of Electronically Stored Information (ESI), which allows parties to request the production of electronically stored information, and parties must address the form in which ESI should be produced. ANSWER: RATIONALE:

b, d

There are two answers. 1. The FRCP outlines the rules for discovery, allowing parties to obtain relevant information from each other. Discovery is a crucial aspect of civil litigation, enabling parties to gather evidence, assess the strengths and weaknesses of their cases, and promote settlement discussions. 2. Rule 34 applies to the discovery process in the Requests for Production of Electronically Stored Information (ESI), which allows parties to request the production of electronically stored information, and parties must address the form in which ESI should be produced.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.14.1 - Describe e-discovery and its relationship to digital forensics TOPICS: Overview of e-Discovery, Rules, and Policies KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM 7. Victor's main responsibility at the accounting firm is to create and implement policies regarding the retention,

storage, and disposal of documents, records, and electronic communications. Which department could Victor be working in? Choose all that apply. a. Records management b. Ruman resources c. Accounting department Copyright Cengage Learning. Powered by Cognero.

Page 4


Name:

Class:

Date:

Mod 14: e-Discovery d. Information governance ANSWER: RATIONALE:

a, d

Document and email retention is typically managed by the records management or information governance department. They are responsible for establishing policies, procedures, and systems to ensure proper handling, storage, and disposal of documents and emails in accordance with legal and regulatory requirements.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.14.1 - Describe e-discovery and its relationship to digital forensics TOPICS: Overview of e-Discovery, Rules, and Policies KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM 8. In a common-law system, the precedent set by evolving case law can change existing laws and practices. On

the other hand, in civil law nations, if a law specifically related to the issues in dispute does not exist, the case cannot be tried. Which of these countries are common-law nations? Choose all that apply. a. Russia b. United Kingdom c. China d. United States ANSWER: RATIONALE:

b, d

Common law is a legal system characterized by case law and precedent whereby the decisions made by judges in past cases serve as a binding authority in similar future cases. Nations that follow a common-law system include the United Kingdom and the United States.

POINTS: 1 QUESTION TYPE: Multiple Response HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.14.2 - Explain the impact of case law on e-discovery TOPICS: The Impact of Case Law on e-Discovery KEYWORDS: Bloom's: Remember/Understand DATE CREATED: 4/19/2024 2:12 PM DATE MODIFIED: 4/19/2024 2:12 PM 9. Lucas frequently uses his work email address to send personal emails to his doctors and lawyers. These

emails often contain sensitive information such as his Social Security number and birth date. Despite being warned by his IT department, Lucas continues to disregard their advice regarding the risks of sending personal information from his work email address. Why is it considered bad email protocol to send personal information from a work email address? a. It may be seized during the course of an investigation into the company. Copyright Cengage Learning. Powered by Cognero.

Page 5


Name:

Class:

Date:

Mod 14: e-Discovery b. It's not encrypted. c. It can be used against him in a court of law. d. It's a fireable offense. ANSWER: RATIONALE:

a

While it may be a possible fireable offense if there is an acceptable use policy in place, for this chapter, any information placed in a company email may be seized during the course of an investigation into his company, and his personally identifiable information (PII) may no longer be private.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.2 - Explain the impact of case law on e-discovery
TOPICS: The Impact of Case Law on e-Discovery
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

10. Lincoln is an attorney in the United States, which follows common law. He is currently working on a case similar to a previous one that established a precedent regarding an individual's right to privacy under the Fourth Amendment. Since the United States is a common-law nation, how might this precedent impact the outcome of Lincoln's case?
a. The old Amendment must be completely changed.
b. A new Amendment must be established.
c. A new precedent can be established for interpreting the right to privacy under the Fourth Amendment.
d. A new precedent cannot be established for interpreting the right to privacy under the Fourth Amendment, so the original ruling stands.
ANSWER: c
RATIONALE: A new precedent can be established for interpreting the right to privacy under the existing law. In this instance, the new case overrode the original case and established a new precedent for interpreting the right to privacy under the Fourth Amendment.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.2 - Explain the impact of case law on e-discovery
TOPICS: The Impact of Case Law on e-Discovery
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

11. Kinsley is feeling overwhelmed by the numerous legal acronyms. She wants to know what EDRM and FIRAC stand for, as they both relate to the legal process. However, she is not sure which specific part of the legal process each one refers to. What do EDRM and FIRAC mean?
a. The FIRAC framework outlines the stages of the e-discovery process. E-discovery refers to the process of discovering, collecting, and producing electronically stored information (ESI) in legal cases. EDRM is a legal research and writing method used to analyze and solve legal issues, particularly in the context of legal memoranda.
b. The FIRAC framework addresses the protection of PII and several issues related to e-discovery. EDRM is a legal research and writing method used to analyze and solve legal issues, particularly in the context of legal memoranda.
c. The EDRM framework outlines the stages of the e-discovery process. E-discovery refers to the process of discovering, collecting, and producing electronically stored information (ESI) in legal cases. FIRAC is a legal research and writing method used to analyze and solve legal issues, particularly in the context of legal memoranda.
d. The FIRAC framework addresses document and email retention, and it also covers records tampering and document retention. Note that it only applies to publicly traded companies. The EDRM framework outlines the stages of the e-discovery process. E-discovery refers to the process of discovering, collecting, and producing electronically stored information (ESI) in legal cases.
ANSWER: c
RATIONALE: The FIRAC (facts, issues, rules and references, analysis, and conclusions) method is an approach to legal analysis. The FIRAC method can be a useful tool for evaluating cases and determining their relevance to the specific issues you are facing as a digital forensics investigator. The Electronic Discovery Reference Model (EDRM) is a conceptual framework created by Tom Gelbmann and George Socha in 2005 to address how to process ESI in a legal case or an investigation. It was created specifically for e-discovery, and there is a large international group that maintains the model and has various working groups. The EDRM was developed to ensure ESI makes its way to court in both civil and criminal cases.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.3 - Outline the phases of Electronic Discovery Reference Model and the e-discovery case flow
TOPICS: EDRM and e-Discovery Case Flow
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

12. The Information Governance Reference Model (IGRM) addresses stakeholders and factors that impact information governance. These factors include users, security, privacy, legal, and risk.
a. True
b. False
ANSWER: a
RATIONALE: The Information Governance Reference Model (IGRM), which feeds into the steps of the EDRM, is a framework and set of guidelines developed in 2012 to help companies manage their information resources. It addresses stakeholders and factors that impact information governance, including users, security, privacy, legal, and risk.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.3 - Outline the phases of Electronic Discovery Reference Model and the e-discovery case flow
TOPICS: EDRM and e-Discovery Case Flow
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

13. Mahoney works in the information governance department at Senco. He closely collaborates with the IT department, as they are responsible for data storage infrastructure and associated data. When it comes to managing and handling data, certain crucial areas demand attention. What are those areas? Choose all that apply.
a. Data security
b. Data privacy
c. Risk
d. Document management
ANSWER: a, b, c
RATIONALE: The IT team is responsible for monitoring and managing the data storage infrastructure to ensure effective data management. This is closely linked to security and privacy considerations. Another crucial aspect is risk management, which is influenced by the industry in which the company operates. For instance, food services carry a different risk than banking services.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.3 - Outline the phases of Electronic Discovery Reference Model and the e-discovery case flow
TOPICS: EDRM and e-Discovery Case Flow
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

14. Nia is interning with a law firm that specializes in litigation. The attorney instructs her to research Rule 26(f) of the FRCP. What is Rule 26(f) of the FRCP?
a. Rule 26(f) of the FRCP mandates that data is not altered and that files are not damaged or deleted.
b. Rule 26(f) of the FRCP mandates that the parties "meet and confer" early in a litigation to agree on what constitutes relevant data, what formats should be used, and what metadata should be included.
c. Rule 26(f) of the FRCP mandates that information collected must be readily available as well as legally defensible.
d. Rule 26(f) of the FRCP mandates that all documents be redacted and deduplicated to reduce the amount of data included as part of e-discovery by identifying and removing duplicate documents, emails, and other types of data.
ANSWER: b
RATIONALE: Rule 26(f) of the FRCP mandates that the parties "meet and confer" early in a litigation to agree on what constitutes relevant data, what formats should be used, and what metadata should be included.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.3 - Outline the phases of Electronic Discovery Reference Model and the e-discovery case flow
TOPICS: EDRM and e-Discovery Case Flow
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

15. Mia is collaborating with a new lawyer on a case. The lawyer is consistently emphasizing the significance of preservation in the EDRM stages. Why is preservation so important? Choose all that apply.
a. Preservation means the information collected must be readily accessible as well as legally defensible, meaning that it will stand up to a challenge in court.
b. Preservation means checking for documents that include content that is covered by attorney-client privilege or is attorney work product and must be removed unless the client grants permission to include them.
c. Preservation means ensuring that data is not altered, and that files are not damaged or deleted.
d. As items or parts of items are redacted, the potential for this repetition increases. Items that may be redacted include employee or client names, Social Security numbers, and confidential corporate information. The duty to preserve goes into effect with the litigation hold.
ANSWER: c, d
RATIONALE: Preservation means ensuring that data is not altered, and that files are not damaged or deleted. These steps may be ongoing, and repeated, for weeks and possibly months depending on the case. As items or parts of items are redacted, the potential for this repetition increases. Items that may be redacted include employee or client names, Social Security numbers, and confidential corporate information. That is why preservation is so very important. The duty to preserve goes into effect with the litigation hold.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.3 - Outline the phases of Electronic Discovery Reference Model and the e-discovery case flow
TOPICS: EDRM and e-Discovery Case Flow
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

16. Naim was asked by an attorney if the documents she recovered during e-discovery were legally defensible. What does legally defensible mean?
a. The documents do not have a solid legal foundation.
b. The documents will stand up to a challenge in court.
c. The documents are in a format that can be recovered.
d. The documents have been encrypted properly.
ANSWER: b
RATIONALE: The information collected must be readily accessible as well as legally defensible, meaning that it will stand up to a challenge in court.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.3 - Outline the phases of Electronic Discovery Reference Model and the e-discovery case flow
TOPICS: EDRM and e-Discovery Case Flow
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

17. In the realm of criminal cases, the discovery process, including e-discovery, is influenced by criminal case law that imposes distinct and sometimes more rigorous discovery requirements. Notably, there exists a specific doctrine mandating the prosecution to disclose all exculpatory evidence to the defense team, regardless of whether it has been explicitly requested. What is the name of this particular doctrine?
a. The Regan doctrine
b. The Janson doctrine
c. The Brady doctrine
d. The Bush doctrine
ANSWER: c
RATIONALE: In criminal cases, the discovery process, including e-discovery, is also impacted by criminal case law that has different and often more stringent discovery requirements. For instance, the Brady doctrine, whose name comes from the case of Brady v. Maryland, requires the prosecution to produce all exculpatory evidence to the defense team even if it is not specifically requested. There are other doctrines that could cause a criminal case to be thrown out.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False

LEARNING OBJECTIVES: Ceng.GuideForens.25.14.3 - Outline the phases of Electronic Discovery Reference Model and the e-discovery case flow
TOPICS: EDRM and e-Discovery Case Flow
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

18. During the first part of the processing stage, the actual work begins. This phase involves examining all container file types, including .zip files, .tar files, and various compression-based formats. The focus then shifts toward retrieving relevant emails and their attachments. After that, the processing is expanded to include other designated file types, such as audio and image files. What is this stage called?
a. Processing
b. Retrieval
c. Ingestion
d. Decoupling
ANSWER: c
RATIONALE: The first part of the processing stage, where the real work begins, is what the EDRM task force refers to as "ingestion." All container file types need to be searched, including .zip files, .tar files, and other compression-based file formats. Then, the relevant emails and their attachments need to be retrieved. Next, the other file types as mentioned above, such as audio and image files, need to be processed.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.3 - Outline the phases of Electronic Discovery Reference Model and the e-discovery case flow
TOPICS: EDRM and e-Discovery Case Flow
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

19. Hector has just received a set of e-discovery files. Before beginning the review and analysis phase, several steps must be completed. What are those steps? Choose all that apply.
a. Data backup
b. Virus scan
c. Hash value
d. Exception list
ANSWER: b, c, d
RATIONALE: After the data has been retrieved, the files need to be scanned for viruses. As with any digital forensics investigation, a hash value should be generated for each file. The next step is creating an exceptions list, which should be properly isolated and stored. This is where the review and analysis phases begin. Note that these phases may loop back to processing.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.3 - Outline the phases of Electronic Discovery Reference Model and the e-discovery case flow
TOPICS: EDRM and e-Discovery Case Flow
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

20. Brigid is assisting an attorney in the presentation phase of EDRM. Presentations can take place at various times. When can they occur? Choose all that apply.
a. Deposition or hearing
b. Mediation
c. Trial
d. Between the two parties
ANSWER: a, b, c
RATIONALE: The final phase of the EDRM model is the presentation phase. Presentation may occur at a deposition or hearing, during mediation, or at a trial with a judge and jury present.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.3 - Outline the phases of Electronic Discovery Reference Model and the e-discovery case flow
TOPICS: EDRM and e-Discovery Case Flow
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

21. Asher is employed by a defense attorney who is about to enter the discovery phase of a trial. The client possesses information that they wish to keep confidential. How can the client avoid disclosing discoverable information? Choose all that apply.
a. Expressly make the claim
b. Do not produce or disclose those documents for discovery
c. Do not make a claim you have documents to disclose
d. Describe the nature of the documents, communications, or tangible things not produced or disclosed, and do so in a manner that, without revealing information itself privileged or protected, will enable other parties to assess the claim
ANSWER: a, d
RATIONALE: When a party withholds information otherwise discoverable by claiming that the information is privileged or subject to protection as trial-preparation material, the party must: expressly make the claim; and describe the nature of the documents, communications, or tangible things not produced or disclosed, and do so in a manner that, without revealing information itself privileged or protected, will enable other parties to assess the claim.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.3 - Outline the phases of Electronic Discovery Reference Model and the e-discovery case flow
TOPICS: EDRM and e-Discovery Case Flow
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

22. Alexa is reviewing e-discovery documents when she discovers a file containing confidential information about a new type of electric motor. This information is protected as intellectual property. However, the company is currently facing a lawsuit from a competitor who is alleging patent infringement. The patent infringement lawsuit is based on a process used to manufacture the coils surrounding the magnets in the electric motor. The client wants to prevent the opposing counsel from accessing this document. Since the lawsuit is about patent infringement relating to the coils used in the electric motor, in simplistic terms, how does Alexa think the judge is likely to rule on this case?
a. It is irrelevant to the case and can be excluded.
b. It is relevant to the case and must be included.
c. This is a matter for the attorneys to determine between themselves.
d. It is up to the defendant as to whether they want to withhold the document.
ANSWER: b
RATIONALE: Although the document was marked intellectual property, the company was facing a lawsuit regarding the coils surrounding the magnets in the electric motor. Therefore, more than likely, the judge would rule that the document was relevant and should be included in e-discovery.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.3 - Outline the phases of Electronic Discovery Reference Model and the e-discovery case flow
TOPICS: EDRM and e-Discovery Case Flow
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

23. The field of e-discovery is specialized, and the software related to it is referred to as a horizontal market, meaning that only a certain type of clientele uses the software.
a. True
b. False
ANSWER: b
RATIONALE: The field of e-discovery is specialized, and the software is related to what is referred to as a vertical market, meaning that only a certain type of clientele uses the software.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.4 - List some common e-discovery tools
TOPICS: Common e-Discovery Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

24. Clarice is researching e-discovery tools. She is seeking a tool that can redact bulk-level and personally identifiable information (PII). In addition, the software must have the ability to search for specific items such as key terms, names, and emails. Which software would be best suited for her needs?
a. Digital WarRoom
b. Nextpoint
c. Logickull
d. CaseFleet
ANSWER: c
RATIONALE: Logickull takes a traditional approach to e-discovery; however, it also includes newer technology. The software performs redactions at the bulk level and on PII. Like many other e-discovery tools, it can connect to Box, Google Drive, Slack, and other cloud-based services. The software searches for key terms, names, emails, and other specific items.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.4 - List some common e-discovery tools
TOPICS: Common e-Discovery Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

25. Edgar is in search of an e-discovery tool that can efficiently analyze evidence and identify connections that might otherwise be overlooked. Since timelines play a crucial role in his law firm, the tool should be capable of building cases chronologically and tying people and events together. Additionally, the team also requires software that can create presentations based on initial disclosures, cross-examinations, or complaints. Which software would be best for Edgar and his team?
a. Digital WarRoom
b. Logickull
c. Nextpoint
d. CaseFleet
ANSWER: d
RATIONALE: CaseFleet is intended to be used in conjunction with e-discovery software. It analyzes evidence and identifies connections that might be otherwise missed. The strength of this software is in managing information by timelines. For instance, the software can help the e-discovery team build a case chronology that ties people and events together. CaseFleet also has a reporting feature that can generate presentations based on whether it is looking at initial disclosure, cross-examination, or a complaint. The software also offers full-text searching along with report generation.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.4 - List some common e-discovery tools
TOPICS: Common e-Discovery Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

26. Kathy requires a cloud-based tool that can be used by her legal team while on the move for all tasks leading up to the presentation. She wants data analytics to speed up the process of searching and retrieving data, and she doesn't want to buy new software every year to keep up with changing laws. What's the best e-discovery solution for her?
a. Discovery Attender
b. iConect
c. Nextpoint
d. Exterro
ANSWER: c
RATIONALE: Nextpoint is a cloud-based software used by legal teams and lawyers for all items leading up to the presentation. The software uses data analytics to help expedite data search and retrieval. Its pricing model is per user. There is no on-premises version.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.4 - List some common e-discovery tools
TOPICS: Common e-Discovery Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

27. Duane's law firm specializes in digital forensics and e-discovery. They are interested in finding an e-discovery platform that has components related to government, incident response, and data governance. Due to the firm's small IT department, they prefer to use a third party to manage the platform rather than using the software in-house. What's the best software for Duane's needs?
a. Exterro
b. iConect
c. Digital WarRoom
d. Nextpoint
ANSWER: b
RATIONALE: iConect offers an e-discovery platform that includes components related to government, incident response, and data governance, all of which can have an impact on digital forensics and e-discovery. The software can be used in-house or accessed through Microsoft Azure or an approved third party.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.4 - List some common e-discovery tools
TOPICS: Common e-Discovery Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

28. Gabryle's company is searching for a cloud-based solution that provides complete control over the data to avoid any unauthorized alteration or deletion. The platform must have the capability to put an application-level hold to enable users to access Google Drive, OneDrive, SharePoint, and similar resources. Also, it is crucial that the platform can redact confidential data such as PII, HIPAA, privileged, and attorney-client information to ensure the security of sensitive data. What's the best software solution to fit Gabryle's needs?
a. Exterro
b. iConect
c. Digital WarRoom
d. Nextpoint
ANSWER: a
RATIONALE: Exterro offers purely cloud-based e-discovery software that is useful in case of a litigation hold (or even the anticipation of a hold). It is important to ensure that the data is not altered or deleted. Exterro provides an application-level hold that allows the user to focus on specific resources like Google Drive, OneDrive, and SharePoint. The software also manages enterprise-level holds, so there is no need for individuals to handle them. This even applies to handwritten notes and cell phones. Additionally, the software can redact parts of a document for confidentiality, PII, HIPAA, privileged, and attorney-client issues.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.4 - List some common e-discovery tools
TOPICS: Common e-Discovery Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

29. Enzo is in the process of purchasing software for his firm. He is considering both e-discovery and digital forensics software, given the nature of his company's operations. He is particularly interested in a startup that is about to launch new software. The software has many features that Enzo can use, but he must keep one very important result in mind before making any purchase decision. What result does Enzo need to keep in mind?
a. The software must be able to correctly identify files.
b. The software must be able to verify chain of custody.
c. The software must be able to verify chain of command.
d. The software must be able to validate the timestamps of files.
ANSWER: b
RATIONALE: The results of an investigation using e-discovery software must be able to be presented in court, which means the software must be able to verify chain of custody.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.4 - List some common e-discovery tools
TOPICS: Common e-Discovery Tools
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

30. Brynda is deciding between e-discovery and digital forensics software. Forensic software can be used in some e-discovery cases; however, the desired outcomes are not always the same. What's the main difference between e-discovery and digital forensics software?
a. Digital forensics software is specifically created to detect, gather, and handle electronic information mainly for legal proceedings. Meanwhile, e-discovery software involves a methodical investigation of digital devices and data to find evidence for a particular investigation, usually related to a crime or a security incident.
b. E-discovery refers to the process of identifying and retrieving relevant electronic documents, emails, and other information for legal purposes. It is commonly utilized in civil litigation and regulatory matters. On the other hand, digital forensics is a broader discipline that involves analyzing entire digital systems, including servers, computers, mobile devices, and networks. Its primary objective is to uncover evidence related to a specific incident or crime.
c. E-discovery software is specifically created to detect, gather, and handle electronic information mainly for legal proceedings. Meanwhile, digital forensics software involves a methodical investigation of digital devices and data to find evidence for a particular investigation, usually related to a crime or a security incident.
d. Digital forensics refers to the process of identifying and retrieving relevant electronic documents, emails, and other information for legal purposes. It is commonly utilized in civil litigation and regulatory matters. On the other hand, e-discovery is a broader discipline that involves analyzing entire digital systems, including servers, computers, mobile devices, and networks. Its primary objective is to uncover evidence related to a specific incident or crime.
ANSWER: b, c
RATIONALE: E-discovery, also known as electronic discovery, is a process that involves identifying, collecting, and processing electronic information that may be required for legal proceedings. It is commonly used in litigation, regulatory compliance, and internal investigations to find relevant electronic evidence. E-discovery deals with the identification and retrieval of relevant electronic documents, emails, and other information that may be needed in legal matters. It is a useful tool in civil litigation and regulatory affairs. Digital forensics is a process that involves the systematic examination of digital devices and data to find evidence for a specific investigation, which is usually related to a crime or security incident. The scope of digital forensics is quite broad as it aims to reconstruct events and actions from digital artifacts, and it involves analyzing entire digital systems such as computers, servers, mobile devices, and networks. The primary goal of digital forensics is to uncover evidence that is related to a specific incident or crime.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.14.4 - List some common e-discovery tools
TOPICS: Common e-Discovery Tools
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:12 PM
DATE MODIFIED: 4/19/2024 2:12 PM

Mod 15: Ethics and Professional Responsibilities

1. Ethics are the rules you internalize and use to measure your performance.
a. True
b. False
ANSWER: a
RATIONALE: Ethics are the rules you internalize and use to measure your performance. The standards that others apply to you or that you're compelled to adhere to by external forces, such as licensing bodies, can be called ethics, but they are more accurately described as rules of conduct.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.1 - Explain how ethics and codes apply to expert witnesses
TOPICS: Applying Ethics and Codes to Expert Witnesses
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

2. Palo is a forensics examiner testifying in a case. He is rendering an opinion based on his education, training, and experience. What type of witness is Palo being?
a. Defense witness
b. Fact witness
c. Expert witness
d. Prosecution witness
ANSWER: c
RATIONALE: Palo is rendering an opinion based on his education, training, and experience; therefore, he is an expert witness.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.1 - Explain how ethics and codes apply to expert witnesses
TOPICS: Applying Ethics and Codes to Expert Witnesses
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

3. Hildi is a well-known and successful expert witness on computer forensics and fraud. She receives a call from an attorney asking her what her opinion is regarding a case they are working on involving a client who's been hiding money. Hildi asks the attorney to send her significant material on the case for her to make an evaluation. They say, "That's ok," and hang up. What was probably happening in this scenario?
a. The attorney probably was looking for free advice.
b. The attorney probably was curious about what Hildi thought about fraud in general.
c. The attorney was probably opinion shopping.
d. The attorney probably wanted to ask Hildi for a favor.
ANSWER: c
RATIONALE: In this scenario, the attorney was probably opinion shopping. They wanted to find out if Hildi would have a favorable opinion about their case before hiring Hildi.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.1 - Explain how ethics and codes apply to expert witnesses
TOPICS: Applying Ethics and Codes to Expert Witnesses
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

4. Chloe is a forensics examiner who has been working for an attorney on a harassment case. The opposing counsel is looking to get her disqualified. How do attorneys discover what expert witnesses have testified to in the past?
a. They search previous cases that the examiner has worked on.
b. They do opposition research.
c. They ask questions in the deposition.
d. They search deposition banks.
ANSWER: d
RATIONALE: Attorneys search deposition banks for information on expert witnesses. If there's a change in an expert's position on a point, the expert needs to explain why their position has changed, such as recent developments in technology, new tools with new capabilities, or the facts of the current case as opposed to a previous case.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.1 - Explain how ethics and codes apply to expert witnesses
TOPICS: Applying Ethics and Codes to Expert Witnesses
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

5. Expert witnesses can testify even if they were not present when the event occurred or did not handle the data storage device personally.
a. True
b. False
ANSWER: a
RATIONALE: Expert witnesses can testify even if they were not present when the event occurred or if they did not handle the data storage device personally.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.1 - Explain how ethics and codes apply to expert witnesses
TOPICS: Applying Ethics and Codes to Expert Witnesses
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

6. Liam is an expert witness and is always careful and professional in his work by considering certain factors before taking a case. What factors is Liam considering? Choose all that apply.
a. Is there trust between the attorney and the investigator, do they work well together, and does the attorney pay well for the investigator's services?
b. What are some differences between the attorney's motives and the investigator's duty that might affect how the investigator acts, or is expected to act, as an expert witness?
c. Is the function of the expert witness in conflict with the investigator's code of professional responsibility?
d. As an expert witness, should he anticipate that the opposing counsel will look at the codes of professional responsibility of the organizations of which he is a member?
ANSWER: b, c, d
RATIONALE: Liam must consider the following factors: What are some differences between the attorney's motives and the investigator's duty that might affect how the investigator acts, or is expected to act, as an expert witness? Is the function of the expert witness in conflict with the investigator's code of professional responsibility? As an expert witness, should he anticipate that the opposing counsel will look at the codes of professional responsibility of the organizations of which he is a member?

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.1 - Explain how ethics and codes apply to expert witnesses
TOPICS: Applying Ethics and Codes to Expert Witnesses
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

7. Haven prides herself on her code of ethics. She belongs to a professional organization that has a code of ethics for forensic examiners to follow and was also a member of the Scouts, which is a youth group that instills a moral code of conduct into its members. Her boss thinks she will make an excellent witness as a forensics examiner. Why does Haven's boss believe she will be an excellent witness? Choose all that apply.
a. Haven belongs to an organization that has a code of ethics for forensic examiners to follow.
b. Haven seems like a good person. Her boss has a good feeling about her.
c. Haven was a member of a youth group that instills a moral code of conduct into its members (the Scouts).
d. Haven's boss has witnessed that she is very likable, explains difficult concepts to others in the office by making them easy to understand, and she has been to court several times as an observer so she knows what testifying will be like.
ANSWER: a, c
RATIONALE: Because Haven is a member of an organization that has a code of ethics for forensics examiners and she has been a member of the Scouts, chances are she would be ethical since she has internalized rules and morals from both organizations.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.1 - Explain how ethics and codes apply to expert witnesses
TOPICS: Applying Ethics and Codes to Expert Witnesses
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

8. Ethan is an expert witness in the technical aspects of data recovery. He has made it known that he prefers one type of data recovery method over others and prefers recovering data only by that method. Why does this make Ethan a bad expert witness in a trial setting?
a. He is biased toward one method of data recovery.
b. His data recovery techniques are flawed.
c. He is not using the best method of data recovery.
d. He does not know what he is doing.
ANSWER: a
RATIONALE: Because Ethan is biased toward one type of data recovery method, he is not following best practices, which include using multiple recovery methods to ensure that no data is missed.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.1 - Explain how ethics and codes apply to expert witnesses
TOPICS: Applying Ethics and Codes to Expert Witnesses
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

9. Miguel belongs to the International Society of Forensic Computer Examiners (ISFCE). What are some of the guidelines that Miguel should follow as a member of this organization? Choose all that apply.
a. Conduct examinations based on best practices
b. Maintain the utmost objectivity in all forensic examinations and present findings accurately
c. Testify only on your knowledge in all matters before any board, court, or proceedings
d. Avoid any action that would appear to be a conflict of interest
ANSWER: b, d
RATIONALE: Miguel should maintain the utmost objectivity in all forensic examinations, present findings accurately, and avoid any actions that would appear to be a conflict of interest.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.2 - Explain how other organizations’ codes of ethics apply to expert testimony
TOPICS: Organizations with Codes of Ethics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

10. Hannah is a member of the International High Technology Crime Investigation Association (HTCIA). The organization provides a detailed Code of Ethics of Professional Standards Conduct for its members. What are some of the core values Hannah must adhere to when testifying? Choose all that apply.
a. The HTCIA values the Truth uncovered within digital information and the effective techniques used to uncover that Truth, so that no one is wrongfully convicted.
b. The HTCIA values the Integrity of its members and the evidence they expose through common investigative and digital forensics best practices, including specialized techniques used to gather digital evidence.
c. The HTCIA instills in its members the fact that matters or knowledge learned in an examination must be kept confidential without an order from a court of competent jurisdiction or the client's express permission.
d. Members of the HTCIA are expected to maintain their integrity by reporting other members who violate the code of conduct values.
ANSWER: a, b
RATIONALE: The core values Hannah must follow are the following: (1) The HTCIA values the Truth uncovered within digital information and the effective techniques used to uncover that Truth, so that no one is wrongfully convicted. (2) The HTCIA values the Integrity of its members and the evidence they expose through common investigative and digital forensics best practices, including specialized techniques used to gather digital evidence.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.2 - Explain how other organizations’ codes of ethics apply to expert testimony
TOPICS: Organizations with Codes of Ethics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

11. The American Bar Association (ABA) is a licensing body for the state licensing boards of the United States.
a. True
b. False
ANSWER: b
RATIONALE: The American Bar Association (ABA) is not a licensing body, but the ABA's Model Code of Professional Responsibility (Model Code) and its successor, the Model Rules of Professional Conduct (Model Rules), are the basis of state licensing bodies' codes. In the United States, attorneys are licensed by individual states.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.2 - Explain how other organizations’ codes of ethics apply to expert testimony
TOPICS: Organizations with Codes of Ethics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

12. Fabian is working toward becoming an expert witness. He has years of experience in the field, has published papers in journals, and he is well respected. He now wants to join an organization with a code of ethics so that he can show potential clients that he follows a published code of ethics. However, he is not too sure about reporting on other members in his field if they violate the organization's code of conduct because everyone makes mistakes. Which organization does Fabian want to avoid?
a. The International Society of Forensic Computer Examiners (ISFCE)
b. The International High Technology Crime Investigation Association (HTCIA)
c. The International Association of Computer Investigative Specialists (IACIS)
d. The American Bar Association (ABA)
ANSWER: a
RATIONALE: Members of the International Society of Forensic Computer Examiners (ISFCE) are expected to maintain their integrity by reporting other members who violate their code of conduct.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.2 - Explain how other organizations’ codes of ethics apply to expert testimony
TOPICS: Organizations with Codes of Ethics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

13. Xinia is a member of the International Association of Computer Investigative Specialists (IACIS). One of the organization's guiding principles is to conduct examinations based on established, validated principles. What are some of those principles? Choose all that apply.
a. Preserve the integrity of digital evidence
b. Uncover the truth within digital information and use effective techniques to do so
c. Conduct thorough analysis without altering the original data
d. Adhere to legal and ethical standards throughout the investigation
ANSWER: a, c, d
RATIONALE: Some of the established, validated principles for conducting a digital forensics examination are as follows: preserve the integrity of digital evidence, conduct a thorough analysis without altering the original data, and adhere to legal and ethical standards throughout the investigation.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.2 - Explain how other organizations’ codes of ethics apply to expert testimony
TOPICS: Organizations with Codes of Ethics
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

14. Edsel is a forensics expert, and in this role, he helps the judge or jury understand a fact or an issue. According to a standard established in a lawsuit, the expert has the "ethical responsibility to present a complete and unbiased picture of the research relevant to the case at hand." What lawsuit established this standard?
a. JDB v. North Carolina
b. Frye v. United States
c. Kumho Tire Co. v. Carmichael
d. Daubert v. Merrell Dow Pharmaceuticals, Inc.
ANSWER: d
RATIONALE: Daubert v. Merrell Dow Pharmaceuticals, Inc. established that it is the role of the expert to provide reliable and valid testimony. The expert has the "ethical responsibility to present a complete and unbiased picture of the research relevant to the case at hand."

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.3 - Identify ethical challenges in expert testimony
TOPICS: Dealing with Ethical Challenges
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

15. Maddox has been retained by an attorney to be an expert witness for a harassment case. The attorney now has ethical responsibilities for Maddox as his expert witness. What are some of those responsibilities? Choose all that apply.
a. A fair statement of the case or situation
b. Adequate time to review evidence and prepare a report
c. A reasonable timeline for payment for services rendered
d. A reasonable opportunity to examine the data
ANSWER: a, b, d
RATIONALE: Some of the attorney's ethical responsibilities for Maddox include a fair statement of the case or situation, adequate time to review evidence and prepare a report, and a reasonable opportunity to examine the data.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.3 - Identify ethical challenges in expert testimony
TOPICS: Dealing with Ethical Challenges
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

16. Paddy has created some new tools for data recovery that are faster and better than the existing tools available today, but they are untested. He is anxious to try them out on a case, but his supervising attorney says no. Why would the attorney not want Paddy to use his new tools? Choose all that apply.
a. The new tools have not been validated against existing commonly used or commercially available tools.
b. The attorney must pay Paddy for his new tools before they can be submitted to the court.
c. If the court deems the tools unreliable, the evidence Paddy recovered with them might not be admitted or admitted with limiting instructions.
d. The attorney's malpractice insurance company does not want untested tools used in the case.
ANSWER: a, c
RATIONALE: The attorney does not want to use Paddy's new tools because they have not been validated against commonly used or commercially available tools, and if the court deems the tools unreliable, the evidence that Paddy recovered with them might not be admitted or admitted with limiting instructions.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.3 - Identify ethical challenges in expert testimony
TOPICS: Dealing with Ethical Challenges
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

17. Nicole created some new tools for her exclusive use because she did not like any of the existing tools on the market. She decided to "borrow" some code from one of the commercial tools she liked because the tool worked well. The opposing counsel in the case has asked to see the source code for Nicole's tools. What will be the likely outcome of this scenario?
a. As long as the opposing counsel does not find the code, Nicole will likely be fine.
b. Nicole did not do anything wrong, so she will not have to face prosecution.
c. Nicole only committed a minor infraction. The case can still move forward, and the evidence will still be used.
d. Nicole could be in violation of copyright law, and there could be serious criminal and civil liability implications for her.
ANSWER: d
RATIONALE: Nicole was "borrowing" code from another product and incorporated it into her own. She did not acknowledge or pay royalties, so that could be a violation of copyright law and is considered theft. In addition, this situation could result in major embarrassment for Nicole, could have serious criminal and civil liability implications for her, and could adversely impact the attorney who retained her as well as the case she "borrowed" the code for.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.3 - Identify ethical challenges in expert testimony
TOPICS: Dealing with Ethical Challenges
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

18. Joli needs X-Ways Forensics for a case she is working on. Her company doesn't have it, and she doesn't own it either, so she decides to borrow it from a colleague. Although the tool has been verified and is commercially available, it is a bad idea for Joli to use it. Why is it a bad idea? Choose all that apply.
a. If Joli is using borrowed tools from another person or tools inappropriately acquired, her reputation and integrity will be damaged.
b. Since Joli does not have X-Ways Forensics, she may not have the experience to use it properly.
c. Since Joli does not have X-Ways Forensics, her computer and office may not have the system resources required to use it.
d. Evidence Joli may have discovered may be disqualified by a judge.
ANSWER: a, d
RATIONALE: To defend their client, an opposing attorney may demand that Joli verify that the digital forensics tools used are licensed to her or her organization. If she is using borrowed tools from another person or tools inappropriately acquired, her reputation and integrity will be damaged. Any work or opinions she has will be viewed with suspicion. Also, evidence she might have discovered may be disqualified by a judge.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.3 - Identify ethical challenges in expert testimony
TOPICS: Dealing with Ethical Challenges
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

19. Ashtyn is a new forensics examiner working in the private sector. A friend advised him to create an intake form for all requested examinations. What is the purpose of an intake form? Choose all that apply.
a. Document the parties involved in the case
b. Ascertain the nature of the examination
c. Document any technical information about the hardware and software needed to perform the examination
d. Identify possible conflicts of interest
ANSWER: b, c, d
RATIONALE: The intake form serves several purposes: ascertain the nature of the examination; document any technical information about the hardware and software needed to perform the examination; and identify possible conflicts of interest.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.3 - Identify ethical challenges in expert testimony
TOPICS: Dealing with Ethical Challenges
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

20. Faruq is starting a new company as an expert witness. One of the first things he needs to do before taking on clients is to develop an intake form. What are some of the general sections that need to be on the form? Choose all that apply.
a. Case information
b. Examination instructions
c. Digital evidence information
d. Opposing party information
ANSWER: a, b, c
RATIONALE: Some of the information that needs to be noted on an intake form includes case information, examination instructions, and digital evidence information.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.3 - Identify ethical challenges in expert testimony
TOPICS: Dealing with Ethical Challenges
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

21. As a preliminary process, you can speak about a hypothetical case to a potential client or attorney as long as there is no mention of a specific person, organization, incident, or crime before an intake form is completed and the retainer fee received.
a. True
b. False
ANSWER: a
RATIONALE: As a preliminary process, you can speak about a hypothetical case to a potential client or attorney as long as there is no mention of a specific person, organization, incident, or crime before an intake form is completed and the retainer fee received.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.3 - Identify ethical challenges in expert testimony
TOPICS: Dealing with Ethical Challenges
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

22. Jamaca has been hired by an attorney to be an expert witness on a stalking case. The opposing counsel has decided to inquire about her personal finances. Does opposing counsel have the right to do that, and why?
a. Opposing counsel wants to know how successful you are as an expert witness; it is inappropriate.
b. This is a tactic that opposing counsel uses all the time on expert witnesses; it is appropriate.
c. Unless the inquiry is about compensation terms for the current case, it is inappropriate.
d. The attorney that hired Jamaca wants to be sure that she has no unexplainable financial issues before committing her as an expert witness; it is appropriate.
ANSWER: c
RATIONALE: Since the inquiry is not about the current case, it is inappropriate. It could be that opposing counsel wants to intimidate Jamaca by using her financial status against her.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.3 - Identify ethical challenges in expert testimony
TOPICS: Dealing with Ethical Challenges
KEYWORDS: Bloom's: Apply
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

23. Galen is at a deposition with both his supervising attorney and the opposing counsel. The deposition is being held by the opposing counsel at the opposing counsel's office. To Galen, the room feels too hot, the shades are all the way open, and there is no water to drink in the conference room. How can this deposition be characterized? Choose all that apply.
a. The opposing counsel is not aware there are any issues. Bringing them to the opposing counsel's attention could fix the situation.
b. The opposing counsel could be trying to make Galen uncomfortable so that he will be distracted.
c. The opposing counsel chose the wrong time of day to hold a deposition in that conference room, and it is simply too hot.
d. It is just a coincidence that the conference room has been set up with these issues.
ANSWER: a, b
RATIONALE: In a professional legal environment, any attorney will have their staff prepare a conference room for a deposition. That includes making sure that there is water, the room is at a comfortable temperature, and that the shades (if there are windows) are at the right height to protect against the sun. The opposing counsel, in this case, may not be aware that the room is disagreeable. If Galen asks, they might fix it. Or this room was set up intentionally to make Galen feel uncomfortable, in which case he should note the conditions to the attorney who set up the deposition and ask them to correct the situation. If the situation is not resolved, these conditions should be noted in the record.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.3 - Identify ethical challenges in expert testimony
TOPICS: Dealing with Ethical Challenges
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

24. Isadore is a data carving expert. He has been hired by the District Attorney's Office for a very delicate case. The case involves child pornography. They caught the criminal who created and distributed the material, and now, the suspect is being put on trial. Isadore despises these kinds of people, and he knows, for him, complete impartiality will be difficult. What choice does Isadore have in this scenario?
a. Isadore can withdraw from the case if he is unable to be impartial.
b. Isadore must follow the standards set forth by Daubert v. Merrell Dow Pharmaceuticals, Inc. regardless of his personal feelings.
c. Isadore must do everything he can to help the District Attorney win a guilty plea.
d. Isadore should ignore exculpatory evidence and focus only on inculpatory evidence.
ANSWER: b
RATIONALE: The time for Isadore to back out would have been BEFORE he agreed to do the job he was hired for by the District Attorney, not after. So, Isadore must follow the standards set forth by Daubert v. Merrell Dow Pharmaceuticals, Inc. regardless of his personal feelings.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.3 - Identify ethical challenges in expert testimony
TOPICS: Dealing with Ethical Challenges
KEYWORDS: Bloom's: Analyze/Create/Evaluate
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

25. A peer review request may come from another examiner interested in improving their work product but not from an attorney wanting a second opinion for their client or against an opposing attorney or client. Peer reviews may only come from other examiners.
a. True
b. False
ANSWER: b
RATIONALE: A peer review request may come from another examiner interested in improving their work product or from an attorney wanting a second opinion for their client or against an opposing attorney or client.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.4 - Perform peer reviews of digital forensics examinations
TOPICS: Performing Peer Reviews for Digital Forensics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

26. Ivette has been asked to conduct a peer review for an attorney for a second opinion for their client. Ivette has ethical obligations she must follow when reviewing cases. What are they? Choose all that apply.
a. To be as forthright and as thorough as possible when reviewing a case
b. To charge a fair hourly rate and determine a fair number of hours of work
c. If necessary, to examine the digital evidence to confirm, validate, or dispute the other examiner's findings
d. To not talk about the case to anyone else outside of the attorney and their team
ANSWER: a, c
RATIONALE: Ivette's ethical obligations to the attorney who hired her are to be as forthright and as thorough as possible when reviewing a case and, if necessary, to examine the digital evidence to confirm, validate, or dispute the other examiner's findings.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.4 - Perform peer reviews of digital forensics examinations
TOPICS: Performing Peer Reviews for Digital Forensics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

27. Jacques has been asked to write a single-blind peer review. There are some other types of peer reviews. What are they? Choose all that apply.
a. Open review
b. Double-open review
c. Triple-blind review
d. Double-blind review
ANSWER: a, c, d
RATIONALE: Other reviews include the following. Open review: The creator will typically post on a forum for reviewers' feedback. Double-blind review: The creator and reviewer are unknown to each other. Triple-blind review: The creator, reviewer, and editor are anonymous to each other.

POINTS: 1
QUESTION TYPE: Multiple Response
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.4 - Perform peer reviews of digital forensics examinations
TOPICS: Performing Peer Reviews for Digital Forensics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

28. Georgi has been asked to join a peer review committee. He will be working on single-, double-, and triple-blind peer reviews with his committee. What is the purpose of these types of reviews?
a. To ensure that the content of the review is legitimate and not plagiarized
b. To eliminate or minimize the bias of the reviewer
c. To allow for communication between the creator and the reviewer to minimize any confusion and misunderstandings or to improve a report
d. To get as many opinions as possible from others, both experts and nonexperts
ANSWER: b
RATIONALE: The purpose of the single-, double-, and triple-blind peer reviews is to eliminate or minimize the bias of the reviewer.

POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: Ceng.GuideForens.25.15.4 - Perform peer reviews of digital forensics examinations
TOPICS: Performing Peer Reviews for Digital Forensics
KEYWORDS: Bloom's: Remember/Understand
DATE CREATED: 4/19/2024 2:13 PM
DATE MODIFIED: 4/19/2024 2:13 PM

29. Halden is a digital forensics examiner and has been asked to conduct a peer review for a colleague. In the field of digital forensics, a different type of peer review will be done for a colleague versus an attorney. What type of peer review will Halden most likely be conducting?
a. A collaborative review
b. A single-blind review
c. An open review
d. A double-blind review
ANSWER: a
RATIONALE: Specific to digital forensics, an examiner will most likely be asked to conduct a collaborative review for a colleague and a single-blind or double-blind review for an attorney.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.15.4 - Perform peer reviews of digital forensics examinations TOPICS: Performing Peer Reviews for Digital Forensics KEYWORDS: Bloom's: Apply DATE CREATED: 4/19/2024 2:13 PM DATE MODIFIED: 4/19/2024 2:13 PM

30. Hawkins has an excellent reputation as a digital forensics examiner, and attorneys from all over the country seek his expertise. He has been asked to peer review a case for an attorney who is suing a major tobacco company. The peer review is of the digital forensics examiner's report that the attorney for the defendant (the tobacco company) provided. Hawkins' father died from lung cancer due to smoking about 10 years ago. What is Hawkins' responsibility to the attorney who hired him in this scenario?
a. Hawkins must identify and state his personal bias in the report, given that his father died of lung cancer.
b. Hawkins must withdraw from the peer review due to his personal loss.
c. Because this is a peer review, it doesn't matter if Hawkins discloses his father's death.

Page 15

d. Hawkins' only responsibility to the attorney who hired him is that he is thorough and clear in his report.
ANSWER: a
RATIONALE: This is not a case before the court; it is a peer review. As long as Hawkins identifies his personal biases in the report and notifies the attorney that his father died of lung cancer from smoking, it is the attorney's decision whether to keep Hawkins or hire someone else. Because Hawkins has such a good reputation in digital forensics, the attorney may simply note the issue and continue with Hawkins on his team.

POINTS: 1 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: Ceng.GuideForens.25.15.4 - Perform peer reviews of digital forensics examinations TOPICS: Performing Peer Reviews for Digital Forensics KEYWORDS: Bloom's: Analyze/Create/Evaluate DATE CREATED: 4/19/2024 2:13 PM DATE MODIFIED: 4/19/2024 2:13 PM


Page 16
