GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS 6TH EDITION BY BILL NELSON, AMELIA PHILLIPS, CHRIS ST

Page 1


Name:

Class:

Date:

Chapter 01: Understanding the Digital Forensics Profession and Investigations

True / False

1. By the 1970s, electronic crimes were increasing, especially in the financial sector.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: An Overview of Digital Forensics
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/23/2017 12:33 PM

2. To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: An Overview of Digital Forensics
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/11/2017 12:20 PM

3. Computer investigations and forensics fall into the same category: public investigations.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/1/2017 11:55 AM

4. The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/1/2017 11:55 AM

5. After a judge approves and signs a search warrant, it’s ready to be executed, meaning you can collect evidence as defined by the warrant.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/1/2017 11:55 AM

6. Maintaining credibility means you must form and sustain unbiased opinions of your cases.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Maintaining Professional Conduct
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/23/2017 12:43 PM
DATE MODIFIED: 5/8/2018 2:29 PM

7. The definition of digital forensics has evolved over the years; it once meant simply securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: An Overview of Digital Forensics
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/23/2017 1:22 PM
DATE MODIFIED: 12/23/2017 1:23 PM

8. The Fourth Amendment to the U.S. Constitution (and each state’s constitution) protects everyone’s rights to be secure in their person, residence, and property from search and seizure.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: An Overview of Digital Forensics
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/23/2017 1:25 PM
DATE MODIFIED: 12/23/2017 1:26 PM

9. When you work in the enterprise digital group, you test and verify the integrity of standalone workstations and network servers.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: An Overview of Digital Forensics
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/23/2017 1:28 PM
DATE MODIFIED: 12/23/2017 3:32 PM

10. The police blotter provides a record of clues to crimes that have been committed previously.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/23/2017 1:30 PM
DATE MODIFIED: 12/23/2017 3:33 PM

Multiple Choice

11. Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?
a. Computer Forensic Institute
b. Computer Forensics Laboratory
c. Cyber Investigative Joint Task Force
d. Computer Analysis and Response Team
ANSWER: d
POINTS: 1
REFERENCES: An Overview of Digital Forensics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 12:30 PM

Copyright Cengage Learning. Powered by Cognero.
SOURCE: Browsegrades.net

12. A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?
a. Data recovery
b. Disk restoration
c. Digital forensics
d. Disaster recovery
ANSWER: c
POINTS: 1
REFERENCES: An Overview of Digital Forensics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/8/2018 2:13 PM

13. Which group often works as part of a team to secure an organization’s computers and networks?
a. Computer analysts
b. Data recovery engineers
c. Forensics investigators
d. Network monitors
ANSWER: c
POINTS: 1
REFERENCES: An Overview of Digital Forensics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 11:37 AM

14. Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?
a. Network intrusion detection
b. Digital investigations
c. Incident response
d. Litigation
ANSWER: b
POINTS: 1
REFERENCES: An Overview of Digital Forensics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 12:06 PM

15. Which agency introduced training on software for forensics investigations by the early 1990s?
a. IACIS
b. FLETC
c. CERT
d. DDBIA
ANSWER: a
POINTS: 1
REFERENCES: An Overview of Digital Forensics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 12:06 PM

16. Which Pacific Northwest agency meets to discuss problems that digital forensics examiners encounter?
a. IACIS
b. CTIN
c. FTK
d. FLETC
ANSWER: b
POINTS: 1
REFERENCES: An Overview of Digital Forensics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 11:40 AM

17. Which type of case involves charges such as burglary, murder, or molestation?
a. Corporate
b. Civil
c. Criminal
d. Judicial
ANSWER: c
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 7:36 AM

18. What is the third stage of a criminal case, after the complaint and the investigation?
a. Resolution
b. Allegation
c. Negotiation
d. Prosecution
ANSWER: d
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/7/2018 11:28 AM

19. What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?
a. A blotter
b. An exhibit report
c. A litigation report
d. An affidavit
ANSWER: d
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 11:56 AM

20. When an investigator seeks a search warrant, which of the following must be included in an affidavit to support the allegation of a crime?
a. Subpoena
b. Exculpatory evidence
c. Exhibits
d. Authorized requester
ANSWER: c
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/8/2018 2:10 PM

21. What must be done, under oath, to verify that the information in the affidavit is true?
a. It must be notarized.
b. It must be examined.
c. It must be recorded.
d. It must be challenged.
ANSWER: a
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 11:48 AM

22. What do published company policies provide that enables a business to conduct internal investigations?
a. Absolute process
b. Judicial authorization
c. Legitimate justification
d. Line of authority
ANSWER: d
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 11:50 AM

23. What usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will?
a. A warning banner
b. A statement of responsibilities
c. An alarm trigger
d. A consent authorization
ANSWER: a
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 12:08 PM

24. What term refers to a person using a computer to perform routine tasks other than systems administration?
a. Complainant
b. Consumer
c. End user
d. Customer
ANSWER: c
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 12:08 PM

25. Which term refers to an accusation or supposition of fact that a crime has been committed and is made by the complainant, based on the incident?
a. Assertion
b. Allegation
c. Declaration
d. Contention
ANSWER: b
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 12:09 PM

26. Without a warning banner, what right might employees assume they have when using a company’s computer systems and network accesses?
a. Authority
b. Privacy
c. Consent
d. Anonymity
ANSWER: b
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 12:09 PM

27. What term refers to the individual who has the power to initiate digital forensic investigations?
a. Authorized requester
b. Security chief
c. Corporate investigator
d. Independent ombudsperson
ANSWER: a
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 12:09 PM

28. What is most often the focus of digital investigations in the private sector?
a. E-mail abuse
b. Misuse of digital assets
c. Internet abuse
d. VPN abuse
ANSWER: b
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 12:10 PM

29. Which doctrine, found to be unconstitutional, was used to allow a civilian or private-sector investigative agent to deliver evidence obtained in a manner that violated the Fourth Amendment to a law enforcement agency?
a. Silver-tree
b. Gold-tree
c. Silver-platter
d. Gold-platter
ANSWER: c
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 12:10 PM

30. What investigator characteristic, which includes ethics, morals, and standards of behavior, determines the investigator's credibility?
a. Investigatory acumen
b. Fidelity to oath of office
c. Line of authority
d. Professional conduct
ANSWER: d
POINTS: 1
REFERENCES: Maintaining Professional Conduct
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/7/2018 11:26 AM

Matching

Match each item with a statement below:
a. Digital forensics
b. Network forensics
c. Industrial espionage
d. Xtree Gold
e. Case law
f. Interrogation
g. Affidavit
h. Authorized requester
i. Line of authority
j. Single-evidence form
REFERENCES: An Overview of Digital Forensics; Preparing a Digital Forensics Investigation; Procedures for Private-Sector High-Tech Investigations; Preparing for Digital Investigations
QUESTION TYPE: Matching
HAS VARIABLES: False
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 5/4/2018 8:09 AM

31. Involves selling sensitive or confidential company information to a competitor
ANSWER: c
POINTS: 1

32. Recognizes file types and retrieves lost or deleted files
ANSWER: d
POINTS: 1

33. The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data
ANSWER: a
POINTS: 1

34. Sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence
ANSWER: g
POINTS: 1

35. Allows legal counsel to use previous cases similar to the current one because the laws don’t yet exist
ANSWER: e
POINTS: 1

36. Specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
ANSWER: i
POINTS: 1

37. The process of trying to get a suspect to confess to a specific incident or crime
ANSWER: f
POINTS: 1

38. Yields information about how attackers gain access to a network along with files they might have copied, examined, or tampered with
ANSWER: b
POINTS: 1

39. A person who has the power to initiate investigations in a corporate environment
ANSWER: h
POINTS: 1

40. Lists each piece of evidence on a separate page
ANSWER: j
POINTS: 1

Subjective Short Answer

41. Briefly describe the triad that makes up computer security.
ANSWER: Investigators often work as a team to make computers and networks secure in an organization. The computer investigations function is one of three in a triad that makes up computing security. In an enterprise network environment, the triad consists of the following parts:
* Vulnerability assessment and risk management
* Network intrusion detection and incident response
* Computer investigations
POINTS: 1
REFERENCES: An Overview of Digital Forensics
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/1/2017 11:55 AM

42. Briefly describe the main characteristics of public-sector investigations.
ANSWER: In general, public-sector investigations involve government agencies responsible for criminal investigations and prosecution. Government agencies range from municipal, county, and state or provincial police departments to federal law enforcement agencies. These organizations must observe the legal guidelines of their jurisdictions, such as Section 8 of the Canadian Charter of Rights and Freedoms and the Fourth Amendment to the U.S. Constitution, which restrict government search and seizure.
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/23/2017 1:45 PM

43. Briefly describe the main characteristics of private-sector investigations.
ANSWER: Private-sector investigations focus more on policy violations, such as not adhering to Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. However, criminal acts, such as corporate espionage, can also occur. So although private-sector investigations often start as civil cases, they can develop into criminal cases; likewise, a criminal case can have implications leading to a civil case. If you follow good forensics procedures, the evidence found in your examinations can make the transition between civil and criminal cases.
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/23/2017 2:43 PM

44. What questions should an investigator ask to determine whether a computer crime was committed?
ANSWER: In a criminal case, a suspect is charged for a criminal offense, such as burglary, murder, molestation, or fraud. To determine whether there was a computer crime, an investigator asks questions such as the following:
What was the tool used to commit the crime?
Was it a simple trespass?
Was it a theft, a burglary, or vandalism?
Did the perpetrator infringe on someone else’s rights by cyberstalking or e-mail harassment?
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/25/2017 1:23 PM

45. What are some examples of text for internal banner messages?
ANSWER: Depending on the type of organization, the following text can be used in internal warning banners:
• Access to this system and network is restricted.
• Use of this system and network is for official business only.
• Systems and networks are subject to monitoring at any time by the owner.
• Using this system implies consent to monitoring by the owner.
• Unauthorized or illegal users of this system or network will be subject to discipline or prosecution.
• Users of this system agree that they have no expectation of privacy relating to all activity performed on this system.
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/23/2017 2:51 PM

46. What are some of the most common types of private-sector computer crime?
ANSWER: Private-sector computer crimes can involve e-mail harassment; gender and age discrimination; white-collar crimes (defined by the FBI, www.fbi.gov/investigate/whitecollar-crime), such as falsification of data, embezzlement, and sabotage; and industrial espionage, which involves selling sensitive or confidential company information to a competitor. Anyone with access to a computer can commit these crimes.
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/25/2017 1:12 PM

47. What is the role of an authorized requester?
ANSWER: Businesses are advised to specify an authorized requester who has the power to initiate investigations. Executive management should define a policy to avoid conflicts from competing interests in organizations. In large organizations, competition for funding or management support can become so fierce that people might create false allegations of misconduct to prevent competing departments from delivering a proposal for the same source of funds.
To avoid inappropriate investigations, executive management must also define and limit who’s authorized to request a computer investigation and forensics analysis. Generally, the fewer groups with authority to request a computer investigation, the better.
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/25/2017 1:12 PM

48. Briefly describe hostile work environment.
ANSWER: Most digital investigations in the private sector involve misuse of digital assets. Typically, this misuse is referred to as “company rules violation.” Digital abuse complaints often center on e-mail and Internet misuse by employees but could involve other digital resources, such as using company software to produce a product for personal profit. The scope of an e-mail investigation ranges from excessive use of a company’s e-mail system for personal use to making threats or harassing others via e-mail. Some common e-mail abuses involve transmitting offensive messages. These types of messages can create a hostile work environment that can result in an employee’s civil lawsuit against a company that does nothing to prevent or respond to it (in other words, implicitly condones the e-mail abuse).
POINTS: 1
REFERENCES: Preparing for Digital Investigations
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/23/2017 3:01 PM

49. Why is confidentiality critical in the private-sector environment?
ANSWER: In the private-sector environment, confidentiality is critical, especially when dealing with employees who have been terminated. The agreement between the company and the employee might have been to represent the termination as a layoff or resignation in exchange for no bad references. If you give case details and the employee’s name to others, your company could be liable for breach of contract.
POINTS: 1
REFERENCES: Maintaining Professional Conduct
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/23/2017 3:05 PM

50. How can you begin assessing a case?
ANSWER: Using the chapter’s example case (an employee running a side business on a company computer), you can begin assessing it as follows:
• Situation—Employee abuse of resources.
• Nature of the case—Side business conducted on the company computer.
• Specifics of the case—The employee is reportedly conducting a side business on his company computer that involves registering domain names for clients and setting up their Web sites at local ISPs. Co-workers have complained that he’s been spending too much time on his own business and not performing his assigned work duties. Company policy states that all company-owned digital assets are subject to inspection by company management at any time. Employees have no expectation of privacy when operating company computer systems.
• Type of evidence—Small-capacity USB drive connected to a company computer.
• Known disk format—NTFS.
• Location of evidence—One USB drive recovered from the employee’s assigned computer.
POINTS: 1
REFERENCES: Preparing a Digital Forensics Investigation
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
DATE CREATED: 12/1/2017 11:55 AM
DATE MODIFIED: 12/23/2017 3:09 PM
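
Matching items 33 and 40 describe digital forensics as preserving integrity and maintaining a strict chain of custody, with each item of evidence recorded on its own single-evidence form, and question 50 ends its case assessment with one USB drive of known format waiting to be acquired. The following is an added example, not code from the textbook or the test bank, showing the mechanical side of those two items: hash the acquired data, put the hashes and acquisition details on a single-evidence record, append a custody entry for every hand-off, and re-hash later to prove the data is unchanged. The sample image bytes, the case number and the names are constructed for the example; recording both MD5 and SHA-256 is common lab practice rather than something the chapter specifies.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for the small USB image of the question-50 scenario.
# These are not real case data; the example works on any bytes.
SAMPLE_IMAGE = (
    b"\xEB\x52\x90NTFS    " + bytes(120)
    + b"clients.txt: example-client.invalid registered 2018-04-02\n" + bytes(64)
)


def hash_evidence(data: bytes) -> dict:
    """Hash the acquired data with two algorithms. SHA-256 is the one that
    carries weight; MD5 is recorded as well because many lab forms and older
    tools still report it, so either value can be checked against later."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def record_transfer(form: dict, released_by: str, received_by: str,
                    purpose: str, when: Optional[str] = None) -> None:
    """Append one hand-off to the custody log. Every change of hands is
    logged, including the initial acquisition and moves into storage."""
    form["custody_log"].append({
        "when": when or _now(),
        "released_by": released_by,
        "received_by": received_by,
        "purpose": purpose,
    })


def new_evidence_form(case_number: str, item_number: int, description: str,
                      acquired_by: str, data: bytes,
                      when: Optional[str] = None) -> dict:
    """Create the single-evidence record for one item: identification,
    acquisition details, hashes of the acquired data, and an opened custody log."""
    when = when or _now()
    form = {
        "case_number": case_number,
        "item_number": item_number,
        "description": description,
        "acquired_by": acquired_by,
        "acquired_at": when,
        "size_bytes": len(data),
        **hash_evidence(data),
        "custody_log": [],
    }
    record_transfer(form, acquired_by, acquired_by, "acquisition", when)
    return form


def verify_integrity(form: dict, data: bytes) -> bool:
    """Re-hash the data and compare with the values recorded at acquisition.
    Both digests must match; a single changed or appended byte fails the check."""
    current = hash_evidence(data)
    return current["sha256"] == form["sha256"] and current["md5"] == form["md5"]


def render_form(form: dict) -> str:
    """One item per rendered page, as the single-evidence form requires."""
    return json.dumps(form, indent=2)


if __name__ == "__main__":
    form = new_evidence_form(
        "2018-0042", 1,
        "Small-capacity USB drive recovered from employee's assigned computer, NTFS",
        "A. Examiner", SAMPLE_IMAGE,
    )
    record_transfer(form, "A. Examiner", "Evidence locker", "secure storage")
    print(render_form(form))
    print("intact:", verify_integrity(form, SAMPLE_IMAGE))
    tampered = SAMPLE_IMAGE[:-1] + b"\x01"
    print("intact after modification:", verify_integrity(form, tampered))
```

The record is kept as a plain dictionary so it can be rendered to a page, stored with the image, and re-verified by whoever receives the item next; the custody log grows by one entry per transfer and is never rewritten.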

Chapter 02: The Investigator’s Office and Laboratory

True / False

1. A forensics analysis of a 6 TB disk, for example, can take several days or weeks.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Understanding Forensics Lab Accreditation Requirements
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:57 PM
DATE MODIFIED: 1/18/2018 6:19 PM

2. Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Understanding Forensics Lab Accreditation Requirements
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:57 PM
DATE MODIFIED: 12/1/2017 12:57 PM

3. If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Determining the Physical Requirements for a Digital Forensics Lab
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:57 PM
DATE MODIFIED: 12/1/2017 12:57 PM

4. A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Selecting a Basic Forensic Workstation
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:57 PM
DATE MODIFIED: 12/1/2017 12:57 PM

5. Computing systems in a forensics lab should be able to process typical cases in a timely manner.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Selecting a Basic Forensic Workstation
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:57 PM
DATE MODIFIED: 12/1/2017 12:57 PM

6. By using marketing to attract new customers or clients, you can justify future budgets for the lab’s operation and staff.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Building a Business Case for Developing a Forensics Lab
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 1/18/2018 7:06 PM
DATE MODIFIED: 1/18/2018 7:13 PM

7. The ANSI-ASQ National Accreditation Board (ANAB) is a wholly owned subsidiary of the American Society of Crime Laboratory Directors (ASCLD).
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Understanding Forensics Lab Accreditation Requirements
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 1/18/2018 7:09 PM
DATE MODIFIED: 1/18/2018 7:13 PM

8. The lab manager sets up processes for managing cases and reviews them regularly.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Understanding Forensics Lab Accreditation Requirements
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 1/18/2018 7:12 PM
DATE MODIFIED: 1/18/2018 7:12 PM

9. For daily work production, several examiners can work together in a large open area, as long as they all have different levels of authority and access needs.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Determining the Physical Requirements for a Digital Forensics Lab
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 1/18/2018 7:14 PM
DATE MODIFIED: 1/18/2018 7:15 PM

10. Chapter 5, Section 3, of the NISPOM describes the characteristics of a safe storage container.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Determining the Physical Requirements for a Digital Forensics Lab
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 1/18/2018 7:16 PM
DATE MODIFIED: 1/18/2018 7:17 PM

Multiple Choice

11. At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?
a. The forensic workstation
b. The digital forensics lab
c. The data management room
d. The computer analysis lab
ANSWER: b
POINTS: 1
REFERENCES: Understanding Forensics Lab Accreditation Requirements
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:57 PM
DATE MODIFIED: 5/7/2018 11:30 AM

12. At what levels should lab costs be broken down?
a. Daily, weekly, and monthly
b. Weekly, monthly, and annually
c. Monthly, bimonthly, and quarterly
d. Monthly, quarterly, and annually
ANSWER: d
POINTS: 1
REFERENCES: Understanding Forensics Lab Accreditation Requirements
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:57 PM
DATE MODIFIED: 5/7/2018 12:14 PM

13. What reports are generated at the local, state, and federal levels to show the types and frequency of crimes committed?
a. Officer activity reports
b. Cooperative agreement reports
c. Uniform crime reports
d. Mandated crime reports
ANSWER: c
POINTS: 1
REFERENCES: Understanding Forensics Lab Accreditation Requirements
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:57 PM
DATE MODIFIED: 5/7/2018 11:35 AM

14. In addition to FAT16, FAT32, and the Resilient File System (ReFS), which file system can Windows hard disks also use?
a. NTFS
b. ext3
c. FAT24
d. ext2
ANSWER: a
POINTS: 1
REFERENCES: Understanding Forensics Lab Accreditation Requirements
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:57 PM
DATE MODIFIED: 5/7/2018 12:14 PM

15. What organization was created by police officers in order to formalize credentials for digital investigators?
a. HTCN
b. NISPOM
c. TEMPEST
d. IACIS
ANSWER: d
POINTS: 1
REFERENCES: Understanding Forensics Lab Accreditation Requirements
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:57 PM
DATE MODIFIED: 5/7/2018 12:17 PM
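
Question 14 names the file systems a Windows disk can carry, and the chapter 1 case assessment (question 50) records the known disk format before analysis begins. An examiner establishes that format from the volume's first sector rather than from a label on the drive. The following is an added example, not code from the textbook or the test bank: it identifies NTFS, ReFS, exFAT, FAT32 and FAT12/16 volumes from the boot sector and decodes the NTFS BIOS parameter block fields needed to locate the MFT. The boot sectors are constructed in the code from the published on-disk layouts, so nothing is read from a real device; the field values (cluster counts, serial number) are made up.

```python
import struct

SECTOR_SIZE = 512


def build_ntfs_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                           total_sectors=2_097_151, mft_lcn=786_432,
                           mftmirr_lcn=2, serial=0x1234ABCD5678EF90) -> bytes:
    """Construct a minimal NTFS boot sector (test data, not a real volume).
    Offsets follow the NTFS BIOS parameter block layout."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xEB\x52\x90"                      # jump instruction
    s[3:11] = b"NTFS    "                         # OEM ID
    struct.pack_into("<H", s, 0x0B, bytes_per_sector)
    s[0x0D] = sectors_per_cluster
    s[0x15] = 0xF8                                # media descriptor: fixed disk
    struct.pack_into("<Q", s, 0x28, total_sectors)
    struct.pack_into("<Q", s, 0x30, mft_lcn)      # logical cluster of $MFT
    struct.pack_into("<Q", s, 0x38, mftmirr_lcn)  # logical cluster of $MFTMirr
    s[0x40] = 0xF6                                # file record size: 2**(256-0xF6) = 1024 bytes
    struct.pack_into("<Q", s, 0x48, serial)
    s[510:512] = b"\x55\xAA"                      # boot sector signature
    return bytes(s)


def build_fat_boot_sector(fs_type: str) -> bytes:
    """Construct a minimal FAT boot sector with the informational type string
    at the offset FAT32 (0x52) or FAT12/FAT16 (0x36) uses."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xEB\x58\x90"
    s[3:11] = b"MSWIN4.1"
    struct.pack_into("<H", s, 0x0B, 512)
    s[0x0D] = 8
    struct.pack_into("<H", s, 0x0E, 32)           # reserved sectors
    s[0x10] = 2                                   # number of FATs
    label = fs_type.encode("ascii").ljust(8)
    if fs_type == "FAT32":
        s[0x52:0x5A] = label
    else:
        s[0x36:0x3E] = label
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def identify_filesystem(sector: bytes) -> str:
    """Name the file system from the first sector of a volume.
    NTFS, ReFS and exFAT place an unambiguous OEM ID at offset 3. The FAT type
    string is only informational; confirm it by computing the cluster count
    from the BPB as the FAT specification requires before relying on it."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    oem = sector[3:11]
    if oem == b"NTFS    ":
        return "NTFS"
    if oem == b"ReFS    ":
        return "ReFS"
    if oem == b"EXFAT   ":
        return "exFAT"
    if sector[510:512] != b"\x55\xAA":
        return "unknown"
    if sector[0x52:0x5A] == b"FAT32   ":
        return "FAT32"
    label = sector[0x36:0x3E]
    if label in (b"FAT16   ", b"FAT12   "):
        return label.decode("ascii").strip()
    return "unknown"


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the NTFS fields an examiner needs before reading the MFT."""
    if identify_filesystem(sector) != "NTFS":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    sectors_per_cluster = sector[0x0D]
    cluster_size = bytes_per_sector * sectors_per_cluster
    total_sectors = struct.unpack_from("<Q", sector, 0x28)[0]
    mft_lcn = struct.unpack_from("<Q", sector, 0x30)[0]
    mftmirr_lcn = struct.unpack_from("<Q", sector, 0x38)[0]
    raw = sector[0x40]
    # Values >= 0x80 are negative: the record is 2**(-value) bytes regardless of cluster size.
    file_record_size = (1 << (256 - raw)) if raw >= 0x80 else raw * cluster_size
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "volume_size": total_sectors * bytes_per_sector,   # sectors recorded in the BPB
        "mft_offset": mft_lcn * cluster_size,
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        "file_record_size": file_record_size,
        "volume_serial": f"{struct.unpack_from('<Q', sector, 0x48)[0]:016X}",
    }


if __name__ == "__main__":
    for sector in (build_ntfs_boot_sector(), build_fat_boot_sector("FAT32"),
                   build_fat_boot_sector("FAT16"), bytes(SECTOR_SIZE)):
        print(identify_filesystem(sector))
    print(parse_ntfs_boot_sector(build_ntfs_boot_sector()))
```

On a real image, pass the first 512 bytes of the volume (not of the disk, whose first sector is the partition table) to `identify_filesystem`; the decoded `mft_offset` is the byte offset within that volume where MFT parsing starts.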

Page 4

SOURCE: Browsegrades.net


Name:

Class:

Date:

16. How frequently does IACIS require recertification to demonstrate continuing work in the field of computer forensics? a. Every 2 years b. Every 3 years c. Every 4 years d. Every 5 years ANSWER: b POINTS: 1 REFERENCES: Understanding Forensics Lab Accreditation Requirements QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 6/4/2018 3:01 PM

17. What HTCN certification level requires that candidates have three years of experience in computing investigations for law enforcement or corporate cases? a. Certified Computer Crime Investigator, Basic Level b. Certified Computer Crime Investigator, Advanced Level c. Certified Computer Forensic Technician, Basic d. Certified Computer Forensic Technician, Advanced ANSWER: c POINTS: 1 REFERENCES: Understanding Forensics Lab Accreditation Requirements QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/18/2018 6:40 PM

18. What kind of forensic investigation lab best preserves the integrity of evidence? a. A shielded enclosure b. A protected entity c. A fortified workplace d. A secure facility ANSWER: d POINTS: 1 REFERENCES: Determining the Physical Requirements for a Digital Forensics Lab QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:56 PM

19. At what distance can the EMR from a computer monitor be picked up? a. 1/4 mile b. 1/2 mile c. 3/4 mile d. 1 mile ANSWER: b POINTS: 1 REFERENCES: Determining the Physical Requirements for a Digital Forensics Lab
QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 6/4/2018 2:59 PM

20. During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. What did the U.S. Department of Defense call this special computer-emission shielding? a. TEMPEST b. RAID c. NISPOM d. EMR ANSWER: a POINTS: 1 REFERENCES: Determining the Physical Requirements for a Digital Forensics Lab QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:16 PM

21. What material is recommended for secure storage containers and cabinets? a. Gypsum b. Steel c. Wood d. Expanded metal ANSWER: b POINTS: 1 REFERENCES: Determining the Physical Requirements for a Digital Forensics Lab QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 11:45 AM

22. How frequently should floors and carpets in the computer forensic lab be cleaned to help minimize dust that can cause static electricity? a. At least once a week b. At least twice a week c. At least three times a week d. At least four times a week ANSWER: a POINTS: 1 REFERENCES: Determining the Physical Requirements for a Digital Forensics Lab QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:54 PM

23. Which resource can be helpful when investigating older and unusual computing systems? a. AICIS lists b. Uniform reports
c. Forums and blogs d. Minix ANSWER: c POINTS: 1 REFERENCES: Selecting a Basic Forensic Workstation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 11:49 AM

24. What type of plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you’re analyzing? a. Disaster recovery b. Risk management c. Configuration management d. Security ANSWER: a POINTS: 1 REFERENCES: Selecting a Basic Forensic Workstation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 11:55 AM

25. Where should your computer backups be kept? a. Any convenient location b. A colleague's computer c. An off-site facility d. In the Cloud ANSWER: c POINTS: 1 REFERENCES: Selecting a Basic Forensic Workstation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 11:59 AM

26. What process refers to recording all the updates made to a workstation? a. Configuration management b. Risk minimization c. Recovery logging d. Change logging ANSWER: a POINTS: 1 REFERENCES: Selecting a Basic Forensic Workstation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:01 PM

27. Methods for restoring large data sets are important for labs using which type of servers? a. RAID b. ISDN c. WAN d. TEMPEST ANSWER: a POINTS: 1 REFERENCES: Selecting a Basic Forensic Workstation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:04 PM

28. Which activity involves determining how much risk is acceptable for any process or operation? a. Risk configuration b. Risk analysis c. Risk control d. Risk management ANSWER: d POINTS: 1 REFERENCES: Selecting a Basic Forensic Workstation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:07 PM

29. What is the maximum amount of time computing components are designed to last in normal business operations? a. 24 months b. 30 months c. 36 months d. 42 months ANSWER: c POINTS: 1 REFERENCES: Selecting a Basic Forensic Workstation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:05 PM

30. In what process is the acquisition of newer and better resources for investigation justified? a. Conducting a risk evaluation b. Building a business case c. Modifying the configuration plan d. Creating an upgrade policy ANSWER: b POINTS: 1 REFERENCES: Building a Business Case for Developing a Forensics Lab QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:10 PM

Matching

Match each item with a statement below a. Lab manager b. Guidance Software c. Business case d. FREDC e. ANAB f. Uniform Crime Report g. SCADA h. Norton Ghost i. Disaster recovery plan j. IACIS REFERENCES: Building a Business Case for Developing a Forensics Lab Selecting a Basic Forensic Workstation Understanding Forensics Lab Accreditation Requirements QUESTION TYPE: Matching HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/22/2018 5:56 PM

31. Sponsors the EnCE certification program ANSWER: b POINTS: 1

32. A high-end RAID server from Digital Intelligence ANSWER: d POINTS: 1

33. A plan you can use to sell your services to your management or clients ANSWER: c POINTS: 1

34. Stands for supervisory control and data acquisition ANSWER: g POINTS: 1

35. Tool for directly restoring files ANSWER: h POINTS: 1

36. Addresses how to restore a workstation you reconfigured for a specific investigation ANSWER: i POINTS: 1

37. Creates and monitors lab policies for staff and provides a safe and secure workplace for staff and evidence ANSWER: a POINTS: 1

38. Identifies the number of hard disk types, such as SATA or SCSI, and the OS used to commit crimes ANSWER: f POINTS: 1

39. Provides accreditation of crime and forensics labs worldwide ANSWER: e POINTS: 1

40. One of the oldest professional digital forensics organizations ANSWER: j POINTS: 1

Subjective Short Answer

41. What are the duties of a lab manager? ANSWER: The lab manager sets up the processes for managing cases and reviews them regularly. Besides performing general management tasks, such as promoting group consensus in decision making, maintaining fiscal responsibility for lab needs, and enforcing ethical standards among staff members, the lab manager plans updates for the lab, such as new hardware and software purchases. The lab manager also establishes and promotes quality assurance processes for the lab’s staff to follow, such as outlining what to do when a case arrives, logging evidence, specifying who can enter the lab, and establishing guidelines for filing reports. To ensure the lab’s efficiency, the lab manager also sets reasonable production schedules for processing work. POINTS: 1 REFERENCES: Understanding Forensics Lab Accreditation Requirements QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/18/2018 8:04 PM

42. Provide a brief explanation of how to plan a lab budget. ANSWER: Lab costs can be broken down into monthly, quarterly, and annual expenses. The better you understand these expenses, the better you can delegate resources for each investigation. Using a spreadsheet program helps you keep track of past investigation expenses so that you can extrapolate expected future costs. Remember that expenses include purchasing computer hardware and software, renting facility space, and trained personnel. When creating a budget, start by estimating the number of cases your lab expects to examine and identifying the types of computers you’re likely to examine, such as Windows PCs, Apple systems, or Linux workstations.
POINTS: 1 REFERENCES: Understanding Forensics Lab Accreditation Requirements QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/18/2018 8:08 PM

43. What are the four levels of certification offered by HTCN?
ANSWER:
Certified Computer Crime Investigator, Basic Level
Certified Computer Crime Investigator, Advanced Level
Certified Computer Forensic Technician, Basic
Certified Computer Forensic Technician, Advanced
POINTS: 1 REFERENCES: Understanding Forensics Lab Accreditation Requirements QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/1/2017 12:57 PM

44. What are the minimum requirements for a computer investigation and forensics lab?
ANSWER:
Small room with true floor-to-ceiling walls
Door access with a locking mechanism (limited to authorized users, including cleaning crews), which can be a regular key lock, combination lock, or an electronic lock capable of logging who accessed it
Secure container, such as a safe or heavy-duty file cabinet with a quality padlock that prevents drawers from opening
Visitor’s log with legible entries listing all people who have accessed the lab and showing the date, time in, and time out
POINTS: 1 REFERENCES: Determining the Physical Requirements for a Digital Forensics Lab QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/18/2018 8:15 PM

45. Illustrate a proper way of disposing of materials in your computer investigation lab. ANSWER: Maintain two separate trash containers, one to store items unrelated to an investigation, such as discarded CDs, and the other for sensitive material that requires special handling to make sure it’s destroyed. Using separate trash containers maintains the integrity of criminal investigation processes and protects trade secrets and attorney-client privileged communications in a private company. Several commercially bonded firms specialize in disposing of sensitive materials, and you should hire one to help maintain the integrity of your investigations.
POINTS: 1 REFERENCES: Determining the Physical Requirements for a Digital Forensics Lab QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/18/2018 8:18 PM

46. Give a brief explanation of a computer forensics lab auditing process. ANSWER: To make sure security policies and practices are followed, conduct routine inspections to audit your lab and evidence storage containers. Audits should include, but aren’t limited to, the following facility components and practices:
- Inspect the lab’s ceiling, floor, roof, and exterior walls at least once a month, looking for anything unusual or new.
- Inspect doors to make sure they close and lock correctly.
- Check locks to see whether they need to be replaced or changed.
- Review visitor logs to see whether they’re being used properly.
- Review log sheets for evidence containers to determine when they have been opened and closed.
- At the end of every workday, secure any evidence that’s not being processed on a forensic workstation.
POINTS: 1 REFERENCES: Determining the Physical Requirements for a Digital Forensics Lab QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/18/2018 8:20 PM

47. Briefly outline the process of selecting workstations for a police computer investigation lab. ANSWER: For small, local police departments, most work involves Windows PCs, Macintosh systems, and mobile devices. A small police department's digital forensics lab could be limited to one multipurpose forensic workstation with one or two basic workstations or high-end laptops. POINTS: 1 REFERENCES: Selecting a Basic Forensic Workstation QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/18/2018 8:26 PM

48. What peripheral devices should be stocked in your computer forensics lab? ANSWER: In addition to workstations and software, all labs should have a wide assortment of cables and spare expansion slot cards. Consider stocking your forensics lab with the following peripheral devices:
* A digital camera capable of still and motion recording
* Assorted antistatic bags
* An external CD/DVD drive
* 40-pin 18-inch and 36-inch IDE cables, both ATA-33 and ATA-100 or faster
* Ribbon cables for floppy disks
* Extra USB 3.0 or newer cables and SATA cards and associated cables
* Extra SCSI cards, preferably ultra-wide
* Graphics cards, both Peripheral Component Interconnect (PCI) and Accelerated Graphics Port (AGP)
* Assorted FireWire and USB adapters
* A variety of hard drives and USB drives (as many as you can afford and in as wide a variety as possible)
* At least two 2.5-inch adapters from notebook IDE hard drives to standard IDE/ATA drives, SATA drives, and so on
* Computer hand tools, such as Phillips and flathead screwdrivers, a socket wrench, any vendor-specific tools, a small flashlight, and an antistatic wrist strap
POINTS: 1 REFERENCES: Selecting a Basic Forensic Workstation QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/18/2018 8:30 PM

49. Discuss the use of a laptop PC as a forensic workstation. ANSWER: Improvements in hardware technology offer more flexibility in digital forensics. You can now use a laptop system with USB 3.0 or SATA hard disks to create a lightweight, mobile forensic workstation. Improved throughput speeds of data transfer on laptops also make it easier to create images of suspect drives, especially in the field. POINTS: 1 REFERENCES: Selecting a Basic Forensic Workstation QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/18/2018 8:33 PM

50. What are the questions you need to ask when planning the justification step of a business case? ANSWER: Before you can start, you need to justify to the person controlling the budget the reason a lab is needed. This justification step requires asking the following questions:
* What type of digital investigation service is needed for your organization?
* Who are the potential customers for this service, and how will it be budgeted—as an internal operation (police department or company security department, for instance)—or an external operation (a for-profit business venture)?
* How will you advertise your services to customers?
* What time-management techniques will you use?
* Where will the initial and sustaining budget for business operations come from?
POINTS: 1
Chapter 02: The Investigator’s Office and Laboratory REFERENCES: Building a Business Case for Developing a Forensics Lab QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/18/2018 8:35 PM

Copyright Cengage Learning. Powered by Cognero.

Page 14

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 03: Data Acquisition

True / False

1. If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available. a. True b. False ANSWER: False POINTS: 1 REFERENCES: Determining the Best Acquisition Method QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/27/2017 4:42 PM

2. The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Contingency Planning for Image Acquisitions QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/27/2017 4:44 PM

3. Some acquisition tools don’t copy data in the host protected area (HPA) of a disk drive. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Contingency Planning for Image Acquisitions QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/27/2017 4:47 PM

4. FTK Imager requires that you use a device such as a USB dongle for licensing. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Using Acquisition Tools QUESTION TYPE: True / False
HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/27/2017 4:49 PM

5. Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume. a. True b. False ANSWER: False POINTS: 1 REFERENCES: Performing RAID Data Acquisitions QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/27/2017 5:24 PM

6. In Autopsy and many other forensics tools, raw format image files don’t contain metadata. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Validating Data Acquisitions QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/27/2017 6:01 PM DATE MODIFIED: 12/27/2017 6:03 PM

7. Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics. a. True b. False ANSWER: False POINTS: 1 REFERENCES: Validating Data Acquisitions QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/27/2017 6:04 PM DATE MODIFIED: 12/27/2017 6:06 PM

8. A separate manual validation is recommended for all raw acquisitions at the time of analysis. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Validating Data Acquisitions
QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/27/2017 6:12 PM DATE MODIFIED: 12/27/2017 6:13 PM

9. Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Performing RAID Data Acquisitions QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/27/2017 6:17 PM DATE MODIFIED: 12/27/2017 6:18 PM

10. There’s no simple method for getting an image of a RAID server’s disks. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Performing RAID Data Acquisitions QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/27/2017 6:31 PM DATE MODIFIED: 12/27/2017 6:32 PM

Multiple Choice

11. Which type of format acquisition leaves the investigator unable to share an image between different vendors’ computer forensics analysis tools? a. Proprietary b. Raw c. AFF d. AFD ANSWER: a POINTS: 1 REFERENCES: Understanding Storage Formats for Digital Evidence QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 1:15 PM

12. What type of acquisition is typically done on a computer seized during a police raid? a. Live b. Online
c. Real-time d. Static ANSWER: d POINTS: 1 REFERENCES: Determining the Best Acquisition Method QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:40 PM

13. What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available? a. Passive b. Static c. Live d. Local ANSWER: c POINTS: 1 REFERENCES: Determining the Best Acquisition Method QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 1:16 PM

14. What is the most common and flexible data-acquisition method? a. Disk-to-disk copy b. Disk-to-network copy c. Disk-to-image file copy d. Sparse data copy ANSWER: c POINTS: 1 REFERENCES: Determining the Best Acquisition Method QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:42 PM

15. If your time is limited, what type of acquisition data copy method should you consider? a. Lossless b. Disk-to-disk c. Sparse d. Disk-to-image ANSWER: c POINTS: 1 REFERENCES: Determining the Best Acquisition Method QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:43 PM

16. By what percentage can lossless compression reduce image file size?
a. 15% b. 25% c. 30% d. 50% ANSWER: d POINTS: 1 REFERENCES: Determining the Best Acquisition Method QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:46 PM

17. What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult? a. Whole disk encryption b. Backup utilities c. Recovery wizards d. NTFS ANSWER: a POINTS: 1 REFERENCES: Contingency Planning for Image Acquisitions QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:48 PM

18. What term refers to Linux ISO images that can be burned to a CD or DVD? a. ISO CDs b. Linux Live CDs c. Forensic Linux d. Linux in a Box ANSWER: b POINTS: 1 REFERENCES: Using Acquisition Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:49 PM

19. What command displays pages from the online help manual for information on Linux commands and their options? a. cmd b. hlp c. inst d. man ANSWER: d POINTS: 1 REFERENCES: Using Acquisition Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/8/2018 11:42 AM

20. What command creates a raw format file that most computer forensics analysis tools can read? a. fdisk b. dd c. man d. raw ANSWER: b POINTS: 1 REFERENCES: Using Acquisition Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/8/2018 12:44 PM

21. What command works similarly to the dd command but has many features designed for computer forensics acquisitions? a. raw b. bitcopy c. dcfldd d. man ANSWER: c POINTS: 1 REFERENCES: Using Acquisition Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:53 PM

22. In addition to md5sum, which hashing algorithm utility is included with current distributions of Linux? a. sha386sum b. md1deep c. SHAKE d. sha1sum ANSWER: d POINTS: 1 REFERENCES: Validating Data Acquisitions QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:02 PM

23. What option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512? a. md5sum b. hashlog c. checksum d. hash ANSWER: d POINTS: 1 REFERENCES: Validating Data Acquisitions QUESTION TYPE: Multiple Choice HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:55 PM

24. What does Autopsy use to validate an image? a. RC4 b. MD5 c. AFF d. AFD ANSWER: b POINTS: 1 REFERENCES: Validating Data Acquisitions QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 12:56 PM

25. What older Microsoft disk compression tool eliminates only slack disk space between files? a. PKZip b. DriveSpace c. WinRAR d. WinZip ANSWER: b POINTS: 1 REFERENCES: Determining the Best Acquisition Method QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/27/2017 5:36 PM DATE MODIFIED: 5/7/2018 1:19 PM

26. In addition to RAID 0, what type of RAID configuration is available for Windows XP, 2000, and NT servers and workstations? a. RAID 1 b. RAID 4 c. RAID 2 d. RAID 5 ANSWER: a POINTS: 1 REFERENCES: Performing RAID Data Acquisitions QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/27/2017 6:21 PM DATE MODIFIED: 5/7/2018 1:02 PM

27. In which RAID configuration do two or more disk drives become one large volume, so the computer views the disks as a single disk? a. RAID 0 b. RAID 1 c. RAID 5 d. RAID 6 ANSWER: a POINTS: 1
REFERENCES: Performing RAID Data Acquisitions QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/27/2017 6:24 PM DATE MODIFIED: 5/7/2018 1:03 PM

28. Which RAID configuration, also called mirrored striping, is a combination of RAID 1 and RAID 0? a. RAID 0 b. RAID 6 c. RAID 5 d. RAID 10 ANSWER: d POINTS: 1 REFERENCES: Performing RAID Data Acquisitions QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/27/2017 6:27 PM DATE MODIFIED: 5/7/2018 1:54 PM

29. Which RAID configuration offers the greatest access speed and most robust data recovery capability? a. RAID 0 b. RAID 10 c. RAID 15 d. RAID 16 ANSWER: c POINTS: 1 REFERENCES: Performing RAID Data Acquisitions QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/27/2017 6:30 PM DATE MODIFIED: 6/4/2018 3:23 PM

30. What type of acquisition is used for most remote acquisitions? a. Static b. Live c. Sparse d. Hot ANSWER: b POINTS: 1 REFERENCES: Using Remote Network Acquisition Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/27/2017 6:33 PM DATE MODIFIED: 5/7/2018 1:07 PM

Matching

Match each item with a statement below a. F-Response
b. WinZip c. ImageUSB d. AFF e. IXImager f. fdisk -l g. Lossy compression h. PDServer i. Guidance Software j. RAID REFERENCES: Determining the Best Acquisition Method Performing RAID Data Acquisitions Understanding Storage Formats for Digital Evidence Using Acquisition Tools Using Remote Network Acquisition Tools QUESTION TYPE: Matching HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/28/2017 5:10 PM

31. Shows the known drives connected to your computer ANSWER: f POINTS: 1

32. The first forensics vendor to develop a remote acquisition and analysis tool ANSWER: i POINTS: 1

33. Vendor-neutral specialty remote access utility designed to work with any digital forensics program ANSWER: a POINTS: 1

34. Open source data acquisition format ANSWER: d POINTS: 1

35. Used with .jpeg files to reduce file size and doesn’t affect image quality when the file is restored and viewed ANSWER: g POINTS: 1

36. ILookIX acquisition tool ANSWER: e POINTS: 1

37. PassMark Software acquisition tool for its OSForensics analysis product ANSWER: c
POINTS: 1

38. ProDiscover utility for remote access ANSWER: h POINTS: 1

39. Example of a lossless compression tool ANSWER: b POINTS: 1

40. A computer configuration involving two or more physical disks ANSWER: j POINTS: 1

Subjective Short Answer

41. What are the advantages and disadvantages of using raw data acquisition format? ANSWER: The advantages of the raw format are fast data transfers and the capability to ignore minor data read errors on the source drive. In addition, most forensics tools can read the raw format, making it a universal acquisition format for most tools. One disadvantage of the raw format is that it requires as much storage space as the original disk or data set. Another disadvantage is that some raw format tools, typically freeware versions, might not collect marginal (bad) sectors on the source drive, meaning they have a low threshold of retry reads on weak media spots on a drive. Many commercial tools have a much higher threshold of retry reads to ensure that all data is collected. POINTS: 1 REFERENCES: Understanding Storage Formats for Digital Evidence QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/27/2017 6:59 PM

42. What are some of the features offered by proprietary data acquisition formats? ANSWER: Most commercial computer forensics tools have their own formats for collecting digital evidence. Proprietary formats typically offer several features that complement the vendor’s analysis tool, such as the following:
* The option to compress or not compress image files of a suspect drive, thus saving space on the target drive
* The capability to split an image into smaller segmented files for archiving purposes, such as to CDs or DVDs, with data integrity checks integrated into each segment
* The capability to integrate metadata into the image file, such as date and time of the acquisition, hash value (for self-authentication) of the original disk or medium, investigator or examiner name, and comments or case details.
POINTS: 1 REFERENCES: Understanding Storage Formats for Digital Evidence QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/1/2017 12:57 PM

43. What are some of the design goals of AFF? ANSWER: Dr. Simson L. Garfinkel developed an open-source acquisition format called Advanced Forensic Format (AFF). This format has the following design goals:
• Capable of producing compressed or uncompressed image files
• No size restriction for disk-to-image files
• Space in the image file or segmented files for metadata
• Simple design with extensibility
• Open source for multiple computing platforms and OSs
• Internal consistency checks for self-authentication
POINTS: 1 REFERENCES: Understanding Storage Formats for Digital Evidence QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/27/2017 7:02 PM

44. Explain the sparse data copy method for acquiring digital evidence. ANSWER: Collecting evidence from a large drive can take several hours. If your time is limited, consider using a logical acquisition or sparse acquisition data copy method. A logical acquisition captures only specific files of interest to the case or specific types of files. A sparse acquisition is similar but also collects fragments of unallocated (deleted) data; use this method only when you don’t need to examine the entire drive. An example of a logical acquisition is an e-mail investigation that requires collecting only Outlook .pst or .ost files. Another example is collecting only specific records from a large RAID server. If you have to recover data from a RAID or storage area network (SAN) server with several exabytes (EB) or more of data storage, the logical method might be the only way you can acquire the evidence. POINTS: 1 REFERENCES: Determining the Best Acquisition Method QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/27/2017 7:07 PM

45. What are the considerations you should have when deciding what data-acquisition method to use on your investigation? ANSWER: To determine which acquisition method to use for an investigation, consider the size of the source (suspect) disk, whether you can retain the source disk as evidence or must return it to the owner, how much time you have to perform the acquisition, and where the evidence is
Chapter 03: Data Acquisition located. POINTS: 1 REFERENCES: Determining the Best Acquisition Method QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/27/2017 7:10 PM 46. Explain the use of hash algorithms to verify the integrity of lossless compressed data. ANSWER: An easy way to test lossless compression is to perform an MD5 or SHA-1 hash on a file before and after it’s compressed. If the compression is done correctly, both versions have the same hash value. If the hashes don’t match, that means something corrupted the compressed file, such as a hardware or software error. As an added precaution, perform two separate hashes with different algorithms, such as MD5 and SHA-1. This step isn’t mandatory; however, it’s a good way to establish that nothing has changed during data processing. POINTS: 1 REFERENCES: Determining the Best Acquisition Method QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/27/2017 7:09 PM 47. What are the advantages and disadvantages of using Windows acquisition tools? ANSWER: Many forensics software vendors have developed acquisition tools that run in Windows. These tools make acquiring evidence from a suspect drive more convenient, especially when you use them with hot-swappable devices, such as USB-3, FireWire 1394A and 1394B, or SATA, to connect disks to your workstation. Using acquisition tools with current OSs, such as Windows and Linux, has some drawbacks, however. Because Windows and Linux can easily contaminate an evidence drive when it’s mounted, you must protect it with a well-tested write-blocking hardware device. The automatic mounting process updates boot files by changing metadata, such as the most recent access time. In addition, some countries haven’t yet accepted the use of write-blocking devices for data acquisitions. 
Check with your legal counsel for evidence standards in your community or country. POINTS: 1 REFERENCES: Using Acquisition Tools QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/27/2017 7:48 PM 48. What are some of the main characteristics of Linux ISO images designed for computer forensics? Copyright Cengage Learning. Powered by Cognero.

Page 12

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 03: Data Acquisition ANSWER:

A few Linux ISO images are designed specifically for digital forensics, however. These images contain additional utilities that aren’t typically installed in normal Linux distributions. They’re also configured not to mount, or to mount as read-only, any connected storage media, such as USB drives. This feature protects the media’s integrity for the purpose of acquiring and analyzing data. To access media, you have to give specific instructions to the Live CD boot session through a GUI utility or a shell command prompt. Mounting drives from a shell gives you more control over them. See the man page for the mount command (by typing man mount at the shell prompt) to learn what options are available for your Linux distribution. POINTS: 1 REFERENCES: Using Acquisition Tools QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/27/2017 7:50 PM 49. What are the requirements for acquiring data on a suspect computer using Linux? ANSWER: A unique feature of a forensics Linux Live CD is that it can mount and read most drives. To perform a data acquisition on a suspect computer, all you need are the following: * A forensics Linux Live CD * A USB, FireWire, or SATA external drive with cables * Knowledge of how to alter the suspect computer’s BIOS to boot from the Linux Live CD * Knowledge of which shell commands to use for the data acquisition POINTS: 1 REFERENCES: Using Acquisition Tools QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/27/2017 7:52 PM 50. Briefly describe ILookIX IXImager. ANSWER: IXImager runs from a bootable thumb drive or CD/DVD. It’s a stand-alone proprietary format acquisition tool designed to work only with ILookIX. It can acquire single drives and RAID drives. It supports IDE (PATA), SCSI, USB, and FireWire devices. 
The IXImager proprietary format can be converted to a raw format if other analysis tools are used. For more information on IXImager, see www.perlustro.com/solutions/eforensics/iximager. POINTS: 1 REFERENCES: Using Other Forensics Acquisition Tools QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/27/2017 7:54 PM DATE MODIFIED: 12/27/2017 7:55 PM Copyright Cengage Learning. Powered by Cognero.
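The features listed for proprietary formats and AFF above (questions 42 and 43), the hash-based check of lossless compression (question 46) and the dd-style imaging a Linux Live CD session ends up doing (question 49) fit together in one small script. The following Python code is an added example written for this page; it is not code from the textbook, from AFF or from any vendor's imager, and its on-disk layout (image.NNN segments plus an acquisition.json sidecar) is invented for the example. The sample "suspect drive" is a byte pattern written to a temporary file, the examiner name is a placeholder, and the unreadable sector is simulated by skipping a chosen offset rather than coming from a real device.

```python
import datetime
import hashlib
import json
import os
import tempfile
import zlib

BLOCK = 512  # assumed read granularity: one 512-byte sector per read


def _read_blocks(fh, bad_offsets):
    """Yield (offset, data, was_error). Offsets in bad_offsets simulate unreadable
    sectors: like dd conv=noerror,sync, the block is zero-filled and imaging goes on."""
    offset = 0
    while True:
        bad = offset in bad_offsets
        chunk = bytes(BLOCK) if bad else fh.read(BLOCK)
        if bad:
            fh.seek(offset + BLOCK)
        elif not chunk:
            return
        yield offset, chunk, bad
        offset += len(chunk)


def acquire(source, out_dir, segment_size, examiner, compress=True, bad_offsets=()):
    """Image `source` into out_dir/image.NNN segments plus an acquisition.json sidecar.
    Hashes cover the raw image bytes, so they compare directly with the original medium."""
    os.makedirs(out_dir, exist_ok=True)
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    segments, errors, buf = [], [], bytearray()

    def store(data):  # one segment: hash the raw bytes, then store them (compressed or not)
        name = "image.%03d" % len(segments)
        with open(os.path.join(out_dir, name), "wb") as out:
            out.write(zlib.compress(data, 9) if compress else data)
        segments.append({"file": name, "raw_size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest()})

    with open(source, "rb") as fh:
        for offset, chunk, was_error in _read_blocks(fh, set(bad_offsets)):
            if was_error:
                errors.append(offset)
            md5.update(chunk)
            sha256.update(chunk)
            buf.extend(chunk)
            while len(buf) >= segment_size:  # cut exactly segment_size bytes per file
                store(bytes(buf[:segment_size]))
                del buf[:segment_size]
    if buf:
        store(bytes(buf))
    meta = {"source": source, "examiner": examiner, "compressed": compress,
            "acquired_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "image_md5": md5.hexdigest(), "image_sha256": sha256.hexdigest(),
            "read_errors_at": errors, "segments": segments}
    with open(os.path.join(out_dir, "acquisition.json"), "w") as fh:
        json.dump(meta, fh, indent=2)
    return meta


def verify(out_dir):
    """Re-read, decompress and re-hash each segment, then the whole image.
    Returns (ok, problems); a damaged segment is named individually."""
    with open(os.path.join(out_dir, "acquisition.json")) as fh:
        meta = json.load(fh)
    md5, sha256, problems = hashlib.md5(), hashlib.sha256(), []
    for seg in meta["segments"]:
        with open(os.path.join(out_dir, seg["file"]), "rb") as fh:
            payload = fh.read()
        try:
            data = zlib.decompress(payload) if meta["compressed"] else payload
        except zlib.error as exc:
            problems.append("%s: decompression failed (%s)" % (seg["file"], exc))
            continue
        if hashlib.sha256(data).hexdigest() != seg["sha256"]:
            problems.append("%s: segment hash mismatch" % seg["file"])
        md5.update(data)
        sha256.update(data)
    for algo, h, want in (("MD5", md5, meta["image_md5"]), ("SHA-256", sha256, meta["image_sha256"])):
        if h.hexdigest() != want:
            problems.append("image %s mismatch" % algo)
    return not problems, problems


def run_demo():
    """Constructed scenario: a 10 KiB byte pattern stands in for the suspect drive;
    then one stored segment is damaged, and one sector is made unreadable."""
    work, pattern = tempfile.mkdtemp(), bytes(range(256)) * 40
    source = os.path.join(work, "suspect.bin")
    with open(source, "wb") as fh:
        fh.write(pattern)
    before = hashlib.sha256(pattern).hexdigest()  # hash of the medium before imaging
    meta = acquire(source, os.path.join(work, "img"), 4096, "examiner (placeholder)")
    clean_ok, _ = verify(os.path.join(work, "img"))
    seg1 = os.open(os.path.join(work, "img", "image.001"), os.O_RDWR)
    os.pwrite(seg1, bytes([os.pread(seg1, 1, 5)[0] ^ 0xFF]), 5)  # flip one stored byte
    os.close(seg1)
    damaged_ok, problems = verify(os.path.join(work, "img"))
    bad = acquire(source, os.path.join(work, "img2"), 4096, "examiner (placeholder)", bad_offsets={512})
    return {"segments": len(meta["segments"]), "last_segment_raw": meta["segments"][-1]["raw_size"],
            "image_matches_source": meta["image_sha256"] == before, "clean_verifies": clean_ok,
            "damaged_verifies": damaged_ok, "damaged_problems": problems,
            "read_errors": bad["read_errors_at"], "bad_image_matches_source": bad["image_sha256"] == before}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script prints the demo results: the hash taken of the medium before imaging matches the hash of the decompressed image, a single flipped byte in a stored segment is reported against that segment by name before the whole-image MD5 and SHA-256 fail, and an unreadable sector shows up both as a zero-filled block and as an offset in read_errors_at. That last point is why the image of a drive with bad sectors never hashes the same as the drive itself, and why the error list belongs in the acquisition report next to the hashes.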

Chapter 04: Processing Crime and Incident Scenes

True / False

1. ISPs can investigate computer abuse committed by their customers. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: Collecting Evidence in Private-Sector Incident Scenes QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/1/2017 12:57 PM

2. If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Collecting Evidence in Private-Sector Incident Scenes QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 2/2/2018 12:17 PM

3. A judge can exclude evidence obtained from a poorly worded warrant. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Processing Law Enforcement Crime Scenes QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/1/2017 12:57 PM

4. The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Securing a Digital Incident or Crime Scene

QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/1/2017 12:57 PM

5. Corporate investigators always have the authority to seize all computer equipment during a corporate investigation. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: Seizing Digital Evidence at the Scene QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/4/2018 5:26 PM

6. The most common computer-related crime is check fraud. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Reviewing a Case QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 1/1/2018 2:43 PM DATE MODIFIED: 6/4/2018 3:49 PM

7. Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which always get funding from the government or other agencies. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: Collecting Evidence in Private-Sector Incident Scenes QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 1/1/2018 2:52 PM DATE MODIFIED: 1/1/2018 2:53 PM

8. Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene. a. True b. False

ANSWER: True
POINTS: 1 REFERENCES: Preparing for a Search QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 1/1/2018 2:55 PM DATE MODIFIED: 1/1/2018 2:58 PM

9. If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Collecting Evidence in Private-Sector Incident Scenes QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 1/1/2018 4:15 PM DATE MODIFIED: 1/1/2018 4:17 PM

10. When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant, which allows the police to present all evidence together. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: Processing Law Enforcement Crime Scenes QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 1/1/2018 4:18 PM DATE MODIFIED: 6/4/2018 3:27 PM

Multiple Choice

11. When federal courts are evaluating digital evidence from computer-generated records, what exception is applied to hearsay? a. Digital-records authenticity exception b. Computer-generated records exception c. Business-records exception d. Best-evidence rule exception
ANSWER: c
POINTS: 1 REFERENCES: Identifying Digital Evidence QUESTION TYPE: Multiple Choice HAS VARIABLES: False

DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/8/2018 2:22 PM

12. Under what circumstances are digital records considered admissible? a. They are hearsay records b. They are business records c. They are computer-generated records d. They are computer-stored records
ANSWER: b
POINTS: 1 REFERENCES: Identifying Digital Evidence QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 6/4/2018 3:29 PM

13. What type of records are considered data that the system maintains, such as system log files and proxy server logs? a. Computer-generated b. Business c. Computer-stored d. Hearsay
ANSWER: a
POINTS: 1 REFERENCES: Identifying Digital Evidence QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/8/2018 11:43 AM

14. When was the Freedom of Information Act originally enacted? a. 1940s b. 1950s c. 1960s d. 1970s
ANSWER: c
POINTS: 1 REFERENCES: Collecting Evidence in Private-Sector Incident Scenes QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 1:35 PM

15. Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes? a. Investigating and controlling the scene is much easier in private sector environments. b. Investigating and controlling the scene is equally easy in both environments. c. Investigating and controlling the scene is equally difficult in both environments. d. Investigating and controlling the scene is more difficult in private sector environments.
ANSWER: a

POINTS: 1 REFERENCES: Collecting Evidence in Private-Sector Incident Scenes QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 6/4/2018 3:32 PM

16. At a minimum, what do most company policies require that employers have in order to initiate an investigation? a. Confirmed suspicion that a law or policy is being violated. b. Proof that a law or policy is being violated. c. Court order stating that a law or policy is being violated. d. Reasonable suspicion that a law or policy is being violated.
ANSWER: d
POINTS: 1 REFERENCES: Collecting Evidence in Private-Sector Incident Scenes QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 1:42 PM

17. When confidential business data are included with the criminal evidence, what are they referred to as? a. Commingled data b. Exposed data c. Public data d. Revealed data
ANSWER: a
POINTS: 1 REFERENCES: Collecting Evidence in Private-Sector Incident Scenes QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 6/4/2018 3:34 PM

18. What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest? a. Reasonable cause b. Probable cause c. Reasonable suspicion d. Burden of proof
ANSWER: b
POINTS: 1 REFERENCES: Processing Law Enforcement Crime Scenes QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:41 PM

19. What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab? a. An evidence custody form b. A FOIA form c. An affidavit d. A warrant
ANSWER: d
POINTS: 1 REFERENCES: Preparing for a Search QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 6/4/2018 3:34 PM

20. In addition to environmental issues, what issues are the investigator's primary concerns when working at the scene to gather information about an incident or a crime? a. Legal b. Safety c. Corporate d. Interpersonal
ANSWER: b
POINTS: 1 REFERENCES: Preparing for a Search QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:33 PM

21. When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action? a. 80 degrees or higher b. 90 degrees or higher c. 95 degrees or higher d. 105 degrees or higher
ANSWER: a
POINTS: 1 REFERENCES: Preparing for a Search QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 6/4/2018 3:37 PM

22. What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible? a. A bit-stream copy utility b. An extensive-response field kit c. An initial-response field kit d. A seizing order
ANSWER: c
POINTS: 1 REFERENCES: Preparing for a Search

QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 1:50 PM

23. Which type of kit should include all the tools the investigator can afford to take to the field? a. An initial-response field kit b. An extensive-response field kit c. A forensic lab kit d. A forensic workstation kit
ANSWER: b
POINTS: 1 REFERENCES: Preparing for a Search QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 1:52 PM

24. What type of evidence do courts consider evidence data in a computer to be? a. Physical b. Invalid c. Virtual d. Logical
ANSWER: a
POINTS: 1 REFERENCES: Identifying Digital Evidence QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 6/5/2018 1:32 PM

25. The presence of police officers and other professionals who aren't part of the crime scene-processing team may result in the loss or corruption of data through which process? a. Deliberate destruction b. Police malfeasance c. Data drift d. Professional curiosity
ANSWER: d
POINTS: 1 REFERENCES: Securing a Digital Incident or Crime Scene QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 1:56 PM

26. When seizing computer evidence in criminal investigations, which organization's standards should be followed? a. Department of Homeland Security b. NSA c. U.S. DOJ d. U.S. DoD
ANSWER: c

POINTS: 1 REFERENCES: Seizing Digital Evidence at the Scene QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 6/4/2018 3:46 PM

27. Power should not be cut during an investigation involving a live computer, unless it is what type of system? a. A Linux or FreeBSD system b. An older Windows or MS-DOS system c. An Android or iOS system d. A macOS or SkyOS system
ANSWER: b
POINTS: 1 REFERENCES: Seizing Digital Evidence at the Scene QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 6/5/2018 4:43 PM

28. What type of files might lose essential network activity records if power is terminated without a proper shutdown? a. Password logs b. Word logs c. Io.sys files d. Event logs
ANSWER: d
POINTS: 1 REFERENCES: Seizing Digital Evidence at the Scene QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:03 PM

29. Which technique can be used for extracting evidence from large systems? a. RAID copy b. RAID imaging c. Large evidence file recovery d. Sparse acquisition
ANSWER: d
POINTS: 1 REFERENCES: Seizing Digital Evidence at the Scene QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:04 PM

30. What is required for real-time surveillance of a suspect's computer activity? a. Poisoning data transmissions between a suspect's computer and a network server. b. Sniffing data transmissions between a suspect's computer and a network server.

c. Blocking data transmissions between a suspect's computer and a network server. d. Preventing data transmissions between a suspect's computer and a network server.
ANSWER: b
POINTS: 1 REFERENCES: Reviewing a Case QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:06 PM

Matching

Match each item with a statement below.
a. Innocent information
b. AFIS
c. EnCase Enterprise Edition
d. FOIA
e. SWGDE
f. Low-level investigations
g. Hearsay
h. Spector
i. HAZMAT
j. PATRIOT Act
REFERENCES: Collecting Evidence in Private-Sector Incident Scenes; Identifying Digital Evidence; Processing Law Enforcement Crime Scenes; Reviewing a Case; Securing a Digital Incident or Crime Scene QUESTION TYPE: Matching HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/1/2018 4:08 PM

31. covert surveillance product
ANSWER: c POINTS: 1

32. you should rely on this when dealing with a terrorist attack
ANSWER: i POINTS: 1

33. a statement made while testifying at a hearing by someone other than an actual witness to the event
ANSWER: g POINTS: 1

34. what most cases in the private sector environment are considered
ANSWER: f POINTS: 1

35. agencies must comply with these laws and make documents they find and create available as public records
ANSWER: d POINTS: 1

36. sets standards for recovering, preserving, and examining digital evidence
ANSWER: e POINTS: 1

37. fingerprints can be tested with these systems
ANSWER: b POINTS: 1

38. information unrelated to a computing investigation case
ANSWER: a POINTS: 1

39. a data-collecting tool
ANSWER: h POINTS: 1

40. in 2001 redefined how ISPs and large organizations operate and maintain their records
ANSWER: j POINTS: 1

Subjective Short Answer

41. Why should companies publish a policy stating their right to inspect computing assets at will?
ANSWER: If a company doesn't display a warning banner or publish a policy stating that it reserves the right to inspect computing assets at will, employees have an expectation of privacy. When an employee is being investigated, this expected privacy prevents the employer from legally conducting an intrusive investigation. A well-defined company policy, therefore, should state that an employer has the right to examine, inspect, or access any company-owned computing assets. If a company issues a policy statement to all employees, the employer can investigate digital assets at will without any privacy right restrictions; this practice might violate the privacy laws of countries in the EU, for example. As a standard practice, companies should use both warning banners and policy statements. For example, if an incident is escalated to a criminal complaint, prosecutors prefer showing juries warning banners instead of policy manuals. A warning banner leaves a much stronger impression on a jury.
POINTS: 1 REFERENCES: Collecting Evidence in Private-Sector Incident Scenes QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False

STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/1/2018 3:04 PM

42. Illustrate with an example the problems caused by commingled data.
ANSWER: Suppose that during an examination, you find adult and child pornography. Further examination of the subject's hard disk reveals that the employee has been collecting child pornography in separate folders on his workstation's hard drive. In the United States, possessing child pornography is a crime under federal and state criminal statutes. These situations aren't uncommon and make life difficult for investigators who don't want to be guilty of possession of this contraband on their forensic workstations. You survey the remaining content of the subject's drive and find that he's a lead engineer for the team developing your company's latest high-tech bicycle. He has placed the child pornography images in a subfolder where the bicycle plans are stored. By doing so, he has commingled contraband with the company's confidential design plans for the bicycle. Your discovery poses two problems in dealing with this contraband evidence. First, you must report the crime to the police; all U.S. states and most countries have legal and moral codes when evidence of sexual exploitation of children is found. Second, you must also protect sensitive company information. Letting the high-tech bicycle information become part of the criminal evidence might make it public record, and the design work will then be available to competitors. Your first step is to ask your organization's attorney how to deal with the commingled contraband data and sensitive design plans.
POINTS: 1 REFERENCES: Collecting Evidence in Private-Sector Incident Scenes QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/1/2018 3:11 PM

43. Briefly describe the process of obtaining a search warrant.
ANSWER: With probable cause, a police officer can obtain a search warrant from a judge that authorizes a search and seizure of specific evidence related to the criminal complaint. The Fourth Amendment states that only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued.
POINTS: 1 REFERENCES: Processing Law Enforcement Crime Scenes QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/1/2018 3:13 PM

44. What is the plain view doctrine?
ANSWER: When approaching or investigating a crime scene, you might find evidence related to the crime but not in the location the warrant specifies. You might also find evidence of another unrelated crime. In these situations, this evidence is subject to the plain view doctrine. The plain view doctrine states that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence. For the plain view doctrine to apply, three criteria must be met:
• The officer is where he or she has a legal right to be.
• Ordinary senses must not be enhanced by advanced technology in any way, such as with binoculars.
• Any discovery must be by chance.
POINTS: 1 REFERENCES: Processing Law Enforcement Crime Scenes QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/1/2018 3:16 PM

45. How can you determine who is in charge of an investigation?
ANSWER: Private-sector investigations usually require only one person to respond to an incident or crime scene. Processing evidence usually involves acquiring an image of a suspect's drive. In law enforcement, however, many investigations need additional staff to collect all evidence quickly. For large-scale investigations, a crime or incident scene leader should be designated. Anyone assigned to a large-scale investigation scene should cooperate with the designated leader to ensure that the team addresses all details when collecting evidence.
POINTS: 1 REFERENCES: Preparing for a Search QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/1/2018 3:19 PM

46. Describe the process of preparing an investigation team.
ANSWER: Before you initiate the search and seizure of digital evidence at incident or crime scenes, you must review all the available facts, plans, and objectives with the investigation team you have assembled. The goal of scene processing is to collect and secure digital evidence successfully. The better prepared you are, the fewer problems you encounter when you carry out the plan to collect data. Keep in mind that digital evidence is volatile. Develop the skills to assess the facts quickly, make your plan, gather the needed resources, and collect data from the incident or crime scene. In some digital investigations, responding slowly might result in the loss of important evidence for the case.
POINTS: 1 REFERENCES: Preparing for a Search QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False

STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/1/2018 3:22 PM

47. How can you secure a computer incident or crime scene?
ANSWER: Investigators secure an incident or crime scene to preserve the evidence and to keep information about the incident or crime confidential. Information made public could jeopardize the investigation. If you're in charge of securing a digital incident or crime scene, use barrier tape to prevent bystanders from entering the scene accidentally, and ask police officers or security guards to prevent others from entering the scene or taking photos and videos with smartphones and other digital devices. Legal authority for an incident scene includes trespassing violations; for a crime scene, it includes obstructing justice or failing to comply with a police officer. Access to the scene should be restricted to only those people who have a specific reason to be there. The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location. In this way, you avoid overlooking an area that might be part of the scene. Shrinking the scene's perimeter is easier than expanding it.
POINTS: 1 REFERENCES: Securing a Digital Incident or Crime Scene QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/1/2018 3:27 PM

48. Give some guidelines on how to video record a computer incident or crime scene.
ANSWER: Take video and still recordings of the area around the computer or digital device. Start by recording the overall scene, and then record details with close-up shots, including the back of all computers. Before recording the back of each computer, place numbered or lettered labels on each cable to help identify which cable is connected to which plug, in case you need to reassemble components at the lab. Make sure you take close-ups of all cable connections, including keyloggers (devices used to log keystrokes) and dongle devices used with software as part of the licensing agreement. Record the area around the computer, including the floor and ceiling, and all access points to the computer, such as doors and windows. Be sure to look under any tables or desks for anything taped to the underside of a table or desk drawer or on the floor out of view. If the area has ceiling panels (false ceiling tiles), remove them and record that area, too. Slowly pan or zoom the camera to prevent blurring in the video image, and maintain a camera log for all shots you take.
POINTS: 1 REFERENCES: Seizing Digital Evidence at the Scene QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/1/2018 3:32 PM

49. Describe how to use a journal when processing a major incident or crime scene.
ANSWER: Keep a journal to document your activities. Include the date and time you arrive on the scene, the people you encounter, and notes on every important task you perform. Update the journal as you process the scene. With mobile devices, you can easily record a log of what you're doing; just be sure to check who has access to your mobile device.
POINTS: 1 REFERENCES: Seizing Digital Evidence at the Scene QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/1/2018 3:34 PM

50. What should you do when working on an Internet investigation and the suspect's computer is on?
ANSWER: If you're working on a network or Internet investigation and the computer is on, save data in any current applications as safely as possible and record all active windows or shell sessions. Don't examine folders or network connections or press any keys unless it's necessary. For systems that are powered on and running, photograph the screens. If windows are open but minimized, expanding them so that you can photograph them is safe. As a precaution, write down the contents of each window.
POINTS: 1 REFERENCES: Seizing Digital Evidence at the Scene QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/1/2018 3:36 PM

Chapter 05: Working with Windows and CLI Systems

True / False

1. The type of file system an OS uses determines how data is stored on the disk. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Understanding File Systems QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/1/2017 12:57 PM

2. One way to examine a partition's physical level is to use a disk editor, such as WinHex or Hex Workshop. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Exploring Microsoft File Structures QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/25/2018 6:03 PM

3. As data is added, the MFT can expand to take up 75% of the NTFS disk. a. True b. False
ANSWER: False (NTFS reserves about 12.5% of the volume for the MFT by default)
POINTS: 1 REFERENCES: Examining NTFS Disks QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 12/1/2017 12:57 PM

4. The first 5 bytes (characters) for all MFT records are FILE. a. True b. False
ANSWER: False (the record signature is the 4-byte string FILE)
POINTS: 1 REFERENCES: Examining NTFS Disks QUESTION TYPE: True / False HAS VARIABLES: False

DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 2/2/2018 5:44 PM

5. Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Examining NTFS Disks QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/25/2018 6:16 PM

6. Typically, a virtual machine consists of just one file.
a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: Understanding Virtual Machines QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 1/25/2018 7:24 PM DATE MODIFIED: 1/25/2018 7:28 PM

7. From a network forensics standpoint, there are no potential issues related to using virtual machines.
a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: Understanding Virtual Machines QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 1/25/2018 7:30 PM DATE MODIFIED: 1/25/2018 7:32 PM

8. In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Exploring Microsoft File Structures

QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 1/25/2018 8:29 PM DATE MODIFIED: 1/25/2018 8:31 PM

9. Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Exploring Microsoft File Structures QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 1/25/2018 8:34 PM DATE MODIFIED: 1/25/2018 8:44 PM

10. It’s possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Exploring Microsoft File Structures QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 1/25/2018 8:39 PM DATE MODIFIED: 1/25/2018 8:46 PM

Multiple Choice

11. What term refers to a column of tracks on two or more disk platters?
a. Cylinder b. Sector c. Track d. Head
ANSWER: a
POINTS: 1 REFERENCES: Understanding File Systems QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:32 PM

12. How do most manufacturers deal with a platter’s inner tracks having a smaller circumference than its outer tracks?
a. Head skew b. Cylinder skew c. ZBR d. Areal density

ANSWER: c
POINTS: 1 REFERENCES: Understanding File Systems QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:32 PM

13. What term refers to the number of bits in one square inch of a disk platter?
a. Head skew b. Areal density c. Cylinder skew d. ZBR
ANSWER: b
POINTS: 1 REFERENCES: Understanding File Systems QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:17 PM

14. Which acronym refers to the file structure database that Microsoft originally designed for floppy disks?
a. NTFS b. FAT32 c. VFAT d. FAT
ANSWER: d
POINTS: 1 REFERENCES: Exploring Microsoft File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:32 PM

15. Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?
a. FAT32 b. VFAT c. NTFS d. HPFS
ANSWER: c
POINTS: 1 REFERENCES: Examining NTFS Disks QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:20 PM

16. What is on an NTFS disk immediately after the Partition Boot Sector?

a. FAT b. HPFS c. MBR d. MFT
ANSWER: d
POINTS: 1 REFERENCES: Examining NTFS Disks QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:32 PM

17. What are records in the MFT called?
a. Hyperdata b. Metadata c. Inodedata d. Infodata
ANSWER: b
POINTS: 1 REFERENCES: Examining NTFS Disks QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:22 PM

18. In the NTFS MFT, all files and folders are stored in separate records of how many bytes each?
a. 1024 b. 1512 c. 2048 d. 2512
ANSWER: a
POINTS: 1 REFERENCES: Examining NTFS Disks QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:57 PM

19. The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition. What are these cluster addresses called?
a. Virtual runs b. Metadata c. Metaruns d. Data runs
ANSWER: d
POINTS: 1 REFERENCES: Examining NTFS Disks QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:27 PM
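Questions 16 through 19 (and question 4 on the FILE signature) describe the MFT record and its data runs without showing how a data run is actually encoded. The following is an added example, not code from the textbook or its test bank: it checks the 4-byte FILE magic of a 1024-byte record and decodes an NTFS runlist into (LCN, length) extents, including a backwards jump and a sparse run. The record header and runlist bytes at the bottom are constructed for the example; the cluster and sector sizes passed to lcn_to_byte_offset are assumed values.

```python
"""Decode an NTFS runlist ("data runs") from a nonresident MFT attribute.

Added example for the test-bank questions above; not code from the textbook.
The record header and runlist bytes at the bottom are constructed.
"""

MFT_RECORD_SIZE = 1024      # every file or folder gets a 1024-byte record
MFT_SIGNATURE = b"FILE"     # 4-byte magic at offset 0 (damaged records show BAAD)


def has_file_signature(record: bytes) -> bool:
    """True when a 1024-byte record carries the 'FILE' magic in its first 4 bytes."""
    return len(record) == MFT_RECORD_SIZE and record[:4] == MFT_SIGNATURE


def parse_data_runs(runlist: bytes) -> list:
    """Return [(lcn, length), ...]; lcn is None for a sparse run.

    Each run begins with a header byte: low nibble = byte width of the run
    length, high nibble = byte width of the LCN offset. The offset is a signed
    delta from the previous run's LCN, so a fragmented file can jump backwards
    on disk. An offset width of 0 is a sparse run (reads as zeros, owns no
    clusters). A header byte of 0x00 ends the list.
    """
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist):
        header = runlist[pos]
        pos += 1
        if header == 0:
            return runs
        len_width, off_width = header & 0x0F, header >> 4
        if len_width == 0 or pos + len_width + off_width > len(runlist):
            raise ValueError("malformed runlist at byte %d" % (pos - 1))
        length = int.from_bytes(runlist[pos:pos + len_width], "little")
        pos += len_width
        if off_width == 0:
            runs.append((None, length))
            continue
        lcn += int.from_bytes(runlist[pos:pos + off_width], "little", signed=True)
        pos += off_width
        if lcn < 0:
            raise ValueError("negative LCN: runlist is corrupt")
        runs.append((lcn, length))
    raise ValueError("runlist has no terminator")


def is_valid_runlist(runlist: bytes) -> bool:
    """Sanity check an examiner can run before trusting a carved attribute."""
    try:
        parse_data_runs(runlist)
        return True
    except ValueError:
        return False


def total_clusters(runs) -> int:
    """Allocated plus sparse clusters, i.e. the attribute's size in clusters."""
    return sum(length for _, length in runs)


def lcn_to_byte_offset(lcn: int, partition_start_sector: int = 0,
                       bytes_per_sector: int = 512, sectors_per_cluster: int = 8) -> int:
    """LCNs are numbered from 0 at the start of the partition, so a seek in a
    whole-disk image must add the partition's first sector (a physical address).
    The 512-byte sectors and 8 sectors per cluster are assumed defaults."""
    return (partition_start_sector + lcn * sectors_per_cluster) * bytes_per_sector


# Constructed data: a 1024-byte record that is nothing but a valid signature, and
# a three-run list: 8 clusters at LCN 0x1234, 4 clusters 16 clusters *before*
# that (offset byte 0xF0 is signed -16), then 2 sparse clusters.
SAMPLE_RECORD = MFT_SIGNATURE + bytes(MFT_RECORD_SIZE - 4)
SAMPLE_RUNLIST = bytes([0x21, 0x08, 0x34, 0x12,   # len 8, LCN +0x1234
                        0x11, 0x04, 0xF0,         # len 4, LCN -0x10
                        0x01, 0x02,               # len 2, sparse
                        0x00])                    # terminator

if __name__ == "__main__":
    print("FILE signature:", has_file_signature(SAMPLE_RECORD))
    for lcn, length in parse_data_runs(SAMPLE_RUNLIST):
        where = "sparse" if lcn is None else "byte 0x%x" % lcn_to_byte_offset(lcn, 2048)
        print("run: %d clusters at %s" % (length, where))
```

The signed delta is the detail that trips up hand decoding: 0xF0 in a one-byte offset field is -16, not 240, so the second run sits before the first on disk. A disk editor view of the raw bytes (question 2) is the quickest way to confirm what a tool reports for a fragmented file.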

20. What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced?
a. EFS b. VFAT c. LZH d. RAR
ANSWER: a
POINTS: 1 REFERENCES: Examining NTFS Disks QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:33 PM

21. Which certificate provides a mechanism for recovering files encrypted with EFS if there is a problem with the user’s original private key?
a. Escrow certificate b. Recovery certificate c. Administrator certificate d. Root certificate
ANSWER: b
POINTS: 1 REFERENCES: Examining NTFS Disks QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:59 PM

22. When Microsoft created Windows 95, into what were initialization (.ini) files consolidated?
a. The inirecord b. The inidata c. The registry d. The metadata
ANSWER: c
POINTS: 1 REFERENCES: Understanding the Windows Registry QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:34 PM

23. What specifies the Windows XP installation path and contains options for selecting the Windows version?
a. Boot.ini b. BootSect.dos c. NTDetect.com d. NTBootdd.sys
ANSWER: a
POINTS: 1 REFERENCES: Understanding Microsoft Startup Tasks QUESTION TYPE: Multiple Choice

HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:45 PM

24. Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr?
a. Hal.dll b. Boot.ini c. NTDetect.com d. BootSect.dos
ANSWER: c
POINTS: 1 REFERENCES: Understanding Microsoft Startup Tasks QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:45 PM

25. Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS?
a. Hal.dll b. NTBootdd.sys c. Boot.ini d. Ntoskrnl.exe
ANSWER: b
POINTS: 1 REFERENCES: Understanding Microsoft Startup Tasks QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:44 PM

26. What contains instructions for the OS for hardware devices, such as the keyboard, mouse, and video card?
a. Hal.dll b. Pagefile.sys c. Ntoskrnl.exe d. Device drivers
ANSWER: d
POINTS: 1 REFERENCES: Understanding Microsoft Startup Tasks QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:38 PM

27. Which filename refers to a core Win32 subsystem DLL file?
a. Pagefile.sys b. Hal.dll c. User32.dll d. Ntoskrnl.exe
ANSWER: c

POINTS: 1 REFERENCES: Understanding Microsoft Startup Tasks QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:44 PM

28. Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM?
a. Hal.dll b. Ntkrnlpa.exe c. BootSect.dos d. Io.sys
ANSWER: b
POINTS: 1 REFERENCES: Understanding Microsoft Startup Tasks QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:43 PM

29. Which filename refers to the Windows XP system service dispatch stubs to executable functions and internal support functions?
a. Ntdll.dll b. User32.dll c. Advapi32.dll d. Gdi32.dll
ANSWER: a
POINTS: 1 REFERENCES: Understanding Microsoft Startup Tasks QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:43 PM

30. What enables the user to run another OS on an existing physical computer (known as the host computer) by emulating a computer’s hardware environment?
a. A virtual file b. A logic drive c. A logic machine d. A virtual machine
ANSWER: d
POINTS: 1 REFERENCES: Understanding Virtual Machines QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 5/7/2018 2:47 PM

Matching

Match each item with a statement below:
a. File system b. Tracks c. Track density d. Partition gap e. Drive slack f. NTFS g. Unicode h. Alternate data streams i. BitLocker j. Partition Boot Sector
REFERENCES: Examining NTFS Disks; Exploring Microsoft File Structures; Understanding File Systems; Understanding Whole Disk Encryption QUESTION TYPE: Matching HAS VARIABLES: False DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 2/5/2018 2:38 PM

31. Microsoft’s move toward a journaling file system ANSWER: f POINTS: 1
32. The space between each track ANSWER: c POINTS: 1
33. Ways data can be appended to existing files ANSWER: h POINTS: 1
34. The unused space between partitions ANSWER: d POINTS: 1
35. An international data format ANSWER: g POINTS: 1
36. Microsoft’s utility for protecting drive data ANSWER: i POINTS: 1
37. Gives an OS a road map to data on a disk

ANSWER: a POINTS: 1
38. Unused space in a cluster between the end of an active file's content and the end of the cluster ANSWER: e POINTS: 1
39. Concentric circles on a disk platter where data is located ANSWER: b POINTS: 1
40. The first data set on an NTFS disk, which starts at sector[0] of the disk and can expand to 16 sectors ANSWER: j POINTS: 1

Subjective Short Answer

41. How can you make sure a subject’s computer boots to a forensic floppy disk or CD?
ANSWER: When a subject’s computer starts, you must make sure it boots to a forensically configured CD, DVD, or USB drive, because booting to the hard disk overwrites and changes evidentiary data. To do this, you access the CMOS setup by monitoring the computer during the bootstrap process to identify the correct key or keys to use. The bootstrap process, which is contained in ROM, tells the computer how to proceed. As the computer starts, the screen usually displays the key or keys, such as the Delete key, you press to open the CMOS setup screen. You can also try unhooking the keyboard to force the system to tell you what keys to use. The key you press to access CMOS depends on the computer’s BIOS. If necessary, you can change the boot sequence so that the OS accesses the CD/DVD drive, for example, before any other boot device. Each BIOS vendor’s screen is different, but you can refer to the vendor’s documentation or Web site for instructions on changing the boot sequence.
POINTS: 1 REFERENCES: Understanding File Systems QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/25/2018 8:51 PM

42. What are some of the components of a disk drive?
ANSWER: Following is a list of disk drive components:
* Geometry—Geometry refers to a disk’s logical structure of platters, tracks, and sectors.
* Head—The head is the device that reads and writes data to a drive. There are two heads per platter that read and write the top and bottom sides.
* Tracks—Tracks are concentric circles on a disk platter where data is located.
* Cylinders—A cylinder is a column of tracks on two or more disk platters. Typically, each

platter has two surfaces: top and bottom.
* Sectors—A sector is a section on a track, usually made up of 512 bytes.
POINTS: 1 REFERENCES: Understanding File Systems QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/25/2018 8:56 PM

43. How are disk clusters numbered by Microsoft file structures?
ANSWER: Clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT. The first sector of all disks contains a system area, the boot record, and a file structure database. The OS assigns these cluster numbers, which are referred to as logical addresses. They point to relative cluster positions; for example, cluster address 100 is 98 clusters from cluster address 2. Sector numbers, however, are referred to as physical addresses because they reside at the hardware or firmware level and go from address 0 (the first sector on the disk) to the last sector on the disk. Clusters and their addresses are specific to a logical disk drive, which is a disk partition.
POINTS: 1 REFERENCES: Exploring Microsoft File Structures QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/25/2018 9:36 PM

44. Summarize the evolution of FAT versions.
ANSWER: The following list summarizes the evolution of FAT versions:
* FAT12—This version is used specifically for floppy disks, so it has a limited amount of storage space. It was originally designed for MS-DOS 1.0, the first Microsoft OS, used for floppy disk drives and drives up to 16 MB.
* FAT16—To handle large disks, Microsoft developed FAT16, which is still used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.5 and 4.0. FAT16 supports disk partitions with a maximum storage capacity of 4 GB.
* FAT32—When disk technology improved and disks larger than 2 GB were created, Microsoft released FAT32, which can access larger drives.
* exFAT—Developed for mobile personal storage devices, such as flash memory devices, Secure Digital eXtended Capacity (SDXC) cards, and memory sticks. The exFAT file system can store very large files, such as digital images, video, and audio files.
* VFAT—Developed to handle files with more than eight-character filenames and three-character extensions; introduced with Windows 95. VFAT is an extension of other FAT file systems.
POINTS: 1 REFERENCES: Understanding File Systems

QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/25/2018 9:42 PM

45. Briefly describe how to delete FAT files.
ANSWER: When a file is deleted in Windows Explorer or with the MS-DOS delete command, the OS inserts a HEX E5 (0xE5) in the filename’s first letter position in the associated directory entry. This value tells the OS that the file is no longer available and a new file can be written to the same cluster location. In the FAT file system, when a file is deleted, the only modifications made are that the directory entry is marked as a deleted file, with the HEX E5 character replacing the first letter of the filename, and the FAT chain for that file is set to 0. The data in the file remains on the disk drive. The area of the disk where the deleted file resides becomes unallocated disk space (also called “free disk space”). The unallocated disk space is now available to receive new data from newly created files or other files needing more space as they grow. Most forensics tools can recover data still residing in this area.
POINTS: 1 REFERENCES: Understanding File Systems QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/25/2018 9:54 PM

46. What are logical cluster numbers (LCNs)?
ANSWER: To understand how data runs are assigned for nonresident MFT records, you should know that when a disk is created as an NTFS file structure, the OS assigns logical clusters to the entire disk partition. These assigned clusters, called logical cluster numbers (LCNs), are sequentially numbered from the beginning of the disk partition, starting with the value 0. LCNs become the addresses that allow the MFT to link to nonresident files (files outside the MFT) on the disk’s partition.
POINTS: 1 REFERENCES: Examining NTFS Disks QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/25/2018 9:56 PM

47. Briefly explain NTFS compressed files.
ANSWER: To improve data storage on disk drives, NTFS provides compression similar to FAT

DriveSpace 3, a Windows 98 compression utility. With NTFS, you can compress files, folders, or entire volumes. With FAT16, you can compress only a volume. On a Windows NT or later system, compressed data is displayed normally when you view it in Windows Explorer or applications such as Microsoft Word. During an investigation, typically you work from an image of a compressed disk, folder, or file. Most forensics tools can uncompress and analyze compressed Windows data, including data compressed with the Lempel-Ziv-Huffman (LZH) algorithm and in formats such as PKZip, WinZip, and GNU gzip. However, forensics tools might have difficulty with third-party compression utilities, such as the .rar format. If you identify third-party compressed data, you need to uncompress it with the utility that created it.
POINTS: 1 REFERENCES: Examining NTFS Disks QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/25/2018 9:59 PM

48. What are some of the features offered by current whole disk encryption tools?
ANSWER: Current whole disk encryption tools offer the following features that computer forensics examiners should be aware of:
* Preboot authentication, such as a single sign-on password, fingerprint scan, or token (USB device)
* Full or partial disk encryption with secure hibernation, such as activating a password-protected screen saver
* Advanced encryption algorithms, such as AES and IDEA
* Key management function that uses a challenge-and-response method to reset passwords or passphrases
POINTS: 1 REFERENCES: Understanding Whole Disk Encryption QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/25/2018 10:01 PM

49. What are BitLocker’s current hardware and software requirements?
ANSWER: BitLocker’s current hardware and software requirements are as follows:
* A computer capable of running Windows Vista or later (non-home editions)
* The Trusted Platform Module (TPM) microchip, version 1.2 or newer
* A computer BIOS compliant with Trusted Computing Group (TCG)
* Two NTFS partitions for the OS and an active system volume with available space
* The BIOS configured so that the hard drive boots first before checking the CD/DVD drive or other bootable peripherals

POINTS: 1 REFERENCES: Understanding Whole Disk Encryption QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/25/2018 10:03 PM

50. Describe some third-party disk encryption tools.
ANSWER: The following list describes some available third-party WDE utilities:
* Endpoint Encryption (www.symantec.com/products/endpoint-encryption) can be used on PCs, laptops, and removable media to secure an entire disk volume. This tool works in Windows Server 2008 and later and Windows 7 and later.
* Voltage SecureFile (www.voltage.com/products/data-security/hpe-securefile/) is designed for an enterprise computing environment.
* Jetico BestCrypt Volume Encryption (www.jetico.com/products/personalprivacy/bestcrypt-volume-encryption) provides WDE for older MS-DOS and current Windows systems.
POINTS: 1 REFERENCES: Understanding Whole Disk Encryption QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:57 PM DATE MODIFIED: 1/25/2018 10:07 PM
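Questions 43 and 45 of this chapter describe FAT cluster addressing and what a FAT delete actually changes (0xE5 in the first name byte, FAT chain zeroed, data left in place). The following is an added example, not code from the textbook: a tiny in-memory FAT16-style volume that writes a file, deletes it the way the OS does, and then recovers it the way a forensics tool does, from the surviving first-cluster and size fields. The geometry (512-byte sectors, one sector per cluster, one FAT, a 16-entry root directory), the contiguous allocator and the file contents are all constructed for the example; a real volume also has a populated boot sector and usually two FAT copies.

```python
"""Tiny in-memory FAT16 volume that shows what deletion leaves behind.

Added example for questions 43 and 45 above; not code from the textbook.
Geometry, allocator and file contents are constructed for the example.
"""
import struct

BPS = 512                    # bytes per sector
SPC = 1                      # sectors per cluster (assumed; keeps arithmetic simple)
RESERVED = 1                 # sector 0: boot sector
FAT_SECTORS = 1              # one 16-bit FAT = 256 entries
ROOT_SECTORS = 1             # 16 directory entries of 32 bytes
FAT_START = RESERVED                     # sector 1
ROOT_START = FAT_START + FAT_SECTORS     # sector 2
DATA_START = ROOT_START + ROOT_SECTORS   # sector 3 holds cluster 2
TOTAL_SECTORS = DATA_START + 32
CLUSTER_BYTES = BPS * SPC
DELETED = 0xE5               # first byte of a deleted directory entry
EOC = 0xFFFF                 # end-of-chain marker in the FAT


def cluster_to_sector(cluster: int) -> int:
    """Logical to physical address: FAT data clusters are numbered from 2 (NTFS
    from 0); sectors are numbered from 0 at the start of the volume."""
    if cluster < 2:
        raise ValueError("FAT data clusters start at 2")
    return DATA_START + (cluster - 2) * SPC


class FatVolume:
    def __init__(self):
        self.disk = bytearray(TOTAL_SECTORS * BPS)
        self.fat = [0] * (FAT_SECTORS * BPS // 2)
        self._set_fat(0, 0xFFF8)      # media descriptor entry
        self._set_fat(1, EOC)

    def _set_fat(self, cluster, value):
        self.fat[cluster] = value
        struct.pack_into("<H", self.disk, FAT_START * BPS + cluster * 2, value)

    def _entry_offsets(self):
        return [ROOT_START * BPS + i * 32 for i in range(ROOT_SECTORS * BPS // 32)]

    def _entry_fields(self, off):
        # offset 26: first cluster (low word), offset 28: file size
        return (struct.unpack_from("<H", self.disk, off + 26)[0],
                struct.unpack_from("<I", self.disk, off + 28)[0])

    def _alloc(self, n):
        """First run of n free (zero) FAT entries; a real driver may fragment."""
        run = 0
        for c in range(2, len(self.fat)):
            run = run + 1 if self.fat[c] == 0 else 0
            if run == n:
                return c - n + 1
        raise RuntimeError("volume full")

    def chain(self, first):
        """Follow the FAT from first until EOC; a free (0) entry ends it early."""
        out, c = [], first
        while 2 <= c < 0xFFF8 and self.fat[c] != 0:
            out.append(c)
            c = self.fat[c]
        return out

    def write_file(self, name11: bytes, data: bytes) -> int:
        assert len(name11) == 11                    # 8.3 name, space padded
        n = max(1, -(-len(data) // CLUSTER_BYTES))  # ceil division
        first = self._alloc(n)
        for i in range(n):
            c = first + i
            off = cluster_to_sector(c) * BPS
            chunk = data[i * CLUSTER_BYTES:(i + 1) * CLUSTER_BYTES]
            self.disk[off:off + len(chunk)] = chunk
            self._set_fat(c, c + 1 if i < n - 1 else EOC)
        for off in self._entry_offsets():
            if self.disk[off] in (0x00, DELETED):   # DOS reuses deleted slots
                self.disk[off:off + 11] = name11
                struct.pack_into("<H", self.disk, off + 26, first)
                struct.pack_into("<I", self.disk, off + 28, len(data))
                return off
        raise RuntimeError("root directory full")

    def read_file(self, entry_off: int) -> bytes:
        first, size = self._entry_fields(entry_off)
        buf = bytearray()
        for c in self.chain(first):
            off = cluster_to_sector(c) * BPS
            buf += self.disk[off:off + CLUSTER_BYTES]
        return bytes(buf[:size])

    def delete_file(self, entry_off: int):
        """The OS's delete: 0xE5 into the first name byte, FAT chain zeroed.
        The data clusters are untouched; they are now unallocated space."""
        first, _ = self._entry_fields(entry_off)
        for c in self.chain(first):
            self._set_fat(c, 0)
        self.disk[entry_off] = DELETED

    def recover_deleted(self) -> dict:
        """A forensics tool's recovery: for every 0xE5 entry, read `size` bytes of
        consecutive clusters from the surviving first-cluster field. The chain is
        gone, so a fragmented file's tail may be wrong, and any cluster reused by
        a newer file has already been overwritten."""
        found = {}
        for off in self._entry_offsets():
            if self.disk[off] != DELETED:
                continue
            name = b"?" + bytes(self.disk[off + 1:off + 11])   # first letter lost
            first, size = self._entry_fields(off)
            n = max(1, -(-size // CLUSTER_BYTES))
            start = cluster_to_sector(first) * BPS
            found[name] = bytes(self.disk[start:start + n * CLUSTER_BYTES])[:size]
        return found
```

Writing a new, smaller file after the delete shows the two caveats in one step: the allocator hands the new file cluster 2 and the old directory slot, so the deleted entry is no longer recoverable by name, while the bytes of the old file past the new file's end are still readable in the cluster as file slack (question 38).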


Chapter 06: Current Digital Forensics Tools

True / False

1. When you research computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 12/1/2017 12:58 PM

2. In software acquisition, there are three types of data-copying methods.
a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 12/1/2017 12:58 PM

3. To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/1/2018 7:55 PM

4. Computers used several OSs before Windows and MS-DOS dominated the market.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs

QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/1/2018 8:02 PM

5. After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Validating and Testing Forensics Software QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 12/1/2017 12:58 PM

6. Software forensic tools are grouped into command-line applications and GUI applications.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 2/1/2018 9:38 PM DATE MODIFIED: 2/1/2018 9:39 PM

7. The validation function is the most challenging of all tasks for computer investigators to master.
a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 2/1/2018 9:40 PM DATE MODIFIED: 2/1/2018 9:41 PM

8. Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file’s contents.
a. True b. False

ANSWER: True
POINTS: 1 REFERENCES: Validating and Testing Forensics Software QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 2/1/2018 9:43 PM DATE MODIFIED: 2/1/2018 9:44 PM

9. Because there are a number of different versions of UNIX and Linux, these OSs are referred to as CLI platforms.
a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: Digital Forensics Software Tools QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 2/1/2018 9:45 PM DATE MODIFIED: 2/1/2018 9:46 PM

10. Hardware manufacturers have designed most computer components to last about 36 months between failures.
a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: Digital Forensics Hardware Tools QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 2/1/2018 9:47 PM DATE MODIFIED: 2/1/2018 9:48 PM

Multiple Choice

11. Which digital forensics tool is categorized as a single-purpose hardware component?
a. Tableau T35es-R2 SATA/IDE eSATA bridge b. Safeback c. Magnet Forensics AXIOM d. AccessData FTK
ANSWER: a
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 6/5/2018 12:11 PM

12. Into what do software forensics tools copy data from a suspect’s disk drive?
a. A backup file b. Firmware c. An image file d. A recovery copy
ANSWER: c
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 4:58 PM

13. Which tool enables the investigator to acquire the forensic image and process it in the same step?
a. Magnet DEFR b. Magnet FTK c. Magnet dd d. Magnet AXIOM
ANSWER: d
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 3:41 PM

14. What Linux command is used to create the raw data format?
a. rawcp b. dd c. d2dump d. dhex
ANSWER: b
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 3:41 PM

15. Which activity involves sorting and searching through investigation findings to separate good data and suspicious data?
a. Validation b. Filtering c. Acquisition d. Reconstruction
ANSWER: b
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM

DATE MODIFIED: 5/7/2018 3:41 PM

16. Many password recovery tools have a feature for generating potential password lists for which type of attack?
a. Brute-force b. Password dictionary c. Birthday d. Salting
ANSWER: b
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 3:41 PM

17. Which type of copy from the suspect disk to the target location does the simplest method of duplicating a disk drive make?
a. Partition-to-partition b. Image-to-partition c. Disk-to-image d. Image-to-disk
ANSWER: c
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 3:40 PM

18. What must be created to complete a forensic disk analysis and examination?
a. A forensic disk copy b. A risk assessment c. A budget plan d. A report
ANSWER: d
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 3:40 PM

19. The first MS-DOS tools that analyzed and extracted data from floppy disks and hard disks were used with which type of PC file systems?
a. Apple b. Windows c. UNIX d. IBM
ANSWER: d
POINTS: 1 REFERENCES: Digital Forensics Software Tools

QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 6/4/2018 3:56 PM

20. In Windows 2000 and later, which command shows you the file owner if you have multiple users on the system or network?
a. dir b. ls c. Copy d. owner
ANSWER: a
POINTS: 1 REFERENCES: Digital Forensics Software Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 3:39 PM

21. Building your own forensics workstation:
a. is always less expensive than choosing a vendor-supplied workstation. b. requires the time and skills necessary to support the chosen hardware. c. is inappropriate in the private sector. d. limits you to only one peripheral device per CPU because of potential conflicts.
ANSWER: b
POINTS: 1 REFERENCES: Digital Forensics Hardware Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 6/5/2018 12:37 PM

22. What do you call a forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation?
a. A quasi-workstation b. A field workstation c. A lightweight workstation d. A portable workstation
ANSWER: d
POINTS: 1 REFERENCES: Digital Forensics Hardware Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:00 PM

23. What type of disk is commonly used with Sun Solaris systems?
a. F.R.E.D. b. SPARC

c. FIRE IDE d. DiskSpy
ANSWER: b
POINTS: 1 REFERENCES: Digital Forensics Hardware Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:02 PM

24. What is the general term for software or hardware that is used to protect evidence disks by preventing data from being written to them?
a. Drive-protectors b. Disk-blockers c. Data-protectors d. Write-blockers
ANSWER: d
POINTS: 1 REFERENCES: Digital Forensics Hardware Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 3:38 PM

25. Devices used to prevent data from being written to a disk can connect to a computer through FireWire, SATA, PATA, and SCSI controllers as well as which other type of controller?
a. USB 2.0 and 3.0 b. IDE c. LCD d. PCMCIA
ANSWER: a
POINTS: 1 REFERENCES: Digital Forensics Hardware Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 6/4/2018 4:01 PM

26. Which entity publishes articles, provides tools, and creates procedures for testing and validating computer forensics software?
a. CFTT b. NIST c. FS-TST d. NSRL
ANSWER: b
POINTS: 1 REFERENCES: Validating and Testing Forensics Software QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/7/2018 3:28 PM

27. Which standards document demands accuracy for all aspects of the testing process?
a. ISO 3657
b. ISO 5321
c. ISO 5725
d. ISO 17025
ANSWER: c
POINTS: 1 REFERENCES: Validating and Testing Forensics Software QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 3:29 PM

28. Which NIST project manages research on forensics tools?
a. NSRL
b. CFTT
c. FS-TST
d. PARTAB
ANSWER: b
POINTS: 1 REFERENCES: Validating and Testing Forensics Software QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 6/4/2018 4:10 PM

29. What is the primary hash algorithm used by the NIST project created to collect all known hash values for commercial software and OS files?
a. MD5
b. SHA-1
c. CRC-32
d. RC4
ANSWER: b
POINTS: 1 REFERENCES: Validating and Testing Forensics Software QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 6/4/2018 4:13 PM

30. Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format?
a. A disk imager
b. A write-blocker
c. A bit-stream copier
d. A disk editor
ANSWER: d
POINTS: 1 REFERENCES: Validating and Testing Forensics Software QUESTION TYPE: Multiple Choice
HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 3:36 PM

Matching

Match each item with a statement below
a. FF D8
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack
j. ISO 27037
REFERENCES: Digital Forensics Hardware Tools; Digital Forensics Software Tools; Evaluating Digital Forensics Tool Needs QUESTION TYPE: Matching HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/5/2018 6:29 PM

31. A standard indicator for graphics files
ANSWER: a POINTS: 1

32. European term for carving
ANSWER: d POINTS: 1

33. A bit-for-bit copy of a data file, a disk partition, or an entire drive
ANSWER: e POINTS: 1

34. Usually a laptop computer built into a carrying case with a small selection of peripheral options
ANSWER: b POINTS: 1

35. One of the first MS-DOS tools used for digital investigations
ANSWER: g POINTS: 1
36. Software-enabled write-blocker
ANSWER: f POINTS: 1

37. System file where passwords may have been written temporarily
ANSWER: c POINTS: 1

38. A tower with several bays and many peripheral devices
ANSWER: h POINTS: 1

39. Command-line disk acquisition tool from New Technologies, Inc.
ANSWER: i POINTS: 1

40. States that Digital Evidence First Responders (DEFRs) should use validated tools
ANSWER: j POINTS: 1

Subjective Short Answer

41. What are the five major function categories of any digital forensics tool?
ANSWER: All digital forensic tools, both hardware and software, perform specific functions. These functions are grouped into five major categories, each with subfunctions for refining data analysis and recovery and ensuring data quality:
* Acquisition
* Validation and discrimination
* Extraction
* Reconstruction
* Reporting
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/1/2018 9:52 PM

42. Explain the validation of evidence data process.
ANSWER: Validation and verification functions work hand in hand. Validation is a way to confirm that a tool is functioning as intended, and verification proves that two sets of data are identical by calculating hash values or using another similar method. How data hashing is used depends on the investigation, but using a hashing algorithm on the entire suspect drive and all its files is a standard practice. This method produces a unique hexadecimal value for ensuring that the original data hasn’t changed and copies are of the same unchanged data or image.
POINTS: 1 REFERENCES: Evaluating Digital Forensics Tool Needs QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/1/2018 9:57 PM

43. What are some of the advantages of using command-line forensics tools?
ANSWER: One advantage of using command-line tools for an investigation is that they require few system resources because they’re designed to run in minimal configurations. In fact, most tools fit on bootable media (USB drives, CDs, and DVDs). Conducting an initial inquiry or a complete investigation with bootable media can save time and effort. Most tools also produce a text report that fits on a USB drive or other removable media.
POINTS: 1 REFERENCES: Digital Forensics Software Tools QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/1/2018 9:59 PM

44. Explain the advantages and disadvantages of GUI forensics tools.
ANSWER: GUI tools have several advantages, such as ease of use, the capability to perform multiple tasks, and no requirement to learn older OSs. Their disadvantages range from excessive resource requirements (such as needing large amounts of RAM) to producing inconsistent results because of the type of OS used. Another concern with using GUI tools is that they create investigators' dependence on using only one tool. In some situations, GUI tools don’t work and a command-line tool is required.
POINTS: 1 REFERENCES: Digital Forensics Software Tools QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/1/2018 10:01 PM

45. Illustrate how to consider hardware needs when planning your lab budget.
ANSWER: You should plan your hardware needs carefully, especially if you have budget limitations. Include in your planning the amount of time you expect the forensic workstation to be running, how often you expect hardware failures, consultant and vendor fees to support the hardware, and how often to anticipate replacing forensic workstations. The longer you expect the forensic workstation to be running, the more you need to anticipate physical equipment failure and the expense of replacement equipment.
POINTS: 1
REFERENCES: Digital Forensics Hardware Tools QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/1/2018 10:04 PM

46. Describe some of the problems you may encounter if you decide to build your own forensics workstation.
ANSWER: To decide whether you want to build your own workstation, first ask “How much do I have to spend?” Building a forensic workstation isn’t as difficult as it sounds but can quickly become expensive if you aren’t careful. If you have the time and skill to build your own forensic workstation, you can customize it to your needs and save money, although you might have trouble finding support for problems that develop. For example, peripheral devices might conflict with one another, or components might fail. If you build your own forensic workstation, you should be able to support the hardware. You also need to identify what you intend to analyze. If you’re analyzing SPARC disks from workstations in a company network, for example, you need to include a SPARC drive with a write-protector on your forensic workstation.
POINTS: 1 REFERENCES: Digital Forensics Hardware Tools QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/1/2018 10:06 PM

47. Illustrate the use of a write-blocker on a Windows environment.
ANSWER: In the Windows environment, when a write-blocker is installed on an attached disk drive, the drive appears as any other attached disk. You can navigate to the blocked drive with any Windows application, such as File Explorer, to view files or use Word to read files. When you copy data to the blocked drive or write updates to a file with Word, Windows shows that the data copy is successful. However, the write-blocker actually discards the written data—in other words, data is written to null. When you restart the workstation and examine the blocked disk, you won’t see the data or files you copied to it previously.
POINTS: 1 REFERENCES: Digital Forensics Hardware Tools QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/1/2018 10:09 PM

48. Briefly explain the NIST general approach for testing computer forensics tools.
ANSWER: NIST has created criteria for testing computer forensics tools, which are included in the article “General Test Methodology for Computer Forensic Tools” (version 1.9, November 7, 2001), available at www.cftt.nist.gov/testdocs.html. This article addresses the lack of
specifications for what forensics tools should do and the importance of tools meeting judicial scrutiny. The criteria are based on standard testing methods and ISO 17025 criteria for testing when no current standards are available.
POINTS: 1 REFERENCES: Validating and Testing Forensics Software QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/1/2018 10:11 PM

49. Explain the difference between repeatable results and reproducible results.
ANSWER: “Repeatable results” means that if you work in the same lab on the same machine, you generate the same results. “Reproducible results” means that if you’re in a different lab and working on a different machine, the tool still retrieves the same information.
POINTS: 1 REFERENCES: Validating and Testing Forensics Software QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 12/1/2017 12:58 PM

50. Briefly explain the purpose of the NIST NSRL project.
ANSWER: The purpose of the NSRL project is to reduce the number of known files, such as OS or program files, included in a forensics examination of a drive, so that only unknown files are left. You can also use the RDS to locate and identify known bad files, such as illegal images and malware, on a suspect drive.
POINTS: 1 REFERENCES: Validating and Testing Forensics Software QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/1/2018 10:15 PM
Chapter 07: Linux and Macintosh File Systems

True / False

1. If a file contains information, it always occupies at least one allocation block.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/7/2018 7:55 PM

2. macOS is built with the new Apple File System (APFS). The current version offers better security, encryption, and performance speeds, but users can't mount HFS+ drives.
a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/7/2018 7:54 PM

3. Some notable UNIX distributions included Silicon Graphics, Inc. (SGI) IRIX, Santa Cruz Operation (SCO) UnixWare, Sun Solaris, IBM AIX, and HP-UX.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/7/2018 7:54 PM

4. Windows OSs do not have a kernel.
a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: True / False
HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/7/2018 8:03 PM

5. The pipe (|) character redirects the output of the command preceding it.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/12/2018 10:58 AM

6. All disks have more storage capacity than the manufacturer states.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 2/8/2018 5:34 PM DATE MODIFIED: 2/8/2018 5:36 PM

7. Before OS X, the Hierarchical File System (HFS) was used, in which files are stored in directories (folders) that can be nested in other directories.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 2/8/2018 5:55 PM DATE MODIFIED: 2/8/2018 5:56 PM

8. The HFS and HFS+ file systems have four descriptors for the end of a file (EOF).
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 2/8/2018 5:57 PM DATE MODIFIED: 2/8/2018 5:57 PM

9. Ext3 is a journaling version of Ext2 that has a built-in file recovery mechanism used after a crash.
a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 2/8/2018 6:00 PM DATE MODIFIED: 2/12/2018 11:14 AM

10. In macOS, volume fragmentation is kept to a minimum by removing clumps from larger files.
a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 2/8/2018 6:09 PM DATE MODIFIED: 2/8/2018 6:10 PM

Multiple Choice

11. Macintosh moved to the Intel processor and became UNIX based with which operating system?
a. El Capitan
b. High Sierra
c. OS X
d. Lion
ANSWER: c
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:02 PM

12. In older versions of macOS, in which fork are file metadata and application information stored?
a. Resource
b. Node
c. Block
d. Inode
ANSWER: a
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:03 PM

13. In macOS, in addition to allocation blocks, what kind of blocks do volumes have?
a. Master blocks
b. Clumped blocks
c. Clustered blocks
d. Logical blocks
ANSWER: d
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:03 PM

14. In older versions of macOS, where is all information about the volume stored?
a. The Master Directory Block (MDB)
b. The Volume Control Block (VCB)
c. The Extents Overflow File (EOF)
d. The Volume Bitmap (VB)
ANSWER: a
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:04 PM

15. What macOS system application tracks each block on a volume to determine which blocks are in use and which ones are available to receive data?
a. The Extents Overflow File
b. The Volume Bitmap
c. The Master Directory Block
d. The Volume Control Block
ANSWER: b
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:05 PM
16. In macOS, what stores any file information not in the Master Directory Block or Volume Control Block?
a. The Volume Information Block
b. The Extents Overflow File
c. The catalog
d. The Master Data Block
ANSWER: b
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:07 PM

17. Which term is often used when discussing Linux because technically, Linux is only the core of the OS?
a. Module
b. Root
c. Kernel
d. GRUB
ANSWER: c
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:07 PM

18. What was the early standard Linux file system?
a. NTFS
b. Ext3
c. HFS+
d. Ext2
ANSWER: d
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:07 PM

19. What is the largest disk partition Ext4f can support?
a. 4 TB
b. 8 TB
c. 10 TB
d. 16 TB
ANSWER: d
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:12 PM
20. What contains file and directory metadata and provides a mechanism for linking data stored in data blocks?
a. Xnodes
b. Extnodes
c. InfNodes
d. Inodes
ANSWER: d
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:08 PM

21. At what hard link count is a file effectively deleted?
a. -1
b. 0
c. 1
d. 2
ANSWER: b
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:08 PM

22. How many components define the file system on UNIX/Linux?
a. Two
b. Three
c. Four
d. Five
ANSWER: c
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:08 PM

23. Where are directories and files stored on a disk drive?
a. The superblock
b. The data block
c. The boot block
d. The inode block
ANSWER: b
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/7/2018 5:08 PM

24. In Linux, in which directory are most system configuration files stored?
a. /etc
b. /home
c. /dev
d. /var
ANSWER: a
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:08 PM

25. In Linux, in which directory are most applications and commands stored?
a. /home
b. /var
c. /etc
d. /usr
ANSWER: d
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:10 PM

26. On a Linux computer, by what are file systems exported to remote hosts represented?
a. /etc/fstab
b. /var/run/utmp
c. /etc/exports
d. /var/log/wtmp
ANSWER: c
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:10 PM

27. On a Linux computer, what contains group memberships for the local system?
a. /etc/passwd
b. /etc/shadow
c. /etc/group
d. /etc/fstab
ANSWER: c
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:10 PM

28. In a file's inode, what are the first 10 pointers called?
a. Direct pointers
b. Indirect pointers
c. Double pointers
d. Triple pointers
ANSWER: b
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:14 PM

29. In macOS, which fork typically contains data the user creates?
a. The data fork
b. The content fork
c. The user fork
d. The resource fork
ANSWER: a
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:11 PM

30. In macOS, when working with an application file, which fork contains additional information, such as menus, dialog boxes, icons, executable code, and controls?
a. The application fork
b. The system fork
c. The data fork
d. The resource fork
ANSWER: d
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 5/7/2018 5:11 PM

Matching

Match each item with a statement below
a. Autopsy
b. Inode blocks
c. Tarball
d. Sleuth Kit
e. Clumps
f. Volume
g. Pipe (|)
h. Catalog
i. Kali Linux
j. OSForensics
REFERENCES: Examining Linux File Structures; Understanding Macintosh File Structures; Using Linux Forensics Tools QUESTION TYPE: Matching HAS VARIABLES: False DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/8/2018 7:11 PM

31. A free Linux forensics tool
ANSWER: d POINTS: 1

32. Linux distribution that contains several forensics tools
ANSWER: i POINTS: 1

33. Any storage medium used to store files
ANSWER: f POINTS: 1

34. Redirects the output of the command preceding it on Linux
ANSWER: g POINTS: 1

35. Maintains relationships between files and directories on a volume on macOS
ANSWER: h POINTS: 1

36. The first data after the superblock on a UNIX or Linux file system
ANSWER: b POINTS: 1

37. A highly compressed data file containing one or more files or directories and their contents
ANSWER: c POINTS: 1

38. Sleuth Kit's Web browser interface
ANSWER: a POINTS: 1
39. Groups of contiguous allocation blocks
ANSWER: e POINTS: 1

40. Commercial forensics tool for analyzing UNIX and Linux file systems
ANSWER: j POINTS: 1

Subjective Short Answer

41. Explain the relation between allocation blocks and logical blocks on a Mac OS file system.
ANSWER: Volumes have allocation blocks and logical blocks. A logical block is a collection of data that cannot exceed 512 bytes. When you save a file, it is assigned to an allocation block, which is a group of consecutive logical blocks. As volumes increase in size, one allocation block might be composed of three or more logical blocks. If a file contains information, it always occupies one allocation block. For example, if a data fork contains only 11 bytes of data, it occupies one allocation block (512 bytes) on a disk, which leaves more than 500 bytes empty in the data fork.
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/8/2018 6:17 PM

42. Explain the use of B*-trees on early Mac OS file systems.
ANSWER: In early Mac versions, the B*-tree file system is also used to organize the directory hierarchy and file block mapping. In this file system, files are nodes (records or objects) containing file data. Each node is 512 bytes. The nodes containing actual file data are called leaf nodes; they are the bottom level of a B*-tree file. The B*-tree also has the following nodes that handle file information:
* The header node stores information about the B*-tree file.
* The index node stores link information to previous and next nodes.
* The map node stores a node descriptor and map record.
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/8/2018 6:21 PM

43. Explain Disk Arbitration features of forensic tools for Macintosh systems.
ANSWER: BlackBag Technologies Macintosh Forensic Software and SubRosaSoft MacForensicsLab have a function for disabling and enabling Disk Arbitration, which is a macOS feature for disabling and enabling automatic mounting when a drive is connected via a USB or FireWire device (see www.appleexaminer.com). Being able to turn off the mount function in macOS allows you to connect a suspect drive to a Mac without a write-blocking device.
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/8/2018 6:26 PM

44. What are the functions of the superblock on a UNIX or Linux file system?
ANSWER: The superblock contains vital information about the system and is considered part of the metadata. It specifies the disk geometry and available space and keeps track of all inodes. The superblock also manages the file system, including configuration information, such as block size for the drive, file system names, blocks reserved for inodes, and volume name. Multiple copies of the superblock are kept in different locations on the disk to prevent losing such important information.
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/8/2018 6:39 PM

45. What is a bad block inode on Linux?
ANSWER: All disks have more storage capacity than the manufacturer states. For example, a 240 GB disk might actually have 240.5 GB free space because disks always have bad sectors. Windows doesn’t keep track of bad sectors, but Linux does in an inode called the bad block inode. The root inode is inode 2, and the bad block inode is inode 1. Some forensic tools ignore inode 1 and fail to recover valuable data for cases. Someone trying to mislead an investigator can access the bad block inode, list good sectors in it, and then hide information in these supposedly “bad” sectors.
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/8/2018 6:41 PM

46. What is a data block in Linux file systems?
ANSWER: The data block is where directories and files are stored on a disk drive. This location is linked directly to inodes. As in Microsoft file systems, the Linux file system on a PC has 512-byte sectors. A data block is equivalent to a cluster of disk sectors on a FAT or NTFS volume. Blocks range from 1024 to 4096 bytes each on a Linux volume.
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:58 PM DATE MODIFIED: 2/8/2018 6:45 PM

47. Briefly describe acquisition methods in macOS.
ANSWER: To examine a computer running macOS, you need to make an image of the drive, using the same techniques described in Chapter 5. You should be aware of some exceptions, however, caused by Apple design and engineering. (In addition, removing the drive from a Mac Mini case is difficult, and attempting to do so without Apple factory training could damage the computer. A MacBook Air poses similar problems, as you need special Apple screwdrivers to open the case.) You need a macOS-compatible forensic boot CD/DVD to make an image, which then must be written to an external drive, such as a FireWire or USB drive. Larger macOS systems are constructed much like desktop PCs, making removal of the hard drive easier.
POINTS: 1 REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 2/8/2018 6:30 PM DATE MODIFIED: 2/8/2018 6:31 PM

48. Briefly describe image examination methods for macOS.
ANSWER: After making an acquisition, the next step is examining the image of the file system with a forensics tool. The tool you use depends on the image file’s format. For example, if you used EnCase, FTK, or X-Ways Forensics to create an Expert Witness (.e01) image, you must use one of these tools to analyze the image. If you made a raw format image, you can use any of the following tools:
• BlackBag Technologies Macintosh Forensic Software (OS X only)
• SubRosaSoft MacForensicsLab (OS X only)
• Guidance Software EnCase
• Recon Mac OS X Forensics with Paladin
• X-Ways Forensics
• AccessData FTK
POINTS: 1
REFERENCES: Understanding Macintosh File Structures QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 2/8/2018 6:32 PM DATE MODIFIED: 2/8/2018 6:34 PM

49. Briefly describe hard links in Linux systems.
ANSWER: A hard link is a pointer that allows accessing the same file by different filenames (RuteUsers-Guide/Linux Dictionary V 0.16, www.tldp.org/LDP/LinuxDictionary/html/index.html). The filenames refer to the same inode and physical location on a drive. Originally, hard links were used so that people with different logins could access the same physical file. If one person changed the file, the changes would be apparent when another user opened the file.
POINTS: 1 REFERENCES: Examining Linux File Structures QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 2/8/2018 6:56 PM DATE MODIFIED: 2/8/2018 6:57 PM

50. Briefly describe Foremost as a Linux Forensics tool.
ANSWER: The U.S. Air Force Office of Special Investigations and the Center for Information Systems Security Studies and Research developed a specialized freeware tool called Foremost (see http://foremost.sourceforge.net). Foremost is a carving tool that can read many image file formats, such as raw and Expert Witness. It has a configuration file, foremost.conf, listing the most common file headers, footers, and data structures. If a file format isn’t included in this file, it can be added by using a hex editor to determine the new format’s header and footer values and a text editor to update the file. This file is typically in the /usr/local/etc directory and contains instructions on updating it.
POINTS: 1 REFERENCES: Using Linux Forensics Tools QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 2/8/2018 6:58 PM DATE MODIFIED: 2/8/2018 7:01 PM

Chapter 08: Recovering Graphics Files

True / False

1. Bitmap images are collections of dots, or pixels, in a grid format that form a graphic.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Recognizing a Graphics File
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/13/2018 10:20 PM

2. Operating systems do not have tools for recovering image files.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Understanding Data Compression
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 12/1/2017 12:58 PM

3. If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Understanding Data Compression
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/13/2018 10:30 PM

4. With many computer forensics tools, you can open files with external viewers.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: True / False
HAS VARIABLES: False

DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 12/1/2017 12:58 PM

5. Steganography cannot be used with file formats other than image files.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 12/1/2017 12:58 PM

6. Under copyright laws, maps and architectural plans may be registered as pictorial, graphic, and sculptural works.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Understanding Copyright Issues with Graphics
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 2/13/2018 11:01 PM
DATE MODIFIED: 2/13/2018 11:02 PM

7. A graphics program creates and saves one of three types of image files: bitmap, vector, or XIF.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Recognizing a Graphics File
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 2/13/2018 11:02 PM
DATE MODIFIED: 2/13/2018 11:03 PM

8. The Internet is the best source for learning more about file formats and their extensions.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: True / False

HAS VARIABLES: False
DATE CREATED: 2/13/2018 11:04 PM
DATE MODIFIED: 2/13/2018 11:05 PM

9. All TIF files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 3B.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 2/13/2018 11:06 PM
DATE MODIFIED: 2/13/2018 11:07 PM

10. The two major forms of steganography are insertion and substitution.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 2/13/2018 11:08 PM
DATE MODIFIED: 2/13/2018 11:09 PM

Multiple Choice

11. What kinds of images are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes?
a. Bitmap images
b. Metafile graphics
c. Vector graphics
d. Line-art images
ANSWER: c
POINTS: 1
REFERENCES: Recognizing a Graphics File
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 9:46 AM

12. What tools are used to create, modify, and save bitmap, vector, and metafile graphics?
a. Graphics viewers
b. Image readers
c. Image viewers
d. Graphics editors

ANSWER: d
POINTS: 1
REFERENCES: Recognizing a Graphics File
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 9:45 AM

13. Which images store graphics information as grids of pixels?
a. Bitmap
b. Raster
c. Vector
d. Metafile
ANSWER: a
POINTS: 1
REFERENCES: Recognizing a Graphics File
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 9:46 AM

14. What is the process of converting raw picture data to another format called?
a. Abstracting
b. Rastering
c. Demosaicing
d. Rendering
ANSWER: c
POINTS: 1
REFERENCES: Recognizing a Graphics File
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:24 PM

15. In which format are most digital photographs stored?
a. EXIF
b. TIFF
c. PNG
d. GIF
ANSWER: a
POINTS: 1
REFERENCES: Recognizing a Graphics File
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:25 PM

16. Which type of compression compresses data permanently by discarding bits of information in the file?
a. Redundant
b. Lossy

c. Huffman
d. Lossless
ANSWER: b
POINTS: 1
REFERENCES: Understanding Data Compression
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:46 PM

17. What term refers to recovering fragments of a file?
a. Carving
b. Slacking
c. Saving
d. Rebuilding
ANSWER: a
POINTS: 1
REFERENCES: Understanding Data Compression
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:27 PM

18. Which JFIF format has a hexadecimal value of FFD8 FFE0 in the first four bytes?
a. EPS
b. BMP
c. GIF
d. JPEG
ANSWER: d
POINTS: 1
REFERENCES: Understanding Data Compression
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:28 PM

19. If a graphics file cannot be opened in an image viewer, what should the next step be?
a. Examining the file's extension
b. Examining the file's name
c. Examining the file's header data
d. Examining the file's size
ANSWER: c
POINTS: 1
REFERENCES: Understanding Data Compression
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:45 PM

20. Which uppercase letter has a hexadecimal value 41?

a. “A”
b. “C”
c. “G”
d. “Z”
ANSWER: a
POINTS: 1
REFERENCES: Understanding Data Compression
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:30 PM

21. From which file format is the image format XIF derived?
a. GIF
b. JPEG
c. BMP
d. TIF
ANSWER: d
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:31 PM

22. What is the simplest way to access a file header?
a. Use a hexadecimal editor
b. Use an image editor
c. Use a disk editor
d. Use a text editor
ANSWER: a
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:33 PM

23. Which header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03?
a. TIFF
b. XIF
c. JPEG
d. GIF
ANSWER: b
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:33 PM

24. Which term refers to a data-hiding technique that uses host files to cover the contents of a secret message?
a. Steganography
b. Steganalysis
c. Graphie
d. Steganos
ANSWER: a
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:34 PM

25. Which data-hiding technique places data from the secret file into the host file without displaying the secret data when the host file is viewed in its associated program?
a. Replacement
b. Pixelation
c. Substitution
d. Insertion
ANSWER: d
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 6/5/2018 1:35 PM

26. Which data-hiding technique replaces bits of the host file with other bits of data?
a. Insertion
b. Replacement
c. Substitution
d. Pixelation
ANSWER: c
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 6/5/2018 1:36 PM

27. What is another term for steganalysis tools?
a. Image editors
b. Image tools
c. Hexadecimal editors
d. Steg tools
ANSWER: d
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False

DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:38 PM

28. What technique has been used to protect copyrighted material by inserting digital watermarks into a file?
a. Encryption
b. Steganography
c. Compression
d. Archiving
ANSWER: b
POINTS: 1
REFERENCES: Understanding Copyright Issues with Graphics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:39 PM

29. What type of laws should computer investigators be especially aware of when working with image files in order to avoid infringement violations?
a. International
b. Forensics
c. Copyright
d. Civil
ANSWER: c
POINTS: 1
REFERENCES: Understanding Copyright Issues with Graphics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:42 PM

30. How may computer programs be registered under copyright laws?
a. As literary works
b. As motion pictures
c. As architectural works
d. As audiovisual works
ANSWER: a
POINTS: 1
REFERENCES: Understanding Copyright Issues with Graphics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/7/2018 5:40 PM

Matching

Match each item with a statement below
a. Pixels
b. Hex Workshop
c. Adobe Illustrator

d. Raster image
e. JPEG
f. PNG
g. GIMP
h. Resolution
i. Metafile graphics
j. Data compression
REFERENCES: Recognizing a Graphics File; Understanding Data Compression
QUESTION TYPE: Matching
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 2/14/2018 9:02 AM

31. Drawing program that creates vector files
ANSWER: c
POINTS: 1

32. Gnome graphics editor
ANSWER: g
POINTS: 1

33. Determines the amount of detail that is displayed
ANSWER: h
POINTS: 1

34. Combinations of bitmap and vector images
ANSWER: i
POINTS: 1

35. Short for “picture elements”
ANSWER: a
POINTS: 1

36. Graphics file format that uses lossless compression
ANSWER: f
POINTS: 1

37. Graphics file format that uses lossy compression
ANSWER: e
POINTS: 1

38. A disk editor tool
ANSWER: b
POINTS: 1

39. Collection of pixels stored in rows to make images easy to print
ANSWER: d
POINTS: 1

40. Process of coding data from a larger form to a smaller form
ANSWER: j
POINTS: 1

Subjective Short Answer

41. Briefly describe the Exchangeable Image File (EXIF) format.
ANSWER: Most digital photographs are stored in the Exchangeable Image File (Exif) format. The Japan Electronics and Information Technology Industries Association (JEITA) developed it as a standard for storing metadata in JPEG and TIF files. When a digital photo is taken, information about the device (such as model, make, and serial number) and settings (such as shutter speed, focal length, resolution, date, and time) are stored in the graphics file. Most digital devices store graphics files as Exif JPEG files.
POINTS: 1
REFERENCES: Recognizing a Graphics File
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 2/13/2018 11:17 PM

42. Explain how lossless compression relates to image file formats.
ANSWER: Lossless compression techniques reduce file size without removing data. When you uncompress a file that uses lossless compression, you restore all its information. GIF and Portable Network Graphics (PNG) file formats reduce file size with lossless compression, which saves file space by using mathematical formulas to represent data in a file. These formulas generally use one of two algorithms: Huffman or Lempel-Ziv-Welch (LZW) coding. Each algorithm uses a code to represent redundant bits of data. For example, if a graphics file contains a large red area, the algorithm can set 1 byte to red and set another byte to specify 200 red bytes instead of having to store 200 red bytes. Therefore, only 2 bytes are used.
POINTS: 1
REFERENCES: Understanding Data Compression
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 2/13/2018 11:20 PM

43. How does vector quantization (VQ) compress data?
ANSWER: One form of lossy compression, vector quantization (VQ), uses complex algorithms to determine what data to discard based on vectors in the graphics file. In simple terms, VQ discards bits in much the same way rounding off decimal values discards numbers.
POINTS: 1
REFERENCES: Understanding Data Compression
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 2/13/2018 11:22 PM

44. Write a brief history of steganography.
ANSWER: Steganography has been used since ancient times. Greek rulers used this technique to send covert messages to diplomats and troops via messengers. To hide messages, rulers shaved their messengers’ heads and tattooed messages on their scalps. After the messengers’ hair grew enough to cover the message, they left for their destinations, where they shaved their heads so that recipients could read the message. This method was a clever way to send and retrieve encrypted information, but it was inefficient because the messengers’ hair took a long time to grow back, and only a limited amount of space was available to write messages. However, it enabled the Greeks to send secret messages until their enemies discovered this early form of steganography and began intercepting messengers.
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 2/13/2018 11:28 PM

45. Describe how to hide information on an 8-bit bitmap image file using substitution steganography.
ANSWER: For example, if you use an 8-bit graphics file, each pixel is represented by 8 bits of data containing information about the color each pixel displays onscreen. The bits are prioritized from left to right, such as 11101100. The first bit on the left is the most significant bit (MSB), and the last bit on the right is the least significant bit (LSB). As the names suggest, changing the MSB affects the pixel display more than changing the LSB does. Furthermore, you can usually change only the last two LSBs in an image without producing a noticeable change in the shade of color the pixel displays.
For example, if your secret message is converted to binary form to equal 01101100 and you want to embed this secret message into a picture, you alter the last 2 bits of four pixels. You break the binary form into sections of two, as in 01 10 11 00, and insert the bits into the last 2 bits of each pixel.
POINTS: 1
REFERENCES: Identifying Unknown File Formats

QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 2/13/2018 11:31 PM

46. Explain how to use steganalysis tools.
ANSWER: You can use several different steganalysis tools (also called “steg tools”) to detect, decode, and record hidden data, even in files that have been renamed to protect their contents. A steganalysis tool can also detect variations of an image. If a graphics file has been renamed, a steganalysis tool can identify the file format from the file header and indicate whether the file contains an image. Although steganalysis tools can help identify hidden data, steganography is generally difficult to detect. In fact, if steganography is done correctly, in most cases you can’t detect the hidden data unless you can compare the altered file with the original file. Check to see whether the file size, image quality, or file extensions have changed. If so, you might be dealing with a steganography image.
POINTS: 1
REFERENCES: Identifying Unknown File Formats
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 2/13/2018 11:37 PM

47. Give a brief overview of copyright laws pertaining to graphics within and outside the U.S.
ANSWER: The U.S. Copyright Office Web site defines precisely how copyright laws pertain to graphics (see www.copyright.gov for information on the 1976 Copyright Act). Copyright laws as they pertain to the Internet, however, aren’t as clear. For example, a server in another country might host a Web site, which could mean it’s regulated by copyright laws in that country. Because each country has its own copyright laws, enforcement can be difficult. Contrary to what some might believe, there’s no international copyright law.
POINTS: 1
REFERENCES: Understanding Copyright Issues with Graphics
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 12/1/2017 12:59 PM

48. Present a list of categories covered under copyright laws in the U.S.
ANSWER: Copyrightable works include the following categories:
1. literary works;

2. musical works, including any accompanying words;
3. dramatic works, including any accompanying music;
4. pantomimes and choreographic works;
5. pictorial, graphic, and sculptural works;
6. motion pictures and other audiovisual works;
7. sound recordings;
8. architectural works.
POINTS: 1
REFERENCES: Understanding Copyright Issues with Graphics
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 12/1/2017 12:59 PM

49. How does the number of colors a monitor displays affect image quality?
ANSWER: A setting that affects image quality is the number of colors the monitor displays. Graphics files can have different amounts of color per pixel, but each file must allocate bits of space to represent its colors. The following list shows the number of bits per colored pixel:
• 1 bit = 2 colors
• 4 bits = 16 colors
• 8 bits = 256 colors
• 16 bits = 65,536 colors
• 24 bits = 16,777,216 colors
• 32 bits = 4,294,967,296 colors
Bitmap and raster files use as much of the color palette as possible. However, when you save a bitmap or raster file, the resolution and color might change, depending on the colors in the original file and whether the file format supports these colors.
POINTS: 1
REFERENCES: Recognizing a Graphics File
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
DATE CREATED: 2/14/2018 9:03 AM
DATE MODIFIED: 2/16/2018 12:19 PM

50. Briefly describe fair use.
ANSWER: A short direct quote for news reporting or critiques is considered fair use, and the material’s originator or owner doesn’t have to be paid. Material used for noncommercial and educational purposes also falls under the fair use guideline. These distinctions can get complicated, however. For example, an instructor copying parts of a book to use as handouts in a class setting is operating within the fair use guideline. On the other hand, if the instructor sends the book to a printer to copy and pays the printer, a copyright violation has occurred because a commercial printer was paid to copy the book, even though the copies were to be used for educational purposes.
POINTS: 1

REFERENCES: Understanding Copyright Issues with Graphics
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
DATE CREATED: 2/14/2018 9:06 AM
DATE MODIFIED: 2/16/2018 12:19 PM

Chapter 09: Digital Forensics Analysis and Validation

True / False

1. The defense request for full discovery of digital evidence applies only to criminal cases in the United States.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 12/1/2017 12:58 PM

2. For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 12/1/2017 12:58 PM

3. Autopsy for Windows cannot perform forensics analysis on FAT file systems.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/28/2018 10:32 AM

4. Autopsy for Windows cannot analyze data from image files from other vendors.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: True / False
HAS VARIABLES: False

DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/21/2018 5:30 PM

5. When two files look the same when viewed but one has an invisible digital watermark, they appear to be the same file except for their sizes.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 6/5/2018 1:46 PM

6. Several password-cracking tools are available for handling password-protected data or systems.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 2/21/2018 6:43 PM
DATE MODIFIED: 2/21/2018 6:44 PM

7. Most organizations keep e-mail for longer than 90 days.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 2/21/2018 6:54 PM
DATE MODIFIED: 2/21/2018 6:55 PM

8. Some encryption schemes are so complex that the time to crack them can be measured in days, weeks, years, and even decades.
a. True
b. False
ANSWER: True
POINTS: 1

REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 2/21/2018 7:54 PM
DATE MODIFIED: 2/21/2018 7:57 PM

9. Private-sector cases, such as employee abuse investigations, might not specify limitations in recovering data.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 2/21/2018 7:56 PM
DATE MODIFIED: 2/28/2018 10:33 AM

10. For static acquisitions, remove the original drive from the computer, if practical, and then check the date and time values in the system’s CMOS.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 2/21/2018 7:59 PM
DATE MODIFIED: 2/21/2018 8:09 PM

Multiple Choice

11. What does scope creep typically do?
a. Virtually guarantees a conviction and substantial penalty
b. Increases the time and resources needed to extract, analyze, and present data
c. Leads to the discovery and prosecution of other crimes
d. Creates overburdened staff who become careless with their work
ANSWER: b
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 8:11 AM

12. What should be created in order to begin a digital forensics case?
a. An investigation plan
b. A risk assessment report
c. An evidence custody list
d. An investigation report
ANSWER: a
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 8:12 AM

13. In addition to search warrants, what defines the scope of civil and criminal cases?
a. Risk assessment reports
b. Investigator preferences
c. Lab policies and procedures
d. Subpoenas
ANSWER: d
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 6:52 AM

14. Which program has an indexed version of the NIST NSRL of MD5 hashes that can be imported to enhance searching for and eliminating known OS and application files?
a. Autopsy
b. AccessData
c. WinHex
d. KFF
ANSWER: a
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 8:13 AM

15. Because digital forensics tools have limitations in performing hashing, what tools should be used to ensure data integrity?
a. High-level language assemblers
b. HTML editors
c. Hexadecimal editors
d. Steganalysis tools
ANSWER: c
POINTS: 1
REFERENCES: Validating Forensic Data
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False

DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 9:55 AM

16. Which AccessData feature compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data?
a. KFF
b. PKFT
c. NTI
d. NSRL
ANSWER: a
POINTS: 1
REFERENCES: Validating Forensic Data
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 8:07 AM

17. Which activity involves changing or manipulating a file to conceal information?
a. Data fudging
b. Data deception
c. Data dumping
d. Data hiding
ANSWER: d
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 6:55 AM

18. Which Windows disk partition utility can be used to hide partitions?
a. Norton DiskEdit
b. PartitionMagic
c. System Commander
d. diskpart
ANSWER: d
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 6:56 AM

19. The data-hiding technique involving marking bad clusters is more commonly used with what type of file system?
a. NTFS
b. FAT
c. HFS
d. Ext2fs
ANSWER: b
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques

QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 6:58 AM

20. Which term comes from the Greek word for “hidden writing”?
a. Cryptography
b. Steganography
c. Lexicography
d. Hagiography
ANSWER: b
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 6/5/2018 1:47 PM

21. When both the original file with no hidden message and the converted file with the hidden message are available, what analysis method is recommended by Johnson and Jajodia?
a. Message-only attack
b. Known message attack
c. Chosen message attack
d. Known cover attack
ANSWER: d
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 6/5/2018 1:56 PM

22. What technology is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure?
a. Passphrase splitting
b. Key escrow
c. Passphrase escrow
d. Key splitting
ANSWER: b
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 7:31 AM

23. Which program incorporates an advanced encryption technique that can be used to hide data?
a. NTI
b. BestCrypt
c. FTK
d. PRTK

ANSWER: b
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 9:59 AM

24. Which type of recovery is becoming more common in digital forensic analysis?
a. Data
b. Partition
c. Password
d. Image
ANSWER: c
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 7:37 AM

25. What type of attacks use every possible letter, number, and character found on a keyboard when cracking a password?
a. Brute-force
b. Dictionary
c. Profile
d. Statistics
ANSWER: a
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 7:37 AM

26. Many password-protected OSs and applications store passwords in the form of which type of hash values?
a. SSL
b. MD5
c. SSH
d. AES
ANSWER: b
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 7:45 AM

27. Which action alters hash values, making cracking passwords more difficult?
a. Salting passwords
b. Hash morphing

c. Rainbow tabling
d. Code twisting
ANSWER: a
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 5/8/2018 7:48 AM

28. What limits the data that can be sought in a criminal investigation?
a. The search warrant
b. The legal definition of the purported crime
c. The agency's policies and procedures
d. The applicable administrative rule
ANSWER: a
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 2/21/2018 5:51 PM
DATE MODIFIED: 5/8/2018 7:50 AM

29. Which data-hiding technique changes data from readable code to data that looks like binary executable code?
a. Marking bad clusters
b. Partition-shifting
c. Partition hiding
d. Bit-shifting
ANSWER: d
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 2/21/2018 5:56 PM
DATE MODIFIED: 5/8/2018 7:51 AM

30. Which hashing algorithm is provided by WinHex?
a. AES
b. SHA-1
c. RC4
d. CRC
ANSWER: b
POINTS: 1
REFERENCES: Validating Forensic Data
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 2/21/2018 6:16 PM
DATE MODIFIED: 5/8/2018 7:55 AM

Matching

Match each item with a statement below
a. Court orders for discovery
b. Investigation plan
c. Digital Intelligence PDWipe
d. Salting password
e. Cover-media
f. PRTK
g. Validating digital evidence
h. Stego-media
i. Quantum computing
j. Rainbow table
REFERENCES: Addressing Data-Hiding Techniques; Determining What Data to Collect and Analyze; Validating Forensic Data
QUESTION TYPE: Matching
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/24/2018 5:14 PM

31. Defines the investigation’s goal and scope, the materials needed, and the tasks to perform
ANSWER: b
POINTS: 1

32. The converted cover-media file that stores the hidden message
ANSWER: h
POINTS: 1

33. One of the most critical aspects of computer forensics
ANSWER: g
POINTS: 1

34. The original file with no hidden message
ANSWER: e
POINTS: 1

35. Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
ANSWER: d
POINTS: 1

36. A password recovery program available from AccessData
ANSWER: f
POINTS: 1

37. Progressing to make any current encryption schemes obsolete
ANSWER: i
POINTS: 1

38. Program used to clean all data from the target drive you plan to use
ANSWER: c
POINTS: 1

39. Limit a civil investigation
ANSWER: a
POINTS: 1

40. A file containing the hash values for every possible password that can be generated from a computer’s keyboard
ANSWER: j
POINTS: 1

Subjective Short Answer

41. Describe the effects of scope creep on an investigation in the corporate environment.
ANSWER: In a private-sector environment, especially if litigation is involved or anticipated, the company attorney often directs the investigator to recover as much information as possible. Satisfying this demand becomes a major undertaking with many hours of tedious work. These types of investigations can also result in scope creep, in which an investigation expands beyond the original description because of unexpected evidence. Scope creep increases the time and resources needed to extract, analyze, and present all the evidence.
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/21/2018 6:48 PM

42. Describe with examples why the approach you take for a forensics case depends largely on the specific type of case you’re investigating.
ANSWER: For example, gathering evidence for an e-mail harassment case might involve little more than accessing network logs and e-mail server backups to locate specific messages. Your approach, however, depends on whether the case is an internal organizational investigation or a civil or criminal investigation carried out by law enforcement. In an internal investigation, evidence collection tends to be fairly easy and straightforward because private-sector investigators usually have ready access to the necessary records and files.
In contrast, when investigating a criminal cyberstalking case, you need to contact the ISP and e-mail service. Some companies have systems set up to handle these situations, but others do not. Many organizations don’t keep e-mail for longer than 90 days, and some keep it for far less time.
POINTS: 1

REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/21/2018 6:54 PM

43. How should you approach a case in which an employee is suspected of industrial espionage?
ANSWER: An investigation of an employee suspected of industrial espionage can require the most work. Before initiating this type of investigation, make sure the organization, whether it’s a private company or a public agency, has set up rules of use and limitations of privacy rights, as described in Chapter 1. For these investigations, you might need to set up a surveillance camera to monitor the employee’s activities in the office. You might also need to plant a software or hardware keylogger (for capturing keystrokes remotely), and you need to engage the network administrator’s services to monitor Internet and network activities. In this situation, you might want to do a remote acquisition of the employee’s drive, and then use another tool to determine whether peripheral devices have been accessed.
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/21/2018 6:57 PM

44. What are the file systems supported by Autopsy for forensic analysis?
ANSWER: Autopsy can perform forensic analysis on the following file systems:
* Microsoft FAT, NTFS, ExFAT, UFS1, and UFS2
* ISO 9660 and YAFFS2
* Mac HFS+ and HFSX
* Linux Ext2fs, Ext3fs, and Ext4fs
POINTS: 1
REFERENCES: Determining What Data to Collect and Analyze
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/24/2018 5:11 PM

45. How does the Known File Filter program work?
ANSWER: AccessData has its own hashing database, Known File Filter (KFF), which is available only with FTK. KFF filters known program files, such as winword.exe, from view and contains

the hash values of known illegal files, such as child pornography. It then compares known file hash values with files on your evidence drive or image files to see whether they contain suspicious data. Periodically, AccessData updates these known hash values and posts an updated KFF.
POINTS: 1
REFERENCES: Validating Forensic Data
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/21/2018 7:02 PM

46. How can you validate the integrity of image files with AccessData FTK Imager?
ANSWER: Commercial digital forensics tools have built-in validation features for image acquisitions. These tools generate MD5 and SHA-1 hash values for the data in image files. For example, in AccessData FTK Imager, when you select the Expert Witness (.E01) or SMART (.S01) format, additional options are available for hashing all the data. FTK Imager then inserts a report into the .E01 or .S01 file that lists MD5 and SHA-1 hash values. Autopsy has a similar feature called E01 Verifier for verifying an Expert Witness image file.
POINTS: 1
REFERENCES: Validating Forensic Data
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/21/2018 7:05 PM

47. How can you hide data by marking bad clusters?
ANSWER: One data-hiding technique used in FAT file systems is placing sensitive or incriminating data in free or slack space on disk partition clusters. This technique, although not common now, involves using older utilities, such as Norton DiskEdit, developed by Symantec as part of its Norton Utilities suite. In Norton DiskEdit, you can mark good clusters as bad clusters in the FAT table. The OS then considers these clusters unusable. The only way they can be accessed from the OS is by changing them to good clusters with a disk editor.
To mark a good cluster as bad in Norton DiskEdit, you type the letter B in the FAT entry corresponding to that cluster when examining the FAT table. You can then use any DOS disk editor to write and read data to this cluster, which is effectively hidden because it appears as bad to the OS.
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False

STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/21/2018 7:08 PM

48. Briefly describe how to use steganography for creating digital watermarks.
ANSWER: The term steganography comes from the Greek word for “hidden writing.” It’s defined as hiding messages in such a way that only the intended recipient knows the message is there. In addition to steganography, digital watermarking was developed as a way to protect file ownership. Some digital watermarks are designed to be visible—for example, to notify users that an image is copyrighted. The digital watermarks used for steganography aren’t usually visible. For example, when viewing two files that look the same, but one has an invisible digital watermark, they appear to be the same file. Their file sizes might even be identical. However, if you run an MD5 or SHA-1 hash comparison on both files, you’ll find that the hash values aren’t equal.
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/21/2018 7:12 PM

49. Briefly describe known cover attack and known message attack.
ANSWER:
• Known cover attack—Used when the cover-media, the original file with no hidden message, and the stego-media, the converted cover-media file that stores the hidden message, are available for analysis. By analyzing the original and steganography files, further comparisons can be made to identify common patterns that might help decipher the message.
• Known message attack—Used when the hidden message is revealed later, allowing further analysis of new messages. Similar to the known cover attack, this method uses comparative analysis to decipher the message. Because the message is known, deciphering it takes less effort.
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/21/2018 7:15 PM

50. Briefly describe the differences between brute-force attacks and dictionary attacks to crack passwords.
ANSWER: Brute-force attacks use every possible letter, number, and character found on a keyboard. Eventually, a brute-force attack can crack any password; however, this method can require a

lot of time and processing power, especially if the password is very long. In a dictionary attack, the program uses common words found in the dictionary and tries them as passwords. Most password crackers have dictionaries in a variety of languages, including English, French, Russian, and even Swahili. With some password-cracking tools, you can import additional unique words that are typically extracted from evidence.
POINTS: 1
REFERENCES: Addressing Data-Hiding Techniques
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:58 PM
DATE MODIFIED: 2/21/2018 7:17 PM

Chapter 10: Virtual Machine Forensics, Live Acquisitions, and Network Forensics

True / False

1. When intruders break into a network, they rarely leave a trail behind.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 12/1/2017 12:59 PM

2. Network forensics is a fast, easy process.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 12/1/2017 12:59 PM

3. Virtual machines are now common for both personal and business use.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: An Overview of Virtual Machine Forensics
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 3/5/2018 5:58 PM

4. Virtual machines (VMs) help offset hardware costs for companies.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: An Overview of Virtual Machine Forensics
QUESTION TYPE: True / False
HAS VARIABLES: False

DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 3/5/2018 5:58 PM

5. Type 2 hypervisors cannot be used on laptops.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: An Overview of Virtual Machine Forensics
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 3/5/2018 5:58 PM

6. Type 1 hypervisors are usually the ones you find loaded on a suspect machine.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: An Overview of Virtual Machine Forensics
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 3/5/2018 6:10 PM
DATE MODIFIED: 3/5/2018 6:18 PM

7. Before attempting to install a type 2 hypervisor, you need to enable virtualization in the BIOS before attempting to create a VM.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: An Overview of Virtual Machine Forensics
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 3/5/2018 6:14 PM
DATE MODIFIED: 3/5/2018 6:19 PM

8. In network forensics, you have to restore the drive to see how malware that attackers have installed on the system works.
a. True
b. False
ANSWER: True
POINTS: 1

REFERENCES: Network Forensics Overview
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 3/5/2018 6:54 PM
DATE MODIFIED: 3/5/2018 6:55 PM

9. A honeywall is a computer set up to look like any other machine on your network, but it lures the attacker to it.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 3/5/2018 7:15 PM
DATE MODIFIED: 3/5/2018 7:16 PM

10. Network logs record traffic in and out of a network.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 3/5/2018 7:17 PM
DATE MODIFIED: 3/5/2018 7:17 PM

Multiple Choice

11. Which type of forensics can help you determine whether a system is truly under attack or a user has inadvertently installed an untested patch or custom program?
a. Intrusion forensics
b. Network forensics
c. DDoS forensics
d. Traffic forensics
ANSWER: b
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:21 AM

12. Which type of strategy hides the most valuable data at the innermost part of the network?

a. Layered network defense
b. Firewalls
c. Intrusion deflection
d. Operations mode
ANSWER: a
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:26 AM

13. What type of software runs virtual machines?
a. A hypervisor
b. A digital simulator
c. A virtual server
d. A systems mirror
ANSWER: a
POINTS: 1
REFERENCES: An Overview of Virtual Machine Forensics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:28 AM

14. Which type of virtual machine software is typically, but not exclusively, loaded on servers or workstations with a lot of RAM and storage?
a. Type 1
b. Type 2
c. Type 3
d. Type 4
ANSWER: a
POINTS: 1
REFERENCES: An Overview of Virtual Machine Forensics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 6/5/2018 2:01 PM

15. Which product responded to the need for security and performance by producing different CPU designs?
a. Parallels Virtualization
b. Hyper-V
c. KVM
d. Virtualization Technology (VT)
ANSWER: d
POINTS: 1
REFERENCES: An Overview of Virtual Machine Forensics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:31 AM

16. Which program can be used to examine network traffic?
a. Netdump
b. Slackdump
c. Coredump
d. Tcpdump
ANSWER: d
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:33 AM

17. Which tool lists all open network sockets, including those hidden by rootkits?
a. EnCase
b. Memoryze
c. R-Tools
d. Knoppix
ANSWER: b
POINTS: 1
REFERENCES: Performing Live Acquisitions
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:34 AM

18. What determines how long a piece of information lasts on a system?
a. Continuity level
b. Longevity
c. Order of volatility
d. Liveness
ANSWER: c
POINTS: 1
REFERENCES: Performing Live Acquisitions
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:35 AM

19. Which network defense strategy, developed by the National Security Agency (NSA), has three modes of protection?
a. Anti-Rootkit
b. Layered Defense
c. Defense in Depth
d. PsShutdown
ANSWER: c
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM

DATE MODIFIED: 5/8/2018 8:58 AM

20. Which tool allows network traffic to be viewed graphically?
a. Ethereal
b. Etherape
c. Tcpdump
d. john
ANSWER: b
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:38 AM

21. Which network protocol analyzer can be programmed to examine TCP headers to find the SYN flag?
a. Memorizer
b. John
c. Memfetch
d. Tethereal
ANSWER: d
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:54 AM

22. Which tool is useful for extracting information from large Libpcap files?
a. Tcpslice
b. John
c. Oinkmaster
d. Memfetch
ANSWER: a
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:41 AM

23. What are packet analyzers?
a. Devices or software placed on a network to monitor traffic
b. Devices or software used to generate lists of incoming IP addresses for each network port
c. Software placed on a network to identify open sockets hidden by rootkits
d. Devices placed on a network to entice attackers and then record their activities
ANSWER: a
POINTS: 1
REFERENCES: Network Forensics Overview

QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 6/5/2018 2:30 PM

24. On which OSI model layers do most packet analyzers operate?
a. Layers 1 or 2
b. Layers 2 or 3
c. Layers 3 or 4
d. Layers 4 or 5
ANSWER: b
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:45 AM

25. Which format can be read by most packet analyzer tools?
a. SYN
b. DOPI
c. Pcap
d. AIATP
ANSWER: c
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:46 AM

26. In which type of attack does the attacker keep asking the server to establish a connection?
a. SYN flood
b. ACK flood
c. Brute-force attack
d. PCAP attack
ANSWER: a
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 10:16 AM

27. Which tool was designed as an easy-to-use interface for inspecting and analyzing large tcpdump files?
a. Tcpread
b. Ethertext
c. Etherape
d. Netdude
ANSWER: d
POINTS: 1

REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:55 AM

28. Which tool probes, collects, and analyzes session data?
a. Nmap
b. Argus
c. Pcap
d. TCPcap
ANSWER: b
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:56 AM

29. Which project was developed to make information widely available in an attempt to thwart Internet and network hackers?
a. Honeynet
b. Honeypot
c. Honeywall
d. Honeyweb
ANSWER: a
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:51 AM

30. What term is used for the machines used in a DDoS attack?
a. Dupes
b. Soldiers
c. Zombies
d. Pawns
ANSWER: c
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 8:52 AM

Matching

Match each item with a statement below

a. Type 1 hypervisor
b. Tethereal
c. Tripwire
d. Layered network defense strategy
e. Wireshark
f. Virtual Machine Extensions (VMX)
g. Type 2 hypervisor
h. Parallels Desktop
i. KVM
j. Kali Linux
REFERENCES: Performing Live Acquisitions; An Overview of Virtual Machine Forensics; Network Forensics Overview
QUESTION TYPE: Matching
HAS VARIABLES: False
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 3/5/2018 8:26 PM

31. Can be used in a real-time environment to open saved trace files from packet captures
ANSWER: e
POINTS: 1

32. Sets up layers of protection to hide the most valuable data at the innermost part of the network
ANSWER: d
POINTS: 1

33. An audit control program that detects anomalies in traffic and sends an alert automatically
ANSWER: c
POINTS: 1

34. Runs on "bare metal" and doesn't require a separate OS
ANSWER: a
POINTS: 1

35. Rests on top of an existing OS
ANSWER: g
POINTS: 1

36. Created for Macintosh users who also use Windows applications
ANSWER: h
POINTS: 1

37. Hypervisor for the Linux OS
ANSWER: i
POINTS: 1

38. A network protocol analyzer
ANSWER: b
POINTS: 1

39. Instruction sets necessary to use virtualization
ANSWER: f
POINTS: 1

40. The updated version of BackTrack
ANSWER: j
POINTS: 1

Subjective Short Answer

41. Why is testing networks as important as testing servers?
ANSWER: Testing networks is as important as testing servers. You need to be up to date on the latest methods intruders use to infiltrate networks as well as methods internal employees use to sabotage networks. In the early and mid-1990s, approximately 70% of network attacks were caused by employees. Since then, this problem has been compounded by contract employees, who often have the same level of network privileges as full-time employees. In addition, small companies of fewer than 10 employees often don’t consider security precautions against internal threats necessary, so they can be more susceptible to problems caused by employees revealing proprietary information to competitors. However, increasing use of the Internet has caused a rise in external threats, so internal and external threats are currently about 50-50.
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 5/8/2018 10:17 AM

42. When are live acquisitions useful?
ANSWER: Live acquisitions are especially useful when you’re dealing with active network intrusions or attacks or if you suspect employees are accessing network areas they shouldn’t. Live acquisitions done before taking a system offline are also becoming a necessity because attacks might leave footprints only in running processes or RAM; for example, some malware disappears after a system is restarted. In addition, information in RAM is lost after you turn off a suspect system.
However, after you do a live acquisition, information on the system has changed because your actions affect RAM and running processes, which also means the information can’t be reproduced. Therefore, live acquisitions don’t follow typical forensics procedures.
POINTS: 1

REFERENCES: Performing Live Acquisitions
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 3/5/2018 7:23 PM

43. What is the general procedure for a live acquisition?
ANSWER: The following steps show the general procedure for a live acquisition, although investigators differ on exact steps:
1. Create or download a bootable forensic CD or USB drive, and test it before using it on a suspect drive. If the suspect system is on your network and you can access it remotely, add the necessary network forensics tools to your workstation. If not, insert the bootable forensics CD/USB in the suspect system.
2. Make sure you keep a log of all your actions; documenting your actions and reasons for those actions is critical.
3. A network drive is ideal as a place to send the information you collect. If you don’t have one available, connect an external drive to the suspect system for collecting data. Be sure to note this step in your log.
4. Next, copy the physical memory (RAM). WindowsScope (www.windowsscope.com), Magnet AXIOM, OSForensics, FTK Imager, and similar tools can copy the RAM for you.
5. The next step varies, depending on the incident you’re investigating. With an intrusion, for example, you might want to see whether a rootkit exists by using a tool such as Malwarebytes Anti-RootKit or PC Hunter. You can also access the system’s firmware to see whether it has changed, create an image of the drive over the network, or shut down the system and make a static acquisition later.
6. Be sure to get a forensically sound digital hash value of all files you recover during the live acquisition to make sure they aren’t altered later.
POINTS: 1
REFERENCES: Performing Live Acquisitions
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 3/5/2018 7:28 PM

44. Detail some of the tools for performing a live acquisition in Windows.
ANSWER: Several tools are available for capturing RAM. For example, Mandiant Memoryze (www.fireeye.com/services/freeware/memoryze.html) lists all open network sockets, including those hidden by rootkits. It also works on both 32-bit and 64-bit systems. Belkasoft RamCapturer (https://belkasoft.com/ram-capturer) is available in 32-bit and 64-bit versions and can run from a USB drive. Another tool is Kali Linux, the updated version of BackTrack (covered in more detail in Chapter 7). It still has more than 300 tools, but outdated or obsolete ones have been eliminated. Kali Linux contains password crackers, network sniffers, and freeware forensics tools. For more

details, go to www.kali.org/official-documentation/.
POINTS: 1
REFERENCES: Performing Live Acquisitions
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 3/5/2018 7:57 PM

45. How should you proceed if your network forensic investigation involves other companies?
ANSWER: As with all investigations, keep preservation of evidence in mind. Your investigation might turn up other companies that have been compromised. In much the same way you wouldn’t turn over proprietary company information to become public record, you shouldn’t reveal information discovered about other companies. In these situations, the best course of action is to contact the companies and enlist their aid in tracking down network intruders. Depending on the situation, at some point you might have to report the incident to federal authorities.
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 3/5/2018 7:58 PM

46. How do cloud service providers complicate investigating virtual networks?
ANSWER: Say you’re dealing with a cloud service provider (CSP) that hosts networks for several to hundreds of companies. As stated in the Journal of Cybersecurity article, network forensics investigations in the cloud are hampered by the very qualities that make the cloud appealing—elasticity and flexibility. If needed (and it’s allowed in the service level agreement), a new server can come online to deal with load balancing. In addition, automatic failovers are in place, which may or may not be in the same physical location as the server.
Add to that hundreds or even thousands of NICs with the same IP address and MAC address, and you can see that traditional physical network forensics can’t handle these arrangements.
POINTS: 1
REFERENCES: Network Forensics Overview
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
TOPICS: Critical Thinking
DATE CREATED: 12/1/2017 12:59 PM
DATE MODIFIED: 3/5/2018 8:02 PM

47. Briefly describe Intel's Virtualization Technology (VT).
ANSWER: Before installing a type 2 hypervisor and creating a VM, you need to enable virtualization in the BIOS. Intel Virtualization Technology (VT) has responded to the need for security and performance by producing different CPU designs. With one design, you must go into the BIOS to enable virtualization (which is a hardware function, not an OS function). The other CPU design doesn’t support virtualization. To determine whether your CPU supports virtualization, first look in Control Panel to find out what type of CPU your device has, and then do a search on this particular CPU at http://ark.intel.com/Products/VirtualizationTechnology.
POINTS: 1 REFERENCES: An Overview of Virtual Machine Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/5/2018 8:08 PM

48. What are some of the steps for conducting a forensic analysis of virtual machines?
ANSWER: Following a consistent procedure when you’re conducting a forensic analysis of VMs is crucial. Here’s an overview:
1. Image the host machine.
2. Locate the virtualization software and VMs, using the information you’ve learned about file extensions and network adapters.
3. Export from the host machine all files associated with VMs, including log files, virtual adapters, and snapshots.
4. Record the hash values of these associated files. Typically, forensics software can perform this task as part of the export function.
5. Next, you can open a VM as an image file in forensics software and create a forensic image of it, or mount the VM as a drive and then image it or do a live search.
POINTS: 1 REFERENCES: An Overview of Virtual Machine Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/5/2018 8:11 PM

49. Describe type 1 and type 2 hypervisors.
ANSWER: There are two types of hypervisors: type 1 and type 2. A type 1 hypervisor runs on “bare metal,” meaning it loads on physical hardware and doesn’t require a separate OS, although many type 1 hypervisors incorporate Linux-based operating systems. Literally thousands of VMs can be hosted on a single type 1 hypervisor and many more on a cluster of these hosts. A type 2 hypervisor rests on top of an existing OS, such as Windows, Linux, or macOS.
POINTS: 1

REFERENCES: An Overview of Virtual Machine Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/5/2018 8:13 PM

50. What are the differences between a honeypot and a honeywall?
ANSWER: A honeypot is a computer set up to look like any other machine on your network; its purpose is to lure attackers to your network, but it contains no information of real value. You can take the honeypot offline to analyze it and not affect the running of your network. Honeywalls are computers set up to monitor what’s happening to honeypots on your network and record what attackers are doing (see www.honeynet.org/papers/cdrom/). Honeypots and honeywalls are commonly used to attract intruders and see what they’re attempting to do on a network.
POINTS: 1 REFERENCES: Network Forensics Overview QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/5/2018 8:05 PM

Chapter 11: E-mail and Social Media Investigations

True / False

1. For digital investigators, tracking intranet e-mail is easier because accounts use standard names the administrator establishes.
a. True
b. False
ANSWER: True
POINTS: 1 REFERENCES: Exploring the Roles of the Client and Server in E-mail QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 5:39 PM

2. Investigating crimes or policy violations involving e-mail is different than investigating other types of computer abuse and crimes.
a. True
b. False
ANSWER: False
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 5:57 PM

3. E-mail programs either save e-mail messages on the client computer or leave them on the server.
a. True
b. False
ANSWER: True
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 12/1/2017 12:59 PM

4. All e-mail servers use databases that store multiple users’ e-mails.
a. True
b. False
ANSWER: False
POINTS: 1 REFERENCES: Understanding E-mail Servers

QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 5:46 PM

5. Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.
a. True
b. False
ANSWER: True
POINTS: 1 REFERENCES: Understanding E-mail Servers QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 12/1/2017 12:59 PM

6. Forensic linguistics encompasses civil cases, criminal cases, cyberterrorism cases, and other legal proceedings.
a. True
b. False
ANSWER: True
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/8/2018 6:15 PM DATE MODIFIED: 3/8/2018 6:16 PM

7. E-mail crimes and violations rarely depend on the city, state, and country in which the e-mail originated.
a. True
b. False
ANSWER: False
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/8/2018 6:35 PM DATE MODIFIED: 3/9/2018 11:18 AM

8. Evidence artifacts vary depending on the social media channel and the device.
a. True
b. False
ANSWER: True
POINTS: 1

REFERENCES: Applying Digital Forensics Methods to Social Media Communications QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/8/2018 6:51 PM DATE MODIFIED: 3/9/2018 11:17 AM

9. A challenge with using social media data in court is authenticating the author and the information.
a. True
b. False
ANSWER: True
POINTS: 1 REFERENCES: Applying Digital Forensics Methods to Social Media Communications QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/8/2018 6:52 PM DATE MODIFIED: 3/8/2018 6:53 PM

10. You can send and receive e-mail in two environments: via the Internet or an intranet (an internal network).
a. True
b. False
ANSWER: True
POINTS: 1 REFERENCES: Exploring the Roles of the Client and Server in E-mail QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/8/2018 6:58 PM DATE MODIFIED: 3/8/2018 6:58 PM

Multiple Choice

11. What name is used for the configuration typically used for e-mail messages that are distributed from a central server to many connected client computers?
a. Client/server architecture
b. Central distribution architecture
c. Client architecture
d. Peer-to-peer architecture
ANSWER: a
POINTS: 1 REFERENCES: Exploring the Roles of the Client and Server in E-mail QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:41 AM

12. In an e-mail address, what symbol separates the domain name from the rest of the address?

a. #
b. .
c. @
d.
ANSWER: c
POINTS: 1 REFERENCES: Exploring the Roles of the Client and Server in E-mail QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:04 AM

13. In what type of e-mail programs can the user copy an e-mail message by dragging the message to a storage medium, such as a folder or drive?
a. Command-line
b. Shell-based
c. Prompt-based
d. GUI
ANSWER: d
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:42 AM

14. What is the main information being sought when examining e-mail headers?
a. The date and time the e-mail was sent
b. The originating e-mail's domain name or an IP address
c. The type of attachments included, if any
d. The types of encryption used
ANSWER: b
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:12 AM

15. To retrieve e-mail headers in Microsoft Outlook, what option should be clicked after the e-mail has been selected?
a. File, Options
b. Source Details
c. File, Properties
d. Message Source
ANSWER: c
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 10:25 AM

16. In Web-based e-mail, how are messages displayed and saved?
a. As web pages
b. As .rtf files
c. As .txt files
d. As CSS codes
ANSWER: a
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:18 AM

17. In which discipline do professionals listen to voice recordings to determine who’s speaking or read e-mail and other writings known to be by a certain person and determine whether that person wrote the e-mail or letter in question?
a. Communication forensics
b. Forensic linguistics
c. Linguistic analysis
d. Communication linguistics
ANSWER: b
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:20 AM

18. To view Gmail Web e-mail headers, what should be clicked after the e-mail has been opened and the down arrow next to the Reply circular arrow has been clicked?
a. More options
b. Message properties
c. Options
d. Show original
ANSWER: d
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 6/5/2018 2:33 PM

19. To view e-mail headers on Yahoo!, what should be clicked on after "More" has been selected?
a. Advanced
b. General Preferences
c. Message Properties
d. View Raw Message
ANSWER: d
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Multiple Choice

HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 6/5/2018 2:34 PM

20. In Microsoft Outlook, what file extension is used with saved sent, drafted, deleted, and received e-mails?
a. .ost
b. .eml
c. .msg
d. .pst
ANSWER: d
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:23 AM

21. Which site can be used to verify the names of domains a message is flowing through?
a. www.dkim.org
b. www.google.com
c. www.whatis.com
d. www.juno.com
ANSWER: a
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:24 AM

22. Which type of logging allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size?
a. Continuous logging
b. Automatic logging
c. Circular logging
d. Server logging
ANSWER: c
POINTS: 1 REFERENCES: Understanding E-mail Servers QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:24 AM

23. Which files provide helpful information to an e-mail investigation?
a. Configuration and batch files
b. Log and configuration files
c. Log files and scripts
d. .rts and .txt files
ANSWER: b
POINTS: 1

REFERENCES: Understanding E-mail Servers QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:26 AM

24. Which location contains configuration information for Sendmail?
a. /etc/sendmail.cf
b. /etc/syslog.conf
c. /etc/var/log/maillog
d. /var/log/maillog
ANSWER: a
POINTS: 1 REFERENCES: Understanding E-mail Servers QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:27 AM

25. In which directory do UNIX installations typically store logs?
a. /etc/Log
b. /log
c. /etc/var/log
d. /var/log
ANSWER: d
POINTS: 1 REFERENCES: Understanding E-mail Servers QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:28 AM

26. In which log does Exchange log information about changes to its data?
a. Checkpoint
b. Communication
c. Transaction
d. Tracking
ANSWER: c
POINTS: 1 REFERENCES: Understanding E-mail Servers QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:44 AM

27. In Exchange, what type of file is inserted in the transaction log to mark the last point at which the database was written to disk in order to prevent loss of data?
a. Tracking
b. Checkpoint
c. Temporary
d. Milestone

ANSWER: b
POINTS: 1 REFERENCES: Understanding E-mail Servers QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:32 AM

28. In Microsoft Exchange, which file is responsible for messages formatted with MAPI?
a. .edb
b. .cfg
c. .mbx
d. .mapi
ANSWER: a
POINTS: 1 REFERENCES: Understanding E-mail Servers QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:33 AM

29. Which information from Facebook simply tells you the last time a person logged on, the person's e-mail address and mobile number, and whether the account can be viewed publicly?
a. Extended subscriber
b. Advanced subscriber
c. Subscriber profile
d. Basic subscriber
ANSWER: d
POINTS: 1 REFERENCES: Applying Digital Forensics Methods to Social Media Communications QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 6/5/2018 2:40 PM

30. What format is used for the flat plaintext files some e-mail systems use for message storage?
a. POP3
b. mbox
c. css
d. SMTP
ANSWER: b
POINTS: 1 REFERENCES: Using Specialized E-mail Forensics Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:47 AM

Matching

Match each item with a statement below:
a. OSNs
b. Neoprint
c. Phishing e-mails
d. www.arin.net
e. ESMTP number
f. Notepad+
g. Forensic linguistics
h. Electronic Communications Privacy Act (ECPA)
i. TextEdit
j. Messaging Application Programming Interface (MAPI)
REFERENCES: Understanding E-mail Servers; Applying Digital Forensics Methods to Social Media Communications; Exploring the Role of E-mail in Investigations; Investigating E-mail Crimes and Violations QUESTION TYPE: Matching HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 8:16 PM

31. A privacy law in the United States
ANSWER: h POINTS: 1

32. Text editor for macOS
ANSWER: i POINTS: 1

33. Text editor used with Windows
ANSWER: f POINTS: 1

34. Unique to each message an e-mail server transmits
ANSWER: e POINTS: 1

35. Facebook extended subscriber info profile
ANSWER: b POINTS: 1

36. Used to conduct business, brag about criminal activities, raise money, and have class discussions
ANSWER: a POINTS: 1

37. Where language and the law intersect
ANSWER: g POINTS: 1

38. A registry Web site
ANSWER: d POINTS: 1

39. Attempt to get personal information by luring readers with false promises
ANSWER: c POINTS: 1

40. A Microsoft system that enables different e-mail applications to work together
ANSWER: j POINTS: 1

Subjective Short Answer

41. Describe how e-mail account names are created on an intranet environment.
ANSWER: In most cases, an intranet e-mail system is specific to a company, used only by its employees, and regulated by its business practices, which usually include strict security and acceptable use policies. For example, network users can’t create their own e-mail accounts, and usernames tend to follow some type of naming convention that the e-mail administrator determines. For instance, for John Smith at Some Company, jsmith is the username followed by the company’s domain name, somecompany.com, to create the e-mail address jsmith@somecompany.com.
POINTS: 1 REFERENCES: Exploring the Roles of the Client and Server in E-mail QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 7:02 PM

42. Describe the process of examining e-mail messages when you have access to the victim’s computer and when this access is not possible.
ANSWER: After you have determined that a crime has been committed involving e-mail, access the victim’s computer or mobile device to recover the evidence on it. Using the victim’s e-mail client, find and copy any potential evidence. It might be necessary to log on to the e-mail service and access any protected or encrypted files or folders. If you can’t actually sit down at the victim’s computer, you might have to guide the victim on the phone to open and print a copy of an offending message, including the header. The header contains unique identifying numbers, such as the IP address of the server that sent the message. This information helps you trace the e-mail to the suspect.
POINTS: 1

REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 7:05 PM

43. What are the steps for copying an e-mail message in Outlook or Outlook Express?
ANSWER: If Outlook or Outlook Express is installed on your computer, follow these steps:
1. Insert a USB drive into a USB port.
2. Open File Explorer, navigate to the USB drive, and leave this window open.
3. Start Outlook by going to the Start screen, typing Outlook, and pressing Enter.
4. In the Mail Folders pane, click the folder containing the message you want to copy. For example, click the Inbox folder. A list of messages in that folder is displayed in the pane in the middle. Click the message you want to copy.
5. Resize the Outlook window so that you can see the message you want to copy and the USB drive icon in File Explorer.
6. Drag the message from the Outlook window to the USB drive icon in File Explorer.
7. Click the File tab, and then click Print to open the Print pane. After printing the e-mail so that you have a copy to include in your final report, exit Outlook.
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 7:07 PM

44. What is forensic linguistics?
ANSWER: A related field that has developed in the past few decades is forensic linguistics, which is where language and the law intersect. The International Association of Forensic Linguists (www.iafl.org/forensic.php) divides this field into four categories: language and law, language in the legal process, language as evidence, and research/teaching. Think about getting e-mails from people you know. Based on the words that are used, you can almost picture the senders’ facial expressions, such as smiles or frowns, and you can probably tell when the language doesn’t sound like them, which might indicate they didn’t write the e-mails.
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 7:10 PM

45. What kind of information can you find in an e-mail header?
ANSWER: The main piece of information you’re looking for is the originating e-mail’s domain address or an IP address. Other helpful information includes the date and time the message was sent, filenames of any attachments, and a unique message number, if it’s supplied.
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 7:12 PM

46. Explain how to handle attachments during an e-mail investigation.
ANSWER: An attachment can be any type of file, from a program to a picture. If a message includes an attachment, investigate it as a supporting piece of evidence. If you’re working with the victim, the attachment is usually still attached to the e-mail. If you’re investigating a suspect’s computer, remember to work with the copied version. On a suspect’s computer or forensic image, search for the attached file with a forensics tool or the OS’s Search or Find feature to determine whether the file was saved and still exists on the drive. If you’re investigating an e-mail attachment with an unfamiliar file extension, such as .mdf, you can search the Internet to find out what program creates a file of this type.
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 7:15 PM

47. Why are network router logs important during an e-mail investigation?
ANSWER: Network administrators maintain logs of the inbound and outbound traffic routers handle. Routers have rules to allow or deny traffic based on source or destination IP address. In most cases, a router is set up to track all traffic flowing through its ports.
Using these logs, you can determine the path a transmitted e-mail has taken. The network administrator who manages routers can supply the log files you need. Review the router logs to find the victim’s (recipient’s) e-mail, and look for the unique ID number.
POINTS: 1 REFERENCES: Investigating E-mail Crimes and Violations QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 7:52 PM

48. What kind of information is normally included in e-mail logs?
ANSWER: E-mail logs generally identify the e-mail messages an account received, the IP address from which they were sent, the time and date the e-mail server received them, the time and date the client computer accessed the e-mail, the e-mail contents, system-specific information, and any other information the e-mail administrator wants to track. These e-mail logs are usually formatted in plain text and can be read by using a basic text editor, such as Notepad or vim.
POINTS: 1 REFERENCES: Understanding E-mail Servers QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 7:54 PM

49. Provide a brief description of Microsoft Exchange Server.
ANSWER: Exchange Server, generally called Exchange, is the Microsoft e-mail server software. Exchange uses an Exchange database and is based on the Microsoft Extensible Storage Engine (ESE), which uses several files in different combinations to provide e-mail service. The files most useful to an investigation are .edb database files, checkpoint files, and temporary files. In older versions of Exchange, .edb files were the database files you needed. An .edb file is responsible for messages formatted with Messaging Application Programming Interface (MAPI), a Microsoft system that enables different e-mail applications to work together.
POINTS: 1 REFERENCES: Understanding E-mail Servers QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 7:57 PM

50. Briefly explain forensic tools for social media investigations.
ANSWER: Software for social media forensics is being developed, but not many tools are available. A number of social media tools that were free or inexpensive have now been incorporated into forensics suites, such as FTK Social Analyzer, or offer only 14-day to 30-day trials. In addition, there are many questions about how the information these tools gather can be used in court or in arbitration. Investigators often run into the problem of finding information unrelated to a case, and sometimes they must stop to get another warrant or subpoena, such as investigating a claim of fraud and finding evidence of corporate espionage. Using social media forensics software might also require getting the permission of people whose information is being examined.
POINTS: 1 REFERENCES: Applying Digital Forensics Methods to Social Media Communications QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/8/2018 8:00 PM

Chapter 12: Mobile Device Forensics and the Internet of Anything

True / False

1. Many people store more information on smartphones and tablets than on computers.
a. True
b. False
ANSWER: True
POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/14/2018 12:26 PM

2. Investigating smartphones and other mobile devices is a relatively easy task in digital forensics.
a. True
b. False
ANSWER: False
POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/14/2018 12:31 PM

3. TDMA can operate in the cell phone (800 to 1000 MHz) or PCS (1900 MHz) frequency.
a. True
b. False
ANSWER: True
POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 12/1/2017 12:59 PM

4. Most basic phones use the same OSs as PCs.
a. True
b. False
ANSWER: False
POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: True / False HAS VARIABLES: False

DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/14/2018 1:07 PM

5. Portability of information is what makes SIM cards so versatile.
a. True
b. False
ANSWER: True
POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 12/1/2017 12:59 PM

6. In 2010, both VMware and BlackBerry were thinking of developing type 2 hypervisors for mobile devices.
a. True
b. False
ANSWER: True
POINTS: 1 REFERENCES: Understanding Forensics in the Internet of Anything QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/14/2018 1:20 PM DATE MODIFIED: 3/14/2018 1:20 PM

7. Because bring your own device (BYOD) has become a business standard, investigators must consider how to keep employees’ personal data separate from case evidence.
a. True
b. False
ANSWER: True
POINTS: 1 REFERENCES: Understanding Forensics in the Internet of Anything QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/14/2018 1:21 PM DATE MODIFIED: 3/14/2018 1:22 PM

8. The IoA will eventually include 4G smart devices and 4G mobile networks.
a. True
b. False
ANSWER: False
POINTS: 1 REFERENCES: Understanding Forensics in the Internet of Anything

QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/14/2018 1:23 PM DATE MODIFIED: 3/14/2018 1:24 PM

9. Gaming consoles such as the Sony PlayStation and Xbox are safe because they don't contain information hackers might try to intercept and collect.
a. True
b. False
ANSWER: False
POINTS: 1 REFERENCES: Understanding Forensics in the Internet of Anything QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/14/2018 1:24 PM DATE MODIFIED: 3/14/2018 1:25 PM

10. Research on wearable computers has been conducted at MIT labs for more than a decade, and these computers are now moving into working reality.
a. True
b. False
ANSWER: True
POINTS: 1 REFERENCES: Understanding Forensics in the Internet of Anything QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/14/2018 1:25 PM DATE MODIFIED: 3/14/2018 1:26 PM

Multiple Choice

11. What technology, developed during WWII, uses the full radio spectrum to define channels and is now used in the U.S. by Sprint, U.S. Cellular, and Verizon?
a. iDEN
b. CDMA
c. GSM
d. EDGE
ANSWER: b
POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:57 AM

12. Which type of digital network divides a radio frequency into time slots?

Page 3

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 12: Mobile Device Forensics and the Internet of Anything a. TDMA b. CDMA c. FDMA d. EDGE ANSWER: a POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:58 AM 13. Which type of network is a digital version of the original analog standard for cell phones? a. TDMA b. EDGE c. CDMA d. D-AMPS ANSWER: d POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 9:59 AM 14. Which type of digital network is a faster version of GSM, designed to deliver data? a. TDMA b. iDEN c. EDGE d. D-AMPS ANSWER: c POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 10:00 AM 15. Which standard introduced sleep mode to enhance battery life? a. IS-136 b. IS-195 c. IS-236 d. IS-361 ANSWER: a POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 10:01 AM Copyright Cengage Learning. Powered by Cognero.

16. Where do phones typically store system data? a. EROM b. PROM c. EEPROM d. ROM ANSWER: c POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 10:02 AM

17. What type of cards, consisting of a microprocessor and internal memory, are usually found in GSM devices? a. SD b. MMC c. SDD d. SIM ANSWER: d POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 10:04 AM

18. Which devices have been replaced by iPods, iPads, and other mobile devices for personal use? a. SDHCs b. PDAs c. CFs d. MMCs ANSWER: b POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 10:04 AM

19. What structure is used for the file system for a SIM card? a. Volatile b. Circular c. Hierarchical d. Linear ANSWER: c POINTS: 1 REFERENCES: Understanding Acquisition Procedures for Mobile Devices QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 10:06 AM

20. What does the SIM file structure begin with? a. Elementary data (EF) b. The root of the system (MF) c. Directory files (DF) d. Network data (DCS) ANSWER: b POINTS: 1 REFERENCES: Understanding Acquisition Procedures for Mobile Devices QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 10:08 AM

21. Which tool, provided by Paraben Software, examines Internet of Things (IoT) devices, has a bootloader for locked mobile devices, and can perform data parsing and cloud data capture? a. BitPim b. DataPilot c. MOBILedit! d. E3:DS ANSWER: d POINTS: 1 REFERENCES: Understanding Acquisition Procedures for Mobile Devices QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 10:10 AM

22. In a Windows environment, what is the default storage location used by BitPim? a. My Documents\BitPim b. My Documents\Forensics Files\BitPim c. My Documents\BitPim\Forensics Files d. My Documents\BitPim\Files ANSWER: a POINTS: 1 REFERENCES: Understanding Acquisition Procedures for Mobile Devices QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 10:12 AM

23. Which forensics software tool contains a built-in write blocker? a. GSMCon b. MOBILedit c. SIMedit d. 3GPim ANSWER: b POINTS: 1 REFERENCES: Understanding Acquisition Procedures for Mobile Devices QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 5/8/2018 10:13 AM

24. The Enhanced Data GSM Environment (EDGE) standard was developed specifically for which type of service? a. CDMA b. OFDM c. D-AMPS d. 3G ANSWER: d POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/14/2018 12:57 PM DATE MODIFIED: 5/8/2018 10:15 AM

25. What entity created the Interim Standards used in mobile communications? a. Telecommunications Industry Association b. Global System Communications Industry c. International Telecommunications Union d. Global Telecommunications Association ANSWER: a POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/14/2018 12:59 PM DATE MODIFIED: 5/8/2018 10:17 AM

26. What technique, in which multiple phones take turns sharing a channel, does the Global System for Mobile Communications (GSM) use? a. Orthogonal Frequency Division Multiplexing b. Time Division Multiple Access c. Enhanced Data GSM Environment d. Code Division Multiple Access ANSWER: b POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/14/2018 1:02 PM DATE MODIFIED: 5/8/2018 10:22 AM

27. What entity developed the 3G standard? a. Telecommunications Industry Association b. Global System Communications Industry c. International Telecommunications Union d. Global Telecommunications Association ANSWER: c POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/14/2018 1:06 PM DATE MODIFIED: 5/8/2018 10:20 AM

28. How much internal memory do mobile devices have? a. Up to 8 GB b. Up to 32 GB c. Up to 16 GB d. Up to 64 GB ANSWER: d POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/14/2018 1:08 PM DATE MODIFIED: 5/8/2018 10:25 AM

29. Which tool, used by government agencies, retrieves data from smartphones, GPS devices, tablets, music players, and drones? a. Micro Systemation XRY b. BitPim c. MOBILedit Forensic d. DataPilot ANSWER: a POINTS: 1 REFERENCES: Understanding Acquisition Procedures for Mobile Devices QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/14/2018 1:13 PM DATE MODIFIED: 5/8/2018 10:26 AM

30. Which Cellebrite mobile forensics tool is often used by law enforcement and the military? a. MOBILedit Forensics b. UFED Reader c. BitPim d. DataPilot ANSWER: b POINTS: 1 REFERENCES: Understanding Acquisition Procedures for Mobile Devices QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/14/2018 1:17 PM DATE MODIFIED: 5/8/2018 10:27 AM

Matching

Match each item with a statement below:
a. CDMA
b. iDEN
c. EDGE
d. ROM
e. Internet of Anything
f. Internet of Things
g. Google Glass
h. Universal Forensics Extraction Device (UFED)
i. DataPilot
j. Vehicle system forensics
REFERENCES: Understanding Forensics in the Internet of Anything; Understanding Acquisition Procedures for Mobile Devices; Understanding Mobile Device Forensics QUESTION TYPE: Matching HAS VARIABLES: False DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/14/2018 2:13 PM

31. Proprietary protocol developed by Motorola ANSWER: b POINTS: 1
32. Nonvolatile memory ANSWER: d POINTS: 1
33. Standard developed specifically for 3G ANSWER: c POINTS: 1
34. One of the most common digital networks, it uses the full radio frequency spectrum to define channels ANSWER: a POINTS: 1
35. A stand-alone portable device with software that can be loaded on a computer ANSWER: h POINTS: 1
36. Includes the ever-growing number of physical devices connected on the Internet ANSWER: f POINTS: 1
37. Includes cars, homes, pets, livestock, and applications for making all these things work together ANSWER: e POINTS: 1

38. Has a collection of cables that can interface with phones made by Nokia, Motorola, Samsung, among others ANSWER: i POINTS: 1
39. Addresses the many parts that have sensors in cars ANSWER: j POINTS: 1
40. Available to access the Internet or take pictures while walking ANSWER: g POINTS: 1

Subjective Short Answer

41. What is some of the information that can be stored in a cell phone?
ANSWER: Depending on your phone’s model, the following items might be stored on it:
* Incoming, outgoing, and missed calls
* Text and Short Message Service (SMS) messages
* E-mail accounts
* Instant-messaging (IM) logs
* Web pages
* Photos, videos, and music files
* Calendars and address books
* Social media account information
* GPS data
* Voice recordings and voicemail
* Bank account logins
* Access to your home
POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/14/2018 1:40 PM

42. Briefly describe Long Term Evolution (LTE).
ANSWER: This technology, designed for GSM and Universal Mobile Telecommunications Systems (UMTS) technology, supports 45 Mbps to 144 Mbps transmission speeds. Commonly called “4G LTE.” LTE was part of the requirements created in 2008 by the International Telecommunication Union Radio (ITU-R) for carriers to be considered 4G.
POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/14/2018 1:43 PM

43. What are the three main components used for cell phone communications?
ANSWER: As described in NIST SP 800-101, three main components are used for communication with these cells:
* Base transceiver station (BTS)—This component is made up of radio transceiver equipment that defines cells and communicates with mobile phones; it’s sometimes referred to as a cell phone tower, although the tower is only one part of the BTS equipment.
* Base station controller (BSC)—This combination of hardware and software manages BTSs and assigns channels by connecting to the mobile switching center.
* Mobile switching center (MSC)—This component connects calls by routing digital packets for the network and relies on a database to support subscribers. This central database contains account data, location data, and other key information needed during an investigation. If you have to retrieve information from a carrier’s central database, you usually need a warrant or subpoena.
POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 12/1/2017 12:59 PM

44. Briefly describe cell phone hardware.
ANSWER: Mobile devices can range from simple phones to smartphones, tablets, and smartwatches. The hardware consists of a microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces (such as keypads, cameras, and GPS devices), and an LCD display. Many have removable memory cards and up to 64 GB of internal memory, and Bluetooth and Wi-Fi are now included in most mobile devices.
POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/14/2018 1:47 PM

45. Identify several uses of SIM cards.
ANSWER: GSM refers to mobile phones as “mobile stations” and divides a station into two parts: the SIM card and the mobile equipment (ME), which is the remainder of the phone. The SIM card is necessary for the ME to work and serves several additional purposes:
* Identifies the subscriber to the network
* Stores service-related information
* Can be used to back up device
POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/14/2018 1:50 PM

46. Identify and define three kinds of peripheral memory cards used with PDAs.
ANSWER: A number of peripheral memory cards are used with PDAs:
* Compact Flash (CF)—CF cards are used for extra storage and work much the same way as PCMCIA cards.
* MultiMedia Card (MMC)—MMC cards were designed for mobile phones, but they can be used with PDAs to provide another storage area.
* Secure Digital (SD)—SD cards are similar to MMCs but have added security features to protect data; they are now used on smartphones.
POINTS: 1 REFERENCES: Understanding Mobile Device Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/14/2018 1:52 PM

47. How can you isolate a mobile device from incoming signals?
ANSWER: To isolate the device from incoming signals you can use one of the following options:
* Place the device in airplane mode, if this feature is available.
* Place the device in a paint can, preferably one that previously contained radio wave–blocking paint.
* Use a Faraday bag that conforms to Faraday wire cage standards. Many allow plugging a unit into a power source.
* Turn the device off.
POINTS: 1 REFERENCES: Understanding Acquisition Procedures for Mobile Devices QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/14/2018 1:55 PM

48. What are the four categories of information that can be retrieved from a SIM card?
ANSWER: You can retrieve quite a bit of data from a SIM card. The information that can be retrieved falls into four categories:
* Service-related data, such as identifiers for the SIM card and subscriber
* Call data, such as numbers dialed
* Message information
* Location information
POINTS: 1 REFERENCES: Understanding Acquisition Procedures for Mobile Devices QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/14/2018 1:56 PM

49. What is the general procedure to access the content on a mobile phone SIM card?
ANSWER: The general procedure is as follows:
1. Remove the device's back panel.
2. Remove the battery.
3. Remove the SIM card from its holder.
4. Insert the SIM card into the card reader, which you insert into your forensic workstation’s USB port.
POINTS: 1 REFERENCES: Understanding Acquisition Procedures for Mobile Devices QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/14/2018 1:58 PM

50. What are the three 5G categories, according to the ITU?
ANSWER: Currently, the ITU has divided 5G into three categories:
• enhanced Mobile BroadBand (eMBB)—Provides more bandwidth to increase digital connectivity for users
• Ultra-reliable and Low-latency Communications (uRLLC)—Focuses on devices such as self-driving cars
• massive Machine Type Communications (mMTC)—Focuses on smart cities
POINTS: 1 REFERENCES: Understanding Forensics in the Internet of Anything QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical thinking DATE CREATED: 12/1/2017 12:59 PM DATE MODIFIED: 3/14/2018 2:00 PM

Chapter 13: Cloud Forensics

True / False

1. The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET). a. True b. False ANSWER: True POINTS: 1 REFERENCES: An Overview of Cloud Computing QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/19/2018 1:26 PM

2. A search warrant can be used in any kind of case, either civil or criminal. a. True b. False ANSWER: False POINTS: 1 REFERENCES: Legal Challenges in Cloud Forensics QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/19/2018 11:08 AM

3. Specially trained system and network administrators are often a CSP's first responders. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Technical Challenges in Cloud Forensics QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/19/2018 11:08 AM

4. The law requires search warrants to contain specific descriptions of what’s to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect. a. True b. False ANSWER: False POINTS: 1 REFERENCES: Legal Challenges in Cloud Forensics QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/19/2018 1:31 PM

5. In the United States, the Electronic Communications Privacy Act (ECPA) describes five mechanisms the government can use to get electronic information from a provider. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Legal Challenges in Cloud Forensics QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/19/2018 1:33 PM

6. In 1999, Salesforce.com developed a customer relationship management (CRM) Web service that applied digital marketing research to business subscribers so that they could do their own market analysis; this service eventually led the way to the cloud. a. True b. False ANSWER: True POINTS: 1 REFERENCES: An Overview of Cloud Computing QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/19/2018 5:13 PM DATE MODIFIED: 3/19/2018 5:14 PM

7. The platform as a service cloud service is most likely found on a desktop or a server, although it could also be found on a company network or the remote service provider's infrastructure. a. True b. False ANSWER: True POINTS: 1 REFERENCES: An Overview of Cloud Computing QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/19/2018 6:31 PM DATE MODIFIED: 3/19/2018 6:31 PM

8. Homomorphic encryption uses an "ideal lattice" mathematical formula to encrypt data. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Acquisitions in the Cloud QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/19/2018 6:33 PM DATE MODIFIED: 3/19/2018 6:34 PM

9. Remote acquisitions are often easier because you’re usually dealing with large volumes of data. a. True b. False ANSWER: False POINTS: 1 REFERENCES: Acquisitions in the Cloud QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/19/2018 6:35 PM DATE MODIFIED: 3/19/2018 6:36 PM

10. Magnet AXIOM Cloud can retrieve information from Skype, Instagram, Twitter, iCloud, but not from Facebook Messenger. a. True b. False ANSWER: False POINTS: 1 REFERENCES: Tools for Cloud Forensics QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/19/2018 6:37 PM DATE MODIFIED: 3/19/2018 6:39 PM

Multiple Choice

11. Metadata in a prefetch file contains an application's ____ times in UTC format and a counter of how many times the application has run since the prefetch file was created. a. MAC b. ACL c. startup / access d. log event ANSWER: a POINTS: 1 REFERENCES: Conducting a Cloud Investigation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/20/2018 6:31 PM

12. Which organization has developed resource documentation for cloud service providers and their staff and provides guidance for privacy agreements, security measures, and other issues? a. OpenStack Framework Alliance b. Cloud Security Alliance c. Cloud Architecture Group d. Cloud Security Advisory Panel ANSWER: b POINTS: 1 REFERENCES: Technical Challenges in Cloud Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:41 AM

13. In which cloud service level are applications delivered via the Internet? a. Software as a service b. Virtualization as a service c. Platform as a service d. Infrastructure as a service ANSWER: a POINTS: 1 REFERENCES: An Overview of Cloud Computing QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 6/5/2018 2:43 PM

14. What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing? a. IBM Cloud b. Amazon EC2 c. Salesforce d. HP Helion ANSWER: c POINTS: 1 REFERENCES: An Overview of Cloud Computing QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/20/2018 6:26 PM

15. What document, issued by a judge, compels the recipient to do or not do something? a. A court order b. A subpoena c. A warrant d. A temporary restraining order ANSWER: a POINTS: 1 REFERENCES: Legal Challenges in Cloud Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:06 AM

16. What files, created by Microsoft, contain the DLL pathnames and metadata used by applications and reduce the time it takes to start applications? a. Cache b. Prefetch c. Config d. Temp ANSWER: b POINTS: 1 REFERENCES: Conducting a Cloud Investigation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:37 AM

17. What is Microsoft's SkyDrive now called? a. Teams b. Box c. MS Drive d. OneDrive ANSWER: d POINTS: 1 REFERENCES: Conducting a Cloud Investigation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:11 AM

18. With cloud systems running in a virtual environment, what can be used to give the investigator valuable information before, during, and after an incident? a. RAM analysis b. Snapshots c. Live acquisition d. Carving ANSWER: b POINTS: 1 REFERENCES: Acquisitions in the Cloud QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:12 AM

19. Which type of order requires that the government offer specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation? a. A search warrant b. A subpoena c. A court order d. A subpoena with prior notice ANSWER: c POINTS: 1 REFERENCES: Legal Challenges in Cloud Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:21 AM

20. A government entity must show that there is probable cause to believe the contents of a wire communication, an electronic communication, or other records are relevant to an ongoing criminal investigation to obtain which type of order? a. A subpoena b. A TRO c. A court order with prior notice d. A search warrant ANSWER: d POINTS: 1 REFERENCES: Legal Challenges in Cloud Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 12:30 PM

21. Which tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack? a. OpenForensics b. FROST c. WinHex d. ARC ANSWER: b POINTS: 1 REFERENCES: Tools for Cloud Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:22 AM

22. What cloud service provides a freeware type 1 hypervisor used for public and private clouds? a. Cisco Cloud Computing b. Amazon EC2 c. XenServer and XenCenter Windows Management Console d. HP Helion ANSWER: c POINTS: 1 REFERENCES: An Overview of Cloud Computing QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:22 AM

23. Which folder is most likely to contain Dropbox files for a specific user? a. C:\Dropbox b. C:\Users\username\Dropbox c. C:\Users\Dropbox d. C:\Users\username\AppData\Dropbox ANSWER: b POINTS: 1 REFERENCES: Conducting a Cloud Investigation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:23 AM

24. Which type of tool has application programming interfaces (APIs) that allow reconfiguring a cloud on the fly and is accessed through the application's Web interface? a. A programming editor b. A management plane c. A backdoor d. A configuration manager ANSWER: b POINTS: 1 REFERENCES: Tools for Cloud Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:25 AM

25. Which Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system? a. filecache.dbx b. read_filejournal c. filetx.log d. filecache.dll ANSWER: a POINTS: 1 REFERENCES: Conducting a Cloud Investigation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:26 AM

26. At what offset are the application's last access date and time located in a prefetch file? a. 0x80 b. 0x88 c. 0x90 d. 0xD4 ANSWER: c POINTS: 1 REFERENCES: Conducting a Cloud Investigation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:30 AM

27. At what offset is a prefetch file's create date and time located? a. 0x80 b. 0x88 c. 0x90 d. 0x98 ANSWER: a POINTS: 1 REFERENCES: Conducting a Cloud Investigation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:30 AM

28. Which cloud forensics training program is limited to law enforcement personnel? a. (ISC)2 Certified Cyber Forensics Professional b. INFOSEC Institute c. Sans Cloud Forensics with F-Response d. National Institute of Justice Digital Forensics Training ANSWER: d POINTS: 1 REFERENCES: Technical Challenges in Cloud Forensics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 11:39 AM

29. Where is the snapshot database created by Google Drive located in Windows? a. C:\Program Files\Google\Drive b. C:\Users\username\AppData\Local\Google\Drive\user_default c. C:\Users\username\Google\Google Drive d. C:\Google\Drive ANSWER: b POINTS: 1 REFERENCES: Conducting a Cloud Investigation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/20/2018 6:30 PM

30. Which Google Drive file contains a detailed list of a user's cloud transactions? a. loggedtransactions.log b. sync_log.log c. transact_user.db d. history.db ANSWER: b POINTS: 1 REFERENCES: Conducting a Cloud Investigation QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 6/5/2018 2:44 PM

Matching

Match each item with a statement below:
a. Cloud service providers (CSPs)
b. Community cloud
c. Deprovisioning
d. Hybrid cloud
e. Infrastructure as a service (IaaS)
f. Multitenancy
g. Private cloud
h. Cloud service agreements (CSAs)
i. Public cloud
j. Spoliation
REFERENCES: An Overview of Cloud Computing; Legal Challenges in Cloud Forensics QUESTION TYPE: Matching HAS VARIABLES: False DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/19/2018 5:05 PM

31. A way to bring people together for a specific purpose, for example, to access common files. ANSWER: b POINTS: 1
32. Also called "master service agreements." ANSWER: h POINTS: 1
33. Can only be accessed by people who have the necessary credentials. ANSWER: g POINTS: 1
34. Poses a serious legal challenge in cloud forensics. ANSWER: c POINTS: 1
35. Customers can rent hardware, such as servers and workstations, and install whatever OSs and applications they need. ANSWER: e POINTS: 1
36. Many different unrelated businesses and users share the same applications and storage space. ANSWER: f POINTS: 1

37. Use a variety of approaches and systems to build their cloud systems, such as servers using distributive processing methods with data farms for storage. ANSWER: a POINTS: 1
38. Failing to preserve evidence. ANSWER: j POINTS: 1
39. A cloud service that's available to the general public. ANSWER: i POINTS: 1
40. Enables a company to keep some information private and designate other files as public or community information. ANSWER: d POINTS: 1

Subjective Short Answer

41. Explain why digital forensics examiners should be most concerned with restrictions applied to customers and security measures.
ANSWER: Digital forensics examiners should be most concerned with restrictions applied to customers and security measures. These CSP components must state who is authorized to access data and what the limitations are in conducting acquisitions for an investigation. Because many cloud vendors spread data storage systems across multiple countries, the CSP should also address any multi-jurisdiction concerns and define how conflicts between laws of different countries will be resolved.
POINTS: 1 REFERENCES: Legal Challenges in Cloud Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/19/2018 4:14 PM

42. Explain what "anti-forensics" is, and provide detail on some anti-forensics tactics.
ANSWER: Destroying ESI that’s potential evidence is called “anti-forensics.” Anti-forensics tactics are used in cloud environments as well as in other network environments. Hackers might obfuscate incriminating files or hide them by the simple technique of changing file extensions. Specialized malware for defeating evidence collection can add time to an investigation and result in the loss of valuable evidence.
Additional methods for anti-forensics include inserting malware programs in other files, using encryption to obfuscate malware programs activated through other malware programs, and using data-hiding utilities that append malware to existing files. Other techniques affect file metadata by changing the modify and last access times. Changing file timestamps can make it difficult to develop a timeline of a hacker’s activities.
POINTS: 1 REFERENCES: Technical Challenges in Cloud Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/19/2018 11:08 AM

43. Describe how the Forensic Open-Stack Tools (FROST) bypasses a virtual machine's hypervisor.
ANSWER: With FROST, collected data is placed in the cloud’s management plane, which is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it’s accessed through the application’s Web interface. Because the hypervisor is bypassed, special malware can take control of the virtual session and deny or alter access. It can also prevent or interfere with forensic analysis and data collection.
POINTS: 1 REFERENCES: Tools for Cloud Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 12:24 PM

44. Explain what a government agency subpoena is, and describe how it is used.
ANSWER: U.S. Code 18 states that customer communications and records can’t be knowingly divulged to any person or entity, although it allows specific exceptions to government agencies. This type of subpoena is used to get information when it’s believed there’s a danger of death or serious physical injury or to get information for the National Center for Missing and Exploited Children. U.S. federal courts interpret this as meaning that no Stored Communications Act provision permits disclosure for a civil discovery order unless the order comes from a government entity: “Subpoena may not be enforced consistent with the plain language of the Privacy Act because the exceptions enumerated in § 2702(b) do not include civil discovery subpoenas.”
POINTS: 1 REFERENCES: Legal Challenges in Cloud Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/19/2018 4:19 PM

45. Explain what non-government and civil litigation subpoenas are, and describe how they work.
ANSWER: Non-government and civil litigation subpoenas are used to produce information from private parties for litigation. An example of how they apply to a CSP can be seen in Flagg v. City of Detroit (252 F.R.D. 346, E.D. Mich., 2008). A CSP received a civil subpoena for the production of electronically stored information (ESI) in the cloud, including text messages sent or received by city employees who used mobile devices supplied by SkyTel. Although the court determined that this data could be subject to discovery under the Federal Rules of

Page 11

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 13: Cloud Forensics Civil Procedure, it denied the subpoena because the evidence could have been acquired more easily by making an ESI discovery request to the cloud users. POINTS: 1 REFERENCES: Legal Challenges in Cloud Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 12:25 PM 46. Explain what a service level agreement is. ANSWER: Organizations that sell cloud services have cloud service agreements (CSAs) with their customers, which are also called “master service agreements” or "service legal agreements (SLAs)." A CSA is a contract between a CSP and the customer that describes what services are being provided and at what level. It should also specify support options, penalties for services not provided, system performance (periods of downtime and uptime, for example), fees, provided software or hardware, and so forth. POINTS: 1 REFERENCES: Legal Challenges in Cloud Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 12:26 PM 47. What capabilities should a forensic tool have to handle acquiring data from the cloud? ANSWER: Tools must be able to identify, label, record, and acquire data from the cloud. To meet the elastic nature of clouds, tools must be able to expand and contract their data storage capabilities as the demand for services changes. Additionally, clouds are set up for multitenancy, meaning many different unrelated businesses and users share the same applications and storage space, so forensics tools must be able to separate each customer’s data. Finally, because cloud operations typically run in a virtual environment, forensics tools should have the capability to examine virtual systems. 
POINTS: 1 REFERENCES: An Overview of Cloud Computing QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 12:27 PM 48. Explain what a court order is, and describe how it is used. ANSWER: Court orders are written by judges to compel someone to do or not do something, such as a CSP producing user logon activities. Under U.S. Code 18, court orders are available only to government agencies. In U.S. federal courts, it’s interpreted as meaning that a court order can be issued by “any court that is a court of competent jurisdiction” only if the government Copyright Cengage Learning. Powered by Cognero.

Page 12

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 13: Cloud Forensics agency “offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.” When a state government agency is involved, a court order can’t be issued if the laws of the state prohibit it. POINTS: 1 REFERENCES: Legal Challenges in Cloud Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/19/2018 11:08 AM 49. Describe the role of incident first responders, and discuss some factors that should be addressed with first responders. ANSWER: Typically, CSPs have personnel trained to respond to network incidents, such as system and network administrators who handle normal support services for the cloud. When a network intrusion occurs, they become first responders to the incident. If a CSP doesn’t have an internal first responder team, the forensics examiner should organize CSP staff to handle these tasks. Some factors to address include the following: • • •

Will the CSP’s operations staff be cooperative and follow directions, and will management issue orders stating that you’re the leader of the investigation? Do you need to brief staff about operations security? For example, you might need to explain that they should talk only to others who have a need to know about the incident and the investigation’s activities. Do you need to train staff in evidence collection procedures, including the chain of custody?

POINTS: 1 REFERENCES: Technical Challenges in Cloud Forensics QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 3/19/2018 4:30 PM 50. Discuss the four different types of cloud deployment methods. ANSWER: A public cloud is accessible to anyone, and typically, the only identification required is an email address. This deployment method offers no security, but it’s popular because of its ease of use. Next is a private cloud, which can be accessed only by people who have the necessary credentials, such as logon names and passwords; sometimes location is used as a way to restrict access, too. Most companies have private clouds. A community cloud is a way to bring people together for a specific purpose. For example, say a city wants all small businesses to have access to the same documents and templates. By creating a community cloud, the city can make these files accessible to those who have a current business license. A hybrid cloud enables a company to keep some information private and designate other files as public or community information. Copyright Cengage Learning. Powered by Cognero.

Page 13

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 13: Cloud Forensics POINTS: 1 REFERENCES: An Overview of Cloud Computing QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 3/19/2018 11:08 AM DATE MODIFIED: 5/8/2018 12:28 PM

Copyright Cengage Learning. Powered by Cognero.
Chapter 14: Report Writing for High-Tech Investigations True / False 1. Besides presenting facts, reports can communicate expert opinion. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Understanding the Importance of Reports QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 12/1/2017 1:00 PM 2. A verbal report is more structured than a written report. a. True b. False ANSWER: False POINTS: 1 REFERENCES: Understanding the Importance of Reports QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 12/1/2017 1:00 PM 3. If you must write a preliminary report, use words such as “preliminary copy,” “draft copy,” or “working draft.” a. True b. False ANSWER: False POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 6/5/2018 2:45 PM 4. As with any research paper, write the report abstract last. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: True / False HAS VARIABLES: False Copyright Cengage Learning. Powered by Cognero.

Page 1

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 14: Report Writing for High-Tech Investigations DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 12/1/2017 1:00 PM 5. When writing a report, use a formal, technical style. a. True b. False ANSWER: False POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 12/1/2017 1:00 PM 6. When writing a report, style means the tone of language you use to address the reader. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/16/2018 4:33 PM DATE MODIFIED: 3/16/2018 4:34 PM 7. The decimal numbering system is frequently used when writing pleadings. a. True b. False ANSWER: False POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/16/2018 4:34 PM DATE MODIFIED: 3/16/2018 4:35 PM 8. Lawyers use services called deposition banks (libraries), which store examples of expert witnesses’ previous testimony. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Understanding the Importance of Reports QUESTION TYPE: True / False Copyright Cengage Learning. Powered by Cognero.

Page 2

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 14: Report Writing for High-Tech Investigations HAS VARIABLES: False DATE CREATED: 3/16/2018 4:36 PM DATE MODIFIED: 3/16/2018 4:37 PM 9. Signposts assist readers in scanning the text quickly by highlighting the main points and logical development of information. a. True b. False ANSWER: True POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/16/2018 4:38 PM DATE MODIFIED: 3/16/2018 4:39 PM 10. For civil cases, including those involving digital forensics investigations, U.S. district courts consider optional that expert witnesses submit written reports. a. True b. False ANSWER: False POINTS: 1 REFERENCES: Understanding the Importance of Reports QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/16/2018 4:40 PM DATE MODIFIED: 3/16/2018 4:41 PM Multiple Choice 11. What is the standard format in U.S. federal courts for the electronic submission of documents? a. Microsoft Word (DOC) b. Portable Document Format (PDF) c. Encapsulated Postscript (EPS) d. Postscript (PS) ANSWER: b POINTS: 1 REFERENCES: Understanding the Importance of Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 11:53 AM 12. Which document serves as a guideline for knowing what questions an investigator should expect when testifying? a. A pre-appearance report b. Testimony guidelines c. An examination plan d. Expert witness guidelines Copyright Cengage Learning. Powered by Cognero.

Page 3

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 14: Report Writing for High-Tech Investigations ANSWER: c POINTS: 1 REFERENCES: Understanding the Importance of Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 11:55 AM 13. What is most appropriately used to help an attorney learn the terms and functions used in digital forensics? a. A glossary b. Preliminary testimony c. A final report d. An examination plan ANSWER: d POINTS: 1 REFERENCES: Understanding the Importance of Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 11:57 AM 14. A written report is often submitted as what type of document? a. A subpoena b. An affidavit c. A court order d. A deposition ANSWER: b POINTS: 1 REFERENCES: Understanding the Importance of Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 11:59 AM 15. What should be provided if a report is long and complex? a. An appendix b. A glossary c. A table of contents d. An abstract ANSWER: d POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:00 PM 16. Which document is sworn to under oath and penalty of perjury, or a comparable false swearing statute? a. A written report b. An investigation plan Copyright Cengage Learning. Powered by Cognero.

Page 4

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 14: Report Writing for High-Tech Investigations c. An examination plan d. A cross-examination report ANSWER: a POINTS: 1 REFERENCES: Understanding the Importance of Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:02 PM 17. What type of question should an attorney ask to allow an investigator to offer an opinion? a. A hypothetical question based on available factual b. A nested question based on prior testimony evidence c. A challenging question based on weak evidence d. A contradictory question based on conflicting evidence ANSWER: a POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:07 PM 18. Which Federal Rule of Evidence rule governs expert opinions? a. 705 b. 755 c. 805 d. 855 ANSWER: a POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:08 PM 19. Anything an investigator writes down as part of examination for a report in a civil litigation case is subject to which action from the opposing attorney? a. Subpoena b. Discovery c. Publication d. Deposition ANSWER: b POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM Copyright Cengage Learning. Powered by Cognero.

Page 5

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 14: Report Writing for High-Tech Investigations DATE MODIFIED: 5/8/2018 12:10 PM 20. Because opposing counsel can demand discovery on them, what are written preliminary reports considered to be? a. Low-risk documents b. Middle-risk documents c. High-risk documents d. No-risk documents ANSWER: c POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:12 PM 21. How many words should an abstract contain? a. 150 to 200 b. 200 to 250 c. 250 to 300 d. 300 to 350 ANSWER: a POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:14 PM 22. Under FRCP, Rule 26, where must the investigator's curriculum vitae be placed unless the bona fides are integrated elsewhere? a. Conclusions b. References c. Discussions d. Appendixes ANSWER: d POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:38 PM 23. In addition to decimal numbering, what numbering system can be used in a written report? a. Legal-sequential b. Roman-sequential c. Arabic-sequential d. Letter-sequential ANSWER: a POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice Copyright Cengage Learning. Powered by Cognero.

Page 6

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 14: Report Writing for High-Tech Investigations HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:16 PM 24. Which numbering system is being used if the report writer divides material into sections and restarts numbering with each main section? a. Roman-sequential b. Decimal c. Legal-sequential d. Indent ANSWER: b POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:18 PM 25. What format is typically used to cite references in the main body of a report? a. The full name of the author and the year of publication are included in parentheses b. The last name of the author is included in parentheses c. The author’s last name and the year of publication are included in parentheses d. The year of publication is included in parentheses ANSWER: c POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:42 PM 26. What section of a report should contain broader generalizations? a. The appendixes b. The introduction c. The conclusion d. The discussion ANSWER: c POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:23 PM 27. What section of a report should restate the objectives, aims, and key questions and summarize the findings with clear, concise statements? a. The appendix b. The conclusion Copyright Cengage Learning. Powered by Cognero.

Page 7

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 14: Report Writing for High-Tech Investigations c. The introduction d. The references ANSWER: b POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:24 PM 28. What section of a report can be used for material such as raw data, figures not used in the body of the report, and anticipated exhibits? a. The conclusions b. The discussions c. The references d. The appendixes ANSWER: d POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:36 PM 29. In addition to text, word processing, and spreadsheet formats, which format is used for forensic reports and logs generated by forensic tools? a. PDF b. HTML c. PS d. TXT ANSWER: b POINTS: 1 REFERENCES: Generating Report Findings with Forensics Software Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 6/5/2018 2:48 PM 30. What sections of a report are included in the report body? a. The introduction and discussion b. The results and conclusions c. The abstract and introduction d. The appendixes ANSWER: a POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 5/8/2018 12:40 PM Copyright Cengage Learning. Powered by Cognero.

Page 8

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 14: Report Writing for High-Tech Investigations Matching Match each item with a statement below a. Decimal numbering b. Lay witness c. Autopsy d. Examination plan e. Signposts f. Verbal report g. Spoliation h. Conclusion section i. MD5 j. Appendixes REFERENCES: Guidelines for Writing Reports Understanding the Importance of Reports Generating Report Findings with Forensics Software Tools QUESTION TYPE: Matching HAS VARIABLES: False DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 3/16/2018 5:23 PM 31. Draw reader’s attention to a point in your report. ANSWER: e POINTS: 1 32. A report numbering system ANSWER: a POINTS: 1 33. Used by an attorney to guide an expert witness in his or her testimony ANSWER: d POINTS: 1 34. A forensics software tool ANSWER: c POINTS: 1 35. Lawyers jargon for destroying or concealing evidence ANSWER: g POINTS: 1 36. Stands for Message Digest 5 ANSWER: i POINTS: 1 Copyright Cengage Learning. Powered by Cognero.

Page 9

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 14: Report Writing for High-Tech Investigations 37. Typically takes place in an attorney’s office where the attorney requests your consultant’s report ANSWER: f POINTS: 1 38. Starts by referring to the report’s purpose, states the main points, draws conclusions, and possibly renders an opinion ANSWER: h POINTS: 1 39. A witness testifying to personally observed facts ANSWER: b POINTS: 1 40. Considered additional material on a report and might not be examined by readers ANSWER: j POINTS: 1 Subjective Short Answer 41. What are the report requirements for civil cases as specified on Rule 26, FRCP? ANSWER: For civil cases, including those involving digital forensics investigations, U.S. district courts require that expert witnesses submit written reports; state courts are also starting to require reports from expert witnesses, although the details of report requirements vary. Therefore, if you’re a digital forensics examiner involved in a civil case, you must write a report explaining your investigation and findings. Specifically, Rule 26, FRCP, requires that parties who anticipate calling an expert witness to testify must provide a copy of the expert’s written report that includes all opinions, the basis for the opinions, and the information considered in coming to those opinions. The report must also include related exhibits, such as photographs or diagrams, and the witness’s curriculum vitae listing all publications he or she contributed to during the preceding 10 years. (These publications do not have to be relevant to the case.) POINTS: 1 REFERENCES: Understanding the Importance of Reports QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 3/16/2018 4:51 PM 42. Briefly explain how to limit your report to specifics. ANSWER: The client (who might be an attorney, a detective, or an investigator) should define the investigation’s goal or mission. 
All reports to the client should start by stating this mission or goal, which is usually to find information on a specific subject, recover certain important documents, or recover certain types of files or files with specific dates and times. Clearly defining the goals reduces the time and cost of the examination and is especially important with the increasing size of hard drives and complexity of networks. Copyright Cengage Learning. Powered by Cognero.

Page 10

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 14: Report Writing for High-Tech Investigations Before you begin writing, identify your audience and the purpose of the report to help you focus on specifics. Remember that if the audience has little technical knowledge, you might have to dedicate part of the report to educating readers on technical issues. You can do this with a set of several stock paragraphs that you keep on hand, although you should update these stock definitions periodically. POINTS: 1 REFERENCES: Understanding the Importance of Reports QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 3/16/2018 4:54 PM 43. What are the areas of investigation usually addressed by a verbal report? ANSWER: A verbal report is usually a preliminary report and addresses areas of investigation yet to be completed, such as the following: * Tests that haven’t been concluded * Interrogatories that the lawyer might want to address to opposing parties * Document production, either requests for production (to parties) or subpoenas (to nonparties, people who have information but aren’t a named party in the case) * Determining who should be deposed and the plan for deposing them POINTS: 1 REFERENCES: Understanding the Importance of Reports QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 3/16/2018 4:55 PM 44. Explain how hypothetical questions can be used to ensure that you as a witness are basing your opinion on facts expected to be supported by evidence. ANSWER: The law requires that an expert who doesn’t have personal knowledge about the system or the occurrence must state opinions by response to hypothetical questions, which ask the expert witness to express an opinion based on hypothetical facts without referring to a particular system or situation. 
In this regard, you as a forensics investigator (an expert witness) differ from an ordinary witness. You didn’t see or hear the incident in dispute; you’re giving evidence as an opinion based on professional knowledge and experience, even if you might never have seen the system, data, or scene. Although the rules of evidence have relaxed requirements on the way in which an expert renders an opinion, structuring hypothetical questions for your own use helps ensure that you’re basing your opinion on facts expected to be supported by evidence. State the facts needed to answer the question, and don’t include any unnecessary facts. You might want to address alternative facts, however, if they allow your opinion to remain the same. The expression “alternative facts” might seem contradictory, but it simply means competing facts. Copyright Cengage Learning. Powered by Cognero.

Page 11

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 14: Report Writing for High-Tech Investigations In a civil case, if there weren’t alternative possible facts, the case would not be at trial; it would have been decided at summary judgment. POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 3/17/2018 2:23 PM 45. What are the four conditions required for an expert witness to testify to an opinion or conclusion? ANSWER: As an expert witness, you can testify to an opinion, or conclusion if these basic conditions are met: * The opinion, inferences, or conclusions depend on special knowledge, skill, or training not within the ordinary experience of lay witnesses or jurors. * The witness must be shown to be qualified as a true expert in the field (which is why the curriculum vitae is important). * The witness must testify to a reasonable degree of certainty (probability) about his or her opinion, inference, or conclusion. * At minimum, expert witnesses must know the relevant data (facts) on which their opinion, inference, or conclusion is based, and they must be prepared to testify in response to a hypothetical question that sets forth the underlying evidence. POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 3/16/2018 5:04 PM 46. What is the basic structure of a report? ANSWER: A report usually includes the sections shown in the following list, although the order varies depending on organizational guidelines or case requirements: * Abstract (or summary) * Table of contents * Body of report * Conclusion * References * Glossary * Acknowledgements * Appendixes POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Subjective Short Answer Copyright Cengage Learning. Powered by Cognero.

Page 12

SOURCE: Browsegrades.net


Name:

Class:

Date:

Chapter 14: Report Writing for High-Tech Investigations HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 3/16/2018 5:05 PM 47. Provide some guidelines for writing an introduction section for a report. ANSWER: The introduction should state the report’s purpose (the questions to be answered) and show that you’re aware of its terms of reference. You should also state any methods used and any limitations and indicate how the report is structured. It’s important to justify why you’re writing the report, so make sure you answer the question “What is the problem?” You should also give readers a map of what you’re delivering. Introduce the problem, moving from broader issues to the specific problem, finishing the introduction with the precise aims of the report (key questions). Craft this introduction carefully, setting up the processes you used to develop the information in logical order. Refer to relevant facts, ideas, and theories as well as related research by other authors. Organize discussion sections logically under headings to reflect how you classify information and to ensure that your information remains relevant to the investigation. POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 3/17/2018 2:26 PM 48. What do you need to consider to produce clear, concise reports? ANSWER: To produce clear, concise reports, you should assess the quality of your writing. Consider the following criteria: * Communicative quality—Is it easy to read? Think of your readers and how to make the report appealing to them. * Ideas and organization—Is the information relevant and clearly organized? * Grammar and vocabulary—Is the language simple and direct so that the meaning is clear and the text isn’t repetitive? 
However, technical terms should be used consistently; you shouldn’t try to use variety for these terms. Using different words for the same thing might raise questions. * Punctuation and spelling—Are they accurate and consistent? POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 3/16/2018 5:09 PM Copyright Cengage Learning. Powered by Cognero.

Page 13

SOURCE: Browsegrades.net


Name:

Class:

Date:

49. Explain how to use supportive material on a report.
ANSWER: Use supporting material such as figures, tables, data, and equations to help tell the story as it unfolds. Refer to this material in the text and integrate the points they make into your writing. Number figures and tables sequentially as they’re introduced (for example, Figure 1, Figure 2, and so forth with another sequence for Table 1, Table 2, and so on). Figure captions should supply descriptive information. In charts, label all axes and include units of measure. Insert a figure or table after the paragraph in which it’s first mentioned, or gather all supporting material in one place after the references section (before any appendixes).
POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 3/17/2018 2:27 PM

50. How should you explain examination and data collection methods?
ANSWER: Explain how you studied the problem, which should follow logically from the purpose of the report. Depending on the kind of data, this section might contain subsections on examination procedures, materials or equipment, data collection and sources, and analytical or statistical techniques. Supply enough detail for readers to understand what you did. Data collection is a critical portion of the report. Without good data recording in a lab notebook or file, completing a report beyond this point is futile. If your data collection process becomes the subject of discovery or examination, presenting data in a well-organized manner is important. Use tables in your report to illustrate how data was handled and examined. As mentioned, tables should be labeled clearly as to their content and numbered for ease of referral.
POINTS: 1 REFERENCES: Guidelines for Writing Reports QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 12/1/2017 1:00 PM DATE MODIFIED: 3/16/2018 5:13 PM

Chapter 15: Expert Testimony in Digital Investigations

True / False

1. As an expert witness, you have opinions about what you have found or observed. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 10:24 AM

2. You should create a formal checklist of your procedures that’s applied to all your cases or include such a checklist in your report. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 10:24 AM

3. As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 10:24 AM

4. Like a job resume, your CV should be geared for a specific trial. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: True / False

HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 10:24 AM

5. Part of what you have to deliver to the jury is a person they can trust to help them figure out something that’s beyond their expertise. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 10:24 AM

6. The chain of custody of evidence supports the integrity of your evidence. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/20/2018 3:44 PM DATE MODIFIED: 3/20/2018 3:45 PM

7. Depending on your attorney’s needs, you might give him or her just your opinion and technical expertise instead of testifying in court; this role is called an expert witness. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/20/2018 3:47 PM DATE MODIFIED: 3/20/2018 6:43 PM

8. Motion in limine includes voir dire of venireman, strikes, and seating of jurors. a. True b. False
ANSWER: False

POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/20/2018 3:49 PM DATE MODIFIED: 3/20/2018 3:50 PM

9. During opening statements, both attorneys provide an overview of the case, with the plaintiff’s attorney going last. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/20/2018 3:51 PM DATE MODIFIED: 3/20/2018 3:52 PM

10. Whether you’re serving as an expert witness or a fact witness, be professional and polite when presenting yourself to any attorney or the court. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/20/2018 3:52 PM DATE MODIFIED: 3/20/2018 3:53 PM

Multiple Choice

11. How many roles might a forensics examiner play in a trial? a. 2 b. 3 c. 4 d. 5
ANSWER: a POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 12:46 PM

12. In which type of testimony does the investigator present evidence and explain what it is and how it was obtained? a. Technical/scientific b. Expert c. Lay witness d. Real
ANSWER: a POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 12:47 PM

13. What should you use to verify evidence and thus ensure its integrity? a. Hash algorithms b. Watermarks c. Steganography d. Digital certificates
ANSWER: a POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 6/5/2018 3:06 PM

14. What should the forensics specialist keep updated and complete in order to support his or her role as an expert and document enhancement of skills through training, teaching, and experience? a. His or her testimony b. His or her CV c. The examination plan d. The deposition
ANSWER: b POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 12:52 PM

15. How often should the document describing your expertise and used to qualify your testimony be updated to reflect new cases and additional training? a. At least every 2 months b. At least every 3 months c. At least every 3 weeks d. At least every 5 weeks
ANSWER: b POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: Multiple Choice HAS VARIABLES: False

DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 6/5/2018 3:17 PM

16. Which motion provides a written list of objections to certain testimony or exhibits? a. A motion for nolle prosequi b. A Daubert motion c. A motion to dismiss d. Motion in limine
ANSWER: d POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:03 PM

17. What term refers to rejecting potential jurors? a. Voir dire b. Rebuttal c. Striking d. Venire
ANSWER: c POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:04 PM

18. What optional phase of a trial typically involves an issue raised during cross-examination of a witness? a. Rebuttal b. Conferencing c. Closing arguments d. In camera proceedings
ANSWER: a POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:52 PM

19. How close should a microphone be to the person testifying? a. 3 to 4 inches b. 4 to 5 inches c. 5 to 6 inches d. 6 to 8 inches
ANSWER: d POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Multiple Choice

HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:11 PM

20. How many years of education does the typical juror have? a. 9 b. 10 c. 11 d. 12
ANSWER: d POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:11 PM

21. What method might be used by opposing attorneys to prevent an investigator from serving on an important case? a. A motion to suppress b. A Daubert motion c. Counter-deposing d. Conflicting out
ANSWER: d POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:41 PM

22. What term refers to evidence that exonerates or diminishes the defendant’s liability? a. Rebuttal b. Direct c. Inculpatory d. Exculpatory
ANSWER: d POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:16 PM

23. What type of testimony occurs when the investigator answers questions from the attorney who hired the investigator? a. Direct b. Primary c. Lay d. Rebuttal
ANSWER: a POINTS: 1 REFERENCES: Testifying in Court

QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 6/5/2018 3:18 PM

24. What is the most important part of an investigator's testimony at a trial? a. Cross-examination b. Direct examination c. Rebuttal d. Redirect examination
ANSWER: b POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:19 PM

25. Generally, the best approach an attorney can take in direct examination is to ask the investigator what type of questions? a. Setup b. Open-ended c. Compound d. Rapid-fire
ANSWER: b POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:21 PM

26. Leading questions such as “Isn’t it true that forensics experts always destroy their handwritten notes” are referred to as what type of questions? a. Hypothetical b. Trick c. Setup d. Nested
ANSWER: c POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:23 PM

27. What type of questions ask several questions inside one question? a. Leading b. Hypothetical c. Compound d. Rapid-fire

ANSWER: c POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:24 PM

28. How is a deposition different from trial testimony?
a. Depositions follow a different pattern of examination
b. A deposition must take place at the court of jurisdiction
c. A deposition cannot be video recorded
d. No judge or jury is present during a deposition
ANSWER: d POINTS: 1 REFERENCES: Preparing for a Deposition or Hearing QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 6/5/2018 3:39 PM

29. Which type of deposition is used to give an opposing attorney the chance to conduct what amounts to a direct examination and cross-examination of a witness? a. Testimony preservation b. Discovery c. Preliminary d. Interrogatory
ANSWER: b POINTS: 1 REFERENCES: Preparing for a Deposition or Hearing QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:33 PM

30. Which practice is advisable when an investigator gives a deposition?
a. Pause before answering difficult questions to give your attorney time to object.
b. Avoid correcting even the most minor of errors made during the deposition.
c. Omit information that might be controversial or subject to alternative interpretations.
d. If asked, be harsh in criticism of other investigators.
ANSWER: a POINTS: 1 REFERENCES: Preparing for a Deposition or Hearing QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM

DATE MODIFIED: 5/8/2018 1:38 PM

Subjective Short Answer

31. What are the differences between a fact witness and an expert witness?
ANSWER: As a fact witness, you provide only the facts you have found in your investigation—any evidence that meets the relevance standard and is more probative than prejudicial. When you give technical or scientific testimony, you present this evidence and explain what it is and how it was obtained. You don’t offer conclusions, only the facts and ordinary inferences based on that evidence. However, as an expert witness, you have opinions about what you have found or observed. You form these opinions from experience and deductive reasoning based on facts found during an investigation. In fact, it’s your opinion that makes you an expert witness.
POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 2:32 PM

32. What should you do when preparing for testimony?
ANSWER: When preparing for testimony, establish communication early with your attorney. Before you start processing evidence, learn about the victim, the complainant, opposing experts or fact witnesses, and the opposing attorney as soon as possible. Learn the basic points of the dispute. As you learn about the case, take notes, but keep them in rough draft form and record only the facts, keeping your opinions to a minimum.
POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 2:34 PM

33. What are some of the questions you should consider when preparing your testimony?
ANSWER: Consider the following questions when preparing your testimony:
* What is the client’s overall theory of the case?
* What is my story of the case (the central facts relevant to my testimony)?
* What can I say with confidence?
* How does my opinion fit into the theory of the case?
* What is the scope of the case? Have I gone too far?
* Have I identified the client’s needs for how my testimony fits into the overall theory of the case?

POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 2:36 PM

34. What are some of the technical definitions that you should prepare before your testimony?
ANSWER: The following are examples of definitions to prepare ahead of time for your testimony:
* Digital forensics or computer forensics
* CRC-32, MD5, and SHA-1 hashing algorithms
* Image files and bit-stream copies
* File slack and unallocated (free) space
* File timestamps
* Computer log files
* Folder or directory
* Hardware
* Software
* Operating system
POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 2:37 PM

35. What are some of the reasons to avoid contact with news media during a case?
ANSWER: Some legal actions generate interest from the news media, but you should avoid contact with news media, especially during a case, for the following reasons:
* Your comments could harm the case and create a record that can be used against you.
* You have no control over the context of the information a journalist publishes.
* You can’t rely on a journalist’s promises of confidentiality.
Journalists have been known to be aggressive in getting information, and their interests do not coincide with yours or your client’s. Be on guard at all times because your comments could be interpreted in a manner that taints your impartiality in this case and future cases. Even after the case is resolved, avoid discussing details with the press.
POINTS: 1 REFERENCES: Preparing for Testimony QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking

DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 2:39 PM

36. What are the procedures followed during a trial?
ANSWER: Before you are called to testify in court, you should become familiar with the usual procedures followed during a trial. First, your attorney examines you about your qualifications to demonstrate to the court that you are competent as an expert witness or a fact witness. The opposing counsel might then cross-examine you on your qualifications (perhaps in an attempt to discredit you). Next, your attorney guides you through your testimony, and then opposing counsel can cross-examine you on your testimony. Your attorney might then have an opportunity for redirect examination of material addressed in cross-examination. After your testimony, you might be called back to update your testimony, or you might be called as a rebuttal witness.
POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 3:19 PM

37. What should you do when you find exculpatory evidence?
ANSWER: If you’re working for a prosecutor in a criminal case and believe you have found exculpatory evidence (evidence that exonerates or diminishes the defendant’s liability), you have an obligation to ensure that the evidence isn’t concealed. Initially, you should report the evidence (emphasizing its exculpatory nature) to the prosecutor handling the case. Be sure you document communicating your concern to the prosecutor. If this information isn’t disclosed to the defense attorney in a reasonable time, you can report it to the prosecutor’s supervisor. Be sure to document this communication, too. Documentation of each attempt to induce disclosure and your reasoning is important to protect your reputation. If these efforts still don’t result in disclosure, you can report the lack of disclosure to the judge. Be sure you have documented your attempts to bring the matter to the prosecutor’s attention before bringing it to the judge. Don’t communicate directly with the defense attorney; reporting evidence to the judge fulfills your obligation.
POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 3:22 PM

38. How can you deal with rapid-fire questions during a cross-examination?
ANSWER: During examinations, lawyers aren’t supposed to ask another question until you have finished

answering the current question. However, the opposing counsel sometimes uses rapid-fire questions during cross-examination that are meant to throw you off. Taking a moment to turn toward the jury before you answer gives you more control over the timing and speed of the opposing attorney’s examination. Even though your attorney should object by saying, “Counsel has not allowed the witness to answer the question,” don’t be afraid to regroup and restate your answers if you get confused during your testimony. Jurors will sympathize because often they are confused by the opposing attorney’s questions, too.
POINTS: 1 REFERENCES: Testifying in Court QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:50 PM

39. Explain the differences between discovery deposition and testimony preservation deposition.
ANSWER: There are two types of depositions: discovery and testimony preservation. A discovery deposition is part of the discovery process for trial. The opposing attorney who requested the deposition often conducts the equivalent of a direct examination and a cross-examination. A testimony preservation deposition is usually requested by your client to preserve your testimony in case of schedule conflicts or health problems. These depositions are often video recorded in addition to the written transcript, and your testimony is entered by playing the video recording for the jury. In some cases, you can set the deposition at your laboratory or have lab facilities available, which can make it easier to conduct demonstrations and produce better testimony.
POINTS: 1 REFERENCES: Preparing for a Deposition or Hearing QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 3:28 PM

40. Briefly describe judicial hearings.
ANSWER: A judicial hearing is held in court to determine the admissibility of certain evidence before trial. No jury is present, but evidentiary suppression hearings are usually held early in the case to determine whether a criminal case moves forward or is dismissed. Generally, they focus more on your procedure in obtaining and preserving evidence than on the substance of the evidence or your opinion. They can also include the basis or authority (warrant or probable cause) for you conducting the examination. In most criminal cases, the defense attorney seeks to suppress any evidence for which there’s an arguable basis for rejection.
POINTS: 1 REFERENCES: Preparing for a Deposition or Hearing

QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic TOPICS: Critical Thinking DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 10:24 AM

Matching

Match each item with a statement below
a. Conflicting out
b. Curriculum vitae (CV)
c. Deposition
d. Discovery deposition
e. Expert witness
f. Fact witness
g. Testimony preservation deposition
h. Voir dire
i. Motion in limine
j. Closing arguments
REFERENCES: Preparing for a Deposition or Hearing Testifying in Court Preparing for Testimony QUESTION TYPE: Matching HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 3:43 PM

41. The opposing attorney sets the deposition and often conducts the equivalent of both direct and cross-examination. A discovery deposition is considered part of the discovery process.
ANSWER: d POINTS: 1

42. The practice of opposing attorneys trying to prevent you from testifying by claiming you have discussed the case with them and, therefore, have a conflict of interest.
ANSWER: a POINTS: 1

43. A deposition held to preserve your testimony in case of schedule conflicts or health problems; it’s usually video recorded in addition to the written transcript.
ANSWER: g POINTS: 1

44. A pretrial motion to exclude or limit the use of certain evidence because its potential to prejudice the jury would exceed its probative value.
ANSWER: i POINTS: 1

45. This type of testimony reports only the facts (findings of an investigation); no opinion is given in court.
ANSWER: f

POINTS: 1

46. In this qualification phase of testimony, your attorney asks you questions to elicit the qualifications that make you an expert witness.
ANSWER: h POINTS: 1

47. Give the opposing counsel a chance to preview your testimony before trial.
ANSWER: c POINTS: 1

48. An extensive outline of your professional history that includes education, training, work, and what cases you have worked on as well as training you have conducted or contributed to.
ANSWER: b POINTS: 1

49. This type of testimony reports opinions based on experience and facts gathered during an investigation.
ANSWER: e POINTS: 1

50. Statements that organize the evidence and state the applicable law.
ANSWER: j POINTS: 1

Chapter 16: Ethics for the Expert Witness

True / False

1. People need ethics to help maintain their balance, especially in difficult and contentious situations. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 10:24 AM

2. In the United States, there’s no state or national licensing body for digital forensics examiners. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/21/2018 5:31 PM

3. Experts should be paid in full for all previous work and for the anticipated time required for testimony. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 10:24 AM

4. Expert opinions cannot be presented without stating the underlying factual basis. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses QUESTION TYPE: True / False HAS VARIABLES: False

DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 10:24 AM

5. The American Bar Association (ABA) is a licensing body. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: Organizations with Codes of Ethics QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 3/20/2018 10:24 AM

6. When searching for specific record information, sometimes you see duplicate files with the same name that have different data runs, meaning the file was written to disk more than once on separate occasions. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: An Ethics Exercise QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/21/2018 6:29 PM DATE MODIFIED: 3/21/2018 6:30 PM

7. As an expert witness, you can't testify if you weren’t present when the event occurred. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/21/2018 6:39 PM DATE MODIFIED: 3/21/2018 6:40 PM

8. When you’re aware of a possible disqualification issue, bring it to the attention of the opposing attorney. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses

QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/21/2018 6:45 PM DATE MODIFIED: 3/21/2018 6:46 PM

9. No single source offers a definitive code of ethics for expert witnesses, so you must draw on standards from other organizations to form your own ethical standards. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: Organizations with Codes of Ethics QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/21/2018 6:48 PM DATE MODIFIED: 3/21/2018 6:49 PM

10. There are inherent conflicts between the goals of attorneys and the goals of scientists or technicians (experts). a. True b. False
ANSWER: True POINTS: 1 REFERENCES: Ethical Difficulties in Expert Testimony QUESTION TYPE: True / False HAS VARIABLES: False DATE CREATED: 3/21/2018 6:51 PM DATE MODIFIED: 3/21/2018 6:51 PM

Multiple Choice

11. What are the most important laws applying to attorneys and witnesses? a. Professional codes of conduct b. Rules of ethics c. Rules of evidence d. Professional ethics
ANSWER: c POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:52 PM

12. Forensic examiners may serve as what types of witnesses? a. Fact and expert b. Expert and direct

c. Expert and discovery d. Direct and professional
ANSWER: a POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:54 PM

13. What resource might attorneys use to search for information on expert witnesses? a. Disqualification banks b. Deposition banks c. Examination banks d. Cross-examination banks
ANSWER: b POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 6/5/2018 3:43 PM

14. What type of questions can give the investigator the factual structure to support and defend his or her opinion? a. Setup b. Compound c. Rapid-fire d. Hypothetical
ANSWER: d POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:56 PM

15. Which Federal Rule of Evidence is used to determine whether the expert is qualified and whether the expert opinion can be helpful? a. 702 b. 703 c. 704 d. 705
ANSWER: a POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:58 PM

16. Which Federal Rule of Evidence is used to determine whether the basis for testimony is adequate? a. 700 b. 701 c. 702 d. 703
ANSWER: d POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 2:43 PM

17. Which organization has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients? a. ISFCE b. IACIS c. ABA d. HTCIA
ANSWER: c POINTS: 1 REFERENCES: Organizations with Codes of Ethics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 1:07 PM

18. Which document offers comprehensive guidance for psychologists, with an entire section devoted to forensics activities? a. AMA’s Code of Conduct b. ABA’s Model Rule c. APA’s Ethics Code d. ABA’s Model Codes
ANSWER: c POINTS: 1 REFERENCES: Organizations with Codes of Ethics QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 2:02 PM

19. Which standard states that, to provide reliable and valid testimony, the expert has the “ethical responsibility to present a complete and unbiased picture of the . . . research relevant to the case at hand?” a. The APA standard b. The Daubert standard c. The ABA standard d. The IACIS standard
ANSWER: b POINTS: 1 REFERENCES: Ethical Difficulties in Expert Testimony QUESTION TYPE: Multiple Choice HAS VARIABLES: False

DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 2:43 PM

20. Attorneys who contact many experts as a ploy to disqualify them or prevent opposing counsel from hiring them are using what practice? a. Conflicting out b. Blocking c. Disqualification d. Discrimination
ANSWER: a POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 2:50 PM

21. Which outcome, when caused by an ethical lapse, could effectively be a death sentence for a career as an expert witness? a. Disqualification b. Discrimination c. Conflicting out d. Identification
ANSWER: a POINTS: 1 REFERENCES: Applying Ethics and Codes to Expert Witnesses QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 2:08 PM

22. How can an investigator minimize any challenges an opposing attorney could make to discredit the investigator's report or testimony?
a. Provide only nonspecific conclusions in written reports.
b. Include as much detail as possible, even when it is irrelevant to the issue
c. Avoid using technical terms when a lay term can convey a similar meaning
d. Be as thorough as possible during the forensic examination
ANSWER: d POINTS: 1 REFERENCES: An Ethics Exercise QUESTION TYPE: Multiple Choice HAS VARIABLES: False DATE CREATED: 3/20/2018 10:24 AM DATE MODIFIED: 5/8/2018 2:23 PM

23. In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous contact with an opposing party? a. Hewlett-Packard Co. v. EMC Corp b. Tidemann v. Nadler Golf Car Sales, Inc.

c. Wang Laboratories, Inc. v. Toshiba Corp
d. Tidemann v. Toshiba Corp
ANSWER: c  POINTS: 1  REFERENCES: Applying Ethics and Codes to Expert Witnesses
QUESTION TYPE: Multiple Choice  HAS VARIABLES: False  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 3/21/2018 6:27 PM

24. Suppose you have been hired to determine whether a corrupted file was intentionally altered or altered by a virus. Your forensic examination did not find evidence of a virus and did not find evidence of intentional alteration. What conclusion can you offer?
a. The file was accidentally corrupted.
b. The cause of the file's corruption is unknown.
c. The file was corrupted by unknown malware.
d. The file was corrupted by a software malfunction.
ANSWER: b  POINTS: 1  REFERENCES: An Ethics Exercise
QUESTION TYPE: Multiple Choice  HAS VARIABLES: False  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 5/8/2018 2:32 PM

25. Which action isn’t usually punitive, but can be embarrassing for the professional and potentially for the attorney who retained the professional?
a. Recertification  b. Conflicting out  c. Admonition  d. Disqualification
ANSWER: d  POINTS: 1  REFERENCES: Applying Ethics and Codes to Expert Witnesses
QUESTION TYPE: Multiple Choice  HAS VARIABLES: False  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 5/8/2018 2:16 PM

26. Which term refers to internalized rules used to measure one's own performance?
a. Norms  b. Ethics  c. Standards  d. Codes
ANSWER: b  POINTS: 1  REFERENCES: Applying Ethics and Codes to Expert Witnesses
QUESTION TYPE: Multiple Choice  HAS VARIABLES: False  DATE CREATED: 3/20/2018 10:24 AM

DATE MODIFIED: 5/8/2018 2:47 PM

27. Requesting which of these will deter attorneys from communicating with an investigator solely for the purpose of disqualifying that investigator?
a. A case list  b. A retainer  c. A juror list  d. A certification
ANSWER: b  POINTS: 1  REFERENCES: Applying Ethics and Codes to Expert Witnesses
QUESTION TYPE: Multiple Choice  HAS VARIABLES: False  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 5/8/2018 2:54 PM

28. Which of the following options would represent a valid retainer?
a. 2 to 8 hours of your usual billable rate  b. A verbal agreement  c. A complete discussion of an ongoing case  d. Dissemination of evidence
ANSWER: a  POINTS: 1  REFERENCES: Applying Ethics and Codes to Expert Witnesses
QUESTION TYPE: Multiple Choice  HAS VARIABLES: False  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 5/8/2018 2:34 PM

29. What is reduced by knowing who the parties in a case are?
a. The possibility of collaboration  b. The possibility of conflict of interest  c. The possibility of mistrial  d. The possibility of contradiction
ANSWER: b  POINTS: 1  REFERENCES: Applying Ethics and Codes to Expert Witnesses
QUESTION TYPE: Multiple Choice  HAS VARIABLES: False  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 5/8/2018 2:48 PM

30. What can a consultant who doesn't testify earn for finding testifying experts or investigative leads?
a. A contingency fee  b. A retainer  c. A stake in a case  d. A settlement percentage
ANSWER: a  POINTS: 1  REFERENCES: Applying Ethics and Codes to Expert Witnesses
QUESTION TYPE: Multiple Choice

HAS VARIABLES: False  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 5/8/2018 2:40 PM

Matching

Match each item with a statement below:
a. Ethics
b. Federal Rules of Evidence (FRE)
c. Disqualification
d. IACIS
e. Codes of professional conduct or responsibility
f. Contingency fees
g. Ethics Code
h. HTCIA
i. ISFCE
j. Expert witness
REFERENCES: Applying Ethics and Codes to Expert Witnesses; Organizations with Codes of Ethics
QUESTION TYPE: Matching  HAS VARIABLES: False  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 3/22/2018 3:22 PM

31. Provides a well-defined, simple guide for expected behavior of forensics examiners.
ANSWER: d  POINTS: 1

32. An organization that provides guidelines for its members in the form of a Code of Ethics on how they are expected to perform their duties as forensics examiners.
ANSWER: i  POINTS: 1

33. Prescribe the methods by which experts appear before the court.
ANSWER: b  POINTS: 1

34. APA's Ethical Principles of Psychologists and Code of Conduct.
ANSWER: g  POINTS: 1

35. Are not allowed except in certain limited circumstances.
ANSWER: f  POINTS: 1

36. Help you maintain your self-respect and the respect of your profession.
ANSWER: a  POINTS: 1

37. An organization that provides a detailed Code of Ethics of Professional Standards Conduct for its members.

ANSWER: h  POINTS: 1

38. Standards that others apply to you or that you're compelled to adhere to by external forces.
ANSWER: e  POINTS: 1

39. One of the effects of violating court rules or laws.
ANSWER: c  POINTS: 1

40. A type of witness that is expected to present unbiased, specialized, and technical evidence to a jury.
ANSWER: j  POINTS: 1

Subjective Short Answer

41. Briefly describe the issues related to an attorney’s “opinion shopping.”
ANSWER: If you’re going to have a long and productive career as an expert witness, beware of attorneys’ opinion shopping. An attorney might be willing to risk your career to improve the prospect of success in a case—and can always find another expert for the next case. The most effective way to prevent opinion shopping is to require that the attorney retaining your services send you enough material on the case for you to make an evaluation. Distinguishing opinion shopping from the process of attempting to disqualify experts by creating conflicts can be difficult, however.
POINTS: 1  REFERENCES: Applying Ethics and Codes to Expert Witnesses
QUESTION TYPE: Subjective Short Answer  HAS VARIABLES: False  STUDENT ENTRY MODE: Basic  TOPICS: Critical Thinking  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 3/21/2018 7:06 PM

42. What are some of the factors courts have used in determining whether to disqualify an expert?
ANSWER: Factors courts have used in determining whether to disqualify an expert include the following:
* Whether the attorney informed the expert that their discussions were confidential
* Whether the expert reviewed materials marked as confidential or attorney work product
* Whether the expert was asked to sign a confidentiality agreement
* Number of discussions held over a period of time
* The type of documents that were reviewed (publicly filed or confidential)
* The type of information conveyed to the expert—whether it included general or specific data or included confidential information, trial strategies, plans for method of proof, and so forth
* The amount of time involved in discussions or meetings between the expert and attorney
* Whether the expert provided the attorney with confidential information

* Whether the attorney formally retained the expert
* Whether the expert voiced concerns about being retained
* Whether the expert was requested to perform services for the attorney
* Whether the attorney compensated the expert
POINTS: 1  REFERENCES: Applying Ethics and Codes to Expert Witnesses
QUESTION TYPE: Subjective Short Answer  HAS VARIABLES: False  STUDENT ENTRY MODE: Basic  TOPICS: Critical Thinking  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 3/20/2018 10:24 AM

43. Describe some of the traps for unwary experts.
ANSWER: Expert witnesses should be cautious about the following potential traps, even though some aren’t laid deliberately:
* What are some differences between the attorney’s motives and the investigator’s duty that might affect how the investigator acts, or is expected to act, as an expert witness?
* Is the function of the expert witness in conflict with the investigator’s code of professional responsibility?
* Attorneys look at witnesses’ codes of professional responsibility based on organizations that they are members of. As an expert witness, you should anticipate that the opposing counsel will look at your organization memberships and those organizations’ codes of professional responsibility.
POINTS: 1  REFERENCES: Applying Ethics and Codes to Expert Witnesses
QUESTION TYPE: Subjective Short Answer  HAS VARIABLES: False  STUDENT ENTRY MODE: Basic  TOPICS: Critical Thinking  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 3/21/2018 7:10 PM

44. What are some of the most obvious ethical errors?
ANSWER: Avoid obvious ethical errors, such as the following:
* Don’t alter data or present false data.
* Don’t report work that was not done.
* Don’t ignore available contradictory data.
* Don’t do work beyond your expertise or competence.
* Don’t allow the attorney who retained you to influence your opinion in an unauthorized way. (Keep in mind that there are authorized points of influence, such as the attorney framing a hypothetical question for you or asking you to answer specific questions.)
* Don’t accept an assignment if it cannot reasonably be done in the allowed time.
* Don’t reach a conclusion before you have done complete research.
* Don’t fail to report possible conflicts of interest.
POINTS: 1

REFERENCES: Applying Ethics and Codes to Expert Witnesses  QUESTION TYPE: Subjective Short Answer  HAS VARIABLES: False  STUDENT ENTRY MODE: Basic  TOPICS: Critical Thinking  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 3/21/2018 7:11 PM

45. What are some of the guidelines included in the ISFCE code of ethics?
ANSWER: The ISFCE code of ethics includes guidelines such as the following:
* Maintain the utmost objectivity in all forensic examinations and present findings accurately.
* Conduct examinations based on established, validated principles.
* Testify truthfully in all matters before any board, court, or proceeding.
* Avoid any action that would appear to be a conflict of interest.
* Never misrepresent training, credentials, or association membership.
* Never reveal any confidential matters or knowledge learned in an examination without an order from a court of competent jurisdiction or the client’s express permission.
POINTS: 1  REFERENCES: Organizations with Codes of Ethics
QUESTION TYPE: Subjective Short Answer  HAS VARIABLES: False  STUDENT ENTRY MODE: Basic  TOPICS: Critical Thinking  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 3/20/2018 10:24 AM

46. What are some of the requirements included in the HTCIA core values?
ANSWER: In its bylaws, the International High Technology Crime Investigation Association (HTCIA) provides a detailed Code of Ethics of Professional Standards Conduct for its members. HTCIA core values include the following requirements related to testifying:
* The HTCIA values the Truth uncovered within digital information and the effective techniques used to uncover that Truth, so that no one is wrongfully convicted.
* The HTCIA values the Integrity of its members and the evidence they expose through common investigative and digital forensic best practices, including specialized techniques used to gather digital evidence.
POINTS: 1  REFERENCES: Organizations with Codes of Ethics
QUESTION TYPE: Subjective Short Answer  HAS VARIABLES: False  STUDENT ENTRY MODE: Basic  TOPICS: Critical Thinking  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 3/21/2018 7:14 PM

47. What are some of the standards for IACIS members that apply to testifying?
ANSWER: The standards for IACIS members that apply to testifying include the following:
* Maintain the highest level of objectivity in all forensic examinations and accurately present the facts involved.
* Examine and analyze evidence in a case thoroughly.
* Conduct examinations based upon established, validated principles.
* Render opinions having a basis that is demonstratively reasonable.
* Not withhold any findings, whether inculpatory or exculpatory, that would cause the facts of a case to be misrepresented or distorted.
POINTS: 1  REFERENCES: Organizations with Codes of Ethics
QUESTION TYPE: Subjective Short Answer  HAS VARIABLES: False  STUDENT ENTRY MODE: Basic  TOPICS: Critical Thinking  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 3/21/2018 7:15 PM

48. Why is it difficult to enforce any professional organization’s ethical guidelines?
ANSWER: Enforcing any professional organization’s ethical guidelines is difficult. The principles can be enforced only against members of the organization, and if the expert chooses to withdraw from the organization, there’s no effective mechanism to enforce the guidelines, unless the organization is a licensing agency. For forensics examiners testifying as experts, this means an organization has limited influence over examiners as witnesses, in the form of peer pressure and reputation among peers. In addition, without a specific organization to oversee and comment on current expert testimony standards or transgressions, it’s difficult to identify and investigate violations or to apprise an organization’s members of acceptable methodologies and standards.
POINTS: 1  REFERENCES: Ethical Difficulties in Expert Testimony
QUESTION TYPE: Subjective Short Answer  HAS VARIABLES: False  STUDENT ENTRY MODE: Basic  TOPICS: Critical Thinking  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 3/21/2018 7:17 PM

49. What are the ethical responsibilities owed to you by your attorney?
ANSWER: Your attorney owes you a fair statement of the case or situation, adequate time to review evidence and prepare your report, and a reasonable opportunity to examine data, conduct testing, and investigate the matter before rendering an opinion. If the attorney wants you to render an opinion quickly and without adequate opportunity to review, be cautious. He might be trying to get you to commit based on inadequate information, or he’s trying to rush you because he hasn’t kept track of critical dates and is under pressure to meet a deadline. The attorney might also hold you under subpoena for an excessive amount of time waiting to testify. This might reflect difficulties in anticipating the amount of time required for other witnesses’ testimony; however, you should be paid for the waiting time per the fee

agreement. Making any portion of your fee dependent on a favorable report is inappropriate and should be a breach of the fee agreement. You are owed fair compensation for your time and work under the terms of the fee agreement.
POINTS: 1  REFERENCES: Ethical Difficulties in Expert Testimony
QUESTION TYPE: Subjective Short Answer  HAS VARIABLES: False  STUDENT ENTRY MODE: Basic  TOPICS: Critical Thinking  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 3/20/2018 10:24 AM

50. Why would the use of standard tools, such as those that are commercially created, be preferable over personally created tools?
ANSWER: The tools you use to recover, control, and track evidence are subject to review by opposing parties. If the court deems them unreliable, the evidence you recovered with them might not be admitted or might be admitted with a limiting instruction. If you use standard tools—commonly used tools or commercially available tools—you simplify the process of validating them. Tools you've created, if they’re designed for a specific purpose and have been tested adequately to validate their accuracy for that purpose, might have advantages that you can demonstrate to a judge, who ultimately determines whether evidence is admissible. For example, a tool you’ve created could be more compact or run more efficiently than other comparable tools. You’re still required to validate these personal tools, however, and might have to share their source code for analysis. Remember that “borrowing” code from other products or incorporating other tools into your own without acknowledgment or paying royalties could be a violation of copyright law and is considered theft. In addition, it can result in major embarrassment for you, could have serious criminal and civil liability implications, and could adversely affect the attorney who retained you.
POINTS: 1  REFERENCES: Ethical Difficulties in Expert Testimony
QUESTION TYPE: Subjective Short Answer  HAS VARIABLES: False  STUDENT ENTRY MODE: Basic  DATE CREATED: 3/20/2018 10:24 AM  DATE MODIFIED: 3/21/2018 7:24 PM
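The point in question 50 that a personally created tool must still be validated before its results go into a report is shown below as an added example; it is not code from the textbook or from any named forensic product. The tool under test, `carve_emails`, is a hypothetical home-grown keyword carver, and the test image is constructed in memory with artifacts planted at known offsets, so the expected results are known in advance (a known-answer test). The harness records what an examiner would want in a validation file to show a judge: the ground truth, what the tool found and missed, and SHA-256 digests of the evidence file before and after the run to prove the tool did not alter what it read. A deliberately naive variant, `naive_carve_emails`, is included to show the kind of defect the test catches: a hit that straddles a read-buffer boundary.

```python
"""Validation harness for a home-grown forensic tool.

Added example, not code from the textbook or any vendor product. The tool
under test (carve_emails) and the test image are hypothetical: the image is
constructed here with artifacts planted at known offsets, so the expected
results are known in advance (a known-answer test).
"""
import hashlib
import os
import re
import tempfile

# Tool under test: a chunked keyword carver for e-mail addresses in a raw image.
# It keeps an overlap between reads so a hit that straddles a chunk boundary is
# still seen whole; dropping that overlap is the defect naive_carve_emails has.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CHUNK = 4096     # bytes read per iteration
OVERLAP = 256    # must be >= the longest artifact the tool is expected to find


def carve_emails(path):
    """Return a sorted list of (absolute_offset, address) found in the file."""
    hits = {}      # offset -> address; a partial hit at a chunk tail is
    tail = b""     # overwritten by the full hit on the next pass
    pos = 0
    with open(path, "rb") as f:
        while True:
            data = f.read(CHUNK)
            if not data:
                break
            buf = tail + data
            base = pos - len(tail)          # file offset of buf[0]
            for m in EMAIL_RE.finditer(buf):
                hits[base + m.start()] = m.group().decode("ascii")
            tail = buf[-OVERLAP:]
            pos += len(data)
    return sorted(hits.items())


def naive_carve_emails(path):
    """Same carver with no overlap: it cannot see a hit split across two reads."""
    hits = []
    pos = 0
    with open(path, "rb") as f:
        while True:
            data = f.read(CHUNK)
            if not data:
                break
            for m in EMAIL_RE.finditer(data):
                hits.append((pos + m.start(), m.group().decode("ascii")))
            pos += len(data)
    return sorted(hits)


def build_test_image(path):
    """Write a constructed 16 KiB image: zero fill plus three planted addresses.

    Returns the ground truth as a sorted list of (offset, address). One artifact
    is placed 8 bytes before the first chunk boundary so it spans two reads.
    """
    planted = [
        (100, "alice@example.com"),
        (CHUNK - 8, "boundary@example.org"),
        (3 * CHUNK + 512, "carol@test.example"),
    ]
    img = bytearray(4 * CHUNK)          # zero bytes cannot match EMAIL_RE
    for off, addr in planted:
        img[off:off + len(addr)] = addr.encode("ascii")
    with open(path, "wb") as f:
        f.write(img)
    return sorted(planted)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def validate_tool(tool, workdir=None):
    """Known-answer test plus an evidence-integrity check.

    Returns a summary dict suitable for the tool's validation record."""
    workdir = workdir or tempfile.mkdtemp(prefix="toolval-")
    image = os.path.join(workdir, "test.img")
    expected = build_test_image(image)
    before = sha256_file(image)
    found = tool(image)
    after = sha256_file(image)
    missed = sorted(set(expected) - set(found))
    false_positives = sorted(set(found) - set(expected))
    return {
        "tool": tool.__name__,
        "image_sha256_before": before,
        "image_sha256_after": after,
        "evidence_unchanged": before == after,
        "expected": len(expected),
        "found": len(found),
        "missed": missed,
        "false_positives": false_positives,
        "passed": before == after and not missed and not false_positives,
    }


if __name__ == "__main__":
    for tool in (carve_emails, naive_carve_emails):
        r = validate_tool(tool)
        print(f"{r['tool']}: {'PASS' if r['passed'] else 'FAIL'} "
              f"missed={r['missed']} false_positives={r['false_positives']}")
```

Run as-is, the overlapping carver passes and the naive one fails on the planted boundary artifact while leaving the image hash unchanged. The summary dict is the part worth keeping: a dated copy of it per tool version, together with the test image's hash, is the kind of validation record that lets you answer "how do you know your tool works?" on cross-examination without relying on memory.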
