
Source: s3.amazonaws.com/prealliance_oneclass_sample/wo01GxLR7A.pdf

http://quizlet.com/12459315/computer-forensics-flash-cards/

Some Reviews for Midterm

True/False

_T_ 1. By the 1970s, electronic crimes were increasing, especially in the financial sector.

_T__ 2. To be a successful computer forensics investigator, you must be familiar with more than one computing platform.

_F__ 3. Computer investigations and forensics fall into the same category: public investigations.

_F__ 4. The law of search and seizure protects the rights of all people, excluding people suspected of crimes.

_T__ 5. After a judge approves and signs a search warrant, it’s ready to be executed, meaning you can collect evidence as defined by the warrant.

_T__ 6. Chain of custody is also known as chain of evidence.

_T__ 7. Employees surfing the Internet can cost companies millions of dollars.

_F__ 8. You cannot use both multi-evidence and single-evidence forms in your investigation.

_T__ 9. Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data.

_F__ 10. A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible.

_T__ 11. Performing a forensic analysis of a disk 200 GB or larger can take several days and often involves running imaging software overnight and on weekends.

_F__ 12. Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses.

_F__ 13. If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately.

_T__ 14. A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.

_T__ 15. Computing systems in a forensics lab should be able to process typical cases in a timely manner.

_F__ 16. One advantage with live acquisitions is that you are able to perform repeatable processes.

_F__ 17. The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file.

_T__ 18. Many acquisition tools don’t copy data in the host protected area (HPA) of a disk drive.

_T__ 19. FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing.

_F__ 20. Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.

_F__ 21. ISPs can investigate computer abuse committed by their customers.

_T__ 22. If a corporate investigator follows police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.


_T__ 23. A judge can exclude evidence obtained from a poorly worded warrant.

_T__ 24. The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene’s immediate location.

____ 25. Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.

Multiple Choice

____ 26. The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence.
a. Federal Rules of Evidence (FRE)
b. Department of Defense Computer Forensics Laboratory (DCFL)
c. DIBS
d. Computer Analysis and Response Team (CART)

____ 27. ____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
a. Data recovery
b. Network forensics
c. Computer forensics
d. Disaster recovery

____ 28. ____ involves preventing data loss by using backups, uninterruptible power supply (UPS) devices, and off-site monitoring.
a. Computer forensics
b. Data recovery
c. Disaster recovery
d. Network forensics

____ 29. The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.
a. network intrusion detection
b. computer investigations
c. incident response
d. litigation

____ 30. By the early 1990s, the ____ introduced training on software for forensics investigations.
a. IACIS
b. FLETC
c. CERT
d. DDBIA

____ 31. In the Pacific Northwest, ____ meets monthly to discuss problems that law enforcement and corporations face.
a. IACIS
b. CTIN
c. FTK
d. FLETC

____ 32. In a ____ case, a suspect is tried for a criminal offense, such as burglary, murder, or molestation.
a. corporate
b. civil
c. criminal
d. fourth amendment

____ 33. In general, a criminal case follows three stages: the complaint, the investigation, and the ____.
a. litigation
b. allegation
c. blotter
d. prosecution

____ 34. Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
a. litigation
b. allegation
c. blotter
d. prosecution

____ 35. In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.
a. blotter
b. exhibit report
c. litigation report
d. affidavit

Computer Forensic- Midterm


____ 36. It’s the investigator’s responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.
a. litigation
b. prosecution
c. exhibits
d. reports

____ 37. The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.
a. notarized
b. examined
c. recorded
d. challenged

____ 38. Published company policies provide a(n) ____ for a business to conduct internal investigations.
a. litigation path
b. allegation resource
c. line of allegation
d. line of authority

____ 39. A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
a. warning banner
b. right of privacy
c. line of authority
d. right banner

____ 40. A(n) ____ is a person using a computer to perform routine tasks other than systems administration.
a. complainant
b. user banner
c. end user
d. investigator

____ 41. Without a warning banner, employees might have an assumed ____ when using a company’s computer systems and network accesses.
a. line of authority
b. right of privacy
c. line of privacy
d. line of right

____ 42. In addition to warning banners that state a company’s rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations.
a. authorized requester
b. authority of line
c. line of right
d. authority of right

____ 43. Most computer investigations in the private sector involve ____.
a. e-mail abuse
b. misuse of computing assets
c. Internet abuse
d. VPN abuse

____ 44. Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer.
a. silver-tree
b. gold-tree
c. silver-platter
d. gold-platter

____ 45. Your ____ as a computer investigation and forensics analyst is critical because it determines your credibility.
a. professional policy
b. oath
c. line of authority
d. professional conduct

____ 46. Maintaining ____ means you must form and sustain unbiased opinions of your cases.
a. confidentiality
b. objectivity
c. integrity
d. credibility

____ 47. The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court.
a. acquisition plan
b. chain of custody
c. evidence path
d. evidence custody

____ 48. When preparing a case, you can apply ____ to problem solving.
a. standard programming rules
b. standard police investigation
c. standard systems analysis steps
d. bottom-up analysis

____ 49. The list of problems you normally expect in the type of case you are handling is known as the ____.
a. standard risk assessment
b. chain of evidence
c. standard problems form
d. problems checklist form

____ 50. The basic plan for your investigation includes gathering the evidence, establishing the ____, and performing the forensic analysis.
a. risk assessment
b. nature of the case
c. chain of custody
d. location of the evidence

____ 51. A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence.
a. evidence custody form
b. risk assessment form
c. initial investigation form
d. evidence handling form

____ 52. Use ____ to secure and catalog the evidence contained in large computer components.
a. Hefty bags
b. regular bags
c. paper bags
d. evidence bags

____ 53. ____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab.
a. An antistatic wrist band
b. Padding
c. An antistatic pad
d. Tape

____ 54. ____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats.
a. VPN
b. Internet
c. E-mail
d. Phone

____ 55. To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____.
a. mobile workstation
b. forensic workstation
c. forensic lab
d. recovery workstation

____ 56. You can use ____ to boot to Windows without writing any data to the evidence disk.
a. a SCSI boot up disk
b. a Windows boot up disk
c. a write-blocker
d. Windows XP

____ 57. To begin conducting an investigation, you start by ____ the evidence using a variety of methods.
a. copying
b. analyzing
c. opening
d. reading

____ 58. A ____ is a bit-by-bit copy of the original storage medium.
a. preventive copy
b. recovery copy
c. backup copy
d. bit-stream copy

____ 59. A bit-stream image is also known as a(n) ____.
a. backup copy
b. forensic copy
c. custody copy
d. evidence copy

____ 60. To create an exact image of an evidence disk, copying the ____ to a target work disk that’s identical to the evidence disk is preferable.
a. removable copy
b. backup copy
c. bit-stream image
d. backup image

____ 61. ____ from Technology Pathways is a forensics data analysis tool. You can use it to acquire and analyze data from several different file systems.
a. Guidance EnCase
b. NTI SafeBack
c. DataArrest SnapCopy
d. ProDiscover Basic


____ 62. Forensics tools such as ____ can retrieve deleted files for use as evidence.
a. ProDiscover Basic
b. ProDelete
c. FDisk
d. GainFile

____ 63. When analyzing digital evidence, your job is to ____.
a. recover the data
b. destroy the data
c. copy the data
d. load the data

____ 64. ____ can be the most time-consuming task, even when you know exactly what to look for in the evidence.
a. Evidence recovery
b. Data recovery
c. Data analysis
d. Evidence recording

____ 65. When you write your final report, state what you did and what you ____.
a. did not do
b. found
c. wanted to do
d. could not do

____ 66. In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____.
a. checked values
b. verification
c. evidence backup
d. repeatable findings

____ 67. After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____.
a. critique the case
b. repeat the case
c. present the case
d. read the final report

____ 68. A ____ is where you conduct your investigations, store evidence, and do most of your work.
a. forensic workstation
b. computer forensics lab
c. storage room
d. workbench

____ 69. Lab costs can be broken down into daily, ____, and annual expenses.
a. weekly
b. monthly
c. bimonthly
d. quarterly

____ 70. ____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
a. HTCN reports
b. IDE reports
c. Uniform crime reports
d. ASCLD reports

____ 71. Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Windows File System.
a. NTFS
b. ext3
c. FAT24
d. ext2

____ 72. ____ was created by police officers who wanted to formalize credentials in computing investigations.
a. HTCN
b. NISPOM
c. TEMPEST
d. IACIS

____ 73. IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer forensics.
a. 2
b. 3
c. 4
d. 5

____ 74. What HTCN certification level requires candidates have three years of investigative experience in any discipline from law enforcement or corporate or have a college degree with one year of experience in investigations?
a. Certified Computer Crime Investigator, Basic Level
b. Certified Computer Crime Investigator, Advanced Level
c. Certified Computer Forensic Technician, Basic
d. Certified Computer Forensic Technician, Advanced

____ 75. To preserve the integrity of evidence data, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.
a. secure workstation
b. secure workbench
c. protected PC
d. secure facility

____ 76. The EMR from a computer monitor can be picked up as far away as ____ mile.
a. 1/4
b. 1/2
c. 3/4
d. 1

____ 77. Defense contractors during the Cold War were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____.
a. TEMPEST
b. RAID
c. NISPOM
d. EMR

____ 78. A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.
a. gypsum
b. steel
c. wood
d. expanded metal

____ 79. Floors and carpets in your computer forensic lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.
a. once
b. twice
c. three times
d. four times

____ 80. One way to investigate older and unusual computing systems is to keep track of ____ that still use these systems.
a. AICIS lists
b. uniform reports
c. SIGs
d. Minix

____ 81. A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you’re analyzing.
a. disaster recovery
b. risk management
c. configuration management
d. security

____ 82. You should have at least one copy of your backups on site and a duplicate copy or a previous copy of your backups stored in a safe ____ facility.
a. in-site
b. storage
c. off-site
d. online

____ 83. In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery.
a. configuration management
b. risk assessment
c. recovery logging
d. change management

____ 84. For labs using high-end ____ servers (such as Digital Intelligence F.R.E.D.C. or F.R.E.D.M.), you must consider methods for restoring large data sets.
a. RAID
b. ISDN
c. WAN
d. TEMPEST

____ 85. ____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.
a. Risk configuration
b. Change management
c. Configuration management
d. Risk management

____ 86. Computing components are designed to last 18 to ____ months in normal business operations.
a. 24
b. 30
c. 36
d. 42

____ 87. In the ____, you justify acquiring newer and better resources to investigate computer forensics cases.
a. risk evaluation
b. business case
c. configuration plan
d. upgrade policy

____ 88. By using ____ to attract new customers or clients, you can justify future budgets for the lab’s operation and staff.
a. pricing
b. marketing
c. budgeting
d. changing

____ 89. For computer forensics, ____ is the task of collecting digital evidence from electronic media.
a. hashing
b. data acquisition
c. lossy compression
d. lossless compression

____ 90. One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors’ computer forensics analysis tools.
a. proprietary
b. raw
c. AFF
d. AFD

____ 91. Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
a. live
b. online
c. real-time
d. static

____ 92. If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.
a. passive
b. static
c. live
d. local

____ 93. The most common and flexible data-acquisition method is ____.
a. Disk-to-disk copy
b. Disk-to-network copy
c. Disk-to-image file copy
d. Sparse data copy

____ 94. SafeBack and SnapCopy must run from a(n) ____ system.
a. UNIX
b. MS-DOS
c. Linux
d. Solaris

____ 95. If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.
a. lossless
b. disk-to-disk
c. sparse
d. disk-to-image

____ 96. Image files can be reduced by as much as ____% of the original.
a. 15
b. 25
c. 30
d. 50

____ 97. Microsoft has recently added ____ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult.
a. whole disk encryption
b. backup utilities
c. recovery wizards
d. NTFS

____ 98. Linux ISO images are referred to as ____.
a. ISO CDs
b. Live CDs
c. Forensic Linux
d. Linux in a Box

____ 99. The ____ command displays pages from the online help manual for information on Linux commands and their options.
a. cmd
b. hlp
c. inst
d. man

____ 100. The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
a. fdisk
b. dd
c. man
d. raw

____ 101. The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions.
a. raw
b. bitcopy
c. dcfldd
d. man

____ 102. Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.
a. rcsum
b. shasum
c. hashsum
d. sha1sum

____ 103. The ____ DOS program En.exe requires using a forensic MS-DOS boot floppy or CD and a network crossover cable.
a. ProDiscover
b. ILook
c. DIBS USA
d. EnCase

____ 104. EnCase Enterprise is set up with an Examiner workstation and a Secure Authentication for EnCase (____) workstation.
a. ILook
b. SAFE
c. Incident Response
d. Investigator

____ 105. SnapBack DatArrest runs from a true ____ boot floppy.
a. UNIX
b. Linux
c. Mac OS X
d. MS-DOS

____ 106. SnapBack DatArrest can perform a data copy of an evidence drive in ____ ways.
a. two
b. three
c. four
d. five

____ 107. ____ is the only automated disk-to-disk tool that allows you to copy data to a slightly smaller target drive than the original suspect’s drive.
a. SafeBack
b. EnCase
c. SnapCopy
d. SMART

____ 108. SafeBack performs a(n) ____ calculation for each sector copied to ensure data integrity.
a. SHA-1
b. MC5
c. SHA-256
d. MC4

____ 109. ____ has developed the Rapid Action Imaging Device (RAID) to make forensically sound disk copies.
a. DIBS USA
b. EnCase
c. ProDiscover
d. ILook

____ 110. Most federal courts have interpreted computer records as ____ evidence.
a. conclusive
b. regular
c. hearsay
d. direct

____ 111. Generally, computer records are considered admissible if they qualify as a ____ record.
a. hearsay
b. business
c. computer-generated
d. computer-stored

____ 112. ____ records are data the system maintains, such as system log files and proxy server logs.
a. Computer-generated
b. Business
c. Computer-stored
d. Hearsay

____ 113. The FOIA was originally enacted in the ____.
a. 1940s
b. 1950s
c. 1960s
d. 1970s

____ 114. Investigating and controlling computer incident scenes in the corporate environment is ____ in the criminal environment.
a. much easier than
b. as easy as
c. as difficult as
d. more difficult than

____ 115. Every business or organization must have a well-defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a ____ that a law or policy is being violated.
a. confirmed suspicion
b. proof
c. court order stating
d. reasonable suspicion

____ 116. Confidential business data included with the criminal evidence are referred to as ____ data.
a. commingled
b. exposed
c. public
d. revealed

____ 117. ____ is facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed.
a. Reasonable cause
b. Probable cause
c. A subpoena
d. A warrant

____ 118. Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.
a. evidence custody form
b. FOIA form
c. affidavit
d. warrant

____ 119. Environmental and ____ issues are your primary concerns when you’re working at the scene to gather information about an incident or a crime.
a. legal
b. safety
c. corporate
d. physical

____ 120. When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to prevent a hard disk from overheating to prevent damage.
a. 80
b. 90
c. 95
d. 105

____ 121. With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
a. bit-stream copy utility
b. extensive-response field kit
c. initial-response field kit
d. seizing order

____ 122. A(n) ____ should include all the tools you can afford to take to the field.
a. initial-response field kit
b. extensive-response field kit
c. forensic lab
d. forensic workstation

____ 123. Courts consider evidence data in a computer as ____ evidence.
a. physical
b. invalid
c. virtual
d. logical

____ 124. Evidence is commonly lost or corrupted through ____, which involves police officers and other professionals who aren’t part of the crime scene processing team.
a. onlookers
b. HAZMAT teams
c. FOIA laws
d. professional curiosity

____ 125. When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data.
a. Homeland Security Department
b. Patriot Act
c. U.S. DoJ
d. U.S. DoD

____ 126. During an investigation involving a live computer, do not cut electrical power to the running system unless it’s an older ____ or MS-DOS system.
a. Windows XP
b. Windows 9x
c. Windows NT
d. Windows Me

____ 127. Certain files, such as the ____ and Security log in Windows XP, might lose essential network activity records if the power is terminated without a proper shutdown.
a. Password log
b. Word log
c. Io.sys
d. Event log

____ 128. One technique for extracting evidence from large systems is called ____.
a. RAID copy
b. RAID imaging
c. large evidence file recovery
d. sparse acquisition

____ 129. Real-time surveillance requires ____ data transmissions between a suspect’s computer and a network server.
a. poisoning
b. sniffing
c. blocking
d. preventing

____ 130. The most common computer-related crime is ____.
a. homicide
b. check fraud
c. car stealing
d. sniffing

Short Answer

131. Briefly describe the triad that makes up computer security.

132. Briefly describe the main characteristics of public investigations.

133. Briefly describe the main characteristics of private investigations.

134. What questions should an investigator ask to determine whether a computer crime was committed?

135. What are the three levels of law enforcement expertise established by CTIN?

136. What are some of the most common types of corporate computer crime?

137. What is embezzlement?

138. Briefly describe corporate sabotage.

139. What text can be used in internal warning banners?

140. Mention examples of groups that should have direct authority to request computer investigations in the corporate environment.

141. What should you do to handle evidence contained in large computer components?

142. What is required to conduct an investigation involving Internet abuse?

143. What is required to conduct an investigation involving e-mail abuse?

144. What are the differences between computer forensics and data recovery?

145. Describe some of the technologies used with hardware write-blocker devices. Identify some of the more commonly used vendors and their products.

146. What are the items you need when setting up your workstation for computer forensics?

147. What additional items are useful when setting up a forensic workstation?


148. What items are needed when gathering the resources you identified in your investigation plan?

149. Describe the process of creating a bit-stream copy of an evidence disk.

150. Mention six important questions you should ask yourself when critiquing your work.

151. What are the duties of a lab manager?

152. Provide a brief explanation of how to plan a lab budget.

153. What are the four levels of certification offered by HTCN?

154. What are the minimum requirements for a computer investigation and forensics lab?

155. Illustrate a proper way of disposing of materials in your computer investigation lab.

156. Give a brief explanation of a computer forensics lab auditing process.

157. Briefly outline the process of selecting workstations for a police computer investigation lab.

158. What peripheral devices should be stocked in your computer forensics lab?

159. Discuss the use of a laptop PC as a forensic workstation.

160. What are the questions you need to ask when planning the justification step of a business case?

161. What are the advantages and disadvantages of using raw data acquisition format?

162. What are some of the features offered by proprietary data acquisition formats?

163. What are some of the design goals of AFF?

164. Explain the sparse data copy method for acquiring digital evidence.

165. What are the considerations you should have when deciding what data-acquisition method to use on your investigation?

166. Explain the use of hash algorithms to verify the integrity of lossless compressed data.

167. What are the advantages and disadvantages of using Windows acquisition tools?

168. What are the steps to update the Registry for Windows XP SP2 to enable write-protection with USB devices?

169. What are some of the main characteristics of Linux ISO images designed for computer forensics?

170. What are the requirements for acquiring data on a suspect computer using Linux?

171. Why should companies publish a policy stating their right to inspect computing assets at will?

172. Illustrate with an example the problems caused by commingled data.

173. Briefly describe the process of obtaining a search warrant.

174. What is the plain view doctrine?

175. How can you determine who is in charge of an investigation?

176. Describe the process of preparing an investigation team.

177. How can you secure a computer incident or crime scene?

178. Give some guidelines on how to video record a computer incident or crime scene.


179. Describe how to use a journal when processing a major incident or crime scene.

180. What should you do when working on an Internet investigation and the suspect’s computer is on?
