Assignment
Q1. The sale of sensitive or confidential company information to a competitor is known as _______.
a. industrial sabotage
b. industrial espionage
c. industrial collusion
d. industrial betrayal
Q2. What tool, currently maintained by the IRS Criminal Investigation Division and limited to use by law enforcement, can analyze and read special files that are copies of a disk?
a. AccessData Forensic Toolkit
b. DeepScan
c. ILook
d. Photorec
Q3. After the evidence has been presented in a trial by jury, the jury must deliver a(n) ______.
a. exhibit
b. affidavit
c. allegation
d. verdict
Q4. A TEMPEST facility is designed to accomplish which of the following goals?
a. Prevent data loss by maintaining consistent backups.
b. Shield sensitive computing systems and prevent electronic eavesdropping of computer emissions.
c. Ensure network security from the Internet using comprehensive security software.
d. Protect the integrity of data.
Q5. Which option below is not a recommendation for securing storage containers?
a. The container should be located in a restricted area.
b. Only authorized access should be allowed, and it should be kept to a minimum.
c. Evidence containers should remain locked when they aren't under direct supervision.
d. Rooms with evidence containers should have a secured wireless network.
Q6. What is the name of the Microsoft solution for whole disk encryption?
a. DriveCrypt
b. TrueCrypt
c. BitLocker
d. SecureDrive
Q7. What should you do while copying data on a suspect's computer that is still live?
a. Open files to view contents.
b. Make notes regarding everything you do.
c. Conduct a Google search of unknown extensions using the computer.
d. Check Facebook for additional suspects.
Q8. When seizing digital evidence in criminal investigations, whose standards should be followed?
a. U.S. DOJ
b. ISO/IEC
c. IEEE
d. ITU
Q9. As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state?
a. The power cable should be pulled.
b. The system should be shut down gracefully.
c. The power should be left on.
d. The decision should be left to the Digital Evidence First Responder (DEFR).
Q10. What is the purpose of the reconstruction function in a forensics investigation?
a. Re-create a suspect's drive to show what happened during a crime or incident.
b. Prove that two sets of data are identical.
c. Copy all information from a suspect's drive, including information that may have been hidden.
d. Generate reports or logs that detail the processes undertaken by a forensics investigator.
Q11. A keyword search is part of the analysis process within what forensic function?
a. reporting
b. reconstruction
c. extraction
d. acquisition
Q12. As part of a forensics investigation, you need to recover the logon and logoff history information on a Linux-based OS. Where can this information be found?
a. /var/log/utmp
b. /var/log/wtmp
c. /var/log/userlog
d. /var/log/system.log
Q13. What kind of graphics file combines bitmap and vector graphics types?
a. metafile
b. bitmap
c. jpeg
d. tif
Q14. What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords?
a. salted passwords
b. scrambled passwords
c. indexed passwords
d. master passwords
Q15. When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented?
a. Inventory and documentation information should be stored on a drive and then the drive should be reformatted.
b. Start the suspect's computer and begin collecting evidence.
c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
d. Connect the suspect's computer to the local network so that up-to-date forensics utilities can be utilized.
Q16. What processor instruction set is required in order to utilize virtualization software?
a. AMD-VT
b. Intel VirtualBit
c. Virtual Machine Extensions (VMX)
d. Virtual Hardware Extensions (VHX)
Q17. What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses?
a. tcpdump
b. Argus
c. Ngrep
d. Tcpslice
Q18. Select below the program within the PsTools suite that allows you to run processes remotely:
a. PsService
b. PsPasswd
c. PsRemote
d. PsExec
Q19. What information is not typically included in an e-mail header?
a. The sender's physical location
b. The originating IP address
c. The unique ID of the e-mail
d. The originating domain
Q20. What type of Facebook profile is usually only given to law enforcement with a warrant?
a. private profile
b. advanced profile
c. basic profile
d. Neoprint profile
Q21. Which e-mail recovery program below can recover files from VMware and VirtualPC virtual machines, as well as ISOs and other types of file backups?
a. Fookes Aid4mail
b. DataNumen Outlook Repair
c. EnCase Forensics
d. AccessData FTK
Q22. What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and taking pictures?
a. Manual extraction
b. Chip-off
c. Micro read
d. Logical extraction
Q23. Within NIST guidelines for mobile forensics methods, the ______________ method requires physically removing flash memory chips and gathering information at the binary level.
a. Chip-off
b. Logical extraction
c. Micro read
d. Manual extraction
Q24. Which of the following is NOT a service level for the cloud?
a. Platform as a service
b. Infrastructure as a service
c. Virtualization as a service
d. Software as a service
Q25. What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing?
a. Amazon EC2
b. IBM Cloud
c. Salesforce
d. HP Helion
Q26. With cloud systems running in a virtual environment, _______________ can give you valuable information before, during, and after an incident.
a. carving
b. live acquisition
c. RAM
d. snapshot
Q27. Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider?
a. search warrants
b. subpoenas
c. court orders
d. seizure order
Q28. Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as _______.
a. repeatable findings
b. reloadable steps
c. verifiable reporting
d. evidence reporting
Q29. A user with programming experience may use an assembler program (also called a __________) on a file to scramble bits, in order to secure the information contained inside.
a. compiler
b. shifter
c. macro
d. script
Q30. Which system below can be used to quickly and accurately match fingerprints in a database?
a. Fingerprint Identification Database (FID)
b. Systemic Fingerprint Database (SFD)
c. Automated Fingerprint Identification System (AFIS)
d. Dynamic Fingerprint Matching System (DFMS)