Embed Code - If you would like this activity on your web page, copy the script below and paste it into
your web page.
Normal Size Small Size show me how
| Question | Answer |
|---|
| Data streams can obscure valuable evidentiary data, intentionally or by coincidence
| true
|
| A ____ is a column of tracks on two or more disk platters.
| cylinder
|
| ____ is how most manufacturers deal with a platter’s inner tracks being shorter than its outer tracks.
| ZBR
|
| ____ is the file structure database that Microsoft originally designed for floppy disks.
| FAT
|
| ____ was introduced when Microsoft created Windows NT and is the primary file system for Windows Vista
| NTFS
|
| On an NTFS disk, immediately after the Partition Boot Sector is the ____.
| MFT
|
| Records in the MFT are referred to as ____.
| metadata
|
| In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each
| 1024
|
| The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition. These cluster addresses are referred to as ____.
| data runs
|
| When Microsoft introduced Windows 2000, it added built-in encryption to NTFS called ____.
| EFS
|
| The purpose of the ____ is to provide a mechanism for recovering encrypted files under EFS if there’s a problem with the user’s original private key.
| recovery certificate
|
| When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____.
| Registry
|
| ____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to NTLDR.
| NTDetect.com
|
| ____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS.
| NTBootdd.sys
|
| ____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %system-root%\Windows\System32\Drivers folder.
| Device drivers
|
| ____ is a hidden text file containing startup options for Windows 9x.
| Msdos.sys
|
| The ____ file provides a command prompt when booting to MS-DOS mode (DPMI).
| Command.com
|
| ____ is a text file containing commands that typically run only at system startup to enhance the computer’s DOS configuration.
| Config.sys
|
| ____ is a batch file containing customized settings for MS-DOS that runs automatically.
| Autoexec.bat
|
| A ____ allows you to create a representation of another computer on an existing physical computer.
| virtual machine
|
| In software acquisition, there are three types of data-copying methods.
| false
|
| To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
| true
|
| The Windows platforms have long been the primary command-line interface OSs.
| false
|
| After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
| true
|
| Computer forensics tools are divided into ____ major categories.
| 2
|
| Software forensics tools are commonly used to copy data from a suspect’s disk drive to a(n) ____.
| image file
|
| To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable.
| ms-dos
|
| Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command.
| dd
|
| ____ of data involves sorting and searching through all investigation data.
| Discrimination
|
| Many password recovery tools have a feature that allows generating potential lists for a ____ attack.
| password dictionary
|
| The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk.
| disk-to-disk
|
| To complete a forensic disk analysis and examination, you need to create a ____.
| report
|
| The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems.
| IBM
|
| In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network.
| Dir
|
| In general, forensics workstations can be divided into ____ categories.
| 3
|
| A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____.
| portable workstation
|
| ____ is a simple drive-imaging station.
| FIRE IDE
|
| ____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.
| Write-blockers
|
| Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0,and SCSI controllers.
| USB
|
| The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
| NIST
|
| The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.
| ISO 5725
|
| The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.
| NSRL
|
| The primary hash algorithm used by the NSRL project is ____.
| SHA-1
|
| One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex.
| disk editor
|
| Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file’s contents
| testing, compressed
|
| Macintosh OS X is built on a core called ____.
| Darwin
|
| In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.
| resource
|
| The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is ____.
| 65,535
|
| On older Macintosh OSs all information about the volume is stored in the ____.
| Master Directory Block (MDB)
|
| With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
| Volume Bitmap
|
| On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB).
| extents overflow file
|
| Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement.
| GPL
|
| The standard Linux file system is ____.
| Ext2fs
|
| Ext2fs can support disks as large as ____ TB and files as large as 2 GB.
| 4
|
| Linux is unique in that it uses ____, or information nodes, that contain descriptive information about each file or directory.
| inodes
|
| To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of ____.
| 0
|
| ____ components define the file system on UNIX.
| 4
|
| The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive.
| data block
|
| LILO uses a configuration file named ____ located in the /Etc directory.
| Lilo.conf
|
| Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of OSs.
| 1995
|
| On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive.
| /dev/hda1
|
| There are ____ tracks available for the program area on a CD.
| 99
|
| The ____ provides several software drivers that allow communication between the OS and the SCSI component.
| Advanced SCSI Programming Interface (ASPI)
|
| All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard ____ ribbon or shielded cable.
| 40-pin
|
| ATA-66,ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable.
| 100
|
| IDE ATA controller on an old 486 PC doesn’t recognize disk drives larger than 8.4 ____.
| GB
|
| FTK cannot analyze data from image files from other vendors.
| false
|
| A nonsteganographic graphics file has a different size than an identical steganographic graphics file.
| false
|
| ____ increases the time and resources needed to extract,analyze,and present evidence.
| scope creep
|
| You begin any computer forensics case by creating a(n) ____.
| investigation plan
|
| In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover.
| subpoenas
|
| There are ____ searching options for keywords which FTK offers.
| 2
|
| ____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search.
| Live
|
| The ____ search feature allows you to look for words with extensions such as “ing,”“ed,” and so forth.
| stemming
|
| In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period.
| indexed
|
| FTK and other computer forensics programs use ____ to tag and document digital evidence.
| bookmarks
|
| Getting a hash value with a ____ is much faster and easier than with a(n) ____.
| hexadecimal editor, computer forensics tool
|
| AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data.
| KFF
|
| Data ____ involves changing or manipulating a file to conceal information.
| hiding
|
| One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it.
| Norton DiskEdit
|
| Marking bad clusters data-hiding technique is more common with ____ file systems.
| FAT
|
| The term ____ comes from the Greek word for“hidden writing.”
| steganography
|
| ____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there.
| Steganography
|
| Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.
| key escrow
|
| People who want to hide data can also use advanced encryption programs, such as PGP or ____.
| BestCrypt
|
| ____ recovery is a fairly easy task in computer forensic analysis.
| Password
|
| ____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
| Brute-force
|
| ____ are handy when you need to image the drive of a computer far away from your location or when you don’t want a suspect to be aware of an ongoing investigation.
| Remote acquisitions
|
| ____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer’s file system.
| HDHOST
|
| With many computer forensics tools, you can open files with external viewers.
| true
|
| Steganography cannot be used with file formats other than image files.
| false
|
| ____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
| Vector graphics
|
| You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
| graphics editors
|
| ____ images store graphics information as grids of individual pixels.
| Bitmap
|
| The process of converting raw picture data to another format is referred to as ____.
| demosaicing
|
| The majority of digital cameras use the ____ format to store digital pictures
| EXIF
|
| ____ compression compresses data by permanently discarding bits of information in the file.
| Lossy
|
| Recovering pieces of a file is called ____.
| carving
|
| A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10.
| JPEG
|
| If you can’t open an image file in an image viewer, the next step is to examine the file’s ____.
| header data
|
| The uppercase letter ____ has a hexadecimal value of 41.
| "A"
|
| The image format XIF is derived from the more common ____ file format.
| TIFF
|
| The simplest way to access a file header is to use a(n) ____ editor
| hexadecimal
|
| The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03.
| XIF
|
| ____ is the art of hiding information inside image files.
| Steganography
|
| ____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
| Insertion
|
| ____ steganography replaces bits of the host file with other bits of data.
| Substitution
|
| In the following list, ____ is the only steg tool.
| Outguess
|
| ____ has also been used to protect copyrighted material by inserting digital watermarks into a file.
| Steganography
|
| When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations.
| copyright
|
| Under copyright laws, computer programs may be registered as ____.
| literary works
|
| Under copyright laws, maps and architectural plans may be registered as ____.
| pictorial, graphic, and sculptural works
|
| A graphics program creates and saves one of three types of image files: bitmap, vector, or ____________________.
| metafile
|
| ____________________ is the process of coding of data from a larger form to a smaller form.
| Data compression
|
| The ____________________ is the best source for learning more about file formats and their associated extensions.
| internet
|
| All ____________________ files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 2A.
| TIFF
|
| The two major forms of steganography are ____________________ and substitution.
| insertion
|
| ____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.
| Network forensics
|
| ____ forensics is the systematic tracking of incoming and outgoing traffic on your network.
| Network
|
| A common way of examining network traffic is by running the ____ program.
| Tcpdump
|
| ____ is a popular network intrusion detection system that performs packet capture and analysis in real time.
| Snort
|
| ____ is the U.S. DoD computer forensics lab’s version of the dd command that comes with Knoppix-STD.
| dcfldd
|
| ____ are devices and/or software placed on a network to monitor traffic.
| Packet sniffers
|
| Most packet sniffers operate on layer 2 or ____ of the OSI model.
| 3
|
| ____ is the text version of Ethereal, a packet sniffer tool.
| Tethereal
|
| The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.
| Honeynet
|
| Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack.
| zombies
|
| E-mail messages are distributed from one central server to many connected client computers, a configuration called ____.
| client/server architecture
|
| With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
| GUI
|
| When working on a Windows environment you can press ____ to copy the selected text to the clipboard.
| Ctrl+C
|
| To retrieve an Outlook Express e-mail header right-click the message, and then click ____ to open a dialog box showing general information about the message.
| Properties
|
| In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.
| .pst
|
| ____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names.
| www.freeality.com
|
| ____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside.
| /etc/sendmail.cf
|
| Typically, UNIX installations are set to store logs such as maillog in the ____ directory.
| /var/log
|
| In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.
| checkpoint
|
| The Novell e-mail server software is called ____.
| GroupWise
|
| Developed during WWII, this technology,____, was patented by Qualcomm after the war.
| CDMA
|
| The ____ digital network divides a radio frequency into time slots.
| TDMA
|
| TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life.
| IS-136
|
| Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips.
| EEPROM
|
| ____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM.
| SIM
|
| ____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth.
| PDAs
|
| The file system for a SIM card is a ____ structure.
| hierarchical
|
| The SIM file structure begins with the root of the system (____).
| MF
|
| Paraben Software is a leader in mobile forensics software and offers several tools, including ____, which can be used to acquire data from a variety of phone models.
| Device Seizure
|
| In a Windows environment, BitPim stores files in ____ by default.
| My Documents\BitPim
|
Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format? Command-line disk acquisition tool from New Technologies, Inc.
