is not recommended for a digital forensics workstation.
If you turn evidence over to law enforcement and begin working under their direction, you have become an agent of law enforcement, and are subject to the same restrictions on search and seizure as a law enforcement agent.
Which file system below is utilized by the Xbox gaming system?
The _______ is responsible for analyzing data and determining when another specialist should be called in to assist with analysis.
According to the National Institute of Standards and Technology (NIST), digital forensics involves scientifically examining and analyzing data from computer storage media so that it can be used as evidence in court.
Which option below is not a standard systems analysis step?
The _______ is not one of the three stages of a typical criminal case.
is not one of the functions of the investigations triad.
Which Microsoft OS below is the least intrusive to disks in terms of changing data?
Most digital investigations in the private sector involve misuse of computing assets.
A TEMPEST facility is designed to accomplish which of the following goals?
In order to qualify for the Certified Computer Crime Investigator, Basic Level certification, candidates must provide documentation of at least _______ cases in which they participated.
Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as
How often should hardware be replaced within a forensics lab?
Which option below is not one of the recommended practices for maintaining a keyed padlock?
Which of the following scenarios should be covered in a disaster recovery plan?
A disaster recovery plan ensures that workstations and file servers can be restored to their original condition in the event of a catastrophe.
describes the characteristics of a safe storage container.
Because they are outdated, ribbon cables should not be considered for use within a forensics lab.
Signed into law in 1973, the _______ was/were created to ensure consistency in federal proceedings.
The recording of all updates made to a workstation or machine is referred to as configuration management.
describes an accusation of fact that a crime has been committed
What tool, currently maintained by the IRS Criminal Investigation Division and limited to use by law enforcement, can analyze and read special files that are copies of a disk?
If a police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit a(n)
User groups for a specific type of system can be very useful in a forensics investigation.
Which tool below is not recommended for use in a forensics lab?
In order to qualify for the Advanced Certified Computer Forensic Technician certification, a candidate must have _______ years of handson experience in computer forensics investigations.
is responsible for creating and monitoring lab policies for staff, and provides a safe and secure workplace for staff and evidence.
After a judge approves and signs a search warrant, the _______ is responsible for the collection of evidence as defined by the warrant.
Which option below is not a recommendation for securing storage containers?
All suspected industrial espionage cases should be treated as civil case investigations.
can be used to restore backup files directly to a workstation.
The sale of sensitive or confidential company information to a competitor is known as _______.
must be included in an affidavit to support an allegation in order to justify a warrant.
An evidence custody form does not usually contain _______.
Linux Live CDs and WinFE disks do not automatically mount hard drives, but can be used to view file systems.
What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, ediscovery, and other disciplines related to cyber investigations?
In what year was the Computer Fraud and Abuse Act passed?
In order to qualify for the Certified Computer Forensic Technician, Basic Level certification, how many hours of computer forensics training are required?
Which ISO standard below is followed by the ASCLD?
A chainofevidence form, which is used to document what has and has not been done with the original evidence and forensic copies of the evidence, is also known as a(n)
The term _______ describes a database containing informational records about crimes that have been committed previously by a criminal.
What percentage of consumers utilize Intel and AMD PCs?
The shielding of sensitive computing systems and prevention of electronic eavesdropping of any computer emissions is known as FAUST by the U.S. Department of Defense.
is a specialized viewer software program.
Candidates who complete the IACIS test successfully are designated as a _______.
Which amendment to the U.S. Constitution protects everyone’s right to be secure in their person, residence, and property from search and seizure?
Which operating system listed below is not a distribution of the Linux OS?
How long are computing components designed to last in a normal business environment?
After the evidence has been presented in a trial by jury, the jury must deliver a(n) _______.
A forensics lab should maintain a paper or electronic signin log for all visitors. What information should be in this log?
List at least three things that should be included in an audit of a digital forensics lab.
Why is it important to maintain specific temperature and humidity ranges within a forensics lab?
When creating a new forensics lab, what are some questions that should be considered when calculating the budget required? List at least three questions.
List three practices that should be followed when using a keyed padlock.
What must be done if data is found in the form of binary files, such as CAD drawings?
What is a business case used for?
What questions should someone consider prior to assisting in an interview or interrogation?
What is the difference between an interview and an interrogation?
Why must all evidence that is collected be treated with the highest level of security and accountability, even if the evidence is regarding an internal abuse investigation within an organization?
The _______ command was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory.
The _______ copies evidence of intrusions to an investigation workstation automatically for further analysis over the network.
Which RAID type provides increased speed and data storage capability, but lacks redundancy?
What is the name of the Microsoft solution for whole disk encryption?
is the utility used by the ProDiscover program for remote access.
The ImageUSB utility can be used to create a bootable flash drive.
Which technology below is not a hotswappable technology?
A forensics investigator should verify that acquisition tools can copy data in the HPA of a disk drive.
FTK Imager software can acquire a drive’s host protected area.
To create a new primary partition within the fdiskinteractive utility, which letter should be typed?
Which option below is not a Linux Live CD meant for use as a digital forensics tool?
Hardware and software errors or incompatibilities are a common problem when dealing with older hard drives.
When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files?
creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID.
A RAID 3 array uses distributed data and distributed parity in a manner similar to a RAID 5 array.
Computerstored records are data the system maintains, such as system log files and proxy server logs.
A _______ is not a private sector organization.
The Fourth Amendment states that only warrants “particularly describing the place to be searched and the persons or things to be seized” can be issued. The courts have determined that this phrase means a warrant can authorize a search of a specific place for
is a common cause for lost or corrupted evidence.
does not recover data in free or slack space.
is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing.
To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant.
If practical, _______ team(s) should collect and catalog digital evidence at a crime scene or lab.
Which system below can be used to quickly and accurately match fingerprints in a database?
are a special category of private sector businesses, due to their ability to investigate computer abuse committed by employees only, but not customers.
When seizing digital evidence in criminal investigations, whose standards should be followed?
An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal injury, such as finding a bomb threat in an email.
Which court case established that it is not necessary for computer programmers to testify in order to authenticate computergenerated records?
As a general rule, what should be done by forensics experts when a suspect computer is seized in a poweredon state?
would not be found in an initialresponse field kit.
The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient
The term _______ is used to describe someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.
What does FRE stand for?
What type of media has a 30year lifespan?
You must abide by the _______ while collecting
When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space.
FAT32 is used on older Microsoft OSs, such as MSDOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0.
Each MFT record starts with a header identifying it as a resident or nonresident attribute.
A computer stores system configuration and date and time information in the BIOS when power to the system is off.
Someone who wants to hide data can create hidden partitions or voids large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.
Which of the following options is not a subfunction of extraction?
What program serves as the GUI front end for accessing Sleuth Kit’s tools?
What is the goal of the NSRL project, created by NIST?
What option below is an example of a platform specific encryption tool?
What algorithm is used to decompress Windows files?
Physically copying the entire drive is the only type of datacopying method used in software acquisitions.
The physical data copy subfunction exists under the ______________ function.
All forensics acquisition tools have a method for verification of the datacopying process that compares the original drive with the image.
In general, what would a lightweight forensics workstation consist of?
What hex value is the standard indicator for jpeg graphics files?
proves that two sets of data are identical by calculating hash values or using another similar method.
The __________ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface.
ISO standard 27037 states that the most important factors in data acquisition are the DEFR’s competency and the use of validated tools.
Software forensics tools are grouped into commandline applications and GUI applications
What tool below was written for MSDOS and was commonly used for manual digital investigations?
Which option below is not a disk management tool?
One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is essential for presenting evidence in court.
In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely.
The goal of recovering as much information as possible can result in ________________, in which an investigation expands beyond the original description because of unexpected evidence found.
A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to secure the information contained inside.
Many commercial encryption programs use a technology called _____________, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.
The term for detecting and analyzing steganography files is _________________.
In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters?
What format below is used for VMware images?
A ____________ image file containing software is intended to be bitstream copied to floppy disks or other external media.
Which password recovery method uses every possible letter, number, and character found on a keyboard?
Which of the following file systems can’t be analyzed by OSForensics?
What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords?
When performing a static acquisition, what should be done after the hardware on a suspect’s computer has been inventoried and documented?
Within Windows Vista and later, partition gaps are _____________ bytes in length.
In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer.
What letter should be typed into DiskEdit in order to mark a good sector as bad?
Typically, antivirus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its malicious code from antivirus tools.
In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant.
Because attorneys do not have the right of full discovery of digital evidence, it is not possible for new evidence to come to light while complying with a defense request for full discovery.
Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific files or sectors.
The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to filter known program files from view and contains the hash values of known illegal files.
The advantage of recording hash values is that you can determine whether data has changed.
Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords:
The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but does not list hash values of known illegal files.