Question 1

Preservation of digital evidence can involve which of the following?&#10;A) Collecting computer hardware&#10;B) Making a forensic image of storage media&#10;C) Copying the files that are needed from storage media&#10;D) All of the above

Accepted Answer

All of the options listed are part of the process of preserving digital evidence. Collecting computer hardware ensures that the physical devices are secured. Making a forensic image of storage media is a standard practice to capture an exact copy of the data at a specific point in time without altering the original evidence. Copying files that are needed from storage media, when done correctly, is also a method of preserving digital evidence, especially when it's impractical to seize or image the entire device.

Question 2

When a computer contains digital evidence, it is always advisable to turn it off immediately.

Accepted Answer

Turning a computer off can potentially alter or destroy digital evidence. It is often recommended to leave it on and allow forensic experts to handle it properly.

Question 3

Examination of digital evidence includes (but is not limited to) which of the following activities?&#10;A) Seizure, preservation, and documentation&#10;B) Recovery, harvesting, and reduction&#10;C) Experimentation, fusion, and correlation&#10;D) Arrest, interviewing, and trial

Accepted Answer

B

Question 4

Evidence can be related to its source in which of the following ways?&#10;A) Top, middle, bottom&#10;B) IP address, MD5 value, filename, date-time stamps&#10;C) Production, segment, alteration, location&#10;D) Parent, uncle, orphan

Accepted Answer

The answer of Evidence can be related to its source...

Question 5

Issues to be aware of when connecting to a computer over a network and collecting information include:&#10;A) Creating and following a set of standard operating procedures&#10;B) Keeping a log of actions taken during the collection process&#10;C) Documenting which server actually contains the data that's being collected&#10;D) All of the above

Accepted Answer

All the options listed are important considerations when connecting to a computer over a network and collecting information. Standard operating procedures ensure consistency and compliance, logging actions provides an audit trail, and documenting the server location ensures accurate data collection.

Question 6

Although it was not designed with evidence collection in mind, can still be useful for examining network traffic.&#10;A) EnCase&#10;B) FTK&#10;C) Wireshark&#10;D) CHKDSK

Accepted Answer

Wireshark is a network protocol analyzer that, while not specifically designed for evidence collection, can be very useful for examining and capturing live network traffic, which can be relevant in forensic investigations.

Question 7

Different types of analysis include which of the following?&#10;A) Relational (e.g., link analysis) and temporal (e.g., timeline analysis)&#10;B) Cryptography&#10;C) Metadata hashing&#10;D) Digital photography

Accepted Answer

Relational analysis (link analysis) and temporal analysis (timeline analysis) are types of analysis used to understand relationships and time-based patterns, respectively, which are applicable in various fields such as intelligence, research, and data science. Cryptography, metadata hashing, and digital photography are tools or techniques rather than types of analysis.

Question 8

Chain of custody enables anyone to determine where a piece of evidence has been, who handled it when, and what was done to it since it was seized.

Accepted Answer

Chain of custody is a process that tracks the movement and handling of evidence from the time it is collected until it is presented in court, ensuring its integrity and authenticity by documenting each person who handled it and any actions taken with it.

Question 9

Information security professionals submit samples of log files associated with certain intrusion tools to help others detect attacks on the mailing lists at:&#10;A) Bugtraq&#10;B) Sam Spade&#10;C) CNET&#10;D) Security Focus

Accepted Answer

Bugtraq is a mailing list where security professionals share information about vulnerabilities, including log files associated with intrusion tools, to help detect and mitigate attacks.

Question 10

Which of the following are situations where a bitstream copy may not be viable?&#10;A) The hard drive is too large to copy.&#10;B) The system cannot be shut down.&#10;C) The digital investigator does not have authority to copy the entire drive.&#10;D) All of the above.

Accepted Answer

Bitstream copies can be challenged by various factors such as the physical size of the drive, operational constraints that prevent system shutdown, and legal or authorization limitations on what can be copied. These scenarios impact the feasibility or legality of creating a complete bitstream copy.

Question 11

A forensic image of a hard disk drive preserves the partition table.

Accepted Answer

The answer of A forensic image of a hard disk...

Question 12

It is not necessary to sanitize/wipe a hard drive purchased directly from a manufacturer.

Accepted Answer

The answer of It is not necessary to sanitize/wipe a...

Question 13

Which of the following is NOT an information gathering process?&#10;A) Scanning the system remotely&#10;B) Studying security audit reports&#10;C) Attempting to bypass logon security&#10;D) Examining e-mail headers

Accepted Answer

The answer of Which of the following is NOT an...

Question 14

Analysis of digital evidence includes which of the following activities?&#10;A) Seizure, preservation, and documentation&#10;B) Recovery, harvesting, and reduction&#10;C) Experimentation, fusion, and correlation&#10;D) Arrest, interviewing, and trial

Accepted Answer

The answer of Analysis of digital evidence includes which of...

Question 15

Occasionally, an intrusion detection system may trigger an alarm caused by an innocent packet that coincidentally contains intrusion class characteristics. This type of alert is called:&#10;A) False warning&#10;B) Failsafe&#10;C) DEF con&#10;D) False positive

Accepted Answer

The answer of Occasionally, an intrusion detection system may trigger...

Question 16

When a website is under investigation, before obtaining authorization to seize the systems it is necessary to:&#10;A) Determine where the web servers are located&#10;B) Inform personnel at the web server location that you'll be coming to seize the systems&#10;C) Conduct a reconnaissance probe of the target website&#10;D) None of the above

Accepted Answer

The answer of When a website is under investigation, before...

Question 17

No two files can have the same MD5 value.

Accepted Answer

The answer of No two files can have the same...

Question 18

Unlike law enforcement, system administrators are permitted to on their network when it is necessary to protect the network and the data it contains.&#10;A) Open unread e-mails.&#10;B) Monitor network traffic.&#10;C) Modify system logs.&#10;D) Divulge user personal information.

Accepted Answer

The answer of Unlike law enforcement, system administrators are permitted...

Question 19

A forensic image of a drive preserves which of the following?&#10;A) Memory contents&#10;B) File slack and unallocated space&#10;C) System date and time&#10;D) Screen contents

Accepted Answer

The answer of A forensic image of a drive preserves...

Question 20

All forensic tools acquire digital evidence from storage media in the same way.

Accepted Answer

The answer of All forensic tools acquire digital evidence from...

Question 21

The chance of two different files having the same MD5 value is roughly one in 340 billion billion billion billion which is approximately equivalent to winning 30,000 billion billion billion first prizes in the Hong Kong Mark Six - the lotto game in Hong Kong which randomly picks 6 numbers from 1 to 47 with a one in 10,737,573 chance of winning first prize.

Accepted Answer

The answer of The chance of two different files having...

Question 22

If you are investigating a homicide and, while executing a search warrant, you find a computer in the suspect's home that appears to contain child pornography, what would you do?

Accepted Answer

The answer of If you are investigating a homicide and,...

Question 23

After the MD5 value of a piece of digital evidence has been calculated, any change in that piece of evidence can be detected.

Accepted Answer

The answer of After the MD5 value of a piece...

Question 24

Other than verifying the integrity of a file, how can the MD5 value of a file be useful?

Accepted Answer

The answer of Other than verifying the integrity of a...

Question 25

It is not possible to recover deleted system or network log files.

Accepted Answer

The answer of It is not possible to recover deleted...

Question 26

What is the difference between a class characteristic and an individualizing characteristic? Give examples of each involving digital evidence.

Accepted Answer

The answer of What is the difference between a class...

Question 27

TCP/IP network traffic never contains useful class characteristics.

Accepted Answer

The answer of TCP/IP network traffic never contains useful class...

Question 28

When seeking authorization to search a network and digital evidence that may exist in more than one jurisdiction it is not necessary to obtain a search warrant for each location.

Accepted Answer

The answer of When seeking authorization to search a network...

Question 29

A digital evidence class characteristic is similar to toolmark analysis in the physical world.

Accepted Answer

The answer of A digital evidence class characteristic is similar...

Question 30

What are the limitations of the message digest of digital evidence?

Accepted Answer

The answer of What are the limitations of the message...

Question 31

When drawing up an affidavit for a warrant, it is important to specifically mention all desired digital evidence.

Accepted Answer

The answer of When drawing up an affidavit for a...

Question 32

Digital investigators should remember that evidence can reside in unexpected places, such as network routers.

Accepted Answer

The answer of Digital investigators should remember that evidence can...

Question 33

How would you search for all image files on a disk? Explain the rationale of your approach.

Accepted Answer

The answer of How would you search for all image...

Question 34

Active monitoring is time consuming, invasive, and costly and should only be used as a last resort.

Accepted Answer

The answer of Active monitoring is time consuming, invasive, and...

Question 35

What does a digital signature tell you?

Accepted Answer

The answer of What does a digital signature tell you?...

Deck 22: Applying Forensic Science to Networks