Question 1

What is the name for the device that allows read-only access to all accessible data on a drive and keeps anything from being written to an original drive?&#10;A) wiping tool&#10;B) write-blocker&#10;C) EnCase&#10;D) Cell-brite

Accepted Answer

A write-blocker is a hardware device used in digital forensics investigations to prevent any data from being written to a storage device while providing read-only access to the data on the drive. It is important in maintaining the integrity of evidence and preventing any data tampering. Wiping tool, EnCase, and Cell-brite are not write-blocker devices.

Question 2

What US government agency operates the Computer Forensic Tool Testing Project?&#10;A) National Institute of Standards and Technology (NIST)&#10;B) National Security Agency (NSA)&#10;C) Internet Crime Complaint Center (IC3)&#10;D) Action Fraud

Accepted Answer

The Computer Forensic Tool Testing (CFTT) Project is operated by the National Institute of Standards and Technology (NIST) in the United States. The project provides objective and empirical testing of computer forensic software tools so that digital forensic examiners can make informed decisions about which tools to use in their investigations.

Question 3

Which of the following is not a specific criteria identified for imaging tools by NIST?&#10;A) the tool shall log I/O errors&#10;B) tools shall not alter the original disk&#10;C) tools shall be affordable&#10;D) tools shall make a duplicate or image of an original disk

Accepted Answer

NIST does not list affordability as a specific criteria for imaging tools. The other three choices are all specific criteria identified by NIST.

Question 4

What is the term used to refer to the organization of a hard drive into separate storage spaces?&#10;A) extracting&#10;B) partitioning&#10;C) wiping&#10;D) carving

Accepted Answer

Partitioning refers to the organization of a hard drive into separate storage spaces, allowing for different operating systems or types of files to be stored separately. Extracting refers to the process of pulling data out of a file or archive. Wiping refers to the process of securely erasing data from a storage device. Carving refers to the process of recovering data from a damaged or corrupted storage device.

Question 5

What is the term used to refer to files that have been manipulated in order to conceal the contents of the original file?&#10;A) cleaned files&#10;B) wiped files&#10;C) deleted files&#10;D) hidden files

Accepted Answer

Hidden files are files that have been manipulated or protected through security measures to conceal their contents. Cleaning, wiping, and deleting files all refer to actions that permanently remove or erase data, rather than concealing it.

Question 6

What is the term used to refer to the copy and capture of original data files in a way that makes them available for analyses that minimizes the likelihood of error?&#10;A) preservation&#10;B) instant process&#10;C) carving&#10;D) wiping

Accepted Answer

The term preservation refers to the process of creating and maintaining a copy of original data files in a way that ensures their authenticity and integrity. This is typically done to prevent data loss, ensure data accuracy, and facilitate further analysis. This process usually involves making multiple copies of the original data files, storing them in secure locations, and implementing strict access control measures to prevent unauthorized access or modifications. By preserving the original data files, organizations can ensure that they have a reliable and accurate record of their data that can be used for future reference or analysis.

Question 7

When an examiner validates that the hard drive image they are working with is an authentic duplicate of the original, they use a unique algorithm to generate a:&#10;A) copy&#10;B) digi-bit&#10;C) hash value&#10;D) partitioned file

Accepted Answer

When validating the authenticity of a hard drive image, an examiner uses a unique algorithm to generate a hash value. This value is a digital fingerprint of the original data, and can be used to compare against other hash values to ensure that the data has not been altered or tampered with. Therefore, the best choice is C, hash value.

Question 8

What phrase references the process of searching for files and extracting that data without considering the larger file systems?&#10;A) file signature&#10;B) wiping&#10;C) partitioning&#10;D) file carving

Accepted Answer

File carving is the process of searching for files and extracting that data without considering the larger file systems.

Deck 10: Acquisition and Examination of Forensic Evidence