Question 1

You can use ____ to boot to Windows without writing any data to the evidence disk.&#10;A) a SCSI boot up disk&#10;B) a Windows boot up disk&#10;C) a write-blocker&#10;D) Windows XP

Accepted Answer

A write-blocker is a hardware device that allows read-only access to the evidence disk, ensuring that no data can be written to it during the boot process. This is the best choice for booting to Windows without affecting the evidence disk. The other options do not provide the same level of protection against accidentally writing data to the evidence disk.

Question 2

To begin conducting an investigation, you start by ____ the evidence using a variety of methods.&#10;A) copying&#10;B) analyzing&#10;C) opening&#10;D) reading

Accepted Answer

A

Question 3

To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____.&#10;A) mobile workstation&#10;B) forensic workstation&#10;C) forensic lab&#10;D) recovery workstation

Accepted Answer

A forensic workstation is a specially configured PC designed for conducting digital forensic investigations and analysis. It typically has write-blocking devices, specialized software and hardware, and other features necessary for ensuring evidence preservation and avoiding contamination. A mobile workstation may be used in some cases, but it may not have all the necessary features, while a forensic lab is a more extensive facility for conducting forensic analyses. A recovery workstation may be used for data recovery but may not have the necessary features for forensic analysis.

Question 4

The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court.&#10;A) acquisition plan&#10;B) chain of custody&#10;C) evidence path&#10;D) evidence custody

Accepted Answer

The term "chain of custody" refers to the documentation and tracking of the movement of evidence from its initial discovery to its presentation in court. It ensures that the evidence is handled properly and is not compromised or tampered with, which is essential for maintaining its integrity and admissibility in court. An acquisition plan may be a part of the overall process, but it does not encompass the entire route of the evidence. Evidence path and evidence custody are not commonly used terms in this context.

Question 5

A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible.

Accepted Answer

A bit-stream copy is an exact duplicate of the original disk, making it as reliable as the original for analysis or evidence in forensic investigations. It preserves every bit and byte, including deleted files and unallocated space, ensuring no data is missed.

Question 6

When preparing a case, you can apply ____ to problem solving.&#10;A) standard programming rules&#10;B) standard police investigation&#10;C) standard systems analysis steps&#10;D) bottom-up analysis

Accepted Answer

Standard systems analysis steps can be applied to problem solving when preparing a case. This involves identifying the problem, gathering information, analyzing the information, developing solutions, and implementing the best solution. This approach can be useful in identifying potential causes of the case and developing a strategy to address them. Standard programming rules and bottom-up analysis may not be the most applicable approaches for preparing a case. Standard police investigation may be relevant in criminal cases, but not necessarily in all case types.

Question 7

____ from Technology Pathways is a forensics data analysis tool. You can use it to acquire and analyze data from several different file systems.&#10;A) Guidance EnCase&#10;B) NTI SafeBack&#10;C) DataArrest SnapCopy&#10;D) ProDiscover Basic

Accepted Answer

ProDiscover Basic is the forensics data analysis tool from Technology Pathways that allows for acquisition and analysis of data from multiple file systems. Guidance EnCase is a well-known tool in the industry, but it is not from Technology Pathways. NTI SafeBack and DataArrest SnapCopy are not forensics data analysis tools.

Question 8

____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats.&#10;A) VPN&#10;B) Internet&#10;C) E-mail&#10;D) Phone

Accepted Answer

E-mail investigations typically involve reviewing messages for spam, inappropriate or offensive content, and any instances of harassment or threats. VPNs, the Internet, and phones may be involved in the investigation, but they are not specific to e-mail investigations.

Question 9

____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab.&#10;A) An antistatic wrist band&#10;B) Padding&#10;C) An antistatic pad&#10;D) Tape

Accepted Answer

Padding is the best choice to prevent damage to the evidence during transportation. It provides a layer of protection and absorbs any shock or impact that may occur during transit. Antistatic wrist bands and pads are used to prevent electrostatic discharge and are not directly related to protecting the evidence during transportation. Tape may damage or contaminate the evidence and is not recommended for use.

Question 10

Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data.

Accepted Answer

Printouts can become cumbersome when dealing with large volumes of data, such as log files with thousands of pages. It is more practical to use electronic forms of data presentation, such as digital files or data visualization tools.

Question 11

The basic plan for your investigation includes gathering the evidence, establishing the ____, and performing the forensic analysis.&#10;A) risk assessment&#10;B) nature of the case&#10;C) chain of custody&#10;D) location of the evidence

Accepted Answer

The answer of The basic plan for your investigation includes...

Question 12

Use ____ to secure and catalog the evidence contained in large computer components.&#10;A) Hefty bags&#10;B) regular bags&#10;C) paper bags&#10;D) evidence bags

Accepted Answer

The answer of Use ____ to secure and catalog the...

Question 13

A ____ is a bit-by-bit copy of the original storage medium.&#10;A) preventive copy&#10;B) recovery copy&#10;C) backup copy&#10;D) bit-stream copy

Accepted Answer

The answer of A ____ is a bit-by-bit copy of...

Question 14

To create an exact image of an evidence disk, copying the ____ to a target work disk that's identical to the evidence disk is preferable.&#10;A) removable copy&#10;B) backup copy&#10;C) bit-stream image&#10;D) backup image

Accepted Answer

The answer of To create an exact image of an...

Question 15

A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence.&#10;A) evidence custody form&#10;B) risk assessment form&#10;C) initial investigation form&#10;D) evidence handling form

Accepted Answer

The answer of A(n) ____ helps you document what has...

Question 16

Employees surfing the Internet can cost companies millions of dollars.

Accepted Answer

The answer of Employees surfing the Internet can cost companies...

Question 17

Chain of custody is also known as chain of evidence.

Accepted Answer

The answer of Chain of custody is also known as...

Question 18

You cannot use both multi-evidence and single-evidence forms in your investigation.

Accepted Answer

The answer of You cannot use both multi-evidence and single-evidence...

Question 19

The list of problems you normally expect in the type of case you are handling is known as the ____.&#10;A) standard risk assessment&#10;B) chain of evidence&#10;C) standard problems form&#10;D) problems checklist form

Accepted Answer

The answer of The list of problems you normally expect...

Question 20

A bit-stream image is also known as a(n) ____.&#10;A) backup copy&#10;B) forensic copy&#10;C) custody copy&#10;D) evidence copy

Accepted Answer

The answer of A bit-stream image is also known as...

Question 21

Match each item with a statement below&#10;a.FTK's Internet Keyword Search&#10;f.Norton DiskEdit&#10;b.Data recovery&#10;g.MS-DOS 6.22&#10;c.Free space&#10;h.Multi-evidence form&#10;d.Interrogation&#10;i.Self-evaluation&#10;e.Forensic workstation&#10;also known as a computer forensics workstation

Accepted Answer

The answer of Match each item with a statement below&#10;a.FTK's...

Question 22

When you write your final report, state what you did and what you ____.&#10;A) did not do&#10;B) found&#10;C) wanted to do&#10;D) could not do

Accepted Answer

The answer of When you write your final report, state...

Question 23

Match each item with a statement below&#10;a.FTK's Internet Keyword Search&#10;f.Norton DiskEdit&#10;b.Data recovery&#10;g.MS-DOS 6.22&#10;c.Free space&#10;h.Multi-evidence form&#10;d.Interrogation&#10;i.Self-evaluation&#10;e.Forensic workstation&#10;an essential part of professional growth

Accepted Answer

The answer of Match each item with a statement below&#10;a.FTK's...

Question 24

A(n) ____________________ lists each piece of evidence on a separate page.

Accepted Answer

The answer of A(n) ____________________ lists each piece of evidence...

Question 25

Match each item with a statement below&#10;a.FTK's Internet Keyword Search&#10;f.Norton DiskEdit&#10;b.Data recovery&#10;g.MS-DOS 6.22&#10;c.Free space&#10;h.Multi-evidence form&#10;d.Interrogation&#10;i.Self-evaluation&#10;e.Forensic workstation&#10;the least intrusive (in terms of changing data) Microsoft operating system

Accepted Answer

The answer of Match each item with a statement below&#10;a.FTK's...

Question 26

Match each item with a statement below&#10;a.FTK's Internet Keyword Search&#10;f.Norton DiskEdit&#10;b.Data recovery&#10;g.MS-DOS 6.22&#10;c.Free space&#10;h.Multi-evidence form&#10;d.Interrogation&#10;i.Self-evaluation&#10;e.Forensic workstation&#10;a type of evidence custody form

Accepted Answer

The answer of Match each item with a statement below&#10;a.FTK's...

Question 27

When you are dealing with password protected files, you might need to acquire ____________________ or find an expert who can help you crack the passwords.

Accepted Answer

The answer of When you are dealing with password protected...

Question 28

When analyzing digital evidence, your job is to ____.&#10;A) recover the data&#10;B) destroy the data&#10;C) copy the data&#10;D) load the data

Accepted Answer

The answer of When analyzing digital evidence, your job is...

Question 29

Match each item with a statement below&#10;a.FTK's Internet Keyword Search&#10;f.Norton DiskEdit&#10;b.Data recovery&#10;g.MS-DOS 6.22&#10;c.Free space&#10;h.Multi-evidence form&#10;d.Interrogation&#10;i.Self-evaluation&#10;e.Forensic workstation&#10;extracts all related e-mail address information for Web-based e-mail investigations

Accepted Answer

The answer of Match each item with a statement below&#10;a.FTK's...

Question 30

Forensics tools such as ____ can retrieve deleted files for use as evidence.&#10;A) ProDiscover Basic&#10;B) ProDelete&#10;C) FDisk&#10;D) GainFile

Accepted Answer

The answer of Forensics tools such as ____ can retrieve...

Question 31

____ can be the most time-consuming task, even when you know exactly what to look for in the evidence.&#10;A) Evidence recovery&#10;B) Data recovery&#10;C) Data analysis&#10;D) Evidence recording

Accepted Answer

The answer of ____ can be the most time-consuming task,...

Question 32

During the ____________________ design or approach to the case, you outline the general steps you need to follow to investigate the case.

Accepted Answer

The answer of During the ____________________ design or approach to...

Question 33

A(n) ____________________ is usually conducted to collect information from a witness or suspect about specific facts related to an investigation.

Accepted Answer

The answer of A(n) ____________________ is usually conducted to collect...

Question 34

After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____.&#10;A) critique the case&#10;B) repeat the case&#10;C) present the case&#10;D) read the final report

Accepted Answer

The answer of After you close the case and make...

Question 35

Match each item with a statement below&#10;a.FTK's Internet Keyword Search&#10;f.Norton DiskEdit&#10;b.Data recovery&#10;g.MS-DOS 6.22&#10;c.Free space&#10;h.Multi-evidence form&#10;d.Interrogation&#10;i.Self-evaluation&#10;e.Forensic workstation&#10;process of trying to get a suspect to confess to a specific incident or crime

Accepted Answer

The answer of Match each item with a statement below&#10;a.FTK's...

Question 36

Match each item with a statement below&#10;a.FTK's Internet Keyword Search&#10;f.Norton DiskEdit&#10;b.Data recovery&#10;g.MS-DOS 6.22&#10;c.Free space&#10;h.Multi-evidence form&#10;d.Interrogation&#10;i.Self-evaluation&#10;e.Forensic workstation&#10;is the more well-known and lucrative side of the computer forensics business

Accepted Answer

The answer of Match each item with a statement below&#10;a.FTK's...

Question 37

In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____.&#10;A) checked values&#10;B) verification&#10;C) evidence backup&#10;D) repeatable findings

Accepted Answer

The answer of In any computing investigation, you should be...

Question 38

Match each item with a statement below&#10;a.FTK's Internet Keyword Search&#10;f.Norton DiskEdit&#10;b.Data recovery&#10;g.MS-DOS 6.22&#10;c.Free space&#10;h.Multi-evidence form&#10;d.Interrogation&#10;i.Self-evaluation&#10;e.Forensic workstation&#10;an older computer forensics tool

Accepted Answer

The answer of Match each item with a statement below&#10;a.FTK's...

Question 39

A(n) ____________________ is where you conduct your investigations and where most of your equipment and software are located, including the secure evidence containers.

Accepted Answer

The answer of A(n) ____________________ is where you conduct your...

Question 40

Match each item with a statement below&#10;a.FTK's Internet Keyword Search&#10;f.Norton DiskEdit&#10;b.Data recovery&#10;g.MS-DOS 6.22&#10;c.Free space&#10;h.Multi-evidence form&#10;d.Interrogation&#10;i.Self-evaluation&#10;e.Forensic workstation&#10;can be used for new files that are saved or files that expand as data is added to them

Accepted Answer

The answer of Match each item with a statement below&#10;a.FTK's...

Question 41

What are the items you need when setting up your workstation for computer forensics?

Accepted Answer

The answer of What are the items you need when...

Question 42

Describe some of the technologies used with hardware write-blocker devices. Identify some of the more commonly used vendors and their products.

Accepted Answer

The answer of Describe some of the technologies used with...

Question 43

What are the differences between computer forensics and data recovery?

Accepted Answer

The answer of What are the differences between computer forensics...

Question 44

What items are needed when gathering the resources you identified in your investigation plan?

Accepted Answer

The answer of What items are needed when gathering the...

Question 45

What should you do to handle evidence contained in large computer components?

Accepted Answer

The answer of What should you do to handle evidence...

Question 46

Describe the process of creating a bit-stream copy of an evidence disk.

Accepted Answer

The answer of Describe the process of creating a bit-stream...

Question 47

What is required to conduct an investigation involving e-mail abuse?

Accepted Answer

The answer of What is required to conduct an investigation...

Question 48

Mention six important questions you should ask yourself when critiquing your work.

Accepted Answer

The answer of Mention six important questions you should ask...

Question 49

What is required to conduct an investigation involving Internet abuse?

Accepted Answer

The answer of What is required to conduct an investigation...

Question 50

What additional items are useful when setting up a forensic workstation?

Accepted Answer

The answer of What additional items are useful when setting...

Deck 2: Understanding Computer Investigations