Question 1

The ____ file is used by the system to assist with virtual memory paging and is quite large.&#10;A)Hiberfil.sys&#10;B)IO.sys&#10;C)Virtfile.sys&#10;D)Pagefile.sys

Accepted Answer

The pagefile.sys file is used by the Windows operating system as virtual memory paging and is quite large. This file is used when the system runs out of physical memory (RAM) and needs to move some of it to the hard drive to free up space.

Question 2

Each RP folder contains a set of files that were changed since the last Restore Point.

Accepted Answer

Each RP folder contains a collection of files that have been altered or modified since the previous Restore Point was created.

Question 3

A forensic examiner must be familiar with the structure and operation of different file systems and operating systems.

Accepted Answer

A forensic examiner must have knowledge about different file systems and operating systems to understand how data is stored, accessed, and deleted on a digital device during an investigation. This helps the examiner to locate and recover potential evidence and also analyze it accurately. Failure to understand different file systems and operating systems can lead to missed evidence, incomplete analysis, and inaccurate results.

Question 4

A ____ of a hard disk is a bit by bit duplicate,including the boot sector,the partition table,all partitions,hidden files,bad sectors,and even the unallocated space on the hard drive.&#10;A)usable copy&#10;B)forensic copy&#10;C)bit copy&#10;D)file copy

Accepted Answer

The description matches the definition of a forensic copy, which is a complete bit-by-bit duplicate of a hard drive, including all data and metadata. This type of copy is often used for legal or investigative purposes, as it provides an accurate and complete record of the original drive. Choices A, C, and D do not accurately describe a forensic copy.

Question 5

The printer spool files will have extensions of ____.&#10;A).ips and .ipl&#10;B).spl and .ips&#10;C).spl and .shd&#10;D).spl and .splx

Accepted Answer

Print spool files have extensions .spl and .shd, where .spl contains the actual print job data and .shd contains job settings and printer information. Option A is incorrect as .ipl and .ips are not commonly used printer spool file extensions. Option B is incorrect as .ips is not a valid printer spool file extension, whereas .spl is. Option D is incorrect as .splx is not a valid printer spool file extension.

Question 6

The FAT stores files in dynamic chains of ____________________.

Accepted Answer

The answer of The FAT stores files in dynamic chains...

Question 7

The ____ file is used when Windows goes into hibernation.&#10;A)Hiberfil.sys&#10;B)Pagefile.sys&#10;C)IO.sys&#10;D)BOOT.INI

Accepted Answer

When Windows goes into hibernation, all the current system settings and open files are saved to a special file called hiberfil.sys on the system's hard drive. This file is required for the hibernation process and is used to restore the system to its previous state when it is resumed from hibernation. Therefore, A) Hiberfil.sys is the correct answer.

Question 8

Information that is transferred to an external device should also have a(n)____ calculated to verify integrity during collection and at a later date.&#10;A)MD5 hash&#10;B)RC4 hash&#10;C)DES hash&#10;D)RSA hash

Accepted Answer

MD5 hash is commonly used for data integrity verification during data transfer and storage. It generates a unique fixed-size output (hash value) based on the input data, which can be used to compare the original and the received data for any changes or errors. RC4, DES, and RSA are encryption algorithms and not suitable for data integrity verification purposes.

Question 9

A ____ contains a copy of the Registry that existed at the time the Restore Point was created.&#10;A)snapshot folder&#10;B)registry directory&#10;C)hive folder&#10;D)revert folder

Accepted Answer

A snapshot folder contains a snapshot or copy of the entire system, including the Registry, at the time the Restore Point was created. It allows the system to be restored to a previous state if there are any issues or problems. The other options (B, C, and D) are not accurate descriptions of a Restore Point or its components.

Question 10

____ will search through a file or folder and report on all the ASCII strings it finds.&#10;A)Ascii.exe&#10;B)Strings.exe&#10;C)Names.exe&#10;D)Parse.exe

Accepted Answer

The "Strings.exe" command is specifically designed to search through files and report on ASCII strings.

Question 11

The first thing you want to do before analyzing network traffic is make sure you have permission to look at it.

Accepted Answer

The answer of The first thing you want to do...

Question 12

Working with the Registry is easy for the inexperienced user.

Accepted Answer

The answer of Working with the Registry is easy for...

Question 13

____ is a very common file system used by computers and is supported by many different operating systems.&#10;A)File Allocation Table&#10;B)File Arrangement Table&#10;C)File Allocation Tree&#10;D)File Attribute Tree

Accepted Answer

The answer of ____ is a very common file system...

Question 14

The ____________________ is a written record of all interaction with the evidence from the moment it is acquired to the moment it is released.

Accepted Answer

The answer of The ____________________ is a written record of...

Question 15

____________________ tools are programs designed to look at specific data structures within the operating system.

Accepted Answer

The answer of ____________________ tools are programs designed to look...

Question 16

A network of honeypots is called a(n)____________________.

Accepted Answer

The answer of A network of honeypots is called a(n)____________________....

Question 17

The ____ provides the platform on which computer hardware is managed and made available to the computer software applications.&#10;A)application software&#10;B)network software&#10;C)operating system&#10;D)router software

Accepted Answer

The answer of The ____ provides the platform on which...

Question 18

The ____________________ contains items that were recently deleted from a Windows computer system.

Accepted Answer

The answer of The ____________________ contains items that were recently...

Question 19

Using the System Reset tool a Restore Point may be chosen and the system returned back to that point in time.

Accepted Answer

The answer of Using the System Reset tool a Restore...

Question 20

A ____ is a hardware device or software program designed to prevent any write operations from taking place on the original media.&#10;A)read-blocker&#10;B)selective write filter&#10;C)selective filter&#10;D)write-blocker

Accepted Answer

The answer of A ____ is a hardware device or...

Question 21

List the skills that you need to become proficient at analyzing malware.

Accepted Answer

The answer of List the skills that you need to...

Question 22

List the steps in the incident response process.

Accepted Answer

The answer of List the steps in the incident response...

Question 23

MATCHING&#10;Match each item with a statement below.&#10;a.Restore Point&#10;d.Slack space&#10;b.CSIRT&#10;e.Honeypot&#10;c.Regular expression&#10;The part of a cluster that is not used when a file is written to it

Accepted Answer

The answer of MATCHING&#10;Match each item with a statement below.&#10;a.Restore...

Question 24

List five laws that have been put into effect to help monitor and control the use of electronic communication systems and computers as well as provide guidelines for prosecution of computer and information-related crimes.

Accepted Answer

The answer of List five laws that have been put...

Question 25

MATCHING&#10;Match each item with a statement below.&#10;a.Restore Point&#10;d.Slack space&#10;b.CSIRT&#10;e.Honeypot&#10;c.Regular expression&#10;A computer that is made deliberately vulnerable in order to make it attractive to hackers

Accepted Answer

The answer of MATCHING&#10;Match each item with a statement below.&#10;a.Restore...

Question 26

What is the pre-incident preparation that must take place for a CSIRT?

Accepted Answer

The answer of What is the pre-incident preparation that must...

Question 27

MATCHING&#10;Match each item with a statement below.&#10;a.Restore Point&#10;d.Slack space&#10;b.CSIRT&#10;e.Honeypot&#10;c.Regular expression&#10;A symbolic representation of a family of strings that can be generated from the expression

Accepted Answer

The answer of MATCHING&#10;Match each item with a statement below.&#10;a.Restore...

Question 28

MATCHING&#10;Match each item with a statement below.&#10;a.Restore Point&#10;d.Slack space&#10;b.CSIRT&#10;e.Honeypot&#10;c.Regular expression&#10;A group of individuals at an organization responsible for detecting,investigating,solving,and documenting computer security incidents

Accepted Answer

The answer of MATCHING&#10;Match each item with a statement below.&#10;a.Restore...

Question 29

List UNIX/Linux systems files that are of particular interest to the forensic examiner.

Accepted Answer

The answer of List UNIX/Linux systems files that are of...

Question 30

MATCHING&#10;Match each item with a statement below.&#10;a.Restore Point&#10;d.Slack space&#10;b.CSIRT&#10;e.Honeypot&#10;c.Regular expression&#10;A snapshot of the state of the system at a point in time

Accepted Answer

The answer of MATCHING&#10;Match each item with a statement below.&#10;a.Restore...

Deck 24: Forensic Techniques