Chat with AI
Deck 12: Digital Forensics
Full screen (f)
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Unlock Deck
Sign up to unlock the cards in this deck!
Unlock Deck
Unlock Deck
1/50
Play
Full screen (f)
Deck 12: Digital Forensics
1
Who is responsible for collecting copies or images of digital evidence?
A) Incident manager
C) Imager
B) Scribe
D) Forensic examiner
A) Incident manager
C) Imager
B) Scribe
D) Forensic examiner
C
2
Media that is used to collect digital evidence must be forensically ____.
A) sterile
C) hashed
B) codified
D) blocked
A) sterile
C) hashed
B) codified
D) blocked
A
3
The disadvantage of hardware tools specialized for the purpose of copying disks is that they are generally slower.
False
4
When prioritizing collected evidence, which term refers to the likelihood that the information will be useful?
A) Value
C) Analysis
B) Volatility
D) Forensics
A) Value
C) Analysis
B) Volatility
D) Forensics
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
5
A(n) ____ is used to sniff network traffic.
A) cartwheeler
C) Ethernet tap
B) write blocker
D) scribe
A) cartwheeler
C) Ethernet tap
B) write blocker
D) scribe
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
6
Which material presents a gray area of ownership?
A) Cell phones provided by the employer for the employee's use
B) An employee's personal belongings
C) The employee's physical personhood
D) Employee-purchased briefcases used to transfer work
A) Cell phones provided by the employer for the employee's use
B) An employee's personal belongings
C) The employee's physical personhood
D) Employee-purchased briefcases used to transfer work
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
7
In a dead acquisition, an investigator seeks to obtain a forensic image of the disk or device.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
8
In large organizations, ____ know operating systems and networks as well as how to interpret the information gleaned by the examiners.
A) forensic analysts
C) application programmers
B) forensic examiners
D) incident managers
A) forensic analysts
C) application programmers
B) forensic examiners
D) incident managers
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
9
An organization's ____ policy must spell out the procedures for initiating the investigative process, including management approvals.
A) organizational
C) business continuity
B) contingency planning
D) incident response (IR)
A) organizational
C) business continuity
B) contingency planning
D) incident response (IR)
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
10
In large organizations, ____ are skilled in the operations of particular tools used to gather the analysis information.
A) forensic analysts
C) application programmers
B) forensic examiners
D) incident managers
A) forensic analysts
C) application programmers
B) forensic examiners
D) incident managers
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
11
Hardware write blockers have the advantage of having been vetted more often in legal cases.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
12
Which form documents the team's activities during evidence collection?
A) Scene Sketch form
C) Photography Log form
B) Field Activity Log form
D) Field Evidence Log form
A) Scene Sketch form
C) Photography Log form
B) Field Activity Log form
D) Field Evidence Log form
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
13
The ____ handles certain cases involving credit card fraud and identity theft.
A) FBI
C) U.S. Treasury Department
B) U.S. Secret Service
D) Securities and Exchange Commission
A) FBI
C) U.S. Treasury Department
B) U.S. Secret Service
D) Securities and Exchange Commission
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
14
Who is responsible for maintaining control of the field evidence log and locker?
A) Incident manager
C) Imager
B) Scribe
D) Forensic examiner
A) Incident manager
C) Imager
B) Scribe
D) Forensic examiner
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
15
If an organization routinely searches every employee's computer or if it conducts truly random searches and uncovers potential evidentiary material, then the findings are admissible in any legal proceeding.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
16
The ____ handles computer crimes that are categorized as felonies.
A) FBI
C) U.S. Treasury Department
B) U.S. Secret Service
D) Securities and Exchange Commission
A) FBI
C) U.S. Treasury Department
B) U.S. Secret Service
D) Securities and Exchange Commission
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
17
One of the more perplexing problems in collecting digital data concerns so-called volatile information, such as the contents of a ____.
A) CD
C) USB drive
B) computer's memory
D) disk drive
A) CD
C) USB drive
B) computer's memory
D) disk drive
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
18
Countering efforts by foreign countries to steal our nation's secrets, evaluating the capabilities of terrorists in a digital age, and ____ are the FBI's highest priorities.
A) investigating crimes involving foreign currency
B) arresting local bank robbers
C) fighting cyber crime
D) murder
A) investigating crimes involving foreign currency
B) arresting local bank robbers
C) fighting cyber crime
D) murder
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
19
In a live acquisition, the investigator has a good idea of what the attacker did to the system during the compromise.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
20
Information collected in such a way that the information will be usable in a criminal or civil proceeding is known as ____.
A) data
C) triggers
B) evidence
D) forensics
A) data
C) triggers
B) evidence
D) forensics
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
21
There are various ways to prepare sterile media, but a common method is to write ____ to every block on the device to erase any previous contents and then, if needed, format the device with a file system.
A) blank spaces
C) ones
B) zeros
D) bit-streams
A) blank spaces
C) ones
B) zeros
D) bit-streams
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
22
Match each item with a statement below.
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Must be disclosed
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Must be disclosed
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
23
Match each item with a statement below.
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Does extensive preprocessing of the evidence items and organizes the various items into a tabbed display
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Does extensive preprocessing of the evidence items and organizes the various items into a tabbed display
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
24
____________________ is collecting evidence from a currently running system.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
25
In principle, the ____________________ is quite simple; basically, it is a legal record of where the evidence was at each point in its lifetime as well as documentation of each and every access there was to it.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
26
Match each item with a statement below.
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Recovering files, images, and so forth from fragments in free space
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Recovering files, images, and so forth from fragments in free space
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
27
Match each item with a statement below.
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Presents an extensible forensic platform that makes it easy for trained investigators to carry out their tasks
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Presents an extensible forensic platform that makes it easy for trained investigators to carry out their tasks
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
28
Which audience is interested in analysis report issues in terms of compliance with organizational policies?
A) Upper management
C) Attorneys
B) Forensic experts
D) Auditors
A) Upper management
C) Attorneys
B) Forensic experts
D) Auditors
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
29
A disadvantage of hardware imaging platforms is that they are ____.
A) fragmented
C) costly
B) time consuming
D) unreliable
A) fragmented
C) costly
B) time consuming
D) unreliable
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
30
Match each item with a statement below.
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
An enclosure that ensures that electromagnetic waves are blocked so that a device cannot transmit or receive radio waves while in custody
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
An enclosure that ensures that electromagnetic waves are blocked so that a device cannot transmit or receive radio waves while in custody
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
31
One way to identify a particular digital item (which is represented as a collection of bits) is by means of a cryptographic ____________________.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
32
____ forensics involves capturing a point-in-time picture of a process.
A) Bit-stream
C) Snapshot
B) Cartwheeling
D) Trigger
A) Bit-stream
C) Snapshot
B) Cartwheeling
D) Trigger
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
33
Computer ____________________ is defined as the use of technical investigation and analysis techniques to identify, collect, preserve, and analyze electronic items of potential evidentiary value so that they may be admitted as evidence in a court of law, used to support administrative action, or simply used to further analyze suspicious data.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
34
Match each item with a statement below.
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Device that allow you to acquire the information on a drive without accidentally damaging the drive's contents
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Device that allow you to acquire the information on a drive without accidentally damaging the drive's contents
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
35
____________________ forensics applies to all modern electronic devices, including mobile phones, personal digital assistants (PDAs), portable music players, and other electronic devices capable of storing digital information.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
36
Match each item with a statement below.
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
A technique in which a term is extended via links to subsidiary terms
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
A technique in which a term is extended via links to subsidiary terms
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
37
Match each item with a statement below.
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Has a set of all the portable equipment and tools needed for an investigation
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Has a set of all the portable equipment and tools needed for an investigation
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
38
Which audience is typically interested in the analysis report recommendations as to whether or not the allegations were correct?
A) Upper management
C) Attorneys
B) Forensic experts
D) Auditors
A) Upper management
C) Attorneys
B) Forensic experts
D) Auditors
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
39
Match each item with a statement below.
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Drying agents to absorb any moisture
a.Discoverable
f.Carving
b.Cartwheeling
g.FTK
c.Jump bag
h.EnCase Forensic
d.Desiccants
i.Write blocker
e.Faraday Cage
Drying agents to absorb any moisture
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
40
Forensic investigators use ____ (also known as sector-by-sector) copying when making a forensic image of a device.
A) sector-stream
C) byte-stream
B) sector
D) bit-stream
A) sector-stream
C) byte-stream
B) sector
D) bit-stream
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
41
Describe the two teams many organizations form to tackle the task of digital forensics.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
42
Briefly describe the Windows Forensic Toolchest (WFT).
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
43
What items should an organization consider when deciding whether to employ in-house investigatory expertise?
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
44
List the four steps considered to be at the heart of digital evidence collection.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
45
Why does encrypted information present challenges to forensic investigators?
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
46
Describe the properties of hashes that make them ideal for identifying a particular digital item.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
47
Why is tagging equipment vital to the organization's business as evidence a very real issue for commercial organizations?
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
48
Explain the usual process for maintaining a chain of custody.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
49
Describe the two detailed parts of the forensic analysis phase.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
50
Explain how to properly store evidence.
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
Unlock Deck
k this deck
Unlock Deck
Unlock for access to all 50 flashcards in this deck.
