Deck 7: Current Computer Forensics Tools
1
Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0, and SCSI controllers.
A) USB
B) IDE
C) LCD
D) PCMCIA
A
2
To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable.
A) UNIX
B) MAC OS X
C) Linux
D) MS-DOS
D
3
____ is a simple drive-imaging station.
A) F.R.E.D.
B) SPARC
C) FIRE IDE
D) DiskSpy
C
4
Many password recovery tools have a feature that allows generating potential lists for a ____ attack.
A) brute-force
B) password dictionary
C) birthday
D) salting
5
Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.
A) backup file
B) firmware
C) image file
D) recovery copy
6
The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems.
A) Apple
B) Atari
C) Commodore
D) IBM
7
Raw data is a direct copy of a disk drive. An example of a raw image is the output of the UNIX/Linux ____ command.
A) rawcp
B) dd
C) d2dump
D) dhex
8
In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network.
A) Dir
B) ls
C) Copy
D) owner
9
____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.
A) Drive-imaging
B) Disk editors
C) Workstations
D) Write-blockers
10
In software acquisition, there are three types of data-copying methods.
11
In general, forensics workstations can be divided into ____ categories.
A) 2
B) 3
C) 4
D) 5
12
____ of data involves sorting and searching through all investigation data.
A) Validation
B) Discrimination
C) Acquisition
D) Reconstruction
13
When you research computer forensics tools, strive for versatile, flexible, and robust tools that come with technical support.
14
The Windows platforms have long been the primary command-line interface OSs.
15
The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk.
A) partition-to-partition
B) image-to-partition
C) disk-to-disk
D) image-to-disk
16
Computer forensics tools are divided into ____ major categories.
A) 2
B) 3
C) 4
D) 5
17
After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
18
To complete a forensic disk analysis and examination, you need to create a ____.
A) forensic disk copy
B) risk assessment
C) budget plan
D) report
19
To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
20
A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____.
A) stationary workstation
B) field workstation
C) lightweight workstation
D) portable workstation
21
The ____________________ function is the most demanding of all tasks for computer investigators to master.
22
Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file's contents.
A) testing, compressed
B) scanning, text
C) testing, pdf
D) testing, doc
23
Match each item with a statement below
a. JFIF
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack
software-enabled write-blocker
24
The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.
A) NSRL
B) CFTT
C) FS-TST
D) PARTAB
25
One way to compare your results and verify your new forensic tool is by using a ____, such as Hex Workshop or WinHex.
A) disk imager
B) write-blocker
C) bit-stream copier
D) disk editor
26
Match each item with a statement below
a. JFIF
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack
a direct copy of a disk drive
27
The Windows application of EnCase requires a(n) ____________________ device, such as FastBloc, to prevent Windows from accessing and corrupting a suspect disk drive.
28
Software forensic tools are grouped into command-line applications and ____________________ applications.
29
Hardware manufacturers have designed most computer components to last about ____________________ months between failures.
30
The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
A) CFTT
B) NIST
C) FS-TST
D) NSRL
31
Match each item with a statement below
a. JFIF
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack
usually a laptop computer built into a carrying case with a small selection of peripheral options
32
The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.
A) ISO 3657
B) ISO 5321
C) ISO 5725
D) ISO 17025
33
Match each item with a statement below
a. JFIF
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack
a tower with several bays and many peripheral devices
34
Match each item with a statement below
a. JFIF
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack
system file where passwords may have been written temporarily
35
Match each item with a statement below
a. JFIF
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack
one of the first MS-DOS tools used for a computer investigation
36
The primary hash algorithm used by the NSRL project is ____.
A) MD5
B) SHA-1
C) CRC-32
D) RC4
37
Match each item with a statement below
a. JFIF
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack
European term for carving
38
Match each item with a statement below
a. JFIF
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack
command-line disk acquisition tool from New Technologies, Inc.
39
Match each item with a statement below
a. JFIF
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack
letters embedded near the beginning of all JPEG files
40
Because there are a number of different versions of UNIX and Linux, these platforms are referred to as ____________________ platforms.
41
Briefly explain the NIST general approach for testing computer forensics tools.
42
Illustrate how to consider hardware needs when planning your lab budget.
43
What are some of the advantages of using command-line forensics tools?
44
Explain the difference between repeatable results and reproducible results.
45
Briefly explain the purpose of the NIST NSRL project.
46
Explain the advantages and disadvantages of GUI forensics tools.
47
What are the five major function categories of any computer forensics tool?
48
Explain the validation of evidence data process.
49
Describe some of the problems you may encounter if you decide to build your own forensics workstation.
50
Illustrate the use of a write-blocker in a Windows environment.