Deck 6: Current Computer Forensics Tools
1
A keyword search is part of the analysis process within what forensic function?

A)reconstruction
B)acquisition
C)extraction
D)reporting
Answer: C
2
What program serves as the GUI front end for accessing Sleuth Kit's tools?

A)KDE
B)DetectiveGUI
C)Autopsy
D)SMART
Answer: C
3
Which of the following options is not a subfunction of extraction?

A)carving
B)decrypting
C)logical data copy
D)bookmarking
Answer: C
4
All forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image.
5
In what temporary location below might passwords be stored?

A)pagefile.sys
B)Windows registry
C)system32.dll
D)CD-ROM drive
6
Software forensics tools are grouped into command-line applications and GUI applications.
7
ISO standard 27037 states that the most important factors in data acquisition are the DEFR's competency and the use of validated tools.
8
What hex value is the standard indicator for JPEG graphics files?

A)FF D9
B)F8 D8
C)FF D8
D)AB CD
9
What algorithm is used to decompress Windows files?

A)Shannon-Fano
B)Fibonacci
C)Lempel-Ziv
D)Zopfli
10
In general, what would a lightweight forensics workstation consist of?

A)A tower with several bays and many peripheral devices
B)A laptop computer with almost as many bays and peripherals as a tower
C)A laptop computer built into a carrying case with a small selection of peripheral options
D)A tablet with peripherals and forensics apps
11
The physical data copy subfunction exists under the ______________ function.

A)acquisition
B)validation / verification
C)extraction
D)reporting
12
Reconstructing fragments of files that have been deleted from a suspect drive is known as ____________ in North America.

A)salvaging
B)scraping
C)carving
D)sculpting
13
_______________ proves that two sets of data are identical by calculating hash values or using another similar method.

A)Validation
B)Compilation
C)Integration
D)Verification
14
Making a logical acquisition of a drive with whole disk encryption can result in unreadable files.
15
Physically copying the entire drive is the only type of data-copying method used in software acquisitions.
16
What option below is an example of a platform-specific encryption tool?

A)Pretty Good Privacy (PGP)
B)GnuPG
C)TrueCrypt
D)BitLocker
17
What is the goal of the NSRL project, created by NIST?

A)Collect known hash values for commercial software and OS files using MD5 hashes.
B)Collect known hash values for commercial software and OS files using SHA hashes.
C)Create hash values for illegal files and distribute the information to law enforcement.
D)Search for collisions in hash values, and contribute to fixing hashing programs.
18
The ProDiscover utility makes use of the proprietary _______________ file format.

A).eve
B).pro
C).img
D).iso
19
What tool below was written for MS-DOS and was commonly used for manual digital investigations?

A)Norton DiskEdit
B)ByteBack
C)DataLifter
D)SMART
20
Passwords are typically stored as one-way _____________ rather than in plaintext.

A)variables
B)hex values
C)hashes
D)slack spaces
21
The __________ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface.

A)Ubuntu
B)Helix3
C)Arch
D)Kali
22
Match each term with its definition:

-The process of rebuilding data files; one of the required functions of digital forensics tools.

A)acquisition
B)brute-force attack
C)Computer Forensics Tool Testing (CFTT)
D)extraction
E)keyword search
F)National Software Reference Library (NSRL)
G)password dictionary attack
H)reconstruction
I)validation
J)write-blocker
23
The purpose of having a ______________ function in a forensics tool is to re-create a suspect drive to show what happened during a crime or incident.
24
The _____________ utility is designed to be installed on Linux distributions, and can be used to analyze a variety of different file systems, while also offering the ability to use plugins.
25
Which of the following is stated within the ISO 27037 standard?

A)Digital Evidence First Responders should use validated tools.
B)Software forensics tools must provide a GUI interface.
C)Software forensics tools must use the Windows OS.
D)Hardware acquisition tools can only use CRC-32 hashing.
26
In what mode do most write-blockers run?

A)GUI mode
B)Shell mode
C)BIOS mode
D)RW mode
27
Match each term with its definition:

-The process of creating a duplicate image of data; one of the required functions of digital forensics tools.

A)acquisition
B)brute-force attack
C)Computer Forensics Tool Testing (CFTT)
D)extraction
E)keyword search
F)National Software Reference Library (NSRL)
G)password dictionary attack
H)reconstruction
I)validation
J)write-blocker
28
Match each term with its definition:

-An attack that uses a collection of words or phrases that might be passwords for an encrypted file.

A)acquisition
B)brute-force attack
C)Computer Forensics Tool Testing (CFTT)
D)extraction
E)keyword search
F)National Software Reference Library (NSRL)
G)password dictionary attack
H)reconstruction
I)validation
J)write-blocker
29
Match each term with its definition:

-The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the required functions of digital forensics tools.

A)acquisition
B)brute-force attack
C)Computer Forensics Tool Testing (CFTT)
D)extraction
E)keyword search
F)National Software Reference Library (NSRL)
G)password dictionary attack
H)reconstruction
I)validation
J)write-blocker
30
Match each term with its definition:

-A method of finding files or other information by entering relevant characters, words, or phrases in a search tool.

A)acquisition
B)brute-force attack
C)Computer Forensics Tool Testing (CFTT)
D)extraction
E)keyword search
F)National Software Reference Library (NSRL)
G)password dictionary attack
H)reconstruction
I)validation
J)write-blocker
31
The NIST ________________ program establishes guidelines for selecting and using forensics tools.
32
When performing disk acquisition, the raw data format is typically created with the UNIX/Linux _____________ command.

A)format
B)dd
C)dump
D)tar
33
Match each term with its definition:

-The process of trying every combination of characters (letters, numbers, and special characters typically found on a keyboard) to find a matching password or passphrase value for an encrypted file.

A)acquisition
B)brute-force attack
C)Computer Forensics Tool Testing (CFTT)
D)extraction
E)keyword search
F)National Software Reference Library (NSRL)
G)password dictionary attack
H)reconstruction
I)validation
J)write-blocker
34
__________ can be platform-specific, such as BitLocker, or done with third-party tools, such as Pretty Good Privacy (PGP) and GnuPG.
35
Match each term with its definition:

-A way to confirm that a tool is functioning as intended; one of the functions of digital forensics tools.

A)acquisition
B)brute-force attack
C)Computer Forensics Tool Testing (CFTT)
D)extraction
E)keyword search
F)National Software Reference Library (NSRL)
G)password dictionary attack
H)reconstruction
I)validation
J)write-blocker
36
What is the purpose of the reconstruction function in a forensics investigation?

A)Prove that two sets of data are identical.
B)Copy all information from a suspect's drive, including information that may have been hidden.
C)Re-create a suspect's drive to show what happened during a crime or incident.
D)Generate reports or logs that detail the processes undertaken by a forensics investigator.
37
Match each term with its definition:

-A NIST project with the goal of collecting all known hash values for commercial software and OS files.

A)acquisition
B)brute-force attack
C)Computer Forensics Tool Testing (CFTT)
D)extraction
E)keyword search
F)National Software Reference Library (NSRL)
G)password dictionary attack
H)reconstruction
I)validation
J)write-blocker
38
Match each term with its definition:

-A hardware device or software program that prevents a computer from writing data to an evidence drive.

A)acquisition
B)brute-force attack
C)Computer Forensics Tool Testing (CFTT)
D)extraction
E)keyword search
F)National Software Reference Library (NSRL)
G)password dictionary attack
H)reconstruction
I)validation
J)write-blocker
39
Match each term with its definition:

-A project sponsored by the National Institute of Standards and Technology to manage research on digital forensics tools.

A)acquisition
B)brute-force attack
C)Computer Forensics Tool Testing (CFTT)
D)extraction
E)keyword search
F)National Software Reference Library (NSRL)
G)password dictionary attack
H)reconstruction
I)validation
J)write-blocker
40
The National Software Reference Library has compiled a list of known ___________ for a variety of OSs, applications, and images.
41
Explain the difference between validation and verification.
42
What two different options are available for write blockers, and how do these options work?
43
List three of the six subfunctions that exist under the reconstruction function.
44
In general, forensics workstations can be divided into what categories? Explain each category.
45
List the five (5) categories of functions that are meant as guidelines for evaluating digital forensic tools, with subfunctions for refining data analysis and recovery and ensuring data quality.
46
How does a password dictionary attack work?
47
Name at least four subfunctions of the extraction function that are used in forensics investigations.
48
Describe two methods for filtering data (separating good data from suspicious data).
49
What are the three minimum steps of a basic digital forensics examination protocol?
50
What guidelines exist for the selection and use of forensics software? Name at least three.