Photorec

3. After the evidence has been presented in a trial by jury, the jury must deliver a(n) ______.
a. exhibit
b. affidavit
c. allegation
d. verdict

4. A TEMPEST facility is designed to accomplish which of the following goals?
a. Prevent data loss by maintaining consistent backups.
b. Shield sensitive computing systems and prevent electronic eavesdropping of computer emissions.
c. Ensure network security from the Internet using comprehensive security software.
d. Protect the integrity of data.

5. Which option below is not a recommendation for securing storage containers?
a. The container should be located in a restricted area.
b. Only authorized access should be allowed, and it should be kept to a minimum.
c. Evidence containers should remain locked when they aren't under direct supervision.
d. Rooms with evidence containers should have a secured wireless network.

6. What is the name of the Microsoft solution for whole disk encryption?
a. DriveCrypt
b. TrueCrypt
c. BitLocker
d. SecureDrive

7. What should you do while copying data on a suspect's computer that is still live?
a. Open files to view contents.
b. Make notes regarding everything you do.
c. Conduct a Google search of unknown extensions using the computer.
d. Check Facebook for additional suspects.

8. When seizing digital evidence in criminal investigations, whose standards should be followed?
a. U.S. DOJ
b. ISO/IEC
c. IEEE
d. ITU

9. As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state?
a. The power cable should be pulled.
b. The system should be shut down gracefully.
c. The power should be left on.
d. The decision should be left to the Digital Evidence First Responder (DEFR).

10. What is the purpose of the reconstruction function in a forensics investigation?
a. Re-create a suspect's drive to show what happened during a crime or incident.
b. Prove that two sets of data are identical.
c. Copy all information from a suspect's drive, including information that may have been hidden.
d. Generate reports or logs that detail the processes undertaken by a forensics investigator.

11. A keyword search is part of the analysis process within what forensic function?
a. reporting
b. reconstruction
c. extraction
d. acquisition

12. As part of a forensics investigation, you need to recover the logon and logoff history information on a Linux-based OS. Where can this information be found?
a. /var/log/utmp
b. /var/log/wtmp
c. /var/log/userlog
d. /var/log/system.log

13. What kind of graphics file combines bitmap and vector graphics types?
a. metafile
b. bitmap
c. jpeg
d. tif

14. What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords?
a. salted passwords
b. scrambled passwords
c. indexed passwords
d. master passwords

15. When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented?
a. Inventory and documentation information should be stored on a drive and then the drive should be reformatted.
b. Start the suspect's computer and begin collecting evidence.
c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
d. Connect the suspect's computer to the local network so that up-to-date forensics utilities can be utilized.

16. What processor instruction set is required in order to utilize virtualization software?
a. AMD-VT
b. Intel VirtualBit
c. Virtual Machine Extensions (VMX)
d. Virtual Hardware Extensions (VHX)

17. What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses?
a. tcpdump
b. Argus
c. ngrep
d. tcpslice

18. Select below the program within the PsTools suite that allows you to run processes remotely:
a. PsService
b. PsPasswd
c. PsRemote
d. PsExec

19. What information is not typically included in an e-mail header?
a. The sender's physical location
b. The originating IP address
c. The unique ID of the e-mail
d. The originating domain

20. What type of Facebook profile is usually only given to law enforcement with a warrant?
a. private profile
b. advanced profile
c. basic profile
d. Neoprint profile

21. Which e-mail recovery program below can recover files from VMware and VirtualPC virtual machines, as well as ISOs and other types of file backups?
a. Fookes Aid4Mail
b. DataNumen Outlook Repair
c. EnCase Forensics
d. AccessData FTK

22. What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and taking pictures?
a. Manual extraction
b. Chip-off
c. Micro read
d. Logical extraction

23. Within NIST guidelines for mobile forensics methods, the ______________ method requires physically removing flash memory chips and gathering information at the binary level.
a. Chip-off
b. Logical extraction
c. Micro read
d. Manual extraction

24. Which of the following is NOT a service level for the cloud?
a. Platform as a service
b. Infrastructure as a service
c. Virtualization as a service
d. Software as a service

25. What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing?
a. Amazon EC2
b. IBM Cloud
c. Salesforce
d. HP Helion

26. With cloud systems running in a virtual environment, _______________ can give you valuable information before, during, and after an incident.
a. carving
b. live acquisition
c. RAM
d. snapshot

27. Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider?
a. search warrants
b. subpoenas
c. court orders
d. seizure order

28. Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as _______.
a. repeatable findings
b. reloadable steps
c. verifiable reporting
d. evidence reporting

29. A user with programming experience may use an assembler program (also called a __________) on a file to scramble bits, in order to secure the information contained inside.
a. compiler
b. shifter
c. macro
d. script

30. Which system below can be used to quickly and accurately match fingerprints in a database?
a. Fingerprint Identification Database (FID)
b. Systemic Fingerprint Database (SFD)
c. Automated Fingerprint Identification System (AFIS)
d. Dynamic Fingerprint Matching System (DFMS)