72 Cards in this Set
A new process is always "called" or "created" as a result of ________.
A. the process manager reading programs from disk media
B. one process requesting a program to be loaded and executed
C. system processes starting new services
D. the memory manager reading the program file to start execution
Find Answer
Which two of the following answers do NOT describe the responsibility of the memory manager?
A. Selecting which process to run
B. Allocating memory to processes
C. Swapping memory from RAM to Disk
D. Formatting newly allocated memory
Selecting which process to run
Formatting newly allocated memory
A computer's boot process begins when what event occurs?
A. The computer BIOS turns on the processor.
B. The operating system loads.
C. The Master Boot Record is read.
D. The computer is powered on.
The computer is powered on.
In the context of forensics, data is most analogous to ________.
A. files and folders
B. information
C. digital evidence
D. bits
digital evidence
Why would "RAM slack" be interesting to a forensics investigator?
A. RAM slack is padded with contiguous portions from random RAM locations.
B. RAM slack is padded with contents from other files.
C. RAM slack can expose what contents were previously stored on the block.
D. None of the above
Find Answer
Which two of the following are examples of devices that will contain flash media?
A. Storage media for routers and switches
B. SATA hard drives
C. USB "Thumb" Drives
D. SCSI hard drives
Find Answer
On recent Windows installations, the standard location for storing critical system files is ________.
A. C:/Program Files/
B. C:/System/
C. C:/Important/
D. C:/Windows/
C:/Windows/
The intersection of a hard disk's sector and track is called a ________.
A. block
B. cluster
C. byte
D. bit
Find Answer
File system drivers impose limitations and boundaries, such as ________.
A. file usage
B. minimum file size
C. file name length
D. swap usability
Find Answer
Using metadata, forensics investigators can ________. (Select the three that apply)
A. search for files that were created at a specific time
B. filter files that do not contain evidence
C. filter files by size
D. search for file names that match patterns
search for files that were created at a specific time
filter files by size
search for file names that match patterns
On Linux and UNIX, the /home directory structure is the standard location for storing ________.
A. user installed applications
B. data specific to users
C. critical system files
D. temporarily deleted data
data specific to users
Which one of the following is a benefit of a RAID configuration of disks?
A. Capacity
B. Performance
C. Redundancy
D. All of the above
All of the above
Data is organized as files mostly because ________. (Choose the best answer)
A. computers cannot store very large files
B. it is easier for the computer to store many smaller chunks of data than it is to store one large chunk of data
C. it is easier for people to store many smaller chunks of data than it is to store one large chunk of data
D. people need to store their data with labels to make retrieval easier
Find Answer
The ________ is the part of the disk that reads and writes bits that are stored on the ________.
A. head; platter
B. platter; cylinder
C. track; sector
D. cylinder; head
Find Answer
What purpose does an inode on Linux file systems serve? (Select the two that apply)
A. Stores information about the disk and the partitions.
B. Stores metadata about a file.
C. Stores the location of a file's contents by pointing to data blocks.
D. Stores the software necessary to boot the computer.
Find Answer
A partition sets ________ on the available space of storage devices.
A. version numbers
B. block sizes
C. file systems
D. boundaries
Find Answer
Carving tools will scan an acquired partition image in order to _______.
A. identify all files "split" into multiple parts
B. reconstruct partial or complete files from fragments
C. identify all RAM slack on the system
D. decrypt all files or partial files
reconstruct partial or complete files from fragments
A forensics lab will have dedicated areas for each of the following functions EXCEPT _________.
A. forensics examination workspace
B. a secured locker area
C. a continuing education training center
D. well-stocked inventory
Find Answer
Which one of the following function(s) is included in extraction?
A. Carving
B. Decryption
C. Compression
D. All of the above
All of the above
Investigators for digital forensics may perform all EXCEPT which of the following high-level tasks?
A. Collection of physical evidence
B. Analysis of physical media
C. Collection of digital evidence
D. Arrest of the suspect
Arrest of the suspect
The journal of a forensics specialist or expert will contain entries that provide the following functions EXCEPT _______.
A. the description of WHO did WHAT and WHEN
B. the results of the examination
C. any actions taken to examine the evidence
D. any theories that result from the examination
any theories that result from the examination
Which three of the following are facts that an investigator should know before proceeding with evidence acquisition or extraction?
A. The suspect in the investigation.
B. The urgency of the request by the legal system.
C. The permission and scope to acquire evidence.
D. The answers being sought by the legal system.
The urgency of the request by the legal system.
The permission and scope to acquire evidence.
The answers being sought by the legal system.
Which one of the following can occur as a result of private investigations?
A. A criminal investigation
B. Loss or retention of employment
C. Loss or gain of monetary funds
D. All of the above
All of the above
A write-blocker should be installed before imaging a drive, so that the _______ is protected.
A. integrity of the evidence
B. chain of custody
C. separation of evidence
D. validation of the evidence
integrity of the evidence
A record of the validation should be found in the _______.
A. post-mortem
B. investigation plan
C. investigator's journal
D. documentation diary
investigator's journal
_________ is performed to share information from an investigation and to analyze the successes and failures of a particular investigation.
A. Planning
B. Journaling
C. Post-Mortem
D. Brainstorming
Post-Mortem
Which one of the following questions is NOT one to be answered by the investigation plan?
A. Where is the evidence likely to be located?
B. What age is the suspect?
C. What local laws and court processes will affect this investigation?
D. What skills are needed to extract the evidence?
What age is the suspect?
Vulnerability assessment experts will perform the task of ________. (Select the three that apply)
A. assessing the prevalence of a known weakness by scanning entire networks
B. assessing the damage and impact of an exploited vulnerability
C. scanning hosts for known weaknesses and vulnerabilities
D. validating the integrity of the host or network equipment
Find Answers
A forensics certification provides _________.
A. a reason for continuing education
B. external validation of one's forensics skills
C. breadth in the computer industry
D. depth in a particular subject
external validation of one's forensics skills
Which three of the following would help investigators set the scope for strategies to extract evidence from acquired images?
A. The password of the suspect
B. The type of files that are not sought by a warrant
C. The question or questions to be answered by the evidence
D. Items found in pockets of clothing owned by the suspect
The password of the suspect
The type of files that are not sought by a warrant
The question or questions to be answered by the evidence
A process is best described as a _______.
A. list of steps to complete a procedure
B. list of steps which together complete a single task or part of a task for a forensics investigation
C. list of tasks which together complete a forensics investigation
D. list of tasks that together complete one step in a procedure
Find Answers
Separation of duties within an investigation describes how _______ and _______ should be accomplished by different staff.
A. collection of physical evidence / collection of digital evidence
B. extraction / acquisition
C. acquisition / validation
D. All of the above
All of the above
In order to maintain the _________, both a single-evidence form and a multi-evidence form are used to document and catalog evidence.
A. proper signatures
B. evidence validation
C. image reconstruction
D. chain of custody
chain of custody
According to the Federal Rules for Evidence (FRE) section 702, the opinion of an expert witness can be based on all of the following EXCEPT ________.
A. the product of consultations from peers with other expertise
B. sufficient facts or data
C. the product of accepted and reliable principles or methods
D. application of accepted and reliable principles or methods
the product of consultations from peers with other expertise
Which one of the following factors can sabotage the quality of digital evidence reports between the investigation and the presentation of the evidence to a court?
A. A forensic professional reporting the work of a retired forensic investigator.
B. The promotion of the detective who had been leading a criminal investigation.
C. The procedures used to analyze the data may have been invalidated by court.
D. All of the above
Find Answers
The best evidence rule of a case is the expectation that the evidence of a case ________.
A. is the prime evidence that proves the theory of an attorney
B. has been collected with the best and most current software tools available
C. is the best and most scientific evidence collection procedures for that case
D. is the best available evidence given the nature of the case
Find Answer
Which three "off-the-job" characteristics below are used to determine the "quality" of an expert witness?
A. Income level of the expert
B. The nature of the expert's morals
C. Compliance with laws expected of average citizens
D. Compliance with ethical standards for average citizens
The nature of the expert's morals
Compliance with laws expected of average citizens
Compliance with ethical standards for average citizens
Examination can be described as telling a story that ________.
A. uses digital forensic investigators to support facts of the story with evidence
B. disproves alternative theories when necessary
C. presents evidence by asking digital forensic investigators to provide "question answers"
D. All of the above
All of the above
Which two of the following standards can be used by courts to approve new technology for digital evidence collection?
A. Federal Rules of Evidence Collection (FRE) Standard
B. Frye Standard
C. Daubert Standard
D. Gryer Standard
Frye Standard
Daubert Standard
Which one of the following statements is a valid principle pertaining to an informal report?
A. Do not write anything that is not a lead or a finding.
B. Do not write any finding that is not supported by more than one fact.
C. Do not write anything that is not clearly marked as a lead or a "work-in-progress".
D. Do not write anything that will not appear in the formal report.
Find Answer
Which one of the following would be considered an informal written communication?
A. An electronic document such as a spreadsheet that is attached to an email update to an attorney
B. An email that updates a peer investigator on the status of a particular case
C. A disk image that is sent to a peer investigator for review
D. An email that notifies an attorney that all evidence has been reviewed and analyzed
An email that updates a peer investigator on the status of a particular case
Forensic reports are written to answer questions about which one of the following topics? (Select the BEST answer)
A. Forensic investigations involving computer crime
B. All forensic investigations
C. Intrusion/Incident response and vulnerability assessment
D. All incidents involving investigations, vulnerability assessment, and intrusion response
All incidents involving investigations, vulnerability assessment, and intrusion response
What is the basic purpose of any digital forensic report? (Select the BEST response)
A. Report who did what and when.
B. Report the conclusion of the investigation.
C. Report what was done and what was found.
D. List or itemize the evidence.
Find Answer
What is the best response of a forensic professional to an attorney who asks a hypothetical question?
A. Provide the best answer possible given the evidence and appropriately emphasize the hypothetical nature of the question.
B. Demonstrate anger and register a protest.
C. Refuse to answer the question.
D. Politely inform the attorney that the question is not relevant.
Provide the best answer possible given the evidence and appropriately emphasize the hypothetical nature of the question.
The process of providing answers to the legal system is called ________.
A. investigation
B. evidence reporting
C. question answering
D. deposition
Find Answer
Which one of the following question answers would NOT be found in the executive summary portion of the forensic report?
A. Why the investigation was initiated
B. What forensic challenges were faced and overcome in the investigation
C. Who authorized the investigation
D. What significant results were found
What forensic challenges were faced and overcome in the investigation
Which one of the following would NOT be included in the "full documentation" of evidence collected?
A. Who collected the evidence
B. What evidence was collected
C. The version of software that produced the evidence
D. The procedure followed to collect the evidence
Find Answer
Which one of the following definitions best describes informal reports for digital forensic investigations?
A. All written or electronic reports that document results from a digital forensic investigation
B. Reports on investigations that are not made directly to a judge or jury
C. All oral reports that are presented to court in addition to all written or electronic documents resulting from an investigation.
D. Reports on digital investigations made in casual attire to a board of directors or one's employers
Reports on investigations that are not made directly to a judge or jury
Why would a digital forensic expert be expected to write "absolutely nothing unless it is a fact supported by evidence"?
A. It may confuse the forensic reporter who produces the final written report years after the investigation concludes.
B. It is a principle of computer forensics to think through all statements before committing them to paper or electronic document.
C. The evidence may later be excluded from the investigation.
D. It may be disclosed in discovery and inadvertently cast a shadow of doubt on the case.
It may be disclosed in discovery and inadvertently cast a shadow of doubt on the case.
Which one of the following is an example of formal oral reporting for a crime involving digital computers?
A. Swearing-In
B. Record
C. Deposition
D. Testimony
Testimony
A block is typically 512 ________ or more.
A. bits
B. bytes
C. clusters
D. words
Bytes
The term disk geometry refers to ________.
A. the physical dimensions of the storage media
B. the number of blocks on the disk
C. the total size and number of cylinders, heads, and sectors
D. the number of bits that can be stored on the disk
The total size and number of cylinders, heads, and sectors
The stored bits of flash media are located in ________.
A. rooms
B. cells
C. sectors
D. blocks
Cells
Which of the following are challenges to data recovery for "highly available" memory?
A. The data is distributed across several physical disks.
B. The data is encrypted.
C. The "highly available" solution contains unusually large and unwieldy capacity.
D. The data cannot be made unavailable for any length of time and therefore proper imaging software would be unusable.
The data is distributed across several physical disks.
Which of the following statements is true about a computer's boot process?
A. The boot process begins when the Central Processing Unit is initialized.
B. The user can accelerate the boot process by pressing "Windows" key (also known as the turbo button).
C. The first process in Linux is called 'kernel'.
D. A Power-On Self Test is performed once firmware is loaded.
A Power-On Self Test is performed once firmware is loaded.
Which of the following is NOT a role of the process manager?
A. Allocate memory for the data structure that contains the process metadata.
B. Format the memory provided by the memory manager.
C. Ensure that program execution begins in a timely manner.
D. Check that memory cleanup was performed correctly.
Allocate memory for the data structure that contains the process metadata.
Which one of the following would be a task of the memory manager?
A. Assign a process ID
B. Move a file or folder from a thumb drive to a disk
C. Guarantee that RAM is available if needed
D. Format the memory that is assigned to an application
Guarantee that RAM is available if needed
Which of the following would NOT contain a file system driver?
A. MBR (Master Boot Record) systems
B. FAT (File Allocation Table) systems
C. NTFS (New Technology File System)
D. Linux EXT3 systems
MBR (Master Boot Record) systems
A superblock is a data structure on a Linux or UNIX file system that contains ________.
A. file content
B. version number
C. file permissions
D. partition size
Partition size
Data that is hidden in the unused blocks of a cluster is referred to as data that is hidden in the ________.
A. disk slack space
B. RAM slack
C. file slack
D. partition slack
File Slack
The folder C:\Windows is a folder in Windows that is likely to contain ________.
A. the installation files common to any Windows installation
B. user account information for Windows users
C. the boot files that would prompt a user to boot another operating system
D. only Windows configuration data
The installation files common to any Windows installation
The /var partition on Linux and Unix is a likely candidate to store ________.
A. user default variable home directories
B. user installed programs
C. system log files
D. configuration files for system applications
System Log Files
Intel-based computer hard disks (e.g. IA32 and IA64) divide the capacity of a disk into smaller units called ________.
A. tracks
B. partitions
C. platters
D. cylinders
Find Answer
Why would a disk's "bad blocks" be interesting to a forensics investigator?
A. Bad blocks are data blocks from old files that have been detected as physically "bad" and may be recovered.
B. Bad blocks are reserved parts of the disk where data is stored until it is encrypted.
C. Bad blocks are places where the heads of a disk can no longer read or write; so evidence is preserved from intentional deletion.
D. Bad blocks are data blocks that contain evidence of a crime.
Bad blocks are data blocks from old files that have been detected as physically "bad" and may be recovered.
The ________ is responsible for copying files from memory to the disk media on UNIX/Linux.
A. file system manager
B. memory manager
C. swap manager
D. process manager
memory manager
The relationship of the first process to all other processes is modeled as a(n) ________.
A. cabinet with files and folders
B. photo album
C. oligarchy
D. family tree
Find Answer
The ________ is the core of an operating system and is the part of the operating system that will load first.
A. Master Boot Record
B. init
C. driver
D. kernel
Find Answer
The most frequent interface for flash media is ________.
A. USB
B. SATA
C. Firewire
D. SCSI
USB
Which three of the following items would be stored with a file's metadata on a disk formatted to Microsoft FAT file system standard?
A. Mutable
B. Long File Name
C. Hidden Attribute
D. System Attribute
Long File Name
Hidden Attribute
System Attribute
On recent Windows installations, user specific configuration data will be located in ________.
A. C:/Documents and Settings/
B. C:/Program Files/
C. C:/Home/
D. C:/Windows/
C:/Documents and Settings/
On Linux and UNIX, the /etc directory structure is the standard location for storing ________.
A. configuration files
B. unusual programs
C. user media files
D. user log files
Configuration Files
The iterative process for evidence collection is reviewing the evidence ________.
A. over several passes; each pass looking for the same evidence but with different tools
B. over several passes; each pass looking for something new
C. exactly one time per expert; each expert contributing different experience
D. exactly one time with automated tools
Over several passes; each pass looking for something new