Question 1

____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there.&#10;A) Bit shifting&#10;B) Encryption&#10;C) Marking bad clusters&#10;D) Steganography

Accepted Answer

Steganography is the practice of concealing a message within another message or a physical object in such a way that only the intended recipient knows its presence. It is different from encryption, which transforms the message to make it unreadable to unauthorized parties. Steganography aims to hide the existence of the message, while encryption seeks to protect its contents. Bit shifting and marking bad clusters are not related to the art and science of hiding messages.

Question 2

Marking bad clusters data-hiding technique is more common with ____ file systems.&#10;A) NTFS&#10;B) FAT&#10;C) HFS&#10;D) Ext2fs

Accepted Answer

Marking bad clusters as a data-hiding technique is more commonly associated with FAT (File Allocation Table) file systems. This is because FAT file systems, being simpler and older compared to others like NTFS or Ext2fs, offer a straightforward way to mark clusters as bad, thus hiding data in them. This method is not as prevalent or straightforward in more complex file systems like NTFS, HFS, or Ext2fs, which have more sophisticated methods of handling file storage and bad sector marking.

Question 3

In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover.&#10;A) risk assessment reports&#10;B) investigation plans&#10;C) scope creeps&#10;D) subpoenas

Accepted Answer

Subpoenas are legal documents that specify the scope of the investigation and what data can be collected or recovered in civil and criminal cases. Risk assessment reports, investigation plans, and scope creeps do not have the authority to define the scope of the case.

Question 4

FTK cannot analyze data from image files from other vendors.

Accepted Answer

FTK is designed to work with a wide range of image file formats from different vendors. Its powerful analysis and processing capabilities can be used to extract valuable insights from these images, including deleted, hidden, or encrypted data. However, there may be some file formats that are not supported, depending on the specific version of FTK being used, so it's important to check the documentation or contact the vendor for more information.

Question 5

FTK cannot perform forensics analysis on FAT12 file systems.

Accepted Answer

FTK (Forensic Toolkit) can perform forensics analysis on FAT12 file systems. FAT12 is a file system used on very old devices such as floppy disks and early hard drives. FTK is designed to analyze and recover data from a wide range of file systems, including FAT12.

Question 6

The defense request for full discovery of digital evidence applies only to criminal cases in the United States.

Accepted Answer

The defense request for full discovery of digital evidence applies to both criminal and civil cases in the United States.

Question 7

AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data.&#10;A) KFF&#10;B) PKFT&#10;C) NTI&#10;D) NSRL

Accepted Answer

AccessData's KFF (Known File Filter) is used to compare known file hash values to files on an evidence drive or image files to identify suspicious data.

Question 8

____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search.&#10;A) Online&#10;B) Inline&#10;C) Active&#10;D) Live

Accepted Answer

Live search can continuously search for new data and can also search unallocated space on a computer or device, making it the best choice for locating hidden text or files. Online, inline, and active searches may not have the capability to search unallocated space.

Question 9

The ____ search feature allows you to look for words with extensions such as &#34;ing,&#34;&#34;ed,&#34; and so forth.&#10;A) fuzzy&#10;B) stemming&#10;C) permutation&#10;D) similar-sounding

Accepted Answer

The stemming search feature allows you to look for words with extensions such as "ing,""ed," and so forth. It is useful when you want to find variations of words that may have different endings but share the same root word. Fuzzy search refers to the ability of a search engine to find results that are similar, but not necessarily identical, to the search terms. Permutation search involves searching for all possible combinations of the query terms. Similar-sounding search refers to searching for words that sound alike but may have different spellings and meanings. None of these options specifically address the ability to find words with extensions.

Question 10

____ increases the time and resources needed to extract,analyze,and present evidence.&#10;A) Investigation plan&#10;B) Scope creep&#10;C) Litigation path&#10;D) Court order for discovery

Accepted Answer

Scope creep refers to changes, additions, or modifications to the original scope or requirements of a project. In digital forensics, scope creep can happen when additional digital devices or data sources are discovered during the investigation, leading to an increase in the time and resources needed to analyze and present the evidence.

Question 11

In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period.&#10;A) live&#10;B) indexed&#10;C) active&#10;D) inline

Accepted Answer

The answer of In FTK ____ search mode, you can...

Question 12

There are ____ searching options for keywords which FTK offers.&#10;A) 2&#10;B) 3&#10;C) 4&#10;D) 5

Accepted Answer

The answer of There are ____ searching options for keywords...

Question 13

You begin any computer forensics case by creating a(n) ____.&#10;A) investigation plan&#10;B) risk assessment report&#10;C) evidence custody form&#10;D) investigation report

Accepted Answer

The answer of You begin any computer forensics case by...

Question 14

Data ____ involves changing or manipulating a file to conceal information.&#10;A) recovery&#10;B) creep&#10;C) integrity&#10;D) hiding

Accepted Answer

The answer of Data ____ involves changing or manipulating a...

Question 15

FTK and other computer forensics programs use ____ to tag and document digital evidence.&#10;A) tracers&#10;B) hyperlinks&#10;C) bookmarks&#10;D) indents

Accepted Answer

The answer of FTK and other computer forensics programs use...

Question 16

For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.

Accepted Answer

The answer of For target drives, use only recently wiped...

Question 17

A nonsteganographic graphics file has a different size than an identical steganographic graphics file.

Accepted Answer

The answer of A nonsteganographic graphics file has a different...

Question 18

Getting a hash value with a ____ is much faster and easier than with a(n) ____.&#10;A) high-level language, assembler&#10;B) HTML editor, hexadecimal editor&#10;C) computer forensics tool, hexadecimal editor&#10;D) hexadecimal editor, computer forensics tool

Accepted Answer

The answer of Getting a hash value with a ____...

Question 19

One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it.&#10;A) Norton DiskEdit&#10;B) PartitionMagic&#10;C) System Commander&#10;D) LILO

Accepted Answer

The answer of One way to hide partitions is to...

Question 20

The term ____ comes from the Greek word for&#34;hidden writing.&#34;&#10;A) creep&#10;B) steganography&#10;C) escrow&#10;D) hashing

Accepted Answer

The answer of The term ____ comes from the Greek...

Question 21

Match each item with a statement below&#10;a.Court orders for discovery&#10;f.PRTK&#10;b.Investigation plan&#10;g.Validating digital evidence&#10;c.Digital Intelligence PDWipe&#10;h.MD5&#10;d.Live search&#10;i.System Commander&#10;e.Cabinet&#10;a password recovery program available from AccessData

Accepted Answer

The answer of Match each item with a statement below&#10;a.Court...

Question 22

To generate reports with the FTK ReportWizard, first you need to ____________________ files during an examination.

Accepted Answer

The answer of To generate reports with the FTK ReportWizard,...

Question 23

Match each item with a statement below&#10;a.Court orders for discovery&#10;f.PRTK&#10;b.Investigation plan&#10;g.Validating digital evidence&#10;c.Digital Intelligence PDWipe&#10;h.MD5&#10;d.Live search&#10;i.System Commander&#10;e.Cabinet&#10;an FTK searching option

Accepted Answer

The answer of Match each item with a statement below&#10;a.Court...

Question 24

____________________ search catalogs all words on the evidence disk so that FTK can find them quickly.

Accepted Answer

The answer of ____________________ search catalogs all words on the...

Question 25

FTK provides two options for searching for keywords: indexed search and ____________________ search.

Accepted Answer

The answer of FTK provides two options for searching for...

Question 26

Match each item with a statement below&#10;a.Court orders for discovery&#10;f.PRTK&#10;b.Investigation plan&#10;g.Validating digital evidence&#10;c.Digital Intelligence PDWipe&#10;h.MD5&#10;d.Live search&#10;i.System Commander&#10;e.Cabinet&#10;a disk-partitioning utility

Accepted Answer

The answer of Match each item with a statement below&#10;a.Court...

Question 27

Match each item with a statement below&#10;a.Court orders for discovery&#10;f.PRTK&#10;b.Investigation plan&#10;g.Validating digital evidence&#10;c.Digital Intelligence PDWipe&#10;h.MD5&#10;d.Live search&#10;i.System Commander&#10;e.Cabinet&#10;defines the investigation's goal and scope, the materials needed, and the tasks to perform

Accepted Answer

The answer of Match each item with a statement below&#10;a.Court...

Question 28

Match each item with a statement below&#10;a.Court orders for discovery&#10;f.PRTK&#10;b.Investigation plan&#10;g.Validating digital evidence&#10;c.Digital Intelligence PDWipe&#10;h.MD5&#10;d.Live search&#10;i.System Commander&#10;e.Cabinet&#10;a type of compressed file

Accepted Answer

The answer of Match each item with a statement below&#10;a.Court...

Question 29

Match each item with a statement below&#10;a.Court orders for discovery&#10;f.PRTK&#10;b.Investigation plan&#10;g.Validating digital evidence&#10;c.Digital Intelligence PDWipe&#10;h.MD5&#10;d.Live search&#10;i.System Commander&#10;e.Cabinet&#10;limit a civil investigation

Accepted Answer

The answer of Match each item with a statement below&#10;a.Court...

Question 30

____ are handy when you need to image the drive of a computer far away from your location or when you don't want a suspect to be aware of an ongoing investigation.&#10;A) Scope creeps&#10;B) Remote acquisitions&#10;C) Password recovery tools&#10;D) Key escrow utilities

Accepted Answer

The answer of ____ are handy when you need to...

Question 31

____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer's file system.

A) HDHOST
B) DiskHost
C) DiskEdit
D) HostEditor

Accepted Answer

The answer of ____ is a remote access program for...

Question 32

Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.

A) steganography
B) key escrow
C) password backup
D) key splitting

Accepted Answer

The answer of Many commercial encryption programs use a technology...

Question 33

Match each item with a statement below&#10;a.Court orders for discovery&#10;f.PRTK&#10;b.Investigation plan&#10;g.Validating digital evidence&#10;c.Digital Intelligence PDWipe&#10;h.MD5&#10;d.Live search&#10;i.System Commander&#10;e.Cabinet&#10;a hashing algorithm

Accepted Answer

The answer of Match each item with a statement below&#10;a.Court...

Question 34

Match each item with a statement below&#10;a.Court orders for discovery&#10;f.PRTK&#10;b.Investigation plan&#10;g.Validating digital evidence&#10;c.Digital Intelligence PDWipe&#10;h.MD5&#10;d.Live search&#10;i.System Commander&#10;e.Cabinet&#10;one of the most critical aspects of computer forensics

Accepted Answer

The answer of Match each item with a statement below&#10;a.Court...

Question 35

People who want to hide data can also use advanced encryption programs, such as PGP or ____.&#10;A) NTI&#10;B) BestCrypt&#10;C) FTK&#10;D) PRTK

Accepted Answer

The answer of People who want to hide data can...

Question 36

The data-hiding technique ____________________ changes data from readable code to data that looks like binary executable code.

Accepted Answer

The answer of The data-hiding technique ____________________ changes data from...

Question 37

____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.&#10;A) Brute-force&#10;B) Dictionary&#10;C) Profile&#10;D) Statistics

Accepted Answer

The answer of ____ attacks use every possible letter, number,...

Question 38

____ recovery is a fairly easy task in computer forensic analysis.&#10;A) Data&#10;B) Partition&#10;C) Password&#10;D) Image

Accepted Answer

The answer of ____ recovery is a fairly easy task...

Question 39

Match each item with a statement below&#10;a.Court orders for discovery&#10;f.PRTK&#10;b.Investigation plan&#10;g.Validating digital evidence&#10;c.Digital Intelligence PDWipe&#10;h.MD5&#10;d.Live search&#10;i.System Commander&#10;e.Cabinet&#10;program used to clean all data from the target drive you plan to use

Accepted Answer

The answer of Match each item with a statement below&#10;a.Court...

Question 40

For most law-enforcement-related computing investigations, the investigator is limited to working with data defined in the search ____________________.

Accepted Answer

The answer of For most law-enforcement-related computing investigations, the investigator...

Question 41

How should you approach a case in which an employee is suspected of industrial espionage?

Accepted Answer

The answer of How should you approach a case in...

Question 42

Briefly describe how to use steganography for creating digital watermarks.

Accepted Answer

The answer of Briefly describe how to use steganography for...

Question 43

What are the file systems supported by FTK for forensic analysis?

Accepted Answer

The answer of What are the file systems supported by...

Question 44

Briefly describe the differences between brute-force attacks and dictionary attacks to crack passwords.

Accepted Answer

The answer of Briefly describe the differences between brute-force attacks...

Question 45

Describe the effects of scope creep on an investigation in the corporate environment.

Accepted Answer

The answer of Describe the effects of scope creep on...

Question 46

How does the Known File Filter program work?

Accepted Answer

The answer of How does the Known File Filter program...

Question 47

Describe with examples why the approach you take for a forensics case depends largely on the specific type of case you're investigating.

Accepted Answer

The answer of Describe with examples why the approach you...

Question 48

How can you validate the integrity of raw format image files with ProDiscover?

Accepted Answer

The answer of How can you validate the integrity of...

Question 49

How can you hide data by marking bad clusters?

Accepted Answer

The answer of How can you hide data by marking...

Question 50

What are the basic guidelines to identify steganography files?

Accepted Answer

The answer of What are the basic guidelines to identify...

Deck 9: Computer Forensics Analysis and Validation