Deck 2: Understanding Computer Investigations
1
You can use ____ to boot to Windows without writing any data to the evidence disk.
A) a SCSI boot up disk
B) a Windows boot up disk
C) a write-blocker
D) Windows XP
C
2
To begin conducting an investigation, you start by ____ the evidence using a variety of methods.
A) copying
B) analyzing
C) opening
D) reading
A
3
To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____.
A) mobile workstation
B) forensic workstation
C) forensic lab
D) recovery workstation
B
4
The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court.
A) acquisition plan
B) chain of custody
C) evidence path
D) evidence custody
5
A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible.
6
When preparing a case, you can apply ____ to problem solving.
A) standard programming rules
B) standard police investigation
C) standard systems analysis steps
D) bottom-up analysis
7
____ from Technology Pathways is a forensics data analysis tool. You can use it to acquire and analyze data from several different file systems.
A) Guidance EnCase
B) NTI SafeBack
C) DataArrest SnapCopy
D) ProDiscover Basic
8
____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats.
A) VPN
B) Internet
C) E-mail
D) Phone
9
____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab.
A) An antistatic wrist band
B) Padding
C) An antistatic pad
D) Tape
10
Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data.
11
The basic plan for your investigation includes gathering the evidence, establishing the ____, and performing the forensic analysis.
A) risk assessment
B) nature of the case
C) chain of custody
D) location of the evidence
12
Use ____ to secure and catalog the evidence contained in large computer components.
A) Hefty bags
B) regular bags
C) paper bags
D) evidence bags
13
A ____ is a bit-by-bit copy of the original storage medium.
A) preventive copy
B) recovery copy
C) backup copy
D) bit-stream copy
14
To create an exact image of an evidence disk, copying the ____ to a target work disk that's identical to the evidence disk is preferable.
A) removable copy
B) backup copy
C) bit-stream image
D) backup image
15
A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence.
A) evidence custody form
B) risk assessment form
C) initial investigation form
D) evidence handling form
16
Employees surfing the Internet can cost companies millions of dollars.
17
Chain of custody is also known as chain of evidence.
18
You cannot use both multi-evidence and single-evidence forms in your investigation.
19
The list of problems you normally expect in the type of case you are handling is known as the ____.
A) standard risk assessment
B) chain of evidence
C) standard problems form
D) problems checklist form
20
A bit-stream image is also known as a(n) ____.
A) backup copy
B) forensic copy
C) custody copy
D) evidence copy
21
Match each item with a statement below
a. FTK's Internet Keyword Search
b. Data recovery
c. Free space
d. Interrogation
e. Forensic workstation
f. Norton DiskEdit
g. MS-DOS 6.22
h. Multi-evidence form
i. Self-evaluation
also known as a computer forensics workstation
22
When you write your final report, state what you did and what you ____.
A) did not do
B) found
C) wanted to do
D) could not do
23
Match each item with a statement below
a. FTK's Internet Keyword Search
b. Data recovery
c. Free space
d. Interrogation
e. Forensic workstation
f. Norton DiskEdit
g. MS-DOS 6.22
h. Multi-evidence form
i. Self-evaluation
an essential part of professional growth
24
A(n) ____________________ lists each piece of evidence on a separate page.
25
Match each item with a statement below
a. FTK's Internet Keyword Search
b. Data recovery
c. Free space
d. Interrogation
e. Forensic workstation
f. Norton DiskEdit
g. MS-DOS 6.22
h. Multi-evidence form
i. Self-evaluation
the least intrusive (in terms of changing data) Microsoft operating system
26
Match each item with a statement below
a. FTK's Internet Keyword Search
b. Data recovery
c. Free space
d. Interrogation
e. Forensic workstation
f. Norton DiskEdit
g. MS-DOS 6.22
h. Multi-evidence form
i. Self-evaluation
a type of evidence custody form
27
When you are dealing with password-protected files, you might need to acquire ____________________ or find an expert who can help you crack the passwords.
28
When analyzing digital evidence, your job is to ____.
A) recover the data
B) destroy the data
C) copy the data
D) load the data
29
Match each item with a statement below
a. FTK's Internet Keyword Search
b. Data recovery
c. Free space
d. Interrogation
e. Forensic workstation
f. Norton DiskEdit
g. MS-DOS 6.22
h. Multi-evidence form
i. Self-evaluation
extracts all related e-mail address information for Web-based e-mail investigations
30
Forensics tools such as ____ can retrieve deleted files for use as evidence.
A) ProDiscover Basic
B) ProDelete
C) FDisk
D) GainFile
31
____ can be the most time-consuming task, even when you know exactly what to look for in the evidence.
A) Evidence recovery
B) Data recovery
C) Data analysis
D) Evidence recording
32
During the ____________________ design or approach to the case, you outline the general steps you need to follow to investigate the case.
33
A(n) ____________________ is usually conducted to collect information from a witness or suspect about specific facts related to an investigation.
34
After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____.
A) critique the case
B) repeat the case
C) present the case
D) read the final report
35
Match each item with a statement below
a. FTK's Internet Keyword Search
b. Data recovery
c. Free space
d. Interrogation
e. Forensic workstation
f. Norton DiskEdit
g. MS-DOS 6.22
h. Multi-evidence form
i. Self-evaluation
process of trying to get a suspect to confess to a specific incident or crime
36
Match each item with a statement below
a. FTK's Internet Keyword Search
b. Data recovery
c. Free space
d. Interrogation
e. Forensic workstation
f. Norton DiskEdit
g. MS-DOS 6.22
h. Multi-evidence form
i. Self-evaluation
is the more well-known and lucrative side of the computer forensics business
37
In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____.
A) checked values
B) verification
C) evidence backup
D) repeatable findings
38
Match each item with a statement below
a. FTK's Internet Keyword Search
b. Data recovery
c. Free space
d. Interrogation
e. Forensic workstation
f. Norton DiskEdit
g. MS-DOS 6.22
h. Multi-evidence form
i. Self-evaluation
an older computer forensics tool
39
A(n) ____________________ is where you conduct your investigations and where most of your equipment and software are located, including the secure evidence containers.
40
Match each item with a statement below
a. FTK's Internet Keyword Search
b. Data recovery
c. Free space
d. Interrogation
e. Forensic workstation
f. Norton DiskEdit
g. MS-DOS 6.22
h. Multi-evidence form
i. Self-evaluation
can be used for new files that are saved or files that expand as data is added to them
41
What are the items you need when setting up your workstation for computer forensics?
42
Describe some of the technologies used with hardware write-blocker devices. Identify some of the more commonly used vendors and their products.
43
What are the differences between computer forensics and data recovery?
44
What items are needed when gathering the resources you identified in your investigation plan?
45
What should you do to handle evidence contained in large computer components?
46
Describe the process of creating a bit-stream copy of an evidence disk.
47
What is required to conduct an investigation involving e-mail abuse?
48
Mention six important questions you should ask yourself when critiquing your work.
49
What is required to conduct an investigation involving Internet abuse?
50
What additional items are useful when setting up a forensic workstation?