104 Cards in this Set
The _____ search feature allows you to look for words with extensions such as "ing", "ed", and so forth.
a. fuzzy b. stemming c. permutation d. similar-sounding |
B. Stemming
|
|
In FTK ________ search mode, you can also look for files that were accessed or changed during a certain time period.
a. live b. indexed c. active d. inline |
B. indexed
|
|
One problem with hiding data using Steganography is _____.
a. Software for steganography is very expensive b. It is very easy to discover hidden data in graphic files that use steganography. c. The amount of information that can be successfully hidden is usually small. d. Hiding data in graphics files requires extensive programming knowledge |
C. The amount of information that can be successfully hidden is usually small
|
|
The process of converting raw picture data to another format is referred to as ______
a. JEIDA b. rastering c. demosaicing d. rendering |
c. demosaicing
|
|
Which of the following statements regarding live acquisitions is not true?
a. Live acquisitions are especially useful when you are dealing with active network intrusions or attacks. b. Live acquisitions done before taking a system offline are also becoming a necessity because attacks might leave footprints only in running processes or RAM. c. Live acquisitions follow typical forensics procedures. d. Live acquisitions require that the drive be removed from the suspect computer. |
c. Live acquisitions follow typical forensics procedures
|
|
A common way of examining network traffic is by running the _______ command
a. Netdump b. Slackdump c. Coredump d. Tcpdump |
D. Tcpdump
|
|
_____ is a Sysinternals command that shows all Registry data in real time on a Windows computer.
a. PsReg b. RegExplorer c. RegMon d. RegHandle |
c. RegMon
|
|
The ______ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.
a. Honeynet b. Honeypot c. Honeywall d. Honeyweb |
a. Honeynet
|
|
______ increases the time and resources needed to extract, analyze, and present evidence.
a. Investigation plan b. Scope creep c. Litigation path d. Court order for discovery |
b. Scope Creep
|
|
You begin any computer forensics case by creating a(n) _____
a. investigation plan b. risk assessment report c. evidence custody form d. investigation report |
a. investigation plan
|
|
In civil and criminal cases, the scope is often defined by search warrants or ________, which specify what data you can recover.
a. risk assessment reports b. investigation plans c. scope creeps d. subpoenas |
d. subpoenas
|
|
FTK offers ___________ searching options for keywords.
a. 2 b. 3 c. 4 d. 5 |
a. 2
|
|
________ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search.
a. Online b. Inline c. Active d. Live |
d. Live
|
|
The ____ search feature allows you to look for words with extensions such as “ing,” “ed,” and so forth.
a. fuzzy c. permutation b. stemming d. similar-sounding |
b. fuzzy
|
|
In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period.
a. live c. active b. indexed d. inline |
B. indexed
|
|
FTK and other computer forensics programs use ____ to tag and document digital evidence.
a. tracers c. bookmarks b. hyperlinks d. indents |
c. bookmarks
|
|
Getting a hash value with a ____ is much faster and easier than with a(n) ____.
a. high-level language, assembler b. HTML editor, hexadecimal editor c. computer forensics tool, hexadecimal editor d. hexadecimal editor, computer forensics tool |
d. hexadecimal editor, computer forensics tool
|
|
AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data.
a. KFF c. NTI b. PKFT d. NSRL |
a. KFF
|
|
Data ____ involves changing or manipulating a file to conceal information.
a. recovery c. integrity b. creep d. hiding |
D. hiding
|
|
One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it.
a. Norton DiskEdit c. System Commander b. PartitionMagic d. LILO |
A. norton diskedit
|
|
The marking bad clusters data-hiding technique is more common with ____ file systems.
a. NTFS c. HFS b. FAT d. Ext2fs |
b. FAT
|
|
The term ____ comes from the Greek word for “hidden writing.”
a. creep c. escrow b. steganography d. hashing |
b. steganography
|
|
____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there.
a. Bit shifting c. Marking bad clusters b. Encryption d. Steganography |
d. steganography
|
|
Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.
a. steganography c. password backup b. key escrow d. key splitting |
b. key escrow
|
|
People who want to hide data can also use advanced encryption programs, such as PGP or ____.
a. NTI c. FTK b. BestCrypt d. PRTK |
b. BestCrypt
|
|
____ recovery is a fairly easy task in computer forensic analysis.
a. Data c. Password b. Partition d. Image |
C. Password
|
|
____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
a. Brute-force c. Profile b. Dictionary d. Statistics |
A. Brute-force
|
|
____ are handy when you need to image the drive of a computer far away from your location or when you don’t want a suspect to be aware of an ongoing investigation.
a. Scope creeps b. Remote acquisitions c. Password recovery tools d. Key escrow utilities |
B.Remote acquisitions
|
|
____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer’s file system.
a. HDHOST c. DiskEdit b. DiskHost d. HostEditor |
a. HDHOST
|
|
____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
a. Bitmap images c. Vector graphics b. Metafile graphics d. Line-art images |
c. Vector graphics
|
|
You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
a. graphics viewers c. image viewers b. image readers d. graphics editors |
D. graphics editors
|
|
____ images store graphics information as grids of individual pixels.
a. Bitmap c. Vector b. Raster d. Metafiles |
A. Bitmap
|
|
The process of converting raw picture data to another format is referred to as ____.
a. JEIDA c. demosaicing b. rastering d. rendering |
C. demosaicing
|
|
The majority of digital cameras use the ____ format to store digital pictures.
a. EXIF c. PNG b. TIFF d. GIF |
a. EXIF
|
|
____ compression compresses data by permanently discarding bits of information in the file.
a. Redundant c. Huffman b. Lossy d. Lossless |
B. Lossy
|
|
Recovering pieces of a file is called ____.
a. carving c. saving b. slacking d. rebuilding |
A. carving
|
|
A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10.
a. EPS c. GIF b. BMP d. JPEG |
D. JPEG
|
|
If you can’t open an image file in an image viewer, the next step is to examine the file’s ____.
a. extension c. header data b. name d. size |
C. header data
|
|
The uppercase letter ____ has a hexadecimal value of 41.
a. “A” c. “G” b. "C" d. "Z" |
a. "A"
|
|
The image format XIF is derived from the more common ____ file format.
a. GIF c. BMP b. JPEG d. TIFF |
d. TIFF
|
|
The simplest way to access a file header is to use a(n) ____ editor.
a. hexadecimal c. disk b. image d. text |
a. hexadecimal
|
|
The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03.
a. TIFF c. JPEG b. XIF d. GIF |
b. XIF
|
|
____ is the art of hiding information inside image files.
a. Steganography c. Graphie b. Steganalysis d. Steganos |
a. steganography
|
|
____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
a. Replacement c. Substitution b. Append d. Insertion |
d. insertion
|
|
____ steganography replaces bits of the host file with other bits of data.
a. Insertion c. Substitution b. Replacement d. Append |
c. substitution
|
|
In the following list, ____ is the only steg tool.
a. EnCase c. DriveSpy b. iLook d. Outguess |
d. outguess
|
|
____ has also been used to protect copyrighted material by inserting digital watermarks into a file.
a. Encryption c. Compression b. Steganography d. Archiving |
b. steganography
|
|
When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations.
a. international c. copyright b. forensics d. civil |
c. copyright
|
|
Under copyright laws, computer programs may be registered as ____.
a. literary works c. architectural works b. motion pictures d. audiovisual works |
a. literary works
|
|
Under copyright laws, maps and architectural plans may be registered as ____.
a. pantomimes and choreographic works c. literary works b. artistic works d. pictorial, graphic, and sculptural works |
d. pictorial, graphic, and sculptural works
|
|
____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.
a. Broadcast forensics c. Computer forensics b. Network forensics d. Traffic forensics |
b. network forensics
|
|
____ hide the most valuable data at the innermost part of the network.
a. Layered network defense strategies c. Protocols b. Firewalls d. NAT |
a. layered network defense strategies
|
|
____ forensics is the systematic tracking of incoming and outgoing traffic on your network.
a. Network c. Criminal b. Computer d. Server |
a. network
|
|
____ can be used to create a bootable forensic CD and perform a live acquisition.
a. Helix c. Inquisitor b. DTDD d. Neon |
a. helix
|
|
Helix operates in two modes: Windows Live (GUI or command line) and ____.
a. command Windows c. command Linux b. remote GUI d. bootable Linux |
????
|
|
A common way of examining network traffic is by running the ____ program.
a. Netdump c. Coredump b. Slackdump d. Tcpdump |
d. tcpdump
|
|
____ is a suite of tools created by Sysinternals.
a. EnCase c. R-Tools b. PsTools d. Knoppix |
b. PsTools
|
|
____ is a Sysinternals command that shows all Registry data in real time on a Windows computer.
a. PsReg c. RegMon b. RegExplorer d. RegHandle |
c. RegMon
|
|
The PSTools ____ kills processes by name or process ID.
a. PsExec c. PsKill b. PsList d. PsShutdown |
c. PsKill
|
|
____ is a popular network intrusion detection system that performs packet capture and analysis in real time.
a. Ethereal c. Tcpdump b. Snort d. john |
b. Snort
|
|
____ is the U.S. DoD computer forensics lab’s version of the dd command that comes with Knoppix-STD.
a. chntpw c. memfetch b. john d. dcfldd |
d. dcfldd
|
|
The Knoppix STD tool ____ enables you to reset passwords on a Windows computer, including the administrator password.
a. chntpw c. oinkmaster b. john d. memfetch |
a. chntpw
|
|
____ are devices and/or software placed on a network to monitor traffic.
a. Packet sniffers c. Hubs b. Bridges d. Honeypots |
a. packet sniffers
|
|
Most packet sniffers operate on layer 2 or ____ of the OSI model.
a. 1 c. 5 b. 3 d. 7 |
b. 3
|
|
Most packet sniffer tools can read anything captured in ____ format.
a. SYN c. PCAP b. DOPI d. AIATP |
c. PCAP
|
|
In a(n) ____ attack, the attacker keeps asking your server to establish a connection.
a. SYN flood c. brute-force attack b. ACK flood d. PCAP attack |
a. SYN flood
|
|
____ is the text version of Ethereal, a packet sniffer tool.
a. Tcpdump c. Etherape b. Ethertext d. Tethereal |
d. Tethereal
|
|
____ is a good tool for extracting information from large Libpcap files.
a. Nmap c. Pcap b. Tcpslice d. TCPcap |
b. Tcpslice
|
|
The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.
a. Honeynet c. Honeywall b. Honeypot d. Honeyweb |
a. Honeynet
|
|
Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack.
a. ISPs c. zombies b. soldiers d. pawns |
c. zombies
|
|
A ____ is a computer set up to look like any other machine on your network, but it lures the attacker to it.
a. honeywall c. honeynet b. honeypot d. honeyhost |
b. honeypot
|
|
E-mail messages are distributed from one central server to many connected client computers, a configuration called ____.
a. client/server architecture c. client architecture b. central distribution architecture d. peer-to-peer architecture |
a. client/server architecture
|
|
In an e-mail address, everything after the ____ symbol represents the domain name.
a. c. @ b. . d. - |
c. @
|
|
With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
a. command-line c. prompt-based b. shell-based d. GUI |
d. GUI
|
|
When working on a Windows environment you can press ____ to copy the selected text to the clipboard.
a. Ctrl+A c. Ctrl+V b. Ctrl+C d. Ctrl+Z |
b. Ctrl + C
|
|
To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click ____ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header.
a. Options c. Properties b. Details d. Message Source |
a. Options
|
|
To retrieve an Outlook Express e-mail header right-click the message, and then click ____ to open a dialog box showing general information about the message.
a. Properties c. Details b. Options d. Message Source |
a. Properties
|
|
For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command.
a. prn c. prnt b. print d. prt |
b. print
|
|
To view AOL e-mail headers click Action, ____ from the menu.
a. More options c. Options b. Message properties d. View Message Source |
????
|
|
To view e-mail headers on Yahoo! click the ____ link in the Mail Options window, and then click Show all headers on incoming messages.
a. Advanced c. Message Properties b. General Preferences d. More information |
?????
|
|
In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.
a. .ost c. .msg b. .eml d. .pst |
d. .pst
|
|
____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names.
a. www.freeality.com c. www.whatis.com b. www.google.com d. www.juno.com |
a. www.freeality.com
|
|
____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.
a. Continuous logging c. Circular logging b. Automatic logging d. Server logging |
c. circular logging
|
|
The files that provide helpful information to an e-mail investigation are log files and ____ files.
a. batch c. scripts b. configuration d. .rts |
b. configuration
|
|
____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside.
a. /etc/sendmail.cf c. /etc/var/log/maillog b. /etc/syslog.conf d. /var/log/maillog |
a. /etc/sendmail.cf
|
|
Typically, UNIX installations are set to store logs such as maillog in the ____ directory.
a. /etc/Log c. /etc/var/log b. /log d. /var/log |
d. /var/log
|
|
Exchange logs information about changes to its data in a(n) ____ log.
a. checkpoint c. transaction b. communication d. tracking |
c. transaction
|
|
In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.
a. tracking c. temporary b. checkpoint d. milestone |
b. checkpoint
|
|
The Novell e-mail server software is called ____.
a. Sendmail c. Sawmill b. GroupWise d. Guardian |
b. GroupWise
|
|
GroupWise has ____ ways of organizing the mailboxes on the server.
a. 2 c. 4 b. 3 d. 5 |
a. 2
|
|
The GroupWise logs are maintained in a standard log format in the ____ folders.
a. MIME c. QuickFinder b. mbox d. GroupWise |
d. GroupWise
|
|
Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format.
a. POP3 c. MIME b. mbox d. SMTP |
b. mbox
|
|
Investigating cell phones and mobile devices is challenging because _____.
a. some cell phones do not have SIM cards b. no single standard exists for how and where cell phones store messages c. cell phone batteries have a short life d. there are so many types of cables |
b. no single standard exists for how and where cell phones store messages
|
|
Which of the following items would least likely be stored on a cell phone?
a. missed calls c. text messages b. owner’s personal address d. photos |
b. owner's personal address
|
|
Which of the following mobile phone networks is the standard in Europe and Asia?
a. GSM c. CDMA b. TDMA d. OFDM |
a. GSM
|
|
Typically, mobile phones store system data in _______, which allows service providers to reprogram phones without having to access memory chips physically.
a. SIM c. ROM b. RAM d. EEPROM |
d. EEPROM
|
|
_______ cards are found most commonly in GSM devices and consist of a microprocessor and EEPROM.
a. SIM c. ROM b. SD cards d. RAM |
a. SIM
|
|
This mobile phone network was designed for 4G and is less prone to interference than 3G.
a. GSM c. CDMA b. TDMA d. OFDM |
d. OFDM
|
|
The operating system (OS) is stored in _______.
a. SIM c. ROM b. RAM d. EEPROM |
c. ROM
|
|
Mobile phones that use _______ cards allow you to swap them out if you travel to Europe or if you are exceeding your minutes limit.
a. SIM c. ROM b. SD cards d. RAM |
a. SIM
|
|
Which of the following represents memory that is volatile and would be lost if power to the phone were shut off?
a. SIM c. ROM b. EEPROM d. RAM |
d. RAM
|
|
The first step in mobile phone forensics is _____.
a. alerting the service provider b. copying the voice mail c. identifying the mobile device d. turning off the phone |
c. identifying the mobile device
|
|
Mobile phone forensics would be least likely to yield what type of information?
a. a list of previously called numbers b. a voice signature of the suspect c. the approximate location of the suspect when the last call was made d. biological information such as fingerprints |
d. biological information such as fingerprints
|
|
Jane has acquired a mobile phone from a fraud suspect. The phone is turned on. Which of the following actions should she take immediately?
a. scroll through the call list and write down all of the numbers called b. place the phone in an empty paint can c. remove the battery from the phone d. remove the RAM from the phone |
b. place the phone in an empty paint can
|