Appropriate forensic computer-investigation methods and protocols do not include _____.

The _____ search feature allows you to look for words with extensions such as "ing", "ed", and so forth.

a. fuzzy
b. stemming
c. permutation
d. similar-sounding

In FTK ________ search mode, you can also look for files that were accessed or changed during a certain time period.

a. live
b. indexed
c. active
d. inline

One problem with hiding data using Steganography is _____.

a. Software for steganography is very expensive
b. It is very easy to discover hidden data in graphic files that use steganography.
c. The amount of information that can be successfully hidden is usually small.
d. Hiding data in graphics files requires extensive programming knowledge

c. The amount of information that can be successfully hidden is usually small

The process of converting raw picture data to another format is referred to as ______

a. JEIDA
b. rastering
c. demosaicing
d. rendering

Which of the following statements regarding live acquisitions is not true?

a. Live acquisitions are especially useful when you are dealing with active network intrusions or attacks.
b. Live acquisitions done before taking a system offline are also becoming a necessity because attacks might leave footprints only in running processes or RAM
c. Live acquisitions follow typical forensics procedures
d. Live acquisitions require that the drive be removed from the suspect computer.

c. Live acquisitions follow typical forensics procedures

A common way of examining network traffic is by running the _______ command

a. Netdump
b. Slackdump
c. Coredump
d. Tcpdump

_____ is a Sysinternals command that shows all Registry data in real time on a Windows computer.

a. PsReg
b. RegExplorer
c. RegMon
d. RegHandle

The ______ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.

a. Honeynet
b. Honeypot
c. Honeywall
d. Honeyweb

______ increases the time and resources needed to extract, analyze, and present evidence.

a. Investigation plan
b. Scope creep
c. Litigation path
d. Court order for discovery

You begin any computer forensics case by creating a[n] _____

a. investigation plan
b. risk assessment report
c. evidence custody form
d. investigation report

In civil and criminal cases, the scope is often defined by search warrants or ________, which specify what data you can recover.

a. risk assessment reports
b. investigation plans
c. scope creeps
d. subpoenas

FTK offers ___________ searching options for keywords.

a. 2
b. 3
c. 4
d. 5

________ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search.

a. Online
b. Inline
c. Active
d. Live

The ____ search feature allows you to look for words with extensions such as "ing," "ed," and so forth.
a. fuzzy
c. permutation
b. stemming
d. similar-sounding

In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period.
a. live
c. active
b. indexed
d. inline

FTK and other computer forensics programs use ____ to tag and document digital evidence.
a. tracers
c. bookmarks
b. hyperlinks
d. indents

Getting a hash value with a ____ is much faster and easier than with a[n] ____.
a. high-level language, assembler
b. HTML editor, hexadecimal editor
c. computer forensics tool, hexadecimal editor
d. hexadecimal editor, computer forensics tool

d. hexadecimal editor, computer forensics tool

AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data.
a. KFF
c. NTI
b. PKFT
d. NSRL

Data ____ involves changing or manipulating a file to conceal information.
a. recovery
c. integrity
b. creep
d. hiding

One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it.
a. Norton DiskEdit
c. System Commander
b. PartitionMagic
d. LILO

The marking-bad-clusters data-hiding technique is more common with ____ file systems.
a. NTFS
c. HFS
b. FAT
d. Ext2fs

The term ____ comes from the Greek word for "hidden writing."
a. creep
c. escrow
b. steganography
d. hashing

____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there.
a. Bit shifting
c. Marking bad clusters
b. Encryption
d. Steganography

Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.
a. steganography
c. password backup
b. key escrow
d. key splitting

People who want to hide data can also use advanced encryption programs, such as PGP or ____.
a. NTI
c. FTK
b. BestCrypt
d. PRTK

____ recovery is a fairly easy task in computer forensic analysis.
a. Data
c. Password
b. Partition
d. Image

____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
a. Brute-force
c. Profile
b. Dictionary
d. Statistics

____ are handy when you need to image the drive of a computer far away from your location or when you don’t want a suspect to be aware of an ongoing investigation.
a. Scope creeps
b. Remote acquisitions
c. Password recovery tools
d. Key escrow utilities

____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program [FAT or NTFS] corresponding to the suspect [remote] computer’s file system.
a. HDHOST
c. DiskEdit
b. DiskHost
d. HostEditor

____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
a. Bitmap images
c. Vector graphics
b. Metafile graphics
d. Line-art images

You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
a. graphics viewers
c. image viewers
b. image readers
d. graphics editors

____ images store graphics information as grids of individual pixels.
a. Bitmap
c. Vector
b. Raster
d. Metafiles

The process of converting raw picture data to another format is referred to as ____.
a. JEIDA
c. demosaicing
b. rastering
d. rendering

The majority of digital cameras use the ____ format to store digital pictures.
a. EXIF
c. PNG
b. TIFF
d. GIF

____ compression compresses data by permanently discarding bits of information in the file.
a. Redundant
c. Huffman
b. Lossy
d. Lossless

Recovering pieces of a file is called ____.
a. carving
c. saving
b. slacking
d. rebuilding

A[n] ____ file has a hexadecimal header value of FF D8 FF E0 00 10.
a. EPS
c. GIF
b. BMP
d. JPEG

If you can’t open an image file in an image viewer, the next step is to examine the file’s ____.
a. extension
c. header data
b. name
d. size

The uppercase letter ____ has a hexadecimal value of 41.
a. “A”
c. “G”
b. "C"
d. "Z"

The image format XIF is derived from the more common ____ file format.
a. GIF
c. BMP
b. JPEG
d. TIFF

The simplest way to access a file header is to use a[n] ____ editor.
a. hexadecimal
c. disk
b. image
d. text

The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03.
a. TIFF
c. JPEG
b. XIF
d. GIF

____ is the art of hiding information inside image files.
a. Steganography
c. Graphie
b. Steganalysis
d. Steganos

____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
a. Replacement
c. Substitution
b. Append
d. Insertion

____ steganography replaces bits of the host file with other bits of data.
a. Insertion
c. Substitution
b. Replacement
d. Append

In the following list, ____ is the only steg tool.
a. EnCase
c. DriveSpy
b. iLook
d. Outguess

____ has also been used to protect copyrighted material by inserting digital watermarks into a file.
a. Encryption
c. Compression
b. Steganography
d. Archiving

When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations.
a. international
c. copyright
b. forensics
d. civil

Under copyright laws, computer programs may be registered as ____.
a. literary works
c. architectural works
b. motion pictures
d. audiovisual works

Under copyright laws, maps and architectural plans may be registered as ____.
a. pantomimes and choreographic works
c. literary works
b. artistic works
d. pictorial, graphic, and sculptural works

d. pictorial, graphic, and sculptural works

____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.
a. Broadcast forensics
c. Computer forensics
b. Network forensics
d. Traffic forensics

____ hide the most valuable data at the innermost part of the network.
a. Layered network defense strategies
c. Protocols
b. Firewalls
d. NAT

a. layered network defense strategies

____ forensics is the systematic tracking of incoming and outgoing traffic on your network.
a. Network
c. Criminal
b. Computer
d. Server

____ can be used to create a bootable forensic CD and perform a live acquisition.
a. Helix
c. Inquisitor
b. DTDD
d. Neon

Helix operates in two modes: Windows Live [GUI or command line] and ____.
a. command Windows
c. command Linux
b. remote GUI
d. bootable Linux

A common way of examining network traffic is by running the ____ program.
a. Netdump
c. Coredump
b. Slackdump
d. Tcpdump

____ is a suite of tools created by Sysinternals.
a. EnCase
c. R-Tools
b. PsTools
d. Knoppix

____ is a Sysinternals command that shows all Registry data in real time on a Windows computer.
a. PsReg
c. RegMon
b. RegExplorer
d. RegHandle

The PSTools ____ kills processes by name or process ID.
a. PsExec
c. PsKill
b. PsList
d. PsShutdown

____ is a popular network intrusion detection system that performs packet capture and analysis in real time.
a. Ethereal
c. Tcpdump
b. Snort
d. john

____ is the U.S. DoD computer forensics lab’s version of the dd command that comes with Knoppix-STD.
a. chntpw
c. memfetch
b. john
d. dcfldd

The Knoppix STD tool ____ enables you to reset passwords on a Windows computer, including the administrator password.
a. chntpw
c. oinkmaster
b. john
d. memfetch

____ are devices and/or software placed on a network to monitor traffic.
a. Packet sniffers
c. Hubs
b. Bridges
d. Honeypots

Most packet sniffers operate on layer 2 or ____ of the OSI model.
a. 1
c. 5
b. 3
d. 7

Most packet sniffer tools can read anything captured in ____ format.
a. SYN
c. PCAP
b. DOPI
d. AIATP

In a[n] ____ attack, the attacker keeps asking your server to establish a connection.
a. SYN flood
c. brute-force attack
b. ACK flood
d. PCAP attack

____ is the text version of Ethereal, a packet sniffer tool.
a. Tcpdump
c. Etherape
b. Ethertext
d. Tethereal

____ is a good tool for extracting information from large Libpcap files.
a. Nmap
c. Pcap
b. Tcpslice
d. TCPcap

The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.
a. Honeynet
c. Honeywall
b. Honeypot
d. Honeyweb

Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack.
a. ISPs
c. zombies
b. soldiers
d. pawns

A ____ is a computer set up to look like any other machine on your network, but it lures the attacker to it.
a. honeywall
c. honeynet
b. honeypot
d. honeyhost

E-mail messages are distributed from one central server to many connected client computers, a configuration called ____.
a. client/server architecture
c. client architecture
b. central distribution architecture
d. peer-to-peer architecture

a. client/server architecture

In an e-mail address, everything after the ____ symbol represents the domain name.
a. 
c. @
b. .
d. -

With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
a. command-line
c. prompt-based
b. shell-based
d. GUI

When working in a Windows environment, you can press ____ to copy the selected text to the clipboard.
a. Ctrl+A
c. Ctrl+V
b. Ctrl+C
d. Ctrl+Z

To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click ____ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header.
a. Options
c. Properties
b. Details
d. Message Source

To retrieve an Outlook Express e-mail header, right-click the message, and then click ____ to open a dialog box showing general information about the message.
a. Properties
c. Details
b. Options
d. Message Source

For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command.
a. prn
c. prnt
b. print
d. prt

To view AOL e-mail headers, click Action, ____ from the menu.
a. More options
c. Options
b. Message properties
d. View Message Source

To view e-mail headers on Yahoo!, click the ____ link in the Mail Options window, and then click Show all headers on incoming messages.
a. Advanced
c. Message Properties
b. General Preferences
d. More information

In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.
a. .ost
c. .msg
b. .eml
d. .pst

____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names.
a. www.freeality.com
c. www.whatis.com
b. www.google.com
d. www.juno.com

____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.
a. Continuous logging
c. Circular logging
b. Automatic logging
d. Server logging

The files that provide helpful information to an e-mail investigation are log files and ____ files.
a. batch
c. scripts
b. configuration
d. .rts

____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside.
a. /etc/sendmail.cf
c. /etc/var/log/maillog
b. /etc/syslog.conf
d. /var/log/maillog

Typically, UNIX installations are set to store logs such as maillog in the ____ directory.
a. /etc/Log
c. /etc/var/log
b. /log
d. /var/log

Exchange logs information about changes to its data in a[n] ____ log.
a. checkpoint
c. transaction
b. communication
d. tracking

In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.
a. tracking
c. temporary
b. checkpoint
d. milestone

The Novell e-mail server software is called ____.
a. Sendmail
c. Sawmill
b. GroupWise
d. Guardian

GroupWise has ____ ways of organizing the mailboxes on the server.
a. 2
c. 4
b. 3
d. 5

The GroupWise logs are maintained in a standard log format in the ____ folders.
a. MIME
c. QuickFinder
b. mbox
d. GroupWise

Some e-mail systems store messages in flat plaintext files, known as a[n] ____ format.
a. POP3
c. MIME
b. mbox
d. SMTP

Investigating cell phones and mobile devices is challenging because _____.
a. some cell phones do not have SIM cards
b. no single standard exists for how and where cell phones store messages
c. cell phone batteries have a short life
d. there are so many types of cables

b. no single standard exists for how and where cell phones store messages

Which of the following items would least likely be stored on a cell phone?
a. missed calls
c. text messages
b. owner's personal address
d. photos

b. owner's personal address

Which of the following mobile phone networks is the standard in Europe and Asia?
a. GSM
c. CDMA
b. TDMA
d. OFDM

Typically, mobile phones store system data in _______, which allows service providers to reprogram phones without having to access memory chips physically.
a. SIM
c. ROM
b. RAM
d. EEPROM

_______ cards are found most commonly in GSM devices and consist of a microprocessor and EEPROM.
a. SIM
c. ROM
b. SD cards
d. RAM

This mobile phone network was designed for 4G and is less prone to interference than 3G.
a. GSM
c. CDMA
b. TDMA
d. OFDM

The operating system [OS] is stored in _______.
a. SIM
c. ROM
b. RAM
d. EEPROM

Mobile phones that use _______ cards allow you to swap them out if you travel to Europe or if you are exceeding your minutes limit.
a. SIM
c. ROM
b. SD cards
d. RAM

Which of the following represents memory that is volatile and would be lost if power to the phone were shut off?
a. SIM
c. ROM
b. EEPROM
d. RAM

The first step in mobile phone forensics is _____.
a. alerting the service provider
b. copying the voice mail
c. identifying the mobile device
d. turning off the phone

c. identifying the mobile device

Mobile phone forensics would be least likely to yield what type of information?
a. a list of previously called numbers
b. a voice signature of the suspect
c. the approximate location of the suspect when the last call was made
d. biological information such as fingerprints

d. biological information such as fingerprints

Jane has acquired a mobile phone from a fraud suspect. The phone is turned on. Which of the following actions should she take immediately?
a. scroll through the call list and write down all of the numbers called
b. place the phone in an empty paint can
c. remove the battery from the phone
d. remove the RAM from the phone

b. place the phone in an empty paint can

What are the three elements of computer forensics?

The key elements of computer forensics are: the use of scientific methods; collection and preservation; and validation.

What are the computer forensic methodologies?

Types of computer forensics include e-mail forensics, malware forensics, memory forensics, and mobile phone forensics.

Which of the following techniques are used during computer forensic investigations?

One common technique is reverse steganography. Steganography is a common tactic used to hide data inside any type of digital file, message, or data stream. Computer forensic experts reverse a steganography attempt by analyzing the data hashing of the file in question.

What is computer forensics and investigation?

We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.
