C840 - DIGITAL FORENSICS IN CYBERSECURITY True/False Quizlet Compilation GRADED A

Pages: 28
Grade: A+
Published: 20-07-2023
Written in: 2022/2023

Malware forensics is also known as internet forensics.
A True B False
ANS*** B

The Privacy Protection Act (PPA) of 1980 protects journalists from being required to turn over to law enforcement any work product or documentary material, including sources, before it is disseminated to the public.
A True B False
ANS*** A

The term testimonial evidence refers to the process of examining malicious computer code.
A True B False
ANS*** B

Evidence need not be locked if it is at a police station.
A True B False
ANS*** B

Real evidence means physical objects that can be touched, held, or directly observed, such as a laptop with a suspect's fingerprints on it, or a handwritten note.
A True B False
ANS*** A

The FBI is the premier federal agency tasked with combating cybercrime.
A True B False
ANS*** B

When cataloging digital evidence, the primary goal is to do what?
A Make bitstream images of all hard drives.
B Keep the computer from being turned off.
C Keep evidence from being removed from the scene.
D Preserve evidence integrity.
ANS*** D

Your roommate can give consent to search your computer.
A True B False
ANS*** B

The Windows Registry is essentially a repository of all settings, software, and parameters for Windows.
A True B False
ANS*** A

The term internet forensics refers to information that forensic specialists use to support or interpret real or documentary evidence; for example, to demonstrate that the fingerprints found on a keyboard are those of a specific individual.
A True B False
ANS*** B

PROM can be programmed only once. Data is not lost when power is removed.
A True B False
ANS*** A

In a computer forensics investigation, ________ describes the route that evidence takes from the time you find it until the case is closed or goes to court.
A Policy of separation
B Rules of evidence
C Law of probability
D Chain of custody
ANS*** D

The objective in computer forensics is to recover, analyze, and present computer-based material in such a way that it can be used as evidence in a court of law.
A True B False
ANS*** A

Demonstrative evidence means information that helps explain other evidence. An example of demonstrative evidence is a chart that explains a technical concept to the judge and jury.
A True B False
ANS*** A

Which of the following are important to the investigator regarding logging?
A Location of stored logs
B Log retention
C The logging methods
D All of these
ANS*** D

A sector is the basic unit of data storage on a hard disk, which is usually 64 KB.
A True B False
ANS*** A

The term digital evidence describes the process of piecing together where and when a user has been on the Internet.
A True B False
ANS*** B

When computer forensics first began, most investigations were conducted according to the whim of the investigator rather than through a standardized methodology.
A True B False
ANS*** A

If the computer is turned on when you arrive, what does the Secret Service recommend you do?
A Begin your investigation immediately.
B Shut down according to recommended Secret Service procedure.
C Transport the computer with power on.
D Unplug the machine immediately.
ANS*** B

The process of acquiring and analyzing information stored on physical storage media, such as computer hard drives or smartphones is the definition of anti-forensics.
A True B False
ANS*** B

What is the essence of the Daubert standard?
A That only experts can testify at trial
B That the chain of custody must be preserved
C That only tools or techniques that have been accepted by the scientific community are admissible at trial
D That an expert must affirm that a tool or technique is valid
ANS*** C

The Telecommunications Act of 1996 allows for collection and use of "empty" communications, which means nonverbal and nontext communications, such as GPS information.
A True B False
ANS*** B

Volatile memory is computer memory that requires power to maintain the data it holds, and can be changed.
A True B False
ANS*** A

Computer forensics is the exclusive domain of law enforcement.
A True B False
ANS*** B

Why should you note all cable connections for a computer you want to seize as evidence?
A To know what hardware existed
B To know what peripheral devices existed
C In case other devices were connected
D To know what outside connections existed
ANS*** C

Documentary evidence is data stored in written form, on paper, or in electronic files, such as e-mail messages and telephone call-detail records.
A True B False
ANS*** A

Section 816 of the USA Patriot Act, titled the "Development and Support of Cybersecurity Forensic Capabilities," does what?
A Calls for investigation of all cybercrimes as acts of terrorism
B Calls for the establishment of regional computer forensic laboratories
C Establishes guidelines for seizing hard drives
D Establishes guidelines for intercepting e-mail
ANS*** B

In September 2005, the FCC ruled that providers of broadband Internet access and interconnected VoIP services are telecommunications carriers under CALEA and, therefore, extended CALEA to the Web and broadband access for the purpose of wiretap ability.
A True B False
ANS*** A

According to the Electronic Communications Privacy Act of 1986, when will a law enforcement officer need a warrant to intercept e-mail?
A Never
B Anytime e-mail will be intercepted
C Only when seizing it from the server
D Only when seizing it in transit
ANS*** B

The Electronic Communications Privacy Act extended the consent exception guideline to e-mail monitoring, which states that one party to a conversation must give consent.
A True B False
ANS*** B

A "protected computer" is any computer at a financial institution or a government agency.
A True B False
ANS*** A

The International Association of Computer Investigative Specialists (IACIS) was created by ________ who wanted to formalize credentials in computing investigations.
A Forensic scientists
B Police officers
C Government agencies
D Academic computer science departments
ANS*** B

Software that a provider licenses to customers as a service on demand through a subscription model is known as Software on Demand.
A True B False
ANS*** B

When you are performing forensic analysis on devices from diverse jurisdictions, the proper approach is to:
A Adhere to the rules of the jurisdiction with the least restrictive requirements.
B Adhere to your own best judgment.
C Adhere to international requirements.
D Adhere to the rules of the jurisdiction with the most restrictive requirements.
ANS*** D

One of the earliest uses of digital systems was to compute payroll, and one of the earliest digital crimes was taking the "half-way measure" wherein the criminal would use the half-cent variance resulting from calculating an individual's pay and move that rounded-off variation to his or her own account.
A True B False
ANS*** B

If the organization has the need to store far more data than any single server can accommodate, and wishes to survive a network disaster, they will deploy server redundancy.
A True B False
ANS*** B

Moore's Law applies to some of the other primary drivers of computing capability, including storage capacity, processor speed, capacity and cost, fiber optic communications, and more.
A True B False
ANS*** A

The Patriot Act had no effect on computer forensics.
A True B False
ANS*** B

According to Moore's law, computer power _________ at _______ the cost approximately every 18 to 24 months.
ANS*** doubles; half

Which of the following is not a unique characteristic of cloud computing relative to forensics?
A All of these.
B Evidence may be easier for multiple persons to tamper with or modify.
C Evidence may be stored in binary code.
D Evidence may be under different privacy rules.
E Evidence may be in a different location than the suspect computer.
ANS*** C

It is very common for criminal enterprises to intentionally construct their own clouds with data stored in jurisdictions with rules and laws that make data retrieval for the purpose of forensics difficult or impossible.
A True B False
ANS*** A

A hard drive failure, accidental data deletion, or similar small-scale incident will not prevent a redundant network server or SAN from continuing to provide data and services to end users.
A True B False
ANS*** A

Any software that self-replicates is the definition of logic bomb.
A True B False
ANS*** B

Viruses are difficult to locate, but easy to trace back to the creator.
A True B False
ANS*** B

Trin00 is a popular DoS tool.
A True B False
ANS*** A

What is the starting point for investigating denial of service attacks?
A Firewall logs
B Tracing the packets
C System logs
D E-mail headers
ANS*** B

Denial of service (DoS) attack means an attack designed to overwhelm the target system so it can no longer reply to legitimate requests for connection.
A True B False
ANS*** A

Two major subclasses of logic bombs are investment offers and data piracy.
A True B False
ANS*** B

The term virus refers to any software that self-replicates.
A True B False
ANS*** A

The term fraud refers to a broad category of crime that can encompass many different activities, but essentially, any attempt to gain financial reward through deception.
A True B False
ANS*** A

The simple act of wrongfully obtaining another person's personal data is the crime, with or without stealing any money.
A True B False
ANS*** A

Viruses are remarkably easy to locate, but difficult to trace back to the creator.
A True B False
ANS*** A

A logic bomb is malware that is designed to do harm to the system when some logical condition is reached.
A True B False
ANS*** A

It is legal for employers to monitor work computers.
A True B False
ANS*** A

Where would you seek evidence that Ophcrack had been used on a Windows Server 2008 machine?
A In the IDS logs
B In the logs of the server; look for the reboot of the system
C In the logs of the server; look for the loading of a CD
D In the firewall logs
ANS*** B

Rainbow table means type of password crackers that work with pre-calculated hashes of all passwords available within a certain character space.
A True B False
ANS*** A

A SYN flood is software that self-replicates.
A True B False
ANS*** B

A TDoS attack is possible with traditional telephone systems by using an automatic dialer to tie up target phone lines.
A True B False
ANS*** A

A critical topic in cyberterrorism is the subject of the China Eagle Union. This group consists of several thousand Chinese hackers whose stated goal is to infiltrate Western computer systems.
A True B False
ANS*** A

Denial of service (DoS) attack refers to the type of password crackers that work with pre-calculated hashes of all passwords available within a certain character space.
A True B False
ANS*** B

The Tribal Flood Network (TFN) is one of the most widely deployed viruses.
A True B False
ANS*** B

Spyware is legal.
A True B False
ANS*** A

Technically speaking, cookies are not considered spyware.
A True B False
ANS*** B

Fraud is using electronic communications to harass or threaten another person.
A True B False
ANS*** B

When investigating a virus, what is the first step?
A Check IDS logs.
B Check firewall logs.
C Trace the origin of the virus.
D Document the virus.
ANS*** D

In December of 2009, hackers broke into computer systems and stole secret defense plans of the United States and South Korea. The information stolen included a summary of plans for military operations by South Korean and U.S. troops in case of war with North Korea, though the attacks were traced back to a Chinese IP address. This is an example of a Trojan Horse.
A True B False
ANS*** B

Malware that executes damage when a specific condition is met is the definition of logic bomb.
A True B False
ANS*** A

The term distributed denial of service (DDoS) attack describes the process of connecting to a server that involves three packets being exchanged.
A True B False
ANS*** B

The use of electronic communications to harass or threaten another person is the definition of cyberstalking.
A True B False
ANS*** A

It is legal to monitor the computers of relatives as long as they are living in your home.
A True B False
ANS*** B

The term three-way handshake describes the use of electronic communications to harass or threaten another person.
A True B False
ANS*** B

Logic bombs are often perpetrated by ________.
A Identity thieves
B Disgruntled employees
C Terrorists
D Hackers
ANS*** B

What is the primary reason to take cyberstalking seriously?
A It can be annoying and distracting.
B It can be a prelude to real-world violence.
C It can be part of identity theft.
D It can damage your system.
ANS*** B

Malware is any software that can monitor your activity on a computer.
A True B False
ANS*** B

Which of the following crimes is most likely to leave e-mail evidence?
A Logic bomb
B DoS
C Cyberstalking
D Fraud
ANS*** C

One of the most basic tools for physically accessing a Windows machine is Ophcrack, which cracks the local passwords on Windows systems.
A True B False
ANS*** A

The term distributed denial of service (DDoS) attack describes the process of connecting to a server that involves three packets being exchanged.
A True B False
ANS*** B

Cold-calling is a legitimate sales technique when selling stocks.
A True B False
ANS*** A

What is the most important reason that you not touch the actual original evidence any more than you have to?
A It can lead to data degradation.
B Each time you touch digital data, there is some chance of altering it.
C You might be accused of planting evidence.
D You might accidentally decrypt files.
ANS*** B

This residual information in file slack is overwritten when a new file is created.
A True B False
ANS*** B

What is the purpose of hashing a copy of a suspect drive?
A To render it read-only
B To check for changes
C To remove viruses
D To make it secure
ANS*** B

An expert report is a formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted and the specialist's own curriculum vitae (CV).
A True B False
ANS*** A

The unused space between the logical end of file and the physical end of file is the definition of bit-level information.
A True B False
ANS*** B

Information at the level of actual 1s and 0s stored in memory or on the storage device is the definition of bit-level information.
A True B False
ANS*** A

The first step in any investigation is to make a copy of the suspected storage device.
A True B False
ANS*** A

You should make at least two bitstream copies of a suspect drive.
A True B False
ANS*** A

It takes ________ occurrence(s) of overextending yourself during testimony to ruin your reputation.
A At least two
B Only one
C Several
D Only one if it is a major case
ANS*** B

The MD5 message-digest algorithm is used to ________.
A Hash a disk to verify that a disk is not altered when you examine it
B Wipe magnetic media before recycling it
C Make directories on an evidence disk
D View graphics files on an evidence drive
ANS*** A

Achieving ASCLD accreditation is a rigorous process. A lab must meet about 40 criteria to achieve accreditation.
A True B False
ANS*** B

Bob was asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend for or against using a disk-imaging tool?
A The evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file.
B A simple DOS copy will not include deleted files, file slack, and other information.
C There is no case for an imaging tool because it will use a closed, proprietary format that if compared with the original will not match up sector for sector.
D A disk-imaging tool would check for internal self-checking and validation and have an MD5 checksum.
ANS*** B

Bit-level information is information at the level of actual 1s and 0s stored in memory or on the storage device, as opposed to going through the file system's interpretation.
A True B False
ANS*** A

To preserve digital evidence, an investigator should ________.
A Make a single copy of each evidence item using an approved imaging tool
B Make two copies of each evidence item using different imaging tools
C Store only the original evidence item
D Make two copies of each evidence item using a single imaging tool
ANS*** B

Disk Investigator is a Linux Live CD that you use to boot a system and then use the tools.
A True B False
ANS*** B

Information that has been processed and assembled so that it is relevant to an investigation and supports a specific finding or determination is the definition of digital evidence.
A True B False
ANS*** A

Life span refers to how long information is reliable.
A True B False
ANS*** B

Helix is a customized Linux Live CD used for computer forensics.
A True B False
ANS*** A

Volatility refers to how easy it is for data to change. Registers are very volatile, whereas a CD-ROM is not.
A True B False
ANS*** A

After imaging any drive, you must always create a hash of the original and the copy.
A True B False
ANS*** A

The art and science of writing hidden messages is the definition of hash.
A True B False
ANS*** B

The term steganalysis refers to the determination of whether a file or communication hides other information.
A True B False
ANS*** A

The term scrubber refers to software that cleans unallocated space.
A True B False
ANS*** A

Volatile data means data that changes rapidly and may be lost when the machine that holds it is powered down.
A True B False
ANS*** A

________ is the most commonly used hashing algorithm.
ANS*** SHA1
