978-0789757463 Chapter 14

1. Frequently the first responder to a computer crime is the network administrator.

2. netstat is a command you can use with a forensic copy of a machine to compare two

3. The Windows Registry contains a list of USB devices that have been connected to the

machine.

4. In Linux the command to set up a target forensics server to receive a copy of a drive is

5. The chain of custody accounts for the handling of evidence and documents that

handling.

6. Most Windows logs are turned on automatically.

7. Windows stores web browsing information in a file called index.dat.

8. Windows logging can be turned on and off with a tool called auditpol.exe.

9. The Windows command fc lists all active sessions to the computer.

10. The Windows Registry lists USB devices that have been connected to the machine.

Multiple Choice

1. Frequently the first responder to a computer crime is ________.

a. The network administrator

b. A law enforcement officer

c. The news media

d. None of the above

2. If you fail to handle evidence properly ___________.

a. You may damage the hard drive.

b. It may be unusable in court.

c. Law enforcement may not look at it.

d. None of the above.

3. You may use Linux to make a ______________ of the hard drive.

a. Bootable copy

b. Screen shot

c. New version

d. Forensically valid copy

4. Using Linux to wipe the target drive, the command-line command would be ___ .

a. cc

b. dd

c. nd

d. md5sum

5. Using Linux to backup your hard drive, if you want to create a hash, you would use

the command-line command ___________.

a. cc

b. dd

c. nd

d. md5sum

6. Documentation of every person who had access to evidence, how they interacted with

it, and where it was stored is called the ________________.

a. Forensic trail

b. Chain of custody

c. Audit trail

d. None of the above

7. Usually, the first thing you do to a computer to prevent further tampering is to

_________.

a. Make a backup.

b. Make a copy.

c. Take it offline.

d. Lock it in a secure room.

8. _________ can include logs, portable storage, emails, tablets, and cell phones.

a.Computer evidence

b.Ancillary hardware

c. Network devices

d. None of the above

9. Windows stores information on web address, search queries, and recently opened files

in a file called___________.

a. internet.txt

b. index.dat

c. default.dat

d. explore.exe

10. In Windows, the log that stores events from a single application or component rather

than events that might have system wide impact is the ____________ log.

a. Application

b. System

c. Forwardedevents

d. Applications and services

11. In Windows the log that contains events collected from remote computers is the

____________ log.

a. Application

b. System

c. Forwardedevents

d. Applications and services

12. The Linux log file that contains activity related to the web server is ______.

a. /var/log/kern.log

b. /var/log/apache2/*

c. /var/log/lighttpd/*

d. /var/log/apport.log

13. The Linux log file that can reveal attempts to compromise the system or the presence

of a virus or spyware is ______________.

a. /var/log/kern.log

b. /var/log/apache2/*

c. /var/log/lighttpd/*

d. /var/log/apport.log

14. _______ is a free tool that can be used to recover Windows files.

a. SearchIt

b. Disk Digger

c. FileRecover

d. None of the above

15. The Windows command to list any shared files that are currently open is

___________.

a. openfiles

b. fc

c. netstat

d. None of the above

Matching

a. Windows Registry

b. Linux

c. Chain of custody

d. Computer evidence

e. Security log

f. Auditpol.exe

g. Disk Digger

h. Netstat

i. Windows Registry

j. Openfiles