978-0789757463 Chapter 14

Type: Homework Help
Pages: 5
Words: 876
Authors: William Chuck Easttom

1. Frequently the first responder to a computer crime is the network administrator.
2. netstat is a command you can use with a forensic copy of a machine to compare two
3. The Windows Registry contains a list of USB devices that have been connected to the
machine.
4. In Linux the command to set up a target forensics server to receive a copy of a drive is
5. The chain of custody accounts for the handling of evidence and documents that
handling.
6. Most Windows logs are turned on automatically.
7. Windows stores web browsing information in a file called index.dat.
8. Windows logging can be turned on and off with a tool called auditpol.exe.
9. The Windows command fc lists all active sessions to the computer.
10. The Windows Registry lists USB devices that have been connected to the machine.
Multiple Choice
1. Frequently the first responder to a computer crime is ________.
a. The network administrator
b. A law enforcement officer
c. The news media
d. None of the above
2. If you fail to handle evidence properly ___________.
a. You may damage the hard drive.
b. It may be unusable in court.
c. Law enforcement may not look at it.
d. None of the above.
3. You may use Linux to make a ______________ of the hard drive.
a. Bootable copy
b. Screen shot
c. New version
d. Forensically valid copy
4. Using Linux to wipe the target drive, the command-line command would be ___ .
a. cc
b. dd
c. nd
d. md5sum
5. Using Linux to back up your hard drive, if you want to create a hash, you would use
the command-line command ___________.
a. cc
b. dd
c. nd
d. md5sum
6. Documentation of every person who had access to evidence, how they interacted with
it, and where it was stored is called the ________________.
a. Forensic trail
b. Chain of custody
c. Audit trail
d. None of the above
7. Usually, the first thing you do to a computer to prevent further tampering is to
_________.
a. Make a backup.
b. Make a copy.
c. Take it offline.
d. Lock it in a secure room.
8. _________ can include logs, portable storage, emails, tablets, and cell phones.
a. Computer evidence
b. Ancillary hardware
c. Network devices
d. None of the above
9. Windows stores information on web address, search queries, and recently opened files
in a file called ___________.
a. internet.txt
b. index.dat
c. default.dat
d. explore.exe
10. In Windows, the log that stores events from a single application or component rather
than events that might have system wide impact is the ____________ log.
a. Application
b. System
c. Forwardedevents
d. Applications and services
11. In Windows the log that contains events collected from remote computers is the
____________ log.
a. Application
b. System
c. Forwardedevents
d. Applications and services
12. The Linux log file that contains activity related to the web server is ______.
a. /var/log/kern.log
b. /var/log/apache2/*
c. /var/log/lighttpd/*
d. /var/log/apport.log
13. The Linux log file that can reveal attempts to compromise the system or the presence
of a virus or spyware is ______________.
a. /var/log/kern.log
b. /var/log/apache2/*
c. /var/log/lighttpd/*
d. /var/log/apport.log
14. _______ is a free tool that can be used to recover Windows files.
a. SearchIt
b. Disk Digger
c. FileRecover
d. None of the above
15. The Windows command to list any shared files that are currently open is
___________.
a. openfiles
b. fc
c. netstat
d. None of the above
Matching
a. Windows Registry
b. Linux
c. Chain of custody
d. Computer evidence
e. Security log
f. Auditpol.exe
g. Disk Digger
h. Netstat
i. Windows Registry
j. Openfiles
