Name:
Class:
Date:
Indicate whether the statement is true or false.
1. The law requires search warrants to contain specific descriptions of what’s to be seized. For cloud environments, the
property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect.
a.
True
b.
False
2. The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET).
a.
True
b.
False
3. In the United States, the Electronic Communications Privacy Act (ECPA) describes 5 mechanisms the government can
use to get electronic information from a provider.
a.
True
b.
False
4. Specially trained system and network administrators are often a CSP’s first responders.
a.
True
b.
False
5. A search warrant can be used in any kind of case, either civil or criminal.
a.
True
b.
False
Indicate the answer choice that best completes the statement or answers the question.
6. The __________________ Dropbox file stores information on shared directories associated with a Dropbox user
account and file transfers between Dropbox and the client’s system.
a.
filecache.dbx
b.
read_filejournal
c.
filetx.log
d.
filecache.dll
7. Select the folder below that is most likely to contain Dropbox files for a specific user:
a.
C:\Dropbox
b.
C:\Users\username\Dropbox
c.
C:\Users\Dropbox
d.
C:\Users\username\AppData\Dropbox
8. What cloud application offers a variety of cloud services, including automation and CRM, cloud application
development, and Web site marketing?
a.
IBM Cloud
b.
Amazon EC2
c.
Salesforce
Name:
Class:
Date:
d.
HP Helion
9. In a prefetch file, the application’s last access date and time are at offset _______________.
a.
0x80
b.
0x88
c.
0x90
d.
0xD4
10. Metadata in a prefetch file contains an application’s _____________ times in UTC format and a counter of how many
times the application has run since the prefect file was created.
a.
MAC
b.
ACL
c.
startup / access
d.
log event
11. The Google drive file _________________ contains a detailed list of a user’s cloud transactions.
a.
loggedtransactions.log
b.
sync_log.log
c.
transact_user.db
d.
history.db
12. A _________________ is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on
the fly; it’s accessed through the application’s Web interface.
a.
programming language
b.
management plane
c.
backdoor
d.
configuration manager
13. The __________________________ is an organization that has developed resource documentation for CSPs and their
staff. It provides guidance for privacy agreements, security measures, questionnaires, and more.
a.
OpenStack Framework Alliance
b.
Cloud Security Alliance
c.
Cloud Architecture Group
d.
vCloud Security Advisory Panel
14. Which is not a valid method of deployment for a cloud?
a.
public
b.
private
c.
community
d.
targeted
15. A ________________ is written by a judge to compel someone to do or not do something, such as a CSP producing
user logon activities.
a.
court order
b.
subpoena
Name:
Class:
Date:
c.
warrant
d.
temporary restraining order
16. The ______________ tool can be used to bypass a virtual machine’s hypervisor, and can be used with OpenStack.
a.
OpenForensics
b.
FROST
c.
WinHex
d.
ARC
17. Which of the following is NOT a service level for the cloud?
a.
Software as a service
b.
Virtualization as a service
c.
Platform as a service
d.
Infrastructure as a service
18. At what offset is a prefetch file’s create date & time located?
a.
0x80
b.
0x88
c.
0x90
d.
0x98
19. Which of the following is not one of the five mechanisms the government can use to get electronic information from a
provider?
a.
search warrants
b.
subpoenas
c.
court orders
d.
seizure order
20. Where is the snapshot database created by Google Drive located in Windows?
a.
C:\Program Files\Google\Drive
b.
C:\Users\username\AppData\Local\\Google\Drive
c.
C:\Users\username\Google\Google Drive
d.
C:\Google\Drive
21. Which of the following is not a valid source for cloud forensics training?
a.
(ISC)2 Certified Cyber Forensics Professional
b.
INFOSEC Intitute
c.
Sans Cloud Forensics with F-Response
d.
A+ Security
22. To reduce the time it takes to start applications, Microsoft has created __________ files, which contain the DLL
pathnames and metadata used by applications.
a.
cache
b.
prefetch
Name:
Class:
Date:
c.
config
d.
temp
23. What information below is not something recorded in Google Drive’s snapshot.db file?
a.
file access records
b.
URL pathnames
c.
modified and created times
d.
file SHA values and sizes
24. What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds?
a.
Cisco Cloud Computing
b.
Amazon EC2
c.
XenServer and XenCenter Windows Management Console
d.
HP Helion
25. With cloud systems running in a virtual environment, _______________ can give you valuable information before,
during, and after an incident.
a.
RAM
b.
snapshot
c.
live acquisition
d.
carving
Enter the appropriate word(s) to complete the statement.
26. The __________________ file contains cid (client ID), clientType, clientVersion, device, deviceID, and timeUtc
values relevant to OneDrive.
27. The _____________ cloud service is most likely found on a desktop or a server, although it could also be found on a
company network or the remote service provider’s infrastructure.
28. The ________________ script converts Dropbox’s config.db into a readable text file.
29. A _____________ is a contract between a CSP and a customer that describes what services are being provided and at
what level.
30. __________________ uses an “ideal lattice” mathematical formula to encrypt data.
a.
cloud service providers (CSPs)
b.
community cloud
c.
deprovisioning
d.
hybrid cloud
e.
infrastructure as a service (IaaS)
f.
multitenancy
g.
private cloud
h.
provisioning
i.
public cloud
j.
spoliation
31. A shared cloud service that provides access to common or shared data.
Name:
Class:
Date:
32. Allocating cloud resources, such as additional disk space.
33. A cloud service dedicated to a single organization.
34. Deallocating cloud resources that were assigned to a user or an organization.
35. With this cloud service level, an organization supplies its own OS, applications, databases, and operations staff, and
the cloud provider is responsible only for selling or leasing the hardware.
36. A principle of software architecture in which a single installation of a program runs on a server accessed by multiple
entities (tenants). when software is access by tenants in multiple jurisdictions, conflicts in copyright and licensing laws
might result.
37. Vendors that provide on-demand network access to a shared pool of resources (typically remote data storage or Web
applications)
38. Destroying, altering, hiding, or failing to preserve evidence, whether it’s intentional or a result of negligence.
39. A cloud service that’s available to the general public.
40. A cloud deployment model that combines public, private, or community cloud services under one cloud. Segregation
of data is used to protect private cloud storage and applications.
41. Describe the role of incident first responders, and discuss some factors that should be addressed with first responders.
42. Explain what a government agency subpoena is, and describe how it is used.
43. Explain what a service level agreement is.
44. Describe how the Forensic Open-Stack Tools (FROST) bypasses a virtual machine’s hypervisor.
45. Explain what non-government and civil litigation subpoenas are, and describe how they work.
46. Explain what a court order is, and describe how it is used.
47. Explain why digital forensics examiners should be most concerned with restrictions applied to customers and security
measures.
48. What capabilities should a forensic tool have to handle acquiring data from the cloud?
49. Explain what “anti-forensics” is, and provide detail on some anti-forensics tactics.
50. Discuss the four different types of cloud deployment methods.
Name:
Class:
Date:
Name:
Class:
Date:
Name:
Class:
Date:
Name:
Class:
Date: