Networking Chapter 6 ISO standard 27037 states that the most important factors

Type: Homework Help
Pages: 9
Words: 1865
Authors: Amelia Phillips, Bill Nelson, Christopher Steuart

Name:
Class:
Date:
Indicate whether the statement is true or false.
1. Physically copying the entire drive is the only type of data-copying method used in software acquisitions.
a. True
b. False
2. Software forensics tools are grouped into command-line applications and GUI applications.
a. True
b. False
3. Making a logical acquisition of a drive with whole disk encryption can result in unreadable files.
a. True
b. False
4. ISO standard 27037 states that the most important factors in data acquisition are the DEFR's competency and the use of validated tools.
a. True
b. False
5. All forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image.
a. True
b. False
Indicate the answer choice that best completes the statement or answers the question.
6. The physical data copy subfunction exists under the ______________ function.
a. acquisition
b. validation / verification
c. extraction
d. reporting
7. A keyword search is part of the analysis process within what forensic function?
a. reconstruction
b. acquisition
c. extraction
d. reporting
8. What algorithm is used to decompress Windows files?
a. Shannon-Fano
b. Fibonacci
c. Lempel-Ziv
d. Zopfli
9. In what temporary location below might passwords be stored?
a. pagefile.sys
b. Windows registry
c. system32.dll
d. CD-ROM drive
10. The ProDiscover utility makes use of the proprietary _______________ file format.
a. .eve
b. .pro
c. .img
d. .iso
11. What tool below was written for MS-DOS and was commonly used for manual digital investigations?
a. Norton DiskEdit
b. ByteBack
c. DataLifter
d. SMART
12. Passwords are typically stored as one-way _____________ rather than in plaintext.
a. variables
b. hex values
c. hashes
d. slack spaces
13. In general, what would a lightweight forensics workstation consist of?
a. A tower with several bays and many peripheral devices
b. A laptop computer with almost as many bays and peripherals as a tower
c. A laptop computer built into a carrying case with a small selection of peripheral options
d. A tablet with peripherals and forensics apps
14. What is the goal of the NSRL project, created by NIST?
a. Collect known hash values for commercial software and OS files using MD5 hashes.
b. Collect known hash values for commercial software and OS files using SHA hashes.
c. Create hash values for illegal files and distribute the information to law enforcement.
d. Search for collisions in hash values, and contribute to fixing hashing programs.
15. What option below is an example of a platform specific encryption tool?
a. Pretty Good Privacy (PGP)
b. GnuPG
c. TrueCrypt
d. BitLocker
16. Reconstructing fragments of files that have been deleted from a suspect drive is known as ____________ in North America.
a. salvaging
b. scraping
c. carving
d. sculpting
17. _______________ proves that two sets of data are identical by calculating hash values or using another similar method.
a. Validation
b. Compilation
c. Integration
d. Verification
18. Which of the following options is not a subfunction of extraction?
a. carving
b. decrypting
c. logical data copy
d. bookmarking
19. What program serves as the GUI front end for accessing Sleuth Kit's tools?
a. KDE
b. DetectiveGUI
c. Autopsy
d. SMART
20. What hex value is the standard indicator for jpeg graphics files?
a. FF D9
b. F8 D8
c. FF D8
d. AB CD
21. The __________ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface.
a. Ubuntu
b. Helix3
c. Arch
d. Kali
22. What is the purpose of the reconstruction function in a forensics investigation?
a. Prove that two sets of data are identical.
b. Copy all information from a suspect's drive, including information that may have been hidden.
c. Re-create a suspect's drive to show what happened during a crime or incident.
d. Generate reports or logs that detail the processes undertaken by a forensics investigator.
23. When performing disk acquisition, the raw data format is typically created with the UNIX/Linux _____________ command.
a. format
b. dd
c. dump
d. tar
24. Which of the following is stated within the ISO 27037 standard?
a. Digital Evidence First Responders should use validated tools.
b. Software forensics tools must provide a GUI interface.
c. Software forensics tools must use the Windows OS.
d. Hardware acquisition tools can only use CRC-32 hashing.
25. In what mode do most write-blockers run?
a. GUI mode
b. Shell mode
c. BIOS mode
d. RW mode
Enter the appropriate word(s) to complete the statement.
26. The National Software Reference Library has compiled a list of known ___________ for a variety of OSs, applications, and images.
27. __________ can be platform specific, such as BitLocker, or done with third-party tools, such as Pretty Good Privacy (PGP) and GnuPG.
28. The purpose of having a ______________ function in a forensics tool is to re-create a suspect drive to show what happened during a crime or incident.
29. The NIST ________________ program establishes guidelines for selecting and using forensics tools.
30. The _____________ utility is designed to be installed on Linux distributions, and can be used to analyze a variety of different file systems, while also offering the ability to use plugins.
a. acquisition
b. brute-force attack
c. Computer Forensics Tool Testing (CFTT)
d. extraction
e. keyword search
f. National Software Reference Library (NSRL)
g. password dictionary attack
h. reconstruction
i. validation
j. write-blocker
31. The process of trying every combination of characters (letters, numbers, and special characters typically found on a keyboard) to find a matching password or passphrase value for an encrypted file.
32. The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the required functions of digital forensics tools.
33. A hardware device or software program that prevents a computer from writing data to an evidence drive.
34. An attack that uses a collection of words or phrases that might be passwords for an encrypted file.
35. A NIST project with the goal of collecting all known hash values for commercial software and OS files.
36. The process of creating a duplicate image of data; one of the required functions of digital forensics tools.
37. A project sponsored by the National Institute of Standards and Technology to manage research on digital forensics tools.
38. A way to confirm that a tool is functioning as intended; one of the functions of digital forensics tools.
39. The process of rebuilding data files; one of the required functions of digital forensics tools.
40. A method of finding files or other information by entering relevant characters, words, or phrases in a search tool.
41. What are the three minimum steps of a basic digital forensics examination protocol?
42. What guidelines exist for the selection and use of forensics software? Name at least three.
43. List three of the six subfunctions that exist under the reconstruction function.
44. What two different options are available for write blockers, and how do these options work?
45. In general, forensics workstations can be divided into what categories? Explain each category.
46. Explain the difference between validation and verification.
47. How does a password dictionary attack work?
48. Name at least four subfunctions of the extraction function that are used in forensics investigations.
49. List the five (5) categories of functions that are meant as guidelines for evaluating digital forensic tools, with subfunctions for refining data analysis and recovery and ensuring data quality.
50. Describe two methods for filtering data: separating good data from suspicious data.