Networking Chapter 9 For Most Forensics Investigations You Follow The

Type: Homework Help
Pages: 9
Words: 2539
Authors: Amelia Phillips, Bill Nelson, Christopher Steuart

Name:
Class:
Date:
Indicate whether the statement is true or false.
1. One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is essential for presenting evidence in court.
a. True
b. False
2. In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant.
a. True
b. False
3. Because attorneys do not have the right of full discovery of digital evidence, it is not possible for new evidence to come to light while complying with a defense request for full discovery.
a. True
b. False
4. The advantage of recording hash values is that you can determine whether data has changed.
a. True
b. False
5. Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific files or sectors.
a. True
b. False
Indicate the answer choice that best completes the statement or answers the question.
6. A ____________ image file containing software is intended to be bit-stream copied to floppy disks or other external media.
a. fdisk
b. format
c. dd
d. DiskEdit
7. In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely.
a. keygrabber
b. keylogger
c. packet capture
d. protocol analyzer
8. Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords:
a. Last Bit
b. AccessData PRTK
c. OSForensics
d. Passware
9. The term for detecting and analyzing steganography files is _________________.
a. carving
b. steganology
c. steganalysis
d. steganomics
10. A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to secure the information contained inside.
a. compiler
b. shifter
c. macro
d. script
11. What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords?
a. salted passwords
b. scrambled passwords
c. indexed passwords
d. master passwords
12. Which option below is not a disk management tool?
a. Partition Magic
b. Partition Master
c. GRUB
d. HexEdit
13. Many commercial encryption programs use a technology called _____________, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.
a. key vault
b. key escrow
c. bump key
d. master key
14. Within Windows Vista and later, partition gaps are _____________ bytes in length.
a. 64
b. 128
c. 256
d. 512
15. What letter should be typed into DiskEdit in order to mark a good sector as bad?
a. M
b. B
c. T
d. D
16. Which password recovery method uses every possible letter, number, and character found on a keyboard?
a. rainbow table
b. dictionary attack
c. hybrid attack
d. brute-force attack
17. In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer.
a. format
b. fdisk
c. grub
d. diskpart
18. When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented?
a. Inventory and documentation information should be stored on a drive and then the drive should be reformatted.
b. Start the suspect's computer and begin collecting evidence.
c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
d. Connect the suspect's computer to the local network so that up to date forensics utilities can be utilized.
19. Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its malicious code from antivirus tools.
a. hashing
b. bit-shifting
c. registry edits
d. slack space
20. The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but does not list hash values of known illegal files.
a. Open Hash Database
b. HashKeeper Online
c. National Hashed Software Reference
d. National Software Reference Library
21. Which of the following file systems can't be analyzed by OSForensics?
a. FAT12
b. Ext2fs
c. HFS+
d. XFS
22. In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters?
a. NTFS
b. FAT
c. HFSX
d. Ext3fs
23. The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to filter known program files from view and contains the hash values of known illegal files.
a. DeepScan Filter
b. Unknown File Filter (UFF)
c. Known File Filter (KFF)
d. FTK Hash Imager
24. The goal of recovering as much information as possible can result in ________________, in which an investigation expands beyond the original description because of unexpected evidence found.
a. litigation
b. scope creep
c. criminal charges
d. violations
25. What format below is used for VMware images?
a. .vhd
b. .vmdk
c. .s01
d. .aff
Enter the appropriate word(s) to complete the statement.
26. In addition to steganography, _____________________ was developed as a way to protect file ownership.
27. Examining and analyzing digital evidence depend on the nature of the investigation and the amount of data to process. Criminal investigations are limited to finding data defined in the search warrant, and _____ investigations are often limited by court orders for discovery.
28. In ________ investigations, evidence collection tends to be fairly easy and straightforward because investigators usually have ready access to the necessary records and files.
29. The term _____________ comes from the Greek word for "hidden writing".
30. In ProDiscover and other digital forensics tools, raw format image files (.dd extension) don't contain ________, so you must validate them manually to ensure the integrity of data.
Match the following terms with the correct definitions below:
a. bit-shifting
b. block-wise hashing
c. cover-media
d. key-escrow
e. Known File Filter (KFF)
f. rainbow table
g. salting passwords
h. scope creep
i. steganography
j. stego-media
31. A file containing the hash value for every possible password that can be generated from a computer's keyboard.
32. A cryptographic technique for embedding information in another file for the purpose of hiding the information from casual observers.
33. A technology designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.
34. The process of hashing all sectors of a file and then comparing them with sectors on a suspect's disk drive to determine whether there are any remnants of the original file that couldn't be recovered.
35. In steganalysis, the file containing the hidden message.
36. The result of an investigation expanding beyond its original description because the discovery of unexpected evidence increases the amount of work required.
37. The process of shifting one or more digits in a binary number to the left or right to produce a different value.
38. An AccessData database containing the hash values of known legitimate and suspicious files. It's used to identify files for evidence or eliminate them from the investigation if they are legitimate files.
39. Adding bits to a password before it's hashed so that a rainbow table can't find a matching hash value to decipher the password.
40. In steganalysis, the original file with no hidden message.
41. List and explain the five steganalysis methods described by Neil F. Johnson and Sushil Jajodia.
42. Explain what a digital watermark is and how it's used with data.
43. Illustrate how an investigator would detect whether a suspect's drive contains hidden partitions.
44. Describe the process of block-wise hashing.
45. For most forensics investigations, you follow the same general procedure. Summarize the steps in the procedure.
46. Describe some of the forensic processes involved in investigating an employee suspected of industrial espionage.
47. Explain what data hiding is and list techniques used to hide data.
48. Describe what happens if a FAT partition containing bad clusters is converted to an NTFS partition, and how you might miss evidence that's being hidden.
49. Explain how bit-shifting, and related techniques, are used to hide data.
50. Why is it important to validate forensic data, and why are advanced hexadecimal editors necessary for this process?