Unlock document.
This document is partially blurred.
Unlock all pages and 1 million more documents.
Get Access
Guide to Computer Forensics and Investigations, 5th ed., 9781285060033
Ch. 9 Solutions-1
Chapter 9 Solutions
Review Questions
1. Which of the following represents known files you can eliminate from an investigation? (Choose all
that apply.)
2. For which of the following reasons should you wipe a target drive?
3. The Known File Filter (KFF) can be used for which of the following purposes? (Choose all that
apply.)
4. Password recovery is included in all forensics tools. True or False?
5. After you shift a file’s bits, the hash value remains the same. True or False?
6. Which forensic image file format creates or incorporates a validation hash value in the image file?
(Choose all that apply.)
a. Expert Witness
7. ___________________ happens when an investigation goes beyond the bounds of its original
description.
8. Suppose you’re investigating an e-mail harassment case. Generally, is collecting evidence for this
type of case easier for an internal corporate investigation or a criminal investigation?
9. You’re using Disk Management to view primary and extended partitions on a suspect’s drive. The
program reports the extended partition’s total size as larger than the sum of the sizes of logical
partitions in this extended partition. What might you infer from this information?
10. Commercial encryption programs often rely on _____________________ technology to recover files
if a password or passphrase is lost.
11. Steganography is used for which of the following purposes?
Guide to Computer Forensics and Investigations, 5th ed., 9781285060033
Ch. 9 Solutions-2
12. The National Software Reference Library provides what type of resource for digital forensics
examiners?
13. In steganalysis, cover-media is which of the following?
14. Rainbow tables serve what purpose for digital forensics examinations?
15. The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the
password length. True or False?
16. If an application uses salting when creating passwords, what concerns should a forensics examiner
have when attempting to recover passwords?
17. Block-wise hashing has which of the following benefits for forensics examiners?
Hands-On Projects
Hands-On Project 9-1
The correspondence2.txt file should be identical to the original correspondence.txt file. Students
should state how reliable this method of data obfuscation is in hiding and recovering data from a file.
Hands-On Project 9-2
Make sure students list all hash values for these image files.
Hands-On Project 9-3
In searching Chris’s e-mails, students should find three messages from baspen99@aol.com. Their reports should
Hands-On Project 9-4
Students should find two e-mail messages related to kayak activities as well as an old StarOffice document
Case Projects
Case Project 9-1
Guide to Computer Forensics and Investigations, 5th ed., 9781285060033
Ch. 9 Solutions-3
Students should list steps to consider for a fraud investigation, such as collecting e-mails and examining Word and
Case Project 9-2
Because the investigation is ongoing, students should state that making a remote image of the suspect’s drive is
Case Project 9-3
