CPSC 4680 EXAM 1-2 QUESTIONS AND ANSWERS
A disaster recovery plan ensures that workstations and file servers can be restored to
their original condition in the event of a catastrophe. T/F - Answers - True
Linux Live CDs and WinFE disks do not automatically mount hard drives, but can be
used to view file systems. T/F - Answers - True
The Fourth Amendment states that only warrants "particularly describing the place to be
searched and the persons or things to be seized" can be issued. The courts have
determined that this phrase means a warrant can authorize a search of a specific place
for anything. T/F - Answers - False
Physically copying the entire drive is the only type of data-copying method used in
software acquisitions. T/F - Answers - False
Software forensics tools are grouped into command-line applications and GUI
applications. T/F - Answers - True
Which of the following options is not a subfunction of extraction?
logical data copy
decrypting
bookmarking
carving - Answers - logical data copy
When using a target drive that is FAT32 formatted, what is the maximum size limitation
for split files?
512 MB
2 GB
1 TB
1 PB - Answers - 2 GB
The _______ copies evidence of intrusions to an investigation workstation automatically
for further analysis over the network.
intrusion detection system
active defense mechanism
total awareness system
intrusion monitoring system - Answers - intrusion detection system
Addresses that allow the MFT to link to nonresident files are known as
_______________.
virtual cluster numbers
logical cluster numbers
sequential cluster numbers
polarity cluster numbers - Answers - logical cluster numbers
Which of the following is not done when preparing for a case?
Describe the nature of the case.
Identify the type of OS.
Set up covert surveillance.
Determine whether you can seize the computer or digital device - Answers - Set up
covert surveillance.
The ___________ file type uses lossy compression to reduce file size and doesn't affect
image quality when the file is restored and viewed - Answers - jpeg
_______________ proves that two sets of data are identical by calculating hash values
or using another similar method. - Answers - Verification
The ______________ rule states that to prove the content of a written document,
recording, or photograph, ordinarily the original writing, recording, or photograph is
required. - Answers - Best Evidence
Passwords are typically stored as one-way _____________ rather than in plaintext. -
Answers - hash values
Describe two methods for filtering data (separating good data from suspicious data). -
Answers - To filter data, you can use hash values to create a known good hash value
list of a fresh installation of an OS, all applications, and known good images and
documents (spreadsheets, text files, and so on). With this information, an investigator
could ignore all files on this known good list and focus on other files that aren't on this
list.
Another way to filter data is analyzing and verifying header values for known file types.
Each file type has a header value associated with a file extension, and many forensic
tools include a list of common file headers. To view these file headers, you use a
hexadecimal editor, which can tell you whether a file extension is incorrect for the file
type.
After you record the scene and shut down the system, you bag and tag the evidence.
Describe the steps to follow for bagging and tagging evidence. - Answers - The
following steps are to be followed when bagging and tagging evidence: