QUESTIONS & ANSWERS (RATED A+)
What are the types of software forensic tools? - ANSWER: command-line applications
GUI applications
What are commonly used to copy data from a suspect's disk drive to an image file? - ANSWER: software forensic tools
Where are the stored hashes for passwords in Windows found? - ANSWER: HKEY_LOCAL_MACHINE\SAM
Where does Mac OS store passwords? - ANSWER: keychain
Where does Linux store passwords? - ANSWER: /etc/shadow
Which of the following is not a graphic file type?
a. Bitmap graphics
b. Vector graphics
c. Lossy graphics
d. Metafile graphics - ANSWER: c. Lossy graphics
TRUE/FALSE
Images that are in raw format must include EXIF data - ANSWER: FALSE
ISO standard 27037 states: - ANSWER: Digital Evidence First Responders (DEFRs) should use validated tools
When performing tasks using digital forensic tools, which guidelines should you follow? - ANSWER: NIST's Computer Forensics Tool Testing (CFTT) program
What are the 5 major categories of tasks performed by digital forensics tools? - ANSWER: Acquisition
Validation and verification
Extraction
Reconstruction
Reporting
____________ is making a copy of the original drive - ANSWER: acquisition
TRUE/FALSE
There are 2 types of data-copying methods used in software acquisitions. - ANSWER: TRUE
Physical copying of the entire drive
Logical copying of a disk partition
TRUE/FALSE
You can view a raw image file's contents with any hexadecimal editor - ANSWER: TRUE
What is a typical feature in vendor acquisition tools? - ANSWER: creating smaller segmented files
TRUE/FALSE
Remote acquisition of files is common in smaller organizations - ANSWER: FALSE
Larger organizations
Popular tools, such as AccessData and EnCase, can do remote acquisitions of forensics drive images on a network
____________ is a way to confirm that a tool is functioning as intended - ANSWER: validation
______________ proves that two sets of data are identical by calculating hash values or using another similar method - ANSWER: Verification
_______________ is the confirmation by examination *and* the provision of objective evidence that a tool, technique or procedure functions correctly *and* as intended - ANSWER: Validation
_______________ is the confirmation of a validation with laboratories' *tools*, techniques *and* procedures. - ANSWER: Verification
CRC-32, MD5, SHA-1 are examples of ___________ - ANSWER: hashing
What are the subfunctions of verification? - ANSWER: Hashing
Filtering (based on hash value sets)
Analyzing file headers (discriminate files based on their types)
____________________ has compiled a list of known file (good and bad) hashes - ANSWER: National Software Reference Library (NSRL)
TRUE/FALSE
Not many forensics tools can identify header values - ANSWER: FALSE
Most forensics tools can identify header values
___________ is the recovery task in a digital investigation - ANSWER: extraction
Which digital forensics task is the most challenging? - ANSWER: extraction
TRUE/FALSE
Recovering data is the first step in analyzing an investigation's data - ANSWER: TRUE
What are the subfunctions of extraction? - ANSWER: Data viewing
Keyword searching
Decompressing or uncompressing
Carving
Decrypting
Bookmarking or tagging
TRUE/FALSE
Keyword searches always speed up analysis for investigators - ANSWER: FALSE
TRUE/FALSE
From an investigation perspective, encrypted files and systems are a problem - ANSWER: TRUE
Many password recovery tools have a feature for generating potential password lists for a _______________ attack - ANSWER: password dictionary
If a password dictionary attack fails, you can run a ______________ attack - ANSWER: brute-force
TRUE/FALSE
You should bookmark or record the findings during extraction and decryption - ANSWER: TRUE
Re-creating a suspect drive to show what happened during a crime or an incident describes _______________ - ANSWER: reconstruction