1. expert report ANS : A formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted as well as the specialist's own curriculum vitae (CV). Anything the specialist plans to testify about at a trial must be included in the expert report.
2. Testimonial evidence ANS : Information that forensic specialists use to support or interpret real or documentary evidence; for example, to demonstrate that the fingerprints found on a keyboard are those of a specific individual.
3. Daubert standard ANS : The standard holding that only methods and tools widely accepted in the scientific community can be used in court.
4. If the computer is turned on when you arrive, what does the Secret Service recommend you do? ANS : Shut down according to the recommended Secret Service procedure.
5. Communications Assistance to Law Enforcement Act of 1994 ANS : The Communications Assistance to Law Enforcement Act of 1994 is a federal wiretap law for traditional wired telephony. It was expanded to include wireless, voice over packet, and other forms of electronic communications, including signaling traffic and metadata.
6. Digital evidence ANS : Digital evidence is information processed and assembled so that it is relevant to an investigation and supports a specific finding or determination.
7. Federal Privacy Act of 1974 ANS : The Federal Privacy Act of 1974 is a United States federal law that establishes a code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by U.S. federal agencies.
8. Power Spy, Verity, ICU, and WorkTime ANS : Spyware
9. good fictitious e-mail response rate ANS : 1-3%
10. Which crime is most likely to leave e-mail evidence? ANS : Cyberstalking
11. Where would you seek evidence that ophcrack had been used on a Windows Server 2008 machine? ANS : In the logs of the server; look for the reboot of the system
12. A SYN flood is an example of what? ANS : DoS attack
13. definition of a virus, in relation to a computer ANS : a type of malware that requires a host program or human help to propagate
14. What is the starting point for investigating denial of service attacks? ANS : Tracing the packets
15. China Eagle Union ANS : The cyberterrorism group, the China Eagle Union, consists of several thousand Chinese hackers whose stated goal is to infiltrate Western computer systems. Members and leaders of the group insist that not only does the Chinese government have no involvement in their activities, but that they are breaking Chinese law and are in constant danger of arrest and imprisonment. However, most analysts believe this group is working with the full knowledge and support of the Chinese government.
16. Rules of evidence ANS : Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.
17. file slack ANS : The unused space between the logical end of the file and the physical end of the file. It is also called slack space.
18. The Analysis Plan ANS : Before forensic examination can begin, an analysis plan should be created. This plan guides work in the analysis process. How will you gather evidence? Are there concerns about evidence being changed or destroyed? What tools are most appropriate for this specific investigation? A standard data analysis plan should be created and customized for specific situations and circumstances.
19. What is the most important reason that you not touch the actual original evidence any more than you have to? ANS : Each time you touch digital data, there is some chance of altering it.
20. You should make at least two bitstream copies of a suspect drive. ANS : TRUE
21. To preserve digital evidence, an investigator should ANS : make two copies of each evidence item using different imaging tools
22. What would be the primary reason for you to recommend for or against making a DOS copy? ANS : A simple DOS copy will not include deleted files, file slack, and other information.
23. Which starting-point forensic certification covers the general principles and techniques of forensics, but not specific tools such as EnCase or FTK? ANS : (CHFI) EC Council Certified Hacking Forensic Investigator
24. This forensic certification is open to both the public and private sectors and is specific to the use and mastery of FTK. Requirements for taking the exam include completing the boot camp and Windows forensic courses. ANS : AccessData Certified Examiner. AccessData is the creator of Forensic Toolkit (FTK) software.