Computer Forensics - Coursework Example

45 questions, worth 2 points each question worth 10 points In a criminal investigation, the prosecutor is required to provide a copy of all evidence in discovery. In these investigations, what is the minimum number of copies that should be made of each digital media device? ________
TWO
2. True or False: Of the three phases of an investigation: Acquisition, Authentication, and Analysis, Acquisition is the process of retrieving digital evidence and verifying that it is authentic. ________ FALSE
3. “A specialty field in which companies retrieve files that were deleted accidentally or purposefully” is the definition for which of the following terms? ________
a. Private Investigation
b. Computer Forensics
c. Data Recovery
d. Continuity of Operations
4. Evidence that indicates a suspect is innocent of a crime with which they are charged is known as:
a. Exculpatory Evidence
b. Hearsay Evidence
c. Physical Evidence
d. Inculpatory Evidence
5. True or False: Corporate investigators in the U.S. must use procedures that adhere to the 4th amendment to the constitution? _________ FALSE
6. The following are examples of what type of digital crime: Child Pornography, Embezzlement, Fraud, Software Piracy? ________
a. Crimes committed with a computer
b. Crimes committed against a computer
c. Crimes committed against a computer user
d. None of the Above
7. The triad of computing security includes which of the following? ________
a. Detection, response, and monitoring
b. Vulnerability assessment, detection, and monitoring
c. Vulnerability assessment, intrusion response, and investigation
d. Vulnerability assessment, intrusion response, and monitoring.
8. FAT-32 is the default file system for what operating system? ________
a. Windows XP
b. MAC OS
c. Windows 98
d. MS-DOS
9. Windows 2000 came standard with which default file system?
FAT-16, FAT-32
10. True or False: It is absolutely necessary to use a write-blocker when connecting to a digital media device containing a raw image (DD file) for the purposes of copying it. ___________ FALSE
11. List three items that should be on an evidence custody form:
a. Case number
b. name of the investigator assigned to the case
c. nature of the case
d. location where evidence was obtained
12. What section of law in Texas do you think could be used to prosecute a person who hacks into a business server and damages files? Section 1030(a)(3) 
13. True or False: As an expert, you are always obligated to prove the position taken by the person that hired you. FALSE
14. Which of the following best describes tools essential for a cyber crime investigator’s toolkit? ________
a. Flashlight, toothbrush, digital camera
b. Digital Camera, flashlight, faraday bag
c. Sketchpad, IDE to USB interface, permanent marker
d. All of the above
15. Which of the following is not a valid file system? _________
a. Reiser FS
b. FAT-32
c. NTFS
d. EXT-32
16. CFCE is a certification provided by completing training, as well as written and practical examinations conducted by which of the following? _______
a. HTCIA
b. NW3C
c. SERFTC
d. IACIS
17. ENCE is a certification provided by what vendor of forensics software? _______
a. Encase
b. Guidance Software
c. Access Data
d. Paraben
18. When imaging a hard drive, the largest file segment allowed in a proprietary format image is typically 650 MB, but it can be adjusted in some applications up to 2 GB. This 2 GB limit is caused by which of the following? ________
a. Legal requirement to have image files no larger than 2 GB.
b. Target drives formatted as FAT, where 2GB is the upper limit on file size.
c. All of the above
d. None of the above
19. The Expert Witness Image format is a proprietary format of which software vendor? ______
a. Access Data
b. Digital Intelligence
c. Guidance Software
d. Paraben
20. True or False: Password protected data can only be preserved using live acquisitions._______ TRUE
21. Handheld imaging devices are very useful in the acquisition of digital images in the field. Which of the following is not an available handheld imager? _______
a. Logicube Dossier
b. ImageMasster Forensic III
c. ExactImager II
d. None of the Above
22. MD5 and SHA-1 are both defacto standard authentication algorithms. They are both derived from what previous message digest algorithm? Hashing algorithm
23. What does RAID stand for?
redundant array of independent disks
24. When conducting remote acquisitions, what problems should you be aware of? _______
a. Data transfer speeds
b. Access permissions over the network
c. Antivirus, antispyware, and firewall programs
d. All of the above
25. True or False: FTK Imager can acquire data from a drive’s host protected area. _______
TRUE
26. True or False: Computer stored records are records such as server proxy logs and system log files generated by the computer. FALSE
27. A physical architectural description of a hard drive would include the following: _______
a. Cylinders
b. Clusters
c. Partitions
d. None of the Above
28. True or False: A computer system running Windows XP cannot have a File Allocation Table indicating where the files are stored on the disk. FALSE
29. True or False: Anime pictures of children appearing nude is considered child pornography in the U.S. _______
TRUE
30. FAT-16 supports disk partitions with a maximum storage capacity of: ________
a. 1 GB
b. 2 GB
c. 4 GB
d. 8 GB
31. File slack on a hard disk is composed of which of the following (Select all that apply): _______
a. RAM Slack
b. Swap space
c. Disk Slack
d. ROM slack
32. If a person creates a file that contains 4097 bytes of information, and the file is saved to a hard disk that has clusters of 4 sectors each, how much file slack is associated with that file? 4916.4 bytes
33. True or False: When a file is deleted on a Windows system, the operating system inserts a Hex D5 in the place of the first character of the filename, indicating to the OS that the file has been deleted. TRUE
34. All of the following are reserved metadata records in a Master File Table, except which? _______
a. $Volume
b. $Bitmap
c. $Owner
d. $Secure
35. True or False: A registry in a windows operating system is a database that contains information about the system and the users of the system. _______
TRUE
36. List three items contained in the FAT database:
a. File and Directory names
b. Starting cluster numbers
c. File attributes & Date and time stamps
37. True or False: Encase and Sleuthkit are both open-source forensics toolkits. ________
TRUE
38. When considering new forensics software tools, you should do which of the following? _______
a. Uninstall other forensics software
b. Reinstall the OS
c. Test and validate the software
d. All of the above
39. When two different inputs result in the same output from a hashing algorithm, this is called a: _______
a. Conflict
b. Collision
c. Error
d. None of the above
40. The following four functions are used in the MD-5 hashing algorithm. True or False: They are used in random order during the execution of the algorithm. __________
TRUE
41. True or False: Using multiple hashing algorithms will decrease the chances of a collision between two different inputs. TRUE
42. True or False: FTK 1.8X has the capability to analyze MacIntosh file systems. _______
TRUE
43. Access Data’s FTK software will always work in the demo mode on which of the following: _______
a. An image of a disk of size less than 1 GB.
b. An image no bigger than a floppy disk.
c. An image no bigger than a CD.
d. None of the above.
44. How many bytes on a disk with 15 Heads, 40,000 cylinders and 64 sectors per cylinder?
19660800000 BYTES
45. The property of the popular message digest algorithms that makes sure that a very small change in the input results in a very large change in the output is called:
a. Avalon Effect
b. Tornado Effect
c. Hurricane Effect
d. None of the above.
46. (10 point question) Read the following scenario and respond to the questions below:
As a digital forensics examiner, you have been called to the scene of a Kidnapping. Several witnesses have told the investigator that the victim was very excited about a new person they met online. Your job at the scene as a digital forensics examiner is to recommend to the investigating officer a course of action as to what digital evidence may or may not be needed to investigate this crime.
a. Provide a list of potential digital evidence that the investigator is going to want to seize for possible forensic examination. Be thorough, as the lead investigator in this case is not computer savvy.
The following would be the required digital evidence:-
Digital photo of the scene of crime – the photo should cover the areas from which the abduction occurred. If should clearly cover the area, for ease of identification of the area during crime analysis and investigation. In case the abductors or the victim left any belonging behind at the scene of crime, a digital photo should be taken.
Evidence of the online communication – the investigator should collect information of the conversations done by the two parties online. The investigator should focus on getting information leading to the identification of the abductor. The collected information should include; the name used by the abductor in the online platform, photos and any other biographic information. The investigator should record snapshots of the conversations between the parties.
Collection of information on the people likely to offer information leading to arrest of the kidnapper(s). The investigator should look at the friends of the kidnapper in the online platform if possible.
Digital evidence from witness – if there are witnesses, the investigator should digitally record their evidence. For instance, the investigator can record audio evidence from the witnesses.
b. Once the evidence is gathered, and transported back to the laboratory, describe in detail the steps you will go through to process this digital evidence and perform an examination. Discuss the tools that you will use, the scientific process that you will follow, and the mechanism for reporting evidence back to the investigator. Be sure to follow the three A’s!
The first thing to do would be transferring the digitally collected evidence to the computer. To investigate the identity of the abductor, I would start by looking at any photos obtained from the media in which the victim and the abductor where exchanging messages. Using the available digital intelligence software, the photos are examined against the databases kept by the crime records department. To analyze the evidence given by the eye witnesses, I would play the recorded audios, and identify consistency in their evidence, as compared to the evidence collected from other techniques. To ensure that the evidence is not manipulated, I would use encryption techniques such as a password.
After observing consistency in the evidence, I then prepare a report to the relevant authorities, reporting on the findings and recommendations on the course of action.
c. What additional sources of evidence might there be besides the digital equipment and media that would have been seized? How would you gain access to this evidence?
Another source of evidence would be the databases of the service providers. For instance, if the abductors made a phone call at the time they were going to meet the victim, the information can be obtained from the service provider. To gain access to the information, the investigator should follow the legal procedures, which may involve seeking permission from the relevant authorities. Read More