What certification program, sponsored by ISC2, requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations?
a. Certified Computer Crime Investigator
b. Certified Forensic Computer Examiner
c. Certified Cyber Forensics Professional
d. EnCase Certified Examiner
_______ is the utility used by the ProDiscover program for remote access.
Which court case established that it is not necessary for computer programmers to testify in order to authenticate computer-generated records?
a. United States v. Walser
b. United States v. Salgado
c. United States v. Wong
d. United States v. Carey
Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files?
a. Advanced Capture Image
b. Advanced Forensics Disk
c. Advanced Open Capture
d. Advanced Forensic Format
Which of the following options is not a subfunction of extraction?
a. logical data copy
What percentage of consumers utilize Intel and AMD PCs?
What algorithm is used to decompress Windows files?
A TEMPEST facility is designed to accomplish which of the following goals?
a. Prevent data loss by maintaining consistent backups.
b. Ensure network security from the Internet using comprehensive security software.
c. Shield sensitive computing systems and prevent electronic eavesdropping of computer emissions.
d. Protect the integrity of data.
You must abide by the _______ while collecting evidence.
a. Fourth Amendment
b. Federal Rules of Evidence
c. Fifth Amendment
d. state's Rules of Evidence
When seizing digital evidence in criminal investigations, whose standards should be followed?
a. U.S. DOJ
In what mode do most write-blockers run?
a. BIOS mode
b. RW mode
c. Shell mode
d. GUI mode
Which RAID type utilizes mirrored striping, providing fast access and redundancy?
a. RAID 5
b. RAID 1
c. RAID 3
d. RAID 10
_______ describes the characteristics of a safe storage container.
b. SSO 990
The __________ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface.
The _______ command was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory.
Which option below is not a Linux Live CD meant for use as a digital forensics tool?
a. Kali Linux
b. Penguin Sleuth
Reconstructing fragments of files that have been deleted from a suspect drive is known as ____________ in North America.
To create a new primary partition within the fdisk interactive utility, which letter should be typed?
The _______ switch can be used with the split command to adjust the size of segmented volumes created by the dd command.
The Linux command _______ can be used to list the current disk devices connected to the computer.
a. show drives
b. ls -l
c. fdisk -l
_______ is not one of the functions of the investigations triad.
a. Network intrusion detection and incident response
b. Digital investigations
c. Vulnerability/threat assessment and risk management
d. Data recovery
The Linux command _____ can be used to write bit-stream data to files.
After the evidence has been presented in a trial by jury, the jury must deliver a(n) _______.
When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files?
a. 1 PB
b. 2 GB
c. 512 MB
d. 1 TB
In what year was the Computer Fraud and Abuse Act passed?
The sale of sensitive or confidential company information to a competitor is known as _______.
a. industrial sabotage
b. industrial collusion
c. industrial espionage
d. industrial betrayal
The term _______ describes rooms filled with extremely large disk systems that are typically used by large business data centers.
a. data well
b. server farm
c. storage room
d. storage hub
How long are computing components designed to last in a normal business environment?
a. 14 to 26 months
b. 18 to 36 months
c. 12 to 16 months
d. 36 to 90 months
Which option below is not a standard systems analysis step?
a. Mitigate or minimize the risks.
b. Share evidence with experts outside of the investigation.
c. Obtain and copy an evidence drive.
d. Determine a preliminary design or approach to the case.
The ProDiscover utility makes use of the proprietary _______________ file format.
What tool below was written for MS-DOS and was commonly used for manual digital investigations?
c. Norton DiskEdit
Which technology below is not a hot-swappable technology?
a. FireWire 1394A
The _______ copies evidence of intrusions to an investigation workstation automatically for further analysis over the network.
a. total awareness system
b. intrusion detection system
c. active defense mechanism
d. intrusion monitoring system
Which system below can be used to quickly and accurately match fingerprints in a database?
a. Fingerprint Identification Database (FID)
b. Systemic Fingerprint Database (SFD)
c. Dynamic Fingerprint Matching System (DFMS)
d. Automated Fingerprint Identification System (AFIS)
As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state?
a. The power cable should be pulled.
b. The power should be left on.
c. The decision should be left to the Digital Evidence First Responder (DEFR).
d. The system should be shut down gracefully.
Which Microsoft OS below is the least intrusive to disks in terms of changing data?
a. Windows 7
b. Windows XP
c. MS-DOS 6.22
d. Windows 95
A _______ is not a private sector organization.
a. small to medium business
c. non-government organization
d. large corporation
A keyword search is part of the analysis process within what forensic function?
The term _______ describes a database containing informational records about crimes that have been committed previously by a criminal.
a. police blogger
b. police blotter
c. police ledger
d. police recorder
What should you do while copying data on a suspect's computer that is still live?
a. Open files to view contents.
b. Conduct a Google search of unknown extensions using the computer.
c. Make notes regarding everything you do.
d. Check Facebook for additional suspects.
A chain-of-evidence form, which is used to document what has and has not been done with the original evidence and forensic copies of the evidence, is also known as a(n) _______.
a. evidence tracking form
b. single-evidence form
c. multi-evidence form
d. evidence custody form
_______ are a special category of private sector businesses, due to their ability to investigate computer abuse committed by employees only, but not customers.
a. News networks
c. Law firms
Which operating system listed below is not a distribution of the Linux OS?
What does FRE stand for?
a. Federal Regulations for Evidence
b. Federal Rules of Evidence
c. Federal Rules for Equipment
d. Federal Rights for Everyone
After a judge approves and signs a search warrant, the _______ is responsible for the collection of evidence as defined by the warrant.
a. Digital Evidence Specialist
b. Digital Evidence Scene Investigator
c. Digital Evidence Recorder
d. Digital Evidence First Responder
The _______ is not one of the three stages of a typical criminal case.
d. civil suit
In order to qualify for the Certified Computer Crime Investigator, Basic Level certification, candidates must provide documentation of at least _______ cases in which they participated.
What option below is an example of a platform-specific encryption tool?
d. Pretty Good Privacy (PGP)
What program serves as the GUI front end for accessing Sleuth Kit's tools?
Which option below is not a recommendation for securing storage containers?
a. Evidence containers should remain locked when they aren't under direct supervision.
b. Rooms with evidence containers should have a secured wireless network.
c. The container should be located in a restricted area.
d. Only authorized access should be allowed, and it should be kept to a minimum.