Category Archives: CIS 562 Complete Class Solution

Need help with your exams and quizzes?

Visit www.hwgala.com

search through our website for Exams and Quizzes Solutions, Assignments and Discussion Questions and ACE your class.If you cannot find what you are looking for, email us at
writersorg@gmail.com

CIS 562 Final Exam

CIS 562 Week 11 Final Exam – Strayer

Click On The Link Below To Purchase:

http://www.hwmojo.com/products/cis-562-final-exam

 

Chapters 7 Through 16

Chapter 7: Current Computer Forensics Tools

TRUE/FALSE

1. When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.

2. In software acquisition, there are three types of data-copying methods.

3. To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.

4. The Windows platforms have long been the primary command-line interface OSs.

5. After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.

MULTIPLE CHOICE

1. Computer forensics tools are divided into ____ major categories.
a. 2 c. 4
b. 3 d. 5

2. Software forensics tools are commonly used to copy data from a suspect’s disk drive to a(n) ____.
a. backup file c. image file
b. firmware d. recovery copy

3. To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable.
a. UNIX c. Linux
b. MAC OS X d. MS-DOS

4. Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command.
a. rawcp c. d2dump
b. dd d. dhex

5. ____ of data involves sorting and searching through all investigation data.
a. Validation c. Acquisition
b. Discrimination d. Reconstruction

6. Many password recovery tools have a feature that allows generating potential lists for a ____ attack.
a. brute-force c. birthday
b. password dictionary d. salting

7. The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk.
a. partition-to-partition c. disk-to-disk
b. image-to-partition d. image-to-disk

8. To complete a forensic disk analysis and examination, you need to create a ____.
a. forensic disk copy c. budget plan
b. risk assessment d. report

9. The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems.
a. Apple c. Commodore
b. Atari d. IBM

10. In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network.
a. Dir c. Copy
b. ls d. owner

11. In general, forensics workstations can be divided into ____ categories.
a. 2 c. 4
b. 3 d. 5

12. A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____.
a. stationary workstation c. lightweight workstation
b. field workstation d. portable workstation

13. ____ is a simple drive-imaging station.
a. F.R.E.D. c. FIRE IDE
b. SPARC d. DiskSpy

14. ____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.
a. Drive-imaging c. Workstations
b. Disk editors d. Write-blockers

15. Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0,and SCSI controllers.
a. USB c. LCD
b. IDE d. PCMCIA

16. The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
a. CFTT c. FS-TST
b. NIST d. NSRL

17. The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.
a. ISO 3657 c. ISO 5725
b. ISO 5321 d. ISO 17025

18. The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.
a. NSRL c. FS-TST
b. CFTT d. PARTAB

19. The primary hash algorithm used by the NSRL project is ____.
a. MD5 c. CRC-32
b. SHA-1 d. RC4

20. One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex.
a. disk imager c. bit-stream copier
b. write-blocker d. disk editor

21. Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file’s contents.
a. testing, compressed c. testing, pdf
b. scanning, text d. testing, doc

COMPLETION

1. Software forensic tools are grouped into command-line applications and ____________________ applications.

2. The Windows application of EnCase requires a(n) ____________________ device, such as FastBloc, to prevent Windows from accessing and corrupting a suspect disk drive.

3. The ____________________ function is the most demanding of all tasks for computer investigators to master.

4. Because there are a number of different versions of UNIX and Linux, these platforms are referred to as ____________________ platforms.

5. Hardware manufacturers have designed most computer components to last about ____________________ months between failures.

MATCHING

Match each item with a statement below
a. JFIF f. PDBlock
b. Lightweight workstation g. Norton DiskEdit
c. Pagefile.sys h. Stationary workstation
d. Salvaging i. SafeBack
e. Raw data

1. letters embedded near the beginning of all JPEG files

2. European term for carving

3. a direct copy of a disk drive

4. usually a laptop computer built into a carrying case with a small selection of peripheral options

5. one of the first MS-DOS tools used for a computer investigation

6. software-enabled write-blocker

7. system file where passwords may have been written temporarily

8. a tower with several bays and many peripheral devices

9. command-line disk acquisition tool from New Technologies, Inc.

SHORT ANSWER

1. What are the five major function categories of any computer forensics tool?

2. Explain the validation of evidence data process.

3. What are some of the advantages of using command-line forensics tools?

4. Explain the advantages and disadvantages of GUI forensics tools.

5. Illustrate how to consider hardware needs when planning your lab budget.

6. Describe some of the problems you may encounter if you decide to build your own forensics workstation.

7. Illustrate the use of a write-blocker on a Windows environment.

8. Briefly explain the NIST general approach for testing computer forensics tools.

9. Explain the difference between repeatable results and reproducible results.

10. Briefly explain the purpose of the NIST NSRL project.

Chapter 8: Macintosh and Linux Boot Processes and File Systems

TRUE/FALSE

1. If a file contains information, it always occupies at least one allocation block.

2. Older Macintosh computers use the same type of BIOS firmware commonly found in PC-based systems.

3. GPL and BSD variations are examples of open-source software.

4. A UNIX or Linux computer has two boot blocks, which are located on the main hard disk.

5. Under ISO 9660 for DVDs, the Micro-UDF (M-UDF) function has been added to allow for long filenames.

MULTIPLE CHOICE

1. Macintosh OS X is built on a core called ____.
a. Phantom c. Darwin
b. Panther d. Tiger

2. In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.
a. resource c. blocks
b. node d. inodes

3. The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is ____.
a. 32,768 c. 58,745
b. 45,353 d. 65,535

4. On older Macintosh OSs all information about the volume is stored in the ____.
a. Master Directory Block (MDB) c. Extents Overflow File (EOF)
b. Volume Control Block (VCB) d. Volume Bitmap (VB)

5. With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
a. Extents overflow file c. Master Directory Block
b. Volume Bitmap d. Volume Control Block

6. On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB).
a. volume information block c. catalog
b. extents overflow file d. master directory block

7. Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement.
a. AIX c. GPL
b. BSD d. GRUB

8. The standard Linux file system is ____.
a. NTFS c. HFS+
b. Ext3fs d. Ext2fs

9. Ext2fs can support disks as large as ____ TB and files as large as 2 GB.
a. 4 c. 10
b. 8 d. 12

10. Linux is unique in that it uses ____, or information nodes, that contain descriptive information about each file or directory.
a. xnodes c. infNodes
b. extnodes d. inodes

11. To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of ____.
a. -1 c. 1
b. 0 d. 2

12. ____ components define the file system on UNIX.
a. 2 c. 4
b. 3 d. 5

13. The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive.
a. superblock c. boot block
b. data block d. inode block

14. LILO uses a configuration file named ____ located in the /Etc directory.
a. Lilo.conf c. Lilo.config
b. Boot.conf d. Boot.config

15. Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of OSs.
a. 1989 c. 1994
b. 1991 d. 1995

16. On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive.
a. /dev/sda1 c. /dev/hda1
b. /dev/hdb1 d. /dev/ide1

17. There are ____ tracks available for the program area on a CD.
a. 45 c. 99
b. 50 d. 100

18. The ____ provides several software drivers that allow communication between the OS and the SCSI component.
a. International Organization of Standardization (ISO)
b. Advanced SCSI Programming Interface (ASPI)
c. CLV
d. EIDE

19. All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard ____ ribbon or shielded cable.
a. 40-pin c. 80-pin
b. 60-pin d. 120-pin

20. ATA-66,ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable.
a. 70 c. 96
b. 83 d. 100

21. IDE ATA controller on an old 486 PC doesn’t recognize disk drives larger than 8.4 ____.
a. KB c. GB
b. MB d. TB

COMPLETION

1. Before OS X, Macintosh uses the ____________________, in which files are stored in directories, or folders, that can be nested in other folders.

2. The Macintosh file system has ____________________ descriptors for the end of file (EOF).

3. ____________________ is a journaling version of Ext2fs that reduces file recovery time after a crash.

4. When you turn on the power to a UNIX workstation, instruction code located in firmware on the system’s CPU loads into RAM. This firmware is called ____________________ code because it’s located in ROM.

5. CD players that are 12X or faster read discs by using a(n) _____________________ system.

MATCHING

Match each item with a statement below
a. File Manager f. Volume
b. Inode blocks g. ls
c. ISO 9660 h. Catalog
d. LILO i. Finder
e. Clumps

1. older Linux boot manager utility

2. Macintosh tool that works with the OS to keep track of files and maintain users’ desktops

3. any storage medium used to store files

4. the list command on Linux

5. maintains relationships between files and directories on a volume on a Mac OS

6. the first data after the superblock on a UNIX or Linux file system

7. ISO standard for CDs

8. Mac OS utility that handles reading, writing, and storing data to physical media

9. groups of contiguous allocation blocks

SHORT ANSWER

1. Explain the relation between allocation blocks and logical block on a Mac OS file system.

2. Explain the use of B*-trees on Mac OS 9 file system.

3. Explain the use of forensic tools for Macintosh systems.

4. What are the functions of the superblock on a UNIX or Linux file system?

5. What is a bad block inode on Linux?

6. What is a continuation inode?

7. Describe the CD creation process.

8. Write a brief history of SCSI.

9. Explain the problems you can encounter with pre-ATA-33 devices when connecting them to current PCs.

10. What problems can hidden partitions on IDE devices cause to forensic investigators?

Chapter 9: Computer Forensics Analysis and Validation

TRUE/FALSE

1. The defense request for full discovery of digital evidence applies only to criminal cases in the United States.

2. For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.

3. FTK cannot perform forensics analysis on FAT12 file systems.

4. FTK cannot analyze data from image files from other vendors.

5. A nonsteganographic graphics file has a different size than an identical steganographic graphics file.

MULTIPLE CHOICE

1. ____ increases the time and resources needed to extract,analyze,and present evidence.
a. Investigation plan c. Litigation path
b. Scope creep d. Court order for discovery

2. You begin any computer forensics case by creating a(n) ____.
a. investigation plan c. evidence custody form
b. risk assessment report d. investigation report

3. In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover.
a. risk assessment reports c. scope creeps
b. investigation plans d. subpoenas

4. There are ____ searching options for keywords which FTK offers.
a. 2 c. 4
b. 3 d. 5

5. ____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search.
a. Online c. Active
b. Inline d. Live

6. The ____ search feature allows you to look for words with extensions such as “ing,”“ed,” and so forth.
a. fuzzy c. permutation
b. stemming d. similar-sounding

7. In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period.
a. live c. active
b. indexed d. inline

8. FTK and other computer forensics programs use ____ to tag and document digital evidence.
a. tracers c. bookmarks
b. hyperlinks d. indents

9. Getting a hash value with a ____ is much faster and easier than with a(n) ____.
a. high-level language, assembler
b. HTML editor, hexadecimal editor
c. computer forensics tool, hexadecimal editor
d. hexadecimal editor, computer forensics tool

10. AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data.
a. KFF c. NTI
b. PKFT d. NSRL

11. Data ____ involves changing or manipulating a file to conceal information.
a. recovery c. integrity
b. creep d. hiding

12. One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it.
a. Norton DiskEdit c. System Commander
b. PartitionMagic d. LILO

13. Marking bad clusters data-hiding technique is more common with ____ file systems.
a. NTFS c. HFS
b. FAT d. Ext2fs

14. The term ____ comes from the Greek word for“hidden writing.”
a. creep c. escrow
b. steganography d. hashing

15. ____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there.
a. Bit shifting c. Marking bad clusters
b. Encryption d. Steganography

16. Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.
a. steganography c. password backup
b. key escrow d. key splitting

17. People who want to hide data can also use advanced encryption programs, such as PGP or ____.
a. NTI c. FTK
b. BestCrypt d. PRTK

18. ____ recovery is a fairly easy task in computer forensic analysis.
a. Data c. Password
b. Partition d. Image

19. ____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
a. Brute-force c. Profile
b. Dictionary d. Statistics

20. ____ are handy when you need to image the drive of a computer far away from your location or when you don’t want a suspect to be aware of an ongoing investigation.
a. Scope creeps c. Password recovery tools
b. Remote acquisitions d. Key escrow utilities

21. ____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer’s file system.
a. HDHOST c. DiskEdit
b. DiskHost d. HostEditor

COMPLETION

1. For most law-enforcement-related computing investigations, the investigator is limited to working with data defined in the search ____________________.

2. FTK provides two options for searching for keywords: indexed search and ____________________ search.

3. ____________________ search catalogs all words on the evidence disk so that FTK can find them quickly.

4. To generate reports with the FTK ReportWizard, first you need to ____________________ files during an examination.

5. The data-hiding technique ____________________ changes data from readable code to data that looks like binary executable code.

MATCHING

Match each item with a statement below
a. Court orders for discovery f. PRTK
b. Investigation plan g. Validating digital evidence
c. Digital Intelligence PDWipe h. MD5
d. Live search i. System Commander
e. Cabinet

1. defines the investigation’s goal and scope, the materials needed, and the tasks to perform

2. a hashing algorithm

3. one of the most critical aspects of computer forensics

4. a type of compressed file

5. an FTK searching option

6. a password recovery program available from AccessData

7. a disk-partitioning utility

8. program used to clean all data from the target drive you plan to use

9. limit a civil investigation

SHORT ANSWER

1. Describe the effects of scope creep on an investigation in the corporate environment.

2. Describe with examples why the approach you take for a forensics case depends largely on the specific type of case you’re investigating.

3. How should you approach a case in which an employee is suspected of industrial espionage?

4. What are the file systems supported by FTK for forensic analysis?

5. How does the Known File Filter program work?

6. How can you validate the integrity of raw format image files with ProDiscover?

7. How can you hide data by marking bad clusters?

8. Briefly describe how to use steganography for creating digital watermarks.

9. What are the basic guidelines to identify steganography files?

10. Briefly describe the differences between brute-force attacks and dictionary attacks to crack passwords.

Chapter 10: Recovering Graphics Files

TRUE/FALSE

1. Bitmap images are collections of dots, or pixels, that form an image.

PTS: 1 REF: 398

2. Operating systems do not have tools for recovering image files.

PTS: 1 REF: 405

3. If a graphics file is fragmented across areas on a disk, first you must recover all the fragments to re-create the file.

PTS: 1 REF: 405

4. With many computer forensics tools, you can open files with external viewers.

PTS: 1 REF: 425

5. Steganography cannot be used with file formats other than image files.

PTS: 1 REF: 428

MULTIPLE CHOICE

1. ____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
a. Bitmap images c. Vector graphics
b. Metafile graphics d. Line-art images

PTS: 1 REF: 398

2. You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
a. graphics viewers c. image viewers
b. image readers d. graphics editors

PTS: 1 REF: 398

3. ____ images store graphics information as grids of individual pixels.
a. Bitmap c. Vector
b. Raster d. Metafiles

PTS: 1 REF: 398

4. The process of converting raw picture data to another format is referred to as ____.
a. JEIDA c. demosaicing
b. rastering d. rendering

PTS: 1 REF: 401

5. The majority of digital cameras use the ____ format to store digital pictures.
a. EXIF c. PNG
b. TIFF d. GIF

PTS: 1 REF: 401

6. ____ compression compresses data by permanently discarding bits of information in the file.
a. Redundant c. Huffman
b. Lossy d. Lossless

PTS: 1 REF: 404

7. Recovering pieces of a file is called ____.
a. carving c. saving
b. slacking d. rebuilding

PTS: 1 REF: 405

8. A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10.
a. EPS c. GIF
b. BMP d. JPEG

PTS: 1 REF: 408

9. If you can’t open an image file in an image viewer, the next step is to examine the file’s ____.
a. extension c. header data
b. name d. size

PTS: 1 REF: 414

10. The uppercase letter ____ has a hexadecimal value of 41.
a. “A” c. “G”
b. “C” d. “Z”

PTS: 1 REF: 417

11. The image format XIF is derived from the more common ____ file format.
a. GIF c. BMP
b. JPEG d. TIFF

PTS: 1 REF: 423

12. The simplest way to access a file header is to use a(n) ____ editor
a. hexadecimal c. disk
b. image d. text

PTS: 1 REF: 423

13. The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03.
a. TIFF c. JPEG
b. XIF d. GIF

PTS: 1 REF: 425

14. ____ is the art of hiding information inside image files.
a. Steganography c. Graphie
b. Steganalysis d. Steganos

PTS: 1 REF: 425

15. ____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
a. Replacement c. Substitution
b. Append d. Insertion

PTS: 1 REF: 426

16. ____ steganography replaces bits of the host file with other bits of data.
a. Insertion c. Substitution
b. Replacement d. Append

PTS: 1 REF: 426

17. In the following list, ____ is the only steg tool.
a. EnCase c. DriveSpy
b. iLook d. Outguess

PTS: 1 REF: 429

18. ____ has also been used to protect copyrighted material by inserting digital watermarks into a file.
a. Encryption c. Compression
b. Steganography d. Archiving

PTS: 1 REF: 430

19. When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations.
a. international c. copyright
b. forensics d. civil

PTS: 1 REF: 430

20. Under copyright laws, computer programs may be registered as ____.
a. literary works c. architectural works
b. motion pictures d. audiovisual works

PTS: 1 REF: 430

21. Under copyright laws, maps and architectural plans may be registered as ____.
a. pantomimes and choreographic works c. literary works
b. artistic works d. pictorial, graphic, and sculptural works

PTS: 1 REF: 430

COMPLETION

1. A graphics program creates and saves one of three types of image files: bitmap, vector, or ____________________.

2. ____________________ is the process of coding of data from a larger form to a smaller form.

3. The ____________________ is the best source for learning more about file formats and their associated extensions.

4. All ____________________ files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 2A.

5. The two major forms of steganography are ____________________ and substitution.

MATCHING

Match each item with a statement below
a. Pixels f. Steganalysis tools
b. Hex Workshop g. GIMP
c. Adobe Illustrator h. XIF
d. Microsoft Office Picture Manager i. Metafile graphics
e. JPEG

1. drawing program that creates vector files

2. Gnome graphics editor

3. image format derived from the TIFF file format

4. combinations of bitmap and vector images

5. short for “picture elements”

6. are also called steg tools

7. graphics file format that uses lossy compression

8. tool used to rebuild image file headers

9. Microsoft image viewer

SHORT ANSWER

1. Briefly describe the Exchangeable Image File (EXIF) format.

2. Explain how lossless compression relates to image file formats.

3. How does vector quantization (VQ) compress data?

4. Explain how someone can use a disk editor tool to mark clusters as “bad” clusters.

5. Identify and describe some image viewers.

6. Write a brief history of steganography.

7. Describe how to hide information on an 8-bit bitmap image file using substitution steganography.

8. Explain how steganalysis tools work.

9. Give a brief overview of copyright laws pertaining to graphics within and outside the U.S.

10. Present a list of categories covered under copyright laws in the U.S.

Chapter 11: Virtual Machines, Network Forensics, and Live Acquisitions

TRUE/FALSE

1. When intruders break into a network, they rarely leave a trail behind.

PTS: 1 REF: 442

2. Network forensics is a fast, easy process.

PTS: 1 REF: 447

3. PsList from PsTools allows you to list detailed information about processes.

PTS: 1 REF: 450

4. With the Knoppix STD tools on a portable CD, you can examine almost any network system.

PTS: 1 REF: 451

5. Ngrep cannot be used to examine e-mail headers or IRC chats.

PTS: 1 REF: 455

MULTIPLE CHOICE

1. ____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.
a. Broadcast forensics c. Computer forensics
b. Network forensics d. Traffic forensics

PTS: 1 REF: 442

2. ____ hide the most valuable data at the innermost part of the network.
a. Layered network defense strategies c. Protocols
b. Firewalls d. NAT

PTS: 1 REF: 442

3. ____ forensics is the systematic tracking of incoming and outgoing traffic on your network.
a. Network c. Criminal
b. Computer d. Server

PTS: 1 REF: 442

4. ____ can be used to create a bootable forensic CD and perform a live acquisition.
a. Helix c. Inquisitor
b. DTDD d. Neon

PTS: 1 REF: 445

5. Helix operates in two modes:Windows Live (GUI or command line) and ____.
a. command Windows c. command Linux
b. remote GUI d. bootable Linux

PTS: 1 REF: 445

6. A common way of examining network traffic is by running the ____ program.
a. Netdump c. Coredump
b. Slackdump d. Tcpdump

PTS: 1 REF: 448

7. ____ is a suite of tools created by Sysinternals.
a. EnCase c. R-Tools
b. PsTools d. Knoppix

PTS: 1 REF: 450

8. ____ is a Sysinternals command that shows all Registry data in real time on a Windows computer.
a. PsReg c. RegMon
b. RegExplorer d. RegHandle

PTS: 1 REF: 450

9. The PSTools ____ kills processes by name or process ID.
a. PsExec c. PsKill
b. PsList d. PsShutdown

PTS: 1 REF: 450

10. ____ is a popular network intrusion detection system that performs packet capture and analysis in real time.
a. Ethereal c. Tcpdump
b. Snort d. john

PTS: 1 REF: 451

11. ____ is the U.S. DoD computer forensics lab’s version of the dd command that comes with Knoppix-STD.
a. chntpw c. memfetch
b. john d. dcfldd

PTS: 1 REF: 451

12. The Knoppix STD tool ____ enables you to reset passwords on a Windows computer, including the administrator password
a. chntpw c. oinkmaster
b. john d. memfetch

PTS: 1 REF: 451

13. ____ are devices and/or software placed on a network to monitor traffic.
a. Packet sniffers c. Hubs
b. Bridges d. Honeypots

PTS: 1 REF: 454

14. Most packet sniffers operate on layer 2 or ____ of the OSI model.
a. 1 c. 5
b. 3 d. 7

PTS: 1 REF: 454

15. Most packet sniffer tools can read anything captured in ____ format.
a. SYN c. PCAP
b. DOPI d. AIATP

PTS: 1 REF: 455

16. In a(n) ____ attack, the attacker keeps asking your server to establish a connection.
a. SYN flood c. brute-force attack
b. ACK flood d. PCAP attack

PTS: 1 REF: 455

17. ____ is the text version of Ethereal, a packet sniffer tool.
a. Tcpdump c. Etherape
b. Ethertext d. Tethereal

PTS: 1 REF: 455

18. ____ is a good tool for extracting information from large Libpcap files.
a. Nmap c. Pcap
b. Tcpslice d. TCPcap

PTS: 1 REF: 455

19. The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.
a. Honeynet c. Honeywall
b. Honeypot d. Honeyweb

PTS: 1 REF: 458

20. Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack.
a. ISPs c. zombies
b. soldiers d. pawns

PTS: 1 REF: 458

21. A ____ is a computer set up to look like any other machine on your network, but it lures the attacker to it.
a. honeywall c. honeynet
b. honeypot d. honeyhost

PTS: 1 REF: 459

COMPLETION

1. ____________________ is a layered network defense strategy developed by the National Security Agency (NSA).

2. The term ____________________ means how long a piece of information lasts on a system.

3. ____________________ logs record traffic in and out of a network.

4. The PSTools ____________________ tool allows you to suspend processes.

ANS: PsSuspend

5. The U.K. Honeynet Project has created the ____________________. It contains the honeywall and honeypot on a bootable memory stick.

MATCHING

Match each item with a statement below
a. Cyberforensics f. Trojan horse
b. Ethereal g. Knoppix
c. Tripwire h. PsShutdown
d. PsGetSid i. oinkmaster
e. PsLoggedOn

1. displays who’s logged on locally

2. displays the security identifier (SID) of a computer or user

3. an audit control program that detects anomalies in traffic and sends an alert automatically

4. usually refers to network forensics

5. a bootable Linux CD intended for computer and network forensics

6. shuts down and optionally restarts a computer

7. helps manage snort rules so that you can specify what items to ignore as regular traffic and what items should raise alarms

8. a network analysis tool

9. type of malware

SHORT ANSWER

1. Why is testing networks as important as testing servers?

2. When are live acquisitions useful?

3. What is the general procedure for a live acquisition?

4. Detail a standard procedure for network forensics investigations.

5. How should you proceed if your network forensic investigation involves other companies?

6. Describe some of the Windows tools available at Sysinternals.

7. What are some of the tools included with the PSTools suite?

8. What is Knoppix-STD?

9. What are some of the tools included with Knoppix STD?

10. Explain The Auditor tool.

Chapter 12: E-mail Investigations

TRUE/FALSE

1. For computer investigators, tracking intranet e-mail is relatively easy because the accounts use standard names established by the network or e-mail administrator.

PTS: 1 REF: 470

2. You can always rely on the return path in an e-mail header to show the source account of an e-mail message.

PTS: 1 REF: 482

3. E-mail programs either save e-mail messages on the client computer or leave them on the server.

PTS: 1 REF: 483

4. All e-mail servers are databases that store multiple users’ e-mails.

PTS: 1 REF: 485

5. Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.

PTS: 1 REF: 489

MULTIPLE CHOICE

1. E-mail messages are distributed from one central server to many connected client computers, a configuration called ____.
a. client/server architecture c. client architecture
b. central distribution architecture d. peer-to-peer architecture

PTS: 1 REF: 469

2. In an e-mail address, everything after the ____ symbol represents the domain name.
a.  c. @
b. . d. –

PTS: 1 REF: 470

3. With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
a. command-line c. prompt-based
b. shell-based d. GUI

PTS: 1 REF: 472

4. When working on a Windows environment you can press ____ to copy the selected text to the clipboard.
a. Ctrl+A c. Ctrl+V
b. Ctrl+C d. Ctrl+Z

PTS: 1 REF: 473

5. To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click ____ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header.
a. Options c. Properties
b. Details d. Message Source

PTS: 1 REF: 473

6. To retrieve an Outlook Express e-mail header right-click the message, and then click ____ to open a dialog box showing general information about the message.
a. Properties c. Details
b. Options d. Message Source

PTS: 1 REF: 473

7. For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command.
a. prn c. prnt
b. print d. prt

PTS: 1 REF: 477

8. To view AOL e-mail headers click Action, ____ from the menu.
a. More options c. Options
b. Message properties d. View Message Source

PTS: 1 REF: 478

9. To view e-mail headers on Yahoo! click the ____ link in the Mail Options window, and then click Show all headers on incoming messages.
a. Advanced c. Message Properties
b. General Preferences d. More information

PTS: 1 REF: 480

10. In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.
a. .ost c. .msg
b. .eml d. .pst

PTS: 1 REF: 483

11. ____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names.
a. www.freeality.com c. www.whatis.com
b. www.google.com d. www.juno.com

PTS: 1 REF: 484

12. ____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.
a. Continuous logging c. Circular logging
b. Automatic logging d. Server logging

PTS: 1 REF: 485

13. The files that provide helpful information to an e-mail investigation are log files and ____ files.
a. batch c. scripts
b. configuration d. .rts

PTS: 1 REF: 487

14. ____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside.
a. /etc/sendmail.cf c. /etc/var/log/maillog
b. /etc/syslog.conf d. /var/log/maillog

PTS: 1 REF: 487

15. Typically, UNIX installations are set to store logs such as maillog in the ____ directory.
a. /etc/Log c. /etc/var/log
b. /log d. /var/log

PTS: 1 REF: 488

16. Exchange logs information about changes to its data in a(n) ____ log.
a. checkpoint c. transaction
b. communication d. tracking

PTS: 1 REF: 489

17. In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.
a. tracking c. temporary
b. checkpoint d. milestone

PTS: 1 REF: 489

18. The Novell e-mail server software is called ____.
a. Sendmail c. Sawmill
b. GroupWise d. Guardian

PTS: 1 REF: 491

19. GroupWise has ____ ways of organizing the mailboxes on the server.
a. 2 c. 4
b. 3 d. 5

PTS: 1 REF: 491

20. The GroupWise logs are maintained in a standard log format in the ____ folders.
a. MIME c. QuickFinder
b. mbox d. GroupWise

PTS: 1 REF: 491

21. Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format.
a. POP3 c. MIME
b. mbox d. SMTP

PTS: 1 REF: 500

COMPLETION

1. You can send and receive e-mail in two environments:via the ____________________ or an intranet (an internal network).

2. An e-mail address in the Return-Path line of an e-mail header is usually indicated as the ____________________ field in an e-mail message.

3. Administrators usually set e-mail servers to ____________________ logging mode.

4. In UNIX e-mail servers, the ____________________ file simply specifies where to save different types of e-mail log files.

5. Vendor-unique e-mail file systems, such as Microsoft .pst or .ost, typically use ____________________ formatting, which can be difficult to read with a text or hexadecimal editor.

MATCHING

Match each item with a statement below:
a. Contacts f. Notepad
b. Pico g. CISCO Pix
c. syslogd file h. www.whatis.com
d. www.arin.net i. Pine
e. PU020101.db

1. Web site to check file extensions and match the file to a program

2. command line e-mail program used with UNIX

3. text editor used with Windows

4. the first folder the GroupWise server shares

5. text editor used with UNIX

6. the electronic address book in Outlook

7. a network firewall device

8. a registry Web site

9. includes e-mail logging instructions

SHORT ANSWER

1. Describe how e-mail account names are created on an intranet environment.

2. Describe the process of examining e-mail messages when you have access to the victim’s computer and when this access is not possible.

3. What are the steps for retrieving e-mail headers on Pine?

4. What are the steps for viewing e-mail headers in Hotmail?

5. What kind of information can you find in an e-mail header?

6. Explain how to handle attachments during an e-mail investigation.

7. Why are network router logs important during an e-mail investigation?

8. What kind of information is normally included in e-mail logs?

9. Provide a brief description of Microsoft Exchange Server. Additionally, explain the differences between .edb and .stm files.

10. Briefly explain how to use AccessData FTK to recover e-mails.

Chapter 13: Cell Phone and Mobile Device Forensics

TRUE/FALSE

1. Many people store more information on their cell phones than they do on their computers.

PTS: 1 REF: 514

2. Investigating cell phones and mobile devices is a relatively easy task in digital forensics.

PTS: 1 REF: 514

3. TDMA can operate in the cell phone (800 to 1000 MHz) or PCS (1900 MHz) frequency.

PTS: 1 REF: 516

4. Typically, phones developed for use on a GSM network are compatible with phones designed for a CDMA network.

PTS: 1 REF: 516

5. Portability of information is what makes SIM cards so versatile.

PTS: 1 REF: 517

MULTIPLE CHOICE

1. Developed during WWII, this technology,____, was patented by Qualcomm after the war.
a. iDEN c. GSM
b. CDMA d. EDGE

PTS: 1 REF: 515

2. The ____ digital network divides a radio frequency into time slots.
a. TDMA c. FDMA
b. CDMA d. EDGE

PTS: 1 REF: 515

3. The ____ network is a digital version of the original analog standard for cell phones.
a. TDMA c. CDMA
b. EDGE d. D-AMPS

PTS: 1 REF: 515

4. The ____ digital network, a faster version of GSM, is designed to deliver data.
a. TDMA c. EDGE
b. iDEN d. D-AMPS

PTS: 1 REF: 515

5. TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life.
a. IS-136 c. IS-236
b. IS-195 d. IS-361

PTS: 1 REF: 516

6. Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips.
a. EROM c. EEPROM
b. PROM d. ROM

PTS: 1 REF: 517

7. ____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM.
a. SD c. SDD
b. MMC d. SIM

PTS: 1 REF: 517

8. ____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth.
a. SDHCs c. CFs
b. PDAs d. MMCs

PTS: 1 REF: 518

9. The file system for a SIM card is a ____ structure.
a. volatile c. hierarchical
b. circular d. linear

PTS: 1 REF: 520

10. The SIM file structure begins with the root of the system (____).
a. EF c. DF
b. MF d. DCS

PTS: 1 REF: 520

11. Paraben Software is a leader in mobile forensics software and offers several tools, including ____, which can be used to acquire data from a variety of phone models.
a. BitPim c. MOBILedit!
b. DataPilot d. Device Seizure

PTS: 1 REF: 522

12. In a Windows environment, BitPim stores files in ____ by default.
a. My Documents\BitPim c. My Documents\BitPim\Forensics Files
b. My Documents\Forensics Files\BitPim d. My Documents\BitPim\Files

PTS: 1 REF: 522

13. ____ is a forensics software tool containing a built-in write blocker.
a. GSMCon c. SIMedit
b. MOBILedit! d. 3GPim

PTS: 1 REF: 522

COMPLETION

1. So far, there have been three generations of mobile phones: analog, digital personal communications service (PCS), and ____________________.

2. Most Code Division Multiple Access (CDMA) networks conform to IS-95, created by the ______________________.

3. Global System for Mobile Communications (GSM) uses the ______________________ technique, so multiple phones take turns sharing a channel.

4. The 3G standard was developed by the ______________________ under the United Nations.

5. Mobile devices can range from simple phones to small computers, also called ______________________.

MATCHING

Match each item with a statement below:
a. CDMA c. EDGE
b. iDEN d. ROM

1. proprietary protocol developed by Motorola

2. nonvolatile memory

3. standard developed specifically for 3G

4. one of the most common digital networks, it uses the full radio frequency spectrum to define channels

SHORT ANSWER

1. What is some of the information that can be stored in a cell phone?

2. What is the bandwidth offered by 3G mobile phones?

3. What are the three main components used for cell phone communications?

4. Briefly describe cell phone hardware.

5. Identify several uses of SIM cards.

6. Identify and define three kinds of peripheral memory cards used with PDAs.

7. How can you isolate a mobile device from incoming signals?

8. What are the four categories of information that can be retrieved from a SIM card?

9. What is the general procedure to access the content on a mobile phone SIM card?

10. What are some of the features offered by SIMCon?

Chapter 14: Report Writing for High-Tech Investigations

TRUE/FALSE

1. Besides presenting facts, reports can communicate expert opinion.

PTS: 1 REF: 530

2. A verbal report is more structured than a written report.

PTS: 1 REF: 532

3. If you must write a preliminary report, use words such as “preliminary copy,”“draft copy,” or “working draft.”

PTS: 1 REF: 535

4. As with any research paper, write the report abstract last.

PTS: 1 REF: 536

5. When writing a report, use a formal, technical style.

PTS: 1 REF: 537

MULTIPLE CHOICE

1. Attorneys can now submit documents electronically in many courts; the standard format in federal courts is ____.
a. Microsoft Word (DOC) c. Encapsulated Postscript (EPS)
b. Portable Document Format (PDF) d. Postscript (PS)

PTS: 1 REF: 531

2. A(n) ____ is a document that lets you know what questions to expect when you are testifying.
a. written report c. examination plan
b. affidavit d. subpoena

PTS: 1 REF: 532

3. You can use the ____ to help your attorney learn the terms and functions used in computer forensics.
a. verbal report c. final report
b. preliminary report d. examination plan

PTS: 1 REF: 532

4. A written report is frequently a(n) ____ or a declaration.
a. subpoena c. deposition
b. affidavit d. perjury

PTS: 1 REF: 532

5. If a report is long and complex, you should provide a(n) ____.
a. appendix c. table of contents
b. glossary d. abstract

PTS: 1 REF: 536

6. A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute).
a. written report c. examination plan
b. verbal report d. cross-examination report

PTS: 1 REF: 532

7. In the past, the method for expressing an opinion has been to frame a ____ question based on available factual evidence.
a. hypothetical c. challenging
b. nested d. contradictory

PTS: 1 REF: 533

8. An expert’s opinion is governed by FRE, Rule ____, and the corresponding rule in many states.
a. 705 c. 805
b. 755 d. 855

PTS: 1 REF: 534

9. Remember that anything you write down as part of your examination for a report is subject to ____ from the opposing attorney.
a. subpoena c. publishing
b. discovery d. deposition

PTS: 1 REF: 535

10. A written preliminary report is considered a ____ document because opposing counsel can demand discovery on it.
a. low-risk c. high-risk
b. middle-risk d. no-risk

PTS: 1 REF: 535

11. The abstract should be one or two paragraphs totaling about 150 to ____ words.
a. 200 c. 300
b. 250 d. 350

PTS: 1 REF: 536

12. ____ provide additional resource material not included in the body of the report.
a. Conclusion c. Discussion
b. References d. Appendixes

PTS: 1 REF: 536

13. Typically, report writers use one of two numbering systems: decimal numbering or ____ numbering.
a. legal-sequential c. arabic-sequential
b. roman-sequential d. letter-sequential

PTS: 1 REF: 538

14. A report using the ____ numbering system divides material into sections and restarts numbering with each main section.
a. roman-sequential c. legal-sequential
b. decimal d. indent

PTS: 1 REF: 538

15. In the main section of your report, you typically cite references with the ____ enclosed in parentheses.
a. year of publication and author’s last name
b. author’s last name
c. author’s last name and year of publication
d. year of publication

PTS: 1 REF: 541

16. Save broader generalizations and summaries for the report’s ____.
a. appendixes c. conclusion
b. introduction d. discussion

PTS: 1 REF: 541

17. The report’s ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements.
a. abstract c. introduction
b. conclusion d. reference

PTS: 1 REF: 541

18. If necessary, you can include ____ containing material such as raw data, figures not used in the body of the report, and anticipated exhibits.
a. conclusions c. references
b. discussions d. appendixes

PTS: 1 REF: 542

19. Reports and logs generated by forensic tools are typically in plaintext format, a word processor format, or ____ format.
a. PDF c. PS
b. HTML d. TXT

PTS: 1 REF: 543

20. Files with extensions .ods and ____ are created using OpenOffice Calc.
a. .sxc c. .dcx
b. .xls d. .qpr

PTS: 1 REF: 543

21. Files with extension ____ are created using Microsoft Outlook Express.
a. .sxc c. .dbx
b. .doc d. .ods

PTS: 1 REF: 543

COMPLETION

1. Lawyers use services called _________________________ (libraries), which store examples of expert witnesses’ previous testimony.

2. The report body consists of the introduction and _________________________ sections.

3. When writing a report, _________________________ means the tone of language you use to address the reader.

4. _________________________ assist readers in scanning the text quickly by highlighting the main points and logical development of information.

5. The ______________________________ system is frequently used when writing pleadings.

MATCHING

Match each item with a statement below
a. Decimal numbering f. Verbal report
b. Lay witness g. Spoliation
c. FTK h. Conclusion section
d. Examination plan i. MD5
e. Signposts

1. draw reader’s attention to a point in your report.

2. a report layout system

3. used by an attorney to guide an expert witness in his or her testimony

4. computer forensics software tool

5. lawyers jargon for destroying or concealing evidence

6. stands for Message Digest 5

7. typically takes place in an attorney’s office where the attorney requests your consultant’s report

8. starts by referring to the report’s purpose, states the main points, draws conclusions, and possibly renders an opinion

9. a witness testifying to personally observed facts

SHORT ANSWER

1. What are the report requirements for civil cases as specified on Rule 26, FRCP?

2. Briefly explain how to limit your report to specifics.

3. What are the areas of investigation usually addressed by a verbal report?

4. Explain how hypothetical questions can be used to ensure that you as a witness are basing your opinion on facts expected to be supported by evidence.

5. What are the four conditions required for an expert witness to testify to an opinion or conclusion?

6. What is the basic structure of a report?

7. Provide some guidelines for writing an introduction section for a report.

8. What do you need to consider to produce clear, concise reports?

9. Explain how to use supportive material on a report.

10. How should you explain examination and data collection methods?

Chapter 15: Expert Testimony in High-Tech Investigations

TRUE/FALSE

1. As an expert witness, you have opinions about what you have found or observed.

PTS: 1 REF: 558

2. Create a formal checklist of your procedures that’s applied to all your cases or include such a checklist in your report.

PTS: 1 REF: 559

3. As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.

PTS: 1 REF: 559

4. Like a job resume, your CV should be geared for a specific trial.

PTS: 1 REF: 561

5. Part of what you have to deliver to the jury is a person they can trust to help them figure out something that’s beyond their expertise.

PTS: 1 REF: 565

MULTIPLE CHOICE

1. When cases go to trial, you as a forensics examiner can play one of ____ roles.
a. 2 c. 4
b. 3 d. 5

PTS: 1 REF: 558

2. When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
a. technical/scientific c. lay witness
b. expert d. deposition

PTS: 1 REF: 558

3. Validate your tools and verify your evidence with ____ to ensure its integrity.
a. hashing algorithms c. steganography
b. watermarks d. digital certificates

PTS: 1 REF: 559

4. For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you’re constantly enhancing your skills through training, teaching, and experience.
a. testimony c. examination plan
b. CV d. deposition

PTS: 1 REF: 561

5. If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training.
a. 2 c. 4
b. 3 d. 5

PTS: 1 REF: 561

6. ____ is a written list of objections to certain testimony or exhibits.
a. Defendant c. Plaintiff
b. Empanelling the jury d. Motion in limine

PTS: 1 REF: 562

7. Regarding a trial, the term ____ means rejecting potential jurors.
a. voir dire c. strikes
b. rebuttal d. venireman

PTS: 1 REF: 563

8. ____ from both plaintiff and defense is an optional phase of the trial. Generally, it’s allowed to cover an issue raised during cross-examination.
a. Rebuttal c. Closing arguments
b. Plaintiff d. Opening statements

PTS: 1 REF: 563

9. If a microphone is present during your testimony, place it ____ to eight inches from you.
a. 3 c. 5
b. 4 d. 6

PTS: 1 REF: 565

10. Jurors typically average just over ____ years of education and an eighth-grade reading level.
a. 9 c. 11
b. 10 d. 12

PTS: 1 REF: 565

11. ____ is an attempt by opposing attorneys to prevent you from serving on an important case.
a. Conflict of interest c. Deposition
b. Warrant d. Conflicting out

PTS: 1 REF: 568

12. ____ evidence is evidence that exonerates or diminishes the defendant’s liability.
a. Rebuttal c. Inculpatory
b. Plaintiff d. Exculpatory

PTS: 1 REF: 569

13. You provide ____ testimony when you answer questions from the attorney who hired you.
a. direct c. examination
b. cross d. rebuttal

PTS: 1 REF: 569

14. The ____ is the most important part of testimony at a trial.
a. cross-examination c. rebuttal
b. direct examination d. motions in limine

PTS: 1 REF: 569

15. Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony.
a. setup c. compound
b. open-ended d. rapid-fire

PTS: 1 REF: 569

16. Leading questions such as “Isn’t it true that forensics experts always destroy their handwritten notes?” are referred to as ____ questions.
a. hypothetical c. setup
b. attorney d. nested

PTS: 1 REF: 570

17. Sometimes opposing attorneys ask several questions inside one question; this practice is called ____ questions.
a. leading c. compound
b. hypothetical d. rapid-fire

PTS: 1 REF: 571

18. A ____ differs from a trial testimony because there is no jury or judge.
a. rebuttal c. civil case
b. plaintiff d. deposition

PTS: 1 REF: 573

19. There are two types of depositions: ____ and testimony preservation.
a. examination c. direct
b. discovery d. rebuttal

PTS: 1 REF: 573

20. Discuss any potential problems with your attorney ____ a deposition.
a. before c. during
b. after d. during direct examination at

PTS: 1 REF: 574

21. A(n) ____ hearing generally addresses the administrative agency’s subject matter and seeks evidence in your testimony on a subject for which it’s contemplating making a rule.
a. administrative c. legislative
b. judicial d. direct

PTS: 1 REF: 575

COMPLETION

1. The ______________________ of evidence supports the integrity of your evidence.

2. Depending on your attorney’s needs, you might provide only your opinion and technical expertise to him or her instead of testifying in court; this role is called a(n) _______________________.

3. _____________________ is a pretrial motion to exclude certain evidence because it would prejudice the jury.

4. At a trial, _____________________ are statements that organize the evidence and state the applicable law.

5. The purpose of the _____________________ is for the opposing attorney to preview your testimony before trial.

MATCHING

Match each item with a statement below
a. Plaintiff f. CV
b. Motion in limine g. Testimony preservation deposition
c. Voir dire of venireman h. Voir dire
d. Opening statements i. MD5
e. Discovery deposition

1. part of the discovery process for trial

2. presents the case during a trial

3. provide an overview of the case during a trial

4. questioning potential jurors to see whether they’re qualified

5. usually requested by your client to preserve your testimony in case of schedule conflicts or health problems

6. a hashing algorithm

7. lists your professional experience

8. an expert witness qualification phase

9. allows the judge to decide whether certain evidence should be admitted when the jury isn’t present

SHORT ANSWER

1. What are the differences between a technical or scientific witness and an expert witness?

2. What should you do when preparing for testimony?

3. What are some of the questions you should consider when preparing your testimony?

4. What are some of the technical definitions that you should prepare before your testimony?

5. What are some of the reasons to avoid contact with news media during a case?

6. What are the procedures followed during a trial?

7. What should you do when you find exculpatory evidence?

8. How can you deal with rapid-fire questions during a cross-examination?

9. Explain the differences between discovery deposition and testimony preservation deposition.

10. Briefly describe judicial hearings.

Chapter 16: Ethics for the Expert Witness

TRUE/FALSE

1. People need ethics to help maintain their balance, especially in difficult and contentious situations.

PTS: 1 REF: 596

2. In the United States, there’s no state or national licensing body for computer forensics examiners.

PTS: 1 REF: 597

3. Experts should be paid in full for all previous work and for the anticipated time required for testimony.

PTS: 1 REF: 600

4. Expert opinions cannot be presented without stating the underlying factual basis.

PTS: 1 REF: 601

5. The American Bar Association (ABA) is a licensing body.

PTS: 1 REF: 603

MULTIPLE CHOICE

1. The most important laws applying to attorneys and witnesses are the ____.
a. professional codes of conduct c. rules of evidence
b. rules of ethics d. professional ethics

PTS: 1 REF: 597

2. Computer forensics examiners have two roles: scientific/technical witness and ____ witness.
a. expert c. discovery
b. direct d. professional

PTS: 1 REF: 597

3. Attorneys search ____ for information on expert witnesses.
a. disqualification banks c. examination banks
b. deposition banks d. cross-examination banks

PTS: 1 REF: 598

4. ____ questions can give you the factual structure to support and defend your opinion.
a. Setup c. Rapid-fire
b. Compound d. Hypothetical

PTS: 1 REF: 601

5. FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
a. 702 c. 704
b. 703 d. 705

PTS: 1 REF: 601

6. FRE ____ describes whether basis for the testimony is adequate.
a. 700 c. 702
b. 701 d. 703

PTS: 1 REF: 601

7. The ABA’s ____ contains provisions limiting the fees experts can receive for their services.
a. Code 703 c. Rule 26
b. Model Code d. Code 26-1.a

PTS: 1 REF: 603

8. The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients.
a. ISFCE c. ABA
b. IACIS d. HTCIA

PTS: 1 REF: 603

9. ____ are the experts who testify most often.
a. Civil engineers c. Chemical engineers
b. Computer forensics experts d. Medical professionals

PTS: 1 REF: 604

10. ____ offers the most comprehensive regulations of any professional organization and devote an entire section to forensics activities.
a. AMA’s law c. APA’s Ethics Code
b. ABA’s Model Rule d. ABA’s Model Codes

PTS: 1 REF: 605

11. The ____ Ethics Code cautions psychologists about the limitations of assessment tools.
a. ABA’s c. AMA’s
b. APA’s d. ADA’s

PTS: 1 REF: 605

COMPLETION

1. _____________________ are the rules you internalize and use to measure your performance.

2. _____________________ are standards that others apply to you or that you are compelled to adhere to by external forces, such as licensing bodies.

3. Some attorneys contact many experts as a ploy to disqualify them or prevent opposing counsel from hiring them; this practice is called “____________________.”

4. The ____________________ is the foundation of medical ethics.

5. For psychologists, the most broadly accepted set of guidelines governing their conduct as experts is the _____________________ (APA’s) Ethical Principles of Psychologists and Code of Conduct.

MATCHING

Match each item with a statement below:
a. Ethics c. Disqualification
b. Federal Rules of Evidence (FRE) d. IACIS

1. provides a well-defined, simple guide for expected behavior of computer forensics examiners

2. prescribe the methods by which experts appear at trial

3. one of the effects of violating court rules or laws

4. help you maintain your self-respect and the respect of your profession

SHORT ANSWER

1. Briefly describe the issues related to an attorney’s “opinion shopping.”

2. What are some of the factors courts have used in determining whether to disqualify an expert?

3. Describe some of the traps for unwary experts.

4. What are some of the most obvious ethical errors?

5. What are some of the guidelines included in the ISFCE code of ethics?

6. What are some of the requirements included in the HTCIA core values?

7. What are some of standards for IACIS members that apply to testifying?

8. What are the five recommendations set out by the AMA’s policy on expert witness testimony?

9. Why is it difficult to enforce any professional organization’s ethical guidelines?

10. What are the ethical responsibilities owed to you by your attorney?

CIS 562 Week 11 Final Exam – Strayer University New

CIS/562 Week 11 Final Exam – Strayer New

Click On The Link Below To Purchase A+ Graded Material
Instant Download

http://budapp.net/CIS-562-Final-Exam-Week-11-Strayer-NEW-CIS562W11E.htm

 

Chapters 7 Through 16

Chapter 7: Current Computer Forensics Tools

TRUE/FALSE

1. When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.

2. In software acquisition, there are three types of data-copying methods.

3. To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.

4. The Windows platforms have long been the primary command-line interface OSs.

5. After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.

MULTIPLE CHOICE

1. Computer forensics tools are divided into ____ major categories.
a. 2 c. 4
b. 3 d. 5

2. Software forensics tools are commonly used to copy data from a suspect’s disk drive to a(n) ____.
a. backup file c. image file
b. firmware d. recovery copy

3. To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable.
a. UNIX c. Linux
b. MAC OS X d. MS-DOS

4. Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command.
a. rawcp c. d2dump
b. dd d. dhex

5. ____ of data involves sorting and searching through all investigation data.
a. Validation c. Acquisition
b. Discrimination d. Reconstruction

6. Many password recovery tools have a feature that allows generating potential lists for a ____ attack.
a. brute-force c. birthday
b. password dictionary d. salting

7. The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk.
a. partition-to-partition c. disk-to-disk
b. image-to-partition d. image-to-disk

8. To complete a forensic disk analysis and examination, you need to create a ____.
a. forensic disk copy c. budget plan
b. risk assessment d. report

9. The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems.
a. Apple c. Commodore
b. Atari d. IBM

10. In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network.
a. Dir c. Copy
b. ls d. owner

11. In general, forensics workstations can be divided into ____ categories.
a. 2 c. 4
b. 3 d. 5

12. A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____.
a. stationary workstation c. lightweight workstation
b. field workstation d. portable workstation

13. ____ is a simple drive-imaging station.
a. F.R.E.D. c. FIRE IDE
b. SPARC d. DiskSpy

14. ____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.
a. Drive-imaging c. Workstations
b. Disk editors d. Write-blockers

15. Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0,and SCSI controllers.
a. USB c. LCD
b. IDE d. PCMCIA

16. The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
a. CFTT c. FS-TST
b. NIST d. NSRL

17. The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.
a. ISO 3657 c. ISO 5725
b. ISO 5321 d. ISO 17025

18. The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.
a. NSRL c. FS-TST
b. CFTT d. PARTAB

19. The primary hash algorithm used by the NSRL project is ____.
a. MD5 c. CRC-32
b. SHA-1 d. RC4

20. One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex.
a. disk imager c. bit-stream copier
b. write-blocker d. disk editor

21. Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file’s contents.
a. testing, compressed c. testing, pdf
b. scanning, text d. testing, doc

COMPLETION

1. Software forensic tools are grouped into command-line applications and ____________________ applications.

2. The Windows application of EnCase requires a(n) ____________________ device, such as FastBloc, to prevent Windows from accessing and corrupting a suspect disk drive.

3. The ____________________ function is the most demanding of all tasks for computer investigators to master.

4. Because there are a number of different versions of UNIX and Linux, these platforms are referred to as ____________________ platforms.

5. Hardware manufacturers have designed most computer components to last about ____________________ months between failures.

MATCHING

Match each item with a statement below
a. JFIF f. PDBlock
b. Lightweight workstation g. Norton DiskEdit
c. Pagefile.sys h. Stationary workstation
d. Salvaging i. SafeBack
e. Raw data

1. letters embedded near the beginning of all JPEG files

2. European term for carving

3. a direct copy of a disk drive

4. usually a laptop computer built into a carrying case with a small selection of peripheral options

5. one of the first MS-DOS tools used for a computer investigation

6. software-enabled write-blocker

7. system file where passwords may have been written temporarily

8. a tower with several bays and many peripheral devices

9. command-line disk acquisition tool from New Technologies, Inc.

SHORT ANSWER

1. What are the five major function categories of any computer forensics tool?

2. Explain the validation of evidence data process.

3. What are some of the advantages of using command-line forensics tools?

4. Explain the advantages and disadvantages of GUI forensics tools.

5. Illustrate how to consider hardware needs when planning your lab budget.

6. Describe some of the problems you may encounter if you decide to build your own forensics workstation.

7. Illustrate the use of a write-blocker on a Windows environment.

8. Briefly explain the NIST general approach for testing computer forensics tools.

9. Explain the difference between repeatable results and reproducible results.

10. Briefly explain the purpose of the NIST NSRL project.

Chapter 8: Macintosh and Linux Boot Processes and File Systems

TRUE/FALSE

1. If a file contains information, it always occupies at least one allocation block.

2. Older Macintosh computers use the same type of BIOS firmware commonly found in PC-based systems.

3. GPL and BSD variations are examples of open-source software.

4. A UNIX or Linux computer has two boot blocks, which are located on the main hard disk.

5. Under ISO 9660 for DVDs, the Micro-UDF (M-UDF) function has been added to allow for long filenames.

MULTIPLE CHOICE

1. Macintosh OS X is built on a core called ____.
a. Phantom c. Darwin
b. Panther d. Tiger

2. In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.
a. resource c. blocks
b. node d. inodes

3. The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is ____.
a. 32,768 c. 58,745
b. 45,353 d. 65,535

4. On older Macintosh OSs all information about the volume is stored in the ____.
a. Master Directory Block (MDB) c. Extents Overflow File (EOF)
b. Volume Control Block (VCB) d. Volume Bitmap (VB)

5. With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
a. Extents overflow file c. Master Directory Block
b. Volume Bitmap d. Volume Control Block

6. On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB).
a. volume information block c. catalog
b. extents overflow file d. master directory block

7. Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement.
a. AIX c. GPL
b. BSD d. GRUB

8. The standard Linux file system is ____.
a. NTFS c. HFS+
b. Ext3fs d. Ext2fs

9. Ext2fs can support disks as large as ____ TB and files as large as 2 GB.
a. 4 c. 10
b. 8 d. 12

10. Linux is unique in that it uses ____, or information nodes, that contain descriptive information about each file or directory.
a. xnodes c. infNodes
b. extnodes d. inodes

11. To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of ____.
a. -1 c. 1
b. 0 d. 2

12. ____ components define the file system on UNIX.
a. 2 c. 4
b. 3 d. 5

13. The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive.
a. superblock c. boot block
b. data block d. inode block

14. LILO uses a configuration file named ____ located in the /Etc directory.
a. Lilo.conf c. Lilo.config
b. Boot.conf d. Boot.config

15. Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of OSs.
a. 1989 c. 1994
b. 1991 d. 1995

16. On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive.
a. /dev/sda1 c. /dev/hda1
b. /dev/hdb1 d. /dev/ide1

17. There are ____ tracks available for the program area on a CD.
a. 45 c. 99
b. 50 d. 100

18. The ____ provides several software drivers that allow communication between the OS and the SCSI component.
a. International Organization of Standardization (ISO)
b. Advanced SCSI Programming Interface (ASPI)
c. CLV
d. EIDE

19. All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard ____ ribbon or shielded cable.
a. 40-pin c. 80-pin
b. 60-pin d. 120-pin

20. ATA-66,ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable.
a. 70 c. 96
b. 83 d. 100

21. IDE ATA controller on an old 486 PC doesn’t recognize disk drives larger than 8.4 ____.
a. KB c. GB
b. MB d. TB

COMPLETION

1. Before OS X, Macintosh uses the ____________________, in which files are stored in directories, or folders, that can be nested in other folders.

2. The Macintosh file system has ____________________ descriptors for the end of file (EOF).

3. ____________________ is a journaling version of Ext2fs that reduces file recovery time after a crash.

4. When you turn on the power to a UNIX workstation, instruction code located in firmware on the system’s CPU loads into RAM. This firmware is called ____________________ code because it’s located in ROM.

5. CD players that are 12X or faster read discs by using a(n) _____________________ system.

MATCHING

Match each item with a statement below
a. File Manager f. Volume
b. Inode blocks g. ls
c. ISO 9660 h. Catalog
d. LILO i. Finder
e. Clumps

1. older Linux boot manager utility

2. Macintosh tool that works with the OS to keep track of files and maintain users’ desktops

3. any storage medium used to store files

4. the list command on Linux

5. maintains relationships between files and directories on a volume on a Mac OS

6. the first data after the superblock on a UNIX or Linux file system

7. ISO standard for CDs

8. Mac OS utility that handles reading, writing, and storing data to physical media

9. groups of contiguous allocation blocks

SHORT ANSWER

1. Explain the relation between allocation blocks and logical block on a Mac OS file system.

2. Explain the use of B*-trees on Mac OS 9 file system.

3. Explain the use of forensic tools for Macintosh systems.

4. What are the functions of the superblock on a UNIX or Linux file system?

5. What is a bad block inode on Linux?

6. What is a continuation inode?

7. Describe the CD creation process.

8. Write a brief history of SCSI.

9. Explain the problems you can encounter with pre-ATA-33 devices when connecting them to current PCs.

10. What problems can hidden partitions on IDE devices cause to forensic investigators?

Chapter 9: Computer Forensics Analysis and Validation

TRUE/FALSE

1. The defense request for full discovery of digital evidence applies only to criminal cases in the United States.

2. For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.

3. FTK cannot perform forensics analysis on FAT12 file systems.

4. FTK cannot analyze data from image files from other vendors.

5. A nonsteganographic graphics file has a different size than an identical steganographic graphics file.

MULTIPLE CHOICE

1. ____ increases the time and resources needed to extract,analyze,and present evidence.
a. Investigation plan c. Litigation path
b. Scope creep d. Court order for discovery

2. You begin any computer forensics case by creating a(n) ____.
a. investigation plan c. evidence custody form
b. risk assessment report d. investigation report

3. In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover.
a. risk assessment reports c. scope creeps
b. investigation plans d. subpoenas

4. There are ____ searching options for keywords which FTK offers.
a. 2 c. 4
b. 3 d. 5

5. ____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search.
a. Online c. Active
b. Inline d. Live

6. The ____ search feature allows you to look for words with extensions such as “ing,”“ed,” and so forth.
a. fuzzy c. permutation
b. stemming d. similar-sounding

7. In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period.
a. live c. active
b. indexed d. inline

8. FTK and other computer forensics programs use ____ to tag and document digital evidence.
a. tracers c. bookmarks
b. hyperlinks d. indents

9. Getting a hash value with a ____ is much faster and easier than with a(n) ____.
a. high-level language, assembler
b. HTML editor, hexadecimal editor
c. computer forensics tool, hexadecimal editor
d. hexadecimal editor, computer forensics tool

10. AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data.
a. KFF c. NTI
b. PKFT d. NSRL

11. Data ____ involves changing or manipulating a file to conceal information.
a. recovery c. integrity
b. creep d. hiding

12. One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it.
a. Norton DiskEdit c. System Commander
b. PartitionMagic d. LILO

13. Marking bad clusters data-hiding technique is more common with ____ file systems.
a. NTFS c. HFS
b. FAT d. Ext2fs

14. The term ____ comes from the Greek word for“hidden writing.”
a. creep c. escrow
b. steganography d. hashing

15. ____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there.
a. Bit shifting c. Marking bad clusters
b. Encryption d. Steganography

16. Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.
a. steganography c. password backup
b. key escrow d. key splitting

17. People who want to hide data can also use advanced encryption programs, such as PGP or ____.
a. NTI c. FTK
b. BestCrypt d. PRTK

18. ____ recovery is a fairly easy task in computer forensic analysis.
a. Data c. Password
b. Partition d. Image

19. ____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
a. Brute-force c. Profile
b. Dictionary d. Statistics

20. ____ are handy when you need to image the drive of a computer far away from your location or when you don’t want a suspect to be aware of an ongoing investigation.
a. Scope creeps c. Password recovery tools
b. Remote acquisitions d. Key escrow utilities

21. ____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer’s file system.
a. HDHOST c. DiskEdit
b. DiskHost d. HostEditor

COMPLETION

1. For most law-enforcement-related computing investigations, the investigator is limited to working with data defined in the search ____________________.

2. FTK provides two options for searching for keywords: indexed search and ____________________ search.

3. ____________________ search catalogs all words on the evidence disk so that FTK can find them quickly.

4. To generate reports with the FTK ReportWizard, first you need to ____________________ files during an examination.

5. The data-hiding technique ____________________ changes data from readable code to data that looks like binary executable code.

MATCHING

Match each item with a statement below
a. Court orders for discovery f. PRTK
b. Investigation plan g. Validating digital evidence
c. Digital Intelligence PDWipe h. MD5
d. Live search i. System Commander
e. Cabinet

1. defines the investigation’s goal and scope, the materials needed, and the tasks to perform

2. a hashing algorithm

3. one of the most critical aspects of computer forensics

4. a type of compressed file

5. an FTK searching option

6. a password recovery program available from AccessData

7. a disk-partitioning utility

8. program used to clean all data from the target drive you plan to use

9. limit a civil investigation

SHORT ANSWER

1. Describe the effects of scope creep on an investigation in the corporate environment.

2. Describe with examples why the approach you take for a forensics case depends largely on the specific type of case you’re investigating.

3. How should you approach a case in which an employee is suspected of industrial espionage?

4. What are the file systems supported by FTK for forensic analysis?

5. How does the Known File Filter program work?

6. How can you validate the integrity of raw format image files with ProDiscover?

7. How can you hide data by marking bad clusters?

8. Briefly describe how to use steganography for creating digital watermarks.

9. What are the basic guidelines to identify steganography files?

10. Briefly describe the differences between brute-force attacks and dictionary attacks to crack passwords.

Chapter 10: Recovering Graphics Files

TRUE/FALSE

1. Bitmap images are collections of dots, or pixels, that form an image.

PTS: 1 REF: 398

2. Operating systems do not have tools for recovering image files.

PTS: 1 REF: 405

3. If a graphics file is fragmented across areas on a disk, first you must recover all the fragments to re-create the file.

PTS: 1 REF: 405

4. With many computer forensics tools, you can open files with external viewers.

PTS: 1 REF: 425

5. Steganography cannot be used with file formats other than image files.

PTS: 1 REF: 428

MULTIPLE CHOICE

1. ____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
a. Bitmap images c. Vector graphics
b. Metafile graphics d. Line-art images

PTS: 1 REF: 398

2. You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
a. graphics viewers c. image viewers
b. image readers d. graphics editors

PTS: 1 REF: 398

3. ____ images store graphics information as grids of individual pixels.
a. Bitmap c. Vector
b. Raster d. Metafiles

PTS: 1 REF: 398

4. The process of converting raw picture data to another format is referred to as ____.
a. JEIDA c. demosaicing
b. rastering d. rendering

PTS: 1 REF: 401

5. The majority of digital cameras use the ____ format to store digital pictures.
a. EXIF c. PNG
b. TIFF d. GIF

PTS: 1 REF: 401

6. ____ compression compresses data by permanently discarding bits of information in the file.
a. Redundant c. Huffman
b. Lossy d. Lossless

PTS: 1 REF: 404

7. Recovering pieces of a file is called ____.
a. carving c. saving
b. slacking d. rebuilding

PTS: 1 REF: 405

8. A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10.
a. EPS c. GIF
b. BMP d. JPEG

PTS: 1 REF: 408

9. If you can’t open an image file in an image viewer, the next step is to examine the file’s ____.
a. extension c. header data
b. name d. size

PTS: 1 REF: 414

10. The uppercase letter ____ has a hexadecimal value of 41.
a. “A” c. “G”
b. “C” d. “Z”

PTS: 1 REF: 417

11. The image format XIF is derived from the more common ____ file format.
a. GIF c. BMP
b. JPEG d. TIFF

PTS: 1 REF: 423

12. The simplest way to access a file header is to use a(n) ____ editor
a. hexadecimal c. disk
b. image d. text

PTS: 1 REF: 423

13. The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03.
a. TIFF c. JPEG
b. XIF d. GIF

PTS: 1 REF: 425

14. ____ is the art of hiding information inside image files.
a. Steganography c. Graphie
b. Steganalysis d. Steganos

PTS: 1 REF: 425

15. ____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
a. Replacement c. Substitution
b. Append d. Insertion

PTS: 1 REF: 426

16. ____ steganography replaces bits of the host file with other bits of data.
a. Insertion c. Substitution
b. Replacement d. Append

PTS: 1 REF: 426

17. In the following list, ____ is the only steg tool.
a. EnCase c. DriveSpy
b. iLook d. Outguess

PTS: 1 REF: 429

18. ____ has also been used to protect copyrighted material by inserting digital watermarks into a file.
a. Encryption c. Compression
b. Steganography d. Archiving

PTS: 1 REF: 430

19. When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations.
a. international c. copyright
b. forensics d. civil

PTS: 1 REF: 430

20. Under copyright laws, computer programs may be registered as ____.
a. literary works c. architectural works
b. motion pictures d. audiovisual works

PTS: 1 REF: 430

21. Under copyright laws, maps and architectural plans may be registered as ____.
a. pantomimes and choreographic works c. literary works
b. artistic works d. pictorial, graphic, and sculptural works

PTS: 1 REF: 430

COMPLETION

1. A graphics program creates and saves one of three types of image files: bitmap, vector, or ____________________.

2. ____________________ is the process of coding of data from a larger form to a smaller form.

3. The ____________________ is the best source for learning more about file formats and their associated extensions.

4. All ____________________ files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 2A.

5. The two major forms of steganography are ____________________ and substitution.

MATCHING

Match each item with a statement below
a. Pixels f. Steganalysis tools
b. Hex Workshop g. GIMP
c. Adobe Illustrator h. XIF
d. Microsoft Office Picture Manager i. Metafile graphics
e. JPEG

1. drawing program that creates vector files

2. Gnome graphics editor

3. image format derived from the TIFF file format

4. combinations of bitmap and vector images

5. short for “picture elements”

6. are also called steg tools

7. graphics file format that uses lossy compression

8. tool used to rebuild image file headers

9. Microsoft image viewer

SHORT ANSWER

1. Briefly describe the Exchangeable Image File (EXIF) format.

2. Explain how lossless compression relates to image file formats.

3. How does vector quantization (VQ) compress data?

4. Explain how someone can use a disk editor tool to mark clusters as “bad” clusters.

5. Identify and describe some image viewers.

6. Write a brief history of steganography.

7. Describe how to hide information on an 8-bit bitmap image file using substitution steganography.

8. Explain how steganalysis tools work.

9. Give a brief overview of copyright laws pertaining to graphics within and outside the U.S.

10. Present a list of categories covered under copyright laws in the U.S.

Chapter 11: Virtual Machines, Network Forensics, and Live Acquisitions

TRUE/FALSE

1. When intruders break into a network, they rarely leave a trail behind.

PTS: 1 REF: 442

2. Network forensics is a fast, easy process.

PTS: 1 REF: 447

3. PsList from PsTools allows you to list detailed information about processes.

PTS: 1 REF: 450

4. With the Knoppix STD tools on a portable CD, you can examine almost any network system.

PTS: 1 REF: 451

5. Ngrep cannot be used to examine e-mail headers or IRC chats.

PTS: 1 REF: 455

MULTIPLE CHOICE

1. ____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.
a. Broadcast forensics c. Computer forensics
b. Network forensics d. Traffic forensics

PTS: 1 REF: 442

2. ____ hide the most valuable data at the innermost part of the network.
a. Layered network defense strategies c. Protocols
b. Firewalls d. NAT

PTS: 1 REF: 442

3. ____ forensics is the systematic tracking of incoming and outgoing traffic on your network.
a. Network c. Criminal
b. Computer d. Server

PTS: 1 REF: 442

4. ____ can be used to create a bootable forensic CD and perform a live acquisition.
a. Helix c. Inquisitor
b. DTDD d. Neon

PTS: 1 REF: 445

5. Helix operates in two modes:Windows Live (GUI or command line) and ____.
a. command Windows c. command Linux
b. remote GUI d. bootable Linux

PTS: 1 REF: 445

6. A common way of examining network traffic is by running the ____ program.
a. Netdump c. Coredump
b. Slackdump d. Tcpdump

PTS: 1 REF: 448

7. ____ is a suite of tools created by Sysinternals.
a. EnCase c. R-Tools
b. PsTools d. Knoppix

PTS: 1 REF: 450

8. ____ is a Sysinternals command that shows all Registry data in real time on a Windows computer.
a. PsReg c. RegMon
b. RegExplorer d. RegHandle

PTS: 1 REF: 450

9. The PSTools ____ kills processes by name or process ID.
a. PsExec c. PsKill
b. PsList d. PsShutdown

PTS: 1 REF: 450

10. ____ is a popular network intrusion detection system that performs packet capture and analysis in real time.
a. Ethereal c. Tcpdump
b. Snort d. john

PTS: 1 REF: 451

11. ____ is the U.S. DoD computer forensics lab’s version of the dd command that comes with Knoppix-STD.
a. chntpw c. memfetch
b. john d. dcfldd

PTS: 1 REF: 451

12. The Knoppix STD tool ____ enables you to reset passwords on a Windows computer, including the administrator password
a. chntpw c. oinkmaster
b. john d. memfetch

PTS: 1 REF: 451

13. ____ are devices and/or software placed on a network to monitor traffic.
a. Packet sniffers c. Hubs
b. Bridges d. Honeypots

PTS: 1 REF: 454

14. Most packet sniffers operate on layer 2 or ____ of the OSI model.
a. 1 c. 5
b. 3 d. 7

PTS: 1 REF: 454

15. Most packet sniffer tools can read anything captured in ____ format.
a. SYN c. PCAP
b. DOPI d. AIATP

PTS: 1 REF: 455

16. In a(n) ____ attack, the attacker keeps asking your server to establish a connection.
a. SYN flood c. brute-force attack
b. ACK flood d. PCAP attack

PTS: 1 REF: 455

17. ____ is the text version of Ethereal, a packet sniffer tool.
a. Tcpdump c. Etherape
b. Ethertext d. Tethereal

PTS: 1 REF: 455

18. ____ is a good tool for extracting information from large Libpcap files.
a. Nmap c. Pcap
b. Tcpslice d. TCPcap

PTS: 1 REF: 455

19. The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.
a. Honeynet c. Honeywall
b. Honeypot d. Honeyweb

PTS: 1 REF: 458

20. Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack.
a. ISPs c. zombies
b. soldiers d. pawns

PTS: 1 REF: 458

21. A ____ is a computer set up to look like any other machine on your network, but it lures the attacker to it.
a. honeywall c. honeynet
b. honeypot d. honeyhost

PTS: 1 REF: 459

COMPLETION

1. ____________________ is a layered network defense strategy developed by the National Security Agency (NSA).

2. The term ____________________ means how long a piece of information lasts on a system.

3. ____________________ logs record traffic in and out of a network.

4. The PSTools ____________________ tool allows you to suspend processes.

ANS: PsSuspend

5. The U.K. Honeynet Project has created the ____________________. It contains the honeywall and honeypot on a bootable memory stick.

MATCHING

Match each item with a statement below
a. Cyberforensics f. Trojan horse
b. Ethereal g. Knoppix
c. Tripwire h. PsShutdown
d. PsGetSid i. oinkmaster
e. PsLoggedOn

1. displays who’s logged on locally

2. displays the security identifier (SID) of a computer or user

3. an audit control program that detects anomalies in traffic and sends an alert automatically

4. usually refers to network forensics

5. a bootable Linux CD intended for computer and network forensics

6. shuts down and optionally restarts a computer

7. helps manage snort rules so that you can specify what items to ignore as regular traffic and what items should raise alarms

8. a network analysis tool

9. type of malware

SHORT ANSWER

1. Why is testing networks as important as testing servers?

2. When are live acquisitions useful?

3. What is the general procedure for a live acquisition?

4. Detail a standard procedure for network forensics investigations.

5. How should you proceed if your network forensic investigation involves other companies?

6. Describe some of the Windows tools available at Sysinternals.

7. What are some of the tools included with the PSTools suite?

8. What is Knoppix-STD?

9. What are some of the tools included with Knoppix STD?

10. Explain The Auditor tool.

Chapter 12: E-mail Investigations

TRUE/FALSE

1. For computer investigators, tracking intranet e-mail is relatively easy because the accounts use standard names established by the network or e-mail administrator.

PTS: 1 REF: 470

2. You can always rely on the return path in an e-mail header to show the source account of an e-mail message.

PTS: 1 REF: 482

3. E-mail programs either save e-mail messages on the client computer or leave them on the server.

PTS: 1 REF: 483

4. All e-mail servers are databases that store multiple users’ e-mails.

PTS: 1 REF: 485

5. Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.

PTS: 1 REF: 489

MULTIPLE CHOICE

1. E-mail messages are distributed from one central server to many connected client computers, a configuration called ____.
a. client/server architecture c. client architecture
b. central distribution architecture d. peer-to-peer architecture

PTS: 1 REF: 469

2. In an e-mail address, everything after the ____ symbol represents the domain name.
a.  c. @
b. . d. –

PTS: 1 REF: 470

3. With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
a. command-line c. prompt-based
b. shell-based d. GUI

PTS: 1 REF: 472

4. When working on a Windows environment you can press ____ to copy the selected text to the clipboard.
a. Ctrl+A c. Ctrl+V
b. Ctrl+C d. Ctrl+Z

PTS: 1 REF: 473

5. To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click ____ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header.
a. Options c. Properties
b. Details d. Message Source

PTS: 1 REF: 473

6. To retrieve an Outlook Express e-mail header right-click the message, and then click ____ to open a dialog box showing general information about the message.
a. Properties c. Details
b. Options d. Message Source

PTS: 1 REF: 473

7. For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command.
a. prn c. prnt
b. print d. prt

PTS: 1 REF: 477

8. To view AOL e-mail headers click Action, ____ from the menu.
a. More options c. Options
b. Message properties d. View Message Source

PTS: 1 REF: 478

9. To view e-mail headers on Yahoo! click the ____ link in the Mail Options window, and then click Show all headers on incoming messages.
a. Advanced c. Message Properties
b. General Preferences d. More information

PTS: 1 REF: 480

10. In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.
a. .ost c. .msg
b. .eml d. .pst

PTS: 1 REF: 483

11. ____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names.
a. www.freeality.com c. www.whatis.com
b. www.google.com d. www.juno.com

PTS: 1 REF: 484

12. ____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.
a. Continuous logging c. Circular logging
b. Automatic logging d. Server logging

PTS: 1 REF: 485

13. The files that provide helpful information to an e-mail investigation are log files and ____ files.
a. batch c. scripts
b. configuration d. .rts

PTS: 1 REF: 487

14. ____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside.
a. /etc/sendmail.cf c. /etc/var/log/maillog
b. /etc/syslog.conf d. /var/log/maillog

PTS: 1 REF: 487

15. Typically, UNIX installations are set to store logs such as maillog in the ____ directory.
a. /etc/Log c. /etc/var/log
b. /log d. /var/log

PTS: 1 REF: 488

16. Exchange logs information about changes to its data in a(n) ____ log.
a. checkpoint c. transaction
b. communication d. tracking

PTS: 1 REF: 489

17. In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.
a. tracking c. temporary
b. checkpoint d. milestone

PTS: 1 REF: 489

18. The Novell e-mail server software is called ____.
a. Sendmail c. Sawmill
b. GroupWise d. Guardian

PTS: 1 REF: 491

19. GroupWise has ____ ways of organizing the mailboxes on the server.
a. 2 c. 4
b. 3 d. 5

PTS: 1 REF: 491

20. The GroupWise logs are maintained in a standard log format in the ____ folders.
a. MIME c. QuickFinder
b. mbox d. GroupWise

PTS: 1 REF: 491

21. Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format.
a. POP3 c. MIME
b. mbox d. SMTP

PTS: 1 REF: 500

COMPLETION

1. You can send and receive e-mail in two environments:via the ____________________ or an intranet (an internal network).

2. An e-mail address in the Return-Path line of an e-mail header is usually indicated as the ____________________ field in an e-mail message.

3. Administrators usually set e-mail servers to ____________________ logging mode.

4. In UNIX e-mail servers, the ____________________ file simply specifies where to save different types of e-mail log files.

5. Vendor-unique e-mail file systems, such as Microsoft .pst or .ost, typically use ____________________ formatting, which can be difficult to read with a text or hexadecimal editor.

MATCHING

Match each item with a statement below:
a. Contacts f. Notepad
b. Pico g. CISCO Pix
c. syslogd file h. www.whatis.com
d. www.arin.net i. Pine
e. PU020101.db

1. Web site to check file extensions and match the file to a program

2. command line e-mail program used with UNIX

3. text editor used with Windows

4. the first folder the GroupWise server shares

5. text editor used with UNIX

6. the electronic address book in Outlook

7. a network firewall device

8. a registry Web site

9. includes e-mail logging instructions

SHORT ANSWER

1. Describe how e-mail account names are created on an intranet environment.

2. Describe the process of examining e-mail messages when you have access to the victim’s computer and when this access is not possible.

3. What are the steps for retrieving e-mail headers on Pine?

4. What are the steps for viewing e-mail headers in Hotmail?

5. What kind of information can you find in an e-mail header?

6. Explain how to handle attachments during an e-mail investigation.

7. Why are network router logs important during an e-mail investigation?

8. What kind of information is normally included in e-mail logs?

9. Provide a brief description of Microsoft Exchange Server. Additionally, explain the differences between .edb and .stm files.

10. Briefly explain how to use AccessData FTK to recover e-mails.

Chapter 13: Cell Phone and Mobile Device Forensics

TRUE/FALSE

1. Many people store more information on their cell phones than they do on their computers.

PTS: 1 REF: 514

2. Investigating cell phones and mobile devices is a relatively easy task in digital forensics.

PTS: 1 REF: 514

3. TDMA can operate in the cell phone (800 to 1000 MHz) or PCS (1900 MHz) frequency.

PTS: 1 REF: 516

4. Typically, phones developed for use on a GSM network are compatible with phones designed for a CDMA network.

PTS: 1 REF: 516

5. Portability of information is what makes SIM cards so versatile.

PTS: 1 REF: 517

MULTIPLE CHOICE

1. Developed during WWII, this technology,____, was patented by Qualcomm after the war.
a. iDEN c. GSM
b. CDMA d. EDGE

PTS: 1 REF: 515

2. The ____ digital network divides a radio frequency into time slots.
a. TDMA c. FDMA
b. CDMA d. EDGE

PTS: 1 REF: 515

3. The ____ network is a digital version of the original analog standard for cell phones.
a. TDMA c. CDMA
b. EDGE d. D-AMPS

PTS: 1 REF: 515

4. The ____ digital network, a faster version of GSM, is designed to deliver data.
a. TDMA c. EDGE
b. iDEN d. D-AMPS

PTS: 1 REF: 515

5. TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life.
a. IS-136 c. IS-236
b. IS-195 d. IS-361

PTS: 1 REF: 516

6. Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips.
a. EROM c. EEPROM
b. PROM d. ROM

PTS: 1 REF: 517

7. ____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM.
a. SD c. SDD
b. MMC d. SIM

PTS: 1 REF: 517

8. ____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth.
a. SDHCs c. CFs
b. PDAs d. MMCs

PTS: 1 REF: 518

9. The file system for a SIM card is a ____ structure.
a. volatile c. hierarchical
b. circular d. linear

PTS: 1 REF: 520

10. The SIM file structure begins with the root of the system (____).
a. EF c. DF
b. MF d. DCS

PTS: 1 REF: 520

11. Paraben Software is a leader in mobile forensics software and offers several tools, including ____, which can be used to acquire data from a variety of phone models.
a. BitPim c. MOBILedit!
b. DataPilot d. Device Seizure

PTS: 1 REF: 522

12. In a Windows environment, BitPim stores files in ____ by default.
a. My Documents\BitPim c. My Documents\BitPim\Forensics Files
b. My Documents\Forensics Files\BitPim d. My Documents\BitPim\Files

PTS: 1 REF: 522

13. ____ is a forensics software tool containing a built-in write blocker.
a. GSMCon c. SIMedit
b. MOBILedit! d. 3GPim

PTS: 1 REF: 522

COMPLETION

1. So far, there have been three generations of mobile phones: analog, digital personal communications service (PCS), and ____________________.

2. Most Code Division Multiple Access (CDMA) networks conform to IS-95, created by the ______________________.

3. Global System for Mobile Communications (GSM) uses the ______________________ technique, so multiple phones take turns sharing a channel.

4. The 3G standard was developed by the ______________________ under the United Nations.

5. Mobile devices can range from simple phones to small computers, also called ______________________.

MATCHING

Match each item with a statement below:
a. CDMA c. EDGE
b. iDEN d. ROM

1. proprietary protocol developed by Motorola

2. nonvolatile memory

3. standard developed specifically for 3G

4. one of the most common digital networks, it uses the full radio frequency spectrum to define channels

SHORT ANSWER

1. What is some of the information that can be stored in a cell phone?

2. What is the bandwidth offered by 3G mobile phones?

3. What are the three main components used for cell phone communications?

4. Briefly describe cell phone hardware.

5. Identify several uses of SIM cards.

6. Identify and define three kinds of peripheral memory cards used with PDAs.

7. How can you isolate a mobile device from incoming signals?

8. What are the four categories of information that can be retrieved from a SIM card?

9. What is the general procedure to access the content on a mobile phone SIM card?

10. What are some of the features offered by SIMCon?

Chapter 14: Report Writing for High-Tech Investigations

TRUE/FALSE

1. Besides presenting facts, reports can communicate expert opinion.

PTS: 1 REF: 530

2. A verbal report is more structured than a written report.

PTS: 1 REF: 532

3. If you must write a preliminary report, use words such as “preliminary copy,”“draft copy,” or “working draft.”

PTS: 1 REF: 535

4. As with any research paper, write the report abstract last.

PTS: 1 REF: 536

5. When writing a report, use a formal, technical style.

PTS: 1 REF: 537

MULTIPLE CHOICE

1. Attorneys can now submit documents electronically in many courts; the standard format in federal courts is ____.
a. Microsoft Word (DOC) c. Encapsulated Postscript (EPS)
b. Portable Document Format (PDF) d. Postscript (PS)

PTS: 1 REF: 531

2. A(n) ____ is a document that lets you know what questions to expect when you are testifying.
a. written report c. examination plan
b. affidavit d. subpoena

PTS: 1 REF: 532

3. You can use the ____ to help your attorney learn the terms and functions used in computer forensics.
a. verbal report c. final report
b. preliminary report d. examination plan

PTS: 1 REF: 532

4. A written report is frequently a(n) ____ or a declaration.
a. subpoena c. deposition
b. affidavit d. perjury

PTS: 1 REF: 532

5. If a report is long and complex, you should provide a(n) ____.
a. appendix c. table of contents
b. glossary d. abstract

PTS: 1 REF: 536

6. A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute).
a. written report c. examination plan
b. verbal report d. cross-examination report

PTS: 1 REF: 532

7. In the past, the method for expressing an opinion has been to frame a ____ question based on available factual evidence.
a. hypothetical c. challenging
b. nested d. contradictory

PTS: 1 REF: 533

8. An expert’s opinion is governed by FRE, Rule ____, and the corresponding rule in many states.
a. 705 c. 805
b. 755 d. 855

PTS: 1 REF: 534

9. Remember that anything you write down as part of your examination for a report is subject to ____ from the opposing attorney.
a. subpoena c. publishing
b. discovery d. deposition

PTS: 1 REF: 535

10. A written preliminary report is considered a ____ document because opposing counsel can demand discovery on it.
a. low-risk c. high-risk
b. middle-risk d. no-risk

PTS: 1 REF: 535

11. The abstract should be one or two paragraphs totaling about 150 to ____ words.
a. 200 c. 300
b. 250 d. 350

PTS: 1 REF: 536

12. ____ provide additional resource material not included in the body of the report.
a. Conclusion c. Discussion
b. References d. Appendixes

PTS: 1 REF: 536

13. Typically, report writers use one of two numbering systems: decimal numbering or ____ numbering.
a. legal-sequential c. arabic-sequential
b. roman-sequential d. letter-sequential

PTS: 1 REF: 538

14. A report using the ____ numbering system divides material into sections and restarts numbering with each main section.
a. roman-sequential c. legal-sequential
b. decimal d. indent

PTS: 1 REF: 538

15. In the main section of your report, you typically cite references with the ____ enclosed in parentheses.
a. year of publication and author’s last name
b. author’s last name
c. author’s last name and year of publication
d. year of publication

PTS: 1 REF: 541

16. Save broader generalizations and summaries for the report’s ____.
a. appendixes c. conclusion
b. introduction d. discussion

PTS: 1 REF: 541

17. The report’s ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements.
a. abstract c. introduction
b. conclusion d. reference

PTS: 1 REF: 541

18. If necessary, you can include ____ containing material such as raw data, figures not used in the body of the report, and anticipated exhibits.
a. conclusions c. references
b. discussions d. appendixes

PTS: 1 REF: 542

19. Reports and logs generated by forensic tools are typically in plaintext format, a word processor format, or ____ format.
a. PDF c. PS
b. HTML d. TXT

PTS: 1 REF: 543

20. Files with extensions .ods and ____ are created using OpenOffice Calc.
a. .sxc c. .dcx
b. .xls d. .qpr

PTS: 1 REF: 543

21. Files with extension ____ are created using Microsoft Outlook Express.
a. .sxc c. .dbx
b. .doc d. .ods

PTS: 1 REF: 543

COMPLETION

1. Lawyers use services called _________________________ (libraries), which store examples of expert witnesses’ previous testimony.

2. The report body consists of the introduction and _________________________ sections.

3. When writing a report, _________________________ means the tone of language you use to address the reader.

4. _________________________ assist readers in scanning the text quickly by highlighting the main points and logical development of information.

5. The ______________________________ system is frequently used when writing pleadings.

MATCHING

Match each item with a statement below
a. Decimal numbering f. Verbal report
b. Lay witness g. Spoliation
c. FTK h. Conclusion section
d. Examination plan i. MD5
e. Signposts

1. draw reader’s attention to a point in your report.

2. a report layout system

3. used by an attorney to guide an expert witness in his or her testimony

4. computer forensics software tool

5. lawyers jargon for destroying or concealing evidence

6. stands for Message Digest 5

7. typically takes place in an attorney’s office where the attorney requests your consultant’s report

8. starts by referring to the report’s purpose, states the main points, draws conclusions, and possibly renders an opinion

9. a witness testifying to personally observed facts

SHORT ANSWER

1. What are the report requirements for civil cases as specified on Rule 26, FRCP?

2. Briefly explain how to limit your report to specifics.

3. What are the areas of investigation usually addressed by a verbal report?

4. Explain how hypothetical questions can be used to ensure that you as a witness are basing your opinion on facts expected to be supported by evidence.

5. What are the four conditions required for an expert witness to testify to an opinion or conclusion?

6. What is the basic structure of a report?

7. Provide some guidelines for writing an introduction section for a report.

8. What do you need to consider to produce clear, concise reports?

9. Explain how to use supportive material on a report.

10. How should you explain examination and data collection methods?

Chapter 15: Expert Testimony in High-Tech Investigations

TRUE/FALSE

1. As an expert witness, you have opinions about what you have found or observed.

PTS: 1 REF: 558

2. Create a formal checklist of your procedures that’s applied to all your cases or include such a checklist in your report.

PTS: 1 REF: 559

3. As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.

PTS: 1 REF: 559

4. Like a job resume, your CV should be geared for a specific trial.

PTS: 1 REF: 561

5. Part of what you have to deliver to the jury is a person they can trust to help them figure out something that’s beyond their expertise.

PTS: 1 REF: 565

MULTIPLE CHOICE

1. When cases go to trial, you as a forensics examiner can play one of ____ roles.
a. 2 c. 4
b. 3 d. 5

PTS: 1 REF: 558

2. When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
a. technical/scientific c. lay witness
b. expert d. deposition

PTS: 1 REF: 558

3. Validate your tools and verify your evidence with ____ to ensure its integrity.
a. hashing algorithms c. steganography
b. watermarks d. digital certificates

PTS: 1 REF: 559

4. For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you’re constantly enhancing your skills through training, teaching, and experience.
a. testimony c. examination plan
b. CV d. deposition

PTS: 1 REF: 561

5. If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training.
a. 2 c. 4
b. 3 d. 5

PTS: 1 REF: 561

6. ____ is a written list of objections to certain testimony or exhibits.
a. Defendant c. Plaintiff
b. Empanelling the jury d. Motion in limine

PTS: 1 REF: 562

7. Regarding a trial, the term ____ means rejecting potential jurors.
a. voir dire c. strikes
b. rebuttal d. venireman

PTS: 1 REF: 563

8. ____ from both plaintiff and defense is an optional phase of the trial. Generally, it’s allowed to cover an issue raised during cross-examination.
a. Rebuttal c. Closing arguments
b. Plaintiff d. Opening statements

PTS: 1 REF: 563

9. If a microphone is present during your testimony, place it ____ to eight inches from you.
a. 3 c. 5
b. 4 d. 6

PTS: 1 REF: 565

10. Jurors typically average just over ____ years of education and an eighth-grade reading level.
a. 9 c. 11
b. 10 d. 12

PTS: 1 REF: 565

11. ____ is an attempt by opposing attorneys to prevent you from serving on an important case.
a. Conflict of interest c. Deposition
b. Warrant d. Conflicting out

PTS: 1 REF: 568

12. ____ evidence is evidence that exonerates or diminishes the defendant’s liability.
a. Rebuttal c. Inculpatory
b. Plaintiff d. Exculpatory

PTS: 1 REF: 569

13. You provide ____ testimony when you answer questions from the attorney who hired you.
a. direct c. examination
b. cross d. rebuttal

PTS: 1 REF: 569

14. The ____ is the most important part of testimony at a trial.
a. cross-examination c. rebuttal
b. direct examination d. motions in limine

PTS: 1 REF: 569

15. Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony.
a. setup c. compound
b. open-ended d. rapid-fire

PTS: 1 REF: 569

16. Leading questions such as “Isn’t it true that forensics experts always destroy their handwritten notes?” are referred to as ____ questions.
a. hypothetical c. setup
b. attorney d. nested

PTS: 1 REF: 570

17. Sometimes opposing attorneys ask several questions inside one question; this practice is called ____ questions.
a. leading c. compound
b. hypothetical d. rapid-fire

PTS: 1 REF: 571

18. A ____ differs from a trial testimony because there is no jury or judge.
a. rebuttal c. civil case
b. plaintiff d. deposition

PTS: 1 REF: 573

19. There are two types of depositions: ____ and testimony preservation.
a. examination c. direct
b. discovery d. rebuttal

PTS: 1 REF: 573

20. Discuss any potential problems with your attorney ____ a deposition.
a. before c. during
b. after d. during direct examination at

PTS: 1 REF: 574

21. A(n) ____ hearing generally addresses the administrative agency’s subject matter and seeks evidence in your testimony on a subject for which it’s contemplating making a rule.
a. administrative c. legislative
b. judicial d. direct

PTS: 1 REF: 575

COMPLETION

1. The ______________________ of evidence supports the integrity of your evidence.

2. Depending on your attorney’s needs, you might provide only your opinion and technical expertise to him or her instead of testifying in court; this role is called a(n) _______________________.

3. _____________________ is a pretrial motion to exclude certain evidence because it would prejudice the jury.

4. At a trial, _____________________ are statements that organize the evidence and state the applicable law.

5. The purpose of the _____________________ is for the opposing attorney to preview your testimony before trial.

MATCHING

Match each item with a statement below
a. Plaintiff f. CV
b. Motion in limine g. Testimony preservation deposition
c. Voir dire of venireman h. Voir dire
d. Opening statements i. MD5
e. Discovery deposition

1. part of the discovery process for trial

2. presents the case during a trial

3. provide an overview of the case during a trial

4. questioning potential jurors to see whether they’re qualified

5. usually requested by your client to preserve your testimony in case of schedule conflicts or health problems

6. a hashing algorithm

7. lists your professional experience

8. an expert witness qualification phase

9. allows the judge to decide whether certain evidence should be admitted when the jury isn’t present

SHORT ANSWER

1. What are the differences between a technical or scientific witness and an expert witness?

2. What should you do when preparing for testimony?

3. What are some of the questions you should consider when preparing your testimony?

4. What are some of the technical definitions that you should prepare before your testimony?

5. What are some of the reasons to avoid contact with news media during a case?

6. What are the procedures followed during a trial?

7. What should you do when you find exculpatory evidence?

8. How can you deal with rapid-fire questions during a cross-examination?

9. Explain the differences between discovery deposition and testimony preservation deposition.

10. Briefly describe judicial hearings.

Chapter 16: Ethics for the Expert Witness

TRUE/FALSE

1. People need ethics to help maintain their balance, especially in difficult and contentious situations.

PTS: 1 REF: 596

2. In the United States, there’s no state or national licensing body for computer forensics examiners.

PTS: 1 REF: 597

3. Experts should be paid in full for all previous work and for the anticipated time required for testimony.

PTS: 1 REF: 600

4. Expert opinions cannot be presented without stating the underlying factual basis.

PTS: 1 REF: 601

5. The American Bar Association (ABA) is a licensing body.

PTS: 1 REF: 603

MULTIPLE CHOICE

1. The most important laws applying to attorneys and witnesses are the ____.
a. professional codes of conduct c. rules of evidence
b. rules of ethics d. professional ethics

PTS: 1 REF: 597

2. Computer forensics examiners have two roles: scientific/technical witness and ____ witness.
a. expert c. discovery
b. direct d. professional

PTS: 1 REF: 597

3. Attorneys search ____ for information on expert witnesses.
a. disqualification banks c. examination banks
b. deposition banks d. cross-examination banks

PTS: 1 REF: 598

4. ____ questions can give you the factual structure to support and defend your opinion.
a. Setup c. Rapid-fire
b. Compound d. Hypothetical

PTS: 1 REF: 601

5. FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
a. 702 c. 704
b. 703 d. 705

PTS: 1 REF: 601

6. FRE ____ describes whether basis for the testimony is adequate.
a. 700 c. 702
b. 701 d. 703

PTS: 1 REF: 601

7. The ABA’s ____ contains provisions limiting the fees experts can receive for their services.
a. Code 703 c. Rule 26
b. Model Code d. Code 26-1.a

PTS: 1 REF: 603

8. The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients.
a. ISFCE c. ABA
b. IACIS d. HTCIA

PTS: 1 REF: 603

9. ____ are the experts who testify most often.
a. Civil engineers c. Chemical engineers
b. Computer forensics experts d. Medical professionals

PTS: 1 REF: 604

10. ____ offers the most comprehensive regulations of any professional organization and devote an entire section to forensics activities.
a. AMA’s law c. APA’s Ethics Code
b. ABA’s Model Rule d. ABA’s Model Codes

PTS: 1 REF: 605

11. The ____ Ethics Code cautions psychologists about the limitations of assessment tools.
a. ABA’s c. AMA’s
b. APA’s d. ADA’s

PTS: 1 REF: 605

COMPLETION

1. _____________________ are the rules you internalize and use to measure your performance.

2. _____________________ are standards that others apply to you or that you are compelled to adhere to by external forces, such as licensing bodies.

3. Some attorneys contact many experts as a ploy to disqualify them or prevent opposing counsel from hiring them; this practice is called “____________________.”

4. The ____________________ is the foundation of medical ethics.

5. For psychologists, the most broadly accepted set of guidelines governing their conduct as experts is the _____________________ (APA’s) Ethical Principles of Psychologists and Code of Conduct.

MATCHING

Match each item with a statement below:
a. Ethics c. Disqualification
b. Federal Rules of Evidence (FRE) d. IACIS

1. provides a well-defined, simple guide for expected behavior of computer forensics examiners

2. prescribe the methods by which experts appear at trial

3. one of the effects of violating court rules or laws

4. help you maintain your self-respect and the respect of your profession

SHORT ANSWER

1. Briefly describe the issues related to an attorney’s “opinion shopping.”

2. What are some of the factors courts have used in determining whether to disqualify an expert?

3. Describe some of the traps for unwary experts.

4. What are some of the most obvious ethical errors?

5. What are some of the guidelines included in the ISFCE code of ethics?

6. What are some of the requirements included in the HTCIA core values?

7. What are some of standards for IACIS members that apply to testifying?

8. What are the five recommendations set out by the AMA’s policy on expert witness testimony?

9. Why is it difficult to enforce any professional organization’s ethical guidelines?

10. What are the ethical responsibilities owed to you by your attorney?

CIS 562 Week 9 Assignment 4 – Strayer University New

CIS/562 Week 9 Assignment 4 – Strayer New

Click On The Link Below To Purchase A+ Graded Material
Instant Download

http://budapp.net/CIS-562-Assignment-4-Strayer-New-CIS562A4.htm

 

Assignment 4: Email Harassment

Suppose you are an internal investigator for a large software development company. The Human Resources Department has requested you investigate the accusations that one employee has been harassing another over both the corporate Exchange email system and Internet-based Yahoo! email.

Write a four to five (4-5) page paper in which you:
1. Create an outline of the steps you would take in examining the email accusations that have been identified.
2. Describe the information that can be discovered in email headers and determine how this information could potentially be used as evidence in the investigation.
3. Analyze differences between forensic analysis on the corporate Exchange system and the Internet-based Yahoo! System. Use this analysis to determine the challenges that exist for an investigator when analyzing email sent from an Internet-based email system outside of the corporate network.
4. Select one (1) software-based forensic tool for email analysis that you would utilize in this investigation. Describe its use, features, and how it would assist in this scenario.
5. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.

Your assignment must follow these formatting requirements:
• Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
• Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.

CIS 562 Week 8 Case Study 3 – Strayer University New

CIS/562 Week 8 Case Study 3 – Strayer New

Click On The Link Below To Purchase A+ Graded Material
Instant Download

http://budapp.net/CIS-562-Week-8-Case-Study-3-Strayer-New-CIS562W8C.htm

 

Case Study 3: Analyzing Stuxnet

Read the article titled, “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History” located at the Wired link below:
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1

Write a three to four (3-4) page paper in which you:
1. Explain the forensic technique Symantec researchers employed in order to receive the traffic sent by Stuxnet-infected computers and describe what their analysis uncovered.
2. Identify what researchers were surprised to discover with Stuxnet’s malicious DLL file. Assess this significant function of malware and what potential dangers it could present in the future.
3. Determine the primary reason that critical infrastructures are open to attacks which did not seem possible just a couple of decades earlier.
4. Decide whether or not an appropriate case has been made in which Stuxnet was indeed a targeted attack on an Iranian nuclear facility, based on the evidence and conclusions of the researchers. Provide your rationale with your response.
5. Use at least two (2) quality resources in this assignment other than the article linked above. Note: Wikipedia and similar Websites do not qualify as quality resources.

Your assignment must follow these formatting requirements:
• Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
• Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.

CIS 562 Week 9 Assignment 4 – Strayer University New

CIS/562 Week 9 Assignment 4 – Strayer New

Click On The Link Below To Purchase A+ Graded Material
Instant Download

http://budapp.net/CIS-562-Assignment-4-Strayer-New-CIS562A4.htm

 

Assignment 4: Email Harassment

Suppose you are an internal investigator for a large software development company. The Human Resources Department has requested you investigate the accusations that one employee has been harassing another over both the corporate Exchange email system and Internet-based Yahoo! email.

Write a four to five (4-5) page paper in which you:
1. Create an outline of the steps you would take in examining the email accusations that have been identified.
2. Describe the information that can be discovered in email headers and determine how this information could potentially be used as evidence in the investigation.
3. Analyze differences between forensic analysis on the corporate Exchange system and the Internet-based Yahoo! System. Use this analysis to determine the challenges that exist for an investigator when analyzing email sent from an Internet-based email system outside of the corporate network.
4. Select one (1) software-based forensic tool for email analysis that you would utilize in this investigation. Describe its use, features, and how it would assist in this scenario.
5. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.

Your assignment must follow these formatting requirements:
• Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
• Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.

CIS 562 Week 8 Case Study 3 – Strayer University New

CIS/562 Week 8 Case Study 3 – Strayer New

Click On The Link Below To Purchase A+ Graded Material
Instant Download

http://budapp.net/CIS-562-Week-8-Case-Study-3-Strayer-New-CIS562W8C.htm

 

Case Study 3: Analyzing Stuxnet

Read the article titled, “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History” located at the Wired link below:
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1

Write a three to four (3-4) page paper in which you:
1. Explain the forensic technique Symantec researchers employed in order to receive the traffic sent by Stuxnet-infected computers and describe what their analysis uncovered.
2. Identify what researchers were surprised to discover with Stuxnet’s malicious DLL file. Assess this significant function of malware and what potential dangers it could present in the future.
3. Determine the primary reason that critical infrastructures are open to attacks which did not seem possible just a couple of decades earlier.
4. Decide whether or not an appropriate case has been made in which Stuxnet was indeed a targeted attack on an Iranian nuclear facility, based on the evidence and conclusions of the researchers. Provide your rationale with your response.
5. Use at least two (2) quality resources in this assignment other than the article linked above. Note: Wikipedia and similar Websites do not qualify as quality resources.

Your assignment must follow these formatting requirements:
• Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
• Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.

CIS 562 Week 11 Final Exam – Strayer University New

CIS/562 Week 11 Final Exam – Strayer New

Click On The Link Below To Purchase A+ Graded Material
Instant Download

http://budapp.net/CIS-562-Final-Exam-Week-11-Strayer-NEW-CIS562W11E.htm

 

Chapters 7 Through 16

Chapter 7: Current Computer Forensics Tools

TRUE/FALSE

1. When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.

2. In software acquisition, there are three types of data-copying methods.

3. To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.

4. The Windows platforms have long been the primary command-line interface OSs.

5. After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.

MULTIPLE CHOICE

1. Computer forensics tools are divided into ____ major categories.
a. 2 c. 4
b. 3 d. 5

2. Software forensics tools are commonly used to copy data from a suspect’s disk drive to a(n) ____.
a. backup file c. image file
b. firmware d. recovery copy

3. To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable.
a. UNIX c. Linux
b. MAC OS X d. MS-DOS

4. Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command.
a. rawcp c. d2dump
b. dd d. dhex

5. ____ of data involves sorting and searching through all investigation data.
a. Validation c. Acquisition
b. Discrimination d. Reconstruction

6. Many password recovery tools have a feature that allows generating potential lists for a ____ attack.
a. brute-force c. birthday
b. password dictionary d. salting

7. The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk.
a. partition-to-partition c. disk-to-disk
b. image-to-partition d. image-to-disk

8. To complete a forensic disk analysis and examination, you need to create a ____.
a. forensic disk copy c. budget plan
b. risk assessment d. report

9. The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems.
a. Apple c. Commodore
b. Atari d. IBM

10. In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network.
a. Dir c. Copy
b. ls d. owner

11. In general, forensics workstations can be divided into ____ categories.
a. 2 c. 4
b. 3 d. 5

12. A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____.
a. stationary workstation c. lightweight workstation
b. field workstation d. portable workstation

13. ____ is a simple drive-imaging station.
a. F.R.E.D. c. FIRE IDE
b. SPARC d. DiskSpy

14. ____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.
a. Drive-imaging c. Workstations
b. Disk editors d. Write-blockers

15. Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0,and SCSI controllers.
a. USB c. LCD
b. IDE d. PCMCIA

16. The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
a. CFTT c. FS-TST
b. NIST d. NSRL

17. The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.
a. ISO 3657 c. ISO 5725
b. ISO 5321 d. ISO 17025

18. The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.
a. NSRL c. FS-TST
b. CFTT d. PARTAB

19. The primary hash algorithm used by the NSRL project is ____.
a. MD5 c. CRC-32
b. SHA-1 d. RC4

20. One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex.
a. disk imager c. bit-stream copier
b. write-blocker d. disk editor

21. Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file’s contents.
a. testing, compressed c. testing, pdf
b. scanning, text d. testing, doc

COMPLETION

1. Software forensic tools are grouped into command-line applications and ____________________ applications.

2. The Windows application of EnCase requires a(n) ____________________ device, such as FastBloc, to prevent Windows from accessing and corrupting a suspect disk drive.

3. The ____________________ function is the most demanding of all tasks for computer investigators to master.

4. Because there are a number of different versions of UNIX and Linux, these platforms are referred to as ____________________ platforms.

5. Hardware manufacturers have designed most computer components to last about ____________________ months between failures.

MATCHING

Match each item with a statement below
a. JFIF f. PDBlock
b. Lightweight workstation g. Norton DiskEdit
c. Pagefile.sys h. Stationary workstation
d. Salvaging i. SafeBack
e. Raw data

1. letters embedded near the beginning of all JPEG files

2. European term for carving

3. a direct copy of a disk drive

4. usually a laptop computer built into a carrying case with a small selection of peripheral options

5. one of the first MS-DOS tools used for a computer investigation

6. software-enabled write-blocker

7. system file where passwords may have been written temporarily

8. a tower with several bays and many peripheral devices

9. command-line disk acquisition tool from New Technologies, Inc.

SHORT ANSWER

1. What are the five major function categories of any computer forensics tool?

2. Explain the validation of evidence data process.

3. What are some of the advantages of using command-line forensics tools?

4. Explain the advantages and disadvantages of GUI forensics tools.

5. Illustrate how to consider hardware needs when planning your lab budget.

6. Describe some of the problems you may encounter if you decide to build your own forensics workstation.

7. Illustrate the use of a write-blocker on a Windows environment.

8. Briefly explain the NIST general approach for testing computer forensics tools.

9. Explain the difference between repeatable results and reproducible results.

10. Briefly explain the purpose of the NIST NSRL project.

Chapter 8: Macintosh and Linux Boot Processes and File Systems

TRUE/FALSE

1. If a file contains information, it always occupies at least one allocation block.

2. Older Macintosh computers use the same type of BIOS firmware commonly found in PC-based systems.

3. GPL and BSD variations are examples of open-source software.

4. A UNIX or Linux computer has two boot blocks, which are located on the main hard disk.

5. Under ISO 9660 for DVDs, the Micro-UDF (M-UDF) function has been added to allow for long filenames.

MULTIPLE CHOICE

1. Macintosh OS X is built on a core called ____.
a. Phantom c. Darwin
b. Panther d. Tiger

2. In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.
a. resource c. blocks
b. node d. inodes

3. The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is ____.
a. 32,768 c. 58,745
b. 45,353 d. 65,535

4. On older Macintosh OSs all information about the volume is stored in the ____.
a. Master Directory Block (MDB) c. Extents Overflow File (EOF)
b. Volume Control Block (VCB) d. Volume Bitmap (VB)

5. With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
a. Extents overflow file c. Master Directory Block
b. Volume Bitmap d. Volume Control Block

6. On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB).
a. volume information block c. catalog
b. extents overflow file d. master directory block

7. Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement.
a. AIX c. GPL
b. BSD d. GRUB

8. The standard Linux file system is ____.
a. NTFS c. HFS+
b. Ext3fs d. Ext2fs

9. Ext2fs can support disks as large as ____ TB and files as large as 2 GB.
a. 4 c. 10
b. 8 d. 12

10. Linux is unique in that it uses ____, or information nodes, that contain descriptive information about each file or directory.
a. xnodes c. infNodes
b. extnodes d. inodes

11. To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of ____.
a. -1 c. 1
b. 0 d. 2

12. ____ components define the file system on UNIX.
a. 2 c. 4
b. 3 d. 5

13. The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive.
a. superblock c. boot block
b. data block d. inode block

14. LILO uses a configuration file named ____ located in the /Etc directory.
a. Lilo.conf c. Lilo.config
b. Boot.conf d. Boot.config

15. Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of OSs.
a. 1989 c. 1994
b. 1991 d. 1995

16. On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive.
a. /dev/sda1 c. /dev/hda1
b. /dev/hdb1 d. /dev/ide1

17. There are ____ tracks available for the program area on a CD.
a. 45 c. 99
b. 50 d. 100

18. The ____ provides several software drivers that allow communication between the OS and the SCSI component.
a. International Organization of Standardization (ISO)
b. Advanced SCSI Programming Interface (ASPI)
c. CLV
d. EIDE

19. All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard ____ ribbon or shielded cable.
a. 40-pin c. 80-pin
b. 60-pin d. 120-pin

20. ATA-66,ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable.
a. 70 c. 96
b. 83 d. 100

21. IDE ATA controller on an old 486 PC doesn’t recognize disk drives larger than 8.4 ____.
a. KB c. GB
b. MB d. TB

COMPLETION

1. Before OS X, Macintosh uses the ____________________, in which files are stored in directories, or folders, that can be nested in other folders.

2. The Macintosh file system has ____________________ descriptors for the end of file (EOF).

3. ____________________ is a journaling version of Ext2fs that reduces file recovery time after a crash.

4. When you turn on the power to a UNIX workstation, instruction code located in firmware on the system’s CPU loads into RAM. This firmware is called ____________________ code because it’s located in ROM.

5. CD players that are 12X or faster read discs by using a(n) _____________________ system.

MATCHING

Match each item with a statement below
a. File Manager f. Volume
b. Inode blocks g. ls
c. ISO 9660 h. Catalog
d. LILO i. Finder
e. Clumps

1. older Linux boot manager utility

2. Macintosh tool that works with the OS to keep track of files and maintain users’ desktops

3. any storage medium used to store files

4. the list command on Linux

5. maintains relationships between files and directories on a volume on a Mac OS

6. the first data after the superblock on a UNIX or Linux file system

7. ISO standard for CDs

8. Mac OS utility that handles reading, writing, and storing data to physical media

9. groups of contiguous allocation blocks

SHORT ANSWER

1. Explain the relation between allocation blocks and logical block on a Mac OS file system.

2. Explain the use of B*-trees on Mac OS 9 file system.

3. Explain the use of forensic tools for Macintosh systems.

4. What are the functions of the superblock on a UNIX or Linux file system?

5. What is a bad block inode on Linux?

6. What is a continuation inode?

7. Describe the CD creation process.

8. Write a brief history of SCSI.

9. Explain the problems you can encounter with pre-ATA-33 devices when connecting them to current PCs.

10. What problems can hidden partitions on IDE devices cause to forensic investigators?

Chapter 9: Computer Forensics Analysis and Validation

TRUE/FALSE

1. The defense request for full discovery of digital evidence applies only to criminal cases in the United States.

2. For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.

3. FTK cannot perform forensics analysis on FAT12 file systems.

4. FTK cannot analyze data from image files from other vendors.

5. A nonsteganographic graphics file has a different size than an identical steganographic graphics file.

MULTIPLE CHOICE

1. ____ increases the time and resources needed to extract,analyze,and present evidence.
a. Investigation plan c. Litigation path
b. Scope creep d. Court order for discovery

2. You begin any computer forensics case by creating a(n) ____.
a. investigation plan c. evidence custody form
b. risk assessment report d. investigation report

3. In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover.
a. risk assessment reports c. scope creeps
b. investigation plans d. subpoenas

4. There are ____ searching options for keywords which FTK offers.
a. 2 c. 4
b. 3 d. 5

5. ____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search.
a. Online c. Active
b. Inline d. Live

6. The ____ search feature allows you to look for words with extensions such as “ing,”“ed,” and so forth.
a. fuzzy c. permutation
b. stemming d. similar-sounding

7. In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period.
a. live c. active
b. indexed d. inline

8. FTK and other computer forensics programs use ____ to tag and document digital evidence.
a. tracers c. bookmarks
b. hyperlinks d. indents

9. Getting a hash value with a ____ is much faster and easier than with a(n) ____.
a. high-level language, assembler
b. HTML editor, hexadecimal editor
c. computer forensics tool, hexadecimal editor
d. hexadecimal editor, computer forensics tool

10. AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data.
a. KFF c. NTI
b. PKFT d. NSRL

11. Data ____ involves changing or manipulating a file to conceal information.
a. recovery c. integrity
b. creep d. hiding

12. One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it.
a. Norton DiskEdit c. System Commander
b. PartitionMagic d. LILO

13. Marking bad clusters data-hiding technique is more common with ____ file systems.
a. NTFS c. HFS
b. FAT d. Ext2fs

14. The term ____ comes from the Greek word for“hidden writing.”
a. creep c. escrow
b. steganography d. hashing

15. ____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there.
a. Bit shifting c. Marking bad clusters
b. Encryption d. Steganography

16. Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.
a. steganography c. password backup
b. key escrow d. key splitting

17. People who want to hide data can also use advanced encryption programs, such as PGP or ____.
a. NTI c. FTK
b. BestCrypt d. PRTK

18. ____ recovery is a fairly easy task in computer forensic analysis.
a. Data c. Password
b. Partition d. Image

19. ____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
a. Brute-force c. Profile
b. Dictionary d. Statistics

20. ____ are handy when you need to image the drive of a computer far away from your location or when you don’t want a suspect to be aware of an ongoing investigation.
a. Scope creeps c. Password recovery tools
b. Remote acquisitions d. Key escrow utilities

21. ____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer’s file system.
a. HDHOST c. DiskEdit
b. DiskHost d. HostEditor

COMPLETION

1. For most law-enforcement-related computing investigations, the investigator is limited to working with data defined in the search ____________________.

2. FTK provides two options for searching for keywords: indexed search and ____________________ search.

3. ____________________ search catalogs all words on the evidence disk so that FTK can find them quickly.

4. To generate reports with the FTK ReportWizard, first you need to ____________________ files during an examination.

5. The data-hiding technique ____________________ changes data from readable code to data that looks like binary executable code.

MATCHING

Match each item with a statement below
a. Court orders for discovery f. PRTK
b. Investigation plan g. Validating digital evidence
c. Digital Intelligence PDWipe h. MD5
d. Live search i. System Commander
e. Cabinet

1. defines the investigation’s goal and scope, the materials needed, and the tasks to perform

2. a hashing algorithm

3. one of the most critical aspects of computer forensics

4. a type of compressed file

5. an FTK searching option

6. a password recovery program available from AccessData

7. a disk-partitioning utility

8. program used to clean all data from the target drive you plan to use

9. limit a civil investigation

SHORT ANSWER

1. Describe the effects of scope creep on an investigation in the corporate environment.

2. Describe with examples why the approach you take for a forensics case depends largely on the specific type of case you’re investigating.

3. How should you approach a case in which an employee is suspected of industrial espionage?

4. What are the file systems supported by FTK for forensic analysis?

5. How does the Known File Filter program work?

6. How can you validate the integrity of raw format image files with ProDiscover?

7. How can you hide data by marking bad clusters?

8. Briefly describe how to use steganography for creating digital watermarks.

9. What are the basic guidelines to identify steganography files?

10. Briefly describe the differences between brute-force attacks and dictionary attacks to crack passwords.

Chapter 10: Recovering Graphics Files

TRUE/FALSE

1. Bitmap images are collections of dots, or pixels, that form an image.

PTS: 1 REF: 398

2. Operating systems do not have tools for recovering image files.

PTS: 1 REF: 405

3. If a graphics file is fragmented across areas on a disk, first you must recover all the fragments to re-create the file.

PTS: 1 REF: 405

4. With many computer forensics tools, you can open files with external viewers.

PTS: 1 REF: 425

5. Steganography cannot be used with file formats other than image files.

PTS: 1 REF: 428

MULTIPLE CHOICE

1. ____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
a. Bitmap images c. Vector graphics
b. Metafile graphics d. Line-art images

PTS: 1 REF: 398

2. You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
a. graphics viewers c. image viewers
b. image readers d. graphics editors

PTS: 1 REF: 398

3. ____ images store graphics information as grids of individual pixels.
a. Bitmap c. Vector
b. Raster d. Metafiles

PTS: 1 REF: 398

4. The process of converting raw picture data to another format is referred to as ____.
a. JEIDA c. demosaicing
b. rastering d. rendering

PTS: 1 REF: 401

5. The majority of digital cameras use the ____ format to store digital pictures.
a. EXIF c. PNG
b. TIFF d. GIF

PTS: 1 REF: 401

6. ____ compression compresses data by permanently discarding bits of information in the file.
a. Redundant c. Huffman
b. Lossy d. Lossless

PTS: 1 REF: 404

7. Recovering pieces of a file is called ____.
a. carving c. saving
b. slacking d. rebuilding

PTS: 1 REF: 405

8. A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10.
a. EPS c. GIF
b. BMP d. JPEG

PTS: 1 REF: 408

9. If you can’t open an image file in an image viewer, the next step is to examine the file’s ____.
a. extension c. header data
b. name d. size

PTS: 1 REF: 414

10. The uppercase letter ____ has a hexadecimal value of 41.
a. “A” c. “G”
b. “C” d. “Z”

PTS: 1 REF: 417

11. The image format XIF is derived from the more common ____ file format.
a. GIF c. BMP
b. JPEG d. TIFF

PTS: 1 REF: 423

12. The simplest way to access a file header is to use a(n) ____ editor
a. hexadecimal c. disk
b. image d. text

PTS: 1 REF: 423

13. The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03.
a. TIFF c. JPEG
b. XIF d. GIF

PTS: 1 REF: 425

14. ____ is the art of hiding information inside image files.
a. Steganography c. Graphie
b. Steganalysis d. Steganos

PTS: 1 REF: 425

15. ____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
a. Replacement c. Substitution
b. Append d. Insertion

PTS: 1 REF: 426

16. ____ steganography replaces bits of the host file with other bits of data.
a. Insertion c. Substitution
b. Replacement d. Append

PTS: 1 REF: 426

17. In the following list, ____ is the only steg tool.
a. EnCase c. DriveSpy
b. iLook d. Outguess

PTS: 1 REF: 429

18. ____ has also been used to protect copyrighted material by inserting digital watermarks into a file.
a. Encryption c. Compression
b. Steganography d. Archiving

PTS: 1 REF: 430

19. When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations.
a. international c. copyright
b. forensics d. civil

PTS: 1 REF: 430

20. Under copyright laws, computer programs may be registered as ____.
a. literary works c. architectural works
b. motion pictures d. audiovisual works

PTS: 1 REF: 430

21. Under copyright laws, maps and architectural plans may be registered as ____.
a. pantomimes and choreographic works c. literary works
b. artistic works d. pictorial, graphic, and sculptural works

PTS: 1 REF: 430

COMPLETION

1. A graphics program creates and saves one of three types of image files: bitmap, vector, or ____________________.

2. ____________________ is the process of coding of data from a larger form to a smaller form.

3. The ____________________ is the best source for learning more about file formats and their associated extensions.

4. All ____________________ files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 2A.

5. The two major forms of steganography are ____________________ and substitution.

MATCHING

Match each item with a statement below
a. Pixels f. Steganalysis tools
b. Hex Workshop g. GIMP
c. Adobe Illustrator h. XIF
d. Microsoft Office Picture Manager i. Metafile graphics
e. JPEG

1. drawing program that creates vector files

2. Gnome graphics editor

3. image format derived from the TIFF file format

4. combinations of bitmap and vector images

5. short for “picture elements”

6. are also called steg tools

7. graphics file format that uses lossy compression

8. tool used to rebuild image file headers

9. Microsoft image viewer

SHORT ANSWER

1. Briefly describe the Exchangeable Image File (EXIF) format.

2. Explain how lossless compression relates to image file formats.

3. How does vector quantization (VQ) compress data?

4. Explain how someone can use a disk editor tool to mark clusters as “bad” clusters.

5. Identify and describe some image viewers.

6. Write a brief history of steganography.

7. Describe how to hide information on an 8-bit bitmap image file using substitution steganography.

8. Explain how steganalysis tools work.

9. Give a brief overview of copyright laws pertaining to graphics within and outside the U.S.

10. Present a list of categories covered under copyright laws in the U.S.

Chapter 11: Virtual Machines, Network Forensics, and Live Acquisitions

TRUE/FALSE

1. When intruders break into a network, they rarely leave a trail behind.

PTS: 1 REF: 442

2. Network forensics is a fast, easy process.

PTS: 1 REF: 447

3. PsList from PsTools allows you to list detailed information about processes.

PTS: 1 REF: 450

4. With the Knoppix STD tools on a portable CD, you can examine almost any network system.

PTS: 1 REF: 451

5. Ngrep cannot be used to examine e-mail headers or IRC chats.

PTS: 1 REF: 455

MULTIPLE CHOICE

1. ____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.
a. Broadcast forensics c. Computer forensics
b. Network forensics d. Traffic forensics

PTS: 1 REF: 442

2. ____ hide the most valuable data at the innermost part of the network.
a. Layered network defense strategies c. Protocols
b. Firewalls d. NAT

PTS: 1 REF: 442

3. ____ forensics is the systematic tracking of incoming and outgoing traffic on your network.
a. Network c. Criminal
b. Computer d. Server

PTS: 1 REF: 442

4. ____ can be used to create a bootable forensic CD and perform a live acquisition.
a. Helix c. Inquisitor
b. DTDD d. Neon

PTS: 1 REF: 445

5. Helix operates in two modes:Windows Live (GUI or command line) and ____.
a. command Windows c. command Linux
b. remote GUI d. bootable Linux

PTS: 1 REF: 445

6. A common way of examining network traffic is by running the ____ program.
a. Netdump c. Coredump
b. Slackdump d. Tcpdump

PTS: 1 REF: 448

7. ____ is a suite of tools created by Sysinternals.
a. EnCase c. R-Tools
b. PsTools d. Knoppix

PTS: 1 REF: 450

8. ____ is a Sysinternals command that shows all Registry data in real time on a Windows computer.
a. PsReg c. RegMon
b. RegExplorer d. RegHandle

PTS: 1 REF: 450

9. The PSTools ____ kills processes by name or process ID.
a. PsExec c. PsKill
b. PsList d. PsShutdown

PTS: 1 REF: 450

10. ____ is a popular network intrusion detection system that performs packet capture and analysis in real time.
a. Ethereal c. Tcpdump
b. Snort d. john

PTS: 1 REF: 451

11. ____ is the U.S. DoD computer forensics lab’s version of the dd command that comes with Knoppix-STD.
a. chntpw c. memfetch
b. john d. dcfldd

PTS: 1 REF: 451

12. The Knoppix STD tool ____ enables you to reset passwords on a Windows computer, including the administrator password
a. chntpw c. oinkmaster
b. john d. memfetch

PTS: 1 REF: 451

13. ____ are devices and/or software placed on a network to monitor traffic.
a. Packet sniffers c. Hubs
b. Bridges d. Honeypots

PTS: 1 REF: 454

14. Most packet sniffers operate on layer 2 or ____ of the OSI model.
a. 1 c. 5
b. 3 d. 7

PTS: 1 REF: 454

15. Most packet sniffer tools can read anything captured in ____ format.
a. SYN c. PCAP
b. DOPI d. AIATP

PTS: 1 REF: 455

16. In a(n) ____ attack, the attacker keeps asking your server to establish a connection.
a. SYN flood c. brute-force attack
b. ACK flood d. PCAP attack

PTS: 1 REF: 455

17. ____ is the text version of Ethereal, a packet sniffer tool.
a. Tcpdump c. Etherape
b. Ethertext d. Tethereal

PTS: 1 REF: 455

18. ____ is a good tool for extracting information from large Libpcap files.
a. Nmap c. Pcap
b. Tcpslice d. TCPcap

PTS: 1 REF: 455

19. The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.
a. Honeynet c. Honeywall
b. Honeypot d. Honeyweb

PTS: 1 REF: 458

20. Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack.
a. ISPs c. zombies
b. soldiers d. pawns

PTS: 1 REF: 458

21. A ____ is a computer set up to look like any other machine on your network, but it lures the attacker to it.
a. honeywall c. honeynet
b. honeypot d. honeyhost

PTS: 1 REF: 459

COMPLETION

1. ____________________ is a layered network defense strategy developed by the National Security Agency (NSA).

2. The term ____________________ means how long a piece of information lasts on a system.

3. ____________________ logs record traffic in and out of a network.

4. The PSTools ____________________ tool allows you to suspend processes.

ANS: PsSuspend

5. The U.K. Honeynet Project has created the ____________________. It contains the honeywall and honeypot on a bootable memory stick.

MATCHING

Match each item with a statement below
a. Cyberforensics f. Trojan horse
b. Ethereal g. Knoppix
c. Tripwire h. PsShutdown
d. PsGetSid i. oinkmaster
e. PsLoggedOn

1. displays who’s logged on locally

2. displays the security identifier (SID) of a computer or user

3. an audit control program that detects anomalies in traffic and sends an alert automatically

4. usually refers to network forensics

5. a bootable Linux CD intended for computer and network forensics

6. shuts down and optionally restarts a computer

7. helps manage snort rules so that you can specify what items to ignore as regular traffic and what items should raise alarms

8. a network analysis tool

9. type of malware

SHORT ANSWER

1. Why is testing networks as important as testing servers?

2. When are live acquisitions useful?

3. What is the general procedure for a live acquisition?

4. Detail a standard procedure for network forensics investigations.

5. How should you proceed if your network forensic investigation involves other companies?

6. Describe some of the Windows tools available at Sysinternals.

7. What are some of the tools included with the PSTools suite?

8. What is Knoppix-STD?

9. What are some of the tools included with Knoppix STD?

10. Explain The Auditor tool.

Chapter 12: E-mail Investigations

TRUE/FALSE

1. For computer investigators, tracking intranet e-mail is relatively easy because the accounts use standard names established by the network or e-mail administrator.

PTS: 1 REF: 470

2. You can always rely on the return path in an e-mail header to show the source account of an e-mail message.

PTS: 1 REF: 482

3. E-mail programs either save e-mail messages on the client computer or leave them on the server.

PTS: 1 REF: 483

4. All e-mail servers are databases that store multiple users’ e-mails.

PTS: 1 REF: 485

5. Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.

PTS: 1 REF: 489

MULTIPLE CHOICE

1. E-mail messages are distributed from one central server to many connected client computers, a configuration called ____.
a. client/server architecture c. client architecture
b. central distribution architecture d. peer-to-peer architecture

PTS: 1 REF: 469

2. In an e-mail address, everything after the ____ symbol represents the domain name.
a.  c. @
b. . d. –

PTS: 1 REF: 470

3. With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
a. command-line c. prompt-based
b. shell-based d. GUI

PTS: 1 REF: 472

4. When working on a Windows environment you can press ____ to copy the selected text to the clipboard.
a. Ctrl+A c. Ctrl+V
b. Ctrl+C d. Ctrl+Z

PTS: 1 REF: 473

5. To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click ____ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header.
a. Options c. Properties
b. Details d. Message Source

PTS: 1 REF: 473

6. To retrieve an Outlook Express e-mail header right-click the message, and then click ____ to open a dialog box showing general information about the message.
a. Properties c. Details
b. Options d. Message Source

PTS: 1 REF: 473

7. For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command.
a. prn c. prnt
b. print d. prt

PTS: 1 REF: 477

8. To view AOL e-mail headers click Action, ____ from the menu.
a. More options c. Options
b. Message properties d. View Message Source

PTS: 1 REF: 478

9. To view e-mail headers on Yahoo! click the ____ link in the Mail Options window, and then click Show all headers on incoming messages.
a. Advanced c. Message Properties
b. General Preferences d. More information

PTS: 1 REF: 480

10. In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.
a. .ost c. .msg
b. .eml d. .pst

PTS: 1 REF: 483

11. ____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names.
a. www.freeality.com c. www.whatis.com
b. www.google.com d. www.juno.com

PTS: 1 REF: 484

12. ____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.
a. Continuous logging c. Circular logging
b. Automatic logging d. Server logging

PTS: 1 REF: 485

13. The files that provide helpful information to an e-mail investigation are log files and ____ files.
a. batch c. scripts
b. configuration d. .rts

PTS: 1 REF: 487

14. ____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside.
a. /etc/sendmail.cf c. /etc/var/log/maillog
b. /etc/syslog.conf d. /var/log/maillog

PTS: 1 REF: 487

15. Typically, UNIX installations are set to store logs such as maillog in the ____ directory.
a. /etc/Log c. /etc/var/log
b. /log d. /var/log

PTS: 1 REF: 488

16. Exchange logs information about changes to its data in a(n) ____ log.
a. checkpoint c. transaction
b. communication d. tracking

PTS: 1 REF: 489

17. In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.
a. tracking c. temporary
b. checkpoint d. milestone

PTS: 1 REF: 489

18. The Novell e-mail server software is called ____.
a. Sendmail c. Sawmill
b. GroupWise d. Guardian

PTS: 1 REF: 491

19. GroupWise has ____ ways of organizing the mailboxes on the server.
a. 2 c. 4
b. 3 d. 5

PTS: 1 REF: 491

20. The GroupWise logs are maintained in a standard log format in the ____ folders.
a. MIME c. QuickFinder
b. mbox d. GroupWise

PTS: 1 REF: 491

21. Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format.
a. POP3 c. MIME
b. mbox d. SMTP

PTS: 1 REF: 500

COMPLETION

1. You can send and receive e-mail in two environments:via the ____________________ or an intranet (an internal network).

2. An e-mail address in the Return-Path line of an e-mail header is usually indicated as the ____________________ field in an e-mail message.

3. Administrators usually set e-mail servers to ____________________ logging mode.

4. In UNIX e-mail servers, the ____________________ file simply specifies where to save different types of e-mail log files.

5. Vendor-unique e-mail file systems, such as Microsoft .pst or .ost, typically use ____________________ formatting, which can be difficult to read with a text or hexadecimal editor.

MATCHING

Match each item with a statement below:
a. Contacts f. Notepad
b. Pico g. CISCO Pix
c. syslogd file h. www.whatis.com
d. www.arin.net i. Pine
e. PU020101.db

1. Web site to check file extensions and match the file to a program

2. command line e-mail program used with UNIX

3. text editor used with Windows

4. the first folder the GroupWise server shares

5. text editor used with UNIX

6. the electronic address book in Outlook

7. a network firewall device

8. a registry Web site

9. includes e-mail logging instructions

SHORT ANSWER

1. Describe how e-mail account names are created on an intranet environment.

2. Describe the process of examining e-mail messages when you have access to the victim’s computer and when this access is not possible.

3. What are the steps for retrieving e-mail headers on Pine?

4. What are the steps for viewing e-mail headers in Hotmail?

5. What kind of information can you find in an e-mail header?

6. Explain how to handle attachments during an e-mail investigation.

7. Why are network router logs important during an e-mail investigation?

8. What kind of information is normally included in e-mail logs?

9. Provide a brief description of Microsoft Exchange Server. Additionally, explain the differences between .edb and .stm files.

10. Briefly explain how to use AccessData FTK to recover e-mails.

Chapter 13: Cell Phone and Mobile Device Forensics

TRUE/FALSE

1. Many people store more information on their cell phones than they do on their computers.

PTS: 1 REF: 514

2. Investigating cell phones and mobile devices is a relatively easy task in digital forensics.

PTS: 1 REF: 514

3. TDMA can operate in the cell phone (800 to 1000 MHz) or PCS (1900 MHz) frequency.

PTS: 1 REF: 516

4. Typically, phones developed for use on a GSM network are compatible with phones designed for a CDMA network.

PTS: 1 REF: 516

5. Portability of information is what makes SIM cards so versatile.

PTS: 1 REF: 517

MULTIPLE CHOICE

1. Developed during WWII, this technology,____, was patented by Qualcomm after the war.
a. iDEN c. GSM
b. CDMA d. EDGE

PTS: 1 REF: 515

2. The ____ digital network divides a radio frequency into time slots.
a. TDMA c. FDMA
b. CDMA d. EDGE

PTS: 1 REF: 515

3. The ____ network is a digital version of the original analog standard for cell phones.
a. TDMA c. CDMA
b. EDGE d. D-AMPS

PTS: 1 REF: 515

4. The ____ digital network, a faster version of GSM, is designed to deliver data.
a. TDMA c. EDGE
b. iDEN d. D-AMPS

PTS: 1 REF: 515

5. TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life.
a. IS-136 c. IS-236
b. IS-195 d. IS-361

PTS: 1 REF: 516

6. Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips.
a. EROM c. EEPROM
b. PROM d. ROM

PTS: 1 REF: 517

7. ____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM.
a. SD c. SDD
b. MMC d. SIM

PTS: 1 REF: 517

8. ____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth.
a. SDHCs c. CFs
b. PDAs d. MMCs

PTS: 1 REF: 518

9. The file system for a SIM card is a ____ structure.
a. volatile c. hierarchical
b. circular d. linear

PTS: 1 REF: 520

10. The SIM file structure begins with the root of the system (____).
a. EF c. DF
b. MF d. DCS

PTS: 1 REF: 520

11. Paraben Software is a leader in mobile forensics software and offers several tools, including ____, which can be used to acquire data from a variety of phone models.
a. BitPim c. MOBILedit!
b. DataPilot d. Device Seizure

PTS: 1 REF: 522

12. In a Windows environment, BitPim stores files in ____ by default.
a. My Documents\BitPim c. My Documents\BitPim\Forensics Files
b. My Documents\Forensics Files\BitPim d. My Documents\BitPim\Files

PTS: 1 REF: 522

13. ____ is a forensics software tool containing a built-in write blocker.
a. GSMCon c. SIMedit
b. MOBILedit! d. 3GPim

PTS: 1 REF: 522

COMPLETION

1. So far, there have been three generations of mobile phones: analog, digital personal communications service (PCS), and ____________________.

2. Most Code Division Multiple Access (CDMA) networks conform to IS-95, created by the ______________________.

3. Global System for Mobile Communications (GSM) uses the ______________________ technique, so multiple phones take turns sharing a channel.

4. The 3G standard was developed by the ______________________ under the United Nations.

5. Mobile devices can range from simple phones to small computers, also called ______________________.

MATCHING

Match each item with a statement below:
a. CDMA c. EDGE
b. iDEN d. ROM

1. proprietary protocol developed by Motorola

2. nonvolatile memory

3. standard developed specifically for 3G

4. one of the most common digital networks, it uses the full radio frequency spectrum to define channels

SHORT ANSWER

1. What is some of the information that can be stored in a cell phone?

2. What is the bandwidth offered by 3G mobile phones?

3. What are the three main components used for cell phone communications?

4. Briefly describe cell phone hardware.

5. Identify several uses of SIM cards.

6. Identify and define three kinds of peripheral memory cards used with PDAs.

7. How can you isolate a mobile device from incoming signals?

8. What are the four categories of information that can be retrieved from a SIM card?

9. What is the general procedure to access the content on a mobile phone SIM card?

10. What are some of the features offered by SIMCon?

Chapter 14: Report Writing for High-Tech Investigations

TRUE/FALSE

1. Besides presenting facts, reports can communicate expert opinion.

PTS: 1 REF: 530

2. A verbal report is more structured than a written report.

PTS: 1 REF: 532

3. If you must write a preliminary report, use words such as “preliminary copy,”“draft copy,” or “working draft.”

PTS: 1 REF: 535

4. As with any research paper, write the report abstract last.

PTS: 1 REF: 536

5. When writing a report, use a formal, technical style.

PTS: 1 REF: 537

MULTIPLE CHOICE

1. Attorneys can now submit documents electronically in many courts; the standard format in federal courts is ____.
a. Microsoft Word (DOC) c. Encapsulated Postscript (EPS)
b. Portable Document Format (PDF) d. Postscript (PS)

PTS: 1 REF: 531

2. A(n) ____ is a document that lets you know what questions to expect when you are testifying.
a. written report c. examination plan
b. affidavit d. subpoena

PTS: 1 REF: 532

3. You can use the ____ to help your attorney learn the terms and functions used in computer forensics.
a. verbal report c. final report
b. preliminary report d. examination plan

PTS: 1 REF: 532

4. A written report is frequently a(n) ____ or a declaration.
a. subpoena c. deposition
b. affidavit d. perjury

PTS: 1 REF: 532

5. If a report is long and complex, you should provide a(n) ____.
a. appendix c. table of contents
b. glossary d. abstract

PTS: 1 REF: 536

6. A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute).
a. written report c. examination plan
b. verbal report d. cross-examination report

PTS: 1 REF: 532

7. In the past, the method for expressing an opinion has been to frame a ____ question based on available factual evidence.
a. hypothetical c. challenging
b. nested d. contradictory

PTS: 1 REF: 533

8. An expert’s opinion is governed by FRE, Rule ____, and the corresponding rule in many states.
a. 705 c. 805
b. 755 d. 855

PTS: 1 REF: 534

9. Remember that anything you write down as part of your examination for a report is subject to ____ from the opposing attorney.
a. subpoena c. publishing
b. discovery d. deposition

PTS: 1 REF: 535

10. A written preliminary report is considered a ____ document because opposing counsel can demand discovery on it.
a. low-risk c. high-risk
b. middle-risk d. no-risk

PTS: 1 REF: 535

11. The abstract should be one or two paragraphs totaling about 150 to ____ words.
a. 200 c. 300
b. 250 d. 350

PTS: 1 REF: 536

12. ____ provide additional resource material not included in the body of the report.
a. Conclusion c. Discussion
b. References d. Appendixes

PTS: 1 REF: 536

13. Typically, report writers use one of two numbering systems: decimal numbering or ____ numbering.
a. legal-sequential c. arabic-sequential
b. roman-sequential d. letter-sequential

PTS: 1 REF: 538

14. A report using the ____ numbering system divides material into sections and restarts numbering with each main section.
a. roman-sequential c. legal-sequential
b. decimal d. indent

PTS: 1 REF: 538

15. In the main section of your report, you typically cite references with the ____ enclosed in parentheses.
a. year of publication and author’s last name
b. author’s last name
c. author’s last name and year of publication
d. year of publication

PTS: 1 REF: 541

16. Save broader generalizations and summaries for the report’s ____.
a. appendixes c. conclusion
b. introduction d. discussion

PTS: 1 REF: 541

17. The report’s ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements.
a. abstract c. introduction
b. conclusion d. reference

PTS: 1 REF: 541

18. If necessary, you can include ____ containing material such as raw data, figures not used in the body of the report, and anticipated exhibits.
a. conclusions c. references
b. discussions d. appendixes

PTS: 1 REF: 542

19. Reports and logs generated by forensic tools are typically in plaintext format, a word processor format, or ____ format.
a. PDF c. PS
b. HTML d. TXT

PTS: 1 REF: 543

20. Files with extensions .ods and ____ are created using OpenOffice Calc.
a. .sxc c. .dcx
b. .xls d. .qpr

PTS: 1 REF: 543

21. Files with extension ____ are created using Microsoft Outlook Express.
a. .sxc c. .dbx
b. .doc d. .ods

PTS: 1 REF: 543

COMPLETION

1. Lawyers use services called _________________________ (libraries), which store examples of expert witnesses’ previous testimony.

2. The report body consists of the introduction and _________________________ sections.

3. When writing a report, _________________________ means the tone of language you use to address the reader.

4. _________________________ assist readers in scanning the text quickly by highlighting the main points and logical development of information.

5. The ______________________________ system is frequently used when writing pleadings.

MATCHING

Match each item with a statement below
a. Decimal numbering f. Verbal report
b. Lay witness g. Spoliation
c. FTK h. Conclusion section
d. Examination plan i. MD5
e. Signposts

1. draw reader’s attention to a point in your report.

2. a report layout system

3. used by an attorney to guide an expert witness in his or her testimony

4. computer forensics software tool

5. lawyers jargon for destroying or concealing evidence

6. stands for Message Digest 5

7. typically takes place in an attorney’s office where the attorney requests your consultant’s report

8. starts by referring to the report’s purpose, states the main points, draws conclusions, and possibly renders an opinion

9. a witness testifying to personally observed facts

SHORT ANSWER

1. What are the report requirements for civil cases as specified on Rule 26, FRCP?

2. Briefly explain how to limit your report to specifics.

3. What are the areas of investigation usually addressed by a verbal report?

4. Explain how hypothetical questions can be used to ensure that you as a witness are basing your opinion on facts expected to be supported by evidence.

5. What are the four conditions required for an expert witness to testify to an opinion or conclusion?

6. What is the basic structure of a report?

7. Provide some guidelines for writing an introduction section for a report.

8. What do you need to consider to produce clear, concise reports?

9. Explain how to use supportive material on a report.

10. How should you explain examination and data collection methods?

Chapter 15: Expert Testimony in High-Tech Investigations

TRUE/FALSE

1. As an expert witness, you have opinions about what you have found or observed.

PTS: 1 REF: 558

2. Create a formal checklist of your procedures that’s applied to all your cases or include such a checklist in your report.

PTS: 1 REF: 559

3. As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.

PTS: 1 REF: 559

4. Like a job resume, your CV should be geared for a specific trial.

PTS: 1 REF: 561

5. Part of what you have to deliver to the jury is a person they can trust to help them figure out something that’s beyond their expertise.

PTS: 1 REF: 565

MULTIPLE CHOICE

1. When cases go to trial, you as a forensics examiner can play one of ____ roles.
a. 2 c. 4
b. 3 d. 5

PTS: 1 REF: 558

2. When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
a. technical/scientific c. lay witness
b. expert d. deposition

PTS: 1 REF: 558

3. Validate your tools and verify your evidence with ____ to ensure its integrity.
a. hashing algorithms c. steganography
b. watermarks d. digital certificates

PTS: 1 REF: 559

4. For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you’re constantly enhancing your skills through training, teaching, and experience.
a. testimony c. examination plan
b. CV d. deposition

PTS: 1 REF: 561

5. If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training.
a. 2 c. 4
b. 3 d. 5

PTS: 1 REF: 561

6. ____ is a written list of objections to certain testimony or exhibits.
a. Defendant c. Plaintiff
b. Empanelling the jury d. Motion in limine

PTS: 1 REF: 562

7. Regarding a trial, the term ____ means rejecting potential jurors.
a. voir dire c. strikes
b. rebuttal d. venireman

PTS: 1 REF: 563

8. ____ from both plaintiff and defense is an optional phase of the trial. Generally, it’s allowed to cover an issue raised during cross-examination.
a. Rebuttal c. Closing arguments
b. Plaintiff d. Opening statements

PTS: 1 REF: 563

9. If a microphone is present during your testimony, place it ____ to eight inches from you.
a. 3 c. 5
b. 4 d. 6

PTS: 1 REF: 565

10. Jurors typically average just over ____ years of education and an eighth-grade reading level.
a. 9 c. 11
b. 10 d. 12

PTS: 1 REF: 565

11. ____ is an attempt by opposing attorneys to prevent you from serving on an important case.
a. Conflict of interest c. Deposition
b. Warrant d. Conflicting out

PTS: 1 REF: 568

12. ____ evidence is evidence that exonerates or diminishes the defendant’s liability.
a. Rebuttal c. Inculpatory
b. Plaintiff d. Exculpatory

PTS: 1 REF: 569

13. You provide ____ testimony when you answer questions from the attorney who hired you.
a. direct c. examination
b. cross d. rebuttal

PTS: 1 REF: 569

14. The ____ is the most important part of testimony at a trial.
a. cross-examination c. rebuttal
b. direct examination d. motions in limine

PTS: 1 REF: 569

15. Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony.
a. setup c. compound
b. open-ended d. rapid-fire

PTS: 1 REF: 569

16. Leading questions such as “Isn’t it true that forensics experts always destroy their handwritten notes?” are referred to as ____ questions.
a. hypothetical c. setup
b. attorney d. nested

PTS: 1 REF: 570

17. Sometimes opposing attorneys ask several questions inside one question; this practice is called ____ questions.
a. leading c. compound
b. hypothetical d. rapid-fire

PTS: 1 REF: 571

18. A ____ differs from a trial testimony because there is no jury or judge.
a. rebuttal c. civil case
b. plaintiff d. deposition

PTS: 1 REF: 573

19. There are two types of depositions: ____ and testimony preservation.
a. examination c. direct
b. discovery d. rebuttal

PTS: 1 REF: 573

20. Discuss any potential problems with your attorney ____ a deposition.
a. before c. during
b. after d. during direct examination at

PTS: 1 REF: 574

21. A(n) ____ hearing generally addresses the administrative agency’s subject matter and seeks evidence in your testimony on a subject for which it’s contemplating making a rule.
a. administrative c. legislative
b. judicial d. direct

PTS: 1 REF: 575

COMPLETION

1. The ______________________ of evidence supports the integrity of your evidence.

2. Depending on your attorney’s needs, you might provide only your opinion and technical expertise to him or her instead of testifying in court; this role is called a(n) _______________________.

3. _____________________ is a pretrial motion to exclude certain evidence because it would prejudice the jury.

4. At a trial, _____________________ are statements that organize the evidence and state the applicable law.

5. The purpose of the _____________________ is for the opposing attorney to preview your testimony before trial.

MATCHING

Match each item with a statement below
a. Plaintiff f. CV
b. Motion in limine g. Testimony preservation deposition
c. Voir dire of venireman h. Voir dire
d. Opening statements i. MD5
e. Discovery deposition

1. part of the discovery process for trial

2. presents the case during a trial

3. provide an overview of the case during a trial

4. questioning potential jurors to see whether they’re qualified

5. usually requested by your client to preserve your testimony in case of schedule conflicts or health problems

6. a hashing algorithm

7. lists your professional experience

8. an expert witness qualification phase

9. allows the judge to decide whether certain evidence should be admitted when the jury isn’t present

SHORT ANSWER

1. What are the differences between a technical or scientific witness and an expert witness?

2. What should you do when preparing for testimony?

3. What are some of the questions you should consider when preparing your testimony?

4. What are some of the technical definitions that you should prepare before your testimony?

5. What are some of the reasons to avoid contact with news media during a case?

6. What are the procedures followed during a trial?

7. What should you do when you find exculpatory evidence?

8. How can you deal with rapid-fire questions during a cross-examination?

9. Explain the differences between discovery deposition and testimony preservation deposition.

10. Briefly describe judicial hearings.

Chapter 16: Ethics for the Expert Witness

TRUE/FALSE

1. People need ethics to help maintain their balance, especially in difficult and contentious situations.

PTS: 1 REF: 596

2. In the United States, there’s no state or national licensing body for computer forensics examiners.

PTS: 1 REF: 597

3. Experts should be paid in full for all previous work and for the anticipated time required for testimony.

PTS: 1 REF: 600

4. Expert opinions cannot be presented without stating the underlying factual basis.

PTS: 1 REF: 601

5. The American Bar Association (ABA) is a licensing body.

PTS: 1 REF: 603

MULTIPLE CHOICE

1. The most important laws applying to attorneys and witnesses are the ____.
a. professional codes of conduct c. rules of evidence
b. rules of ethics d. professional ethics

PTS: 1 REF: 597

2. Computer forensics examiners have two roles: scientific/technical witness and ____ witness.
a. expert c. discovery
b. direct d. professional

PTS: 1 REF: 597

3. Attorneys search ____ for information on expert witnesses.
a. disqualification banks c. examination banks
b. deposition banks d. cross-examination banks

PTS: 1 REF: 598

4. ____ questions can give you the factual structure to support and defend your opinion.
a. Setup c. Rapid-fire
b. Compound d. Hypothetical

PTS: 1 REF: 601

5. FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
a. 702 c. 704
b. 703 d. 705

PTS: 1 REF: 601

6. FRE ____ describes whether basis for the testimony is adequate.
a. 700 c. 702
b. 701 d. 703

PTS: 1 REF: 601

7. The ABA’s ____ contains provisions limiting the fees experts can receive for their services.
a. Code 703 c. Rule 26
b. Model Code d. Code 26-1.a

PTS: 1 REF: 603

8. The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients.
a. ISFCE c. ABA
b. IACIS d. HTCIA

PTS: 1 REF: 603

9. ____ are the experts who testify most often.
a. Civil engineers c. Chemical engineers
b. Computer forensics experts d. Medical professionals

PTS: 1 REF: 604

10. ____ offers the most comprehensive regulations of any professional organization and devote an entire section to forensics activities.
a. AMA’s law c. APA’s Ethics Code
b. ABA’s Model Rule d. ABA’s Model Codes

PTS: 1 REF: 605

11. The ____ Ethics Code cautions psychologists about the limitations of assessment tools.
a. ABA’s c. AMA’s
b. APA’s d. ADA’s

PTS: 1 REF: 605

COMPLETION

1. _____________________ are the rules you internalize and use to measure your performance.

2. _____________________ are standards that others apply to you or that you are compelled to adhere to by external forces, such as licensing bodies.

3. Some attorneys contact many experts as a ploy to disqualify them or prevent opposing counsel from hiring them; this practice is called “____________________.”

4. The ____________________ is the foundation of medical ethics.

5. For psychologists, the most broadly accepted set of guidelines governing their conduct as experts is the _____________________ (APA’s) Ethical Principles of Psychologists and Code of Conduct.

MATCHING

Match each item with a statement below:
a. Ethics c. Disqualification
b. Federal Rules of Evidence (FRE) d. IACIS

1. provides a well-defined, simple guide for expected behavior of computer forensics examiners

2. prescribe the methods by which experts appear at trial

3. one of the effects of violating court rules or laws

4. help you maintain your self-respect and the respect of your profession

SHORT ANSWER

1. Briefly describe the issues related to an attorney’s “opinion shopping.”

2. What are some of the factors courts have used in determining whether to disqualify an expert?

3. Describe some of the traps for unwary experts.

4. What are some of the most obvious ethical errors?

5. What are some of the guidelines included in the ISFCE code of ethics?

6. What are some of the requirements included in the HTCIA core values?

7. What are some of standards for IACIS members that apply to testifying?

8. What are the five recommendations set out by the AMA’s policy on expert witness testimony?

9. Why is it difficult to enforce any professional organization’s ethical guidelines?

10. What are the ethical responsibilities owed to you by your attorney?

CIS 562 Week 4 Case Study 1 – Strayer University NEW

CIS/562 Week 4 Case Study 1 – Strayer NEW

Click On The Link Below To Purchase A+ Graded Material
Instant Download

http://www.hwgala.com/CIS-562-Week-4-Case-Study-1-Strayer-NEW-CIS562W4C.htm

 

Case Study 1: Attacking More Than Just the Enterprise

Suppose you are a security director for a consulting firm that implements, secures, investigates, and supports point-of-sale (POS) for small and medium businesses (SMBs) in the retail industry.

Read the article titled, “Verizon DBIR 2012: Automated large-scale attacks taking down SMBs” located at the following SearchSecurity link: http://searchsecurity.techtarget.com.au/news/2240147412/Verizon-DBIR-2012-Automated-large-scale-attacks-taking-down-SMBs.

Write a three to four (3-4) page paper in which you:
1. Evaluate the recent trend toward attacking small and medium businesses and identify the benefits that these types of businesses have which attract attackers.
2. Compare and contrast the digital forensic operations of small-sized companies to large companies in terms of costs, personnel, inexperience, naivety, etc.
3. Explain the common purpose of attacks on point-of-sale (POS) systems and identify why you as a security professional would have cause for concern for your customers’ POS systems.
4. Assess why and how these POS systems have become a prime target for hacking groups.
5. Examine the forensics challenges that exist for investigations on POS systems.
6. Use at least two (2) quality resources in this assignment other than the article linked above. Note: Wikipedia and similar Websites do not qualify as quality resources.

Your assignment must follow these formatting requirements:
• Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
• Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.

CIS 562 Week 5 Assignment 2 – Strayer University NEW

CIS/562 Week 5 Assignment 2 – Strayer NEW

Click On The Link Below To Purchase A+ Graded Material
Instant Download

http://www.hwgala.com/CIS-562-Assignment-2-Strayer-NEW-CIS562A2.htm

 

Assignment 2: Data Acquisition Lecture

This assignment consists of two (2) parts: a written paper and a PowerPoint presentation. You must submit both parts as separate files for the completion of this assignment. Label each file name according to the section of the assignment it is written for. Additionally, you may create and / or assume all necessary assumptions needed for the completion of this assignment.

Imagine you’ve been sought out as a guest lecturer at a local university for a computer forensics course. You have been asked to prepare a paper for the students, as well as a PowerPoint presentation, regarding data acquisition in a forensics investigation.

Part 1: Written Paper
1. Write a four to five (4-5) page paper in which you:
a. Analyze the four (4) methods of data acquisition to determine how an investigator selects the appropriate method to use in a given situation.
b. Determine how an investigator can plan for hardware, software, and / or general failures during data acquisition.
c. Justify the necessity of validating data acquisition and determine the negative effects on an investigation if this step is not performed.
d. Describe the acquisition procedures and tools for Windows and Linux data acquisitions.
e. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.

Your assignment must follow these formatting requirements:
• Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
• Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
Part 2: PowerPoint Presentation
Use Microsoft PowerPoint or an open source alternative, such as OpenOffice, to:
2. Create a five to ten (5-10) slide PowerPoint presentation in which you:
a. Summarize the concepts from your written paper in Part 1 of this assignment for the lecture you would give to the class regarding data acquisition in a forensics investigation.
b. Use a professional technically written style to graphically convey the information.

CIS 562 Week 7 Case Study 2 – Strayer University New

CIS/562 Week 7 Case Study 2 – Strayer New

Click On The Link Below To Purchase A+ Graded Material
Instant Download

http://www.hwgala.com/CIS-562-Week-7-Case-Study-2-Strayer-New-CIS562W7C.htm

 

Case Study 2: Forced Decryption Ruled Unconstitutional

Read the article titled, “U.S. Courts Rule For–and Against–Protecting a Suspect’s Hard Drives” located at the following IEEE Spectrum link: http://spectrum.ieee.org/riskfactor/computing/it/us-courts-rule-for-and-against-protecting-a-suspects-hard-drives

Write a three to four (3-4) page paper in which you:
1. Analyze the decision by the 11th U.S. Circuit of Appeals to determine whether you believe the decision rendered was correct or incorrect based on the evidence suspected by the government.
2. Evaluate the effect of this ruling on forensic investigations from a forensics standpoint and determine whether or not you would consider this an “open door” for criminal activity. Justify your answer.
3. Take a position on whether or not you believe technology is moving too fast for the judicial system. Suggest at least two (2) improvements that the courts can make in order to catch up and / or keep up with the advancements in technology issues and crimes.
4. Use at least two (2) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.

Your assignment must follow these formatting requirements:
• Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
• Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.