CIS 562 Week 5 Midterm Exam – Strayer University NEW

CIS/562 Week 5 Midterm Exam – Strayer NEW

Click On The Link Below To Purchase A+ Graded Material
Instant Download


Chapters 1 Through 6

Chapter 1: Computer Forensics and Investigations as a Profession


1. By the 1970s, electronic crimes were increasing, especially in the financial sector.

2. To be a successful computer forensics investigator, you must be familiar with more than one computing platform.

3. Computer investigations and forensics fall into the same category: public investigations.

4. The law of search and seizure protects the rights of all people, excluding people suspected of crimes.

5. After a judge approves and signs a search warrant, it’s ready to be executed, meaning you can collect evidence as defined by the warrant.


1. The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence.
a. Federal Rules of Evidence (FRE)
b. Department of Defense Computer Forensics Laboratory (DCFL)
d. Computer Analysis and Response Team (CART)

2. ____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
a. Data recovery c. Computer forensics
b. Network forensics d. Disaster recovery

3. ____ involves preventing data loss by using backups, uninterruptible power supply (UPS) devices, and off-site monitoring.
a. Computer forensics c. Disaster recovery
b. Data recovery d. Network forensics

4. The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.
a. network intrusion detection c. incident response
b. computer investigations d. litigation

5. By the early 1990s, the ____ introduced training on software for forensics investigations.

6. In the Pacific Northwest, ____ meets monthly to discuss problems that law enforcement and corporations face.

7. In a ____ case, a suspect is tried for a criminal offense, such as burglary, murder, or molestation.
a. corporate c. criminal
b. civil d. fourth amendment

8. In general, a criminal case follows three stages: the complaint, the investigation, and the ____.
a. litigation c. blotter
b. allegation d. prosecution

9. Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
a. litigation c. blotter
b. allegation d. prosecution

10. In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.
a. blotter c. litigation report
b. exhibit report d. affidavit

11. It’s the investigator’s responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.
a. litigation c. exhibits
b. prosecution d. reports

12. The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.
a. notarized c. recorded
b. examined d. challenged

13. Published company policies provide a(n) ____ for a business to conduct internal investigations.
a. litigation path c. line of allegation
b. allegation resource d. line of authority

14. A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
a. warning banner c. line of authority
b. right of privacy d. right banner

15. A(n) ____ is a person using a computer to perform routine tasks other than systems administration.
a. complainant c. end user
b. user banner d. investigator

16. Without a warning banner, employees might have an assumed ____ when using a company’s computer systems and network accesses.
a. line of authority c. line of privacy
b. right of privacy d. line of right

17. In addition to warning banners that state a company’s rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations.
a. authorized requester c. line of right
b. authority of line d. authority of right

18. Most computer investigations in the private sector involve ____.
a. e-mail abuse c. Internet abuse
b. misuse of computing assets d. VPN abuse

19. Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer.
a. silver-tree c. silver-platter
b. gold-tree d. gold-platter

20. Your ____ as a computer investigation and forensics analyst is critical because it determines your credibility.
a. professional policy c. line of authority
b. oath d. professional conduct

21. Maintaining ____ means you must form and sustain unbiased opinions of your cases.
a. confidentiality c. integrity
b. objectivity d. credibility


1. ____________________ involves obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases.

2. The ____________________ to the U.S. Constitution (and each state’s constitution) protects everyone’s rights to be secure in their person, residence, and property from search and seizure.

3. The term ____________________ refers to large corporate computing systems that might include disparate or formerly independent systems.

4. When you work in the ____________________ group, you test and verify the integrity of standalone workstations and network servers.

5. The ____________________ provides a record of clues to crimes that have been committed previously.


Match each item with a statement below:
a. Computer forensics f. HTCIA
b. Network forensics g. Affidavit
c. Litigation h. Industrial espionage
d. Xtree Gold i. Line of authority
e. Case law

1. the legal process of proving guilt or innocence in court

2. recognizes file types and retrieves lost or deleted files

3. investigates data that can be retrieved from a computer’s hard disk or other storage media

4. sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence

5. allows legal counsel to use previous cases similar to the current one because the laws don’t yet exist

6. specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence

7. organization that exchanges information about techniques related to computer investigations and security

8. yields information about how a perpetrator or an attacker gained access to a network

9. involves selling sensitive or confidential company information to a competitor


1. Briefly describe the triad that makes up computer security.

2. Briefly describe the main characteristics of public investigations.

3. Briefly describe the main characteristics of private investigations.

4. What questions should an investigator ask to determine whether a computer crime was committed?

5. What are the three levels of law enforcement expertise established by CTIN?

6. What are some of the most common types of corporate computer crime?

7. What is embezzlement?

8. Briefly describe corporate sabotage.

9. What text can be used in internal warning banners?

10. Mention examples of groups that should have direct authority to request computer investigations in the corporate environment.

Chapter 2: Understanding Computer Investigations


1. Chain of custody is also known as chain of evidence.

2. Employees surfing the Internet can cost companies millions of dollars.

3. You cannot use both multi-evidence and single-evidence forms in your investigation.

4. Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data.

5. A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible.


1. The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court.
a. acquisition plan c. evidence path
b. chain of custody d. evidence custody

2. When preparing a case, you can apply ____ to problem solving.
a. standard programming rules c. standard systems analysis steps
b. standard police investigation d. bottom-up analysis

3. The list of problems you normally expect in the type of case you are handling is known as the ____.
a. standard risk assessment c. standard problems form
b. chain of evidence d. problems checklist form

4. The basic plan for your investigation includes gathering the evidence, establishing the ____, and performing the forensic analysis.
a. risk assessment c. chain of custody
b. nature of the case d. location of the evidence

5. A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence.
a. evidence custody form c. initial investigation form
b. risk assessment form d. evidence handling form

6. Use ____ to secure and catalog the evidence contained in large computer components.
a. Hefty bags c. paper bags
b. regular bags d. evidence bags

7. ____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab.
a. An antistatic wrist band c. An antistatic pad
b. Padding d. Tape

8. ____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats.
a. VPN c. E-mail
b. Internet d. Phone

9. To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____.
a. mobile workstation c. forensic lab
b. forensic workstation d. recovery workstation

10. You can use ____ to boot to Windows without writing any data to the evidence disk.
a. a SCSI boot up disk c. a write-blocker
b. a Windows boot up disk d. Windows XP

11. To begin conducting an investigation, you start by ____ the evidence using a variety of methods.
a. copying c. opening
b. analyzing d. reading

12. A ____ is a bit-by-bit copy of the original storage medium.
a. preventive copy c. backup copy
b. recovery copy d. bit-stream copy

13. A bit-stream image is also known as a(n) ____.
a. backup copy c. custody copy
b. forensic copy d. evidence copy

14. To create an exact image of an evidence disk, copying the ____ to a target work disk that’s identical to the evidence disk is preferable.
a. removable copy c. bit-stream image
b. backup copy d. backup image

15. ____ from Technology Pathways is a forensics data analysis tool. You can use it to acquire and analyze data from several different file systems.
a. Guidance EnCase c. DataArrest SnapCopy
b. NTI SafeBack d. ProDiscover Basic

16. Forensics tools such as ____ can retrieve deleted files for use as evidence.
a. ProDiscover Basic c. FDisk
b. ProDelete d. GainFile

17. When analyzing digital evidence, your job is to ____.
a. recover the data c. copy the data
b. destroy the data d. load the data

18. ____ can be the most time-consuming task, even when you know exactly what to look for in the evidence.
a. Evidence recovery c. Data analysis
b. Data recovery d. Evidence recording

19. When you write your final report, state what you did and what you ____.
a. did not do c. wanted to do
b. found d. could not do

20. In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____.
a. checked values c. evidence backup
b. verification d. repeatable findings

21. After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____.
a. critique the case c. present the case
b. repeat the case d. read the final report


1. When you are dealing with password protected files, you might need to acquire ____________________ or find an expert who can help you crack the passwords.

2. During the ____________________ design or approach to the case, you outline the general steps you need to follow to investigate the case.

3. A(n) ____________________ lists each piece of evidence on a separate page.

4. A(n) ____________________ is usually conducted to collect information from a witness or suspect about specific facts related to an investigation.

5. A(n) ____________________ is where you conduct your investigations and where most of your equipment and software are located, including the secure evidence containers.


Match each item with a statement below
a. FTK’s Internet Keyword Search f. Norton DiskEdit
b. Data recovery g. MS-DOS 6.22
c. Free space h. Multi-evidence form
d. Interrogation i. Self-evaluation
e. Forensic workstation

1. an essential part of professional growth

2. extracts all related e-mail address information for Web-based e-mail investigations

3. process of trying to get a suspect to confess to a specific incident or crime

4. a type of evidence custody form

5. also known as a computer forensics workstation

6. is the more well-known and lucrative side of the computer forensics business

7. can be used for new files that are saved or files that expand as data is added to them

8. the least intrusive (in terms of changing data) Microsoft operating system

9. an older computer forensics tool


1. What should you do to handle evidence contained in large computer components?

2. What is required to conduct an investigation involving Internet abuse?

3. What is required to conduct an investigation involving e-mail abuse?

4. What are the differences between computer forensics and data recovery?

5. Describe some of the technologies used with hardware write-blocker devices. Identify some of the more commonly used vendors and their products.

6. What are the items you need when setting up your workstation for computer forensics?

7. What additional items are useful when setting up a forensic workstation?

8. What items are needed when gathering the resources you identified in your investigation plan?

9. Describe the process of creating a bit-stream copy of an evidence disk.

10. Mention six important questions you should ask yourself when critiquing your work.

Chapter 3: The Investigator’s Office and Laboratory


1. Performing a forensic analysis of a disk 200 GB or larger can take several days and often involves running imaging software overnight and on weekends.

2. Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses.

3. If damage occurs to the floor, walls, ceilings, or furniture on your computer forensics lab, it does not need to be repaired immediately.

4. A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.

5. Computing systems in a forensics lab should be able to process typical cases in a timely manner.


1. A ____ is where you conduct your investigations, store evidence, and do most of your work.
a. forensic workstation c. storage room
b. computer forensics lab d. workbench

2. Lab costs can be broken down into daily, ____, and annual expenses.
a. weekly c. bimonthly
b. monthly d. quarterly

3. ____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
a. HTCN reports c. Uniform crime reports
b. IDE reports d. ASCLD reports

4. Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Windows File System.
a. NTFS c. FAT24
b. ext3 d. ext2

5. ____ was created by police officers who wanted to formalize credentials in computing investigations.

6. IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer forensics.
a. 2 c. 4
b. 3 d. 5

7. What HTCN certification level requires candidates have three years of investigative experience in any discipline from law enforcement or corporate or have a college degree with one year of experience in investigations?
a. Certified Computer Crime Investigator, Basic Level
b. Certified Computer Crime Investigator, Advanced Level
c. Certified Computer Forensic Technician, Basic
d. Certified Computer Forensic Technician, Advanced

8. To preserve the integrity of evidence data, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.
a. secure workstation c. protected PC
b. secure workbench d. secure facility

9. The EMR from a computer monitor can be picked up as far away as ____ mile.
a. 1/4 c. 3/4
b. 1/2 d. 1

10. Defense contractors during the Cold War were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____.
b. RAID d. EMR

11. A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.
a. gypsum c. wood
b. steel d. expanded metal

12. Floors and carpets on your computer forensic lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.
a. once c. three times
b. twice d. four times

13. One way to investigate older and unusual computing systems is to keep track of ____ that still use these systems.
a. AICIS lists c. SIGs
b. uniform reports d. Minix

14. A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you’re analyzing.
a. disaster recovery c. configuration management
b. risk management d. security

15. You should have at least one copy of your backups on site and a duplicate copy or a previous copy of your backups stored in a safe ____ facility.
a. in-site c. off-site
b. storage d. online

16. In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery.
a. configuration management c. recovery logging
b. risk assessment d. change management

17. For labs using high-end ____ servers (such as Digital Intelligence F.R.E.D.C. or F.R.E.D.M.), you must consider methods for restoring large data sets.
a. RAID c. WAN

18. ____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.
a. Risk configuration c. Configuration management
b. Change management d. Risk management

19. Computing components are designed to last 18 to ____ months in normal business operations.
a. 24 c. 36
b. 30 d. 42

20. In the ____, you justify acquiring newer and better resources to investigate computer forensics cases.
a. risk evaluation c. configuration plan
b. business case d. upgrade policy

21. By using ____ to attract new customers or clients, you can justify future budgets for the lab’s operation and staff.
a. pricing c. budgeting
b. marketing d. changing


1. The ______________________________ provides guidelines for managing a forensics lab and for acquiring official crime-lab certification.

2. The lab ____________________ sets up processes for managing cases and reviews them regularly.

3. For daily work production, several examiners can work together in a large open area, as long as they all have ____________________ level of authority and access need.

4. ____________________ Chapter 5, Section 3 ( describes the characteristics of a safe storage container.

5. A(n) ____________________ plan ensures that you can restore your workstations and file servers to their original condition if a catastrophic failure occurs.


Match each item with a statement below
a. FireWire f. SIG
b. Guidance Software g. MAN
c. Business case h. Norton Ghost
d. F.R.E.D.C. i. Disaster recovery plan

1. sponsors the EnCE certification program

2. a high-end RAID server from Digital Intelligence

3. a plan you can use to sell your services to your management or clients

4. stands for Metropolitan Area Network

5. tool for directly restoring files

6. addresses how to restore a workstation you reconfigured for a specific investigation

7. ruled by the IEEE 1394B standard

8. can be a valuable source of support for recovering and analyzing uncommon systems

9. certification program that regulates how crime labs are organized and managed


1. What are the duties of a lab manager?

2. Provide a brief explanation of how to plan a lab budget.

3. What are the four levels of certification offered by HTCN?

4. What are the minimum requirements for a computer investigation and forensics lab?

5. Illustrate a proper way of disposing materials on your computer investigation lab.

6. Give a brief explanation of a computer forensics lab auditing process.

7. Briefly outline the process of selecting workstations for a police computer investigation lab.

8. What peripheral devices should be stocked in your computer forensics lab?

9. Discuss the use of a laptop PC as a forensic workstation.

10. What are the questions you need to ask when planning the justification step of a business case?

Chapter 4: Data Acquisition


1. One advantage with live acquisitions is that you are able to perform repeatable processes.

2. The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file.

3. Many acquisition tools don’t copy data in the host protected area (HPA) of a disk drive.

4. FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing.

5. Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.


1. For computer forensics, ____ is the task of collecting digital evidence from electronic media.
a. hashing c. lossy compression
b. data acquisition d. lossless compression

2. One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors’ computer forensics analysis tools.
a. proprietary c. AFF
b. raw d. AFD

3. Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
a. live c. real-time
b. online d. static

4. If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.
a. passive c. live
b. static d. local

5. The most common and flexible data-acquisition method is ____.
a. Disk-to-disk copy c. Disk-to-image file copy
b. Disk-to-network copy d. Sparse data copy

6. SafeBack and SnapCopy must run from a(n) ____ system.
a. UNIX c. Linux
b. MS-DOS d. Solaris

7. If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.
a. lossless c. sparse
b. disk-to-disk d. disk-to-image

8. Image files can be reduced by as much as ____% of the original.
a. 15 c. 30
b. 25 d. 50

9. Microsoft has recently added ____ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult.
a. whole disk encryption c. recovery wizards
b. backup utilities d. NTFS

10. Linux ISO images are referred to as ____.
a. ISO CDs c. Forensic Linux
b. Live CDs d. Linux in a Box

11. The ____ command displays pages from the online help manual for information on Linux commands and their options.
a. cmd c. inst
b. hlp d. man

12. The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
a. fdisk c. man
b. dd d. raw

13. The ____ command, works similarly to the dd command but has many features designed for computer forensics acquisitions.
a. raw c. dcfldd
b. bitcopy d. man

14. Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.
a. rcsum c. hashsum
b. shasum d. sha1sum

15. The ____ DOS program En.exe requires using a forensic MS-DOS boot floppy or CD and a network crossover cable.
a. ProDiscover c. DIBS USA
b. ILook d. EnCase

16. EnCase Enterprise is set up with an Examiner workstation and a Secure Authentication for EnCase (____) workstation
a. ILook c. Incident Response
b. SAFE d. Investigator

17. SnapBack DatArrest runs from a true ____ boot floppy.
a. UNIX c. Mac OS X
b. Linux d. MS-DOS

18. SnapBack DatArrest can perform a data copy of an evidence drive in ____ ways.
a. two c. four
b. three d. five

19. ____ is the only automated disk-to-disk tool that allows you to copy data to a slightly smaller target drive than the original suspect’s drive.
a. SafeBack c. SnapCopy
b. EnCase d. SMART

20. SafeBack performs a(n) ____ calculation for each sector copied to ensure data integrity
a. SHA-1 c. SHA-256
b. MC5 d. MC4

21. ____ has developed the Rapid Action Imaging Device (RAID) to make forensically sound disk copies.
a. DIBS USA c. ProDiscover
b. EnCase d. ILook


1. Bit-stream data to files copy technique creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a(n) ____________________ format.

2. ____________________ is the default format for acquisitions for Guidance Software EnCase.

3. Popular archiving tools, such as PKZip and WinZip, use an algorithm referred to as ____________________ compression.

4. Dr. Simson L. Garfinkel of Basis Technology Corporation recently developed a new open-source acquisition format called ____________________.

5. There are two types of acquisitions: static acquisitions and ____________________ acquisitions.


Match each item with a statement below
a. SafeBack f. fdisk -l
b. WinZip g. Lossy compression
c. Data acquisition h. Jaz disk
d. AFF i. EnCase
e. IXimager

1. shows the known drives connected to your computer

2. forensic tool developed by Guidance Software

3. example of a disk-to-disk copy maker tool

4. open source data acquisition format

5. used with .jpeg files to reduce file size and doesn’t affect image quality when the file is restored and viewed

6. ILook imaging tool

7. process of copying data

8. type of SCSI drive

9. example of a lossless compression tool


1. What are the advantages and disadvantages of using raw data acquisition format?

2. What are some of the features offered by proprietary data acquisition formats?

3. What are some of the design goals of AFF?

4. Explain the sparse data copy method for acquiring digital evidence.

5. What are the considerations you should have when deciding what data-acquisition method to use on your investigation?

6. Explain the use of hash algorithms to verify the integrity of lossless compressed data.

7. What are the advantages and disadvantages of using Windows acquisition tools?

8. What are the steps to update the Registry for Windows XP SP2 to enable write-protection with USB devices?

9. What are some of the main characteristics of Linux ISO images designed for computer forensics?

10. What are the requirements for acquiring data on a suspect computer using Linux?

Chapter 5: Processing Crime and Incident Scenes


1. ISPs can investigate computer abuse committed by their customers.

2. If a corporate investigator follows police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.

3. A judge can exclude evidence obtained from a poorly worded warrant.

4. The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene’s immediate location.

5. Corporate investigators always have the authority to seize all computers equipments during a corporate investigation.


1. Most federal courts have interpreted computer records as ____ evidence.
a. conclusive c. hearsay
b. regular d. direct

2. Generally, computer records are considered admissible if they qualify as a ____ record.
a. hearsay c. computer-generated
b. business d. computer-stored

3. ____ records are data the system maintains, such as system log files and proxy server logs.
a. Computer-generated c. Computer-stored
b. Business d. Hearsay

4. The FOIA was originally enacted in the ____.
a. 1940s c. 1960s
b. 1950s d. 1970s

5. Investigating and controlling computer incident scenes in the corporate environment is ____ in the criminal environment.
a. much easier than c. as difficult as
b. as easy as d. more difficult than

6. Every business or organization must have a well defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a ____ that a law or policy is being violated.
a. confirmed suspicion c. court order stating
b. proof d. reasonable suspicion

7. Confidential business data included with the criminal evidence are referred to as ____ data.
a. commingled c. public
b. exposed d. revealed

8. ____ is facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed.
a. Reasonable cause c. A subpoena
b. Probable cause d. A warrant

9. Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.
a. evidence custody form c. affidavit
b. FOIA form d. warrant

10. Environmental and ____ issues are your primary concerns when you’re working at the scene to gather information about an incident or a crime.
a. legal c. corporate
b. safety d. physical

11. When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to prevent a hard disk from overheating to prevent damage.
a. 80 c. 95
b. 90 d. 105

12. With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
a. bit-stream copy utility c. initial-response field kit
b. extensive-response field kit d. seizing order

13. A(n) ____ should include all the tools you can afford to take to the field.
a. initial-response field kit c. forensic lab
b. extensive-response field kit d. forensic workstation

14. Courts consider evidence data in a computer as ____ evidence.
a. physical c. virtual
b. invalid d. logical

15. Evidence is commonly lost or corrupted through ____, which involves police officers and other professionals who aren’t part of the crime scene processing team.
a. onlookers c. FOIA laws
b. HAZMAT teams d. professional curiosity

16. When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data.
a. Homeland Security Department c. U.S. DoJ
b. Patriot Act d. U.S. DoD

17. During an investigation involving a live computer, do not cut electrical power to the running system unless it’s an older ____ or MS-DOS system.
a. Windows XP c. Windows NT
b. Windows 9x d. Windows Me

18. Certain files, such as the ____ and Security log in Windows XP, might lose essential network activity records if the power is terminated without a proper shutdown.
a. Password log c. Io.sys
b. Word log d. Event log

19. One technique for extracting evidence from large systems is called ____.
a. RAID copy c. large evidence file recovery
b. RAID imaging d. sparse acquisition

20. Real-time surveillance requires ____ data transmissions between a suspect’s computer and a network server.
a. poisoning c. blocking
b. sniffing d. preventing

21. The most common computer-related crime is ____.
a. homicide c. car stealing
b. check fraud d. sniffing


1. _____________________ can be any information stored or transmitted in digital form.

2. Private-sector organizations include businesses and _________________________ that aren’t involved in law enforcement.

3. If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have a(n) _________________________.

4. When an investigator finds a mix of information, judges often issue a(n) _________________________ to the warrant, which allows the police to separate innocent information from evidence.

5. Some computer cases involve dangerous settings. For these types of investigations, you must rely on the skills of _________________________ teams to recover evidence from the scene.


Match each item with a statement below
a. Innocent information f. Low-level investigations
b. AFIS g. Hearsay
c. EnCase Enterprise Edition h. Spector

1. covert surveillance product

2. you should rely on this when dealing with a terrorist attack

3. secondhand or indirect evidence, such as an overheard conversation

4. what most cases in the corporate environment are considered

5. agencies must comply with these laws and make documents they find and create available as public records

6. sets standards for recovering, preserving, and examining digital evidence

7. fingerprints can be tested with these systems

8. information unrelated to a computing investigation case

9. a data-collecting tool


1. Why should companies publish a policy stating their right to inspect computing assets at will?

2. Illustrate with an example the problems caused by commingled data.

3. Briefly describe the process of obtaining a search warrant.

4. What is the plain view doctrine?

5. How can you determine who is in charge of an investigation?

6. Describe the process of preparing an investigation team.

7. How can you secure a computer incident or crime scene?

8. Give some guidelines on how to video record a computer incident or crime scene.

9. Describe how to use a journal when processing a major incident or crime scene.

10. What should you do when working on an Internet investigation and the suspect’s computer is on?

Chapter 6: Working with Windows and DOS Systems


1. The type of file system an OS uses determines how data is stored on the disk.

2. One way to examine a partition’s physical level is to use a disk editor, such as Norton DiskEdit, WinHex, or Hex Workshop.

3. As data is added, the MFT can expand to take up 75% of the NTFS disk.

4. The first 5 bytes (characters) for all MFT records are MFTR0.

5. Data streams can obscure valuable evidentiary data, intentionally or by coincidence.


1. A ____ is a column of tracks on two or more disk platters.
a. cylinder c. track
b. sector d. head

2. ____ is how most manufacturers deal with a platter’s inner tracks being shorter than its outer tracks.
a. Head skew c. ZBR
b. Cylinder skew d. Areal density

3. ____ refers to the number of bits in one square inch of a disk platter.
a. Head skew c. Cylinder skew
b. Areal density d. ZBR

4. ____ is the file structure database that Microsoft originally designed for floppy disks.
b. FAT32 d. FAT

5. ____ was introduced when Microsoft created Windows NT and is the primary file system for Windows Vista.
a. FAT32 c. NTFS

6. On an NTFS disk, immediately after the Partition Boot Sector is the ____.
a. FAT c. MBR
b. HPFS d. MFT

7. Records in the MFT are referred to as ____.
a. hyperdata c. inodes
b. metadata d. infodata

8. In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.
a. 1024 c. 2048
b. 1512 d. 2512

9. The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition. These cluster addresses are referred to as ____.
a. virtual runs c. metaruns
b. metada d. data runs

10. When Microsoft introduced Windows 2000, it added built-in encryption to NTFS called ____.
a. EFS c. LZH
b. VFAT d. RAR

11. The purpose of the ____ is to provide a mechanism for recovering encrypted files under EFS if there’s a problem with the user’s original private key.
a. certificate escrow c. administrator certificate
b. recovery certificate d. root certificate

12. When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____.
a. IniRecord c. Registry
b. Inidata d. Metadata

13. ____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version.
a. Boot.ini c.
b. BootSec.dos d. NTBootdd.sys

14. ____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to NTLDR.
a. Hal.dll c.
b. Boot.ini d. BootSect.dos

15. ____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS.
a. Hal.dll c. Boot.ini
b. NTBootdd.sys d. Ntoskrnl.exe

16. ____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %system-root%\Windows\System32\Drivers folder.
a. Hal.dll c. Ntoskrnl.exe
b. Pagefile.sys d. Device drivers

17. ____ is a hidden text file containing startup options for Windows 9x.
a. Pagefile.sys c. Msdos.sys
b. Hal.dll d. Ntoskrnl.exe

18. The ____ file provides a command prompt when booting to MS-DOS mode (DPMI).
a. Io.sys c. Config.sys
b. Autoexec.bat d.

19. ____ is a text file containing commands that typically run only at system startup to enhance the computer’s DOS configuration.
a. Autoexec.bat c. BootSect.dos
b. Config.sys d. Io.sys

20. ____ is a batch file containing customized settings for MS-DOS that runs automatically.
a. Autoexec.bat c. Io.sys
b. Config.sys d.

21. A ____ allows you to create a representation of another computer on an existing physical computer.
a. virtual file c. logic machine
b. logic drive d. virtual machine


1. ____________________ refers to a disk’s structure of platters, tracks, and sectors.

2. In Microsoft file structures, sectors are grouped to form ____________________, which are storage allocation units of one or more sectors.

3. On Windows and DOS computer systems, the ____________________ stores information about partitions on a disk and their locations, size, and other important items.

4. Drive slack includes RAM slack (found primarily in older Microsoft OSs) and ____________________ slack.

5. On an NTFS disk, the first data set is the ____________________, which starts at sector [0] of the disk.


Match each item with a statement below:
a. File system f. NTFS
b. Tracks g. Unicode
c. Track density h. Data streams
d. Partition gap i. BitLocker
e. Drive slack

1. Microsoft’s move toward a journaling file system

2. the space between each track

3. ways data can be appended to existing files

4. the unused space between partitions

5. an international data format

6. Microsoft’s utility for protecting drive data

7. gives an OS a road map to data on a disk

8. unused space in a cluster between the end of an active file and the end of the cluster

9. concentric circles on a disk platter where data is located


1. How can you make sure a subject’s computer boots to a forensic floppy disk or CD?

2. What are some of the components of a disk drive?

3. How are disk clusters numbered by Microsoft file structures?

4. Summarize the evolution of FAT versions.

5. Briefly describe how to delete FAT files.

6. What are logical cluster numbers (LCNs)?

7. Briefly explain NTFS compressed files.

8. What are some of the features offered by current whole disk encryption tools?

9. What are BitLocker’s current hardware and software requirements?

10. Describe some of the open source whole disk encryption tools.