True or False? Which of the following is true of most drive-imaging tools? They ensure that the original drive doesn't become corrupt and damage the digital evidence and they create a copy of the original drive. True or False? False A live acquisition is considered an acceptable practice in digital forensics. Building a forensic workstation is more expensive than purchasing one. What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller? It enables you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive. True or False? False The verification function does which of the following? Proves that two sets of data are identical via hash values. True or False? False Hash values are used for which of the following purposes? Filtering known good files from potentially suspicious data and validating that the original data hasn't changed In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False? True Hashing, filtering, and file header analysis make up which function of digital forensic tools? Validation and verification Hardware acquisition tools typically have built-in software for data analysis? True or False? False The reconstruction function is needed for which of the following purposes? Re-create a suspect drive to show what happened, create a copy of a drive for other investigators, and recover file headers List three subfunctions of the extraction function data viewing, keyword searching, decompressing and compressing, carving, decrypting, and bookmarking or tagging Data can't be written to a disk with a command-line tool. Command line and GUI According to ISO standard 27037, which of the following is an important factor in data acquisition? 
The DEFR's competency and use of validated tools One reason to choose logical acquisition is an encrypted drive. Forensic software tools are grouped into _ and _ applications. The second component stores the number of clusters assigned to the data run, and the third component contains the starting cluster address value (the LCN or the VCN). True or False? True EFS can encrypt which of the following? files, folders, and volumes What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? the file is unencrypted automatically What are the functions of a data run's field components in an MFT record? Data runs have three components: the first declares how many bytes are required in the attribute field to store the number of bytes needed for the second and third components. An image of a suspect drive can be loaded on a virtual machine. Which of the following Windows 8 files contains user-specific information? Ntuser.dat Virtual machines have which of the following limitations when running on a host computer? Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. Device drivers contain what kind of information? Instructions for the OS on how to interface with hardware devices. Why was EFI boot firmware developed? Provides better protection from malware than what the BIOS gives. The first VCN for a nonresident file is listed as 0. If a file has become fragmented, it can have two or more VCNs. True or False? True In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive? No data from RAM is copied to RAM slack on a disk drive What's a virtual cluster number? It represents the assigned clusters of files that are nonresident in the MFT. What does MFT stand for? Master File Table In NTFS, files smaller than 512 bytes are stored in the MFT. NTFS uses Unicode, an international data format. 
With NTFS you had more control over files and folders (directories) than with FAT file systems. It provides more information about a file, including security features, file ownership, and other file attributes. List two features NTFS has that FAT does not.