Windows Registry and Forensics
Linux Forensics Tools
Media Files and Data Compression
Managing Digital Investigations
Testifying and Reporting
200

Hilda has been asked to examine the suspect's computer registry for information that might be useful in her company's latest investigation. Why is examining the registry important to Hilda's examination?

    a. It's a database containing system and user information.

    b. It's a database where data files are kept.

    c. It's a database where only user information is kept.

    d. It's a database where only system information is kept.

a. It's a database containing system and user information.

200

Destiny was trying to check the sudo version in Kali Linux, but nothing happened. She was typing sudo -v, but that did not work. Why wasn't Destiny getting a response to her command?

    a. She was using incorrect syntax.

    b. It was the wrong command.

    c. Linux commands are case sensitive.

    d. The command was incomplete.

c. Linux commands are case sensitive.

200

Destiny is searching for digital photos that are in the Exchangeable Image File (Exif) format. What type of information can Destiny recover from photos using the Exif file format? Choose all that apply. (2)

    a. Latitude and longitude location

    b. Date and time

    c. Camera owner's name

    d. Type of film being used

a. Latitude and longitude location

b. Date and time

200

Jennifer is about to take over a computer crime case at Amcore lab. Before she begins, she must verify that the chain of custody has not been broken. She discovers that the seal on the container holding the suspect's hard drive has been broken and there is no signature on the sign-out sheet showing that someone took the hard drive for analysis. How does this affect the chain of custody?

    a. It does nothing to the chain of custody.

    b. It only affects authenticity.

    c. It breaks the chain of custody.

    d. The custody of the data's journey is now refutable but can still be admissible.

c. It breaks the chain of custody.

200

Xiang Liu is writing her report. Her mentor Steve Lu reminds Xiang that "objectivity is critical when writing a report." This is a very important statement. Why do you think Steve reminded her about objectivity? (2)

    a. She must be biased in her writing.

    b. She must communicate calm, detached observations in her report.

    c. It's better to identify flaws rather than to allow opposing counsel to do it for her.

    d. She should use passive voice in her writing.

b. She must communicate calm, detached observations in her report.

c. It's better to identify flaws rather than to allow opposing counsel to do it for her.

400

Joaquim is examining the registry in a recent Windows 10 acquisition and is looking for stored information for the current logged-on user. Which key should Joaquim examine?

    a. HKEY_LOCAL_MACHINE

    b. HKEY_CURRENT_CONFIG

    c. HKEY_USERS

    d. HKEY_CLASSES_ROOT

c. HKEY_USERS

400

Ben needs to locate the machine name and the Linux kernel version number for a forensics examination he's working on. What command should Ben use to find it?

    a. uname -a

    b. cat

    c. grep

    d. ~/my.log

a. uname -a

400

Quentin was examining a Windows OS for trace evidence of videos on a drive he just acquired. There may still be evidence on the drive though the original files were deleted. It is not an image file, so what is Quentin looking for?

    a. Database file

    b. Text file

    c. Spreadsheet file

    d. Video player file

a. Database file

400

Haris is presented with a case by a client involving employee termination. He hasn't been told about the case yet, but he can guess. What are some of the predominant types of issues that occur in an employee termination case?

    a. Working from home

    b. Creating a hostile work environment

    c. Playing games

    d. Surfing the Internet

b. Creating a hostile work environment

400

Helga is writing her report. It's going to be long and complex, so she needs to create an abstract. She puts the abstract at the beginning of the report. What is the reason Helga puts the abstract at the beginning of the report? (2)

    a. More people read the abstract than the entire report.

    b. The abstract summarizes the report.

    c. The abstract names the guilty party.

    d. The abstract is the conclusion of the case.

a. More people read the abstract than the entire report.

b. The abstract summarizes the report.

600

Ebony is a computer forensics technician at a crime scene. She finds a closed laptop on a desk that is in hibernation mode. With her forensics tools in place, she needs to find evidence as quickly as possible. Where should Ebony look first?

    a. Pagefile.sys

    b. Recycle.Bin

    c. Hiberfile.sys

    d. Internet history files

c. Hiberfile.sys

600

Devlin is searching for evidence in Linux by looking for bad blocks using Autopsy. He discovers inode 1 and proceeds to examine it. What commands should Devlin use when examining inode 1 to safeguard the important information found there? Choose all that apply. (2)

    a. gke2fs

    b. mke2fs

    c. d2fsck

    d. e2fsck

b. mke2fs

d. e2fsck

600

Isabella finds a JPEG file on a hard drive and discovers that the image quality is bad. Although camera quality can affect image quality, what other issue can cause the image quality of a JPEG to degrade?

    a. JPEG files use lossy compression, and saving a file multiple times under different names removes bits of data, which reduces image quality.

    b. JPEG files use lossy compression, and saving a file multiple times under the same name reduces image quality.

    c. JPEG files require high-quality hardware in order to be viewed and printed properly.

    d. JPEG data loss is not significant enough for the average user to ever notice. It takes special tools to tell there has been a degradation of quality.

a. JPEG files use lossy compression, and saving a file multiple times under different names removes bits of data, which reduces image quality.

600

Fumiko will be conducting an investigation involving Internet abuse on a client's internal private network. What will he need to gather from his client's network administrator? (2)

    a. The suspect's computer IP address

    b. The client's ISP IP address

    c. The client's router IP address

    d. The organization's Internet proxy server logs

a. The suspect's computer IP address

d. The organization's Internet proxy server logs

600

Amelia is about to begin work on a new forensic examination. As she is preparing to process the evidence, the one thing that she must always keep in mind is to keep her opinions to a minimum. Why is it important for Amelia to keep her opinions to a minimum during an examination? (2)

    a. Amelia must keep her opinions to a minimum to maintain her experience.

    b. Amelia must keep her opinions to a minimum to maintain her composure.

    c. Amelia must keep her opinions to a minimum to maintain her impartiality.

    d. Amelia must keep her opinions to a minimum to maintain her credibility.

c. Amelia must keep her opinions to a minimum to maintain her impartiality.

d. Amelia must keep her opinions to a minimum to maintain her credibility.

800

Jada is examining the $Recycling.Bin folder from a suspect's computer. How can the $Recycling.Bin folder be helpful to Jada in finding evidence of a crime?

    a. The $Recycling.Bin folder can contain deleted files that may show criminal activity.

    b. The $Recycling.Bin folder can contain saved files that may show criminal activity.

    c. The $Recycling.Bin folder can contain recently deleted drives that may show criminal activity.

    d. The $Recycling.Bin folder can contain saved drives that may show criminal activity.

a. The $Recycling.Bin folder can contain deleted files that may show criminal activity.

800

Farrell has decided to use the dc3dd command over the dd and dcfldd commands because it offers additional features specifically designed for computer forensics and data recovery purposes. What are some of the additional features found in the dc3dd command? Choose all that apply.

    a. Enhanced hashing

    b. Data verification

    c. Data analysis

    d. Error logging

a. Enhanced hashing

b. Data verification

800

Elena is examining a hard drive and discovers several altered files. There are both legitimate and illegitimate reasons for altered files on a hard drive. What are they? Choose all that apply. (2)

    a. Compressed data to save space

    b. Hide data from examination

    c. Files containing computer program data

    d. Files containing .exe programs

a. Compressed data to save space

b. Hide data from examination

800

Kevin is about to begin an examination of a hard drive. Out of all the tools available to him, which one is the most important to keep the OS from writing data to the hard drive?

    a. SCSI card

    b. Network interface card (NIC)

    c. Write-blocker

    d. Target drive

c. Write-blocker

800

Samantha is about to be questioned for the first time about her qualifications as an expert witness. She hears the attorney she works for calling it voir dire. Samantha wants to know what "voir dire" means. What does Samantha's attorney tell her the translation means?

    a. To see, to say

    b. To hear, to look

    c. To be or not to be

    d. To say, to see

a. To see, to say

1000

Jabari discovers a deleted file named MyTextFile.txt. He wants to examine the metadata in the file. What is some of the information Jabari could find in the deleted file? Choose all that apply. (3)

    a. File's permissions

    b. Owner

    c. Access times

    d. Computer hardware information

a. File's permissions

b. Owner

c. Access times

1000

One of dc3dd's features can generate detailed logs that record information about the imaging process, including the command-line options used, timing information, and verification results, which can be valuable for forensic investigations. This feature is called Forensic Logging.

    a. True

    b. False

a. True

1000

Jayden finds several saved web pages on a suspect's computer. They look like legitimate web pages, but this suspect is a known child pornographer, so the police are on the lookout for images and messages that might be in the suspect's possession. How does Jayden go about searching for this evidence?

    a. Click on links on the website to see where they go

    b. Look carefully at the website

    c. Search the HTML source code for hidden text

    d. Use a hex editor to find the hidden text

c. Search the HTML source code for hidden text

1000

Zoey is new to the field of computer forensics. Her boss has asked her to make a bit-stream copy of a disk drive for an investigation her company is working on. Zoey is curious why she can't make a backup copy instead. She comes to you for advice. What do you tell her? (2)

    a. A bit-stream copy is used because it is an exact duplicate of the original drive.

    b. A backup copy has most of the files necessary; you just need to take extra steps.

    c. A backup copy doesn't have deleted files and emails or recovered file fragments.

    d. A bit-stream copy needs multiple forensic tools to get all the data off it.

a. A bit-stream copy is used because it is an exact duplicate of the original drive.

c. A backup copy doesn't have deleted files and emails or recovered file fragments.

1000

Ambrus is in a discovery deposition. The opposing counsel Mark Miller is just about to finish up. At the end of the session Mark asks Ambrus if he would like to waive signature. Ambrus says no. Why is Ambrus not waiving signature on the deposition?

    a. Not waiving signature will avoid delays in the deposition process.

    b. Not waiving signature allows for review and corrections.

    c. Not waiving signature will avoid disputes.

    d. Not waiving signature will keep you from making commitments.

b. Not waiving signature allows for review and corrections.