Sample Test
Chapter 03: Data Acquisition

True / False

1. Hardware and software errors or incompatibilities are a common problem when dealing with older hard drives.
ANSWER: True
POINTS: 1
REFERENCES: 93
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:32 AM
DATE MODIFIED: 10/3/2014 12:42 AM
2. A forensics investigator should verify that acquisition tools can copy data in the HPA of a disk drive.
ANSWER: True
POINTS: 1
REFERENCES: 95
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:44 AM
DATE MODIFIED: 10/3/2014 12:44 AM
3. FTK Imager software can acquire a drive’s host protected area.
ANSWER: False
POINTS: 1
REFERENCES: 112
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:55 AM
DATE MODIFIED: 10/3/2014 12:45 AM
4. The ImageUSB utility can be used to create a bootable flash drive.
ANSWER: True
POINTS: 1
REFERENCES: 125
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 8/3/2014 11:36 AM
DATE MODIFIED: 10/3/2014 12:46 AM
5. A RAID 3 array uses distributed data and distributed parity in a manner similar to a RAID 5 array.
ANSWER: False
POINTS: 1
REFERENCES: 120
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 8/3/2014 11:48 AM
DATE MODIFIED: 10/3/2014 12:46 AM
6. Which option below is not a hashing function used for validation checks?
a. RC4
b. MD5
c. SHA-1
d. CRC32
ANSWER: a
POINTS: 1
REFERENCES: 91
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:05 AM
DATE MODIFIED: 10/3/2014 12:29 AM
7. The Linux command _____ can be used to write bit-stream data to files.
a. write
b. dd
c. cat
d. dump
ANSWER: b
POINTS: 1
REFERENCES: 91
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:21 AM
DATE MODIFIED: 10/3/2014 12:29 AM
8. Which option below is not a Linux Live CD meant for use as a digital forensics tool?
a. Penguin Sleuth
b. Kali Linux
c. Ubuntu
d. CAINE
ANSWER: c
POINTS: 1
REFERENCES: 97-98
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:48 AM
DATE MODIFIED: 10/3/2014 12:29 AM
9. The _______ switch can be used with the split command to adjust the size of segmented volumes created by the dd command.
a. -p
b. -s
c. -b
d. -S
ANSWER: c
POINTS: 1
REFERENCES: 104
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:51 AM
DATE MODIFIED: 10/3/2014 12:30 AM
10. The Linux command _______ can be used to list the current disk devices connected to the computer.
a. ls -l
b. fdisk -l
c. show drives
d. geom
ANSWER: b
POINTS: 1
REFERENCES: 99
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:54 AM
DATE MODIFIED: 10/3/2014 12:31 AM
11. The _______ command was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory.
a. dd
b. split
c. dcfldd
d. echo
ANSWER: c
POINTS: 1
REFERENCES: 106
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 2:03 AM
DATE MODIFIED: 10/3/2014 12:31 AM
12. Which RAID type utilizes mirrored striping, providing fast access and redundancy?
a. RAID 1
b. RAID 3
c. RAID 5
d. RAID 10
ANSWER: d
POINTS: 1
REFERENCES: 120
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 11:51 AM
DATE MODIFIED: 10/3/2014 12:32 AM
13. Within the fdisk interactive menu, what character should be entered to view existing partitions?
ANSWER: b
POINTS: 1
REFERENCES: 100
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 11:55 AM
DATE MODIFIED: 10/3/2014 12:32 AM
14. When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files?
a. 512 MB
b. 2 GB
c. 1 TB
d. 1 PB
ANSWER: b
POINTS: 1
REFERENCES: 109
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:03 PM
DATE MODIFIED: 10/3/2014 12:34 AM
15. An investigator wants to capture all data on a SATA drive connected to a Linux system. What should the investigator use for the “if=” portion of the dcfldd command?
a. /dev/hda
b. /dev/hda1
c. /dev/sda
d. /dev/sda1
ANSWER: c
POINTS: 1
REFERENCES: 107
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:15 PM
DATE MODIFIED: 10/3/2014 12:35 AM
16. _______ can be used with the dcfldd command to compare an image file to the original medium.
a. compare
b. cmp
c. vf
d. imgcheck
ANSWER: c
POINTS: 1
REFERENCES: 117
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:20 PM
DATE MODIFIED: 10/3/2014 12:35 AM
17. Which RAID type provides increased speed and data storage capability, but lacks redundancy?
a. RAID 0
b. RAID 1
c. RAID 0+1
d. RAID 5
ANSWER: a
POINTS: 1
REFERENCES: 119
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:22 PM
DATE MODIFIED: 10/3/2014 12:36 AM
18. Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data?
a. RAID 1
b. RAID 2
c. RAID 3
d. RAID 5
ANSWER: d
POINTS: 1
REFERENCES: 120
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:24 PM
DATE MODIFIED: 10/3/2014 12:36 AM
19. _______ creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID.
a. Runtime Software
b. RaidRestore
c. R-Tools R-Studio
d. FixitRaid
ANSWER: c
POINTS: 1
REFERENCES: 122
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:29 PM
DATE MODIFIED: 10/3/2014 12:37 AM
20. _______ is the utility used by the ProDiscover program for remote access.
a. SubSe7en
b. l0pht
c. PDServer
d. VNCServer
ANSWER: c
POINTS: 1
REFERENCES: 123
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:38 PM
DATE MODIFIED: 10/3/2014 12:38 AM
21. The _______ copies evidence of intrusions to an investigation workstation automatically for further analysis over the network.
a. intrusion detection system
b. active defense mechanism
c. total awareness system
d. intrusion monitoring system
ANSWER: a
POINTS: 1
REFERENCES: 124
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:42 PM
DATE MODIFIED: 10/3/2014 12:38 AM
22. Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files?
a. Advanced Forensics Disk
b. Advanced Forensic Format
c. Advanced Capture Image
d. Advanced Open Capture
ANSWER: b
POINTS: 1
REFERENCES: 92
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:44 PM
DATE MODIFIED: 10/3/2014 12:38 AM
23. What is the name of the Microsoft solution for whole disk encryption?
a. DriveCrypt
b. TrueCrypt
c. BitLocker
d. SecureDrive
ANSWER: c
POINTS: 1
REFERENCES: 95
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:47 PM
DATE MODIFIED: 10/3/2014 12:39 AM
24. Which technology below is not a hot-swappable technology?
a. USB-3
b. FireWire 1394A
c. SATA
d. IDE
ANSWER: d
POINTS: 1
REFERENCES: 95
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:53 PM
DATE MODIFIED: 10/3/2014 12:40 AM
25. To create a new primary partition within the fdisk interactive utility, which letter should be typed?
ANSWER: d
POINTS: 1
REFERENCES: 100
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:59 PM
DATE MODIFIED: 10/3/2014 12:40 AM
26. The ______________ imaging tool produces three proprietary formats: IDIF, IRBF, and IEIF.
ANSWER: IXimager
POINTS: 1
REFERENCES: 92
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:27 AM
DATE MODIFIED: 10/3/2014 12:41 AM
27. The ___________ file type uses lossy compression to reduce file size and doesn’t affect image quality when the file is restored and viewed.
ANSWER: .jpeg
POINTS: 1
REFERENCES: 94
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:35 AM
DATE MODIFIED: 10/3/2014 12:41 AM
28. _____________ software is used in a Linux environment to mount and write data only to NTFS partitions.
ANSWER: NTFS-3G
POINTS: 1
REFERENCES: 98
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 8/3/2014 11:58 AM
DATE MODIFIED: 10/3/2014 12:41 AM
29. When two files with different contents generate the same digital fingerprint using a hashing function, a(n) ____________ has occurred.
ANSWER: collision
POINTS: 1
REFERENCES: 115
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:01 PM
DATE MODIFIED: 10/3/2014 12:42 AM
30. ________________ software can sometimes be used to decrypt a drive that is utilizing whole disk encryption.
ANSWER: Elcomsoft Forensic Disk Decryptor
POINTS: 1
REFERENCES: 93
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 8/3/2014 12:08 PM
DATE MODIFIED: 10/3/2014 12:42 AM
a. Advanced Forensic Format (AFF)
b. Host protected area (HPA)
c. Live acquisitions
d. Logical acquisitions
e. Raw format
f. Redundant array of independent disks (RAID)
g. Sparse acquisition
h. Static acquisitions
i. Whole disk encryption
j. .pdg extension
REFERENCES: 121, 127
QUESTION TYPE: Matching
HAS VARIABLES: False
DATE CREATED: 8/2/2014 3:25 PM
DATE MODIFIED: 8/14/2014 4:51 PM

31. A data acquisition method used when a suspect computer can’t be shut down to perform a static acquisition
32. A data acquisition method that captures only specific files of interest to a case, but also collects fragments of unallocated (deleted) data
33. An encryption technique that performs a sector-by-sector encryption of an entire drive; each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method
34. A data acquisition method that captures only specific files of interest to the case or specific types of files, such as Outlook .pst files
35. Two or more disks combined into one large drive in several configurations for special needs
36. A data acquisition method used when a suspect drive is write-protected and can’t be altered
37. A data acquisition format that creates simple sequential flat files of a suspect drive or data set
38. A ProDiscover Group file, which includes instructions for how ProDiscover should load each physical disk’s image data
39. An open-source data acquisition format that stores image data and metadata
40. An area of a disk drive reserved for booting utilities and diagnostic programs; it is not visible to the computer’s OS
41. How can lossless compression be tested?
ANSWER: Lossless compression can be tested using a hashing algorithm on data before and after it has been compressed. The hash data can then be checked for a match. If the hashes do not match, the file was not compressed properly, or the file was corrupted.
POINTS: 1
REFERENCES: 94
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:40 AM
DATE MODIFIED: 10/3/2014 12:46 AM
42. In Linux, how is a specific partition acquired, as opposed to an entire drive?
ANSWER: The partition number must be added to the device name, such as /dev/sdb1 instead of /dev/sdb.
POINTS: 1
REFERENCES: 106
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:01 PM
DATE MODIFIED: 10/3/2014 12:47 AM
43. What is a hashing collision?
ANSWER: A hashing collision occurs when two files or data streams with different content produce the same digital fingerprint.
POINTS: 1
REFERENCES: 115
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:03 PM
DATE MODIFIED: 10/3/2014 12:47 AM
44. Describe RAID 3.
ANSWER: RAID 3 uses data striping and dedicated parity and requires at least three disks. Similar to RAID 0, RAID 3 stripes tracks across all disks that make up one volume. RAID 3 also implements dedicated parity of data to ensure recovery if data is corrupted. Dedicated parity is stored on one disk in the RAID 3 array. Like RAID 3, RAID 4 uses data striping and dedicated parity (block writing), except data is written in blocks rather than bytes.
POINTS: 1
REFERENCES: 120
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:05 PM
DATE MODIFIED: 10/3/2014 12:48 AM
45. Describe a RAID 6 configuration.
ANSWER: In RAID 6, distributed data and distributed parity (double parity) function the same way as RAID 5, except each disk in the RAID array has redundant parity. The advantage of RAID 6 over RAID 5 is that it recovers any two disks that fail because of the additional parity stored on each disk.
POINTS: 1
REFERENCES: 120
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:12 PM
DATE MODIFIED: 10/3/2014 12:48 AM
46. How does remote access work in EnCase Enterprise software?
ANSWER: In EnCase Enterprise, the remote access program, Servlet, is a passive utility installed on the suspect computer. The program connects the suspect computer to the Examiner and SAFE workstations, and can run in stealth mode on the suspect computer.
POINTS: 1
REFERENCES: 124
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:13 PM
DATE MODIFIED: 10/3/2014 12:48 AM
47. What is the dd command?
ANSWER: The dd command, or data dump command, can be used to read and write data from a media device and a data file, and isn’t bound by a logical file system’s data structures. The command creates a raw format file that most forensics analysis tools can read.
POINTS: 1
REFERENCES: 104
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
DATE CREATED: 8/3/2014 1:16 PM
DATE MODIFIED: 10/3/2014 12:49 AM