WGU C840 Digital Forensics QUESTIONS WITH COMPLETE SOLUTIONS

Document Content and Description Below

WGU C840 Digital Forensics QUESTIONS WITH COMPLETE SOLUTIONS expert report Correct Answer: A formal document prepared by a forensics specialist to document an investigation, including a list of al... l tests conducted as well as the specialist's own curriculum vitae (CV). Anything the specialist plans to testify about at a trial must be included in the expert report. Testimonial evidence Correct Answer: Information that forensic specialists use to support or interpret real or documentary evidence; for example, to demonstrate that the fingerprints found on a keyboard are those of a specific individual. Daubert standard Correct Answer: The standard holding that only methods and tools widely accepted in the scientific community can be used in court. If the computer is turned on when you arrive, what does the Secret Service recommend you do? Correct Answer: Shut down according to the recommended Secret Service procedure. Communications Assistance to Law Enforcement Act of 1994 Correct Answer: The Communications Assistance to Law Enforcement Act of 1994 is a federal wiretap law for traditional wired telephony. It was expanded to include wireless, voice over packet, and other forms of electronic communications, including signaling traffic and metadata. Digital evidence Correct Answer: Digital evidence is information processed and assembled so that it is relevant to an investigation and supports a specific finding or determination. Federal Privacy Act of 1974 Correct Answer: The Federal Privacy Act of 1974, a United States federal law that establishes a code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by U.S. federal agencies. Power Spy, Verity, ICU, and WorkTime Correct Answer: Spyware good fictitious e-mail response rate Correct Answer: 1-3% Which crime is most likely to leave e-mail evidence? Correct Answer: Cyberstalking Where would you seek evidence that ophcrack had been used on a Windows Server 2008 machine? Correct Answer: In the logs of the server; look for the reboot of the system A SYN flood is an example of what? Correct Answer: DoS attack definition of a virus, in relation to a computer? Correct Answer: a type of malware that requires a host program or human help to propagate What is the starting point for investigating the denial of service attacks? Correct Answer: Tracing the packets China Eagle Union Correct Answer: The cyberterrorism group, the China Eagle Union, consists of several thousand Chinese hackers whose stated goal is to infiltrate Western computer systems. Members and leaders of the group insist that not only does the Chinese government have no involvement in their activities, but that they are breaking Chinese law and are in constant danger of arrest and imprisonment. However, most analysts believe this group is working with the full knowledge and support of the Chinese government. Rules of evidence Correct Answer: Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury. file slack Correct Answer: The unused space between the logical end of the file and the physical end of the file. It is also called slack space. The Analysis Plan Correct Answer: Before forensic examination can begin, an analysis plan should be created. This plan guides work in the analysis process. How will you gather evidence? Are there concerns about evidence being changed or destroyed? What tools are most appropriate for this specific investigation? A standard data analysis plan should be created and customized for specific situations and circumstances. What is the most important reason that you not touch the actual original evidence any more than you have to? Correct Answer: Each time you touch digital data, there is some chance of altering it. You should make at least two bitstream copies of a suspect drive. Correct Answer: TRUE To preserve digital evidence, an investigator should Correct Answer: make two copies of each evidence item using different imaging tools What would be the primary reason for you to recommend for or against making a DOS Copy Correct Answer: A simple DOS copy will not include deleted files, file slack, and other information. Which starting-point forensic certification covers the general principles and techniques of forensics, but not specific tools such as EnCase or FTK? Correct Answer: (CHFI) EC Council Certified Hacking Forensic Investigator This forensic certification is open to both the public and private sectors and is specific to the use and mastery of FTK. Requirements for taking the exam include completing the boot camp and Windows forensic courses. Correct Answer: AccessData Certified Examiner. AccessData is the creator of Forensic Toolkit (FTK) software. Federal Rules of Evidence (FRE) Correct Answer: The Federal Rules of Evidence (FRE) is a code of evidence law. The FRE governs the admission of facts by which parties in the U.S. federal court system may prove their cases. The rules of evidence, encompasses the rules and legal principles that govern the proof of facts in a legal proceeding. These rules determine what evidence must or must not be considered by the trier of fact in reaching its decision The DoD Cyber Crime Center (DC3) Correct Answer: DC3 is involved with DoD investigations that require computer forensics support to detect, enhance, or recover digital media. DC3 provides computer investigation training. It trains forensic examiners, investigators, system administrators, and others. It also ensures that defense information systems are secure from unauthorized use, criminal and fraudulent activities, and foreign intelligence service exploitation. DC3 ets standards for digital evidence processing, analysis, and diagnostics. Expert testimony Correct Answer: Expert testimony involves the authentication of evidence-based upon scientific or technical knowledge relevant to cases. Forensic examiners are often called upon to authenticate evidence between given specimens and other items. Forensic specialists should not undertake an examination that is beyond their knowledge and skill. temporary data Correct Answer: Data that an operating system creates and overwrites without the computer user taking direct action to save this data. Physical analysis Correct Answer: Offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system. Logical analysis Correct Answer: Analysis involving using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data. sweepers Correct Answer: A kind of software that cleans unallocated space. Also called a scrubber. It is acceptable, when you have evidence in a vehicle, to stop for a meal, if the vehicle is locked. Correct Answer: FALSE What Linux command can be used to create a hash? Correct Answer: MD5sum EnCase Format Correct Answer: The EnCase format is a proprietary format that is defined by Guidance Software for use in its forensic tool to store hard drive images and individual files. It includes a hash of the file to ensure nothing was changed when it was copied from the source. advanced Forensic Format (AFF) Correct Answer: This file format, abbreviated AFF, has three variations: AFF, AFM, and AFD. The AFF variation stores all data and metadata in a single file. The AFM variation stores the data and the metadata in separate files. The AFD variation stores the data and metadata in multiple small files. The AFF file format is part of the AFF Library and Toolkit, which is a set of open-source computer forensics programs. Sleuth Kit and Autopsy both support this file format. The Generic Forensic Zip Correct Answer: an open source file format used to store evidence from forensic examinations IXimager Correct Answer: developed by the IRS and restricted to law enforcement and government use What Linux command can be used to wipe a target drive? Correct Answer: dd RAID 0 Correct Answer: disk striping RAID 1 Correct Answer: completely mirrors the contents of disks so there is an identical copy of the drive running on the machine RAID 3 or 4 Correct Answer: combines three or more disks in a way that protects data against loss of any one disk RAID 5 Correct Answer: striped disks with distributed parity combines three or more disks in a way that protects data against the loss of any one disk. It is similar to RAID 3, but the parity is not stored on one dedicated drive; instead, parity information is interspersed across the drive array You need to image a server that is set up with RAID 5. How would you approach this? Correct Answer: Image each disk separately. RAID 4 should be acquired as individual disks Correct Answer: FALSE Swap files Correct Answer: Swap files are the most important type of ambient data. Windows uses swap files on each system as a "scratch pad" to write data when additional RAM is needed. A swap file is a virtual memory extension of RAM. Most computer users are unaware of the existence of swap files. The size of these files is usually about 1.5 times the size of the physical RAM in the machine. Swap files contain remnants of word processing documents, e-mails, Internet browsing activity, database entries, and almost any other work that has occurred during past Windows sessions. Swap files can be temporary or permanent. volume slack Correct Answer: Volume slack is the unused space between the end of the file system and the end of the partition where the file system resides. For example, suppose that two partitions are filled with data. When you delete one of them, the data is not actually deleted. Instead, it is hidden. RAID 6 Correct Answer: RAID 6 is a striped set with dual distributed parity. This RAID level is similar to RAID 5, RAID 6 offers both backup and increased speed. Additionally, a RAID 6 array can continue operating if up to two of its drives fail. This requires a minimum of 4 drives. carrier Correct Answer: The signal, stream, or data file into which the payload is hidden. least significant bit (LSB) Correct Answer: The last bit or least significant bit is used to store data. payload Correct Answer: The data to be covertly c [Show More]

Last updated: 2 years ago

Preview 1 out of 14 pages