1.

Which of the following represents known files you can eliminate from an investigation? (Choose all that apply.)

• a.
• Any graphics files
• b.
• Files associated with an application
• c.
• System files the OS uses
• d.
• Any files pertaining to the company

2.

For which of the following reasons should you wipe a target drive?

• a.
• To ensure the quality of digital evidence you acquire
• b.
• To make sure unwanted data isn't retained on the drive
• c.
• Neither of the above
• d.
• Both a and b

3.

FTK's Known File Filter (KFF) can be used for which of the following purposes? (Choose all that apply.)

• a.
• Filter known program files from view.
• b.
• Calculate hash values of image files.
• c.
• Compare hash values of known files to evidence files.
• d.
• Filter out evidence that doesn't relate to your investigation.

4.

For what legal and illegal purposes can you use steganography?

5.

Password recovery is included in all computer forensics tools. True or False?

6.

After you shift a file's bits, the hash value remains the same. True or False?

7.

Validating an image file once, the first time you open it, is enough. True or False?

8.

_____________ happens when an investigation goes beyond the bounds of its original description.

9.

Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?

• a.
• Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly
• b.
• Criminal investigation because law enforcement agencies have more resources at their disposal
• c.
• Internal corporate investigation because corporate investigators typically have ready access to company records
• d.
• Internal corporate investigation because ISPs almost always turn over e-mail and access logs when requested by a large corporation

10.

You're using Disk Manager to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?

• a.
• The disk is corrupted.
• b.
• There's a hidden partition.
• c.
• Nothing; this is what you'd expect to see.
• d.
• The drive is formatted incorrectly.

11.

Commercial encryption programs often rely on a technology known as _____________ to recover files if a password or passphrase is lost.

12.

Steganography is used for which of the following purposes?

• a.
• Validating data
• b.
• Hiding data
• c.
• Accessing remote computers
• d.
• Creating strong passwords

13.

Which FTK search option is more likely to find text hidden in unallocated space: live search or indexed search?

14.

Which of the following statements about HDHOST is true? (Choose all that apply.)

• a.
• It can be used to access a suspect's computer remotely.
• b.
• It requires installing the DiskExplorer program corresponding to the suspect's file system.
• c.
• It can run surreptitiously to avoid detection.
• d.
• It works over both serial and TCP/IP interfaces.

15.

Which of the following tools is most helpful in accessing clusters marked as "bad" on a disk?

• a.
• Norton DiskEdit
• b.
• FTK
• c.
• ProDiscover
• d.
• HDHOST
• e.
• None of the above

 

 

1.

Graphics files stored on a computer can't be recovered after they are deleted. True or False?

2.

When you carve a graphics file, recovering the image depends on which of the following skills?

• a.
• Recovering the image from a tape backup
• b.
• Recognizing the pattern of the data content
• c.
• Recognizing the pattern of the file header content
• d.
• Recognizing the pattern of a corrupt file

3.

Explain how to identify an unknown graphics file format that your computer forensics tool doesn't recognize.

4.

What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?

5.

When investigating graphics files, you should convert them into one standard format. True or False?

6.

Digital pictures use data compression to accomplish which of the following goals? (Choose all that apply.)

• a.
• Save space on a hard drive.
• b.
• Provide a crisp and clear image.
• c.
• Eliminate redundant data.
• d.
• Produce a file that can be e-mailed or posted on the Internet.

7.

Salvaging a file is also known in North America by which of the following terms?

• a.
• Data recovery
• b.
• Scavenging
• c.
• Recycle Bin
• d.
• Carving

8.

In JPEG files, what's the starting offset position for the JFIF label?

• a.
• Offset 0
• b.
• Offset 2
• c.
• Offset 6
• d.
• Offset 4

9.

Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or False?

10.

Copyright laws don't apply to Web sites. True or False?

11.

When viewing a file header, you need to include hexadecimal information to view the image. True or False?

12.

When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False?

13.

Bitmap (.bmp) files use which of the following types of compression?

• a.
• WinZip
• b.
• Lossy
• c.
• Lzip
• d.
• Lossless

14.

A JPEG file uses which type of compression?

• a.
• WinZip
• b.
• Lossy
• c.
• Lzip
• d.
• Lossless

15.

Only one file format can compress graphics files. True or False?