Digital Forensics Q&A: Key Terms and Core Concepts
Digital Forensics Q&A
Which of the following is the best definition of “forensics”?✅ The process of using scientific knowledge for collecting, analyzing, and presenting digital computer evidence to the courts
One must be able to show the whereabouts and custody of evidence, and how it was handled and stored and by whom, from the time the evidence is first seized by a law enforcement officer or civilian investigator until the moment it is shown in court. What standard does this refer to?✅ Chain of custody
Ed is an expert witness providing testimony in court. He uses a high-tech computer animation to explain a technical concept to the judge and jury. What type of evidence is Ed using?✅ Demonstrative
Which of the following is not true of computer forensics?✅ The emphasis is on the volume of evidence.
The __________ was passed to improve the security and privacy of sensitive information in federal computer systems.✅ Computer Security Act of 1987
__________ is the concept that any scientific evidence presented in a trial has to have been reviewed and tested by the relevant scientific community.✅ The Daubert Standard
________ is the default file system for Apple computers using macOS 10.x.✅ APFS
What term describes information that forensic specialists use to support or interpret real or documentary evidence?✅ Digital evidence
________ is a computer’s physical address.✅ A MAC address
Which of the following is the process of examining data traffic, including transaction logs and real-time monitoring using sniffers and tracing?✅ Network forensics
The __________ is a federal wiretap law for traditional wired telephony that was expanded to include wireless, Voice over Internet Protocol (VoIP), and other forms of electronic communications.✅ Communications Assistance for Law Enforcement Act of 1994
Which of the following is the process of searching memory in real time, typically for working with compromised hosts or to identify system abuse?✅ Live system forensics
__________ is information that has been processed and assembled to be relevant to an investigation and that supports a specific finding or determination.✅ Digital evidence
Which of the following is not true of random access memory (RAM)?✅ It cannot be changed.
Tonya is an attorney. She is preparing evidence to be presented in a court trial. Her exhibits include several photographs, printouts of email messages, and printouts of text messages. What type of evidence is Tonya preparing?✅ Documentary evidence
A computer crime suspect stores data where an investigator is unlikely to find it. What is this technique called?✅ Data hiding
Alice is a computer hacker. She is attempting to cover her tracks by repeatedly overwriting a cluster of data on a hard disk with patterns of 1s and 0s. What general term describes Alice’s actions?✅ Anti-forensics
__________ is the continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.✅ The chain of custody
Arturo is a forensic investigator. He is working on a digital forensic case that involves tracking down evidence and perpetrators in the United States, Russia, and Italy. He must coordinate with local, state, and national governments, as well as international agencies, in each country. What type of scope-related challenge is being described?✅ Distributed crime scene
Assume you run the __________ command on a computer. The command displays the computer’s Internet Protocol (IP) address, the IP address for the default gateway, and more information.✅ ipconfig
What is the name of a type of targeted phishing attack in which the criminal targets a high-value target, such as a senior company executive?✅ Whaling
_______ is defined as any attempt to gain financial reward through deception.✅ Fraud
The use of electronic communications to harass or threaten another person is the definition of:✅ Cyberstalking
Dean is interested in purchasing picture editing software… the site is known for selling illegal copies of applications. What type of cybercrime is the company likely committing?✅ Data piracy
Malware designed to do harm to a system when some logical condition is reached, often triggered on a specific date and time, is called a:✅ Logic bomb
Bill receives an urgent email that appears to be from his CFO, requesting a funds transfer to a personal account. What type of attack is likely underway?✅ Phishing
The main purpose of __________ is to prevent legitimate users from being able to access a given computer resource.✅ A denial of service (DoS) attack
With respect to phishing, a high-quality fictitious email that is intended to steal personal data to conduct identity theft will often leave evidence in what IT system?✅ Email server
The attacker’s goal when executing a denial of service (DoS) attack is to:✅ Render the target system unusable
What is the definition of a computer virus?✅ Any software that self-replicates
Most often, criminals commit __________ to perpetrate some kind of financial fraud.✅ Identity theft
Windows passwords are hashed and then stored in the __________ on the local machine.✅ SAM file
_________ is a method used by password crackers who work with pre-calculated hashes of all passwords possible within a certain character space.✅ Rainbow table
What is meant by distributed denial of service (DDoS) attack?✅ An attack in which the attacker seeks to infect several machines and use those machines to overwhelm the target system to achieve a denial of service
Which of the following are subclasses of fraud?✅ Investment offers and data piracy
Aditya is a digital forensics specialist… Which of the following is an attack vector that cannot be investigated on the victim’s machine?✅ Dumpster diving
Which of the following is not true of cyberstalking?✅ Stalkers are often technically savvy computer criminals.
Which of the following is a denial of service (DoS) attack that includes both Internet Protocol (IP) spoofing and Internet Control Message Protocol (ICMP), resulting in saturating a target with network traffic?✅ Smurf attack
How is cyberterrorism different from other cybercrimes?✅ It is investigated by federal law enforcement.
Attackers leveraging Structured Query Language (SQL) injection can be thwarted using proper programming techniques that:✅ Disallow the use of additional characters to “escape” an application reading them as text and instead process them as an instruction.
_______ is an industry certification that focuses on knowledge of PC hardware.✅ CompTIA A+
__________ sets standards for digital evidence processing, analysis, and diagnostics.✅ The DoD Cyber Crime Center (DC3)
_______ is the unused space between the logical end of a file and the physical end of a file.✅ File slack
__________ is a Linux Live CD that you use to boot a system and then use the tools. It is a free Linux distribution, making it attractive to schools teaching forensics or laboratories on a strict budget.✅ The Sleuth Kit
What document’s sole purpose is to detail a person’s experience and qualifications for a position?✅ Curriculum vitae (CV)
Forensic investigators who collect data as evidence must understand the __________ of information, which refers to how long it is valid.✅ Slack space
Tonya is entering the digital forensics field and wants to pursue a general forensics certification. Which certification is best to start with?✅ EC-Council Certified Hacking Forensic Investigator (CHFI)
__________ is information at the level of 1s and 0s stored in computer memory or on a storage device.✅ Bit-level information
Arturo is contacted to extract data from a Mac OS system. What is the best approach he should take?✅ Do not accept the assignment and recommend that the computer be brought to an expert with Mac OS experience.
When gathering systems evidence, what is not a common principle?✅ Trust only virtual evidence.
__________ govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.✅ The rules of evidence
__________ holds that you cannot interact in an environment without altering it in some way, without leaving some trace.✅ Locard’s principle of transference
Use of __________ enables an investigator to reconstruct file fragments if files have been deleted or overwritten.✅ Bit-level tools
One principle of evidence gathering is to avoid changing the evidence. Which of the following steps will not help you avoid changing evidence?✅ Photograph seized equipment after you set it up in the lab.
As a forensic investigator, you should develop _________, which covers how you will gather evidence and which tools are most appropriate for a specific investigation.✅ An analysis plan
Which of the following is produced by a nonprofit volunteer organization whose goal is to enhance the sharing of knowledge and ideas about digital forensics research?✅ Digital Forensic Research Workshop (DFRWS) framework
Which of the following best defines an expert report?✅ A formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted as well as the specialist’s own curriculum vitae (CV).
According to the order of volatility in RFC 3227, what evidence should you collect first on a typical system?✅ Volatile data, then file slack
A system forensics specialist has three basic tasks related to handling evidence: find evidence, preserve evidence, and __________ evidence.✅ Prepare
Which forensic certification is open to both the public and private sectors and is specific to the use and mastery of FTK?✅ AccessData Certified Examiner
What disk drive feature is most important for forensic consideration?✅ Good blocks marked as bad
Which of the following is the best description of volatile data?✅ Data that is lost when the system is used, such as the swap file and state of network connections
Justin is investigating a digital forensic case… What file should Justin analyze to collect data from the swap file?✅ pagefile.sys
There are three specific steps to follow to handle computer evidence. The first step is to ______ the evidence, followed by _______ the evidence, and finally ________ the evidence.✅ Preserve, prepare, present
What version of RAID involves three or more striped disks with parity that protect data against the loss of any one disk?✅ RAID 3 or 4
What was designed as an area where computer vendors could store data that is shielded from user activities and operating system utilities, such as delete and format?✅ Host protected area (HPA)
Jiang is a forensic specialist… What did Jiang do wrong?✅ He left the computer unattended while shopping for supplies.
Hard drives are types of magnetic media that use high and low magnetization to store data on these devices, which is organized by:✅ Sectors and clusters
Mary attempts to take a physical image of a phone but instead takes a logical image. What type of data is likely missing?✅ Deleted files
What is the definition of “hash”?✅ A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions
_______ is an example of volatile data.✅ The state of network connections
Joey is investigating an employer-owned computer that is still running. What is the correct course of action?✅ Capture the current memory, running tasks, and live connections, and then shut the computer down.
_______ is the area of a hard drive that has not been allocated for file storage.✅ Unallocated space
What is the name of the unused space that is created between the end of a file and the end of the last data cluster assigned to the file?✅ File slack
Which of the following are attributes of a solid-state drive (SSD)?✅ Flash memory and fast startup time
Devaki is starting a new job as a forensic processor. What should she do before starting the process of removing a hard drive?✅ She should review the processes used by the police precinct to be sure she is using the correct forms and taking the required pictures.
Which of the following uses microchips that retain data in nonvolatile memory chips and contains no moving parts?✅ Solid-state drive (SSD)
What kind of data changes rapidly and may be lost when the machine that holds it is powered down?✅ Volatile data
Windows uses __________ on each system as a “scratch pad” to write data when additional random access memory (RAM) is needed.✅ A swap file
Isabella is about to start a forensic investigation on a disk drive… To prepare a disk drive to be used as the target for the image, she must first:✅ Forensically wipe the target drive by overwriting every single bit on the drive.
What is the definition of “stream cipher”?✅ A form of cryptography that encrypts the data as a stream, one bit at a time
When hiding a message in a video file, what method takes advantage of an image capable of storing colors in 24 bits to increase the storage area for the payload?✅ BPCS
Kerckhoffs’ principle states that the security of a cryptographic algorithm depends only on the secrecy of:✅ The key
What is the definition of “Kasiski examination”?✅ A method of attacking polyalphabetic substitution ciphers, such as the Vigenère cipher
In RSA, after multiplying two prime numbers to get n, the next step is to multiply __________ for each of these primes.✅ Euler’s Totient
Regarding the RSA algorithm, __________ describes the total number of coprime numbers; two numbers are considered coprime if they have no common factors.✅ Euler’s Totient
The type of medium used to hide data in steganography is referred to as __________.✅ The channel
You have a group of ciphertexts and will consider your efforts a success if you can obtain any information about the underlying plaintext. What cryptographic cracking method are you using?✅ Ciphertext-only
A cybercriminal wants to deliver steganized files to covert customers on a third-party cache. What method must be used so that the third party is unaware?✅ Dead drops
__________ is an asymmetric cryptographic protocol that allows two parties to establish a shared key over an insecure channel.✅ Diffie-Hellman
Although the Data Encryption Standard (DES) algorithm is sound, it is no longer considered secure because:✅ Of its small key size
_______ is the process of analyzing a file or files for hidden content.✅ Steganalysis
The Caesar cipher involves shifting letters. What does a shift of -4 mean?✅ Shifting 4 letters to the left
The form of symmetric cryptography involving changing some part of the plaintext is called:✅ Substitution
In World War II, the Germans made use of _________, which is an electromechanical rotor-based cipher system.✅ The Enigma machine
In steganography, what is meant by “carrier”?✅ The signal, stream, or data file in which the payload is hidden
Which of the following is not true of the Feistel function?✅ This function forms the basis for many stream ciphers.
What is the definition of “transposition” in terms of cryptography?✅ The swapping of blocks of ciphertext
What term describes a method of using techniques other than brute force to derive an encryption key?✅ Cryptanalysis
The __________ cipher is a method of encrypting alphabetic text by using a series of different monoalphabetic ciphers selected based on the letters of a keyword.✅ Vigenère
Consistency checking protects against:✅ Software bugs and storage hardware design compatibilities
In FAT and NTFS file systems, a __________ is used to map files to specific clusters where they are stored on the disk.✅ Table
What is the purpose of overwriting data on a hard disk with random characters seven times?✅ To forensically scrub a file or folder
You are unable to boot a damaged hard disk and choose to perform a zero-knowledge analysis. Is this appropriate?✅ Yes — it rebuilds the file system from scratch using knowledge of an undamaged structure, allowing data retrieval.
When attempting to recover deleted files from FAT32, what is the most important advantage?✅ Time — files deleted recently are more likely to be recovered
Paige connects a failed hard drive to a test system without installing it. What should she do next?✅ Determine whether the failed drive is recognized and can be installed as an additional disk on the test system
A symbolic link is ________ another file.✅ A pointer to
Which of the following is not true of file carving?✅ You can perform file carving on the NTFS and FAT32 file systems but not Ext4
________ is the preferred file system of Windows 2000 and later.✅ NTFS
Which operating system commonly uses the Ext file system?✅ Linux
After a power outage, Windows no longer boots past the loading screen. What type of damage likely occurred?✅ Logical damage
If a hard disk is damaged and the data is deemed “lost,” what is the recommended next step?✅ Shred the hard disk
The ________ and the ________ are the two NTFS files of most interest to forensics efforts.✅ Master File Table (MFT) and cluster bitmap
A(n) __________ is a data structure in the Linux file system that stores all file information except its name and actual data.✅ Inode
_______ is the basic repair tool in Windows.✅ Chkdsk
You recover data files from a damaged disk but they’re corrupted. What should you do?✅ Perform file carving
Devaki processed a damaged hard drive as “lost” without testing recovery options. What mistake did she make?✅ She should have fully evaluated the disk by leveraging multiple techniques to attempt data retrieval.
_______ is the basic repair tool in Mac OS.✅ Disk Utility
When performing a manual recovery on a Linux system, what is the first step?✅ Boot into the recovery menu and select to run diagnostics
In Windows, what does the File Allocation Table (FAT) store?✅ The mapping between files and their cluster location on the hard drive
The amount of time a system can be down before it is impossible for an organization to recover is addressed by:✅ Maximum tolerable downtime (MTD).
__________ is a common method for scoring system vulnerabilities.✅ Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD)
Regarding incident response, what step involves restoring software and data from a backup source that has been verified to be free from malware infection?✅ Recovery
What is the definition of business continuity plan (BCP)?✅ A plan for maintaining minimal operations until the business can return to full normal operations
In a business impact analysis, which of the following best describes the recovery time objective (RTO)?✅ The target time to have a down system back up and running
You are performing a business impact analysis (BIA). How do you calculate the single loss expectancy (SLE)?✅ By multiplying the asset value (AV) times the exposure factor (EF)
You are considering hierarchical storage management (HSM) rather than traditional tape media. What is an advantage of HSM?✅ It has far more storage capacity than traditional tape media.
Which of the following is helpful in tracing the root cause of an incident and involves depiction of something resembling a fish head and fish bones?✅ Ishikawa diagram
The manufacturer claims a hard drive will perform properly for 100,000 hours. What is this measure most closely related to?✅ Mean time to failure (MTTF)
A ________ is a plan for returning the business to full normal operations.✅ Disaster recovery plan (DRP)
The process whereby a disaster recovery team contemplates likely disasters and the impact each would have on an organization is called:✅ A business impact analysis.
In a business impact analysis, which of the following refers to how much data will be lost in a computer disaster?✅ RPO
You are preparing to add forensics to your incident response policies. Which is the absolute first step you must take?✅ Identify forensic resources.
Which of the following is not true of the Grandfather-Father-Son backup scheme?✅ Weekly backups are not reused, only sons and grandfathers.
A computer worm has used open file shares to infect hundreds of systems. What is this an example of?✅ Malicious code
Companies that process payment card data must issue a report if a breach violates which of the following?✅ PCI DSS
An organization cannot operate without its web server for more than 5 days and still recover. The mean time to repair is 3 days. How many days do you have after a disaster to initiate repairs or the organization will not be able to recover?✅ 2
You are calculating the single loss expectancy (SLE) for a laptop costing $2,500 with an exposure factor of 25%. What is the SLE?✅ $625
NIST Special Publication 800-61 considers denial of service as:✅ An attacker crafting packets to cause networks and/or computers to crash.
What type of disaster is most likely to require a computer forensic expert?✅ Intrusion