ISM 4320 Midterm Exam Questions and Answers: Computer Forensics Fundamentals, Exams of Information Technology Management

A comprehensive set of questions and answers covering key concepts in computer forensics. It explores topics such as digital investigations, legal considerations, evidence collection, and lab procedures. Valuable for students studying computer forensics, providing insights into common exam questions and essential knowledge for the field.

Typology: Exams

2024/2025

Available from 02/23/2025

Smartsolutions
ISM 4320 MIDTERM EXAM QUESTIONS AND CORRECT ANSWERS 100% VERIFIED!!


  • To be a successful computer forensics investigator, you must be familiar with more than one computing platform. - ANSWER TRUE

  • Computer investigations and forensics fall into the same category: public investigations. - ANSWER FALSE

  • By the 1970s, electronic crimes were increasing, especially in the financial sector. - ANSWER TRUE

  • Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses. - ANSWER right of privacy

  • In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations. - ANSWER authorized requester

  • A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. - ANSWER warning banner

  • A(n) ____ is a person using a computer to perform routine tasks other than systems administration. - ANSWER end user

  • Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility. - ANSWER Professional Conduct

  • Most digital investigations in the private sector involve ____. - ANSWER Misuse of digital assets

  • Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer. - ANSWER silver-platter

  • Maintaining credibility means you must form and sustain unbiased opinions of your cases. - ANSWER FALSE

  • The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence. - ANSWER Computer Analysis and Response Team (CART)

  • The law of search and seizure protects the rights of all people, excluding people suspected of crimes. - ANSWER FALSE

  • After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. - ANSWER TRUE

  • The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime. - ANSWER Digital Investigations (also called the Computer Investigations group)

  • By the early 1990s, the ____ introduced training on software for forensics investigations. - ANSWER International Association of Computer Investigative Specialists (IACIS)

  • ____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. - ANSWER Data Recovery

  • ____ often work as part of a team to secure an organization's computers and networks.

  • The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure. - ANSWER TRUE

  • When you work in the enterprise digital group, you test and verify the integrity of standalone workstations and network servers. - ANSWER FALSE

  • The police blotter provides a record of clues to crimes that have been committed previously. - ANSWER TRUE

  • A forensics analysis of a 6 TB disk, for example, can take several days or weeks. - ANSWER TRUE

  • Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses. - ANSWER FALSE

  • In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery. - ANSWER configuration management

  • For labs using high-end ____ servers or a private cloud (such as Dell PowerEdge or Digital Intelligence FREDC), you must consider methods for restoring large data sets. - ANSWER RAID

  • A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing. - ANSWER disaster recovery

  • You should have at least one copy of your backups on site and a duplicate or a previous copy of your backups stored in a safe ____ facility. - ANSWER off-site

  • In the ____, you justify acquiring newer and better resources to investigate digital forensics cases. - ANSWER business case

  • ____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment. - ANSWER risk management

  • Computing components are designed to last 18 to ____ months in normal business operations. - ANSWER 36

  • Computing systems in a forensics lab should be able to process typical cases in a timely manner. - ANSWER TRUE

  • A ____ is where you conduct your investigations, store evidence, and do most of your work. - ANSWER computer forensics lab

  • If damage occurs to the floor, walls, ceilings, or furniture on your computer forensics lab, it does not need to be repaired immediately. - ANSWER FALSE

  • A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks. - ANSWER TRUE

  • Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System. - ANSWER NTFS

  • ____ was created by police officers who wanted to formalize credentials in digital investigations. - ANSWER International Association of Computer Investigative Specialists (IACIS)

  • Lab costs can be broken down into monthly, ____, and annual expenses. - ANSWER quarterly (the textbook also lists daily expenses; either may be accepted)

  • ____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed. - ANSWER Uniform crime reports

  • If your time is limited, consider using a logical acquisition or ____ acquisition data copy method. - ANSWER sparse

  • If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available. - ANSWER live

  • The most common and flexible data-acquisition method is ____. - ANSWER Disk-to-image file copy

  • Linux ISO images that can be burned to a CD or DVD are referred to as ____. - ANSWER Live CDs

  • The ____ command displays pages from the online help manual for information on Linux commands and their options. - ANSWER man

  • Image files can be reduced by as much as ____% of the original when using lossless compression. - ANSWER 50

  • Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult. - ANSWER whole disk encryption

  • Current distributions of Linux include two hashing algorithm utilities: md5sum and ____. - ANSWER sha1sum

  • You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512. - ANSWER hash

  • The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions. - ANSWER dd

  • The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions. - ANSWER dcfldd

  • Autopsy uses ____ to validate an image. - ANSWER Md5 hash
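The dd, dcfldd, md5sum and sha1sum items above describe one workflow: copy the drive block for block, hash source and image, and re-validate the raw image later at analysis time. The script below is an added example and is not part of the study guide; the "suspect drive" is a constructed 1 MiB file, and the hash-record format (a two-line text file) is an assumption made for the example.

```shell
#!/bin/sh
# Added example, not part of the study guide: a raw acquisition with dd, hash
# validation with md5sum and sha1sum (the two utilities named above), and a separate
# re-validation of the raw image at analysis time. The "suspect drive" is a constructed
# 1 MiB file, not a real device.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print only the digest from a coreutils hash tool.
digest() {             # digest <md5sum|sha1sum|sha256sum> <file>
    "$1" "$2" | cut -d' ' -f1
}

# Raw acquisition. conv=noerror keeps going past read errors; conv=sync zero-fills any
# block that could not be read so offsets in the image still match the source. Use a
# block size that divides the device (512 or 4096 bytes for a real drive) so sync
# never pads the tail and the image hashes the same as the source.
acquire() {            # acquire <source> <image>
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Acquire, record the source digests, and refuse the image unless it matches the source.
acquire_and_hash() {   # acquire_and_hash <source> <image> <hashfile>
    acquire "$1" "$2"
    printf 'md5 %s\nsha1 %s\n' "$(digest md5sum "$1")" "$(digest sha1sum "$1")" > "$3"
    [ "$(digest sha1sum "$2")" = "$(digest sha1sum "$1")" ]
}

# Manual validation at analysis time: recompute both digests and compare to the record.
validate_image() {     # validate_image <image> <hashfile>  -> prints OK or MISMATCH
    md5_stored=$(awk '$1 == "md5"  { print $2 }' "$2")
    sha1_stored=$(awk '$1 == "sha1" { print $2 }' "$2")
    if [ "$(digest md5sum "$1")" = "$md5_stored" ] && [ "$(digest sha1sum "$1")" = "$sha1_stored" ]; then
        echo OK
    else
        echo MISMATCH
    fi
}

# Constructed "suspect drive": exactly 1 MiB (256 blocks of 4096 bytes) of deterministic text.
SRC="$WORK/suspect.bin"; IMG="$WORK/suspect.dd"; HASHES="$WORK/suspect.hashes"
seq 1 200000 | head -c 1048576 > "$SRC"

acquire_and_hash "$SRC" "$IMG" "$HASHES"
STATUS_ORIGINAL=$(validate_image "$IMG" "$HASHES")

# Flip one byte in a working copy: the stored digests must now reject it.
TAMPERED="$WORK/tampered.dd"
cp "$IMG" "$TAMPERED"
printf 'X' | dd of="$TAMPERED" bs=1 seek=4096 conv=notrunc 2>/dev/null
STATUS_TAMPERED=$(validate_image "$TAMPERED" "$HASHES")

echo "image: $STATUS_ORIGINAL  tampered copy: $STATUS_TAMPERED"
```

With dcfldd the copy and the hashing happen in one pass (for example `dcfldd if=/dev/sdb of=suspect.dd hash=md5,sha1 hashlog=suspect.hashes`), but the analysis-time check is the same: recompute the digests of the image you are about to examine and compare them to what was recorded at acquisition.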

  • By using marketing to attract new customers or clients, you can justify future budgets for the lab's operation and staff. - ANSWER TRUE

  • The ANSI-ASQ National Accreditation Board (ANAB) is a wholly owned subsidiary of the American Society of Crime Laboratory Directors (ASCLD). - ANSWER TRUE

  • Chapter 5, Section 3, of the NISPOM describes the characteristics of a safe storage container. - ANSWER TRUE

  • The lab manager sets up processes for managing cases and reviews them regularly. - ANSWER TRUE

  • For daily work production, several examiners can work together in a large open area, as long as they all have different levels of authority and access needs. - ANSWER FALSE

  • The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file. - ANSWER TRUE

  • Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive. - ANSWER TRUE

  • If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available. - ANSWER FALSE

  • One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools. - ANSWER Proprietary

  • ____ records are data the system maintains, such as system log files and proxy server logs. - ANSWER computer-generated

  • Corporate investigators always have the authority to seize all computer equipment during a corporate investigation. - ANSWER FALSE

  • Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____. - ANSWER Hearsay

  • Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a ____ that a law or policy is being violated. - ANSWER reasonable suspicion

  • Confidential business data included with the criminal evidence are referred to as ____ data. - ANSWER commingled

  • The FOIA was originally enacted in the ____. - ANSWER 1960s

  • Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes. - ANSWER much easier than

  • A separate manual validation is recommended for all raw acquisitions at the time of analysis. - ANSWER TRUE

  • Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized. - ANSWER TRUE

  • In Autopsy and many other forensics tools raw format image files don't contain metadata. - ANSWER FALSE

  • Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics. - ANSWER FALSE

  • ____, or mirrored striping, is a combination of RAID 1 and RAID 0. - ANSWER RAID 10

  • ____, or mirrored striping with parity, is a combination of RAID 1 and RAID 5. - ANSWER RAID 15

  • For Windows XP, 2000, and NT servers and workstations, RAID 0 or ____ is available. - ANSWER 1

  • In ____, two or more disk drives become one large volume, so the computer views the disks as a single disk. - ANSWER RAID 0

  • Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene. - ANSWER TRUE

  • If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy. - ANSWER TRUE

  • The most common computer-related crime is check fraud. - ANSWER TRUE

  • Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which always get funding from the government or other agencies. - ANSWER TRUE

  • The type of file system an OS uses determines how data is stored on the disk. - ANSWER TRUE

  • One technique for extracting evidence from large systems is called ____. - ANSWER sparse acquisition

  • When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data. - ANSWER Department of Justice (DOJ)

  • During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system. - ANSWER Windows 9x

  • Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server. - ANSWER sniffing

  • ____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS. - ANSWER NTBootdd.sys

  • ____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the systemroot\Windows\System32\Drivers folder. - ANSWER Device Drivers

  • ____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version. - ANSWER Boot.ini

  • ____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr. - ANSWER NTDetect.com

  • ____ contains the Windows XP system service dispatch stubs to executable functions and internal support functions. - ANSWER ntdll.dll

  • A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment. - ANSWER Virtual Machine

  • ____ is a core Win32 subsystem DLL file. - ANSWER User32.dll

  • ____ is the physical address support program for accessing more than 4 GB of physical RAM. - ANSWER Ntkrnlpa.exe

  • The first 5 bytes (characters) for all MFT records are FILE. - ANSWER FALSE (Only the first 4 bytes are FILE)
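The 4-byte signature question above is easy to check directly on disk. The script below is an added example and is not from the study guide: it builds three 1024-byte MFT records inline (constructed data, not read from a real volume), reads the signature of each, and reads the in-use bit from the flags field at record offset 22. The record layout used (4-byte signature, 2-byte update sequence array offset, flags at offset 22) is the standard NTFS layout; everything else in the constructed records is left zero.

```shell
#!/bin/sh
# Added example, not part of the study guide: reading the record signature and the
# in-use flag from NTFS MFT records. The signature is exactly 4 bytes ("FILE"; "BAAD"
# marks a record NTFS found damaged); the 5th byte already belongs to the next field.
# The records below are constructed inline, not read from a real volume.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

MFT_RECORD_SIZE=1024    # default record size on most NTFS volumes

# Write one record: 4-byte signature, 2-byte offset of the update sequence array
# (0x0030, as on real volumes), 16 bytes left zero, the 2-byte flags field at
# offset 22 (bit 0 = record in use), then zero padding to the record size.
make_record() {         # make_record <outfile> <signature> <in-use: 1 or 0>
    {
        printf '%s' "$2"                              # bytes 0-3: signature
        printf '\060'                                 # byte 4: low byte of 0x0030
        dd if=/dev/zero bs=1 count=17 2>/dev/null     # byte 5 plus bytes 6-21, all zero
        if [ "$3" -eq 1 ]; then printf '\001'; else dd if=/dev/zero bs=1 count=1 2>/dev/null; fi
        dd if=/dev/zero bs=1 count=1001 2>/dev/null   # byte 23 onward, zero
    } > "$1"
}

# Print the 4-byte signature of record $2 in the MFT image $1.
record_signature() {    # record_signature <mft-image> <record-index>
    dd if="$1" bs=1 skip=$(( $2 * MFT_RECORD_SIZE )) count=4 2>/dev/null
}

# Print the low byte of the flags field (record offset 22) of record $2 as a decimal number.
record_flags() {        # record_flags <mft-image> <record-index>
    od -An -tu1 -j $(( $2 * MFT_RECORD_SIZE + 22 )) -N 1 "$1" | tr -d ' \n'
}

# Classify a record: allocated, deleted (signature intact, in-use bit clear), or damaged.
classify_record() {     # classify_record <mft-image> <record-index>
    case "$(record_signature "$1" "$2")" in
        FILE) if [ $(( $(record_flags "$1" "$2") & 1 )) -eq 1 ]; then echo allocated; else echo deleted; fi ;;
        BAAD) echo damaged ;;
        *)    echo unknown ;;
    esac
}

# Constructed MFT image with three records (not from a real volume).
MFT="$WORK/mft.bin"
make_record "$WORK/r0" FILE 1     # in use
make_record "$WORK/r1" FILE 0     # deleted: metadata still present, in-use bit clear
make_record "$WORK/r2" BAAD 0     # marked damaged by NTFS
cat "$WORK/r0" "$WORK/r1" "$WORK/r2" > "$MFT"

for i in 0 1 2; do
    echo "record $i: signature=$(record_signature "$MFT" "$i") state=$(classify_record "$MFT" "$i")"
done
# Reading 5 bytes instead of 4 picks up the first byte of the next field ("FILE0" here,
# because 0x30 is ASCII '0'), which is why the signature is defined as 4 bytes.
echo "first 5 bytes of record 0: $(dd if="$MFT" bs=1 count=5 2>/dev/null)"
```

On a real image the same reads work against the $MFT file extracted by a forensic tool, or against the raw volume at the MFT's starting cluster; a deleted file's record keeps its "FILE" signature and its attributes until the record is reused, which is what makes undeleting from NTFS metadata possible.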

  • Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence. - ANSWER TRUE

  • One way to examine a partition's physical level is to use a disk editor, such as WinHex, or Hex Workshop. - ANSWER TRUE

  • As data is added, the MFT can expand to take up 75% of the NTFS disk. - ANSWER FALSE

  • ____ refers to the number of bits in one square inch of a disk platter. - ANSWER Areal density

  • ____ is the file structure database that Microsoft originally designed for floppy disks. - ANSWER FAT

  • A ____ is a column of tracks on two or more disk platters. - ANSWER cylinder

  • ____ is how most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks. - ANSWER Zoned-bit recording (ZBR)

to a(n) ____. - ANSWER Image File

  • Magnet ____ enables you to acquire the forensic image and process it in the same step. - ANSWER AXIOM (Magnet AXIOM is an all-in-one digital forensics tool that lets you examine evidence from both computers and mobile devices in the same case)

  • To complete a forensic disk analysis and examination, you need to create a ____. - ANSWER report

  • The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems. - ANSWER IBM

  • Many password recovery tools have a feature for generating potential lists for a ____ attack. - ANSWER Password dictionary

  • The simplest method of duplicating a disk drive is using a tool that makes a direct ____ copy from the suspect disk to the target location. - ANSWER Disk-to-disk

  • A forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation is also known as a ____. - ANSWER portable workstation

  • ____ disks are commonly used with Sun Solaris systems. - ANSWER SPARC

  • In Windows 2000 and later, the ____ command shows you the file owner if you have multiple users on the system or network. - ANSWER dir

  • In general, forensics workstations can be divided into ____ categories. - ANSWER 3

  • The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software. - ANSWER NIST

  • The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible. - ANSWER ISO 5725

  • ____ can be software or hardware and are used to protect evidence disks by preventing data from being written to them. - ANSWER Write-Blockers

  • Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0 and 3.0, SATA, PATA, and SCSI controllers. - ANSWER USB

  • Typically, a virtual machine consists of just one file. - ANSWER FALSE

  • Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack. - ANSWER TRUE

  • It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows. - ANSWER TRUE

  • From a network forensics standpoint, there are no potential issues related to using virtual machines. - ANSWER FALSE

  • In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors. - ANSWER TRUE

  • When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support. - ANSWER TRUE

  • In software acquisition, there are three types of data-copying methods. - ANSWER FALSE

  • With ____, Macintosh moved to the Intel processor and became UNIX based. - ANSWER OSX

  • In older versions of macOS, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored. - ANSWER resource

  • Windows OSs do not have a kernel. - ANSWER FALSE

  • The pipe (|) character redirects the output of the command preceding it. - ANSWER TRUE

  • With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data. - ANSWER Volume Bitmap

  • On Mac OSs, the ____ stores any file information not in the MDB or Volume Control Block (VCB). - ANSWER Extents Overflow File

  • In macOS, volumes have allocation blocks and ____ blocks. - ANSWER logical

  • On older Mac OSs all information about the volume is stored in the ____. - ANSWER Master Directory Block (MDB)

  • One way to compare results and verify a new tool is by using a ____, such as Hex Workshop or WinHex. - ANSWER disk editor

  • The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____. - ANSWER National Software Reference Library (NSRL)

  • The primary hash algorithm used by the NSRL project is ____. - ANSWER SHA-

  • Software forensic tools are grouped into command-line applications and GUI applications. - ANSWER TRUE

  • The validation function is the most challenging of all tasks for computer investigators to master. - ANSWER FALSE

  • Before OS X, the Hierarchical File System (HFS) was used, in which files are stored in directories (folders) that can be nested in other directories. - ANSWER TRUE

  • The HFS and HFS+ file systems have four descriptors for the end of a file (EOF). - ANSWER FALSE

  • All disks have more storage capacity than the manufacturer states. - ANSWER TRUE

  • Ext3 is a journaling version of Ext2 that has a built-in file recovery mechanism used after a crash. - ANSWER TRUE

  • In macOS volume fragmentation is kept to a minimum by removing clumps from larger files. - ANSWER FALSE

  • Ext4 can support disk partitions as large as ____ TB. - ANSWER 16

  • ____ contain file and directory metadata and provide a mechanism for linking data stored in data blocks. - ANSWER Inodes

  • The term ____ is often used when discussing Linux because technically, Linux is only the core of the OS. - ANSWER Kernel