1. Which format does dd produce files in?
B. RAW
2. File remnants found in clusters that have been only partially
rewritten by new files are in what type of space?
B. Slack
Slack space is the space that remains when only a portion of a cluster
is used by a file.
3. Mike is looking for information about files that were changed on
a Windows system. Which of the following is least likely to contain useful
information for his investigation?
C. Event logs do not
typically contain significant amounts of information about file changes. The
Master File Table and file indexes (INDX files) both have specific information
about files, whereas volume shadow copies can help show differences between
files and locations at a point in time.
4. Alice wants to copy a drive without any chance of it being
modified by the copying process. What type of device should she use to ensure
that this does not happen?
C. A write blocker
Write blockers ensure that no changes are made to a source drive
when creating a forensic copy.
5. What two files may contain encryption keys normally stored only
in memory on a Windows system?
C. Core dumps and
encryption logs
7. Jeff is investigating a system compromise
and knows that the first event was reported on October 5th. What forensic tool
capability should he use to map other events found in logs and files to this
date?
A. A timeline
Timelines are one of the most useful tools when conducting an
investigation of a compromise or other event. F
7. During her forensic copy validation process Danielle received
the following MD5 sums from her original drive and the cloned image after using
dd. What is likely wrong?
D. An unknown change
or problem occurred.
8. Jennifer wants to perform memory analysis and forensics for
Windows, macOS, and Linux systems. Which of the following is best suited to her
needs?
D. The Volatility
Framework
The Volatility Framework is designed to work with Windows, macOS,
and Linux, and it provides in-depth memory forensics and analysis
capabilities.
9. Alex is conducting a forensic examination of a Windows system
and wants to determine if an application was installed. Where can he find the
Windows installer log files for a user named Jim?
D. C:\Windows\Jim\AppData\Local\Temp
10. Kathleen needs to find data contained in memory but only has an
image of an offline Windows system. Where does she have the best chance of
recovering the information she needs?
D. %SystemRoot%/WinDBG
11. Carl does not have the ability to capture data from a cell phone
using forensic or imaging software, and the phone does not have removable
storage. Fortunately, the phone was not set up with a PIN or screen lock. What
is his best option to ensure he can see email and other data stored
there?
D. Manual access
Manual access is used when phones cannot be forensically imaged
or accessed as a volume or filesystem.
13. What forensic issue might the presence of a program like
CCleaner indicate?
A. CCleaner is a PC
cleanup utility that wipes Internet history, destroys cookies and other cached
data, and can impede forensic investigations. CCleaner may be an indication of
intentional anti-forensic activities on a system. It is not a full disk
encryption tool or malware packer, nor will it modify MAC times.
14. Which of the following is not a potential issue with live
imaging of a system?
Remnant data from the
imaging tool
15. During his investigation, Jeff, a certified forensic examiner,
is provided with a drive image created by an IT staff member and is asked to
add it to his forensic case. What is the most important issue Jeff could
encounter if the case goes to court?
D. Inability to
certify chain of custody
16. Jeff is investigating a system that is running malware that he
believes encrypts its data on the drive. What process should he use to have the
best chance of viewing that data in an unencrypted form?
Live imaging
Imaging the system while the program is live has the best
probability of allowing Jeff to capture the encryption keys or decrypted
data from memory.
17. Susan has been asked to identify the applications that start
when a Windows system does. Where should she look first?
C. The Registry
18. During a forensic investigation Ben asks Chris to sit with him
and to sign off on the actions he has taken. What is he doing?
Maintaining chain of
custody
19. Which tool is not commonly used to generate the hash of a forensic copy?
D. AES
While AES does have a hashing mode, MD5, SHA1, and built-in
hashing tools in FTK and other commercial tools are more commonly
used for forensic hashes.
19. Which of the following Linux command-line tools will show you
how much disk space is in use?
B. df