CIS 562 Week 11 Final Exam – Strayer New
Click On The Link Below To Purchase A+ Graded Material
Instant Download
http://budapp.net/CIS-562-Final-Exam-Week-11-Strayer-NEW-CIS562W11E.htm
Chapters 7 Through 16
Chapter 7: Current Computer Forensics Tools
TRUE/FALSE
1. When you research computer forensics tools, strive for versatile, flexible, and
robust tools that provide technical support.
2. In software acquisition, there are three types of data-copying methods.
3. To help determine what computer forensics tool to purchase, a comparison table of
functions, subfunctions, and vendor products is useful.
4. The Windows platforms have long been the primary command-line interface OSs.
5. After retrieving and examining evidence data with one tool, you should verify your
results by performing the same tasks with other similar forensics tools.
MULTIPLE CHOICE
1. Computer forensics tools are divided into ____ major categories.
a. 2 c. 4
b. 3 d. 5
2. Software forensics tools are commonly used to copy data from a suspect’s disk drive
to a(n) ____.
a. backup file c. image file
b. firmware d. recovery copy
3. Making a disk acquisition with En.exe requires only a PC running ____ with a 12-
volt power connector and an IDE, a SATA, or a SCSI connector cable.
a. UNIX c. Linux
b. MAC OS X d. MS-DOS
4. Raw data is a direct copy of a disk drive. An example of a Raw image is output from
the UNIX/Linux ____ command.
a. rawcp c. d2dump
b. dd d. dhex
5. ____ of data involves sorting and searching through all investigation data.
a. Validation c. Acquisition
b. Discrimination d. Reconstruction
6. Many password recovery tools have a feature that allows generating potential lists for
a ____ attack.
a. brute-force c. birthday
b. password dictionary d. salting
7. The simplest method of duplicating a disk drive is using a tool that does a direct ____
copy from the original disk to the target disk.
a. partition-to-partition c. disk-to-disk
b. image-to-partition d. image-to-disk
8. To complete a forensic disk analysis and examination, you need to create a ____.
a. forensic disk copy c. budget plan
b. risk assessment d. report
9. The first tools that analyzed and extracted data from floppy disks and hard disks were
MS-DOS tools for ____ PC file systems.
a. Apple c. Commodore
b. Atari d. IBM
10. In Windows 2000 and XP, the ____ command shows you the owner of a file if you
have multiple users on the system or network.
a. Dir c. Copy
b. ls d. owner
11. In general, forensics workstations can be divided into ____ categories.
a. 2 c. 4
b. 3 d. 5
12. A forensics workstation consisting of a laptop computer with a built-in LCD monitor
and almost as many bays and peripherals as a stationary workstation is also known as
a ____.
a. stationary workstation c. lightweight workstation
b. field workstation d. portable workstation
13. ____ is a simple drive-imaging station.
a. F.R.E.D. c. FIRE IDE
b. SPARC d. DiskSpy
14. ____ can be software or hardware and are used to protect evidence disks by
preventing you from writing any data to the evidence disk.
a. Drive-imaging c. Workstations
b. Disk editors d. Write-blockers
15. Many vendors have developed write-blocking devices that connect to a computer
through FireWire, ____ 2.0, and SCSI controllers.
a. USB c. LCD
b. IDE d. PCMCIA
16. The ____ publishes articles, provides tools, and creates procedures for testing and
validating computer forensics software.
a. CFTT c. FS-TST
b. NIST d. NSRL
17. The standards document, ____, demands accuracy for all aspects of the testing
process, meaning that the results must be repeatable and reproducible.
a. ISO 3657 c. ISO 5725
b. ISO 5321 d. ISO 17025
18. The NIST project that has as a goal to collect all known hash values for commercial
software applications and OS files is ____.
a. NSRL c. FS-TST
b. CFTT d. PARTAB
19. The primary hash algorithm used by the NSRL project is ____.
a. MD5 c. CRC-32
b. SHA-1 d. RC4
20. One way to compare your results and verify your new forensic tool is by using a
____, such as HexWorkshop, or WinHex.
a. disk imager c. bit-stream copier
b. write-blocker d. disk editor
21. Although a disk editor gives you the most flexibility in ____, it might not be capable
of examining a ____ file’s contents.
a. testing, compressed c. testing, pdf
b. scanning, text d. testing, doc
COMPLETION
1. Software forensic tools are grouped into command-line applications and
____________________ applications.
2. The Windows application of EnCase requires a(n) ____________________ device,
such as FastBloc, to prevent Windows from accessing and corrupting a suspect disk
drive.
3. The ____________________ function is the most demanding of all tasks for
computer investigators to master.
4. Because there are a number of different versions of UNIX and Linux, these platforms
are referred to as ____________________ platforms.
5. Hardware manufacturers have designed most computer components to last about
____________________ months between failures.
MATCHING
Match each item with a statement below
a. JFIF f. PDBlock
b. Lightweight workstation g. Norton DiskEdit
c. Pagefile.sys h. Stationary workstation
d. Salvaging i. SafeBack
e. Raw data
1. letters embedded near the beginning of all JPEG files
2. European term for carving
3. a direct copy of a disk drive
4. usually a laptop computer built into a carrying case with a small selection of
peripheral options
5. one of the first MS-DOS tools used for a computer investigation
6. software-enabled write-blocker
7. system file where passwords may have been written temporarily
8. a tower with several bays and many peripheral devices
9. command-line disk acquisition tool from New Technologies, Inc.
SHORT ANSWER
1. What are the five major function categories of any computer forensics tool?
2. Explain the validation of evidence data process.
3. What are some of the advantages of using command-line forensics tools?
4. Explain the advantages and disadvantages of GUI forensics tools.
5. Illustrate how to consider hardware needs when planning your lab budget.
6. Describe some of the problems you may encounter if you decide to build your own
forensics workstation.
7. Illustrate the use of a write-blocker on a Windows environment.
8. Briefly explain the NIST general approach for testing computer forensics tools.
9. Explain the difference between repeatable results and reproducible results.
10. Briefly explain the purpose of the NIST NSRL project.
Chapter 8: Macintosh and Linux Boot Processes and File Systems
TRUE/FALSE
1. If a file contains information, it always occupies at least one allocation block.
2. Older Macintosh computers use the same type of BIOS firmware commonly found in
PC-based systems.
3. GPL and BSD variations are examples of open-source software.
4. A UNIX or Linux computer has two boot blocks, which are located on the main hard
disk.
5. Under ISO 9660 for DVDs, the Micro-UDF (M-UDF) function has been added to
allow for long filenames.
MULTIPLE CHOICE
1. Macintosh OS X is built on a core called ____.
a. Phantom c. Darwin
b. Panther d. Tiger
2. In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a
____ fork, where file metadata and application information are stored.
a. resource c. blocks
b. node d. inodes
3. The maximum number of allocation blocks per volume that File Manager can access
on a Mac OS system is ____.
a. 32,768 c. 58,745
b. 45,353 d. 65,535
4. On older Macintosh OSs all information about the volume is stored in the ____.
a. Master Directory Block (MDB) c. Extents Overflow File (EOF)
b. Volume Control Block (VCB) d. Volume Bitmap (VB)
5. With Mac OSs, a system application called ____ tracks each block on a volume to
determine which blocks are in use and which ones are available to receive data.
a. Extents overflow file c. Master Directory Block
b. Volume Bitmap d. Volume Control Block
6. On Mac OSs, File Manager uses the ____ to store any information not in the MDB or
Volume Control Block (VCB).
a. volume information block c. catalog
b. extents overflow file d. master directory block
7. Linux is probably the most consistent UNIX-like OS because the Linux kernel is
regulated under the ____ agreement.
a. AIX c. GPL
b. BSD d. GRUB
8. The standard Linux file system is ____.
a. NTFS c. HFS+
b. Ext3fs d. Ext2fs
9. Ext2fs can support disks as large as ____ TB and files as large as 2 GB.
a. 4 c. 10
b. 8 d. 12
10. Linux is unique in that it uses ____, or information nodes, that contain descriptive
information about each file or directory.
a. xnodes c. infNodes
b. extnodes d. inodes
11. To find deleted files during a forensic investigation on a Linux computer, you search
for inodes that contain some data and have a link count of ____.
a. -1 c. 1
b. 0 d. 2
12. ____ components define the file system on UNIX.
a. 2 c. 4
b. 3 d. 5
13. The final component in the UNIX and Linux file system is a(n) ____, which is where
directories and files are stored on a disk drive.
a. superblock c. boot block
b. data block d. inode block
14. LILO uses a configuration file named ____ located in the /etc directory.
a. Lilo.conf c. Lilo.config
b. Boot.conf d. Boot.config
15. Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of
OSs.
a. 1989 c. 1994
b. 1991 d. 1995
16. On a Linux computer, ____ is the path for the first partition on the primary master
IDE disk drive.
a. /dev/sda1 c. /dev/hda1
b. /dev/hdb1 d. /dev/ide1
17. There are ____ tracks available for the program area on a CD.
a. 45 c. 99
b. 50 d. 100
18. The ____ provides several software drivers that allow communication between the OS
and the SCSI component.
a. International Organization of Standardization (ISO)
b. Advanced SCSI Programming Interface (ASPI)
c. CLV
d. EIDE
19. All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133
IDE and EIDE disk drives use the standard ____ ribbon or shielded cable.
a. 40-pin c. 80-pin
b. 60-pin d. 120-pin
20. ATA-66, ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable.
a. 70 c. 96
b. 83 d. 100
21. The IDE ATA controller on an old 486 PC doesn’t recognize disk drives larger than 8.4
____.
a. KB c. GB
b. MB d. TB
COMPLETION
1. Before OS X, Macintosh uses the ____________________, in which files are stored
in directories, or folders, that can be nested in other folders.
2. The Macintosh file system has ____________________ descriptors for the end of file
(EOF).
3. ____________________ is a journaling version of Ext2fs that reduces file recovery
time after a crash.
4. When you turn on the power to a UNIX workstation, instruction code located in
firmware on the system’s CPU loads into RAM. This firmware is called
____________________ code because it’s located in ROM.
5. CD players that are 12X or faster read discs by using a(n) _____________________
system.
MATCHING
Match each item with a statement below
a. File Manager f. Volume
b. Inode blocks g. ls
c. ISO 9660 h. Catalog
d. LILO i. Finder
e. Clumps
1. older Linux boot manager utility
2. Macintosh tool that works with the OS to keep track of files and maintain users’
desktops
3. any storage medium used to store files
4. the list command on Linux
5. maintains relationships between files and directories on a volume on a Mac OS
6. the first data after the superblock on a UNIX or Linux file system
7. ISO standard for CDs
8. Mac OS utility that handles reading, writing, and storing data to physical media
9. groups of contiguous allocation blocks
SHORT ANSWER
1. Explain the relation between allocation blocks and logical blocks on a Mac OS file
system.
2. Explain the use of B*-trees on Mac OS 9 file system.
3. Explain the use of forensic tools for Macintosh systems.
4. What are the functions of the superblock on a UNIX or Linux file system?
5. What is a bad block inode on Linux?
6. What is a continuation inode?
7. Describe the CD creation process.
8. Write a brief history of SCSI.
9. Explain the problems you can encounter with pre-ATA-33 devices when connecting
them to current PCs.
10. What problems can hidden partitions on IDE devices cause to forensic investigators?
Chapter 9: Computer Forensics Analysis and Validation
TRUE/FALSE
1. The defense request for full discovery of digital evidence applies only to criminal
cases in the United States.
2. For target drives, use only recently wiped media that have been reformatted and
inspected for computer viruses.
3. FTK cannot perform forensics analysis on FAT12 file systems.
4. FTK cannot analyze data from image files from other vendors.
5. A nonsteganographic graphics file has a different size than an identical
steganographic graphics file.
MULTIPLE CHOICE
1. ____ increases the time and resources needed to extract, analyze, and present evidence.
a. Investigation plan c. Litigation path
b. Scope creep d. Court order for discovery
2. You begin any computer forensics case by creating a(n) ____.
a. investigation plan c. evidence custody form
b. risk assessment report d. investigation report
3. In civil and criminal cases, the scope is often defined by search warrants or ____,
which specify what data you can recover.
a. risk assessment reports c. scope creeps
b. investigation plans d. subpoenas
4. FTK offers ____ searching options for keywords.
a. 2 c. 4
b. 3 d. 5
5. ____ search can locate items such as text hidden in unallocated space that might not
turn up in an indexed search.
a. Online c. Active
b. Inline d. Live
6. The ____ search feature allows you to look for words with extensions such as
“ing,” “ed,” and so forth.
a. fuzzy c. permutation
b. stemming d. similar-sounding
7. In FTK ____ search mode, you can also look for files that were accessed or changed
during a certain time period.
a. live c. active
b. indexed d. inline
8. FTK and other computer forensics programs use ____ to tag and document digital
evidence.
a. tracers c. bookmarks
b. hyperlinks d. indents
9. Getting a hash value with a ____ is much faster and easier than with a(n) ____.
a. high-level language, assembler
b. HTML editor, hexadecimal editor
c. computer forensics tool, hexadecimal editor
d. hexadecimal editor, computer forensics tool
10. AccessData ____ compares known file hash values to files on your evidence drive or
image files to see whether they contain suspicious data.
a. KFF c. NTI
b. PKFT d. NSRL
11. Data ____ involves changing or manipulating a file to conceal information.
a. recovery c. integrity
b. creep d. hiding
12. One way to hide partitions is to create a partition on a disk, and then use a disk editor
such as ____ to manually delete any reference to it.
a. Norton DiskEdit c. System Commander
b. PartitionMagic d. LILO
13. The marking-bad-clusters data-hiding technique is more common with ____ file systems.
a. NTFS c. HFS
b. FAT d. Ext2fs
14. The term ____ comes from the Greek word for “hidden writing.”
a. creep c. escrow
b. steganography d. hashing
15. ____ is defined as the art and science of hiding messages in such a way that only the
intended recipient knows the message is there.
a. Bit shifting c. Marking bad clusters
b. Encryption d. Steganography
16. Many commercial encryption programs use a technology called ____, which is
designed to recover encrypted data if users forget their passphrases or if the user key
is corrupted after a system data failure.
a. steganography c. password backup
b. key escrow d. key splitting
17. People who want to hide data can also use advanced encryption programs, such as
PGP or ____.
a. NTI c. FTK
b. BestCrypt d. PRTK
18. ____ recovery is a fairly easy task in computer forensic analysis.
a. Data c. Password
b. Partition d. Image
19. ____ attacks use every possible letter, number, and character found on a keyboard
when cracking a password.
a. Brute-force c. Profile
b. Dictionary d. Statistics
20. ____ are handy when you need to image the drive of a computer far away from your
location or when you don’t want a suspect to be aware of an ongoing investigation.
a. Scope creeps c. Password recovery tools
b. Remote acquisitions d. Key escrow utilities
21. ____ is a remote access program for communication between two computers. The
connection is established by using the DiskExplorer program (FAT or NTFS)
corresponding to the suspect (remote) computer’s file system.
a. HDHOST c. DiskEdit
b. DiskHost d. HostEditor
COMPLETION
1. For most law-enforcement-related computing investigations, the investigator is
limited to working with data defined in the search ____________________.
2. FTK provides two options for searching for keywords: indexed search and
____________________ search.
3. ____________________ search catalogs all words on the evidence disk so that FTK
can find them quickly.
4. To generate reports with the FTK ReportWizard, first you need to
____________________ files during an examination.
5. The data-hiding technique ____________________ changes data from readable code
to data that looks like binary executable code.
MATCHING
Match each item with a statement below
a. Court orders for discovery f. PRTK
b. Investigation plan g. Validating digital evidence
c. Digital Intelligence PDWipe h. MD5
d. Live search i. System Commander
e. Cabinet
1. defines the investigation’s goal and scope, the materials needed, and the tasks to
perform
2. a hashing algorithm
3. one of the most critical aspects of computer forensics
4. a type of compressed file
5. an FTK searching option
6. a password recovery program available from AccessData
7. a disk-partitioning utility
8. program used to clean all data from the target drive you plan to use
9. limit a civil investigation
SHORT ANSWER
1. Describe the effects of scope creep on an investigation in the corporate environment.
2. Describe with examples why the approach you take for a forensics case depends
largely on the specific type of case you’re investigating.
3. How should you approach a case in which an employee is suspected of industrial
espionage?
4. What are the file systems supported by FTK for forensic analysis?
5. How does the Known File Filter program work?
6. How can you validate the integrity of raw format image files with ProDiscover?
7. How can you hide data by marking bad clusters?
8. Briefly describe how to use steganography for creating digital watermarks.
9. What are the basic guidelines to identify steganography files?
10. Briefly describe the differences between brute-force attacks and dictionary attacks to
crack passwords.
Chapter 10: Recovering Graphics Files
TRUE/FALSE
1. Bitmap images are collections of dots, or pixels, that form an image.
PTS: 1 REF: 398
2. Operating systems do not have tools for recovering image files.
PTS: 1 REF: 405
3. If a graphics file is fragmented across areas on a disk, first you must recover all the
fragments to re-create the file.
PTS: 1 REF: 405
4. With many computer forensics tools, you can open files with external viewers.
PTS: 1 REF: 425
5. Steganography cannot be used with file formats other than image files.
PTS: 1 REF: 428
MULTIPLE CHOICE
1. ____ are based on mathematical instructions that define lines, curves, text, ovals, and
other geometric shapes.
a. Bitmap images c. Vector graphics
b. Metafile graphics d. Line-art images
PTS: 1 REF: 398
2. You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
a. graphics viewers c. image viewers
b. image readers d. graphics editors
PTS: 1 REF: 398
3. ____ images store graphics information as grids of individual pixels.
a. Bitmap c. Vector
b. Raster d. Metafiles
PTS: 1 REF: 398
4. The process of converting raw picture data to another format is referred to as ____.
a. JEIDA c. demosaicing
b. rastering d. rendering
PTS: 1 REF: 401
5. The majority of digital cameras use the ____ format to store digital pictures.
a. EXIF c. PNG
b. TIFF d. GIF
PTS: 1 REF: 401
6. ____ compression compresses data by permanently discarding bits of information in
the file.
a. Redundant c. Huffman
b. Lossy d. Lossless
PTS: 1 REF: 404
7. Recovering pieces of a file is called ____.
a. carving c. saving
b. slacking d. rebuilding
PTS: 1 REF: 405
8. A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10.
a. EPS c. GIF
b. BMP d. JPEG
PTS: 1 REF: 408
9. If you can’t open an image file in an image viewer, the next step is to examine the
file’s ____.
a. extension c. header data
b. name d. size
PTS: 1 REF: 414
10. The uppercase letter ____ has a hexadecimal value of 41.
a. “A” c. “G”
b. “C” d. “Z”
PTS: 1 REF: 417
11. The image format XIF is derived from the more common ____ file format.
a. GIF c. BMP
b. JPEG d. TIFF
PTS: 1 REF: 423
12. The simplest way to access a file header is to use a(n) ____ editor.
a. hexadecimal c. disk
b. image d. text
PTS: 1 REF: 423
13. The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of
5C01 0000 2065 5874 656E 6465 6420 03.
a. TIFF c. JPEG
b. XIF d. GIF
PTS: 1 REF: 425
14. ____ is the art of hiding information inside image files.
a. Steganography c. Graphie
b. Steganalysis d. Steganos
PTS: 1 REF: 425
15. ____ steganography places data from the secret file into the host file without
displaying the secret data when you view the host file in its associated program.
a. Replacement c. Substitution
b. Append d. Insertion
PTS: 1 REF: 426
16. ____ steganography replaces bits of the host file with other bits of data.
a. Insertion c. Substitution
b. Replacement d. Append
PTS: 1 REF: 426
17. In the following list, ____ is the only steg tool.
a. EnCase c. DriveSpy
b. iLook d. Outguess
PTS: 1 REF: 429
18. ____ has also been used to protect copyrighted material by inserting digital
watermarks into a file.
a. Encryption c. Compression
b. Steganography d. Archiving
PTS: 1 REF: 430
19. When working with image files, computer investigators also need to be aware of ____
laws to guard against copyright violations.
a. international c. copyright
b. forensics d. civil
PTS: 1 REF: 430
20. Under copyright laws, computer programs may be registered as ____.
a. literary works c. architectural works
b. motion pictures d. audiovisual works
PTS: 1 REF: 430
21. Under copyright laws, maps and architectural plans may be registered as ____.
a. pantomimes and choreographic works c. literary works
b. artistic works d. pictorial, graphic, and sculptural works
PTS: 1 REF: 430
COMPLETION
1. A graphics program creates and saves one of three types of image files: bitmap,
vector, or ____________________.
2. ____________________ is the process of coding data from a larger form to a
smaller form.
3. The ____________________ is the best source for learning more about file formats
and their associated extensions.
4. All ____________________ files start at position zero (offset 0 is the first byte of a
file) with hexadecimal 49 49 2A.
5. The two major forms of steganography are ____________________ and substitution.
MATCHING
Match each item with a statement below
a. Pixels f. Steganalysis tools
b. Hex Workshop g. GIMP
c. Adobe Illustrator h. XIF
d. Microsoft Office Picture Manager i. Metafile graphics
e. JPEG
1. drawing program that creates vector files
2. Gnome graphics editor
3. image format derived from the TIFF file format
4. combinations of bitmap and vector images
5. short for “picture elements”
6. are also called steg tools
7. graphics file format that uses lossy compression
8. tool used to rebuild image file headers
9. Microsoft image viewer
SHORT ANSWER
1. Briefly describe the Exchangeable Image File (EXIF) format.
2. Explain how lossless compression relates to image file formats.
3. How does vector quantization (VQ) compress data?
4. Explain how someone can use a disk editor tool to mark clusters as “bad” clusters.
5. Identify and describe some image viewers.
6. Write a brief history of steganography.
7. Describe how to hide information on an 8-bit bitmap image file using substitution
steganography.
8. Explain how steganalysis tools work.
9. Give a brief overview of copyright laws pertaining to graphics within and outside the
U.S.
10. Present a list of categories covered under copyright laws in the U.S.
Chapter 11: Virtual Machines, Network Forensics, and Live Acquisitions
TRUE/FALSE
1. When intruders break into a network, they rarely leave a trail behind.
PTS: 1 REF: 442
2. Network forensics is a fast, easy process.
PTS: 1 REF: 447
3. PsList from PsTools allows you to list detailed information about processes.
PTS: 1 REF: 450
4. With the Knoppix STD tools on a portable CD, you can examine almost any network
system.
PTS: 1 REF: 451
5. Ngrep cannot be used to examine e-mail headers or IRC chats.
PTS: 1 REF: 455
MULTIPLE CHOICE
1. ____ can help you determine whether a network is truly under attack or a user has
inadvertently installed an untested patch or custom program.
a. Broadcast forensics c. Computer forensics
b. Network forensics d. Traffic forensics
PTS: 1 REF: 442
2. ____ hide the most valuable data at the innermost part of the network.
a. Layered network defense strategies c. Protocols
b. Firewalls d. NAT
PTS: 1 REF: 442
3. ____ forensics is the systematic tracking of incoming and outgoing traffic on your
network.
a. Network c. Criminal
b. Computer d. Server
PTS: 1 REF: 442
4. ____ can be used to create a bootable forensic CD and perform a live acquisition.
a. Helix c. Inquisitor
b. DTDD d. Neon
PTS: 1 REF: 445
5. Helix operates in two modes: Windows Live (GUI or command line) and ____.
a. command Windows c. command Linux
b. remote GUI d. bootable Linux
PTS: 1 REF: 445
6. A common way of examining network traffic is by running the ____ program.
a. Netdump c. Coredump
b. Slackdump d. Tcpdump
PTS: 1 REF: 448
7. ____ is a suite of tools created by Sysinternals.
a. EnCase c. R-Tools
b. PsTools d. Knoppix
PTS: 1 REF: 450
8. ____ is a Sysinternals command that shows all Registry data in real time on a
Windows computer.
a. PsReg c. RegMon
b. RegExplorer d. RegHandle
PTS: 1 REF: 450
9. The PSTools ____ kills processes by name or process ID.
a. PsExec c. PsKill
b. PsList d. PsShutdown
PTS: 1 REF: 450
10. ____ is a popular network intrusion detection system that performs packet capture and
analysis in real time.
a. Ethereal c. Tcpdump
b. Snort d. john
PTS: 1 REF: 451
11. ____ is the U.S. DoD computer forensics lab’s version of the dd command that comes
with Knoppix-STD.
a. chntpw c. memfetch
b. john d. dcfldd
PTS: 1 REF: 451
12. The Knoppix STD tool ____ enables you to reset passwords on a Windows computer,
including the administrator password.
a. chntpw c. oinkmaster
b. john d. memfetch
PTS: 1 REF: 451
13. ____ are devices and/or software placed on a network to monitor traffic.
a. Packet sniffers c. Hubs
b. Bridges d. Honeypots
PTS: 1 REF: 454
14. Most packet sniffers operate on layer 2 or ____ of the OSI model.
a. 1 c. 5
b. 3 d. 7
PTS: 1 REF: 454
15. Most packet sniffer tools can read anything captured in ____ format.
a. SYN c. PCAP
b. DOPI d. AIATP
PTS: 1 REF: 455
16. In a(n) ____ attack, the attacker keeps asking your server to establish a connection.
a. SYN flood c. brute-force attack
b. ACK flood d. PCAP attack
PTS: 1 REF: 455
17. ____ is the text version of Ethereal, a packet sniffer tool.
a. Tcpdump c. Etherape
b. Ethertext d. Tethereal
PTS: 1 REF: 455
18. ____ is a good tool for extracting information from large Libpcap files.
a. Nmap c. Pcap
b. Tcpslice d. TCPcap
PTS: 1 REF: 455
19. The ____ Project was developed to make information widely available in an attempt
to thwart Internet and network hackers.
a. Honeynet c. Honeywall
b. Honeypot d. Honeyweb
PTS: 1 REF: 458
20. Machines used in a DDoS are known as ____ simply because they have unwittingly
become part of the attack.
a. ISPs c. zombies
b. soldiers d. pawns
PTS: 1 REF: 458
21. A ____ is a computer set up to look like any other machine on your network, but it
lures the attacker to it.
a. honeywall c. honeynet
b. honeypot d. honeyhost
PTS: 1 REF: 459
COMPLETION
1. ____________________ is a layered network defense strategy developed by the
National Security Agency (NSA).
2. The term ____________________ means how long a piece of information lasts on a
system.
3. ____________________ logs record traffic in and out of a network.
4. The PSTools ____________________ tool allows you to suspend processes.
ANS: PsSuspend
5. The U.K. Honeynet Project has created the ____________________. It contains the
honeywall and honeypot on a bootable memory stick.
MATCHING
Match each item with a statement below
a. Cyberforensics f. Trojan horse
b. Ethereal g. Knoppix
c. Tripwire h. PsShutdown
d. PsGetSid i. oinkmaster
e. PsLoggedOn
1. displays who’s logged on locally
2. displays the security identifier (SID) of a computer or user
3. an audit control program that detects anomalies in traffic and sends an alert
automatically
4. usually refers to network forensics
5. a bootable Linux CD intended for computer and network forensics
6. shuts down and optionally restarts a computer
7. helps manage snort rules so that you can specify what items to ignore as regular
traffic and what items should raise alarms
8. a network analysis tool
9. type of malware
SHORT ANSWER
1. Why is testing networks as important as testing servers?
2. When are live acquisitions useful?
3. What is the general procedure for a live acquisition?
4. Detail a standard procedure for network forensics investigations.
5. How should you proceed if your network forensic investigation involves other
companies?
6. Describe some of the Windows tools available at Sysinternals.
7. What are some of the tools included with the PSTools suite?
8. What is Knoppix-STD?
9. What are some of the tools included with Knoppix STD?
10. Explain The Auditor tool.
Chapter 12: E-mail Investigations
TRUE/FALSE
1. For computer investigators, tracking intranet e-mail is relatively easy because the
accounts use standard names established by the network or e-mail administrator.
PTS: 1 REF: 470
2. You can always rely on the return path in an e-mail header to show the source account
of an e-mail message.
PTS: 1 REF: 482
3. E-mail programs either save e-mail messages on the client computer or leave them on
the server.
PTS: 1 REF: 483
4. All e-mail servers are databases that store multiple users’ e-mails.
PTS: 1 REF: 485
5. Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.
PTS: 1 REF: 489
MULTIPLE CHOICE
1. E-mail messages are distributed from one central server to many connected client
computers, a configuration called ____.
a. client/server architecture c. client architecture
b. central distribution architecture d. peer-to-peer architecture
PTS: 1 REF: 469
2. In an e-mail address, everything after the ____ symbol represents the domain name.
a. c. @
b. . d. -
PTS: 1 REF: 470
3. With many ____ e-mail programs, you can copy an e-mail message by dragging the
message to a storage medium, such as a folder or disk.
a. command-line c. prompt-based
b. shell-based d. GUI
PTS: 1 REF: 472
4. When working in a Windows environment, you can press ____ to copy the selected
text to the clipboard.
a. Ctrl+A c. Ctrl+V
b. Ctrl+C d. Ctrl+Z
PTS: 1 REF: 473
5. To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and
then click ____ to open the Message Options dialog box. The Internet headers text
box at the bottom of the dialog box contains the message header.
a. Options c. Properties
b. Details d. Message Source
PTS: 1 REF: 473
6. To retrieve an Outlook Express e-mail header, right-click the message, and then click
____ to open a dialog box showing general information about the message.
a. Properties c. Details
b. Options d. Message Source
PTS: 1 REF: 473
7. For older UNIX applications, such as mail or mailx, you can print the e-mail headers
by using the ____ command.
a. prn c. prnt
b. print d. prt
PTS: 1 REF: 477
8. To view AOL e-mail headers click Action, ____ from the menu.
a. More options c. Options
b. Message properties d. View Message Source
PTS: 1 REF: 478
9. To view e-mail headers on Yahoo! click the ____ link in the Mail Options window,
and then click Show all headers on incoming messages.
a. Advanced c. Message Properties
b. General Preferences d. More information
PTS: 1 REF: 480
10. In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a
file with a file extension of ____.
a. .ost c. .msg
b. .eml d. .pst
PTS: 1 REF: 483
11. ____ is a comprehensive Web site that has options for searching for a suspect,
including by e-mail address, phone numbers, and names.
a. www.freeality.com c. www.whatis.com
b. www.google.com d. www.juno.com
PTS: 1 REF: 484
12. ____ allocates space for a log file on the server, and then starts overwriting from the
beginning when logging reaches the end of the time frame or the specified log size.
a. Continuous logging c. Circular logging
b. Automatic logging d. Server logging
PTS: 1 REF: 485
13. The files that provide helpful information to an e-mail investigation are log files and
____ files.
a. batch c. scripts
b. configuration d. .rts
PTS: 1 REF: 487
14. ____ contains configuration information for Sendmail, allowing the investigator to
determine where the log files reside.
a. /etc/sendmail.cf c. /etc/var/log/maillog
b. /etc/syslog.conf d. /var/log/maillog
PTS: 1 REF: 487
15. Typically, UNIX installations are set to store logs such as maillog in the ____
directory.
a. /etc/Log c. /etc/var/log
b. /log d. /var/log
PTS: 1 REF: 488
16. Exchange logs information about changes to its data in a(n) ____ log.
a. checkpoint c. transaction
b. communication d. tracking
PTS: 1 REF: 489
17. In Exchange, to prevent loss of data from the last backup, a ____ file or marker is
inserted in the transaction log to mark the last point at which the database was written
to disk.
a. tracking c. temporary
b. checkpoint d. milestone
PTS: 1 REF: 489
18. The Novell e-mail server software is called ____.
a. Sendmail c. Sawmill
b. GroupWise d. Guardian
PTS: 1 REF: 491
19. GroupWise has ____ ways of organizing the mailboxes on the server.
a. 2 c. 4
b. 3 d. 5
PTS: 1 REF: 491
20. The GroupWise logs are maintained in a standard log format in the ____ folders.
a. MIME c. QuickFinder
b. mbox d. GroupWise
PTS: 1 REF: 491
21. Some e-mail systems store messages in flat plaintext files, known as a(n) ____
format.
a. POP3 c. MIME
b. mbox d. SMTP
PTS: 1 REF: 500
COMPLETION
1. You can send and receive e-mail in two environments: via the
____________________ or an intranet (an internal network).
2. An e-mail address in the Return-Path line of an e-mail header is usually indicated as
the ____________________ field in an e-mail message.
3. Administrators usually set e-mail servers to ____________________ logging mode.
4. In UNIX e-mail servers, the ____________________ file simply specifies where to
save different types of e-mail log files.
5. Vendor-unique e-mail file systems, such as Microsoft .pst or .ost, typically use
____________________ formatting, which can be difficult to read with a text or
hexadecimal editor.
MATCHING
Match each item with a statement below:
a. Contacts f. Notepad
b. Pico g. CISCO Pix
c. syslogd file h. www.whatis.com
d. www.arin.net i. Pine
e. PU020101.db
1. Web site to check file extensions and match the file to a program
2. command line e-mail program used with UNIX
3. text editor used with Windows
4. the first folder the GroupWise server shares
5. text editor used with UNIX
6. the electronic address book in Outlook
7. a network firewall device
8. a registry Web site
9. includes e-mail logging instructions
SHORT ANSWER
1. Describe how e-mail account names are created on an intranet environment.
2. Describe the process of examining e-mail messages when you have access to the
victim’s computer and when this access is not possible.
3. What are the steps for retrieving e-mail headers on Pine?
4. What are the steps for viewing e-mail headers in Hotmail?
5. What kind of information can you find in an e-mail header?
6. Explain how to handle attachments during an e-mail investigation.
7. Why are network router logs important during an e-mail investigation?
8. What kind of information is normally included in e-mail logs?
9. Provide a brief description of Microsoft Exchange Server. Additionally, explain the
differences between .edb and .stm files.
10. Briefly explain how to use AccessData FTK to recover e-mails.
Chapter 13: Cell Phone and Mobile Device Forensics
TRUE/FALSE
1. Many people store more information on their cell phones than they do on their
computers.
PTS: 1 REF: 514
2. Investigating cell phones and mobile devices is a relatively easy task in digital
forensics.
PTS: 1 REF: 514
3. TDMA can operate in the cell phone (800 to 1000 MHz) or PCS (1900 MHz)
frequency.
PTS: 1 REF: 516
4. Typically, phones developed for use on a GSM network are compatible with phones
designed for a CDMA network.
PTS: 1 REF: 516
5. Portability of information is what makes SIM cards so versatile.
PTS: 1 REF: 517
MULTIPLE CHOICE
1. Developed during WWII, this technology, ____, was patented by Qualcomm after the
war.
a. iDEN c. GSM
b. CDMA d. EDGE
PTS: 1 REF: 515
2. The ____ digital network divides a radio frequency into time slots.
a. TDMA c. FDMA
b. CDMA d. EDGE
PTS: 1 REF: 515
3. The ____ network is a digital version of the original analog standard for cell phones.
a. TDMA c. CDMA
b. EDGE d. D-AMPS
PTS: 1 REF: 515
4. The ____ digital network, a faster version of GSM, is designed to deliver data.
a. TDMA c. EDGE
b. iDEN d. D-AMPS
PTS: 1 REF: 515
5. TDMA refers to the ____ standard, which introduced sleep mode to enhance battery
life.
a. IS-136 c. IS-236
b. IS-195 d. IS-361
PTS: 1 REF: 516
6. Typically, phones store system data in ____, which enables service providers to
reprogram phones without having to physically access memory chips.
a. EROM c. EEPROM
b. PROM d. ROM
PTS: 1 REF: 517
7. ____ cards are found most commonly in GSM devices and consist of a
microprocessor and from 16 KB to 4 MB of EEPROM.
a. SD c. SDD
b. MMC d. SIM
PTS: 1 REF: 517
8. ____ can still be found as separate devices from mobile phones. Most users carry
them instead of a laptop to keep track of appointments, deadlines, address books, and
so forth.
a. SDHCs c. CFs
b. PDAs d. MMCs
PTS: 1 REF: 518
9. The file system for a SIM card is a ____ structure.
a. volatile c. hierarchical
b. circular d. linear
PTS: 1 REF: 520
10. The SIM file structure begins with the root of the system (____).
a. EF c. DF
b. MF d. DCS
PTS: 1 REF: 520
11. Paraben Software is a leader in mobile forensics software and offers several tools,
including ____, which can be used to acquire data from a variety of phone models.
a. BitPim c. MOBILedit!
b. DataPilot d. Device Seizure
PTS: 1 REF: 522
12. In a Windows environment, BitPim stores files in ____ by default.
a. My Documents\BitPim c. My Documents\BitPim Forensics Files
b. My Documents\Forensics Files\BitPim d. My Documents\BitPim Files
PTS: 1 REF: 522
13. ____ is a forensics software tool containing a built-in write blocker.
a. GSMCon c. SIMedit
b. MOBILedit! d. 3GPim
PTS: 1 REF: 522
COMPLETION
1. So far, there have been three generations of mobile phones: analog, digital personal
communications service (PCS), and ____________________.
2. Most Code Division Multiple Access (CDMA) networks conform to IS-95, created by
the ______________________.
3. Global System for Mobile Communications (GSM) uses the
______________________ technique, so multiple phones take turns sharing a
channel.
4. The 3G standard was developed by the ______________________ under the United
Nations.
5. Mobile devices can range from simple phones to small computers, also called
______________________.
MATCHING
Match each item with a statement below:
a. CDMA c. EDGE
b. iDEN d. ROM
1. proprietary protocol developed by Motorola
2. nonvolatile memory
3. standard developed specifically for 3G
4. one of the most common digital networks, it uses the full radio frequency spectrum to
define channels
SHORT ANSWER
1. What is some of the information that can be stored in a cell phone?
2. What is the bandwidth offered by 3G mobile phones?
3. What are the three main components used for cell phone communications?
4. Briefly describe cell phone hardware.
5. Identify several uses of SIM cards.
6. Identify and define three kinds of peripheral memory cards used with PDAs.
7. How can you isolate a mobile device from incoming signals?
8. What are the four categories of information that can be retrieved from a SIM card?
9. What is the general procedure to access the content on a mobile phone SIM card?
10. What are some of the features offered by SIMCon?
Chapter 14: Report Writing for High-Tech Investigations
TRUE/FALSE
1. Besides presenting facts, reports can communicate expert opinion.
PTS: 1 REF: 530
2. A verbal report is more structured than a written report.
PTS: 1 REF: 532
3. If you must write a preliminary report, use words such as “preliminary copy,” “draft
copy,” or “working draft.”
PTS: 1 REF: 535
4. As with any research paper, write the report abstract last.
PTS: 1 REF: 536
5. When writing a report, use a formal, technical style.
PTS: 1 REF: 537
MULTIPLE CHOICE
1. Attorneys can now submit documents electronically in many courts; the standard
format in federal courts is ____.
a. Microsoft Word (DOC) c. Encapsulated Postscript (EPS)
b. Portable Document Format (PDF) d. Postscript (PS)
PTS: 1 REF: 531
2. A(n) ____ is a document that lets you know what questions to expect when you are
testifying.
a. written report c. examination plan
b. affidavit d. subpoena
PTS: 1 REF: 532
3. You can use the ____ to help your attorney learn the terms and functions used in
computer forensics.
a. verbal report c. final report
b. preliminary report d. examination plan
PTS: 1 REF: 532
4. A written report is frequently a(n) ____ or a declaration.
a. subpoena c. deposition
b. affidavit d. perjury
PTS: 1 REF: 532
5. If a report is long and complex, you should provide a(n) ____.
a. appendix c. table of contents
b. glossary d. abstract
PTS: 1 REF: 536
6. A(n) ____ is sworn to under oath (and penalty of perjury or comparable false
swearing statute).
a. written report c. examination plan
b. verbal report d. cross-examination report
PTS: 1 REF: 532
7. In the past, the method for expressing an opinion has been to frame a ____ question
based on available factual evidence.
a. hypothetical c. challenging
b. nested d. contradictory
PTS: 1 REF: 533
8. An expert’s opinion is governed by FRE, Rule ____, and the corresponding rule in
many states.
a. 705 c. 805
b. 755 d. 855
PTS: 1 REF: 534
9. Remember that anything you write down as part of your examination for a report is
subject to ____ from the opposing attorney.
a. subpoena c. publishing
b. discovery d. deposition
PTS: 1 REF: 535
10. A written preliminary report is considered a ____ document because opposing
counsel can demand discovery on it.
a. low-risk c. high-risk
b. middle-risk d. no-risk
PTS: 1 REF: 535
11. The abstract should be one or two paragraphs totaling about 150 to ____ words.
a. 200 c. 300
b. 250 d. 350
PTS: 1 REF: 536
12. ____ provide additional resource material not included in the body of the report.
a. Conclusion c. Discussion
b. References d. Appendixes
PTS: 1 REF: 536
13. Typically, report writers use one of two numbering systems: decimal numbering or
____ numbering.
a. legal-sequential c. arabic-sequential
b. roman-sequential d. letter-sequential
PTS: 1 REF: 538
14. A report using the ____ numbering system divides material into sections and restarts
numbering with each main section.
a. roman-sequential c. legal-sequential
b. decimal d. indent
PTS: 1 REF: 538
15. In the main section of your report, you typically cite references with the ____
enclosed in parentheses.
a. year of publication and author’s last name
b. author’s last name
c. author’s last name and year of publication
d. year of publication
PTS: 1 REF: 541
16. Save broader generalizations and summaries for the report’s ____.
a. appendixes c. conclusion
b. introduction d. discussion
PTS: 1 REF: 541
17. The report’s ____ should restate the objectives, aims, and key questions and
summarize your findings with clear, concise statements.
a. abstract c. introduction
b. conclusion d. reference
PTS: 1 REF: 541
18. If necessary, you can include ____ containing material such as raw data, figures not
used in the body of the report, and anticipated exhibits.
a. conclusions c. references
b. discussions d. appendixes
PTS: 1 REF: 542
19. Reports and logs generated by forensic tools are typically in plaintext format, a word
processor format, or ____ format.
a. PDF c. PS
b. HTML d. TXT
PTS: 1 REF: 543
20. Files with extensions .ods and ____ are created using OpenOffice Calc.
a. .sxc c. .dcx
b. .xls d. .qpr
PTS: 1 REF: 543
21. Files with extension ____ are created using Microsoft Outlook Express.
a. .sxc c. .dbx
b. .doc d. .ods
PTS: 1 REF: 543
COMPLETION
1. Lawyers use services called _________________________ (libraries), which store
examples of expert witnesses’ previous testimony.
2. The report body consists of the introduction and _________________________
sections.
3. When writing a report, _________________________ means the tone of language
you use to address the reader.
4. _________________________ assist readers in scanning the text quickly by
highlighting the main points and logical development of information.
5. The ______________________________ system is frequently used when writing
pleadings.
MATCHING
Match each item with a statement below
a. Decimal numbering f. Verbal report
b. Lay witness g. Spoliation
c. FTK h. Conclusion section
d. Examination plan i. MD5
e. Signposts
1. draw reader’s attention to a point in your report.
2. a report layout system
3. used by an attorney to guide an expert witness in his or her testimony
4. computer forensics software tool
5. lawyers’ jargon for destroying or concealing evidence
6. stands for Message Digest 5
7. typically takes place in an attorney’s office where the attorney requests your
consultant’s report
8. starts by referring to the report’s purpose, states the main points, draws conclusions,
and possibly renders an opinion
9. a witness testifying to personally observed facts
SHORT ANSWER
1. What are the report requirements for civil cases as specified on Rule 26, FRCP?
2. Briefly explain how to limit your report to specifics.
3. What are the areas of investigation usually addressed by a verbal report?
4. Explain how hypothetical questions can be used to ensure that you as a witness are
basing your opinion on facts expected to be supported by evidence.
5. What are the four conditions required for an expert witness to testify to an opinion or
conclusion?
6. What is the basic structure of a report?
7. Provide some guidelines for writing an introduction section for a report.
8. What do you need to consider to produce clear, concise reports?
9. Explain how to use supportive material on a report.
10. How should you explain examination and data collection methods?
Chapter 15: Expert Testimony in High-Tech Investigations
TRUE/FALSE
1. As an expert witness, you have opinions about what you have found or observed.
PTS: 1 REF: 558
2. Create a formal checklist of your procedures that’s applied to all your cases or include
such a checklist in your report.
PTS: 1 REF: 559
3. As a standard practice, collect evidence and record the tools you used in designated
file folders or evidence containers.
PTS: 1 REF: 559
4. Like a job resume, your CV should be geared for a specific trial.
PTS: 1 REF: 561
5. Part of what you have to deliver to the jury is a person they can trust to help them
figure out something that’s beyond their expertise.
PTS: 1 REF: 565
MULTIPLE CHOICE
1. When cases go to trial, you as a forensics examiner can play one of ____ roles.
a. 2 c. 4
b. 3 d. 5
PTS: 1 REF: 558
2. When you give ____ testimony, you present this evidence and explain what it is and
how it was obtained.
a. technical/scientific c. lay witness
b. expert d. deposition
PTS: 1 REF: 558
3. Validate your tools and verify your evidence with ____ to ensure its integrity.
a. hashing algorithms c. steganography
b. watermarks d. digital certificates
PTS: 1 REF: 559
4. For forensics specialists, keeping the ____ updated and complete is crucial to
supporting your role as an expert and showing that you’re constantly enhancing your
skills through training, teaching, and experience.
a. testimony c. examination plan
b. CV d. deposition
PTS: 1 REF: 561
5. If your CV is more than ____ months old, you probably need to update it to reflect
new cases and additional training.
a. 2 c. 4
b. 3 d. 5
PTS: 1 REF: 561
6. ____ is a written list of objections to certain testimony or exhibits.
a. Defendant c. Plaintiff
b. Empanelling the jury d. Motion in limine
PTS: 1 REF: 562
7. Regarding a trial, the term ____ means rejecting potential jurors.
a. voir dire c. strikes
b. rebuttal d. venireman
PTS: 1 REF: 563
8. ____ from both plaintiff and defense is an optional phase of the trial. Generally, it’s
allowed to cover an issue raised during cross-examination.
a. Rebuttal c. Closing arguments
b. Plaintiff d. Opening statements
PTS: 1 REF: 563
9. If a microphone is present during your testimony, place it ____ to eight inches from
you.
a. 3 c. 5
b. 4 d. 6
PTS: 1 REF: 565
10. Jurors typically average just over ____ years of education and an eighth-grade reading
level.
a. 9 c. 11
b. 10 d. 12
PTS: 1 REF: 565
11. ____ is an attempt by opposing attorneys to prevent you from serving on an important
case.
a. Conflict of interest c. Deposition
b. Warrant d. Conflicting out
PTS: 1 REF: 568
12. ____ evidence is evidence that exonerates or diminishes the defendant’s liability.
a. Rebuttal c. Inculpatory
b. Plaintiff d. Exculpatory
PTS: 1 REF: 569
13. You provide ____ testimony when you answer questions from the attorney who hired
you.
a. direct c. examination
b. cross d. rebuttal
PTS: 1 REF: 569
14. The ____ is the most important part of testimony at a trial.
a. cross-examination c. rebuttal
b. direct examination d. motions in limine
PTS: 1 REF: 569
15. Generally, the best approach your attorney can take in direct examination is to ask
you ____ questions and let you give your testimony.
a. setup c. compound
b. open-ended d. rapid-fire
PTS: 1 REF: 569
16. Leading questions such as “Isn’t it true that forensics experts always destroy their
handwritten notes?” are referred to as ____ questions.
a. hypothetical c. setup
b. attorney d. nested
PTS: 1 REF: 570
17. Sometimes opposing attorneys ask several questions inside one question; this practice
is called ____ questions.
a. leading c. compound
b. hypothetical d. rapid-fire
PTS: 1 REF: 571
18. A ____ differs from a trial testimony because there is no jury or judge.
a. rebuttal c. civil case
b. plaintiff d. deposition
PTS: 1 REF: 573
19. There are two types of depositions: ____ and testimony preservation.
a. examination c. direct
b. discovery d. rebuttal
PTS: 1 REF: 573
20. Discuss any potential problems with your attorney ____ a deposition.
a. before c. during
b. after d. during direct examination at
PTS: 1 REF: 574
21. A(n) ____ hearing generally addresses the administrative agency’s subject matter and
seeks evidence in your testimony on a subject for which it’s contemplating making a
rule.
a. administrative c. legislative
b. judicial d. direct
PTS: 1 REF: 575
COMPLETION
1. The ______________________ of evidence supports the integrity of your evidence.
2. Depending on your attorney’s needs, you might provide only your opinion and
technical expertise to him or her instead of testifying in court; this role is called a(n)
_______________________.
3. _____________________ is a pretrial motion to exclude certain evidence because it
would prejudice the jury.
4. At a trial, _____________________ are statements that organize the evidence and
state the applicable law.
5. The purpose of the _____________________ is for the opposing attorney to preview
your testimony before trial.
MATCHING
Match each item with a statement below:
a. Plaintiff f. CV
b. Motion in limine g. Testimony preservation deposition
c. Voir dire of venireman h. Voir dire
d. Opening statements i. MD5
e. Discovery deposition
1. part of the discovery process for trial
2. presents the case during a trial
3. provide an overview of the case during a trial
4. questioning potential jurors to see whether they’re qualified
5. usually requested by your client to preserve your testimony in case of schedule
conflicts or health problems
6. a hashing algorithm
7. lists your professional experience
8. an expert witness qualification phase
9. allows the judge to decide whether certain evidence should be admitted when the jury
isn’t present
SHORT ANSWER
1. What are the differences between a technical or scientific witness and an expert
witness?
2. What should you do when preparing for testimony?
3. What are some of the questions you should consider when preparing your testimony?
4. What are some of the technical definitions that you should prepare before your
testimony?
5. What are some of the reasons to avoid contact with news media during a case?
6. What are the procedures followed during a trial?
7. What should you do when you find exculpatory evidence?
8. How can you deal with rapid-fire questions during a cross-examination?
9. Explain the differences between discovery deposition and testimony preservation
deposition.
10. Briefly describe judicial hearings.
Chapter 16: Ethics for the Expert Witness
TRUE/FALSE
1. People need ethics to help maintain their balance, especially in difficult and
contentious situations.
PTS: 1 REF: 596
2. In the United States, there’s no state or national licensing body for computer forensics
examiners.
PTS: 1 REF: 597
3. Experts should be paid in full for all previous work and for the anticipated time
required for testimony.
PTS: 1 REF: 600
4. Expert opinions cannot be presented without stating the underlying factual basis.
PTS: 1 REF: 601
5. The American Bar Association (ABA) is a licensing body.
PTS: 1 REF: 603
MULTIPLE CHOICE
1. The most important laws applying to attorneys and witnesses are the ____.
a. professional codes of conduct c. rules of evidence
b. rules of ethics d. professional ethics
PTS: 1 REF: 597
2. Computer forensics examiners have two roles: scientific/technical witness and ____
witness.
a. expert c. discovery
b. direct d. professional
PTS: 1 REF: 597
3. Attorneys search ____ for information on expert witnesses.
a. disqualification banks c. examination banks
b. deposition banks d. cross-examination banks
PTS: 1 REF: 598
4. ____ questions can give you the factual structure to support and defend your opinion.
a. Setup c. Rapid-fire
b. Compound d. Hypothetical
PTS: 1 REF: 601
5. FRE ____ describes whether the expert is qualified and whether the expert opinion
can be helpful.
a. 702 c. 704
b. 703 d. 705
PTS: 1 REF: 601
6. FRE ____ describes whether the basis for the testimony is adequate.
a. 700 c. 702
b. 701 d. 703
PTS: 1 REF: 601
7. The ABA’s ____ contains provisions limiting the fees experts can receive for their
services.
a. Code 703 c. Rule 26
b. Model Code d. Code 26-1.a
PTS: 1 REF: 603
8. The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of
loyalty to their clients.
a. ISFCE c. ABA
b. IACIS d. HTCIA
PTS: 1 REF: 603
9. ____ are the experts who testify most often.
a. Civil engineers c. Chemical engineers
b. Computer forensics experts d. Medical professionals
PTS: 1 REF: 604
10. ____ offers the most comprehensive regulations of any professional organization and
devotes an entire section to forensics activities.
a. AMA’s law c. APA’s Ethics Code
b. ABA’s Model Rule d. ABA’s Model Codes
PTS: 1 REF: 605
11. The ____ Ethics Code cautions psychologists about the limitations of assessment
tools.
a. ABA’s c. AMA’s
b. APA’s d. ADA’s
PTS: 1 REF: 605
COMPLETION
1. _____________________ are the rules you internalize and use to measure your
performance.
2. _____________________ are standards that others apply to you or that you are
compelled to adhere to by external forces, such as licensing bodies.
3. Some attorneys contact many experts as a ploy to disqualify them or prevent opposing
counsel from hiring them; this practice is called “____________________.”
4. The ____________________ is the foundation of medical ethics.
5. For psychologists, the most broadly accepted set of guidelines governing their
conduct as experts is the _____________________ (APA’s) Ethical Principles of
Psychologists and Code of Conduct.
MATCHING
Match each item with a statement below:
a. Ethics c. Disqualification
b. Federal Rules of Evidence (FRE) d. IACIS
1. provides a well-defined, simple guide for expected behavior of computer forensics
examiners
2. prescribe the methods by which experts appear at trial
3. one of the effects of violating court rules or laws
4. help you maintain your self-respect and the respect of your profession
SHORT ANSWER
1. Briefly describe the issues related to an attorney’s “opinion shopping.”
2. What are some of the factors courts have used in determining whether to disqualify an
expert?
3. Describe some of the traps for unwary experts.
4. What are some of the most obvious ethical errors?
5. What are some of the guidelines included in the ISFCE code of ethics?
6. What are some of the requirements included in the HTCIA core values?
7. What are some of the standards for IACIS members that apply to testifying?
8. What are the five recommendations set out by the AMA’s policy on expert witness
testimony?
9. Why is it difficult to enforce any professional organization’s ethical guidelines?
10. What are the ethical responsibilities owed to you by your attorney?
Bus 230 week 10 quizBus 230 week 10 quiz
Bus 230 week 10 quiz
 
Eco 450 week 11 final exam – strayer
Eco 450 week 11 final exam – strayerEco 450 week 11 final exam – strayer
Eco 450 week 11 final exam – strayer
 

Similar to Cis 562 week 11 final exam – strayer new

Assignment unix & shell programming
Assignment  unix  & shell programmingAssignment  unix  & shell programming
Assignment unix & shell programmingMohit Aggarwal
 
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxChapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxchristinemaritza
 
Concepts and Applications of Information Technology IFSM.docx
Concepts and Applications of Information Technology IFSM.docxConcepts and Applications of Information Technology IFSM.docx
Concepts and Applications of Information Technology IFSM.docxmaxinesmith73660
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner  (ver2)Study notes for CompTIA Certified Advanced Security Practitioner  (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)David Sweigert
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics reportyash sawarkar
 
Linux Installation
Linux InstallationLinux Installation
Linux InstallationBIT DURG
 
ICT 2nd QUARTER summative.pptx
ICT  2nd QUARTER summative.pptxICT  2nd QUARTER summative.pptx
ICT 2nd QUARTER summative.pptxMichael Montarde
 
Hsc computer science chap 1 Operating System (1).pdf
Hsc computer science chap 1 Operating System  (1).pdfHsc computer science chap 1 Operating System  (1).pdf
Hsc computer science chap 1 Operating System (1).pdfAAFREEN SHAIKH
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - NotesKranthi
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerDavid Sweigert
 
Computer basics worksheet
Computer basics worksheetComputer basics worksheet
Computer basics worksheetDonna Rue
 
Digital forensics lessons
Digital forensics lessons   Digital forensics lessons
Digital forensics lessons Amr Nasr
 
Allied american university isy 101 module 4
Allied american university isy 101 module 4Allied american university isy 101 module 4
Allied american university isy 101 module 4Olivia Fournier
 
5 assessment instrument evidence_ tos_ written t_est_etc
5  assessment instrument  evidence_ tos_ written t_est_etc5  assessment instrument  evidence_ tos_ written t_est_etc
5 assessment instrument evidence_ tos_ written t_est_etcMCabz1
 
Linux Operating System Resembles Unix Operating. System
Linux Operating System Resembles Unix Operating. SystemLinux Operating System Resembles Unix Operating. System
Linux Operating System Resembles Unix Operating. SystemOlga Bautista
 
1. The sale of sensitive or confidential company information to a .docx
1. The sale of sensitive or confidential company information to a .docx1. The sale of sensitive or confidential company information to a .docx
1. The sale of sensitive or confidential company information to a .docxambersalomon88660
 

Similar to Cis 562 week 11 final exam – strayer new (20)

Assignment unix & shell programming
Assignment  unix  & shell programmingAssignment  unix  & shell programming
Assignment unix & shell programming
 
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxChapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
 
Concepts and Applications of Information Technology IFSM.docx
Concepts and Applications of Information Technology IFSM.docxConcepts and Applications of Information Technology IFSM.docx
Concepts and Applications of Information Technology IFSM.docx
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner  (ver2)Study notes for CompTIA Certified Advanced Security Practitioner  (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
 
Deft
DeftDeft
Deft
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics report
 
Neww
NewwNeww
Neww
 
Linux Installation
Linux InstallationLinux Installation
Linux Installation
 
Operating system
Operating systemOperating system
Operating system
 
ICT 2nd QUARTER summative.pptx
ICT  2nd QUARTER summative.pptxICT  2nd QUARTER summative.pptx
ICT 2nd QUARTER summative.pptx
 
Hsc computer science chap 1 Operating System (1).pdf
Hsc computer science chap 1 Operating System  (1).pdfHsc computer science chap 1 Operating System  (1).pdf
Hsc computer science chap 1 Operating System (1).pdf
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes
 
Linux Recovery
Linux RecoveryLinux Recovery
Linux Recovery
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
 
Computer basics worksheet
Computer basics worksheetComputer basics worksheet
Computer basics worksheet
 
Digital forensics lessons
Digital forensics lessons   Digital forensics lessons
Digital forensics lessons
 
Allied american university isy 101 module 4
Allied american university isy 101 module 4Allied american university isy 101 module 4
Allied american university isy 101 module 4
 
5 assessment instrument evidence_ tos_ written t_est_etc
5  assessment instrument  evidence_ tos_ written t_est_etc5  assessment instrument  evidence_ tos_ written t_est_etc
5 assessment instrument evidence_ tos_ written t_est_etc
 
Linux Operating System Resembles Unix Operating. System
Linux Operating System Resembles Unix Operating. SystemLinux Operating System Resembles Unix Operating. System
Linux Operating System Resembles Unix Operating. System
 
1. The sale of sensitive or confidential company information to a .docx
1. The sale of sensitive or confidential company information to a .docx1. The sale of sensitive or confidential company information to a .docx
1. The sale of sensitive or confidential company information to a .docx
 

More from EmmaJack2018

Fin 317 week 11 final exam strayer
Fin 317 week 11 final exam   strayerFin 317 week 11 final exam   strayer
Fin 317 week 11 final exam strayerEmmaJack2018
 
Acc 560 week 11 quiz – strayer new
Acc 560 week 11 quiz – strayer newAcc 560 week 11 quiz – strayer new
Acc 560 week 11 quiz – strayer newEmmaJack2018
 
Bus 536 week 11 final exam – strayer new
Bus 536 week 11 final exam – strayer newBus 536 week 11 final exam – strayer new
Bus 536 week 11 final exam – strayer newEmmaJack2018
 
Fin 350 week 11 quiz strayer
Fin 350 week 11 quiz   strayerFin 350 week 11 quiz   strayer
Fin 350 week 11 quiz strayerEmmaJack2018
 
Acc 557 week 11 quiz – strayer new
Acc 557 week 11 quiz – strayer newAcc 557 week 11 quiz – strayer new
Acc 557 week 11 quiz – strayer newEmmaJack2018
 
Cis 513 week 11 final exam – strayer new
Cis 513 week 11 final exam – strayer newCis 513 week 11 final exam – strayer new
Cis 513 week 11 final exam – strayer newEmmaJack2018
 
Bus 230 week 11 quiz
Bus 230 week 11 quizBus 230 week 11 quiz
Bus 230 week 11 quizEmmaJack2018
 
Bus 309 business ethics week 11 quiz
Bus 309 business ethics week 11 quizBus 309 business ethics week 11 quiz
Bus 309 business ethics week 11 quizEmmaJack2018
 
Eco 305 week 11 quiz strayer
Eco 305 week 11 quiz   strayerEco 305 week 11 quiz   strayer
Eco 305 week 11 quiz strayerEmmaJack2018
 
Bus 335 staffing organizations week 11 quiz
Bus 335 staffing organizations week 11 quizBus 335 staffing organizations week 11 quiz
Bus 335 staffing organizations week 11 quizEmmaJack2018
 
Cis 505 week 11 dq
Cis 505 week 11 dqCis 505 week 11 dq
Cis 505 week 11 dqEmmaJack2018
 
Mkt 500 week 11 discussion
Mkt 500 week 11 discussionMkt 500 week 11 discussion
Mkt 500 week 11 discussionEmmaJack2018
 
Bus 508 week 11 discussion
Bus 508 week 11 discussionBus 508 week 11 discussion
Bus 508 week 11 discussionEmmaJack2018
 
Hrm 500 week 11 discussion
Hrm 500 week 11 discussionHrm 500 week 11 discussion
Hrm 500 week 11 discussionEmmaJack2018
 

More from EmmaJack2018 (14)

Fin 317 week 11 final exam strayer
Fin 317 week 11 final exam   strayerFin 317 week 11 final exam   strayer
Fin 317 week 11 final exam strayer
 
Acc 560 week 11 quiz – strayer new
Acc 560 week 11 quiz – strayer newAcc 560 week 11 quiz – strayer new
Acc 560 week 11 quiz – strayer new
 
Bus 536 week 11 final exam – strayer new
Bus 536 week 11 final exam – strayer newBus 536 week 11 final exam – strayer new
Bus 536 week 11 final exam – strayer new
 
Fin 350 week 11 quiz strayer
Fin 350 week 11 quiz   strayerFin 350 week 11 quiz   strayer
Fin 350 week 11 quiz strayer
 
Acc 557 week 11 quiz – strayer new
Acc 557 week 11 quiz – strayer newAcc 557 week 11 quiz – strayer new
Acc 557 week 11 quiz – strayer new
 
Cis 513 week 11 final exam – strayer new
Cis 513 week 11 final exam – strayer newCis 513 week 11 final exam – strayer new
Cis 513 week 11 final exam – strayer new
 
Bus 230 week 11 quiz
Bus 230 week 11 quizBus 230 week 11 quiz
Bus 230 week 11 quiz
 
Bus 309 business ethics week 11 quiz
Bus 309 business ethics week 11 quizBus 309 business ethics week 11 quiz
Bus 309 business ethics week 11 quiz
 
Eco 305 week 11 quiz strayer
Eco 305 week 11 quiz   strayerEco 305 week 11 quiz   strayer
Eco 305 week 11 quiz strayer
 
Bus 335 staffing organizations week 11 quiz
Bus 335 staffing organizations week 11 quizBus 335 staffing organizations week 11 quiz
Bus 335 staffing organizations week 11 quiz
 
Cis 505 week 11 dq
Cis 505 week 11 dqCis 505 week 11 dq
Cis 505 week 11 dq
 
Mkt 500 week 11 discussion
Mkt 500 week 11 discussionMkt 500 week 11 discussion
Mkt 500 week 11 discussion
 
Bus 508 week 11 discussion
Bus 508 week 11 discussionBus 508 week 11 discussion
Bus 508 week 11 discussion
 
Hrm 500 week 11 discussion
Hrm 500 week 11 discussionHrm 500 week 11 discussion
Hrm 500 week 11 discussion
 

Recently uploaded

UNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHER
UNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHERUNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHER
UNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHERunosafeads
 
John Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service Manual
John Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service ManualJohn Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service Manual
John Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service ManualExcavator
 
BLUE VEHICLES the kids picture show 2024
BLUE VEHICLES the kids picture show 2024BLUE VEHICLES the kids picture show 2024
BLUE VEHICLES the kids picture show 2024AHOhOops1
 
ENJOY Call Girls In Okhla Vihar Delhi Call 9654467111
ENJOY Call Girls In Okhla Vihar Delhi Call 9654467111ENJOY Call Girls In Okhla Vihar Delhi Call 9654467111
ENJOY Call Girls In Okhla Vihar Delhi Call 9654467111Sapana Sha
 
What Causes BMW Chassis Stabilization Malfunction Warning To Appear
What Causes BMW Chassis Stabilization Malfunction Warning To AppearWhat Causes BMW Chassis Stabilization Malfunction Warning To Appear
What Causes BMW Chassis Stabilization Malfunction Warning To AppearJCL Automotive
 
Delhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Transformative journey for Automotive Components Manufacturers- D&V Business ...
Transformative journey for Automotive Components Manufacturers- D&V Business ...Transformative journey for Automotive Components Manufacturers- D&V Business ...
Transformative journey for Automotive Components Manufacturers- D&V Business ...D&V Business Consulting
 
Hauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhi
Hauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhiHauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhi
Hauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhiHot Call Girls In Sector 58 (Noida)
 
Alina 7042364481 Call Girls Service Pochanpur Colony - independent Pochanpur ...
Alina 7042364481 Call Girls Service Pochanpur Colony - independent Pochanpur ...Alina 7042364481 Call Girls Service Pochanpur Colony - independent Pochanpur ...
Alina 7042364481 Call Girls Service Pochanpur Colony - independent Pochanpur ...Hot Call Girls In Sector 58 (Noida)
 
꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂
꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂
꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂Hot Call Girls In Sector 58 (Noida)
 
Hyundai World Rally Team in action at 2024 WRC
Hyundai World Rally Team in action at 2024 WRCHyundai World Rally Team in action at 2024 WRC
Hyundai World Rally Team in action at 2024 WRCHyundai Motor Group
 
83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar
83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar
83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagardollysharma2066
 
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Full night Service for more than 1 person
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Full night Service for more than 1 personDelhi Call Girls Saket 9711199171 ☎✔👌✔ Full night Service for more than 1 person
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Full night Service for more than 1 personshivangimorya083
 
Call me @ 9892124323 Call Girl in Andheri East With Free Home Delivery
Call me @ 9892124323 Call Girl in Andheri East With Free Home DeliveryCall me @ 9892124323 Call Girl in Andheri East With Free Home Delivery
Call me @ 9892124323 Call Girl in Andheri East With Free Home DeliveryPooja Nehwal
 
Russian Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...
Russian  Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...Russian  Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...
Russian Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...shivangimorya083
 
John Deere Tractors 5515 Diagnostic Repair Manual
John Deere Tractors 5515 Diagnostic Repair ManualJohn Deere Tractors 5515 Diagnostic Repair Manual
John Deere Tractors 5515 Diagnostic Repair ManualExcavator
 

Recently uploaded (20)

UNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHER
UNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHERUNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHER
UNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHER
 
John Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service Manual
John Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service ManualJohn Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service Manual
John Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service Manual
 
BLUE VEHICLES the kids picture show 2024
BLUE VEHICLES the kids picture show 2024BLUE VEHICLES the kids picture show 2024
BLUE VEHICLES the kids picture show 2024
 
(INDIRA) Call Girl Kolkata Call Now 8617697112 Kolkata Escorts
(INDIRA) Call Girl Kolkata Call Now 8617697112 Kolkata Escorts(INDIRA) Call Girl Kolkata Call Now 8617697112 Kolkata Escorts
(INDIRA) Call Girl Kolkata Call Now 8617697112 Kolkata Escorts
 
ENJOY Call Girls In Okhla Vihar Delhi Call 9654467111
ENJOY Call Girls In Okhla Vihar Delhi Call 9654467111ENJOY Call Girls In Okhla Vihar Delhi Call 9654467111
ENJOY Call Girls In Okhla Vihar Delhi Call 9654467111
 
What Causes BMW Chassis Stabilization Malfunction Warning To Appear
What Causes BMW Chassis Stabilization Malfunction Warning To AppearWhat Causes BMW Chassis Stabilization Malfunction Warning To Appear
What Causes BMW Chassis Stabilization Malfunction Warning To Appear
 
Delhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls East Of Kailash 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Transformative journey for Automotive Components Manufacturers- D&V Business ...
Transformative journey for Automotive Components Manufacturers- D&V Business ...Transformative journey for Automotive Components Manufacturers- D&V Business ...
Transformative journey for Automotive Components Manufacturers- D&V Business ...
 
Hauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhi
Hauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhiHauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhi
Hauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhi
 
Alina 7042364481 Call Girls Service Pochanpur Colony - independent Pochanpur ...
Alina 7042364481 Call Girls Service Pochanpur Colony - independent Pochanpur ...Alina 7042364481 Call Girls Service Pochanpur Colony - independent Pochanpur ...
Alina 7042364481 Call Girls Service Pochanpur Colony - independent Pochanpur ...
 
꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂
꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂
꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂
 
Hyundai World Rally Team in action at 2024 WRC
Hyundai World Rally Team in action at 2024 WRCHyundai World Rally Team in action at 2024 WRC
Hyundai World Rally Team in action at 2024 WRC
 
83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar
83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar
83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar
 
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Full night Service for more than 1 person
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Full night Service for more than 1 personDelhi Call Girls Saket 9711199171 ☎✔👌✔ Full night Service for more than 1 person
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Full night Service for more than 1 person
 
Call Girls In Kirti Nagar 7042364481 Escort Service 24x7 Delhi
Call Girls In Kirti Nagar 7042364481 Escort Service 24x7 DelhiCall Girls In Kirti Nagar 7042364481 Escort Service 24x7 Delhi
Call Girls In Kirti Nagar 7042364481 Escort Service 24x7 Delhi
 
Hotel Escorts Sushant Golf City - 9548273370 Call Girls Service in Lucknow, c...
Hotel Escorts Sushant Golf City - 9548273370 Call Girls Service in Lucknow, c...Hotel Escorts Sushant Golf City - 9548273370 Call Girls Service in Lucknow, c...
Hotel Escorts Sushant Golf City - 9548273370 Call Girls Service in Lucknow, c...
 
Call me @ 9892124323 Call Girl in Andheri East With Free Home Delivery
Call me @ 9892124323 Call Girl in Andheri East With Free Home DeliveryCall me @ 9892124323 Call Girl in Andheri East With Free Home Delivery
Call me @ 9892124323 Call Girl in Andheri East With Free Home Delivery
 
Russian Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...
Russian  Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...Russian  Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...
Russian Call Girls Delhi Indirapuram {9711199171} Aarvi Gupta ✌️Independent ...
 
John Deere Tractors 5515 Diagnostic Repair Manual
John Deere Tractors 5515 Diagnostic Repair ManualJohn Deere Tractors 5515 Diagnostic Repair Manual
John Deere Tractors 5515 Diagnostic Repair Manual
 
Call Girls In Kirti Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In Kirti Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In Kirti Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In Kirti Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 

  • 11. 9. groups of contiguous allocation blocks SHORT ANSWER 1. Explain the relation between allocation blocks and logical block on a Mac OS file system. 2. Explain the use of B*-trees on Mac OS 9 file system. 3. Explain the use of forensic tools for Macintosh systems. 4. What are the functions of the superblock on a UNIX or Linux file system? 5. What is a bad block inode on Linux? 6. What is a continuation inode? 7. Describe the CD creation process. 8. Write a brief history of SCSI. 9. Explain the problems you can encounter with pre-ATA-33 devices when connecting them to current PCs. 10. What problems can hidden partitions on IDE devices cause to forensic investigators? Chapter 9: Computer Forensics Analysis and Validation TRUE/FALSE 1. The defense request for full discovery of digital evidence applies only to criminal cases in the United States. 2. For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.
  • 12. 3. FTK cannot perform forensics analysis on FAT12 file systems. 4. FTK cannot analyze data from image files from other vendors. 5. A nonsteganographic graphics file has a different size than an identical steganographic graphics file. MULTIPLE CHOICE 1. ____ increases the time and resources needed to extract,analyze,and present evidence. a. Investigation plan c. Litigation path b. Scope creep d. Court order for discovery 2. You begin any computer forensics case by creating a(n) ____. a. investigation plan c. evidence custody form b. risk assessment report d. investigation report 3. In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover. a. risk assessment reports c. scope creeps b. investigation plans d. subpoenas 4. There are ____ searching options for keywords which FTK offers. a. 2 c. 4 b. 3 d. 5 5. ____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search. a. Online c. Active b. Inline d. Live
  • 13. 6. The ____ search feature allows you to look for words with extensions such as “ing,”“ed,” and so forth. a. fuzzy c. permutation b. stemming d. similar-sounding 7. In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period. a. live c. active b. indexed d. inline 8. FTK and other computer forensics programs use ____ to tag and document digital evidence. a. tracers c. bookmarks b. hyperlinks d. indents 9. Getting a hash value with a ____ is much faster and easier than with a(n) ____. a. high-level language, assembler b. HTML editor, hexadecimal editor c. computer forensics tool, hexadecimal editor d. hexadecimal editor, computer forensics tool 10. AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data. a. KFF c. NTI b. PKFT d. NSRL 11. Data ____ involves changing or manipulating a file to conceal information. a. recovery c. integrity b. creep d. hiding 12. One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it. a. Norton DiskEdit c. System
  • 14. Commander b. PartitionMagic d. LILO 13. Marking bad clusters data-hiding technique is more common with ____ file systems. a. NTFS c. HFS b. FAT d. Ext2fs 14. The term ____ comes from the Greek word for“hidden writing.” a. creep c. escrow b. steganography d. hashing 15. ____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there. a. Bit shifting c. Marking bad clusters b. Encryption d. Steganography 16. Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure. a. steganography c. password backup b. key escrow d. key splitting 17. People who want to hide data can also use advanced encryption programs, such as PGP or ____. a. NTI c. FTK b. BestCrypt d. PRTK 18. ____ recovery is a fairly easy task in computer forensic analysis. a. Data c. Password b. Partition d. Image 19. ____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
  • 15. a. Brute-force c. Profile b. Dictionary d. Statistics 20. ____ are handy when you need to image the drive of a computer far away from your location or when you don’t want a suspect to be aware of an ongoing investigation. a. Scope creeps c. Password recovery tools b. Remote acquisitions d. Key escrow utilities 21. ____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer’s file system. a. HDHOST c. DiskEdit b. DiskHost d. HostEditor COMPLETION 1. For most law-enforcement-related computing investigations, the investigator is limited to working with data defined in the search ____________________. 2. FTK provides two options for searching for keywords: indexed search and ____________________ search. 3. ____________________ search catalogs all words on the evidence disk so that FTK can find them quickly. 4. To generate reports with the FTK ReportWizard, first you need to ____________________ files during an examination. 5. The data-hiding technique ____________________ changes data from readable code to data that looks like binary executable code. MATCHING Match each item with a statement below a. Court orders for discovery f. PRTK
  • 16. b. Investigation plan g. Validating digital evidence c. Digital Intelligence PDWipe h. MD5 d. Live search i. System Commander e. Cabinet 1. defines the investigation’s goal and scope, the materials needed, and the tasks to perform 2. a hashing algorithm 3. one of the most critical aspects of computer forensics 4. a type of compressed file 5. an FTK searching option 6. a password recovery program available from AccessData 7. a disk-partitioning utility 8. program used to clean all data from the target drive you plan to use 9. limit a civil investigation SHORT ANSWER 1. Describe the effects of scope creep on an investigation in the corporate environment. 2. Describe with examples why the approach you take for a forensics case depends largely on the specific type of case you’re investigating. 3. How should you approach a case in which an employee is suspected of industrial espionage? 4. What are the file systems supported by FTK for forensic analysis? 5. How does the Known File Filter program work? 6. How can you validate the integrity of raw format image files with ProDiscover?
  • 17. 7. How can you hide data by marking bad clusters? 8. Briefly describe how to use steganography for creating digital watermarks. 9. What are the basic guidelines to identify steganography files? 10. Briefly describe the differences between brute-force attacks and dictionary attacks to crack passwords. Chapter 10: Recovering Graphics Files TRUE/FALSE 1. Bitmap images are collections of dots, or pixels, that form an image. PTS: 1 REF: 398 2. Operating systems do not have tools for recovering image files. PTS: 1 REF: 405 3. If a graphics file is fragmented across areas on a disk, first you must recover all the fragments to re-create the file. PTS: 1 REF: 405 4. With many computer forensics tools, you can open files with external viewers. PTS: 1 REF: 425 5. Steganography cannot be used with file formats other than image files. PTS: 1 REF: 428 MULTIPLE CHOICE 1. ____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes. a. Bitmap images c. Vector graphics b. Metafile graphics d. Line-art images PTS: 1 REF: 398
  • 18. 2. You use ____ to create, modify, and save bitmap, vector, and metafile graphics files. a. graphics viewers c. image viewers b. image readers d. graphics editors PTS: 1 REF: 398 3. ____ images store graphics information as grids of individual pixels. a. Bitmap c. Vector b. Raster d. Metafiles PTS: 1 REF: 398 4. The process of converting raw picture data to another format is referred to as ____. a. JEIDA c. demosaicing b. rastering d. rendering PTS: 1 REF: 401 5. The majority of digital cameras use the ____ format to store digital pictures. a. EXIF c. PNG b. TIFF d. GIF PTS: 1 REF: 401 6. ____ compression compresses data by permanently discarding bits of information in the file. a. Redundant c. Huffman b. Lossy d. Lossless PTS: 1 REF: 404 7. Recovering pieces of a file is called ____. a. carving c. saving b. slacking d. rebuilding PTS: 1 REF: 405 8. A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10. a. EPS c. GIF b. BMP d. JPEG PTS: 1 REF: 408
  • 19. 9. If you can’t open an image file in an image viewer, the next step is to examine the file’s ____. a. extension c. header data b. name d. size PTS: 1 REF: 414 10. The uppercase letter ____ has a hexadecimal value of 41. a. “A” c. “G” b. “C” d. “Z” PTS: 1 REF: 417 11. The image format XIF is derived from the more common ____ file format. a. GIF c. BMP b. JPEG d. TIFF PTS: 1 REF: 423 12. The simplest way to access a file header is to use a(n) ____ editor a. hexadecimal c. disk b. image d. text PTS: 1 REF: 423 13. The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03. a. TIFF c. JPEG b. XIF d. GIF PTS: 1 REF: 425 14. ____ is the art of hiding information inside image files. a. Steganography c. Graphie b. Steganalysis d. Steganos PTS: 1 REF: 425 15. ____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program. a. Replacement c. Substitution b. Append d. Insertion
  • 20. PTS: 1 REF: 426 16. ____ steganography replaces bits of the host file with other bits of data. a. Insertion c. Substitution b. Replacement d. Append PTS: 1 REF: 426 17. In the following list, ____ is the only steg tool. a. EnCase c. DriveSpy b. iLook d. Outguess PTS: 1 REF: 429 18. ____ has also been used to protect copyrighted material by inserting digital watermarks into a file. a. Encryption c. Compression b. Steganography d. Archiving PTS: 1 REF: 430 19. When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations. a. international c. copyright b. forensics d. civil PTS: 1 REF: 430 20. Under copyright laws, computer programs may be registered as ____. a. literary works c. architectural works b. motion pictures d. audiovisual works PTS: 1 REF: 430 21. Under copyright laws, maps and architectural plans may be registered as ____. a. pantomimes and choreographic works c. literary works b. artistic works d. pictorial, graphic, and sculptural works
  • 21. PTS: 1 REF: 430 COMPLETION 1. A graphics program creates and saves one of three types of image files: bitmap, vector, or ____________________. 2. ____________________ is the process of coding of data from a larger form to a smaller form. 3. The ____________________ is the best source for learning more about file formats and their associated extensions. 4. All ____________________ files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 2A. 5. The two major forms of steganography are ____________________ and substitution. MATCHING Match each item with a statement below a. Pixels f. Steganalysis tools b. Hex Workshop g. GIMP c. Adobe Illustrator h. XIF d. Microsoft Office Picture Manager i. Metafile graphics e. JPEG 1. drawing program that creates vector files 2. Gnome graphics editor 3. image format derived from the TIFF file format 4. combinations of bitmap and vector images 5. short for “picture elements” 6. are also called steg tools 7. graphics file format that uses lossy compression 8. tool used to rebuild image file headers
  • 22. 9. Microsoft image viewer SHORT ANSWER 1. Briefly describe the Exchangeable Image File (EXIF) format. 2. Explain how lossless compression relates to image file formats. 3. How does vector quantization (VQ) compress data? 4. Explain how someone can use a disk editor tool to mark clusters as “bad” clusters. 5. Identify and describe some image viewers. 6. Write a brief history of steganography. 7. Describe how to hide information on an 8-bit bitmap image file using substitution steganography. 8. Explain how steganalysis tools work. 9. Give a brief overview of copyright laws pertaining to graphics within and outside the U.S. 10. Present a list of categories covered under copyright laws in the U.S. Chapter 11: Virtual Machines, Network Forensics, and Live Acquisitions TRUE/FALSE 1. When intruders break into a network, they rarely leave a trail behind. PTS: 1 REF: 442 2. Network forensics is a fast, easy process.
  • 23. PTS: 1 REF: 447 3. PsList from PsTools allows you to list detailed information about processes. PTS: 1 REF: 450 4. With the Knoppix STD tools on a portable CD, you can examine almost any network system. PTS: 1 REF: 451 5. Ngrep cannot be used to examine e-mail headers or IRC chats. PTS: 1 REF: 455 MULTIPLE CHOICE 1. ____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program. a. Broadcast forensics c. Computer forensics b. Network forensics d. Traffic forensics PTS: 1 REF: 442 2. ____ hide the most valuable data at the innermost part of the network. a. Layered network defense strategies c. Protocols b. Firewalls d. NAT PTS: 1 REF: 442 3. ____ forensics is the systematic tracking of incoming and outgoing traffic on your network. a. Network c. Criminal b. Computer d. Server PTS: 1 REF: 442 4. ____ can be used to create a bootable forensic CD and perform a live acquisition. a. Helix c. Inquisitor b. DTDD d. Neon PTS: 1 REF: 445
  • 24. 5. Helix operates in two modes:Windows Live (GUI or command line) and ____. a. command Windows c. command Linux b. remote GUI d. bootable Linux PTS: 1 REF: 445 6. A common way of examining network traffic is by running the ____ program. a. Netdump c. Coredump b. Slackdump d. Tcpdump PTS: 1 REF: 448 7. ____ is a suite of tools created by Sysinternals. a. EnCase c. R-Tools b. PsTools d. Knoppix PTS: 1 REF: 450 8. ____ is a Sysinternals command that shows all Registry data in real time on a Windows computer. a. PsReg c. RegMon b. RegExplorer d. RegHandle PTS: 1 REF: 450 9. The PSTools ____ kills processes by name or process ID. a. PsExec c. PsKill b. PsList d. PsShutdown PTS: 1 REF: 450 10. ____ is a popular network intrusion detection system that performs packet capture and analysis in real time. a. Ethereal c. Tcpdump b. Snort d. john PTS: 1 REF: 451 11. ____ is the U.S. DoD computer forensics lab’s version of the dd command that comes with Knoppix-STD. a. chntpw c. memfetch b. john d. dcfldd
  • 25. PTS: 1 REF: 451 12. The Knoppix STD tool ____ enables you to reset passwords on a Windows computer, including the administrator password a. chntpw c. oinkmaster b. john d. memfetch PTS: 1 REF: 451 13. ____ are devices and/or software placed on a network to monitor traffic. a. Packet sniffers c. Hubs b. Bridges d. Honeypots PTS: 1 REF: 454 14. Most packet sniffers operate on layer 2 or ____ of the OSI model. a. 1 c. 5 b. 3 d. 7 PTS: 1 REF: 454 15. Most packet sniffer tools can read anything captured in ____ format. a. SYN c. PCAP b. DOPI d. AIATP PTS: 1 REF: 455 16. In a(n) ____ attack, the attacker keeps asking your server to establish a connection. a. SYN flood c. brute-force attack b. ACK flood d. PCAP attack PTS: 1 REF: 455 17. ____ is the text version of Ethereal, a packet sniffer tool. a. Tcpdump c. Etherape b. Ethertext d. Tethereal PTS: 1 REF: 455 18. ____ is a good tool for extracting information from large Libpcap files. a. Nmap c. Pcap b. Tcpslice d. TCPcap
  • 26. PTS: 1 REF: 455 19. The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers. a. Honeynet c. Honeywall b. Honeypot d. Honeyweb PTS: 1 REF: 458 20. Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack. a. ISPs c. zombies b. soldiers d. pawns PTS: 1 REF: 458 21. A ____ is a computer set up to look like any other machine on your network, but it lures the attacker to it. a. honeywall c. honeynet b. honeypot d. honeyhost PTS: 1 REF: 459 COMPLETION 1. ____________________ is a layered network defense strategy developed by the National Security Agency (NSA). 2. The term ____________________ means how long a piece of information lasts on a system. 3. ____________________ logs record traffic in and out of a network. 4. The PSTools ____________________ tool allows you to suspend processes. ANS: PsSuspend 5. The U.K. Honeynet Project has created the ____________________. It contains the honeywall and honeypot on a bootable memory stick.
  • 27. MATCHING Match each item with a statement below a. Cyberforensics f. Trojan horse b. Ethereal g. Knoppix c. Tripwire h. PsShutdown d. PsGetSid i. oinkmaster e. PsLoggedOn 1. displays who’s logged on locally 2. displays the security identifier (SID) of a computer or user 3. an audit control program that detects anomalies in traffic and sends an alert automatically 4. usually refers to network forensics 5. a bootable Linux CD intended for computer and network forensics 6. shuts down and optionally restarts a computer 7. helps manage snort rules so that you can specify what items to ignore as regular traffic and what items should raise alarms 8. a network analysis tool 9. type of malware SHORT ANSWER 1. Why is testing networks as important as testing servers? 2. When are live acquisitions useful? 3. What is the general procedure for a live acquisition? 4. Detail a standard procedure for network forensics investigations. 5. How should you proceed if your network forensic investigation involves other companies? 6. Describe some of the Windows tools available at Sysinternals.
  • 28. 7. What are some of the tools included with the PSTools suite? 8. What is Knoppix-STD? 9. What are some of the tools included with Knoppix STD? 10. Explain The Auditor tool. Chapter 12: E-mail Investigations TRUE/FALSE 1. For computer investigators, tracking intranet e-mail is relatively easy because the accounts use standard names established by the network or e-mail administrator. PTS: 1 REF: 470 2. You can always rely on the return path in an e-mail header to show the source account of an e-mail message. PTS: 1 REF: 482 3. E-mail programs either save e-mail messages on the client computer or leave them on the server. PTS: 1 REF: 483 4. All e-mail servers are databases that store multiple users’ e-mails. PTS: 1 REF: 485 5. Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication. PTS: 1 REF: 489 MULTIPLE CHOICE 1. E-mail messages are distributed from one central server to many connected client computers, a configuration called ____. a. client/server architecture c. client architecture b. central distribution architecture d. peer-to-peer architecture
  • 29. PTS: 1 REF: 469 2. In an e-mail address, everything after the ____ symbol represents the domain name. a. c. @ b. . d. - PTS: 1 REF: 470 3. With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk. a. command-line c. prompt-based b. shell-based d. GUI PTS: 1 REF: 472 4. When working on a Windows environment you can press ____ to copy the selected text to the clipboard. a. Ctrl+A c. Ctrl+V b. Ctrl+C d. Ctrl+Z PTS: 1 REF: 473 5. To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click ____ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header. a. Options c. Properties b. Details d. Message Source PTS: 1 REF: 473 6. To retrieve an Outlook Express e-mail header right-click the message, and then click ____ to open a dialog box showing general information about the message. a. Properties c. Details b. Options d. Message Source PTS: 1 REF: 473 7. For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command. a. prn c. prnt b. print d. prt
  • 30. PTS: 1 REF: 477 8. To view AOL e-mail headers click Action, ____ from the menu. a. More options c. Options b. Message properties d. View Message Source PTS: 1 REF: 478 9. To view e-mail headers on Yahoo! click the ____ link in the Mail Options window, and then click Show all headers on incoming messages. a. Advanced c. Message Properties b. General Preferences d. More information PTS: 1 REF: 480 10. In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____. a. .ost c. .msg b. .eml d. .pst PTS: 1 REF: 483 11. ____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names. a. www.freeality.com c. www.whatis.com b. www.google.com d. www.juno.com PTS: 1 REF: 484 12. ____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size. a. Continuous logging c. Circular logging b. Automatic logging d. Server logging PTS: 1 REF: 485 13. The files that provide helpful information to an e-mail investigation are log files and ____ files. a. batch c. scripts b. configuration d. .rts
  • 31. PTS: 1 REF: 487 14. ____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside. a. /etc/sendmail.cf c. /etc/var/log/maillog b. /etc/syslog.conf d. /var/log/maillog PTS: 1 REF: 487 15. Typically, UNIX installations are set to store logs such as maillog in the ____ directory. a. /etc/Log c. /etc/var/log b. /log d. /var/log PTS: 1 REF: 488 16. Exchange logs information about changes to its data in a(n) ____ log. a. checkpoint c. transaction b. communication d. tracking PTS: 1 REF: 489 17. In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk. a. tracking c. temporary b. checkpoint d. milestone PTS: 1 REF: 489 18. The Novell e-mail server software is called ____. a. Sendmail c. Sawmill b. GroupWise d. Guardian PTS: 1 REF: 491 19. GroupWise has ____ ways of organizing the mailboxes on the server. a. 2 c. 4 b. 3 d. 5 PTS: 1 REF: 491 20. The GroupWise logs are maintained in a standard log format in the ____ folders.
  • 32. a. MIME c. QuickFinder b. mbox d. GroupWise PTS: 1 REF: 491 21. Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format. a. POP3 c. MIME b. mbox d. SMTP PTS: 1 REF: 500 COMPLETION 1. You can send and receive e-mail in two environments:via the ____________________ or an intranet (an internal network). 2. An e-mail address in the Return-Path line of an e-mail header is usually indicated as the ____________________ field in an e-mail message. 3. Administrators usually set e-mail servers to ____________________ logging mode. 4. In UNIX e-mail servers, the ____________________ file simply specifies where to save different types of e-mail log files. 5. Vendor-unique e-mail file systems, such as Microsoft .pst or .ost, typically use ____________________ formatting, which can be difficult to read with a text or hexadecimal editor. MATCHING Match each item with a statement below: a. Contacts f. Notepad b. Pico g. CISCO Pix c. syslogd file h. www.whatis.com d. www.arin.net i. Pine e. PU020101.db 1. Web site to check file extensions and match the file to a program
  • 33. 2. command line e-mail program used with UNIX 3. text editor used with Windows 4. the first folder the GroupWise server shares 5. text editor used with UNIX 6. the electronic address book in Outlook 7. a network firewall device 8. a registry Web site 9. includes e-mail logging instructions SHORT ANSWER 1. Describe how e-mail account names are created on an intranet environment. 2. Describe the process of examining e-mail messages when you have access to the victim’s computer and when this access is not possible. 3. What are the steps for retrieving e-mail headers on Pine? 4. What are the steps for viewing e-mail headers in Hotmail? 5. What kind of information can you find in an e-mail header? 6. Explain how to handle attachments during an e-mail investigation. 7. Why are network router logs important during an e-mail investigation? 8. What kind of information is normally included in e-mail logs? 9. Provide a brief description of Microsoft Exchange Server. Additionally, explain the differences between .edb and .stm files.
  • 34. 10. Briefly explain how to use AccessData FTK to recover e-mails. Chapter 13: Cell Phone and Mobile Device Forensics TRUE/FALSE 1. Many people store more information on their cell phones than they do on their computers. PTS: 1 REF: 514 2. Investigating cell phones and mobile devices is a relatively easy task in digital forensics. PTS: 1 REF: 514 3. TDMA can operate in the cell phone (800 to 1000 MHz) or PCS (1900 MHz) frequency. PTS: 1 REF: 516 4. Typically, phones developed for use on a GSM network are compatible with phones designed for a CDMA network. PTS: 1 REF: 516 5. Portability of information is what makes SIM cards so versatile. PTS: 1 REF: 517 MULTIPLE CHOICE 1. Developed during WWII, this technology,____, was patented by Qualcomm after the war. a. iDEN c. GSM b. CDMA d. EDGE PTS: 1 REF: 515 2. The ____ digital network divides a radio frequency into time slots. a. TDMA c. FDMA b. CDMA d. EDGE PTS: 1 REF: 515 3. The ____ network is a digital version of the original analog standard for cell phones.
  • 35. a. TDMA c. CDMA b. EDGE d. D-AMPS PTS: 1 REF: 515 4. The ____ digital network, a faster version of GSM, is designed to deliver data. a. TDMA c. EDGE b. iDEN d. D-AMPS PTS: 1 REF: 515 5. TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life. a. IS-136 c. IS-236 b. IS-195 d. IS-361 PTS: 1 REF: 516 6. Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips. a. EROM c. EEPROM b. PROM d. ROM PTS: 1 REF: 517 7. ____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM. a. SD c. SDD b. MMC d. SIM PTS: 1 REF: 517 8. ____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth. a. SDHCs c. CFs b. PDAs d. MMCs PTS: 1 REF: 518 9. The file system for a SIM card is a ____ structure. a. volatile c. hierarchical b. circular d. linear
  • 36. PTS: 1 REF: 520 10. The SIM file structure begins with the root of the system (____). a. EF c. DF b. MF d. DCS PTS: 1 REF: 520 11. Paraben Software is a leader in mobile forensics software and offers several tools, including ____, which can be used to acquire data from a variety of phone models. a. BitPim c. MOBILedit! b. DataPilot d. Device Seizure PTS: 1 REF: 522 12. In a Windows environment, BitPim stores files in ____ by default. a. My DocumentsBitPim c. My DocumentsBitPim Forensics Files b. My DocumentsForensi cs FilesBitPim d. My DocumentsBitPim Files PTS: 1 REF: 522 13. ____ is a forensics software tool containing a built-in write blocker. a. GSMCon c. SIMedit b. MOBILedit! d. 3GPim PTS: 1 REF: 522 COMPLETION 1. So far, there have been three generations of mobile phones: analog, digital personal communications service (PCS), and ____________________. 2. Most Code Division Multiple Access (CDMA) networks conform to IS-95, created by the ______________________. 3. Global System for Mobile Communications (GSM) uses the ______________________ technique, so multiple phones take turns sharing a
  • 37. channel. 4. The 3G standard was developed by the ______________________ under the United Nations. 5. Mobile devices can range from simple phones to small computers, also called ______________________. MATCHING Match each item with a statement below: a. CDMA c. EDGE b. iDEN d. ROM 1. proprietary protocol developed by Motorola 2. nonvolatile memory 3. standard developed specifically for 3G 4. one of the most common digital networks, it uses the full radio frequency spectrum to define channels SHORT ANSWER 1. What is some of the information that can be stored in a cell phone? 2. What is the bandwidth offered by 3G mobile phones? 3. What are the three main components used for cell phone communications? 4. Briefly describe cell phone hardware. 5. Identify several uses of SIM cards. 6. Identify and define three kinds of peripheral memory cards used with PDAs. 7. How can you isolate a mobile device from incoming signals?
8. What are the four categories of information that can be retrieved from a SIM card?
9. What is the general procedure to access the content on a mobile phone SIM card?
10. What are some of the features offered by SIMCon?

Chapter 14: Report Writing for High-Tech Investigations

TRUE/FALSE

1. Besides presenting facts, reports can communicate expert opinion.
PTS: 1 REF: 530

2. A verbal report is more structured than a written report.
PTS: 1 REF: 532

3. If you must write a preliminary report, use words such as “preliminary copy,” “draft copy,” or “working draft.”
PTS: 1 REF: 535

4. As with any research paper, write the report abstract last.
PTS: 1 REF: 536

5. When writing a report, use a formal, technical style.
PTS: 1 REF: 537

MULTIPLE CHOICE

1. Attorneys can now submit documents electronically in many courts; the standard format in federal courts is ____.
a. Microsoft Word (DOC)
b. Portable Document Format (PDF)
c. Encapsulated Postscript (EPS)
d. Postscript (PS)
PTS: 1 REF: 531

2. A(n) ____ is a document that lets you know what questions to expect when you are testifying.
a. written report
b. affidavit
c. examination plan
d. subpoena
PTS: 1 REF: 532

3. You can use the ____ to help your attorney learn the terms and functions used in computer forensics.
a. verbal report
b. preliminary report
c. final report
d. examination plan
PTS: 1 REF: 532

4. A written report is frequently a(n) ____ or a declaration.
a. subpoena
b. affidavit
c. deposition
d. perjury
PTS: 1 REF: 532

5. If a report is long and complex, you should provide a(n) ____.
a. appendix
b. glossary
c. table of contents
d. abstract
PTS: 1 REF: 536

6. A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute).
a. written report
b. verbal report
c. examination plan
d. cross-examination report
PTS: 1 REF: 532

7. In the past, the method for expressing an opinion has been to frame a ____ question based on available factual evidence.
a. hypothetical
b. nested
c. challenging
d. contradictory
PTS: 1 REF: 533

8. An expert’s opinion is governed by FRE, Rule ____, and the corresponding rule in many states.
a. 705  b. 755  c. 805  d. 855
PTS: 1 REF: 534

9. Remember that anything you write down as part of your examination for a report is subject to ____ from the opposing attorney.
a. subpoena
b. discovery
c. publishing
d. deposition
PTS: 1 REF: 535

10. A written preliminary report is considered a ____ document because opposing counsel can demand discovery on it.
a. low-risk
b. middle-risk
c. high-risk
d. no-risk
PTS: 1 REF: 535

11. The abstract should be one or two paragraphs totaling about 150 to ____ words.
a. 200  b. 250  c. 300  d. 350
PTS: 1 REF: 536

12. ____ provide additional resource material not included in the body of the report.
a. Conclusion
b. References
c. Discussion
d. Appendixes
PTS: 1 REF: 536

13. Typically, report writers use one of two numbering systems: decimal numbering or ____ numbering.
a. legal-sequential
b. roman-sequential
c. arabic-sequential
d. letter-sequential
PTS: 1 REF: 538

14. A report using the ____ numbering system divides material into sections and restarts numbering with each main section.
a. roman-sequential
b. decimal
c. legal-sequential
d. indent
PTS: 1 REF: 538

15. In the main section of your report, you typically cite references with the ____ enclosed in parentheses.
a. year of publication and author’s last name
b. author’s last name
c. author’s last name and year of publication
d. year of publication
PTS: 1 REF: 541

16. Save broader generalizations and summaries for the report’s ____.
a. appendixes
b. introduction
c. conclusion
d. discussion
PTS: 1 REF: 541

17. The report’s ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements.
a. abstract
b. conclusion
c. introduction
d. reference
PTS: 1 REF: 541

18. If necessary, you can include ____ containing material such as raw data, figures not used in the body of the report, and anticipated exhibits.
a. conclusions
b. discussions
c. references
d. appendixes
PTS: 1 REF: 542

19. Reports and logs generated by forensic tools are typically in plaintext format, a word processor format, or ____ format.
a. PDF
b. HTML
c. PS
d. TXT
PTS: 1 REF: 543

20. Files with extensions .ods and ____ are created using OpenOffice Calc.
a. .sxc
b. .xls
c. .dcx
d. .qpr
PTS: 1 REF: 543

21. Files with extension ____ are created using Microsoft Outlook Express.
a. .sxc
b. .doc
c. .dbx
d. .ods
PTS: 1 REF: 543

COMPLETION

1. Lawyers use services called _________________________ (libraries), which store examples of expert witnesses’ previous testimony.
2. The report body consists of the introduction and _________________________ sections.
3. When writing a report, _________________________ means the tone of language you use to address the reader.
4. _________________________ assist readers in scanning the text quickly by highlighting the main points and logical development of information.
5. The ______________________________ system is frequently used when writing pleadings.

MATCHING

Match each item with a statement below:
a. Decimal numbering
b. Lay witness
c. FTK
d. Examination plan
e. Signposts
f. Verbal report
g. Spoliation
h. Conclusion section
i. MD5

1. draw the reader’s attention to a point in your report
2. a report layout system
3. used by an attorney to guide an expert witness in his or her testimony
4. computer forensics software tool
5. lawyers’ jargon for destroying or concealing evidence
6. stands for Message Digest 5
7. typically takes place in an attorney’s office where the attorney requests your consultant’s report
8. starts by referring to the report’s purpose, states the main points, draws conclusions, and possibly renders an opinion
9. a witness testifying to personally observed facts

SHORT ANSWER

1. What are the report requirements for civil cases as specified in Rule 26, FRCP?
2. Briefly explain how to limit your report to specifics.
3. What are the areas of investigation usually addressed by a verbal report?
4. Explain how hypothetical questions can be used to ensure that you as a witness are basing your opinion on facts expected to be supported by evidence.
5. What are the four conditions required for an expert witness to testify to an opinion or conclusion?
6. What is the basic structure of a report?
7. Provide some guidelines for writing an introduction section for a report.
8. What do you need to consider to produce clear, concise reports?
9. Explain how to use supportive material in a report.
10. How should you explain examination and data collection methods?

Chapter 15: Expert Testimony in High-Tech Investigations
TRUE/FALSE

1. As an expert witness, you have opinions about what you have found or observed.
PTS: 1 REF: 558

2. Create a formal checklist of your procedures that’s applied to all your cases or include such a checklist in your report.
PTS: 1 REF: 559

3. As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.
PTS: 1 REF: 559

4. Like a job resume, your CV should be geared for a specific trial.
PTS: 1 REF: 561

5. Part of what you have to deliver to the jury is a person they can trust to help them figure out something that’s beyond their expertise.
PTS: 1 REF: 565

MULTIPLE CHOICE

1. When cases go to trial, you as a forensics examiner can play one of ____ roles.
a. 2  b. 3  c. 4  d. 5
PTS: 1 REF: 558

2. When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
a. technical/scientific
b. expert
c. lay witness
d. deposition
PTS: 1 REF: 558

3. Validate your tools and verify your evidence with ____ to ensure its integrity.
a. hashing algorithms
b. watermarks
c. steganography
d. digital certificates
PTS: 1 REF: 559

4. For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you’re constantly enhancing your skills through training, teaching, and experience.
a. testimony
b. CV
c. examination plan
d. deposition
PTS: 1 REF: 561

5. If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training.
a. 2  b. 3  c. 4  d. 5
PTS: 1 REF: 561

6. ____ is a written list of objections to certain testimony or exhibits.
a. Defendant
b. Empanelling the jury
c. Plaintiff
d. Motion in limine
PTS: 1 REF: 562

7. Regarding a trial, the term ____ means rejecting potential jurors.
a. voir dire
b. rebuttal
c. strikes
d. venireman
PTS: 1 REF: 563

8. ____ from both plaintiff and defense is an optional phase of the trial. Generally, it’s allowed to cover an issue raised during cross-examination.
a. Rebuttal
b. Plaintiff
c. Closing arguments
d. Opening statements
PTS: 1 REF: 563

9. If a microphone is present during your testimony, place it ____ to eight inches from you.
a. 3  b. 4  c. 5  d. 6
PTS: 1 REF: 565

10. Jurors typically average just over ____ years of education and an eighth-grade reading level.
a. 9  b. 10  c. 11  d. 12
PTS: 1 REF: 565

11. ____ is an attempt by opposing attorneys to prevent you from serving on an important case.
a. Conflict of interest
b. Warrant
c. Deposition
d. Conflicting out
PTS: 1 REF: 568

12. ____ evidence is evidence that exonerates or diminishes the defendant’s liability.
a. Rebuttal
b. Plaintiff
c. Inculpatory
d. Exculpatory
PTS: 1 REF: 569

13. You provide ____ testimony when you answer questions from the attorney who hired you.
a. direct
b. cross
c. examination
d. rebuttal
PTS: 1 REF: 569

14. The ____ is the most important part of testimony at a trial.
a. cross-examination
b. direct examination
c. rebuttal
d. motions in limine
PTS: 1 REF: 569

15. Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony.
a. setup
b. open-ended
c. compound
d. rapid-fire
PTS: 1 REF: 569

16. Leading questions such as “Isn’t it true that forensics experts always destroy their handwritten notes?” are referred to as ____ questions.
a. hypothetical
b. attorney
c. setup
d. nested
PTS: 1 REF: 570

17. Sometimes opposing attorneys ask several questions inside one question; this practice is called ____ questions.
a. leading
b. hypothetical
c. compound
d. rapid-fire
PTS: 1 REF: 571

18. A ____ differs from trial testimony because there is no jury or judge.
a. rebuttal
b. plaintiff
c. civil case
d. deposition
PTS: 1 REF: 573

19. There are two types of depositions: ____ and testimony preservation.
a. examination
b. discovery
c. direct
d. rebuttal
PTS: 1 REF: 573

20. Discuss any potential problems with your attorney ____ a deposition.
a. before
b. after
c. during
d. during direct examination at
PTS: 1 REF: 574

21. A(n) ____ hearing generally addresses the administrative agency’s subject matter and seeks evidence in your testimony on a subject for which it’s contemplating making a rule.
a. administrative
b. judicial
c. legislative
d. direct
PTS: 1 REF: 575

COMPLETION

1. The ______________________ of evidence supports the integrity of your evidence.
2. Depending on your attorney’s needs, you might provide only your opinion and technical expertise to him or her instead of testifying in court; this role is called a(n) _______________________.
3. _____________________ is a pretrial motion to exclude certain evidence because it would prejudice the jury.
4. At a trial, _____________________ are statements that organize the evidence and state the applicable law.
5. The purpose of the _____________________ is for the opposing attorney to preview your testimony before trial.

MATCHING

Match each item with a statement below:
a. Plaintiff
b. Motion in limine
c. Voir dire of venireman
d. Opening statements
e. Discovery deposition
f. CV
g. Testimony preservation deposition
h. Voir dire
i. MD5

1. part of the discovery process for trial
2. presents the case during a trial
3. provide an overview of the case during a trial
4. questioning potential jurors to see whether they’re qualified
5. usually requested by your client to preserve your testimony in case of schedule conflicts or health problems
6. a hashing algorithm
7. lists your professional experience
8. an expert witness qualification phase
9. allows the judge to decide whether certain evidence should be admitted when the jury isn’t present

SHORT ANSWER

1. What are the differences between a technical or scientific witness and an expert witness?
2. What should you do when preparing for testimony?
3. What are some of the questions you should consider when preparing your testimony?
4. What are some of the technical definitions that you should prepare before your testimony?
5. What are some of the reasons to avoid contact with news media during a case?
6. What are the procedures followed during a trial?
7. What should you do when you find exculpatory evidence?
8. How can you deal with rapid-fire questions during a cross-examination?
9. Explain the differences between a discovery deposition and a testimony preservation deposition.
10. Briefly describe judicial hearings.

Chapter 16: Ethics for the Expert Witness

TRUE/FALSE

1. People need ethics to help maintain their balance, especially in difficult and contentious situations.
PTS: 1 REF: 596

2. In the United States, there’s no state or national licensing body for computer forensics examiners.
PTS: 1 REF: 597

3. Experts should be paid in full for all previous work and for the anticipated time required for testimony.
PTS: 1 REF: 600

4. Expert opinions cannot be presented without stating the underlying factual basis.
PTS: 1 REF: 601

5. The American Bar Association (ABA) is a licensing body.
PTS: 1 REF: 603

MULTIPLE CHOICE

1. The most important laws applying to attorneys and witnesses are the ____.
a. professional codes of conduct
b. rules of ethics
c. rules of evidence
d. professional ethics
PTS: 1 REF: 597

2. Computer forensics examiners have two roles: scientific/technical witness and ____ witness.
a. expert
b. direct
c. discovery
d. professional
PTS: 1 REF: 597

3. Attorneys search ____ for information on expert witnesses.
a. disqualification banks
b. deposition banks
c. examination banks
d. cross-examination banks
PTS: 1 REF: 598

4. ____ questions can give you the factual structure to support and defend your opinion.
a. Setup
b. Compound
c. Rapid-fire
d. Hypothetical
PTS: 1 REF: 601

5. FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
a. 702  b. 703  c. 704  d. 705
PTS: 1 REF: 601

6. FRE ____ describes whether the basis for the testimony is adequate.
a. 700  b. 701  c. 702  d. 703
PTS: 1 REF: 601

7. The ABA’s ____ contains provisions limiting the fees experts can receive for their services.
a. Code 703
b. Model Code
c. Rule 26
d. Code 26-1.a
PTS: 1 REF: 603

8. The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients.
a. ISFCE
b. IACIS
c. ABA
d. HTCIA
PTS: 1 REF: 603

9. ____ are the experts who testify most often.
a. Civil engineers
b. Computer forensics experts
c. Chemical engineers
d. Medical professionals
PTS: 1 REF: 604

10. ____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities.
a. AMA’s law
b. ABA’s Model Rule
c. APA’s Ethics Code
d. ABA’s Model Codes
PTS: 1 REF: 605

11. The ____ Ethics Code cautions psychologists about the limitations of assessment tools.
a. ABA’s
b. APA’s
c. AMA’s
d. ADA’s
PTS: 1 REF: 605

COMPLETION

1. _____________________ are the rules you internalize and use to measure your performance.
2. _____________________ are standards that others apply to you or that you are compelled to adhere to by external forces, such as licensing bodies.
3. Some attorneys contact many experts as a ploy to disqualify them or prevent opposing counsel from hiring them; this practice is called “____________________.”
4. The ____________________ is the foundation of medical ethics.
5. For psychologists, the most broadly accepted set of guidelines governing their conduct as experts is the _____________________ (APA’s) Ethical Principles of Psychologists and Code of Conduct.

MATCHING

Match each item with a statement below:
a. Ethics
b. Federal Rules of Evidence (FRE)
c. Disqualification
d. IACIS

1. provides a well-defined, simple guide for expected behavior of computer forensics examiners
2. prescribe the methods by which experts appear at trial
3. one of the effects of violating court rules or laws
4. help you maintain your self-respect and the respect of your profession

SHORT ANSWER

1. Briefly describe the issues related to an attorney’s “opinion shopping.”
2. What are some of the factors courts have used in determining whether to disqualify an expert?
3. Describe some of the traps for unwary experts.
4. What are some of the most obvious ethical errors?
5. What are some of the guidelines included in the ISFCE code of ethics?
6. What are some of the requirements included in the HTCIA core values?
7. What are some of the standards for IACIS members that apply to testifying?
8. What are the five recommendations set out by the AMA’s policy on expert witness testimony?
9. Why is it difficult to enforce any professional organization’s ethical guidelines?
10. What are the ethical responsibilities owed to you by your attorney?