1. The sale of sensitive or confidential company information to a competitor is known as _______.
a. industrial sabotage
b. industrial espionage
c. industrial collusion
d. industrial betrayal
2. What tool, currently maintained by the IRS Criminal Investigation Division and limited to use by law enforcement, can analyze and read special files that are copies of a disk?
a. AccessData Forensic Toolkit
b. DeepScan
c. ILook
d. Photorec
3. After the evidence has been presented in a trial by jury, the jury must deliver a(n) ______.
a. exhibit
b. affidavit
c. allegation
d. Verdict
4. A TEMPEST facility is designed to accomplish which of the following goals?
a. Prevent data loss by maintaining consistent backups.
b. Shield sensitive computing systems and prevent electronic eavesdropping of computer emissions.
c. Ensure network security from the Internet using comprehensive security software.
d. Protect the integrity of data.
5. Which option below is not a recommendation for securing storage containers?
a. The container should be located in a restricted area.
b. Only authorized access should be allowed, and it should be kept to a minimum.
c. Evidence containers should remain locked when they aren't under direct supervision.
d. Rooms with evidence containers should have a secured wireless network.
6. What is the name of the Microsoft solution for whole disk encryption?
a. DriveCrypt
b. TrueCrypt
c. BitLocker
d. SecureDrive
7. What should you do while copying data on a suspect's computer that is still live?
a. Open files to view contents.
b. Make notes regarding everything you do.
c. Conduct a Google search of unknown extensions using the computer.
d. Check Facebook for additional suspects.
8. When seizing digital evidence in criminal investigations, whose standards should be followed?
a. U.S. DOJ
b. ISO/IEC
c. IEEE
d. ITU
9. As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state?
a. The power cable should be pulled.
b. The system should be shut down gracefully.
c. The power should be left on.
d. The decision should be left to the Digital Evidence First Responder (DEFR).
10. What is the purpose of the reconstruction function in a forensics investigation?
a. Re-create a suspect's drive to show what happened during a crime or incident.
b. Prove that two sets of data are identical.
c. Copy all information from a suspect's drive, including information that may have been hidden.
d. Generate reports or logs that detail the processes undertaken by a forensics investigator.
11. A keyword search is part of the analysis process within what forensic function?
a. reporting
b. reconstruction
c. extraction
d. Acquisition
12. As part of a forensics investigation, you need to recover the logon and logoff history information on a Linux-based OS. Where can this information be found?
a. /var/log/utmp
b. /var/log/wtmp
c. /var/log/userlog
d. /var/log/system.log
13. What kind of graphics file combines bitmap and vector graphics types?
a. metafile
b. bitmap
c. jpeg
d. Tif
14. What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords?
a. salted passwords
b. scrambled passwords
c. indexed passwords
d. master passwords
15. When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented?
a. Inventory and documentation information should be stored on a drive and then the drive should be reformatted.
b. Start the suspect's computer and begin collecting evidence.
c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
d. Connect the suspect's computer to the local network so that up to date forensics utilities can be utilized.
16. What processor instruction set is required in order to utilize virtualization software?
a. AMD-VT
b. Intel VirtualBit
c. Virtual Machine Extensions (VMX)
d. Virtual Hardware Extensions (VHX)
17. What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses?
a. tcpdump
b. Argus
c. Ngrep
d. Tcpslice
18. Select below the program within the PsTools suite that allows you to run processes remotely:
a. PsService
b. PsPasswd
c. PsRemote
d. PsExec
19. What information is not typically included in an e-mail header?
a. The sender's physical location
b. The originating IP address
c. The unique ID of the e-mail
d. The originating domain
20. What type of Facebook profile is usually only given to law enforcement with a warrant?
a. private profile
b. advanced profile
c. basic profile
d. Neoprint profile
21. Which e-mail recovery program below can recover files from VMware and VirtualPC virtual machines, as well as ISOs and other types of file backups?
a. Fookes Aid4mail
b. DataNumen Outlook Repair
c. EnCase Forensics
d. AccessData FTK
22. What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and taking pictures?
a. Manual extraction
b. Chip-off
c. Micro read
d. Logical extraction
23. Within NIST guidelines for mobile forensics methods, the ______________ method requires physically removing flash memory chips and gathering information at the binary level.
a. Chip-off
b. Logical extraction
c. Micro read
d. Manual extraction
24. Which of the following is NOT a service level for the cloud?
a. Platform as a service
b. Infrastructure as a service
c. Virtualization as a service
d. Software as a service
25. What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing?
a. Amazon EC2
b. IBM Cloud
c. Salesforce
d. HP Helion
26. With cloud systems running in a virtual environment, _______________ can give you valuable information before, during, and after an incident.
a. carving
b. live acquisition
c. RAM
d. Snapshot
27. Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider?
a. search warrants
b. subpoenas
c. court orders
d. seizure order
28. Within a computing investigation, the ability to perform a series of steps again and again to produce the same results is known as _______.
a. repeatable findings
b. reloadable steps
c. verifiable reporting
d. evidence reporting
29. A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to secure the information contained inside.
a. compiler
b. shifter
c. macro
d. script
30. Which system below can be used to quickly and accurately match fingerprints in a database?
a. Fingerprint Identification Database (FID)
b. Systemic Fingerprint Database (SFD)
c. Automated Fingerprint Identification System (AFIS)