Question 1

A forensic analysis conducted on a forensic duplicate of the system in question is referred to as:

Accepted Answer

A)  Virtual analysis 
B)  Clone analysis 
C)  Post-mortem analysis 
D)  Ex post facto analysis 
A)  Virtual analysis 
B)  Clone analysis 
C)  Post-mortem analysis 
D)  Ex post facto analysis C

Question 2

Investigating computer intrusions usually involves a small amount of digital evidence from only a few sources.

Accepted Answer

A) True 
 B)False  False

Question 3

Intruders who have a preferred toolkit that they have pieced together over time, with distinctive features:

Accepted Answer

A)  Usually have little experience and are relying on the kit 
B)  Show little initiative - letting the tool do the work 
C)  Are generally more experienced 
D)  Pose less of a threat 
A)  Usually have little experience and are relying on the kit 
B)  Show little initiative - letting the tool do the work 
C)  Are generally more experienced 
D)  Pose less of a threat C

Question 4

Discuss the difference between automated and dynamic modus operandi, including the kinds of information to look for, and the value of conducting this kind of analysis.

Accepted Answer

While automated exploits are a

Question 5

A computer intruder's method of approach and attack can reveal a significant amount about their:

Accepted Answer

A)  Skill level 
B)  Knowledge of the target 
C)  Intent 
D)  All of the above 
A)  Skill level 
B)  Knowledge of the target 
C)  Intent 
D)  All of the above

Question 6

When collecting data from a compromised computer, consideration should be given to collecting the _________data first.

Accepted Answer

A)  CMOS 
B)  Most volatile 
C)  Magnetic 
D)  Optical 
A)  CMOS 
B)  Most volatile 
C)  Magnetic 
D)  Optical

Question 7

If digital investigators find an unauthorized file, they should:

Accepted Answer

A)  Immediately move the file to removable media 
B)  Check for other suspicious files in the same directory 
C)  Execute the file to determine its purpose 
D)  Permanently delete the file 
A)  Immediately move the file to removable media 
B)  Check for other suspicious files in the same directory 
C)  Execute the file to determine its purpose 
D)  Permanently delete the file

Question 8

Incident Response can be viewed as a subset or part of an intrusion investigation.

Accepted Answer

A) True 
 B)False

Question 9

Gathering information about a system through the use of a port scanner is considered a direct attack method.

Accepted Answer

A) True 
 B)False

Question 10

Remote forensic solutions can be used to access live systems, and include the ability to:

Accepted Answer

A)  Acquire and, sometimes, analyze memory 
B)  Image systems without ever having to leave the lab 
C)  Conduct examination and analysis without the need to image 
D)  Image large systems across the Internet 
A)  Acquire and, sometimes, analyze memory 
B)  Image systems without ever having to leave the lab 
C)  Conduct examination and analysis without the need to image 
D)  Image large systems across the Internet

Question 11

In the case of a computer intrusion, the target computer is:

Accepted Answer

A)  The remote crime scene 
B)  The auxiliary crime scene 
C)  The virtual crime scen. 
D)  The primary crime scene 
A)  The remote crime scene 
B)  The auxiliary crime scene 
C)  The virtual crime scen. 
D)  The primary crime scene

Question 12

A common technique that is highly useful and can be applied in a computer intrusion investigation is to simply focus on file system activities around the time of known events. This embodies a principle known as:

Accepted Answer

A)  Temporal proximity 
B)  Timeline analysis 
C)  File system analysis 
D)  Temporal aggregation 
A)  Temporal proximity 
B)  Timeline analysis 
C)  File system analysis 
D)  Temporal aggregation

Question 13

Although new exploits are published daily, it takes skill and experience to break into a computer system, commit a crime, and cover one's tracks.

Accepted Answer

A) True 
 B)False

Question 14

Social engineering refers to any attempt to contact legitimate users of the target system and trick them into giving out information that can be used by the intruder to break into the system.

Accepted Answer

A) True 
 B)False

Question 15

The forensic examiner needs to be aware that the process of collecting memory:

Accepted Answer

A)  Is seldom useful and not often called for 
B)  Can take an extremely long period of time 
C)  Is only needed for standalone systems 
D)  Changes the contents of memory 
A)  Is seldom useful and not often called for 
B)  Can take an extremely long period of time 
C)  Is only needed for standalone systems 
D)  Changes the contents of memory

Question 16

Examining a live system is prone to error, may change data on the system, and may even cause the system to stop functioning.

Accepted Answer

A) True 
 B)False

Question 17

Determining skill level can lead to:

Accepted Answer

A)  Determining the extent of the intrusion 
B)  Likely hiding places for rootkits and malware 
C)  Suspects 
D)  Offense behaviors 
A)  Determining the extent of the intrusion 
B)  Likely hiding places for rootkits and malware 
C)  Suspects 
D)  Offense behaviors

Question 18

Capturing all of the network traffic to and from the compromised system can:

Accepted Answer

A)  Allow the network administrators to participate in the investigation, establishing rapport for later interviews 
B)  Reveal the source of the attack 
C)  Seriously slow down the network, affecting normal work 
D)  None of the above 
A)  Allow the network administrators to participate in the investigation, establishing rapport for later interviews 
B)  Reveal the source of the attack 
C)  Seriously slow down the network, affecting normal work 
D)  None of the above

Question 19

Why are "non-volatile" storage locations contained in the RFC 8227 "Order of Volatility"?

Accepted Answer

A)  This is an old RFC and has not been updated. 
B)  No form of data storage is permanent. 
C)  An RFC is a Request for Comments - and corrections are expected. 
D)  None of the above. 
A)  This is an old RFC and has not been updated. 
B)  No form of data storage is permanent. 
C)  An RFC is a Request for Comments - and corrections are expected. 
D)  None of the above.

Question 20

A growing number of intrusions are committed by organized criminal organizations and state-sponsored groups.

Accepted Answer

A) True 
 B)False

Exam 13: Computer Intrusions

A forensic analysis conducted on a forensic duplicate of the system in question is referred to as:

Investigating computer intrusions usually involves a small amount of digital evidence from only a few sources.

Intruders who have a preferred toolkit that they have pieced together over time, with distinctive features:

Discuss the difference between automated and dynamic modus operandi, including the kinds of information to look for, and the value of conducting this kind of analysis.

A computer intruder's method of approach and attack can reveal a significant amount about their:

When collecting data from a compromised computer, consideration should be given to collecting the _________data first.

If digital investigators find an unauthorized file, they should:

Incident Response can be viewed as a subset or part of an intrusion investigation.

Gathering information about a system through the use of a port scanner is considered a direct attack method.

Remote forensic solutions can be used to access live systems, and include the ability to:

In the case of a computer intrusion, the target computer is:

A common technique that is highly useful and can be applied in a computer intrusion investigation is to simply focus on file system activities around the time of known events. This embodies a principle known as:

Although new exploits are published daily, it takes skill and experience to break into a computer system, commit a crime, and cover one's tracks.

Social engineering refers to any attempt to contact legitimate users of the target system and trick them into giving out information that can be used by the intruder to break into the system.

The forensic examiner needs to be aware that the process of collecting memory:

Examining a live system is prone to error, may change data on the system, and may even cause the system to stop functioning.

Determining skill level can lead to:

Capturing all of the network traffic to and from the compromised system can:

Why are "non-volatile" storage locations contained in the RFC 8227 "Order of Volatility"?

A growing number of intrusions are committed by organized criminal organizations and state-sponsored groups.

Foundations of Digital Forensics

Language of Computer Crime Investigation

Digital Evidence in the Courtroom

Cybercrime Law: a United States Perspective

Cybercrime Law: a European Perspective

Conducting Digital Investigations

Handling a Digital Crime Scene

Investigative Reconstruction With Digital Evidence

Modus Operandi, Motive, and Technology

Violent Crime and Digital Evidence

Digital Evidence As Alibi

Sex Offenders on the Internet

Cyberstalking

Computer Basics for Digital Investigators

Applying Forensic Science to Computers

Digital Evidence on Windows Systems

Digital Evidence on Unix Systems

Digital Evidence on Macintosh Systems

Digital Evidence on Mobile Devices

Network Basics for Digital Investigators

Applying Forensic Science to Networks

Digital Evidence on the Internet

Digital Evidence at the Physical and Data-Link Layers

Digital Evidence at the Network and Transport Layers

Filters