Question 1

EnCase can recover deleted files but does not have the capability of recovering deleted directories.

Accepted Answer

A) True 
 B)False  False

Question 2

Internet traces may be found in which of the following categories?

Accepted Answer

A)  Web browser cache 
B)  Instant messenger cache 
C)  Cookies 
D)  All of the above 
A)  Web browser cache 
B)  Instant messenger cache 
C)  Cookies 
D)  All of the above D

Question 3

With the correct CMOS setting, it is possible to mount a hard drive as Read-Only in the Windows environment.

Accepted Answer

A) True 
 B)False  False

Question 4

Before evidentiary media is "acquired," forensic examiners often______________ the media to make sure it contains data relevant to the investigation.

Accepted Answer

A)  Hash 
B)  Preview 
C)  Validate 
D)  Analyze 
A)  Hash 
B)  Preview 
C)  Validate 
D)  Analyze

Question 5

Log files are used by the forensic examiner to_________ .

Accepted Answer

A)  Associate system events with specific user accounts 
B)  Verify the integrity of the file system 
C)  Confirm login passwords 
D)  Determine if a specific individual is the guilty party 
A)  Associate system events with specific user accounts 
B)  Verify the integrity of the file system 
C)  Confirm login passwords 
D)  Determine if a specific individual is the guilty party

Question 6

When examining the "news.rc," you find the following entry: 
$$\text { alt.binaries.hacking.utilities! } 1 - 8905,8912,8921,8924,8926,8929,8930,8932$$
What does the "!" mean?

Accepted Answer

A)  The user is subscribed to this group. 
B)  The user was once subscribed, but is currently unsubscribed, to this group. 
C)  The group is up to date. 
D)  The last message retrieval was aborted. 
A)  The user is subscribed to this group. 
B)  The user was once subscribed, but is currently unsubscribed, to this group. 
C)  The group is up to date. 
D)  The last message retrieval was aborted.

Question 7

NTFS time represents time as the number of 100-nanosecond intervals since January 1, 1601 00:00:00 UTC.

Accepted Answer

A) True 
 B)False

Question 8

In NTFS, when a file is deleted from a directory, the last modified and accessed date-time stamps of the parent directory listing are updated.

Accepted Answer

A) True 
 B)False

Question 9

In FAT32 file systems both the directory and FAT entries are updated when a file is deleted.

Accepted Answer

A) True 
 B)False

Question 10

The standard Windows environment supports all of the following file systems EXCEPT____________ .

Accepted Answer

A)  FAT16 
B)  ext2 
C)  FAT32 
D)  NTFS 
A)  FAT16 
B)  ext2 
C)  FAT32 
D)  NTFS

Question 11

"File carving" is an examination technique where the beginning and end of a file are located, and the block of data spanning the two locations is copied to a new file, with the appropriate extension.

Accepted Answer

A) True 
 B)False

Question 12

When a file is moved within a volume, the Last Accessed Date Time:

Accepted Answer

A)  Is unchanged 
B)  Changes if a file is moved to different directory 
C)  Changes if a file is moved to the root 
D)  Is unchanged; however, the Created Date-Time does change 
A)  Is unchanged 
B)  Changes if a file is moved to different directory 
C)  Changes if a file is moved to the root 
D)  Is unchanged; however, the Created Date-Time does change

Question 13

In the Windows environment, simply opening a file to read, without writing it back to disk, can change the date-time stamp.

Accepted Answer

A) True 
 B)False

Question 14

The Windows environment is invasive and poses a challenge to forensic examiners.

Accepted Answer

A) True 
 B)False

Question 15

Forensically acceptable alternatives to using a Windows Evidence Acquisition Boot Disk include all but which of the following?

Accepted Answer

A)  Linux boot floppy 
B)  FIRE bootable CD-ROM 
C)  Booting into safe mode 
D)  Hardware write blockers 
A)  Linux boot floppy 
B)  FIRE bootable CD-ROM 
C)  Booting into safe mode 
D)  Hardware write blockers

Question 16

Usenet readers store all the URLs that have been accessed, but do not record which Usenet newsgroups have been accessed and joined.

Accepted Answer

A) True 
 B)False

Question 17

6 . Which of the following software tools is NOT used for data recovery?

Accepted Answer

A)  WinHex (X-Ways) Forensic 
B)  EnCase 
C)  FTK 
D)  Safeback 
A)  WinHex (X-Ways) Forensic 
B)  EnCase 
C)  FTK 
D)  Safeback

Question 18

Media can be accessed for examination either ________or____________ . (Choose two)

Accepted Answer

A)  Logically 
B)  Sequentially 
C)  Randomly 
D)  Physically 
A)  Logically 
B)  Sequentially 
C)  Randomly 
D)  Physically

Question 19

Windows evidentiary media must be acquired and examined with Windows-based examination software.

Accepted Answer

A) True 
 B)False

Question 20

Given their widespread use and simple structure, FAT file systems are a good starting point for forensic analysts to understand file systems and recovery of deleted data.

Accepted Answer

A) True 
 B)False

Exam 17: Digital Evidence on Windows Systems

EnCase can recover deleted files but does not have the capability of recovering deleted directories.

Internet traces may be found in which of the following categories?

With the correct CMOS setting, it is possible to mount a hard drive as Read-Only in the Windows environment.

Before evidentiary media is "acquired," forensic examiners often______________ the media to make sure it contains data relevant to the investigation.

Log files are used by the forensic examiner to_________ .

NTFS time represents time as the number of 100-nanosecond intervals since January 1, 1601 00:00:00 UTC.

In NTFS, when a file is deleted from a directory, the last modified and accessed date-time stamps of the parent directory listing are updated.

In FAT32 file systems both the directory and FAT entries are updated when a file is deleted.

The standard Windows environment supports all of the following file systems EXCEPT____________ .

"File carving" is an examination technique where the beginning and end of a file are located, and the block of data spanning the two locations is copied to a new file, with the appropriate extension.

When a file is moved within a volume, the Last Accessed Date Time:

In the Windows environment, simply opening a file to read, without writing it back to disk, can change the date-time stamp.

The Windows environment is invasive and poses a challenge to forensic examiners.

Forensically acceptable alternatives to using a Windows Evidence Acquisition Boot Disk include all but which of the following?

Usenet readers store all the URLs that have been accessed, but do not record which Usenet newsgroups have been accessed and joined.

6 . Which of the following software tools is NOT used for data recovery?

Media can be accessed for examination either ________or____________ . (Choose two)

Windows evidentiary media must be acquired and examined with Windows-based examination software.

Given their widespread use and simple structure, FAT file systems are a good starting point for forensic analysts to understand file systems and recovery of deleted data.

Foundations of Digital Forensics

Language of Computer Crime Investigation

Digital Evidence in the Courtroom

Cybercrime Law: a United States Perspective

Cybercrime Law: a European Perspective

Conducting Digital Investigations

Handling a Digital Crime Scene

Investigative Reconstruction With Digital Evidence

Modus Operandi, Motive, and Technology

Violent Crime and Digital Evidence

Digital Evidence As Alibi

Sex Offenders on the Internet

Computer Intrusions

Cyberstalking

Computer Basics for Digital Investigators

Applying Forensic Science to Computers

Digital Evidence on Unix Systems

Digital Evidence on Macintosh Systems

Digital Evidence on Mobile Devices

Network Basics for Digital Investigators

Applying Forensic Science to Networks

Digital Evidence on the Internet

Digital Evidence at the Physical and Data-Link Layers

Digital Evidence at the Network and Transport Layers

Filters

Media can be accessed for examination either or____ . (Choose two)