Question 1

A forensic examiner would use logical access to examine media if the file and directory structures were to be analyzed.

Accepted Answer

A) True 
 B)False

Question 2

The Windows NT Event log Appevent.evt:

Accepted Answer

A)  Contains a log of application usage 
B)  Records activities that have security implications, such as logins 
C)  Notes system events such as shutdowns 
D)  None of the above 
A)  Contains a log of application usage 
B)  Records activities that have security implications, such as logins 
C)  Notes system events such as shutdowns 
D)  None of the above

Question 3

You find the following deleted file on a floppy disk. How many clusters does this file occupy?$\begin{array}{ll}
\text { Name } & \text { Ext } &\text { ID } &\text { Size  } &\text {Date } &\text { Time }&\text { Cluster }&\text { 76 A R S H D V }\
\text { \_REENF } \sim 1 & \text { DOC }&\text { Erased }&19968&5-08-03&2:34pm&275&A----
\end{array}$

Accepted Answer

A)  200 
B)  78 
C)  39 
D)  21 
A)  200 
B)  78 
C)  39 
D)  21

Question 4

Which of the following issues is NOT one that a forensic examiner faces when dealing with Windows-based media?

Accepted Answer

A)  Invasive characteristics of the Windows environment 
B)  The facility in the standard Windows environment for mounting a hard drive as Read-Only 
C)  The location, organization, and content of Windows system log files 
D)  Available methods for recovering data from Windows media 
A)  Invasive characteristics of the Windows environment 
B)  The facility in the standard Windows environment for mounting a hard drive as Read-Only 
C)  The location, organization, and content of Windows system log files 
D)  Available methods for recovering data from Windows media

Question 5

The Windows NT Event log Secevent.evt:

Accepted Answer

A)  Contains a log of application usage 
B)  Records activities that have security implications, such as logins 
C)  Notes system events such as shutdowns 
D)  None of the above 
A)  Contains a log of application usage 
B)  Records activities that have security implications, such as logins 
C)  Notes system events such as shutdowns 
D)  None of the above

Question 6

The MD5 hashing algorithm is no longer considered to be a reliable method for determining whether two blocks of text are identical.

Accepted Answer

A) True 
 B)False

Question 7

EnCase provides the means to create a Windows Evidence Acquisition Boot Disk to allow for network acquisition of an evidence drive.

Accepted Answer

A) True 
 B)False

Question 8

Just like Windows NT, Windows 98 has event logs that record system activities.

Accepted Answer

A) True 
 B)False

Question 9

File system traces include all of the following EXCEPT:

Accepted Answer

A)  Metadata 
B)  CMOS settings 
C)  Swap file contents 
D)  Data object date-time stamps 
A)  Metadata 
B)  CMOS settings 
C)  Swap file contents 
D)  Data object date-time stamps

Question 10

When examining the Windows registry key, the "Last Write Time" indicates:

Accepted Answer

A)  The last time RegEdit was run 
B)  When a value in that Registry key was altered or added 
C)  The current system time 
D)  The number of allowable changes has been exceeded 
A)  The last time RegEdit was run 
B)  When a value in that Registry key was altered or added 
C)  The current system time 
D)  The number of allowable changes has been exceeded

A forensic examiner would use logical access to examine media if the file and directory structures were to be analyzed.

The Windows NT Event log Appevent.evt:

You find the following deleted file on a floppy disk. How many clusters does this file occupy? Name Ext ID Size Date Time Cluster 76 A R S H D V \_REENF \sim1 DOC Erased 19968 5-08-03 2:34pm 275 A----

Which of the following issues is NOT one that a forensic examiner faces when dealing with Windows-based media?

The Windows NT Event log Secevent.evt:

The MD5 hashing algorithm is no longer considered to be a reliable method for determining whether two blocks of text are identical.

EnCase provides the means to create a Windows Evidence Acquisition Boot Disk to allow for network acquisition of an evidence drive.

Just like Windows NT, Windows 98 has event logs that record system activities.

File system traces include all of the following EXCEPT:

When examining the Windows registry key, the "Last Write Time" indicates:

Foundations of Digital Forensics

Language of Computer Crime Investigation

Digital Evidence in the Courtroom

Cybercrime Law: a United States Perspective

Cybercrime Law: a European Perspective

Conducting Digital Investigations

Handling a Digital Crime Scene

Investigative Reconstruction With Digital Evidence

Modus Operandi, Motive, and Technology

Violent Crime and Digital Evidence

Digital Evidence As Alibi

Sex Offenders on the Internet

Computer Intrusions

Cyberstalking

Computer Basics for Digital Investigators

Applying Forensic Science to Computers

Digital Evidence on Unix Systems

Digital Evidence on Macintosh Systems

Digital Evidence on Mobile Devices

Network Basics for Digital Investigators

Applying Forensic Science to Networks

Digital Evidence on the Internet

Digital Evidence at the Physical and Data-Link Layers

Digital Evidence at the Network and Transport Layers

Filters

Exam 17: Digital Evidence on Windows Systems

A forensic examiner would use logical access to examine media if the file and directory structures were to be analyzed.

The Windows NT Event log Appevent.evt:

You find the following deleted file on a floppy disk. How many clusters does this file occupy? Name Ext ID Size Date Time Cluster 76 A R S H D V \_REENF \sim1 DOC Erased 19968 5-08-03 2:34pm 275 A----

Which of the following issues is NOT one that a forensic examiner faces when dealing with Windows-based media?

The Windows NT Event log Secevent.evt:

The MD5 hashing algorithm is no longer considered to be a reliable method for determining whether two blocks of text are identical.

EnCase provides the means to create a Windows Evidence Acquisition Boot Disk to allow for network acquisition of an evidence drive.

Just like Windows NT, Windows 98 has event logs that record system activities.

File system traces include all of the following EXCEPT:

When examining the Windows registry key, the "Last Write Time" indicates:

Foundations of Digital Forensics

Language of Computer Crime Investigation

Digital Evidence in the Courtroom

Cybercrime Law: a United States Perspective

Cybercrime Law: a European Perspective

Conducting Digital Investigations

Handling a Digital Crime Scene

Investigative Reconstruction With Digital Evidence

Modus Operandi, Motive, and Technology

Violent Crime and Digital Evidence

Digital Evidence As Alibi

Sex Offenders on the Internet

Computer Intrusions

Cyberstalking

Computer Basics for Digital Investigators

Applying Forensic Science to Computers

Digital Evidence on Unix Systems

Digital Evidence on Macintosh Systems

Digital Evidence on Mobile Devices

Network Basics for Digital Investigators

Applying Forensic Science to Networks

Digital Evidence on the Internet

Digital Evidence at the Physical and Data-Link Layers

Digital Evidence at the Network and Transport Layers

Filters