Deck 22: Applying Forensic Science to Networks
1
Preservation of digital evidence can involve which of the following?
A) Collecting computer hardware
B) Making a forensic image of storage media
C) Copying the files that are needed from storage media
D) All of the above
D
2
When a computer contains digital evidence, it is always advisable to turn it off immediately.
False
3
Examination of digital evidence includes (but is not limited to) which of the following activities?
A) Seizure, preservation, and documentation
B) Recovery, harvesting, and reduction
C) Experimentation, fusion, and correlation
D) Arrest, interviewing, and trial
B
4
Evidence can be related to its source in which of the following ways?
A) Top, middle, bottom
B) IP address, MD5 value, filename, date-time stamps
C) Production, segment, alteration, location
D) Parent, uncle, orphan
5
Issues to be aware of when connecting to a computer over a network and collecting information include:
A) Creating and following a set of standard operating procedures
B) Keeping a log of actions taken during the collection process
C) Documenting which server actually contains the data that's being collected
D) All of the above
6
Although it was not designed with evidence collection in mind, ________ can still be useful for examining network traffic.
A) EnCase
B) FTK
C) Wireshark
D) CHKDSK
7
Different types of analysis include which of the following?
A) Relational (e.g., link analysis) and temporal (e.g., timeline analysis)
B) Cryptography
C) Metadata hashing
D) Digital photography
8
Chain of custody enables anyone to determine where a piece of evidence has been, who handled it when, and what was done to it since it was seized.
9
Information security professionals submit samples of log files associated with certain intrusion tools to help others detect attacks on the mailing lists at:
A) Bugtraq
B) Sam Spade
C) CNET
D) Security Focus
10
Which of the following are situations where a bitstream copy may not be viable?
A) The hard drive is too large to copy.
B) The system cannot be shut down.
C) The digital investigator does not have authority to copy the entire drive.
D) All of the above.
11
A forensic image of a hard disk drive preserves the partition table.
12
It is not necessary to sanitize/wipe a hard drive purchased directly from a manufacturer.
13
Which of the following is NOT an information gathering process?
A) Scanning the system remotely
B) Studying security audit reports
C) Attempting to bypass logon security
D) Examining e-mail headers
14
Analysis of digital evidence includes which of the following activities?
A) Seizure, preservation, and documentation
B) Recovery, harvesting, and reduction
C) Experimentation, fusion, and correlation
D) Arrest, interviewing, and trial
15
Occasionally, an intrusion detection system may trigger an alarm caused by an innocent packet that coincidentally contains intrusion class characteristics. This type of alert is called:
A) False warning
B) Failsafe
C) DEF con
D) False positive
16
When a website is under investigation, before obtaining authorization to seize the systems it is necessary to:
A) Determine where the web servers are located
B) Inform personnel at the web server location that you'll be coming to seize the systems
C) Conduct a reconnaissance probe of the target website
D) None of the above
17
No two files can have the same MD5 value.
18
Unlike law enforcement, system administrators are permitted to ________ on their network when it is necessary to protect the network and the data it contains.
A) Open unread e-mails.
B) Monitor network traffic.
C) Modify system logs.
D) Divulge user personal information.
19
A forensic image of a drive preserves which of the following?
A) Memory contents
B) File slack and unallocated space
C) System date and time
D) Screen contents
20
All forensic tools acquire digital evidence from storage media in the same way.
21
The chance of two different files having the same MD5 value is roughly one in 340 billion billion billion billion, which is approximately equivalent to winning 30,000 billion billion billion first prizes in the Hong Kong Mark Six, the lotto game in Hong Kong that randomly picks 6 numbers from 1 to 47 with a one in 10,737,573 chance of winning first prize.
22
If you are investigating a homicide and, while executing a search warrant, you find a computer in the suspect's home that appears to contain child pornography, what would you do?
23
After the MD5 value of a piece of digital evidence has been calculated, any change in that piece of evidence can be detected.
24
Other than verifying the integrity of a file, how can the MD5 value of a file be useful?
25
It is not possible to recover deleted system or network log files.
26
What is the difference between a class characteristic and an individualizing characteristic? Give examples of each involving digital evidence.
27
TCP/IP network traffic never contains useful class characteristics.
28
When seeking authorization to search a network and digital evidence that may exist in more than one jurisdiction, it is not necessary to obtain a search warrant for each location.
29
A digital evidence class characteristic is similar to toolmark analysis in the physical world.
30
What are the limitations of the message digest of digital evidence?
31
When drawing up an affidavit for a warrant, it is important to specifically mention all desired digital evidence.
32
Digital investigators should remember that evidence can reside in unexpected places, such as network routers.
33
How would you search for all image files on a disk? Explain the rationale of your approach.
34
Active monitoring is time consuming, invasive, and costly and should only be used as a last resort.
35
What does a digital signature tell you?