
Student submitted questions:

F9-Common Forensic Analysis Techniques

1. ____ is used to identify relevant files and fragments of relevant files.
A. string searching
B. cryptographic files
C. relevant data
D. undeleted files
2. When trying to recover deleted files make sure the forensic duplication is ____ so that it is not modified during our analysis.
A. On correct disk
B. Read-only
C. Write-only
D. Locked
3. To reconstruct a file, you can use the ____ tool included with the Sleuth Kit.
A. Skype
B. Netscan
C. Icat
D. Lscat
4. A better way to ignore known files is to compare the ____ of every file in a forensic duplication with a known set of hashes and ignore any matches.
A. MD5 hashes
B. Active hashes
C. Forensic hashes
D. Cryptography
5. ____ gives us output we can parse into other programs such as a spreadsheet or database.
A. PDF
B. SCSI
C. Fls
D. FAT-32

F8-Noncommercial-Based Forensic Duplications

1. Use ____ to create a partition for the destination drive.
A. Win_XP
B. Fdisk
C. Duplicate disk
D. Forensic duplications
2. You can make an exact copy of the hard drive by first cleaning the destination drive by placing ____ in all the blocks:
A. Random bits
B. Binary bits
C. Zeros
D. Reliable data
3. dd-rescue is a variation of the dd command. You can use this command to copy it forward or backward from the end to the beginning. This is useful if you encounter ____.
A. blank disk
B. errors
C. full disk
D. negative integers
4. You can use ____ to duplicate hard drives over the network.
A. network evidence duplicator (NED)
B. RAID 1
C. Remote connection
D. VM-Ware
5. The reason to place zeros in all of the hard drive blocks is because ____.
A. Movies are left in there
B. Data is corrupted
C. Unwanted data might have been left there and this will damage forensic evidence.
D. The ones in the blocks have to cancel with the zeros.

F6- F7-Commercial-based Forensic duplications

1. By default EnCase will duplicate the media and create a series of ____ MB files in a directory you specify.
A. 700
B. 640
C. 1500
D. 32
2. In forensics, each piece of hardware must be ____ with make, model, serial number, evidence tag number, etc.
A. Put in closet
B. Documented
C. Signed
D. Shared
3. One very well known software used for forensic analysis is ____.
A. IBM
B. Google
C. EnCase
D. Forensic-ripper
4. This format is the most versatile as it can be imported to any forensic toolkit.
A. Raw disk image (dd)
B. RAID 0
C. EnCase
D. NTFS
5. The evidence custodian should ____.
A. Give the evidence to the secretary
B. Place evidence in the storage place
C. Keep logs of who has the evidence, when it was checked out, etc.
D. Use the evidence for personal use.

1. ____ is forensics applied to information stored or transported on computers.
A. Information forensics
B. Data forensics
C. Computer forensics
D. Network forensics
2. ____ is some method of modifying data so that it is meaningless and unreadable in its current form.
A. data hiding
B. encryption
C. data mining
D. address resolution protocol
3. When working on computer forensics always work from ____ of the evidence and never from the original to prevent damage to the evidence.
A. Original hard drive
B. Live computer
C. Remote desktop
D. An image
4. ____ preserving evidence means that the information contained on the drive down to the last bit never changes during seizing, analysis and storage.
A. Mentally
B. Logically
C. Physically
D. Carefully
5. ____ are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.
A. Data blockers
B. Write blockers
C. Read blockers
D. Metadata blockers

Created by Humberto Banda 4/22/10

Chapter 10 Web browsing activity reconstruction

1. How many ways are there to keep track of browsing history?
A. 5
B. 7
C. 3
D. 6
2. The setting\<profilename>\cookies folder contains an ____ file that links each cookie to a domain on the internet where it was downloaded.
A. Homepage
B. Index.dat
C. Script
D. Internet explorer
3. ____ is an open source tool used to examine index.dat files and how they were populated when a suspect browses the internet.
A. Firefox
B. Pasco
C. cookie finder
D. EnCase
4. A ____ activity record contains less information than the URL or LEAK records and is symbolic of a website that redirects you to another website.
A. phone
B. Pasco
C. suspect
D. REDR
5. Keith J. Jones developed a tool named ____ to translate the information inside an IE cookie to something a human can understand.
A. Cookie
B. Galleta
C. Pasco
D. Internet explorer

Chapter 11, Email activity reconstruction

1. One of the commercial tools used for reconstruction of email is ____.
A. Pasco
B. Galleta
C. FTK
D. Outlook
2. Outlook and Outlook Express tend to be the two most utilized ____ clients.
A. Explorers
B. Email
C. AOL
D. Chat
3. The first choice to read Outlook Express email repositories is to use a tool named ____.
A. Google it
B. Eindeutig
C. Hack it
D. Snort
4. One of the differences between the E-Mail DBX file format and the Folders DBX file format is ____.
A. The file signatures are slightly different
B. Messages are similar
C. Data entries are the same
D. DBX is not good
5. Netscape and Mozilla store their mailboxes in plain ____ format.
A. Duplex
B. Hex
C. ASCII
D. Unix
1. The ____ contains significant information that helps us determine the who, how, and possible why of the incident.
A. Encrypted data
B. Volatile data
C. Network data
D. Linux data
2. Through examining the ____, we hope to discover any backdoors the attacker may have established.
A. Closed ports
B. Wired ports
C. Open ports
D. Configured ports
3. ____ is the single most powerful tool in our live response toolkit for UNIX systems.
A. list open files (lsof)
B. critical files (cf)
C. intruder open files (iof)
D. non-volatile files (nf)

4. When an attacker runs a file such as datapipe, it deletes the original file and we would not be able to have a copy of the file. This is when we would use the ____ that does not actually exist on the hard drive. It exists in memory and references running processes and other system information.
A. Execute file system
B. /proc file system
C. /32 bit file system
D. /test corrupt file system
5. In ____, collecting all computer activities and intercepting and recording all packets takes a lot of disk space and takes a lot of time for analysis.
A. Alert data
B. Session data
C. Full content data
D. Full time monitoring

6. In ____, an intrusion detection system is a device or application used to inspect all network traffic and alert the user or administrator when there have been unauthorized attempts or access.
A. Alert Data
B. Security check
C. Network security
D. Traffic control
7. ____ is similar to recording one conversation between suspects.
A. Suspicious conversations
B. Session Data
C. Private conversations
D. Full content data
8. For ____, the source sends one packet, and the destination replies with one packet.
A. Open ports
B. Security ports
C. Closed ports
D. Dedicated ports
9. ____ is the protocol Microsoft uses to share files, printers, serial ports, and also to communicate between computers using named pipes and mail slots.
A. Instant messenger
B. Server Message Block
C. encrypted message block
D. data handshake block
10. ____ is used to resolve IP addresses to MAC addresses.
A. IP config
B. Catscan
C. Netcat
D. Address resolution table

1. ____ are the simplest and cheapest way to gain control of network traffic.
A. NAS
B. Hubs
C. Repeaters
D. Wireless router

2. Which is not a type of NBE?
A. Raw data
B. Statistical data
C. Metadata
D. Registry keys
3. What is the command to list all the loaded kernel modules?
A. Load kernel
B. MSCONFIG
C. lsmod
D. PING
4. ____ is designed to interpret traffic in batch mode?
A. Peer Network
B. TcpTrace
C. Bittorrent
D. Red Hat
5. The measures used to prevent attacks are called ____?
A. Anti-attacks
B. Proactive
C. Reactive
D. Revenge

1 Windows Live Response

1 ____ analysis is when data from the suspect is copied without the assistance of the suspect's operating system.
a. Live
b. Dead
c. Data
d. Forensic
2 ____ analysis uses the operating system or resources of the system being investigated to
find evidence.
a. Live
b. Dead
c. Data
d. Forensic
3 ____ is information we would use if the machine is turned off.
a. Registry information
b. Volatile information
c. Non-volatile information
d. Cached information

4 ____ involves capturing the memory space of the suspect processes.
a. Fport
b. Undelete
c. Defragmenting
d. Memory dump
5 While analyzing registry data, RegDmp provides the following general information
except ____.
a. user name
b. date and time
c. domain membership
d. profile information

1 Windows Live Response


Key
1 ____ analysis is when data from the suspect is copied without the assistance of the suspect's operating system.
b. Dead
2 ____ analysis uses the operating system or resources of the system being investigated to
find evidence.
a. Live
3 ____ is information we would use if the machine is turned off.
b. Volatile information
4 ____ involves capturing the memory space of the suspect processes.
d. Memory dump
5 While analyzing registry data, RegDmp provides the following general information
except ____.
b. date and time

F1a Computer Foundations


1 Computers know the layout of the data because of ____, which act like templates or
maps.
a. data structures
b. data tables
c. registers
d. arrays
2 In order to get to a particular sector, we need the following except ____.
a. head
b. cylinder
c. sector
d. stack
3 A special area of the disk that can be used to save some system information added there
by the manufacturer.
a. read protected area
b. write protected area
c. host protected area
d. user protected area
4 The software must load data such as the sector address and sizes into the CPU registers and execute interrupt 13h in order to access ATA hard drives through ____.
a. direct access
b. BIOS
c. SCSI
d. remote access
5. A data structure is composed of which two parts?
a. number and string
b. flag and register
c. byte and string
d. flag and byte

F1a Computer Foundations


Key
1 Computers know the layout of the data because of ____, which act like templates or
maps.
a. data structures
2 In order to get to a particular sector, we need the following except ____.
d. stack
3 A special area of the disk that can be used to save some system information added there
by the manufacturer.
c. host protected area
4 The software must load data such as the sector address and sizes into the CPU registers and execute interrupt 13h in order to access ATA hard drives through ____.
b. BIOS
5. A data structure is composed of which two parts?
a. number and string

2 UNIX Live Response

1. The single most powerful tool in the live response toolkit for UNIX systems.
a. Netstat
b. Nc
c. Lsof
d. lsmod
2. Sorts all files by the time the inode was last changed.
a. ctime
b. uname
c. time
d. netcat
3. A 128-bit mathematical fingerprint of the contents in a file, for every file on the filesystem.
a. lpd login
b. zap2
c. MD5 Checksum
d. LKM
4. Transfers relevant logs to a forensic workstation for further analysis.
a. mount
b. netcat
c. netbios
d. netstat
5. Contain commands the user typed at the prompt, may contain commands that failed, and can be used to discover the hacker's methodology.
a. History Files
b. Command Logs
c. Browser History
d. Security Logs

2 UNIX Live Response

Key
1. The single most powerful tool in the live response toolkit for UNIX systems.
c. Lsof
2. Sorts all files by the time the inode was last changed.
a. ctime
3. A 128-bit mathematical fingerprint of the contents in a file, for every file on the filesystem.
c. MD5 Checksum
4. Transfers relevant logs to a forensic workstation for further analysis.
b. netcat
5. Files containing commands the user typed at the prompt, may contain commands that failed, and can be used to discover the hacker's methodology.
a. History Files

F3 Collecting Network Based Evidence (NBE)


a. Full Content Data
b. Session Data
c. Alert Data
d. Statistical Data
____ 1. Most active IP addresses, ports, data length.
____ 2. Summary of sessions with date and time, from source and destination addresses
and how it was terminated.
____ 3. Collecting all computer activities, intercepting and recording all packets, requires
a lot of disk space and time for analysis.
____ 4. Analyzing NBE for predetermined items of interest

5. Forwards to all ports. A monitoring station can detect all packets.
a. Bridges
b. Taps
c. Switched Port Analyzer
d. Hubs

F3 Collecting Network Based Evidence (NBE)


Key
1. Most active IP addresses, ports, data length.
d. Statistical Data
2. Summary of sessions with date and time, from source and destination addresses and
how it was terminated.
b. Session Data
3. Collecting all computer activities, intercepting and recording all packets, requires a lot
of disk space and time for analysis.
a. Full Content Data
4. Analyzing NBE for predetermined items of interest
c. Alert Data

5. Forwards to all ports. A monitoring station can detect all packets.
d. Hubs

F4 Analyzing Network-based evidence for a windows intrusion

1. What tool was used by running it against the libpcap data to transform it into session data?
a. McAfee
b. Argus
c. Symantec
d. WireShark
2. Multiple protocols with a low number of packets may indicate what kind of activity?
a. Packet Sniffing
b. Blue Snarfing
c. War Driving
d. Port Scanning
3. What tool was used in this chapter to find patterns of malicious activity?
a. Snort
b. WireShark
c. BackTrack4
d. McAfee
4. A single SYN packet is sent through a port and a RST ACK packet is received. What does this mean?
a. Port is busy
b. Port is closed
c. Port is open
d. Port is available
5. As opposed to running Snort in live mode to inspect traffic actively passed on the wire, what mode can Snort be run under to inspect previously captured data?
a. dead mode
b. capture mode
c. batch mode
d. response mode

F4 Analyzing Network-based evidence for a windows intrusion

Key
1. What tool was used by running it against the libpcap data to transform it into session data?
b. Argus
2. Multiple protocols with a low number of packets may indicate what kind of activity?
d. Port Scanning
3. What tool was used in this chapter to find patterns of malicious activity?
a. Snort
4. A single SYN packet is sent through a port and a RST ACK packet is received. What does this mean?
b. Port is closed
5. As opposed to running Snort in live mode to inspect traffic actively passed on the wire, what mode can Snort be run under to inspect previously captured data?
c. batch mode

F6 - Preparing for Forensic Duplication

1. Items included in a forensic toolkit should include the following except
a. Screwdrivers
b. Power Cables
c. Printer
d. Permanent Markers
2. Each piece of hardware must be documented with the item's information which includes
a. Drivers License
b. Make/Model
c. Date of Birth
d. Maiden Name
3. The information written on each label should include the following except
a. Number of Partitions
b. Date
c. Type of file system
d. Price
4. Which item is used to document evidence?
a. Digital Camera
b. Firewire
c. Flash Drive
d. Flashlight
5. The following should be recorded when evidence is checked out except
a. Date of Birth
b. Case Number
c. Name
d. Date

F6 - Preparing for Forensic Duplication

Key
1. Items included in a forensic toolkit should include the following except
c. Printer
2. Each piece of hardware must be documented with the item's information which includes
b. Make/Model
3. The information written on each label should include the following except
d. Price
4. Which item is used to document evidence?
a. Digital Camera
5. The following should be recorded when evidence is checked out except
a. Date of Birth

F7- Commercial-based Forensic Duplication

1. EnCase is used to
a. backup system information
b. retrieve data from a storage device
c. print labels
d. surf the internet
2. When using EnCase or FTK, use which of the following to connect to the source hard drive (evidence)?
a. serial cable
b. read-only Firewire-to-IDE module
c. read-write Firewire-to-IDE module
d. coaxial cable
3. When EnCase duplicates an evidence hard drive, it creates evidence files on a destination media. This usually means a
a. DVD-R
b. Floppy Disk
c. Flash drive
d. formatted storage hard drive
4. FTK can acquire the forensic duplication in the following three different formats except
a. Portable Network Graphics
b. SMART format
c. Raw Disk Image (dd)
d. EnCase Evidence Files (.E01)
5. When using a laptop with EnCase, two additional items are usually needed. This includes a 2.5 to 3.5 laptop hard drive converter and a
a. Graphics card
b. PCMCIA Firewire card
c. Sound card
d. Data Acquisition card

F7- Commercial-based Forensic Duplication

Key
1. EnCase is used to
b. retrieve data from a storage device
2. When using EnCase or FTK, use which of the following to connect to the source hard drive (evidence)?
b. read-only Firewire-to-IDE module
3. When EnCase duplicates an evidence hard drive, it creates evidence files on a destination media. This usually means a
d. formatted storage hard drive
4. FTK can acquire the forensic duplication in the following three different formats except
a. Portable Network Graphics
5. When using a laptop with EnCase, two additional items are usually needed. This includes a 2.5 to 3.5 laptop hard drive converter and a
b. PCMCIA Firewire card

F8 Noncommercial-based Forensic Duplications

1. The most basic of all noncommercial forensic duplication tools is definitely dd which stands for
a. data dump
b. drive dump
c. data drive
d. digital dump
2. You want to make sure the BIOS is configured so that the computer will
a. boot from a dvd
b. boot from your Linux operating system
c. boot from the evidence hard drive
d. boot from a flash drive
3. The command if designates the
a. if statement
b. independent file
c. conditional statement
d. input file
4. Which command is useful when encountering errors?
a. dd_recover
b. dd_rescue
c. dd_reverse
d. dd_record
5. Typically, we would copy the NED client onto a bootable CD-ROM environment which would be loaded into ____ and booted.
a. a third computer on the same network
b. the forensic workstation
c. the suspect's computer
d. remote computer

F8 Noncommercial-based Forensic Duplications

Key
1. The most basic of all noncommercial forensic duplication tools is definitely dd which stands for
a. data dump
2. You want to make sure the BIOS is configured so that the computer will
b. boot from your Linux operating system
3. The command if designates the
d. input file
4. Which command is useful when encountering errors?
b. dd_rescue
5. Typically, we would copy the NED client onto a bootable CD-ROM environment which would be loaded into ____ and booted.
c. the suspect's computer

F9 Common Forensic Analysis Techniques

1. In order to recover deleted files, the recommended tool is TASK, later renamed to
a. Encase
b. The Sleuth Kit
c. Undelete
d. Data Recovery
2. Both EnCase and FTK will recover deleted files
a. automatically
b. by selecting undelete on menu
c. from the destination hard drive
d. only
3. Metadata can include which of the following?
a. disk size
b. registration keys
c. MD5 hashes
d. FAT/NTFS
4. A better way to ignore known files is to compare the ____ of every file in a forensic duplication.
a. MAC times
b. file sizes
c. MD5 hashes
d. full file names
5. We can download ____ and save ourselves a lot of time in ignoring known files.
a. EnCase
b. Undelete
c. FTK
d. NIST's NSRL distribution

F9 Common Forensic Analysis Techniques

Key
1. In order to recover deleted files, the recommended tool is TASK, later renamed to
b. The Sleuth Kit
2. Both EnCase and FTK will recover deleted files
a. automatically
3. Metadata can include which of the following?
c. MD5 hashes
4. A better way to ignore known files is to compare the ____ of every file in a forensic duplication.
c. MD5 hashes
5. We can download ____ and save ourselves a lot of time in ignoring known files.
d. NIST's NSRL distribution

F10 Web Browsing Activity Reconstruction

1 Internet Explorer uses these three facilities where we can find evidence except ____.
a. system32
b. web browsing history
c. cookies
d. temp internet files
2 ____ was developed to examine the contents of Internet Explorer's cache files.
a. Pasco
b. Data Dump
c. Galleta
d. Fport
3 ____ examines cookies by parsing the information in Internet Explorer's cookie files into a human readable format.
a. Pasco
b. Data Dump
c. Galleta
d. Fport
4 EnCase utilizes a script referred to as a(n) ____ to parse the web browsing information found in the evidence and present it to the investigator.
a. E-Script
b. Fport
c. dd
d. FTK
5 The cookies, History.IE5, and Content.IE5 folders contain a ____ file with forensic evidence.
a. index.exe
b. index.dat
c. index.xls
d. index.txt

F10 Web Browsing Activity Reconstruction

Key
1 Internet Explorer uses these three facilities where we can find evidence except ____.
a. system32
2 ____ was developed to examine the contents of Internet Explorer's cache files.
a. Pasco
3 ____ examines cookies by parsing the information in Internet Explorer's cookie files into a human readable format.
c. Galleta
4 EnCase utilizes a script referred to as a(n) ____ to parse the web browsing information found in the evidence and present it to the investigator.
a. E-Script
5 The cookies, History.IE5, and Content.IE5 folders contain a ____ file with forensic evidence.
b. index.dat

F11 Email Activity Reconstruction

1 Which commercial tool can be used for e-mail reconstruction?
a. Galleta
b. Undelete
c. FTK
d. Outlook
2 When creating a report with FTK during e-mail reconstruction, it will contain ____ versions of the e-mails.
a. HTML
b. EnCase
c. text
d. excel
3 Which file contains actual e-mail messages for Outlook Express?
a. Sent E-Mails
b. E-Mail DBX
c. TypedURLs
d. Folders DBX
4 ____ is a utility that decodes MIME file attachments in e-mails.
a. Regedit
b. Munpack
c. FTK
d. Eindeutig
5 This tool can be used to read Outlook Express e-mail repositories.
a. eindeutig
b. dd
c. Pasco
d. regedit

F11 Email Activity Reconstruction

Key
1 Which commercial tool can be used for e-mail reconstruction?
c. FTK
2 When creating a report with FTK during e-mail reconstruction, it will contain ____ versions of the e-mails.
a. HTML
3 Which file contains actual e-mail messages for Outlook Express?
b. E-Mail DBX
4 ____ is a utility that decodes MIME file attachments in e-mails.
b. Munpack
5 This tool can be used to read Outlook Express e-mail repositories.
a. eindeutig

F12 Windows Registry

1 The Registry contains information such as which of the following?
a. MAC address
b. most visited websites
c. ip address
d. e-mails
2 The Registry is often overlooked because the files are in a proprietary format. In this case, which tool can be used?
a. undelete
b. Back Track
c. FTK
d. dd
3 Which command can be used to locate the registry?
a. Fport
b. startx
c. cmd
d. regedit
4 Which keyword denotes a registry key with documents that were recently viewed?
a. IIS
b. MRU
c. REC
d. EXE
5 Microsoft Windows records information of URLs typed into IE in a registry folder called ____.
a. Typed URLs
b. Recent URLs
c. History.IE5
d. Temporary Internet Files

F12 Windows Registry

Key
1 The Registry contains information such as which of the following?
b. most visited websites
2 The Registry is often overlooked because the files are in a proprietary format. In this case, which tool can be used?
c. FTK
3 Which command can be used to locate the registry?
d. regedit
4 Which keyword denotes a registry key with documents that were recently viewed?
b. MRU
5 Microsoft Windows records information of URLs typed into IE in a registry folder called ____.
a. Typed URLs

Computer Forensic Additional Notes

1 ____ is the method of modifying data so that it is meaningless and unreadable in its current form.
a. decryption
b. obfuscation
c. steganography
d. encryption
2 ____ is the science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message.
a. decryption
b. obfuscation
c. steganography
d. encryption
3 The following is used as forensic software except ____.
a. The Coroner's Toolkit
b. Outlook
c. ILook
d. Forensic Toolkit
4 ____ are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.
a. write blockers
b. hubs
c. IDE Converters
d. Firewire Cards
5 A ____ function is any well defined procedure or mathematical function for turning some kind of data into a relatively small integer.
a. hash
b. metadata
c. encryption
d. decryption

Computer Forensic Additional Notes

Key
1 ____ is the method of modifying data so that it is meaningless and unreadable in its current form.
d. encryption
2 ____ is the science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message.
c. steganography
3 The following is used as forensic software except ____.
b. Outlook
4 ____ are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.
a. write blockers
5 A ____ function is any well defined procedure or mathematical function for turning some kind of data into a relatively small integer.
a. hash

Chapter 1
1. When collecting data from a victim machine to determine the who, how, and possibly why of an incident, which is a viable source:
a. Open TCP or UDP Ports
b. Users Currently Logged On
c. Open Files
d. All the above
2. An open rogue port usually denotes:
a. The system date and time
b. A backdoor running on the victim machine
c. Volatile data
d. Users currently logged on
3. FPort does the following:
a. Opens a backdoor
b. Closes all ports
c. Links open ports to executables that opened them
d. Launches live response
4. Group Policy information does not contain:
a. Redirected folders and their details
b. The last time policy was applied for both user and computer
c. IIS logs
d. Registry settings that were applied and their details
5. Most attacks happen over port:
a. 10
b. 1
c. 50
d. 80

Chapter Computer Foundations

1. Which is not a type of data organization?
a. ASCII
b. HDMI
c. Unicode
d. EBCDIC
2. Little endian is read which way?
a. Top to bottom
b. Left to right
c. Bottom to top
d. Right to left
3. Drives can be configured as which of the following:
a. Servant
b. Driver
c. Master
d. Dictator
4. LBA addressing stands for:
a. Logical block addressing
b. Load balancing area
c. Logic block authenticator
d. Light battalion armor
5. Which SCSI cables can be interchanged with Ultra 320?
a. Ultra2 SCSI
b. Fast SCSI
c. Ultra 3 SCSI
d. SCSI cables are not interchangeable

Chapter 2
1. The Live Response process for a Unix machine is ____ to a Windows machine.
A. Completely different
B. Almost identical
C. Exactly the same
D. Unix has not released a version
2. Which of the following is a common password cracking program that attackers employ to learn users' passwords discussed in chapter 2?
A. Jack the Ripper
B. The Headless Horseman
C. The Minotaur
D. John the Ripper
3. When issuing the command uname -a you will receive what information?
A. All the available operating system version information
B. A review of all the loaded kernel modules
C. A display of the mounted file systems
D. A list of all the running processes on the system
4. A quick way to eliminate redundant data in the file system is to ____:
A. Calculate and analyze the MD5 checksum
B. Use a Poor Man's FTP using netcat
C. Go to www.Facebook.com
D. Do a search for .kde
5. A hacker would search for a keyword such as datapipe with ____?
A. $
B. |
C. \
D. ?

Chapter 3 & 4
1. The acronym NBE stands for which of the following?
A. Network-based exposure
B. Network-based evidence
C. Non-Biological Extraterrestrials
D. None of the above
2. What type of data is the easiest form of data to understand and manipulate?
A. Full Content Data
B. Statistical Data
C. Session Data
D. Alert Data
3. Taps (also known as Test Access Ports) are placed ____.
A. Between the firewall and router
B. Between mirroring ports
C. Between switches
D. A and C
4. When looking at alert data ____ is helpful when searching for something
suspicious.
A. Wire Shark
B. Snort
C. Argus
D. Netstat
5. ARP is used to _____.
A. Rebuilds sessions of interest
B. Resolve IP addresses to MAC addresses
C. Get better retirement benefits
D. Check for Common Vulnerabilities and Exposure (CVE)
Chapter 6
1. All but which of the following is something that you would want to record in an
Evidence Worksheet:
A. Model
B. Serial number
C. Anti-static bags
D. Jumper settings
2. What principle is paramount to any investigation and should not be overlooked?
A. Documentation
B. Notation
C. Evidence
D. Smoking Gun
3. Any time evidence changes hands, which form should be filled out?
A. Agent Notes worksheet
B. Evidence Worksheet
C. Chain of Custody Form
D. Evidence Access Log
4. Which of the following is recommended to have in a toolkit mentioned in the
chapter?
A. Swiss Army Knife
B. Gerber Knife
C. Pens
D. HDMI cable
5. The following is unique information found on a hard drive that is recorded in the
Evidence Worksheet:
A. Calculus
B. Trigonometry
C. Algebra
D. Geometry

Chapter 7
1. _____ is one of the most widely used forensic duplication and analysis
software tools available today.
A. Snort
B. TechNet
C. TraceFirst
D. EnCase
2. When you hot swap a drive, you ____ or _____ it from a running
computer system without powering off the forensic workstation.
A. Add ; delete
B. Swap ; take
C. Read; write
D. Add; remove
3. By default, EnCase will duplicate the media and create a series of _____
files in a directory you specify.
A. 56k
B. 640 MB
C. 32 GB
D. 100 Mbps
4. Laptop hard drive converters come in _____ to _____.
A. 1.5 to 2.5
B. 5.5 to 7.5
C. 1.0 to 5.0
D. 2.5 to 3.5
5. A benefit when acquiring evidence using EnCase is that it allows us to preview and ______ the drive in a forensically sound manner.
A. Analyze
B. Send
C. Corrupt
D. Destroy
Chapter 9
1. One limitation of The Coroner's Toolkit that the authors pointed out involved an emphasis on recovering deleted files from a ___________ when in fact FAT 32 and NTFS are the types of file systems we investigate the most.
A. Microsoft Windows file system
B. Linux file system
C. Unix file system
D. Both B and C
2. Downloading and installing The Sleuth Kit is a relatively ________ task.
A. Arduous
B. Trivial
C. Cumbersome
D. Difficult
3. Commercial methods to undelete files are more _________ and will show you the
logical and deleted files in one view.
A. Time consuming
B. Enabling
C. Fee-based
D. User-friendly
4. A notable hash distribution is the National Software Reference Library provided by the National Institute of Standards and Technology. It can be obtained by _____ or ____?
A. Downloaded freely
B. Bought at the store
C. Purchased as a subscription
D. Both A and C
5. The process of looking for data when you know a portion of it is called?
A. String searching
B. Unicode searching
C. Microsoft office
D. File searching
Chapter 10
1. At the time the book was written, __________ was the most popular Web browser
utilized by the general computing population.
A. Google Chrome
B. Mozilla Firefox
C. Opera
D. Microsoft Internet Explorer
2. Which of the following is not a facility where we can find evidence to view Web
browsing history?
A. Temporary Internet Files
B. Web browsing history
C. Cookies
D. GNU directory
3. Why are cookies necessary for browsing the internet?
A. HTTP is a stateless protocol
B. URI is a stateless protocol
C. TCP/IP is a stateless protocol
D. RFC is a stateless protocol
4. A cookie contains _____?
A. Unallocated space
B. FTK display
C. Expiration time
D. Executables
5. A REDR activity record contains ____ information than the URL or LEAK
records.
A. More
B. The same
C. Less
D. None of the
Chapter 11
1. FTK will not recognize which of the following e-mail repository formats?
A. Yahoo
B. Earthlink
C. Lotus Notes
D. Outlook Express

2. How many types of DBX files are there?
A. 1
B. 2
C. 3
D. 4
3. The file _______ begins at the first byte of the Folders DBX file.
A. Header
B. Location
C. Folder
D. Signature
4. _______ and _______ tended to be the most utilized e-mail clients discovered
during the authors' investigations.
A. Yahoo; Google
B. Outlook ; Outlook Express
C. Google; Outlook
D. AOL; Google
5. The E-Mail DBX file format is very similar to the Folders DBX file format.
Which of the following is not among the three main differences between the two?
A. The data entries contain different values.
B. The e-mail repository has a different file offset.
C. A new internal structure called an email entry is added to the file.
D. The file signature is slightly different.
Chapter 12
1. When investigating Microsoft Windows systems, there are basically three
different types of log files you can examine. Which of the following is not one of
them?
A. Windows Event Logging
B. Application Logs
C. The Microsoft Windows Registry
D. All are used
2. By examining a few ______, we can determine some of the currently installed
programs and programs that may have been installed in the past but have since
been uninstalled.
A. Applications
B. Registry keys
C. Registry viewer
D. Event logs

3. There are currently ______ open source tools that can examine registry files
directly.
A. Plenty of
B. Really expensive
C. No available
D. Scarcely any
4. MRU stands for _______?
A. Most Redundantly Used
B. Maximum Receive Unit
C. Most Recently Used
D. Malware Removal Unit
5. Installed programs usually contain a mechanism that will enable them to be
_________.
A. Run
B. Uninstalled
C. Copied
D. Exported

Ayme Pena
Chapters 2, 3 & 4
1. Lsof is the single most powerful tool in our live response toolkit for UNIX systems;
what does it stand for?
a) list software operating files
b) list open filters
c) list open files
d) list several open files
2) In Windows, an executable cannot be deleted while it is running in memory. Who locks
the file so that it cannot be removed?
a) kernel
b) file system
c) operating system
d) none of the above
3) In Unix, an attacker can run a file, such as _________ and delete the original binary.
a) lsof
b) datapipe
c) mounted file
d) all of the above
c____4) Full Content Data
b____5) Session Data
d____6) Alert Data
a____7) Statistical Data

a) Similar to time of the day of the regular calls between subjects, duration, etc.
b) Similar to recording one conversation between suspects
c) Similar to recording all conversations of suspects.
d) Similar to a red light going off when a particular word is heard

8) What answers can session data provide?
a) Is the web server compromised?
b) Did the intruder visit other machines using the webserver?
c) Is the intruder present now?
d) How frequent are the visits?
e) all of the above
9) ____________ means running Snort against previously captured data.
a) batch mode
b) live mode
c) close mode
d) run mode
10) Snort's signature-matching can find patterns of ___________________.
a) daily activities
b) malicious activities
c) time activities
d) a and c only
Chapter 5
1. The portscan.log is a simple?
a) open port
b) file
c) text file
d) none of the above
2. Tcptrace first provides __________ on the _______ it sees. Next, it lists a record
number, followed by the source IP and port and destination IP and port.
a) data:information
b) statistics:data
c) connection:networks
d) service:device
3. What is the command to exit from the FTP server?
a) exit
b) logoff
c) end
d) bye
4. If the command used by the intruder is mget knark* what is he going to retrieve?
a) passwords
b) create a file with the name knark
c) files beginning with the word knark
d) that command is not recognized
5. What command shows the directory listings?
a) lo
b) la
c) ls
d) al
Chapter 6
1. Each piece of hardware must be documented with all except?
a) Different color
b) Peripheral connections
c) Evidence tag number
d) Make model
2. Your toolkit needs to have every type of computer hardware interface going back how
many years?
a) 2 years
b) Many
c) 6 months
d) Not applicable
3. Agent notes, Evidence labels, Chain of custody forms, Evidence custodian logs are all
part of which important part?
a) tags
b) labels
c) documents
d) printer
4. By what is the evidence safe maintained?
a) evidence custodian
b) evidence register
c) evidence janitor
d) evidence computer
5. Evidence custodian keeps a log:
a) Date, name, case number, time in, time out
b) Date, name, font
c) Date, case number, place
d) none of the above
Chapter 7
1. What is used by many law enforcement agencies and corporations around the world to
support civil/criminal investigations, network investigations, data compliance and
electronic discovery?
a) Northern
b) Windows Security
c) Encase
d) FBI Security
2. Encase enables you to acquire your evidence in a forensically sound manner, and will
perform on ______ by default.
a) 64 Bites
b) MD5 hash
c) SCA-1 Hash
d) CS Hash
3. Two important devices that do not come with Fire wire duplication kit by default are?
a) Fire wire card and software
b) Fire wire disk and laptop
c) Fire wire card and hard drive converter
d) laptop and a plug
4. What is FTK?
a) Files Tool Kit
b) Fire wire Transport Kit
c) Forensic Tool Kit
d) None of the above
5. Why is it recommended not to put a password in your EnCase?
a) because you will secure your information
b) it's too many steps
c) if you forget you are out of luck
d) it cannot be encrypted

Chapter 8
1. Data dump is part of the most basic of all
a) commercial tools
b) noncommercial forensic duplication tools
c) commercial forensic duplication tools
d) all of the above
2. After Linux has finished booting, what do you want to see?
a) if the computer will restart
b) the color of the screen
c) Which device represents your suspect's hard drive
d) the device empty space
3. By running [root@localhost root]# md5sum -c md5sums.txt you are trying to?
a) validate the evidence file
b) separate the memory
c) hack the computer
d) delete
4. The ______ indicates the number of blocks that are skipped from the input before the
copying begins.
a) time
b) date
c) refresh
d) skip
5. So that data left on the storage hard drive previously is not introduced into the
evidence, the first order of business is to ______?
a) buy a new hard drive
b) wash the hard drive
c) cleanse the evidence
d) unplug the hard drive

Chapter 9
1. When conducting _________ analysis, the first step is to recover undeleted files.
a) research
b) forensic
c) process
d) security
2. In order to associate a file with a local loopback device such as /dev/loop0,
the _________ has to be altered?
a) memory
b) hard drive
c) device
d) kernel
3. Metadata includes ___________, file sizes, MAC times, MD5 hashes, and more.
a) full file names
b) brand
c) exact sizes
d) none of the above
4. What must you select from the menu bar to perform a keyword search with EnCase?
a) View->Words
b) View->Hidden words
c) View->Keywords
d) View->Menu bar
5. Keyword searching is a very important step for ________________________ and
___________________ throughout your evidence data set.
a) identifying relevant files : file fragments
b) finding time of data : file name
c) identifying images : relevant fragments
d) forensic analysis : security threats

Chapter 10
1. Who utilizes the E-script to parse the Web browsing information found in the evidence
and present it to the investigator?
a) FTK
b) IE History
c) E-Script
d) EnCase
2. C:\Documents and Settings\<<profilename>>\Cookies\ is an example of one of the
____________________________________?
a) profile names
b) main directory associated with web browsing history
c) web browsing history
d) documents and settings
3. Each cookie is saved as a small text file that contains?
a) variable names and values, time the cookie was downloaded
b) time the cookie expires, some information about its status
c) time the cookie was downloaded and time the cookie expires only
d) a and b
4. IE History can examine not only IE index.dat files but also __________________?
a) Microsoft Records
b) EnCase Solutions
c) Recycle Bin records
d) Main directory records
5. Pasco and Galleta are two main tools that were released within the past few years that
enable us to reconstruct ______________ browsing activity?
a) Keith J. Jones
b) Lewiss Web
c) Linux
d) Curtis W. Rose

F-12 Windows Registry

1. What is the command to open the Windows registry?
a. Registry
b. Edit
c. RegEdit
d. EditRegistry
2. What is the Microsoft program used to modify which processes are run at
start-up?
a. MSConfig
b. Regedit
c. MMS
d. cmd
3. Which are the three basic event logging logs for windows?
a. System, Application, Security
b. Audit, Application, Security
c. Application, Security, Domain
d. User events, System, Application
4. Where is the windows registry file kept?
a. C:\windows\system32\config
b. C:\Programs\Windows\config
c. C:\Registry\logs\config
d. C:\system32\registry\config
5. What tools are normally available to examine Windows registry files?
a. Open source tools
b. Encase, FTK, Windows Regedit
c. Notepad
d. Winword

F-13

1. What command is used in Linux to compile a C source code
program?
a. Gcc
b. Compile
c. Bcc
d. None of the above
2. What are self contained programs that do not require any other file
reference to run called?
a. Static Executables
b. Self Contained programs
c. Stand alone program
d. None of the above
3. What are executable programs that reference outside files of libraries or
code called?
a. Dynamic Executables
b. Dependent programs
c. Referenced programs
d. Data executables
4. The approach used to examine a file by actually executing the code/file
is called?
a. Static Analysis
b. Exec Analysis
c. Dynamic Analysis
d. Runtime analysis
5. Which program allows a user in Linux to peer inside an executable as it
executes?
a. GNU Debugger
b. MMC
c. BB
d. GCC Debugger

Question for Chapters F7, F8, F9

Chapter F7
1. What is the file system used by MS Windows Vista or 7?
a. FAT16
b. FAT32
c. NTFS
d. EXT3
2. What is the main advantage of NTFS over FAT?
a. Encryption
b. Access time
c. Drive speed
3. What file system is used by Linux?
a. EXT3
b. NTFS
c. FAT32
d. FAT16
4. What is a drawback of FAT16?
a. Restricted disk size.
b. Slow speed
c. Easily corruptible
5. What is the Linux command to make a new file system?
a) Mkfs
b) Fdisk
c) Mkdir
d) Format

Chapter F8
1. What is the fastest and most reliable drive type available?
a. IDE
b. SATA
c. SCISI
d. ATA
2. What is the term for a chronological documentation of evidence?
a. Chain of custody
b. Evidence
c. Evidence log
d. Custody log
3. What is the most modern form of boot device currently used in
computers today?
a. 5 Floppy disk
b. 3 Floppy disk
c. USB boot drives
d. CDROMS
4. Computer forensics deals with which of the following:
a. Virus software
b. Spyware
c. Legal evidence found in computer media
d. Intellectual property
5. What is the most important rule to remember in dealing with digital
forensic evidence?
a. Do not disturb the original disk image evidence
b. Recover deleted files
c. Access the information as fast as possible
d. Discover digital evidence

Chapter F9
1. What is the best digital investigation tool currently available
commercially?
a. Symantic
b. Encase
c. Dfrag
d. Undelete
2. Encase is published by which company:
a. Guidance Software
b. Encase Software
c. Microsoft
d. Oracle
3. What is the recommended way of obtaining a digital copy of an
evidence disk?
a. Bit by bit disk copy
b. Copy Paste
c. Logging into the computer in question.
4. What is the extension for an EnCase media type?
a. .exe
b. .bat
c. .enc
d. .ewf
5. What type of software is FTK?
a. Virus program
b. Disk copy program
c. Scanning program
d. Computer forensic tool kit

Real Digital Forensics chapter F2,F3,F4

1. What is the Linux or Unix system command to display a list of active
Internet connections:
a. Netstat -n
b. Fport
c. FTP
d. Ipconfig
2. Different drives in Linux or Unix often also have to be _____ to be
accessed.
a) Referenced
b) Loaded
c) Mounted
d) Accessed
3. What is the best way to determine if a system file has been modified?
a) Do a virus scan
b) Do an LS command
c) Run a checksum
d) Try to run the file.
4. Where is the system log stored in Linux?
a) /etc/bin/syslog.conf
b) /etc/syslog.conf
c) /windown32/system.log
d) /bin/syslog.conf
5. Which system file in Linux/Unix contains a list of user accounts?
a) /etc/passwd
b) /etc/bin/passwd
c) /windows/passwd
d) It does not exist
6. Which type of equipment joins networks together?
a. Hub
b. Switch
c. Router
d. Access Point
7. What type of device is used to filter network traffic?
a. Firewall
b. A server
c. Hub
d. Switch
8. What is a standard packet capture program?
a. TCPdump
b. Fport
c. Telnet
d. Netstat
9. What is an appropriate alert data tool to collect network traffic?
a. Snort
b. SSH
c. Netstat
d. Telnet
10. In a standard intrusion scenario, when an intruder conducts probes
against a target system it is called?
a. Consolidation
b. Exploitation
c. Reconnaissance
d. Pillage
11. What type of data gives you a general pattern of network traffic?
a. Alert data
b. Statistical data
c. Total capture data
d. Sample data
12. What type of sampling technique looks for particular patterns in the
network traffic?
a. Signature based alert data
b. Statistical data
c. Sample data
d. Raw data
13. The intercepting of network data directly from the network via a
hardware device is known as?
a. Exploit
b. Tap
c. Signature
d. Sample
14. The data that records all network activity that occurred during a
specific period is known as?
a. Raw data
b. Full content data
c. Sample data
d. Alert data
15. Gaining root privileges in a Linux/Unix system usually refers to the
following?
a. Gaining administrative level access
b. Gaining access to the c: drive.
c. Compromising a guest account
d. Mounting a drive

1. Which of these elements is classified as volatile data?
a. File timestamps
b. Location of registry file
c. Internal routing table
d. System version and patch level
2. Which of the following is not a system event log?
a. Security
b. System
c. Audit
d. Application
3. Which command can be used to see the routing table?
a. netstat
b. regedit
c. at
d. psexecsvc
4. Which command line tool can help test file integrity?
a. regedit
b. md5sum
c. netcat
d. inspect

5. Which set of tools provide enhanced functionality for viewing volatile data in
Windows?
a. IIS
b. Policy Manager
c. pstools
d. Windows XP Service Pack 3

1. In Unix, which command is used to display a list of running processes?
a. proc
b. PS
c. lp
d. ps -aux
2. What is required before a disk drive can be viewed in Unix?
a. open file explorer
b. mount the drive
c. refresh the device manager
d. connect the computer and restart the machine
3. Regarding Unix, which one of these statements is not true
a. the netstat command can be used just like in Windows
b. The process list includes the name of the user that launched the process
c. Standard TCP ports are different in the Unix environment
d. The volatile and non-volatile types of data are the same as Windows
4. What is the purpose of the netcat utility?
a. To acquire non-volatile data
b. To obtain output without disturbing the victim computer in a live response
c. To detect trojans currently on the victim computer
d. A utility used to perform a network route inventory
5. What utility provides a list of open files?
a. ps
b. flist
c. fopen
d. lsof

1. What is NBE?
a. NetBios Environment
b. Network-Based Evidence
c. Non-Breakable Execution
d. Network Bound E-mail
2. Which one of these is not a type of NBE
a. Session Data
b. Alert Data
c. Application Data
d. Statistical Data
3. Which of these is not a method to intercept network traffic
a. Multimeter
b. Taps
c. Hubs
d. Inline devices
4. What function does the snort program perform
a. performs a core dump
b. eavesdrop through the telephone system
c. perform statistical analysis
d. captures interesting network packets
5. Which event is a likely precursor to an attack
a. server begins to power off without warning
b. a disgruntled employee was fired
c. a threatening email
d. a port scan

1. Which of these is not a factor in a Chain of Custody?
a. source individual
b. location
c. ethernet port number
d. transfer Date
2. Which is the most widely used commercial forensic software
a. data dump
b. abadox
c. forensic toolkit
d. encase
3. What function does the fdisk command perform?
a. create a partition
b. duplicate a disk
c. mount a disk
d. show an enumerated list of external disks
4. What must be done immediately after performing a duplication
a. compress the files to save space
b. change file permissions on the victim drive to read-only
c. perform an md5 hash on the files
d. disconnect drive and give it to the evidence custodian
5. Why is it important to lock writes to the source drive
a. a single access or write will contaminate the evidence
b. it is a faster data transfer
c. the firewire device converter is relatively inexpensive
d. the victim can sue for property damage

1. What command is used to make a hard drive accessible in Unix?
a. fdisk
b. mount
c. load
d. ls
2. Which of these is not a step in duplicating a hard drive
a. generate md5 hashes
b. make hash file read-only
c. use the dd command
d. open file on the source hard drive to make sure you are duplicating the correct drive
3. What technique is key to reducing fileset
a. delete all mp3 files if music files are not relevant to the case
b. delete c:\Windows folder since no user data is stored there
c. remove all files with irrelevant file extensions, such as DLL files
d. compare file hashes to remove known files, such as C:\Windows folder
4. Commercial forensic solutions recover deleted files automatically
a. true
b. false
5. Which of these is not a non-commercial forensic software
a. DCFLDD
b. dd
c. encase
d. NED

1. Which Windows program can be used to examine the registry?
a. regedit
b. openreg
c. registry express
d. windows explorer
2. What type of information is not kept in the registry?
a. Installed applications
b. MRU
c. Cookies
d. Windows configuration settings
3. Which technique is used to make data unreadable (gibberish) but is not considered a
serious form of encryption?
a. masking
b. file defragmentation
c. hidden files
d. obfuscation
4. Which hardware device is sometimes required for software to function normally
a. keyboard
b. printer
c. modem
d. dongle
5. A computer forensic investigator should assume that any unknown code is hostile.
a. true
b. false
6. Which one of these is not a method used to calculate a hash value
a. RCA
b. SHA-256
c. MD5
d. SHA-512
7. Data cannot be recovered from a hard drive after the user has deleted all the files
a. true
b. false
8. What device can be used to avoid disturbing the data on a suspect drive when
accessing it?
a. Write blocker
b. dongle
c. MTU
d. Just set all the file to read-only.

9. Data can be hidden in the spaces between files
a. true
b. false
10. What is the default file system used in Windows XP?
a. UFS
b. FAT32
c. FAT16
d. NTFS

1. Under which directory are Microsoft Windows Registry files found?
a. C:\Windows\system32\config
b. C:\Program Files\system32\config
c. C:\Windows\system42\bin
d. C:\Registry Files\system32\config
2. _________ forensics is forensics applied to information stored or
transported on computers
a. System
b. File
c. Computer
d. Hard Drive
3. What are the two ways encrypting data could guard the data?
a. Protect Data and Prove Integrity
b. Lock and Key
c. Data Integrity and Prove Data
d. Passwords and Authentication
4. _______ is some method of modifying data so that it is meaningless and
unreadable in its encrypted form.
a. Encryption
b. Decryption
c. Bicryption
d. Monocryption
5. A _____ function is any well-defined procedure or mathematical
function for turning some kind of data into a relatively small integer.
a. Mash
b. Hash
c. Linear
d. Quadratic
6. What does SHA stand for?
a. System Hit Algorithm
b. Secure Hash Algorithm
c. Science History Agency
d. Secure Hail Algorithm
7. Use a __________device to prevent accidentally writing to the suspect
media.
a. System
b. File
c. Read-Blocking
d. Write-blocking
8. The _____ algorithm takes as input a message of arbitrary length and
produces as output a 128-bit fingerprint of the input.
a. MD8
b. MD5
c. MD6
d. MD7
9. It is important that an _____ is made of the hard drive and not a copy or
a backup.
a. Icon
b. File
c. Picture
d. Image
10. Which is NOT a name for a returned value of a hash function?
a. Hash values
b. Hash codes
c. Hashish
d. Hashesh

Moises Flores Jr
CSCI 6318
Dr. John Abraham
Chapter 6 Questions
1. Which of the following tools is an essential tool when conducting forensic
duplication?
a. Hammer
b. Digital Camera
c. Cell Phone
d. Pager
2. ________ is paramount when conducting a forensic investigation.
a. Storing hardware and software.
b. Ensuring data is backed up.
c. Documentation of evidence worksheets, system worksheets, agent
notes, evidence labels, etc.
d. Keeping time of the work you put in to the investigation.

3. Which of the following IS NOT contained on the evidence labels?
a. Type of data retrieved.
b. Case Number.
c. Evidence Tag Number.
d. Contents.
4. On the Evidence Custodian Log, what information is contained?
a. Date, Name, Information, Time in, Time out.
b. Date, Name, Case Number, Time in, Time out.
c. Date, Name, Computer Number, Time in, Time out.
d. None of the above.
5. On the Chain of Custody Form, what information is contained?
a. Source individual, Source location, Destination individual, Destination
location, Transfer date.
b. Source individual, Source description, Destination individual,
Destination location, Transfer date.
c. Source information, Source address, Destination individual, Destination
location, Transfer date.
d. None of the above.
Chapter 7 Questions
1. The duplication device contains a number of components that must be assembled
correctly to successfully acquire your evidence. Which of the following IS NOT
one of those components?
a. A read-only Firewire-to-IDE module.
b. A read-write Firewire-to-IDE module.
c. Firewire cables.
d. Duplication cables.
2. When acquiring a forensic duplication, which of the following programs can be
used to assist you in this process?
a. EnChase.
b. Ncase
c. E-case
d. EnCase.
3. It is highly recommended to use ________ controls for evidence access rather
than a software solution.
a. Active.
b. Hardware.
c. Physical.
d. Password.

4. FTK can acquire the forensic duplication in three different formats, what are they?
a. EnChase Information Files, Raw Disk Image, SMART Format.
b. EnCase Evidence Files, Row Disk Image, SMART Format.
c. EnCase Evidence Files, Raw Disk Image, SMART Format.
d. EnCase Evidence Files, Raw Disk Image, SNORT Format.
5. To acquire a forensic duplication with FTK, you must open the FTK ________.
a. Instant program.
b. Initiation program.
c. Imager program.
d. Imaging program.

Chapter 8 Questions
1. The most basic of all noncommercial forensic duplication tools is definitely
a. Desk dump
b. Data dunk
c. Date dump
d. Data dump

2. What does if stand for in the dd command?
a. Inter file
b. Inner file
c. Input file
d. In file
3. The dmesg command displays four hard drives used to boot into Linux. What are
they?
a. Suspects hard drive, OS drive, Speed drive, CD-ROM drive.
b. Suspects hard drive, OS drive, Separate drive, CD-ROM drive.
c. Suspects hard drive, OS drive, Storage drive, CD-ROM drive.
d. Suspects hard drive, OS drive, Storage drive, CD-RMO drive.

4. When creating an evidence hard drive, the first thing one should do is?
a. Delete the evidence hard drive so that data left on the storage hard drive
previously is not introduced into the evidence.
b. Detect the evidence in the hard drive so that data left on the storage hard
drive is introduced into the evidence.
c. Cleanse the evidence hard drive so that date left on the storage hard drive
previously is not introduced into the evidence.
d. None of the above.
5. The ________ is a variation of the standard dd that provides functionality for
greater authentication using a built-in MD5 hashing algorithm.
a. DCFLLD
b. DCFLDD
c. DDFLCD
d. DDFLDD

Chapter 9 Questions
1. When conducting forensic analysis, what is the first step you want to take?
a. Delete files.
b. Undelete files.
c. Recover files.
d. Take pictures.
2. The ________ is altered so that you can associate a file (the forensic duplication)
with a local loopback device such as /dev/loop0.
a. Operating system.
b. Memory.
c. Kernel.
d. Shell.
3. The first step to recover deleted files is to load our evidence into
a. Hard drive.
b. USB.
c. EnCase.
d. Forensic Work Station.
4. What is one of the advantages of using open source tools to undelete files?
a. It is easier to use than commercial alternatives.
b. No licensing fees associated.
c. It retrieves more undeleted files than commercial solutions.
d. None of the above.
5. What does Metadata include?
a. Full file names, file sizes, MAC times, MD5 hashes.
b. Full user names, file names, MAC dates, MD 5 hashes.
c. Full file names, file sizes, MAC size, MD 5 hashes.
d. None of the above.

Created By: Jerry Garza
Dr. Abraham
CSCI 6318
Chapter 2 - Questions - Key
1. What is the name of logs in unix?
A. Events
B. System
C. SysLog
D. Event Viewer
2. What command will give you the version and patch level in unix?
A. user
B. netcat -stat
C. uname -a
D. print -system
3. What is the unique mathematical fingerprint of a file called?
A. fingerprints
B. MD5 Checksum
C. encryption
D. file properties
4. What command will show the current network connections?
A. netcat -list
B. net show ports
C. net
D. netstat -an
5. In the address 102.60.21.3:1827, what is 1827?
A. The Number of connections being made.
B. The user ID
C. The port number
D. IP address

Chapter 3 & 4 - Questions - KEY

1. Capturing data when a rule or signature is met is called
A. Session Data
B. Alert Data
C. Full Content Data
D. Statistical Data
2. Capturing all the data of network connection is called
A. Session Data
B. Alert Data
C. Full Content Data
D. Statistical Data
3. This device will repeat all traffic from a port to all the other ports on the device
A. Switch
B. Tap
C. Hub
D. Inline Device
4. An application that can capture network data and run as an IDS is
A. argus
B. tcpdump
C. snort
D. fport
5. What command will capture data on linux and dump to a file
A. fport
B. argus
C. tcpdump
D. netstat
Chapter - 10 Questions
1. An open source Cookie Investigation Tool
A. FTK
B. Galleta
C. Pasco
D. Encase
2. Internet Explorer utilizes all EXCEPT the following where digital forensics evidence
can be found.
A. Web browsing history
B. Temporary Internet Files
C. Cookies
D. Local User Settings
3. An open source tool to reconstruct web browsing
A. Pasco
B. FTK
C. Galleta
D. Encase
4. In order to rebuild web history, commercial and open source tools look at what
Internet Explorer file
A. index.html
B. history.dat
C. index.dat
D. ie.dat
5. The following are valid types for an activity record in internet explorers history
EXCEPT:
A. LEAK
B. REDR
C. URL
D. COOKIE
1. The aim of an information management strategy is to:
A. gain value from information resources.
B. assign appropriate responsibilities for information resources.
C. protect information resources.
D. improve the quality of information resources.
E. none of the above.

2. An information policy is typically aimed at improving:
A. opportunities from better usage of information.
B. a culture of knowledge sharing.
C. openness of communications within an organization.
D. the utilization of data storage on servers.
E. errors from poor quality information.

3. The Information Technology School of information management of
Marchand et al. (2002) focuses on:
A. managing the information lifecycle for different types of
information.
B. improving people's information usage, behaviors and values.
C. none of the above.
D. selecting appropriate technology to support decision making.
E. using information to manage people and link their performance to
business performance.
4. The Management Control School of information management of
Marchand et al. (2002) focuses on:
A. selecting appropriate technology to support decision making.
B. improving people's information usage, behaviors and values.
C. managing the information lifecycle for different types of
information.
D. none of the above.
E. using information to manage people and link their performance to
business performance.

5. The Behaviour and Control School of information management of
Marchand et al. (2002) focuses on:
A. none of the above.
B. selecting appropriate technology to support decision making.
C. using information to manage people and link their performance to
business performance.
D. improving people's information usage, behaviors and values.
E. managing the information lifecycle for different types of
information.
6. The Information Management School of information management of
Marchand et al. (2002) focuses on:
A. none of the above.
B. improving people's information usage, behaviors and values.
C. using information to manage people and link their performance to
business performance.
D. selecting appropriate technology to support decision making.
E. managing the information lifecycle for different types of
information.
7. Information management strategy development starts with:
A. defining responsibilities.
B. reviewing current information resource characteristics and usage
(an information audit).
C. putting in place security control.
D. setting objectives.
E. none of the above.
8. Responsibilities for information management need to be defined at
this level.
A. Board level.
B. None of the above.
C. User-level.
D. Middle manager level.
E. Partner-level.
9. The Hawley Committee recommendation that dealt with information
security was:
A. the identification of information assets...
B. none of the above.
C. the protection of information from theft, loss, unauthorized access
and abuse...
D. the harnessing of information assets and their proper use for
maximum benefit of the organization...
E. the proper use of information with applicable legal, regulatory,
operational and ethical standards...

10. The Hawley Committee recommendation that dealt with
information auditing was:
A. the harnessing of information assets and their proper use for
maximum benefit of the organization...
B. the identification of information assets...
C. none of the above.
D. the protection of information from theft, loss, unauthorized access
and abuse...
E. the proper use of information with applicable legal, regulatory,
operational and ethical standards...

CSCI6318
03/28/2010
Liang Ding
Lecture 1: Live Incident Response
1. Which option is not included in Volatile Data?
A. The System Date and Time
B. Which Executables Are Opening TCP or UDP Ports
C. A History of Logins
D. Open Files
2. Which symbol can we use to write information printed on screen
into file?
A. ^
B. <<
C. &
D. >
3. Which command do we use to get information about Scheduled
Jobs?
A. at
B. Pslist
C. Fport
D. Date
4. Which option is not included in Nonvolatile Data?
A. File System Time and Date Stamps
B. Registry Data
C. IIS Logs
D. Cached NetBIOS Name Table
5. Which command in our book do we use to get File System Time and
Date Stamps?
A. dir
B. find
C. psinfo
D. time

Lecture 2: Computer Foundations
1. Which of the following does not belong to data organization?
A. Hexadecimal
B. Decimal
C. Binary
D. byte
2. Numbers are stored and transmitted inside a computer in
A. binary form
B. ASCII code form
C. decimal form
D. alphanumeric form
3. A computer knows the layout of data through _____.
A. Data Organization
B. Data Recovery
C. Data Structure
D. Data Analysis
4. A byte corresponds to _____.
A. 4 bit
B. 8 bit
C. 16 bit
D. 32 bit
5. Which are two ways to access ATA hard drives?
A. Through BIOS
B. Indirect Access
C. Through Datalink
D. Direct Access
Lecture 1 Answers:
1. C
2. D
3. A
4. D
5. B

Lecture 2 Answers:
1. D
2. A
3. C
4. B
5. AD
Lecture 3: Unix Live Incident Response
1. Which option is not included in Volatile Data for Unix?
A. The System Date and Time
B. Which Executables Are Opening TCP or UDP Ports
C. A History of Logins
D. Open Files
2. Which command in our book do we use to get current network
connections for Unix?
A. netstat
B. date
C. ps
D. dir
3. Which command do we use to get information about a history of
logins for Unix?
A. at
B. Pslist
C. last
D. Date
4. Which option is not included in Nonvolatile Data for Unix?
A. System version and patch level
B. File system time and date stamps
C. A history of logins
D. Mounted File systems
5. Which command in our book do we use to get information on
mounted file systems for Unix?
A. df
B. find
C. psinfo
D. time
Lecture 4&5: Collecting Network-Based Evidence & Analyzing Network-Based
Evidence for a Windows Intrusion
6. Which are included in Network-Based Evidence?
A. Full content data
B. Session data
C. Alert data
D. Statistical data
E. All of above
7. Which are included in a standard intrusion scenario?
A. Reconnaissance
B. Exploitation
C. Reinforcement
D. All of above
8. Network security specialists use four main ways to access network traffic. These
methods include:
A. Hubs
B. Taps
C. Inline devices
D. Switch SPAN ports
E. All of above
9. Which description is for Full Content Data?
A. Consists of the actual packets, typically including headers and application
information.
B. Shows aggregations of packets into flows or groups of associated packets.
C. Created by network IDSs; when the IDS sees traffic that matches its signature or rule
base, it informs the administrator via an alert reported to a database, console, or email.
D. For stepping back and looking at the big picture, provides perspective.
10. Which description is for Alert Data?
A. Consists of the actual packets, typically including headers and application
information.
B. Shows aggregations of packets into flows or groups of associated packets.
C. Created by network IDSs; when the IDS sees traffic that matches its signature or rule
base, it informs the administrator via an alert reported to a database, console, or email.
D. For stepping back and looking at the big picture, provides perspective.

Answers:
1. C
2. A
3. C
4. B
5. A
6. E
7. D
8. E
9. A
10. C
CSCI6318
04/15/2010
Liang Ding
Chapter 6 & 7:
1. Tools needed for Forensic Duplications?
A. Digital camera
B. Screwdriver with several sizes and types of bits
C. Flashlight
D. Dremel tool
E. All of above
2. Which documentations do we need for Forensic Duplications?
A. Evidence Worksheets
B. System Worksheets
C. Agent Notes
D. Evidence Labels
E. All of above
3. What is the purpose of Evidence tape for Forensic Duplications?
A. Cut a cable tie in the suspect's computer to acquire a duplication
B. Connect the suspect's media to your forensic
C. Show tampering if you store your evidence in a standard business
envelope
D. Modify a boot disk
4. What is the purpose of Blank floppies for Forensic Duplications?
A. Cut a cable tie in the suspect's computer to acquire a duplication
B. Connect the suspect's media to your forensic
C. Show tampering if you store your evidence in a standard business
envelope
D. Modify a boot disk
5. Which is the commercial software we use to accomplish a forensic
duplication? It is one of the most widely used forensic duplication
and analysis software tools available today.
A. FTK
B. EnCase
C. DD
D. DCFLDD

Chapter 8: Noncommercial-Based Forensic Duplications
6. Commercial software for forensic duplication includes ______
A. FTK
B. EnCase
C. DD
D. All of above
E. Both A and B
7. Which is the most basic of all noncommercial forensic duplication tools?
A. NED
B. FTK
C. EnCase
D. DD
8. The ______ is a variation of the standard dd that provides functionality for greater
authentication using a built-in MD5 hashing algorithm.
A. NED
B. DCFLDD
C. FTK
D. EnCase
9. Which is the newest open source forensics tool that runs in a Linux environment?
A. NED
B. FTK
C. EnCase
D. DD
10. Noncommercial software for forensic duplication includes _________
A. DD
B. DCFLDD
C. NED
D. All of above
Answers:
1 E
2 E
3 C
4 D
5 B
6 E
7 D
8 B
9 A
10 D
CSCI6318
04/22/2010
Liang Ding
Chapter 9: Common forensic analysis techniques
1. Before analysis, we should make sure that the forensic duplication
is ________.
A. Read and write
B. Write only
C. Read only
D. Hidden
2. Which is the most notable forensic tool in the open source
movement to recover deleted files?
A. The Coroner's Toolkit
B. EnCase
C. JBRWWW
D. FTK
3. After we finish forensic duplication and file recovery, we
should do ______.
A. Load evidence
B. Acquire the metadata from all files that exist in the evidence
C. Create new image
D. Create MD5 hashes for the files
4. What is the better way to ignore known files?
A. Delete known files at first
B. Make marks for the known files
C. Copy the known files into another hard drive
D. Compare the MD5 hashes of every file in a forensic duplication with
a known set of hashes and ignore any matches
5. If you do not know what you will find on the subject's hard drive,
but you know specifics of a case, what should you do?
A. Perform a search across the whole hard drive and detect files or file
fragments that contain the information you are looking for
B. Determine the file signatures
C. Remove known files
D. Forensic duplication
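The reduction-and-search procedure the Chapter 9 questions describe (recover files, acquire metadata and MD5 hashes for everything, drop known files by comparing those hashes against a known set such as NSRL, then string-search only what remains), as an added example written for these notes; it is not code from the book, from md5deep or from The Sleuth Kit. It assumes the recovered files have been exported to a directory, that the known-file list is an md5deep-style "<md5>  <path>" text list, and that the sample files, hash list and search terms below are constructed for the demo:

```python
"""Data-reduction and string-search pass over recovered files (added example).

Re-implements what the Chapter 9 questions describe: hash every file in
the evidence tree (as md5deep -r would), drop files whose MD5 appears in
a known-file hash set (NSRL-style), then string-search only what is left.
Assumptions not taken from the book: the evidence tree is an exported
directory, the known-hash list is a plain-text "<md5>  <path>" list, and
the sample files and search terms are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile


def md5_of_file(path, block_size=65536):
    """Hash in chunks so large evidence files never have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Recursively hash every regular file under root, like md5deep -r.
    Symlinks are skipped so a planted link cannot pull in files from
    outside the evidence tree. Returns {relative_posix_path: md5}."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = md5_of_file(full)
    return result


def load_known_hashes(text):
    """Parse an md5deep/NSRL-style list; only the hash column is used."""
    known = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            known.add(line.split()[0].lower())
    return known


def reduce_data_set(root, known):
    """Return only the files whose hash is NOT in the known set."""
    return {p: h for p, h in hash_tree(root).items() if h not in known}


def string_search(root, paths, terms):
    """Case-insensitive search of the remaining files for case-specific
    terms. Returns {path: sorted list of terms found}."""
    pattern = re.compile(
        b"|".join(re.escape(t.encode()) for t in terms), re.IGNORECASE)
    hits = {}
    for rel in paths:
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        found = sorted({m.lower().decode() for m in pattern.findall(data)})
        if found:
            hits[rel] = found
    return hits


# Constructed sample evidence tree: two files an OS install would contain
# (their hashes go into the "known" list) and two that an intruder or the
# subject left behind. Contents are made up for the demo.
SAMPLE_FILES = {
    "bin/ls": b"\x7fELF known-good ls binary (constructed)",
    "etc/motd": b"Welcome to the constructed sample host\n",
    "tmp/.x/irc.conf": b"server irc.example.net 6667\nchannel #payload\n",
    "home/user/notes.txt": b"Meeting about the SHIPMENT on Friday\n",
}
KNOWN_LIST = "\n".join(
    "%s  %s" % (hashlib.md5(SAMPLE_FILES[p]).hexdigest(), p)
    for p in ("bin/ls", "etc/motd"))
CASE_TERMS = ["shipment", "payload"]


def run_demo():
    """Write the sample tree to a temp dir, reduce it, then string-search it."""
    root = tempfile.mkdtemp(prefix="evidence_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    unknown = reduce_data_set(root, load_known_hashes(KNOWN_LIST))
    hits = string_search(root, unknown, CASE_TERMS)
    return {"unknown": sorted(unknown), "hits": hits}


if __name__ == "__main__":
    print(run_demo())
```

Run it and the two OS files disappear from the working set before any search is done, which is the whole point of the hash comparison: the string search then touches only the files that are not already explained. In a real case the known list would be the NSRL distribution (or an md5deep run over a clean install of the same build), and the search would run over the raw duplication too, to catch fragments of deleted files that no longer have a directory entry.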

Chapter 10: Web Browsing Activity Reconstruction
6. IE utilizes ______ facilities where we can find evidence:
A. Web browsing history
B. Cookies
C. Temporary Internet Files
D. All of above
7. Which is a commercial tool to parse the Web browsing information
found in the evidence and present it to the investigator?
A. NED
B. FTK
C. EnCase
D. DD
8. Pasco examines ______ files and how they were populated when a suspect
browses the internet.
A. index.html
B. index.sys
C. index.dat
D. index.zip
9. Which is the tool to translate the information inside an IE cookie file to something
a human can understand?
A. Pasco
B. FTK
C. EnCase
D. Galleta
10. Cookie files are stored in _____.
A. Remote computer
B. Server
C. Native computer
D. Switch

Answers: 1. C 2. A 3. B 4. D 5. A 6. D 7. C 8. C 9. D 10. C


1.- When using the Nikto web server scanning tool, status code ______________ means that
the access was successful.
A) 400
B) 300
C) 200
D) 800
2.- Activity web server logs are automatically saved in ____________
A) Winnt\System32\Savedfiles
B) Winnt\System32\Logfiles
C) Winnt\Webservices\logfiles
D) Winnt\System32\Recentactivity
3.- A utility named _________________ is used to transmit encrypted data to the forensic
workstation.
A) Netcat
B) Cryptcat
C) MD5
D) FPort
4.- _________ is a utility used to list open ports and associate them with the executables that
opened them.
A) Netcat
B) Cryptcat
C) MD5
D) FPort
5.- _________ is an application that lists the process table, in order to know what processes
the attacker executed.
A) PsExec
B) PsTools
C) PsList
D) Netstat

1.- ______________ refers to collecting every electronic element of a data connection.
A) Session data
B) Full content data
C) Statistical data
D) Alert data
2.- ____________ is data that shows predefined items of interest (e.g. a red light flashes
each time the word "shipment" is detected).
A) Alert data
B) Full content data
C) Session data
D) Statistical data
3.- _________________ is the last step in a standard intrusion scenario. It could involve
stealing information or damaging a computer.
A) Reconnaissance
B) Session end
C) Reinforcement
D) Pillage
4.- _________ is a tool used to split a file into smaller files.
A) Netcat
B) Cryptcat
C) MD5
D) Tcpslice
5.- In order to identify the most active hosts on a network, the analyst should use
____________.
A) Session data
B) Full content data
C) Statistical data
D) Local data
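How the four kinds of network-based evidence relate to each other, as an added example for these notes (not code from the book or from any NSM tool): starting from full content data, it derives session data (flows), statistical data (bytes per host, which is how the most active hosts in question 5 are found) and alert data (a predefined item of interest, here the word "shipment" from question 2), and shows the one thing only full content can give back, the reassembled conversation. The packet list, addresses and payloads are constructed; the record layout stands in for a decoded pcap:

```python
"""Deriving session, statistical and alert data from full content data
(added example). Full content is the raw packets; the other three types
of network-based evidence are reductions of it. Assumption: each record
is (time, src, sport, dst, dport, payload), standing in for a decoded
pcap; the six packets below are constructed for the demo.
"""
from collections import defaultdict

# Constructed full content data: six packets, three conversations.
PACKETS = [
    (1.0, "10.1.1.5", 40001, "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    (1.1, "192.0.2.10", 80, "10.1.1.5", 40001, b"HTTP/1.1 200 OK\r\n" + b"A" * 200),
    (2.0, "10.1.1.9", 51000, "192.0.2.22", 22, b"SSH-2.0-OpenSSH_5.3\r\n"),
    (2.1, "192.0.2.22", 22, "10.1.1.9", 51000, b"SSH-2.0-OpenSSH_5.3\r\n"),
    (3.0, "10.1.1.5", 40002, "198.51.100.7", 6667, b"PRIVMSG #ops :shipment arrives friday\r\n"),
    (3.5, "198.51.100.7", 6667, "10.1.1.5", 40002, b":ops PRIVMSG 10.1.1.5 :ack\r\n"),
]


def session_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation land in one session."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def session_data(packets):
    """Session data: aggregate packets into flows (who, whom, when, how much)."""
    sessions = {}
    for ts, src, sport, dst, dport, payload in packets:
        key = session_key(src, sport, dst, dport)
        s = sessions.setdefault(key, {"start": ts, "end": ts, "packets": 0,
                                      "bytes": 0, "initiator": src})
        s["end"] = max(s["end"], ts)
        s["packets"] += 1
        s["bytes"] += len(payload)
    return sessions


def statistical_data(packets):
    """Statistical data: bytes seen per host (sent or received), most active first."""
    per_host = defaultdict(int)
    for _ts, src, _sport, dst, _dport, payload in packets:
        per_host[src] += len(payload)
        per_host[dst] += len(payload)
    return sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))


def most_active_host(packets):
    return statistical_data(packets)[0][0]


def alert_data(packets, items_of_interest):
    """Alert data: flag packets whose payload contains a predefined item of interest."""
    alerts = []
    for ts, src, _sport, dst, dport, payload in packets:
        lowered = payload.lower()
        for item in items_of_interest:
            if item.lower().encode() in lowered:
                alerts.append({"time": ts, "src": src, "dst": dst,
                               "dport": dport, "item": item})
    return alerts


def reassemble(packets, key):
    """Rebuild one session's content per direction; only full content data allows this."""
    streams = defaultdict(bytes)
    for ts, src, sport, dst, dport, payload in sorted(packets):
        if session_key(src, sport, dst, dport) == key:
            streams[(src, dst)] += payload
    return dict(streams)


if __name__ == "__main__":
    for key, s in session_data(PACKETS).items():
        print(key, s)
    print("top talkers:", statistical_data(PACKETS)[:3])
    print("alerts:", alert_data(PACKETS, ["shipment"]))
```

The ordering matters in practice: statistical and session data are cheap to keep for months and tell you which conversation to pull, while full content is expensive to store and is what you pull once an alert or an odd flow points at a session. Here the alert on "shipment" and the top-talker list both point at 10.1.1.5, and reassemble() on the IRC session returns the message that caused the alert.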

1.- ______________ network security monitoring is used when the attack has already
happened.
A) Threat response
B) Proactive NBE
C) Reactive NSM
D) Resulting NSM
2.- ____________ is a Java program that reads information from a MySQL database and
produces a 3-D map of network traffic.
A) scanmap3d
B) Tcpdump
C) 3-D visualizer
D) IDS
3.- In a Linux environment, if an administrator wants to check whether a kernel module has
been trojaned, he must use the ________ command to review all the loaded kernel
modules.
A) lsmod
B) Cryptcat
C) MD5
D) FPort
4.- _________ network security monitoring is used to prevent attacks.
A) Proactive NSM
B) Cryptcat
C) Reactive NBE
D) FPort
5.- ___________ is the protocol Microsoft uses to share files, printers, serial ports, and
also to communicate between computers.
A) Active Directory
B) Sharepoint Services
C) Server Message Block
D) System Services
Prepared by: Edgar Garcia

1.- In a standard intrusion scenario, _________ refers to the preliminary examination before
an attack happens, checking for vulnerable versions of software.
A) Pillage
B) Consolidation
C) Reconnaissance
D) Reinforcement
2.- Full content data, _________, alert data and statistical data are the four main types of data
collected as network-based evidence.
A) Session data
B) Log data
C) System data
D) History data
3.- _________ is the most useful tool to analyze full content data on a packet-level basis.
A) lsmod
B) Ethereal
C) MD5
D) FPort
4.- _________ is the best open source tool for network intrusion detection.
A) Proactive NSM
B) Ethereal
C) Snort
D) Tcpview
5.- In a standard intrusion scenario, _________ refers to downloading attack tools and attempting
to elevate privileges at the target, perhaps using a backdoor.
A) Pillage
B) Privilege escalation
C) Consolidation
D) Reinforcement
Prepared by: Edgar Garcia

1.- When handling evidence, the first task is to document ________.
A) Agent Notes
B) Evidence Worksheets
C) Chain of custody forms
D) Evidence Access Logs
2.- ____________ is a form used to document any time the evidence changes hands.
A) Agent Notes
B) Evidence Worksheet
C) Chain of Custody Forms
D) System Worksheets
3.- _________________: this log contains information about new evidence submission,
old evidence disposition, and any evidence auditing.
A) Evidence Custodian Log
B) Evidence Access Log
C) System Logs
D) Chain of Custody Forms
4.- _________ is a worksheet kept next to the evidence safe, used when an individual
desires access to evidence in the safe.
A) Evidence Custodian Log
B) Cryptcat
C) Evidence Access Logs
D) Safe Access Logs
5.- When documenting the specifics of a hard drive, one worksheet is used for each
unique ______. They usually start at one and increase by one for each unique piece of
evidence.
A) Geometry
B) Serial Number
C) Capacity
D) Evidence Tag

1.- __________ is the most widely used commercial-based forensic duplication software
tool.
A) Undelete
B) EnCase
C) Partition Recover
D) System Restore
2.- When acquiring a forensic duplication, the evidence hard drive should be connected
using ______________.
A) Standard SATA Cable
B) Standard IDE Cable
C) read-only FireWire-to-IDE module
D) read-write FireWire-to-IDE module
3.- If we want to duplicate more than one drive at a time, it simply
requires _________________.
A) Purchase an additional read-only FireWire-to-IDE module
B) Purchase an extra computer
C) It can't be done
D) Purchase a Server
4.- Forensic Tool Kit (FTK) can acquire the forensic duplication in the following
formats: _________.
A) EXE, COM and DOC files
B) PPT, XLS, TXT files
C) E01, dd, SMART format
D) IDS, IPS, PSD files
5.- When acquiring a forensic duplication, the storage drive (the drive on which the
duplication will be stored) should be connected using ______________.
A) Standard SATA Cable
B) Standard IDE Cable
C) read-only FireWire-to-IDE module
D) read-write FireWire-to-IDE module

1.- ________ is a variation of dd and can traverse a hard drive forward or backward.
A) dd_forward
B) dd_rescue
C) dd_backward
D) EnCase
2.- When using dd, if= is used to ____________.
A) Specify the output file
B) Specify the network name
C) Specify the input file
D) Is not used in dd
3.- _________________ is an evidence duplicator, originally named ODESSA. It operates
using a client and server model.
A) NED
B) Cryptcat
C) dd
D) Netcat
4.- _________ is a variation of dd. It provides functionality for greater authentication
using a built-in MD5 hashing algorithm.
A) NED
B) Cryptcat
C) DCFLDD
D) Netcat
5.- When using dd, of= is used to ____________.
A) Specify the output file
B) Specify the network name
C) Specify the input file
D) Is not used in dd

1.- ________ is an open source tool used to examine the contents of Internet Explorer's
cache files. It will parse the information in an index.dat file and output the results in a
field delimited manner.
A) FTK
B) Pasco
C) EnCase
D) NBE
2.- ________ is an open source tool used to examine the contents of a cookie file. It will
parse the information in a cookie file and output the results in a field delimited manner.
A) FTK
B) Pasco
C) NBE
D) Galleta
3.- _________________ is a file that can be used to reconstruct the Web browsing activity.
It contains three activity records: LEAK, URL and REDR.
A) index.dat
B) iehistory.dat
C) browser.dat
D) ielogs.dat
4.- _________: this record shows information about a browser's redirection to another site.
A) URL
B) LEAK
C) REDR
D) WebRecord
5.- It does the same as URL; it contains information about websites visited: the ______ record.
A) REDR
B) Webrecord
C) FTK
D) LEAK

1.- __________ is an open source tool that can be used to reconstruct an E-Mail DBX
file.
A) Encase
B) Eindeutig
C) MailRecover
D) MailRestore
2.- An open source tool named __________ can be used to decode MIME file
attachments in email.
A) EnCase
B) PASCO
C) Munpack
D) Undelete
3.- Lotus Notes e-mail repositories can be directly analyzed. They do not need to be
converted to another format before analysis.
A) True
B) False
4.- AOL E-mail repositories can be directly analyzed without having to download the
AOL client.
A) False
B) True
5.- The file format used by Outlook Express that contains the actual e-mail message
content and attachments is called ______________.
A) E-Mail DBX file
B) Standard IDE Cable
C) Folders DBX File
D) Express E-Mail File

1.- Using the Sleuth Kit, the ______ tool provides a file listing.
A) fls
B) ls
C) dir list
D) File list
2.- When using The Sleuth Kit, the fls tool together with the ________ shows a
recursive directory listing of the whole hard drive.
A) -s switch
B) -x switch
C) -r switch
D) No switch can be used together with fls
3.- _________________ is a program that recursively computes the MD5 hash for files.
A) NED
B) Cryptcat
C) md5deep
D) Netcat
4.- _________ are a common tool attackers use to control your computer remotely.
A) IRC bots
B) Virus
C) DCFLDD
D) Netcat
5.- The command file /usr/include/stdio.h is intended to ________.
A) Specify the output file
B) Specify the network name
C) Specify the input file
D) determine the file signature of a file

1. What does the flag -n under the command netstat display?
a. Displays addresses and port numbers in numerical form.
b. Displays the owning process ID associated with each connection.
c. Displays all connections and listening ports.
d. Displays the owning process ID associated with each connection.
2. Under the PsTools suite, which command allows you to execute
processes remotely?
a. PsKill
b. PsExec
c. PsService
d. PsLogList
3. Under the PsTools suite, which command lists the files on the local system that are open
by remote systems?
a. PsLogList
b. PsService
c. PsExec
d. PsFile
4. Which command displays protocol statistics and current TCP/IP
connections using NetBIOS over TCP/IP?
a. nc
b. Ipconfig
c. Nbtstat
d. Fport
5. What tool lists open TCP/IP and UDP ports and maps them to the owning
application?
a. Fport
b. ShoWin
c. NTLast
d. Fpipe

1. Which is NOT a tool needed when preparing for forensic duplication?
a. Evidence worksheets
b. System Worksheets
c. Agent Notes
d. Scan Disk
2. What is used as safety measure to prevent static damage to brand new
unused hard drives?
a. Anti-Static bags
b. Cable ties
c. Plastic bag
d. Endust
3. Which of the following is unique information that is found on a hard drive that
should be collected on an evidence worksheet?
a. Serial Number
b. ID number
c. IP Address
d. Port Number
4. All evidence should be contained in a _________envelope.
a. First class
b. UPS
c. Plastic
d. Tamper-proof
5. _________is paramount to any investigation and should not be overlooked.
a. Documentation
b. Licensing
c. Cleanings
d. Listening
6. Which is most powerful and most expensive forensic software on the market?
a. Norton Anti Virus
b. Encase
c. Ftk
d. AVG

7. _________ converts traditional 3.5" IDE connections to read-only FireWire
connections.
a. Connections Converter
b. Read-only IDE-to-FireWire device
c. SCSI
d. SATA
8. What forensics tool-kit is used to obtain a forensic duplication in DD format?
a. FTK
b. VTK
c. AVG
d. Norton
9. When EnCase duplicates an evidence hard drive, it creates ________ files on the
destination media.
a. System
b. Log
c. Evidence
d. Sound
10. Which is not a format supported by FTK?
a. .e01
b. dd
c. Smart Format
d. .doc
11. What does DD stand for?
a. Dynamic Drive
b. Data Dump
c. Disk Drive
d. Device Data
12. _________ is a variation of the standard dd that provides functionality for
greater authentication using a built-in MD5 algorithm.
a. DCFLDD
b. DD v2
c. IpDD
d. DD Blaster
13. ____ operates using a client and server model so that the client component
can be run directly from the suspect's computer.
a. Share ware
b. P2P
c. NED
d. FTP
14. Which file contains the completed actions inside NED in XML format?
a. Audit.xml
b. Check.xml
c. File.xml
d. Hash.xml
15. Which directory contains the compressed image of the forensic duplication?
a. Gif_compressed
b. Pic_compressed file
c. Image_compressed
d. File_compressed
16. __________ is a library and collection of command line tools that allow you to
investigate volume and file system data.
a. The Sleuth Kit
b. Visualization Tool kit
c. Data Command Tool kit
d. System Analysis Tool kit
17. What is the most notable hash distribution provided by the National Institute
of Standards and Technology (NIST)?
a. NSRL
b. HTTP
c. XHTML
d. MD5
18. With The Sleuth Kit, using the __ switch you see the full path of every file
listed rather than the pseudo-graphical directory structure.
a. r
b. n
c. c
d. p
19. ________ is used to associate loop devices with regular files or block devices.
a. Losetup
b. Psexec
c. Logmgr
d. TSK
20. Which is one of the types of file systems that the Sleuth Kit supports?
a. File Server
b. FTP
c. FAT32
d. HTTP

Chapter 2

1. The list of ______ file systems can be obtained by issuing either the mount
command or the df command.
a. Mount
b. Internal
c. Windows
d. Linux
2. Which of the following is not a form of nonvolatile data?
a. User accounts
b. User history accounts
c. Syslog logs
d. Open files
3. What command must you use to review all loaded kernel modules?
a. Nbtstat
b. Netstat
c. Lsmod
d. Md5sum
4. You can view open processes and the users running them by issuing
the _____ command.
a. Ps aux
b. Ps rn
c. Pt x
d. Pq rt
5. _______are commands the user types at the prompt.
a. User log files

b. History files
c. Event log files
d. System log files

Chapter 3
1. Which of the following is a type of NBE?
a. Statistical data
b. Raw data
c. Registry Keys
d. Metadata
2. Which of the following is NOT a way to access network traffic?
a. Hubs
b. Taps
c. Switch SPAN ports
d. Radio waves
3. Under which standard intrusion scenario does the intruder perform
reconnaissance against the target to validate connectivity, enumerate
services, and check for vulnerable versions?
a. Pillage
b. Consolidation
c. Reconnaissance
d. Exploitation
4. ________data is created by analyzing NBE for predefined items of
interest.
a. Alert
b. Session
c. Physical
d. New
5. _____are the simplest and cheapest way to gain access to network
traffic.
a. Hubs
b. Wireless routers
c. Repeaters
d. NAS

Chapter 4
1. _______ mode runs Snort against previously captured data.
a. Stealth
b. Live
c. Batch
d. Silent
2. _______ is the protocol Microsoft uses to share files, printers, serial
ports, and also to communicate between computers using named
pipes and mail slots.
a. Server Message Block (SMB)
b. MAC
c. FTP
d. HTTP
3. An identification request, commonly used with email and Internet Relay
Chat (IRC), is known as _________.
a. ICMP
b. SNTP
c. IDENT
d. HTML
4. What does the -n do in the command
tcpdump -n -i eth0 -s 1515 -w capture_file.lpc?
a. Disables translation of IP addresses to host names and port
numbers to service names.
b. Enables translation of IP addresses to host names and port
numbers to service names.
c. Changes the port numbers and IP addresses.
d. Disables all functions of TCP/IP.
5. Which Microsoft service contains a dedicated scripting engine for
advanced file types such as ASP, ASA, and HTR files?
a. WebClient
b. IIS 5.0
c. W32Time
d. RapiMgr

Jennifer Garcia Avila


April 22, 2010
CSCI 6318
Answer Key
1. FTK can acquire forensic duplication in three different formats:
a. EnCase Evidence Files (.E01)
b. Microsoft Excel files (.xls)
c. Raw Disk Image (DD)
d. A. and C.
e. None of the above
2. When using DD, always make sure that the BIOS boots from:
a. Your LINUX operating system
b. The suspect's hard drive
c. None of the above
3. Sync tells DD to place:
a. Zeros in any blocks in the output when an error is encountered
b. Ones in any blocks in the output when an error is encountered
c. Twos in any blocks in the output when an error is encountered
d. None of the above
4. DD-rescue is different from DD in that:
a. It outputs a statistics screen so one can observe how much
duplication has been completed.
b. Copies the hard drive a lot faster because it uses the optimal
block sizes to transfer data.
c. Both A and B
d. None of the above
5. NED stands for
a. Network Editing Diagram
b. Network Evidence Duplicator
c. All of the above
d. None of the above
6. NED is built around an architecture that accepts
a. Plugins
b. Words
c. Scripts
d. All of the above
e. None of the above
7. NED also contains
a. Pre-processing capabilities
b. Post-processing capabilities
c. All of the above
d. None of the above
8. Odessa is also known as:
a. ClosedDD
b. OpenDD
c. All of the above
d. None of the above
9. DCFLDD is a variation of:
a. OpenDD
b. EnCase
c. Standard dd
d. All of the above
e. None of the above
10. DCFLDD contains the following extra switch(es):
a. Hashwindow
b. Hashlog
c. A and B
d. None of the above
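What conv=noerror,sync and dcfldd's hashwindow/hashlog actually do to the image, as an added example for these notes (it is not dd's or dcfldd's own code): a small Python imager that copies a simulated drive block by block, keeps going past a read error, zero-fills the unreadable block so every later block stays at its original offset, pads a short final block the same way, and records an MD5 per window so a later verification can localise a mismatch instead of only reporting that the whole image differs. FaultyDevice, the block size and the window size are constructed for the demo:

```python
"""Block-level duplication with read-error handling and windowed hashing
(added example). Re-implements what dd's conv=noerror,sync and dcfldd's
hashwindow=/hashlog= options do, on a simulated drive. Assumptions:
FaultyDevice is a constructed stand-in for an evidence drive whose
read_block() fails on the sectors it is told are bad; block and window
sizes are chosen for the demo, not taken from the book.
"""
import hashlib

BLOCK = 512


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


class FaultyDevice:
    """Constructed stand-in for an evidence drive with unreadable sectors."""

    def __init__(self, blocks, bad=()):
        self.blocks = blocks   # list of bytes; the last block may be short
        self.bad = set(bad)

    def __len__(self):
        return len(self.blocks)

    def read_block(self, n):
        if n in self.bad:
            raise OSError("Input/output error reading block %d" % n)
        return self.blocks[n]


def image(device, noerror=True, sync=True, hashwindow=1024):
    """Copy the device block by block, the way dd/dcfldd do.

    noerror    -- keep going after a read error instead of aborting (conv=noerror)
    sync       -- pad short or unreadable blocks with zeros to BLOCK bytes (conv=sync),
                  which keeps every later block at its original offset in the image
    hashwindow -- record an MD5 for every hashwindow bytes of output (dcfldd hashwindow=)
    Returns (image_bytes, window_hashes, overall_md5, errors).
    """
    out = bytearray()
    errors = []
    for n in range(len(device)):
        try:
            data = device.read_block(n)
        except OSError as exc:
            if not noerror:
                raise
            errors.append((n, str(exc)))
            data = b""      # noerror without sync: nothing is written, the image shrinks
        if sync and len(data) < BLOCK:
            data = data + b"\x00" * (BLOCK - len(data))
        out += data
    windows = []
    for start in range(0, len(out), hashwindow):
        chunk = bytes(out[start:start + hashwindow])
        windows.append((start, start + len(chunk), md5_hex(chunk)))
    return bytes(out), windows, md5_hex(bytes(out)), errors


def verify(image_bytes, windows):
    """Re-hash a stored image against its hash log; returns the windows that no longer match."""
    return [(start, end) for start, end, digest in windows
            if md5_hex(image_bytes[start:end]) != digest]


def make_device():
    """Five-block constructed drive: block 2 is unreadable, block 4 is short (100 bytes)."""
    blocks = [bytes([0x11]) * BLOCK, bytes([0x22]) * BLOCK, bytes([0x33]) * BLOCK,
              bytes([0x44]) * BLOCK, bytes([0x55]) * 100]
    return FaultyDevice(blocks, bad=(2,))


def demo():
    return image(make_device())


def aborts_without_noerror():
    """Plain dd behaviour: the first read error stops the duplication."""
    try:
        image(make_device(), noerror=False)
    except OSError:
        return True
    return False


if __name__ == "__main__":
    img, windows, overall, errors = demo()
    print("image size %d bytes, overall md5 %s" % (len(img), overall))
    for start, end, digest in windows:
        print("bytes %5d-%5d md5 %s" % (start, end, digest))
    print("read errors:", errors)
```

Two things worth noticing when you run it. Without sync the image is 1636 bytes instead of 2560 and everything after block 2 sits at the wrong offset, so a file-system parser reading the image would see a corrupt volume; with sync the bad block becomes a run of zeros and the rest of the layout survives. And the per-window hash log lets a later check say "bytes 2048-2560 changed" rather than just "the MD5 differs", which is why dcfldd's hashwindow is worth the extra output on a large drive.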

Jennifer Garcia Avila


Questions for Chapters 6,7,8,9 (due 4/15/10)
1. Your forensics toolkit should have items like:
a. Hard Drives
b. Cables
c. Flashlight
d. Power cords
e. All of the above
2. One should include the following in documentation:
a. Evidence worksheets
b. Chain of custody forms
c. A menu from Jason's Deli
d. A and B
e. None of the above

3. Encase is a:
a. Freeware application
b. Commercial application
c. None of the above
d. All of the above
4. FTK can acquire forensic duplication in the following formats:
a. Encase evidence files
b. Raw disk image
c. Smart format
d. All of the above
e. None of the above
5. DD does:
a. High level copying
b. Low level copying
c. All of the above
d. None of the above
6. DD is also used to:
a. Copy a specified number of bytes or blocks
b. On-the-fly byte order conversions
c. Copy regions of raw device files
d. All of the above
e. None of the above
7. NED's original name was
a. Charlotte
b. Odessa
c. Maria
d. None of the above
8. In conducting forensic analysis, the investigator must execute a few
steps, including:
a. Recovering any deleted files to add to the analysis
b. Reduce the data set to the smallest number
c. String searching
d. All of the above
e. None of the above
9. Fdisk shows what the _________ looks like.
a. BIOS
b. Partition table
c. Operating system
d. All of the above
e. None of the above
10. Metadata includes:
a. Full file names
b. File sizes
c. MD5 hashes
d. All of the above
e. None of the above
