
1/12/2019 Test: * Combo with "Computer forensics - 2nd half - quiz 9" and 7 others | Quizlet

This is a Free Service provided by Why Fund Inc. (a 501 C3 NonProfit)


195 Multiple choice questions

1. b

(No Answer)
a. What information is not typically included in an e-mail header
a. the sender's physical location
b. the originating IP address
c. the unique ID of the e-mail
d. the originating domain

b. As with any research paper, write the ___________________ last.


a. appendix
b. body
c. acknowledgements
d. abstract

c. CORRECT: What digital network technology was developed during World War II?
a. TDMA
b. CDMA
c. GSM
d. iDEN

d. What digital network technology is a digital version of the original analog standard for cell phones?
a. GSM
b. CDMA
c. iDEN
d. D-AMPS


2. d

(No Answer)
a. Validate your tools and verify your evidence with ____ to ensure its integrity.
a. hashing algorithms
b. watermarks
c. steganography
d. digital certificates

b. Where is the snapshot database created by Google Drive located in Windows


a. C:/Program Files/Google/Drive
b. C:/Users/username/AppData/Local//Google/Drive
c. C:/Users/username/Google/Google drive
d. C:/Google/drive

c. CORRECT: Computer forensics examiners have two roles: fact witness and ____ witness.
a. professional
b. direct
c. discovery
d. expert

d. When cases go to trial, you as a forensics examiner can play one of ____ roles.
a. 2
b. 3
c. 4
d. 5

3. b

(No Answer)
a. To reduce the time it takes to start applications, Microsoft has created ??? files, which contain the DLL pathnames and metadata used by
applications
a. temp
b. cache
c. config
d. prefetch

b. The Pagefile.sys file on a computer can contain message fragments from instant messaging applications
T/F

c. CORRECT: The Google drive file ??? contains a detailed list of a user's cloud transactions
a. loggedtransactions.log
b. sync_log.log
c. transact_user.db
d. history.db

d. ____ evidence is evidence that exonerates or diminishes the defendant's liability.


a. rebuttal
b. plaintiff
c. inculpatory
d. exculpatory


4. d

(No Answer)
a. CORRECT: Which of the following is not one of the five mechanisms the government can use to get electronic information from a
provider
a. search warrants
b. subpoenas
c. court orders
d. seizure order

b. Within NIST guidelines for mobile forensics methods, the ______________ method requires physically removing flash memory chips and
gathering information at the binary level.
a. Chip-off
b. Logical extraction
c. Micro read
d. Manual extraction

c. Which of the following is NOT a service level for the cloud


a. Platform as a service
b. Infrastructure as a service
c. Virtualization as a service
d. Software as a service

d. Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise.
a. true
b. false

5. c

(No Answer)
a. The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients.
a. HTCIA
b. IACIS
c. ISFCE
d. ABA

b. ___ is an attempt by opposing attorneys to prevent you from serving on an important case.
a. conflict of interest
b. warrant
c. deposition
d. conflicting out

c. CORRECT: The Suni Munshani v. Singal Lake Venture Fund II, LP et al case is an example of a case that involves e-mail ???
a. destruction
b. spamming
c. spoofing
d. theft

d. The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network attackers
T/F


6. a

(No Answer)
a. ____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities.
a. AMA's law
b. ABA's model rule
c. ABA's model codes
d. APA's ethics code

b. If a microphone is present during your testimony, place it ____ to eight inches from you.
a. 3
b. 4
c. 5
d. 6

c. CORRECT: ____ from both plaintiff and defense is an optional phase of the trial. Generally, it's allowed to cover an issue raised during
cross-examination.
a. rebuttal
b. plaintiff
c. closing arguments
d. opening statements

d. Committing crimes with e-mail is uncommon, and investigators are not generally tasked with linking suspects to e-mail
T/F

7. a

(No Answer)
a. Which is not a valid method of deployment for a cloud
a. community
b. public
c. targeted
d. private

b. The advantage of recording hash values is that you can determine whether data has changed.
t/f

c. CORRECT: The SANS Investigative Forensics Toolkit (SIFT) appliance can currently only be installed on what version of Ubuntu
a. 12.04
b. 13.11
c. 14.04
d. 14.11

d. The capability of type 1 hypervisors is limited only by the amount of available RAM, storage, and throughput
T/F


8. d

(No Answer)
a. A report can provide justification for collecting more evidence and be used at a probable cause hearing.
a. true
b. false

b. The ??? is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy
agreements, security measures, questionnaires, and more
a. OpenStack Framework Alliance
b. vCloud Security Advisory Panel
c. Cloud Security Alliance
d. Cloud Architecture Group

c. As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.
a. true
b. false

d. CORRECT: What information below is not something recorded in Google Drive's snapshot.db file
a. modified and created times
b. URL pathnames
c. file access records
d. file SHA values and sizes

9. a

(No Answer)
a. What digital network technology was developed during World War II?
a. TDMA
b. CDMA
c. GSM
d. iDEN

b. CORRECT: What information is not typically included in an e-mail header


a. the sender's physical location
b. the originating IP address
c. the unique ID of the e-mail
d. the originating domain

c. What format below is used for VMware images?


a. .vhd
b. .vmdk
c. .s01
d. .aff

d. Which type of report typically takes place in an attorney's office?


a. Examination Plan
b. Written Report
c. Preliminary Report
d. Verbal Report


10. c

(No Answer)
a. What letter should be typed into DiskEdit in order to mark a good sector as bad?
a. M
b. B
c. T
d. D

b. What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a
copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in coming to
those opinions?
a. rule 24
b. rule 35
c. rule 36
d. rule 26

c. What file type below, associated with VMware, stores VM paging files that are used as RAM for a virtual machine
a. .nvram
b. .vmen
c. .vmpage
d. .vmx

d. CORRECT: What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds
a. HP Helion
b. Amazon EC2
c. XenServer and XenCenter Windows Management Console
d. Cisco Cloud Computing

11. d

(No Answer)
a. What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site
marketing
a. Amazon EC2
b. IBM Cloud
c. Salesforce
d. HP Helion

b. What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and taking pictures?
a. Manual extraction
b. Chip-off
c. Micro read
d. Logical extraction

c. CORRECT: Metadata in a prefetch file contains an application's ??? times in UTC format and a counter of how many times the
application has run since the prefetch file was created
a. startup / access
b. log event
c. ACL
d. MAC

d. As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.
a. true
b. false


12. d

(No Answer)
a. What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and taking pictures?
a. Manual extraction
b. Chip-off
c. Micro read
d. Logical extraction

b. In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous
contact with an opposing party?
a. Tidemann v. Toshiba Corp
b. Wang Laboratories, Inc v. Toshiba Corp
c. Tidemann v. Nadler Golf Car Sales, Inc
d. Hewlett-Packard v. EMC Corp

c. CORRECT: On what mobile device platform does Facebook use a SQLite database containing friends, their ID numbers, and phone
numbers as well as files that tracked all uploads, including pictures?
a. Android
b. Blackberry
c. Windows RT
d. iPhone

d. In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters?
a. NTFS
b. FAT
c. HFSX
d. Ext3fs

13. d

(No Answer)
a. The DomainKeys Identified Mail service is a way to verify the names of domains a message is flowing through and was developed as a way
to cut down on spam
T/F

b. The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be
seized usually describes physical hardware rather than data, unless the CSP is a suspect. T/F

c. The Pagefile.sys file on a computer can contain message fragments from instant messaging applications
T/F

d. CORRECT: The NSA's defense in depth (DiD) strategy contains three modes of protection. Which option below is not one of the three
modes
a. People
b. Technology
c. Operations
d. Management


14. d

(No Answer)
a. When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be flagged
__________.
a. yellow
b. green
c. red
d. orange

b. Which of the NIST guidelines below requires using a modified boot loader to access RAM for analysis?
a. Chip-off
b. Manual extraction
c. Hex dumping
d. Micro read

c. FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
a. 702
b. 703
c. 704
d. 705

d. CORRECT: Select below the program within the Ps Tools suite that allows you to run processes remotely
a. PsService
b. PsPasswd
c. PsRemote
d. PsExec

15. a

(No Answer)
a. In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely.
a. keygrabber
b. keylogger
c. packet capture
d. protocol analyzer

b. Most Code Division Multiple Access (CDMA) networks conform to ____________ , created by the Telecommunications Industry Association
(TIA).
a. TS-95
b. 802.11
c. IS-95
d. IS-136

c. Currently, expert witnesses testify in more than __ percent of trials.


a. 55
b. 80
c. 92
d. 78

d. CORRECT: A consultant who doesn't testify can earn a ____________________ for locating testifying experts or investigative leads.
a. contingency fee
b. retainer
c. stake in a case
d. reprimand


16. d

(No Answer)
a. Type 2 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage
T/F

b. An Internet e-mail is generally part of a local network, and is maintained and managed by an administrator for internal use by a specific
company
T/F

c. CORRECT: Jurors typically average just over ____ years of education and an eighth-grade reading level.
a. 9
b. 10
c. 11
d. 12

d. There are two types of depositions: ____ and testimony preservation.


a. examination
b. discovery
c. direct
d. rebuttal

17. b

(No Answer)
a. In a prefetch file, the application's last access date and time are at offset ???
a. 0x80
b. 0x88
c. 0xD4
d. 0x90

b. If a microphone is present during your testimony, place it ____ to eight inches from you.
a. 3
b. 4
c. 5
d. 6

c. The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery;
the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in
which it belongs", was established in what court case?
a. Daubert v. Merrell Dow Pharmaceuticals, Inc
b. Smith v. United States
c. Frye v. United States
d. Dillon v. United States

d. CORRECT: If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training.
a. 2
b. 3
c. 4
d. 5


18. b

(No Answer)
a. Metadata in a prefetch file contains an application's ??? times in UTC format and a counter of how many times the application has run
since the prefetch file was created
a. startup / access
b. log event
c. ACL
d. MAC

b. The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network attackers
T/F

c. FRE ____ describes whether the basis for the testimony is adequate.


a. 700
b. 701
c. 702
d. 703

d. CORRECT: What organization is responsible for the creation of the requirements for carriers to be considered 4G?
a. IEEE
b. ITU-R
c. ISO
d. TIA

19. d

(No Answer)
a. You provide ____ testimony when you answer questions from the attorney who hired you.
a. direct
b. cross
c. examination
d. rebuttal

b. Specially trained system and network administrators are often a CSP's first responders
T/F

c. The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be
seized usually describes physical hardware rather than data, unless the CSP is a suspect. T/F

d. CORRECT: ____ evidence is evidence that exonerates or diminishes the defendant's liability.
a. rebuttal
b. plaintiff
c. inculpatory
d. exculpatory


20. d

(No Answer)
a. CORRECT: To reduce the time it takes to start applications, Microsoft has created ??? files, which contain the DLL pathnames and
metadata used by applications
a. temp
b. cache
c. config
d. prefetch

b. In the United States, there's no state or national licensing body for computer forensics examiners.
a. true
b. false

c. In the United States, the Electronic Communications Privacy Act (ECPA) describes 5 mechanisms the government can use to get electronic
information from a provider
T/F

d. The ___ tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network sniffers, and
freeware forensics tools
a. Kali Linux
b. Ubuntu
c. OSForensics
d. Sleuth Kit

21. d

(No Answer)
a. CORRECT: FRE ____ describes whether the basis for the testimony is adequate.
a. 700
b. 701
c. 702
d. 703

b. Currently, expert witnesses testify in more than __ percent of trials.


a. 55
b. 80
c. 92
d. 78

c. Regarding a trial, the term ____ means rejecting potential jurors.


a. voir dire
b. rebuttal
c. strikes
d. venireman

d. How many words should be in the abstract of a report?


a. 50 to 100 words
b. 100 to 150 words
c. 150 to 299 words
d. 200 to 250 words


22. false

(No Answer)
a. CORRECT: Because attorneys do not have the right of full discovery of digital evidence, it is not possible for new evidence to come to
light while complying with a defense request for full discovery.
t/f

b. Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords:
a. Last Bit
b. AccessData PRTK
c. OSForensics
d. Passware

c. As an expert witness, you have opinions about what you have found or observed.
a. true
b. false

d. ____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities.
a. AMA's law
b. ABA's model rule
c. ABA's model codes
d. APA's ethics code

23. b

(No Answer)
a. CORRECT: What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact
a. iNet
b. ARIN
c. Google
d. ERIN

b. What frequencies can be used by GSM with the TDMA technique


a. 1200 to 1500 MHz
b. 2.4 GHz to 5.0 GHz
c. 600 to 1000 MHz
d. 800 to 1000 MHz

c. Syslog is generally configured to put all e-mail related log information into what file
a. /usr/log/mail.log
b. /var/log/message
c. /proc/mail
d. /var/log/maillog

d. In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant.
t/f


24. b

(No Answer)
a. Which of the following options would represent a valid retainer?
a. 2 to 8 hours of your usual billable rate
b. a verbal agreement
c. complete discussion of an ongoing case
d. dissemination of evidence

b. Which of the following file systems can't be analyzed by OSForensics?


a. FAT12
b. Ext2fs
c. HFS+
d. XFS

c. Which of the following is NOT a service level for the cloud


a. Platform as a service
b. Infrastructure as a service
c. Virtualization as a service
d. Software as a service

d. CORRECT: Which of the following is not a valid source for cloud forensics training
a. SANS Cloud Forensics with F-Response
b. A+ Security
c. INFOSEC Institute
d. (ISC)2 Certified Cyber Forensics Professional

25. d

(No Answer)
a. __________________ means the tone of language you use to address the reader.
a. Style
b. Format
c. Outline
d. Prose

b. As an expert witness, you have opinions about what you have found or observed.
a. true
b. false

c. CORRECT: In order to retrieve logs from Exchange, the PowerShell cmdlet ??? can be used
a. GetExchangeLogs.psl
b. GetLogInfo.psl
c. ShowExchangeHistrory.psl
d. GetTransactionLogStats.psl

d. One of the most noteworthy e-mail scams was 419, otherwise known as the ???
a. Nigerian Scam
b. Lake Venture Scam
c. Conficker virus
d. Iloveyou Scam


26. d

(No Answer)
a. Like a job resume, your CV should be geared for a specific trial.
a. true
b. false

b. CORRECT: On a UNIX system, where is a user's mail stored by default


a. /var/mail
b. /var/log/mail
c. /username/mail
d. /home/username/mail

c. Regarding a trial, the term ____ means rejecting potential jurors.


a. voir dire
b. rebuttal
c. strikes
d. venireman

d. Where does the Postfix UNIX mail server store e-mail


a. /home/username/mail
b. /var/mail/postfix
c. /var/spool/postfix
d. /etc/postfix

27. b

(No Answer)
a. ____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities.
a. AMA's law
b. ABA's model rule
c. ABA's model codes
d. APA's ethics code

b. _______________ is the process of opposing attorneys seeking information from each other.
a. Subpoena
b. Warranting
c. Discovery
d. Digging

c. The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery;
the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in
which it belongs", was established in what court case?
a. Daubert v. Merrell Dow Pharmaceuticals, Inc
b. Smith v. United States
c. Frye v. United States
d. Dillon v. United States

d. CORRECT: In a ___ attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server
with established connections
a. smurf
b. SYN flood
c. spoof
d. ghost


28. b

(No Answer)
a. The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but
does not list hash values of known illegal files.
a. Open Hash Database
b. HashKeeper Online
c. National Hashed Software Referenced.
d. National Software Reference Library

b. In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer.
a. format
b. fdisk
c. grub
d. diskpart

c. CORRECT: Lawyers may request _________________ of previous testimony by their own potential experts to ensure that the experts
haven't previously testified to a contrary position.
a. warrants
b. transcripts
c. subpoenas
d. evidence

d. The _________________ numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report,
and each Arabic numeral is an important piece of supporting information.
a. decimal
b. ordered-sequential
c. legal-sequential
d. reverse-order

29. c

(No Answer)
a. Which of the following is not a valid source for cloud forensics training
a. SANS Cloud Forensics with F-Response
b. A+ Security
c. INFOSEC Institute
d. (ISC)2 Certified Cyber Forensics Professional

b. Which of the following file systems can't be analyzed by OSForensics?


a. FAT12
b. Ext2fs
c. HFS+
d. XFS

c. CORRECT: Which of the following is NOT a service level for the cloud
a. Platform as a service
b. Infrastructure as a service
c. Virtualization as a service
d. Software as a service

d. Which of the following is not a type of peripheral memory card used in PDAs?
a. Secure Digital (SD)
b. Compact Flash (CF)
c. Multimedia Card (MMC)
d. RamBus (RB)


30. true

(No Answer)
a. Within Windows Vista and later, partition gaps are _____________ bytes in length.
a. 64
b. 128
c. 256
d. 512

b. CORRECT: Specially trained system and network administrators are often a CSP's first responders
T/F

c. While travelling internationally with a GSM phone, you can pop in a SIM card for the country you're currently in, rather than get a new
phone.
a. true
b. false

d. The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery;
the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in
which it belongs", was established in what court case?
a. Daubert v. Merrell Dow Pharmaceuticals, Inc
b. Smith v. United States
c. Frye v. United States
d. Dillon v. United States

31. true

(No Answer)
a. In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous
contact with an opposing party?
a. Tidemann v. Toshiba Corp
b. Wang Laboratories, Inc v. Toshiba Corp
c. Tidemann v. Nadler Golf Car Sales, Inc
d. Hewlett-Packard v. EMC Corp

b. When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
a. technical/scientific
b. expert
c. lay witness
d. deposition

c. While travelling internationally with a GSM phone, you can pop in a SIM card for the country you're currently in, rather than get a new
phone.
a. true
b. false

d. CORRECT: The advantage of recording hash values is that you can determine whether data has changed.
t/f


32. a

(No Answer)
a. What letter should be typed into DiskEdit in order to mark a good sector as bad?
a. M
b. B
c. T
d. D

b. CORRECT: Experts should be paid in full for all previous work and for the anticipated time required for testimony.
a. true
b. false

c. You should create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your report.
a. true
b. false

d. An expert's opinion is governed by FRCP, Rule 26, and the corresponding rule in many states.
a. true
b. false

33. b

(No Answer)
a. Which component of cell communication is used to route digital packets for the network and relies on a database to support subscribers?
a. Base station controller (BSC)
b. Base transceiver station (BTS)
c. Base transceiver controller (BTC)
d. Mobile switching center (MSC)

b. CORRECT: The tcpdump and Wireshark utilities both use what well known packet capture format
a. Netcap
b. Pcap
c. Packetd
d. RAW

c. What command below could be used on a UNIX system to help locate log directories
a. show log
b. detail
c. search
d. find

d. While travelling internationally with a GSM phone, you can pop in a SIM card for the country you're currently in, rather than get a new
phone.
a. true
b. false


34. b

(No Answer)
a. You provide ____ testimony when you answer questions from the attorney who hired you.
a. direct
b. cross
c. examination
d. rebuttal

b. CORRECT: ____ questions can give you the factual structure to support and defend your opinion.
a. rapid-fire
b. hypothetical
c. setup
d. compound

c. What frequencies can be used by GSM with the TDMA technique


a. 1200 to 1500 MHz
b. 2.4 GHz to 5.0 GHz
c. 600 to 1000 MHz
d. 800 to 1000 MHz

d. A report can provide justification for collecting more evidence and be used at a probable cause hearing.
a. true
b. false

35. c

(No Answer)
a. Which of the following is not a valid source for cloud forensics training
a. SANS Cloud Forensics with F-Response
b. A+ Security
c. INFOSEC Institute
d. (ISC)2 Certified Cyber Forensics Professional

b. CORRECT: Which of the NIST guidelines below requires using a modified boot loader to access RAM for analysis?
a. Chip-off
b. Manual extraction
c. Hex dumping
d. Micro read

c. The Sysinternals Handle utility shows only file system activity, but does not show what processes are using files on the file system
T/F

d. What file type below, associated with VMware, stores VM paging files that are used as RAM for a virtual machine
a. .nvram
b. .vmen
c. .vmpage
d. .vmx


36. d

(No Answer)
a. In what state is sending unsolicited email illegal
a. Florida
b. Washington
c. Maine
d. New York

b. ____ questions can give you the factual structure to support and defend your opinion.
a. rapid-fire
b. hypothetical
c. setup
d. compound

c. CORRECT: What type of Facebook profile is usually only given to law enforcement with a warrant
a. private profile
b. advanced profile
c. basic profile
d. Neoprint profile

d. Type 2 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage
T/F

37. c

(No Answer)
a. The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but
does not list hash values of known illegal files.
a. Open Hash Database
b. HashKeeper Online
c. National Hashed Software Referenced.
d. National Software Reference Library

b. When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
a. technical/scientific
b. expert
c. lay witness
d. deposition

c. If a microphone is present during your testimony, place it ____ to eight inches from you.
a. 3
b. 4
c. 5
d. 6

d. CORRECT: The _________________ numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect
of the report, and each Arabic numeral is an important piece of supporting information.
a. decimal
b. ordered-sequential
c. legal-sequential
d. reverse-order


38. b

(No Answer)
a. __________________ means the tone of language you use to address the reader.
a. Style
b. Format
c. Outline
d. Prose

b. What command below could be used on a UNIX system to help locate log directories
a. show log
b. detail
c. search
d. find

c. Select the file below that is used in VirtualBox to create a virtual machine
a. .vdi
b. .vbox
c. .r0
d. ova

d. CORRECT: Expert witnesses are not required to submit a written report for civil cases.
a. true
b. false

39. a

(No Answer)
a. In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer.
a. format
b. fdisk
c. grub
d. diskpart

b. CORRECT: When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be
flagged __________.
a. yellow
b. green
c. red
d. orange

c. Sometimes opposing attorneys ask several questions inside one question; this practice is called a ____ question.
a. leading
b. hypothetical
c. compound
d. rapid-fire

d. Select below the option that is not a typical feature of smartphones on the market today:
a. Microprocessor
b. Flash
c. ROM
d. Hard drive


40. d

(No Answer)
a. The ??? utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook
a. fixmail.exe
b. scanpst.exe
c. repairpst.exe
d. rebuildpst.exe

b. CORRECT: What frequencies can be used by GSM with the TDMA technique
a. 1200 to 1500 MHz
b. 2.4 GHz to 5.0 GHz
c. 600 to 1000 MHz
d. 800 to 1000 MHz

c. What information is not typically included in an e-mail header


a. the sender's physical location
b. the originating IP address
c. the unique ID of the e-mail
d. the originating domain

d. The ??? tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack
a. Openforensics
b. FROST
c. WinHex
d. ARC

41. d

(No Answer)
a. A report can provide justification for collecting more evidence and be used at a probable cause hearing.
a. true
b. false

b. FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
a. 702
b. 703
c. 704
d. 705

c. CORRECT: What virtual machine software supports all Windows and Linux OSs as well as Macintosh and Solaris, and is provided as
shareware?
a. KVM
b. Parallels
c. Microsoft Virtual PC
d. VirtualBox

d. When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be flagged
__________.
a. yellow
b. green
c. red
d. orange


42. b

(No Answer)
a. Specially trained system and network administrators are often a CSP's first responders.
a. true
b. false

b. CORRECT: The ________________ section of a report starts by referring to the report's purpose, states the main points, draws
conclusions, and possibly renders an opinion.
a. body
b. conclusion
c. appendix
d. reference

c. You provide ____ testimony when you answer questions from the attorney who hired you.
a. direct
b. cross
c. examination
d. rebuttal

d. The ___ tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network sniffers, and
freeware forensics tools
a. Kali Linux
b. Ubuntu
c. OSForensics
d. Sleuth Kit

43. b

(No Answer)
a. Which of the following is NOT a service level for the cloud
a. Platform as a service
b. Infrastructure as a service
c. Virtualization as a service
d. Software as a service

b. What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses
a. tcpdump
b. Argus
c. Ngrep
d. Tcpslice

c. What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds
a. HP Helion
b. Amazon EC2
c. XenServer and XenCenter Windows Management Console
d. Cisco Cloud Computing

d. CORRECT: What file type below, associated with VMWare, stores VM paging files that are used as RAM for a virtual machine
a. .nvram
b. .vmen
c. .vmpage
d. .vmx


44. b

(No Answer)
a. CORRECT: Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a
way to hide its malicious code from antivirus tools.
a. hashing
b. bit-shifting
c. registry edits
d. slack space

b. The Sysinternals Handle utility shows only file system activity, but does not show what processes are using files on the file system
T/F

c. Select below the option that is not a typical feature of smartphones on the market today:
a. Microprocessor
b. Flash
c. ROM
d. Hard drive

d. Jurors typically average just over ____ years of education and an eighth-grade reading level.
a. 9
b. 10
c. 11
d. 12

45. b

(No Answer)
a. Select below the program within the Ps Tools suite that allows you to run processes remotely
a. PsService
b. PsPasswd
c. PsRemote
d. PsExec

b. The most important laws applying to attorneys and witnesses are the ____.
a. professional ethics
b. rules of ethics
c. rules of evidence
d. professional codes of conduct

c. What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site
marketing
a. Amazon EC2
b. IBM Cloud
c. Salesforce
d. HP Helion

d. CORRECT: A ??? is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed
through the application's Web interface
a. configuration manager
b. management plane
c. backdoor
d. programming language


46. d

(No Answer)
a. What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact
a. iNet
b. ARIN
c. Google
d. ERIN

b. Which of the following is NOT a service level for the cloud


a. Platform as a service
b. Infrastructure as a service
c. Virtualization as a service
d. Software as a service

c. CORRECT: Select the folder below that is most likely to contain Dropbox files for a specific user
a. C:/User/username/AppData/Dropbox
b. C:/Dropbos
c. C:/Users/Dropbox
d. C:/Users/username/Dropbox

d. What method below is not an effective method for isolating a mobile device from receiving signals?
a. placing the device into a plastic evidence bag
b. placing the device into a paint can, preferably one previously containing radio-wave blocking paint
c. placing the device into airplane mode
d. turning the device off

47. d

(No Answer)
a. What format below is used for VMware images?
a. .vhd
b. .vmdk
c. .s01
d. .aff

b. What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact
a. iNet
b. ARIN
c. Google
d. ERIN

c. Which of the following is not a valid source for cloud forensics training
a. SANS Cloud Forensics with F-Response
b. A+ Security
c. INFOSEC Institute
d. (ISC)2 Certified Cyber Forensics Professional

d. CORRECT: Select the file below that is used in VirtualBox to create a virtual machine
a. .vdi
b. .vbox
c. .r0
d. ova


48. b

(No Answer)
a. How many words should be in the abstract of a report?
a. 50 to 100 words
b. 100 to 150 words
c. 150 to 299 words
d. 200 to 250 words

b. FRE ____ describes whether basis for the testimony is adequate.


a. 700
b. 701
c. 702
d. 703

c. Discuss any potential problems with your attorney ____ a deposition.


a. before
b. after
c. during
d. during direct examination at

d. CORRECT: Like a job resume, your CV should be geared for a specific trial.
a. true
b. false

49. b

(No Answer)
a. What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a
copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in coming to
those opinions?
a. rule 24
b. rule 35
c. rule 36
d. rule 26

b. CORRECT: Which e-mail recovery program below can recover files from VMware and VirtualPC virtual machines, as well as ISOs and
other types of file backups
a. Fookes Aid4mail
b. DataNumen Outlook Repair
c. EnCase Forensics
d. AccessData FTK

c. Which option below is not a disk management tool?


a. Partition Magic
b. Partition Master
c. GRUB
d. HexEdit

d. Which of the following is not a type of peripheral memory card used in PDAs?
a. Secure Digital (SD)
b. Compact Flash (CF)
c. Multimedia Card (MMC)
d. RamBus (RB)


50. a

(No Answer)
a. If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training.
a. 2
b. 3
c. 4
d. 5

b. Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony.
a. setup
b. open-ended
c. compound
d. rapid-fire

c. The advantage of recording hash values is that you can determine whether data has changed.
t/f

d. CORRECT: When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
a. technical/scientific
b. expert
c. lay witness
d. deposition

51. b

(No Answer)
a. Validate your tools and verify your evidence with ____ to ensure its integrity.
a. hashing algorithms
b. watermarks
c. steganography
d. digital certificates

b. What command below could be used on a UNIX system to help locate log directories
a. show log
b. detail
c. search
d. find

c. Which option below is the correct path to the sendmail configuration file
a. /var/etc/sendmail.cf
b. /var/mail/sendmail.cf
c. /usr/local/sendmail.cf
d. /etc/mail/sendmail.cf

d. CORRECT: Expert opinions cannot be presented without stating the underlying factual basis.
a. true
b. false


52. c

(No Answer)
a. A report can provide justification for collecting more evidence and be used at a probable cause hearing.
a. true
b. false

b. The goal of recovering as much information as possible can result in ________________, in which an investigation expands beyond the
original description because of unexpected evidence found.
a. litigation
b. scope creep
c. criminal charges
d. violations

c. CORRECT: A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in
order to secure the information contained inside.
a. compiler
b. shifter
c. macro
d. script

d. Because mobile phones are seized at the time of arrest, a search warrant is not necessary to examine the device for information.
a. true
b. false

53. b

(No Answer)
a. A consultant who doesn't testify can earn a ____________________ for locating testifying experts or investigative leads.
a. contingency fee
b. retainer
c. stake in a case
d. reprimand

b. When writing a report, group related ideas and sentences into ___________________,
a. chapters
b. sections
c. paragraphs
d. separate reports

c. In older versions of Exchange, what type of file was responsible for messages formatted with Messaging Application Programming
Interface, and served as the database file
a. .ost
b. edp
c. .edb
d. .edi

d. CORRECT: In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes
remotely.
a. keygrabber
b. keylogger
c. packet capture
d. protocol analyzer


54. d

(No Answer)
a. In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant.
t/f

b. The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to filter known
program files from view and contains the hash values of known illegal files.
a. DeepScan Filter
b. Unknown File Filter (UFF)
c. Known File Filter (KFF)
d. FTK Hash Imager

c. Leading questions such as "Isn't it true that forensics experts always destroy their handwritten notes?" are referred to as ____ questions.
a. hypothetical
b. attorney
c. setup
d. nested

d. CORRECT: Exchange uses an Exchange database and is based on the ???, which uses several files in different combinations to provide
e-mail service
a. Microsoft Mail Storage Engine (MSE)
b. Microsoft Stored Mail Extension (SME)
c. Microsoft Extended Mail Storage (EMS)
d. Microsoft Extensible Storage Engine (ESE)

55. c

(No Answer)
a. CORRECT: Where is the OS stored on a smartphone?
a. RAM
b. Microprocessor
c. ROM
d. Read/write flash

b. FRE ____ describes whether basis for the testimony is adequate.


a. 700
b. 701
c. 702
d. 703

c. Where is the snapshot database created by Google Drive located in Windows


a. C:/Program Files/Google/Drive
b. C:/Users/username/AppData/Local//Google/Drive
c. C:/Users/username/Google/Google drive
d. C:/Google/drive

d. Which of the following is not a type of peripheral memory card used in PDAs?
a. Secure Digital (SD)
b. Compact Flash (CF)
c. Multimedia Card (MMC)
d. RamBus (RB)


56. b

(No Answer)
a. What command below could be used on a UNIX system to help locate log directories
a. show log
b. detail
c. search
d. find

b. Which option below is the correct path to the sendmail configuration file
a. /var/etc/sendmail.cf
b. /var/mail/sendmail.cf
c. /usr/local/sendmail.cf
d. /etc/mail/sendmail.cf

c. What type of Facebook profile is usually only given to law enforcement with a warrant
a. private profile
b. advanced profile
c. basic profile
d. Neoprint profile

d. CORRECT: What kind of files are created by Exchange while converting binary data to readable text in order to prevent loss of data
a. .txt
b. .tmp
c. .exe
d. .log

57. d

(No Answer)
a. The advantage of recording hash values is that you can determine whether data has changed.
t/f

b. A ??? is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities
a. court order
b. temporary restraining order
c. warrant
d. subpoena

c. CORRECT: ___ is an attempt by opposing attorneys to prevent you from serving on an important case.
a. conflict of interest
b. warrant
c. deposition
d. conflicting out

d. _______________ is the process of opposing attorneys seeking information from each other.
a. Subpoena
b. Warranting
c. Discovery
d. Digging


58. d

(No Answer)
a. What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses
a. tcpdump
b. Argus
c. Ngrep
d. Tcpslice

b. Which is not a valid method of deployment for a cloud


a. community
b. public
c. targeted
d. private

c. CORRECT: Which password recovery method uses every possible letter, number, and character found on a keyboard?
a. rainbow table
b. dictionary attack
c. hybrid attack
d. brute-force attack

d. FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
a. 702
b. 703
c. 704
d. 705

59. d

(No Answer)
a. How you format _____________ is less important than being consistent in applying formatting.
a. words
b. text
c. paragraphs
d. sections

b. The ___________________ technology is designed for GSM and Universal Mobile Telecommunications Systems (UMTS) technology, supports
45 Mbps to 144 Mbps transmission speeds.
a. WiMAX
b. LTE
c. MIMO
d. UMB

c. __________________ means the tone of language you use to address the reader.
a. Style
b. Format
c. Outline
d. Prose

d. CORRECT: The _______________ component is made up of radio transceiver equipment that defines cells and communicates with
mobile phones; sometimes referred to as a "cell phone tower".
a. Base station controller (BSC)
b. Mobile switching center (MSC)
c. Base transceiver controller (BTC)
d. Base transceiver station (BTS)


60. d

(No Answer)
a. The most important laws applying to attorneys and witnesses are the ____.
a. professional ethics
b. rules of ethics
c. rules of evidence
d. professional codes of conduct

b. Where is the snapshot database created by Google Drive located in Windows


a. C:/Program Files/Google/Drive
b. C:/Users/username/AppData/Local//Google/Drive
c. C:/Users/username/Google/Google drive
d. C:/Google/drive

c. CORRECT: A ____ differs from a trial testimony because there is no jury or judge.
a. rebuttal
b. plaintiff
c. civil case
d. deposition

d. There are two types of depositions: ____ and testimony preservation.


a. examination
b. discovery
c. direct
d. rebuttal

61. d

(No Answer)
a. CORRECT: As with any research paper, write the ___________________ last.
a. appendix
b. body
c. acknowledgements
d. abstract

b. Within Windows Vista and later, partition gaps are _____________ bytes in length.
a. 64
b. 128
c. 256
d. 512

c. An expert's opinion is governed by ________________ and the corresponding rule in many states.
a. FRE, Rule 705
b. FRE, Rule 507
c. FRCP 26
d. FRCP 62

d. In addition to opinions and exhibits, the ______________ must specify fees paid for the expert's services and list all other civil or criminal
cases in which the expert has testified.
a. verbal report
b. informal report
c. written report
d. preliminary report


62. b

(No Answer)
a. If a microphone is present during your testimony, place it ____ to eight inches from you.
a. 3
b. 4
c. 5
d. 6

b. When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and
documented?
a. Inventory and documentation information should be stored on a drive and then the drive should be reformatted.
b. Start the suspect's computer and begin collecting evidence.
c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
d. Connect the suspect's computer to the local network so that up to date forensics utilities can be utilized.

c. In an e-mail address, everything before the @ symbol represents the domain name
T/F

d. CORRECT: If a preliminary report is written, destroying the preliminary report after the final report is complete could be considered
______________.
a. proper data security
b. spoliation
c. beneficial
d. necessary

63. b

(No Answer)
a. Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise.
a. true
b. false

b. The use of smart phones for illicit activities is becoming more prevalent.
a. true
b. false

c. CORRECT: Because mobile phones are seized at the time of arrest, a search warrant is not necessary to examine the device for
information.
a. true
b. false

d. Select the file below that is used in VirtualBox to create a virtual machine
a. .vdi
b. .vbox
c. .r0
d. ova


64. c

(No Answer)
a. CORRECT: In addition to opinions and exhibits, the ______________ must specify fees paid for the expert's services and list all other
civil or criminal cases in which the expert has testified.
a. verbal report
b. informal report
c. written report
d. preliminary report

b. Validate your tools and verify your evidence with ____ to ensure its integrity.
a. hashing algorithms
b. watermarks
c. steganography
d. digital certificates

c. People who fear having their ______________ acts revealed feel as though they must protest the ________________ acts of others being
revealed.
a. legal
b. improper
c. secret
d. public

d. An expert's opinion is governed by FRCP, Rule 26, and the corresponding rule in many states.
a. true
b. false

65. c

(No Answer)
a. Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony.
a. setup
b. open-ended
c. compound
d. rapid-fire

b. Type 2 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage
T/F

c. The ___ is a good tool for extracting information from large Libpcap files; you simply specify the time frame you want to examine
a. Tcpdstat
b. Tcpslice
c. Ngrep
d. tcpdump

d. CORRECT: The ??? Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers
between Dropbox and the client's system
a. read_filejournal
b. filetx.log
c. filecache.dbx
d. filecache.dll


66. d

(No Answer)
a. CORRECT: What digital network technology is a digital version of the original analog standard for cell phones?
a. GSM
b. CDMA
c. iDEN
d. D-AMPS

b. In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous
contact with an opposing party?
a. Tidemann v. Toshiba Corp
b. Wang Laboratories, Inc v. Toshiba Corp
c. Tidemann v. Nadler Golf Car Sales, Inc
d. Hewlett-Packard v. EMC Corp

c. The ________________ technology uses the IEEE 802.16e standard and Orthogonal Frequency Division Multiple Access (OFDMA) and
supports transmission speeds of 12 Mbps
a. WiMAX
b. CDMA
c. UMB
d. MIMO

d. FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
a. 702
b. 703
c. 704
d. 705

67. false

(No Answer)
a. In older versions of Exchange, what type of file was responsible for messages formatted with Messaging Application Programming
Interface, and served as the database file
a. .ost
b. edp
c. .edb
d. .edi

b. The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET)
T/F

c. The honeynet Project was developed to make information widely available in an attempt to thwart internet and network attackers
T/F

d. CORRECT: An Internet e-mail is generally part of a local network, and is maintained and managed by an administrator for internal use
by a specific company
T/F


68. B

(No Answer)
a. CORRECT: The ___________________ technology is designed for GSM and Universal Mobile Telecommunications Systems (UMTS)
technology, supports 45 Mbps to 144 Mbps transmission speeds.
a. WiMAX
b. LTE
c. MIMO
d. UMB

b. The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but
does not list hash values of known illegal files.
a. Open Hash Database
b. HashKeeper Online
c. National Hashed Software Referenced.
d. National Software Reference Library

c. What digital network technology is a digital version of the original analog standard for cell phones?
a. GSM
b. CDMA
c. iDEN
d. D-AMPS

d. The _________________ numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report,
and each Arabic numeral is an important piece of supporting information.
a. decimal
b. ordered-sequential
c. legal-sequential
d. reverse-order

69. b

(No Answer)
a. A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to
secure the information contained inside.
a. compiler
b. shifter
c. macro
d. script

b. CORRECT: Many commercial encryption programs use a technology called _____________, which is designed to recover encrypted
data if users forget their passphrases or if the user key is corrupted after a system failure.
a. key vault
b. key escrow
c. bump key
d. master key

c. When writing a report, group related ideas and sentences into ___________________,
a. chapters
b. sections
c. paragraphs
d. separate reports

d. Select below the option that is not a typical feature of smartphones on the market today:
a. Microprocessor
b. Flash
c. ROM
d. Hard drive


70. c

(No Answer)
a. CORRECT: What standard introduced sleep mode to enhance battery life, and is used with TDMA?
a. IS-99
b. IS-140
c. IS-136
d. IS-95

b. Which password recovery method uses every possible letter, number, and character found on a keyboard?
a. rainbow table
b. dictionary attack
c. hybrid attack
d. brute-force attack

c. What information below is not something recorded in Google Drive's snapshot.db file
a. modified and created times
b. URL pathnames
c. file access records
d. file SHA values and sizes

d. What digital network technology was developed during World War II?
a. TDMA
b. CDMA
c. GSM
d. iDEN

71. b

(No Answer)
a. The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but
does not list hash values of known illegal files.
a. Open Hash Database
b. HashKeeper Online
c. National Hashed Software Referenced.
d. National Software Reference Library

b. __________________ means the tone of language you use to address the reader.
a. Style
b. Format
c. Outline
d. Prose

c. The _________________ numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report,
and each Arabic numeral is an important piece of supporting information.
a. decimal
b. ordered-sequential
c. legal-sequential
d. reverse-order

d. CORRECT: An ___________________ is a document that serves as a guideline for knowing what questions to expect when you're
testifying.
a. testimony procedure
b. examination plan
c. planned questionnaire
d. testimony excerpt


72. b

(No Answer)
a. CORRECT: The ____ is the most important part of testimony at a trial.
a. cross-examination
b. direct examination
c. rebuttal
d. motions in limine

b. Attorneys search ____ for information on expert witnesses.


a. cross-examination banks
b. examination banks
c. deposition banks
d. disqualification banks

c. Select below the option that is not common type 1 hypervisor


a. VMware vSphere
b. Microsoft Hyper-V
c. Citrix XenServer
d. Oracle VirtualBox

d. Where is the OS stored on a smartphone?


a. RAM
b. Microprocessor
c. ROM
d. Read/write flash

73. c

(No Answer)
a. Where is the snapshot database created by Google Drive located in Windows
a. C:/Program Files/Google/Drive
b. C:/Users/username/AppData/Local//Google/Drive
c. C:/Users/username/Google/Google drive
d. C:/Google/drive

b. What format below is used for VMware images?


a. .vhd
b. .vmdk
c. .s01
d. .aff

c. The American Bar Association (ABA) is a licensing body.


a. true
b. false

d. CORRECT: Which is not a valid method of deployment for a cloud


a. community
b. public
c. targeted
d. private


74. a

(No Answer)
a. Expert opinions cannot be presented without stating the underlying factual basis.
a. true
b. false

b. Which of the following is not a valid source for cloud forensics training
a. SANS Cloud Forensics with F-Response
b. A+ Security
c. INFOSEC Institute
d. (ISC)2 Certified Cyber Forensics Professional

c. If a microphone is present during your testimony, place it ____ to eight inches from you.
a. 3
b. 4
c. 5
d. 6

d. CORRECT: Validate your tools and verify your evidence with ____ to ensure its integrity.
a. hashing algorithms
b. watermarks
c. steganography
d. digital certificates

75. a

(No Answer)
a. CORRECT: People need ethics to help maintain their balance, especially in difficult and contentious situations.
a. true
b. false

b. One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is
essential for presenting evidence in court.
t/f

c. Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific files or sectors.
t/f

d. The DomainKeys Identified Mail service is a way to verify the names of domains a message is flowing through and was developed as a way
to cut down on spam
T/F


76. d

(No Answer)
a. Which service below does not put log information into /var/log/maillog
a. SMTP
b. Exchange
c. IMAP
d. POP

b. CORRECT: Which type of report typically takes place in an attorney's office?


a. Examination Plan
b. Written Report
c. Preliminary Report
d. Verbal Report

c. Which of the following is not a valid source for cloud forensics training
a. SANS Cloud Forensics with F-Response
b. A+ Security
c. INFOSEC Institute
d. (ISC)2 Certified Cyber Forensics Professional

d. The ____ is the most important part of testimony at a trial.


a. cross-examination
b. direct examination
c. rebuttal
d. motions in limine

77. a

(No Answer)
a. In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters
a. Slow-NetworkAdapters
b. Query-ipconfig
c. Get-VMNetworkAdapter
d. Dump-Betconfig

b. CORRECT: Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond
their expertise.
a. true
b. false

c. At what layers of the OSI model do most packet analyzers function


a. layer 1 or 2
b. layer 2 or 3
c. layer 3 or 4
d. layer 4 or 5

d. What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses
a. tcpdump
b. Argus
c. Ngrep
d. Tcpslice


78. b

(No Answer)
a. The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET)
T/F

b. CORRECT: For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and
showing that you're constantly enhancing your skills through training, teaching, and experience.
a. testimony
b. CV
c. examination plan
d. deposition

c. Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise.
a. true
b. false

d. Forensics tools can't directly mount VMs as external drives


T/F

79. c

(No Answer)
a. Computer forensics examiners have two roles: fact witness and ____ witness.
a. professional
b. direct
c. discovery
d. expert

b. In order to retrieve logs from Exchange, the PowerShell cmdlet ??? can be used
a. GetExchangeLogs.psl
b. GetLogInfo.psl
c. ShowExchangeHistrory.psl
d. GetTransactionLogStats.psl

c. Exchange uses an Exchange database and is based on the ???, which uses several files in different combinations to provide e-mail
service
a. Microsoft Mail Storage Engine (MSE)
b. Microsoft Stored Mail Extension (SME)
c. Microsoft Extended Mail Storage (EMS)
d. Microsoft Extensible Storage Engine (ESE)

d. CORRECT: In older versions of Exchange, what type of file was responsible for messages formatted with Messaging Application
Programming Interface, and served as the database file
a. .ost
b. edp
c. .edb
d. .edi

80. d

(No Answer)
a. What processor instruction set is required in order to utilize virtualization software
a. AMD-VT
b. Intel VirtualBit
c. Virtual Machine Extensions (VMX)
d. Virtual Hardware Extensions (VHX)

b. The capability of type 1 hypervisors is limited only by the amount of available RAM, storage, and throughput
T/F

c. CORRECT: With cloud systems running in a virtual environment, ??? can give you valuable information before, during, and after an
incident
a. carving
b. live acquisition
c. RAM
d. snapshot

d. What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site
marketing
a. Amazon EC2
b. IBM Cloud
c. Salesforce
d. HP Helion

81. d

(No Answer)
a. The Pagefile.sys file on a computer can contain message fragments from instant messaging applications
T/F

b. The ??? utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook
a. fixmail.exe
b. scanpst.exe
c. repairpst.exe
d. rebuildpst.exe

c. CORRECT: Nonvolatile memory on a mobile device can contain OS files and stored user data, such as a __________________ and
backed-up files.
a. Professional Data Holder
b. Personal Assistant Organizer
c. Personal Data Manager
d. Personal Information Manager

d. A report can provide justification for collecting more evidence and be used at a probable cause hearing.
a. true
b. false

82. a

(No Answer)
a. CORRECT: The use of smart phones for illicit activities is becoming more prevalent.
a. true
b. false

b. There are two types of depositions: ____ and testimony preservation.


a. examination
b. discovery
c. direct
d. rebuttal

c. The most important laws applying to attorneys and witnesses are the ____.
a. professional ethics
b. rules of ethics
c. rules of evidence
d. professional codes of conduct

d. The ___ disk image file format is associated with the VirtualBox hypervisor
a. .vmdk
b. .had
c. .vhd
d. .vdi

83. c

(No Answer)
a. The ________________ technology uses the IEEE 802.16e standard and Orthogonal Frequency Division Multiple Access (OFDMA) and
supports transmission speeds of 12 Mbps
a. WiMAX
b. CDMA
c. UMB
d. MIMO

b. The ___ command line program is a common way of examining network traffic, which provides records of network activity while it is
running, and produces hundreds of thousands of records
a. netstat
b. ls
c. ifconfig
d. tcpdump

c. CORRECT: _______________ is the process of opposing attorneys seeking information from each other.
a. Subpoena
b. Warranting
c. Discovery
d. Digging

d. The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but
does not list hash values of known illegal files.
a. Open Hash Database
b. HashKeeper Online
c. National Hashed Software Referenced.
d. National Software Reference Library

84. b

(No Answer)
a. As with any research paper, write the ___________________ last.
a. appendix
b. body
c. acknowledgements
d. abstract

b. CORRECT: The purpose of requesting the ________________ is to deter attorneys from communicating with you solely for the purpose
of disqualifying you.
a. case
b. retainer
c. juror list
d. evidence

c. A report using the _________________ system divides material into sections and restarts numbering with each main section.
a. numerically ordered
b. hierarchical
c. decimal numbering
d. number formatted

d. The advantage of recording hash values is that you can determine whether data has changed.
t/f

85. d

(No Answer)
a. The ___ tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network sniffers, and
freeware forensics tools
a. Kali Linux
b. Ubuntu
c. OSForensics
d. Sleuth Kit

b. The use of smart phones for illicit activities is becoming more prevalent.
a. true
b. false

c. The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery;
the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in
which it belongs", was established in what court case?
a. Daubert v. Merrell Dow Pharmaceuticals, Inc
b. Smith v. United States
c. Frye v. United States
d. Dillon v. United States

d. CORRECT: The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients.
a. HTCIA
b. IACIS
c. ISFCE
d. ABA

86. false

(No Answer)
a. CORRECT: The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the
property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect. T/F

b. The Google drive file ??? contains a detailed list of a user's cloud transactions
a. loggedtransactions.log
b. sync_log.log
c. transact_user.db
d. history.db

c. What kind of files are created by Exchange while converting binary data to readable text in order to prevent loss of data
a. .txt
b. .tmp
c. .exe
d. .log

d. When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be flagged
__________.
a. yellow
b. green
c. red
d. orange

87. b

(No Answer)
a. CORRECT: The ___ is a good tool for extracting information from large Libpcap files; you simply specify the time frame you want to
examine
a. Tcpdstat
b. Tcpslice
c. Ngrep
d. tcpdump

b. The ___ command line program is a common way of examining network traffic, which provides records of network activity while it is
running, and produces hundreds of thousands of records
a. netstat
b. ls
c. ifconfig
d. tcpdump

c. You provide ____ testimony when you answer questions from the attorney who hired you.
a. direct
b. cross
c. examination
d. rebuttal

d. The ??? is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy
agreements, security measures, questionnaires, and more
a. OpenStack Framework Alliance
b. vCloud Security Advisory Panel
c. Cloud Security Alliance
d. Cloud Architecture Group

88. b

(No Answer)
a. The use of smart phones for illicit activities is becoming more prevalent.
a. true
b. false

b. Where is the OS stored on a smartphone?


a. RAM
b. Microprocessor
c. ROM
d. Read/write flash

c. The ___ disk image file format is associated with the VirtualBox hypervisor
a. .vmdk
b. .had
c. .vhd
d. .vdi

d. CORRECT: The ___ is the version of Pcap available for Linux based operating systems
a. Wincap
b. Libcap
c. Tcpcap
d. Netcap

89. false

(No Answer)
a. CORRECT: The Sysinternals Handle utility shows only file system activity, but does not show what processes are using files on the file
system
T/F

b. Syslog is generally configured to put all e-mail related log information into what file
a. /usr/log/mail.log
b. /var/log/message
c. /proc/mail
d. /var/log/maillog

c. GSM refers to mobile phones as "mobile stations" and divides a station into two parts, the __________ and the mobile equipment (ME).
a. antenna
b. SIM card
c. radio
d. transceiver

d. Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its
malicious code from antivirus tools.
a. hashing
b. bit-shifting
c. registry edits
d. slack space

90. a

(No Answer)
a. Computer forensics examiners have two roles: fact witness and ____ witness.
a. professional
b. direct
c. discovery
d. expert

b. CORRECT: When cases go to trial, you as a forensics examiner can play one of ____ roles.
a. 2
b. 3
c. 4
d. 5

c. The goal of recovering as much information as possible can result in ________________, in which an investigation expands beyond the
original description because of unexpected evidence found.
a. litigation
b. scope creep
c. criminal charges
d. violations

d. In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely.
a. keygrabber
b. keylogger
c. packet capture
d. protocol analyzer

91. true

(No Answer)
a. Specially trained system and network administrators are often a CSP's first responders.
a. true
b. false

b. To reduce the time it takes to start applications, Microsoft has created ??? files, which contain the DLL pathnames and metadata used by
application
a. temp
b. cache
c. config
d. prefetch

c. CORRECT: In the United States, the Electronic Communications Privacy Act (ECPA) describes 5 mechanisms the government can use to
get electronic information from a provider
T/F

d. In the United States, there's no state or national licensing body for computer forensics examiners.
a. true
b. false

92. a

(No Answer)
a. CORRECT: In the United States, there's no state or national licensing body for computer forensics examiners.
a. true
b. false

b. The American Bar Association (ABA) is a licensing body.


a. true
b. false

c. One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is
essential for presenting evidence in court.
t/f

d. Which password recovery method uses every possible letter, number, and character found on a keyboard?
a. rainbow table
b. dictionary attack
c. hybrid attack
d. brute-force attack

93. d

(No Answer)
a. Regarding a trial, the term ____ means rejecting potential jurors.
a. voir dire
b. rebuttal
c. strikes
d. venireman

b. As an expert witness, you have opinions about what you have found or observed.
a. true
b. false

c. The ___ is the version of Pcap available for Linux based operating systems
a. Wincap
b. Libcap
c. Tcpcap
d. Netcap

d. CORRECT: ____ is a written list of objections to certain testimony or exhibits.
a. defendant
b. empanelling the jury
c. plaintiff
d. motion in limine

94. b

(No Answer)
a. CORRECT: Before allowing an attorney to describe any case details, determine who the parties are to reduce the possibility of a
_______________.
a. collaboration
b. conflict
c. mistrial
d. contradiction

b. Which of the following options would represent a valid retainer?


a. 2 to 8 hours of your usual billable rate
b. a verbal agreement
c. complete discussion of an ongoing case
d. dissemination of evidence

c. The advantage of recording hash values is that you can determine whether data has changed.
t/f

d. Sometimes opposing attorneys ask several questions inside one question; this practice is called a ____ question.
a. leading
b. hypothetical
c. compound
d. rapid-fire

95. c

(No Answer)
a. What Windows Registry key contains associations for file extensions
a. HKEY_CLASSES_ROOT
b. HKEY_USERS
c. HKEY_LOCAL_MACHINE
d. HKEY_CURRENT_CONFIG

b. CORRECT: Attorneys search ____ for information on expert witnesses.


a. cross-examination banks
b. examination banks
c. deposition banks
d. disqualification banks

c. The ____ is the most important part of testimony at a trial.


a. cross-examination
b. direct examination
c. rebuttal
d. motions in limine

d. The American Bar Association (ABA) is a licensing body.


a. true
b. false

96. a

(No Answer)
a. The _________________ numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report,
and each Arabic numeral is an important piece of supporting information.
a. decimal
b. ordered-sequential
c. legal-sequential
d. reverse-order

b. The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but
does not list hash values of known illegal files.
a. Open Hash Database
b. HashKeeper Online
c. National Hashed Software Referenced.
d. National Software Reference Library

c. The ________________ section of a report starts by referring to the report's purpose, states the main points, draws conclusions, and
possibly renders an opinion.
a. body
b. conclusion
c. appendix
d. reference

d. CORRECT: The ________________ technology uses the IEEE 802.16e standard and Orthogonal Frequency Division Multiple Access
(OFDMA) and supports transmission speeds of 12 Mbps
a. WiMAX
b. CDMA
c. UMB
d. MIMO

97. b

(No Answer)
a. CORRECT: There are two types of depositions: ____ and testimony preservation.
a. examination
b. discovery
c. direct
d. rebuttal

b. Discuss any potential problems with your attorney ____ a deposition.


a. before
b. after
c. during
d. during direct examination at

c. Which type of report typically takes place in an attorney's office?


a. Examination Plan
b. Written Report
c. Preliminary Report
d. Verbal Report

d. ____ is a written list of objections to certain testimony or exhibits.
a. defendant
b. empanelling the jury
c. plaintiff
d. motion in limine

98. a

(No Answer)
a. CORRECT: Specially trained system and network administrators are often a CSP's first responders.
a. true
b. false

b. Committing crimes with e-mail is uncommon, and investigators are not generally tasked with linking suspects to e-mail
T/F

c. In the United States, the Electronic Communications Privacy Act (ECPA) describes 5 mechanisms the government can use to get electronic
information from a provider
T/F

d. ____ evidence is evidence that exonerates or diminishes the defendant's liability.


a. rebuttal
b. plaintiff
c. inculpatory
d. exculpatory

99. b

(No Answer)
a. If a microphone is present during your testimony, place it ____ to eight inches from you.
a. 3
b. 4
c. 5
d. 6

b. Discuss any potential problems with your attorney ____ a deposition.


a. before
b. after
c. during
d. during direct examination at

c. CORRECT: Within Windows Vista and later, partition gaps are _____________ bytes in length.
a. 64
b. 128
c. 256
d. 512

d. The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to filter known
program files from view and contains the hash values of known illegal files.
a. DeepScan Filter
b. Unknown File Filter (UFF)
c. Known File Filter (KFF)
d. FTK Hash Imager

100. d

(No Answer)
a. In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely.
a. keygrabber
b. keylogger
c. packet capture
d. protocol analyzer

b. The ____ is the most important part of testimony at a trial.


a. cross-examination
b. direct examination
c. rebuttal
d. motions in limine

c. One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is
essential for presenting evidence in court.
t/f

d. CORRECT: ____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics
activities.
a. AMA's law
b. ABA's model rule
c. ABA's model codes
d. APA's ethics code

101. c

(No Answer)
a. What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact
a. iNet
b. ARIN
c. Google
d. ERIN

b. The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET)
T/F

c. CORRECT: What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses
a. tcpdump
b. Argus
c. Ngrep
d. Tcpslice

d. What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords?
a. salted passwords
b. scrambled passwords
c. indexed passwords
d. master passwords

102. a

(No Answer)
a. In VirtualBox, ___ different types of virtual network adapters are possible, such as AMD and Intel Pro adapters
a. 2
b. 4
c. 6
d. 8

b. Where is the snapshot database created by Google Drive located in Windows


a. C:/Program Files/Google/Drive
b. C:/Users/username/AppData/Local//Google/Drive
c. C:/Users/username/Google/Google drive
d. C:/Google/drive

c. CORRECT: A ??? is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities
a. court order
b. temporary restraining order
c. warrant
d. subpoena

d. The ??? is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy
agreements, security measures, questionnaires, and more
a. OpenStack Framework Alliance
b. vCloud Security Advisory Panel
c. Cloud Security Alliance
d. Cloud Architecture Group

103. c

(No Answer)
a. What Windows Registry key contains associations for file extensions
a. HKEY_CLASSES_ROOT
b. HKEY_USERS
c. HKEY_LOCAL_MACHINE
d. HKEY_CURRENT_CONFIG

b. What digital network technology was developed during World War II?
a. TDMA
b. CDMA
c. GSM
d. iDEN

c. At what layers of the OSI model do most packet analyzers function


a. layer 1 or 2
b. layer 2 or 3
c. layer 3 or 4
d. layer 4 or 5

d. CORRECT: Regarding a trial, the term ____ means rejecting potential jurors.
a. voir dire
b. rebuttal
c. strikes
d. venireman

104. c

(No Answer)
a. CORRECT: In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network
adapters
a. Slow-NetworkAdapters
b. Query-ipconfig
c. Get-VMNetworkAdapter
d. Dump-Betconfig

b. Exchange uses an Exchange database and is based on the ???, which uses several files in different combinations to provide e-mail
service
a. Microsoft Mail Storage Engine (MSE)
b. Microsoft Stored Mail Extension (SME)
c. Microsoft Extended Mail Storage (EMS)
d. Microsoft Extensible Storage Engine (ESE)

c. Which component of cell communication is used to route digital packets for the network and relies on a database to support subscribers?
a. Base station controller (BSC)
b. Base transceiver station (BTS)
c. Base transceiver controller (BTC)
d. Mobile switching center (MSC)

d. When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be flagged
__________.
a. yellow
b. green
c. red
d. orange

105. b

(No Answer)
a. Select the file below that is used in VirtualBox to create a virtual machine
a. .vdi
b. .vbox
c. .r0
d. ova

b. CORRECT: E-mail administrators may make use of ???, which overwrites a log file when it reaches a specified size or at the end of a
specified time frame
a. log recycling
b. circular logging
c. log purging
d. log cycling

c. The Suni Munshani v. Signal Lake Venture Fund II, LP et al case is an example of a case that involves e-mail ???
a. destruction
b. spamming
c. spoofing
d. theft

d. Type 2 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage
T/F

106. a

(No Answer)
a. Which type of report typically takes place in an attorney's office?
a. Examination Plan
b. Written Report
c. Preliminary Report
d. Verbal Report

b. As with any research paper, write the ___________________ last.


a. appendix
b. body
c. acknowledgements
d. abstract

c. CORRECT: Discuss any potential problems with your attorney ____ a deposition.
a. before
b. after
c. during
d. during direct examination at

d. Currently, expert witnesses testify in more than __ percent of trials.


a. 55
b. 80
c. 92
d. 78

107. b

(No Answer)
a. What information is not typically included in an e-mail header
a. the sender's physical location
b. the originating IP address
c. the unique ID of the e-mail
d. the originating domain

b. CORRECT: What format below is used for VMware images?


a. .vhd
b. .vmdk
c. .s01
d. .aff

c. Which option below is the correct path to the sendmail configuration file
a. /var/etc/sendmail.cf
b. /var/mail/sendmail.cf
c. /usr/local/sendmail.cf
d. /etc/mail/sendmail.cf

d. What command below could be used on a UNIX system to help locate log directories
a. show log
b. detail
c. search
d. find

108. b

(No Answer)
a. The NSA's defense in depth (DiD) strategy contains three modes of protection. Which option below is not one of the three modes
a. People
b. Technology
c. Operations
d. Management

b. An expert's opinion is governed by ________________ and the corresponding rule in many states.
a. FRE, Rule 705
b. FRE, Rule 507
c. FRCP 26
d. FRCP 62

c. With cloud systems running in a virtual environment, ??? can give you valuable information before, during, and after an incident
a. carving
b. live acquisition
c. RAM
d. snapshot

d. CORRECT: An expert's opinion is governed by FRCP, Rule 26, and the corresponding rule in many states.
a. true
b. false

109. a

(No Answer)
a. When writing a report, group related ideas and sentences into ___________________.
a. chapters
b. sections
c. paragraphs
d. separate reports

b. In addition to opinions and exhibits, the ______________ must specify fees paid for the expert's services and list all other civil or criminal
cases in which the expert has testified.
a. verbal report
b. informal report
c. written report
d. preliminary report

c. Most Code Division Multiple Access (CDMA) networks conform to ____________ , created by the Telecommunications Industry Association
(TIA).
a. TS-95
b. 802.11
c. IS-95
d. IS-136

d. CORRECT: Within NIST guidelines for mobile forensics methods, the ______________ method requires physically removing flash memory
chips and gathering information at the binary level.
a. Chip-off
b. Logical extraction
c. Micro read
d. Manual extraction

110. c

(No Answer)
a. CORRECT: In VirtualBox, ___ different types of virtual network adapters are possible, such as AMD and Intel Pro adapters
a. 2
b. 4
c. 6
d. 8

b. Which of the following is not a type of peripheral memory card used in PDAs?
a. Secure Digital (SD)
b. Compact Flash (CF)
c. Multimedia Card (MMC)
d. RamBus (RB)

c. The advantage of recording hash values is that you can determine whether data has changed.
t/f

d. Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its
malicious code from antivirus tools.
a. hashing
b. bit-shifting
c. registry edits
d. slack space

111. d

(No Answer)
a. Which of the following options would represent a valid retainer?
a. 2 to 8 hours of your usual billable rate
b. a verbal agreement
c. complete discussion of an ongoing case
d. dissemination of evidence

b. CORRECT: Which component of cell communication is used to route digital packets for the network and relies on a database to
support subscribers?
a. Base station controller (BSC)
b. Base transceiver station (BTS)
c. Base transceiver controller (BTC)
d. Mobile switching center (MSC)

c. What information is not typically included in an e-mail header


a. the sender's physical location
b. the originating IP address
c. the unique ID of the e-mail
d. the originating domain

d. Which of the NIST guidelines below requires using a modified boot loader to access RAM for analysis?
a. Chip-off
b. Manual extraction
c. Hex dumping
d. Micro read

112. c

(No Answer)
a. CORRECT: What processor instruction set is required in order to utilize virtualization software
a. AMD-VT
b. Intel VirtualBit
c. Virtual Machine Extensions (VMX)
d. Virtual Hardware Extensions (VHX)

b. ____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities.
a. AMA's law
b. ABA's model rule
c. ABA's model codes
d. APA's ethics code

c. What letter should be typed into DiskEdit in order to mark a good sector as bad?
a. M
b. B
c. T
d. D

d. What file type below, associated with VMWare, stores VM paging files that are used as RAM for a virtual machine
a. .nvram
b. .vmen
c. .vmpage
d. .vmx

113. a

(No Answer)
a. CORRECT: The ___ tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network
sniffers, and freeware forensics tools
a. Kali Linux
b. Ubuntu
c. OSForensics
d. Sleuth Kit

b. The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery;
the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in
which it belongs", was established in what court case?
a. Daubert v. Merrell Dow Pharmaceuticals, Inc
b. Smith v. United States
c. Frye v. United States
d. Dillon v. United States

c. Nonvolatile memory on a mobile device can contain OS files and stored user data, such as a __________________ and backed-up files.
a. Professional Data Holder
b. Personal Assistant Organizer
c. Personal Data Manager
d. Personal Information Manager

d. The NSA's defense in depth (DiD) strategy contains three modes of protection. Which option below is not one of the three modes
a. People
b. Technology
c. Operations
d. Management

114. b

(No Answer)
a. Which of the following is NOT a service level for the cloud
a. Platform as a service
b. Infrastructure as a service
c. Virtualization as a service
d. Software as a service

b. What Windows Registry key contains associations for file extensions


a. HKEY_CLASSES_ROOT
b. HKEY_USERS
c. HKEY_LOCAL_MACHINE
d. HKEY_CURRENT_CONFIG

c. CORRECT: At what layers of the OSI model do most packet analyzers function
a. layer 1 or 2
b. layer 2 or 3
c. layer 3 or 4
d. layer 4 or 5

d. Which of the following options would represent a valid retainer?


a. 2 to 8 hours of your usual billable rate
b. a verbal agreement
c. complete discussion of an ongoing case
d. dissemination of evidence

115. true

(No Answer)
a. Which component of cell communication is used to route digital packets for the network and relies on a database to support subscribers?
a. Base station controller (BSC)
b. Base transceiver station (BTS)
c. Base transceiver controller (BTC)
d. Mobile switching center (MSC)

b. Which option below is the correct path to the sendmail configuration file
a. /var/etc/sendmail.cf
b. /var/mail/sendmail.cf
c. /usr/local/sendmail.cf
d. /etc/mail/sendmail.cf

c. An Internet e-mail is generally part of a local network, and is maintained and managed by an administrator for internal use by a specific
company
T/F

d. CORRECT: The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET)
T/F

116. a

(No Answer)
a. The advantage of recording hash values is that you can determine whether data has changed.
t/f

b. CORRECT: FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
a. 702
b. 703
c. 704
d. 705

c. ____ questions can give you the factual structure to support and defend your opinion.
a. rapid-fire
b. hypothetical
c. setup
d. compound

d. The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery;
the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in
which it belongs", was established in what court case?
a. Daubert v. Merrell Dow Pharmaceuticals, Inc
b. Smith v. United States
c. Frye v. United States
d. Dillon v. United States

117. c

(No Answer)
a. CORRECT: A report using the _________________ system divides material into sections and restarts numbering with each main
section.
a. numerically ordered
b. hierarchical
c. decimal numbering
d. number formatted

b. When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be flagged
__________.
a. yellow
b. green
c. red
d. orange

c. Before allowing an attorney to describe any case details, determine who the parties are to reduce the possibility of a _______________.
a. collaboration
b. conflict
c. mistrial
d. contradiction

d. An expert's opinion is governed by ________________ and the corresponding rule in many states.
a. FRE, Rule 705
b. FRE, Rule 507
c. FRCP 26
d. FRCP 62

118. b

(No Answer)
a. CORRECT: GSM refers to mobile phones as "mobile stations" and divides a station into two parts, the __________ and the mobile
equipment (ME).
a. antenna
b. SIM card
c. radio
d. transceiver

b. ____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities.
a. AMA's law
b. ABA's model rule
c. ABA's model codes
d. APA's ethics code

c. What virtual machine software supports all Windows and Linux OSs as well as Macintosh and Solaris, and is provided as shareware?
a. KVM
b. Parallels
c. Microsoft Virtual PC
d. VirtualBox

d. What processor instruction set is required in order to utilize virtualization software
a. AMD-VT
b. Intel VirtualBit
c. Virtual Machine Extensions (VMX)
d. Virtual Hardware Extensions (VHX)

119. false

(No Answer)
a. In the United States, the Electronic Communications Privacy Act (ECPA) describes 5 mechanisms the government can use to get electronic
information from a provider
T/F

b. CORRECT: Committing crimes with e-mail is uncommon, and investigators are not generally tasked with linking suspects to e-mail
T/F

c. When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be flagged
__________.
a. yellow
b. green
c. red
d. orange

d. Nonvolatile memory on a mobile device can contain OS files and stored user data, such as a __________________ and backed-up files.
a. Professional Data Holder
b. Personal Assistant Organizer
c. Personal Data Manager
d. Personal Information Manager

120. b

(No Answer)
a. The ??? Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox
and the client's system
a. read_filejournal
b. filetx.log
c. filecache.dbx
d. filecache.dll

b. A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to
secure the information contained inside.
a. compiler
b. shifter
c. macro
d. script

c. The Honeynet Project was developed to make information widely available in an attempt to thwart internet and network attackers
T/F

d. CORRECT: The goal of recovering as much information as possible can result in ________________, in which an investigation expands
beyond the original description because of unexpected evidence found.
a. litigation
b. scope creep
c. criminal charges
d. violations

121. c

(No Answer)
a. Which of the following is not a type of peripheral memory card used in PDAs?
a. Secure Digital (SD)
b. Compact Flash (CF)
c. Multimedia Card (MMC)
d. RamBus (RB)

b. Like a job resume, your CV should be geared for a specific trial.
a. true
b. false

c. CORRECT: Where does the Postfix UNIX mail server store e-mail
a. /home/username/mail
b. /var/mail/postfix
c. /var/spool/postfix
d. /etc/postfix

d. Expert witnesses are not required to submit a written report for civil cases.
a. true
b. false

122. d

(No Answer)
a. Where is the snapshot database created by Google Drive located in Windows
a. C:/Program Files/Google/Drive
b. C:/Users/username/AppData/Local//Google/Drive
c. C:/Users/username/Google/Google drive
d. C:/Google/drive

b. CORRECT: The ___ disk image file format is associated with the VirtualBox hypervisor
a. .vmdk
b. .had
c. .vhd
d. .vdi

c. The ___ is the version of Pcap available for Linux based operating systems
a. Wincap
b. Libcap
c. Tcpcap
d. Netcap

d. The most important laws applying to attorneys and witnesses are the ____.
a. professional ethics
b. rules of ethics
c. rules of evidence
d. professional codes of conduct

123. false

(No Answer)
a. Currently, expert witnesses testify in more than __ percent of trials.
a. 55
b. 80
c. 92
d. 78

b. FRE ____ describes whether the basis for the testimony is adequate.
a. 700
b. 701
c. 702
d. 703

c. CORRECT: In an e-mail address, everything before the @ symbol represents the domain name
T/F

d. When cases go to trial, you as a forensics examiner can play one of ____ roles.
a. 2
b. 3
c. 4
d. 5

124. d

(No Answer)
a. Where is the snapshot database created by Google Drive located in Windows
a. C:/Program Files/Google/Drive
b. C:/Users/username/AppData/Local//Google/Drive
c. C:/Users/username/Google/Google drive
d. C:/Google/drive

b. Which of the following is not a valid source for cloud forensics training
a. Sans Cloud Forensics with F-Response
b. A+ Security
c. INFOSEC Institute
d. (ISC)2 Certified Cyber Forensics Professional

c. CORRECT: Which of the following is not a type of peripheral memory card used in PDAs?
a. Secure Digital (SD)
b. Compact Flash (CF)
c. Multimedia Card (MMC)
d. RamBus (RB)

d. Which of the following options would represent a valid retainer?
a. 2 to 8 hours of your usual billable rate
b. a verbal agreement
c. complete discussion of an ongoing case
d. dissemination of evidence

125. d

(No Answer)
a. CORRECT: The ___ command line program is a common way of examining network traffic, which provides records of network activity
while it is running, and produces hundreds of thousands of records
a. netstat
b. ls
c. ifconfig
d. tcpdump

b. _______________ is the process of opposing attorneys seeking information from each other.
a. Subpoena
b. Warranting
c. Discovery
d. Digging

c. The ________________ section of a report starts by referring to the report's purpose, states the main points, draws conclusions, and
possibly renders an opinion.
a. body
b. conclusion
c. appendix
d. reference

d. The ___ is the version of Pcap available for Linux based operating systems
a. Wincap
b. Libcap
c. Tcpcap
d. Netcap

126. a

(No Answer)
a. CORRECT: __________________ means the tone of language you use to address the reader.
a. Style
b. Format
c. Outline
d. Prose

b. The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but
does not list hash values of known illegal files.
a. Open Hash Database
b. HashKeeper Online
c. National Hashed Software Referenced.
d. National Software Reference Library

c. An ___________________ is a document that serves as a guideline for knowing what questions to expect when you're testifying.
a. testimony procedure
b. examination plan
c. planned questionnaire
d. testimony excerpt

d. A ____________ image file containing software is intended to be bit-stream copied to floppy disks or other external media.
a. fdisk
b. format
c. dd
d. DiskEdit

127. b

(No Answer)
a. CORRECT: The ??? tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack
a. Openforensics
b. FROST
c. WinHex
d. ARC

b. The ??? is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy
agreements, security measures, questionnaires, and more
a. OpenStack Framework Alliance
b. vCloud Security Advisory Panel
c. Cloud Security Alliance
d. Cloud Architecture Group

c. The ___ disk image file format is associated with the VirtualBox hypervisor
a. .vmdk
b. .had
c. .vhd
d. .vdi

d. The Sysinternals Handle utility shows only file system activity, but does not show what processes are using files on the file system
T/F

128. a

(No Answer)
a. What digital network technology was developed during World War II?
a. TDMA
b. CDMA
c. GSM
d. iDEN

b. ____ is a written list of objections to certain testimony or exhibits.
a. defendant
b. empanelling the jury
c. plaintiff
d. motion in limine

c. CORRECT: Which of the following options would represent a valid retainer?
a. 2 to 8 hours of your usual billable rate
b. a verbal agreement
c. complete discussion of an ongoing case
d. dissemination of evidence

d. At what layers of the OSI model do most packet analyzers function
a. layer 1 or 2
b. layer 2 or 3
c. layer 3 or 4
d. layer 4 or 5

129. c

(No Answer)
a. CORRECT: The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to
filter known program files from view and contains the hash values of known illegal files.
a. DeepScan Filter
b. Unknown File Filter (UFF)
c. Known File Filter (KFF)
d. FTK Hash Imager

b. The ___ command line program is a common way of examining network traffic, which provides records of network activity while it is
running, and produces hundreds of thousands of records
a. netstat
b. ls
c. ifconfig
d. tcpdump

c. Exchange uses an Exchange database and is based on the ???, which uses several files in different combinations to provide e-mail
service
a. Microsoft Mail Storage Engine (MSE)
b. Microsoft Stored Mail Extension (SME)
c. Microsoft Extended Mail Storage (EMS)
d. Microsoft Extensible Storage Engine (ESE)

d. The Honeynet Project was developed to make information widely available in an attempt to thwart internet and network attackers
T/F

130. b

(No Answer)
a. Which of the following options would represent a valid retainer?
a. 2 to 8 hours of your usual billable rate
b. a verbal agreement
c. complete discussion of an ongoing case
d. dissemination of evidence

b. Which is not a valid method of deployment for a cloud
a. community
b. public
c. targeted
d. private

c. What type of Facebook profile is usually only given to law enforcement with a warrant
a. private profile
b. advanced profile
c. basic profile
d. Neoprint profile

d. CORRECT: In what state is sending unsolicited email illegal
a. Florida
b. Washington
c. Maine
d. New York

131. d

(No Answer)
a. What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds
a. HP Helion
b. Amazon EC2
c. XenServer and XenCenter Windows Management Console
d. Cisco Cloud Computing

b. CORRECT: What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify
must provide a copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in
coming to those opinions?
a. rule 24
b. rule 35
c. rule 36
d. rule 26

c. The ??? Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox
and the client's system
a. read_filejournal
b. filetx.log
c. filecache.dbx
d. filecache.dll

d. What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and taking pictures?
a. Manual extraction
b. Chip-off
c. Micro read
d. Logical extraction

132. b

(No Answer)
a. Where does the Postfix UNIX mail server store e-mail
a. /home/username/mail
b. /var/mail/postfix
c. /var/spool/postfix
d. /etc/postfix

b. Forensics tools can't directly mount VMs as external drives
T/F

c. CORRECT: The American Bar Association (ABA) is a licensing body.
a. true
b. false

d. What Windows Registry key contains associations for file extensions
a. HKEY_CLASSES_ROOT
b. HKEY_USERS
c. HKEY_LOCAL_MACHINE
d. HKEY_CURRENT_CONFIG

133. a

(No Answer)
a. Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific files or sectors.
t/f

b. Which e-mail recovery program below can recover files from VMware and VirtualPC virtual machines, as well as ISOs and other types of
file backups
a. Fookes Aid4mail
b. DataNumen Outlook Repair
c. EnCase Forensics
d. AccessData FTK

c. CORRECT: Search and seizure procedures for mobile devices are as important as procedures for computers.
a. true
b. false

d. _______________ is the process of opposing attorneys seeking information from each other.
a. Subpoena
b. Warranting
c. Discovery
d. Digging

134. false

(No Answer)
a. CORRECT: Type 2 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage
T/F

b. In VirtualBox, ___ different types of virtual network adapters are possible, such as AMD and Intel Pro adapters
a. 2
b. 4
c. 6
d. 8

c. Jurors typically average just over ____ years of education and an eighth-grade reading level.
a. 9
b. 10
c. 11
d. 12

d. In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters
a. Slow-NetworkAdapters
b. Query-ipconfig
c. Get-VMNetworkAdapter
d. Dump-Betconfig

135. d

(No Answer)
a. In the United States, there's no state or national licensing body for computer forensics examiners.
a. true
b. false

b. CORRECT: In a prefetch file, the application's last access date and time are at offset ???
a. 0x80
b. 0x88
c. 0xD4
d. 0x90

c. When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and
documented?
a. Inventory and documentation information should be stored on a drive and then the drive should be reformatted.
b. Start the suspect's computer and begin collecting evidence.
c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
d. Connect the suspect's computer to the local network so that up to date forensics utilities can be utilized.

d. A report can provide justification for collecting more evidence and be used at a probable cause hearing.
a. true
b. false

136. c

(No Answer)
a. CORRECT: When performing a static acquisition, what should be done after the hardware on a suspect's computer has been
inventoried and documented?
a. Inventory and documentation information should be stored on a drive and then the drive should be reformatted.
b. Start the suspect's computer and begin collecting evidence.
c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
d. Connect the suspect's computer to the local network so that up to date forensics utilities can be utilized.

b. The advantage of recording hash values is that you can determine whether data has changed.
t/f

c. Technical terms, if included in a report, should be defined in ordinary language such that lawyers, judges, and jurors can understand them.
a. true
b. false

d. In a prefetch file, the application's last access date and time are at offset ???
a. 0x80
b. 0x88
c. 0xD4
d. 0x90

137. false

(No Answer)
a. The ___ is the version of Pcap available for Linux based operating systems
a. Wincap
b. Libcap
c. Tcpcap
d. Netcap

b. CORRECT: Forensics tools can't directly mount VMs as external drives
T/F

c. The American Bar Association (ABA) is a licensing body.
a. true
b. false

d. FRE ____ describes whether the basis for the testimony is adequate.
a. 700
b. 701
c. 702
d. 703

138. c

(No Answer)
a. What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a
copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in coming to
those opinions?
a. rule 24
b. rule 35
c. rule 36
d. rule 26

b. What type of Facebook profile is usually only given to law enforcement with a warrant
a. private profile
b. advanced profile
c. basic profile
d. Neoprint profile

c. Which of the following is not a valid source for cloud forensics training
a. Sans Cloud Forensics with F-Response
b. A+ Security
c. INFOSEC Institute
d. (ISC)2 Certified Cyber Forensics Professional

d. CORRECT: What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and
Web site marketing
a. Amazon EC2
b. IBM Cloud
c. Salesforce
d. HP Helion

139. b

(No Answer)
a. CORRECT: What letter should be typed into DiskEdit in order to mark a good sector as bad?
a. M
b. B
c. T
d. D

b. Which option below is not a disk management tool?
a. Partition Magic
b. Partition Master
c. GRUB
d. HexEdit

c. What type of Facebook profile is usually only given to law enforcement with a warrant
a. private profile
b. advanced profile
c. basic profile
d. Neoprint profile

d. How many words should be in the abstract of a report?
a. 50 to 100 words
b. 100 to 150 words
c. 150 to 299 words
d. 200 to 250 words

140. a

(No Answer)
a. What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site
marketing
a. Amazon EC2
b. IBM Cloud
c. Salesforce
d. HP Helion

b. CORRECT: As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.
a. true
b. false

c. In a ___ attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server with established
connections
a. smurf
b. SYN flood
c. spoof
d. ghost

d. What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a
copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in coming to
those opinions?
a. rule 24
b. rule 35
c. rule 36
d. rule 26

141. b

(No Answer)
a. CORRECT: You should create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your
report.
a. true
b. false

b. Experts should be paid in full for all previous work and for the anticipated time required for testimony.
a. true
b. false

c. Because attorneys do not have the right of full discovery of digital evidence, it is not possible for new evidence to come to light while
complying with a defense request for full discovery.
t/f

d. You provide ____ testimony when you answer questions from the attorney who hired you.
a. direct
b. cross
c. examination
d. rebuttal

142. c

(No Answer)
a. Select below the program within the Ps Tools suite that allows you to run processes remotely
a. PsService
b. PsPasswd
c. PsRemote
d. PsExec

b. Select below the option that is not a typical feature of smartphones on the market today:
a. Microprocessor
b. Flash
c. ROM
d. Hard drive

c. CORRECT: Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords:
a. Last Bit
b. AccessData PRTK
c. OSForensics
d. Passware

d. Select below the option that is not a common type 1 hypervisor
a. VMware vSphere
b. Microsoft Hyper-V
c. Citrix XenServer
d. Oracle VirtualBox

143. c

(No Answer)
a. When cases go to trial, you as a forensics examiner can play one of ____ roles.
a. 2
b. 3
c. 4
d. 5

b. CORRECT: The term for detecting and analyzing steganography files is _________________.
a. carving
b. steganology
c. steganalysis
d. steganomics

c. Computer forensics examiners have two roles: fact witness and ____ witness.
a. professional
b. direct
c. discovery
d. expert

d. The use of smart phones for illicit activities is becoming more prevalent.
a. true
b. false

144. d

(No Answer)
a. Before allowing an attorney to describe any case details, determine who the parties are to reduce the possibility of a _______________.
a. collaboration
b. conflict
c. mistrial
d. contradiction

b. What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and taking pictures?
a. Manual extraction
b. Chip-off
c. Micro read
d. Logical extraction

c. What organization is responsible for the creation of the requirements for carriers to be considered 4G?
a. IEEE
b. ITU-R
c. ISO
d. TIA

d. CORRECT: Select below the option that is not a typical feature of smartphones on the market today:
a. Microprocessor
b. Flash
c. ROM
d. Hard drive

145. true

(No Answer)
a. The ___ is a good tool for extracting information from large Libpcap files; you simply specify the time frame you want to examine
a. Tcpdstat
b. Tcpslice
c. Ngrep
d. tcpdump

b. In the United States, there's no state or national licensing body for computer forensics examiners.
a. true
b. false

c. The goal of recovering as much information as possible can result in ________________, in which an investigation expands beyond the
original description because of unexpected evidence found.
a. litigation
b. scope creep
c. criminal charges
d. violations

d. CORRECT: The Honeynet Project was developed to make information widely available in an attempt to thwart internet and network
attackers
T/F

146. d

(No Answer)
a. A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to
secure the information contained inside.
a. compiler
b. shifter
c. macro
d. script

b. CORRECT: Select the program below that can be used to analyze mail from Outlook, Thunderbird, and Eudora
a. AccessData FTK
b. DataNumen
c. R-Tools R-Mail
d. Fookes Aid4Mail

c. Which e-mail recovery program below can recover files from VMware and VirtualPC virtual machines, as well as ISOs and other types of
file backups
a. Fookes Aid4mail
b. DataNumen Outlook Repair
c. EnCase Forensics
d. AccessData FTK

d. The ??? is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy
agreements, security measures, questionnaires, and more
a. OpenStack Framework Alliance
b. vCloud Security Advisory Panel
c. Cloud Security Alliance
d. Cloud Architecture Group

147. a

(No Answer)
a. ____ evidence is evidence that exonerates or diminishes the defendant's liability.
a. rebuttal
b. plaintiff
c. inculpatory
d. exculpatory

b. When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and
documented?
a. Inventory and documentation information should be stored on a drive and then the drive should be reformatted.
b. Start the suspect's computer and begin collecting evidence.
c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
d. Connect the suspect's computer to the local network so that up to date forensics utilities can be utilized.

c. CORRECT: You provide ____ testimony when you answer questions from the attorney who hired you.
a. direct
b. cross
c. examination
d. rebuttal

d. Sometimes opposing attorneys ask several questions inside one question; this practice is called a ____ question.
a. leading
b. hypothetical
c. compound
d. rapid-fire

148. a

(No Answer)
a. CORRECT: An expert's opinion is governed by ________________ and the corresponding rule in many states.
a. FRE, Rule 705
b. FRE, Rule 507
c. FRCP 26
d. FRCP 62

b. In addition to opinions and exhibits, the ______________ must specify fees paid for the expert's services and list all other civil or criminal
cases in which the expert has testified.
a. verbal report
b. informal report
c. written report
d. preliminary report

c. The report generator in ProDiscover defaults to ______________________, which can be opened by most word processors.
a. HyperText Markup Language (HTML)
b. Rich Text Format (RTF)
c. Extensible Markup Language (XML)
d. Microsoft Word document format

d. Within Windows Vista and later, partition gaps are _____________ bytes in length.
a. 64
b. 128
c. 256
d. 512

149. c

(No Answer)
a. What command below could be used on a UNIX system to help locate log directories
a. show log
b. detail
c. search
d. find

b. If a report is long and complex, you should include a(n) _____________.
a. appendix
b. abstract
c. glossary
d. table of contents

c. The goal of recovering as much information as possible can result in ________________, in which an investigation expands beyond the
original description because of unexpected evidence found.
a. litigation
b. scope creep
c. criminal charges
d. violations

d. CORRECT: When writing a report, group related ideas and sentences into ___________________,
a. chapters
b. sections
c. paragraphs
d. separate reports

150. d

(No Answer)
a. Which of the following is not a valid source for cloud forensics training
a. Sans Cloud Forensics with F-Response
b. A+ Security
c. INFOSEC Institute
d. (ISC)2 Certified Cyber Forensics Professional

b. One of the most noteworthy e-mail scams was 419, otherwise known as the ???
a. Nigerian Scam
b. Lake Venture Scam
c. Conficker virus
d. Iloveyou Scam

c. Which of the following options would represent a valid retainer?
a. 2 to 8 hours of your usual billable rate
b. a verbal agreement
c. complete discussion of an ongoing case
d. dissemination of evidence

d. CORRECT: Which of the following file systems can't be analyzed by OSForensics?
a. FAT12
b. Ext2fs
c. HFS+
d. XFS

151. a

(No Answer)
a. ____ evidence is evidence that exonerates or diminishes the defendant's liability.
a. rebuttal
b. plaintiff
c. inculpatory
d. exculpatory

b. What organization is responsible for the creation of the requirements for carriers to be considered 4G?
a. IEEE
b. ITU-R
c. ISO
d. TIA

c. CORRECT: What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords?
a. salted passwords
b. scrambled passwords
c. indexed passwords
d. master passwords

d. What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses
a. tcpdump
b. Argus
c. Ngrep
d. Tcpslice

152. b

(No Answer)
a. Which option below is the correct path to the sendmail configuration file
a. /var/etc/sendmail.cf
b. /var/mail/sendmail.cf
c. /usr/local/sendmail.cf
d. /etc/mail/sendmail.cf

b. The ___ disk image file format is associated with the VirtualBox hypervisor
a. .vmdk
b. .had
c. .vhd
d. .vdi

c. One of the most noteworthy e-mail scams was 419, otherwise known as the ???
a. Nigerian Scam
b. Lake Venture Scam
c. Conficker virus
d. Iloveyou Scam

d. CORRECT: Where is the snapshot database created by Google Drive located in Windows
a. C:/Program Files/Google/Drive
b. C:/Users/username/AppData/Local//Google/Drive
c. C:/Users/username/Google/Google drive
d. C:/Google/drive

153. b

(No Answer)
a. Select below the option that is not a common type 1 hypervisor
a. VMware vSphere
b. Microsoft Hyper-V
c. Citrix XenServer
d. Oracle VirtualBox

b. Select the file below that is used in VirtualBox to create a virtual machine
a. .vdi
b. .vbox
c. .r0
d. ova

c. CORRECT: Which service below does not put log information into /var/log/maillog
a. SMTP
b. Exchange
c. IMAP
d. POP

d. The Honeynet Project was developed to make information widely available in an attempt to thwart internet and network attackers
T/F

154. d

(No Answer)
a. CORRECT: Syslog is generally configured to put all e-mail related log information into what file
a. /usr/log/mail.log
b. /var/log/message
c. /proc/mail
d. /var/log/maillog

b. What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact
a. iNet
b. ARIN
c. Google
d. ERIN

c. Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony.
a. setup
b. open-ended
c. compound
d. rapid-fire

d. In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters?
a. NTFS
b. FAT
c. HFSX
d. Ext3fs

155. true

(No Answer)
a. Nonvolatile memory on a mobile device can contain OS files and stored user data, such as a __________________ and backed-up files.
a. Professional Data Holder
b. Personal Assistant Organizer
c. Personal Data Manager
d. Personal Information Manager

b. The Suni Munshani v. Signal Lake Venture Fund II, LP et al case is an example of a case that involves e-mail ???
a. destruction
b. spamming
c. spoofing
d. theft

c. CORRECT: The DomainKeys Identified Mail service is a way to verify the names of domains a message is flowing through and was
developed as a way to cut down on spam
T/F

d. The NSA's defense in depth (DiD) strategy contains three modes of protection. Which option below is not one of the three modes
a. People
b. Technology
c. Operations
d. Management

156. c

(No Answer)
a. CORRECT: Sometimes opposing attorneys ask several questions inside one question; this practice is called a ____ question.
a. leading
b. hypothetical
c. compound
d. rapid-fire

b. FRE ____ describes whether the basis for the testimony is adequate.
a. 700
b. 701
c. 702
d. 703

c. Most Code Division Multiple Access networks conform to IS-95. The systems are referred to as CDMAOne, and when they went to 3G
service, they became CDMAThree
a. true
b. false

d. ___ is an attempt by opposing attorneys to prevent you from serving on an important case.
a. conflict of interest
b. warrant
c. deposition
d. conflicting out

157. true

(No Answer)
a. The ___ disk image file format is associated with the VirtualBox hypervisor
a. .vmdk
b. .had
c. .vhd
d. .vdi

b. CORRECT: The capability of type 1 hypervisors is limited only by the amount of available RAM, storage, and throughput
T/F

c. At what layers of the OSI model do most packet analyzers function


a. layer 1 or 2
b. layer 2 or 3
c. layer 3 or 4
d. layer 4 or 5

d. The ____ is the most important part of testimony at a trial.


a. cross-examination
b. direct examination
c. rebuttal
d. motions in limine


158. c

(No Answer)
a. FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
a. 702
b. 703
c. 704
d. 705

b. CORRECT: Leading questions such as "Isn't it true that forensics experts always destroy their handwritten notes?" are referred to as
____ questions.
a. hypothetical
b. attorney
c. setup
d. nested

c. Expert opinions cannot be presented without stating the underlying factual basis.
a. true
b. false

d. The advantage of recording hash values is that you can determine whether data has changed.
t/f

159. a

(No Answer)
a. What file type below, associated with VMware, stores VM paging files that are used as RAM for a virtual machine
a. .nvram
b. .vmen
c. .vmpage
d. .vmx

b. Which option below is not a disk management tool?


a. Partition Magic
b. Partition Master
c. GRUB
d. HexEdit

c. CORRECT: What method below is not an effective method for isolating a mobile device from receiving signals?
a. placing the device into a plastic evidence bag
b. placing the device into a paint can, preferably one previously containing radio-wave blocking paint
c. placing the device into airplane mode
d. turning the device off

d. Which of the following is NOT a service level for the cloud


a. Platform as a service
b. Infrastructure as a service
c. Virtualization as a service
d. Software as a service


160. b

(No Answer)
a. Technical terms, if included in a report, should be defined in ordinary language such that lawyers, judges, and jurors can understand them.
a. true
b. false

b. The ??? Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox
and the client's system
a. read_filejournal
b. filetx.log
c. filecache.dbx
d. filecache.dll

c. CORRECT: The ??? utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook
a. fixmail.exe
b. scanpst.exe
c. repairpst.exe
d. rebuildpst.exe

d. What standard introduced sleep mode to enhance battery life, and is used with TDMA?
a. IS-99
b. IS-140
c. IS-136
d. IS-95

161. b

(No Answer)
a. When writing a report, group related ideas and sentences into ___________________,
a. chapters
b. sections
c. paragraphs
d. separate reports

b. The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to filter known
program files from view and contains the hash values of known illegal files.
a. DeepScan Filter
b. Unknown File Filter (UFF)
c. Known File Filter (KFF)
d. FTK Hash Imager

c. The ___ command line program is a common way of examining network traffic, which provides records of network activity while it is
running, and produces hundreds of thousands of records
a. netstat
b. ls
c. ifconfig
d. tcpdump

d. CORRECT: The report generator in ProDiscover defaults to ______________________, which can be opened by most word processors.
a. HyperText Markup Language (HTML)
b. Rich Text Format (RTF)
c. Extensible Markup Language (XML)
d. Microsoft Word document format


162. d

(No Answer)
a. As an expert witness, you have opinions about what you have found or observed.
a. true
b. false

b. Which of the following is not a valid source for cloud forensics training
a. SANS Cloud Forensics with F-Response
b. A+ Security
c. INFOSEC Institute
d. (ISC)2 Certified Cyber Forensics Professional

c. CORRECT: What command below could be used on a UNIX system to help locate log directories
a. show log
b. detail
c. search
d. find

d. What format below is used for VMware images?


a. .vhd
b. .vmdk
c. .s01
d. .aff

163. a

(No Answer)
a. In order to retrieve logs from Exchange, the PowerShell cmdlet ??? can be used
a. GetExchangeLogs.psl
b. GetLogInfo.psl
c. ShowExchangeHistrory.psl
d. GetTransactionLogStats.psl

b. Computer forensics examiners have two roles: fact witness and ____ witness.
a. professional
b. direct
c. discovery
d. expert

c. CORRECT: As an expert witness, you have opinions about what you have found or observed.
a. true
b. false

d. Which option below is the correct path to the sendmail configuration file
a. /var/etc/sendmail.cf
b. /var/mail/sendmail.cf
c. /usr/local/sendmail.cf
d. /etc/mail/sendmail.cf


164. a

(No Answer)
a. Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider
a. search warrants
b. subpoenas
c. court orders
d. seizure order

b. The advantage of recording hash values is that you can determine whether data has changed.
t/f

c. CORRECT: While travelling internationally with a GSM phone, you can pop in a SIM card for the country you're currently in, rather than
get a new phone.
a. true
b. false

d. When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and
documented?
a. Inventory and documentation information should be stored on a drive and then the drive should be reformatted.
b. Start the suspect's computer and begin collecting evidence.
c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
d. Connect the suspect's computer to the local network so that up to date forensics utilities can be utilized.

165. true

(No Answer)
a. The ___ is the version of Pcap available for Linux based operating systems
a. Wincap
b. Libcap
c. Tcpcap
d. Netcap

b. CORRECT: One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you
collect is essential for presenting evidence in court.
t/f

c. An Internet e-mail is generally part of a local network, and is maintained and managed by an administrator for internal use by a specific
company
T/F

d. One of the most noteworthy e-mail scams was 419, otherwise known as the ???
a. Nigerian Scam
b. Lake Venture Scam
c. Conficker virus
d. Iloveyou Scam


166. b

(No Answer)
a. ____ is a written list of objections to certain testimony or exhibits.
a. defendant
b. empanelling the jury
c. plaintiff
d. motion in limine

b. CORRECT: At what offset is a prefetch file's create date & time located
a. 0x88
b. 0x80
c. 0x98
d. 0x90

c. Regarding a trial, the term ____ means rejecting potential jurors.


a. voir dire
b. rebuttal
c. strikes
d. venireman

d. A ____ differs from a trial testimony because there is no jury or judge.


a. rebuttal
b. plaintiff
c. civil case
d. deposition

167. true

(No Answer)
a. Exchange uses an Exchange database and is based on the ???, which uses several files in different combinations to provide e-mail
service
a. Microsoft Mail Storage Engine (MSE)
b. Microsoft Stored Mail Extension (SME)
c. Microsoft Extended Mail Storage (EMS)
d. Microsoft Extensible Storage Engine (ESE)

b. On what mobile device platform does Facebook use a SQLite database containing friends, their ID numbers, and phone numbers as well as
files that tracked all uploads, including pictures?
a. Android
b. Blackberry
c. Windows RT
d. iPhone

c. CORRECT: Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific files or
sectors.
t/f

d. People need ethics to help maintain their balance, especially in difficult and contentious situations.
a. true
b. false


168. b

(No Answer)
a. What processor instruction set is required in order to utilize virtualization software
a. AMD-VT
b. Intel VirtualBit
c. Virtual Machine Extensions (VMX)
d. Virtual Hardware Extensions (VHX)

b. In older versions of Exchange, what type of file was responsible for messages formatted with Messaging Application Programming
Interface, and served as the database file
a. .ost
b. edp
c. .edb
d. .edi

c. Sometimes opposing attorneys ask several questions inside one question; this practice is called a ____ question.
a. leading
b. hypothetical
c. compound
d. rapid-fire

d. CORRECT: Most Code Division Multiple Access networks conform to IS-95. The systems are referred to as CDMAOne, and when they
went to 3G service, they became CDMAThree
a. true
b. false

169. c

(No Answer)
a. If a report is long and complex, you should include a(n) _____________.
a. appendix
b. abstract
c. glossary
d. table of contents

b. Which of the following is not a type of peripheral memory card used in PDAs?
a. Secure Digital (SD)
b. Compact Flash (CF)
c. Multimedia Card (MMC)
d. RamBus (RB)

c. Within Windows Vista and later, partition gaps are _____________ bytes in length.
a. 64
b. 128
c. 256
d. 512

d. CORRECT: Most Code Division Multiple Access (CDMA) networks conform to ____________ , created by the Telecommunications
Industry Association (TIA).
a. TS-95
b. 802.11
c. IS-95
d. IS-136


170. b

(No Answer)
a. In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant.
t/f

b. Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords:
a. Last Bit
b. AccessData PRTK
c. OSForensics
d. Passware

c. What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and taking pictures?
a. Manual extraction
b. Chip-off
c. Micro read
d. Logical extraction

d. CORRECT: In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition
clusters?
a. NTFS
b. FAT
c. HFSX
d. Ext3fs

171. c

(No Answer)
a. If a report is long and complex, you should include a(n) _____________.
a. appendix
b. abstract
c. glossary
d. table of contents

b. CORRECT: The most important laws applying to attorneys and witnesses are the ____.
a. professional ethics
b. rules of ethics
c. rules of evidence
d. professional codes of conduct

c. Currently, expert witnesses testify in more than __ percent of trials.


a. 55
b. 80
c. 92
d. 78

d. One of the most noteworthy e-mail scams was 419, otherwise known as the ???
a. Nigerian Scam
b. Lake Venture Scam
c. Conficker virus
d. Iloveyou Scam


172. d

(No Answer)
a. Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords:
a. Last Bit
b. AccessData PRTK
c. OSForensics
d. Passware

b. What information is not typically included in an e-mail header


a. the sender's physical location
b. the originating IP address
c. the unique ID of the e-mail
d. the originating domain

c. At what layers of the OSI model do most packet analyzers function


a. layer 1 or 2
b. layer 2 or 3
c. layer 3 or 4
d. layer 4 or 5

d. CORRECT: Select below the option that is not a common type 1 hypervisor
a. VMware vSphere
b. Microsoft Hyper-V
c. Citrix XenServer
d. Oracle VirtualBox

173. b

(No Answer)
a. CORRECT: People who fear having their ______________ acts revealed feel as though they must protest the ________________ acts of
others being revealed.
a. legal
b. improper
c. secret
d. public

b. People need ethics to help maintain their balance, especially in difficult and contentious situations.
a. true
b. false

c. The most important laws applying to attorneys and witnesses are the ____.
a. professional ethics
b. rules of ethics
c. rules of evidence
d. professional codes of conduct

d. A report can provide justification for collecting more evidence and be used at a probable cause hearing.
a. true
b. false


174. a

(No Answer)
a. The ??? Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox
and the client's system
a. read_filejournal
b. filetx.log
c. filecache.dbx
d. filecache.dll

b. What standard introduced sleep mode to enhance battery life, and is used with TDMA?
a. IS-99
b. IS-140
c. IS-136
d. IS-95

c. CORRECT: A report can provide justification for collecting more evidence and be used at a probable cause hearing.
a. true
b. false

d. A ??? is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed through the
application's Web interface
a. configuration manager
b. management plane
c. backdoor
d. programming language

175. d

(No Answer)
a. CORRECT: The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications,
and images, but does not list hash values of known illegal files.
a. Open Hash Database
b. HashKeeper Online
c. National Hashed Software Referenced.
d. National Software Reference Library

b. The ________________ technology uses the IEEE 802.16e standard and Orthogonal Frequency Division Multiple Access (OFDMA) and
supports transmission speeds of 12 Mbps
a. WiMAX
b. CDMA
c. UMB
d. MIMO

c. An ___________________ is a document that serves as a guideline for knowing what questions to expect when you're testifying.
a. testimony procedure
b. examination plan
c. planned questionnaire
d. testimony excerpt

d. How you format _____________ is less important than being consistent in applying formatting.
a. words
b. text
c. paragraphs
d. sections


176. d

(No Answer)
a. In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters
a. Slow-NetworkAdapters
b. Query-ipconfig
c. Get-VMNetworkAdapter
d. Dump-Betconfig

b. The _________________ numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report,
and each Arabic numeral is an important piece of supporting information.
a. decimal
b. ordered-sequential
c. legal-sequential
d. reverse-order

c. CORRECT: In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer.
a. format
b. fdisk
c. grub
d. diskpart

d. Lawyers may request _________________ of previous testimony by their own potential experts to ensure that the experts haven't
previously testified to a contrary position.
a. warrants
b. transcripts
c. subpoenas
d. evidence

177. d

(No Answer)
a. CORRECT: Which option below is the correct path to the sendmail configuration file
a. /var/etc/sendmail.cf
b. /var/mail/sendmail.cf
c. /usr/local/sendmail.cf
d. /etc/mail/sendmail.cf

b. Expert opinions cannot be presented without stating the underlying factual basis.
a. true
b. false

c. Where is the snapshot database created by Google Drive located in Windows


a. C:/Program Files/Google/Drive
b. C:/Users/username/AppData/Local//Google/Drive
c. C:/Users/username/Google/Google drive
d. C:/Google/drive

d. Which of the following is not a valid source for cloud forensics training
a. SANS Cloud Forensics with F-Response
b. A+ Security
c. INFOSEC Institute
d. (ISC)2 Certified Cyber Forensics Professional


178. b

(No Answer)
a. The ??? Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox
and the client's system
a. read_filejournal
b. filetx.log
c. filecache.dbx
d. filecache.dll

b. When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
a. technical/scientific
b. expert
c. lay witness
d. deposition

c. CORRECT: Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give
your testimony.
a. setup
b. open-ended
c. compound
d. rapid-fire

d. The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be
seized usually describes physical hardware rather than data, unless the CSP is a suspect. T/F

179. b

(No Answer)
a. As an expert witness, you have opinions about what you have found or observed.
a. true
b. false

b. When writing a report, group related ideas and sentences into ___________________,
a. chapters
b. sections
c. paragraphs
d. separate reports

c. The term for detecting and analyzing steganography files is _________________.


a. carving
b. steganology
c. steganalysis
d. steganomics

d. CORRECT: If a report is long and complex, you should include a(n) _____________.
a. appendix
b. abstract
c. glossary
d. table of contents


180. a

(No Answer)
a. At what layers of the OSI model do most packet analyzers function
a. layer 1 or 2
b. layer 2 or 3
c. layer 3 or 4
d. layer 4 or 5

b. CORRECT: What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and
taking pictures?
a. Manual extraction
b. Chip-off
c. Micro read
d. Logical extraction

c. What type of Facebook profile is usually only given to law enforcement with a warrant
a. private profile
b. advanced profile
c. basic profile
d. Neoprint profile

d. What organization is responsible for the creation of the requirements for carriers to be considered 4G?
a. IEEE
b. ITU-R
c. ISO
d. TIA

181. false

(No Answer)
a. As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.
a. true
b. false

b. CORRECT: In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant.
t/f

c. In order to retrieve logs from Exchange, the PowerShell cmdlet ??? can be used
a. GetExchangeLogs.psl
b. GetLogInfo.psl
c. ShowExchangeHistrory.psl
d. GetTransactionLogStats.psl

d. What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact
a. iNet
b. ARIN
c. Google
d. ERIN


182. c

(No Answer)
a. CORRECT: A ____________ image file containing software is intended to be bit-stream copied to floppy disks or other external media.
a. fdisk
b. format
c. dd
d. DiskEdit

b. The ________________ technology uses the IEEE 802.16e standard and Orthogonal Frequency Division Multiple Access (OFDMA) and
supports transmission speeds of 12 Mbps
a. WiMAX
b. CDMA
c. UMB
d. MIMO

c. The Google Drive file ??? contains a detailed list of a user's cloud transactions
a. loggedtransactions.log
b. sync_log.log
c. transact_user.db
d. history.db

d. An ___________________ is a document that serves as a guideline for knowing what questions to expect when you're testifying.
a. testimony procedure
b. examination plan
c. planned questionnaire
d. testimony excerpt

183. d

(No Answer)
a. CORRECT: If a microphone is present during your testimony, place it ____ to eight inches from you.
a. 3
b. 4
c. 5
d. 6

b. Within Windows Vista and later, partition gaps are _____________ bytes in length.
a. 64
b. 128
c. 256
d. 512

c. If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training.
a. 2
b. 3
c. 4
d. 5

d. You provide ____ testimony when you answer questions from the attorney who hired you.
a. direct
b. cross
c. examination
d. rebuttal


184. b

(No Answer)
a. CORRECT: How you format _____________ is less important than being consistent in applying formatting.
a. words
b. text
c. paragraphs
d. sections

b. The _________________ numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report,
and each Arabic numeral is an important piece of supporting information.
a. decimal
b. ordered-sequential
c. legal-sequential
d. reverse-order

c. The _______________ component is made up of radio transceiver equipment that defines cells and communicates with mobile phones;
sometimes referred to as a "cell phone tower".
a. Base station controller (BSC)
b. Mobile switching center (MSC)
c. Base transceiver controller (BTC)
d. Base transceiver station (BTS)

d. In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer.
a. format
b. fdisk
c. grub
d. diskpart

185. b

(No Answer)
a. The most important laws applying to attorneys and witnesses are the ____.
a. professional ethics
b. rules of ethics
c. rules of evidence
d. professional codes of conduct

b. CORRECT: Currently, expert witnesses testify in more than __ percent of trials.


a. 55
b. 80
c. 92
d. 78

c. Discuss any potential problems with your attorney ____ a deposition.


a. before
b. after
c. during
d. during direct examination at

d. Regarding a trial, the term ____ means rejecting potential jurors.


a. voir dire
b. rebuttal
c. strikes
d. venireman


186. a

(No Answer)
a. What file type below, associated with VMware, stores VM paging files that are used as RAM for a virtual machine
a. .nvram
b. .vmen
c. .vmpage
d. .vmx

b. The Suni Munshani v. Signal Lake Venture Fund II, LP et al case is an example of a case that involves e-mail ???
a. destruction
b. spamming
c. spoofing
d. theft

c. Which of the NIST guidelines below requires using a modified boot loader to access RAM for analysis?
a. Chip-off
b. Manual extraction
c. Hex dumping
d. Micro read

d. CORRECT: Technical terms, if included in a report, should be defined in ordinary language such that lawyers, judges, and jurors can
understand them.
a. true
b. false

187. false

(No Answer)
a. CORRECT: A search warrant can be used in any kind of case, either civil or criminal
T/F

b. The American Bar Association (ABA) is a licensing body.


a. true
b. false

c. The ??? utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook
a. fixmail.exe
b. scanpst.exe
c. repairpst.exe
d. rebuildpst.exe

d. Select the file below that is used in VirtualBox to create a virtual machine
a. .vdi
b. .vbox
c. .r0
d. ova


188. a

(No Answer)
a. The most important laws applying to attorneys and witnesses are the ____.
a. professional ethics
b. rules of ethics
c. rules of evidence
d. professional codes of conduct

b. Which type of report typically takes place in an attorney's office?


a. Examination Plan
b. Written Report
c. Preliminary Report
d. Verbal Report

c. Where is the snapshot database created by Google Drive located in Windows


a. C:/Program Files/Google/Drive
b. C:/Users/username/AppData/Local//Google/Drive
c. C:/Users/username/Google/Google drive
d. C:/Google/drive

d. CORRECT: One of the most noteworthy e-mail scams was 419, otherwise known as the ???
a. Nigerian Scam
b. Lake Venture Scam
c. Conficker virus
d. Iloveyou Scam

189. true

(No Answer)
a. What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords?
a. salted passwords
b. scrambled passwords
c. indexed passwords
d. master passwords

b. CORRECT: The Pagefile.sys file on a computer can contain message fragments from instant messaging applications
T/F

c. What organization is responsible for the creation of the requirements for carriers to be considered 4G?
a. IEEE
b. ITU-R
c. ISO
d. TIA

d. Syslog is generally configured to put all e-mail related log information into what file
a. /usr/log/mail.log
b. /var/log/message
c. /proc/mail
d. /var/log/maillog


190. c

(No Answer)
a. The ??? utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook
a. fixmail.exe
b. scanpst.exe
c. repairpst.exe
d. rebuildpst.exe

b. What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a
copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in coming to
those opinions?
a. rule 24
b. rule 35
c. rule 36
d. rule 26

c. CORRECT: The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific
principle or discovery; the thing from which the deduction is made must be sufficiently established to have gained general acceptance in
the particular field in which it belongs", was established in what court case?
a. Daubert v. Merrell Dow Pharmaceuticals, Inc
b. Smith v. United States
c. Frye v. United States
d. Dillon v. United States

d. In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant.
t/f

191. a

(No Answer)
a. What digital network technology was developed during World War II?
a. TDMA
b. CDMA
c. GSM
d. iDEN

b. There are two types of depositions: ____ and testimony preservation.


a. examination
b. discovery
c. direct
d. rebuttal

c. CORRECT: What Windows Registry key contains associations for file extensions
a. HKEY_CLASSES_ROOT
b. HKEY_USERS
c. HKEY_LOCAL_MACHINE
d. HKEY_CURRENT_CONFIG

d. At what layers of the OSI model do most packet analyzers function


a. layer 1 or 2
b. layer 2 or 3
c. layer 3 or 4
d. layer 4 or 5


192. d

(No Answer)
a. Which of the following is not a valid source for cloud forensics training
a. SANS Cloud Forensics with F-Response
b. A+ Security
c. INFOSEC Institute
d. (ISC)2 Certified Cyber Forensics Professional

b. What digital network technology was developed during World War II?
a. TDMA
b. CDMA
c. GSM
d. iDEN

c. Which service below does not put log information into /var/log/maillog
a. SMTP
b. Exchange
c. IMAP
d. POP

d. CORRECT: Which option below is not a disk management tool?


a. Partition Magic
b. Partition Master
c. GRUB
d. HexEdit

193. c

(No Answer)
a. What digital network technology was developed during World War II?
a. TDMA
b. CDMA
c. GSM
d. iDEN

b. Where is the snapshot database created by Google Drive located in Windows


a. C:/Program Files/Google/Drive
b. C:/Users/username/AppData/Local//Google/Drive
c. C:/Users/username/Google/Google drive
d. C:/Google/drive

c. While travelling internationally with a GSM phone, you can pop in a SIM card for the country you're currently in, rather than get a new
phone.
a. true
b. false

d. CORRECT: The ??? is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for
privacy agreements, security measures, questionnaires, and more
a. OpenStack Framework Alliance
b. vCloud Security Advisory Panel
c. Cloud Security Alliance
d. Cloud Architecture Group


194. b

(No Answer)
a. When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
a. technical/scientific
b. expert
c. lay witness
d. deposition

b. What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site
marketing
a. Amazon EC2
b. IBM Cloud
c. Salesforce
d. HP Helion

c. What digital network technology is a digital version of the original analog standard for cell phones?
a. GSM
b. CDMA
c. iDEN
d. D-AMPS

d. CORRECT: In what court case did the court summarize the process of determining whether an expert should be disqualified because
of previous contact with an opposing party?
a. Tidemann v. Toshiba Corp
b. Wang Laboratories, Inc v. Toshiba Corp
c. Tidemann v. Nadler Golf Car Sales, Inc
d. Hewlett-Packard v. EMC Corp

195. c

(No Answer)
a. Discuss any potential problems with your attorney ____ a deposition.
a. before
b. after
c. during
d. during direct examination at

b. Which option below is not a disk management tool?


a. Partition Magic
b. Partition Master
c. GRUB
d. HexEdit

c. What command below could be used on a UNIX system to help locate log directories
a. show log
b. detail
c. search
d. find

d. CORRECT: How many words should be in the abstract of a report?


a. 50 to 100 words
b. 100 to 150 words
c. 150 to 299 words
d. 200 to 250 words
