Monday, 13 March 2017

CIS 562 Week 11 Final Exam – Strayer New

Chapters 7 Through 16

Chapter 7: Current Computer Forensics Tools

TRUE/FALSE

1. When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.


2. In software acquisition, there are three types of data-copying methods.


3. To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.


4. The Windows platforms have long been the primary command-line interface OSs.


5. After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.


MULTIPLE CHOICE

1. Computer forensics tools are divided into ____ major categories.
a. 2
b. 3
c. 4
d. 5



2. Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.
a. backup file
b. firmware
c. image file
d. recovery copy



3. To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable.
a. UNIX
b. MAC OS X
c. Linux
d. MS-DOS



4. Raw data is a direct copy of a disk drive. An example of a raw image is output from the UNIX/Linux ____ command.
a. rawcp
b. dd
c. d2dump
d. dhex



5. ____ of data involves sorting and searching through all investigation data.
a. Validation
b. Discrimination
c. Acquisition
d. Reconstruction



6. Many password recovery tools have a feature that allows generating potential lists for a ____ attack.
a. brute-force
b. password dictionary
c. birthday
d. salting



7. The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk.
a. partition-to-partition
b. image-to-partition
c. disk-to-disk
d. image-to-disk



8. To complete a forensic disk analysis and examination, you need to create a ____.
a. forensic disk copy
b. risk assessment
c. budget plan
d. report



9. The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems.
a. Apple
b. Atari
c. Commodore
d. IBM



10. In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network.
a. Dir
b. ls
c. Copy
d. owner



11. In general, forensics workstations can be divided into ____ categories.
a. 2
b. 3
c. 4
d. 5



12. A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____.
a. stationary workstation
b. field workstation
c. lightweight workstation
d. portable workstation



13. ____ is a simple drive-imaging station.
a. F.R.E.D.
b. SPARC
c. FIRE IDE
d. DiskSpy



14. ____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.
a. Drive-imaging
b. Disk editors
c. Workstations
d. Write-blockers



15. Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0, and SCSI controllers.
a. USB
b. IDE
c. LCD
d. PCMCIA



16. The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
a. CFTT
b. NIST
c. FS-TST
d. NSRL



17. The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.
a. ISO 3657
b. ISO 5321
c. ISO 5725
d. ISO 17025



18. The NIST project whose goal is to collect all known hash values for commercial software applications and OS files is ____.
a. NSRL
b. CFTT
c. FS-TST
d. PARTAB



19. The primary hash algorithm used by the NSRL project is ____.
a. MD5
b. SHA-1
c. CRC-32
d. RC4



20. One way to compare your results and verify your new forensic tool is by using a ____, such as Hex Workshop or WinHex.
a. disk imager
b. write-blocker
c. bit-stream copier
d. disk editor



21. Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file's contents.
a. testing, compressed
b. scanning, text
c. testing, pdf
d. testing, doc



COMPLETION

1. Software forensic tools are grouped into command-line applications and ____________________ applications.


2. The Windows application of EnCase requires a(n) ____________________ device, such as FastBloc, to prevent Windows from accessing and corrupting a suspect disk drive.


3. The ____________________ function is the most demanding of all tasks for computer investigators to master.


4. Because there are a number of different versions of UNIX and Linux, these platforms are referred to as ____________________ platforms.


5. Hardware manufacturers have designed most computer components to last about ____________________ months between failures.


MATCHING

Match each item with a statement below.
a. JFIF
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack


1. letters embedded near the beginning of all JPEG files

2. European term for carving

3. a direct copy of a disk drive

4. usually a laptop computer built into a carrying case with a small selection of peripheral options

5. one of the first MS-DOS tools used for a computer investigation

6. software-enabled write-blocker

7. system file where passwords may have been written temporarily

8. a tower with several bays and many peripheral devices

9. command-line disk acquisition tool from New Technologies, Inc.


SHORT ANSWER

1. What are the five major function categories of any computer forensics tool?


2. Explain the validation of evidence data process.


3. What are some of the advantages of using command-line forensics tools?


4. Explain the advantages and disadvantages of GUI forensics tools.


5. Illustrate how to consider hardware needs when planning your lab budget.


6. Describe some of the problems you may encounter if you decide to build your own forensics workstation.


7. Illustrate the use of a write-blocker on a Windows environment.


8. Briefly explain the NIST general approach for testing computer forensics tools.


9. Explain the difference between repeatable results and reproducible results.


10. Briefly explain the purpose of the NIST NSRL project.



Chapter 8: Macintosh and Linux Boot Processes and File Systems

TRUE/FALSE

1. If a file contains information, it always occupies at least one allocation block.


2. Older Macintosh computers use the same type of BIOS firmware commonly found in PC-based systems.


3. GPL and BSD variations are examples of open-source software.


4. A UNIX or Linux computer has two boot blocks, which are located on the main hard disk.


5. Under ISO 9660 for DVDs, the Micro-UDF (M-UDF) function has been added to allow for long filenames.


MULTIPLE CHOICE

1. Macintosh OS X is built on a core called ____.
a. Phantom
b. Panther
c. Darwin
d. Tiger



2. In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.
a. resource
b. node
c. blocks
d. inodes



3. The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is ____.
a. 32,768
b. 45,353
c. 58,745
d. 65,535



4. On older Macintosh OSs, all information about the volume is stored in the ____.
a. Master Directory Block (MDB)
b. Volume Control Block (VCB)
c. Extents Overflow File (EOF)
d. Volume Bitmap (VB)



5. With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
a. Extents overflow file
b. Volume Bitmap
c. Master Directory Block
d. Volume Control Block



6. On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB).
a. volume information block
b. extents overflow file
c. catalog
d. master directory block



7. Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement.
a. AIX
b. BSD
c. GPL
d. GRUB



8. The standard Linux file system is ____.
a. NTFS
b. Ext3fs
c. HFS+
d. Ext2fs



9. Ext2fs can support disks as large as ____ TB and files as large as 2 GB.
a. 4
b. 8
c. 10
d. 12



10. Linux is unique in that it uses ____, or information nodes, that contain descriptive information about each file or directory.
a. xnodes
b. extnodes
c. infNodes
d. inodes



11. To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of ____.
a. -1
b. 0
c. 1
d. 2



12. ____ components define the file system on UNIX.
a. 2
b. 3
c. 4
d. 5



13. The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive.
a. superblock
b. data block
c. boot block
d. inode block



14. LILO uses a configuration file named ____ located in the /etc directory.
a. Lilo.conf
b. Boot.conf
c. Lilo.config
d. Boot.config



15. Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of OSs.
a. 1989
b. 1991
c. 1994
d. 1995



16. On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive.
a. /dev/sda1
b. /dev/hdb1
c. /dev/hda1
d. /dev/ide1



17. There are ____ tracks available for the program area on a CD.
a. 45
b. 50
c. 99
d. 100



18. The ____ provides several software drivers that allow communication between the OS and the SCSI component.
a. International Organization of Standardization (ISO)
b. Advanced SCSI Programming Interface (ASPI)
c. CLV
d. EIDE
