Question 1
___________ is some method of modifying data so that it is meaningless and
unreadable in its current form.
Response: Data hiding
Score: Encryption
Question 2
The ability to hide data in another file is called:
Response: Steganography
Score: 1 out of 1 Yes
Question 3
The portion of a disk that contains no stored data, but may contain latent data is
called
Response: Unallocated space
Score: 1 out of 1 Yes
Question 4
When a file is deleted from a FAT filesystem:
Response: All of these
Score: 1 out of 1 Yes
Question 5
The smallest addressable unit of data by a HDD generally consists of:
Response: 512 bytes
Score: 1 out of 1 Yes
Question 6
You are a computer forensic examiner investigating a seized computer. You
recovered a document containing potential evidence. You find out that the file
system on the forensic image of the hard drive is File Allocation Table (FAT). What
information about the document file can be found in the FAT on the media? (Choose
all that apply.)
Response: Name of the file
Response: Date and time stamps of the file
Score: Starting cluster of the file
Fragmentation of the file
Question 7
What is the filesystem used by Windows Vista or 7?
Response: NTFS
Score: 1 out of 1 Yes
Question 8
USB drives use _____
Response: Flash memory
Score: 1 out of 1 Yes
Question 9
You are a computer forensic examiner investigating media on a seized computer. You
recovered a document containing potential evidence. You find out that the file
system on the forensic image of the hard drive is New Technology File System
(NTFS). What information about the document file can be found in the NTFS master
file table on the media? (Choose all that apply.)
Response: Name of the file
Response: Date and time stamps of the file
Response: Ownership of the file
Score: Name of the file
Date and time stamps of the file
Starting cluster of the file
Fragmentation of the file
Ownership of the file
Question 10
A file header is which of the following?
Response: A unique set of characters at the beginning of a file that identifies the
file type
Score: 1 out of 1 Yes
Question 11
_________ preserving evidence means that the information contained on the drive
down to the last bit never changes during seizing, analysis and storage.
Response: Logically
Score: 1 out of 1 Yes
Question 12
Metadata include _____, file sizes, MAC times, MD5 hashes, and more.
Response: None of these
Score: Full file names
Question 13
_______ is used to identify relevant files and fragments of relevant files.
Response: String searching
Score: 1 out of 1 Yes
Question 14
What is the main drawback of FAT16?
Response: Restricted disk size
Score: 1 out of 1 Yes
Question 15
Data cannot be recovered from a hard drive after the user has deleted all the
files
Response: False
Score: 1 out of 1 Yes
Question 16
You can make an exact copy of the hard drive by first cleaning the destination
drive by placing _______ in all the blocks
Response: Zeros
Score: 1 out of 1 Yes
Question 17
The Windows OS uses a file name’s ________ to associate files with the proper
applications.
Response: Signature
Score: Extension
Question 18
What is the main advantage of NTFS over FAT?
Response: Drive Speed
Score: Encryption
Question 19
A good way to ignore known files is to compare the ______ of every file in a
forensic duplication with a known set of hashes and ignore any matches.
Response: Active hashes
Score: Forensic hashes
Question 20
Data can be hidden in the spaces between files
Response: True
Score: 1 out of 1 Yes
Question 21
When trying to recover deleted files, make sure the forensic duplication is ______
so that it is not modified during your analysis.
Response: Write-only
Score: On the correct disk.
Question 22
The reason to place zeros in all of the hard drive blocks is because _______
Response: The ones in the blocks have to cancel with the zeros
Score: Unwanted data might have been left there and this will damage forensic
evidence.
Question 23
What filesystem is used by Linux?
Response: EXT3
Score: 1 out of 1