Guide to Computer Forensics and Investigations, 3rd ed., 1418063312

Ch. 9 Solutions - 1

Chapter 9 Solutions

Review Questions

  1. Which of the following represents known files you can eliminate from an investigation? (Choose all that apply.)
     a. Any graphics files
     b. Files associated with an application
     c. System files the OS uses
     d. Any file pertaining to the company
  2. For which of the following reasons should you wipe a target drive?
     a. To ensure the quality of digital evidence you acquire
     b. To make sure unwanted data isn’t retained on the drive
     c. Neither of the above
     d. Both a and b
  3. FTK’s Known File Filter (KFF) can be used for which of the following purposes? (Choose all that apply.)
     a. Filter known program files from view
     b. Calculate hash values of image files
     c. Compare hash values of known files to evidence files
     d. Filter out evidence that doesn’t relate to your investigation
  4. For what legal and illegal purposes can you use steganography?
  5. Password recovery is included in all computer forensics tools. True or False?
  6. After you shift a file’s bits, the hash value still remains the same. True or False?
  7. Validating an image file once, the first time you open it, is sufficient. True or False?
  8. ______ happens when an investigation goes beyond the bounds of its original description.
  9. Suppose you’re investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?
     a. criminal investigation because subpoenas can be issued to acquire any needed evidence quickly
     b. criminal investigation because law enforcement agencies have more resources at their disposal
     c. internal corporate investigation because corporate investigators typically have ready access to company records
     d. internal corporate investigation because ISPs almost always turn over e-mail and access logs when required by a large corporation
  10. You’re using Disk Manager to view primary and extended partitions on a suspect’s drive. The program reports the extended partition’s total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?
     a. the disk is corrupted
     b. there’s a hidden partition
     c. nothing; this is what you’d expect to see
     d. the drive is formatted incorrectly
  11. Commercial encryption programs often rely on a technology known as ______ to recover files if a password or passphrase is lost.
  12. Steganography is used for which of the following purposes?
     a. validating data
     b. hiding data
     c. accessing remote computers
     d. creating strong passwords
  13. Which FTK search option is more likely to find text hidden in unallocated space: live search or indexed search?
  14. Which of the following statements about HDHOST is true? (Choose all that apply.)
     a. It can be used to access a suspect’s computer remotely.
     b. It requires installing the DiskExplorer program corresponding to the suspect’s file system.
     c. It can run surreptitiously to avoid detection.
     d. It works over both serial and TCP/IP interfaces.
  15. Which of the following tools is most helpful in accessing clusters marked as “bad” on a disk?
     a. Norton Disk Edit
     b. FTK
     c. ProDiscover
     d. HDHOST
     e. None of the above
  16. The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False?