Digital Forensics in Cybersecurity (D431/C840) Course Exam Questions and Answers
While collecting digital evidence from a running computer involved in a cybercrime, the forensic investigator makes a list of items that need to be collected.
Which piece of digital evidence should be collected first?
Which method of copying digital evidence ensures proper evidence collection?
Which tool should a forensic investigator use to determine whether data are leaving an organization through steganographic methods?
A police detective investigating a threat traces the source to a house. The couple at the house shows the detective the only computer the family owns, which is in their son's bedroom. The couple states that their son is presently in class at a local middle school.
How should the detective legally gain access to the computer?
Which type of information does a Windows SAM file contain?
Which Windows component is responsible for reading the boot.ini file and displaying the boot loader menu on Windows XP during the boot process?
Which method is used to implement steganography through pictures?
A forensic examiner is reviewing a laptop running OS X which has been compromised. The examiner wants to know if any shell commands were executed by any of the accounts.
Which log file or folder should be reviewed?
A forensic investigator is acquiring evidence from an iPhone.
What should the investigator ensure before the iPhone is connected to the computer?
A forensic investigator wants to collect evidence from a file created by a Macintosh computer running OS X 10.8.
Which file type can be created by this OS?
A USB flash drive was seized as evidence to be entered into a trial.
Which type of evidence is this USB flash drive?
Which file system is supported by Mac?
Which U.S. law protects journalists from turning over their work or sources to law enforcement before the information is shared with the public?
A victim of Internet fraud fell for an online offer after using a search engine to find a deal on an expensive software purchase. Once the victim learned about the fraud, he contacted a forensic investigator for help.
Which digital evidence should the investigator collect?
How is the Windows swap file, also known as page file, used?
An organization is determined to prevent data leakage through steganography. It has developed a workflow that all outgoing data must pass through. The company will implement a tool as part of the workflow to check for hidden data.
Which tool should be used to check for the existence of steganographically hidden data?
An organization has identified a system breach and has collected volatile data from the system.
Which evidence type should be collected next?
What are the three basic tasks that a systems forensic specialist must keep in mind when handling evidence during a cybercrime investigation?
Which information is included in an email header?
An organization believes that a company-owned mobile phone has been compromised.
Which software should be used to collect an image of the phone as digital evidence?
A forensic scientist is examining a computer for possible evidence of a cybercrime.
Why should the forensic scientist copy files at the bit level instead of the OS level when copying files from the computer to a forensic computer?
A forensic scientist arrives at a crime scene to begin collecting evidence.
What is the first thing the forensic scientist should do?
