Forensic Course Overview Knowledge Check (Practice Quiz)
Q1) Digital forensics can be defined as the application of science to the identification, collection, examination, and analysis of what?
- Data
Q2) According to NIST, the four (4) steps of the forensic process include which? (Select 4)
- Collection
- Examination
- Analysis
- Reporting
The Forensics Process Knowledge Check (Practice Quiz)
Q1) According to NIST, a forensic analysis should include four elements: Places, Items, Events and what?
- People
Q2) True or False. A digital forensics report must contain details of every test conducted, the methods and tools used, and the results.
- True
Q3) Which section of a digital forensics report would contain a list of the steps you have taken to ensure the integrity of the evidence?
- Forensic Acquisition & Examination Preparation
Q4) Network activity, Application usage, Logs and Keystroke monitoring are all sources of what?
- Data
Q5) What are the three (3) main hurdles that must be overcome when examining data? (Select 3)
- Bypassing controls such as operating system and encryption passwords.
- Selecting the most effective tools to help with the searching and filtering of data.
- Dealing with a sea of data. A single hard drive will contain many thousands of files that are not relevant to our investigation.
Forensic Data Knowledge Check (Practice Quiz)
Q1) True or False. Only data files can be effectively analyzed during a forensic analysis.
- False
Q2) Most data files are smaller than the number of blocks allocated to their storage by the file system; the unused space is known as what?
- Slack space
Q3) What does file metadata known as "MAC" data stand for in the context of a forensic analysis?
- Modification, Access and Creation times
Q4) Open files are considered which data type?
- Volatile
Q5) True or False. When collecting forensic data from a running system, you should always attempt to collect volatile data first.
- True
Q6) Which operating system has a "Target Disk Mode" that allows a forensic investigator to easily make a copy of the target hard drive?
- Mac OS X
Q7) Which three (3) of the following are application components? (Select 3)
- Supporting files
- Log files
- Configuration settings
Q8) Which of these applications would likely be of the most interest in a forensic analysis?
Q9) What useful forensic data can be extracted from the Application layer of the TCP/IP protocol stack?
- HTTP addresses
Q10) Which device would you inspect if you were looking for failed attempts to penetrate your company's network?
- Firewall
Digital Forensics Assessment (Main Quiz)
Q1) Digital forensics is commonly applied to which of the following activities?
- All of the above
Q2) NIST includes which three (3) as steps in collecting data? (Select 3)
- Develop a plan to acquire the data
- Acquire the data
- Verify the integrity of the data
Q3) What is the primary purpose of maintaining a chain of custody?
- To avoid allegations of mishandling or tampering of evidence.
Q4) True or False. Digital forensics has been used to solve a number of high-profile violent crimes.
- True
Q5) True or False. A digital forensics report is a summary of your findings. If your case goes to trial, your testimony can, and usually does, involve far more detail than is in the report.
- False
Q6) Which section of a digital forensics report would include using the best practices of taking lots of screenshots, using the built-in logging options of your digital forensics tools, and exporting key data items into a .csv or .txt file?
- Findings & Analysis
Q7) Which types of files are appropriate subjects for forensic analysis?
- All of the above
Q8) Deleting a file results in what action by most operating systems?
- The memory registers used by the file are marked as available for new storage but are otherwise not changed.
Q9) Forensic analysis should always be conducted on a copy of the original data. What type of copying is appropriate for getting data from a live system that cannot be taken offline?
- A logical backup
Q10) How does a forensic analysis use hash sets acquired from NIST's Software Reference Library project?
- They can quickly eliminate known good operating system and application files from consideration.
Q11) Which three (3) of the following data types are considered non-volatile? (Select 3)
- Dump files
- Logs
- Swap files
Q12) Configuration files are considered which data type?
- Non-volatile
Q13) True or False. When collecting forensic data from a running system, you should always attempt to collect non-volatile data first.
- False
Q14) Which three (3) of the following are application components? (Select 3)
- Application architecture
- Authentication mechanisms
- Data files
Q15) Which of these applications would likely be of the least interest in a forensic analysis?
- Patch files
Q16) The Internet layer of the TCP/IP stack, also known as the Network layer in the OSI model, contains which two (2) protocols that are very useful to a forensic investigation? (Select 2)
- ICMP
- IPv4 / IPv6
Q17) Which device would you inspect if you were looking for event data correlated across a number of different network devices?
- Remote access server
Q18) Which of these sources might require a court order in order to obtain the data for forensic analysis?
- ISP records