QUESTION 1 Because a file extension isn't the most reliable way of identifying
Question
QUESTION 1
Because a file extension isn't the most reliable way of identifying a given file, a good forensic tool should be able to identify files based on the header, not the file extension. This comparison is generally known as a file signature analysis.
True
False
5 points
QUESTION 2
Data in RAM are considered volatile data and thus of value to investigators.
True
False
5 points
QUESTION 3
Latent data is a term to describe data that has been deleted or partially overwritten.
True
False
QUESTION 4
When you see unallocated space, it is okay to ignore it, as it can be considered empty space.
True
False
5 points
QUESTION 5
Slack space (or "file slack") should be of interest to investigators, as you may be able to recover fragments of the previous file.
True
False
5 points
QUESTION 6
The Locard Principle is a great way to guide your thinking, as there will be some kind of digital "fingerprint" should a computer or network be accessed. There's always a trace!
True
False
5 points
QUESTION 7
There are two kinds of read/write blockers: software and hardware based.
True
False
5 points
QUESTION 8
FTK Imager would be considered a software read/write blocker.
True
False
5 points
QUESTION 9
Following the order of volatility is a good way to prioritize the evidence to be collected.
True
False
5 points
QUESTION 10
Following the chain of custody process is not a necessary element of making sure the evidence is considered trustworthy and admissible.
True
False
5 points
QUESTION 11
Cloning a hard drive means you are making a copy of the active data on the hard drive.
True
False
5 points
QUESTION 12
Hashing helps you confirm that a clone is an exact duplicate of the evidence drive.
True
False
5 points
QUESTION 13
When collecting memory (or RAM data), one file to collect is the hibernation file (hiberfil.sys).
True
False
5 points
QUESTION 14
The Windows registry, a database of configuration files, does not play a role in forensic investigations and thus can be ignored.
True
False
5 points
QUESTION 15
Metadata can be highly valuable in giving you additional insights as to how and when the data was manipulated (and in some cases, even the identity of the author!).
True
False
5 points
QUESTION 16
Link artifacts (.LNK) can be useful in proving the existence of an actual file, e.g. a bad actor may delete a file but not delete the .LNK artifacts, which can show when someone actually opened the file in question.
True
False
5 points
QUESTION 17
Anti-forensics can include techniques like encryption, steganography, data destruction, or timestomping.
True
False
5 points
QUESTION 18
Before collecting evidence, you don't need to worry about whether or not you have search authority. It's better to do it and then ask for forgiveness later.
True
False
5 points
QUESTION 19
Electronic discovery is very similar to digital forensics, where the person may be using the same tools, because it is all about making sure you can show chain of custody, integrity and admissibility of the data that is offered to the court.
True
10 points
QUESTION 20
When analyzing a user's Internet history, the NTUSER.Dat is one of the many valuable artifacts because it includes the user's browser history.
True
False
Explanation / Answer
Answer)
1) False.
The header along with the file extension is looked for.
2) True.
The data in RAM are volatile.
3) True.
This helps the forensic team to find files which are deleted and modified.
As per Chegg policy, a minimum of 1 question can be answered. We did 3.
Hit like if you find the answer useful. :)
Hope this answer helps. Thanks
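As an added example (not part of the quiz or the answer above), a minimal file signature analysis of the kind Question 1 describes: the type claimed by the extension is compared with the header's magic bytes, and disagreement is flagged. The signature table covers a few well-known formats and the sample headers are constructed for illustration.

```python
"""File signature (magic-byte) analysis: identify a file by its header and flag
disagreement with its extension. Added example, not from the quiz."""
import os
from typing import Optional

# Well-known header signatures at offset 0. docx/xlsx/jar share the ZIP
# container, so the lookup is extension -> signature family, not 1:1.
SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "pe": [b"MZ"],            # Windows executables and DLLs
}
EXT_TO_FAMILY = {
    ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".pdf": "pdf",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".jar": "zip",
    ".exe": "pe", ".dll": "pe",
}

def identify_by_header(data: bytes) -> Optional[str]:
    """Return the family whose magic bytes start the data, or None if unknown."""
    for family, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return family
    return None

def signature_check(filename: str, data: bytes) -> dict:
    """Compare the header-derived type with what the extension claims. A file is
    flagged when a known signature is present but the extension says otherwise."""
    claimed = EXT_TO_FAMILY.get(os.path.splitext(filename)[1].lower())
    detected = identify_by_header(data)
    mismatch = detected is not None and detected != claimed
    return {"file": filename, "claimed": claimed, "detected": detected, "mismatch": mismatch}

# Constructed sample headers (first bytes only), not real evidence files.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",  # extension agrees with header
    "invoice.pdf": b"PK\x03\x04\x14\x00\x06\x00",        # ZIP container renamed to .pdf
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",          # PE executable posing as text
    "readme.md": b"# Investigation notes\n",              # no signature in the table
}

def scan_samples() -> list:
    return [signature_check(name, data) for name, data in SAMPLES.items()]

if __name__ == "__main__":
    for r in scan_samples():
        print(f"{r['file']:<12} claimed={r['claimed']} detected={r['detected']} mismatch={r['mismatch']}")
```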