Review of FRS301

2-3. Key Technical Concepts

CCSF's Web4 lets student enroll in
classes online. What type of cloud
computing is it?

A. SaaS
B. PaaS
C. IaaS
D. None of the above
A company moves to the cloud, taking images of
their servers, routers, and switches, and
deploying them to Amazon's servers as virtual
machines and software-defined networks. What
type of cloud service is that?

A. SaaS
B. PaaS
C. IaaS
D. None of the above
Tyler makes a Word document and saves it on
his desktop. What type of data is it?

A. Active data
B. Latent data
C. Archival data
D. Metadata
E. None of the above
Tyler deletes the document, so it goes into the
Recycle Bin. What type of data is it?

A. Active data
B. Latent data
C. Archival data
D. Metadata
E. None of the above
Tyler empties his Recycle bin, so the Word
document is gone. What type of data is it?

A. Active data
B. Latent data
C. Archival data
D. Metadata
E. None of the above
Tyler uses DISKPART and CLEAN ALL to write
zeroes to his whole hard drive, including the
Word document. What type of data is the Word
document now?

A. Active data
B. Latent data
C. Archival data
D. Metadata
E. None of the above
4. Labs and Tools
Which of these documents is most important,
and can ruin the evidence if it is lost?

A. Chain of custody
B. Examiner's final report
C. Summary
D. Detailed findings
E. Glossary
Which of these items must be written in clear,
non-technical English?

A. Chain of custody
B. Examiner's final report
C. Summary
D. Detailed findings
E. Glossary
Which is the most reliable forensic software?

A. FTK
B. EnCase
C. SleuthKit and Autopsy
D. ProDiscover
E. Never trust any of them, always use two
5-6. Collecting Evidence
Which item must be placed in a Faraday bag
immediately after seizure?

A. SD cards
B. Thumb drive
C. Hard disk
D. Cell phone
E. Laptop
Which item of evidence is the most volatile?

A. Deleted files on a hard disk

B. Downloads in progress
C. Archival data
D. Data stored in the cloud
E. USB thumbdrive data
If a suspect is using encryption, which data
below is likely to be lost if the device is powered
off?

A. Cell phone
B. USB thumb drive
C. Contents of RAM
D. Laptop hard drive
E. All of the above
Which is the first step done by a forensic
examiner who arrives at a crime scene?

A. Take photographs
B. Label devices
C. Take notes
D. Fill out Chain of Custody form
E. Remove extra people
Joe is making a clone of the evidence drive onto
a target drive. Which of these is not a good
practice?

A. Forensically wipe target drive first

B. Use antivirus to scan the forensic workstation
C. Use antivirus to scan the evidence drive
D. Use a hardware write-blocker
E. Calculate the MD5 hash
You find a laptop at a crime scene with a dead
battery. What type of acquisition should you
perform?

A. Live acquisition in a laboratory

B. Static acquisition in a laboratory
C. Live acquisition at the scene
D. Static acquisition at the scene
E. They are all equally useful
You find a cell phone at a crime scene with a
low battery, and no charger is available. What
type of acquisition should you perform?

A. Live acquisition in a laboratory

B. Static acquisition in a laboratory
C. Live acquisition at the scene
D. Static acquisition at the scene
E. They are all equally useful
7-8. Windows System Artifacts
Which type of data is created when a laptop lid
is closed?

A. Deleted data
B. Hiberfil
C. Page file
D. Registry
E. Metadata
Which type of data must be reconstructed with
file carving?

A. Thumbnails
B. MRU list
C. Restore points
D. Deleted data
E. Metadata
Where is the identity of the last-logged-in user
stored?

A. MRU list
B. Hiberfil
C. Page file
D. Registry
E. Metadata
Where is the Modified timestamp for a file
stored?

A. MRU list
B. Hiberfil
C. Page file
D. Registry
E. Metadata
9. Anti-forensics
What term best describes BASE64 encoding?

A. Encryption
B. Obfuscation
C. Steganography
D. Hashing
E. Destruction
Which method uses one key to encrypt, and a
different key to decrypt?

A. Symmetric encryption
B. Asymmetric encryption
C. Hashing
D. More than one of the above
E. None of the above
Which of these is a hardware device?

A. BitLocker
B. FileVault
C. TrueCrypt
D. TPM
E. EFS
If you see a repeated pattern of DEADBEEF for
a large portion of a hard drive, what does this
indicate?

A. BitLocker
B. FileVault
C. TrueCrypt
D. Drive wiping
E. Obfuscation
10. Legal
Which law protects you from third-party wiretaps?

A. Fourth amendment
B. First amendment
C. ECPA
D. SCA
E. ESI
Boston police searched houses for the bomber
without warrants. What justification did they have
for that?

A. Probable cause
B. Consent
C. Exigent circumstances
D. Reasonable expectation of privacy
E. Eminent domain
What starts as soon as there is a reasonable
expectation of litigation?

A. eDiscovery
B. Spoilation
C. Duty to preserve
D. ESI
E. Data sampling
11. Internet and Email
What is the technical term for the last part of a
Web address, such as .com or .net?

A. HTTP
B. TLD
C. IP
D. DNS
E. HTML
Which item is deceptive, often containing data
from a Web site the suspect never visited?

A. P2P
B. Index.dat
C. Cookie
D. Web cache
E. MSHist files
Which protocol is used to send email?

A. DNS
B. TCP
C. SMTP
D. IMAP
E. POP
12. Digital Forensics
and Networking
What type of network is the Internet?

A. WAN
B. PAN
C. MAN
D. CAN
E. LAN
What type of attack could be prevented by
egress filtering?

A. DDoS
B. IP Spoofing
C. MITM
D. Social engineering
E. Insider
What part of the Incident Response process
involves finding out how large the problem is and
making sure it stops growing?

A. Detection and analysis

B. Containment
C. Eradication
D. Recovery
E. Post-incident review
13-14. Mobile Device
Forensics
What is this?

A. Base station
B. Handoff
C. PSTN
D. SMS
E. MSC
Which phones use a ESN to identify them?

A. PSTN
B. CDMA
C. GSM
D. iDEN
E. GPS
Which phones use SIM cards?

A. PSTN
B. CDMA
C. GSM
D. iDEN
E. GPS
What is the most popular phone OS?

A. Windows Phone
B. Android
C. iOS
D. Symbian
E. Unix
Which devices store a track log of physical
locations automatically?

A. CDMA
B. GSM
C. iDEN
D. GPS
E. Prepaid
14. Reading: Looking Ahead
- Challenges and Concerns
Which term describes long-term off-site storage
of old data?

A. Data remanence
B. Cloud persistence
C. Previous versions
D. Time machine
E. BitLocker
Which term describes data accidentally left on
discarded devices?

A. Data remanence
B. Cloud persistence
C. Previous versions
D. Time machine
E. BitLocker
What activity of an SSD controller causes write
operations to one block to actually store data on
some other block?

A. Cloud persistence
B. Defragmentation
C. File translation layer
D. Garbage collection
E. IaaS
What activity of an SSD controller causes latent
data to vanish?

A. Cloud persistence
B. Defragmentation
C. File translation layer
D. Garbage collection
E. IaaS