ETI All MCQ


unit 2 - internet of things: mcqs

1. embedded systems are


A. general-purpose
B. special purpose
ans: b

2. embedded system is
A. an electronic system
B. a pure mechanical system
C. an electro-mechanical system
D. (a) or (c)
ans: d

3. which of the following is not true about embedded systems?

A. built around specialized hardware
B. always contain an operating system
C. execution behavior may be deterministic
D. all of these
E. none of these
ans: b

4. which of the following is not an example of a “small-scale embedded system”?


A. electronic barbie doll
B. simple calculator
C. cell phone
D. electronic toy car
ans: c

5. the first recognized modern embedded system is


A. apple computer
B. apollo guidance computer (agc)
C. calculator
D. radio navigation system
ans: b

6. the first mass-produced embedded system is


A. minuteman-i
B. minuteman-ii
C. autonetics d-17
D. apollo guidance computer (agc)
ans: c

7. which of the following is an (are) an intended purpose(s) of embedded systems?


A. data collection
B. data processing
C. data communication
D. all of these
E. none of these
ans: d

8. which of the following is (are) example(s) of an embedded system for data communication?

A. usb mass storage device
B. network router
C. digital camera
D. music player
E. all of these
F. none of these
ans: b

9. what are the essential tight constraints related to the design metrics of an embedded system?
A. ability to fit on a single chip
B. low power consumption
C. fast data processing for real-time operations
D. all of the above
ans: d

10. a digital multimeter is an example of an embedded system for


A. data communication
B. monitoring
C. control
D. all of these
E. none of these
ans: b

11. which of the following is an (are) example(s) of an embedded system for signal processing?
A. apple ipod (media player device)
B. sandisk usb mass storage device
C. both (a) and (b)
D. none of these
ans: d

12. the instruction set of a risc processor is

A. simple and fewer in number
B. complex and fewer in number
C. simple and larger in number
D. complex and larger in number
ans: a

13. which of the following is true about cisc processors?


A. the instruction set is non-orthogonal
B. the number of general-purpose registers is limited
C. instructions are like macros in c language
D. variable-length instructions
E. all of these
F. none of these
ans: e

14. main processor chip in computers is


A. asic
B. assp
C. cpu
D. cpld
ans: c

15. processors used in many microcontroller products need to be


A. high power
B. low power
C. low interrupt response
D. low code density
ans: b

16. in microcontrollers, uart is an acronym of

A. universal applied receiver/transmitter
B. universal asynchronous rectified transmitter
C. universal asynchronous receiver/transmitter
D. united asynchronous receiver/transmitter
ans: c

17. which architecture is followed by general-purpose microprocessors?


A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: b

18. which architecture involves both the volatile and non-volatile memory?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a

19. which architecture provides separate buses for program and data memory?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a

20. harvard architecture allows:

A. separate program and data memory
B. pipelining
C. complex architecture
D. all of the mentioned
ans: d

21. which of the following processor architecture supports easier instruction pipelining?
A. harvard
B. von neumann
C. both of them
D. none of these
ans: a

22. which of the following is an example of a wireless communication interface?

A. rs-232c
B. wi-fi
C. bluetooth
D. ieee 1394
E. both (b) and (c)
ans: e

23. arm stands for


A. advanced risc machine
B. advanced risc methodology
C. advanced reduced machine
D. advanced reduced methodology
ans: a

24. what is the processor used by arm7?


A. 8-bit cisc
B. 8-bit risc
C. 32-bit cisc
D. 32-bit risc
ans: d

25. the main importance of arm microprocessors is providing operation with


A. low cost and low power consumption
B. higher degree of multi-tasking
C. lower error or glitches
D. efficient memory management
ans: a

26. arm processors were basically designed for


A. mainframe systems
B. distributed systems
C. mobile systems
D. supercomputers
ans: c

27. asic chip is


A. simple in design.
B. manufacturing time is less.
C. it is faster.
D. both a&c.
ans: c

28. asic stands for


A. application-system integrated circuits
B. application-specific integrated circuits
C. application-system internal circuits
D. application-specific internal circuits
ans: b

29. in microcontrollers, i2c stands for


A. inter-integrated clock
B. initial-integrated clock
C. intel-integrated circuit
D. inter-integrated circuit
ans: d

30. ____ is the smallest microcontroller which can be programmed to perform a large range of tasks.

A. pic microcontrollers
B. arm microcontrollers
C. avr microcontrollers
D. asic microcontrollers
ans: a

31. ____ was developed in the year 1996 by atmel corporation.

A. pic
B. avr
C. arm
D. asic
ans: b

32. avr stands for ____.

A. advanced virtual risc.
B. alf-egil bogen and vegard wollan risc
C. both a & b
D. none of the above
ans: c

33. avr microcontroller executes most of its instructions in ____.

A. a single execution cycle.
B. a double execution cycle.
C. both a & b
D. none of the above.
ans: a

34. the term "the internet of things" was coined by


A. edward l. schneider
B. kevin ashton
C. john h.
D. charles anthony
ans: b

35. the huge numbers of devices connected to the internet of things have to communicate
automatically, not via humans, what is this called?
A. bot to bot(b2b)
B. machine to machine(m2m)
C. intercloud
D. skynet
ans: b

36. what does “things” in iot refer to?


A. general device
B. information
C. iot devices
D. object
ans: c

37. interconnection of internet and computing devices embedded in everyday objects, enabling
them to send and receive data is called
A. internet of things
B. network interconnection
C. object determination
D. none of these
ans: a

38. ____ is a computing concept that describes the idea of everyday physical objects being connected to the internet.

A. iot (internet of things)
B. mqtt
C. coap
D. spi
ans: a

39. ____ devices may support a number of interoperable communication protocols and communicate with other devices and also with infrastructure.

A. artificial intelligence
B. machine learning
C. internet of things
D. none of the above
ans: c

40. which one is not an element of iot?


A. process
B. people
C. security
D. things
ans:c

41. iiot stands for


A. information internet of things
B. industrial internet of things
C. innovative internet of things
D. none of the above
ans:b

42. which was the first recognized iot device?


A. smart watch
B. atm
C. radio
D. video game
ans: b

43. ____ is used by iot

A. radio information technology
B. satellite
C. cable
D. broadband
ans: a

44. ____ consists of communication protocols for electronic devices, typically a mobile device and a standard device.

A. rfid
B. mqtt
C. nfc
D. none of the above
ans: c

45. ____ refers to establishing a proper connection between all the things of iot.

A. connectivity
B. analyzing
C. sensing
D. active engagement
ans: a

46. iot devices have unique identities and can perform ____.

A. remote sensing
B. actuating
C. monitoring capabilities
D. all of the above
ans: d

47. the sensed data is communicated to ____.

A. cloud-based servers/storage.
B. i/o interfaces.
C. internet connectivity.
D. none of the above
ans: a

48. iot devices are of various types, for instance ____.

A. wearable sensors.
B. smartwatches.
C. led lights.
D. all of the above
ans: d

49. ____ is a collection of wired ethernet standards for the link layer.

A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans: a

50. ____ is a collection of wlan communication standards.

A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans: b

51. ____ is a collection of wireless broadband standards (wimax).

A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans: c

52. ____ is a collection of standards for lr-wpans.

A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans: d

53. lr-wpan standards form the basis of specifications for high-level communication protocols such as ____.

A. zigbee
B. allseen
C. tyrell
D. microsoft's azure
ans: a

54. ____ includes gsm and cdma.

A. 2g
B. 3g
C. 4g
D. none of the above
ans: a

55. ____ includes umts and cdma2000.

A. 2g
B. 3g
C. 4g
D. none of the above
ans: b

56. ____ includes lte.

A. 2g
B. 3g
C. 4g
D. none of the above
ans: c

57. ____ layer protocols determine how the data is physically sent over the network's physical layer or medium.
A. application layer
B. transport layer
C. network layer
D. link-layer
ans: d

58. ____ layer is responsible for sending ip datagrams from the source network to the destination network.
A. application layer
B. transport layer
C. network layer
D. link-layer
ans: c

59. ____ layer performs host addressing and packet routing.

A. application layer
B. transport layer
C. network layer
D. link-layer
ans: c

60. ____ protocols provide end-to-end message transfer capability independent of the underlying network.
A. network layer
B. transport layer
C. application layer
D. link-layer
ans: b

61. ____ protocols define how the applications interface with the lower-layer protocols to send the data over the network.
A. application layer
B. transport layer
C. network layer
D. link-layer
ans: a

62. 6lowpan stands for

A. 6 low personal area network
B. ipv6 low personal area network
C. ipv6 over low power wireless personal area network
D. none of the above
ans: c

63. 802.3 is the standard for 10base5 ethernet that uses ____ cable as the shared medium.
A. twisted pair cable
B. coaxial cable
C. fiber optic cable
D. none of the above
ans: b

64. ieee 802.11 standards provide data rates of

A. 10 gbit/s
B. 1 gbit/s
C. 1 mb/s up to 6.75 gb/s
D. 250 kb/s
ans: c

65. which of the following is a protocol related to iot?

A. zigbee
B. 6lowpan
C. coap
D. all of the above
ans: d

66. ____ is useful for time-sensitive applications that have very small data units to exchange and do not want the overhead of connection setup.
A. tcp
B. udp
C. transport layer
D. none of the above.
ans: b

67. ____ protocol uses universal resource identifiers (uris) to identify http resources.

A. http
B. coap
C. websocket
D. mqtt
ans: a

68. the 10/100mbit ethernet support enables the board to connect to


A. lan
B. man
C. wan
D. wlan
ans: a

69. which one out of these is not a data link layer technology?
A. bluetooth
B. uart
C. wi-fi
D. http
ans: d

70. what is the size of the ipv6 address?


A. 32 bits
B. 64 bits
C. 128 bits
D. 256 bits
ans: c

71. mqtt stands for


A. mq telemetry things
B. mq transport telemetry
C. mq transport things
D. mq telemetry transport
ans: d

72. for small, frequent telemetry messages from constrained devices, mqtt has lower overhead than http for sending and receiving data.
A. true
B. false
ans: a

73. mqtt is a ____ protocol.

A. machine to machine
B. internet of things
C. machine to machine and internet of things
D. machine things
ans: c

74. which protocol is lightweight?


A. mqtt
B. http
C. coap
D. spi
ans: a

75. mqtt is:
A. based on client-server architecture
B. based on publish-subscribe architecture
C. based on both of the above
D. based on none of the above
ans: b
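The publish-subscribe model behind questions 71 to 75 is easiest to see in code. The following is an added example, not part of the original question bank and not code from any mqtt broker: a small in-process broker in Python that implements the mqtt topic-filter matching rules ("+" matches one level, "#" matches the remainder, and wildcards never match "$"-prefixed system topics) and enforces a per-client topic ACL, the check a real broker must make so that a compromised device can neither publish to control topics nor subscribe to everything. Client names, topics and payloads are constructed for the example.

```python
from collections import defaultdict


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT topic-filter matching (MQTT 3.1.1 section 4.7).

    '+' matches exactly one topic level, '#' may only be the last level and
    matches all remaining levels (including none), and filters starting with
    a wildcard never match topics starting with '$' (broker-internal topics).
    """
    if topic.startswith("$") and filt[:1] in ("#", "+"):
        return False
    f_levels = filt.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    """Minimal in-process publish/subscribe broker with per-client topic ACLs."""

    def __init__(self) -> None:
        self._acl = {}                  # client -> (subscribe filters, publish filters)
        self._subs = []                 # (client, filter) pairs
        self.inbox = defaultdict(list)  # client -> [(topic, payload)] delivered so far

    def register(self, client: str, can_subscribe, can_publish) -> None:
        self._acl[client] = (list(can_subscribe), list(can_publish))

    def subscribe(self, client: str, filt: str) -> None:
        allowed, _ = self._acl[client]
        # Simplification: the requested filter is tested as if it were a topic
        # name, so a wildcard request is granted only when some allowed filter
        # covers it. A production broker computes proper filter subsumption.
        if not any(topic_matches(a, filt) for a in allowed):
            raise PermissionError(f"{client} may not subscribe to {filt}")
        self._subs.append((client, filt))

    def publish(self, client: str, topic: str, payload: bytes) -> int:
        """Deliver payload to every matching subscriber; return how many got it."""
        _, allowed = self._acl[client]
        if not any(topic_matches(a, topic) for a in allowed):
            raise PermissionError(f"{client} may not publish to {topic}")
        delivered = 0
        for subscriber, filt in self._subs:
            if topic_matches(filt, topic):
                self.inbox[subscriber].append((topic, payload))
                delivered += 1
        return delivered


def demo() -> dict:
    """Constructed scenario: a thermostat may publish readings only, a dashboard
    may read everything under home/, a guest may read only the living room."""
    b = Broker()
    b.register("thermostat", can_subscribe=[], can_publish=["home/+/temp"])
    b.register("dashboard", can_subscribe=["home/#"], can_publish=[])
    b.register("guest", can_subscribe=["home/livingroom/+"], can_publish=[])
    b.subscribe("dashboard", "home/#")
    b.subscribe("guest", "home/livingroom/+")
    n_kitchen = b.publish("thermostat", "home/kitchen/temp", b"21.5")
    n_living = b.publish("thermostat", "home/livingroom/temp", b"20.0")
    try:
        b.publish("thermostat", "home/frontdoor/lock", b"unlock")  # not a temp topic
        lock_blocked = False
    except PermissionError:
        lock_blocked = True
    try:
        b.subscribe("guest", "#")                                 # everything, incl. $SYS
        wildcard_blocked = False
    except PermissionError:
        wildcard_blocked = True
    return {
        "kitchen_receivers": n_kitchen,
        "livingroom_receivers": n_living,
        "guest_inbox": b.inbox["guest"],
        "lock_blocked": lock_blocked,
        "wildcard_blocked": wildcard_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The ACL check is the part most often missing from hobby brokers: without it, any client that knows the broker address can subscribe to `#` and read every device's traffic, or publish to an actuator topic.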

76. xmpp is used for streaming which type of elements?


A. xpl
B. xml
C. xhl
D. mpl
ans: b

77. xmpp creates a ____ identity.

A. device
B. email
C. message
D. data
ans: a

78. xmpp uses a ____ architecture.

A. decentralized client-server
B. centralized client-server
C. message
D. publish/subscribe
ans: a

79. what does http do?


A. enables network resources and reduces the perception of latency
B. reduces perception of latency and allows multiple concurrency exchange
C. allows multiple concurrent exchanges and enables network resources
D. enables network resources and reduces the perception of latency and allows multiple
concurrent
exchange.
ans: d

80. http expands?


A. hypertext transfer protocol
B. hyper terminal transfer protocol
C. hypertext terminal protocol
D. hyper terminal text protocol
ans: a

81. coap is specialized in


A. internet applications
B. device applications
C. wireless applications
D. wired applications
ans: a

82. which protocol is used to link all the devices in the iot?
A. tcp/ip
B. network
C. udp
D. http
ans: a

83. data in network layer is transferred in the form of


A. layers
B. packets
C. bytes
D. bits
ans: b

84. which of the following is a service provided by the application layer?

A. webchat
B. error control
C. connection services
D. congestion control
ans: a

85. tcp and udp are called?


A. application protocols
B. session protocols
C. transport protocols
D. network protocols
ans: c

86. the security-based connection is provided by which layer?


A. application layer
B. transport layer
C. session layer
D. network layer
ans: d

87. using which mechanism in the transport layer can data integrity be assured?
A. checksum
B. repetition codes
C. cyclic redundancy checks
D. error correction codes
ans: a
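The checksum in question 87 protects against accidental corruption only. The following added example (not from the original question bank) implements the RFC 1071 Internet checksum that tcp and udp use, shows a one-bit transmission error being caught, and then shows that an on-path attacker who rewrites the message can simply recompute the checksum, whereas a keyed HMAC (hmac and hashlib from the Python standard library) cannot be recomputed without the key. The telemetry message and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones'-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # an odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(payload: bytes, csum: int) -> bool:
    return internet_checksum(payload) == csum


def mac_tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def mac_ok(key: bytes, payload: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the check does not leak how
    # many leading bytes of a guessed tag were right
    return hmac.compare_digest(mac_tag(key, payload), tag)


def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate a single-bit transmission error."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def demo() -> dict:
    key = secrets.token_bytes(32)               # shared by sender and receiver
    payload = b"valve=7;state=OPEN"              # constructed telemetry message
    csum = internet_checksum(payload)            # what the sender puts on the wire
    tag = mac_tag(key, payload)

    # Accidental corruption: one bit flipped in transit. Both mechanisms notice.
    corrupted = flip_bit(payload, 3)
    # Deliberate tampering: the attacker rewrites the message and, because the
    # checksum is unkeyed, recomputes it so the receiver accepts the change.
    tampered = payload.replace(b"OPEN", b"SHUT")
    forged_csum = internet_checksum(tampered)

    return {
        "checksum_detects_corruption": not checksum_ok(corrupted, csum),
        "mac_detects_corruption": not mac_ok(key, corrupted, tag),
        "checksum_detects_tampering": not checksum_ok(tampered, forged_csum),  # False
        "mac_detects_tampering": not mac_ok(key, tampered, tag),               # True
    }


if __name__ == "__main__":
    for name, caught in demo().items():
        print(f"{name}: {caught}")
```

In practice the MAC comes from TLS or DTLS rather than being bolted on by hand; the point is that "integrity" in the transport-layer sense (question 87) and integrity against an adversary are different properties.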

88. the transport layer receives data in the form of?


A. packets
B. byte streams
C. bits stream
D. both packet and byte stream
ans: b

89. the network layer is considered as the ____?


A. backbone
B. packets
C. bytes
D. bits
ans: a

90. the network layer consists of which hardware devices?


A. router
B. bridges
C. switches
D. all of the above
ans: d

91. network layer protocols exist in ____?


A. host
B. switches
C. packets
D. bridges
ans: a

92. which protocol has quality of service (qos) levels?

A. xmpp
B. http
C. coap
D. mqtt
ans: d

93. ____ is a data-centric middleware standard for device-to-device and machine-to-machine communication.

A. data distribution service (dds)
B. advanced message queuing protocol (amqp)
C. extensible messaging and presence protocol (xmpp)
D. message queue telemetry transport (mqtt)
ans: a

94. ____ is a bi-directional, full-duplex communication model that uses a persistent connection between client and server.
A. request-response
B. publish-subscribe
C. push-pull
D. exclusive pair
ans: d

95. ____ is a stateful communication model in which the server is aware of all open connections.
A. request-response
B. publish-subscribe
C. push-pull
D. exclusive pair
ans: d

96. which is not an iot communication model.


A. request-response
B. publish-subscribe
C. push-producer
D. exclusive pair
ans: c

97. in node mcu, mcu stands for ____.


A. micro control unit
B. microcontroller unit
C. macro control unit
D. macro controller unit
ans: b

98. rest is acronym for


A. representational state transfer
B. represent state transfer
C. representational state transmit
D. representational store transfer
ans: a

99. wsn stands for


A. wide sensor network
B. wireless sensor network
C. wired sensor network
D. none of these
ans: b

100. the benefit of cloud computing services


A. fast
B. anywhere access
C. higher utilization
D. all of the above
ans: d

101. paas stands for


A. platform as a service
B. platform as a survey
C. people as a service
D. platform as a survey
ans: a

102. ____ as a service is a cloud computing infrastructure that creates a development environment upon which applications may be built.

A. infrastructure
B. service
C. platform
D. all of the mentioned
ans: c

103. ____ is a cloud computing service model in which hardware is virtualized in the cloud.

A. iaas
B. caas
C. paas
D. none of the mentioned
ans: a

104. which of the following is the fundamental unit of the virtualized client in an iaas deployment?
A. work unit
B. workspace
C. workload
D. all of the mentioned
ans: c

105. ____ offering provides the tools and development environment to deploy applications on another vendor's application.
A. paas
B. iaas
C. caas
D. all of the mentioned
ans: a

106. ____ is the most refined and restrictive service model.

A. iaas
B. caas
C. paas
D. all of the mentioned
ans: c

107. ____ is suitable for iot applications that have low latency or high throughput requirements.
A. rest
B. publish-subscribe
C. push-pull
D. websocket
ans: d

108. ____ is one of the most popular wireless technologies used by wsns.

A. zigbee
B. allseen
C. tyrell
D. z-wave
ans: a

109. zigbee specifications are based on ____.

A. 802.3
B. 802.11
C. 802.16
D. 802.15.4
ans: d

110. ____ is a transformative computing paradigm that involves delivering applications and services over the internet.

A. wsn
B. cloud computing
C. big data
D. none of the above
ans: b

111. the process of collecting, organizing and analyzing large sets of data is called ____.
A. wsn
B. cloud computing
C. big data
D. none of the above
ans: c

112. does raspberry pi need external hardware?

A. true
B. false
ans: b

113. does rpi have internal memory?

A. true
B. false
ans: a

114. what do we use to connect a tv to the rpi?

A. male hdmi
B. female hdmi
C. male hdmi and adapter
D. female hdmi and adapter
ans: c

115. how is power supplied to the rpi?

A. usb connection
B. internal battery
C. charger
D. adapter
ans: a

116. what is the ethernet/lan cable connector used on the rpi?

A. cat5
B. cat5e
C. cat6
D. rj45
ans: d

117. which instruction set architecture is used in raspberry pi?


A. x86
B. msp
C. avr
D. arm
ans: d

118. is a micro sd card slot present in all rpi models?

A. true
B. false
ans: a

119. which characteristic involves the ability of the thing to respond in an intelligent way to a particular situation?
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: a

120. ____ empowers iot by bringing together everyday objects.

A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: b

121. the collection of data is achieved with ____ changes.

A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: c

122. the number of devices that need to be managed and that communicate with each other will be much larger. this iot characteristic is called ____.
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: d

123. in iot, ____ is one of the key characteristics: devices have different hardware platforms and networks.
A. sensors
B. heterogeneity
C. security
D. connectivity
ans: b

124. devices that transform electrical signals into physical movements are


A. sensors
B. actuators
C. switches
D. display
ans: b

125. stepper motors are


A. ac motors
B. dc motors
C. electromagnets
D. none of the above
ans: b

126. dc motors convert electrical into energy.


A. mechanical
B. wind
C. electric
D. none
ans: a

127. linear actuators are used in

A. machine tools
B. industrial machinery
C. both a and b
D. none
ans: c

128. solenoid is a specially designed


A. actuator
B. machine
C. electromagnet
D. none of above
ans: c

130. accelerometer sensors are used in


A. smartphones
B. aircrafts
C. both
D. none of the above
ans: c

131. image sensors are found in


A. cameras
B. night-vision equipment
C. sonars
D. all of the above
ans: d

132. gas sensors are used to detect gases.


A. toxic
B. natural
C. oxygen
D. hydrogen
ans: a

133. properties of arduino are:


A. inexpensive
B. independent
C. simple
D. both a and c
ans: d

134. properties of iot devices.


A. sense
B. send and receive data
C. both a and b
D. none of the above
ans: c

135. iot devices are


A. standard
B. non-standard
C. both
D. none
ans: b

136. what is the microcontroller used in arduino uno?


A. atmega328p
B. atmega2560
C. atmega32114
D. at91sam3x8e
ans: a

137. ____ is an open-source electronics platform based on easy-to-use hardware and software.
A. arduino
B. uno
C. raspberry pi
D. node
ans: a

138. ____ is used for latching, locking and triggering.

A. solenoid
B. relay
C. linear actuator
D. servo motors
ans: a

139. ____ detect the presence or absence of nearby objects without any physical contact.
A. smoke sensor
B. pressure sensor
C. ir sensor
D. proximity sensor
ans: d

140. ____ sensors include thermocouples, thermistors, resistance temperature detectors (rtds) and integrated circuits (ics).
A. smoke sensor
B. temperature sensor
C. ir sensor
D. proximity sensor
ans: b

141. the measure of humidity is

A. rh
B. ph
C. ic
D. none of the above
ans: a

142. ____ sensor is used for automatic door controls, automatic parking systems, automated sinks, automated toilet flushers and hand dryers.
A. smoke sensor
B. temperature sensor
C. ir sensor
D. motion sensor
ans: d

143. ____ sensor measures heat emitted by objects.

A. smoke sensor
B. temperature sensor
C. ir sensor
D. proximity sensor
ans: c

chapter-3 basics of digital forensics | eti mcq i scheme

1. digital forensics is all of them except:


A. extraction of computer data.
B. preservation of computer data.
C. interpretation of computer data.
D. manipulation of computer data.
ans:d

2. idip stands for


A. integrated digital investigation process.
B. integrated data investigator process.
C. integrated digital investigator process.
D. independent digital investigator process.
ans: a

3. who proposed the road map for digital forensic research (rmdfr)?

A. g. gunsch
B. s. ciardhuain
C. j. korn
D. g. palmer
ans: d

4. the investigator should satisfy the following points:


A. contribute to society and human beings.
B. avoid harm to others.
C. honest and trustworthy.
D. all of the above
ans: d

5. in the past, the method for expressing an opinion has been to frame a ____ question based on
available factual evidence.
A. hypothetical
B. nested
C. challenging
D. contradictory
ans: a

6. more subtle because you are not aware that you are running these macros (the document
opens and the application automatically runs); spread via email
A. the purpose of the copyright
B. the danger of macro viruses
C. derivative works
D. computer-specific crime
ans: b

7. there are three c's in computer forensics. which is one of the three?
A. control
B. chance
C. chains
D. core
ans: a

8. when was the fbi's magnetic media program (the forerunner of cart) created?

A. 1979
B. 1984
C. 1995
D. 1989
ans: b

9. when did the field of pc forensics begin?

A. 1960s
B. 1970s
C. 1980s
D. 1990s
ans: c

10. what is digital forensic?


A. process of using scientific knowledge in analysis and presentation of evidence in court
B. the application of computer science and investigative procedures for a legal purpose
involving the analysis of digital evidence after proper search authority, the chain of custody,
validation with mathematics, use of validated tools, repeatability, reporting, and possible
expert presentation
C. process where we develop and test hypotheses that answer questions about digital events
D. use of science or technology in the investigation and establishment of the facts or
evidence in a court of law
ans: b

11. digital forensics entails ____.

A. accessing the system's directories in viewing mode and navigating through the various system files and folders
B. undeleting and recovering lost files
C. identifying and solving computer crimes
D. the identification, preservation, recovery, restoration, and presentation of digital evidence from systems and devices
ans: d

12. which of the following is false?

A. the digital forensic investigator must maintain absolute objectivity
B. it is the investigator's job to determine someone's guilt or innocence.
C. it is the investigator's responsibility to accurately report the relevant facts of a case.
D. the investigator must maintain strict confidentiality, discussing the results of an investigation on only a "need to know" basis
ans: b

13. what is the most significant legal issue in computer forensics?


A. preserving evidence
B. seizing evidence
C. admissibility of evidence
D. discovery of evidence
ans: c

14. ____ phase includes putting the pieces of a digital puzzle together and developing investigative hypotheses
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
ans: d
15. in ____ phase the investigator transfers the relevant data from a venue out of physical or administrative control of the investigator to a controlled location
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
ans: b

17. computer forensics does not involve ____ activity.


A. preservation of computer data.
B. extraction of computer data.
C. manipulation of computer data.
D. interpretation of computer data.
ans: c

18. a set of instructions compiled into a program that performs a particular task is known as:
A. hardware
B. cpu
C. motherboard
D. software
ans: d

19. which of following is not a rule of digital forensics?


A. an examination should be performed on the original data
B. a copy is made onto forensically sterile media. new media should always be used if
available.
C. the copy of the evidence must be an exact, bit-by-bit copy
D. the examination must be conducted in such a way as to prevent any modification of the
evidence.
ans: a
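Rules B, C and D in question 19 (sterile target media, an exact bit-by-bit copy, no modification of the evidence) are normally enforced with cryptographic hashes. The following is an added example in Python, not code from the original question bank or from any forensic tool: it copies a source image bit for bit, records a SHA-256 digest of the source before the copy and of the image after it, refuses to overwrite an existing image on the target media, and later re-verifies the image against the recorded digest. The "evidence" file it builds in a temporary directory is constructed for the example; in practice the source would be a block device opened read-only behind a write blocker.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256; opened read-only so the evidence is never written."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source: str, image: str) -> dict:
    """Bit-for-bit copy of `source` into `image` with before/after digests.

    Matching digests are the record that the image is an exact duplicate.
    Mode "xb" makes the copy fail instead of overwriting an existing file,
    which is what "forensically sterile media" demands of the target.
    """
    source_digest = sha256_of(source)
    with open(source, "rb") as src, open(image, "xb") as dst:
        shutil.copyfileobj(src, dst, length=1 << 20)
    image_digest = sha256_of(image)
    return {
        "source_sha256": source_digest,
        "image_sha256": image_digest,
        "size": os.path.getsize(image),
        "verified": source_digest == image_digest,
    }


def verify(image: str, recorded_sha256: str) -> bool:
    """Re-check an image against the digest recorded at acquisition time."""
    return sha256_of(image) == recorded_sha256


def demo() -> dict:
    """Constructed scenario in a temp directory: acquire, verify, then detect a change."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "evidence.bin")
    image = os.path.join(workdir, "evidence.dd")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 64)          # 16 KiB of constructed "disk" content

    record = acquire(source, image)
    intact = verify(image, record["source_sha256"])
    try:
        acquire(source, image)                   # a second acquisition must not clobber
        overwrite_refused = False
    except FileExistsError:
        overwrite_refused = True

    with open(image, "r+b") as f:                # simulate one changed byte in the image
        f.seek(100)
        f.write(b"\x00")
    tamper_detected = not verify(image, record["source_sha256"])

    shutil.rmtree(workdir)
    return {
        "size": record["size"],
        "verified": record["verified"],
        "still_intact": intact,
        "overwrite_refused": overwrite_refused,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The recorded digest is what goes into the chain-of-custody paperwork; any later examiner can rerun `verify` and show that the copy they analysed is the one that was acquired.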

20. to collect and analyze the digital evidence that was obtained from the physical investigation
phase, is the goal of which phase?
A. physical crime investigation
B. digital crime investigation.
C. review phase.
D. deployment phase.
ans: b

21. to provide a mechanism to an incident to be detected and confirmed is purpose of which


phase?
A. physical crime investigation
B. digital crime investigation.
C. review phase.
D. deployment phase.
ans: d

22. which phase entails a review of the whole investigation and identifies an area of improvement?
A. physical crime investigation
B. digital crime investigation.
C. review phase.
D. deployment phase
ans: c

23. ____ is known as the father of computer forensics.

A. g. palmer
B. j. korn
C. michael anderson
D. s. ciardhuain
ans: c

24. ____ is a well-established science to which various contributions have been made.
A. forensics
B. crime
C. cyber crime
D. evidence
ans: a

25. who proposed the end-to-end digital investigation process (eedip)?

A. g. palmer
B. stephenson
C. michael anderson
D. s. ciardhuain
ans: b

26. which model of investigation was proposed by carrier and spafford?

A. extended model of cybercrime investigation (emci)
B. integrated digital investigation process (idip)
C. road map for digital forensic research (rmdfr)
D. abstract digital forensic model (adfm)
ans: b

27. which of the following is not a property of computer evidence?


A. authentic and accurate.
B. complete and convincing.
C. duplicated and preserved.
D. conform and human readable.
ans. d

28. ____ can make or break an investigation.

A. crime
B. security
C. digital forensics
D. evidence
ans: d

29. ____ is software that blocks unauthorized users from connecting to your computer.
A. firewall
B. quick launch
C. onelogin
D. centrify
ans: a

30. which of the following are general ethical norms for investigator?
A. to contribute to society and human beings.
B. to avoid harm to others.
C. to be honest and trustworthy.
D. all of the above
E. none of the above
ans: d

31. which of the following are unethical norms for an investigator?

A. withhold any relevant evidence.
B. disclose any confidential matters or knowledge.
C. distort or falsify education, training, credentials.
D. all of the above
E. none of the above
ans: d

32. which of the following is not a general ethical norm for an investigator?
A. to contribute to society and human beings.
B. withhold any relevant evidence.
C. to be honest and trustworthy.
D. to honor confidentiality.
ans: b

33. which of the following is not an unethical norm for a digital forensics investigation?
A. withhold any relevant evidence.
B. disclose any confidential matters or knowledge.
C. distort or falsify education, training, credentials.
D. to respect the privacy of others.
ans: d

34. what is the process of creating a duplicate of digital media for the purpose of examining it called?
A. acquisition.
B. steganography.
C. live analysis
D. hashing.
ans: a

35. which term refers to modifying a computer in a way which was not originally intended to
view information?
A. metadata
B. live analysis
C. hacking
D. bit copy
ans: c

36. the ability to recover and read deleted or damaged files from a criminal’s computer is an
example of a law enforcement specialty called?
A. robotics
B. simulation
C. computer forensics
D. animation
ans: c

37. which part of a mobile device is important in digital forensics?
A. sim
B. ram
C. rom
D. emmc chip
ans: d

38. using what can data hiding in encrypted images be carried out in digital forensics?
A. acquisition.
B. steganography.
C. live analysis
D. hashing.
ans: b

39. which of this is not a computer crime?


A. e-mail harassment
B. falsification of data.
C. sabotage.
D. identification of data
ans. d

40. which windows file stores the local user account password hashes?

A. .exe
B. .txt
C. .iso
D. sam (security account manager)
ans: d

41. ____ is the process of recording as much data as possible to create reports and analysis on user input.
A. data mining
B. data carving
C. metadata
D. data spoofing.
ans: a

42. ____ searches through raw data on a hard drive without using a file system.
A. data mining
B. data carving
C. metadata
D. data spoofing.
ans: b
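Data carving (question 42) recovers files from raw bytes by their signatures and never consults the file system, which is why it works on unallocated space and on disks whose metadata has been wiped. The following is an added example, not from the original question bank and not code from any carving tool: a header/footer carver in Python for jpeg (FF D8 FF ... FF D9) and png (the 8-byte signature ... the IEND chunk and its fixed CRC), run over a constructed "unallocated space" image with one minimal file of each type embedded. It does not reassemble fragmented files.

```python
# (header, footer) byte signatures; the carver never consults a file system
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # IEND chunk type + its fixed CRC
}


def carve(raw: bytes, signatures=SIGNATURES, max_size: int = 16 << 20):
    """Header/footer carving over a raw byte image.

    Returns a sorted list of (offset, ext, data) for every header that is
    followed by its footer within max_size bytes. A header with no footer in
    range is skipped. Fragmented files are not reassembled.
    """
    found = []
    for ext, (header, footer) in signatures.items():
        pos = 0
        while (start := raw.find(header, pos)) != -1:
            end = raw.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1           # header without footer: skip it
                continue
            end += len(footer)
            found.append((start, ext, raw[start:end]))
            pos = end
    return sorted(found)


# Constructed minimal files: just enough structure to carry the signatures.
SAMPLE_PNG = (
    b"\x89PNG\r\n\x1a\n"
    + b"\x00\x00\x00\rIHDR" + b"\x00" * 13 + b"\x00\x00\x00\x00"   # IHDR chunk (CRC zeroed)
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"                              # IEND chunk
)
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
FILLER = b"unallocated sector "   # 19 bytes, contains no signature bytes


def build_sample_disk() -> bytes:
    """Constructed raw image: filler, a PNG at offset 380, more filler, a JPEG at 558."""
    return FILLER * 20 + SAMPLE_PNG + FILLER * 7 + SAMPLE_JPG + FILLER * 5


if __name__ == "__main__":
    for offset, ext, data in carve(build_sample_disk()):
        print(f"{ext} at offset {offset}, {len(data)} bytes")
```

Real carvers add per-format validation (parsing the chunk lengths of a png, the segment markers of a jpeg) so that a stray footer inside another file does not truncate the carve; the signature table above is the part worth extending first.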

43. what is the first step to handle retrieving data from an encrypted hard drive?
A. formatting disk
B. storing data
C. finding configuration files.
D. deleting files
ans: c
chapter-6 types of hacking (co6)

1. snmp stands for


A. simple network messaging protocol
B. simple network mean protocol
C. simple network management protocol
D. simple network master protocol
ans:c

2. which of the following tool is used for network testing and port scanning
A. netcat
B. superscan
C. netscan
D. all of above
ans:d

3. banner grabbing is used for


A. whitehat hacking
B. blackhat hacking
C. greyhat hacking
D. scriptkiddies
ans:a

4. an attacker can create an ____ attack by sending hundreds or thousands of e-mails with very large attachments.
A. connection attack
B. auto responder attack
C. attachment overloading attack
D. all the above
ans: c

5. which of the following tools is used for windows for network queries from dns
lookups to trace routes?
A. samspade
B. superscan
C. netscan
D. netcat
ans:a
6. which tool is used for ping sweeps and port scanning?
A. netcat
B. samspade
C. superscan
D. all the above
ans:c

7. which of the following tools is used for security checks such as port scanning and firewall testing?
A. netcat
B. nmap
C. data communication
D. netscan
ans:a

8. what is the most important activity in system cracking?


A. information gathering
B. cracking password
C. escalating privileges
D. covering tracks
ans:b

9. which nmap scan does not completely open a tcp connection?

A. syn stealth scan
B. tcp connect scan
C. xmas tree scan
D. ack scan
ans: a

10. a keylogger is a form of ____.
A. spyware
B. shoulder surfing
C. trojan
D. social engineering
ans: a

11. nmap is abbreviated as network mapper.


A. true
B. false
ans:a

12. ____ is a popular tool used for network discovery as well as security auditing.
A. ettercap
B. metasploit
C. nmap
D. burp suite
ans: c

12. which of these does nmap not check?
A. services different hosts are offering
B. on what os they are running.
C. what kind of firewall is in use?
D. what type of antivirus is in use?
ans: d

13. what is the purpose of denial-of-service attacks?

A. exploit a weakness in the tcp/ip stack.
B. to execute a trojan horse on a system.
C. to overload a system so it is no longer operational.
D. to shutdown services by turning them off.
ans: c

14. what are some of the most common vulnerabilities that exist in a network system?
A. changing manufacturer or recommended settings of newly installed applications.
B. additional unused features on commercial software packages.
C. utilizing open source application code.
D. balancing security and ease of use of a system.
ans:b

15. which of the following is not a characteristic of an ethical hacker?
A. excellent knowledge of windows.
B. understands the process of exploiting network vulnerabilities.
C. patience, persistence and perseverance.
D. has the highest level of security for the organization.
ans: d

16. attempting to gain access to a network using an employee's credentials is called the ______
mode of ethical hacking.
A. local networking
B. social engineering
C. physical entry
D. remote networking
ans:a

17. the first phase of hacking an it system is compromise of which foundation of security?
A. availability
B. confidentiality
C. integrity
D. authentication
ans:b
18. why would a ping sweep be used?
A. to identify livesystems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans:a

19. what are the port states determined by nmap?


A. active,inactive,standby
B. open,half-open,closed
C. open,filtered,unfiltered
D. active,closed,unused
ans:c

20. what port does telnet use?
A. 22
B. 80
C. 20
D. 23
ans: d

21. which of the following will allow footprinting to be conducted without detection?
A. ping sweep
B. trace route
C. war dialers
D. arin
ans:d

22. performing hacking activities with the intent of gaining visibility for an unfair
situation is called ______.
A. cracking
B. analysis
C. hacktivism
D. exploitation
ans:c

23. why would a hacker use a proxy server?
A. to create a stronger connection with the target.
B. to create a ghost server on the network.
C. to obtain a remote access connection.
D. to hide malicious activity on the network.
ans:d
24. which phase of hacking performs the actual attack on a network or system?
A. reconnaissance
B. maintaining access
C. scanning
D. gaining access
ans: d

25. sniffing is used to perform ______ fingerprinting.
A. passive stack
B. active stack
C. passive banner grabbing
D. scanned
ans:a

26. services running on a system are determined by ______.
A. the system's ip address
B. the active directory
C. the system's network name
D. the port assigned
ans:d

27. what are the types of scanning?
A. port, network, and services
B. network, vulnerability, and port
C. passive, active, and interactive
D. server, client, and network
ans:b

28. enumeration is part of what phase of ethical hacking?


A. reconnaissance
B. maintaining access
C. gaining access
D. scanning
ans:c

29. the ______ framework made exploiting vulnerabilities as easy as point and click.
A. net
B. metasploit
C. zeus
D. ettercap
ans:b
30. ______ is a popular ip address and port scanner.
A. cain and abel
B. snort
C. angry ip scanner
D. ettercap
ans:c

31. ______ is a popular tool used for network analysis in a multiprotocol, diverse network.
A. snort
B. superscan
C. burp suite
D. etherpeek
ans: d

33. ______ scans tcp ports and resolves different host names.


A. superscan
B. snort
C. ettercap
D. qualysguard.
ans:a

34. what tool can be used to perform snmp enumeration?


A. dns lookup
B. whois
C. ns lookup
D. ip network browser
ans: d

35. wireshark is a ______ tool.


A. network protocol analysis
B. network connection security
C. connection analysis
D. defending malicious packet-filtering
ans:a

36. aircrack-ng is used for
A. firewall bypassing
B. wi-fi attacks
C. packet filtering
D. system password cracking
ans:b
37. phishing is a form of ______.
A. spamming
B. identity theft
C. impersonation
D. scanning
ans:c

38. what are the types of scanning?
A. port, network, and services
B. network, vulnerability, and port
C. passive, active, and interactive
D. server, client, and network
ans:b

39. ______ is used for searching multiple hosts in order to target just one specific open port.
A. ping sweep
B. port scan
C. ipconfig
D. spamming
ans:a

40. arp spoofing is often referred to as


A. man-in-the-middle attack
B. denial-of-service attack
C. sniffing
D. spoofing
ans:a
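the point behind question 40 is that a spoofed arp reply redirects a host's traffic through the attacker, which is what makes it a man-in-the-middle technique. the following detector is an added example (not code from this question bank) that flags the two signs of an arp-spoofing mitm in a stream of arp replies: an ip whose mac address suddenly changes, and one mac address claiming several ips (typically the gateway and the victim). the reply records are constructed for the demo, not captured traffic.

```python
"""Detect ARP spoofing (the usual way to mount a LAN man-in-the-middle)
from a stream of ARP replies. Added illustration; the records below are
constructed, not captured, and the timestamps are arbitrary."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (timestamp, sender_ip, sender_mac) of ARP replies seen on one segment.
ARP_REPLIES = [
    (1.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),   # real gateway announces itself
    (1.5, "192.168.1.20", "aa:aa:aa:aa:aa:20"),   # victim workstation
    (2.0, "192.168.1.1",  "de:ad:be:ef:00:01"),   # attacker claims the gateway IP
    (2.1, "192.168.1.20", "de:ad:be:ef:00:01"),   # ... and the victim IP: classic MITM
    (3.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),   # real gateway replies again (flapping)
]


def detect_arp_spoofing(replies=ARP_REPLIES) -> List[tuple]:
    """Return alerts as tuples; the first element is the alert kind.

    ("mac-change", ts, ip, old_mac, new_mac): a known IP moved to another MAC.
    ("multi-ip", ts, mac, (ip, ...)): one MAC answers for more than one IP.
    """
    ip_to_mac: Dict[str, str] = {}              # last MAC seen for each IP
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[tuple] = []
    for ts, ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(("mac-change", ts, ip, known, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("multi-ip", ts, mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing():
        print(alert)
```

the "mac-change" rule alone produces false positives on dhcp reassignments and router failover, so in practice the gateway's real mac is pinned in a whitelist and only changes away from it are treated as high-severity; the "multi-ip" rule is the stronger signal, since a legitimate host rarely answers for the gateway's address.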

41. a ______ is a tool that allows you to look into the network and analyze data going across
the wire for network optimization, security and troubleshooting purposes.
A. network analyzer
B. cryptool
C. john the ripper
D. backtrack
ans:a

42. ______ is not a function of a network analyzer tool.
A. captures all network traffic
B. interprets or decodes what is found into a human-readable format
C. displays it all in chronological order
D. banner grabbing
ans: d
43. the ______ protocol is used for network monitoring.
A. snmp
B. telnet
C. ftp
D. arp
ans:a

44. what is the attack called "evil twin"?


A. rogue access point
B. arp poisoning
C. session hijacking
D. mac spoofing
ans:a

45. what is the primary goal of an ethical hacker?


A. avoiding detection
B. testing security controls
C. resolving security vulnerabilities
D. determining return on investment for security measures
ans:c

46. what are the forms of password cracking technique?
A. syllable attack
B. brute-force attack
C. hybrid attack
D. all the above
ans: d
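question 46 lists the attack families but does not show why they differ in cost. the following added example (not from this question bank) runs a dictionary attack, a hybrid attack (dictionary words with case, leet and suffix mangling) and a brute-force attack against a salted sha-256 hash and counts the guesses each needs. the wordlist, the salt and the target passwords are constructed for the demo; real attacks use leaked-password lists, rule engines and gpu crackers, and the brute-force charset and length here are kept small so the demo finishes instantly.

```python
"""Dictionary, hybrid and brute-force password attacks against a salted
SHA-256 hash, counting guesses. Added illustration with constructed inputs:
the counters show why a hybrid attack finds a mangled dictionary word long
before exhaustive search could, and why a wordlist alone misses it."""
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional, Tuple

SALT = b"demo-salt"          # constructed; real systems use a random per-user salt
WORDLIST = ["admin", "letmein", "summer", "password", "welcome"]   # constructed
LOWER_DIGITS = string.ascii_lowercase + string.digits


def hash_password(password: str) -> str:
    """The stored form an attacker has to match (unsalted or fast hashes crack faster)."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()


def dictionary_candidates(words: Iterable[str] = WORDLIST) -> Iterator[str]:
    """Dictionary attack: try each word exactly as listed."""
    yield from words


def hybrid_candidates(words: Iterable[str] = WORDLIST) -> Iterator[str]:
    """Hybrid attack: dictionary words plus mangling rules (case, leet, suffixes)."""
    leet = str.maketrans("aeios", "43105")
    suffixes = [str(n) for n in range(100)] + ["!", "123", "2024"]
    for word in words:
        for base in (word, word.capitalize(), word.translate(leet)):
            yield base
            for suffix in suffixes:
                yield base + suffix


def brute_force_candidates(charset: str = LOWER_DIGITS, max_len: int = 3) -> Iterator[str]:
    """Brute-force attack: every string over charset up to max_len, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def crack(target_hash: str, candidates: Iterable[str],
          limit: int = 1_000_000) -> Tuple[Optional[str], int]:
    """Hash each candidate and compare; return (password or None, guesses made)."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        if hash_password(candidate) == target_hash:
            return candidate, guesses
        if guesses >= limit:
            break
    return None, guesses


def compare_attacks(password: str) -> dict:
    """Run all three techniques against one constructed password."""
    target = hash_password(password)
    return {
        "dictionary": crack(target, dictionary_candidates()),
        "hybrid": crack(target, hybrid_candidates()),
        "brute_force": crack(target, brute_force_candidates()),
    }


if __name__ == "__main__":
    for pw in ("Summer23", "ab1"):
        print(pw, compare_attacks(pw))
```

"Summer23" survives the plain dictionary and a 3-character brute force but falls to the hybrid rules after a few hundred guesses, while a short random "ab1" is only reached by brute force; the defensive lesson is that length and unpredictability matter more than mangling a common word, and that slow, salted password hashes (bcrypt, scrypt, argon2) multiply the cost of every guess counted here.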

45. which type of hacker represents the highest risk to your network?
A. black-hat hackers
B. grey-hat hackers
C. script kiddies
D. disgruntled employees
ans: d

46. hacking for a cause is called
A. hacktivism
B. black-hat hacking
C. active hacking
D. activism
ans:a
47. when a hacker attempts to attack via the internet it is known as what type of attack?
A. local access
B. remote attack
C. internal attack
D. physical access
ans:b

49. a type of attack that overloads the resources of a single system to cause it to crash or hang.
A. resource starvation
B. active sniffing
C. passive sniffing
D. session hijacking
ans:a

50. in computer networking, ______ is any technical effort to manipulate the normal behavior of
network connections and connected systems.
A. hacking
B. evidence
C. tracing
D. none of above
ans:-a

51. ______ generally refers to unauthorized intrusion into a computer or a network.
A. hacking
B. evidence
C. tracing
D. none of above
ans:-a

52. we can eliminate many well-known network vulnerabilities by simply patching
your network hosts with their latest ______.
A. hackers and crackers
B. vendor software and firmware patches
C. software and hardware
D. none of above
ans:-b

53. a network consists of devices such as routers, firewalls and hosts that you must assess as a part
of the ______.
A. crackers process
B. black hat hacking process
C. gray hat hacking process
D. ethical hacking process
ans:-d

54. ______ are the foundation for most technical security issues in our information systems.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans:-d

55. a ______ attack can take down your internet connection or your entire network.
A. mac
B. dos
C. ids
D. none of above
ans:-b

56. dos stands for


A. detection of system
B. denial of service
C. detection of service
D. none of above
ans:-b

57. ids stands for


A. intrusion detection system
B. information documentation service
C. intrusion documentation system
D. none of above
ans:-a

58. which of the following protocols in use is vulnerable?
A. tcl
B. ssl
C. ftp
D. smtp
ans:-b

59. ssl stands for


A. secure sockets layer
B. software security layer
C. socket security layer
D. system software layer
ans:-a
60. ______ include phishing, sql injection, hacking, social engineering, spamming,
denial of service attacks, trojans, virus and worm attacks.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans:-d

61. who invented the worm attack?
A. brighten godfrey
B. alan yeung
C. robert morris
D. none of above
ans:-c

62. which of the following is not a typical characteristic of an ethical hacker?
A. excellent knowledge of windows.
B. understands the process of exploiting network vulnerabilities.
C. patience, persistence and perseverance.
D. has the highest level of security for the organization.
ans:-d

63. what is the purpose of a denial of service attack?
A. exploit weaknesses in the tcp/ip stack
B. to execute a trojan on a system
C. to overload a system so it is no longer operational
D. to shut down services by turning them off
ans:-c

64. what are some of the most common vulnerabilities that exist in a network or system?
A. changing manufacturer, or recommended, settings of a newly installed application.
B. additional unused features on commercial software packages.
C. utilizing open source application code
D. balancing security concerns with functionality and ease of use of a system.
ans:b

65. what is the sequence of a tcp connection?
A. syn-ack-fin
B. syn-synack-ack
C. syn-ack
D. syn-syn-ack
ans:b

66. why would a ping sweep be used?
A. to identify live systems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans:-a

67. a packet with no flags set is which type of scan?
A. tcp
B. xmas
C. idle
D. null
ans:-d
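questions 9, 19, 65 and 67 all turn on the same mechanism: nmap chooses which tcp flags to set in its probe, and the target's reply (syn/ack, rst, or silence) tells it the port state. the following added example, which is not code from this question bank or from nmap, classifies a probe by its flag bits (null, xmas, fin, syn, ack), infers the port state nmap would report from the reply, and shows why a syn "stealth" scan never completes the syn, syn/ack, ack handshake. the probe/reply pairs are constructed, not captured traffic.

```python
"""Classify TCP probes by flag set (nmap-style scan types) and infer the
port state nmap would report from the reply. Added illustration with
constructed probe/reply records; the rules follow nmap's documented
behaviour for -sS, -sN, -sF, -sX and -sA."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits as laid out in the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> str:
    """Name the nmap scan type whose probe carries exactly these flags."""
    if flags == 0:
        return "NULL scan"                  # -sN: no flags at all
    if flags == FIN | PSH | URG:
        return "XMAS scan"                  # -sX: FIN, PSH, URG "lit up"
    if flags == FIN:
        return "FIN scan"                   # -sF
    if flags == SYN:
        return "SYN stealth scan"           # -sS: handshake never completed
    if flags == ACK:
        return "ACK scan"                   # -sA: maps firewall rules, not ports
    return "other"


@dataclass
class Reply:
    flags: Optional[int]                    # None = nothing came back before timeout
    icmp_unreachable: bool = False          # ICMP error (type 3) instead of TCP


def port_state(scan: str, reply: Reply) -> str:
    """Map a reply to nmap's port states.

    SYN scan:       SYN/ACK -> open, RST -> closed, silence/ICMP -> filtered
    NULL/FIN/XMAS:  silence -> open|filtered, RST -> closed (RFC 793 behaviour)
    ACK scan:       RST -> unfiltered, silence/ICMP -> filtered
    """
    if reply.icmp_unreachable:
        return "filtered"
    if scan == "SYN stealth scan":
        if reply.flags is None:
            return "filtered"
        if reply.flags & SYN and reply.flags & ACK:
            return "open"
        if reply.flags & RST:
            return "closed"
        return "filtered"
    if scan in ("NULL scan", "FIN scan", "XMAS scan"):
        if reply.flags is not None and reply.flags & RST:
            return "closed"
        return "open|filtered"              # open ports and dropping firewalls look alike
    if scan == "ACK scan":
        if reply.flags is not None and reply.flags & RST:
            return "unfiltered"
        return "filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def stealth_scan_completes_handshake() -> bool:
    """A SYN scan answers the SYN/ACK with RST rather than ACK, so the
    three-way handshake is never completed and no application sees a connection."""
    three_way_handshake = [SYN, SYN | ACK, ACK]
    syn_scan_exchange = [SYN, SYN | ACK, RST]
    return three_way_handshake == syn_scan_exchange


# Constructed probe/reply pairs, as a sensor on the target's segment might record them.
SAMPLE = [
    (SYN, Reply(SYN | ACK)),                # open port seen by -sS
    (SYN, Reply(RST)),                      # closed port
    (SYN, Reply(None)),                     # dropped by a firewall
    (0, Reply(None)),                       # NULL scan, target stays silent
    (FIN | PSH | URG, Reply(RST)),          # XMAS scan hitting a closed port
    (ACK, Reply(RST)),                      # ACK scan: port reachable through the firewall
]


def scan_report(samples=SAMPLE) -> List[Tuple[str, str]]:
    return [(classify_probe(f), port_state(classify_probe(f), r)) for f, r in samples]


if __name__ == "__main__":
    for name, state in scan_report():
        print(f"{name:18s} -> {state}")
```

the "open|filtered" result for null, fin and xmas probes is why those scans are weaker than a syn scan against a modern host: a silently dropping firewall and an open port give the same non-answer, and windows stacks send rst for every probe regardless of port state, so these scans only work against rfc-compliant targets.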
question bank (i scheme)

name of subject: emerging trends in computer and information technology unit test: i
subject code: 22618 courses: if/cm6i
semester: vi
multiple choice questions and answers
chapter 1- artificial intelligence

1. which of these schools was not among the early leaders in ai research?
A. dartmouth university
B. harvard university
C. massachusetts institute of technology
D. stanford university
E. none of the above
ans: b

2. darpa, the agency that has funded a great deal of american ai research, is part of the
department of:
A. defense
B. energy
C. education
D. justice
E. none of the above
ans: a

3. the conference that launched the ai revolution in 1956 was held at:
A. dartmouth
B. harvard
C. new york
D. stanford
E. none of the above
ans: a

4. what is the term used for describing the judgmental or commonsense part of problem
solving?
A. heuristic
B. critical
C. value based
D. analytical
E. none of the above
ans: a

5. which of the following is considered to be a pivotal event in the history of ai?
A. 1949, donald o. hebb, the organization of behavior.
B. 1950, computing machinery and intelligence.
C. 1956, dartmouth university conference organized by john mccarthy.
D. 1961, computer and computer sense.
E. none of the above
ans: c
6. a certain professor at stanford university coined the term 'artificial intelligence' in
1956 at a conference held at dartmouth college. can you name the professor?
A. david levy
B. john mccarthy
C. joseph weizenbaum
D. hans berliner
E. none of the above
ans: b

7. the field that investigates the mechanics of human intelligence is:


A. history
B. cognitive science
C. psychology
D. sociology
E. none of the above
ans: b

8. a. m. turing developed a technique for determining whether a computer could or could not
demonstrate artificial intelligence; presently, this technique is called
A. turing test
B. algorithm
C. boolean algebra
D. logarithm
E. none of the above
ans: a

9. the first ai programming language was called:


A. basic
B. fortran
C. ipl
D. lisp
E. none of the above
ans: c

10. what is artificial intelligence?


A. putting your intelligence into computer
B. programming with your own intelligence
C. making a machine intelligent
D. putting more memory into computer
ans: c

11. who is a father of ai?


A. alain colmerauer
B. john mccarthy
C. nicklaus wirth
D. seymour papert
ans: b

12. artificial intelligence has its expansion in the following application.


A. planning and scheduling
B. game playing
C. robotics
D. all of the above
ans: d

13. the characteristic of a computer system capable of thinking, reasoning and learning is
known as
A. machine intelligence
B. human intelligence
C. artificial intelligence
D. virtual intelligence
ans: c

14. the first ai programming language was called:


A. basic
B. fortran
C. ipl
D. lisp
ans: c

15. the first widely used commercial form of artificial intelligence (ai) is being used in many
popular products like microwave ovens, automobiles and plug-in circuit boards for desktop pcs.
what is the name of this form of ai?
A. boolean logic
B. human logic
C. fuzzy logic
D. functional logic
ans: c

16. what is the term used for describing the judgmental or commonsense part of problem
solving?
A. heuristic
B. critical
C. value based
D. analytical
ans: a

17. ______ is a branch of computer science which deals with helping machines find solutions to
complex problems in a more human-like fashion.
A. artificial intelligence
B. internet of things
C. embedded system
D. cyber security
ans: a

18. in ______ the goal is for the software to use what it has learned in one area to solve problems in
other areas.
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: b
19. computer programs that mimic the way the human brain processes information are called
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: c

20. a ______ is a rule of thumb, strategy, trick, simplification, or any other kind of device which
drastically limits the search for solutions in large problem spaces.
A. heuristic
B. critical
C. value based
D. analytical
ans: a

21. ______ do not guarantee an optimal solution, or any solution at all.
A. heuristics
B. critical
C. value based
D. analytical
ans: a
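questions 20 and 21 state that a heuristic drastically limits the search but does not guarantee an optimal solution. the following added example (not from this question bank) makes both claims concrete: it runs greedy best-first search, which always expands the node a heuristic rates closest to the goal, next to breadth-first search on a small constructed graph. the graph and the heuristic values are made up for the demo; the heuristic is deliberately misleading at one node so that the informed search expands fewer nodes but returns a longer path than the uninformed one.

```python
"""Greedy best-first search (heuristic) beside breadth-first search
(exhaustive) on a small constructed graph. Added illustration: the
heuristic prunes the search but does not guarantee the shortest path."""
import heapq
import itertools
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed graph with unit-cost directed edges; X1..X3 are dead ends.
GRAPH: Dict[str, List[str]] = {
    "S": ["A", "B", "X1", "X2", "X3"],
    "A": ["C"],
    "B": ["G"],
    "C": ["D"],
    "D": ["G"],
    "G": [],
    "X1": [], "X2": [], "X3": [],
}
# Constructed heuristic: a "rule of thumb" estimate of distance to G.
# It is misleading at A (true distance 3, estimated 1), which lures greedy search.
HEURISTIC = {"S": 3, "A": 1, "B": 2, "C": 1, "D": 1, "G": 0, "X1": 9, "X2": 9, "X3": 9}

SearchResult = Tuple[Optional[List[str]], int]   # (path, nodes expanded)


def _path(parent: Dict[str, Optional[str]], node: str) -> List[str]:
    path = []
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def breadth_first(start: str = "S", goal: str = "G") -> SearchResult:
    """Uninformed search: explores level by level, so the first goal found is shortest."""
    parent: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    expanded = 0
    while queue:
        node = queue.popleft()
        expanded += 1
        if node == goal:
            return _path(parent, node), expanded
        for nxt in GRAPH[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None, expanded


def greedy_best_first(start: str = "S", goal: str = "G",
                      h: Dict[str, int] = HEURISTIC) -> SearchResult:
    """Informed search: always expands the frontier node with the lowest h value."""
    tie = itertools.count()                     # keeps heap ordering deterministic on equal h
    frontier = [(h[start], next(tie), start)]
    parent: Dict[str, Optional[str]] = {start: None}
    expanded = 0
    while frontier:
        _, _, node = heapq.heappop(frontier)
        expanded += 1
        if node == goal:
            return _path(parent, node), expanded
        for nxt in GRAPH[node]:
            if nxt not in parent:
                parent[nxt] = node
                heapq.heappush(frontier, (h[nxt], next(tie), nxt))
    return None, expanded


if __name__ == "__main__":
    print("bfs   :", breadth_first())        # shortest path, more nodes expanded
    print("greedy:", greedy_best_first())    # fewer nodes expanded, longer path
```

breadth-first search expands eight nodes and returns the two-edge path s, b, g; greedy best-first expands only five but follows the misleading estimate through a, c and d to a four-edge path. replacing the priority h(n) with g(n) + h(n), where g is the cost so far, turns this into a* search, which restores optimality whenever the heuristic never overestimates.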

22. cognitive science is concerned with


A. act like human
B. eliza
C. think like human
D. none of above
ans: c

23. a ______ model should reflect how results were obtained.


A. design model
B. logic model
C. computational model
D. none of above
ans: c

24. communication between man and machine is associated with


A. lisp
B. eliza
C. all of above
D. none of above
ans: b

25. eliza was created by


A. john mccarthy
B. steve russell
C. alain colmerauer
D. joseph weizenbaum
ans: d
26. the concepts derived from the ______ level are propositional logic, tautology, predicate
calculus, model, temporal logic.
A. cognition level
B. logic level
C. functional level
D. all of above
ans: b

27. prolog is an ai programming language which solves problems with a form of symbolic
logic known as ______.
A. propositional logic
B. tautology
C. predicate calculus
D. temporal logic
ans: c

28. the ______ level contains constituents at the third level, which are knowledge-based systems,
heuristic search, automatic theorem proving, multi-agent systems.
A. cognition level
B. gross level
C. functional level
D. all of above
ans: b

29. prolog, lisp, nlp are the languages of ______.


A. artificial intelligence
B. machine learning
C. internet of things
D. deep learning
ans: a

30. ______ is used for ai because it supports the implementation of software that computes with
symbols very well.
A. lisp
B. eliza
C. prolog
D. nlp
ans: a

31. symbols, symbolic expressions and computing with those is at the core of
A. lisp
B. eliza
C. prolog
D. nlp
ans: a

32. ______ deals with the interaction between computers and humans using natural
language.
A. lisp
B. eliza
C. prolog
D. nlp
ans: d

33. the core components or constituents of ai are derived from


A. concept of logic
B. cognition
C. computation
D. all of above
ans: d

34. aristotle's theory of syllogism and descartes' and kant's critique of pure reason built
knowledge on ______.
A. logic
B. computation logic
C. cognition logic
D. all of above
ans: a

35. charles babbage and boole demonstrated the power of


A. logic
B. computation logic
C. cognition logic
D. all of above
ans: b

36. in the 1960s, ______ pushed the logical formalism to integrate reasoning with knowledge.
A. marvin minsky
B. alain colmerauer
C. john mccarthy
D. none of above
ans: a

37. sensing organs as input, mechanical movement organs as output and the central nervous system
(cns) in the brain as control and computing device is known as the ______ of a human being.
A. information control paradigm
B. information processing paradigm
C. information processing control
D. none of above
ans: b

38. ______ models were developed and incorporated in machines which mimicked the
functionalities of human origin.
A. functional model
B. neural model
C. computational model
D. none of above
ans: c

39. chomsky’s linguistic computational theory generated a model for syntactic analysis through

A. regular grammar
B. regular expression
C. regular word
D. none of these
ans: a

40. human to machine is ______ and machine to machine is ______.


A. process, process
B. process, program
C. program, hardware
D. program, program
ans: c

41. weak ai is also known as


A. narrow ai
B. general ai
C. neural ai
D. none of above
ans: a

42. ______ ai is able to perform a dedicated task.


A. narrow ai
B. general ai
C. neural ai
D. none of above
ans: a

43. narrow ai performs multiple tasks at a time.


A. true
B. false
ans: b

44. weak ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: c

45. strong ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: a

46. artificial intelligence is


A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: d

47. apple siri is a good example of ______ ai.


A. narrow ai
B. general ai
C. neural ai
D. none of above
ans: a

48. the ibm watson supercomputer comes under ______ ai.


A. narrow ai
B. general ai
C. neural ai
D. none of above
ans: a

49. ______ ai is a type of intelligence which could perform any intellectual task with efficiency
like a human.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b

50. the idea behind ______ ai is to make a system which could be smarter and think like
a human on its own.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b

51. researchers worldwide are now focusing on developing machines with ______ ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b

52. playing chess, purchasing suggestions on e-commerce sites, self-driving cars, speech
recognition, and image recognition are examples of ______.
A. narrow ai
B. general ai
C. super ai
D. None of above
Ans: A
53. a machine that can perform any task better than a human, with cognitive properties, is known as
______ ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: c

54. the ability to think, solve puzzles, make judgments, plan, learn and communicate on its own is known as
______ ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: c

55. ______ ai is a hypothetical concept of ai.


A. narrow ai
B. general ai
C. super ai
D. none of above
ans: c

56. which ai system does not store memories or past experiences for future actions?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a

57. which machines only focus on current scenarios and react to them with the best possible
action?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a

58. ibm's deep blue system is an example of ______.


A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a

59. google alphago is an example of ______.


A. reactive machine
B. limited memory
C. theory of mind
D. None of above
Ans: A
60. which can store past experiences or some data for a short period of time?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: b

61. a self-driving car is an example of ______.


A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: b [car stores recent speed of nearby cars, distance of others car, speed limit, other
information to navigate the road]

62. which ai should understand human emotions, people and beliefs, and be able to interact
socially like humans?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: c

63. which machines will be smarter than human mind?


A. reactive machine
B. limited memory
C. theory of mind
D. self-awareness
ans: d

64. which machines will have their own consciousness and sentiments?


A. reactive machine
B. theory of mind
C. self-awareness
D. both b & c
ans: c

65. which is not the commonly used programming language for ai?
A. prolog
B. lisp
C. perl
D. java script
ans: c

66. what is machine learning?


A. the autonomous acquisition of knowledge through the use of computer programs
B. the autonomous acquisition of knowledge through the use of manual programs
C. the selective acquisition of knowledge through the use of computer programs
D. the selective acquisition of knowledge through the use of manual programs
Ans: A
67. ______ is a branch of science that deals with programming systems in such a way
that they automatically learn and improve with experience.
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: a

68. classifying email as spam, labeling webpages based on their content, and voice recognition are
examples of ______.
A. supervised learning
B. unsupervised learning
C. machine learning
D. deep learning
ans: a

69. k-means, self-organizing maps and hierarchical clustering are examples of ______.


A. supervised learning
B. unsupervised learning
C. machine learning
D. deep learning
ans: b

70. deep learning is a subfield of machine learning whose algorithms are inspired by
the structure and function of the brain, called ______.
A. machine learning
B. artificial neural networks
C. deep learning
D. robotics
ans: b

71. machine learning was invented by ______.


A. john mccarthy
B. nicklaus wirth
C. joseph weizenbaum
D. arthur samuel
ans: d

chapter-2 internet of things

1. embedded systems are


A. general purpose
B. special purpose
ans: b

2. embedded system is
A. an electronic system
B. a pure mechanical system
C. an electro-mechanical system
D. (a) or (c)
Ans: D
3. which of the following is not true about embedded systems?
A. built around specialized hardware
B. always contain an operating system
C. execution behavior may be deterministic
D. all of these
E. none of these
ans: e

4. which of the following is not an example of a “small-scale embedded system”?


A. electronic barbie doll
B. simple calculator
C. cell phone
D. electronic toy car
ans: c

5. the first recognized modern embedded system is


A. apple computer
B. apollo guidance computer (agc)
C. calculator
D. radio navigation system
ans: b

6. the first mass produced embedded system is


A. minuteman-i
B. minuteman-ii
C. autonetics d-17
D. apollo guidance computer (agc)
ans: c

7. which of the following is an (are) an intended purpose(s) of embedded systems?


A. data collection
B. data processing
C. data communication
D. all of these
E. none of these
ans: d

8. which of the following is (are) example(s) of an embedded system for data communication?
A. usb mass storage device
B. network router
C. digital camera
D. music player
E. all of these
F. none of these
ans: b
9. what are the essential tight constraints related to the design metrics of an embedded system?
A. ability to fit on a single chip
B. low power consumption
C. fast data processing for real-time operations
D. all of the above
ans: d
10. a digital multi meter is an example of an embedded system for
A. data communication
B. monitoring
C. control
D. all of these
E. none of these
ans: b

11. which of the following is an (are) example(s) of an embedded system for signal processing?
A. apple ipod (media player device)
B. sandisk usb mass storage device
C. both (a) and (b)
D. none of these
ans: d

12. the instruction set of risc processor is


A. simple and lesser in number
B. complex and lesser in number
C. simple and larger in number
D. complex and larger in number
ans: a

13. which of the following is true about cisc processors?


A. the instruction set is non-orthogonal
B. the number of general purpose registers is limited
C. instructions are like macros in c language
D. variable length instructions
E. all of these
F. none of these
ans: e

14. main processor chip in computers is


A. asic
B. assp
C. cpu
D. cpld
ans: c

15. processors used in many microcontroller products need to be


A. high power
B. low power
C. low interrupt response
D. low code density
ans: b

16. in microcontrollers, uart is acronym of


A. universal applied receiver/transmitter
B. universal asynchronous rectified transmitter
C. universal asynchronous receiver/transmitter
D. united asynchronous receiver/transmitter
Ans: C
17. which architecture is followed by general purpose microprocessors?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: b

18. which architecture involves both the volatile and the non-volatile memory?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a

19. which architecture provides separate buses for program and data memory?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a

20. harvard architecture allows:
A. separate program and data memory
B. pipelining
C. complex architecture
D. all of the mentioned
ans: d

21. which of the following processor architecture supports easier instruction pipelining?
A. harvard
B. von neumann
C. both of them
D. none of these
ans: a

22. which of the following is an example of a wireless communication interface?
A. rs-232c
B. wi-fi
C. bluetooth
D. ieee 1394
E. both (b) and (c)
ans: e

23. arm stands for


A. advanced risc machine
B. advanced risc methodology
C. advanced reduced machine
D. advanced reduced methodology
ans: a
24. what is the processor used by arm7?
A. 8-bit cisc
B. 8-bit risc
C. 32-bit cisc
D. 32-bit risc
ans: d

25. the main importance of arm microprocessors is providing operation with


A. low cost and low power consumption
B. higher degree of multi-tasking
C. lower error or glitches
D. efficient memory management
ans: a

26. arm processors were basically designed for


A. main frame systems
B. distributed systems
C. mobile systems
D. super computers
ans: c

27. asic chip is


A. simple in design.
B. manufacturing time is less.
C. it is faster.
D. both a&c.
ans: c

28. asic stands for


A. application-system integrated circuits
B. application-specific integrated circuits
C. application-system internal circuits
D. application-specific internal circuits
ans: b

29. in microcontrollers, i2c stands for


A. inter-integrated clock
B. initial-integrated clock
C. intel-integrated circuit
D. inter-integrated circuit
ans: d

30. ______ is the smallest microcontroller which can be programmed to perform a
large range of tasks.
A. pic microcontrollers
B. arm microcontrollers
C. avr microcontrollers
D. asic microcontrollers
ans: - a
31. ______ was developed in the year 1996 by atmel corporation.
A. pic
B. avr
C. arm
D. asic
ans: - b

32. avr stands for ______.


A. advanced virtual risc.
B. alf-egil bogen and vegard wollan risc
C. both a & b
D. none of the above
ans: - c

33. the avr microcontroller executes most instructions in a ______.


A. single execution cycle.
B. double execution cycle.
C. both a& b
D. none of the above.
ans: - a

34. the term "the internet of things" was coined by


A. edward l. schneider
B. kevin ashton
C. john h.
D. charles anthony
ans: b

35. the huge numbers of devices connected to the internet of things have to communicate
automatically, not via humans, what is this called?
A. bot to bot(b2b)
B. machine to machine(m2m)
C. intercloud
D. skynet
ans: b

36. what does "things" in iot refer to?


A. general device
B. information
C. iot devices
D. object
ans: c

37. interconnection of internet and computing devices embedded in everyday objects, enabling
them to send and receive data is called
A. internet of things
B. network interconnection
C. object determination
D. none of these
ans: a
38. ______ is a computing concept that describes the idea of everyday physical objects
being connected to the internet.
A. iot (internet of things)
B. mqtt
C. coap
D. spi
ans: -a

39. ______ devices may support a number of interoperable communication protocols and
communicate with other devices and also with infrastructure.
A. artificial intelligence
B. machine learning
C. internet of things
D. none of above
ans: c

40. which one is not an element of iot?


A. process
B. people
C. security
D. things
ans:c

41. iiot stands for


A. information internet of things
B. industrial internet of things
C. inovative internet of things
D. none of above
ans:b

42. what is the name of the first recognized iot device?


A. smart watch
B. atm
C. radio
D. video game
ans: b

43. ______ is used by iot.


A. radio information technology
B. satellite
C. cable
D. broadband
ans:a

44. ______ consists of communication protocols for electronic devices, typically a mobile device
and a standard device.
A. rfid
B. mqtt
C. nfc
D. none of above
ans:c
45. ______ refers to establishing a proper connection between all the things of iot.
A. connectivity
B. analyzing
C. sensing
D. active engagement
ans: - a

46. iot devices have unique identities and can perform ______.
A. remote sensing
B. actuating
C. monitoring capabilities
D. all of the above
ans: - d

47. the sensed data is communicated to ______.


A. cloud-based servers/storage.
B. i/o interfaces.
C. internet connectivity.
D. none of the above
ans: - a

48. iot devices are of various types, for instance ______.


A. wearable sensors.
B. smart watches.
C. led lights.
D. all of the above
ans: - d

49. ______ is a collection of wired ethernet standards for the link layer.
A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans: - a

50. ______ is a collection of wlan communication standards.
A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans:b

51. ______ is a collection of wireless broadband standards (wimax).
A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans:c

52. ______ is a collection of standards for lr-wpans.
A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans:d

53. lr-wpan standards form the basis of specifications for high-level communication protocols
such as ______.
A. zigbee
B. allsean
C. tyrell
D. microsoft's azure
ans:a

54. ______ includes gsm and cdma.


A. 2g
B. 3g
C. 4g
D. none of above
ans:a

55. ______ includes umts and cdma2000.


A. 2g
B. 3g
C. 4g
D. none of above
ans:b

56. ______ includes lte.
A. 2g
B. 3g
C. 4g
D. none of above
ans:c

57. ______ protocols determine how the data is physically sent over the network's
physical layer or medium.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: - d
58. the ______ is responsible for sending ip datagrams from the source network to the
destination network.
A. application layer
B. transport layer
C. network layer
D. link layer
Ans: C
59. the ______ performs host addressing and packet routing.
A. application layer
B. transport layer
C. network layer
D. link layer
ans:c

60. ______ protocols provide end-to-end message transfer capability independent of the
underlying network.
A. network layer
B. transport layer
C. application layer
D. link layer
ans: - b

61. the ______ protocols define how applications interface with the lower-layer protocols to send
data over the network.
A. application layer
B. transport layer
C. network layer
D. link layer
ans:a

62. 6lowpan stands for


A. 6 low personal area network
B. ipv6 low personal area network
C. ipv6 over low power wireless personal area network
D. none of above
ans:c

63. 802.3 is the standard for 10base5 ethernet that uses ______ cable as the shared medium.
A. twisted pair cable
B. coaxial cable
C. fiber optic cable
D. none of the above
ans: - b

64. ieee 802.11 standards provide data rates


A. 10 gbit/s.
B. 1 gbit/s
C. 1 mb/s to up to 6.75 gb/s
D. 250 kb/s
ans: - c

65. which of the following is a protocol related to iot?
A. zigbee
B. 6lowpan
C. coap
D. all of the above
ans: d
66. is useful for time-sensitive application that have very small data units to
exchange and do not want the overhead of connection setup.
A. tcp
B. udp
C. transport layer
D. none of the above.
ans: - b

67. protocol uses universal resource identifiers (uris) to identify http


resources.
A. http
B. coap
C. websocket
D. mqtt
ans: a

68. the 10/100mbit ethernet support enables the board to connect to


A. lan
B. man
C. wan
D. wlan
ans: a

69. which one out of these is not a data link layer technology?
A. bluetooth
B. uart
C. wi-fi
D. http
ans: d

70. what is size of the ipv6 address?


A. 32 bits
B. 64 bits
C. 128 bits
D. 256 bits
ans: c

71. MQTT stands for ______.
A. MQ telemetry things
B. MQ transport telemetry
C. MQ transport things
D. MQ telemetry transport
Ans: D

72. MQTT is better than HTTP for sending and receiving data.
A. true
B. false
Ans: A

73. MQTT is a ______ protocol.
A. machine to machine
B. Internet of Things
C. machine to machine and Internet of Things
D. machine things
Ans: C

74. Which protocol is lightweight?
A. MQTT
B. HTTP
C. CoAP
D. SPI
Ans: A

75. MQTT is:
A. based on client-server architecture
B. based on publish-subscribe architecture
C. based on both of the above
D. based on none of the above
Ans: B

76. XMPP is used for streaming which type of elements?
A. XPL
B. XML
C. XHL
D. MPL
Ans: B

77. XMPP creates a ______ identity.
A. device
B. email
C. message
D. data
Ans: A

78. XMPP uses a ______ architecture.
A. decentralized client-server
B. centralized client-server
C. message
D. publish/subscribe
Ans: A

79. What does HTTP do?
A. enables network resources and reduces perception of latency
B. reduces perception of latency and allows multiple concurrent exchanges
C. allows multiple concurrent exchanges and enables network resources
D. enables network resources, reduces perception of latency and allows multiple concurrent exchanges
Ans: D

80. HTTP expands to?
A. Hyper Text Transfer Protocol
B. Hyper Terminal Transfer Protocol
C. Hyper Text Terminal Protocol
D. Hyper Terminal Text Protocol
Ans: A
81. CoAP is specialized in ______.
A. internet applications
B. device applications
C. wireless applications
D. wired applications
Ans: A

82. Which protocol is used to link all the devices in the IoT?
A. TCP/IP
B. network
C. UDP
D. HTTP
Ans: A

83. Data in the network layer is transferred in the form of ______.
A. layers
B. packets
C. bytes
D. bits
Ans: B

84. Which service is provided by the application layer?
A. web chat
B. error control
C. connection services
D. congestion control
Ans: A

85. TCP and UDP are called ______.
A. application protocols
B. session protocols
C. transport protocols
D. network protocols
Ans: C

86. A security-based connection is provided by which layer?
A. application layer
B. transport layer
C. session layer
D. network layer
Ans: D

87. Using which of the following in the transport layer can data integrity be assured?
A. checksum
B. repetition codes
C. cyclic redundancy checks
D. error correction codes
Ans: A

88. The transport layer receives data in the form of ______.
A. packets
B. byte streams
C. bit streams
D. both packets and byte streams
Ans: B

89. The network layer is considered as the ______.
A. backbone
B. packets
C. bytes
D. bits
Ans: A

90. The network layer consists of which hardware devices?
A. routers
B. bridges
C. switches
D. all of the above
Ans: D

91. A network layer protocol exists in ______.
A. hosts
B. switches
C. packets
D. bridges
Ans: A

92. Which protocol has quality of service?
A. XMPP
B. HTTP
C. CoAP
D. MQTT
Ans: A
93. ______ is a data-centric middleware standard for device-to-device and machine-to-machine communication.
A. Data Distribution Service (DDS)
B. Advanced Message Queuing Protocol (AMQP)
C. Extensible Messaging and Presence Protocol (XMPP)
D. Message Queue Telemetry Transport (MQTT)
Ans: A

94. ______ is a bi-directional, full-duplex communication model that uses a persistent connection between client and server.
A. request-response
B. publish-subscribe
C. push-pull
D. exclusive pair
Ans: D

95. ______ is a stateful communication model in which the server is aware of all open connections.
A. request-response
B. publish-subscribe
C. push-pull
D. exclusive pair
Ans: D

96. Which is not an IoT communication model?
A. request-response
B. publish-subscribe
C. push-producer
D. exclusive pair
Ans: C

97. In NodeMCU, MCU stands for ______.
A. micro control unit
B. micro controller unit
C. macro control unit
D. macro controller unit
Ans: B

98. REST is an acronym for ______.
A. representational state transfer
B. represent state transfer
C. representational state transmit
D. representational store transfer
Ans: A

99. WSN stands for ______.
A. wide sensor network
B. wireless sensor network
C. wired sensor network
D. none of these
Ans: B

100. Benefits of cloud computing services:
A. fast
B. anywhere access
C. higher utilization
D. all of the above
Ans: D

101. PaaS stands for ______.
A. platform as a service
B. platform as a survey
C. people as a service
D. platform as a survey
Ans: A

102. ______ as a service is a cloud computing infrastructure that creates a development environment upon which applications may be built.
A. infrastructure
B. service
C. platform
D. all of the mentioned
Ans: C

103. ______ is a cloud computing service model in which hardware is virtualized in the cloud.
A. IaaS
B. CaaS
C. PaaS
D. none of the mentioned
Ans: A

104. Which of the following is the fundamental unit of a virtualized client in an IaaS deployment?
A. workunit
B. workspace
C. workload
D. all of the mentioned
Ans: C
105. ______ offering provides the tools and development environment to deploy applications on another vendor's application.
A. PaaS
B. IaaS
C. CaaS
D. all of the mentioned
Ans: B

106. ______ is the most refined and restrictive service model.
A. IaaS
B. CaaS
C. PaaS
D. all of the mentioned
Ans: C

107. ______ is suitable for IoT applications that have low latency or high throughput requirements.
A. REST
B. publish-subscribe
C. push-pull
D. WebSocket
Ans: D

108. ______ is one of the most popular wireless technologies used by WSNs.
A. ZigBee
B. AllSeen
C. Tyrell
D. Z-Wave
Ans: A

109. ZigBee specifications are based on ______.
A. 802.3
B. 802.11
C. 802.16
D. 802.15.4
Ans: D

110. ______ is a transformative computing paradigm that involves delivering applications and services over the internet.
A. WSN
B. cloud computing
C. big data
D. none of the above
Ans: B

111. The process of collecting, organizing and analysing large sets of data is called ______.
A. WSN
B. cloud computing
C. big data
D. none of the above
Ans: C

112. Does the Raspberry Pi need external hardware?
A. true
B. false
Ans: B

113. Does the RPi have internal memory?
A. true
B. false
Ans: A

114. What do we use to connect a TV to the RPi?
A. male HDMI
B. female HDMI
C. male HDMI and adapter
D. female HDMI and adapter
Ans: C

115. How is power supplied to the RPi?
A. USB connection
B. internal battery
C. charger
D. adapter
Ans: A

116. What is the Ethernet/LAN cable used in the RPi?
A. Cat5
B. Cat5e
C. Cat6
D. RJ45
Ans: D

117. Which instruction set architecture is used in the Raspberry Pi?
A. x86
B. MSP
C. AVR
D. ARM
Ans: D

118. Is a micro SD card present in all modules?
A. true
B. false
Ans: A
119. Which characteristic involves the facility of the thing to respond in an intelligent way to a particular situation?
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
Ans: A

120. ______ empowers IoT by bringing together everyday objects.
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
Ans: B

121. The collection of data is achieved with ______ changes.
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
Ans: C

122. ______: the number of devices that need to be managed and that communicate with each other will be much larger.
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
Ans: D

123. ______ in IoT, as one of the key characteristics, means devices have different hardware platforms and networks.
A. sensors
B. heterogeneity
C. security
D. connectivity
Ans: B

124. Devices that transform electrical signals into physical movements are ______.
A. sensors
B. actuators
C. switches
D. displays
Ans: B

125. Stepper motors are ______.
A. AC motors
B. DC motors
C. electromagnets
D. none of the above
Ans: B

126. DC motors convert electrical energy into ______ energy.
A. mechanical
B. wind
C. electric
D. none
Ans: A

127. Linear actuators are used in ______.
A. machine tools
B. industrial machinery
C. both A and B
D. none
Ans: A

128. A solenoid is a specially designed ______.
A. actuator
B. machine
C. electromagnet
D. none of the above
Ans: C

129. Stepper motors are ______.
A. AC motors
B. DC motors
C. electromagnets
D. none of the above
Ans: B

130. Accelerometer sensors are used in ______.
A. smartphones
B. aircraft
C. both
D. none of the above
Ans: C

131. Image sensors are found in ______.
A. cameras
B. night-vision equipment
C. sonars
D. all of the above
Ans: D

132. Gas sensors are used to detect ______ gases.
A. toxic
B. natural
C. oxygen
D. hydrogen
Ans: A
133. Properties of Arduino are:
A. inexpensive
B. independent
C. simple
D. both A and C
Ans: D

134. Properties of IoT devices:
A. sense
B. send and receive data
C. both A and B
D. none of the above
Ans: C

135. IoT devices are ______.
A. standard
B. non-standard
C. both
D. none
Ans: B

136. What is the microcontroller used in the Arduino Uno?
A. ATmega328P
B. ATmega2560
C. ATmega32114
D. AT91SAM3X8E
Ans: A

137. ______ is an open-source electronic platform based on easy-to-use hardware and software.
A. Arduino
B. Uno
C. Raspberry Pi
D. Node
Ans: A

138. ______ is used for latching, locking and triggering.
A. solenoid
B. relay
C. linear actuator
D. servo motors
Ans: A

139. ______ detects the presence or absence of a nearby object without any physical contact.
A. smoke sensor
B. pressure sensor
C. IR sensor
D. proximity sensor
Ans: D

140. ______ sensors include thermocouples, thermistors, resistance temperature detectors (RTDs) and integrated circuits (ICs).
A. smoke sensor
B. temperature sensor
C. IR sensor
D. proximity sensor
Ans: B

141. The measurement of humidity is ______.
A. RH
B. pH
C. IC
D. none of the above
Ans: A

142. ______ sensor is used for automatic door controls, automatic parking systems, automated sinks, automated toilet flushers and hand dryers.
A. smoke sensor
B. temperature sensor
C. IR sensor
D. motion sensor
Ans: D

143. ______ sensor measures heat emitted by objects.
A. smoke sensor
B. temperature sensor
C. IR sensor
D. proximity sensor
Ans: C

Chapter 3: Basics of Digital Forensics

1. Digital forensics is all of the following except:
A. extraction of computer data
B. preservation of computer data
C. interpretation of computer data
D. manipulation of computer data
Ans: D

2. IDIP stands for ______.
A. Integrated Digital Investigation Process
B. Integrated Data Investigator Process
C. Integrated Digital Investigator Process
D. Independent Digital Investigator Process
Ans: A

3. Who proposed the Road Map for Digital Forensic Research (RMDFR)?
A. G. Gunsch
B. S. Ciardhuain
C. J. Korn
D. G. Palmer
Ans: D

4. An investigator should satisfy the following points:
A. contribute to society and human beings
B. avoid harm to others
C. be honest and trustworthy
D. all of the above
Ans: D

5. In the past, the method for expressing an opinion has been to frame a ______ question based on available factual evidence.
A. hypothetical
B. nested
C. challenging
D. contradictory
Ans: A

6. More subtle because you are not aware that you are running these macros (the document opens and the application automatically runs them); spread via email.
A. the purpose of copyright
B. danger of macro viruses
C. derivative works
D. computer-specific crime
Ans: B

7. There are three C's in computer forensics. Which is one of the three?
A. control
B. chance
C. chains
D. core
Ans: A

8. When was the Federal Bureau of Investigation program created?
A. 1979
B. 1984
C. 1995
D. 1989
Ans: B

9. When did the field of PC forensics begin?
A. 1960s
B. 1970s
C. 1980s
D. 1990s
Ans: C

10. What is digital forensics?
A. the process of using scientific knowledge in the analysis and presentation of evidence in court
B. the application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation
C. the process where we develop and test hypotheses that answer questions about digital events
D. the use of science or technology in the investigation and establishment of the facts or evidence in a court of law
Ans: B

11. Digital forensics entails ______.
A. accessing the system's directories in viewing mode and navigating through the various system files and folders
B. undeleting and recovering lost files
C. identifying and solving computer crimes
D. the identification, preservation, recovery, restoration and presentation of digital evidence from systems and devices
Ans: D

12. Which of the following is false?
A. the digital forensic investigator must maintain absolute objectivity
B. it is the investigator's job to determine someone's guilt or innocence
C. it is the investigator's responsibility to accurately report the relevant facts of a case
D. the investigator must maintain strict confidentiality, discussing the results of an investigation on only a "need to know"
Ans: B
13. What is the most significant legal issue in computer forensics?
A. preserving evidence
B. seizing evidence
C. admissibility of evidence
D. discovery of evidence
Ans: C

14. The ______ phase includes putting the pieces of a digital puzzle together and developing investigative hypotheses.
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
Ans: D

15. In the ______ phase the investigator transfers the relevant data from a venue out of the physical or administrative control of the investigator to a controlled location.
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
Ans: B

16. In the ______ phase the investigator transfers the relevant data from a venue out of the physical or administrative control of the investigator to a controlled location.
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
Ans: B

17. Computer forensics does not involve ______ activity.
A. preservation of computer data
B. extraction of computer data
C. manipulation of computer data
D. interpretation of computer data
Ans: C

18. A set of instructions compiled into a program that performs a particular task is known as:
A. hardware
B. CPU
C. motherboard
D. software
Ans: D

19. Which of the following is not a rule of digital forensics?
A. an examination should be performed on the original data
B. a copy is made onto forensically sterile media; new media should always be used if available
C. the copy of the evidence must be an exact, bit-by-bit copy
D. the examination must be conducted in such a way as to prevent any modification of the evidence
Ans: A

20. To collect and analyze the digital evidence that was obtained from the physical investigation phase is the goal of which phase?
A. physical crime investigation
B. digital crime investigation
C. review phase
D. deployment phase
Ans: B

21. To provide a mechanism for an incident to be detected and confirmed is the purpose of which phase?
A. physical crime investigation
B. digital crime investigation
C. review phase
D. deployment phase
Ans: D

22. Which phase entails a review of the whole investigation and identifies areas of improvement?
A. physical crime investigation
B. digital crime investigation
C. review phase
D. deployment phase
Ans: C

23. ______ is known as the father of computer forensics.
A. G. Palmer
B. J. Korn
C. Michael Anderson
D. S. Ciardhuain
Ans: C

24. ______ is a well-established science to which various contributions have been made.
A. forensics
B. crime
C. cyber crime
D. evidence
Ans: A
25. Who proposed the End-to-End Digital Investigation Process (EEDIP)?
A. G. Palmer
B. Stephenson
C. Michael Anderson
D. S. Ciardhuain
Ans: B

26. Which model of investigation was proposed by Carrier and Spafford?
A. Extended Model of Cybercrime Investigation (EMCI)
B. Integrated Digital Investigation Process (IDIP)
C. Road Map for Digital Forensic Research (RMDFR)
D. Abstract Digital Forensic Model (ADFM)
Ans: B

27. Which of the following is not a property of computer evidence?
A. authentic and accurate
B. complete and convincing
C. duplicated and preserved
D. conform and human readable
Ans: D

28. ______ can make or break an investigation.
A. crime
B. security
C. digital forensics
D. evidence
Ans: D

29. ______ is software that blocks unauthorized users from connecting to your computer.
A. firewall
B. quick launch
C. OneLogin
D. Centrify
Ans: A

30. Which of the following are general ethical norms for an investigator?
A. to contribute to society and human beings
B. to avoid harm to others
C. to be honest and trustworthy
D. all of the above
E. none of the above
Ans: D

31. Which of the following are unethical norms for an investigator?
A. uphold any relevant evidence
B. declare any confidential matters or knowledge
C. distort or falsify education, training, credentials
D. all of the above
E. none of the above
Ans: D

32. Which of the following is not a general ethical norm for an investigator?
A. to contribute to society and human beings
B. uphold any relevant evidence
C. to be honest and trustworthy
D. to honor confidentiality
Ans: B

33. Which of the following is not an unethical norm for digital forensics investigation?
A. uphold any relevant evidence
B. declare any confidential matters or knowledge
C. distort or falsify education, training, credentials
D. to respect the privacy of others
Ans: D

34. What is the process of creating a duplicate of digital media for the purpose of examining it called?
A. acquisition
B. steganography
C. live analysis
D. hashing
Ans: A

35. Which term refers to modifying a computer in a way which was not originally intended in order to view information?
A. metadata
B. live analysis
C. hacking
D. bit copy
Ans: C

36. The ability to recover and read deleted or damaged files from a criminal's computer is an example of a law enforcement specialty called?
A. robotics
B. simulation
C. computer forensics
D. animation
Ans: C

37. Which are the important parts of a mobile device used in digital forensics?
A. SIM
B. RAM
C. ROM
D. eMMC chip
Ans: D
38. Using what can data hiding in encrypted images be carried out in digital forensics?
A. acquisition
B. steganography
C. live analysis
D. hashing
Ans: B

39. Which of these is not a computer crime?
A. e-mail harassment
B. falsification of data
C. sabotage
D. identification of data
Ans: D

40. Which file is used to store the user-entered password?
A. .exe
B. .txt
C. .iso
D. .sam
Ans: D

41. ______ is the process of recording as much data as possible to create reports and analysis on user input.
A. data mining
B. data carving
C. metadata
D. data spoofing
Ans: A

42. ______ searches through raw data on a hard drive without using a file system.
A. data mining
B. data carving
C. metadata
D. data spoofing
Ans: B

43. What is the first step in retrieving data from an encrypted hard drive?
A. formatting the disk
B. storing data
C. finding configuration files
D. deleting files
Ans: C
Bharati Vidyapeeth Institute of Technology
Question Bank

Unit Test-II (Shift: I & II)

Program: Computer Engineering Group    Program Code: CM/IF
Course Title: Emerging Trends in Computer Technology    Semester: Sixth
Course Abbr & Code: ETI (22618)    Scheme: I

--------------------------------------------------------------------------------------------------

Multiple Choice Questions and Answers

Chapter 4: Digital Evidence (CO4)

1. A valid definition of digital evidence is:
A. data stored or transmitted using a computer
B. information of probative value
C. digital data of probative value
D. any digital evidence on a computer
Ans: C

2. What are the three general categories of computer systems that can contain digital evidence?
A. desktop, laptop, server
B. personal computer, internet, mobile telephone
C. hardware, software, networks
D. open computer systems, communication systems, and embedded systems
Ans: D

3. In terms of digital evidence, a hard drive is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
Ans: A

4. In terms of digital evidence, a mobile telephone is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
Ans: C

5. In terms of digital evidence, a smart card is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
Ans: C

6. In terms of digital evidence, the internet is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
Ans: B

7. Computers can be involved in which of the following types of crime?
A. homicide and sexual assault
B. computer intrusions and intellectual property theft
C. civil disputes
D. all of the above
Ans: D

8. A logon record tells us that, at a specific time:
A. an unknown person logged into the system using the account
B. the owner of a specific account logged into the system
C. the account was used to log into the system
D. none of the above
Ans: C

9. Cyber trails are advantageous because:
A. they are not connected to the physical world
B. nobody can be harmed by crime on the internet
C. they are easy to follow
D. offenders who are unaware of them leave behind more clues than they otherwise would have
Ans: D

10. Private networks can be a richer source of evidence than the internet because:
A. they retain data for longer periods of time
B. owners of private networks are more cooperative with law enforcement
C. private networks contain a higher concentration of digital evidence
D. all of the above
Ans: C

11. Due to caseload and budget constraints, computer security professionals often attempt to limit the damage and close each investigation as quickly as possible. Which of the following is not a significant drawback to this approach?
A. each unreported incident robs attorneys and law enforcement personnel of an opportunity to learn about the basics of computer-related crime
B. responsibility for incident resolution frequently does not reside with the security professional, but with management
C. this approach results in under-reporting of criminal activity, deflating statistics that are used to allocate corporate and government spending on combating computer-related crime
D. computer security professionals develop loose evidence processing habits that can make it more difficult for law enforcement personnel and attorneys to prosecute an offender
E. none of the above
Ans: B
12. The criminological principle which states that, when anyone, or anything, enters a crime scene he/she takes something of the scene with him/her, and leaves something of himself/herself behind, is:
A. Locard's exchange principle
B. differential association theory
C. Beccaria's social contract
D. none of the above
Ans: A

13. The author of a series of threatening e-mails consistently uses "im" instead of "I'm". This is an example of:
A. an individual characteristic
B. an incidental characteristic
C. a class characteristic
D. an indeterminate characteristic
Ans: A

14. Personal computers and networks are often a valuable source of evidence. Those involved with ______ should be comfortable with this technology.
A. criminal investigation
B. prosecution
C. defense work
D. all of the above
Ans:

15. An argument for including computer forensic training for computer security specialists is:
A. it provides an additional credential
B. it provides them with the tools to conduct their own investigations
C. it teaches them when it is time to call in law enforcement
D. none of the above
Ans: C

16. Digital evidence is used to establish a credible link between ______.
A. attacker and victim and the crime scene
B. attacker and the crime scene
C. victim and the crime scene
D. attacker and information
Ans: A

17. Digital evidence must follow the requirements of the ______.
A. ideal evidence rule
B. best evidence rule
C. exchange rule
D. all of the mentioned
Ans: B

18. From the two given statements a and b, select the correct option from A-D.
a. Original media can be used to carry out the digital investigation process.
b. By default, every part of the victim's computer is considered as unreliable.
A. a and b are both true
B. a is true and b is false
C. a and b are both false
D. a is false and b is true
Ans: B

19. The evidence or proof that can be obtained from an electronic source is called ______.
A. digital evidence
B. demonstrative evidence
C. explainable evidence
D. substantial evidence
Ans: A

20. Which of the following is not a type of volatile evidence?
A. routing tables
B. main memory
C. log files
D. cached data
Ans: C

21. The evidence must be usable in the court, which is called ______.
A. admissible
B. authentic
C. complete
D. reliable
Ans: A

22. Photographs, videos, sound recordings, X-rays, maps, drawings, graphs and charts are a type of ______.
A. illustrative evidence
B. electronic evidence
C. documented evidence
D. explainable evidence
Ans: A
23. Email and hard drives are examples of ______.
A. illustrative evidence
B. electronic evidence
C. documented evidence
D. explainable evidence
Ans: B

24. Blood, fingerprints and DNA are examples of ______.
A. illustrative evidence
B. electronic evidence
C. documented evidence
D. substantial evidence
Ans: D

25. When an incident takes place, a criminal will leave a hint of evidence at the scene and remove a hint from the scene, which is called ______.
A. Locard's exchange principle
B. Anderson's exchange principle
C. Charles's Anthony principle
D. Kevin Ashton principle
Ans: A

26. Which is not a procedure to establish a chain of custody?
A. save the original materials
B. take photos of physical evidence
C. don't take screenshots of digital evidence content
D. document date, time, and any other information of receipt
Ans: C

27. Which is not related to digital evidence?
A. work with the original evidence to develop procedures
B. use clean collecting media
C. document any extra scope
D. consider safety of personnel at the scene
Ans: A

28. Which is an example of non-volatile memory?
A. flash memory
B. registers and cache
C. process table
D. ARP cache
Ans: A

29. ______ is known as testimonial.
A. oath affidavit
B. DNA samples
C. fingerprint
D. dried blood
Ans: A

30. The process of ensuring that the data you have collected is the same as the data provided or presented in a court is known as ______.
A. evidence validation
B. relative evidence
C. best evidence
D. illustrative evidence
Ans: A

31. When cases go to trial, your forensics examiner plays one of ______ roles.
A. 2
B. 4
C. 3
D. 5
Ans: A

32. Types of digital evidence:
A. eye witness
B. picture and video
C. paper work
D. none of the above
Ans: B

33. The rule of evidence is also known as ______.
A. law of witness
B. law of litigation
C. law of evidence
D. all of the above
Ans: C

True or False Questions
1. Digital evidence is only useful in a court of law.
A. true
B. false
Ans: B

2. Attorneys and police are encountering progressively more digital evidence in their work.
A. true
B. false
Ans: A

3. Video surveillance can be a form of digital evidence.
A. true
B. false
Ans: A

4. All forensic examinations should be performed on the original digital evidence.
A. true
B. false
Ans: B

5. Digital evidence can be duplicated exactly without any changes to the original data.
A. true
B. false
Ans: B

6. Computers were involved in the investigations into both World Trade Center attacks.
A. true
B. false
Ans: A

7. Digital evidence is always circumstantial.
A. true
B. false
Ans: B

8. Digital evidence alone can be used to build a solid case.
A. true
B. false
Ans: B

9. Computers can be used by terrorists to detonate bombs.
A. true
B. false
Ans: A

10. The aim of a forensic examination is to prove with certainty what occurred.
A. true
B. false
Ans: B

11. Even digital investigations that do not result in legal action can benefit from principles of forensic science.
A. true
B. false
Ans: A

12. Forensic science is the application of science to the investigation and prosecution of crime or to the just resolution of conflict.
A. true
B. false
Ans: A

Chapter 5: Basics of Hacking (CO5)

1. Ethical hacking is also known as ______.
A. black hat hacking
B. white hat hacking
C. encryption
D. none of these
Ans: B

2. Tool(s) used by an ethical hacker: ______.
A. scanner
B. decoder
C. proxy
D. all of these
Ans: D

3. Vulnerability scanning in ethical hacking finds ______.
A. strengths
B. weaknesses
C. both A and B
D. none of these
Ans: B

4. Ethical hacking will allow one to ______ all the massive security breaches.
A. remove
B. measure
C. reject
D. none of these
Ans: B

5. The sequential steps hackers use are: ______.
A. maintaining access
B. reconnaissance
C. scanning
D. gaining access

A. b, c, d, a
B. b, a, c, d
C. a, b, c, d
D. d, c, b, a
Ans: A

6. ______ is the art of exploiting the human element to gain access as an authorized user.
A. social engineering
B. IT engineering
C. ethical hacking
D. none of the above
Ans: A

7. Which hacker refers to an ethical hacker?
A. black hat hacker
B. white hat hacker
C. grey hat hacker
D. none of the above
Ans: B

8. The term cracker refers to ______.
A. black hat hacker
B. white hat hacker
C. grey hat hacker
D. none of the above
Ans: A

9. Who described a dissertation on the fundamentals of the hacker's attitude?
A. G. Palma
B. Raymond
C. either
D. Jhon Browman
Ans: B

10. Computer hackers have been in existence for more than a ______.
A. decade
B. year
C. century
D. era
Ans: C

11. Hackers hack for?
A. fame
B. profit
C. revenge
D. all of the above
Ans: D

12. The intent of an ethical hacker is to discover vulnerabilities from an ______ point of view to better secure the system.
A. victim's
B. attacker's
C. both A and B
D. none of these
Ans: B

13. Security audits are usually based on ______.
A. entries
B. checklists
C. both A and B
D. none of the above
Ans: B

14. Ethical hacking consists of ______.
A. penetration testing
B. intrusion testing
C. red teaming
D. all of the above
Ans: D

15. ______ is a person who finds and exploits the weaknesses in a computer system.
A. victim
B. hacker
C. developer
D. none of the above
Ans: B

16. A white hat hacker is one who ______.
A. fixes identified weaknesses
B. steals the data
C. identifies the weakness and leaves a message for the owner
D. none of the above
Ans: A

17. A black hat hacker is one who ______.
A. fixes identified weaknesses
B. steals the data
C. identifies the weakness and leaves a message for the owner
D. none of the above
Ans: B

18. A grey hat hacker is one who ______.
A. fixes identified weaknesses
B. steals the data
C. identifies the weakness and leaves a message for the owner
D. none of the above
Ans: C

19. Keeping information secured can protect an organization's image and save the organization a lot of money.
A. true
B. false
Ans: A

20. Information is one of the most valuable assets of an organization.
A. true
B. false
Ans: A

21. To catch a thief, think like a ______.
A. police officer
B. forensics examiner
C. thief
D. hacker
Ans: C

22. ______ can create a false feeling of safety.
A. firewall
B. encryption
C. VPNs
D. all of the above
Ans: D

23. ______ exploits that involve manipulating people and users, even yourself, are the greatest vulnerability within any computer.
A. nontechnical attacks
B. network infrastructure attacks
C. operating system attacks
D. application and other specialized attacks
Ans: A

24. Connecting into a network through a rogue modem attached to a computer behind a firewall is an example of ______.
A. nontechnical attacks
B. network infrastructure attacks
C. operating system attacks
D. application and other specialized attacks
Ans: B

25. ______ comprise a large portion of hacker attacks simply because every computer has one and so well-known exploits can be used against them.
A. nontechnical attacks
B. network infrastructure attacks
C. operating system attacks
D. application and other specialized attacks
Ans: C

26. ______ should be done before the ethical hacking process.
A. data gathering
B. attacking
C. planning
D. research
Ans: C

27. Which permission is necessary before ethical hacking?
A. written permission
B. decision maker permission
C. privacy permission
D. risk permission
Ans: A

28. Which tool is used to crack passwords?
A. Nmap
B. LC4
C. ToneLoc
D. Nessus
Ans: B

29. Which tool is used for in-depth analysis of a web application?
A. Whisker
B. SuperScan
C. Nikto
D. Kismet
Ans: A

30. Which tool is used to encrypt email?
A. WebInspect
B. QualysGuard
C. PGP (Pretty Good Privacy)
D. none of the above
Ans: C

31. Malicious attackers often think like?
A. thieves
B. kidnappers
C. both A and B
D. none of the above
Ans: C

32. Which hackers try to distribute political or social messages through their work?
A. black hat hacker
B. hacktivist
C. script kiddies
D. white hat hacker
Ans: B

33. ______ are part of organized crime on the internet.
A. criminals
B. antinationalists
C. hackers for hire
D. none of the above
Ans: C

34. Which magazines release the latest hacking methods?
A. 2600
B. Hakin9
C. Phrack
D. all of the above
Ans: D

35. Performing shoulder surfing in order to check others' passwords is ______ ethical practice.
A. a good
B. not so good
C. very good social engineering practice
D. a bad
Ans: D

36. ______ has now evolved to be one of the most popular automated tools for unethical hacking.
A. automated apps
B. database software
C. malware
D. worms
Ans: C

37. Leaking your company's data to an outside network without prior permission of senior authority is a crime.
A. true
B. false
Ans: A

38. A penetration tester must identify and keep in mind the ______ & ______ requirements of a firm while evaluating its security posture.
A. privacy and security
B. rules and regulations
C. hacking techniques
D. ethics to talk to seniors
Ans: A

39. The legal risks of ethical hacking include lawsuits due to ______ of personal data.
A. stealing
B. disclosure
C. deleting
D. hacking
Ans: B

40. Before performing any penetration test, through legal procedure, which key point listed below is not mandatory?
A. know the nature of the organization
B. characteristics of work done in the firm
C. system and network
D. type of broadband company used by the firm
ans. d
chapter-6
types of hacking (co6)

1. snmp stands for
A. simple network messaging protocol
B. simple network mailing protocol
C. simple network management protocol
D. simple network master protocol
ans: c

2. which of the following tools is used for network testing and port scanning?
A. netcat
B. superscan
C. netscan
D. all of the above
ans: d

3. banner grabbing is used for
A. white hat hacking
B. black hat hacking
C. grey hat hacking
D. script kiddies
ans: a

4. an attacker can create a ____ attack by sending hundreds or thousands of e-mails with very large attachments.
A. connection attack
B. auto responder attack
C. attachment overloading attack
D. all the above
ans: b

5. which of the following tools is used on windows for network queries, from dns lookups to traceroutes?
A. sam spade
B. superscan
C. netscan
D. netcat
ans: a

6. which tool is used for ping sweeps and port scanning?
A. netcat
B. sam spade
C. superscan
D. all the above
ans: c

7. which of the following tools is used for security checks such as port scanning and firewall testing?
A. netcat
B. nmap
C. data communication
D. netscan
ans: a

8. what is the most important activity in system cracking?
A. information gathering
B. cracking passwords
C. escalating privileges
D. covering tracks
ans: b

9. which nmap scan does not completely open a tcp connection?
A. syn stealth scan
B. tcp scan
C. xmas tree scan
D. ack scan
ans: a

10. key loggers are a form of
A. spyware
B. shoulder surfing
C. trojan
D. social engineering
ans: a

11. nmap is an abbreviation of network mapper.
A. true
B. false
ans: a

12. ____ is a popular tool used for discovering networks as well as for security auditing.
A. ettercap
B. metasploit
C. nmap
D. burp suite
ans: c

13. which of these does nmap not check?
A. the services different hosts are offering
B. what os they are running
C. what kind of firewall is in use
D. what type of antivirus is in use
ans: d

14. what is the purpose of a denial of service attack?
A. to exploit a weakness in the tcp/ip stack
B. to execute a trojan horse on a system
C. to overload a system so it is no longer operational
D. to shut down services by turning them off
ans: c

15. what are some of the most common vulnerabilities that exist in a network system?
A. changing the manufacturer's or recommended settings of a newly installed application
B. additional unused features on commercial software packages
C. utilizing open source application code
D. balancing security and ease of use of a system
ans: b

16. which of the following is not a characteristic of an ethical hacker?
A. excellent knowledge of windows
B. understands the process of exploiting network vulnerabilities
C. patience, persistence and perseverance
D. has the highest level of security for the organization
ans: d

17. attempting to gain access to a network using an employee's credentials is called the ____ mode of ethical hacking.
A. local networking
B. social engineering
C. physical entry
D. remote networking
ans: a

18. the first phase of hacking an it system is a compromise of which foundation of security?
A. availability
B. confidentiality
C. integrity
D. authentication
ans: b

19. why would a ping sweep be used?
A. to identify live systems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans: a

20. what are the port states determined by nmap?
A. active, inactive, standby
B. open, half-open, closed
C. open, filtered, unfiltered
D. active, closed, unused
ans: c

21. what port does telnet use?
A. 22
B. 80
C. 20
D. 23
ans: d

22. which of the following will allow footprinting to be conducted without detection?
A. ping sweep
B. traceroute
C. war dialers
D. arin
ans: d

23. performing hacking activities with the intent of gaining visibility for an unfair situation is called ____.
A. cracking
B. analysis
C. hacktivism
D. exploitation
ans: c

24. why would a hacker use a proxy server?
A. to create a stronger connection with the target
B. to create a ghost server on the network
C. to obtain a remote access connection
D. to hide malicious activity on the network
ans: a

25. which phase of hacking performs the actual attack on a network or system?
A. reconnaissance
B. maintaining access
C. scanning
D. gaining access
ans: d

26. sniffing is used to perform ____ fingerprinting.
A. passive stack
B. active stack
C. passive banner grabbing
D. scanned
ans: a

27. services running on a system are determined by ____.
A. the system's ip address
B. the active directory
C. the system's network name
D. the port assigned
ans: d

28. what are the types of scanning?
A. port, network, and services
B. network, vulnerability, and port
C. passive, active, and interactive
D. server, client, and network
ans: b

29. enumeration is part of what phase of ethical hacking?
A. reconnaissance
B. maintaining access
C. gaining access
D. scanning
ans: c

30. the ____ framework made the exploitation of vulnerabilities as easy as point and click.
A. net
B. metasploit
C. zeus
D. ettercap
ans: b
31. ____ is a popular ip address and port scanner.
A. cain and abel
B. snort
C. angry ip scanner
D. ettercap
ans: c

32. ____ is a popular tool used for network analysis in multiprotocol diverse networks.
A. snort
B. superscan
C. burp suite
D. etherpeek
ans: d

33. ____ scans tcp ports and resolves different hostnames.
A. superscan
B. snort
C. ettercap
D. qualysguard
ans: a

34. what tool can be used to perform snmp enumeration?
A. dnslookup
B. whois
C. nslookup
D. ip network browser
ans: d

35. wireshark is a ____ tool.
A. network protocol analysis
B. network connection security
C. connection analysis
D. defending malicious packet-filtering
ans: a

36. aircrack-ng is used for
A. firewall bypassing
B. wi-fi attacks
C. packet filtering
D. system password cracking
ans: b

37. phishing is a form of ____.
A. spamming
B. identity theft
C. impersonation
D. scanning
ans: c

38. what are the types of scanning?
A. port, network, and services
B. network, vulnerability, and port
C. passive, active, and interactive
D. server, client, and network
ans: b

39. ____ is used for searching multiple hosts in order to target just one specific open port.
A. ping sweep
B. port scan
C. ipconfig
D. spamming
ans: a

40. arp spoofing is often referred to as
A. man-in-the-middle attack
B. denial-of-service attack
C. sniffing
D. spoofing
ans: a

41. ____ is a tool that allows you to look into a network and analyze data going across the wire for network optimization, security and troubleshooting purposes.
A. network analyzer
B. cryptool
C. john the ripper
D. backtrack
ans: a

42. ____ is not a function of a network analyzer tool.
A. captures all network traffic
B. interprets or decodes what is found into a human-readable format
C. displays it all in chronological order
D. banner grabbing
ans: d

43. ____ protocol is used for network monitoring.
A. ftp
B. snmp
C. telnet
D. arp
ans: a

44. what is the attack called "evil twin"?
A. rogue access point
B. arp poisoning
C. session hijacking
D. mac spoofing
ans: a

45. what is the primary goal of an ethical hacker?
A. avoiding detection
B. testing security controls
C. resolving security vulnerabilities
D. determining return on investment for security measures
ans: c

46. what are the forms of password cracking techniques?
A. syllable attack
B. brute force attack
C. hybrid attack
D. all the above
ans: d

45. which type of hacker represents the highest risk to your network?
A. black-hat hackers
B. grey-hat hackers
C. script kiddies
D. disgruntled employees
ans: d

46. hacking for a cause is called
A. hacktivism
B. black-hat hacking
C. active hacking
D. activism
ans: a

47. when a hacker attempts to attack a host via the internet, it is known as what type of attack?
A. local access
B. remote attack
C. internal attack
D. physical access
ans: b

49. a type of attack that overloads the resources of a single system to cause it to crash or hang.
A. resource starvation
B. active sniffing
C. passive sniffing
D. session hijacking
ans: c

50. in computer networking, ____ is any technical effort to manipulate the normal behavior of network connections and connected systems.
A. hacking
B. evidence
C. tracing
D. none of the above
ans: a

51. ____ generally refers to unauthorized intrusion into a computer or a network.
A. hacking
B. evidence
C. tracing
D. none of the above
ans: a

52. we can eliminate many well-known network vulnerabilities by simply patching your network hosts with their latest ____ and ____.
A. hackers and crackers
B. vendor software and firmware patches
C. software and hardware
D. none of the above
ans: b

53. a network consists of devices such as routers, firewalls and hosts that you must assess as part of the ____ process.
A. crackers
B. black hat hacking
C. grey hat hacking process
D. ethical hacking process
ans: d

54. ____ are the foundation for most technical security issues in your information systems.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans: d

55. a ____ attack can take down your internet connection or your entire network.
A. mac
B. dos
C. ids
D. none of the above
ans: b

56. dos stands for
A. detection of system
B. denial of service
C. detection of service
D. none of the above
ans: b

57. ids stands for
A. intrusion detection system
B. information documentation service
C. intrusion documentation system
D. none of the above
ans: a

58. which of the protocols in use is vulnerable?
A. tcl
B. ssl
C. ftp
D. smtp
ans: b

59. ssl stands for
A. secure sockets layer
B. software security layer
C. socket security layer
D. system software layer
ans: a

60. ____ include phishing, sql injection, hacking, social engineering, spamming, denial of service attacks, trojans, virus and worm attacks.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans: d

61. who invented the worm attack?
A. brighten godfrey
B. alan yeung
C. robert morris
D. none of the above
ans: c

62. which of the following is not a typical characteristic of an ethical hacker?
A. excellent knowledge of windows
B. understands the process of exploiting network vulnerabilities
C. patience, persistence and perseverance
D. has the highest level of security for the organization
ans: d

63. what is the purpose of a denial of service attack?
A. to exploit a weakness in the tcp/ip stack
B. to execute a trojan on a system
C. to overload a system so it is no longer operational
D. to shut down services by turning them off
ans: c

64. what are some of the most common vulnerabilities that exist in a network or system?
A. changing the manufacturer's, or recommended, settings of a newly installed application
B. additional unused features on commercial software packages
C. utilizing open source application code
D. balancing security concerns with functionality and ease of use of a system
ans: b

65. what is the sequence of a tcp connection?
A. syn-ack-fin
B. syn, syn-ack, ack
C. syn-ack
D. syn-syn-ack
ans: b

66. why would a ping sweep be used?
A. to identify live systems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans: a

67. a packet with no flags set is which type of scan?
A. tcp
B. xmas
C. idle
D. null
ans: d
cwipedia.in

question bank

unit test-ii
program: computer engineering group          program code: cm/if/cw
course title: emerging trends in computer technology (eti, 22618)          semester: sixth          scheme: i

--------------------------------------------------------------------------------------------------

multiple choice questions and answers

chapter 4 - digital evidence (co4)

1. a valid definition of digital evidence is:
A. data stored or transmitted using a computer
B. information of probative value
C. digital data of probative value
D. any digital evidence on a computer
ans: c

2. what are the three general categories of computer systems that can contain digital evidence?
A. desktop, laptop, server
B. personal computer, internet, mobile telephone
C. hardware, software, networks
D. open computer systems, communication systems, and embedded systems
ans: d

3. in terms of digital evidence, a hard drive is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: a

4. in terms of digital evidence, a mobile telephone is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: c

5. in terms of digital evidence, a smart card is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: c

6. in terms of digital evidence, the internet is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: b

7. computers can be involved in which of the following types of crime?
A. homicide and sexual assault
B. computer intrusions and intellectual property theft
C. civil disputes
D. all the above
ans: d

8. a logon record tells us that, at a specific time:
A. an unknown person logged into the system using the account
B. the owner of a specific account logged into the system
C. the account was used to log into the system
D. none of the above
ans: c

9. cyber trails are advantageous because:
A. they are not connected to the physical world.
B. nobody can be harmed by crime on the internet.
C. they are easy to follow.
D. offenders who are unaware of them leave behind more clues than they otherwise would have.
ans: d

10. private networks can be a richer source of evidence than the internet because:
A. they retain data for longer periods of time.
B. owners of private networks are more cooperative with law enforcement.
C. private networks contain a higher concentration of digital evidence.
D. all the above.
ans: c

11. due to caseload and budget constraints, computer security professionals often attempt to limit the damage and close each investigation as quickly as possible. which of the following is not a significant drawback to this approach?
A. each unreported incident robs attorneys and law enforcement personnel of an opportunity to learn about the basics of computer-related crime.
B. responsibility for incident resolution frequently does not reside with the security professional, but with management.
C. this approach results in under-reporting of criminal activity, deflating statistics that are used to allocate corporate and government spending on combating computer-related crime.
D. computer security professionals develop loose evidence processing habits that can make it more difficult for law enforcement personnel and attorneys to prosecute an offender.
E. none of the above
ans: b

12. the criminological principle which states that, when anyone, or anything, enters a crime scene he/she takes something of the scene with him/her, and leaves something of himself/herself behind, is:
A. locard's exchange principle
B. differential association theory
C. beccaria's social contract
D. none of the above
ans: a

13. the author of a series of threatening e-mails consistently uses "im" instead of "i'm." this is an example of:
A. an individual characteristic
B. an incidental characteristic
C. a class characteristic
D. an indeterminate characteristic
ans: a

14. personal computers and networks are often a valuable source of evidence. those involved with ____ should be comfortable with this technology.
A. criminal investigation
B. prosecution
C. defense work
D. all of the above
ans:

15. an argument for including computer forensic training for computer security specialists is:
A. it provides an additional credential.
B. it provides them with the tools to conduct their own investigations.
C. it teaches them when it is time to call in law enforcement.
D. none of the above.
ans: c

16. digital evidence is used to establish a credible link between
A. the attacker, the victim and the crime scene
B. the attacker and the crime scene
C. the victim and the crime scene
D. the attacker and information
ans: a

17. digital evidence must follow the requirements of the
A. ideal evidence rule
B. best evidence rule
C. exchange rule
D. all the mentioned
ans: b

18. from the two given statements 1 and 2, select the correct option from a-d.
1. original media can be used to carry out the digital investigation process.
2. by default, every part of the victim's computer is considered unreliable.
A. 1 and 2 are both true
B. 1 is true and 2 is false
C. 1 and 2 are both false
D. 1 is false and 2 is true
ans: b

19. the evidence or proof that can be obtained from an electronic source is called
A. digital evidence
B. demonstrative evidence
C. explainable evidence
D. substantial evidence
ans: a

20. which of the following is not a type of volatile evidence?
A. routing tables
B. main memory
C. log files
D. cached data
ans: c

21. evidence must be usable in court, which is called being
A. admissible
B. authentic
C. complete
D. reliable
ans: a

22. photographs, videos, sound recordings, x-rays, maps, drawings, graphs and charts are a type of
A. illustrative evidence
B. electronic evidence
C. documented evidence
D. explainable evidence
ans: a

23. email and hard drives are examples of
A. illustrative evidence
B. electronic evidence
C. documented evidence
D. explainable evidence
ans: b

24. blood, fingerprints and dna are examples of
A. illustrative evidence
B. electronic evidence
C. documented evidence
D. substantial evidence
ans: d

25. when an incident takes place, a criminal will leave a hint of evidence at the scene and remove a hint from the scene, which is called
A. locard's exchange principle
B. anderson's exchange principle
C. charles's anthony principle
D. kevin ashton principle
ans: a

26. which is not a procedure to establish a chain of custody?
A. save the original materials.
B. take photos of physical evidence.
C. don't take screenshots of digital evidence content.
D. document the date, time, and any other information of receipt.
ans: c

27. which is not related to digital evidence?
A. work with the original evidence to develop procedures.
B. use clean collecting media.
C. document any extra scope.
D. consider the safety of personnel at the scene.
ans: a

28. which is an example of non-volatile memory?
A. flash memory
B. registers and cache
C. process table
D. arp cache
ans: a

29. ____ is known as testimonial.
A. oath affidavit
B. dna samples
C. fingerprint
D. dried blood
ans: a

30. the process of ensuring that the data you have collected matches the data provided or presented in court is known as
A. evidence validation
B. relative evidence
C. best evidence
D. illustrative evidence
ans: a

31. when cases go to trial, your forensics examiner plays one of ____ roles.
A. 2
B. 4
C. 3
D. 5
ans: a

32. types of digital evidence
A. eye witness
B. picture and video
C. paper work
D. none of the above
ans: b

33. the rule of evidence is also known as
A. law of witness
B. law of litigation
C. law of evidence
D. all of the above
ans: c

true or false questions

1. digital evidence is only useful in a court of law.
A. true
B. false
ans: b

2. attorneys and police are encountering progressively more digital evidence in their work.
A. true
B. false
ans: a

3. video surveillance can be a form of digital evidence.
A. true
B. false
ans: a

4. all forensic examinations should be performed on the original digital evidence.
A. true
B. false
ans: b

5. digital evidence can be duplicated exactly without any changes to the original data.
A. true
B. false
ans: b

6. computers were involved in the investigations into both world trade center attacks.
A. true
B. false
ans: a

7. digital evidence is always circumstantial.
A. true
B. false
ans: b

8. digital evidence alone can be used to build a solid case.
A. true
B. false
ans: b

9. computers can be used by terrorists to detonate bombs.
A. true
B. false
ans: a

10. the aim of a forensic examination is to prove with certainty what occurred.
A. true
B. false
ans: b

11. even digital investigations that do not result in legal action can benefit from principles of forensic science.
A. true
B. false
ans: a

12. forensic science is the application of science to the investigation and prosecution of crime or to the just resolution of conflict.
A. true
B. false
ans: a
chapter 5
basics of hacking (co5)

1. ethical hacking is also known as a. black hat


hacking.
B. white hat hacking.
C. encryption.
D. none of these. ans. b

2. tool(s) used by ethical hacker .


A. scanner
B. decoder
C. proxy
D. all of these.
ans. d

3. vulnerability scanning in ethical hacking finds . a.


strengths.
B. weakness.
C. a &b
D. none of these.
ans. b

4. ethical hacking will allow to all the massive security


breaches. a. remove.
B. measure.
C. reject.
D. none of these.
ans. b

5. sequential step hackers use are: _ _ _ _. a. maintaining


access. b. reconnaissance c. scanning.
d. gaining access.

A. b, c, d, a
B. b, a, c, d c. a, b, c, d
d. d, c, b, a
ans. a
6. is the art of exploiting the human elements to gain
access to the authorized user. a. social engineering. b. it
engineering.
C. ethical hacking.
D. none of the above.
ans. a

7. which hacker refers to ethical hacker? a. black hat


hacker.
B. white hat hacker.
C. grey hat hacker.
D. none of the above.
ans. b

8. the term cracker refers to a. black hat hacker.


B. white hat hacker.
C. grey hat hacker.
D. none of the above.
ans. a

9. who described a dissertation on fundamentals of hacker’s


attitude? a. g. palma.
B. raymond.
C. either.
D. jhon browman.
ans. b

10.computer hackers have been in existence for more than a . a.


decade.
B. year.
C. century
D. era.
ans. c

11.hackers do hack for? a.


fame.
B. profit.
C. revenge.
D. all the above
ans. d

12.the intent of ethical hacker is to discover vulnerabilities from a point of view to better
secure system.
A. victims.
B. attackers.
C. both a & b d. none of these.
ans. b

13.security audits are usually based on a. entries.


B. checklists.
C. both a & b
D. none of the above
ans. b

14.ethical hacking consist of a.


penetration testing.
B. intrusion testing.
C. red teaming.
D. all of the above.
ans. d

15. is a person who find and exploits the weakness in computer system.
A. victim
B. hacker
C. developer
D. none of the above.
ans. b

16. a white hat hacker is the one who


A. fix identifies weakness
B. steal the data
C. identifies the weakness and leave message to owner
D. none of the above
ans. a

17.A black hat hacker is the one who


A. fix identifies weakness
B. steal the data
C. identifies the weakness and leave message to owner
D. none of the above. ans. b
18. a grey hat hacker is the one who
A. fix identifies weakness
B. steal the data
C. identifies the weakness and leave message to owner
D. none of the above
ans. c

19. keeping information secured can protect an organization image and save and organization lot
of money
A. true
B. false
ans. a

20.information is a one of the most valuable assets of organization


A. true
B. false
ans. a

21. to catch a thief, think like


A. police
B. forensics
C. thief
D. hacker
ans. c

22. can create false feeling of safety


A. firewall
B. encryption
C. vnps
D. all the above
ans. d

23. exploits that involves manipulating people and user even your self are the greatest
vulnerability within any computer
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. a
24.connecting into network through a rogue modem attached to computer behind a firewall is an
example of -
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. b

25. comprise of large portion of hacker attacks simply because every computer has one
and so well know exploits can be used against them
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. c

26. should be done before ethical hacking process. a.


data gathering.
b. attacking c.
planning
d. research
ans. c

27.which permission is necessary before ethical hacking? a.


written permission.
b. decision maker permission c.
privacy permission d. risk
permission.
ans. a

28. which tool is used to crack the password?


A. nmap
B. lc4
C. toneloc
D. nessus
ans. b

29. which tool is used for depth analysis of a web application?


A. whisker
B. super scan
C. nikto
D. kismet ans. a
30. which tool is used to encrypt email?
A. webinspect
B. qualyguard
C. pgp (pretty good privacy)
D. none of the above.
ans. c

31.malicious attacker often think like?


A. thieves
B. kidnapper
C. both a & b
D. none of the above
ans. c

32.which hacker try to distribute political or social message through their work?
A. black hat hacker
B. hactivist
C. script kiddes
D. white hat hacker
ans. b

33. are part of organized crime on internet.


A. criminal
B. antinationalist
C. hacker for hire
D. none of the above
ans. c

34. which magazines releases the latest hacking methods?


a. 2600
B. hackin9
C. phrack
D. all the above
ans. d

35. performing a shoulder surfing in order to check other’s password is ethical


practice.
A. a good
B. not so good
C. very good social engineering practice
D. a bad ans. d
36. has now evolved to be one of the most popular automated tools for unethical
hacking.
A. automated apps
B. database software
C. malware
D. worms
ans. c

37. leaking your company data to the outside network without prior permission of senior authority
is a crime.
A. true
B. false
ans. a

38. a penetration tester must identify and keep in mind the &
requirements of a firm while evaluating the security postures.
A. privacy and security
B. rules and regulations
C. hacking techniques
D. ethics to talk to seniors
ans. a

39. the legal risks of ethical hacking include lawsuits due to of personal data. a.
stealing
B. disclosure
C. deleting
D. hacking
ans. b

40. before performing any penetration test, through legal procedure, which key points listed below
is not mandatory?
A. know the nature of the organization
B. characteristics of work done in the firm
C. system and network
D. type of broadband company used by the firm
ans. d
chapter-6
types of hacking (co6)

1. snmp stands for


A. simple network messaging protocol
B. simple network mailing protocol
C. simple network management protocol
D. simple network master protocol
ans: c

2. which of the following tool is used for network testing and port scanning
A. netcat
B. superscan
C. netscan
D. all of above
ans: d

3. banner grabbing is used for a. white hat hacking


B. black hat hacking
C. grey hat hacking
D. script kiddies
ans: a

4. an attacker can create an attack by sending hundreds or thousands of e-mails a with


very large attachments.
A. connection attack
B. auto responder attack
C. attachment overloading attack
D. all the above
ans: b

5. which of the following tool is used for windows for network queries from dns lookups to
trace routes?
A. sam spade
B. superscan
C. netscan
D. netcat
ans: a

6. which tool is used for ping sweeps and port scanning?


A. netcat
B. samspade
C. superscan
D. all the above
ans: c

7. which of the following tool is used for security checks as port scanning and firewall testing?
A. netcat
B. nmap
C. data communication
D. netscan
ans: a

8. what is the most important activity in system cracking? a. information gathering


B. cracking password
C. escalating privileges
D. covering tracks
ans: b

9. which nmap scan is does not completely open a tcp connection?


A. syn stealth scan
B. tcp scan
C. xmas tree scan
D. ack scan
ans: a

10.key loggers are form of


A. spyware
B. shoulder surfing
C. trojan
D. social engineering
ans: a

11. nmap is abbreviated as network mapper.


A. true
B. false
ans: a

12. is a popular tool used for discovering network as well as security auditing.
A. ettercap
B. metasploit
C. nmap
D. burp suit ans: c
13. which of this nmap do not check?
A. services different hosts are offering
B. on what os they are running.
C. what kind of firewall in use?
D. what type of antivirus in use?
ans: d

14. what is purpose of denial of service attacks? a. exploit weakness in tcp/ip attack. b. to
execute a trojan horse on a system.
c. to overload a system so it is no longer operational.
d. to shutdown services by turning them off.
ans: c

15. what are the some of the most common vulnerabilities that exist in a network system? a.
changing manufacturer, or recommended settings of newly installed application.
B. additional unused feature on commercial software package.
C. utilizing open source application code.
D. balancing security and ease of use of system.
ans: b

16. which of the following is not a characteristic of ethical hacker? a. excellent knowledge of
windows.
B. understands the process of exploiting network vulnerabilities.
C. patience, persistence and perseverance.
D. has the highest level of security for the organization.
ans: d

17. attempting to gain access to a network using an employee’s credentials is called the
mode of ethical hacking.
A. local networking
B. social engineering
C. physical entry
D. remote networking
ans: a

18. the first phase of hacking an it system is compromise of which foundation of security?
A. availability
B. confidentiality
C. integrity
D. authentication ans: b
19. why would a ping sweep be used?
A. to identify live systems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans: a

20. what are the port states determined by nmap?


A. active, inactive, standby
B. open, half-open, closed
C. open, filtered, unfiltered
D. active, closed, unused
ans: c

21. what port does telnet use?


a. 22 b. 80
c. 20
d. 23
ans: d

22. which of the following will allow foot printing to be conducted without detection?
A. pingsweep
B. traceroute
C. war dialers
D. arin
ans: d

23. performing hacking activities with the intent on gaining visibility for an unfair situation is
called .
A. cracking
B. analysis
C. hacktivism
D. exploitation
ans: c

24. why would a hacker use a proxy server?


A. to create a stronger connection with the target.
B. to create a ghost server on the network.
C. to obtain a remote access connection
D. to hide malicious activity on the network
ans: a

25. which phase of hacking performs actual attack on a network or system?


A. reconnaissance
B. maintaining access
C. scanning
D. gaining access
ans: d

26. sniffing is used to perform fingerprinting.


A. passive stack
B. active stack
C. passive banner grabbing
D. scanned
ans: a

27. services running on a system are determined by .


A. the system’s ip address
B. the active directory
C. the system’s network name
D. the port assigned
ans: d

28. what are the types of scanning?
A. port, network, and services
B. network, vulnerability, and port
C. passive, active, and interactive
D. server, client, and network
ans: b

29. enumeration is part of what phase of ethical hacking?


A. reconnaissance
B. maintaining access
C. gaining access
D. scanning
ans: c

30. framework made cracking of vulnerabilities easy like point and click.
A. net
B. metasploit
C. zeus
D. ettercap
ans: b

31. is a popular ip address and port scanner.
A. cain and abel
B. snort
C. angry ip scanner
D. ettercap
ans: c

32. is a popular tool used for network analysis in multiprotocol diverse network
A. snort
B. superscan
C. burp suit
D. etterpeak
ans: d

33. scans tcp ports and resolves different hostnames.


A. superscan
B. snort
C. ettercap
D. qualysguard
ans: a

34. what tool can be used to perform snmp enumeration?


A. dnslookup
B. whois
C. nslookup
D. ip network browser
ans: d

35. wireshark is a tool.


A. network protocol analysis
B. network connection security
C. connection analysis
D. defending malicious packet-filtering
ans: a

36. aircrack-ng is used for


A. firewall bypassing
B. wi-fi attacks
C. packet filtering
D. system password cracking
ans: b

37. phishing is a form of .


A. spamming
B. identity theft
C. impersonation
D. scanning
ans: c
38. what are the types of scanning?
A. port, network, and services
B. network, vulnerability, and port
C. passive, active, and interactive
D. server, client, and network
ans: b

39. is used for searching of multiple hosts in order to target just one specific open port.
A. ping sweep
B. port scan
C. ipconfig
D. spamming
ans: a

40. arp spoofing is often referred to as


A. man-in-the-middle attack
B. denial-of-service attack
C. sniffing
D. spoofing
ans: a

41. is a tool that allows you to look into a network and analyze data going across the wire
for network optimization, security and troubleshooting purposes.
A. network analyzer
B. crypt tool
C. john-the-ripper
D. back track
ans: a

42. is not a function of a network analyzer tool.

A. captures all network traffic
B. interprets or decodes what is found into a human-readable format.
C. displays it all in chronological order.
D. banner grabbing
ans: d

43. protocol is used for network monitoring.
A. ftp
B. snmp
C. telnet
D. arp
ans: a

44. what is the attack called “evil twin”?
A. rogue access point
B. arp poisoning
C. session hijacking
D. mac spoofing
ans: a

45. what is the primary goal of an ethical hacker?


A. avoiding detection
B. testing security controls
C. resolving security vulnerabilities
D. determining return on investment for security measures
ans: c

46. what are the forms of password cracking techniques?

A. syllable attack
B. brute forcing attack
C. hybrid attack
D. all the above
ans: d

45. which type of hacker represents the highest risk to your network?
A. black-hat hackers
B. grey-hat hackers
C. script kiddies
D. disgruntled employees
ans: d

46. hacking for a cause is called


A. hacktivism
B. black-hat hacking
C. active hacking
D. activism
ans: a

47. when a hacker attempts to attack a host via the internet it is known as what type of attack?
A. local access
B. remote attack
C. internal attack
D. physical access
ans: b

49. a type of attack that overloads the resources of a single system to cause it to crash or hang.
A. resource starvation
B. active sniffing
C. passive sniffing
D. session hijacking
ans. c

50. in computer networking, is any technical effort to manipulate the normal behavior of
network connections and connected systems.
A. hacking
B. evidence
C. tracing
D. none of above
ans:-a

51. generally refers to unauthorized intrusion into a computer or a network.


A. hacking
B. evidence
C. tracing
D. none of above

ans:-a

52. we can eliminate many well-known network vulnerabilities by simply patching your network
hosts with their latest and .
A. hackers and crackers
B. vendor software and firmware patches
C. software and hardware
D. none of above
ans:-b

53. a network consists of devices such as routers, firewalls and hosts that you must assess as a part of
process.

A. prackers
B. black hat hacking
C. grey hat hacking process
D. ethical hacking process.
ans:-d

54. network infrastructure vulnerabilities are the foundation for most technical security issues in
your information systems.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans:-d

55. attack, which can take down your internet connection or your entire network.
A. mac
B. dos
C. ids
D. none of above
ans:-b

56. dos stands for

A. detection of system
B. denial of service
C. detection of service
D. none of above
ans:-b

57. ids stands for


A. intrusion detection system
B. information documentation service
C. intrusion documentation system
D. none of above
ans:-a

58. which of these protocols in use is vulnerable?


A. tcl
B. ssl
C. ftp
D. smtp
ans:-b

59. ssl stands for

A. secure sockets layer
B. software security layer
C. socket security layer
D. system software layer
ans:-a

60. include phishing, sql injection, hacking, social engineering, spamming, denial of
service attacks, trojans, virus and worm attacks.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans:-d

61. who invented the worm attack?


A. brightn godfrey
B. alan yeung
C. robert morris
D. none of above
ans:-c

62. which of the following is not a typical characteristic of an ethical hacker?
A. excellent knowledge of windows.
B. understands the process of exploiting network vulnerabilities.
C. patience, persistence and perseverance.
D. has the highest level of security for the organization.
ans:-d
63. what is the purpose of a denial of service attack?
A. exploit a weakness in the tcp/ip stack
B. to execute a trojan on a system
C. to overload a system so it is no longer operational
D. to shutdown services by turning them off
ans:- c

64. what are some of the most common vulnerabilities that exist in a network or system?
A. changing manufacturer, or recommended, settings of a newly installed application.
B. additional unused features on commercial software packages.
C. utilizing open source application code
D. balancing security concerns with functionality and ease of use of a system.
ans: b

65. what is the sequence of a tcp connection?


A. syn-ack-fin
B. syn-syn ack-ack
C. syn-ack
D. syn-syn-ack
ans:b

66. why would a ping sweep be used?


A. to identify live systems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans:-a
67. a packet with no flags set is which type of scan?
A. tcp
B. xmas
C. idle
D. null
ans:-d

happy learning! cwipedia.in


emerging trends in computer and information
technology (22618)

multiple choice questions and answers

chapter 4- digital evidence (co4)

1. a valid definition of digital evidence is:


A. data stored or transmitted using a computer
B. information of probative value
C. digital data of probative value
D. any digital evidence on a computer
ans: c

2. what are the three general categories of computer systems that can contain digital
evidence?
A. desktop, laptop, server
B. personal computer, internet, mobile telephone
C. hardware, software, networks
D. open computer systems, communication systems, and embedded systems
ans: d

3. in terms of digital evidence, a hard drive is an example of:


A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: a

4. in terms of digital evidence, a mobile telephone is an example of:


A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: c
5. in terms of digital evidence, a smart card is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: c

6. in terms of digital evidence, the internet is an example of:


A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: b

7. computers can be involved in which of the following types of crime?


A. homicide and sexual assault
B. computer intrusions and intellectual property theft
C. civil disputes
D. all the above
ans: d

8. a logon record tells us that, at a specific time:


A. an unknown person logged into the system using the account
B. the owner of a specific account logged into the system
C. the account was used to log into the system
D. none of the above
ans: c

9. cyber trails are advantageous because:


A. they are not connected to the physical world.
B. nobody can be harmed by crime on the internet.
C. they are easy to follow.
D. offenders who are unaware of them leave behind more clues than they otherwise
would have.
ans: d

10. private networks can be a richer source of evidence than the internet because:
A. they retain data for longer periods of time.
B. owners of private networks are more cooperative with law enforcement.
C. private networks contain a higher concentration of digital evidence.
D. all the above.
ans: c
11. due to caseload and budget constraints, often computer security professionals attempt to
limit the damage and close each investigation as quickly as possible. which of the following is
not a significant drawback to this approach?
A. each unreported incident robs attorneys and law enforcement personnel of an opportunity
to learn about the basics of computer-related crime.
B. responsibility for incident resolution frequently does not reside with the security
professional, but with management.
C. this approach results in under-reporting of criminal activity, deflating statistics that are
used to allocate corporate and government spending on combating computer-related
crime.
D. computer security professionals develop loose evidence processing habits that can make
it more difficult for law enforcement personnel and attorneys to prosecute an offender.
E. none of the above
ans: b

12. the criminological principle which states that, when anyone, or anything, enters a crime
scene he/she takes something of the scene with him/her, and leaves something of himself/herself
behind, is:
A. locard’s exchange principle
B. differential association theory
C. beccaria’s social contract
D. none of the above
ans: a

13. the author of a series of threatening e-mails consistently uses “im” instead of “i’m.” this is
an example of:
A. an individual characteristic
B. an incidental characteristic
C. a class characteristic
D. an indeterminate characteristic
ans: a

14. personal computers and networks are often a valuable source of evidence. those
involved with should be comfortable with this technology.
A. criminal investigation
B. prosecution
C. defense work
D. all of the above
ans:

15. an argument for including computer forensic training for computer security specialists is:
A. it provides an additional credential.
B. it provides them with the tools to conduct their own investigations.
C. it teaches them when it is time to call in law enforcement.
D. none of the above.
ans: c
16. digital evidence is used to establish a credible link between
A. attacker and victim and the crime scene
B. attacker and the crime scene
C. victim and the crime scene
D. attacker and information
ans: a

17. digital evidence must follow the requirements of the


A. ideal evidence rule
B. best evidence rule
C. exchange rule
D. all the mentioned
ans: b

18. from the two given statements 1 and 2, select the correct option from a-d.
a. original media can be used to carry out digital investigation process.
b. by default, every part of the victim’s computer is considered as unreliable.

A. a and b both are true


B. a is true and b is false
C. a and b both are false
D. a is false and b is true
ans: b

19. the evidence or proof that can be obtained from an electronic source is called
A. digital evidence
B. demonstrative evidence
C. explainable evidence
D. substantial evidence
ans: a

20. which of the following is not a type of volatile evidence?


A. routing tables
B. main memory
C. log files
D. cached data
ans: c

21. the evidence must be usable in the court which is called as


A. admissible
B. authentic
C. complete
D. reliable
ans: a
22. photographs, videos, sound recordings, x-rays, maps, drawings, graphs and charts are
a type of _
A. illustrative evidence
B. electronic evidence
C. documented evidence
D. explainable evidence
ans: a

23. email, hard drives are examples of


A. illustrative evidence
B. electronic evidence
C. documented evidence
D. explainable evidence
ans: b

24. blood, fingerprints, dna these are examples of


A. illustrative evidence
B. electronic evidence
C. documented evidence
D. substantial evidence
ans: d

25. when an incident takes place, a criminal will leave hint evidence at the scene and remove a
hint from the scene, which is called
A. locard’s exchange principle
B. anderson’s exchange principle
C. charles’s anthony principle
D. kevin ashton principle
ans: a

26. which is not a procedure to establish a chain of custody?


A. save the original materials.
B. take photos of physical evidence.
C. don’t take screenshots of digital evidence content.
D. document date, time, and any other information of receipt.
ans: c

27. which is not related to digital evidence?


A. work with the original evidence to develop procedures.
B. use clean collecting media.
C. document any extra scope.
D. consider safety of personnel at the scene.
ans: a
28. which is an example of non-volatile memory?
A. flash memory
B. registers and cache
C. process table
D. arp cache
ans: a

29. is known as testimonial.


A. oath affidavit
B. dna samples
C. fingerprint
D. dried blood
ans: a

30. the process of ensuring that providing or obtaining the data that you have collected is similar
to the data provided or presented in a court is known as
A. evidence validation
B. relative evidence
C. best evidence
D. illustrative evidence
ans: a
31. when cases go to trial, your forensics examiner plays one of role.
A. 2
B. 4
C. 3
D. 5
ans. a

32. types of digital evidence

A. eye witness
B. picture and video
C. paper work
D. none of the above
ans b

33. rule of evidence is also known as

A. law of witness
B. law of litigation
C. law of evidence
D. all of the above

ans. c
true or false questions
1. digital evidence is only useful in a court of law.
A. true
B. false
ans: b

2. attorneys and police are encountering progressively more digital evidence in their
work.
A. true
B. false
ans: a

3. video surveillance can be a form of digital evidence.


A. true
B. false
ans: a

4. all forensic examinations should be performed on the original digital evidence.


A. true
B. false
ans: b

5. digital evidence can be duplicated exactly without any changes to the original data.
A. true
B. false
ans: b

6. computers were involved in the investigations into both world trade center attacks.
A. true
B. false
ans: a

7. digital evidence is always circumstantial.


A. true
B. false
ans: b

8. digital evidence alone can be used to build a solid case.


A. true
B. false
ans: b

9. computers can be used by terrorists to detonate bombs.


A. true
B. false
ans: a

10. the aim of a forensic examination is to prove with certainty what occurred.
A. true
B. false
ans: b

11. even digital investigations that do not result in legal action can benefit from principles of
forensic science.
A. true
B. false
ans: a

12. forensic science is the application of science to investigation and prosecution of crime or to
the just resolution of conflict.
A. true
B. false
ans: a
chapter 5
basics of hacking (co5)

1. ethical hacking is also known as


A. black hat hacking.
B. white hat hacking.
C. encryption.
D. none of these.
ans. b

2. tool(s) used by ethical hacker .


A. scanner
B. decoder
C. proxy
D. all of these.
ans. d

3. vulnerability scanning in ethical hacking finds .


A. strengths.
B. weakness.
C. a & b
D. none of these.
ans. b

4. ethical hacking will allow to all the massive security breaches.


A. remove.
B. measure.
C. reject.
D. none of these.
ans. b

5. sequential steps hackers use are: _ _ _ _.


A. maintaining access.
B. reconnaissance
C. scanning.
D. gaining access.

A. b, c, d, a
B. b, a, c, d
C. a, b, c, d
D. d, c, b, a
ans. a
6. is the art of exploiting the human elements to gain access to the authorized user.
A. social engineering.
B. it engineering.
C. ethical hacking.
D. none of the above.
ans. a

7. which hacker refers to ethical hacker?


A. black hat hacker.
B. white hat hacker.
C. grey hat hacker.
D. none of the above.
ans. b

8. the term cracker refers to


A. black hat hacker.
B. white hat hacker.
C. grey hat hacker.
D. none of the above.
ans. a

9. who described a dissertation on fundamentals of hacker’s attitude?


A. g. palma.
B. raymond.
C. either.
D. jhon browman.
ans. b

10. computer hackers have been in existence for more than a .


A. decade.
B. year.
C. century
D. era.
ans. c

11. hackers do hack for?


A. fame.
B. profit.
C. revenge.
D. all the above
ans. d
12. the intent of ethical hacker is to discover vulnerabilities from a point of view to better
secure system.
A. victims.
B. attackers.
C. both a & b
D. none of these.
ans. b

13. security audits are usually based on


A. entries.
B. checklists.
C. both a & b
D. none of the above
ans. b

14. ethical hacking consist of


A. penetration testing.
B. intrusion testing.
C. red teaming.
D. all of the above.
ans. d

15. is a person who finds and exploits the weaknesses in a computer system.
A. victim
B. hacker
C. developer
D. none of the above.
ans. b

16. a white hat hacker is the one who


A. fixes identified weaknesses
B. steals the data
C. identifies the weakness and leaves a message for the owner
D. none of the above
ans. a

17.a black hat hacker is the one who


A. fixes identified weaknesses
B. steals the data
C. identifies the weakness and leaves a message for the owner
D. none of the above.
ans. b
18. a grey hat hacker is the one who
A. fixes identified weaknesses
B. steals the data
C. identifies the weakness and leaves a message for the owner
D. none of the above
ans. c

19. keeping information secured can protect an organization's image and save an organization a lot
of money
A. true
B. false
ans. a

20. information is one of the most valuable assets of an organization


A. true
B. false
ans. a

21. to catch a thief, think like


A. police
B. forensics
C. thief
D. hacker
ans. c

22. can create false feeling of safety


A. firewall
B. encryption
C. vpns
D. all the above
ans. d

23. exploits that involve manipulating people and users, even yourself, are the greatest
vulnerability within any computer
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. a
24. connecting into a network through a rogue modem attached to a computer behind a firewall is an
example of -
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. b

25. comprise a large portion of hacker attacks simply because every computer has one
and so well-known exploits can be used against them
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. c

26. should be done before ethical hacking process.


A. data gathering.
B. attacking
C. planning
D. research
ans. c

27. which permission is necessary before ethical hacking?


A. written permission.
B. decision maker permission
C. privacy permission
D. risk permission.
ans. a

28. which tool is used to crack the password?


A. nmap
B. lc4
C. toneloc
D. nessus
ans. b

29. which tool is used for in-depth analysis of a web application?


A. whisker
B. super scan
C. nikto
D. kismet
ans. a
30. which tool is used to encrypt email?
A. webinspect
B. qualysguard
C. pgp (pretty good privacy)
D. none of the above.
ans. c

31. malicious attackers often think like?


A. thieves
B. kidnapper
C. both a & b
D. none of the above
ans. c

32. which hackers try to distribute political or social messages through their work?
A. black hat hacker
B. hacktivist
C. script kiddies
D. white hat hacker
ans. b

33. are part of organized crime on internet.


A. criminal
B. antinationalist
C. hacker for hire
D. none of the above
ans. c

34. which magazines release the latest hacking methods?


A. 2600
B. hackin9
C. phrack
D. all the above
ans. d

35. performing shoulder surfing in order to check others' passwords is ethical
practice.
A. a good
B. not so good
C. very good social engineering practice
D. a bad
ans. d
36. has now evolved to be one of the most popular automated tools for unethical
hacking.
A. automated apps
B. database software
C. malware
D. worms
ans. c

37. leaking your company data to the outside network without prior permission of senior
authority is a crime.
A. true
B. false
ans. a

38. a penetration tester must identify and keep in mind the &
requirements of a firm while evaluating the security postures.
A. privacy and security
B. rules and regulations
C. hacking techniques
D. ethics to talk to seniors
ans. a

39. the legal risks of ethical hacking include lawsuits due to of personal data.
A. stealing
B. disclosure
C. deleting
D. hacking
ans. b

40. before performing any penetration test, through legal procedure, which key points listed
below is not mandatory?
A. know the nature of the organization
B. characteristics of work done in the firm
C. system and network
D. type of broadband company used by the firm
ans. d
chapter-6
types of hacking (co6)

1. snmp stands for


A. simple network messaging protocol
B. simple network mailing protocol
C. simple network management protocol
D. simple network master protocol
ans: c

2. which of the following tool is used for network testing and port scanning
A. netcat
B. superscan
C. netscan
D. all of above
ans: d

3. banner grabbing is used for


A. white hat hacking
B. black hat hacking
C. grey hat hacking
D. script kiddies
ans: a

4. an attacker can create an attack by sending hundreds or thousands of e-mails a with


very large attachments.
A. connection attack
B. auto responder attack
C. attachment overloading attack
D. all the above
ans: b

5. which of the following tool is used for windows for network queries from dns lookups to
trace routes?
A. sam spade
B. superscan
C. netscan
D. netcat
ans: a
6. which tool is used for ping sweeps and port scanning?
A. netcat
B. samspade
C. superscan
D. all the above
ans: c

7. which of the following tool is used for security checks as port scanning and firewall testing?
A. netcat
B. nmap
C. data communication
D. netscan
ans: a

8. what is the most important activity in system cracking?


A. information gathering
B. cracking password
C. escalating privileges
D. covering tracks
ans: b

9. which nmap scan is does not completely open a tcp connection?


A. syn stealth scan
B. tcp scan
C. xmas tree scan
D. ack scan
ans: a

10. key loggers are form of


A. spyware
B. shoulder surfing
C. trojan
D. social engineering
ans: a

11. nmap is abbreviated as network mapper.


A. true
B. false
ans: a

12. is a popular tool used for discovering network as well as security auditing.
A. ettercap
B. metasploit
C. nmap
D. burp suit
ans: c
13. which of this nmap do not check?
A. services different hosts are offering
B. on what os they are running.
C. what kind of firewall in use?
D. what type of antivirus in use?
ans: d

14. what is purpose of denial of service attacks?


A. exploit weakness in tcp/ip attack.
B. to execute a trojan horse on a system.
C. to overload a system so it is no longer operational.
D. to shutdown services by turning them off.
ans: c

15. what are the some of the most common vulnerabilities that exist in a network system?
A. changing manufacturer, or recommended settings of newly installed application.
B. additional unused feature on commercial software package.
C. utilizing open source application code.
D. balancing security and ease of use of system.
ans: b

16. which of the following is not a characteristic of ethical hacker?


A. excellent knowledge of windows.
B. understands the process of exploiting network vulnerabilities.
C. patience, persistence and perseverance.
D. has the highest level of security for the organization.
ans: d

17. attempting to gain access to a network using an employee’s credentials is called the
mode of ethical hacking.
A. local networking
B. social engineering
C. physical entry
D. remote networking
ans: a

18. the first phase of hacking an it system is compromise of which foundation of security?
A. availability
B. confidentiality
C. integrity
D. authentication
ans: b
19. why would a ping sweep be used?
A. to identify live systems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans: a

20. what are the port states determined by nmap?


A. active, inactive, standby
B. open, half-open, closed
C. open, filtered, unfiltered
D. active, closed, unused
ans: c

21. what port does telnet use?


A. 22
B. 80
C. 20
D. 23
ans: d

22. which of the following will allow foot printing to be conducted without detection?
A. pingsweep
B. traceroute
C. war dialers
D. arin
ans: d

23. performing hacking activities with the intent on gaining visibility for an unfair situation is
called .
A. cracking
B. analysis
C. hacktivism
D. exploitation
ans: c

24. why would a hacker use a proxy server?


A. to create a stronger connection with the target.
B. to create a ghost server on the network.
C. to obtain a remote access connection
D. to hide malicious activity on the network
ans: a
25. which phase of hacking performs actual attack on a network or system?
A. reconnaissance
B. maintaining access
C. scanning
D. gaining access
ans: d

26. sniffing is used to perform fingerprinting.


A. passive stack
B. active stack
C. passive banner grabbing
D. scanned
ans: a

27. services running on a system are determined by .


A. the system’s ip address
B. the active directory
C. the system’s network name
D. the port assigned
ans: d

28. what are the types of scanning?


A. port, network, and services
B. network, vulnerability, and port
C. passive, active, and interactive
D. server, client, and network
ans: b

29. enumeration is part of what phase of ethical hacking?


A. reconnaissance
B. maintaining access
C. gaining access
D. scanning
ans: c

30. framework made cracking of vulnerabilities easy like point and click.
A. net
B. metasploit
C. zeus
D. ettercap
ans: b
31. is a popular ip address and port scanner.
A. cain and abel
B. snort
C. angry ip scanner
D. ettercap
ans: c

32. is a popular tool used for network analysis in multiprotocol diverse network
A. snort
B. superscan
C. burp suit
D. etterpeak
ans: d

33 scans tcp ports and resolves different hostnames.


A. superscan
B. snort
C. ettercap
D. qualysguard .
ans: a

34. what tool can be used to perform snmp enumeration?


A. dnslookup
B. whois
C. nslookup
D. ip network browser
ans: d

35. wireshark is a tool.


A. network protocol analysis
B. network connection security
C. connection analysis
D. defending malicious packet-filtering
ans: a

36. aircrack-ng is used for


A. firewall bypassing
B. wi-fi attacks
C. packet filtering
D. system password cracking
ans: b
37. phishing is a form of .
A. spamming
B. identify theft
C. impersonation
D. scanning
ans: c

38. what are the types of scanning?


A. port, network, and services
B. network, vulnerability, and port
C. passive, active, and interactive
D. server, client, and network
ans: b

39 is used for searching of multiple hosts in order to target just one specific open port.
A. ping sweep
B. port scan
C. ipconfig
D. spamming
ans: a

40. arp spoofing is often referred to as


A. man-in-the-middle attack
B. denial-of-service attack
C. sniffing
D. spoofing
ans: a

41. is a tool that allows you to look into network and analyze data going across the wire
for network optimization, security and troubleshooting purposes.
A. network analyzer
B. crypt tool
C. john-the -ripper
D. back track
ans: a

42. is not a function of network analyzer tool.


A. captures all network traffic
B. interprets or decodes what is found into a human-readable format.
C. displays it all in chronological order.
D. banner grabbing
ans: d
43. protocol is used for network monitoring.
A. ftp snmp
b.
c. relnet
d. arp
ans: a

44. what is the attack called “evil twin”?


A. rouge access point
B. arp poisoning
C. session hijacking
D. mac spoofing
ans: a

45. what is the primary goal of an ethical hacker?


A. avoiding detection
B. testing security controls
C. resolving security vulnerabilities
D. determining return on investment for security measures
ans: c

46. what are the forms of password cracking technique?


A. attack syllable
B. attack brute forcing
C. attacks hybrid
D. all the above
ans: d

45. which type of hacker represents the highest risk to your network?
A. black-hat hackers
B. grey-hat hackers
C. script kiddies
D. disgruntled employees
ans: d

46. hacking for a cause is called


A. hacktivism
B. black-hat hacking
C. active hacking
D. activism
ans: a
47. when a hacker attempts to attack a host via the internet it is known as what type of attack?
A. local access
B. remote attack
C. internal attack
D. physical access
ans: b

49. a type of attack that overloads the resources of a single system to cause it to crash or hang.
A. resource starvation
B. active sniffing
C. passive sniffing
D. session hijacking
ans. c

50. in computer networking, is any technical effort to manipulate the normal behavior of
network connections and connected systems.
A. hacking
B. evidence
C. tracing
D. none of above
ans:-a

51. generally refers to unauthorized intrusion into a computer or a network.


A. hacking
B. evidence
C. tracing
D. none of above

ans:-a

52. we can eliminate many well-known network vulnerabilities by simply patch-ing your
network hosts with their latest and .
A. hckers and prackers
B. vendor software and firmware patches
C. software amd hardware
D. none of above
ans:-b

53. network consist devices such as routers, firewalls, hosts that you must assess as a part of
process.

A. prackers
B. black hat hacking
C. grey hat hacking process
D. ethical hacking process.
ans:-d

54. network infrastructure vulnerabilities are the foundation for most technical security
issues in your information systems.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans:-d

55. attack, which can take down your internet connection or your entire network.
A. mac
B. dos
C. ids
D. none of above
ans:-b

56. dos stands for


A. detection of system
B. denial of service
C. detection of service
D. none of above
ans:-b

57. ids stands for


A. intrusion detection system
B. information documentation service
C. intrusion documentation system
D. none of above
ans:-a

58. which protocols are in use is vulnerable


A. tcl
B. ssl
C. ftp
D. smtp
ans:-b

59. ssl stands for


A. secure sockets layer
B. software security layer
C. socket security layer
D. system software layer
ans:-a
60. ____ include phishing, sql injection, hacking, social engineering, spamming, denial of
service attacks, trojans, virus and worm attacks.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans: d

61. who invented the worm attack?
A. brighten godfrey
B. alan yeung
C. robert morris
D. none of above
ans: c

62. which of the following is not a typical characteristic of an ethical hacker?


A. excellent knowledge of windows.
B. understands the process of exploiting network vulnerabilities.
C. patience, persistence and perseverance.
D. has the highest level of security for the organization.
ans:-d
63. what is the purpose of a denial of service attack?
A. exploit a weakness in the tcp/ip stack
B. to execute a trojan on a system
C. to overload a system so it is no longer operational
D. to shutdown services by turning them off
ans: c

64. what are some of the most common vulnerabilities that exist in a network or system?
A. changing manufacturer, or recommended, settings of a newly installed application.
B. additional unused features on commercial software packages.
C. utilizing open source application code
D. balancing security concerns with functionality and ease of use of a system.
ans:b

65. what is the sequence of a tcp connection?
A. syn-ack-fin
B. syn, syn-ack, ack
C. syn-ack
D. syn-syn-ack
ans: b

66. why would a ping sweep be used?


A. to identify live systems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans:-a

67. a packet with no flags set is which type of scan?


A. tcp
B. xmas
C. idle
D. null
ans:-d

question bank (i scheme)

name of subject: emerging trends in computer and information technology
unit test: i
subject code: 22618
courses: if/cm6i
semester: vi
multiple choice questions and answers

chapter 1- artificial intelligence

1. which of these schools was not among the early leaders in ai research?
A. dartmouth university
B. harvard university
C. massachusetts institute of technology
D. stanford university
E. none of the above
ans: b

2. darpa, the agency that has funded a great deal of american ai research, is part of the
department of:
A. defense
B. energy
C. education
D. justice
E. none of the above
ans: a

3. the conference that launched the ai revolution in 1956 was held at:
A. dartmouth
B. harvard
C. new york
D. stanford
E. none of the above
ans: a

4. what is the term used for describing the judgmental or commonsense part of problem
solving?
A. heuristic
B. critical
C. value based
D. analytical
E. none of the above
ans: a

5. which of the following is considered to be a pivotal event in the history of ai?
A. 1949, donald o, the organization of behavior.
B. 1950, computing machinery and intelligence.
C. 1956, dartmouth university conference organized by john mccarthy.
D. 1961, computer and computer sense.
E. none of the above
ans: c

6. a certain professor at the stanford university coined the word 'artificial intelligence' in
1956 at a conference held at dartmouth college. can you name the professor?
A. david levy
B. john mccarthy
C. joseph weizenbaum
D. hans berliner
E. none of the above
ans: b

7. the field that investigates the mechanics of human intelligence is:


A. history
B. cognitive science
C. psychology
D. sociology
E. none of the above
ans: b

8. a.m. turing developed a technique for determining whether a computer could or could not
demonstrate artificial intelligence; presently, this technique is called
A. turing test
B. algorithm
C. boolean algebra
D. logarithm
E. none of the above
ans: a

9. the first ai programming language was called:


A. basic
B. fortran
C. ipl
D. lisp
E. none of the above
ans: c

10. what is artificial intelligence?


A. putting your intelligence into computer
B. programming with your own intelligence
C. making a machine intelligent
D. putting more memory into computer
ans: c

11. who is a father of ai?


A. alain colmerauer
B. john mccarthy
C. nicklaus wirth
D. seymour papert
ans: b

12. artificial intelligence has applications in which of the following?
A. planning and scheduling
B. game playing
C. robotics
D. all of the above
ans: d

13. the characteristic of a computer system capable of thinking, reasoning and learning is
known as
A. machine intelligence
B. human intelligence
C. artificial intelligence
D. virtual intelligence
ans: c

14. the first ai programming language was called:


A. basic
B. fortran
C. ipl
D. lisp
ans: c

15. the first widely used commercial form of artificial intelligence (ai) is being used in many
popular products like microwave ovens, automobiles and plug-in circuit boards for desktop pcs.
what is the name of this ai?
A. boolean logic
B. human logic
C. fuzzy logic
D. functional logic
ans: c

16. what is the term used for describing the judgmental or commonsense part of problem
solving?
A. heuristic
B. critical
C. value based
D. analytical
ans: a

17. ____ is a branch of computer science which deals with helping machines find solutions to
complex problems in a more human-like fashion.
A. artificial intelligence
B. internet of things
C. embedded system
D. cyber security
ans: a

18. in ____ the goal is for the software to use what it has learned in one area to solve problems in
other areas.
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: b

19. computer programs that mimic the way the human brain processes information are called
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: c

20. a ____ is a rule of thumb, strategy, trick, simplification, or any other kind of device which
drastically limits the search for solutions in large problem spaces.
A. heuristic
B. critical
C. value based
D. analytical
ans: a

21. ____ do not guarantee optimal/any solutions.
A. heuristic
B. critical
C. value based
D. analytical
ans: a

22. cognitive science is related to
A. act like human
B. eliza
C. think like human
D. none of above
ans: c

23. ____ model should reflect how results were obtained.
A. design model
B. logic model
C. computational model
D. none of above
ans: c

24. communication between man and machine is related to
A. lisp
B. eliza
C. all of above
D. none of above
ans: b

25. eliza was created by
A. john mccarthy
B. steve russell
C. alain colmerauer
D. joseph weizenbaum
ans: d

26. the concepts derived from the ____ level are propositional logic, tautology, predicate
calculus, model, temporal logic.
A. cognition level
B. logic level
C. functional level
D. all of above
ans: b

27. prolog is an ai programming language which solves problems with a form of symbolic
logic known as ____.
A. propositional logic
B. tautology
C. predicate calculus
D. temporal logic
ans: c

28. the ____ level contains constituents at the third level which are knowledge based system,
heuristic search, automatic theorem proving, multi-agent system.
A. cognition level
B. gross level
C. functional level
D. all of above
ans: b

29. prolog, lisp, nlp are the language of _


A. artificial intelligence
B. machine learning
C. internet of things
D. deep learning
ans: a

30. ____ is used for ai because it supports the implementation of software that computes with
symbols very well.
A. lisp
B. eliza
C. prolog
D. nlp
ans: a

31. symbols, symbolic expressions and computing with those are at the core of
A. lisp
B. eliza
C. prolog
D. nlp
ans: a

32. ____ deals with the interaction between computers and humans using natural
language.
A. lisp
B. eliza
C. prolog
D. nlp
ans: d

33. the core components (constituents) of ai are derived from
A. concept of logic
B. cognition
C. computation
D. all of above
ans: d

34. aristotle’s theory of syllogism and descartes’ and kant’s critique of pure reason provided
knowledge on ____.
A. logic
B. computation logic
C. cognition logic
D. all of above
ans: a

35. charles babbage and boole demonstrated the power of
A. logic
B. computation logic
C. cognition logic
D. all of above
ans: b

36. in the 1960s, ____ pushed the logical formalism to integrate reasoning with knowledge.
A. marvin minsky
B. alain colmerauer
C. john mccarthy
D. none of above
ans: a

37. sensing organs as input, mechanical movement organs as output and the central nervous system
(cns) in the brain as control and computing device is known as the ____ of a human being.
A. information control paradigm
B. information processing paradigm
C. information processing control
D. none of above
ans: b

38. ____ models were developed and incorporated in machines which mimicked the
functionalities of human origin.
A. functional model
B. neural model
C. computational model
D. none of above
ans: c

39. chomsky’s linguistic computational theory generated a model for syntactic analysis through
____.
A. regular grammar
B. regular expression
C. regular word
D. none of these
ans: a

40. human to machine is ____ and machine to machine is ____.
A. process, process
B. process, program
C. program, hardware
D. program, program
ans: c

41. weak ai is also known as


A. narrow ai
B. general ai
C. neural ai
D. none of above
ans: a

42. ____ ai is able to perform a dedicated task.
A. narrow ai
B. general ai
C. neural ai
D. none of above
ans: a

43. narrow ai performs multiple tasks at a time.
A. true
B. false
ans: b

44. weak ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: c

45. strong ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: a

46. artificial intelligence is


A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: d

47. apple siri is a good example of ____ ai.
A. narrow ai
B. general ai
C. neural ai
D. none of above
ans: a

48. ibm watson supercomputer comes under ____ ai.
A. narrow ai
B. general ai
C. neural ai
D. none of above
ans: a

49. ____ ai is a type of intelligence which could perform any intellectual task with efficiency
like a human.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b

50. the idea behind ____ ai is to make such a system which could be smarter and think like
a human by its own.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b

51. worldwide researchers are now focusing on developing machines with ____ ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b

52. playing chess, purchasing suggestions on e-commerce sites, self-driving cars, speech
recognition, and image recognition are examples of ____.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: a

53. a machine that can perform any task better than a human with cognitive properties is known as
____ ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: c

54. the ability to think, solve puzzles, make judgments, plan, learn and communicate by its own is known as
____ ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: c

55. ____ ai is a hypothetical concept of ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: c

56. which ai system does not store memories or past experiences for future actions?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a

57. which machines only focus on current scenarios and react to them with the best possible
action?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a

58. ibm’s deep blue system is an example of ____.
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a

59. google alphago is an example of ____.
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a

60. which can store past experiences or some data for a short period of time?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: b

61. a self-driving car is an example of ____.
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: b [the car stores the recent speed of nearby cars, the distance of other cars, the speed limit and other
information to navigate the road]

62. which ai should understand the human emotions, people, and beliefs and be able to interact
socially like humans.
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: c

63. which machines will be smarter than human mind?


A. reactive machine
B. limited memory
C. theory of mind
D. self-awareness
ans: d

64. machines will have their own consciousness and sentiments


A. reactive machine
B. theory of mind
C. self-awareness
D. both b & c
ans: c

65. which is not the commonly used programming language for ai?
A. prolog
B. lisp
C. perl
D. java script
ans: c

66. what is machine learning?
A. the autonomous acquisition of knowledge through the use of computer programs
B. the autonomous acquisition of knowledge through the use of manual programs
C. the selective acquisition of knowledge through the use of computer programs
D. the selective acquisition of knowledge through the use of manual programs
ans: a

67. ____ is a branch of science that deals with programming the systems in such a way
that they automatically learn and improve with experience.
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: a

68. classifying email as spam, labeling webpages based on their content, and voice recognition are
examples of ____.
A. supervised learning
B. unsupervised learning
C. machine learning
D. deep learning
ans: a

69. k-means, self-organizing maps and hierarchical clustering are examples of ____.
A. supervised learning
B. unsupervised learning
C. machine learning
D. deep learning
ans: b

70. deep learning is a subfield of machine learning where the concerned algorithms are inspired by
the structure and function of the brain, called ____.
A. machine learning
B. artificial neural networks
C. deep learning
D. robotics
ans: b

71. machine learning was invented by ____.
A. john mccarthy
B. nicklaus wirth
C. joseph weizenbaum
D. arthur samuel
ans: d

chapter-2 internet of things

1. embedded systems are


A. general purpose
B. special purpose
ans: b

2. embedded system is
A. an electronic system
B. a pure mechanical system
C. an electro-mechanical system
D. (a) or (c)
ans: d

3. which of the following is not true about embedded systems?
A. built around specialized hardware
B. always contain an operating system
C. execution behavior may be deterministic
D. all of these
E. none of these
ans: e

4. which of the following is not an example of a “small-scale embedded system”?


A. electronic barbie doll
B. simple calculator
C. cell phone
D. electronic toy car
ans: c

5. the first recognized modern embedded system is


A. apple computer
B. apollo guidance computer (agc)
C. calculator
D. radio navigation system
ans: b

6. the first mass produced embedded system is


A. minuteman-i
B. minuteman-ii
C. autonetics d-17
D. apollo guidance computer (agc)
ans: c

7. which of the following is an (are) an intended purpose(s) of embedded systems?


A. data collection
B. data processing
C. data communication
D. all of these
E. none of these
ans: d

8. which of the following is (are) example(s) of an embedded system for data communication?
A. usb mass storage device
B. network router
C. digital camera
D. music player
E. all of these
F. none of these
ans: b

9. what are the essential tight constraint(s) related to the design metrics of an embedded system?
A. ability to fit on a single chip
B. low power consumption
C. fast data processing for real-time operations
D. all of the above
ans: d

10. a digital multimeter is an example of an embedded system for
A. data communication
B. monitoring
C. control
D. all of these
E. none of these
ans: b

11. which of the following is an (are) example(s) of an embedded system for signal processing?
A. apple ipod (media player device)
B. sandisk usb mass storage device
C. both (a) and (b)
D. none of these
ans: d

12. the instruction set of risc processor is


A. simple and lesser in number
B. complex and lesser in number
C. simple and larger in number
D. complex and larger in number
ans: a

13. which of the following is true about cisc processors?


A. the instruction set is non-orthogonal
B. the number of general purpose registers is limited
C. instructions are like macros in c language
D. variable length instructions
E. all of these
F. none of these
ans: e

14. main processor chip in computers is


A. asic
B. assp
C. cpu
D. cpld
ans: c

15. processors used in many microcontroller products need to be


A. high power
B. low power
C. low interrupt response
D. low code density
ans: b

16. in microcontrollers, uart is acronym of


A. universal applied receiver/transmitter
B. universal asynchronous rectified transmitter
C. universal asynchronous receiver/transmitter
D. united asynchronous receiver/transmitter
ans: c

17. which architecture is followed by general purpose microprocessors?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: b

18. which architecture involves both the volatile and the non-volatile memory?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a

19. which architecture provides separate buses for program and data memory?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a

20. harvard architecture allows:
A. separate program and data memory
B. pipelining
C. complex architecture
D. all of the mentioned
ans: d

21. which of the following processor architecture supports easier instruction pipelining?
A. harvard
B. von neumann
C. both of them
D. none of these
ans: a

22. which of the following is an example of a wireless communication interface?
A. rs-232c
B. wi-fi
C. bluetooth
D. ieee1394
E. both (b) and (c)
ans: e

23. arm stands for


A. advanced risc machine
B. advanced risc methodology
C. advanced reduced machine
D. advanced reduced methodology
ans: a
24. what is the processor used by arm7?
A. 8-bit cisc
B. 8-bit risc
C. 32-bit cisc
D. 32-bit risc
ans: d

25. the main importance of arm microprocessors is providing operation with
A. low cost and low power consumption
B. higher degree of multi-tasking
C. lower error or glitches
D. efficient memory management
ans: a

26. arm processors were basically designed for
A. main frame systems
B. distributed systems
C. mobile systems
D. super computers
ans: c

27. asic chip is


A. simple in design.
B. manufacturing time is less.
C. it is faster.
D. both a&c.
ans: c

28. asic stands for


A. application-system integrated circuits
B. application-specific integrated circuits
C. application-system internal circuits
D. application-specific internal circuits
ans: b

29. in microcontrollers, i2c stands for


A. inter-integrated clock
B. initial-integrated clock
C. intel-integrated circuit
D. inter-integrated circuit
ans: d

30. ____ is the smallest microcontroller which can be programmed to perform a
large range of tasks.
A. pic microcontrollers
B. arm microcontrollers
C. avr microcontrollers
D. asic microcontrollers
ans: a

31. ____ was developed in the year 1996 by atmel corporation.
A. pic
B. avr
C. arm
D. asic
ans: b

32. avr stands for ____.
A. advanced virtual risc.
B. alf-egil bogen and vegard wollan risc
C. both a & b
D. none of the above
ans: c

33. avr microcontroller executes most of the instructions in ____.
A. single execution cycle.
B. double execution cycle.
C. both a & b
D. none of the above.
ans: a

34. the term "the internet of things" was coined by
A. edward l. schneider
B. kevin ashton
C. john h.
D. charles anthony
ans: b

35. the huge number of devices connected to the internet of things have to communicate
automatically, not via humans. what is this called?
A. bot to bot (b2b)
B. machine to machine (m2m)
C. intercloud
D. skynet
ans: b

36. what does “things” in iot refer to?
A. general device
B. information
C. iot devices
D. object
ans: c

37. interconnection of internet and computing devices embedded in everyday objects, enabling
them to send and receive data is called
A. internet of things
B. network interconnection
C. object determination
D. none of these
ans: a
38. ____ is a computing concept that describes the idea of everyday physical objects
being connected to the internet.
A. iot (internet of things)
B. mqtt
C. coap
D. spi
ans: a

39. ____ devices may support a number of interoperable communication protocols and
communicate with other devices and also with infrastructure.
A. artificial intelligence
B. machine learning
C. internet of things
D. none of above
ans: c

40. which one is not an element of iot?
A. process
B. people
C. security
D. things
ans: c

41. iiot stands for
A. information internet of things
B. industrial internet of things
C. innovative internet of things
D. none of above
ans: b

42. which is the first recognized iot device?
A. smart watch
B. atm
C. radio
D. video game
ans: b

43. ____ is used by iot.
A. radio information technology
B. satellite
C. cable
D. broadband
ans: a

44. ____ consists of communication protocols for electronic devices, typically a mobile device
and a standard device.
A. rfid
B. mqtt
C. nfc
D. none of above
ans: c

45. ____ refers to establishing a proper connection between all the things of iot.
A. connectivity
B. analyzing
C. sensing
D. active engagement
ans: a

46. iot devices have unique identities and can perform ____.
A. remote sensing
B. actuating
C. monitoring capabilities
D. all of the above
ans: d

47. the sensed data is communicated to ____.
A. cloud-based servers/storage.
B. i/o interfaces.
C. internet connectivity.
D. none of the above
ans: a

48. iot devices are of various types, for instance ____.
A. wearable sensors.
B. smart watches.
C. led lights.
D. all of the above
ans: d

49. ____ is a collection of wired ethernet standards for the link layer.
A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans: a

50. ____ is a collection of wlan communication standards.
A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans: b

51. ____ is a collection of wireless broadband standards (wimax).
A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans: c

52. ____ is a collection of standards for lr-wpans.
A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans: d

53. lr-wpan standards form the basis of specifications for high-level communication protocols
such as ____.
A. zigbee
B. allsean
C. tyrell
D. microsoft's azure
ans: a

54. ____ includes gsm and cdma.
A. 2g
B. 3g
C. 4g
D. none of above
ans: a

55. ____ includes umts and cdma2000.
A. 2g
B. 3g
C. 4g
D. none of above
ans: b

56. ____ includes lte.
A. 2g
B. 3g
C. 4g
D. none of above
ans: c

57. ____ layer protocols determine how the data is physically sent over the network’s
physical layer or medium.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: d

58. the ____ layer is responsible for sending ip datagrams from the source network to the
destination network.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: c

59. the ____ layer performs host addressing and packet routing.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: c

60. ____ protocols provide end-to-end message transfer capability independent of the
underlying network.
A. network layer
B. transport layer
C. application layer
D. link layer
ans: b

61. the ____ protocols define how the applications interface with the lower layer protocols to send
the data over the network.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: a

62. 6lowpan stands for


A. 6 low personal area network
B. ipv6 low personal area network
C. ipv6 over low power wireless personal area network
D. none of above
ans:c

63. 802.3 is the standard for 10base5 ethernet that uses ____ cable as the shared medium.
A. twisted pair cable
B. coaxial cable
C. fiber optic cable
D. none of the above
ans: b

64. ieee 802.11 standards provide data rates


A. 10 gbit/s.
B. 1 gbit/s
C. 1 mb/s to up to 6.75 gb/s
D. 250 kb/s
ans: - c

65. which of the following is a protocol related to iot?
A. zigbee
B. 6lowpan
C. coap
D. all of the above
ans: c

66. ____ is useful for time-sensitive applications that have very small data units to
exchange and do not want the overhead of connection setup.
A. tcp
B. udp
C. transport layer
D. none of the above.
ans: b

67. ____ protocol uses universal resource identifiers (uris) to identify http
resources.
A. http
B. coap
C. websocket
D. mqtt
ans: a

68. the 10/100mbit ethernet support enables the board to connect to


A. lan
B. man
C. wan
D. wlan
ans: a

69. which one out of these is not a data link layer technology?
A. bluetooth
B. uart
C. wi-fi
D. http
ans: d

70. what is size of the ipv6 address?


A. 32 bits
B. 64 bits
C. 128 bits
D. 256 bits
ans: c

71. mqtt stands for


A. mq telemetry things
B. mq transport telemetry
C. mq transport things
D. mq telemetry transport
ans: d

72. mqtt is better than http for sending and receiving data.
A. true
B. false
ans: a
73. mqtt is a ____ protocol.
A. machine to machine
B. internet of things
C. machine to machine and internet of things
D. machine things
ans: c

74. which protocol is lightweight?
A. mqtt
B. http
C. coap
D. spi
ans: a

75. mqtt is:
A. based on client-server architecture
B. based on publish-subscribe architecture
C. based on both of the above
D. based on none of the above
ans: b

76. xmpp is used for streaming which type of elements?


A. xpl
B. xml
C. xhl
D. mpl
ans: b

77. xmpp creates ____ identity.
A. device
B. email
C. message
D. data
ans: a

78. xmpp uses ____ architecture.
A. decentralized client-server
B. centralized client-server
C. message
D. publish/subscribe
ans: a

79. what does http do?
A. enables network resources and reduces perception of latency
B. reduces perception of latency and allows multiple concurrent exchange
C. allows multiple concurrent exchange and enables network resources
D. enables network resources and reduces perception of latency and allows multiple concurrent
exchange.
ans: d

80. http stands for
A. hyper text transfer protocol
B. hyper terminal transfer protocol
C. hyper text terminal protocol
D. hyper terminal text protocol
ans: a

81. coap is specialized in


A. internet applications
B. device applications
C. wireless applications
D. wired applications
ans: a

82. which protocol is used to link all the devices in the iot?
A. tcp/ip
B. network
C. udp
D. http
ans: a

83. data in network layer is transferred in the form of


A. layers
B. packets
C. bytes
D. bits
ans:b

84. which service is provided by the application layer?
A. web chat
B. error control
C. connection services
D. congestion control
ans: a

85. tcp and udp are called?


A. application protocols
B. session protocols
C. transport protocols
D. network protocols
ans: c

86. a security-based connection is provided by which layer?
A. application layer
B. transport layer
C. session layer
D. network layer
ans: d

87. using which of the following can data integrity be assured in the transport layer?
A. checksum
B. repetition codes
C. cyclic redundancy checks
D. error correction codes
ans: a

88. transport layer receives data in the form of?


A. packets
B. byte streams
C. bits stream
D. both packet and byte stream
ans: b

89. the network layer is considered as the ____?
A. backbone
B. packets
C. bytes
D. bits
ans: a

90. the network layer consists of which hardware devices?
A. router
B. bridges
C. switches
D. all of the above
ans: d

91. network layer protocol exists in ____?
A. host
B. switches
C. packets
D. bridges
ans: a

92. which protocol has a quality of service?


A. xmpp
B. http
C. coap
D. mqtt
ans: a

93. ____ is a data-centric middleware standard for device-to-device and machine-to-machine
communication.
A. data distribution service (dds)
B. advanced message queuing protocol (amqp)
C. extensible messaging and presence protocol (xmpp)
D. message queue telemetry transport (mqtt)
ans: a

94. ____ is a bi-directional, fully duplex communication model that uses a persistent connection
between client and server.
A. request-response
B. publish-subscriber
C. push-pull
D. exclusive pair
ans: d

95. ____ is a stateful communication model and the server is aware of all open connections.
A. request-response
B. publish-subscriber
C. push-pull
D. exclusive pair
ans: d

96. which is not an iot communication model?
A. request-response
B. publish-subscribe
C. push-producer
D. exclusive pair
ans: c

97. in nodemcu, mcu stands for ____.
A. micro control unit
B. micro controller unit
C. macro control unit
D. macro controller unit
ans: b

98. rest is acronym for


A. representational state transfer
B. represent state transfer
C. representational state transmit
D. representational store transfer
ans: a

99. wsn stands for


A. wide sensor network
B. wireless sensor network
C. wired sensor network
D. none of these
ans: b

100. benefit of cloud computing services


A. fast
B. anywhere access
C. higher utilization
D. all of the above
ans: d
101. paas stands for _
A. platform as a service
B. platform as a survey
C. people as a service
D. platform as a survey
ans: a

102. ____ as a service is a cloud computing infrastructure that creates a development
environment upon which applications may be built.
A. infrastructure
B. service
C. platform
D. all of the mentioned
ans: c

103. ____ is a cloud computing service model in which hardware is virtualized in the
cloud.
A. iaas
B. caas
C. paas
D. none of the mentioned
ans: a

104. which of the following is the fundamental unit of virtualized client in an iaas deployment?
A. workunit
B. workspace
C. workload
D. all of the mentioned
ans: c

105. ____ offering provides the tools and development environment to deploy applications on
another vendor’s application.
A. paas
B. iaas
C. caas
D. all of the mentioned
ans: b

106. ____ is the most refined and restrictive service model.
A. iaas
B. caas
C. paas
D. all of the mentioned
ans: c

107. ____ is suitable for iot applications that have low latency or high throughput requirements.
A. rest
B. publish-subscriber
C. push-pull
D. websocket
ans: d

108. ____ is one of the most popular wireless technologies used by wsns.
A. zigbee
B. allsean
C. tyrell
D. z-wave
ans: a

109. zigbee specifications are based on ____.
A. 802.3
B. 802.11
C. 802.16
D. 802.15.4
ans: d

110. ____ is a transformative computing paradigm that involves delivering applications and
services over the internet.
A. wsn
B. cloud computing
C. big data
D. none of above
ans: b

111. the process of collecting, organizing and analyzing large sets of data is called ____.
A. wsn
B. cloud computing
C. big data
D. none of above
ans: c

112. does raspberry pi need external hardware?


A. true
B. false
ans.b

113. does rpi have an internal memory?


A. true
B. false
ans.a

114. what do we use to connect a tv to rpi?
A. male hdmi
B. female hdmi
C. male hdmi and adapter
D. female hdmi and adapter
ans: c

115. how is power supplied to rpi?
A. usb connection
B. internal battery
C. charger
D. adapter
ans: a

116. what is the ethernet/lan cable used in rpi?
A. cat5
B. cat5e
C. cat6
D. rj45
ans: d

117. which instruction set architecture is used in raspberry pi?


A. x86
B. msp
C. avr
D. arm
ans: d

118. is a micro sd card present in all modules?
A. true
B. false
ans: a

119. which characteristic involves the ability of the thing to respond in an intelligent way to a
particular situation?
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: a

120. ____ empowers iot by bringing together everyday objects.
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: b

121. the collection of data is achieved with ____ changes.
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: c

122. the number of devices that need to be managed and that communicate with each other will
be much larger.
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: d

123. in iot, as one of the key characteristics, ____ means devices have different hardware
platforms and networks.
A. sensors
B. heterogeneity
C. security
D. connectivity
ans: b

124. devices that transform electrical signals into physical movements are called
A. sensors
B. actuators
C. switches
D. display
ans: b

125. stepper motors are ______.
A. ac motors
B. dc motors
C. electromagnets
D. none of the above
ans: b

126. dc motors convert electrical energy into ______ energy.
A. mechanical
B. wind
C. electric
D. none
ans: a

127. linear actuators are used in
A. machine tools
B. industrial machinery
C. both a and b
D. none
ans: c

128. a solenoid is a specially designed
A. actuator
B. machine
C. electromagnet
D. none of the above
ans: c

130. accelerometer sensors are used in
A. smartphones
B. aircrafts
C. both
D. none of above
ans: c

131. image sensors are found in
A. cameras
B. night-vision equipment
C. sonars
D. all of the above
ans: d

132. gas sensors are used to detect ______ gases.
A. toxic
B. natural
C. oxygen
D. hydrogen
ans: a

133. properties of arduino are:
A. inexpensive
B. independent
C. simple
D. both a and c
ans: d

134. properties of iot devices:
A. sense
B. send and receive data
C. both a and b
D. none of the above
ans: c

135. iot devices are ______.
A. standard
B. non-standard
C. both
D. none
ans: b

136. what is the microcontroller used in arduino uno?
A. atmega328p
B. atmega2560
C. atmega32u4
D. at91sam3x8e
ans: a
137. ______ is an open source electronics platform based on easy-to-use hardware and software.
A. arduino
B. uno
C. raspberry pi
D. node
ans: a

138. ______ is used for latching, locking and triggering.
A. solenoid
B. relay
C. linear actuator
D. servo motors
ans: a

139. ______ detects the presence or absence of a nearby object without any physical contact.
A. smoke sensor
B. pressure sensor
C. ir sensor
D. proximity sensor
ans: d

140. ______ sensors include thermocouples, thermistors, resistance temperature detectors (rtds) and integrated circuits (ics).
A. smoke sensor
B. temperature sensor
C. ir sensor
D. proximity sensor
ans: b

141. humidity is measured in
A. rh
B. ph
C. ic
D. none of the above
ans: a

142. ______ sensor is used for automatic door controls, automatic parking systems, automated sinks, automated toilet flushers and hand dryers.
A. smoke sensor
B. temperature sensor
C. ir sensor
D. motion sensor
ans: d

143. ______ sensor measures heat emitted by objects.
A. smoke sensor
B. temperature sensor
C. ir sensor
D. proximity sensor
ans: c
chapter-3 basics of digital forensics

1. digital forensics involves all of the following except:
A. extraction of computer data.
B. preservation of computer data.
C. interpretation of computer data.
D. manipulation of computer data.
ans: d

2. idip stands for
A. integrated digital investigation process.
B. integrated data investigator process.
C. integrated digital investigator process.
D. independent digital investigator process.
ans: a

3. who proposed the road map for digital forensic research (rmdfr)?
A. g. gunsh.
B. s. ciardhuain
C. j. korn.
D. g. palmer
ans: d

4. an investigator should satisfy the following points:
A. contribute to society and human well-being.
B. avoid harm to others.
C. be honest and trustworthy.
D. all of the above
ans: d

5. in the past, the method for expressing an opinion has been to frame a ______ question based on available factual evidence.
A. hypothetical
B. nested
C. challenging
D. contradictory
ans: a

6. more subtle because you are not aware that you are running these macros (the document opens and the application automatically runs); spread via email. this describes:
A. the purpose of copyright
B. danger of macro viruses
C. derivative works
D. computer-specific crime
ans: b

7. there are three c's in computer forensics. which is one of the three?
A. control
B. chance
C. chains
D. core
ans: a

8. when was the federal bureau of investigation's computer forensics program created?
a. 1979
b. 1984
c. 1995
d. 1989
ans: b

9. when did the field of pc forensics begin?
a. 1960's
b. 1970's
c. 1980's
d. 1990's
ans: c

10. what is digital forensic?


A. process of using scientific knowledge in analysis and presentation of evidence in court
B. the application of computer science and investigative procedures for a legal purpose
involving the analysis of digital evidence after proper search authority, chain of custody,
validation with mathematics, use of validated tools, repeatability, reporting, and possible
expert presentation
C. process where we develop and test hypotheses that answer questions about digital events
D. use of science or technology in the investigation and establishment of the facts or
evidence in a court of law
ans: b

11. digital forensics entails .


A. accessing the system's directories viewing mode and navigating through the various systems
files and folders
B. undeleting and recovering lost files
C. identifying and solving computer crimes
D. the identification, preservation, recovery, restoration and presentation of digital evidence
from systems and devices
ans: d

12. which of the following is false?
A. the digital forensic investigator must maintain absolute objectivity
B. it is the investigator’s job to determine someone’s guilt or innocence.
C. it is the investigator’s responsibility to accurately report the relevant facts of a case.
D. the investigator must maintain strict confidentiality, discussing the results of an investigation on a “need to know” basis only
ans: b

13. what is the most significant legal issue in computer forensics?


A. preserving evidence
B. seizing evidence
C. admissibility of evidence
D. discovery of evidence
ans: c
14. the ______ phase includes putting the pieces of a digital puzzle together and developing investigative hypotheses.
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
ans: d

15. in the ______ phase the investigator transfers the relevant data from a venue out of the physical or administrative control of the investigator to a controlled location.
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
ans: b


17. computer forensics does not involve ______ activity.
A. preservation of computer data.
B. extraction of computer data.
C. manipulation of computer data.
D. interpretation of computer data.
ans: c

18. a set of instructions compiled into a program that performs a particular task is known as:
A. hardware
B. cpu
C. motherboard
D. software
ans: d

19. which of the following is not a rule of digital forensics?
A. an examination should be performed on the original data
B. a copy is made onto forensically sterile media. new media should always be used if available.
C. the copy of the evidence must be an exact, bit-by-bit copy
D. the examination must be conducted in such a way as to prevent any modification of the evidence.
ans: a
20. to collect and analyze the digital evidence that was obtained from the physical investigation
phase, is the goal of which phase?
A. physical crime investigation
B. digital crime investigation.
C. review phase.
D. deployment phase.
ans: b

21. to provide mechanism to an incident to be detected and confirmed is purpose of which


phase?
A. physical crime investigation
B. digital crime investigation.
C. review phase.
D. deployment phase.
ans: d

22. which phase entails a review of the whole investigation and identifies area of improvement?
A. physical crime investigation
B. digital crime investigation.
C. review phase.
D. deployment phase
ans: c

23. ______ is known as the father of computer forensics.
A. g. palmer
B. j. korn
C. michael anderson
D. s. ciardhuain
ans: c

24. ______ is a well-established science to which various contributions have been made.
A. forensic
B. crime
C. cyber crime
D. evidence
ans: a

25. who proposed the end-to-end digital investigation process (eedip)?
A. g. palmer
B. stephenson
C. michael anderson
D. s. ciardhuain
ans: b

26. which model of investigation was proposed by carrier and spafford?
A. extended model of cybercrime investigation (emci)
B. integrated digital investigation process (idip)
C. road map for digital forensic research (rmdfr)
D. abstract digital forensic model (adfm)
ans: b

27. which of the following is not a property of computer evidence?
A. authentic and accurate.
B. complete and convincing.
C. duplicated and preserved.
D. conform and human readable.
ans: d

28. ______ can make or break an investigation.
A. crime
B. security
C. digital forensics
D. evidence
ans: d

29. ______ is software that blocks unauthorized users from connecting to your computer.
A. firewall
B. quick launch
C. onelogin
D. centrify
ans: a

30. which of the following are general ethical norms for an investigator?
A. to contribute to society and human well-being.
B. to avoid harm to others.
C. to be honest and trustworthy.
D. all of the above
E. none of the above
ans: d

31. which of the following are unethical norms for an investigator?
A. withhold any relevant evidence.
B. declare any confidential matters or knowledge.
C. distort or falsify education, training, credentials.
D. all of the above
E. none of the above
ans: d

32. which of the following is not a general ethical norm for an investigator?
A. to contribute to society and human well-being.
B. withhold any relevant evidence.
C. to be honest and trustworthy.
D. to honor confidentiality.
ans: b

33. which of the following is not an unethical norm for a digital forensics investigation?
A. withhold any relevant evidence.
B. declare any confidential matters or knowledge.
C. distort or falsify education, training, credentials.
D. to respect the privacy of others.
ans: d
34. what is the process of creating a duplicate of digital media for the purpose of examining it called?
A. acquisition.
B. steganography.
C. live analysis
D. hashing.
ans: a
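Questions 19 and 34 above state the acquisition rules: never examine the original, copy it bit-for-bit onto fresh (sterile) media, and prevent any modification of the evidence. The script below is an added example, not part of the question bank; it shows those rules as working code on a constructed evidence file, takes a sha256 of the bytes read from the original while they are copied, re-hashes the copy independently, and refuses to overwrite media that already holds data. The file names and evidence bytes are made up for the demonstration.

```python
"""Forensically sound acquisition: bit-for-bit copy onto fresh media, verified
by hashing, with the original opened read-only. Added example, not part of
the question bank; the evidence file and paths below are constructed."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB reads keep memory flat on multi-GB images


def sha256_file(path):
    """Hash a file in chunks so a large image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, dest):
    """Copy source to dest bit-for-bit and return (source_hash, copy_hash, verified).

    - source is opened read-only; nothing is ever written to the original
    - dest is opened with 'x', so an existing file (used media) makes the
      acquisition fail instead of silently overwriting it
    - the source hash is taken from the very bytes that were copied, then the
      copy is re-read from disk and hashed independently
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    src_hash = h.hexdigest()
    copy_hash = sha256_file(dest)
    return src_hash, copy_hash, src_hash == copy_hash


def demo():
    """Acquire a constructed evidence file and report the checks a report would record."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.dd")       # stands in for a device image
    dest = os.path.join(workdir, "evidence-copy.dd")    # fresh output media
    with open(source, "wb") as f:                       # constructed evidence bytes
        f.write(bytes(range(256)) * 64 + b"CONSTRUCTED EVIDENCE BLOB")
    src_hash, copy_hash, verified = acquire(source, dest)
    same_size = os.path.getsize(source) == os.path.getsize(dest)
    try:                                  # a second run must not touch the copy
        acquire(source, dest)
        refused = False
    except FileExistsError:
        refused = True
    return {"verified": verified and same_size, "sha256": src_hash,
            "refused_overwrite": refused}


if __name__ == "__main__":
    print(demo())
```

On a real device the read-only guarantee comes from a hardware write blocker, not from the open mode; the hash recorded here is what goes into the chain-of-custody record so that any later copy can be checked against it.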

35. which term refers to modifying a computer in a way that was not originally intended in order to view information?
A. metadata
B. live analysis
C. hacking
D. bit copy
ans: c

36. the ability to recover and read deleted or damaged files from a criminal’s computer is an example of a law enforcement specialty called?
A. robotics
B. simulation
C. computer forensics
D. animation
ans: c

37. what are the important parts of a mobile device used in digital forensics?
A. sim
B. ram
C. rom.
D. emmc chip
ans: d

38. using what can data hiding in encrypted images be carried out in digital forensics?
A. acquisition.
B. steganography.
C. live analysis
D. hashing.
ans: b

39. which of these is not a computer crime?
A. e-mail harassment
B. falsification of data.
C. sabotage.
D. identification of data
ans: d

40. which file is used to store the user-entered password?
A. .exe
B. .txt
C. .iso
D. .sam
ans: d

41. ______ is the process of recording as much data as possible to create reports and analysis on user input.
A. data mining
B. data carving
C. meta data
D. data spoofing.
ans: a

42. ______ searches through raw data on a hard drive without using a file system.
A. data mining
B. data carving
C. meta data
D. data spoofing.
ans: b
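Question 42's data carving (finding files in raw bytes with no file system to consult) is shown below as an added example that is not part of the question bank. It carves JPEG and PNG files out of a constructed byte string standing in for unallocated disk space by scanning for their header and footer magic numbers; the signatures are the real ones, the image contents are made up, and a header that never finds its footer is skipped rather than carved.

```python
"""Header/footer file carving over raw bytes, with no file system.
Added example, not from the question bank; the 'disk image' is a constructed
byte string with two minimal files embedded among filler."""

# (header, footer) magic numbers. A PNG ends with its IEND chunk:
# 4-byte length 0, 'IEND', CRC 0xAE426082.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 16 * 1024 * 1024   # give up on a header with no footer within 16 MiB


def carve(image):
    """Return [(type, offset, data)] for every header whose footer is found.
    After a hit, scanning resumes after the carved file, so a JPEG embedded
    as a thumbnail inside another JPEG is not reported a second time."""
    found = []
    for ftype, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), start + MAX_SIZE)
            if end < 0:
                pos = start + 1          # header without footer: keep scanning
                continue
            end += len(tail)
            found.append((ftype, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def build_image():
    """Constructed 'unallocated space': filler, a minimal JPEG, filler, a minimal PNG, filler."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    filler = bytes(0x41 + (i % 26) for i in range(512))   # 'ABC...' noise, no signatures
    return filler + jpeg + filler + png + filler


if __name__ == "__main__":
    for ftype, offset, data in carve(build_image()):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```

Carving by signature recovers fragments regardless of what the file system says, which is why it works on formatted or damaged media, but it cannot reassemble fragmented files and it will happily carve a decoy; every carved object still has to be validated (for example by parsing it) before it is reported as evidence.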

43. what is the first step in retrieving data from an encrypted hard drive?
A. formatting the disk
B. storing data
C. finding configuration files.
D. deleting files.
ans: c
multiple choice questions & answers (mcqs)
In LISP, the function returns the list that results after the first element is removed (the rest f the
list), is
a) car
b) last
c) cons
d) cdr

Which of the following contains the output segments of Artificial Intelligence programming?
a) Printed language and synthesized speech
b) Manipulation of physical object
c) Locomotion
d) All of the mentioned

LISP was created by?


a) John McCarthy
b) Marvin Minsky
c) Alan Turing
d) Allen Newell and Herbert Simon

Expert Ease was developed under the direction of


a) John McCarthy
b) Donald Michie
c) Lofti Zadeh
d) Alan Turing

An Artificial Intelligence system developed by Terry A. Winograd to permit an interactive


dialogue about a domain he called blocks-world.
a) SHRDLU
b) SIMD
c) BACON
d) STUDENT

MLMenu, a natural language interface for the TI Explorer, is similar to


a) Ethernet
b) NaturalLink
c) PROLOG
d) The Personal Consultant

Strong Artificial Intelligence is


a) the embodiment of human intellectual capabilities within a computer
b) a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans
c) the study of mental faculties through the use of mental models implemented on a computer
d) all of the mentioned

the traditional way to exit a lisp system is to enter
a) quit
b) exit
c) bye
d) ok

in which of the following situations might a blind search be acceptable?


a) real-life situation
b) complex game
c) small search space
d) all of the mentioned

what is artificial intelligence?
a) putting your intelligence into computer
b) programming with your own intelligence
c) making a machine intelligent
d) playing a game

which search method takes less memory?


a) depth-first search
b) breadth-first search
c) optimal search
d) linear search

a heuristic is a way of trying


a) to discover something or an idea embedded in a program
b) to search and measure how far a node in a search tree seems to be from a goal
c) to compare two nodes in a search tree to see if one is better than the other is
d) all of the mentioned

how do you represent “all dogs have tails”?
a) ∀x: dog(x) → hastail(x)
b) ∀x: dog(x) → hastail(y)
c) ∀x: dog(y) → hastail(x)
d) ∀x: dog(x) → has→tail(x)

which is not a property of representation of knowledge?
a) representational verification
b) Representational Adequacy
c) Inferential Adequacy
d) Inferential Efficiency

A series of Artificial Intelligence systems, developed by Pat Langley to explore the role of
heuristics in scientific discovery is
a) RAMD
b) BACON
c) MIT
d) DU

A. M. Turing developed a technique for determining whether a computer could or could not demonstrate artificial intelligence. presently, this technique is called
a) Turing Test
b) Algorithm
c) Boolean Algebra
d) Logarithm

A Personal Consultant knowledge base contain information in the form of


a) parameters
b) contexts
c) production rules
d) all of the mentioned

Which approach to speech recognition avoids the problem caused by the variation in speech
patterns among different speakers?
a) Continuous speech recognition
b) Isolated word recognition
c) Connected word recognition
d) Speaker-dependent recognition

Which of the following, is a component of an expert system?


a) inference engine
b) knowledge base
c) user interface
d) all of the mentioned

A computer vision technique that relies on image templates is


a) edge detection
b) binocular vision
c) model-based vision
d) robot vision

darpa, the agency that has funded a great deal of american artificial intelligence research, is part of the department of
a) defense
b) energy
c) education
d) justice

which of these schools was not among the early leaders in artificial intelligence research?
a) dartmouth university
b) harvard university
c) massachusetts institute of technology
d) stanford university

a certain professor at stanford university coined the term ‘artificial intelligence’ in 1956 at a conference held at dartmouth college. can you name the professor?
a) david levy
b) john mccarthy
c) joseph weizenbaum
d) hans berliner

in lisp, the function (copy-list <list>)


a) returns a new list that is equal to <list> by copying the top-level element of <list>
b) returns the length of <list>
c) returns t if <list> is empty
d) all of the mentioned

who is the “father” of artificial intelligence?


a) fisher ada
b) john mccarthy
c) allen newell
d) alan turing

in 1985, the famous chess player david levy beat a world champion chess program in four
straight games by using orthodox moves that confused the program. what was the name of the
chess program?
a) kaissa
b) cray blitz
c) golf
d) digdug
the explanation facility of an expert system may be used to
a) construct a diagnostic model
b) expedite the debugging process
c) explain the system’s reasoning process
d) expedite the debugging process & explain the system’s reasoning process

a process that is repeated, evaluated, and refined is called


a) diagnostic
b) descriptive
c) interpretive
d) iterative

visual clues that are helpful in computer vision include


a) color and motion
b) depth and texture
c) height and weight
d) color and motion, depth and texture

the conference that launched the ai revolution in 1956 was held at?
a) dartmouth
b) harvard
c) new york
d) stanford

texas instruments incorporated produces a low-cost lisp machine called ______
a) the computer-based consultant
b) the explorer
c) smalltalk
d) the personal consultant

when a top-level function is entered, the lisp processor do(es)?


a) it reads the function entered
b) it evaluates the function and the function’s operands
c) it prints the results returned by the function
d) all of the mentioned

one method of programming a computer to exhibit human intelligence is called modeling or

a) simulation
b) cognitization
c) duplication
d) psychic amelioration
graphic interfaces were first used in a xerox product called
a) interlisp
b) ethernet
c) smalltalk
d) zetalisp

the ai researcher who co-authored both the handbook of artificial intelligence and the fifth generation is
a) bruce lee
b) randy davis
c) ed feigenbaum
d) mark fox

which of the following is being investigated as a means of automating the creation of a


knowledge base?
a) automatic knowledge acquisition
b) simpler tools
c) discovery of new concepts
d) all of the mentioned

the cai (computer-assisted instruction) technique based on programmed instruction is

a) frame-based cai
b) generative cai
c) problem-solving cai
d) intelligent cai

a robot’s “arm” is also known as its


a) end effector
b) actuator
c) manipulator
d) servomechanism

kee is a product of
a) teknowledge
b) intellicorp
c) texas instruments
d) tech knowledge

in lisp, the function λx.(2x+1) would be rendered as
a) (lambda (x) (+ (* 2 x) 1))
b) (lambda (x) (+1 (* 2x)))
c) (+ lambda (x) 1 (* 2x))
d) (* lambda (x) (+ 2 x 1))

A natural language generation program must decide


a) what to say
b) when to say something
c) why it is being used
d) both what to say & when to say something

The hardware features of LISP machines generally include


a) large memory and a high-speed processor
b) letter-quality printers and 8-inch disk drives
c) a mouse and a specialized keyboard
d) large memory and a high-speed processor & a mouse and a specialized keyboard

In which of the following areas may ICAI programs prove to be useful?


a) educational institutions
b) corporations
c) department of Defense
d) all of the mentioned

A network with named nodes and labeled arcs that can be used to represent certain natural
language grammars to facilitate parsing.
a) Tree Network
b) Star Network
c) Transition Network
d) Complete Network

What is Machine learning?


a) The autonomous acquisition of knowledge through the use of computer programs
b) The autonomous acquisition of knowledge through the use of manual programs
c) The selective acquisition of knowledge through the use of computer programs
d) The selective acquisition of knowledge through the use of manual programs

Which of the factors affect the performance of learner system does not include?
a) Representation scheme used
b) Training scenario
c) Type of feedback
d) Good data structures

Different learning methods does not include?


a) Memorization
b) Analogy
c) Deduction
d) Introduction

In language understanding, the levels of knowledge that does not include?


a) Phonological
b) Syntactic
c) Empirical
d) Logical

A model of language consists of the categories which does not include?


a) Language units
b) Role structure of units
c) System constraints
d) Structural units

What is a top-down parser?


a) Begins by hypothesizing a sentence (the symbol S) and successively predicting lower level
constituents until individual preterminal symbols are written
b) Begins by hypothesizing a sentence (the symbol S) and successively predicting upper level
constituents until individual preterminal symbols are written
c) Begins by hypothesizing lower level constituents and successively predicting a sentence (the
symbol S)
d) Begins by hypothesizing upper level constituents and successively predicting a sentence (the
symbol S)

Among the following which is not a horn clause?
a) p
b) ¬p ∨ q
c) p → q
d) p → ¬q

The action ‘STACK(A, B)’ of a robot arm specify to


a) Place block B on Block A
b) Place blocks A, B on the table in that order
c) Place blocks B, A on the table in that order
d) Place block A on block B

which instruments are used for perceiving and acting upon the environment?
a) sensors and actuators
b) sensors
c) perceiver
d) none of the mentioned

what is meant by agent’s percept sequence?


a) used to perceive the environment
b) complete history of actuator
c) complete history of perceived things
d) none of the mentioned

how many types of agents are there in artificial intelligence?


a) 1
b) 2
c) 3
d) 4

what is the rule of simple reflex agent?


a) simple-action rule
b) condition-action rule
c) simple & condition-action rule
d) none of the mentioned

what are the composition for agents in artificial intelligence?


a) program
b) architecture
c) both program & architecture
d) none of the mentioned

in which agent does the problem generator is present?


a) learning agent
b) observing agent
c) reflex agent
d) none of the mentioned
Which is used to improve the agents performance?
a) Perceiving
b) Learning
c) Observing
d) None of the mentioned

Which agent deals with happy and unhappy states?


a) Simple reflex agent
b) Model based agent
c) Learning agent
d) Utility based agent

Which action sequences are used to achieve the agent’s goal?


a) Search
b) Plan
c) Retrieve
d) Both Search & Plan

Which element in the agent are used for selecting external actions?
a) Perceive
b) Performance
c) Learning
d) Actuator

What is Artificial intelligence?


a) Putting your intelligence into Computer
b) Programming with your own intelligence
c) Making a Machine intelligent
d) Playing a Game

Which is not the commonly used programming language for AI?


a) PROLOG
b) Java
c) LISP
d) Perl

Artificial Intelligence has its expansion in the following application.


a) Planning and Scheduling
b) Game Playing
c) Diagnosis
d) all of the mentioned

what is an ‘agent’?
a) perceives its environment through sensors and acting upon that environment through actuators
b) takes input from the surroundings and uses its intelligence and performs the desired
operations
c) a embedded program controlling line following robot
d) all of the mentioned

agents behavior can be best described by


a) perception sequence
b) agent function
c) sensors and actuators
d) environment in which agent is performing

rational agent is the one who always does the right thing.
a) true
b) false

performance measures are fixed for all agents.


a) true
b) false

what is rational at any given time depends on?


a) the performance measure that defines the criterion of success
b) the agent’s prior knowledge of the environment
c) the actions that the agent can perform
d) all of the mentioned

an omniscient agent knows the actual outcome of its actions and can act accordingly; but
omniscience is impossible in reality. rational agent always does the right thing; but rationality is
possible in reality.
a) true
b) false

the task environment of an agent consists of


a) sensors
b) actuators
c) performance measures
d) all of the mentioned
What could possibly be the environment of a Satellite Image Analysis System?
a) Computers in space and earth
b) Image categorization techniques
c) Statistical data on image pixel intensity value and histograms
d) All of the mentioned

Categorize Crossword puzzle in Fully Observable / Partially Observable.


a) Fully Observable
b) partially Observable
c) All of the mentioned
d) None of the mentioned

The game of Poker is a single agent.


a) True
b) False

Satellite Image Analysis System is (Choose the one that is not applicable).
a) Episodic
b) Semi-Static
c) Single agent
d) Partially Observable

An agent is composed of
a) Architecture
b) Agent Function
c) Perception Sequence
d) Architecture and Program

______ allows us to control electronic components
a) RETful API
b) RESTful API
c) HTTP
d) MQTT

MQTT stands for
a) MQ Telemetry Things
b) MQ Transport Telemetry
c) MQ Transport Things
d) MQ Telemetry Transport

mqtt is better than http for sending and receiving data.
a) true
b) false

mqtt is a ______ protocol.
a) machine to machine
b) internet of things
c) machine to machine and internet of things
d) machine things

which protocol is lightweight?
a) mqtt
b) http
c) coap
d) spi

pubnub publishes and subscribes ______ in order to send and receive messages.
a) network
b) account
c) portal
d) keys

by clicking which key will pubnub display the publish, subscribe and secret keys?
a) pane
b) demo keyset
c) portal
d) network

the messagechannel class declares the ______ class attribute that defines the key string.
a) command_key
b) command-key
c) commandkey
d) key_command

the ______ method saves the received arguments in three attributes.
a) init
b) init
c) init
d) __init__

______ and ______ save the publish and subscribe keys that we have generated with the pubnub admin portal.
a) publish_key and subscribe_key
b) publish-key and subscribe-key
c) publishkey and subscribekey
d) key_publish and key_subscribe

______ specifies the function that will be called when a new message is received from the channel.
a) reconnect
b) error
c) connect
d) callback

______ specifies the function that will be called on an error event.
a) callback
b) error
c) connect
d) reconnect

______ specifies the function that will be called when a successful connection with the pubnub cloud is established.
a) callback
b) error
c) connect
d) reconnect

______ specifies the function that will be called when a successful re-connection is completed.
a) callback
b) error
c) connect
d) reconnect

______ specifies the function that will be called when the client disconnects.
a) callback
b) error
c) connect
d) disconnect

what is the java extension file in iot?


a) .jar
b) .c
c) .exe
d) .py

do we run our program in the same computer where we have written?


a) true
b) false
c) may or may not
d) cannot be determined

publish command message is sent from ______
a) only publisher to broker
b) only broker to publisher
c) publisher to broker and broker to publisher
d) server to client

the message is sent to the input queue of a message flow that contains a ______
a) subscriber
b) server
c) publication node
d) client

does a user have authority for all topics?
a) true
b) false
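The mqtt questions above, and the question just before this on whether a user has authority for all topics (the answer is false: a broker grants each client specific topics), are illustrated by the following added example, which is not part of the question bank. It is a small in-memory broker that implements the MQTT 3.1.1 topic-filter rules ('+' for one level, '#' for all trailing levels, no wildcard match on '$' system topics) and checks a per-client authorization list before every subscribe and publish. The client names, topics and ACL in demo() are made up for the demonstration; a real deployment would hold the same rules in the broker's ACL file.

```python
"""In-memory publish/subscribe broker with MQTT-style topic filters and a
per-client authorization list. Added example, not part of the question bank;
the client names, topics and ACL in demo() are made up.

Filter rules follow MQTT 3.1.1 section 4.7: '+' matches exactly one level,
'#' matches any number of trailing levels (including none) and must be the
last level, and a filter that starts with a wildcard never matches a
'$'-prefixed system topic."""
from collections import defaultdict


def topic_matches(filt, topic):
    """True if the topic filter matches the concrete topic name."""
    if topic.startswith("$") and filt[:1] in ("+", "#"):
        return False
    f_levels, t_levels = filt.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1       # '#' is only valid as the last level
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def filter_covers(acl_filt, req_filt):
    """True if every topic matched by req_filt is also matched by acl_filt.
    Used for subscriptions, where the request itself may contain wildcards,
    so a client granted 'sensors/+' cannot widen that to 'sensors/#'."""
    a, r = acl_filt.split("/"), req_filt.split("/")
    for i, al in enumerate(a):
        if al == "#":
            return True
        if i >= len(r) or r[i] == "#":
            return False                  # request asks for more levels than granted
        if al != "+" and r[i] != al:
            return False                  # '+' covers a literal or '+'; a literal only itself
    return len(a) == len(r)


class Broker:
    def __init__(self, acl):
        self.acl = acl                    # client -> {"pub": [filters], "sub": [filters]}
        self.subs = defaultdict(list)     # filter -> [callback]
        self.denied = []                  # audit trail of rejected operations

    def subscribe(self, client, filt, callback):
        grants = self.acl.get(client, {}).get("sub", [])
        if not any(filter_covers(g, filt) for g in grants):
            self.denied.append((client, "sub", filt))
            return False
        self.subs[filt].append(callback)
        return True

    def publish(self, client, topic, payload):
        grants = self.acl.get(client, {}).get("pub", [])
        # publish topics are concrete names: wildcards are never allowed here
        if "+" in topic or "#" in topic or not any(topic_matches(g, topic) for g in grants):
            self.denied.append((client, "pub", topic))
            return 0
        delivered = 0
        for filt, callbacks in self.subs.items():
            if topic_matches(filt, topic):
                for cb in callbacks:
                    cb(topic, payload)
                    delivered += 1
        return delivered


def demo():
    """Constructed scenario: a sensor may publish only in its own subtree, a
    dashboard may read every sensor, and an intruder holds no rights at all."""
    acl = {
        "sensor-1":  {"pub": ["sensors/room1/+"], "sub": []},
        "dashboard": {"pub": [], "sub": ["sensors/#"]},
        "intruder":  {"pub": [], "sub": []},
    }
    broker = Broker(acl)
    received = []
    broker.subscribe("dashboard", "sensors/#", lambda t, p: received.append((t, p)))
    intruder_sub = broker.subscribe("intruder", "#", lambda t, p: received.append(("LEAK", p)))
    delivered = [
        broker.publish("sensor-1", "sensors/room1/temp", b"21.5"),
        broker.publish("sensor-1", "sensors/room2/temp", b"99"),     # outside its grant
        broker.publish("intruder", "sensors/room1/temp", b"spoof"),  # no grant at all
    ]
    return {"intruder_sub": intruder_sub, "delivered": delivered,
            "received": received, "denied": broker.denied}


if __name__ == "__main__":
    print(demo())
```

The subscribe check is deliberately stricter than the publish check: a subscription filter is itself a pattern, so it has to be covered by a granted pattern rather than merely matched by one, otherwise "sensors/#" would slip past a grant of "sensors/+".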

rostopic uses ______ at the command line for representing the content of the message.
a) yaml_syntax
b) rostopic bw
c) rostopic delay
d) rostopic echo

Which command displays the bandwidth?
a) rostopic hz
b) rostopic delay
c) rostopic echo
d) rostopic bw

rostopic delay will provide the delay for ______
a) topics which have a header
b) topics which have a tail
c) topics which have a tail and head
d) all topics

Which command displays messages published to a topic?


a) rostopic bw
b) rostopic delay
c) rostopic echo
d) rostopic hz

Which command finds out the topic?


a) rostopic bw
b) rostopic delay
c) rostopic echo
d) rostopic find

Publishing messages is handled through the ______ class.
a) Client()
b) Server()
c) Publish()
d) Batch()

The client() class provides ______ to create topics.
a) Software
b) Classes
c) Methods
d) Batch

The ______ method publishes messages to pub/sub.
a) Client()
b) Publish()
c) Server()
d) Batch()
how many arguments are accepted by publish()?
a) 5 arguments
b) 3 arguments
c) 1 argument
d) 2 arguments

does the publish() method accept arbitrary arguments?
a) true
b) false

the topic in the publish method is in which form?
a) binomial form
b) canonical form
c) nominal form
d) message form

the message in pub/sub is an opaque blob of
a) bits
b) bytes
c) word
d) nibble

a ______ is raised if we try to send a text string instead of bytes.
a) typeerror
b) error
c) linker error
d) compiler error

what do we call string in python 2?


a) str
b) unicode
c) strs
d) unicades

when you publish a message, a ______ is automatically created.
a) client
b) server
c) batch
d) server

When the batch is created, it begins a countdown that publishes the batch once sufficient time has elapsed.
a) True
b) False

What is the time elapsed after a batch is created?
a) 0.5 seconds
b) 0.05 seconds
c) 1.5 seconds
d) 1 second

Every call to publish() will return a class that conforms to the ______ interface.
a) Batch
b) Client
c) Server
d) Future

IaaS stands for


a) Infrastructure as a Service
b) Infrastructure as a Software
c) Internet as a Service
d) Internet as a Software

Mobile cloud computing at its simplest refers to an


a) Intervention
b) Internet
c) Infrastructure
d) Intervention & Internet

Mobile Cloud applications move the ______ power and ______ away from the mobile phone and into the cloud.
a) Computing and internet
b) Data storage and computing
c) Computing and data storage
d) Internet and computing

saas stands for
a) service as a smartphone
b) service as a software
c) smartphone as a service
d) software as a service

______ reduces the development and running cost of mobile applications on smartphone devices.
a) infrastructure
b) productive business
c) software
d) services

paas stands as
a) platform as a software
b) photo as a service
c) platform as a service
d) photo as a software

the architecture of mcc is such that various mobile devices are connected to their respective
mobile networks via
a) software
b) satellite
c) access point
d) base station

mcc stands for mobile cloud computation.


a) true
b) false

______ is the minimum value which an application shall exceed to be offloaded.
a) static value
b) critical value
c) threshold value
d) dynamic value

the offloading decision depends upon the ______ to be offloaded.
a) size of application
b) threshold value
c) critical value
d) dynamic value

the part of the code which involves complex computations and requires more time to execute is referred to as ______
a) static session
b) threshold session
c) dynamic session
d) critical session

in ______ the application is partitioned during development.
a) static offloading
b) dynamic offloading
c) threshold offloading
d) critical offloading

______ network environment means changing connection status.
a) static offloading
b) dynamic offloading
c) threshold offloading
d) critical offloading

______ is defined as the delay between the offloading and the final result.
a) latency rate
b) network bandwidth
c) heterogeneity
d) migration cost

______ depends upon the amount of code being offloaded.
a) latency rate
b) network bandwidth
c) heterogeneity
d) migration cost
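The threshold, critical-session, latency, bandwidth and migration-cost questions above name the inputs of an offloading decision without showing how they combine. The following is an added example, not from the question bank: a time-based cost model in which a task is offloaded only if its work exceeds a threshold and the cloud execution time plus the migration and latency costs is below the local execution time. The task sizes, link parameters and processing rates are made-up values, and the model itself is the usual textbook one rather than anything the questions prescribe.

```python
"""Computation-offloading decision for a mobile cloud computing (mcc) client.
Added example, not from the question bank; all numbers below are made up."""
from dataclasses import dataclass


@dataclass
class Task:
    name: str
    work: float      # million instructions in the task's critical session
    data: float      # bytes of code and state that must migrate to the cloud


@dataclass
class Link:
    bandwidth: float   # bytes per second, as measured right now
    latency: float     # seconds between sending the offload request and the result


THRESHOLD_WORK = 50.0   # tasks below this much work are never worth offloading


def local_cost(task, mobile_mips):
    """Seconds to run the task on the handset."""
    return task.work / mobile_mips


def remote_cost(task, cloud_mips, link):
    """Seconds to run in the cloud: execution + migration of code/state + latency."""
    return task.work / cloud_mips + task.data / link.bandwidth + link.latency


def should_offload(task, link, mobile_mips=1000.0, cloud_mips=20000.0):
    """Return (offload?, local_seconds, remote_seconds or None).
    mobile_mips / cloud_mips are assumed processing rates (million instr/s)."""
    lc = local_cost(task, mobile_mips)
    if task.work < THRESHOLD_WORK:
        return False, lc, None          # below threshold: stay local, no measurement needed
    rc = remote_cost(task, cloud_mips, link)
    return rc < lc, lc, rc


def demo():
    """Same tasks, two link conditions: the decision changes with the network."""
    heavy = Task("face-recognition", work=2000.0, data=2_000_000)
    tiny = Task("ui-update", work=5.0, data=100)
    wifi = Link(bandwidth=5_000_000, latency=0.05)
    weak_3g = Link(bandwidth=100_000, latency=0.5)
    return {
        "tiny_on_wifi": should_offload(tiny, wifi)[0],
        "big_on_wifi": should_offload(heavy, wifi)[0],
        "big_on_3g": should_offload(heavy, weak_3g)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Because the link is measured at decision time, the same task is offloaded on the wi-fi link and kept local on the weak link; that re-evaluation is what the dynamic-offloading questions refer to. The migrated data is application state leaving the device, so the channel carrying it needs confidentiality and integrity protection (for example TLS), and the cloud side must treat the received code and state as untrusted input.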
which one of the following offers a cpu with integrated memory and peripheral interfaces?
a) microcontroller
b) microprocessor
c) embedded system
d) memory system

which of the following requires external chips for memory and peripheral interface circuits?
a) microcontroller
b) microprocessor
c) peripheral system
d) embedded system

how many bits does the mc6800 family have?
a) 16
b) 32
c) 4
d) 8

which of the following is a 4-bit architecture?


a) mc6800
b) 8086
c) 80386
d) national cop series

what is cisc?
a) computing instruction set complex
b) complex instruction set computing
c) complimentary instruction set computing
d) complex instruction set complementary

how is the protection and security for an embedded system made?


a) otp
b) ipr
c) memory disk security
d) security chips

which of the following possesses a cisc architecture?
a) mc68020
b) arc
c) atmel avr
d) blackfin

which of the following is a risc architecture?
a) 80286
b) mips
c) zilog z80
d) 80386

which one of the following is board based system?


a) data bus
b) address bus
c) vmebus
d) dma bus

vme bus stands for


a) versa module europa bus
b) versa module embedded bus
c) vertical module embedded bus
d) vertical module europa bus

which of the following provides a buffer between the user and the low-level interfaces to the
hardware?
a) operating system
b) kernel
c) software
d) hardware

which of the following enables the user to utilise the system efficiently?
a) kernel
b) operating system
c) software
d) hardware

which of the following can make the application program hardware independent?
a) software
b) application manager
c) operating system
d) kernel

which of the following speeds up the testing process?
a) kernel
b) software
c) application manager
d) program debugging tools

which of the following includes its own i/o routine?
a) hardware
b) kernel
c) operating system
d) application manager

which forms the heart of the operating system?
a) kernel
b) applications
c) hardware
d) operating system

which of the following locates a parameter block by using an address pointer?
a) os
b) kernel
c) system
d) memory

which of the following are not dependent on the actual hardware performing the physical task?
a) applications
b) hardware
c) registers
d) parameter block

which of the following buses makes it easy to upgrade the system hardware?
a) control bus
b) data bus
c) vmebus
d) bus interface unit

which of the following is the first widely used operating system?
a) ms-dos
b) windows xp
c) android
d) cp/m

which of the following is an example of a single task operating system?
a) android
b) windows
c) ios
d) cp/m

which of the following becomes a limiting factor while an application program has to be
complete?
a) memory
b) peripheral
c) input
d) output

which of the following cannot carry implicit information?
a) semaphore
b) message passing
c) threads
d) process

which of the following works by dividing the processor’s time?
a) single task operating system
b) multitask operating system
c) kernel
d) applications

which of the following decides which task can have the next time slot?
a) single task operating system
b) applications
c) kernel
d) software

which of the following controls the time slicing mechanism in a multitasking operating system?
a) kernel
b) single tasking kernel
c) multitasking kernel
d) application manager

which of the following provides a time period for the context switch?
a) timer
b) counter
c) time slice
d) time machine

which of the following can periodically trigger the context switch?
a) software interrupt
b) hardware interrupt
c) peripheral
d) memory

which interrupt provides the system clock for context switching?
a) software interrupt
b) hardware interrupt
c) peripheral
d) memory

the special table in the multitasking operating system is also known as the ______.
a) task control block
b) task access block
c) task address block
d) task allocating block

which of the following stores all the task information that the system requires?
a) task access block
b) register
c) accumulator
d) task control block

which of the following contains all the tasks and their status?
a) register
b) ready list
c) access list
d) task list

Which determines the sequence and the associated task’s priority?
a) scheduling algorithm
b) ready list
c) task control block
d) application register

Which can control memory usage?
a) operating system
b) applications
c) hardware
d) kernel

Which can control the memory sharing between the tasks?
a) kernel
b) application
c) software
d) OS

Which of the following can implement the message passing and control?
a) application software
b) operating system
c) software
d) kernel

How many types of messages are associated with the real-time operating system?
a) 2
b) 3
c) 4
d) 5

Which of the following can carry information and control tasks?
a) semaphore
b) messages
c) flags
d) address message

what are the essential tight constraints related to the design metrics of an embedded system?
a. ability to fit on a single chip
b. low power consumption
c. fast data processing for real-time operations
d. all of the above

which abstraction level undergoes the compilation process by converting a sequential program into finite-state machines and register transfers while designing an embedded system?
a. system
b. behaviour
c. rt
d. logic

which characteristic of an embedded system exhibits responsiveness to the assortments or variations in the system's environment by computing specific results for real-time applications without any kind of postponement?
a. single-functioned characteristic
b. tightly-constrained characteristic
c. reactive & real-time characteristic
d. all of the above

which of the following is not a type of cyber crime?
a) data theft
b) forgery
c) damage to data and systems
d) installing antivirus for protection

Cyber-laws are incorporated for punishing all criminals only.
a) True
b) False

Cyber-crime can be categorized into ______ types.
a) 4
b) 3
c) 2
d) 6

Which of the following is not a type of peer-to-peer cyber-crime?
a) Phishing
b) Injecting Trojans to a target victim
c) MiTM
d) credit card details leak in deep web

which of the following is not an example of a computer-as-a-weapon cyber-crime?
a) credit card fraud
b) spying on someone using a keylogger
c) ipr violation
d) pornography

which of the following is not done by cyber criminals?
a) unauthorized account access
b) mass attack using trojans as botnets
c) email spoofing and spamming
d) reporting vulnerabilities in a system

what is the name of the it law that india is having in the indian legislature?
a) india’s technology (it) act, 2000
b) india’s digital information technology (dit) act, 2000
c) india’s information technology (it) act, 2000
d) the technology act, 2008

in which year did india’s it act come into existence?
a) 2000
b) 2001
c) 2002
d) 2003

what is the full form of ita-2000?
a) information tech act -2000
b) indian technology act -2000
c) international technology act -2000
d) information technology act -2000

the information technology act -2000 bill was passed by k. r. narayanan.
a) true
b) false

under which section of the it act is stealing any digital asset or information defined as a cyber-crime?
a) 65
b) 65-d
c) 67
d) 70

what is the punishment in india for stealing computer documents, assets or any software’s
source code from any organization, individual, or from any other means?
a) 6 months of imprisonment and a fine of rs. 50,000
b) 1 year of imprisonment and a fine of rs. 100,000
c) 2 years of imprisonment and a fine of rs. 250,000
d) 3 years of imprisonment and a fine of rs. 500,000

what is the updated version of the it act, 2000?
a) it act, 2007
b) advanced it act, 2007
c) it act, 2008
d) advanced it act, 2008

in which year did the indian it act, 2000 get updated?
a) 2006
b) 2008
c) 2010
d) 2012

what type of cyber-crime, its laws and punishments does section 66 of the indian it act hold?
a) cracking or illegally hacking into any system
b) putting antivirus into the victim
c) stealing data
d) stealing hardware components

accessing a computer without prior authorization is a cyber-crime that comes under ______.
a) section 65
b) section 66
c) section 68
d) section 70

cracking the digital identity of any individual or doing identity theft comes under ______ of the it act.
a) section 65
b) section 66
c) section 68
d) section 70

accessing wi-fi dishonestly is a cyber-crime.
a) true
b) false

downloading, copying or extracting data from an open system fraudulently is treated as ______.
a) cyber-warfare
b) cyber-security act
c) data-backup
d) cyber-crime

for any cyber-crime that comes under section 66 of the it act, the accused person gets fined around rs. ______.
a) 2 lacs
b) 3 lacs
c) 4 lacs
d) 5 lacs

how many years of imprisonment can an accused person face, if he/she comes under any cyber-
crime listed in section 66 of the indian it act, 2000?
a) 1 year
b) 2 years
c) 3 years
d) 4 years

any digital content that an individual creates and that is not acceptable to society is a cyber-crime that comes under ______ of the it act.
a) section 66
b) section 67
c) section 68
d) section 69

the it act 2008 made cyber-crime details more precise: it mentions that if anyone publishes sexually explicit digital content, then under ______ of the it act, 2008 he/she has to pay a legitimate amount as a fine.
a) section 67-a
b) section 67-b
c) section 67-c
d) section 67-d

if anyone publishes sexually explicit digital content, it will cost that person imprisonment of ______ years.
a) 2
b) 3
c) 4
d) 5

using spy cameras in malls and shops to capture private parts of any person comes under ______ of the it act, 2008.
a) section 66
b) section 67
c) section 68
d) section 69

using spy cameras in malls and shops to capture private parts of any person comes under section 67 of the it act, 2008 and is punished with a fine of rs. 5 lacs.
a) true
b) false

using spy cameras in malls and shops to capture private parts of any person comes under section 67 of the it act, 2008 and is punished with imprisonment of ______.
a) 2 years
b) 3 years
c) 4 years
d) 5 years

misuse of digital signatures for fraudulent purposes comes under ______ of the it act.
a) section 65
b) section 66
c) section 71
d) section 72

sending an offensive message to someone comes under ______ of the indian it act.
a) section 66-a, 2000
b) section 66-b, 2008
c) section 67, 2000
d) section 66-a, 2008

stealing of digital files comes under ______ of the indian it act.
a) section 66-a
b) section 66-b
c) section 66-c
d) section 66-d

section 79 of the indian it act declares that any 3rd party information or personal data leakage in corporate firms or organizations will be a punishable offense.
a) true
b) false

which of the following attacks is not used by lc4 to recover windows passwords?
a) brute-force attack
b) dictionary attack
c) mitm attack
d) hybrid attacks

______ is the world’s most popular vulnerability scanner used in companies for checking vulnerabilities in the network.
a) wireshark
b) nessus
c) snort
d) webinspect

______ is a tool which can detect registry issues in an operating system.
a) network stumbler
b) ettercap
c) maltego
d) languard network security scanner

network stumbler is a windows wi-fi monitoring tool.
a) true
b) false

toneloc is abbreviated as ______.
a) tone locking
b) tone locator
c) tone locker
d) tune locator

______ is a debugger and exploration tool.
a) netdog
b) netcat
c) tcpdump
d) backtrack

______ is a popular command-line packet analyser.
a) wireshark
b) snort
c) metasploit
d) tcpdump

______ is a platform that essentially keeps the log of data from networks, devices as well as applications in a single location.
a) eventlog analyser
b) nordvpn
c) wireshark
d) packetfilter analyzer

______ is competent to restore corrupted exchange server database files as well as recover unapproachable mails in mailboxes.
a) outlook
b) nessus
c) mailbox exchange recovery
d) mail exchange recovery toolkit

______ helps in protecting businesses against data breaches that may pose threats to the cloud.
a) centrify
b) mailbox exchange recovery
c) nessus
d) dashline

______ is a popular corporate security tool that is used to detect attacks on email with cloud-only services.
a) cain and abel
b) proofpoint
c) angry ip scanner
d) ettercap

______ helps in protecting corporate data, communications and other assets.
a) snort
b) ciphercloud
c) burp suite
d) wireshark

______ framework made the cracking of vulnerabilities as easy as point and click.
a) .net
b) metasploit
c) zeus
d) ettercap

nmap is abbreviated as network mapper.
a) true
b) false

______ is a popular tool used for discovering networks as well as in security auditing.
a) ettercap
b) metasploit
c) nmap
d) burp suite

which of these does nmap not check?
a) services different hosts are offering
b) on what os they are running
c) what kind of firewall is in use
d) what type of antivirus is in use

which of the following deals with network intrusion detection and real-time traffic analysis?
a) john the ripper
b) l0phtcrack
c) snort
d) nessus

wireshark is a ______ tool.
a) network protocol analysis
b) network connection security
c) connection analysis
d) defending malicious packet-filtering

which of the below-mentioned tools is used for wi-fi hacking?
a) wireshark
b) nessus
c) aircrack-ng
d) snort

aircrack-ng is used for ______.
a) firewall bypassing
b) wi-fi attacks
c) packet filtering
d) system password cracking

______ is a popular ip address and port scanner.
a) cain and abel
b) snort
c) angry ip scanner
d) ettercap

______ is a popular tool used for network analysis in a multiprotocol diverse network.
a) snort
b) superscan
c) burp suite
d) etterpeak

______ scans tcp ports and resolves different hostnames.
a) superscan
b) snort
c) ettercap
d) qualysguard

______ is a web application security assessment tool.
a) lc4
b) webinspect
c) ettercap
d) qualysguard

which of the following attack-based checks can webinspect not do?
a) cross-site scripting
b) directory traversal
c) parameter injection
d) injecting shell code

______ is a password recovery and auditing tool.
a) lc3
b) lc4
c) network stumbler
d) maltego

l0phtcrack was formerly known as lc3.
a) true
b) false

______ is a weakness that can be exploited by attackers.
a) system with virus
b) system without firewall
c) system with vulnerabilities
d) system with a strong password

______ is the sum of all the possible points in software or a system where unauthorized users can enter as well as extract data from the system.
a) attack vector
b) attack surface
c) attack point
d) attack arena

______ is the cyclic practice of identifying, classifying and then solving the vulnerabilities in a system.
a) bug protection
b) bug bounty
c) vulnerability measurement
d) vulnerability management

risk and vulnerability are the same thing.
a) true
b) false

______ is a special type of vulnerability that doesn’t possess risk.
a) vulnerabilities without risk
b) vulnerabilities without attacker
c) vulnerabilities without action
d) vulnerabilities no one knows

a/an ______ is a piece of software or a segment of a command that usually takes advantage of a bug to cause unintended actions and behaviours.
a) malware
b) trojan
c) worms
d) exploit

there are ______ types of exploit.
a) 3
b) 2
c) 5
d) 4

remote exploits are the type of exploits that act over a network to exploit a security vulnerability.
a) true
b) false

the ______ type of exploit requires access to a vulnerable system to enhance the attacker’s privileges to run the exploit.
a) local exploits
b) remote exploits
c) system exploits
d) network exploits

______ is a technique used by penetration testers to compromise a system within a network for targeting other systems.
a) exploiting
b) cracking
c) hacking
d) pivoting

a ______ is a software bug that attackers can take advantage of to gain unauthorized access to a system.
a) system error
b) bugged system
c) security bug
d) system virus

security bugs are also known as ______.
a) security defect
b) security problems
c) system defect
d) software error

______ is the timeframe from when the loophole in security was introduced until the time when the bug was fixed.
a) time-frame of vulnerability
b) window of vulnerability
c) time-lap of vulnerability
d) entry-door of vulnerability

isms is abbreviated as ______.
a) information server management system
b) information security management software
c) internet server management system
d) information security management system

a zero-day vulnerability is a type of vulnerability unknown to the creator or vendor of the system or software.
a) true
b) false

what is the ethics behind training how to hack a system?
a) to think like hackers and know how to defend against such attacks
b) to hack a system without permission
c) to hack a network that is vulnerable
d) to corrupt software or a service using malware

Performing shoulder surfing in order to check others’ passwords is ______ ethical practice.
a) a good
b) not so good
c) very good social engineering practice
d) a bad

______ has now evolved to be one of the most popular automated tools for unethical hacking.
a) Automated apps
b) Database software
c) Malware
d) Worms

Leaking your company data to the outside network without prior permission of senior authority is a crime.
a) True
b) False

______ is the technique used in business organizations and firms to protect IT assets.
a) Ethical hacking
b) Unethical hacking
c) Fixing bugs
d) Internal data-breach

the legal risks of ethical hacking include lawsuits due to ______ of personal data.
a) stealing
b) disclosure
c) deleting
d) hacking

before performing any penetration test, through legal procedure, which of the key points listed below is not mandatory?
a) know the nature of the organization
b) characteristics of work done in the firm
c) system and network
d) type of broadband company used by the firm

an ethical hacker must ensure that proprietary information of the firm does not get leaked.
a) true
b) false

after performing ______ the ethical hacker should never disclose client information to other parties.
a) hacking
b) cracking
c) penetration testing
d) exploiting

______ is the branch of cyber security that deals with morality and provides different theories and principles regarding the viewpoints about what is right and wrong.
a) social ethics
b) ethics in cyber-security
c) corporate ethics
d) ethics in black hat hacking

______ helps to classify arguments and situations, better understand a cyber-crime and helps to determine appropriate actions.
a) cyber-ethics
b) social ethics
c) cyber-bullying
d) corporate behaviour

a penetration tester must identify and keep in mind the ______ & ______ requirements of a firm while evaluating the security postures.
a) privacy and security
b) rules and regulations
c) hacking techniques
d) ethics to talk to seniors

a ______ tries to keep a web resource occupied or busy for its users by flooding the url of the victim with more requests than the server can handle.
a) phishing attack
b) dos attack
c) website attack
d) mitm attack

during a dos attack, the regular traffic on the target ______ will be either slowed down or entirely interrupted.
a) network
b) system
c) website
d) router

the intent of a ______ is to overwhelm the targeted server’s bandwidth and other resources of the target website.
a) phishing attack
b) dos attack
c) website attack
d) mitm attack

dos is abbreviated as ______.
a) denial of service
b) distribution of server
c) distribution of service
d) denial of server

a dos attack coming from a large number of ip addresses, making it hard to manually filter or crash the traffic from such sources, is known as a ______.
a) gos attack
b) pdos attack
c) dos attack
d) ddos attack

ddos stands for ______.
a) direct distribution of server
b) distributed denial of service
c) direct distribution of service
d) distributed denial of server

instead of using a single computer & its internet bandwidth, a ______ utilizes various systems & their connections for flooding the targeted website.
a) gos attack
b) pos attack
c) ddos attack
d) dos attack

there are ______ types of dos attack.
a) 2
b) 3
c) 4
d) 5

application layer dos attack is also known as ______.
a) layer4 dos attack
b) layer5 dos attack
c) layer6 dos attack
d) layer7 dos attack

______ is a type of dos threat that overloads a server by sending a large number of requests requiring resources for handling & processing.
a) network layer dos
b) physical layer dos
c) transport layer dos
d) application layer dos

which of the following is not a type of application layer dos?
a) http flooding
b) slowloris
c) tcp flooding
d) dns query flooding

network layer attack is also known as ______.
a) layer3-4 dos attack
b) layer5 dos attack
c) layer6-7 dos attack
d) layer2 dos attack

which of the following does not come under network layer dos flooding?
a) udp flooding
b) http flooding
c) syn flooding
d) ntp amplification

which of the following does not come under network layer dos flooding?
a) dns amplification
b) udp flooding
c) dns query flooding
d) ntp amplification

ddos are high traffic events that are measured in gigabits per second (gbps) or packets per second (pps).
a) true
b) false

a ddos with 20 to 40 gbps is enough for totally shutting down the majority of network infrastructures.
a) true
b) false

______ is an internet scam done by cyber-criminals where the user is convinced digitally to provide confidential information.
a) phishing attack
b) dos attack
c) website attack
d) mitm attack

in ______ some cyber-criminals redirect legitimate users to different phishing sites and web pages via emails, ims, ads and spyware.
a) url redirection
b) dos
c) phishing
d) mitm attack

phishers often develop ______ websites for tricking users into filling in their personal data.
a) legitimate
b) illegitimate
c) genuine
d) official

which of the following types of data can phishers not steal from their target victims?
a) bank details
b) phone number
c) passwords
d) apps installed in the mobile

algorithm-based phishing was developed in the year ______.
a) 1988
b) 1989
c) 1990
d) 1991

______ was the first type of phishing where the phishers developed an algorithm for generating random credit card numbers.
a) algo-based phishing
b) email-based phishing
c) domain phishing
d) vishing

email phishing came into origin in the year ______.
a) 1990
b) 2000
c) 2005
d) 2015

______ type of phishing became very popular as it appears to have been sent from a legitimate source with a legitimate link to its official website.
a) algo-based phishing
b) email-based phishing
c) domain phishing
d) vishing

______ refers to phishing performed over a smart-phone by calling.
a) algo-based phishing
b) email-based phishing
c) domain phishing
d) vishing

______ = voice + phishing.
a) algo-based phishing
b) vishing
c) domain phishing
d) email-based phishing

victims of phishing are mostly ______.
a) tech enthusiast
b) professional computer engineers
c) lack of computer knowledge
d) lack of management skill

______ is usually targeted by nature where the emails are exclusively designed to target an exact user.
a) algo-based phishing
b) vishing
c) domain phishing
d) spear phishing

______ or smishing is one of the simplest types of phishing where the target victims may get a fake order detail with a cancellation link.
a) algo-based phishing
b) sms phishing
c) domain phishing
d) spear phishing

______ phishing is that type of phishing where a fake webpage is constructed targeting definite keywords & waiting for the searcher to land on the fake webpage.
a) voice
b) sms
c) search engine
d) email

which of the following is not an example or type of phishing?
a) spear phishing
b) deceptive phishing
c) whaling
d) monkey in the middle

which of the following is not an example or type of phishing?
a) tracking
b) vishing
c) smishing
d) pharming

______ is a data interception method used by hackers.
a) phishing
b) dos
c) sniffing
d) mitm

sniffing is also known as ______.
a) network-tapping
b) wiretapping
c) net-tapping
d) wireless-tapping

______ are programs or devices that capture vital information from the target network or a particular network.
a) routers
b) trappers
c) wireless-crackers
d) sniffers

which of them is not an objective of sniffing for hackers?
a) fetching passwords
b) email texts
c) types of files transferred
d) geographic location of a user

which of the following tech-concepts cannot be sniffed?
a) router configuration
b) isp details
c) email traffic
d) web traffic

which of the following tech-concepts cannot be sniffed?
a) cloud sessions
b) ftp passwords
c) telnet passwords
d) chat sessions

which of the below-mentioned protocols is not susceptible to sniffing?
a) http
b) smtp
c) pop
d) tcp

which of the below-mentioned protocols is not susceptible to sniffing?
a) nntp
b) udp
c) ftp
d) imap

there are ______ types of sniffing.
a) 2
b) 3
c) 4
d) 5

active sniffing is difficult to detect.
a) true
b) false

which of the following is not a sniffing tool?
a) wireshark
b) dude sniffer
c) maltego
d) look@lan

a sniffer, on the whole, turns your system’s nic to promiscuous mode so that it can listen to all your data transmitted on its segment.
a) true
b) false

a ______, on the whole, turns your system’s nic to promiscuous mode so that it can listen to all your data transmitted on its segment.
a) phishing site
b) sniffer tool
c) password cracker
d) nic cracker

in ______ sniffing, the network traffic is not only monitored & locked but can also be altered in different ways to accomplish the attack.
a) passive
b) signal
c) network
d) active

______ are those devices which can be plugged into your network at the hardware level & can monitor traffic.
a) hardware sniffers & analyzers
b) hardware protocol analyzers
c) hardware protocol sniffers
d) hardware traffic sniffers and observers

question bank (i scheme)
name of subject: emerging trends in computer and information technology
unit test: i
subject code: 22618
courses: if/cm6i
semester: vi
multiple choice questions and answers
chapter 1- artificial intelligence

1. which of these schools was not among the early leaders in ai research?
A. dartmouth university
B. harvard university
C. massachusetts institute of technology
D. stanford university
E. none of the above
ans: b

2. darpa, the agency that has funded a great deal of american ai research, is part of the
department of:
A. defense
B. energy
C. education
D. justice
E. none of the above
ans: a

3. the conference that launched the ai revolution in 1956 was held at:
A. dartmouth
B. harvard
C. new york
D. stanford
E. none of the above
ans: a

4. what is the term used for describing the judgmental or commonsense part of problem
solving?
A. heuristic
B. critical
C. value based
D. analytical
E. none of the above
ans: a

5. which of the following is considered to be a pivotal event in the history of ai?
A. 1949, donald o, the organization of behavior.
B. 1950, computing machinery and intelligence.
C. 1956, dartmouth university conference organized by john mccarthy.
D. 1961, computer and computer sense.
E. none of the above
ans: c

6. a certain professor at the stanford university coined the word 'artificial intelligence' in
1956 at a conference held at dartmouth college. can you name the professor?
A. david levy
B. john mccarthy
C. joseph weizenbaum
D. hans berliner
E. none of the above
ans: b

7. the field that investigates the mechanics of human intelligence is:
A. history
B. cognitive science
C. psychology
D. sociology
E. none of the above
ans: b

8. a.m. turing developed a technique for determining whether a computer could or could not demonstrate artificial intelligence; presently, this technique is called
A. turing test
B. algorithm
C. boolean algebra
D. logarithm
E. none of the above
ans: a

9. the first ai programming language was called:
A. basic
B. fortran
C. ipl
D. lisp
E. none of the above
ans: c

10. what is artificial intelligence?
A. putting your intelligence into computer
B. programming with your own intelligence
C. making a machine intelligent
D. putting more memory into computer
ans: c

11. who is the father of ai?
A. alain colmerauer
B. john mccarthy
C. nicklaus wirth
D. seymour papert
ans: b

12. artificial intelligence has its expansion in the following applications.
A. planning and scheduling
B. game playing
C. robotics
D. all of the above
ans: d

13. the characteristic of a computer system capable of thinking, reasoning and learning is known as
A. machine intelligence
B. human intelligence
C. artificial intelligence
D. virtual intelligence
ans: c

14. the first ai programming language was called:
A. basic
B. fortran
C. ipl
D. lisp
ans: c

15. the first widely used commercial form of artificial intelligence (ai) is being used in many popular products like microwave ovens, automobiles and plug-in circuit boards for desktop pcs. what is the name of this ai?
A. boolean logic
B. human logic
C. fuzzy logic
D. functional logic
ans: c

16. what is the term used for describing the judgmental or commonsense part of problem
solving?
A. heuristic
B. critical
C. value based
D. analytical
ans: a

17. ______ is a branch of computer science which deals with helping machines find solutions to complex problems in a more human-like fashion.
A. artificial intelligence
B. internet of things
C. embedded system
D. cyber security
ans: a

18. in ______ the goal is for the software to use what it has learned in one area to solve problems in other areas.
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: b

19. computer programs that mimic the way the human brain processes information are called
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: c

20. a ______ is a rule of thumb, strategy, trick, simplification, or any other kind of device which drastically limits search for solutions in large problem spaces.
A. heuristic
B. critical
C. value based
D. analytical
ans: a

21. ______ do not guarantee optimal/any solutions.
A. heuristic
B. critical
C. value based
D. analytical
ans: a

22. cognitive science is related with
A. act like human
B. eliza
C. think like human
D. none of above
ans: c

23. ______ model should reflect how results were obtained.
A. design model
B. logic model
C. computational model
D. none of above
ans: c

24. communication between man and machine is related with
A. lisp
B. eliza
C. all of above
D. none of above
ans: b

25. eliza was created by
A. john mccarthy
B. steve russell
C. alain colmerauer
D. joseph weizenbaum
ans: d

26. the concepts derived from the ______ level are propositional logic, tautology, predicate calculus, model, temporal logic.
A. cognition level
B. logic level
C. functional level
D. all of above
ans: b

27. prolog is an ai programming language which solves problems with a form of symbolic logic known as ______.
A. propositional logic
B. tautology
C. predicate calculus
D. temporal logic
ans: c

28. the ______ level contains constituents at the third level which are knowledge based systems, heuristic search, automatic theorem proving, multi-agent systems.
A. cognition level
B. gross level
C. functional level
D. all of above
ans: b

29. prolog, lisp, nlp are the languages of ______.
A. artificial intelligence
B. machine learning
C. internet of things
D. deep learning
ans: a

30. ______ is used for ai because it supports the implementation of software that computes with symbols very well.
A. lisp
B. eliza
C. prolog
D. nlp
ans: a

31. symbols, symbolic expressions and computing with those are at the core of
A. lisp
B. eliza
C. prolog
D. nlp
ans: a

32. ______ deals with the interaction between computers and humans using natural language.
A. lisp
B. eliza
C. prolog
D. nlp
ans: d

33. the core components or constituents of ai are derived from
A. concept of logic
B. cognition
C. computation
D. all of above
ans: d

34. aristotle’s theory of syllogism and descartes’ and kant’s critique of pure reasoning provided knowledge on ______.
A. logic
B. computation logic
C. cognition logic
D. all of above
ans: a

35. charles babbage and boole demonstrated the power of
A. logic
B. computation logic
C. cognition logic
D. all of above
ans: b

36. in the 1960s, ______ pushed the logical formalism to integrate reasoning with knowledge.
A. marvin minsky
B. alain colmerauer
C. john mccarthy
D. none of above
ans: a

37. sensing organs as input, mechanical movement organs as output and the central nervous system (cns) in the brain as control and computing devices is known as the ______ of a human being.
A. information control paradigm
B. information processing paradigm
C. information processing control
D. none of above
ans: b

38. ______ models were developed and incorporated in machines which mimicked the functionalities of human origin.
A. functional model
B. neural model
C. computational model
D. none of above
ans: c

39. chomsky’s linguistic computational theory generated a model for syntactic analysis through
A. regular grammar
B. regular expression
C. regular word
D. none of these
ans: a

40. human to machine is ______ and machine to machine is ______.
A. process, process
B. process, program
C. program, hardware
D. program, program
ans: c

41. weak ai is also known as
A. narrow ai
B. general ai
C. neural ai
D. none of above
ans: a

42. ______ ai is able to perform a dedicated task.
A. narrow ai
B. general ai
C. neural ai
D. none of above
ans: a

43. narrow ai performs multiple tasks at a time.
A. true
B. false
ans: b

44. weak ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: c

45. strong ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: a

46. artificial intelligence is


A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: d

47. apple siri is a good example of ai.


A. narrow ai
B. general ai
C. neural ai
D. none of above
ans: a

48. ibm watson supercomputer comes under ai.


A. narrow ai
B. general ai
C. neural ai
D. none of above
ans: a

49. ai is a type of intelligence which could perform any intellectual task with efficiency
like human.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b

50. the idea behind ai is to make such a system which could be smarter and think like
a human on its own.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b

51. the worldwide researchers are now focusing on developing machines with ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b

52. playing chess, purchasing suggestions on e-commerce site, self-driving cars, speech
recognition, and image recognition are the example of .
A. narrow ai
B. general ai
C. super ai
D. None of above
ans: a

53. a machine that can perform any task better than a human, with cognitive properties, is known as
ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: c

54. the ability to think, puzzle, make judgments, plan, learn and communicate on its own is known as
ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: c

55. ai is a hypothetical concept of ai.


A. narrow ai
B. general ai
C. super ai
D. none of above
ans: c

56. which ai system does not store memories or past experiences for future actions?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a

57. which machines focus only on current scenarios and react to them with the best possible
action?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a

58. ibm’s deep blue system is an example of .


A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a

59. google alphago is an example of .


A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a

60. which can store past experiences or some data for a short period of time?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: b

61. a self-driving car is an example of .


A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: b [car stores recent speed of nearby cars, distance of others car, speed limit, other
information to navigate the road]

62. which ai should understand human emotions, people and beliefs and be able to interact
socially like humans?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: c

63. which machines will be smarter than the human mind?


A. reactive machine
B. limited memory
C. theory of mind
D. self-awareness
ans: d

64. machines will have their own consciousness and sentiments


A. reactive machine
B. theory of mind
C. self-awareness
D. both b & c
ans: c

65. which is not a commonly used programming language for ai?
A. prolog
B. lisp
C. perl
D. java script
ans: c

66. what is machine learning?


A. the autonomous acquisition of knowledge through the use of computer programs
B. the autonomous acquisition of knowledge through the use of manual programs
C. the selective acquisition of knowledge through the use of computer programs
D. the selective acquisition of knowledge through the use of manual programs
ans: a

67. is a branch of science that deals with programming systems in such a way
that they automatically learn and improve with experience
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: a

68. classifying email as spam, labeling webpages based on their content and voice recognition are
examples of .
A. supervised learning
B. unsupervised learning
C. machine learning
D. deep learning
ans: a

69. k-means, self-organizing maps and hierarchical clustering are examples of .


A. supervised learning
B. unsupervised learning
C. machine learning
D. deep learning
ans: b

70. deep learning is a subfield of machine learning whose algorithms are inspired by
the structure and function of the brain, called .
A. machine learning
B. artificial neural networks
C. deep learning
D. robotics
ans: b

71. machine learning was invented by .


A. john mccarthy
B. nicklaus wirth
C. joseph weizenbaum
D. arthur samuel
ans: d

chapter-2 internet of things

1. embedded systems are


A. general purpose
B. special purpose
ans: b

2. embedded system is
A. an electronic system
B. a pure mechanical system
C. an electro-mechanical system
D. (a) or (c)
ans: d

3. which of the following is not true about embedded systems?
A. built around specialized hardware
B. always contain an operating system
C. execution behavior may be deterministic
D. all of these
E. none of these
ans: e

4. which of the following is not an example of a “small-scale embedded system”?


A. electronic barbie doll
B. simple calculator
C. cell phone
D. electronic toy car
ans: c

5. the first recognized modern embedded system is


A. apple computer
B. apollo guidance computer (agc)
C. calculator
D. radio navigation system
ans: b

6. the first mass-produced embedded system is


A. minuteman-i
B. minuteman-ii
C. autonetics d-17
D. apollo guidance computer (agc)
ans: c

7. which of the following is an (are) an intended purpose(s) of embedded systems?


A. data collection
B. data processing
C. data communication
D. all of these
E. none of these
ans: d

8. which of the following is (are) example(s) of embedded system for data communication?
usb mass storage device
A. network router
B. digital camera
C. music player
D. all of these
E. none of these
ans: b
9. what are the essential tight constraints related to the design metrics of an embedded system?
A. ability to fit on a single chip
B. low power consumption
C. fast data processing for real-time operations
D. all of the above
ans: d

10. a digital multimeter is an example of an embedded system for
A. data communication
B. monitoring
C. control
D. all of these
E. none of these
ans: b

11. which of the following is an (are) example(s) of an embedded system for signal processing?
A. apple ipod (media player device)
B. sandisk usb mass storage device
C. both (a) and (b)
D. none of these
ans: d

12. the instruction set of risc processor is


A. simple and lesser in number
B. complex and lesser in number
C. simple and larger in number
D. complex and larger in number
ans: a

13. which of the following is true about cisc processors?


A. the instruction set is non-orthogonal
B. the number of general purpose registers is limited
C. instructions are like macros in c language
D. variable length instructions
E. all of these
F. none of these
ans: e

14. the main processor chip in computers is


A. asic
B. assp
C. cpu
D. cpld
ans: c

15. processors used in many microcontroller products need to be


A. high power
B. low power
C. low interrupt response
D. low code density
ans: b

16. in microcontrollers, uart is acronym of


A. universal applied receiver/transmitter
B. universal asynchronous rectified transmitter
C. universal asynchronous receiver/transmitter
D. united asynchronous receiver/transmitter
ans: c

17. which architecture is followed by general purpose microprocessors?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: b

18. which architecture involves both the volatile and the non-volatile memory?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a

19. which architecture provides separate buses for program and data memory?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a

20. harvard architecture allows:


A. separate program and data memory
B. pipelining
C. complex architecture
D. all of the mentioned
ans: d

21. which of the following processor architectures supports easier instruction pipelining?
A. harvard
B. von neumann
C. both of them
D. none of these
ans: a

22. which of the following is an example of a wireless communication interface?


A. rs-232c
B. wi-fi
C. bluetooth
D. ieee 1394
E. both (b) and (c)
ans: e

23. arm stands for


A. advanced risc machine
B. advanced risc methodology
C. advanced reduced machine
D. advanced reduced methodology
ans: a
24. what is the processor used by arm7?
A. 8-bit cisc
B. 8-bit risc
C. 32-bit cisc
D. 32-bit risc
ans: d

25. the main importance of arm microprocessors is providing operation with


A. low cost and low power consumption
B. higher degree of multi-tasking
C. lower error or glitches
D. efficient memory management
ans: a

26. arm processors were basically designed for


A. main frame systems
B. distributed systems
C. mobile systems
D. super computers
ans: c

27. an asic chip is


A. simple in design.
B. manufacturing time is less.
C. it is faster.
D. both a&c.
ans: c

28. asic stands for


A. application-system integrated circuits
B. application-specific integrated circuits
C. application-system internal circuits
D. application-specific internal circuits
ans: b

29. in microcontrollers, i2c stands for


A. inter-integrated clock
B. initial-integrated clock
C. intel-integrated circuit
D. inter-integrated circuit
ans: d

30. is the smallest microcontroller which can be programmed to perform a
large range of tasks.
A. pic microcontrollers
B. arm microcontrollers
C. avr microcontrollers
D. asic microcontrollers
ans: - a
31. was developed in the year 1996 by atmel corporation
A. pic
B. avr
C. arm
D. asic
ans: - b

32. avr stands for .


A. advanced virtual risc.
B. alf-egil bogen and vegard wollan risc
C. both a & b
D. none of the above
ans: - c

33. the avr microcontroller executes most instructions in .


A. single execution cycle.
B. double execution cycle.
C. both a& b
D. none of the above.
ans: - a

34. the term "the internet of things" was coined by


A. edward l. schneider
B. kevin ashton
C. john h.
D. charles anthony
ans: b

35. the huge number of devices connected to the internet of things have to communicate
automatically, not via humans. what is this called?
A. bot to bot(b2b)
B. machine to machine(m2m)
C. intercloud
D. skynet
ans: b

36. what does “things” in iot refer to?


A. general device
B. information
C. iot devices
D. object
ans: c

37. the interconnection of internet and computing devices embedded in everyday objects, enabling
them to send and receive data, is called
A. internet of things
B. network interconnection
C. object determination
D. none of these
ans: a
38. is a computing concept that describes the idea of everyday physical objects
being connected to the internet.
A. iot (internet of things)
B. mqtt
C. coap
D. spi
ans: -a

39. devices may support a number of interoperable communication protocols and
communicate with other devices and also with infrastructure.
A. artificial intelligence
B. machine learning
C. internet of things
D. none of above
ans: c

40. which one is not an element of iot?


A. process
B. people
C. security
D. things
ans:c

41. iiot stands for


A. information internet of things
B. industrial internet of things
C. innovative internet of things
D. none of above
ans:b

42. what is the name of the iot device which was first recognized?


A. smart watch
B. atm
C. radio
D. video game
ans: b

43. is used by iot


A. radio information technology
B. satellite
C. cable
D. broadband
ans:a

44. consists of communication protocols for electronic devices, typically a mobile device
and a standard device.
A. rfid
B. mqtt
C. nfc
D. none of above
ans:c
45. refers to establishing a proper connection between all the things of iot.
A. connectivity
B. analyzing
C. sensing
D. active engagement
ans: - a

46. iot devices have unique identities and can perform .
A. remote sensing
B. actuating
C. monitoring capabilities
D. all of the above
ans: - d

47. the sensed data is communicated to .


A. cloud-based servers/storage.
B. i/o interfaces.
C. internet connectivity.
D. none of the above
ans: - a

48. iot devices are of various types, for instance .


A. wearable sensors.
B. smart watches.
C. led lights.
D. all of the above
ans: - d

49. is a collection of wired ethernet standards for the link layer.


A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans: - a

50. is a collection of wlan communication standards.


A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans:b

51. is a collection of wireless broadband standards (wimax).


A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans:c
52. is a collection of standards for lr-wpans.
A. ieee 802.3
B. ieee 802.11
C. ieee 802.16
D. ieee 802.15.4
ans:d

53. lr-wpans standards form the basis of specifications for high-level communication protocols
such as .
A. zigbee
B. allsean
C. tyrell
D. microsoft's azure
ans:a

54. includes gsm and cdma.


A. 2g
B. 3g
C. 4g
D. none of above
ans:a

55. includes umts and cdma2000.


A. 2g
B. 3g
C. 4g
D. none of above
ans:b

56. includes lte.
A. 2g
B. 3g
C. 4g
D. none of above
ans:c

57. layer protocols determine how the data is physically sent over the network’s
physical layer or medium.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: - d
58. layer is responsible for sending ip datagrams from the source network to the
destination network.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: c

59. layer performs host addressing and packet routing.
A. application layer
B. transport layer
C. network layer
D. link layer
ans:c

60. protocols provide end-to-end message transfer capability independent of the
underlying network.
A. network layer
B. transport layer
C. application layer
D. link layer
ans: - b

61. the protocols define how the applications interface with the lower layer protocol to send
the data over the network.
A. application layer
B. transport layer
C. network layer
D. link layer
ans:a

62. 6lowpan stands for


A. 6 low personal area network
B. ipv6 low personal area network
C. ipv6 over low power wireless personal area network
D. none of above
ans:c

63. 802.3 is the standard for 10base5 ethernet that uses cable as shared medium.
A. twisted pair cable
B. coaxial cable
C. fiber optic cable
D. none of the above
ans: - b

64. ieee 802.11 standards provide data rates of


A. 10 gbit/s.
B. 1 gbit/s
C. 1 mb/s to up to 6.75 gb/s
D. 250 kb/s
ans: - c

65. which of the following is a protocol related to iot?


A. zigbee
B. 6lowpan
C. coap
D. all of the above
ans: c

66. is useful for time-sensitive applications that have very small data units to
exchange and do not want the overhead of connection setup.
A. tcp
B. udp
C. transport layer
D. none of the above.
ans: - b

67. protocol uses universal resource identifiers (uris) to identify http
resources.
A. http
B. coap
C. websocket
D. mqtt
ans: a

68. the 10/100 mbit ethernet support enables the board to connect to a


A. lan
B. man
C. wan
D. wlan
ans: a

69. which one out of these is not a data link layer technology?
A. bluetooth
B. uart
C. wi-fi
D. http
ans: d

70. what is the size of an ipv6 address?


A. 32 bits
B. 64 bits
C. 128 bits
D. 256 bits
ans: c

71. mqtt stands for


A. mq telemetry things
B. mq transport telemetry
C. mq transport things
D. mq telemetry transport
ans: d

72. mqtt is better than http for sending and receiving data.
A. true
B. false
ans: a
73. mqtt is a protocol.
A. machine to machine
B. internet of things
C. machine to machine and internet of things
D. machine things
ans: c

74. which protocol is lightweight?


A. mqtt
B. http
C. coap
D. spi
ans: a

75. mqtt is:
A. based on client-server architecture
B. based on publish-subscribe architecture
C. based on both of the above
D. based on none of the above
ans: b

76. xmpp is used for streaming which type of elements?


A. xpl
B. xml
C. xhl
D. mpl
ans: b

77. xmpp creates identity.


A. device
B. email
C. message
D. data
ans: a

78. xmpp uses architecture.


A. decentralized client-server
B. centralized client-server
C. message
D. public/subscriber
ans: a
79. what does http do?
A. enables network resources and reduces perception of latency
B. reduces perception of latency and allows multiple concurrency exchange
C. allows multiple concurrent exchange and enables network resources
D. enables network resources and reduces perception of latency and allows multiple concurrent
exchange.
ans: d

80. http expands to
A. hyper text transfer protocol
B. hyper terminal transfer protocol
C. hyper text terminal protocol
D. hyper terminal text protocol
ans: a

81. coap is specialized in


A. internet applications
B. device applications
C. wireless applications
D. wired applications
ans: a

82. which protocol is used to link all the devices in the iot?
A. tcp/ip
B. network
C. udp
D. http
ans: a

83. data in network layer is transferred in the form of


A. layers
B. packets
C. bytes
D. bits
ans:b

84. which of these services is provided by the application layer?


A. web chat
B. error control
C. connection services
D. congestion control
ans: a

85. tcp and udp are called


A. application protocols
B. session protocols
C. transport protocols
D. network protocols
ans: c

86. a security-based connection is provided by which layer?


A. application layer
B. transport layer
C. session layer
D. network layer
ans: d

87. using which of the following in the transport layer can data integrity be assured?
A. checksum
B. repetition codes
C. cyclic redundancy checks
D. error correction codes
ans: a

88. the transport layer receives data in the form of


A. packets
B. byte streams
C. bits stream
D. both packet and byte stream
ans: b

89. the network layer is considered as the ?


A. backbone
B. packets
C. bytes
D. bits
ans: a

90. the network layer consists of which hardware devices?


A. router
B. bridges
C. switches
D. all of the above
ans: d

91. network layer protocol exists in ?


A. host
B. switches
C. packets
D. bridges
ans: a

92. which protocol has quality of service?


A. xmpp
B. http
C. coap
D. mqtt
ans: a

93. is a data-centric middleware standard for device-to-device and machine-to-machine
communication.
A. data distribution service (dds)
B. advanced message queuing protocol (amqp)
C. extensible messaging and presence protocol (xmpp)
D. message queue telemetry transport (mqtt)
ans:a
94. is a bi-directional, full-duplex communication model that uses a persistent connection
between client and server.
A. request-response
B. publish-subscriber
C. push-pull
D. exclusive pair
ans:d

95. is a stateful communication model where the server is aware of all open connections.
A. request-response
B. publish-subscriber
C. push-pull
D. exclusive pair
ans:d

96. which is not an iot communication model?


A. request-response
B. publish-subscribe
C. push-producer
D. exclusive pair
ans: c

97. in node mcu, mcu stands for .


A. micro control unit
B. micro controller unit
C. macro control unit
D. macro controller unit
ans: b

98. rest is acronym for


A. representational state transfer
B. represent state transfer
C. representational state transmit
D. representational store transfer
ans: a

99. wsn stands for


A. wide sensor network
B. wireless sensor network
C. wired sensor network
D. none of these
ans: b

100. benefits of cloud computing services


A. fast
B. anywhere access
C. higher utilization
D. all of the above
ans: d
101. paas stands for _
A. platform as a service
B. platform as a survey
C. people as a service
D. platform as a survey
ans: a

102. as a service is a cloud computing infrastructure that creates a development
environment upon which applications may be built.
A. infrastructure
B. service
C. platform
D. all of the mentioned
ans:c

103. is a cloud computing service model in which hardware is virtualized in the
cloud.
A. iaas
B. caas
C. paas
D. none of the mentioned
ans:a

104. which of the following is the fundamental unit of virtualized client in an iaas deployment?
A. workunit
B. workspace
C. workload
D. all of the mentioned
ans:c

105. offering provides the tools and development environment to deploy applications on
another vendor’s application.
A. paas
B. iaas
C. caas
D. all of the mentioned
ans.b

106. is the most refined and restrictive service model.


A. iaas
B. caas
C. paas
D. all of the mentioned
ans.c

107. is suitable for iot applications that have low latency or high throughput requirements.
A. rest
B. publish-subscriber
C. push-pull
D. websocket
ans:d
108. is one of the most popular wireless technologies used by wsns.
A. zigbee
B. allsean
C. tyrell
D. z-wave
ans:a

109. zigbee specifications are based on .
A. 802.3
B. 802.11
C. 802.16
D. 802.15.4
ans:d

110. is a transformative computing paradigm that involves delivering applications and
services over the internet.
A. wsn
B. cloud computing
C. big data
D. none of above
ans:b

111. the process of collecting, organizing and collecting large sets of data is called
A. wsn
B. cloud computing
C. big data
D. none of above
ans:c

112. does raspberry pi need external hardware?


A. true
B. false
ans.b

113. does rpi have an internal memory?


A. true
B. false
ans.a

114. what do we use to connect a tv to the rpi?


A. male hdmi
B. female hdmi
C. male hdmi and adapter
D. female hdmi and adapter
ans.c

115. how is power supplied to the rpi?


A. usb connection
B. internal battery
C. charger
D. adapter
ans.a

116. what is the ethernet/lan cable used in rpi?


A. cat5
B. cat5e
C. cat6
D. rj45
ans.d

117. which instruction set architecture is used in raspberry pi?


A. x86
B. msp
C. avr
D. arm
ans: d

118. is a micro sd card present in all modules?


A. true
B. false
ans: a

119. which characteristic involves the facility of the thing to respond in an intelligent way to a
particular situation?
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: a

120. empowers iot by bringing together everyday objects.


A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: b

121. the collection of data is achieved with changes.


A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: c
122. the number of devices that need to be managed and that communicate with each other will
be much larger.
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: d
123. in iot, as one of the key characteristics, devices have different hardware
platforms and networks.
A. sensors
B. heterogeneity
C. security
D. connectivity
ans: b

124. devices that transform electrical signals into physical movements


A. sensors
B. actuators
C. switches
D. display
ans: b

125. stepper motors are_


A. ac motors
B. dc motors
C. electromagnets
D. none of above
ans: b

126. dc motors convert electrical energy into energy.


A. mechanical
B. wind
C. electric
D. none
ans: a

127. linear actuators are used in


A. machine tools
B. industrial machinery
C. both a and b
D. none
ans: a

128. solenoid is a specially designed


A. actuator
B. machine
C. electromagnet
D. none of above
ans: c

129. stepper motors are_


A. ac motors
B. dc motors
C. electromagnets
D. none of above
ans: b
130. accelerometer sensors are used in
A. smartphones
B. aircrafts
C. both
D. none of above
ans: c

131. image sensors are found in


A. cameras
B. night-vision equipment
C. sonars
D. all of above
ans: d

132. gas sensors are used to detect gases.


A. toxic
B. natural
C. oxygen
D. hydrogen
ans: a

133. properties of arduino are:


A. inexpensive
B. independent
C. simple
D. both a and c
ans: d

134. properties of iot devices.


A. sense
B. send and receive data
C. both a and b
D. none of above
ans: c

135. iot devices are _


A. standard
B. non-standard
C. both
D. none
ans: b

136. what is the microcontroller used in arduino uno?


A. atmega328p
B. atmega2560
C. atmega32114
D. at91sam3x8e
ans: a
137. is an open-source electronics platform based on easy-to-use hardware and software.
A. arduino
B. uno
C. raspberry pi
D. node
ans:a

138. is used for latching, locking and triggering.


A. solenoid
B. relay
C. linear actuator
D. servo motors
ans:a

139. detects the presence or absence of a nearby object without any physical contact.
A. smoke sensor
B. pressure sensor
C. ir sensor
D. proximity sensor
ans:d

140. sensors include thermocouples, thermistors, resistance temperature detectors (rtds) and
integrated circuits (ics).
A. smoke sensor
B. temperature sensor
C. ir sensor
D. proximity sensor
ans:b

141. the measurement of humidity is


A. rh
B. ph
C. ic
D. none of above
ans:a

142. sensor is used for automatic door controls, automatic parking systems, automated sinks,
automated toilet flushers and hand dryers.
A. smoke sensor
B. temperature sensor
C. ir sensor
D. motion sensor
ans:d

143. sensors measure heat emitted by objects.


A. smoke sensor
B. temperature sensor
C. ir sensor
D. proximity sensor
ans:c
chapter-3 basics of digital forensics

1. digital forensics is all of these except:


A. extraction of computer data.
B. preservation of computer data.
C. interpretation of computer data.
D. manipulation of computer data.
ans:d

2. idip stands for


A. integrated digital investigation process.
B. integrated data investigator process.
C. integrated digital investigator process.
D. independent digital investigator process.
ans: a

3. who proposed the road map for digital forensic research (rmdfr)?


A. g.gunsh.
B. s.ciardhuain
C. j.korn.
D. g.palmar
ans: d

4. an investigator should satisfy the following points:


A. contribute to society and human being.
B. avoid harm to others.
C. honest and trustworthy.
D. all of the above
ans: d

5. in the past, the method for expressing an opinion has been to frame a question based on
available factual evidence.
A. hypothetical
B. nested
C. challenging
D. contradictory
ans: a

6. more subtle because you are not aware that you are running these macros (the document opens
and the application automatically runs); spread via email
A. the purpose of copyright
B. danger of macro viruses
C. derivative works
D. computer-specific crime
ans: b
7. there are three c's in computer forensics. which is one of the three?
A. control
B. chance
C. chains
D. core
ans: a
8. when was the federal bureau of investigation program created?
A. 1979
B. 1984
C. 1995
D. 1989
ans: b

9. when did the field of pc forensics begin?
A. 1960's
B. 1970's
C. 1980's
D. 1990's
ans: c

10. what is digital forensics?


A. process of using scientific knowledge in analysis and presentation of evidence in court
B. the application of computer science and investigative procedures for a legal purpose
involving the analysis of digital evidence after proper search authority, chain of custody,
validation with mathematics, use of validated tools, repeatability, reporting, and possible
expert presentation
C. process where we develop and test hypotheses that answer questions about digital events
D. use of science or technology in the investigation and establishment of the facts or
evidence in a court of law
ans: b

11. digital forensics entails .


A. accessing the system's directories viewing mode and navigating through the various systems
files and folders
B. undeleting and recovering lost files
C. identifying and solving computer crimes
D. the identification, preservation, recovery, restoration and presentation of digital evidence
from systems and devices
ans: d

12. which of the following is false?


A. the digital forensic investigator must maintain absolute objectivity
B. it is the investigator’s job to determine someone’s guilt or innocence.
C. it is the investigator’s responsibility to accurately report the relevant facts of a case.
D. the investigator must maintain strict confidentiality, discussing the results of an investigation
on only a “need to know”
ans: b

13. what is the most significant legal issue in computer forensics?


A. preserving evidence
B. seizing evidence
C. admissibility of evidence
D. discovery of evidence
ans: c
14. phase includes putting the pieces of a digital puzzle together and developing
investigative hypotheses
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
ans: d

15. in phase the investigator transfers the relevant data from a venue out of physical or
administrative control of the investigator to a controlled location
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
ans:b

16. in phase the investigator transfers the relevant data from a venue out of physical or
administrative control of the investigator to a controlled location
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
ans:b

17. computer forensics does not involve activity.


A. preservation of computer data.
B. extraction of computer data.
C. manipulation of computer data.
D. interpretation of computer data.
ans: c

18. a set of instructions compiled into a program that performs a particular task is known as:
A. hardware.
B. cpu
C. motherboard
D. software
ans: d

19. which of the following is not a rule of digital forensics?


A. an examination should be performed on the original data
B. a copy is made onto forensically sterile media. new media should always be used if
available.
C. the copy of the evidence must be an exact, bit-by-bit copy
D. the examination must be conducted in such a way as to prevent any modification of the
evidence.
ans: a
20. to collect and analyze the digital evidence that was obtained from the physical investigation
phase, is the goal of which phase?
A. physical crime investigation
B. digital crime investigation.
C. review phase.
D. deployment phase.
ans: b

21. to provide a mechanism for an incident to be detected and confirmed is the purpose of which
phase?
A. physical crime investigation
B. digital crime investigation.
C. review phase.
D. deployment phase.
ans: d

22. which phase entails a review of the whole investigation and identifies areas of improvement?
A. physical crime investigation
B. digital crime investigation.
C. review phase.
D. deployment phase
ans: c

23. is known as the father of computer forensics.


A. g. palmar
B. j. korn
C. michael anderson
D. s.ciardhuain.
ans: c

24. is a well-established science where various contributions have been made
A. forensic
B. crime
C. cyber crime
D. evidence
ans: a

25. who proposed the end-to-end digital investigation process (eedip)?


A. g. palmar
B. stephenson
C. michael anderson
D. s.ciardhuain
ans: b

26. which model of investigation was proposed by carrier and spafford?


A. extended model of cybercrime investigation (emci)
B. integrated digital investigation process(idip)
C. road map for digital forensic research (rmdfr)
D. abstract digital forensic model (adfm)
ans: b
27. which of the following is not a property of computer evidence?
A. authentic and accurate.
B. complete and convincing.
C. duplicated and preserved.
D. conform and human readable.
ans. d

28. can make or break an investigation.
A. crime
B. security
C. digital forensic
D. evidence
ans: d

29. is software that blocks unauthorized users from connecting to your computer.
A. firewall
B. quick launch
C. onelogin
D. centrify
ans: a

30. which of the following are general ethical norms for an investigator?


A. to contribute to society and human being.
B. to avoid harm to others.
C. to be honest and trustworthy.
D. all of above
E. none of above
ans: d

31. which of the following are unethical norms for an investigator?


A. uphold any relevant evidence.
B. declare any confidential matters or knowledge.
C. distort or falsify education, training, credentials.
D. all of above
E. none of above
ans: d

32. which of the following is not a general ethical norm for an investigator?


A. to contribute to society and human being.
B. uphold any relevant evidence.
C. to be honest and trustworthy.
D. to honor confidentially.
ans: b

33. which of the following is not an unethical norm for a digital forensics investigation?
A. withhold any relevant evidence.
B. declare any confidential matters or knowledge.
C. distort or falsify education, training, credentials.
D. to respect the privacy of others.
ans: d
34. what is the process of creating a duplicate of digital media for the purpose of examining it called?
A. acquisition.
B. steganography.
C. live analysis
D. hashing.
ans: a

35. which term refers to modifying a computer in a way that was not originally intended in order to view information?
A. metadata
B. live analysis
C. hacking
D. bit copy
ans: c

36. the ability to recover and read deleted or damaged files from a criminal’s computer is an
example of a law enforcement specialty called?
A. robotics
B. simulation
C. computer forensics
D. animation
ans: c

37. which part of a mobile device is important in digital forensics?
A. sim
B. ram
C. rom
D. emmc chip
ans: d

38. using which technique can data hiding in encrypted images be carried out in digital forensics?
A. acquisition.
B. steganography.
C. live analysis
D. hashing.
ans: b

39. which of these is not a computer crime?
A. e-mail harassment
B. falsification of data.
C. sabotage.
D. identification of data
ans. d

40. which file is used to store user-entered passwords?
A. .exe
B. .txt
C. .iso
D. .sam
ans: d
41. ___ is the process of recording as much data as possible to create reports and analysis on user input.
A. data mining
B. data carving
C. meta data
D. data spoofing.
ans: a

42. ___ searches through raw data on a hard drive without using a file system.
A. data mining
B. data carving
C. meta data
D. data spoofing.
ans: b
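Worked example for questions 34 (acquisition) and 42 (data carving): once a bit-for-bit image has been acquired, a carver walks the raw bytes looking for file signatures instead of trusting the file system, so files that were removed from the directory but are still present on disk come back. This python code is an added illustration, not part of the original question bank; the raw "disk", the tiny jpeg/png stand-ins and the signature table are constructed for the example and cover only those two file types.

```python
# File carving over raw bytes: no file system, only header/footer signatures.

# Signature table (assumption: only the two types needed for the demo).
# JPEG starts FF D8 FF and ends FF D9; PNG starts with an 8-byte magic and
# ends with the IEND chunk marker.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed sample files (not real images, just the signatures with filler).
JPEG_FILE = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + b"\x7f" * 40 + b"\xff\xd9"
PNG_FILE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x11" * 40 + b"IEND\xaeB`\x82"

# Constructed raw disk image: unallocated space, the two "deleted" files,
# and a JPEG header whose body was overwritten (no footer follows it).
RAW_DISK = (
    b"\x00" * 512
    + b"free space after rm\x00"
    + JPEG_FILE
    + b"\xaa" * 300
    + PNG_FILE
    + b"\x00" * 200
    + b"\xff\xd8\xff" + b"\x00" * 20
)


def carve(raw, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return every header..footer span found in `raw`, sorted by offset.

    Each hit is a dict with type, offset, size and the carved bytes. A header
    with no footer after it (truncated or overwritten file) is skipped rather
    than swallowing the rest of the disk; max_size bounds a footer search that
    would otherwise run to the end of the image.
    """
    found = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while True:
            start = raw.find(head, pos)
            if start < 0:
                break
            end = raw.find(tail, start + len(head))
            if end < 0 or end - start > max_size:
                pos = start + 1          # orphan header: move on
                continue
            end += len(tail)
            found.append({"type": kind, "offset": start,
                          "size": end - start, "data": raw[start:end]})
            pos = end                    # resume after this file
    found.sort(key=lambda f: f["offset"])
    return found


if __name__ == "__main__":
    for f in carve(RAW_DISK):
        print(f"{f['type']:5} offset={f['offset']:6d} size={f['size']}")
```

Real carvers (foremost, scalpel, photorec) add structure checks and handle fragmented files; a bare header/footer match produces false positives when a signature happens to occur inside another file, so carved output is a lead to validate, not evidence in itself.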

43. what is the first step in retrieving data from an encrypted hard drive?
A. formatting disk
B. storing data
C. finding configuration files.
D. deleting files.
ans: c
bharati vidyapeeth institute of technology - question bank

unit test-ii (shift:- i & ii)

program: computer engineering group        program code: cm/if
course title: emerging trends in computer technology        semester: sixth
course abbr & code: eti (22618)        scheme: i

--------------------------------------------------------------------------------------------------

multiple choice questions and answers

chapter 4- digital evidence (co4)

1. a valid definition of digital evidence is:
A. data stored or transmitted using a computer
B. information of probative value
C. digital data of probative value
D. any digital evidence on a computer
ans: c

2. what are the three general categories of computer systems that can contain digital
evidence?
A. desktop, laptop, server
B. personal computer, internet, mobile telephone
C. hardware, software, networks
D. open computer systems, communication systems, and embedded systems
ans: d

3. in terms of digital evidence, a hard drive is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: a

4. in terms of digital evidence, a mobile telephone is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: c
5. in terms of digital evidence, a smart card is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: c

6. in terms of digital evidence, the internet is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: b

7. computers can be involved in which of the following types of crime?
A. homicide and sexual assault
B. computer intrusions and intellectual property theft
C. civil disputes
D. all the above
ans: d

8. a logon record tells us that, at a specific time:
A. an unknown person logged into the system using the account
B. the owner of a specific account logged into the system
C. the account was used to log into the system
D. none of the above
ans: c

9. cyber trails are advantageous because:
A. they are not connected to the physical world.
B. nobody can be harmed by crime on the internet.
C. they are easy to follow.
D. offenders who are unaware of them leave behind more clues than they otherwise
would have.
ans: d

10. private networks can be a richer source of evidence than the internet because:
A. they retain data for longer periods of time.
B. owners of private networks are more cooperative with law enforcement.
C. private networks contain a higher concentration of digital evidence.
D. all the above.
ans: c
11. due to caseload and budget constraints, often computer security professionals attempt to
limit the damage and close each investigation as quickly as possible. which of the following is
not a significant drawback to this approach?
A. each unreported incident robs attorneys and law enforcement personnel of an opportunity
to learn about the basics of computer-related crime.
B. responsibility for incident resolution frequently does not reside with the security
professional, but with management.
C. this approach results in under-reporting of criminal activity, deflating statistics that are
used to allocate corporate and government spending on combating computer-related
crime.
D. computer security professionals develop loose evidence processing habits that can make
it more difficult for law enforcement personnel and attorneys to prosecute an offender.
E. none of the above
ans: b

12. the criminological principle which states that, when anyone, or anything, enters a crime
scene he/she takes something of the scene with him/her, and leaves something of himself/herself
behind, is:
A. locard’s exchange principle
B. differential association theory
C. beccaria’s social contract
D. none of the above
ans: a

13. the author of a series of threatening e-mails consistently uses “im” instead of “i’m.” this is an example of:
A. an individual characteristic
B. an incidental characteristic
C. a class characteristic
D. an indeterminate characteristic
ans: a

14. personal computers and networks are often a valuable source of evidence. those involved with ___ should be comfortable with this technology.
A. criminal investigation
B. prosecution
C. defense work
D. all of the above
ans: d

15. an argument for including computer forensic training for computer security specialists is:
A. it provides an additional credential.
B. it provides them with the tools to conduct their own investigations.
C. it teaches them when it is time to call in law enforcement.
D. none of the above.
ans: c
16. digital evidence is used to establish a credible link between
A. attacker and victim and the crime scene
B. attacker and the crime scene
C. victim and the crime scene
D. attacker and information
ans: a

17. digital evidence must follow the requirements of the
A. ideal evidence rule
B. best evidence rule
C. exchange rule
D. all the mentioned
ans: b

18. from the two given statements 1 and 2, select the correct option from a-d.
1. original media can be used to carry out the digital investigation process.
2. by default, every part of the victim’s computer is considered unreliable.
A. 1 and 2 are both true
B. 1 is true and 2 is false
C. 1 and 2 are both false
D. 1 is false and 2 is true
ans: d

19. evidence or proof that can be obtained from an electronic source is called
A. digital evidence
B. demonstrative evidence
C. explainable evidence
D. substantial evidence
ans: a

20. which of the following is not a type of volatile evidence?
A. routing tables
B. main memory
C. log files
D. cached data
ans: c

21. evidence that is usable in court is called
A. admissible
B. authentic
C. complete
D. reliable
ans: a
22. photographs, videos, sound recordings, x-rays, maps, drawings, graphs and charts are a type of
A. illustrative evidence
B. electronic evidence
C. documented evidence
D. explainable evidence
ans: a

23. email and hard drives are examples of
A. illustrative evidence
B. electronic evidence
C. documented evidence
D. explainable evidence
ans: b

24. blood, fingerprints and dna are examples of
A. illustrative evidence
B. electronic evidence
C. documented evidence
D. substantial evidence
ans: d

25. when an incident takes place, a criminal leaves a trace of evidence at the scene and removes a trace from the scene. this is called
A. locard’s exchange principle
B. anderson’s exchange principle
C. charles’s anthony principle
D. kevin ashton principle
ans: a

26. which is not a procedure for establishing a chain of custody?
A. save the original materials.
B. take photos of physical evidence.
C. don’t take screenshots of digital evidence content.
D. document date, time, and any other information of receipt.
ans: c

27. which of the following is not a correct practice for handling digital evidence?
A. work with the original evidence to develop procedures.
B. use clean collecting media.
C. document any extra scope.
D. consider safety of personnel at the scene.
ans: a
28. which is an example of non-volatile memory?
A. flash memory
B. registers and cache
C. process table
D. arp cache
ans: a

29. ___ is known as testimonial evidence.
A. oath affidavit
B. dna samples
C. fingerprint
D. dried blood
ans: a

30. the process of ensuring that the data you have collected is the same as the data presented in court is known as
A. evidence validation
B. relative evidence
C. best evidence
D. illustrative evidence
ans: a
31. when a case goes to trial, your forensics examiner plays one of ___ roles.
A. 2
B. 4
C. 3
D. 5
ans. a

32. which of the following is a type of digital evidence?
A. eye witness
B. picture and video
C. paper work
D. none of the above
ans b

33. the rule of evidence is also known as the
A. law of witness
B. law of litigation
C. law of evidence
D. all of the above

ans. c
true or false questions
1. digital evidence is only useful in a court of law.
A. true
B. false
ans: b

2. attorneys and police are encountering progressively more digital evidence in their
work.
A. true
B. false
ans: a

3. video surveillance can be a form of digital evidence.
A. true
B. false
ans: a

4. all forensic examinations should be performed on the original digital evidence.
A. true
B. false
ans: b

5. digital evidence can be duplicated exactly without any changes to the original data.
A. true
B. false
ans: a
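Worked example for chapter 3 question 34 (acquisition), question 30 above (evidence validation) and true/false questions 4 and 5: a bit-for-bit duplicate, a cryptographic hash recorded at acquisition, and a chain-of-custody log so the copy presented later can be shown to be the same data. This python code is an added illustration, not part of the original question bank; the byte string standing in for seized media is constructed, and a real acquisition would image a device behind a write blocker with dd/dc3dd or FTK Imager rather than copy bytes in memory.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for seized media (assumption): a few hundred bytes
# instead of a multi-gigabyte drive. The procedure does not change with size.
ORIGINAL_MEDIA = (b"\x33\xc0\x8e\xd0" + b"\x00" * 60          # boot-sector-like bytes
                  + b"FAT32   " + bytes(range(256))
                  + b"notes.txt: meeting at 9pm\x00")


def hash_bytes(data, algorithm="sha256"):
    """Digest of the data; identical bytes give an identical digest, one
    flipped bit gives a completely different one."""
    return hashlib.new(algorithm, data).hexdigest()


def acquire(media):
    """Acquisition: make a bit-for-bit image and record its hash at that moment.
    The original is never written to; everything after this works on the image."""
    image = bytes(media)
    return image, hash_bytes(image)


def verify(image, expected_digest):
    """Evidence validation: the copy examined (or presented in court) must
    hash to exactly the value recorded at acquisition."""
    return hash_bytes(image) == expected_digest


def custody_entry(actor, action, digest, when=None):
    """One chain-of-custody record: who did what, and the hash at that point."""
    when = when or datetime.now(timezone.utc).isoformat()
    return {"when": when, "who": actor, "action": action, "sha256": digest}


def examine(original, examiner="examiner A"):
    """Acquire, hand a working copy to the examiner, verify it, and return
    (image, acquisition digest, verification result, custody log)."""
    image, digest = acquire(original)
    log = [custody_entry("collector", "acquired image", digest)]
    working_copy = bytes(image)                  # the analyst's copy
    ok = verify(working_copy, digest)
    log.append(custody_entry(examiner, "verified working copy",
                             hash_bytes(working_copy)))
    return image, digest, ok, log


if __name__ == "__main__":
    image, digest, ok, log = examine(ORIGINAL_MEDIA)
    print("acquisition sha256:", digest, "verified:", ok)
    tampered = image[:-1] + b"!"                  # a single changed byte
    print("tampered copy verifies:", verify(tampered, digest))
    for entry in log:
        print(entry)
```

Hashing answers "is this the same data?" but not "who touched it?"; that is what the custody log is for, and in practice both the acquisition hash and each transfer are recorded on the evidence form, with a second algorithm (md5 or sha-1 alongside sha-256) where the lab's procedure requires it.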

6. computers were involved in the investigations into both world trade center attacks.
A. true
B. false
ans: a

7. digital evidence is always circumstantial.
A. true
B. false
ans: b

8. digital evidence alone can be used to build a solid case.
A. true
B. false
ans: b

9. computers can be used by terrorists to detonate bombs.
A. true
B. false
ans: a

10. the aim of a forensic examination is to prove with certainty what occurred.
A. true
B. false
ans: b

11. even digital investigations that do not result in legal action can benefit from principles of
forensic science.
A. true
B. false
ans: a

12. forensic science is the application of science to investigation and prosecution of crime or to
the just resolution of conflict.
A. true
B. false
ans: a
chapter 5
basics of hacking (co5)

1. ethical hacking is also known as
A. black hat hacking.
B. white hat hacking.
C. encryption.
D. none of these.
ans. b

2. tool(s) used by an ethical hacker:
A. scanner
B. decoder
C. proxy
D. all of these.
ans. d

3. vulnerability scanning in ethical hacking finds
A. strengths.
B. weakness.
C. a &b
D. none of these.
ans. b

4. ethical hacking allows you to ___ all the massive security breaches.
A. remove.
B. measure.
C. reject.
D. none of these.
ans. b

5. the sequential steps hackers use are:
A. maintaining access.
B. reconnaissance
C. scanning.
D. gaining access.

A. b, c, d, a
B. b, a, c, d
C. a, b, c, d
D. d, c, b, a
ans. a
6. ___ is the art of exploiting the human element to gain access through an authorized user.
A. social engineering.
B. it engineering.
C. ethical hacking.
D. none of the above.
ans. a

7. which hacker is referred to as an ethical hacker?
A. black hat hacker.
B. white hat hacker.
C. grey hat hacker.
D. none of the above.
ans. b

8. the term cracker refers to a
A. black hat hacker.
B. white hat hacker.
C. grey hat hacker.
D. none of the above.
ans. a

9. who wrote a dissertation on the fundamentals of the hacker attitude?
A. g. palmer.
B. raymond.
C. either.
D. john browman.
ans. b

10. computer hackers have been in existence for more than a
A. decade.
B. year.
C. century
D. era.
ans. a

11. why do hackers hack?
A. fame.
B. profit.
C. revenge.
D. all the above
ans. d
12. the intent of an ethical hacker is to discover vulnerabilities from an ___ point of view, to better secure the system.
A. victims.
B. attackers.
C. both a & b
D. none of these.
ans. b

13. security audits are usually based on
A. entries.
B. checklists.
C. both a & b
D. none of the above
ans. b

14. ethical hacking consists of
A. penetration testing.
B. intrusion testing.
C. red teaming.
D. all of the above.
ans. d

15. ___ is a person who finds and exploits weaknesses in computer systems.
A. victim
B. hacker
C. developer
D. none of the above.
ans. b

16. a white hat hacker is one who
A. fixes identified weaknesses
B. steals data
C. identifies the weakness and leaves a message for the owner
D. none of the above
ans. a

17. a black hat hacker is one who
A. fixes identified weaknesses
B. steals data
C. identifies the weakness and leaves a message for the owner
D. none of the above.
ans. b
18. a grey hat hacker is one who
A. fixes identified weaknesses
B. steals data
C. identifies the weakness and leaves a message for the owner
D. none of the above
ans. c

19. keeping information secure can protect an organization's image and save the organization a lot of money.
A. true
B. false
ans. a

20. information is one of the most valuable assets of an organization.
A. true
B. false
ans. a

21. to catch a thief, think like a
A. police
B. forensics
C. thief
D. hacker
ans. c

22. ___ can create a false feeling of safety.
A. firewall
B. encryption
C. vpns
D. all the above
ans. d

23. exploits that involve manipulating people (end users and even yourself) are the greatest vulnerability within any computer or network infrastructure. these are
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. a
24. connecting to a network through a rogue modem attached to a computer behind a firewall is an example of a
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. b

25. ___ comprise a large portion of hacker attacks simply because every computer has one and so many well-known exploits can be used against them.
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. c

26. ___ should be done before the ethical hacking process.
A. data gathering.
B. attacking
C. planning
D. research
ans. c

27. which permission is necessary before ethical hacking?
A. written permission.
B. decision maker permission
C. privacy permission
D. risk permission.
ans. a

28. which tool is used to crack passwords?
A. nmap
B. lc4
C. toneloc
D. nessus
ans. b

29. which tool is used for in-depth analysis of a web application?
A. whisker
B. super scan
C. nikto
D. kismet
ans. a
30. which tool is used to encrypt email?
A. webinspect
B. qualyguard
C. pgp (pretty good privacy)
D. none of the above.
ans. c

31. malicious attackers often think like
A. thieves
B. kidnapper
C. both a & b
D. none of the above
ans. c

32. which hackers try to distribute a political or social message through their work?
A. black hat hacker
B. hacktivist
C. script kiddies
D. white hat hacker
ans. b

33. ___ are part of organized crime on the internet.
A. criminal
B. antinationalist
C. hacker for hire
D. none of the above
ans. c

34. which magazines release the latest hacking methods?
A. 2600
B. hackin9
C. phrack
D. all the above
ans. d

35. performing shoulder surfing in order to check others’ passwords is ___ ethical practice.
A. a good
B. not so good
C. very good social engineering practice
D. a bad
ans. d
36. ___ has now evolved into one of the most popular automated tools for unethical hacking.
A. automated apps
B. database software
C. malware
D. worms
ans. c

37. leaking your company’s data to an outside network without prior permission of senior authority is a crime.
A. true
B. false
ans. a

38. a penetration tester must identify and keep in mind the ___ & ___ requirements of a firm while evaluating its security posture.
A. privacy and security
B. rules and regulations
C. hacking techniques
D. ethics to talk to seniors
ans. a

39. the legal risks of ethical hacking include lawsuits due to ___ of personal data.
A. stealing
B. disclosure
C. deleting
D. hacking
ans. b

40. before performing any penetration test through a legal procedure, which of the key points listed below is not mandatory?
A. know the nature of the organization
B. characteristics of work done in the firm
C. system and network
D. type of broadband company used by the firm
ans. d
chapter-6
types of hacking (co6)

1. snmp stands for
A. simple network messaging protocol
B. simple network mailing protocol
C. simple network management protocol
D. simple network master protocol
ans: c

2. which of the following tools is used for network testing and port scanning?
A. netcat
B. superscan
C. netscan
D. all of above
ans: d

3. banner grabbing is used for
A. white hat hacking
B. black hat hacking
C. grey hat hacking
D. script kiddies
ans: a

4. an attacker can create an ___ attack by sending hundreds or thousands of e-mails with very large attachments.
A. connection attack
B. auto responder attack
C. attachment overloading attack
D. all the above
ans: c

5. which of the following tools is used on windows for network queries, from dns lookups to trace routes?
A. sam spade
B. superscan
C. netscan
D. netcat
ans: a
6. which tool is used for ping sweeps and port scanning?
A. netcat
B. samspade
C. superscan
D. all the above
ans: c

7. which of the following tools is used for security checks such as port scanning and firewall testing?
A. netcat
B. nmap
C. data communication
D. netscan
ans: a

8. what is the most important activity in system cracking?
A. information gathering
B. cracking password
C. escalating privileges
D. covering tracks
ans: b

9. which nmap scan does not completely open a tcp connection?
A. syn stealth scan
B. tcp scan
C. xmas tree scan
D. ack scan
ans: a

10. key loggers are a form of
A. spyware
B. shoulder surfing
C. trojan
D. social engineering
ans: a

11. nmap is an abbreviation of network mapper.
A. true
B. false
ans: a

12. ___ is a popular tool used for network discovery as well as security auditing.
A. ettercap
B. metasploit
C. nmap
D. burp suite
ans: c
13. which of these does nmap not check?
A. services different hosts are offering
B. on what os they are running.
C. what kind of firewall in use?
D. what type of antivirus in use?
ans: d

14. what is the purpose of a denial of service attack?
A. exploit a weakness in the tcp/ip stack.
B. to execute a trojan horse on a system.
C. to overload a system so it is no longer operational.
D. to shutdown services by turning them off.
ans: c

15. what are some of the most common vulnerabilities that exist in a network system?
A. changing manufacturer or recommended settings of a newly installed application.
B. additional unused features on commercial software packages.
C. utilizing open source application code.
D. balancing security and ease of use of system.
ans: b

16. which of the following is not a characteristic of an ethical hacker?
A. excellent knowledge of windows.
B. understands the process of exploiting network vulnerabilities.
C. patience, persistence and perseverance.
D. has the highest level of security for the organization.
ans: d

17. attempting to gain access to a network using an employee’s credentials is called the ___ mode of ethical hacking.
A. local networking
B. social engineering
C. physical entry
D. remote networking
ans: a

18. the first phase of hacking an it system is the compromise of which foundation of security?
A. availability
B. confidentiality
C. integrity
D. authentication
ans: b
19. why would a ping sweep be used?
A. to identify live systems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans: a

20. what are the port states determined by nmap?
A. active, inactive, standby
B. open, half-open, closed
C. open, filtered, unfiltered
D. active, closed, unused
ans: c

21. what port does telnet use?
A. 22
B. 80
C. 20
D. 23
ans: d

22. which of the following will allow footprinting to be conducted without detection?
A. pingsweep
B. traceroute
C. war dialers
D. arin
ans: d

23. performing hacking activities with the intent of gaining visibility for an unfair situation is called
A. cracking
B. analysis
C. hacktivism
D. exploitation
ans: c

24. why would a hacker use a proxy server?
A. to create a stronger connection with the target.
B. to create a ghost server on the network.
C. to obtain a remote access connection
D. to hide malicious activity on the network
ans: d
25. which phase of hacking performs actual attack on a network or system?
A. reconnaissance
B. maintaining access
C. scanning
D. gaining access
ans: d

26. ___ sniffing is used to perform fingerprinting.
A. passive stack
B. active stack
C. passive banner grabbing
D. scanned
ans: a

27. services running on a system are determined by
A. the system’s ip address
B. the active directory
C. the system’s network name
D. the port assigned
ans: d

28. what are the types of scanning?
A. port, network, and services
B. network, vulnerability, and port
C. passive, active, and interactive
D. server, client, and network
ans: b

29. enumeration is part of what phase of ethical hacking?
A. reconnaissance
B. maintaining access
C. gaining access
D. scanning
ans: c

30. the ___ framework made exploitation of vulnerabilities as easy as point and click.
A. net
B. metasploit
C. zeus
D. ettercap
ans: b
31. ___ is a popular ip address and port scanner.
A. cain and abel
B. snort
C. angry ip scanner
D. ettercap
ans: c

32. ___ is a popular tool used for network analysis in multiprotocol diverse networks.
A. snort
B. superscan
C. burp suite
D. etherpeek
ans: d

33. ___ scans tcp ports and resolves different hostnames.
A. superscan
B. snort
C. ettercap
D. qualysguard .
ans: a

34. what tool can be used to perform snmp enumeration?
A. dnslookup
B. whois
C. nslookup
D. ip network browser
ans: d

35. wireshark is a ___ tool.
A. network protocol analysis
B. network connection security
C. connection analysis
D. defending malicious packet-filtering
ans: a

36. aircrack-ng is used for
A. firewall bypassing
B. wi-fi attacks
C. packet filtering
D. system password cracking
ans: b
37. phishing is a form of
A. spamming
B. identity theft
C. impersonation
D. scanning
ans: c

39. ___ is used for searching multiple hosts in order to target just one specific open port.
A. ping sweep
B. port scan
C. ipconfig
D. spamming
ans: a

40. arp spoofing is often referred to as a
A. man-in-the-middle attack
B. denial-of-service attack
C. sniffing
D. spoofing
ans: a
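Worked example for question 40: arp carries no authentication, so an attacker who sends unsolicited replies claiming the gateway's ip with their own mac (and the victim's ip towards the gateway) ends up relaying both directions of the conversation. The detection logic below, run over a constructed log of arp replies, is an added illustration and not part of the original question bank; the addresses, the timing and the trusted gateway entry are assumptions for the example.

```python
from collections import defaultdict

# Constructed ARP reply log (assumption: not a real capture). Each entry is
# (seconds since start, sender IP, sender MAC) as seen by a monitoring host.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),   # real gateway
    (0.5, "192.168.1.20", "bb:bb:bb:bb:bb:20"),   # victim workstation
    (1.0, "192.168.1.30", "cc:cc:cc:cc:cc:30"),   # attacker's own address
    (5.0, "192.168.1.1",  "cc:cc:cc:cc:cc:30"),   # attacker claims to be the gateway
    (5.1, "192.168.1.20", "cc:cc:cc:cc:cc:30"),   # ...and the victim: both caches poisoned
    (9.0, "192.168.1.40", "dd:dd:dd:dd:dd:40"),   # unrelated host, no alert
]

# Static entry the monitor trusts (assumption): the gateway's real MAC.
TRUSTED = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_spoofing(replies, trusted=None):
    """Flag the fingerprints of ARP cache poisoning:
    - trusted_mismatch: an IP with a static entry answers from another MAC;
    - mac_change: an IP's MAC differs from what was previously observed
      (a cache entry is being rewritten);
    - one_mac_many_ips: one MAC answers for several IPs (the attacker sits
      between both ends of the conversation).
    Returns the alerts as dicts, in the order they were raised."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append({"time": t, "kind": "trusted_mismatch", "ip": ip,
                           "expected": trusted[ip], "seen": mac})
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"time": t, "kind": "mac_change", "ip": ip,
                           "old_mac": prev, "new_mac": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append({"time": t, "kind": "one_mac_many_ips", "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, TRUSTED):
        print(alert)
```

A mac_change on its own also fires on legitimate events (a replaced nic, dhcp handing an address to a different machine), so the trusted table and the one-mac-many-ips rule are what make the alert worth paging on; the fix on the switch side is dynamic arp inspection or static entries for the gateway, which the attacker cannot overwrite.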

41. ___ is a tool that allows you to look into a network and analyze data going across the wire for network optimization, security and troubleshooting purposes.
A. network analyzer
B. crypt tool
C. john the ripper
D. backtrack
ans: a

42. ___ is not a function of a network analyzer tool.
A. captures all network traffic
B. interprets or decodes what is found into a human-readable format.
C. displays it all in chronological order.
D. banner grabbing
ans: d
43. ___ protocol is used for network monitoring.
A. ftp
B. snmp
C. telnet
D. arp
ans: b

44. what is the attack called “evil twin”?
A. rogue access point
B. arp poisoning
C. session hijacking
D. mac spoofing
ans: a

45. what is the primary goal of an ethical hacker?
A. avoiding detection
B. testing security controls
C. resolving security vulnerabilities
D. determining return on investment for security measures
ans: c

46. what are the forms of password cracking techniques?
A. syllable attack
B. brute-force attack
C. hybrid attack
D. all the above
ans: d
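Worked example for question 46 (and chapter 5 question 28 on password-cracking tools): the techniques tried in order of cost against a hashed credential, so that an exhaustive brute force is only reached when the cheap dictionary, hybrid and syllable passes fail. This python code is added here as an illustration, not part of the original question bank; it assumes a salted sha-256 digest and a constructed word list, where a real engagement would run the same logic (with john the ripper or hashcat) against ntlm hashes extracted from the sam.

```python
import hashlib
import itertools
import string

# Assumption: the stored credential is a salted SHA-256 digest. A real target
# would be an NTLM hash pulled from the SAM; the attack logic is unchanged.
SALT = "s4lt"


def hash_password(password, salt=SALT):
    return hashlib.sha256((salt + password).encode()).hexdigest()


WORDLIST = ["password", "letmein", "dragon", "monkey", "qwerty"]   # constructed
SYLLABLES = ["ba", "ko", "ti", "ra", "mo", "ne"]                   # constructed


def dictionary_attack(target, words=WORDLIST):
    """Try each word exactly as listed."""
    for w in words:
        if hash_password(w) == target:
            return w
    return None


def hybrid_attack(target, words=WORDLIST, max_digits=2):
    """Dictionary words mutated the way users do: case changes and a numeric suffix."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            if hash_password(base) == target:
                return base
            for n in range(1, max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    cand = base + "".join(digits)
                    if hash_password(cand) == target:
                        return cand
    return None


def syllable_attack(target, syllables=SYLLABLES, max_syllables=3):
    """Pronounceable syllable combinations, for passwords that are not dictionary words."""
    for n in range(1, max_syllables + 1):
        for combo in itertools.product(syllables, repeat=n):
            cand = "".join(combo)
            if hash_password(cand) == target:
                return cand
    return None


def brute_force(target, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Exhaustive search; cost grows as len(charset) ** length, hence it goes last."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            cand = "".join(combo)
            if hash_password(cand) == target:
                return cand
    return None


def crack(target):
    """Run the cheap techniques first; return (technique, password) or (None, None)."""
    for name, attack in (("dictionary", dictionary_attack), ("hybrid", hybrid_attack),
                         ("syllable", syllable_attack), ("brute-force", brute_force)):
        found = attack(target)
        if found is not None:
            return name, found
    return None, None


if __name__ == "__main__":
    for pw in ("dragon", "Dragon77", "tiko", "zq9", "Xy#9pQ!2"):
        print(pw, "->", crack(hash_password(pw)))
```

The ordering is the whole lesson: a dictionary pass costs a few hundred hashes, hybrid a few thousand, and brute force 36^n, which is why length and an unusual character set defeat cracking while a "clever" dictionary word with a digit appended does not. A slow, salted password hash (bcrypt, scrypt, argon2) multiplies every one of these costs by the same factor.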

45. which type of hacker represents the highest risk to your network?
A. black-hat hackers
B. grey-hat hackers
C. script kiddies
D. disgruntled employees
ans: d

46. hacking for a cause is called
A. hacktivism
B. black-hat hacking
C. active hacking
D. activism
ans: a
47. when a hacker attempts to attack a host via the internet, it is known as what type of attack?
A. local access
B. remote attack
C. internal attack
D. physical access
ans: b

49. a type of attack that overloads the resources of a single system to cause it to crash or hang.
A. resource starvation
B. active sniffing
C. passive sniffing
D. session hijacking
ans: a

50. in computer networking, ___ is any technical effort to manipulate the normal behavior of network connections and connected systems.
A. hacking
B. evidence
C. tracing
D. none of above
ans:-a

51. ___ generally refers to unauthorized intrusion into a computer or a network.
A. hacking
B. evidence
C. tracing
D. none of above

ans:-a

52. we can eliminate many well-known network vulnerabilities by simply patching your network hosts with their latest ___ and ___.
A. hackers and crackers
B. vendor software and firmware patches
C. software and hardware
D. none of above
ans:-b

53. networks consist of devices such as routers, firewalls and hosts that you must assess as part of the ___.
A. crackers
B. black hat hacking
C. grey hat hacking process
D. ethical hacking process.
ans:-d

54. ___ are the foundation for most technical security issues in your information systems.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans:-d

55. a ___ attack can take down your internet connection or your entire network.
A. mac
B. dos
C. ids
D. none of above
ans:-b

56. dos stands for
A. detection of system
B. denial of service
C. detection of service
D. none of above
ans:-b

57. ids stands for
A. intrusion detection system
B. information documentation service
C. intrusion documentation system
D. none of above
ans:-a

58. which of the following protocols is vulnerable when in use?
A. tcl
B. ssl
C. ftp
D. smtp
ans:-b

59. ssl stands for
A. secure sockets layer
B. software security layer
C. socket security layer
D. system software layer
ans:-a
60. ___ include phishing, sql injection, hacking, social engineering, spamming, denial of service attacks, trojans, and virus and worm attacks.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans:-d

61. who created the first internet worm?
A. brighten godfrey
B. alan yeung
C. robert morris
D. none of above
ans:-c

62. which of the following is not a typical characteristic of an ethical hacker?
A. excellent knowledge of windows.
B. understands the process of exploiting network vulnerabilities.
C. patience, persistence and perseverance.
D. has the highest level of security for the organization.
ans:-d
63. what is the purpose of a denial of service attack?
A. exploit a weakness in the tcp/ip stack
B. to execute a trojan on a system
C. to overload a system so it is no longer operational
D. to shutdown services by turning them off
ans:- c

64.what are some of the most common vulnerabilities that exist in a network or system?
A. changing manufacturer, or recommended, settings of a newly installed application.
B. additional unused features on commercial software packages.
C. utilizing open source application code
D. balancing security concerns with functionality and ease of use of a system.
ans:b

65. what is the sequence of a tcp connection?
A. syn-ack-fin
B. syn-syn ack-ack
C. syn-ack
D. syn-syn-ack
ans:b

67. a packet with no flags set is which type of scan?
A. tcp
B. xmas
C. idle
D. null
ans:-d
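Worked example for questions 3 (banner grabbing), 9 (syn stealth scan), 20 (port states) and 65 (the tcp handshake): a tcp connect scanner with banner grabbing, run against a loopback listener so it works offline. This python code is an added illustration, not code from the original question bank; the listener and its fake ssh banner are constructed for the example, and the nmap flags named in the comments (-sT, -sS) are the real ones for the two scan types being contrasted.

```python
import socket
import threading


def start_banner_server(banner=b"SSH-2.0-OpenSSH_9.6 demo\r\n"):
    """Constructed target for the demo (assumption): a loopback listener that
    volunteers a fake SSH banner, standing in for a real service.
    Returns (listening socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listening socket closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port():
    """A loopback port with nothing listening (bind to 0, read it, release it)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def scan_port(host, port, timeout=0.5, grab_banner=True):
    """TCP connect scan of one port (what `nmap -sT` does).

    The OS completes the full three-way handshake (SYN, SYN/ACK, ACK), so the
    connection appears in the target's logs. A SYN "stealth" scan (`nmap -sS`)
    sends the SYN itself, reads the SYN/ACK and answers with RST instead of
    ACK; that needs raw sockets, which plain Python sockets do not offer.
    Returns (state, banner) using nmap's vocabulary for the state.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", None           # RST came back: nothing listening
    except (socket.timeout, OSError):
        s.close()
        return "filtered", None         # no answer: a firewall dropped the probe
    banner = b""
    if grab_banner:
        try:
            banner = s.recv(256)        # banner grabbing: what the service says first
        except (socket.timeout, OSError):
            pass
    s.close()
    return "open", banner


def scan(host, ports, timeout=0.5):
    """Scan several ports; returns {port: (state, banner)}."""
    return {p: scan_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    srv, open_port = start_banner_server()
    for p, (state, banner) in scan("127.0.0.1", [open_port, find_closed_port()]).items():
        print(p, state, banner)
    srv.close()
```

The three states line up with question 20: a SYN/ACK (connect succeeds) is open, a RST is closed, and silence is filtered. Against a real host the banner is the service's own greeting, which is what fingerprints the version before any exploit is chosen; a null scan (question 67) and the other flag-based scans only work with raw packets, so they belong to nmap rather than to a connect scanner like this one.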
21/05/2020 state level online exam for emerging trends in computer engineering and information technology(22618)

State Level Online Exam for Emerging Trends in Computer Engineering and Information Technology (22618)
Total points 63/70

This Online Exam is for Final Year students of Computer Engineering Group of MSBTE
affiliated Polytechnic.
Date : 21-05-2020
Time 10.00 to 11.30am.


1. IBM Watson Supercomputer comes under --- AI

Narrow AI

General AI

Neural AI

None of the above

Feedback

Narrow AI

https://docs.google.com/forms/d/e/1FAIpQLSewPHDBW8z6BupgS-RKxbAZmZAz_W-rKu0CPZcACA733SoVyw/viewscore?viewsco… 2/27
21/05/2020 state level online exam for emerging trends in computer engineering and information technology(22618)

2. DARPA, the agency that has funded a great deal of American AI research, is part of the Department of:

Defence

Energy

Education

Justice

Feedback

Defence

3. The conference that launched the AI revolution in 1956 was held at:

Dartmouth

Harvard

New York

Stanford

Feedback

Dartmouth

4. What is the term used for describing the judgmental or commonsense part of problem solving?

Heuristic

Critical

Value based

Analytical

Feedback

Heuristic

5. Which of the following is considered to be a pivotal event in the history of AI?

1949, Donald O, The organization of Behavior.

1950, Computing Machinery and Intelligence.

1956, Dartmouth University Conference Organized by John McCarthy.

1961, Computer and Computer Sense.

None of the above

Correct answer

1956, Dartmouth University Conference Organized by John McCarthy.

6. A certain Professor at Stanford University coined the term 'artificial intelligence' in 1956 at a conference held at Dartmouth College. Can you name the Professor?

David Levy

John McCarthy

Joseph Weizenbaum

Hans Berliner

None of the above

Feedback

John McCarthy

7. The ability to recover and read deleted or damaged files from a criminal’s computer is an example of a law enforcement specialty called?

Robotics

Simulation

Computer Forensics

Animation

Feedback

Computer Forensics

8. Which part of a mobile device is important in digital forensics?

SIM

RAM

ROM

EMMC chip

Feedback

EMMC chip

9. Using which technique can data hiding in encrypted images be carried out in digital forensics?

Acquisition.

Steganography.

Live analysis

Hashing.

Feedback

Steganography

10. Which of this is not a computer crime? 1/1

e-mail harassment

Falsification of data

Sabotage

Identification of data

Feedback

Identification of data

11. Which file is used to store the user entered password? 1/1

.exe

.txt

.iso

.sam

Feedback

.sam


12. is the process of recording as much data as possible to create reports and analysis on user input. 1/1

Data mining

Data carving

Meta data

Data Spoofing.

Feedback

Data mining

13. What is the first step to handle retrieving data from an encrypted hard drive? 1/1

Formatting disk

Storing data

Finding configuration files.

Deleting files.

Feedback

Finding configuration files.


14. In which phase does the investigator transfer the relevant data from a venue outside the investigator's physical or administrative control to a controlled location? 1/1

Preservation phase

Survey phase

Documentation phase

Reconstruction phase

Presentation phase

Feedback

Survey phase

15. Computer forensics does not involve activity. 1/1

Preservation of computer data.

Extraction of computer data.

Manipulation of computer data.

Interpretation of computer data.

Feedback

Manipulation of computer data.


16. A set of instructions compiled into a program that performs a particular task is known as: 1/1

Hardware.

CPU

Motherboard

Software

Feedback

Software

17. Which of the following is not a rule of digital forensics? 1/1

An examination should be performed on the original data

A copy is made onto forensically sterile media. New media should always be used if
available.

The copy of the evidence must be an exact, bit-by-bit copy

The examination must be conducted in such a way as to prevent any modification of the evidence.

Feedback

An examination should be performed on the original data


18. To collect and analyze the digital evidence that was obtained from the physical investigation phase is the goal of which phase? 1/1

Physical crime investigation

Digital crime investigation.

Review phase.

Deployment phase.

Feedback

Digital crime investigation.

19. To provide a mechanism for an incident to be detected and confirmed is the purpose of which phase? 1/1

Physical crime investigation

Digital crime investigation

Review phase

Deployment phase

Feedback

Deployment phase


20. Which phase entails a review of the whole investigation and identifies areas of improvement? 1/1

Physical crime investigation

Digital crime investigation.

Review phase.

Deployment phase

Feedback

Review phase.

21. is known as the father of computer forensics. 1/1

G. Palmar

J. Korn

Michael Anderson

S.Ciardhuain.

Feedback

Michael Anderson


22. is a well established science where various contributions have been made. 1/1

Forensic

Crime

Cyber Crime

Evidence

Feedback

forensic

23. Who proposed End to End Digital Investigation Process (EEDIP)? 1/1

G. Palmar

Stephenson

Michael Anderson

S.Ciardhuain

Feedback

Stephenson.


24. Which model of investigation was proposed by Carrier and Spafford? 1/1

Extended Model of Cybercrime Investigation (EMCI)

Integrated Digital Investigation Process(IDIP)

Road Map for Digital Forensic Research (RMDFR)

Abstract Digital Forensic Model (ADFM)

Feedback

Integrated Digital Investigation Process(IDIP)

25. Which of the following is not a property of computer evidence? 1/1

Authentic and Accurate.

Complete and Convincing.

Duplicated and Preserved.

Conform and Human Readable.

Feedback

Conform and Human Readable.


26. A valid definition of digital evidence is 1/1

Data stored or transmitted using a computer

Information of probative value

Digital data of probative value

Any digital evidence on a computer

Feedback

Digital Data of probative value

27. What are the three general categories of computer systems that can 1/1
contain digital evidence?

Desktop, laptop,server

Personal computer, Internet, mobile telephone

Hardware, software, networks

Open computer systems, communication systems, and embedded systems

Feedback

Open computer systems, communication systems, and embedded systems


28. In terms of digital evidence, the Internet is an example of 0/1

Open computer systems

Communication systems

Embedded computer systems

None of the above

Correct answer

Communication systems

29. Cyber trails are advantageous because: 1/1

They are not connected to the physical world.

Nobody can be harmed by crime on the Internet.

They are easy to follow.

Offenders who are unaware of them leave behind more clues than they otherwise
would have.

Feedback

Offenders who are unaware of them leave behind more clues than they otherwise would
have.


30. Private networks can be a richer source of evidence than the Internet 0/1
because:

They retain data for longer periods of time.

Owners of private networks are more cooperative with law enforcement.

Private networks contain a higher concentration of digital evidence.

All the above.

Correct answer

Private networks contain a higher concentration of digital evidence.

31. The criminological principle which states that, when anyone, or 2/2
anything, enters a crime scene he/she takes something of the scene with
him/her, and leaves something of himself/herself behind, is:

Locard’s Exchange Principle

Differential Association Theory

Beccaria's Social Contract

None of the above

Feedback

Locard’s Exchange Principle


32. Ethical Hacking is also known as 2/2

Black Hat Hacking.

White Hat Hacking.

Encryption.

None of these.

Feedback

White Hat Hacking.

33. Vulnerability scanning in Ethical hacking finds 2/2

Strengths.

Weakness.

A & B

None of these.

Feedback

Weakness.


34. Who described a dissertation on fundamentals of hacker’s attitude? 2/2

G. Palma.

Raymond.

Either.

Jhon Browman

Feedback

Raymond.

35. A grey hat hacker is the one who ···/2

Fixes identified weaknesses

Steals the data

Identifies the weakness and leaves a message for the owner

None of the above

No correct answers


36. Which tool is used to crack the password? 2/2

Nmap

LC4

ToneLOC

Nessus

Feedback

LC4

37. Which tool is used for in-depth analysis of a web application? 2/2

Whisker

Superscan

Nikto

Kismet

Feedback

Whisker


38. Which type of hacker tries to distribute a political or social message through their work? 2/2

Black hat hacker

Hacktivist

Script kiddies

White hat hacker

Feedback

Hacktivist

39. A penetration tester must identify and keep in mind the & requirements of a firm while evaluating its security posture. 2/2

privacy and security

rules and regulations

hacking techniques

ethics to talk to seniors

Feedback

privacy and security


40. Before performing any penetration test through a legal procedure, which of the key points listed below is not mandatory? 2/2

Know the nature of the organization

Characteristics of work done in the firm

System and network

Type of broadband company used by the firm

Feedback

Type of broadband company used by the firm

41. Banner grabbing is used for 2/2

White Hat Hacking

Black Hat Hacking

Grey Hat Hacking

Script Kiddies

Feedback

White Hat Hacking


42. Which of the following tools is used on Windows for network queries, from DNS lookups to trace routes? 2/2

SamSpade

SuperScan

NetScan

Netcat

Feedback

SamSpade

43. Which Nmap scan does not completely open a TCP connection? 2/2

SYN stealth scan

TCP scan

XMAS tree scan

ACK scan

Feedback

SYN stealth scan


44. Which of the following is not a characteristic of an ethical hacker? 2/2

Excellent knowledge of Windows.

Understands the process of exploiting network vulnerabilities.

Patience, persistence and perseverance.

Has the highest level of security for the organization.

Feedback

Has the highest level of security for the organization.

45. Attempting to gain access to a network using an employee's credentials is called the mode of ethical hacking. 2/2

Local networking

Social engineering

Physical entry

Remote networking

Feedback

Local networking


46. Enumeration is part of what phase of ethical hacking? 2/2

Reconnaissance

Maintaining Access

Gaining Access

Scanning

Feedback

Gaining Access

47. Which type of hacker represents the highest risk to your network? 0/2

black-hat hackers

grey-hat hackers

script kiddies

disgruntled employees

Correct answer

disgruntled employees


48. Embedded systems are 2/2

General Purpose

Special Purpose

Feedback

Special Purpose

49. A digital multimeter is an example of an embedded system for 2/2

Data communication

Monitoring

control

All of above

Feedback

Monitoring


50. Main Processor chip in computers is 2/2

ASIC

ASSP

CPU

CPLD

Feedback

CPU

chapter 1- artificial intelligence | eti mcq i scheme

1. which of these schools was not among the early leaders in ai research?
A. dartmouth university
B. harvard university
C. massachusetts institute of technology
D. stanford university
E. none of the above
ans: b

2. darpa, the agency that has funded a great deal of american ai research, is part of the
department of:
A. defense
B. energy
C. education
D. justice
E. none of the above
ans: a

3. the conference that launched the ai revolution in 1956 was held at:
A. dartmouth
B. harvard
C. new york
D. stanford
E. none of the above
ans: a

4. what is the term used for describing the judgmental or commonsense part of the problem
solving?
A. heuristic
B. critical
C. value-based
D. analytical
E. none of the above
ans: a

5. which of the following is considered to be a pivotal event in the history of ai?
A. 1949, donald o, the organization of behavior.
B. 1950, computing machinery and intelligence.
C. 1956, dartmouth university conference organized by john mccarthy.
D. 1961, computer and computer sense.
E. none of the above
ans: c

6. a certain professor at the stanford university coined the word 'artificial intelligence' in
1956 at a conference held at dartmouth college. can you name the professor?
A. david levy
B. john mccarthy
C. joseph weizenbaum
D. hans berliner
E. none of the above
ans: b

7. the field that investigates the mechanics of human intelligence is:
A. history
B. cognitive science
C. psychology
D. sociology
E. none of the above
ans: b

8. a.m. turing developed a technique for determining whether a computer could or could not
demonstrate artificial intelligence; presently, this technique is called
A. turing test
B. algorithm
C. boolean algebra
D. logarithm
E. none of the above
ans: a

9. the first ai programming language was called:
A. basic
B. fortran
C. ipl
D. lisp
E. none of the above
ans: d

10. what is artificial intelligence?
A. putting your intelligence into computer
B. programming with your own intelligence
C. making a machine intelligent
D. putting more memory into computer
ans: c

11. who is the father of ai?
A. alain colmerauer
B. john mccarthy
C. nicklaus wirth
D. seymour papert
ans: b

12. artificial intelligence has its expansion in the following application.
A. planning and scheduling
B. game playing
C. robotics
D. all of the above
ans: d

13. the characteristic of a computer system capable of thinking, reasoning and learning is
known as
A. machine intelligence
B. human intelligence
C. artificial intelligence
D. virtual intelligence
ans: c

14. the first ai programming language was called:
A. basic
B. fortran
C. ipl
D. lisp
ans: d

15. the first widely used commercial form of artificial intelligence (ai) is being used in many
popular products like microwave ovens, automobiles and plug-in circuit boards for desktop pcs.
what is the name of this ai?
A. boolean logic
B. human logic
C. fuzzy logic
D. functional logic
ans: c

16. what is the term used for describing the judgmental or commonsense part of the problem
solving?
A. heuristic
B. critical
C. value-based
D. analytical
ans: a

17. is a branch of computer science which deals with helping machines find solutions to
complex problems in a more human-like fashion
A. artificial intelligence
B. internet of things
C. embedded system
D. cyber security
ans: a

18. in the goal is for the software to use what it has learned in one area to solve problems in
other areas.
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: b

19. computer programs that mimic the way the human brain processes information are called
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: c

20. a is a rule of thumb, strategy, trick, simplification, or any other kind of device which
drastically limits the search for solutions in large problem spaces.
A. heuristic
B. critical
C. value based
D. analytical
ans: a

21. do not guarantee optimal/any solutions
A. heuristic
B. critical
C. value based
D. analytical
ans: a

22. cognitive science is related with
A. act like human
B. eliza
C. think like human
D. none of the above
ans: c

23. model should reflect how results were obtained.
A. design model
B. logic model
C. computational model
D. none of the above
ans: c

24. communication between man and machine is related with
A. lisp
B. eliza
C. all of the above
D. none of the above
ans: b

25. eliza was created by
A. john mccarthy
B. steve russell
C. alain colmerauer
D. joseph weizenbaum
ans: d

26. the concept derived from level is propositional logic, tautology, predicate
calculus, model, temporal logic.
A. cognition level
B. logic level
C. functional level
D. all of the above
ans: b

27. prolog is an ai programming language which solves problems with a form of symbolic logic
known as .
A. propositional logic
B. tautology
C. predicate calculus
D. temporal logic
ans: c

28. the level contains constituents at the third level which are knowledge-based system,
heuristic search, automatic theorem proving, multi-agent system.
A. cognition level
B. gross level
C. functional level
D. all of the above
ans: b

29. prolog, lisp, nlp are the languages of
A. artificial intelligence
B. machine learning
C. internet of things
D. deep learning
ans: a

30. is used for ai because it supports the implementation of software that computes with
symbols very well.
A. lisp
B. eliza
C. prolog
D. nlp
ans: a

31. symbols, symbolic expressions, and computing with those is at the core of
A. lisp
B. eliza
C. prolog
D. nlp
ans: a

32. that deals with the interaction between computers and humans using the natural
language
A. lisp
B. eliza
C. prolog
D. nlp
ans: d

33. the core components, the constituents of ai, are derived from
A. concept of logic
B. cognition
C. computation
D. all of the above
ans: d

34. aristotle's theory of syllogism and descartes' and kant's critique of pure reasoning made
knowledge on .
A. logic
B. computation logic
C. cognition logic
D. all of the above
ans: a

35. charles babbage and boole demonstrated the power of
A. logic
B. computation logic
C. cognition logic
D. all of the above
ans: b

36. in the 1960s, pushed the logical formalism to integrate reasoning with knowledge.
A. marvin minsky
B. alain colmerauer
C. john mccarthy
D. none of above
ans: a

37. sensing organs as input, mechanical movement organs as output and central nervous system
(cns) in the brain as control and computing devices is known as of human being
A. information control paradigm
B. information processing paradigm
C. information processing control
D. none of the above
ans: b

38. model was developed and incorporated in machines which mimicked the
functionalities of human origin.
A. functional model
B. neural model
C. computational model
D. none of the above
ans: c

39. chomsky's linguistic computational theory generated a model for syntactic analysis through
A. regular grammar
B. regular expression
C. regular word
D. none of these
ans: a

40. human to machine is and machine to machine is .
A. process, process
B. process, program
C. program, hardware
D. program, program
ans: c

41. weak ai is also known as
A. narrow ai
B. general ai
C. neural ai
D. none of the above
ans: a

42. ai is able to perform a dedicated task.
A. narrow ai
B. general ai
C. neural ai
D. none of the above
ans: a

43. narrow ai can perform multiple tasks at a time.
A. true
B. false
ans: b

44. weak ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: c

45. strong ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: a

46. artificial intelligence is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: d

47. apple siri is a good example of ai.
A. narrow ai
B. general ai
C. neural ai
D. none of the above
ans: a

48. ibm watson supercomputer comes under ai.
A. narrow ai
B. general ai
C. neural ai
D. none of above
ans: a

49. ai is a type of intelligence which could perform any intellectual task with efficiency like
a human.
A. narrow ai
B. general ai
C. super ai
D. none of the above
ans: b

50. the idea behind ai is to make a system which could be smarter and think like a
human on its own.
A. narrow ai
B. general ai
C. super ai
D. none of the above
ans: b

51. the worldwide researchers are now focusing on developing machines with ai.
A. narrow ai
B. general ai
C. super ai
D. none of the above
ans: b

52. playing chess, purchasing suggestions on e-commerce site, self-driving cars, speech
recognition and image recognition are the example of .
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: a

53. a machine that can perform any task better than a human, with cognitive properties, is known as ai.
A. narrow ai
B. general ai
C. super ai
D. none of the above
ans: c

54. ability to think, puzzle, make judgments, plan, learn, communication by its own is known as
ai.
A. narrow ai
B. general ai
C. super ai
D. none of the above
ans: c

55. ai is a hypothetical concept of ai.
A. narrow ai
B. general ai
C. super ai
D. none of the above
ans: c

56. which ai system does not store memories or past experiences for future actions?
A. reactive machine
B. limited memory
C. theory of mind
D. none of the above
ans: a

57. which machines only focus on the current scenario and react to it with the best possible
action?
A. reactive machine
B. limited memory
C. theory of mind
D. none of the above
ans: a

58. ibm's deep blue system is an example of .
A. reactive machine
B. limited memory
C. theory of mind
D. none of the above
ans: a

59. google alpha go is an example of .
A. reactive machine
B. limited memory
C. theory of mind
D. none of the above
ans: a

60. which can store past experiences or some data for a short period of time?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: b

61. the self-driving car is an example of .
A. reactive machine
B. limited memory
C. theory of mind
D. none of the above
ans: b [the car stores the recent speed of nearby cars, the distance of other cars, the speed limit and other
information to navigate the road]

62. which ai should understand human emotions, people, and beliefs and be able to interact
socially like humans.
A. reactive machine
B. limited memory
C. theory of mind
D. none of the above
ans: c

63. which machines will be smarter than the human mind?
A. reactive machine
B. limited memory
C. theory of mind
D. self-awareness
ans: d

64. machines will have their own consciousness and sentiments
A. reactive machine
B. theory of mind
C. self-awareness
D. both b & c
ans: c

65. which is not a commonly used programming language for ai?
A. prolog
B. lisp
C. perl
D. java script
ans: c

66. what is machine learning?
A. the autonomous acquisition of knowledge through the use of computer programs
B. the autonomous acquisition of knowledge through the use of manual programs
C. the selective acquisition of knowledge through the use of computer programs
D. the selective acquisition of knowledge through the use of manual programs
ans: a

67. is a branch of science that deals with programming systems in such a way
that they automatically learn and improve with experience
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: a

68. classifying email as spam, labeling webpages based on their content, voice recognition are the
examples of .
A. supervised learning
B. unsupervised learning
C. machine learning
D. deep learning
ans: a

69. k-means, self-organizing maps, hierarchical clustering are the examples of .
A. supervised learning
B. unsupervised learning
C. machine learning
D. deep learning
ans: b

70. deep learning is a subfield of machine learning where the concerned algorithms are inspired by the
structure and function of the brain, called .
A. machine learning
B. artificial neural networks
C. deep learning
D. robotics
ans: b

71. machine learning was invented by .
A. john mccarthy
B. nicklaus wirth
C. joseph weizenbaum
D. arthur samuel
ans: d
course :- emerging trends in computer and information technology
chapter 2 - embedded system

sr.no question op1 op2 op3 op4 answer


embedded systems applications typically involve processing
1 information as block level logical volumes distance signals d
reality-time real-time real-data
2 deadline-driven constraints so called none of above b
constraints constraints constraints
processor must accept and process frame before next frame hard real-time real-time real-data soft real-time
3 arrives, typically called a
systems constraints constraints systems
average time for a particular task is constrained as well as is
hard real-time real-data real-time soft real-time
4 number of instances when some maximum time is exceeded, d
systems constraints constraints systems
stated approach is known as
caches can be converted into software-managed on-chip
5 memories via block level seek time line locking line blocking c
6 which of the following is a coprocessor of 80386 80387 8087 8089 8088 a
name the processor which helps in floating point
7 microprocessor microcontroller coprocessor controller c
calculations
processor and processor and
8 an embedded system must have hard disk operating system d
memory input-output unit(
simulation on
9 soc stands for system on chip size on chip simulation on chip computer a
10 what is the processor used by arm7? 8-bit cisc 8-bit risc 32-bit cisc 32-bit risc d
16-bit instruction 32-bit instruction 64-bit instruction 8-bit instruction
11 what is the instruction set used by arm7? a
set set set set
35 register( 28 37 registers(28 37 registers(31 35 register(30 gpr
12 how many registers are there in arm7? c
gpr and7spr) gpr and 9spr) gpr and 6spr) and 5 spr)
13 which of the following has the same instruction set as arm7 arm6 armv3 arm71a0 armv4t b

advanced risc advanced risc advanced reduced advanced reduced


14 arm stands for a
machine methadology machine methadology
in which of the following arm processors virtual memory is
15 arm7di arm7tdmi-s arm7tdmi arm7ej-s a
present?
embedded systems applications typically involve processing
16 distance signals block level logical volumes b
information as
sr.no question op1 op2 op3 op4 answer
17 the internal ram memory of the 8051 is: 32 bytes 64 bytes 128 bytes 256 bytes c
18 the 8051 can handle interrupt sources. 3 4 5 6 c
in avr what is the isr address for an external hardware all of the
19 0002h 0004h 0006h d
interrupt? mentioned
in avr, which of the following registers are not used for none of the
20 tcnt tcon tifr b
programming timers? mentioned
programmable programmable programmable
21 pal stands for… none of the these a
array logic logic array array loaded
very long single very large scale very least scale
22 which of the following full form of vlsi? none of the these b
integration integration integration
23 the number of elements in the open iot architecture? 6 elements 8 elements 7 elements 3 elements c
increasing cost
increasing cost
reducing cost and reducing cost and and increasing
and decreasing
24 global sensor network is built for time for increasingtime for time a
time for
development development fordevelopmentvel
development
opment
is a community that is working together to
25 eclipse iot red hat intercloud bot 2 bot a
establish an iot architecture.
internal internet international aid internet assigned
26 1. iana stands for: assessment association for network auto numbers d
numerical access numbersauthority mation authority
27 standard port number for secure mqtt is: 1883 8000 8883 8888 a
secure socket
secure socket secure socket
layout and session socket
layers and layers and
28 terms ssl and tls stand for: transport layers and b
transport transport
levelsessionsecuri transportlayer
layersession layersecurity
ty
29 which one out of these is not a data link layer technology: bluetooth uart wifi http d
30 which transport layer protocols is used by dhcp? rsvp tcp dccp udp d
a system designed
the physical
to prevent the network
31 what is a firewall in computer networks: a web browser boundary of a
unauthorized operating system
network
access
sr.no question op1 op2 op3 op4 answer
the selective the autonomous
the selective the autonomous
acquisition of acquisition of
acquisitionofknow acquisitionofknow
knowledge knowledge
32 machine learning is ledge through the ledge through the d
through the use of through the use of
use of manual use of manual
computer computer
programs programs
programs programs

33 how many times setup function runs in arduino ide: none of the above 10 2 1 d
34 raspbian is: assembler language compiler os d
common gateway common gateway common gate common gateway
35 cgi stands for: d
interest interrupt interference interface

based on client- based on publish-


based on both of based on none of
36 mqtt is: server subscribearchitect b
the above the above
architecture ure

device that allows


none of the
wireless devices wireless devices to
37 what is the access point (ap) in wireless lan? mentionedevelop both (a) and (b) d
itself connect to a wired
ment
network
none of the access point is not nodes are not access point is
38 in wireless ad-hoc network b
mentioned required required must
wi-fi protected wired process wired protected wi-fi process
39 what is wpa? a
access access access access
none of the
40 an interconnected collection of piconet is called micronet scatternet mininet b
mentioned

remote command- remote command all of the secure data


41 secure shell (ssh) network protocol is used for c
line loginsession executionsession mentioned communication

none of the
42 the network layer concerns with bits frames packets d
mentioned
none of the
43 ethernet frame consists of ip address both (a) and (b) mac address d
mentioned
sr.no question op1 op2 op3 op4 answer
interconnection of
a vast collection of none of the
44 what is internet? local area a single network b
different networks mentioned
networks
45. what is the clock frequency of the 8087?
A. 10 mhz
B. 5 mhz
C. 6 mhz
D. 4 mhz
ans: b

46. how are negative numbers stored in a coprocessor?
A. 1's complement
B. 2's complement
C. decimal
D. gray
ans: b

47. how many bits are used for storing signed integers?
A. 2
B. 4
C. 8
D. 16
ans: d

48. which of the processors has an internal coprocessor?
A. 8087
B. 80287
C. 80387
D. 80486dx
ans: d

49. what are the two major sections in a coprocessor?
A. control unit and numeric unit
B. integer unit and floating point unit
C. control unit and coprocessor unit
D. coprocessor and numeric control unit
ans: a

50. which of the processors is based on risc?
A. sparc
B. 80386
C. mc68030
D. mc68020
ans: a

51. what is the 80/20 rule?
A. 80% of instructions are generated and 20% of instructions are executed
B. 80% of instructions are executed and 20% of instructions are generated
C. 80% of instructions are executed and 20% of instructions are not executed
D. 80% of instructions are generated and 20% of instructions are not generated
ans: a

52. which of the architectures is more complex?
A. sparc
B. mc68030
C. mc68030
D. 8086
ans: a

53. which is the first company that defined the risc architecture?
A. intel
B. ibm
C. motorola
D. mips
ans: b

54. which of the following processors executes its instructions in a single cycle?
A. 8086
B. 8087
C. 8088
D. mips r2000
ans: d

55. which of the following is a coprocessor of the 80386?
A. 80387
B. 8087
C. 8088
D. 8089
ans: a

56. name the processor which helps in floating point calculations.
A. microprocessor
B. microcontroller
C. coprocessor
D. controller
ans: c

57. which is the coprocessor of the 8086?
A. 8087
B. 8088
C. 8086
D. 8080
ans: a

58. which of the following is a coprocessor of the motorola 68000 family?
A. 68001
B. 68011
C. 68881
D. 68010
ans: c

59. which of the following processors can perform exponential, logarithmic and trigonometric functions?
A. 8086
B. 8087
C. 8080
D. 8088
ans: b

60. how many stack registers does an 8087 have?
A. 4
B. 8
C. 16
D. 32
ans: b

61. which of the following processors can handle infinity values?
A. 8080
B. 8086
C. 8087
D. 8088
ans: c
62. which coprocessor supports affine closure?
A. 80187
B. 80287
C. 80387
D. 8088
ans: b

63. which one is the floating point coprocessor of the 80286?
A. 8087
B. 80187
C. 80287
D. 80387
ans: c

64. how many pins does the 8087 have?
A. 40 pin dip
B. 20 pin dip
C. 40 pin
D. 20 pin
ans: a

65. which one of the following offers cpus with integrated memory or peripheral interfaces?
A. microcontroller
B. microprocessor
C. embedded system
D. memory system
ans: a

66. which of the following uses external chips for memory and peripheral interface circuits?
A. microcontroller
B. microprocessor
C. peripheral system
D. embedded system
ans: b

67. how many bits does the mc6800 family have?
A. 16
B. 32
C. 4
D. 8
ans: d

68. which of the following is a 4-bit architecture?
A. mc6800
B. 8086
C. 80386
D. national cop series
ans: d

69. what is cisc?
A. complex instruction set computing
B. computing instruction set complex
C. complementary instruction set computing
D. complex instruction set complementary
ans: a

70. how is the protection and security for an embedded system made?
A. otp
B. ipr
C. security chips
D. memory disk security
ans: b

71. which of the following possesses a cisc architecture?
A. mc68020
B. arc
C. atmel avr
D. blackfin
ans: a

72. which of the following is a risc architecture?
A. 80286
B. mips
C. zilog z80
D. 80386
ans: b

73. which one of the following is a board based system?
A. data bus
B. address bus
C. vmebus
D. dma bus
ans: c

74. vme bus stands for
A. versa module europa bus
B. versa module embedded bus
C. vertical module embedded bus
D. vertical module europa bus
ans: a

75. the arm processors don't support byte addressability.
A. block level
B. logical volumes
C. distance
D. signals
ans: d

76. deadline-driven constraints are so called
A. reality-time constraints
B. real-time constraints
C. real-data constraints
D. none of the above
ans: b

77. the processor must accept and process the frame before the next frame arrives; this is typically called
A. hard real-time systems
B. real-time constraints
C. real-data constraints
D. soft real-time systems
ans: a

78. what are the essential tight constraints related to the design metrics of an embedded system?
A. ability to fit on a single chip
B. low power consumption
C. fast data processing for real-time operations
D. all of the above
ans: d

79. which function/s is/are provided by the integrated memory management unit in the 80386 architecture?
A. optional on-chip paging
B. 4 levels of protection
C. virtual memory support
D. all of the above
ans: d

80. abort mode is generally entered when
A. an attempt to access memory fails
B. a low priority interrupt is raised
C. undefined instructions are to be handled
D. the arm processor is on reset
ans: a

81. what is/are the configuration status of the control unit in risc processors?
A. hardwired
B. microprogrammed
C. both a and b
D. none of the above
ans: a
82. the main importance of arm microprocessors is providing operation with
A. low cost and low power consumption
B. a higher degree of multi-tasking
C. lower error or glitches
D. efficient memory management
ans: a

83. arm processors were basically designed for
A. main frame systems
B. distributed systems
C. mobile systems
D. super computers
ans: c

84. who invented flash memory?
A. dr. fujio masuoka
B. john ellis
C. josh fisher
D. john ruttenberg
ans: a

85. which of the following is serial access memory?
A. ram
B. flash memory
C. shifters
D. rom
ans: c

86. which is the early form of non-volatile memory?
A. magnetic core memory
B. ferrimagnetic memory
C. anti-magnetic memory
D. anti-ferromagnetic
ans: a

87. which of the following memories has more speed in accessing data?
A. sram
B. dram
C. eprom
D. eeprom
ans: a

88. in which memory are the signals multiplexed?
A. dram
B. sram
C. eprom
D. eeprom
ans: a

89. how many main signals are used with memory chips?
A. 2
B. 4
C. 6
D. 8
ans: b

90. what is the purpose of the address bus?
A. to select a specified chip
B. to provide data to and from the chip
C. to select a location within the memory chip
D. to select a read/write cycle
ans: c

91. which are the two main types of processor connection to the motherboard?
A. sockets and slots
B. sockets and pins
C. slots and pins
D. pins and ports
ans: a

92. which of the following has programmable hardware?
A. microcontroller
B. microprocessor
C. coprocessor
D. fpga
ans: d

93. who invented the trimedia processor?
A. intel
B. ibm
C. apple
D. nxp semiconductor
ans: d

94. which one of the following is the successor of the 8086 and 8088 processors?
A. 80286
B. 80387
C. 8051
D. 8087
ans: a

95. which is the processor behind the ibm pc at?
A. 80387
B. 8088
C. 80286
D. 8086
ans: c

96. which are the two modes of the 80286?
A. real mode and protected mode
B. alternate and main
C. mode a and mode b
D. mode1 and mode2
ans: a

97. which register set of the 80286 forms the same register set as the 8086 processor?
A. ah, al
B. bx
C. bx, ax
D. el
ans: a

98. which are the 4 general purpose 16-bit registers in the intel 80286?
A. cs, ds, ss, es
B. ax, bx, cx, dx
C. ip, fl, di, si
D. di, si, bp, sp
ans: b

99. which are the 4 segment registers in the intel 80286?
A. ax, bx, cx, dx
B. cs, ds, ss, es
C. sp, di, si, bp
D. ip, fl, si, di
ans: b

100. how is expanded memory accessed in the 80286?
A. paging
B. interleaving ram
C. external storage
D. none of the above
ans: a
101. when does the register set get expanded in the 80286?
A. in real mode
B. in expanded mode
C. in protected mode
D. in interrupt mode
ans: c

102. which are the two register sets available in the protected mode of the 80286?
A. general and segmented
B. general and pointer
C. index and base pointer
D. index and segmented
ans: c

103. what kind of support does the 80286 access in protected mode?
A. real mode address
B. access
C. data access
D. virtual memory
ans: d

104. which of the following is a process of analyzing the set of possible designs?
A. design space exploration
B. scheduling
C. hardware/software partitioning
D. compilation
ans: a

105. in which design activity are the loops interchangeable?
A. compilation
B. scheduling
C. high-level transformation
D. hardware/software partitioning
ans: c

106. name the processor which helps in floating point calculations.
A. microprocessor
B. microcontroller
C. coprocessor
D. controller
ans: c

107. abort mode is generally entered when
A. an attempt to access memory fails
B. a low priority interrupt is raised
C. undefined instructions are to be handled
D. the arm processor is on reset
ans: a

108. what is the nature of the instruction size in cisc processors?
A. fixed
B. variable
C. both a and b
D. none of the above
ans: b

109. embedded systems applications typically involve processing information as
A. block level
B. logical volumes
C. distance
D. signals
ans: d

110. deadline-driven constraints are so called
A. deadline-driven constraints so called
B. real-time constraints
C. real-data constraints
D. none of the above
ans: b

111. what is/are the configuration status of the control unit in risc processors?
A. hardwired
B. microprogrammed
C. both a and b
D. none of the above
ans: a

112. which one of the following is a header file?
A. proc()
B. truct()
C. files
D. #include
ans: d

113. which one of the following is also called a loader?
A. linker
B. locater
C. compiler
D. assembler
ans: a
course :- emerging trends in computer and information technology
chapter 1 - internet of things

1. what are the undesirable properties of knowledge?
A. voluminous
B. difficult to characterize
C. variability
D. all of the above
ans: d

2. morphological segmentation
A. does discourse analysis
B. separates words into individual morphemes and identifies the class of the morphemes
C. is an extension of propositional logic
D. none
ans: b

3. how should knowledge be represented to be used for an ai technique?
A. knowledge should be represented such that it can be understood by the people who have provided it
B. knowledge should be represented in a way that it can be easily modified
C. when two individual situations are represented, knowledge should provide generalization such that only common properties of both situations are provided
D. all of these
ans: d

4. how many types of entities are there in knowledge representation?
A. facts
B. symbols
C. both a and b
D. none
ans: c

5. what are the properties of a good knowledge representation system?
A. representational adequacy
B. inferential adequacy
C. inferential efficiency
D. all of these
ans: d

6. natural language processing (nlp) is a field of
A. computer science
B. artificial intelligence
C. linguistics
D. all of the mentioned
ans: d

7. what is artificial intelligence?
A. putting your intelligence into a computer
B. programming with your own intelligence
C. making a machine intelligent
D. putting more memory into a computer
ans: c

8. artificial intelligence has its expansion in the following areas:
A. planning and scheduling
B. game playing
C. robotics
D. all of the above
ans: d

9. the characteristic of a computer system capable of thinking, reasoning and learning is known as
A. machine intelligence
B. human intelligence
C. artificial intelligence
D. virtual intelligence
ans: c

10. the first ai programming language was called:
A. basic
B. fortran
C. ipl
D. lisp
ans: c
11. the first widely-used commercial form of artificial intelligence (ai) is being used in many popular products like microwave ovens, automobiles and plug-in circuit boards for desktop pcs. it allows machines to handle vague information with a deftness that mimics human intuition. what is the name of this ai?
A. boolean logic
B. human logic
C. fuzzy logic
D. functional logic
ans: c

12. what is the term used for describing the judgmental or commonsense part of problem solving?
A. heuristic
B. critical
C. value based
D. analytical
ans: a

13. which kind of planning consists of successive representations of different levels of a plan?
A. hierarchical planning
B. non-hierarchical planning
C. project planning
D. all of the above
ans: a

14. what was originally called the "imitation game" by its creator?
A. the turing test
B. lisp
C. the logic theorist
D. cybernetics
ans: a

15. prolog is an ai programming language which solves problems with a form of symbolic logic known as predicate calculus. it was developed in 1972 at the university of marseilles by a team of specialists. can you name the person who headed this team?
A. alain colmerauer
B. nicklaus wirth
C. seymour papert
D. john mccarthy
ans: a

16. an ai technique that allows computers to understand associations and relationships between objects and events is called:
A. heuristic processing
B. cognitive science
C. relative symbolism
D. pattern matching
ans: d

17. the field that investigates the mechanics of human intelligence is:
A. history
B. cognitive science
C. psychology
D. sociology
ans: b

18. what is the name of the computer program that simulates the thought processes of human beings?
A. human logic
B. expert reason
C. expert system
D. personal information
ans: c

19. what is the name of the computer program that contains the distilled knowledge of an expert?
A. data base management system
B. management information system
C. expert system
D. artificial intelligence
ans: c

20. claude shannon described the operation of electronic switching circuits with a system of mathematical logic called:
A. lisp
B. xlisp
C. boolean algebra
D. neural networking
ans: c

21. which of the following is considered to be a pivotal event in the history of ai?
A. 1949, donald o., the organization of behavior
B. 1950, computing machinery and intelligence
C. 1956, dartmouth university conference organized by john mccarthy
D. 1961, computer and computer sense
ans: c

22. high-resolution, bit-mapped displays are useful for displaying:
A. clearer characters
B. graphics
C. more characters
D. all of the above
ans: d

23. a bidirectional feedback loop links computer modelling with:
A. artificial science
B. heuristic processing
C. human intelligence
D. cognitive science
ans: d
24. which of the following have people traditionally done better than computers?
A. recognizing relative importance
B. finding similarities
C. resolving ambiguity
D. all of the above
ans: d

25. the explanation facility of an expert system may be used to:
A. construct a diagnostic model
B. expedite the debugging process
C. explain the system's reasoning process
D. both b and c
ans: d

26. strong artificial intelligence is
A. the embodiment of human intellectual capabilities within a computer
B. a set of computer programs that produce output that would be considered to reflect intelligence if it were generated by humans
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the mentioned
ans: a

27. which nobel laureate is also known as the father of artificial intelligence?
A. herbert a. simon
B. howard aiken
C. charles babbage
D. alan turing
ans: a

28. weak ai is
A. the embodiment of human intellectual capabilities within a computer
B. a set of computer programs that produce output that would be considered to reflect intelligence if it were generated by humans
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
ans: c

29. who is considered to be the "father" of artificial intelligence?
A. fisher ada
B. john mccarthy
C. allen newell
D. alan turing
ans: b

30. a. m. turing developed a technique for determining whether a computer could or could not demonstrate artificial intelligence. presently, this technique is called
A. turing test
B. algorithm
C. boolean algebra
D. logarithm
ans: a

31. which of these schools was not among the early leaders in ai research?
A. dartmouth university
B. harvard university
C. stanford university
D. massachusetts institute of technology
ans: b

32. a certain professor at stanford university coined the term 'artificial intelligence' in 1956 at a conference held at dartmouth college. can you name the professor?
A. david levy
B. john mccarthy
C. joseph weizenbaum
D. hans berliner
ans: b

33. strong ai is
A. the embodiment of human intellectual capabilities within a computer
B. a set of computer programs that produce output that would be considered to reflect intelligence if it were generated by humans
C. the study of mental faculties through the use of mental models
D. all of the above
ans: a
34. mqtt stands for
A. mq telemetry things
B. mq transport telemetry
C. mq transport things
D. mq telemetry transport
ans: d

35. mqtt is a ___ protocol.
A. machine to machine
B. internet of things
C. machine to machine and internet of things
D. machine things
ans: c

36. which protocol is lightweight?
A. mqtt
B. http
C. coap
D. spi
ans: a

37. artificial intelligence is a branch of science which deals with helping machines find solutions to complex problems in a more human-like fashion.
A. artificial intelligence
B. internet of things
C. embedded system
D. cyber security
ans: a

38. iana stands for:
A. internal assessment numerical access
B. internet association numbers authority
C. international aid for network automation
D. internet assigned numbers authority
ans: d

39. the standard port number for secure mqtt is:
A. 1883
B. 8000
C. 8883
D. 8888
ans: c

40. ___ specifies the function that will be called when the client disconnects.
A. callback
B. error
C. connect
D. disconnect
ans: d

41. ___ specifies the function that will be called when a successful re-connection is completed.
A. callback
B. error
C. connect
D. reconnect
ans: d

42. ___ specifies the function that will be called on a successful connection with the pubnub cloud.
A. callback
B. error
C. connect
D. reconnect
ans: c

44. which one is not an element?
A. people
B. process
C. security
D. things
ans: c

45. which one out of these is not a data link layer technology?
A. bluetooth
B. uart
C. wifi
D. http
ans: d

46. what is the standard length of a mac address?
A. 16 bits
B. 32 bits
C. 48 bits
D. 64 bits
ans: c

47. ___ specifies the function that will be called when there is a new message received from the channel.
A. reconnect
B. error
C. connect
D. callback
ans: d

48. ___ specifies the function that will be called on an error event.
A. callback
B. error
C. connect
D. reconnect
ans: b

49. what is the java extension file in iot?
A. .jar
B. .c
C. .exe
D. .py
ans: a

50. do we run our program on the same computer where we have written it?
A. true
B. false
C. may or may not
D. cannot be determined
ans: c

51. the publish command message is sent from
A. only publisher to broker
B. only broker to publisher
C. publisher to broker and broker to publisher
D. server to client
ans: c

52. the message is sent to the input queue of a message flow that contains a
A. subscriber
B. server
C. publication node
D. client
ans: c
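Questions 36, 39 and 51 describe the publish/subscribe flow of MQTT: a publisher sends a PUBLISH packet to the broker, and the broker forwards a PUBLISH of its own to every subscriber whose topic filter matches. The following added example (not from the question bank, and not the code of any MQTT library) implements the MQTT 3.1.1 PUBLISH packet format, the wildcard topic matching the broker performs, and an in-memory broker that routes packets between clients. The `Broker` class, client ids and topics are constructed for the example; the port constants are the IANA-registered ones (1883 plain, 8883 over TLS).

```python
# Added example (not from the question bank, not a library's code): a minimal
# MQTT 3.1.1 PUBLISH codec, wildcard topic matching and an in-memory broker that
# shows a PUBLISH travelling publisher -> broker -> each matching subscriber.
from typing import Dict, List, Tuple

MQTT_PORT, MQTT_TLS_PORT = 1883, 8883   # IANA registered: plain, and over TLS
PUBLISH = 3                             # packet-type nibble from the spec


def _encode_len(n: int) -> bytes:
    """MQTT 'remaining length': 7 bits per byte, high bit = more bytes follow."""
    out = bytearray()
    while True:
        n, byte = divmod(n, 128)
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _decode_len(data: bytes, pos: int) -> Tuple[int, int]:
    """Return (remaining_length, position after it); reject > 4 length bytes."""
    value, mult = 0, 1
    while True:
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")


def _utf8(s: str) -> bytes:
    """MQTT string: 2-byte big-endian length prefix followed by UTF-8 bytes."""
    raw = s.encode("utf-8")
    return len(raw).to_bytes(2, "big") + raw


def encode_publish(topic: str, payload: bytes, retain: bool = False) -> bytes:
    """Build a QoS 0 PUBLISH packet (QoS 0 carries no packet identifier)."""
    body = _utf8(topic) + payload
    return bytes([(PUBLISH << 4) | int(retain)]) + _encode_len(len(body)) + body


def decode_publish(packet: bytes) -> Tuple[str, bytes, int]:
    """Return (topic, payload, qos) from a PUBLISH packet; reject anything else."""
    if packet[0] >> 4 != PUBLISH:
        raise ValueError("not a PUBLISH packet")
    qos = (packet[0] >> 1) & 0x03
    length, pos = _decode_len(packet, 1)
    if len(packet) - pos != length:
        raise ValueError("remaining length does not match packet size")
    tlen = int.from_bytes(packet[pos:pos + 2], "big")
    pos += 2
    topic = packet[pos:pos + tlen].decode("utf-8")
    pos += tlen
    if qos:
        pos += 2  # QoS 1/2 packets carry a 2-byte packet identifier here
    return topic, packet[pos:], qos


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT wildcards: '+' matches one level, '#' the remaining levels (last only)."""
    f, t = filter_.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


class Broker:
    """In-memory stand-in for a broker: stores subscriptions and routes PUBLISHes."""

    def __init__(self) -> None:
        self.subs: Dict[str, List[str]] = {}      # client id -> topic filters
        self.inbox: Dict[str, List[bytes]] = {}   # client id -> packets delivered

    def subscribe(self, client: str, topic_filter: str) -> None:
        self.subs.setdefault(client, []).append(topic_filter)
        self.inbox.setdefault(client, [])

    def publish(self, packet: bytes) -> List[str]:
        """Accept a PUBLISH from a publisher, forward a fresh PUBLISH to every
        subscriber whose filter matches, and return the ids that received one."""
        topic, payload, _qos = decode_publish(packet)
        delivered = []
        for client, filters in self.subs.items():
            if any(topic_matches(f, topic) for f in filters):
                self.inbox[client].append(encode_publish(topic, payload))
                delivered.append(client)
        return delivered
```

The broker never echoes a packet back unchanged: it decodes, decides by topic, and re-encodes. That is also where access control belongs in a real deployment (which clients may publish or subscribe to which filters), and why the TLS port 8883 matters: without it the topic names and payloads cross the network in the clear.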
53. rostopic uses ___ at the command line for representing the content of the message.
A. yaml_syntax
B. rostopic bw
C. rostopic delay
D. rostopic echo
ans: a

54. rostopic delay will provide delay for
A. topics which have a header
B. topics which have a tail
C. topics which have a tail and head
D. all topics
ans: a

55. which command finds out the topic?
A. rostopic bw
B. rostopic delay
C. rostopic echo
D. rostopic find
ans: d

56. what does iot collect?
A. human generated data
B. sensor data
C. machine generated data
D. device data
ans: c

57. which requires data stream management?
A. bigdata
B. iot
C. bigdata & iot
D. device data
ans: b

58. which requires edge analytics?
A. bigdata
B. iot
C. bigdata & iot
D. device data
ans: b

59. the iot operates at ___ scale.
A. machine
B. human
C. device
D. sensor
ans: a

60. one way to see observations addressing iot analytics is?
A. 4-tier analytics
B. 2-tier analytics
C. 1-tier analytics
D. 3-tier analytics
ans: d

61. which tier performs individual wind turbine real time performance?
A. 3-tier analytics
B. 2-tier analytics
C. 1-tier analytics
D. 4-tier analytics
ans: c

62. which tier performs predictive maintenance?
A. 3-tier analytics
B. 2-tier analytics
C. 1-tier analytics
D. 4-tier analytics
ans: b

63. which tier is the data lake enabled core analytics platform?
A. 4-tier analytics
B. 2-tier analytics
C. 1-tier analytics
D. 3-tier analytics
ans: d

64. what does bigdata collect?
A. human generated data
B. sensor data
C. machine generated data
D. device data
ans: a
course :- emerging trends in computer and information technology
chapter 4 - digital evidence

1. a valid definition of digital evidence is:
A. data stored or transmitted using a computer
B. information of probative value
C. digital data of probative value
D. any digital evidence on a computer
ans: c

2. what are the three general categories of computer systems that can contain digital evidence?
A. desktop, laptop, server
B. personal computer, internet, mobile telephone
C. hardware, software, networks
D. open computer systems, communication systems, embedded computer systems
ans: d

3. in terms of digital evidence, a hard drive is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: a

4. in terms of digital evidence, a mobile telephone is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: c

5. in terms of digital evidence, a smart card is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: c

6. in terms of digital evidence, the internet is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: b

7. computers can be involved in which of the following types of crime?
A. homicide and sexual assault
B. computer intrusions and intellectual property theft
C. civil disputes
D. all of the above
ans: d

8. a logon record tells us that, at a specific time:
A. an unknown person logged into the system using the account
B. the owner of a specific account logged into the system
C. the account was used to log into the system
D. none of the above
ans: c

9. cybertrails are advantageous because:
A. they are not connected to the physical world
B. nobody can be harmed by crime on the internet
C. they are easy to follow
D. offenders who are unaware of them leave behind more clues than they otherwise would have
ans: d

10. private networks can be a richer source of evidence than the internet because:
A. they retain data for longer periods of time
B. owners of private networks are more cooperative with law enforcement
C. private networks contain a higher concentration of digital evidence
D. all of the above
ans: c
11. due to caseload and budget constraints, computer security professionals often attempt to limit the damage and close each investigation as quickly as possible. which of the following is not a significant drawback to this approach?
A. each unreported incident robs attorneys and law enforcement personnel of an opportunity to learn about the basics of computer-related crime
B. responsibility for incident resolution frequently does not reside with the security professional, but with management
C. this approach results in under-reporting of criminal activity, deflating statistics that are used to allocate corporate and government spending on combating computer related crime
D. computer security professionals develop loose evidence processing habits that can make it more difficult for law enforcement personnel and attorneys to prosecute an offender
ans: b

12. the criminological principle which states that, when anyone, or anything, enters a crime scene he/she takes something of the scene with him/her, and leaves something of himself/herself behind, is:
A. locard's exchange principle
B. differential association theory
C. beccaria's social contract
D. none of the above
ans: a

13. the author of a series of threatening e-mails consistently uses "im" instead of "i'm." this is an example of:
A. an individual characteristic
B. an incidental characteristic
C. a class characteristic
D. an indeterminate characteristic
ans: a

14. personal computers and networks are often a valuable source of evidence. those involved with ___ should be comfortable with this technology.
A. criminal prosecution
B. investigation
C. defense work
D. all of the above
ans: d

15. an argument for including computer forensic training for computer security specialists is:
A. it provides an additional credential
B. it provides them with the tools to conduct their own investigations
C. it teaches them when it is time to call in law enforcement
D. none of the above
ans: c

16. computers can play the following roles in a crime:
A. target, object, and subject
B. evidence, instrumentality, contraband, or fruit of crime
C. object, evidence, and tool
D. symbol, instrumentality, and source of evidence
ans: b

17. the first us law to address computer crime was:
A. computer fraud and abuse act (cfaa)
B. florida computer crime act
C. computer abuse act
D. none of the above
ans: b

18. the following specializations exist in digital investigations:
A. first responder (a.k.a. digital crime scene technician)
B. forensic examiner
C. digital investigator
D. all of the above
ans: d

19. the first tool for making forensic copies of computer storage media was:
A. encase
B. expert witness
C. dd
D. safeback
ans: c
20. one of the most common approaches to validating forensic software is to:
A. examine the source code
B. ask others if the software is reliable
C. compare results of multiple tools for discrepancies
D. computer forensic tool testing projects
ans: c

21. an instrumentality of a crime is:
A. an instrument used to commit a crime
B. a weapon or tool designed to commit a crime
C. anything that plays a significant role in a crime
D. all of the above
ans: d

22. contraband can include:
A. child pornography
B. devices or programs for eavesdropping on communications
C. encryption devices or applications
D. all of the above
ans: d

23. a cloned mobile telephone is an example of:
A. hardware as contraband or fruits of crime
B. hardware as an instrumentality
C. information as contraband or fruits of crime
D. information as evidence
ans: a

24. digital photographs or videos of child exploitation are an example of:
A. hardware as contraband or fruits of crime
B. hardware as an instrumentality
C. information as evidence
D. information as contraband or fruits of crime
ans: d

25. stolen bank account information is an example of:
A. hardware as contraband or fruits of crime
B. information as contraband or fruits of crime
C. information as an instrumentality
D. information as evidence
ans: b

26. a network sniffer program is an example of:
A. hardware as contraband or fruits of crime
B. hardware as an instrumentality
C. information as an instrumentality
D. information as evidence
ans: c

27. computer equipment purchased with stolen credit card information is an example of:
A. hardware as contraband or fruits of crime
B. hardware as an instrumentality
C. hardware as evidence
D. information as contraband or fruits of crime
ans: a

28. a printer used for counterfeiting is an example of:
A. hardware as contraband or fruits of crime
B. hardware as an instrumentality
C. hardware as evidence
D. information as contraband or fruits of crime
ans: b

29. phone company records are an example of:
A. hardware as contraband or fruits of crime
B. information as contraband or fruits of crime
C. information as an instrumentality
D. information as evidence
ans: d

30. in the course of conducting forensic analysis, which of the following actions are carried out?
A. critical thinking
B. fusion
C. validation
D. all of the above
ans: d

31. having a member of the search team trained to handle digital evidence:
A. can reduce the number of people who handle the evidence
B. can serve to streamline the presentation of the case
C. can reduce the opportunity for opposing counsel to impugn the integrity of the evidence
D. all of the above
ans: d
32. an attorney asking a digital investigator to find evidence supporting a particular line of inquiry is an example of:
A. influencing the examiner
B. due diligence
C. quid pro quo
D. voir dire
ans: a

33. a digital investigator pursuing a line of investigation in a case because that line of investigation proved successful in two previous cases is an example of:
A. logical reasoning
B. common sense
C. preconceived theory
D. investigator's intuition
ans: c

34. a scientific truth attempts to identify rules that are universally true. legal judgment, on the other hand, has a standard of proof in criminal prosecutions of:
A. balance of probabilities
B. beyond a reasonable doubt
C. acquittal
D. none of the above
ans: b

35. regarding the admissibility of evidence, which of the following is not a consideration?
A. relevance
B. authenticity
C. best evidence
D. nominally prejudicial
ans: d

36. according to the text, the most common mistake that prevents evidence seized from being admitted is:
A. uninformed consent
B. forcible entry
C. obtained without authorization
D. none of the above
ans: c

37. in obtaining a warrant, an investigator must convince the judge on all of the following points except:
A. evidence of a crime is in existence
B. a crime has been committed
C. the owner or resident of the place to be searched is likely to have committed the crime
D. the evidence is likely to exist at the place to be searched
ans: c

38. if, while searching a computer for evidence of a specific crime, evidence of a new, unrelated crime is discovered, the best course of action is:
A. abandon the original search, and pursue the new line of investigation
B. continue with the original search but also pursue the new inquiry
C. stop the search and obtain a warrant that addresses the new inquiry
D. continue with the original search, ignoring the new information
ans: c

39. the process of documenting the seizure of digital evidence and, in particular, when that evidence changes hands, is known as:
A. chain of custody
B. field notes
C. interim report
D. none of the above
ans: a

40. when assessing the reliability of digital evidence, the investigator is concerned with whether the computer that generated the evidence was functioning normally, and:
A. whether chain of custody was maintained
B. whether there are indications that the actual digital evidence was tampered with
C. whether the evidence was properly secured in transit
D. whether the evidence media was compatible with forensic machines
ans: b
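Questions 19, 20, 39 and 40 come together in practice: a forensic copy made with a tool such as dd is only trusted once its hashes match the source, and the chain of custody that follows it records a hash at every hand-off so that tampering is detectable, not just alleged. The following added example (not from the question bank or any forensic product) models that workflow. The `acquire` function, the item ids, names, timestamps and the sample media bytes are constructed for the example; the hashing is standard SHA-256 and MD5 from the Python standard library.

```python
# Added example (not from the question bank): validate a forensic copy of storage
# media and keep a chain-of-custody log for it. The copy is hashed with two
# different algorithms and accepted only if both match the source, mirroring the
# practice of cross-checking tools; every hand-off records the current SHA-256 so
# that tampering in transit shows up as a hash change. Media content, names and
# timestamps are constructed for the example.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class CustodyEntry:
    when: str          # ISO 8601 timestamp written by the person taking custody
    from_person: str
    to_person: str
    sha256: str        # digest of the image at the moment of the hand-off
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    image: bytes
    log: List[CustodyEntry] = field(default_factory=list)


def acquire(source: bytes, block_size: int, bad_blocks: Iterable[int] = ()) -> bytes:
    """Bit-for-bit copy read block by block. A block listed in bad_blocks simulates
    a read error: it is zero-filled and skipped, as `dd conv=noerror,sync` does,
    so the image keeps its size but no longer matches the source."""
    bad = set(bad_blocks)
    out = bytearray()
    for n, offset in enumerate(range(0, len(source), block_size)):
        chunk = source[offset:offset + block_size]
        out += b"\x00" * len(chunk) if n in bad else chunk
    return bytes(out)


def digests(data: bytes) -> Dict[str, str]:
    """Two independent algorithms, as dual-hashing imagers record them."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def verify_copy(source: bytes, image: bytes) -> bool:
    """Accept the image only if every digest agrees with the source media."""
    return len(source) == len(image) and digests(source) == digests(image)


def transfer(item: EvidenceItem, when: str, from_person: str, to_person: str,
             note: str = "") -> CustodyEntry:
    """Record a hand-off; the hash is computed now, not copied from the last entry."""
    entry = CustodyEntry(when, from_person, to_person,
                         hashlib.sha256(item.image).hexdigest(), note)
    item.log.append(entry)
    return entry


def first_hash_change(item: EvidenceItem) -> Optional[int]:
    """Index of the first custody entry whose recorded hash differs from the one
    before it (the image was altered between those two hand-offs). len(item.log)
    means it changed after the last recorded hand-off; None means no change."""
    hashes = [e.sha256 for e in item.log] + [hashlib.sha256(item.image).hexdigest()]
    for i in range(1, len(hashes)):
        if hashes[i] != hashes[i - 1]:
            return i
    return None


def build_sample_media() -> bytes:
    """Constructed 16 KiB 'disk' with recognisable content."""
    return bytes(range(256)) * 64
```

Recomputing the hash at each hand-off, rather than copying the previous entry, is what gives the log its evidential value: the entry that first disagrees with its predecessor bounds the window in which the image changed and who held it then.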
41. the fact that, with modern technology, a photocopy of a document has become acceptable in place of the original is known as:
A. best evidence rule
B. due diligence
C. quid pro quo
D. voir dire
ans: a

42. evidence contained in a document provided to prove that statements made in court are true is referred to as:
A. inadmissible evidence
B. illegally obtained evidence
C. hearsay evidence
D. direct evidence
ans: c

43. business records are considered to be an exception to:
A. direct evidence
B. inadmissible evidence
C. illegally obtained evidence
D. hearsay evidence
ans: d

44. which of the following is not one of the levels of certainty associated with a particular finding?
A. probably
B. maybe
C. almost definitely
D. possibly
ans: b

45. direct evidence establishes a:
A. fact
B. assumption
C. error
D. line of inquiry
ans: a

46. what is one of the most complex aspects of jurisdiction when the internet is involved?
A. arranging to travel to remote locations to apprehend criminals
B. determining which court can enforce a judgment over a defendant
C. finding a court that is in two states
D. finding a federal court that can hear a civil suit
ans: b

47. in the us, to enforce a judgment over a defendant, a court must have which of the following?
A. subject matter and personal jurisdiction
B. general and limited jurisdiction
C. diversity and long arm jurisdiction
D. none of the above
ans: a

48. the miller test takes which of the following into account when determining if pornography is obscene?
A. it appeals to the public interest
B. it depicts sexual conduct in a patently offensive way
C. it lacks any monetary value
D. all of the above
ans: b

49. which of the following rights is not explicitly mentioned in the us constitution?
A. right of the people to keep and bear arms
B. right of personal privacy
C. right of the people peaceably to assemble
D. right to a speedy and public trial
ans: b

50. the definition of a "protected computer" is, according to the cfaa:
A. a computer that is used exclusively by a financial institution or the federal government
B. a computer that is used non-exclusively by a financial institution or the federal government and the crime affects that use
C. a computer that is used in state or foreign commerce or communication
D. all of the above
ans: d

51. the legislation that made the theft of trade secrets a federal crime was:
A. the lanham act
B. the economic espionage act
C. the child pornography protection act
D. none of the above
ans: b

52. which state does not have a law prohibiting simple hacking (gaining unauthorized access to a computer)?
A. california
B. texas
C. washington
D. none of the above
ans: d

53. the term "computer contaminant" refers to:
A. excessive dust found inside the computer case
B. viruses, worms, and other malware
C. spam e-mails
D. nigerian scam e-mails
ans: b

54. in those states with legislation addressing computer forgery, contraband in the form of "forgery devices" may include:
A. computers
B. computer equipment
C. specialized computer software
D. all of the above
ans: d

55. compelling a suspect to reveal passwords to provide access to encrypted media is considered to fall under the:
A. second amendment
B. fourth amendment
C. fifth amendment
D. seventh amendment
ans: c

56. an example of a content-related crime would be:
A. cyberstalking
B. child pornography
C. hacking
D. none of the above
ans: b

57. hacking is an example of:
A. computer-assisted crime
B. computer-related crime
C. computer-integrity crime
D. computer malfeasance crime
ans: c

58. forgery is an example of:
A. computer-assisted crime
B. computer-related crime
C. computer-integrity crime
D. computer malfeasance crime
ans: a

59. in ireland, the non-fatal offences against the person act of 1997 specifically addresses:
A. computerized welfare fraud
B. cyberbullying
C. nigerian scams
D. hacking
ans: b

60. jurisdiction claims may be based on:
A. location of the perpetrator's computer
B. location of the victim's computer
C. location of intermediary computers
D. all of the above
ans: d
standard operating procedures (sops) are important help individuals ensure that the best increase the all of the above
because they: avoid common available methods probability that two
mistakes are used forensic examiners
will reach the same
61 d
conclusions when
they examine the
evidence

62. the goal of an investigation is to:
A. convict the suspect
B. discover the truth
C. find incriminating evidence
D. all of the above
ans: b

63. an investigation can be hindered by the following:
A. preconceived theories
B. improperly handled evidence
C. offender concealment behavior
D. all of the above
ans: d

64. when you have developed a theory, what can you do to confirm that your hypothesis is correct?
A. predict, based on your hypothesis, where artifacts should be located
B. perform experiments to test results and rule out alternate explanations
C. conclude, based on your findings, whether the evidence supports the hypothesis
D. all of the above
ans: d

65. which of the following would be considered an individual characteristic?
A. the originating ip address in a network packet or e-mail header
B. a scratch on the glass of a flatbed scanner or digital camera lens
C. date-time stamps of files on a disk or entries in a database
D. all of the above
ans: b

66. when digital photographs containing child pornography are found on a home computer, investigators can assert that:
A. someone in the house transferred the photographs onto the computer from a disk or the internet
B. someone in the house took the photographs with a digital camera and transferred them directly onto the computer
C. someone in the house took the photographs with a digital camera and transferred them directly onto the computer
D. none of the above
ans: d

67. forensic examination involves which of the following:
A. assessment, experimentation, fusion, correlation, and validation
B. seizure and preservation
C. recovery, harvesting, filtering, organization, and search
D. all of the above
ans: c

68. forensic analysis involves the following:
A. assessment, experimentation, fusion, correlation, and validation
B. seizure and preservation
C. recovery, harvesting, filtering, organization, and search
D. all of the above
ans: a

69. the first step in applying the scientific method to a digital investigation is to:
A. form a theory on what may have occurred
B. experiment or test the available evidence to confirm or refute your prediction
C. make one or more observations based on events that occurred
D. form a conclusion based on the results of your findings
ans: c

70. which of the following should the digital investigator consider when arranging for the transportation of evidence?
A. should the evidence be physically in the possession of the investigator at all times?
B. will the evidence copies be shared with other experts at other locations?
C. will there be environmental factors associated with the digital media?
D. all of the above
ans: d

71. in the staircase model, why is case management shown spanning across all of the steps in the process model?
A. case documents are intangible objects that can be held.
B. case management provides stability and enables investigators to tie all relevant information together.
C. case management documents the process function.
D. none of the above.
ans: b

72. process models have their origins in the early theories of computer forensics, which defined the field in terms of a ________ process.
A. complicated
B. difficult
C. linear
D. polymorphic
ans: c

73. generating a plan of action and obtaining supporting resources and materials falls under which step in the digital investigation?
A. preparation
B. survey/identification
C. preservation
D. examination and analysis
ans: a

74. the process model whose goal is to completely describe the flow of information in a digital investigation is known as:
A. the physical model
B. the staircase model
C. the evidence flow model
D. the subphase model
ans: c

75. the following organizations have published guidelines for handling digital crime scenes:
A. us secret service
B. association of chief police officers
C. us department of justice
D. all of the above
ans: d

76. when a first responder encounters technology or equipment that he is not familiar with, the recommended course of action is to:
A. seize the equipment as if it were a known device
B. seek assistance from a more experienced digital investigator
C. leave that particular piece of equipment at the crime scene
D. ask the suspect for details on the equipment
ans: b

77. when preparing a questionnaire for interviewing individuals at the crime scene, which of the following should not be requested:
A. passwords
B. encryption keys
C. admission of guilt
D. details on removable storage
ans: c

78. when entering a crime scene, the initial survey should:
A. include user manuals
B. involve tracing cables
C. collect relevant data such as passwords and account details
D. all of the above
ans: d

79. examples of data that should be immediately preserved include:
A. usb drives
B. digital picture frames
C. system and network information
D. usb bracelets
ans: c

80. the crime scene preservation process includes all but which of the following:
A. protecting against unauthorized alterations
B. acquiring digital evidence
C. confirming system date and time
D. controlling access to the crime scene
ans: c

81. a thorough crime scene survey should include:
A. manuals for software applications
B. removable media
C. mobile devices
D. all of the above
ans: d

82. the challenge to controlling access to a digital crime scene is that:
A. information may be stored on internet servers in different locations
B. the computer may be shared.
C. the computer case may be locked.
D. none of the above.
ans: a

83. in the case where digital investigators dealing with distributed systems need to collect data from remote sites, the following procedure is recommended:
A. notify personnel at the remote sites to leave everything as is, and arrange for travel to the remote locations
B. notify personnel at the remote sites to shut down all systems and send the hard drives to the forensic lab
C. utilize remote forensics tools to acquire data from the remote sites' ram as well as the hard drives
D. none of the above
ans: c

84. when preserving evidence on an organizational network, the digital investigator may require the assistance of:
A. system administrators
B. the ceo of the organization
C. the cso (chief security officer)
D. additional forensic investigators
ans: a

85. which of the following is not a safety consideration for a first responder?
A. additional personnel to control those present at the crime scene
B. protection against elf emanations from monitors
C. proper tools for disassembling and reassembling computer cases
D. protective gloves and eyewear
ans: b

86. digital investigators like to preserve every potential source of digital evidence; however, they are constrained by:
A. the law
B. resources
C. the interests of business
D. all of the above
ans: d

87. during the initial survey of a crime scene, why is it necessary to photograph or videotape the area and items of potential interest in their current state?
A. this simplifies inventorying the crime scene
B. photographing items to be seized records their actual condition, and precludes damage claims when the items are returned to the offender.
C. to record the fact that a particular item was actually found at the crime scene.
D. none of the above.
ans: c

88. why is the first step to secure the physical crime scene by removing everyone from the immediate area?
A. to prevent them from contaminating evidence
B. to prevent them from asking questions about the case before they can be interviewed
C. to give them time to fill out a personal information survey
D. to keep them from blocking the view when photographs are being taken
ans: a

89. when a piece of evidence has both a biological and a digital component, who should process it first?
A. the crime scene technician, because biological artifacts are much more fragile
B. the digital investigator, because processing the biological artifacts will destroy digital evidence
C. neither; the evidence should be preserved and transported to the lab for processing
D. both the crime scene technician and the digital investigator, in a cooperative effort, assuring that the biological evidence is collected in a way that does not damage the digital component
ans: d

90. the process of evaluating available evidence objectively, independent of the interpretations of others, to determine its true meaning is referred to as:
A. equivocal forensic analysis
B. investigative reconstruction
C. threshold assessment
D. behavioral imprints
ans: a

91. the words that an offender uses on the internet, the tools that an offender uses online, and how an offender conceals his identity and criminal activity are referred to in the text as:
A. investigation reconstruction
B. threshold assessment
C. behavioral imprints
D. crime scene analysis
ans: c

92. investigative reconstruction is composed of three different forms. which of the following is not one of those three forms?
A. functional
B. intentional
C. relational
ans: b

93. creating a histogram of times to reveal periods of high activity is an example of which form of investigative reconstruction?
A. functional
B. intentional
C. relational
D. temporal
ans: d

94. the investigation and study of victim characteristics is known as:
A. criminal profiling
B. behavioral imprints
C. victimology
D. crime scene analysis
ans: c

95. why should victimology include a thorough search of the internet for cybertrails?
A. because the internet can significantly increase the victim's risk
B. because it is well known that even traditional criminal offenses are documented on the internet.
C. because nearly everyone uses the internet.
D. none of the above.
ans: a

96. the type of report that is a preliminary summary of findings is known as:
A. sitrep
B. threshold assessment report
C. full investigative report
D. field notes
ans: b

97. according to the text, the distinguishing features of a crime scene as evidenced by the offender's behavioral decisions regarding the victim and the offense location are known as:
A. hard evidence
B. fruit of the poison tree
C. caveat emptor
D. crime scene characteristics
ans: d

98. in crimes against individuals, the ________ period leading up to the crime often contains the most important clues regarding the relationship between the offender and the victim.
A. 24-hour
B. 48-hour
C. 60-minute
D. 15-minute
ans: a

99. one of the most important things to establish when a computer is directly involved in the commission of a crime is:
A. where the computer was purchased
B. what operating system is in use
C. who or what was the intended victim or target
D. none of the above
ans: c

100. an example of online behavior that puts an individual at higher risk for cyberstalking is:
A. using your real name online
B. putting personal information in your profile
C. posting photographs on a social networking page
D. all of the above
ans: d

101. in the movie home alone, one of the burglars would always turn the water on in the sinks so that the house would be flooded when the owners returned. in terms of crime scene characteristics, this is an example of:
A. psychotic episode
B. signature-oriented behavior
C. modus operandi
D. vandalism
ans: b

102. the totality of choices an offender makes during the commission of a crime are referred to as:
A. the criminal's mo
B. crime scene characteristics
C. tangible evidence
D. none of the above
ans: b

103. because seemingly minor details regarding the offender can be important, investigators should get into the habit of contemplating which of the following:
A. what the offender brought to the crime scene
B. what the offender took from the crime scene
C. what the offender changed at the crime scene
D. all of the above
ans: d

104. one reason digital investigators write threshold assessments more often than full reports is because:
A. they will be included in a final report, and so distribute the time for final report preparation over the entire period of the investigation
B. they keep their supervisor aware of their productivity.
C. they take less time to prepare and may be sufficient to close out an investigation.
D. they serve as field notes for the investigator.
ans: c

105. every violent crime investigation should incorporate digital evidence because digital evidence may reveal:
A. investigative leads
B. likely suspects
C. previously unknown crimes
D. all of the above
ans: d

106. how the offender approaches and obtains control of a victim or target is significant because it exposes the offender's:
A. motives
B. choice of weapons
C. modus operandi
D. signature behaviors
ans: a

107. crime scenes fall into two categories: primary and ________.
A. remote
B. secondary
C. ancillary
D. theoretical
ans: b

108. when reconstructing evidence surrounding a violent crime, it is generally helpful to:
A. lay out all the evidence so it can be viewed in its entirety
B. work with the crime scene technicians so that a better understanding of the crime is achieved
C. construct a timeline of events from digital evidence
D. begin the process of converting field notes to a final report
ans: c

109. one reason not to put too much trust into those who run the company's computers is that:
A. there has always been an antagonism between system administrators and law enforcement
B. they are typically too busy to take the time to answer your questions
C. they are usually not authorized to answer questions.
D. they may be the offenders.
ans: d

110. although crime scenes are typically photographed, it is a good idea to create diagrams of the crime scene because:
A. diagramming is a common crime scene technician's skill; however, it requires continual practice
B. the process of creating a diagram can result in a digital investigator noticing an important item of evidence that would otherwise have been missed
C. the quality of photographs taken at the crime scene is not known until the film is developed.
D. none of the above.
ans: b

111. given the scope and consequences of violent crimes, when collecting digital evidence it is advisable to:
A. collect only that digital evidence that is clearly connected to the offense
B. focus only on the primary crime scene, as searching the offender's home and workplace requires additional authorization
C. seek out and preserve all available digital evidence
D. focus only on the offender's digital evidence, as the victim's digital evidence is usually of little value
ans: c

112. when swift action is needed, law enforcement personnel may be permitted to conduct searches without a warrant under:
A. searches of this kind are permitted
B. exigent circumstances
C. eminent domain
D. mens rea
ans: b

113. when processing the digital crime scene in a violent crime investigation it is important to have ________ to ensure that all digital evidence and findings can hold up under close scrutiny.
A. a good supply of electrostatic bags for holding sensitive electronic components
B. more than one reliable camera for photographing the crime scene
C. standard operating procedures for processing a digital crime scene
D. a good supply of nitrile gloves
ans: c

114. the federal statute that has a provision allowing internet service providers to disclose subscriber information to law enforcement in exigent circumstances is:
A. ecpa
B. ccpa
C. the privacy act
D. fcra
ans: a

115. when reconstructing evidence surrounding a violent crime, it is generally helpful to:
A. diagram the crime scene
B. create a timeline of events from digital evidence
C. create a threat assessment report
D. none of the above
ans: b

116. a thief who has programmed and released a virus to roam a network looking for victim passwords used for online banking is an example of what offense behavior?
A. power assertive
B. profit oriented
C. power reassurance
D. anger retaliatory
ans: b

117. the case of a michigan bank robber requiring tellers to undress so he could photograph them is an example of:
A. deviant behavior
B. aberrant criminal humor
C. crime scene characteristics
D. investigative reconstruction
ans: c

118. the assessment of the victim as they relate to the offender, the crime scene, the incident, and the criminal justice system is known as:
A. threat assessment methodology
B. signature behaviors
C. behavioral evidence analysis
D. victimology
ans: d

119. computers and mobile devices are treated as ________ crime scenes in violent crime investigations.
A. temporary
B. immediate
C. remote
D. secondary
ans: d

120. during the commission of a crime, evidence is transferred between the offender's computer and the target. this is an example of:
A. locard's exchange principle
B. sutherland's general theory of criminology
C. martin's rule
D. parkinson's rule of available space
ans: a

121. intruders who have a preferred toolkit that they have pieced together over time, with distinctive features:
A. usually have little experience and are relying on the kit
B. show little initiative, letting the tool do the work
C. are generally more experienced
D. pose less of a threat
ans: c

122. in the case of a computer intrusion, the target computer is:
A. the remote crime scene
B. the auxiliary crime scene
C. the virtual crime scene
D. the primary crime scene
ans: d

123. a computer intruder's method of approach and attack can reveal a significant amount about their:
A. skill level
B. knowledge of the target
C. intent
D. all of the above
ans: d

124. determining skill level can lead to:
A. determining the extent of the intrusion
B. likely hiding places for rootkits and malware
C. suspects
D. offense behaviors
ans: c

125. if digital investigators find an unauthorized file, they should:
A. immediately move the file to removable media
B. check for other suspicious files in the same directory
C. execute the file to determine its purpose
D. permanently delete the file
ans: b

126. remote forensic solutions can be used to access live systems, and include the ability to:
A. acquire and, sometimes, analyze memory
B. image systems without ever having to leave the lab
C. conduct examination and analysis without the need to image
D. image large systems across the internet
ans: a

127. a forensic analysis conducted on a forensic duplicate of the system in question is referred to as:
A. virtual analysis
B. clone analysis
C. post-mortem analysis
D. ex post facto analysis
ans: c

128. capturing all of the network traffic to and from the compromised system can:
A. allow the network administrators to participate in the investigation, establishing rapport for later interviews
B. reveal the source of the attack
C. seriously slow down the network, affecting normal work
D. none of the above
ans: b

129. a common technique that is highly useful and can be applied in a computer intrusion investigation is to simply focus on file system activities around the time of known events. this embodies a principle known as:
A. temporal proximity
B. timeline analysis
C. file system analysis
ans: a
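Questions 93 and 129 describe two uses of time in a reconstruction: a histogram that shows when a system was busy, and a proximity filter that pulls everything that changed around a known event. The Python below is an added example, not part of the original question set; the event list and the known event (an alert time) are constructed for illustration, where real input would come from a body file or MFT export.

```python
"""Temporal reconstruction over file-system timestamps.

Added example, not part of the original question set. Builds an hourly
activity histogram (temporal reconstruction, question 93) and filters
events within a window around a known event (temporal proximity,
question 129). The event list is constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: (UTC timestamp, path, action).
EVENTS = [
    ("2023-03-14T01:58:02Z", "/home/alice/.bash_history", "modified"),
    ("2023-03-14T02:03:41Z", "/tmp/.x", "created"),
    ("2023-03-14T02:04:10Z", "/tmp/.x", "modified"),
    ("2023-03-14T02:05:55Z", "/usr/local/bin/sshd", "modified"),
    ("2023-03-14T02:09:30Z", "/var/log/auth.log", "modified"),
    ("2023-03-14T09:15:00Z", "/home/alice/report.docx", "accessed"),
    ("2023-03-14T09:47:12Z", "/home/alice/report.docx", "modified"),
    ("2023-03-14T14:30:00Z", "/etc/cron.d/backup", "accessed"),
]

# Known event from another source, e.g. an IDS alert (constructed).
KNOWN_EVENT = "2023-03-14T02:05:00Z"


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def hourly_histogram(events):
    """Number of events in each clock hour: {'YYYY-MM-DD HH': count}."""
    counts = Counter(parse_ts(ts).strftime("%Y-%m-%d %H") for ts, _, _ in events)
    return dict(counts)


def peak_hours(events, top=1):
    """Busiest hours first; ties broken by earliest hour."""
    hist = hourly_histogram(events)
    return sorted(hist.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def near(events, known_ts, minutes=10):
    """Events within +/- `minutes` of `known_ts`, oldest first."""
    centre = parse_ts(known_ts)
    window = timedelta(minutes=minutes)
    hits = [e for e in events if abs(parse_ts(e[0]) - centre) <= window]
    return sorted(hits, key=lambda e: e[0])  # ISO 8601 strings sort by time


def render(hist):
    """Text histogram, one bar per hour, for a report or case notes."""
    return "\n".join("%s | %s %d" % (hour, "#" * n, n)
                     for hour, n in sorted(hist.items()))


if __name__ == "__main__":
    print(render(hourly_histogram(EVENTS)))
    print("peak:", peak_hours(EVENTS))
    for ts, path, action in near(EVENTS, KNOWN_EVENT, minutes=5):
        print(ts, action, path)
```

The histogram points at the 02:00 hour; widening the window around the alert then surfaces the shell-history write a few minutes earlier, which a filter restricted to the exact alert minute would miss.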
130. the registry key hklm\software\microsoft\windows\currentversion is one of the most common locations for:
A. new software entries
B. time and date information
C. trojans
D. a list of recently run programs
ans: c

131. when collecting data from a compromised computer, consideration should be given to collecting the ________ data first.
A. cmos
B. most volatile
C. magnetic
D. optical
ans: b

132. the forensic examiner needs to be aware that the process of collecting memory:
A. is seldom useful and not often called for
B. can take an extremely long period of time
C. is only needed for standalone systems
D. changes the contents of memory
ans: d

133. a more thorough method of collecting specific volatile data from a computer is to:
A. examine the specific memory addresses
B. collect the full contents of physical memory
C. selectively collect contents of physical memory
D. take screenshots
ans: b

134. why are “non-volatile” storage locations contained in the rfc 3227 “order of volatility”?
A. this is an old rfc and has not been updated
B. no form of data storage is permanent
C. an rfc is a request for comments, and corrections are expected.
D. none of the above.
ans: b

135. the first state in the united states to enact a law to deal with cyberstalkers was:
A. texas
B. hawaii
C. california
D. new york
ans: c

136. the first cyberstalking law in the us was passed in:
A. 1985
B. 1990
C. 1995
D. 2000
ans: b

137. stalkers want to exert power over their victims, primarily through:
A. fear
B. anxiety
C. autosuggestion
D. peer pressure
ans: a

138. a stalker's ability to frighten and control a victim increases with the amount of information that he can gather, such as:
A. telephone numbers
B. addresses
C. personal preferences
D. all of the above
ans: d

139. stalkers have taken to the internet because:
A. the cost of an internet connection has dropped considerably
B. they depend heavily on information and the internet contains vast amounts
C. they no longer have to go out to do their stalking
D. none of the above
ans: b

140. an implication from studies indicating that many stalkers had prior acquaintance with their victims is that:
A. part of the blame can be assigned to the victim
B. the offender is likely to be found in the same area as the victim
C. investigators should pay particular attention to acquaintances of the victim
D. investigators should always check the immediate family
ans: c

141. an excellent set of guidelines developed specifically for victims of stalking is available from:
A. the national center for victims of crime
B. the national white collar crime center
C. the department of justice
D. the national institute of justice
ans: a

142. when a cyberstalking case is stalled, it is a good idea to interview the victim again, because:
A. the victim might have been withholding information during the first interview
B. the information that investigators have gathered might help the victim recall additional details
C. the time between the first and second interviews has given the victim time to seek counseling
D. none of the above
ans: b

143. in determining how and why the offender selected a specific victim, the investigator should determine whether the cyberstalker:
A. knew the victim
B. learned about the victim through a personal web page
C. noticed the victim in a chat room
D. all of the above
ans: d

144. a key aspect of developing victimology is determining victim and offender ________.
A. hobbies
B. likes and dislikes
C. risks
D. roles
ans: c

145. when searching for evidence of cyberstalking, it is useful to distinguish between an offender's harassing behaviors and ________ behaviors.
A. grooming
B. surreptitious monitoring
C. initial contact
D. congenial
ans: b

146. that part of cyberstalking where the offender is using the internet to find a victim is known as:
A. profiling
B. trolling
C. surreptitious monitoring
D. none of the above.
ans: c

147. when a cyberstalker chooses victims at random, he is said to be an:
A. opportunistic stalker
B. power assertive stalker
C. profit-oriented stalker
D. none of the above
ans: a

148. the initial stage in a cyberstalking investigation is to:
A. search for additional digital evidence
B. analyze crime scene characteristics
C. conduct victimology and risk assessments
D. interview the victim
ans: d

149. it is extremely important for the investigator to be extremely cautious when dealing with a stalking case because:
A. if the victim becomes offended by the investigator's methods, she is likely to go file a complaint
B. if the investigation is conducted too openly, the offender may stop the harassment and move on to another victim
C. the victim must be protected, in case the offender decides to escalate to physical violence
D. the victims frequently become emotionally attached to the investigator
ans: c

150. which of the following is not part of the set of forensic methodologies referenced in this book?
A. preparation
B. interdiction
C. documentation
D. reconstruction
ans: b

151. preparation planning prior to processing a crime scene should include:
A. what computer equipment to expect at the site
B. what the systems are used for
C. whether a network is involved
D. all of the above
ans: d

152. the forensic crime scene processing kit should include all of the following, except:
A. evidence bags, tags, and other items to label and package evidence
B. forensically sanitized hard drives to store acquired data
C. compilers for developing forensic tools on site
D. hardware write blockers
ans: c

153. when processing the digital crime scene, one aspect of surveying for potential sources of digital evidence is:
A. recognizing relevant hardware such as computers, removable media, etc.
B. determining if electrical wiring is capable of supporting forensic machines
C. confirming that the operating environment is suitable for electronic equipment
D. making sure there is sufficient space to set up the forensic crime scene processing kit
ans: a

154. the ________ documentation specifies who handled the evidence, when, where, and for what purpose.
A. evidence inventory
B. chain of custody
C. evidence intake
D. preservation notes
ans: b

155. when documenting a crime scene, the computer and surrounding area should be photographed, detailed sketches should be made, and copious notes should be taken, because:
A. the more evidence collected, the stronger the case.
B. this provides a record for what to look for when you return for the second visit.
C. it is prudent to document the same evidence in several ways.
D. all of the above.
ans: c

156. in regard to preservation, in a child pornography investigation, which of the following should be collected?
A. photographs
B. papers
C. digital cameras
D. all of the above
ans: d

157. if it is determined that some hardware should be collected, but there is no compelling need to collect everything, the most sensible approach is to employ:
A. nearest reach doctrine
B. direct connectivity doctrine
C. independent component doctrine
D. slice-the-pie doctrine
ans: c

158. according to the us federal guidelines for searching and seizing computers, safe temperature ranges for most magnetic media are:
A. 60-80 degrees fahrenheit
B. 50-90 degrees centigrade
C. 50-90 degrees fahrenheit
D. 60-80 degrees centigrade
ans: c

159. which of the following is not an artifact that will be irrevocably lost if the computer is shut down?
A. running processes
B. open network ports
C. data stored in memory
D. system date and time
ans: d

160. which of the following is not one of the recommended approaches to preserving digital evidence?
A. place the evidential computers and storage media in secure storage for later processing
B. preview the evidential computer, taking appropriate notes
C. extract just the information needed from evidential computers and storage media
D. acquire everything from evidential computer and storage media
ans: b

161. the reason unix “dd” is considered a de facto standard for making bitstream copies is:
A. the majority of tools for examining digital evidence can interpret bitstream copies
B. “dd” stands for “digital data” and was developed for making forensic copies.
C. “dd,” although a unix tool, is universally able to traverse windows file systems.
D. the developers of “dd” have made arrangements with other forensic software companies.
ans: a

162. regarding the examination of a piece of digital evidence, which of the following is not one of the fundamental questions that need to be answered?
A. what is it (identification)?
B. what classifications distinguish it?
C. where did it come from?
D. what is its value?
ans: d

163. which of the following issues is not one that a forensic examiner faces when dealing with windows-based media?
A. invasive characteristics of the windows environment
B. the facility in the standard windows environment for mounting a hard drive as read-only
C. the location, organization, and content of windows system log files
D. available methods for recovering data from windows media
ans: b

164. forensically acceptable alternatives to using a windows evidence acquisition boot disk include all but which of the following?
A. linux boot floppy
B. fire bootable cd-rom
C. booting into safe mode
D. hardware write blockers
ans: c

165. the standard windows environment supports all of the following file systems except:
A. fat16
B. ext2
C. fat32
D. ntfs
ans: b

166. before evidentiary media is “acquired,” forensic examiners often ________ the media to make sure it contains data relevant to the investigation.
A. hash
B. preview
C. validate
D. analyze
ans: b

167. log files are used by the forensic examiner to associate events with specific ________.
A. system user accounts
B. verify the integrity of the file system
C. confirm login passwords
D. determine if a specific individual is the guilty party
ans: a

168. the windows nt event log appevent.evt:
A. contains a log of application usage
B. records activities that have security implications, such as logins
C. notes system events such as shutdowns
D. none of the above
ans: a

169. when examining the windows registry key, the “last write time” indicates:
A. the last time regedit was run
B. when a value in that registry key was altered or added
C. the current system time
D. the number of allowable changes has been exceeded
ans: b

170. file system traces include all of the following except:
A. metadata
B. cmos settings
C. swap file contents
D. data object date-time stamps
ans: b

171. when a file is moved within a volume, the last accessed date-time:
A. is unchanged
B. changes if a file is moved to a different directory
C. changes if a file is moved to the root directory
D. is unchanged; however, the created date-time does change
ans: a

172. internet traces may be found in which of the following categories?
A. web browser cache
B. instant messenger cache
C. cookies
D. all of the above
ans: d

173. the windows nt event log secevent.evt:
A. contains a log of application usage
B. records activities that have security implications, such as logins
C. notes system events such as shutdowns
D. none of the above
ans: b

174. which of the following is not one of the methods mobile devices use to communicate?
A. fddi
B. telecommunication networks
C. wifi access points
D. bluetooth piconets
ans: a

175. one major advantage of mobile devices from a forensic perspective is that:
A. people very seldom delete information from mobile devices
B. the process for deleting information is much more complicated than for adding information, and users frequently don't delete things correctly
C. flash memory is deleted block-by-block and mobile devices generally wait for a block to be full before it is deleted
D. manufacturers reserve a part of memory for storing deleted items
ans: c

176. the reason that malware developers are beginning to target mobile devices is:
A. because available memory is much smaller and the operating system is much less sophisticated on mobile devices, it is much easier to develop malicious code
B. the malware market has become very crowded and developers are looking for new avenues
C. since the coding is much simpler on mobile devices, many new programmers are trying at this particular platform
D. since mobile devices are used more and more for online banking and making purchases, they have become prime targets for computer criminals
ans: d

177. software designed to monitor activities on mobile devices has come to be called:
A. malware
B. spouseware
C. trojan defense
D. none of the above
ans: b

178. one of the dangers (from a forensic standpoint) of mobile devices is:
A. connected networks can contain investigatively useful information
B. network service providers may provide information for comparison with data extracted from a mobile device
C. connected networks can enable offenders to delete data remotely
D. network service providers may provide additional historical call records
ans: c

179. one of the difficulties unique to forensic processing of mobile devices is:
A. md5 hashes must be calculated for data recovered from mobile devices
B. documentation must show continuous possession and control
C. an investigator must make a calculated decision to either prevent or allow the device to receive new data over wireless networks
D. any issues encountered with processing the device should be documented
ans: c

180. powering down a mobile device and removing the battery may cause problems in that:
A. when the battery is removed from a mobile device, the information in memory is lost
B. doing so may activate security measures such as lock codes and encryption
C. the process of removing the battery can cause a capacitive discharge, destroying the device
D. you now have two pieces of evidence, which have to be documented
ans: b

181. which of the following are methods for preserving mobile devices by isolating them from the networks?
A. reconfigure the device to prevent communication from the network
B. place the device in an rf-shielded pouch
C. jam rf signaling in the immediate area
D. all of the above
ans: d

182. why is it important to collect charging cables when seizing mobile devices?
A. mobile device batteries have a limited charge life span, and the device will need a charger to maintain the battery until the device can be processed
B. to reduce owner complaints about missing cables when, at some point, seized devices are returned
C. in those cases where evidence seized is forfeit, you want to make sure you have everything you need to operate the device
D. none of the above
ans: a

183. which of the following is not one of the currently available methods for extracting data from mobile devices?
A. manual operation via user interface
B. logical acquisition via communication port
C. connecting the communication port directly to an output device such as a printer
D. physical acquisition via the communication port
ans: c

184. forensic examiners should be aware that a mobile device with a blank or broken display:
A. may as well be thrown away, as no data will be recovered from it
B. may only indicate that the screen is damaged and it may still be possible to extract data
C. may require that the mobile device be sent out to the manufacturer for repairs
D. none of the above
ans: b

185. a peculiarity of mobile devices is the format in which they store sms messages, which is:
A. ascii
B. unicode
C. gsm 7-bit
D. baudot
ans: c
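Question 185 is the reason SMS bodies pulled raw from a handset or SIM do not read as ASCII: each character is a 7-bit value from the GSM 03.38 default alphabet, eight of them are packed into seven octets, and the user-data length (UDL) is a septet count rather than a byte count. The Python below is an added example, not part of the original material; the test vectors are the usual "hellohello" example and constructed strings.

```python
"""GSM 03.38 7-bit SMS text: septet packing and alphabet mapping.

Added example, not part of the original question set. A decoder that
ignores the UDL and infers the character count from the octet length can
add or drop a trailing '@' (septet 0x00), so the UDL is carried explicitly.
"""

# Default alphabet: string index == septet value (0x00-0x7F).
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅå"      # 0x00-0x0F
    "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"     # 0x10-0x1F (0x1B = escape to extension table)
    " !\"#¤%&'()*+,-./"       # 0x20-0x2F
    "0123456789:;<=>?"        # 0x30-0x3F
    "¡ABCDEFGHIJKLMNO"        # 0x40-0x4F
    "PQRSTUVWXYZÄÖÑÜ§"        # 0x50-0x5F
    "¿abcdefghijklmno"        # 0x60-0x6F
    "pqrstuvwxyzäöñüà"        # 0x70-0x7F
)
ESC = 0x1B
# Extension table: a character here is sent as ESC followed by this septet.
GSM7_EXT = {0x0A: "\f", 0x14: "^", 0x28: "{", 0x29: "}", 0x2F: "\\",
            0x3C: "[", 0x3D: "~", 0x3E: "]", 0x40: "|", 0x65: "€"}
_BASIC_IDX = {c: i for i, c in enumerate(GSM7_BASIC)}
_EXT_IDX = {c: i for i, c in GSM7_EXT.items()}


def pack7(septets):
    """Pack 7-bit values LSB-first into octets (GSM 03.38 packing)."""
    out, acc, bits = bytearray(), 0, 0
    for s in septets:
        acc |= (s & 0x7F) << bits
        bits += 7
        while bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    if bits:                      # leftover high bits of the last septet
        out.append(acc & 0xFF)
    return bytes(out)


def unpack7(data, count):
    """Unpack exactly `count` septets (the UDL) from packed octets."""
    septets, acc, bits = [], 0, 0
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(septets) < count:
            septets.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
    return septets


def text_to_septets(text):
    out = []
    for ch in text:
        if ch in _BASIC_IDX:
            out.append(_BASIC_IDX[ch])
        elif ch in _EXT_IDX:
            out.extend((ESC, _EXT_IDX[ch]))   # extension chars cost two septets
        else:
            raise ValueError("not representable in GSM 7-bit: %r" % ch)
    return out


def septets_to_text(septets):
    out, i = [], 0
    while i < len(septets):
        if septets[i] == ESC and i + 1 < len(septets):
            # An unknown extension code is displayed as a space, per 03.38.
            out.append(GSM7_EXT.get(septets[i + 1], " "))
            i += 2
        else:
            out.append(GSM7_BASIC[septets[i]])
            i += 1
    return "".join(out)


def encode_sms(text):
    """Return (UDL, packed octets) for a TP-User-Data field."""
    septets = text_to_septets(text)
    return len(septets), pack7(septets)


def decode_sms(udl, data):
    return septets_to_text(unpack7(data, udl))


if __name__ == "__main__":
    udl, packed = encode_sms("hellohello")
    print(udl, packed.hex().upper(), decode_sms(udl, packed))
```

Eight septets fill exactly seven octets, so an eight-character message ending in '@' and a seven-character message pad to the same byte length; only the UDL distinguishes them, which is why an extraction tool should report the UDL alongside the raw user data.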
186. the primary reason that brute-force methods are not used when trying to access a sim card with the pin set is:
A. a four-digit pin represents 10,000 possible combinations
B. after three failed attempts, the sim card will become locked
C. pin disclosure by the offender can be required by a court order
D. none of the above
ans: b

187. an understanding of networks helps with which of the following:
A. establishing continuity of offense
B. tracking down offenders
C. understanding traces of online activities left on a pc
D. all of the above
ans: d

188. when a windows system connects to a shared folder on another windows machine on the internet, which of the following protocols are used?
A. tcp/ip
B. smb
C. netbios
D. all of the above
ans: d

189. hosts that connect two or more networks are called:
A. routers
B. switches
C. hubs
D. all of the above
ans: a

190. which of the following are layer 7 protocols?
A. ethernet
B. http
C. tcp
D. all of the above
ans: b

191. ethernet uses which of the following technologies?
A. cdpd
B. csma/cd
C. cdma
D. all of the above
ans: b

192. another name for a hub is:
A. switch
B. router
C. concentrator
D. nic
ans: c

193. currently, the most widely used internet protocols are:
A. tcp
B. udp
C. ip
D. all of the above
ans: d

194. the osi reference model divides internets into seven layers. choose the correct order, by layer:
A. transport, session, network, presentation, data-link, application, physical
B. presentation, data-link, application, physical, transport, session, network
C. physical, data-link, network, transport, session, presentation, application
D. data-link, network, session, application, physical, network, presentation, session
ans: c

195. the layer that actually carries data via cables or radio signals is the:
A. transport layer
B. physical layer
C. network layer
D. data-link layer
ans: b

196. a hub joins hosts at the physical level, whereas a switch joins them at the ________ layer.
A. transport
B. physical
C. network
D. data-link
ans: d

197. the layer responsible for managing the delivery of data is the:
A. application layer
B. presentation layer
C. transport layer
D. session layer
ans: c

198. which of the following network technologies uses a fiber-optic medium?
A. ethernet
B. fddi
C. asynchronous transfer mode
D. 802.11
ans: b

199. preservation of digital evidence can involve which of the following?
A. collecting computer hardware
B. making a forensic image of storage media
C. copying the files that are needed from storage media
D. all of the above
ans: d

200. a forensic image of a drive preserves which of the following?
A. memory contents
B. file slack and unallocated space
C. system date and time
D. screen contents
ans: b

201. examination of digital evidence includes (but is not limited to) which of the following activities?
A. seizure, preservation, and documentation
B. recovery, harvesting, and reduction
C. experimentation, fusion, and correlation
D. arrest, interviewing, and trial
ans: b

202. analysis of digital evidence includes which of the following activities?
A. seizure, preservation, and documentation
B. recovery, harvesting, and reduction
C. experimentation, fusion, and correlation
D. arrest, interviewing, and trial
ans: c
evidence can be related to its source in which of the top, middle, bottom ip address, md5 production, parent, uncle,
203 following ways? value, filename, date- segment, alteration, orphan c
time stamps location
when a website is under investigation, before determine where inform personnel at conduct a none of the above
obtaining authorization to seize the systems it is the web servers are the web server reconnaissance
204 necessary to: located location that you’ll probe of the target a
be coming to seize website
the systems
which of the following is not an information scanning the studying security attempting to examining e-mail
205 gathering process? system remotely audit reports bypass logon headers c
security
unlike law enforcement, system administrators are open unread e- monitor network modify system logs divulge user
permitted to on their network when it is mails traffic personal
206 information b
necessary to protect the network and the data it
contains
although it was not designed with evidence collection encase ftk wireshark chkdsk
207 in mind, can still be useful for examining c
network traffic
issues to be aware of when connecting to a computer creating and keeping a log of documenting which all of the above
over a network and collecting information include: following a set of actions taken during server actually
208 standard operating the collection contains the data d
procedures process that’s being
collected
occasionally, an intrusion detection system may false warning failsafe def con false positive
trigger an alarm caused by an innocent packet that
209 d
coincidentally contains intrusion class characteristics
this type of alert is called:
information security professionals submit samples of bugtraq sam spade cnet security focus
log files associated with certain intrusion tools to help
210 a
others detect attacks on the mailing lists at:
which of the following are situations where a the hard drive is the system cannot the digital all of the above
bitstream copy may not be viable? too large to copy be shut down investigator does
211 not have authority d
to copy the entire
drive
who is authorized to conduct online undercover anyone computer security journalists law enforcement
212 investigations when child pornography is involved? professionals d

which of the following internet services can be used to irc usenet kazaa all of the above
213 d
exchange illegal materials?
what are two of the most useful headers for from and message- nntp-posting-host path and subject rfc1036 and
214 id and x-trace rfc2980 b
determining the origination of usenet messages?
what information should you document when date/time of screenshots of download copies of all of the above
searching for evidence on the web? search, search significant search the webpages and
215 engine and terms results calculate their md5 d
used, address of value
pertinent results
why is it important to hide your identity when to reduce the risk to get yourself in to make it easier for all of the above
of alerting the the mindset of you to determinethe
216 conducting an online investigation? a
offender covert web offender’s
investigating location
when it is not possible to determine the identity of the look for unusual search the web look for similar all of the above
author of a usenet message using ip addresses in the signature and use of using distinctive usenet messages
217 d
header, what else can you do to learn more about the language aspects of posts posted using an alias
author?
what characteristics of irc make it attractive to irc enables them to irc provides them irc gives them all of the above
criminals? exchange illegal with some level of direct, “live” access
218 materials with other anonymity to a large pool of d
criminals potential victims

which of the following enables a user to connect to irc freenet psybnc bot fserve all of the above
219 and run irc fserves without disclosing their ip b
address?
which of the following applications leave traces of internet explorer kazaa irc all of the above
220 d
internet activities on a personal computer?
which of the following tools can reconstruct tcp tcpdump wireshark snoop encase
221 b
streams?
what peer-to-peer clients use the fast track network? kazaa grokster imesh all of the above
222 d
web whacker and httrack are examples of tools that: search the web deface websites capture websites launch websites
223 c
metaverseink is a: search tool (people newsgroup social networking a file-sharing peer-
224 or things) for virtual aggregator meta-tool to-peer network a
worlds
second life is one of the better known: research websites archive websites virtual worlds web-based game
225 shows
c
synchronous chat networks are particularly conducive privacy immediacy impermanence all of the above
226 d
to criminal activity because of their
what is the maximum cable length for a 10baset 10 feet 100 feet 10 meters 100 meters
227 d
network?
what is the approximate theoretical maximum number 10 mb 75 mb 100 mb 175 mb
228 of bytes that can be downloaded in one minute on a b
10baset network?
which of the following commands can be used to netstat ping nbtstat traceroute
229 obtain the mac address of a remote windows c
computer?
what is the maximum cable length for a 10 base five 100 feet 500 feet 100 m 500 m
230 d
segment?
arp stands for: address resource advanced retrieval address resolution added resource
231 protection protocol protocol processing c

the best operating system for capturing network microsoft openbsd/freebsd linux solaris
232 traffic on high-speed networks is: dos/windows b

which of the following applications is used to capture snort wireshark tcpdump all of the above
233 d
network traffic?
how many bytes per packet does tcpdump capture by 10 bytes 68 bytes 128 bytes 1024 bytes
234 b
default?
which of the following tools can reconstruct tcp tcpdump wireshark snoop encase
235 b
streams?
the transition method in which only one computer can baseband narrowband broadband sideband
236 transmit while all the others listen is known as: a
although arp is part of tcp/ip, it is generally physical data-link network transport
237 b
considered a part of the layer
the form of arp that atm uses to discover mac arpatm atmarp macatm atmmac
238 b
addresses is known as:
tcp is an abbreviation for: transit transportation cost transport control time
239 communication product protocol communication c
protocol protocol
what system is used to convert ip addresses to their tcp/ip dns arp routing
240 b
associated names?
241 what protocol does the “ping” command use? tcp ip icmp all of the above c
which of the following logs record the ip addresses of wtmp xferlog syslog access log
242 computers accessing an ftp server? a b

in addition to the ip address of the sender, smtp e- the message id the time the the name of the all of the above
243 mail server logs contain which of the following? message was sender d
received
digital evidence and computer crime, third edition

instructor’s manual

by samuel norris

contents

part 1 – digital forensics


chapter 1 – foundations of digital forensics 2
chapter 2 – language of computer crime investigation 11
chapter 3 – digital evidence in the courtroom 21
chapter 4 – cybercrime law: a united states perspective 29
chapter 5 – cybercrime law: a european perspective 38

part 2 – digital investigations


chapter 6 – conducting digital investigations 46
chapter 7 – handling a digital crime scene 57
chapter 8 – investigative reconstruction with digital evidence 64
chapter 9 – modus operandi, motive, and technology 71

part 3 – apprehending offenders


chapter 10 – violent crime and digital evidence 78
chapter 11 – digital evidence as alibi 85
chapter 12 – sex offenders on the internet 91
chapter 13 – computer intrusions 98
chapter 14 – cyberstalking 106

part 4 – computers
chapter 15 – computer basics for digital investigators 113
chapter 16 – applying forensic science to computers 122
chapter 17 – digital evidence on windows systems 129
chapter 18 – digital evidence on unix systems 139
chapter 19 – digital evidence on macintosh systems 151
chapter 20 – digital evidence on mobile devices 159

part 5 – network forensics


chapter 21 – network basics for digital investigators 167
chapter 22 – applying forensic science to networks 176
chapter 23 – digital evidence on the internet 185
chapter 24 – digital evidence at the physical and data-link layers 195
chapter 25 – digital evidence at the network and transport layers 204

© 2011 Elsevier Inc. All rights reserved. Page 1


chapter 1
foundations of digital forensics

objectives
on completion of this chapter, the student will
- recognize that there will be a digital component in nearly every crime.
- be able to list some of the ways criminals use technology.
- recognize that increased use of technology increases evidence.
- be able to define “digital evidence.”
- be aware of who is concerned with proper processing of digital evidence.
- recognize how digital forensics has changed over time.
- recognize the purpose and importance of “best practices” and accepted standards.
- be able to define “digital forensics.”
- be aware of how locard’s exchange principle applies to digital forensics.
- recognize the difference between class characteristics and individual characteristics.
- recognize that evidence preservation is not an absolute.
- be aware of the steps to authenticate evidentiary data.
- recognize the need for documenting “continuity of possession.”
- be aware that hashing is an accepted method of establishing authenticity of data.
- recognize the need for objectivity on the part of the examiner.
- recognize that repeatability is a requirement of forensic soundness.
- recognize that digital evidence is volatile.
- be aware that digital data is seen through one or more layers of abstraction.
- recognize that “evidence dynamics” will affect the state of the digital crime scene.
- recognize the role that applied research plays in digital forensics.

digital evidence has come to play some part in virtually every crime. it would, in fact, be difficult
to describe a crime scene that does not have a digital element. criminals have always found ways
to use technology to their own ends, and digital technology is no different. there is an upside to
this – the more digital technology is used, the more likely that there will be resulting digital
evidence.
digital forensics has undergone a number of changes from little more than looking at the
hexadecimal values on floppy media to automated forensic tools that process terabytes of data in
search of digital evidence.
digital evidence is the target of the forensic examiner, who pursues those digital elements that
support (or refute) a particular scenario. however, if the evidence is to be used in court, the
collection and processing must adhere to strict rules of evidence. therefore, it is important that
everyone who is involved in the legal process – law enforcement, attorneys, and the judiciary –
understands the concepts of digital forensics and adheres to best practices and standard
procedures.
one such concept is locard’s exchange principle, which proposes that something is taken and
something is left behind when someone enters a crime scene. the same is true with digital
media. the substance of this exchange may possess either class characteristics or individual
characteristics, the latter being more specific.
the concept that digital evidence should never be changed is desirable but not an absolute. there
will be times where necessity dictates that evidence, by being observed, has changed. this should,
however, be noted in case documentation.
the above notwithstanding, every effort should be made to properly copy the evidentiary media,
and then to verify or authenticate the data collected so that the examiner can state the copied data
is identical to the original. the accepted method for doing this is through “hashing,” which will
be covered in a later chapter.
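
The verification step described above, worked through as an added example that is not part of the instructor's manual: the acquired media and its copy are each hashed in one pass with MD5 and SHA-256 (the manual names no algorithm; md5 appears in the chapter questions, and SHA-256 is added here as the stronger companion), the digests are compared, and a single flipped bit in the copy is shown to change every digest. The "image" is a constructed byte string standing in for the contents of a seized drive, not real media.

```python
"""Added example (not from the instructor's manual): authenticating a forensic
copy by hashing original and copy, and showing that a one-bit change is caught.

The evidence here is a constructed byte string standing in for the raw contents
of an acquired storage device; nothing is read from real media.
"""
import hashlib
import io

# Constructed sample image: a fake boot-sector marker, a repeating byte pattern
# and a run of zeroed sectors, about 20 KiB in total.
ORIGINAL_IMAGE = b"MBR" + bytes(range(256)) * 64 + b"\x00" * 4096

CHUNK_SIZE = 1 << 20  # 1 MiB; real images are far too large to load whole


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for everything readable from `stream`.

    All requested digests are updated from the same chunk, so the media is read
    exactly once however many algorithms are requested.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper: hash an in-memory byte string."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_copy(original, copy):
    """Compare digests of two images.

    Returns (identical, mismatching_algorithms). An empty list means every
    requested digest agreed and the examiner can state the copy is identical.
    """
    a = hash_bytes(original)
    b = hash_bytes(copy)
    mismatched = sorted(name for name in a if a[name] != b[name])
    return (not mismatched, mismatched)


def flip_one_bit(data, offset):
    """Constructed 'evidence dynamics': corrupt a single bit of a copy."""
    mutable = bytearray(data)
    mutable[offset] ^= 0x01
    return bytes(mutable)


if __name__ == "__main__":
    good_copy = bytes(ORIGINAL_IMAGE)
    print("faithful copy:", verify_copy(ORIGINAL_IMAGE, good_copy))
    bad_copy = flip_one_bit(ORIGINAL_IMAGE, 1000)
    print("altered copy: ", verify_copy(ORIGINAL_IMAGE, bad_copy))
    print("digests:", hash_bytes(ORIGINAL_IMAGE))
```

Recording both digests at acquisition time, and re-running `verify_copy` before each examination, is what lets the examiner later state that the data analysed is the data that was collected.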
another issue is tracking the movement of the evidentiary data through the collection, storage,
and analysis processes. it is important to establish a “continuity of possession” document that
records when evidence changes hands, with whom, and why.
two other points central to forensic methodology are objectivity and repeatability. the first,
objectivity, means that the forensic examiner seeks the truth of events, not to prove that a suspect
is the perpetrator. the second, repeatability, demands that, given identical media and processes,
the same results should be obtained.
challenges to the forensic process and digital evidence include:
1. the idea that the true data (magnetic patterns) is never observed, but rather, it is observed
through some level of abstraction (the hexadecimal view of a file).
2. the concept of “evidence dynamics” – changes that creep into evidence, either by
accident or error, that change the data.

digital forensics methodology is constantly in flux – the “bad guys” figure out some way to
exploit a new technology and the “good guys” develop tools to capture and document the exploit.
that is the way it has always been and always will be.

multiple choice questions

1. a valid definition of digital evidence is:


a. data stored or transmitted using a computer
b. information of probative value
c. digital data of probative value
d. any digital evidence on a computer

2. what are the three general categories of computer systems that can contain digital
evidence?
a. desktop, laptop, server
b. personal computer, internet, mobile telephone
c. hardware, software, networks
d. open computer systems, communication systems, embedded systems

3. in terms of digital evidence, a hard drive is an example of:


a. open computer systems
b. communication systems
c. embedded computer systems
d. none of the above

4. in terms of digital evidence, a mobile telephone is an example of:


a. open computer systems
b. communication systems
c. embedded computer systems
d. none of the above

5. in terms of digital evidence, a smart card is an example of:


a. open computer systems
b. communication systems
c. embedded computer systems
d. none of the above

6. in terms of digital evidence, the internet is an example of:


a. open computer systems
b. communication systems
c. embedded computer systems
d. none of the above

7. computers can be involved in which of the following types of crime?
a. homicide and sexual assault
b. computer intrusions and intellectual property theft
c. civil disputes
d. all of the above

8. a logon record tells us that, at a specific time:


a. an unknown person logged into the system using the account
b. the owner of a specific account logged into the system
c. the account was used to log into the system
d. none of the above

9. cybertrails are advantageous because:


a. they are not connected to the physical world.
b. nobody can be harmed by crime on the internet.
c. they are easy to follow.
d. offenders who are unaware of them leave behind more clues than they otherwise
would have.

10. private networks can be a richer source of evidence than the internet because:
a. they retain data for longer periods of time.
b. owners of private networks are more cooperative with law enforcement.
c. private networks contain a higher concentration of digital evidence.
d. all of the above.

11. due to caseload and budget constraints, often computer security professionals
attempt to limit the damage and close each investigation as quickly as possible.
which of the following is not a significant drawback to this approach?
a. each unreported incident robs attorneys and law enforcement personnel of an
opportunity to learn about the basics of computer-related crime.
b. responsibility for incident resolution frequently does not reside with the security
professional, but with management.
c. this approach results in under-reporting of criminal activity, deflating
statistics that are used to allocate corporate and government spending on
combating computer-related crime.
d. computer security professionals develop loose evidence processing habits
that can make it more difficult for law enforcement personnel and attorneys to
prosecute an offender.

12. the criminological principle which states that, when anyone, or anything, enters a
crime scene he/she takes something of the scene with him/her, and leaves
something of himself/herself behind, is:
a. locard’s exchange principle
b. differential association theory
c. beccaria’s social contract
d. none of the above

13. the author of a series of threatening e-mails consistently uses “im” instead of “i’m.” this is
an example of:
a. an individual characteristic
b. an incidental characteristic
c. a class characteristic
d. an indeterminate characteristic

14. personal computers and networks are often a valuable source of evidence. those
involved with ________ should be comfortable with this technology.
a. criminal investigation
b. prosecution
c. defense work
d. all of the above

15. an argument for including computer forensic training for computer security specialists is:
a. it provides an additional credential.
b. it provides them with the tools to conduct their own investigations.
c. it teaches them when it is time to call in law enforcement.
d. none of the above.

true or false questions

1. digital evidence is only useful in a court of law.


a. true
b. false

2. attorneys and police are encountering progressively more digital evidence in their work.
a. true
b. false

3. video surveillance can be a form of digital evidence.


a. true
b. false

4. all forensic examinations should be performed on the original digital evidence.


a. true
b. false

5. digital evidence can be duplicated exactly without any changes to the original data.
a. true
b. false

6. computers were involved in the investigations into both world trade center attacks.
a. true
b. false

7. computer professionals who take inappropriate actions when they encounter child
pornography on their employer’s systems can lose their jobs or break the law.
a. true
b. false

8. digital evidence is always circumstantial.


a. true
b. false

9. digital evidence alone can be used to build a solid case.


a. true
b. false

10. automobiles have computers that record data such as vehicle speed, brake status, and throttle
position when an accident occurs.
a. true
b. false

11. computers can be used by terrorists to detonate bombs.


a. true
b. false

12. the aim of a forensic examination is to prove with certainty what occurred.
a. true
b. false

13. even digital investigations that do not result in legal action can benefit from principles of
forensic science.
a. true
b. false

14. forensic science is the application of science to investigation and prosecution of crime or to
the just resolution of conflict.
a. true
b. false

15. when a file is deleted from a hard drive, it can often be recovered.
a. true
b. false

essay questions

1. when criminals use computers, what advantages does this have from an investigative
standpoint?

answer guidance: 1) computer activities leave trails/online activities leave cybertrails, 2) these
traces/trails can be linked to the associated physical world activities, and 3) some offenders have
a false sense of security when they use computers and therefore expose themselves to greater
risk, giving us a clearer view of them — windows to the world.

2. what are the three general categories of computer systems that can contain digital evidence?
in each category, give a specific source of digital evidence that interests you and describe the
type of evidence that you might find.

answer guidance: open systems, communication systems, and embedded systems, examples of
each are provided on page 12. note that a server on the internet is often an open computer
system but plays a role in a communications system. therefore, the server may have information
relating to the communications on the internet such as log files of network activities.

3. why is it important for computer security professionals to become familiar with digital
evidence?

answer guidance: so they know how to process evidence properly in preparation for a serious
incident and to protect themselves and employers against liability (see p. 14).

4. at what point should computer security professionals stop handling digital evidence and
contact law enforcement?

answer guidance: this is a difficult question that requires more than a simplistic “stop and
contact law enforcement whenever they detect a crime” answer. it is unrealistic to expect an
organization to report every potential criminal act to law enforcement. computer security
professionals should report incidents to law enforcement when their organization’s policy
specifies. this presumes that some organizational thought and planning has been applied to the
issue. computer security professionals should stop handling digital evidence when the task is
beyond their training and experience or when they would be committing an offense by
performing an action (e.g., hacking back to the intruder’s computer, accessing child pornography).

5. what are the main challenges of investigating computer-related crime?

answer guidance: there is an abundance of challenges. a summary list includes:

- abstraction
- messy amalgam and fragmentation
- mutability: evidence dynamics
- attribution: linking digital to physical
- distributed
- transient
- voluminous
- anonymity
- diversity of technologies
- keeping up with legislation
- shortage of trained investigators, attorneys, judges, etc.

6. what is the difference between digital evidence, electronic evidence, and computer evidence?

answer guidance: computer evidence and electronic evidence refer to hardware whereas digital
evidence refers to the data that is contained by hardware.

7. describe a case reported in the media or from personal experience that demonstrates how
digital evidence can be useful in the investigation of a violent crime or civil dispute.

scenario
describe a day in your life and the associated sources of digital evidence that your actions may
have created.

chapter 2
language of computer crime investigation

resources
the following organizations with related resources are mentioned in this chapter.

resource (source): description

dfrws (http://www.dfrws.org): digital forensics research workshop.
enfsi (http://www.enfsi.org): european forensic it working group.
fletc (http://www.fletc.gov): provides computer forensic training to law enforcement personnel.
nist (http://www.cftt.nist.gov): conducts tests on evidence processing tools.
nw3c (http://www.nw3c.org): provides computer forensic training to law enforcement personnel.
search (http://www.search.org): provides computer forensic training to law enforcement personnel.
swgde (http://www.swgde.org): scientific working group for digital evidence.
usdoj (http://www.cybercrime.gov): computer search and seizure manual.

objectives
on completion of this chapter, the student will
- be aware of new terms that have arisen as technology has been used for committing
crimes.
- be aware of the difficulty in defining computer crime.
- recognize the differences between the following terms:
o digital forensics
o computer forensics
o network forensics
o mobile device forensics
o malware forensics
- recognize the difference between “forensic examination” and “forensic analysis.”
- be aware of the various roles computers may play in a crime.

chapter guide
since the late 1980s there have been significant advances in investigating crime involving
computers. in addition to advances in tool development, there have been refinements in the law,
computer crime categories, and digital investigative methods and theory. however, because it is
still an emerging field, digital forensics requires additional development and refinement. even
the term digital forensics has only recently replaced computer forensics, forensic computing, and
other terms that describe the field as a whole. see pages 26-38 for more details.

although every effort is made to prevent bugs in software used in digital investigations, they do
exist and can result in evidence being lost or interpreted incorrectly. therefore, in addition to

© 2011 Elsevier Inc. All rights reserved. Page 11


knowing which tools are best for a given task, digital investigators must be capable of validating
the results to ensure that their results are correct. validation involves checking and documenting
the results of one tool with another either by comparing the results from both tools to ensure they
are in agreement, or by using one tool to verify low-level data has been interpreted correctly by
another tool. for instance, two tools should recover the same deleted files from a given file
system, and all tools should calculate date-time stamps correctly.
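
The two validation checks just described, as an added example that is not part of the instructor's manual: the recovered-file lists of two tools are compared for discrepancies, and each tool's reported date-time stamp is checked against an independent decoding of the raw on-disk value. The raw values are assumed to be Windows FILETIME stamps (100-nanosecond intervals since 1601-01-01 UTC); the two tool outputs, their names and the hash values are constructed for the example and stand for no real product.

```python
"""Added example (not from the instructor's manual): cross-validating the
results of two forensic tools.

  1. two tools examining the same file system should recover the same deleted
     files with the same hashes, so their result lists are compared;
  2. every tool should interpret low-level date-time stamps correctly, so each
     reported timestamp is checked against our own decoding of the raw value.

Assumption: raw timestamps are Windows FILETIME values (100 ns ticks since
1601-01-01 UTC). Tool outputs, names and hashes below are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_filetime(raw):
    """Independently decode a 64-bit FILETIME into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=raw // 10)


# Constructed output of two hypothetical tools:
#   path -> (md5 reported by the tool, raw FILETIME, timestamp as the tool displayed it)
TOOL_A = {
    "deleted/report.doc": ("d41d8cd98f00b204e9800998ecf8427e", 116444736000000000, "1970-01-01 00:00:00"),
    "deleted/photo.jpg":  ("900150983cd24fb0d6963f7d28e17f72", 132000000000000000, "2019-04-17 18:40:00"),
    "deleted/ledger.xls": ("0123456789abcdef0123456789abcdef", 116444736000000000, "1970-01-01 00:00:00"),
}
TOOL_B = {
    "deleted/report.doc": ("d41d8cd98f00b204e9800998ecf8427e", 116444736000000000, "1970-01-01 00:00:00"),
    # tool B displays this stamp in the examiner's local time, one hour off UTC
    "deleted/photo.jpg":  ("900150983cd24fb0d6963f7d28e17f72", 132000000000000000, "2019-04-17 19:40:00"),
    # tool B disagrees with tool A about the content of this file
    "deleted/ledger.xls": ("fedcba9876543210fedcba9876543210", 116444736000000000, "1970-01-01 00:00:00"),
    # recovered only by tool B
    "deleted/notes.txt":  ("e2fc714c4727ee9395f324cd2e7f331f", 131000000000000000, "2016-02-15 08:53:20"),
}


def check_timestamps(tool_name, results):
    """Return [(tool, path, reported, expected)] for stamps the tool got wrong."""
    errors = []
    for path, (_md5, raw, reported) in results.items():
        expected = decode_filetime(raw).strftime("%Y-%m-%d %H:%M:%S")
        if reported != expected:
            errors.append((tool_name, path, reported, expected))
    return errors


def cross_validate(tool_a, tool_b):
    """Report every disagreement an examiner would have to explain before relying
    on either tool: files only one tool found, files whose hashes differ, and
    timestamps that do not match an independent decoding of the raw value."""
    common = set(tool_a) & set(tool_b)
    return {
        "only_in_a": sorted(set(tool_a) - set(tool_b)),
        "only_in_b": sorted(set(tool_b) - set(tool_a)),
        "hash_mismatch": sorted(p for p in common if tool_a[p][0] != tool_b[p][0]),
        "timestamp_errors": check_timestamps("tool_a", tool_a) + check_timestamps("tool_b", tool_b),
    }


if __name__ == "__main__":
    for key, value in cross_validate(TOOL_A, TOOL_B).items():
        print(f"{key}: {value}")
```

Each entry in the report is a lead, not a verdict: a file seen by one tool only may be a carving difference, and a timestamp off by a whole hour usually points at a time-zone setting rather than at corrupt data, but either has to be documented before the result is used.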

in addition to validating their own work and tools, forensic examiners can benefit from the
results of the us national institute of standards and technology (nist) computer forensic tool testing
(cftt) program. this program is currently testing hardware write blockers as well as the ability of
forensic tools to acquire digital evidence from storage media and recover deleted files. this
testing does not include the recovery of overwritten data using more sophisticated equipment.
some forensic laboratories can recover partially overwritten data using special equipment
designed for testing hard drives called “spin stand testers.” basically, this equipment enables
technicians to direct the read head to read the edges of a track that may not have been
overwritten by newer data that are stored in the middle of the track. although it is theoretically
possible to recover completely overwritten data using powerful microscopes, an analysis by the
us national bureau of economic research suggests that this is not feasible in practice:

daniel feenberg, “can intelligence agencies read overwritten data? a response to gutmann,”
national bureau of economic research,
http://www.nber.org/sys-admin/overwritten-data-guttman.html.

the role a computer plays in a crime will dictate how it and its contents are processed. therefore,
it is important for digital investigators to understand the different roles, which are clearly
described in the usdoj’s “searching and seizing computers and obtaining electronic evidence in
criminal investigations.” the following table provides examples in each category:

hardware
- contraband: cloned mobile telephones, or hardware for intercepting communications
- fruits of crime: stolen computers, or equipment purchased with stolen credit cards
- instrumentality: printer used to produce counterfeit banknotes, or scanner used to produce child pornography
- evidence: mobile phone may be evidence of parole violation even if it was not used to deal drugs

information
- contraband: digital photographs or videos of child exploitation, or strong encryption in some countries
- fruits of crime: valuable data stolen from computers such as bank account details
- instrumentality: programs used to break into computers and capture passwords
- evidence: a personal diary on a computer describing details of a crime, or log files showing criminal activity

notably, a source of evidence can fall into multiple categories. for instance, a flatbed scanner
used to digitize child pornography can be considered in both the hardware as instrumentality and
hardware as evidence categories.

this conceptual framework helps investigators quickly identify important sources of evidence in
the large amounts of information that are common in digital investigations. in addition, these
categories provide a foundation for procedures. for instance, different methods, personnel, and
tools are required to process hardware as contraband (e.g., mobile phone cloning equipment)
versus information as evidence.

other categorizations of the impact of technology on crime can also be useful but have their
limitations (see decc2e, pages 31-33). another useful categorization, presented by nigel jones in
digital investigation (volume 1, issue 3, www.digitalinvestigation.net), is provided below:

• the target of crime, including the denial of service attacks and viruses that are
distributed to bring computer systems to a halt
• an aid to crime, allowing crimes to be committed in different and easier ways than
before
• a communications tool, allowing criminals more opportunities to communicate with
each other with less chance of discovery than traditional communication methods
• a witness to crime, where technology in the possession of those other than victims and
suspects could provide compelling evidence of criminal activity
• a storage device, containing evidence of criminal activity whether wittingly or
unwittingly stored

discussion of these categories can help students expand their understanding of computer-related
crime.

multiple choice questions

1. computers can play the following roles in a crime:


a. target, object, and subject
b. evidence, instrumentality, contraband, or fruit of crime
c. object, evidence, and tool
d. symbol, instrumentality, and source of evidence

2. the first us law to address computer crime was:


a. computer fraud and abuse act (cfaa)
b. florida computer crime act
c. computer abuse act
d. none of the above

3. the following specializations exist in digital investigations:


a. first responder (a.k.a. digital crime scene technician)
b. forensic examiner
c. digital investigator
d. all of the above

4. the first tool for making forensic copies of computer storage media was:
a. encase
b. expert witness
c. dd
d. safeback

5. one of the most common approaches to validating forensic software is to:
a. examine the source code
b. ask others if the software is reliable
c. compare results of multiple tools for discrepancies
d. computer forensic tool testing projects

6. an instrumentality of a crime is:
a. an instrument used to commit a crime
b. a weapon or tool designed to commit a crime
c. anything that plays a significant role in a crime
d. all of the above

7. contraband can include:
a. child pornography
b. devices or programs for eavesdropping on communications
c. encryption devices or applications
d. all of the above

8. a cloned mobile telephone is an example of:
a. hardware as contraband or fruits of crime
b. hardware as an instrumentality
c. information as contraband or fruits of crime
d. information as evidence

9. digital photographs or videos of child exploitation are an example of:
a. hardware as contraband or fruits of crime
b. hardware as an instrumentality
c. hardware as evidence
d. information as contraband or fruits of crime

10. stolen bank account information is an example of:
a. hardware as contraband or fruits of crime
b. information as contraband or fruits of crime
c. information as an instrumentality
d. information as evidence

11. a network sniffer program is an example of:
a. hardware as contraband or fruits of crime
b. hardware as an instrumentality
c. information as an instrumentality
d. information as evidence

12. computer equipment purchased with stolen credit card information is an example of:
a. hardware as contraband or fruits of crime
b. hardware as an instrumentality
c. hardware as evidence
d. information as contraband or fruits of crime

13. a printer used for counterfeiting is an example of:
a. hardware as contraband or fruits of crime
b. hardware as an instrumentality
c. hardware as evidence
d. information as contraband or fruits of crime

14. phone company records are an example of:
a. hardware as contraband or fruits of crime
b. information as contraband or fruits of crime
c. information as an instrumentality
d. information as evidence

15. in the course of conducting forensic analysis, which of the following actions are carried
out?
a. critical thinking
b. fusion
c. validation
d. all of the above

true or false questions

1. a single crime can fall into more than one of the following categories: hardware or
information as evidence, instrumentality, and contraband or fruits of crime.
a. true
b. false

2. the american society of crime laboratory directors (ascld) is the only group to
establish guidelines for how digital evidence is handled in crime labs.
a. true
b. false

3. the nist computer forensic tool testing project has identified all bugs in all forensic
hardware and software.
a. true
b. false

4. a network can be an instrumentality of a crime.
a. true
b. false

5. there is a general agreement as to the meaning of the term “computer crime.”
a. true
b. false

6. contraband is property that the private citizen is not permitted to possess.
a. true
b. false

7. the main reason for seizing contraband or fruits of crime is to prevent and deter future
crimes.
a. true
b. false

8. a computer can be considered instrumentality because it contained a file that detailed the
growing characteristics of marijuana plants.
a. true
b. false

9. the us computer assistance law enforcement act (calea) that took effect in 2000 compels
telephone companies to keep detailed records of their customers’ calls for up to three
years.
a. true
b. false

10. when a computer contains only a few pieces of digital evidence, investigators are
authorized to collect the entire computer.
a. true
b. false

11. when a computer is used to forge documents or break into other computers, it is the
subject of the crime.
a. true
b. false

12. a flatbed scanner used to digitize child pornography can be considered in both the
hardware as instrumentality and hardware as evidence categories.
a. true
b. false

13. the terms “forensic examination” and “forensic analysis” are the same, and can be used
interchangeably.
a. true
b. false

14. the distinction between a computer as the object and subject of a crime is useful from an
investigative standpoint because it relates to the intent of the offender.
a. true
b. false

15. network sniffer software is illegal to possess, and therefore is considered contraband.
a. true
b. false

essay questions

1. discuss the benefits and shortcomings of creating specializations of crime scene experts,
evidence examiners, and investigators. what are the advantages and disadvantages for requiring
individuals in each specialization to pass a standard competency test?

answer guidance: example advantages: specialization enables professionalization, greater
expertise, and higher quality. a standard competency test helps differentiate qualified individuals
from unqualified ones. such tests also ensure that individuals have basic requisite skills to
perform work competently, thus increasing consistency and reducing mistakes. regular retesting
might help keep individuals updated on technological advances. example disadvantages:
specialization increases the cost of training and staffing. separation of task can lead to
miscommunication, hindering an investigation. it may not be possible to agree upon a standard
test, particularly on an international scale. in addition, standard tests might emphasize book
learning over experience — a combination of both is needed. testing might not keep pace with
technology, and if the testing body does not represent all groups in the field, it could be unfair to
some.

2. what term do you think best describes this field (e.g., computer forensics, forensic
computing, digital forensics) and why?

answer guidance: digital forensics is the most fitting for this course because just referring to
computers limits the scope.

3. what roles can computers play in a crime? give an example of each role.

answer guidance: the most effective and widely accepted categorization is provided by the us
department of justice as discussed on pages 34-39.

scenario
a computer crime was committed last wednesday. detail the trail of digits left by your activities
that day that can serve as an alibi.

chapter 3
digital evidence in the courtroom
objectives
on completing this chapter, the student will:
- be aware of the difference between concerns of the law and scientific knowledge.
- be aware of the concerns of the court in regard to forensic examination of digital
evidence
▪ the integrity of the digital investigator
▪ authenticity of the digital evidence they present
- be aware of the us federal rules of evidence and how they relate to the authenticity of
evidence.
- recognize that the duty of experts is to present objective unbiased truth in the matters
before the court.
- recognize that digital examiners have a duty to resist influences, both subtle and
overt, to form an opinion on a case.
- recognize that every case is unique and be aware of the problem of preconceived
theories.
- be aware that in the courts, theories based on scientific truth are subordinate to the
legal judgment.
- be aware of the connection between proper evidence handling and admissibility.
- be aware of the connection between authorization to search and admissibility.
- be aware of four considerations when searching and seizing digital evidence:
▪ does the fourth amendment and/or electronic communications privacy act
(ecpa) apply?
▪ have fourth amendment and/or ecpa requirements been met?
▪ how long can investigators remain at the scene?
▪ what do investigators need to reenter?
- be aware of the role of chain of custody in assuring evidence authenticity.
- be aware of the concept of “best evidence.”
- be aware of why hearsay evidence may not be admissible.
- recognize that there are exceptions to the hearsay rule.
- be aware of the application of levels of certainty to digital evidence.
- recognize that there is a difference between direct and circumstantial evidence.
- be aware of the four criteria for evaluating scientific theories and techniques.
- recognize that a well-written report can bolster a weak case, and that a poorly written
report can undermine a strong case.
- be aware that a digital investigator, before taking the stand, must first be recognized
as an expert by the court.

the foundation of a case involving digital evidence is proper evidence handling from proper
practices of seizing, storing, and accessing evidence, and verification that evidence was properly
handled.

it is important to emphasize that digital investigators will be presenting their findings to a
non-technical audience. therefore, it is imperative that digital investigators are able to convey
complex concepts in easier to understand terms.

multiple choice questions

1. having a member of the search team trained to handle digital evidence:
a. can reduce the number of people who handle the evidence
b. can serve to streamline the presentation of the case
c. can reduce the opportunity for opposing counsel to impugn the integrity of the
evidence
d. all of the above

2. an attorney asking a digital investigator to find evidence supporting a particular line of
inquiry is an example of:
a. influencing the examiner
b. due diligence
c. quid pro quo
d. voir dire

3. a digital investigator pursuing a line of investigation in a case because that line of
investigation proved successful in two previous cases is an example of:
a. logical reasoning
b. common sense
c. preconceived theory
d. investigator’s intuition

4. a scientific truth attempts to identify rules that are universally true. legal judgment, on
the other hand, has a standard of proof in criminal prosecutions of:
a. balance of probabilities
b. beyond a reasonable doubt
c. acquittal
d. none of the above

5. regarding the admissibility of evidence, which of the following is not a consideration:
a. relevance
b. authenticity
c. best evidence
d. nominally prejudicial

6. according to the text, the most common mistake that prevents evidence seized from
being admitted is:
a. uninformed consent
b. forcible entry
c. obtained without authorization
d. none of the above

7. in obtaining a warrant, an investigator must convince the judge on all of the following
points except:
a. evidence of a crime is in existence
b. a crime has been committed
c. the owner or resident of the place to be searched is likely to have committed
the crime
d. the evidence is likely to exist at the place to be searched

8. if, while searching a computer for evidence of a specific crime, evidence of a new,
unrelated crime is discovered, the best course of action is:
a. abandon the original search, and pursue the new line of investigation
b. continue with the original search but also pursue the new inquiry
c. stop the search and obtain a warrant that addresses the new inquiry
d. continue with the original search, ignoring the new information

9. the process of documenting the seizure of digital evidence and, in particular, when that
evidence changes hands, is known as:
a. chain of custody
b. field notes
c. interim report
d. none of the above

10. when assessing the reliability of digital evidence, the investigator is concerned with
whether the computer that generated the evidence was functioning normally, and:
a. whether chain of custody was maintained
b. whether there are indications that the actual digital evidence was tampered
with
c. whether the evidence was properly secured in transit
d. whether the evidence media was compatible with forensic machines

11. the fact that with modern technology, a photocopy of a document has become acceptable
in place of the original is known as:
a. best evidence rule
b. due diligence
c. quid pro quo
d. voir dire

12. evidence contained in a document provided to prove that statements made in court are
true is referred to as:
a. inadmissible evidence
b. illegally obtained evidence
c. hearsay evidence
d. direct evidence

13. business records are considered to be an exception to:
a. direct evidence
b. inadmissible evidence
c. illegally obtained evidence
d. hearsay evidence

14. which of the following is not one of the levels of certainty associated with a particular
finding?
a. probably
b. maybe
c. almost definitely
d. possibly

15. direct evidence establishes a:
a. fact
b. assumption
c. error
d. line of inquiry

true or false questions

1. there is no need for any specialized training in the collection of digital evidence.
a. true
b. false

2. it is the duty of a digital investigator to ignore influences from any source.
a. true
b. false

3. the application of preconceived theories to a particular case is a good method of
reducing caseload.
a. true
b. false

4. in the united states, the prosecution must prove guilt beyond a reasonable doubt.
a. true
b. false

5. chain of custody is the process of documenting who has handled evidence, where and
when, as it travels from the crime scene to the courts.
a. true
b. false

6. typically, a photocopy of a document is considered hearsay evidence and is not
admissible in court.
a. true
b. false

7. direct evidence establishes a fact.
a. true
b. false

8. coerced testimony is the most common mistake that prevents evidence seized from being
admitted.
a. true
b. false

9. determining whether digital evidence has been tampered with is a major concern of the
digital examiner.
a. true
b. false

10. exceeding the scope of a warrant is not likely to affect the admissibility of the evidence
collected.
a. true
b. false

11. digital evidence cannot be direct evidence because of its separation from the events it
represents.
a. true
b. false

12. when creating an expert report, digital investigators should support assertions in their
reports with multiple independent sources of evidence.
a. true
b. false

13. voir dire is the process of becoming accepted as an expert by the court.
a. true
b. false

14. during testimony, when a lawyer appears not to be tech savvy, it is a good practice to
guess what the attorney is trying to ask.
a. true
b. false

15. a proper response to a question that you do not know the answer to is, “i don’t know.”
a. true
b. false

essay questions

develop a procedure for systematically examining a crime scene for digital evidence.

answer guidance: initial entrance to the crime scene, officer safety, separate the suspect from
the computer, look for removable media, written passwords, evidence of networks, etc.

develop a format for a digital examination report.

answer guidance: readable fonts, structure that contains a summary, the details of the report,
and attachments, etc.

hold a mock court, with the instructor acting as opposing counsel, and testify under cross-
examination.

answer guidance: thoroughly know the content of the report, don’t panic (or lose your temper),
etc.

scenario

you are accompanying a raid on a suspected software pirate. what would you be looking for?
what precautions would you be taking? what evidence collection considerations would you be
considering?

chapter 4
cybercrime law: a united states perspective
resources
the following useful resources are related to this chapter:

resource   source                                          description
us doj     http://www.cybercrime.gov/                      us doj cybercrime resources
coe        http://www.coe.int/files/cybercrime             coe cybercrime resources
sap        http://www.sentencing-guidelines.gov.uk         uk sentencing advisory panel
epic       http://www.epic.org/                            electronic privacy information center
findlaw    http://www.findlaw.com/01topics/10cyberspace/   cybercrime resources

objectives
on completion of this chapter, the student will:
- be aware of how us law deals with the major cybercrimes.
- be aware how us law deals with digital privacy.
- recognize that the primary source for federal law dealing with cybercrimes is the
computer fraud and abuse act
- recognize that the child pornography protection act was adopted by congress out of
concern for the increased proliferation of child pornography.
- be aware that copyright infringement in the form of software piracy is a crime.
- be aware that the lanham act provides protection for trademarks and trade secrets.
- recognize that state cybercrime law is often focused on crimes of access, dissemination
of malware, denial of service, computer forgery, computer fraud and theft, computer
extortion, and crimes against children.
- recognize that the constitutional freedom from unreasonable searches is the fourth
amendment.
- be aware that wiretapping deals with several issues:
▪ content of communications
▪ traffic data
▪ technology is not in general public use
- recognize that there are fifth amendment issues relating to encryption.

chapter guide
this chapter contains a significant amount of material that can form the foundation for more than
one lesson. the ultimate aim is to have students compare the policies and laws in the us and eu,
and highlight the similarities and differences between them in the following areas:

• fraud, forgery, intrusions, and other computer abuse
• child pornography
• privacy
• search and seizure
• jurisdiction

technology provides criminals with new opportunities, and many existing laws do not
adequately address the use of computers. how to prosecute crimes such as child exploitation, theft
of intellectual property, internet fraud, and cyberstalking has yet to be resolved, for a number of
reasons. one issue is jurisdiction. if an internet fraud is conducted in one state, via an offshore
isp, against a victim in another state – who has jurisdiction? where did the crime take place? a
related issue is extradition of criminals from other countries.

legislation covering computer misuse has matured but continues to evolve as case law and
technology develop. in the us, computer fraud and abuse are defined and addressed by the cfaa at
the federal level, and by state law for the remaining, smaller offenses. in the uk and eu, fraud,
forgery, and computer misuse are defined slightly differently.

another issue is the varying definitions of, and the confusion between, “pornography,” “child
pornography,” and “obscenity.” application of the miller test and copa’s guidelines to
determine when pornography has crossed over to obscenity has been the focus of a number of
court cases, and the definitions are far from being accepted.

in regard to child pornography, at present in the us, “virtual” child pornography is still protected
by the first amendment. cppa was an unsuccessful attempt to remove this protection, the premise
being that child pornography, real or digitally created, was inherently evil. however, under uk
law “pseudo-photographs” are considered illegal, and the coe includes “realistic images
representing a minor engaged in sexually explicit conduct” in their definition of child
pornography. the rationale for making virtual child pornography illegal is that it increases the
availability of such materials and thereby increases the demand. a counterargument is that law
enforcement may not be able to distinguish between virtual versus real child pornography,
making it more difficult to address the illegal activities. sentencing guidelines for child
pornography convictions continue to be an area of controversy, and the discussion about
sentencing in the uk is provided to stimulate discussion.

our “right to privacy” is an equally ambiguous concept. from a legal standpoint, it is 1) the right
to be free from governmental intrusion (protected by the constitution) and 2) the protection from
intrusion into our private lives by others (protected by common law). although search and seizure
requirements and procedures in the us and uk are very similar, in europe, personal data are
protected by an eu directive and by associated legislation in individual countries.
historically, the eu has offered greater privacy protection than the us, making it more difficult
for entities in these two jurisdictions to exchange such data. however, in response to increases in
international terrorism, some eu countries are considering legislation to give authorities greater
access to personal data.

intellectual property theft is based on copyright law. alex haley was accused of plagiarizing
parts of his epic roots. napster, kazaa, and other peer-to-peer applications engaged in the
unauthorized distribution (sharing) of copyrighted music. legal definitions are, again, behind
the times. if a data thief breaks into a computer and copies confidential data, is it theft? the
data is intact and still in place. has the owner of the data been deprived of its use?

multiple choice questions

1. what is one of the most complex aspects of jurisdiction when the internet is involved?
a. arranging to travel to remote locations to apprehend criminals
b. determining which court can enforce a judgment over a defendant
c. finding a court that is in two states
d. finding a federal court that can hear a civil suit

2. in the us, to enforce a judgment over a defendant, a court must have which of the
following?
a. subject matter and personal jurisdiction
b. general and limited jurisdiction
c. diversity and long arm jurisdiction
d. none of the above

3. which of the following occurred most recently?
a. communications decency act (cda)
b. ashcroft v. american civil liberties union
c. child online protection act (copa)
d. reno v. american civil liberties union

4. the miller test takes which of the following into account when determining if
pornography is obscene?
a. it appeals to the public interest
b. it depicts sexual conduct in a patently offensive way
c. it lacks any monetary value
d. all of the above

5. in the case of new york v. ferber, in 1982, the supreme court defined child
pornography as:
a. sketches from the imagination or literary descriptions of children engaged in
sexual activities
b. visual depictions of sexual conduct by children or by persons who look younger
than their actual age
c. works that visually depict explicit sexual conduct by children below a
specified age
d. any public or private materials depicting children engaged in sexual activities no
matter the medium

6. which of the following rights is not explicitly mentioned in the us constitution?
a. right of the people to keep and bear arms
b. right of personal privacy
c. right of the people peaceably to assemble
d. right to a speedy and public trial

7. which of the following is not a consideration in determining “fair use” of copyrighted
materials?
a. the purpose and character of the use
b. the amount and substantiality of the portion of the copyrighted work used
c. the expense involved in creating the original material
d. effect on the potential market for the work

8. the definition of a “protected computer” is, according to the cfaa:
a. a computer that is used exclusively by a financial institution or the federal
government.
b. a computer that is used non-exclusively by a financial institution or the federal
government and the crime affects that use.
c. a computer that is used in state or foreign commerce or communication.
d. all of the above.

9. under the cfaa, the provision that is used to prosecute those who create or spread
viruses, worms, and other malware is:
a. 1030(a)(5)(a)
b. 1030(a)(5)(b)
c. 1030(a)(5)(c)
d. 1030(a)(5)(d)

10. under the cfaa, it is a federal crime to knowingly transfer, possess, or use a means of
identification of another person without being authorized, with the intent to commit or to
aid or abet any unlawful activity. the section that addresses this is:
a. 1028(a)(5)
b. 1028(a)(6)
c. 1028(a)(7)
d. 1028(a)(8)

11. the legislation that made the theft of trade secrets a federal crime was
a. the lanham act
b. the economic espionage act
c. the child pornography protection act
d. none of the above

12. which state does not have a law prohibiting simple hacking – gaining unauthorized
access to a computer?
a. california
b. texas
c. washington
d. none of the above

13. the term “computer contaminant” refers to:


a. excessive dust found inside the computer case
b. viruses, worms, and other malware
c. spam e-mails
d. nigerian scam e-mails

14. in those states with legislation addressing computer forgery, contraband in the form of
“forgery devices” may include:
a. computers
b. computer equipment
c. specialized computer software
d. all of the above

15. compelling a suspect to reveal passwords to provide access to encrypted media is
considered to fall under the:
a. second amendment
b. fourth amendment
c. fifth amendment
d. seventh amendment

true or false questions

1. all cybercrimes can be addressed using existing laws.
a. true
b. false

2. the criminal justice systems in the eu and us work in essentially the same way.
a. true
b. false

3. long-arm statutes enable us states to enforce their laws on out-of-state individuals or
organizations.
a. true
b. false

4. a single photograph can be deemed acceptable in california and obscene in
tennessee.
a. true
b. false

5. in the us and uk, it is legal to possess child pornography but illegal to distribute it to
others.
a. true
b. false

6. the us first amendment protects obscenity but not child pornography.
a. true
b. false

7. virtual child pornography is illegal under uk law but not us law.
a. true
b. false

8. privacy is a clearly defined concept according to us law.
a. true
b. false

9. the us fourth amendment prohibits employers from unauthorized searches and
seizures of their employees.
a. true
b. false

10. in the us, the government may require a warrant to search a public area.
a. true
b. false

11. in the us, the government does not require a warrant to search through
garbage/rubbish bags left outside of an individual’s home.
a. true
b. false

12. in the us, the government does not require a search warrant to observe an
individual’s home from outside its walls using “radar-based through-the-wall
surveillance systems.”
a. true
b. false

13. the us electronic communications privacy act prohibits employers from
unauthorized searches and seizures of their employees’ electronic communications.
a. true
b. false

14. copyright law does not prohibit individuals from downloading digital copies of
protected materials without paying because it is considered fair use.
a. true
b. false

15. the fourth amendment addresses the citizens’ right to bear arms.
a. true
b. false

essay questions

debate the application of fifth amendment protection from incrimination to the refusal to
divulge passwords to encrypted data.

discuss the difference between pornography and obscenity.

scenario

you are asked to describe to a non-technical jury how data are stored on a hard disk drive. how
would you go about describing this and what visual aids and/or analogies would you use?

chapter 5
cybercrime law: a european perspective

objectives
on completion of this chapter, the student will:
- be aware of differences between super-national and national legal frameworks.
- recognize the progression of cybercrime legislation in europe.
- be able to list the three computer crime categories specified in the cybercrime
convention:
o computer-integrity crime
o computer-assisted crime
o content-related crime
- be aware of other computer related offenses:
o copyright infringement
o cyberbullying
- be aware of various forms of jurisdiction

cybercrime is in a constant state of flux – and cybercrime investigation is likewise constantly
evolving to meet new threats. the transnational aspect of cybercrime requires international
accords to facilitate mutual assistance and mitigate jurisdictional disputes. implicit in such
accords is the need for countries to constantly update legislation to meet new cybercrime
threats.

multiple choice questions

1. which of the following courts is located in france?
a. court of first instance
b. european court of justice
c. le conseil d'état
d. all of the above

2. in the uk, an application for a search warrant must include which of the following?
a. reasonable grounds for believing that a crime has been committed
b. a specific description of the premises to be searched
c. which law has been broken
d. all of the above

3. how do europe and north america address the challenges of jurisdiction when a computer
crime involves both continents?
a. search warrants
b. treaties
c. presidential intervention
d. all of the above

4. the english sentencing advisory panel (sap) categorized the increasing seriousness of child
pornography material into five levels. which of the following is considered the worst, level 5?
a. sadism or bestiality
b. sexual activity between children or solo masturbation by a child
c. non-penetrative sexual activity between adults and children
d. penetrative sexual activity between adults and children

5. the eu framework decision makes illegal access to information systems (intentional,
without right). member states are required to ensure that this is:
a. handled as a civil court issue
b. punishable as a criminal offense
c. the responsibility of the owner of the computer system
d. handled as a reprimand only

6. the council of europe convention on cybercrime introduces three categories of computer
offense. the most serious category is:
a. computer-assisted crimes
b. computer-related crimes
c. computer-integrity crimes
d. computer malfeasance crimes

7. an example of a content-related crime would be:
a. cyberstalking
b. child pornography
c. hacking
d. none of the above

8. hacking is an example of:
a. computer-assisted crime
b. computer-related crime
c. computer-integrity crime
d. computer malfeasance crime

9. forgery is an example of:
a. computer assisted crime
b. computer-related crime
c. computer-integrity crime
d. computer malfeasance crime

10. in the uk, prosecution of child pornography falls under what act?
a. the protection of children act of 1978
b. the crimes against children act of 1996
c. the council of europe convention on cybercrime
d. none of the above

11. in ireland, the non-fatal offences against the state act of 1997 specifically addresses:
a. computerized welfare fraud
b. cyberbullying
c. nigerian scams
d. hacking

12. the netherlands claims universal jurisdiction for the crime of:
a. attacks on the king
b. transnational computer crimes
c. terrorist network activity
d. malware distribution

13. jurisdiction claims may be based on:
a. location of the perpetrator’s computer
b. location of the victim’s computer
c. location of intermediary computers
d. all of the above

14. in the civil-law countries, such as the netherlands, criminal law is “inquisitional” where:
a. the judge takes an active role in “finding the truth”
b. the judge takes a more passive role, with “truth-finding” assigned to prosecution and
defense
c. the judge and attorneys from both prosecution and defense meet in private chambers
to determine guilt or innocence.
d. the public serves as judge, with prosecution and defense presenting their case in a
public forum.

15. england became the first european country to enact a law to address computer crime
specifically. this law – the computer misuse act – was enacted in:
a. 1985
b. 1990
c. 1995
d. 2000

true or false questions

1. all cybercrimes can be addressed using existing laws.
a. true
b. false

2. the criminal justice systems in the eu and us work in essentially the same way.
a. true
b. false

3. in the uk, it is legal to possess child pornography but illegal to distribute it to others.
a. true
b. false

4. in the uk, downloading child pornography is equated with “making” illegal material
according to the legal definition.
a. true
b. false

5. virtual child pornography is illegal under uk law.
a. true
b. false

6. according to the coe convention on cybercrime, it is not illegal to break into a
computer provided the intruder does not cause any damage.
a. true
b. false

7. “online grooming” was criminalized by the lanzarote convention.
a. true
b. false

8. scotland has specific legislation addressing cyberbullying.
a. true
b. false

9. in irish computer crime law, jurisdiction is often integrated into the legislative section
setting out the offense.
a. true

b. false

10. in england, child prostitution and pornography are scheduled offenses to the english
serious crime act 2007.
a. true
b. false

11. european law is civil-based, whereas the common-law countries are considered an
adversarial system.
a. true
b. false

12. in the eu, crimes like illegal access, illegal interception, and data interference are
categorized as computer-integrity crimes.
a. true
b. false

13. in the eu, computer-assisted crimes consist of those crimes which cannot be committed
in the absence of computers or computer networks.
a. true
b. false

14. in the eu, content-related crimes relate to traditional offenses where computers are tools
rather than targets but, unlike computer-assisted crimes it is the content of data rather
than the result of an action that is the core of the offense.
a. true
b. false

15. data interference is the intentional “serious hindering without right to the functioning of
a computer system.”
a. true
b. false

essay questions

discuss the difficulties an examiner might encounter in a transnational investigation.

answer guidance: jurisdiction, treaties, reciprocity, counterparts in other countries.

research agencies that you would need to contact for five nations outside of europe.

answer guidance: check the cia factbook for information on government agencies, follow up.

scenario

you have been notified of the existence of threatening e-mails being sent to the ceo of your
company. an examination of the e-mails revealed that they originated from outside of the
country.

describe the steps you would take in your investigation. in particular, address the issue of jurisdiction
and locating your counterparts in the target country.

chapter 6 conducting
digital investigations

objectives

on completion of this chapter, the student will:

- be able to discuss various digital investigation process models.
o physical model
o staircase model
o evidence flow model
o subphase model
o roles and responsibilities model
- recognize that there are other activities inherent in conducting an investigation.
o a triggering event
o authorization to proceed
o threshold considerations
o transportation
o verification
o case management
- recognize the application of the scientific method to digital investigations.
o observation
o hypothesis
o prediction
o experimentation/testing
o conclusion

chapter guide

following the twelve steps described in this chapter increases the likelihood that an investigation
will lead to the truth and will serve justice. more specifically, the ultimate aim of the model
covered in this chapter is to help investigators ascend a sequence of steps that are generally
accepted, reliable, and repeatable, and lead to logical, well-documented conclusions of high
integrity. to fully appreciate the flexibility and power of this model, it is necessary to explore
how it applies to different types of investigations. for instance, the incident handling section of
the educause effective security practices guide (http://www.educause.edu/security/guide)
outlines how this methodology is applied to computer security incidents. in addition, it is
instructive to compare this model with others such as the one described in “getting physical with
the digital investigation process” by carrier and spafford (available online at
http://www.ijde.org/docs/03_fall_carrier_spa.pdf).

the general discussions about remaining objective, overcoming preconceived theories, and the
differences between scientific and legal truths provide an important foundation for all
investigations. exercises that challenge students to question assumptions and to construct logical
arguments are useful in the introductory level courses. several other key concepts within the
investigative process should be emphasized:

• locard’s exchange principle
• individual versus class characteristics
• continuity of offense
• examination versus analysis

locard’s exchange principle states that anyone or anything entering a crime scene leaves
something behind or takes something with him when he leaves. although this principle was
developed nearly a century ago for investigations in the physical world, it applies to crime in the
digital realm. for example, a threatening e-mail creates a trail from the sender’s computer, on
e-mail servers that handle the message and on the recipient’s computer. these exchanges of digital
evidence and the resulting cybertrails enable investigators to establish the continuity of offense
and link online activities to a specific computer or individual.

notably, investigators can also inadvertently cause evidence exchange when they enter or leave a
crime scene. adherence to standard operating procedures helps minimize such spoliation of
digital crime scenes, and thorough documentation helps reduce the resulting confusion.

a “class characteristic” is a general feature shared with similar items, such as kodak digital
cameras that embed the make and model names in the photographs they take. an “individual
characteristic” is a unique feature specific to a particular thing, place, person, or action. for
example, a scratch on a camera lens that appears in photographs it takes, a distinct monument in
the background of a photograph, or the defendant’s face appearing in a photograph are all
individual characteristics that may help investigators associate the photograph with its source,
i.e., a particular camera, location, or person. see the example on page 99.

students often think of ip addresses in e-mail headers or network packets as an individual
characteristic. however, an ip address in an e-mail header is not necessarily unique to a specific
computer. e-mail messages from several computers will have the same source ip address when
they are connecting through a web proxy or nat device. computers accessing the internet via
dial-up (ppp) connections are assigned ip addresses within a certain range using dhcp – two
computers dialing in at different times may be assigned the same ip address. denial of service
attack tools often use randomly generated source ip addresses to make it more difficult to
determine the source of the attack. therefore, the ip address is a class characteristic that must be
combined with other class characteristics in the e-mail header (i.e., date and time) or network
packet to determine which computer was involved.
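To make the point concrete, here is an added Python example (not from the text) that treats the ip address as a class characteristic and narrows it with the header's date and time: it parses a constructed Received header and a constructed DHCP lease log in which two hosts use the same address at different times, and reports which host held the address when the message was sent. The syslog-like lease log format is an assumption made for this example.

```python
"""Correlating a source IP address with a timestamp to identify the originating host.

Added example (not from the original text): the Received header and the DHCP
lease log below are constructed sample data in a syslog-like format assumed
for this illustration, not the output of any particular server.
"""
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed Received header, as an MTA would add it to a message it relayed.
RECEIVED_HEADER = (
    "Received: from client.example.org ([203.0.113.45]) by mx.example.net "
    "with ESMTP id k9s2Ab; Tue, 02 Mar 2004 14:05:12 +0000"
)

# Constructed DHCP lease log: two different hosts hold the same address at
# different times, which is exactly why the address alone is a class characteristic.
DHCP_LOG = """\
2004-03-02T13:58:00+00:00 DHCPACK on 203.0.113.45 to 00:11:22:33:44:55 (host-alpha) lease 600
2004-03-02T14:09:30+00:00 DHCPRELEASE of 203.0.113.45 from 00:11:22:33:44:55 (host-alpha)
2004-03-02T14:10:00+00:00 DHCPACK on 203.0.113.45 to 66:77:88:99:aa:bb (host-bravo) lease 600
"""

RECEIVED_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*;\s*(?P<date>[^;]+)$")
LEASE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>DHCPACK|DHCPRELEASE) (?:on|of) (?P<ip>\S+) "
    r"(?:to|from) (?P<mac>\S+) \((?P<host>[^)]+)\)(?: lease (?P<secs>\d+))?$"
)


def parse_received(header):
    """Return (ip, timezone-aware datetime) taken from a Received header line."""
    m = RECEIVED_RE.search(header)
    if m is None:
        raise ValueError("no bracketed IP and date found in header")
    return m.group("ip"), parsedate_to_datetime(m.group("date"))


def parse_leases(log):
    """Turn DHCP ACK/RELEASE events into (start, end, ip, host, mac) intervals.

    A lease ends at its RELEASE, at its expiry, or when a new ACK hands the
    same address to someone else, whichever comes first.
    """
    active = {}       # ip -> (start, expiry, host, mac)
    intervals = []

    def close(ip, at):
        start, expiry, host, mac = active.pop(ip)
        intervals.append((start, min(at, expiry), ip, host, mac))

    for line in log.splitlines():
        m = LEASE_RE.match(line)
        if m is None:
            continue                      # skip unrelated log lines
        ts = datetime.fromisoformat(m.group("ts"))
        ip = m.group("ip")
        if m.group("event") == "DHCPACK":
            if ip in active:
                close(ip, ts)
            expiry = ts + timedelta(seconds=int(m.group("secs")))
            active[ip] = (ts, expiry, m.group("host"), m.group("mac"))
        elif ip in active:
            close(ip, ts)
    for ip in list(active):               # leases still open at end of log
        close(ip, active[ip][1])
    return intervals


def holders_of(intervals, ip):
    """Every host that ever held the address: the whole class of candidates."""
    return sorted({host for _, _, lease_ip, host, _ in intervals if lease_ip == ip})


def holder_at(intervals, ip, when):
    """Hosts whose lease on the address covers the instant `when`."""
    return [host for start, end, lease_ip, host, _ in intervals
            if lease_ip == ip and start <= when < end]


def attribute_message(header, log):
    """Combine the IP with the header timestamp to single out the sending host."""
    ip, sent_at = parse_received(header)
    intervals = parse_leases(log)
    return holders_of(intervals, ip), holder_at(intervals, ip, sent_at)


if __name__ == "__main__":
    candidates, at_send_time = attribute_message(RECEIVED_HEADER, DHCP_LOG)
    print("hosts that used the IP:", candidates)
    print("host holding the IP when the message was sent:", at_send_time)
```

A timestamp that falls between a release and the next lease yields no holder, which is the honest answer when the log cannot support attribution.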

the importance of class characteristics of digital evidence cannot be overstated. digital evidence
examiners use class characteristics to determine what type of data are in files, and thus what type
of information they can extract from them. examiners also use class characteristics to group like
files and filter irrelevant groups to reduce the amount of data they must deal with. ultimately,
class characteristics can combine to narrow the focus of an investigation to a particular group of
suspects, computers, or certain geographic regions.

as an investigation moves from one computer to another, the examiner should examine each
system to establish the path that data relating to the offense took in order to reach its destination.
searching for “continuity of offense” substantiates the examiner’s findings and adds weight to
evidence found. see page 99 for more information.

many people incorrectly think of examination as synonymous with analysis when in fact these
are two very different processes. examination is the process of extracting and preparing data for
analysis. the examination process involves data recovery, translation, reduction, organization,
and searching. a thorough examination results in all relevant data being organized and presented
in a manner that facilitates detailed analysis. analysis involves gaining an understanding of and
reaching conclusions about the incident based on evidence produced during the examination
process. analysis also involves assessing key findings through experimentation, fusion,
correlation, and validation.

a checklist is provided here as an example of what investigators look for when conducting a
digital investigation. this type of checklist helps digital investigators document important details
and contributes to case management by helping them keep track of what they have found.

crime scene checklist
case number:          date:          investigator:          location:
case description:

computer
type: □ rack/server □ desktop □ laptop □ pda □ cell phone □ other:
make/model:
os: □ linux □ solaris □ win nt/xp □ mac os x □ aix □ bsd □ hp-ux □ win 95/98 □ mac os 8/9 □ other:
network interface:          scsi interface:
seized by:          authorization: □ warrant □ other:
state when seized: □ on □ off □ standby/hibernation □ other:
shutdown method: □ normal □ cut power □ unknown
ram: □ kb □ mb
s/n:          evidence no.:
cmos date/time:          photograph exhibit no.:
actual date/time:          usage/ownership history:

internal storage
hdd 0: make/model:   s/n:   connection/jumpers:   md5 hash value:
hdd 1: make/model:   s/n:   connection/jumpers:   md5 hash value:
hdd 2: make/model:   s/n:   connection/jumpers:   md5 hash value:
hdd 3: make/model:   s/n:   connection/jumpers:   md5 hash value:
acquisition: □ dd □ encase □ ftk □ imagemaster □ other:

external storage devices
3.5 floppy: □ internal □ external
zip/jazz: □ internal □ external
cd read or write: □ internal □ external
dvd read or write: □ internal □ external
backup tapes: □ internal □ external
other:
notes:

network
lan type: □ none □ ethernet □ 802.11 □ other:
wan type: □ dial-up □ dsl □ cable □ t1
notes:

logs
authentication: □ radius/tacacs □ web □ pop/imap □ other:
application: □ http □ ftp □ smtp □ other:
system: □ nt event log □ syslog □ wtmp □ other:
network: □ firewall □ ids □ netflow □ other:
state tables: □ firewall □ switch □ router □ other:
notes:

multiple choice questions

1. standard operating procedures (sops) are important because they:
a. help individuals avoid common mistakes
b. ensure that the best available methods are used
c. increase the probability that two forensic examiners will reach the same
conclusions when they examine the evidence
d. all of the above

2. the goal of an investigation is to:
a. convict the suspect
b. discover the truth
c. find incriminating evidence
d. all of the above

3. an investigation can be hindered by the following:
a. preconceived theories
b. improperly handled evidence
c. offender concealment behavior
d. all of the above

4. when you have developed a theory, what can you do to confirm that your hypothesis is
correct?
a. predict, based on your hypothesis, where artifacts should be located
b. perform experiments to test results and rule out alternate explanations
c. conclude, based on your findings, whether the evidence supports the hypothesis
d. all of the above

5. which of the following is not a class characteristic of files on magnetic media:
a. extension (e.g., .jpg, .exe)
b. date-time stamp (e.g., 02/28/2004 03:00 pm)
c. name (e.g., encase.exe)
d. directory structure

6. which of the following would be considered an individual characteristic?
a. the originating ip address in a network packet or e-mail header
b. a scratch on the glass of a flatbed scanner or digital camera lens
c. date-time stamps of files on a disk or entries in a database
d. all of the above

7. when digital photographs containing child pornography are found on a home computer,
investigators can assert that:
a. someone in the house transferred the photographs onto the computer from a disk
or the internet.
b. someone in the house took the photographs with a digital camera and transferred
them directly onto the computer.
c. someone gained unauthorized access to the computer via the internet and
transferred the photographs onto the computer.
d. none of the above.

8. forensic examination involves which of the following:
a. assessment, experimentation, fusion, correlation, and validation
b. seizure and preservation
c. recovery, harvesting, filtering, organization, and search
d. all of the above

9. forensic analysis involves the following:
a. assessment, experimentation, fusion, correlation, and validation
b. seizure and preservation
c. recovery, harvesting, filtering, organization, and search
d. all of the above

10. the first step in applying the scientific method to a digital investigation is to:
a. form a theory on what may have occurred
b. experiment or test the available evidence to confirm or refute your prediction
c. make one or more observations based on events that occurred
d. form a conclusion based on the results of your findings

11. which of the following should the digital investigator consider when arranging for the
transportation of evidence?
a. should the evidence be physically in the possession of the investigator at all
times?
b. will the evidence copies be shared with other experts at other locations?
c. will there be environmental factors associated with the digital media?
d. all of the above

12. in the staircase model, why is case management shown spanning across all of the steps
in the process model?
a. case documents are intangible objects that can be held.
b. case management provides stability and enables investigators to tie all
relevant information together.
c. case management documents the process function.
d. none of the above.

13. process models have their origins in the early theories of computer forensics which
defined the field in terms of a ________ process.
a. complicated
b. difficult
c. linear
d. polymorphic

14. generating a plan of action and obtaining supporting resources and materials falls under
which step in the digital investigation?
a. preparation
b. survey/identification
c. preservation
d. examination and analysis

15. the process model whose goal is to completely describe the flow of information in a
digital investigation is known as:
a. the physical model
b. the staircase model
c. the evidence flow model
d. the subphase model

true or false questions

1. not all incidents should be fully investigated nor do they all deserve the same priority
and attention.
a. true
b. false

2. the scientific method uses computers to verify findings in an investigation.
a. true
b. false

3. the legal truth is always in agreement with the scientific truth in an investigation.
a. true
b. false

4. forensic examination and forensic analysis are separate processes.
a. true
b. false

5. when a network is involved in a crime, investigators must seize and preserve all systems
on the network.
a. true
b. false

6. when seizing a computer, it is always acceptable to lose the contents of ram.
a. true
b. false

7. case management is a critical part of digital investigations.
a. true
b. false

8. beebe and clark contend that most investigative process models are too low level.
a. true
b. false

9. the process model whose primary strength is a notion of a continuous flow of
information is known as the subphase model.
a. true
b. false

10. of particular significance in the scientific method is the weight attached to finding
evidence which supports a particular hypothesis.
a. true
b. false

11. evidential artifacts found in the experimentation and testing process of the scientific
method which are compatible with a particular hypothesis can be taken as proof of the
hypothesis.
a. true
b. false

11. preparation for the preservation step ensures that the best evidence can be preserved
when the opportunity arises.
a. true
b. false

12. if alternative theories are suggested later, digital investigators have an obligation to
reevaluate their findings.
a. true
b. false

13. forensic examination is the process of extracting, viewing, and analyzing information
from the evidence collected.
a. true
b. false

14. survey/triage forensic inspection is the targeted review of all available media to determine which
items contain the most useful evidence and require additional processing.
a. true
b. false

essay questions

1. why is it important to process digital evidence properly while conducting an investigation?

answer guidance: proper evidence processing is essential because digital evidence is fragile and
often transient (see section 1.3) – if it is not processed using proper procedures and tools it may
be damaged and deemed inadmissible. evidence is the foundation of a case and if important
evidence is excluded because of improper processing, this can make it difficult to prove a case.

additionally, weak evidence can lead to incorrect conclusions and miscarriages of justice.

2. what is locard’s exchange principle? give an example of how this principle applies to
computer crime.

answer guidance: locard’s exchange principle is one of the cornerstones of forensic science.
the principle is that anyone, or anything, entering a crime scene takes something of the scene
with them, and leaves something of themself behind when they depart from the scene. such
evidence transfer occurs in both the physical and digital realms and can be useful in internet
investigations for establishing compelling links between the offender, victim, and crime scene.

also, investigators can inadvertently participate in the exchange of evidence, resulting in
evidence dynamics. in addition to transfer between people and crime scenes, keep in mind that
evidence transfer also happens between victims and offenders.

3. how are class characteristics useful in an investigation? give an example involving digital
evidence.

answer guidance: investigators can use class characteristics to determine what types of data are
in files, and thus what type of information they can extract from them. digital evidence
examiners use class characteristics to group like files and filter irrelevant groups to reduce the
amount of data they must deal with. ultimately, class characteristics can combine to narrow the
focus of an investigation to a particular group of suspects, computers, or certain geographic
regions.

4. how would you search for all image files on a disk? explain the rationale of your approach.

answer guidance: in some cases, it may be sufficient to search for files using file extensions of
common graphics formats like .jpg and .gif. although this approach may result in sufficient
incriminating evidence to proceed, it does not recover all files on the disk. searching a disk for
class characteristics such as the file headers of common graphics formats will locate more files.

additionally, it is necessary to examine “special” files such as zip archives, encrypted files, etc.,
to determine if they contain image files. it goes without saying that you perform all of your
operations on a copy or a write-protected original but i still like to hear you say it.
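As an added illustration of the extension-versus-header point (example code, not from the text), the following Python builds a small constructed sample directory and compares what an extension search finds with what a file-signature search finds, including an image hidden inside a zip archive and a file whose extension does not match its contents. The file names and contents are constructed for the example; the signature bytes are the real magic numbers of the formats named.

```python
"""Locating image files by class characteristics (file-header signatures)
rather than by extension alone, including images stored inside zip archives.

Added example, not from the original text. It builds its own small sample
'disk' in a temporary directory so it runs offline; the file names and
contents are constructed.
"""
import tempfile
import zipfile
from pathlib import Path

# Magic-number signatures of common graphics formats (real values).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
HEADER_LEN = 8


def classify(header):
    """Return the format whose signature matches the leading bytes, else None."""
    for name, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return name
    return None


def find_by_extension(root):
    """Naive approach: trust the file name."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in IMAGE_EXTENSIONS)


def find_by_signature(root):
    """Examine the header of every file, and of every member of zip archives."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        with open(p, "rb") as fh:
            kind = classify(fh.read(HEADER_LEN))
        if kind:
            hits.append((rel, kind))
        if zipfile.is_zipfile(p):          # a "special" file: look inside it too
            with zipfile.ZipFile(p) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    with zf.open(info) as member:
                        kind = classify(member.read(HEADER_LEN))
                    if kind:
                        hits.append((f"{rel}:{info.filename}", kind))
    return sorted(hits)


def build_sample_disk():
    """Create a constructed directory that exercises each case; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="sample_disk_"))
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)   # genuine JPEG header
    (root / "report.doc").write_bytes(b"GIF89a" + b"\x00" * 32)             # GIF renamed to look like a document
    (root / "empty.jpg").write_bytes(b"")                                   # image extension, no content
    (root / "notes.txt").write_text("meeting at noon\n")
    with zipfile.ZipFile(root / "backup.zip", "w") as zf:
        zf.writestr("pics/hidden.dat", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # PNG inside an archive
        zf.writestr("readme.txt", "nothing to see\n")
    return root


if __name__ == "__main__":
    disk = build_sample_disk()
    print("by extension:", find_by_extension(disk))
    print("by signature:", find_by_signature(disk))
```

The extension search misses the renamed GIF and the archived PNG while reporting the empty file; the signature search finds all three images and nothing else.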

chapter 7
handling a digital crime scene

objectives

on completion of this chapter, the student will:

- understand that crime scene investigation is the first, most crucial step in the forensic
process.
- be aware of sources for digital crime scene processing guidelines.
- be able to list fundamental principles for digital crime scene processing.
- be aware of the role of authorization in crime scene processing.
- understand that a plan should be developed for processing a crime scene.
- be aware of the steps to preserve the digital crime scene.

chapter guide

although no two digital crime scenes will ever be the same, the application of accepted methods
and best practices goes a long way to assuring that the scene is protected and digital evidence is
preserved.

the ultimate aim of investigative models is to help digital investigators take steps that are
generally accepted, reliable, and repeatable.

application of the scientific method to crime scene processing and digital investigation provides
a rigor to the processes involved. adhering to pre-existing policies and procedures provides
consistency and thoroughness, and ensures that the best available methods – the best practices –
are followed.

multiple choice questions

1. the following organizations have published guidelines for handling digital crime scenes:
a. us secret service
b. association of chief police officers
c. us department of justice
d. all of the above

2. when a first responder encounters technology or equipment that he is not familiar with, the
recommended course of action is to:
a. seize the equipment as if it were a known device
b. seek assistance from a more experienced digital investigator
c. leave that particular piece of equipment at the crime scene
d. ask the suspect for details on the equipment

3. when preparing a questionnaire for interviewing individuals of the crime scene which of the
following should not be requested:
a. passwords
b. encryption keys
c. admission of guilt
d. details on removable storage

4. when entering a crime scene, the initial survey should:
a. include user manuals
b. involve tracing cables
c. collect relevant data such as passwords and account details
d. all of the above

5. examples of data that should be immediately preserved include:
a. usb drives
b. digital picture frames
c. system and network information
d. usb bracelets

6. the crime scene preservation process includes all but which of the following:
a. protecting against unauthorized alterations
b. acquiring digital evidence
c. confirming system date and time
d. controlling access to the crime scene

7. a thorough crime scene survey should include:
a. manuals for software applications
b. removable media
c. mobile devices
d. all of the above

8. the challenge to controlling access to a digital crime scene is that:
a. information may be stored on internet servers in different locations.
b. the computer may be shared.
c. the computer case may be locked.
d. none of the above.

9. in the case where digital investigators dealing with distributed systems need to collect data
from remote sites, the following procedure is recommended:
a. notify personnel at the remote sites to leave everything as is, and arrange for travel to
the remote locations
b. notify personnel at the remote sites to shut down all systems and send the hard drives
to the forensic lab
c. utilize remote forensics tools to acquire data from the remote sites’ ram as well
as the hard drives
d. none of the above

10. when presenting evidence on an organizational network, the digital investigator may require
the assistance of:
a. system administrators
b. the ceo of the organization
c. the cso (chief security officer)
d. additional forensic investigators

11. which of the following is not a safety consideration for a first responder?
a. additional personnel to control those present at the crime scene
b. protection against elf emanations from monitors
c. proper tools for disassembling and reassembling computer cases
d. protective gloves and eyewear

12. digital investigators like to preserve every potential source of digital evidence; however,
they are constrained by:
a. the law
b. resources
c. the interests of business
d. all of the above

13. during the initial survey of a crime scene, why it is necessary to photograph or videotape the
area and items of potential interest in their current state?
a. this simplifies inventorying the crime scene.
b. photographing items to be seized records their actual condition, and precludes
damage claims when the items are returned to the offender.
c. to record the fact that a particular item was actually found at the crime scene.
d. none of the above.

14. why is the first step to secure the physical crime scene by removing everyone from the
immediate area?
a. to prevent them from contaminating evidence
b. to prevent them from asking questions about the case before they can be interviewed
c. to give them time to fill out a personal information survey
d. to keep them from blocking the view when photographs are being taken

15. when a piece of evidence has both a biological and a digital component, who should process
it first?
a. the crime scene technician, because biological artifacts are much more fragile
b. the digital investigator, because processing the biological artifacts will destroy
digital evidence
c. neither; the evidence should be preserved and transported to the lab for processing
d. both the crime scene technician and the digital investigator, in a cooperative
effort, assuring that the biological evidence is collected in a way that does not
damage the digital component

true or false questions

1. when first entering a crime scene, the first responder should immediately focus on the
computers and technology.
a. true
b. false

2. since crime scenes are typically pretty much the same, very little planning needs to take place
prior to first entering the scene.
a. true
b. false

3. on entering a crime scene, an investigator notes that a piece of equipment with antennas
attached is connected to one of the target computers. since this indicates a wireless connection,
it is advisable to either disconnect or disable the piece of equipment.
a. true
b. false

4. in most situations, it is advisable to let the physical crime scene technicians, under the
direction of the forensic investigator, process the scene first.
a. true
b. false

5. the likelihood of collecting notable information from a running computer is relatively small,
so it is safe to shut down any running computer to preserve the data on the hard drive.
a. true
b. false

6. when shutting down a live system it is generally recommended to unplug the power from the
back of the computer.
a. true
b. false

7. the proper collection of evidence at a crime scene is crucial in terms of admissibility in court.
a. true
b. false

8. when performing triage at a crime scene, an important first step is to turn on any computers
that are off and immediately look for items of evidence.
a. true
b. false

9. computer security professionals should obtain instructions and written authorization from
their attorneys before gathering digital evidence relating to an investigation with an organization.
a. true
b. false

10. the fourth amendment, like ecpa, only applies to the government, not the private sector.
a. true
b. false

11. when an organization itself is under investigation, it is always feasible to collect all the data
for every system.
a. true
b. false

12. the contents of volatile memory are becoming more and more important.
a. true
b. false

13. the decision to seize an entire computer versus create a forensic duplicate of the internal
hard drive will be influenced by the role of the computer.
a. true
b. false

14. when seizing a computer, it is advisable to remove the computer’s case and to unplug power
cables from hard drives.
a. true
b. false

15. capturing volatile data or specific files from a live system is a straightforward process
usually handled by the first responder.
a. true
b. false

essay questions

1. what considerations are there when developing a crime scene plan?

answer guidance: physical layout and access, equipment, personnel separation, connectivity
issues.

2. what information would you provide when preparing a search warrant?

answer guidance: specific details of the items to be seized, probable cause for seizing the
property, location to be searched, types of evidence that will be seized, etc.

scenario

you are participating in the pre-raid briefing of a software piracy site. your part in the raid is to
present and seize all the computers at the site.
what questions would you ask the intelligence briefer about your part in the mission?
what information and recommendations would you provide to the briefing?

chapter 8
investigative reconstruction with digital evidence

objectives

on completion of this chapter, the student will:

- be aware that crime is not always committed in a straightforward manner.
- recognize that investigative reconstruction refers to the systematic process of piecing
together evidence.
- recognize the need to conduct equivocal forensic analysis to assure that evidence is
evaluated objectively.
- be aware that the results of investigative reconstruction may need additional influences
and preconceived theories.
- recognize that evidence that is used to reconstruct crimes falls into three categories:
a. relational
b. functional
c. temporal
- recognize the role of victimology in the course of an investigation.
- recognize the connection between crime scene characteristics and modus operandi.
- be aware that the two most common types of reports are:
a. a threshold assessment (a preliminary summary of findings)
b. a full investigative report

chapter guide
investigatory reconstruction provides a methodology for gaining a better understanding of a
crime and focusing an investigation. objectively reviewing available evidence provides a
greater understanding of the case.

as the situation dictates, the investigator may prepare a threshold assessment or a full
investigative reconstruction.

multiple choice questions

1. the process of evaluating available evidence objectively, independent of the
interpretations of others, to determine its true meaning is referred to as:
a. equivocal forensic analysis
b. investigative reconstruction
c. threshold assessment
d. behavioral imprints

2. the words that an offender uses on the internet, the tools that an offender uses online,
and how an offender conceals his identity and criminal activity are referred to in the text
as:
a. investigation reconstruction
b. threshold assessment
c. behavioral imprints
d. crime scene analysis

3. investigative reconstruction is composed of three different forms. which of the following
is not one of those three forms?
a. functional
b. intentional
c. relational
d. temporal

4. creating a histogram of times to reveal periods of high activity is an example of which
form of investigative reconstruction?
a. functional
b. intentional
c. relational
d. temporal

5. the investigation and study of victim characteristics is known as:
a. criminal profiling
b. behavioral imprints
c. victimology
d. crime scene analysis

6. why should victimology include a thorough search of the internet for cybertrails?
a. because the internet can significantly increase the victim's risk.
b. because it is well known that even traditional criminal offenses are documented
on the internet.
c. because nearly everyone uses the internet.
d. none of the above.

7. the type of report that is a preliminary summary of findings is known as:
a. sitrep
b. threshold assessment report
c. full investigative report
d. field notes

8. according to the text, the distinguishing features of a crime scene as evidenced by the
offender’s behavioral decisions regarding the victim and the offense location are known
as:
a. hard evidence
b. fruit of the poison tree
c. caveat emptor
d. crime scene characteristics

9. in crimes against individuals the ______ period leading up to the crime often contains the
most important clues regarding the relationship between the offender and the victim.
a. 24-hour
b. 48-hour
c. 60-minute
d. 15-minute

10. one of the most important things to establish when a computer is directly involved in the
commission of a crime is:
a. where the computer was purchased
b. what operating system is in use
c. who or what was the intended victim or target
d. none of the above

11. an example of online behavior that puts an individual at higher risk for cyberstalking is:
a. using your real name online
b. putting personal information in your profile
c. posting photographs on a social networking page
d. all of the above

12. in the movie home alone one of the burglars would always turn the water on in the sinks
so that the house would be flooded when the owners returned. in terms of crime scene
characteristics, this is an example of:
a. psychotic episode
b. signature-oriented behavior
c. modus operandi
d. vandalism

13. the totality of choices an offender makes during the commission of a crime are referred
to as:
a. the criminal’s mo
b. crime scene characteristics
c. tangible evidence
d. none of the above

14. because seemingly minor details regarding the offender can be important, investigators
should get into the habit of contemplating which of the following:
a. what the offender brought to the crime scene
b. what the offender took from the crime scene
c. what the offender changed at the crime scene
d. all of the above

15. one reason digital investigators write threshold assessments more often than full reports
is because:
a. they will be included in a final report, and so, distribute the time for final report
preparation over the entire period of the investigation.
b. they keep their supervisor aware of their productivity.
c. they take less time to prepare and may be sufficient to close out an
investigation.
d. they serve as field notes for the investigator.

true or false questions

1. “investigative reconstruction” refers to the systematic process of piecing together
evidence and information gathered during an investigation to gain a better understanding
of what transpired between the victim and the offender during a crime.
a. true
b. false

2. investigative reconstruction can be used to locate concealed evidence.
a. true
b. false

3. the functional form of investigative reconstruction answers the questions “who?”
“what?” and “where?”
a. true
b. false

4. minor details regarding the offender are unimportant, and can safely be ignored.
a. true
b. false

5. the temporal form of investigative reconstruction helps identify event sequences and
patterns.
a. true
b. false

6. the machine with an old operating system, no patches, and many services running,
located on an unprotected network, containing valuable information, and with a history of
intrusions or intrusion attempts, is at low risk of being broken into.
a. true
b. false

7. victimology is the investigation and study of victim characteristics.
a. true
b. false

8. when assessing the risk of a target computer, investigators should determine if the
offender needed a high level of skill.
a. true
b. false

9. different offenders can use the same method of approach for control for very different
reasons; however, it is possible to make reliable generalizations on the basis of individual
crime scene characteristics.
a. true
b. false

10. when a computer is the target of an attack, it is also useful to determine if the system was
at high or low risk of being targeted.
a. true
b. false

11. a threshold assessment report may have a similar structure to a full investigative report
but includes more details and has firmer conclusions based on all the evidence available.
a. true
b. false

12. threshold assessments have eliminated the need for digital investigators to write full
reports.
a. true
b. false

13. among the more informative aspects of the offender-victim relationships are victim risk
and the effort that an offender was willing to make to access a specific victim.
a. true
b. false

14. although it is possible that the internet can significantly increase the victim’s risk, it is
not necessary for victimology to include a thorough search for cybertrails.
a. true
b. false

15. forensic analysis and reconstruction only include evidence that was left at a crime scene
and are intrinsically limited.
a. true
b. false

essay questions

1. explain why it can be difficult to determine if someone took a copy of a digital file.

answer guidance: most operating systems do not mark a file that has been copied; information
may be found in log files; the system may contain information about remote storage devices that
have been attached.

2. explain why an offender’s choice of weapon is significant to an investigation.

answer guidance: the weapon is the source of control over the victim, whether it is a gun or a
computer. different offenders rely on implied or actual threats. the offender’s approach shows his
confidences, concerns, intents, and motives.

scenario

two of three porcine brothers had their houses systematically destroyed by a large lycan. in fear
for their lives, they sought shelter with a third brother. suspecting that his house would also
come under attack, he reinforced the structure and added certain countermeasures that would
come into play only if the perimeter was breached. indeed, an attack on his house was mounted,
and the perimeter was breached – resulting in the demise of the intruder.

when police arrived, the three porcine brothers were charged with negligent homicide. the house
was secured as a crime scene.

(follow-up: all charges were dropped when the brothers cited castle doctrine and self defense.)

prepare a threshold assessment based on the information and crime scene provided above.

chapter 9
modus operandi, motive, and technology

on completion of this chapter, the student should:

- be aware that introduction of any new technologies may have unintended consequences.
- recognize that the technology is not evil – however, its application may be.
- recognize that “modus operandi” answers the “how” part of the investigation.
- recognize that adopting new technologies into a criminal modus operandi is not new.
- recognize that “motive” answers the “why” part of the investigation.
- be aware that “offense behaviors” classify criminal acts into discrete categories:
a. power reassurance
b. power assertive
c. anger retaliatory
d. sadistic
e. opportunistic
f. profit oriented
- recognize that using the matrix of offense behaviors, it is possible to take a specific
offense and apply it to each behavior.
- be aware of some of the current technologies, and how they are used by criminals.

the students should understand that technology, for the most part, is not inherently good or bad –
it simply is. it is the application of that technology that is important. criminals are quick to see
how a new technology can be adapted to their purposes. the forensic examiner’s job is to analyze
that new technology, first of all to see how the technology was implemented, and second of all to
determine if the technology has any value as a tool in a forensic investigation.

multiple choice questions

1. an unintended consequence of the advanced research projects agency’s development of
a mechanism for ensured communication between military installations was:
a. mainframe computing
b. the internet
c. microwave communication
d. the ada programming language

2. modus operandi (mo) is a latin term that means:
a. seize the data
b. ways and means
c. operator error
d. a method of operating

3. motive reflects ______ the crimes were committed.
a. how
b. why
c. where
d. when

4. a criminal’s set of learned behaviors that can evolve and develop over time are referred
to as:
a. motivational typology
b. offense behaviors
c. modus operandi
d. none of the above

5. the emotional, psychological, or material need that impels, and is satisfied by, a
behavior is known as:
a. motive
b. modus operandi
c. offense behaviors
d. offender behaviors

6. which of the following is not an offense behavior?
a. motivational typology
b. power reassurance
c. power assertive
d. opportunistic

7. profit-oriented offense behavior indicates that the offender’s motivation was based on:
a. anger
b. revenge
c. restoration of self-confidence
d. material or personal gain

8. in power assertive offense behavior, the offenders may not take precautions that they
have learned are generally unnecessary. one reason for this is because:
a. the crimes they commit usually have minimal punishment.
b. the offenses are usually fantasized and not really carried out.
c. they have no respect for law enforcement.
d. all of the above.

9. maury roy travis was arrested for multiple murders based on:
a. the fact that the police were able to link into all of his crimes prior to his capture
b. his inadvertent cybertrail of information recovered from an online map
c. the large number of tangible leads the police had to work on
d. his lack of skill and poor planning

10. in the example of programs being released, an example of power assertive offense
behavior would be:
a. a terrorist releasing a virus that would shut down segments of the power
grid
b. a 13-year-old running a tool that attempts to guess phonecard pin numbers
c. a keylogger that is installed on the computer of anyone who visits a particular
website
d. a program that simulates the windows blue screen of death (bsod) as a
screensaver

11. the cotton gin and the gatling gun are examples of:
a. the role innovation played in american history
b. new technology that had unintended social consequences
c. proof that inventors should be monitored by the government
d. none of the above

12. criminal motivation is, generally:
a. technology dependent
b. technology-based
c. technology independent
d. technology-centric

13. the study that was taken and modified by the fbi’s national center for the analysis of
violent crime was:
a. locard’s principle
b. the groth rapist motivational typology
c. lombroso’s typology
d. gibb’s numerical rules

14. which offense behavior is characterized by the belief that the victim will enjoy and
eroticize the offense behavior and may subsequently fall in love with the offender?
a. power reassurance
b. power assertive
c. anger retaliatory
d. anger excitation

15. in this offense behavior, the goal is the victim’s total fear and submission for the
purposes of feeding the offender’s sexual desires.
a. power reassurance
b. power assertive
c. anger retaliatory
d. anger excitation

true or false questions

1. computers and the internet are no different from other technologies adapted by the
criminal.
a. true
b. false

2. when the advanced research projects agency began funding a mechanism for ensured
communications between military installations, they understood full well that they were
developing a pervasive form of social-global connectedness.
a. true
b. false

3. modus operandi is a latin term that means “the method of operating.”
a. true
b. false

4. an offender’s mo behavior is functional by nature – one of the purposes is that it
facilitates the offender’s escape.
a. true
b. false

5. using e-mail for anonymous harassment is an example of how technology has been used
as a vehicle for criminal behavior.
a. true
b. false

6. as a general rule, law enforcement groupies are always engaged in some form of
criminal activity.
a. true
b. false

7. as criminals learn about new forensic technologies and techniques being applied to their
particular area of criminal behavior, they must be willing to modify their mo, if possible,
to circumvent those efforts.
a. true
b. false

8. power reassurance – one of the offense behaviors – intends to restore the criminal self-
confidence or self-worth through the use of extremely high aggression means.
a. true
b. false

9. anger retaliatory offense behavior is behavior wherein the offender obtains sexual
gratification from the victim’s pain and suffering.
a. true
b. false

10. in regard to profit-oriented offense behavior, any behavior that is not purely profit
motivated, which satisfies an emotional or psychological need, should be examined with
the lens of the other behavior motivational types.
a. true
b. false

11. the technology that proved to be the downfall of maury roy travis was the online
mapping service that had logged his ip address.
a. true
b. false

12. maury roy travis, compared with other serial murderers, was foolish, impulsive, and
unskilled.
a. true
b. false

13. the criminal’s mo consists of learned behaviors that can evolve and develop over time.
a. true
b. false

14. a criminal’s mo reflects how he committed his crimes.
a. true
b. false

15. modus operandi and motive are considered to be the same thing.
a. true
b. false

essay questions

1. explain the possible benefits of conducting a thorough analysis of modus operandi during
an investigation.

answer guidance: analysis of methods may provide new investigative leads, insights
into the skill level of the offender, connection to other cases.

2. you are investigating the hacking and defacing of a corporate website. provide a
motivational analysis for this incident based on each of the offense behaviors listed in the
text.

answer guidance: the offense behaviors to consider are: compensatory, entitlement,
anger, sadistic, profit oriented.

scenario

as a security investigator, you have been asked to determine if company confidential
information (intellectual property) has been copied from enterprise computers. investigation
centers on a particular computer that has shown a high volume of network traffic at unusual
times. in the course of conducting your investigation you discover that large capacity removable
media has been attached to the suspect computer. a preview examination reveals that software
used for secure deletion had been downloaded to the desktop.

prepare an investigative plan listing the lines of investigation that you plan to pursue.

note that this is not an exercise to demonstrate your understanding of forensic techniques.
rather, this exercise is directed toward developing skills in the creation of planning documents.
use the example cited in the chapter to assist in your design.

chapter 10
violent crime and digital evidence

on completion of this chapter, the student will:

- be aware that violent crime does not occur in an evidentiary vacuum.
- recognize the role of computers in violent crime and as a source of information about:
o the victim
o the offender
o the use of the computer as the instrument of violent crime
- recognize that mobile devices are a potential source of digital evidence.
- recognize that personal computers are a potential source of digital evidence.
- be aware that private networks usually contain a higher concentration of digital
evidence.
- recognize that it is imperative to reach out and collect all available digital evidence.
- recognize the role of the exigent circumstances in ecpa requests.
- recognize the importance of developing a preservation plan at a violent crime scene.
- be aware of the importance of diagramming and clearly labeling evidence items.
- recognize that substantial amounts of digital evidence may reside in workplace
computers.
- be aware that network administrators may not be motivated to provide access or
assistance.
- be aware that enterprise systems may be used by offenders to gain information about
victims.
- recognize that evidentiary “facts” may have more than one interpretation.
- recognize that the study of the victims of violent crime – victimology – may provide
valuable insights to the investigation.
- recognize that, although the individual pieces of digital evidence may not be revealing,
the aggregate of such digital evidence may show patterns of behavior.
- be aware of the need to look for offender behaviors that may leave digital traces.
- recognize the difference between the primary and secondary crime scenes.

to date, there are huge amounts of information about people’s personal and professional
lives stored on computers, mobile devices, corporate computers, and the internet. this vast
store of information can show where victims of violent offenders were, and what they were
doing, when the attack occurred. digital evidence may reveal investigative leads, likely
suspects, previously unknown crimes, and personal information that puts the victim at risk.

multiple choice questions

1. every violent crime investigation should incorporate digital evidence because digital
evidence may reveal:
a. investigative leads
b. likely suspects
c. previously unknown crimes
d. all the above

2. how the offender approaches and obtains control of a victim or target is significant
because it exposes the offender’s:
a. motives
b. choice of weapons
c. modus operandi
d. signature behaviors

3. crime scenes fall into two categories – primary and ______.
a. remote
b. secondary
c. ancillary
d. theoretical

4. when reconstructing evidence surrounding a violent crime, it is generally helpful to:
a. lay out all the evidence so it can be viewed in its entirety
b. work with the crime scene technicians so that a better understanding of the crime
is achieved
c. construct a timeline of events from digital evidence
d. begin the process of converting field notes to a final report

5. one reason not to put too much trust into those who run the company’s computers is that:
a. there has always been an antagonism between system administrators and law
enforcement.
b. they are typically too busy to take the time to answer your questions.
c. they are usually not authorized to answer questions.
d. they may be the offenders.

6. although crime scenes are typically photographed, it is a good idea to create diagrams of
the crime scene because:
a. diagramming is a common crime scene technician’s skill; however, it requires
continual practice.
b. the process of creating a diagram can result in a digital investigator noticing
an important item of evidence that would otherwise have been missed.
c. the quality of photographs taken at the crime scene is not known until the film is
developed.
d. none of the above.

7. given the scope and consequences of violent crimes, when collecting digital evidence it
is advisable to:
a. collect only that digital evidence that is clearly connected to the offense
b. focus only on the primary crime scene, as searching the offender’s home and
workplace requires additional authorization
c. seek out and preserve all available digital evidence
d. focus only on the offender’s digital evidence, as the victim’s digital evidence is
usually of little value

8. when swift action is needed, law enforcement personnel may be permitted to conduct
searches without a warrant. searches of this kind are permitted under:
a. exigent circumstances
b. eminent domain
c. mens rea
d. usa patriot act

9. when processing the digital crime scene in a violent crime investigation it is important to
have ______ to ensure that all digital evidence and findings can hold up under close
scrutiny.
a. a good supply of electrostatic bags for holding sensitive electronic components
b. more than one reliable camera for photographing the crime scene
c. standard operating procedures for processing a digital crime scene
d. a good supply of nitrile gloves

10. the federal statute that has a provision allowing internet service providers to disclose
subscriber information to law enforcement in exigent circumstances is:
a. ecpa
b. ccpa
c. the privacy act
d. fcra

11. when reconstructing evidence surrounding a violent crime, it is generally helpful to:
a. diagram the crime scene
b. create a timeline of events from digital evidence
c. create a threat assessment report
d. none of the above

12. a thief who has programmed and released a virus to roam a network looking for victim
passwords used for online banking is an example of what offense behavior?
a. power assertive
b. profit oriented
c. power reassurance
d. anger retaliatory

13. the case of a michigan bank robber requiring tellers to undress so he could photograph
them is an example of:
a. deviant aberrant behavior
b. criminal humor
c. crime scene characteristics
d. investigative reconstruction

14. the assessment of the victim as they relate to the offender, the crime scene, the incident,
and the criminal justice system is known as:
a. threat assessment methodology
b. signature behaviors
c. behavioral evidence analysis
d. victimology

15. computers and mobile devices are treated as ______ crime scenes in violent crime
investigations.
a. temporary
b. immediate
c. remote
d. secondary

true or false questions

1. victimology is the assessment of the offender as he relates to the crime scene, the
incident, and the criminal justice system.
a. true
b. false

2. the key to any investigation is luck, which has value only when it is properly acted upon.
a. true
b. false

3. digital investigators can use information gleaned from many forms of digital evidence to
find likely suspects and develop leads.
a. true
b. false

4. data from internet service providers used by the victim or suspect can help determine
their activities around the time of the crime.
a. true
b. false

5. mobile devices may contain information about communications as well as audio or video
recordings relating to an offense.
a. true
b. false

6. privately owned networks are usually a poor source of information when investigating
violent crimes.
a. true
b. false

7. given the scope and consequences of violent crimes, it is advisable to seek out and
preserve all available digital evidence.
a. true
b. false

8. when investigating a violent crime, it is important to obtain proper authorization to
examine the primary crime scene; however, secondary crime scenes are typically covered
under that authorization.
a. true
b. false

9. a mincey warrant, which is easier to obtain, is an option when investigators really
believe there is some emergency.
a. true
b. false

10. the investigative reconstruction process involves pulling all evidence together and letting
it speak for itself.
a. true
b. false

11. when reconstructing evidence surrounding a violent crime, it is helpful to create a
timeline of events from digital evidence.
a. true
b. false

12. it is safe to place your trust in an organization’s it staff, since forensic training is a basic
requirement in most it departments.
a. true
b. false

13. computers and mobile devices are treated as primary crime scenes in violent crime
investigations.
a. true
b. false

14. when investigating suspects of a violent crime, it is important to look for behaviors that
leave digital traces.
a. true
b. false

15. what an offender does at a crime scene typically reveals little useful information to
digital investigators.
a. true
b. false

essay questions

prepare a sample crime scene processing procedures field guide, based on the information
provided in this chapter. the format of this guide should facilitate use at the scene.

answer guidance: field guides are typically in “cookbook” format, with larger print and
telegraphic prose intended to serve as reminders.

scenario

you have just arrived at the scene of workplace violence where an individual shot his coworker.
describe, in detail, the steps that you would take to process the digital crime scene.

things to consider: comments from coworkers, contents of computer and cell phone, other
digital evidence relating to the incident.

chapter 11
digital evidence as alibi

on completion of this chapter, the student will:

- recognize that key pieces of information in an alibi are: time and location.
- be aware of potential sources for time and location information.
- be aware that, when corroborating an alibi, “the absence of evidence is not evidence of
absence.”
- recognize that it is necessary to find evidence that demonstrates the lie.
- be aware of how time can confirm or refute an alibi.
- be aware of how location can confirm or refute an alibi.
- recognize that time/location evidence relates to the device, not the user.

with people spending an increasing amount of time using mobile devices, computers, and
networks, there are bound to be more alibis that depend on digital evidence.

digital evidence will rarely show that someone was at a specific location at a specific time;
however, it can show that the device was at that location. through the use of other supporting
evidence, such as a phone call in progress or an e-mail sent, the device can be associated with an
individual.

multiple choice questions

1. investigators should not rely on one piece of digital evidence when examining an alibi –
they should look for an associated ______.
a. cybertrail
b. piece of physical evidence
c. statement
d. none of the above

2. types of digital evidence that might corroborate an alibi include:
a. evidence of computer usage when the offense was supposed to have occurred
b. computer records from credit cards, the telephone company, or subway ticket
usage
c. gps information from mobile devices indicating the user’s location and time
d. all of the above

3. it is unwise to rely only on a recovered ip address because:
a. an ip address may change many times during a session.
b. offenders can change their ip address.
c. by changing the system time, the contents of log files containing ip addresses can
be falsified.
d. ip addresses only exist in system memory.

4. it is quite difficult to fabricate an alibi on a network successfully because:
a. an offender may not have the proper access.
b. an offender would need system administrator access level to make the necessary
changes.
c. an individual rarely has the ability to falsify digital evidence on all the
computers that are involved.
d. creating an alibi on a network could take months of work.

5. it is important to gather as many sources of supporting evidence as possible because:
a. the more evidence, the stronger the case.
b. no amount of supporting evidence can prove conclusively that an individual
was in a specific place at a specific time.
c. the volume of evidence produced dictates the strength of the alibi.
d. none of the above.

6. to demonstrate that someone is lying about an alibi, it is necessary to:
a. find evidence that clearly demonstrates the lie
b. require the suspect to submit to a polygraph
c. interrogate the suspect using a number of methods
d. show that no evidence confirming the alibi is available

7. in confirming an alibi involving an obscure piece of equipment, if no documentation is
available, the manufacturer is no longer in business, or the equipment/network is so
complicated that nobody fully understands how it works, you should:
a. state that the alibi is considered unproven
b. search the internet for any pertinent information
c. recreate the events surrounding the alibi
d. contact other investigators and average their opinions

true or false questions

1. absence of evidence refutes an alibi.
a. true
b. false

2. when investigating an alibi that depends on digital evidence, the first step is to
assess the reliability of the information on the computers and networks involved.
a. true
b. false

3. it is not difficult to fabricate an alibi on a network successfully.
a. true
b. false

4. investigators can rely on one piece of digital evidence when examining an alibi.
a. true
b. false

5. computer networks can contain a large amount of information about times and
locations.
a. true
b. false

6. credit card companies are not permitted to keep records of the dates, times, and
locations of all purchases.
a. true
b. false

7. telephone companies keep a record of the number, the time and duration of the
call, and sometimes the caller’s number.
a. true
b. false

8. with people spending an increasing amount of time using mobile devices,
computers, and networks, it is very likely that more alibis will depend on digital
evidence.
a. true
b. false

9. it is not easy to change the time on a personal computer.
a. true
b. false

10. digital evidence can rarely prove conclusively that someone was at a specific
place at a specific time.
a. true
b. false

essay questions

1. discuss the reasons why a digital investigator would confirm an alibi. isn’t that a job for the
suspect’s defense counsel?

answer guidance: the digital investigator’s mission is to find out the truth.

scenario

a suspect claims that evidence artifacts found on his computer were placed there by his
estranged wife out of malice. as evidence, he points out that the created dates on some of the files
occurred when he was on vacation.

prepare an investigative plan on how you would confirm or refute his alibi.

chapter 12
sex offenders on the internet

on completion of this chapter, the students will:

- be aware of the reasons why the internet is attractive to sex offenders.
- recognize that sexual abuse and illegal pornography existed long before the internet.
- recognize that computers, networks, and the internet can be used to reveal sex offender
methods.
- be aware that the most common sex offenses on the internet include:
o solicitation of minors for sex
o creation, possession, or distribution of child pornography
- be aware that there are restrictions on releasing child pornography to the defense.
- recognize that private sector security personnel can face both legal and corporate issues
in carrying out their duties.
- recognize that, with sexual predators/offenders, the internet is an important source of
evidence.
- recognize the potential difficulty in proving the dissemination of child pornography.
- be aware of various common defenses (trojan defense, malware, “mouse trapping”).
- be aware of the risks when private citizens mount undercover operations.
- recognize the value in analyzing sexual offenders.
- recognize the value of looking for offender patterns.
- recognize the value of victim behavioral analysis.
- recognize the value of determining how a victim is chosen.
- recognize the value of analyzing crime scene characteristics.
- be aware of the methods offenders use to approach victims.
- recognize that motivation may vary with the type of pornography.
- recognize the importance of understanding an offender’s motivation.

forensic examiners need to be aware that they may be requested to find a particular piece of
evidence, or find evidence that confirms an investigator’s suspicions. that is not the examiner’s
job. examiners find the truth, regardless of its convenience.

investigators must learn to study sex offenders, so they can recognize and understand the
patterns of behavior that force sex offenders to take greater risks.

multiple choice questions

1. which of the following is a reason the internet is attractive to sex offenders?
a. greater access to victims.
b. extending their reach
c. the vast amount of information about potential victims
d. all of the above

2. which of the following is an impact of sex offender peer support groups?
a. enabling offenders to view their behavior as socially acceptable
b. raising the sex offender’s inhibitions to act on impulses
c. a clearinghouse of state and federal agencies ready to assist the sex offender
d. trained counselors available 24 hours a day

3. which of the following are reasons that digital evidence may not be preserved properly or
at all?
a. victims may destroy key evidence because they are embarrassed by it.
b. corporate security professionals may not be aware of proper evidence handling
concepts.
c. poorly trained police officers may overlook important items.
d. all of the above.

4. the reconstruction process becomes a necessity when:
a. there is more than one victim involved
b. there is more than one sex offender involved
c. the victim is unknown
d. the sex offender is unknown

5. when the offender is unknown, the reconstruction process becomes a necessary step to:
a. reassure the victim that progress is being made
b. prioritize suspects
c. accommodate multiple cases
d. open new lines of investigation

6. detailed knowledge of an offender can help investigators:
a. protect past victims
b. warn potential victims
c. communicate with the offender
d. all of the above

7. victimology can help determine:
a. why the victim was selected
b. what victim behavior caused the offense
c. to what extent the victim was at fault
d. the offender’s modus operandi

8. of lanning’s three general categories of sex offenders, which of the following is not a
characteristic of the situational category?
a. generally more power/anger motivated
b. are compulsive record keepers
c. generally pick convenient targets
d. none of the above

9. the process of correlating evidence through temporal, relational, and functional analysis
is known as:
a. crime scene analysis
b. offense behavior analysis
c. investigative reconstruction
d. victimology

10. an offender’s choice of location, tools, and actions taken are referred to as:
a. mo
b. motivation
c. crime scene characteristics
d. signature behaviors

11. failure to interpret evidence, obtain information from an unknown offender, or apprehend
an unknown offender can be caused by:
a. excessive caseload
b. scrutiny of the press
c. negative public opinion
d. failure to understand the offender’s motivation

12. typically, children are not used in undercover investigations because:
a. children, like child actors, can be difficult to control.
b. parents are not comfortable with their child participating in an undercover
operation.
c. there is concern for their welfare.
d. typically, there are no funds in the budget for undercover investigations using
children.

13. one of the risks that private citizens take in luring online predators is that:
a. if the subject of the investigation is child pornography, their efforts may
cause them to have possession of child pornography and be arrested along
with the offender.
b. should the neighbors find out, they could possibly be forced to move out of their
neighborhood.
c. one of their neighbors could be an online predator.
d. the police consider cyber vigilantes to be a nuisance.

14. if an offender’s computer reveals a large number of contacts, a good solution is:
a. to pass the contact information to local departments and have them contact the
individuals in person
b. to draft a simple form letter summarizing the investigation and listing the
suspects’ online nicknames and e-mail addresses, and request assistance
c. to reach out to each contact, using the offender’s computer and online personas
d. to determine what schools the contacts attend and have their principals call the
students and their parents in for consultation

15. one way that a digital examiner can reduce the likelihood of overlooking or
misinterpreting important details is:
a. to always work in pairs, so each examiner can check the other’s work
b. carefully apply the scientific method
c. videotape the entire examination process so that key areas can be reviewed
d. take verbal notes with a digital voice recorder

true or false questions

1. the internet enables sexual offenders to commit a crime without ever physically
assaulting a victim.
a. true
b. false

2. sex offender peer support groups can give offenders access to child pornography,
children, and technical knowledge.
a. true
b. false

3. generalizations regarding investigations are of particular use, even though cases tend to
be unique.
a. true
b. false

4. it is important to stress that sexual abuse and illegal pornography did not exist before the
internet.
a. true
b. false

5. “grooming” refers to the ways that a sexual offender gains control over victims.
a. true
b. false

6. because sex offenders tend to be nonviolent, investigators do not need to take the same
precautions when serving warrants on computer-related offenses as they would with other
crimes.
a. true
b. false

7. when dealing with online sexual offenders, it is critically important to take advantage of
the internet as a source of evidence.
a. true
b. false

8. given the potential for concealment in sex offender cases, it is important to examine all
digital evidence carefully rather than simply searching for obvious items such as images
that are not hidden.
a. true
b. false

9. confronting the victim with evidence of their abuse is standard practice in sex offender
cases.
a. true
b. false

10. the initial stage of any investigation is to determine if a crime has actually occurred.
a. true
b. false

11. the practice of private citizens luring offenders is not recommended for reasons of safety
and inadvertent violation of the law.
a. true
b. false

12. an accepted method of conducting undercover investigations involves using a minor,
especially if the minor is the victim.
a. true
b. false

13. providing information about an offender’s method of approach, attack, or control may
help investigators interact with an offender or provide potential victims with protective
advice.
a. true
b. false

14. lanning identifies three general categories of sex offenders: situational, preferential, and
differential.
a. true
b. false

15. sex offenders do not change over time nor do they modify their behavior, simplifying the
investigative process.
a. true
b. false

essay questions

1. discuss the responsibility of the digital investigator in bringing charges of sex offense
or possession of child pornography against a member of the local community.

answer guidance: the mere accusation, even as just “a person of interest,” can ruin
reputations that take years to recover.

scenario

you, as a member of local law enforcement, were contacted by a member of a cyber
vigilante group, informing you that they have been gathering information about an
individual in your community who, they assert, has been downloading large amounts of
child pornography. they provide samples of the types of child pornography that the
individual has supposedly downloaded.

the local community you serve is very small, and you have known this individual most
of your professional life.

the cyber vigilante group has a reputation for notifying local police and waiting a few
days to hear of an arrest, and if they do not they take the information to the press and
complain that they notified the police and nothing was done.

prepare a briefing on the situation, to be given to your captain and the mayor, including a
few recommendations.

chapter 13
computer intrusions

on completion of this chapter, the student will:

- recognize that the value of digital data has made it the target.
- be aware of the reasons that criminals break into computers.
- be aware of how computer intruders operate.
- be aware of the tactics used in computer intrusions:
o phishing
o spear phishing
o drive-by download
o cross site scripting
- recognize that the first step in an intrusion investigation is to confirm that there actually
was one.
- be aware of the need to determine the intruder’s goals.
- recognize that an intrusion investigation requires a wide range of forensic skills.
- recognize the difference between “intrusion investigation” and “incident response.”
- recognize that the scientific method can be applied to intrusion investigations.
- be aware of conflicting goals of the investigators and network administrators.
- be aware of the risks in investigating live systems.
- recognize both the value and risk in observing the intruder.
- be aware that intruders may have a high degree of technical knowledge and/or may
employ advanced software.
- recognize that the majority of compromised systems in an intrusion will contain
malicious programs.
- be aware that malware must be analyzed as part of the intrusion investigation.
- recognize that intrusion investigations frequently cross jurisdictional lines.
- recognize that the intrusion must ultimately be linked to a person.
- recognize the importance of preserving volatile data.
- recognize the values and risks of collecting full memory dumps.
- be aware that remote forensics tools can collect volatile data.
- recognize why it is important to collect all network traffic to/from a compromised
system.
- be aware of the methods used in an intrusion investigation.
- recognize that the malware analysis strategy is determined by the kind of malware and its
goals.
- recognize that intrusion crime scene analysis may reveal information about the intruders’
skills and intentions.
- recognize the value of examining the intruders’ computers.

a company’s most valuable assets may be the data on its computers, and failure to protect
those assets may result in financial loss, regulatory sanctions, and reputational harm. more than
one company has been forced into bankruptcy when the computer containing its business
information crashed.

a common truth is that criminals tend to steal things of value; therefore, a company’s information
may be a target.

multiple choice questions

1. during the commission of a crime, evidence is transferred between the offender’s
computer and the target. this is an example of:
a. locard’s exchange principle
b. sutherland’s general theory of criminology
c. martin’s rule
d. parkinson’s rule of available space

2. intruders who have a preferred toolkit that they have pieced together over time, with
distinctive features:
a. usually have little experience and are relying on the kit
b. show little initiative – letting the tool do the work
c. are generally more experienced
d. pose less of a threat

3. in the case of a computer intrusion, the target computer is:
a. the remote crime scene
b. the auxiliary crime scene
c. the virtual crime scene
d. the primary crime scene

4. a computer intruder’s method of approach and attack can reveal a significant amount
about their:
a. skill level
b. knowledge of the target
c. intent
d. all of the above

5. determining skill level can lead to:
a. determining the extent of the intrusion
b. likely hiding places for rootkits and malware
c. suspects
d. offense behaviors

6. if digital investigators find an unauthorized file, they should:
a. immediately move the file to removable media
b. check for other suspicious files in the same directory
c. execute the file to determine its purpose
d. permanently delete the file

7. remote forensic solutions can be used to access live systems, and include the ability to:
a. acquire and, sometimes, analyze memory
b. image systems without ever having to leave the lab
c. conduct examination and analysis without the need to image
d. image large systems across the internet

8. a forensic analysis conducted on a forensic duplicate of the system in question is referred
to as:
a. virtual analysis
b. clone analysis
c. post-mortem analysis
d. ex post facto analysis

9. capturing all of the network traffic to and from the compromised system can:
a. allow the network administrators to participate in the investigation, establishing
rapport for later interviews
b. reveal the source of the attack
c. seriously slow down the network, affecting normal work
d. none of the above

10. a common technique that is highly useful and can be applied in a computer intrusion
investigation is to simply focus on file system activities around the time of known events.
this embodies a principle known as:
a. temporal proximity
b. timeline analysis
c. file system analysis
d. temporal aggregation
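
the temporal-proximity principle behind question 10, shown as a worked example added here by the editor; it is not code from the textbook or its test bank. a small merged timeline of $MFT, prefetch and registry entries is constructed sample data, and the known event time is assumed to come from an independent source such as a proxy log. the update.exe path, the registry value name and the clock-skew allowance are all assumptions for the demonstration. filtering to a few minutes around the anchor yields a short list to examine first; the nearest hit is then used as a pivot to pull every entry for that path from the whole timeline, including activity well outside the window.

```python
"""Temporal proximity: filter a merged timeline to the events near a known time.

Added example, not from the textbook. The timeline below is constructed sample
data; the path and registry names in it are assumptions for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime   # UTC; normalize every artifact's clock to UTC before merging
    source: str    # artifact that produced the entry ($MFT, Prefetch, Registry, ...)
    action: str    # created / modified / executed / key-set ...
    path: str


# Constructed sample timeline (not a real case). One entry per line:
# UTC timestamp | source | action | path
SAMPLE_TIMELINE_TEXT = """\
2011-03-14 03:02:11|$MFT|modified|C:\\Windows\\System32\\config\\SOFTWARE
2011-03-14 10:15:12|$MFT|created|C:\\Windows\\Temp\\update.exe
2011-03-14 10:15:40|Prefetch|executed|C:\\Windows\\Temp\\update.exe
2011-03-14 10:16:03|Registry|key-set|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
2011-03-14 10:27:55|$MFT|created|C:\\Users\\alice\\Documents\\budget.xlsx
2011-03-14 18:45:00|$MFT|modified|C:\\Windows\\Temp\\update.exe
"""

# Known event from an independent source (assumed: a proxy log entry), already in UTC.
KNOWN_EVENT = datetime(2011, 3, 14, 10, 15, 0)


def parse_timeline(text: str) -> list[Event]:
    """Parse the pipe-delimited text into Event objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, action, path = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), source, action, path))
    return events


def events_near(events: list[Event], anchor: datetime, window_seconds: int,
                clock_skew_seconds: int = 0) -> list[Event]:
    """Events within anchor +/- (window + skew), nearest to the anchor first.

    clock_skew_seconds widens the window by the suspected offset between the
    host's clock and the clock of the source that supplied the anchor.
    """
    half = timedelta(seconds=window_seconds + clock_skew_seconds)
    hits = [e for e in events if anchor - half <= e.ts <= anchor + half]
    hits.sort(key=lambda e: (abs(e.ts - anchor), e.ts))
    return hits


def events_for_path(events: list[Event], path: str) -> list[Event]:
    """Pivot: every entry for one path in time order, ignoring the window.

    Windows paths are case-insensitive, so compare lower-cased.
    """
    return sorted((e for e in events if e.path.lower() == path.lower()), key=lambda e: e.ts)


if __name__ == "__main__":
    timeline = parse_timeline(SAMPLE_TIMELINE_TEXT)
    hits = events_near(timeline, KNOWN_EVENT, window_seconds=300)
    for e in hits:
        print(f"{e.ts}  {e.source:9} {e.action:9} {e.path}")
    print("--- pivot on the nearest hit's path ---")
    for e in events_for_path(timeline, hits[0].path):
        print(f"{e.ts}  {e.source:9} {e.action:9} {e.path}")
```

every timestamp is normalized to UTC before comparison; mixing local time from one artifact with UTC from another produces false proximity. widen the window with the skew allowance rather than trusting the compromised host's clock, and treat the proximity list as a starting point for pivots, not as the boundary of the intrusion.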

11. the registry key HKLM\Software\Microsoft\Windows\CurrentVersion is one of the most
common locations for:
a. new software entries
b. time and date information
c. trojans
d. a list of recently run programs

12. when collecting data from a compromised computer, consideration should be given to
collecting the __________ data first.
a. cmos
b. most volatile
c. magnetic
d. optical

13. the forensic examiner needs to be aware that the process of collecting memory:
a. is seldom useful and not often called for
b. can take an extremely long period of time
c. is only needed for standalone systems
d. changes the contents of memory

14. a more thorough method of collecting specific volatile data from a computer is to:
a. examine the specific memory addresses live
b. collect the full contents of physical memory
c. selectively collect contents of physical memory
d. take screenshots.

15. why are “non-volatile” storage locations included in the rfc 3227 “order of
volatility”?
a. this is an old rfc and has not been updated.
b. no form of data storage is permanent.
c. an rfc is a request for comments – and corrections are expected.
d. none of the above.

true or false questions

1. social engineering refers to any attempt to contact legitimate users of the target system
and trick them into giving out information that can be used by the intruder to break into
the system.
a. true
b. false

2. a valid profile of a computer intruder is an antisocial adolescent.
a. true
b. false

3. a growing number of intrusions are committed by organized criminal organizations and
state-sponsored groups.
a. true
b. false

4. although new exploits are published daily, it takes skill and experience to break into a
computer system, commit a crime, and cover one’s tracks.
a. true
b. false

5. a thorough understanding of the tactics and techniques used by criminals is “nice to
know” but is not essential to the successful investigation of criminal behavior.
a. true
b. false

6. reverse social engineering is any attempt by intruders to have someone in the target
organization contact them for assistance.
a. true
b. false

7. the first stage of a computer intrusion is abuse.
a. true
b. false

8. in a computer intrusion, the stage after attack is abuse.
a. true
b. false

9. an example of the entrenchment phase of an intrusion would be uploading a backdoor
through the remote shell.
a. true
b. false

10. gathering information about a system through the use of a port scanner is considered a
direct attack method.
a. true
b. false

11. “spear phishing” is an intrusion technique wherein mass e-mails that appear or claim to
be from a legitimate source request that the recipient follow instructions contained in the
e-mail.
a. true
b. false

12. the first step when investigating a computer intrusion incident is to determine if there
actually was one – there must be a corpus delicti.
a. true
b. false

13. investigating computer intrusions usually involves a small amount of digital evidence
from only a few sources.
a. true
b. false

14. incident response can be viewed as a subset or part of an intrusion investigation.
a. true
b. false

15. examining a live system is prone to error, may change data on the system, and may even
cause the system to stop functioning.
a. true
b. false

essay questions

1. discuss why computer intrusions are among the most challenging types of cybercrimes from a
digital evidence perspective.

answer guidance: every network is different; every computer intruder is different, with
different motivations.

2. discuss the difference between automated and dynamic modus operandi, including the kinds
of information to look for, and the value of conducting this kind of analysis.

answer guidance: while automated exploits are almost generic, analysis of dynamic mo may
reveal the choice of tools used in the intrusion, shedding light on a particular kind of offender
behavior.

scenario

you are participating in an intrusion investigation. the investigation has progressed to the point
where a suspect has been identified. a raid is planned on the suspect’s site, and you will be in
attendance to collect, preserve, and examine the intruder’s computer.

as part of the raid planning, you have been asked to prepare a plan detailing how you will
examine the intruder’s computers.

after preparing your plan, you will present it to the rest of the team in a planning meeting.

notes: this exercise is designed to get the student accustomed to developing planning
documents, and more importantly, to be able to articulate that plan to others of the team who
may not have the same level of expertise.

chapter 14
cyberstalking

on completion of this chapter, the student will:

- recognize that fixation is a prominent feature of cyberstalking.
- be aware that cyberstalking may be accompanied by more traditional, physical forms.
- recognize that cyberstalking is based on power over the victim.
- be aware that, although the stalker has often been acquainted with the victim, this may
not be as true on the internet.
- recognize the methods used by cyberstalkers to control their victims.
- be aware of steps to take when investigating cyberstalking.
- recognize that various interviewing techniques are needed when investigating
cyberstalking.
- be aware of victimological aspects when investigating cyberstalking.
- recognize the risk assessment aspect of victimology.
- be aware of the need to extend the search to the internet.
- recognize the various motivational typologies that may occur in cyberstalking.

cyberstalking is a new variation of traditional stalking; the internet has simply provided another
avenue.

a cyberstalking investigation requires a strong investigative methodology that includes
understanding motivation. the cyberstalker’s computer typically provides a rich array of digital
evidence.

multiple choice questions

1. the first state in the united states to enact a law to deal with cyberstalkers was:
a. texas
b. hawaii
c. california
d. new york

2. the first cyberstalking law in the us was passed in:
a. 1985
b. 1990
c. 1995
d. 2000

3. stalkers want to exert power over their victims, primarily through:
a. fear
b. anxiety
c. autosuggestion
d. peer pressure

4. a stalker’s ability to frighten and control a victim increases with the amount of
information that he can gather, such as:
a. telephone numbers
b. addresses
c. personal preferences
d. all of the above

5. stalkers have taken to the internet because:
a. the cost of an internet connection has dropped considerably.
b. they depend heavily on information and the internet contains vast amounts.
c. they no longer have to go out to do their stalking.
d. none of the above.

6. an implication from studies indicating that many stalkers had prior acquaintance with
their victims is that:
a. part of the blame can be assigned to the victim.
b. the offender is likely to be found in the same area as the victim.
c. investigators should pay particular attention to acquaintances of the victim.
d. investigators should always check the immediate family.

7. an excellent set of guidelines developed specifically for victims of stalking is available
from:
a. the national center for victims of crime
b. the national white collar crime center
c. the department of justice
d. the national institute of justice

8. when a cyberstalking case is stalled, it is a good idea to interview the victim again,
because:
a. the victim might have been withholding information during the first interview.
b. the information that investigators have gathered might help the victim recall
additional details.
c. the time between the first and second interviews has given the victim time to
seek counseling.
d. none of the above.

9. in determining how and why the offender selected a specific victim, the investigator
should determine whether the cyberstalker:
a. knew the victim
b. learned about the victim through a personal web page
c. noticed the victim in a chat room
d. all of the above

10. a key aspect of developing victimology is determining victim and offender __________.
a. hobbies
b. likes and dislikes
c. risks
d. roles

11. when searching for evidence of cyberstalking, it is useful to distinguish between an
offender’s harassing behaviors and __________ behaviors.
a. grooming
b. surreptitious monitoring
c. initial contact
d. congenial

12. that part of cyberstalking where the offender is using the internet to find a victim is
known as:
a. profiling
b. trolling
c. surreptitious monitoring
d. none of the above.

13. when a cyberstalker chooses victims at random, he is said to be an:
a. opportunistic stalker
b. power assertive stalker
c. profit-oriented stalker
d. none of the above

14. the initial stage in a cyberstalking investigation is to:
a. search for additional digital evidence
b. analyze crime scene characteristics
c. conduct victimology and risk assessments
d. interview the victim

15. it is extremely important for the investigator to be cautious when dealing with a
stalking case because:
a. if the victim becomes offended by the investigator’s methods, she is likely to go
file a complaint.
b. if the investigation is conducted too openly, the offender may stop the harassment
and move on to another victim.
c. the victim must be protected, in case the offender decides to escalate to
physical violence.
d. the victims frequently become emotionally attached to the investigator.

true or false questions

1. cyberstalking works in a completely different way than stalking in the physical world.
a. true
b. false

2. in general stalkers want to exert power over their victims in some way, primarily through
fear.
a. true
b. false

3. stalkers use information to impinge on their victims’ lives.
a. true
b. false

4. the internet contains a vast amount of personal information about people but it is
relatively difficult to search for specific items.
a. true
b. false

5. studies indicate that stalkers will always have prior acquaintance with their victims.
a. true
b. false

6. when interviewing the victim, investigators should be as tactful as possible while
questioning everything, and assume nothing.
a. true
b. false

7. a key aspect of developing victimology is determining victim and offender risk.
a. true
b. false

8. the first step in a cyberstalking investigation is to conduct the victimology and risk
assessment.
a. true
b. false

9. the victim is usually only aware of the harassing component of cyberstalking.
a. true
b. false

10. there is never a correlation between the victim’s internet activities and physical
surroundings or real-world activities.
a. true
b. false

11. when searching for evidence of cyberstalking, it is useful to distinguish between the
offenders’ harassing behaviors and surreptitious monitoring behaviors.
a. true
b. false

12. the primary aim of the motivational stage of the investigation is to understand the
victim-offender relationship.
a. true
b. false

13. as part of the investigation, an investigator should ask why a particular stalker used the
internet.
a. true
b. false

14. investigators might not be able to define the primary crime scene clearly because digital
evidence is often spread all over the internet.
a. true
b. false

15. as part of the interview process, the investigator should tell the victim that the stalker
will cease harassing them when they’re no longer giving the desired response.
a. true
b. false

essay questions

1. regardless of the type of investigation, investigators ask “who, what, when, where, and
why” questions. however, when dealing with cyberstalking victims, those questions
have to be asked tactfully, and without assigning blame.

prepare a set of initial questions and discuss how you would ask those questions to a
cyberstalking victim.

2. discuss how you would apply the concept of crime scene characteristics to a
cyberstalking case.

3. discuss how you would explain your risk assessment findings to the victim.

scenario

you have been contacted by a young woman complaining her ex-boyfriend is reading and
blocking her e-mail. in the course of your interview with the victim, she tells you that the e-mail
account is with aol, and it is actually registered to and paid for by the ex-boyfriend. it seems that
while they were together, he set up an account for her under his account.

describe how you would proceed with the investigation at this point.

chapter 15
computer basics for digital investigators

on completion of this chapter, the student will:

- be aware of the process that occurs when a computer boots.
- recognize how data is stored on magnetic media.
- recognize the significance of file formats.
- be aware of how file carving affects recovered data.
- recognize various methods that can be used to hide data on magnetic media.
- be aware of how various file systems are implemented.
- be aware of the various data structures that comprise a file system.
- be aware of various methods for hiding data within a file system.
- be aware of difficulties in dealing with passwords and encryption.
- be aware of encryption concepts.
- be aware of methods for detecting and dealing with encryption.

a basic understanding of how computers operate and how data is stored is a fundamental skill
for forensic examiners. this includes understanding and controlling the boot process, recovering
data, and analyzing data.

most digital investigators use automated forensic tools; however, it is absolutely crucial that they
understand what these tools are doing. the best way to gain that understanding is by
experimentation. that would include creating a file and viewing the results, deleting the file and
viewing those results, using a low-level hex editor, and carving data associated with the file into
a new one.

multiple choice questions

1. how many bytes are in a kilobyte?
a. 8
b. 100
c. 1000
d. 1024

2. the big-endian representation of “fb 78 7a 23” is:
a. 78 fb 23 7a
b. 7a 23 fb 78
c. 23 7a 78 fb
d. fb 7a 78 23

3. the storage capacity of a hard drive with 256 heads, 63 sectors, and 1024 cylinders is:
a. 8.4 gbytes
b. 7.8 gbytes
c. 8 gbytes
d. 9 gbytes

4. what can you do to determine the number of sectors on a hard drive larger than 8gb?
a. use a unix tool like hdparm
b. use a windows tool like encase
c. check the drive manufacturer’s website for the specific drive
d. all of the above

5. the first sector of a hard disk contains a:
a. boot sector
b. master boot record
c. volume
d. partition

6. the first sector of a volume contains a:
a. boot sector
b. master boot record
c. root directory
d. partition

7. file slack space is:
a. the space between the end of a volume and the end of a partition
b. the sectors in a cluster that are not occupied by the file in that cluster
c. the space on a disk that is not allocated to files
d. the space left on a disk after a file is deleted

8. unallocated space is:
a. the space between the end of a volume and the end of a partition
b. the space in a cluster that is not occupied by the file in that cluster
c. the space on a disk that is not assigned to files
d. the space left on a disk after a file is deleted

9. encrypted data can be recovered using which of the following methods?
a. trying every possible encryption key
b. obtaining the passphrase used to protect the encryption key
c. recovering plaintext versions of data from unallocated and slack space
d. all of the above

10. which encryption scheme is weakest?
a. rsa
b. rot13
c. des
d. dsa

11. on intel-based computers, system date and time information is maintained in:
a. cmos
b. system.conf
c. mbr
d. boot record

12. solaris computers store data in:
a. hexadecimal
b. little-endian
c. octal
d. big-endian

13. which of the following are limitations to salvaging data through data carving?
a. file name and date-time stamps that were associated with the file are not salvaged.
b. the size of the original file may not be known, making it necessary to guess how much
data to carve out.
c. simple carving assumes all portions of the file were stored contiguously, and not
fragmented.
d. all of the above.

14. the boot sector in a fat volume contains all of the following information except:
a. partition table
b. the number of file allocation tables available
c. cluster size
d. volume label
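
a worked example added by the editor, not from the textbook, tying together questions 2, 5, 6 and 14: a parser for a 512-byte master boot record. it decodes the four 16-byte partition entries with their little-endian LBA fields and packed CHS bytes, checks the 55 AA boot signature, and computes the byte offset at which each volume's own boot sector begins. the sample MBR is constructed in sample_mbr() with struct.pack; the partition layout, the type codes used and the names in PARTITION_TYPES are the editor's assumptions for the demonstration. field_as_int shows why the same four bytes read as different values in little- and big-endian order, which is what question 2 and true/false question 10 are about.

```python
"""Parse a 512-byte master boot record (MBR): partition table and signature.

Added example, not from the textbook. The MBR bytes are constructed in
sample_mbr() with struct.pack, so the script runs without a disk image.
"""
from __future__ import annotations

import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446        # 446 bytes of boot code precede the table
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"        # last two bytes of the sector

# A few well-known partition type identifiers (assumption: enough for the demo).
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
}


def decode_chs(raw: bytes) -> tuple[int, int, int]:
    """Unpack the 3-byte CHS field of a partition entry into (cylinder, head, sector).

    byte 0 = head; byte 1 bits 0-5 = sector, bits 6-7 = cylinder bits 8-9;
    byte 2 = cylinder bits 0-7. Hence the 1024/256/63 maxima of CHS geometry.
    """
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def encode_chs(cylinder: int, head: int, sector: int) -> bytes:
    """Inverse of decode_chs; used here only to build the constructed sample."""
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def parse_partition_entry(entry: bytes) -> dict | None:
    """Decode one 16-byte entry; return None for an unused slot."""
    status, chs_start, ptype, chs_end, lba_start, num_sectors = struct.unpack(
        "<B3sB3sII", entry)          # '<' = little-endian, as stored on x86 disks
    if ptype == 0x00 and num_sectors == 0:
        return None
    return {
        "bootable": status == 0x80,
        "status_valid": status in (0x00, 0x80),   # anything else: damaged or not an MBR
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
        "chs_start": decode_chs(chs_start),
        "chs_end": decode_chs(chs_end),
        "lba_start": lba_start,
        "num_sectors": num_sectors,
        "byte_offset": lba_start * SECTOR_SIZE,   # where the volume boot sector sits
        "size_bytes": num_sectors * SECTOR_SIZE,
    }


def parse_mbr(sector: bytes) -> dict:
    """Parse the first sector of a disk: signature check plus up to four partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        p = parse_partition_entry(sector[start:start + PARTITION_ENTRY_SIZE])
        if p is not None:
            p["slot"] = i
            partitions.append(p)
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def field_as_int(raw: bytes, byteorder: str) -> int:
    """Same bytes, two readings: 00 08 00 00 is 2048 little-endian, 524288 big-endian."""
    return int.from_bytes(raw, byteorder)


def sample_mbr() -> bytes:
    """Constructed MBR: a bootable FAT32 volume at LBA 2048 and an NTFS volume after it."""
    lba_style_chs = encode_chs(1023, 254, 63)      # the 'maxed out' CHS seen on LBA disks
    e1 = struct.pack("<B3sB3sII", 0x80, encode_chs(0, 32, 33), 0x0C, lba_style_chs, 2048, 204800)
    e2 = struct.pack("<B3sB3sII", 0x00, lba_style_chs, 0x07, lba_style_chs, 206848, 409600)
    empty = bytes(PARTITION_ENTRY_SIZE)
    return bytes(PARTITION_TABLE_OFFSET) + e1 + e2 + empty + empty + BOOT_SIGNATURE


if __name__ == "__main__":
    info = parse_mbr(sample_mbr())
    print("signature ok:", info["signature_ok"])
    for p in info["partitions"]:
        print(f"slot {p['slot']}: {p['type_name']:13} boot={p['bootable']} "
              f"LBA {p['lba_start']} (+{p['num_sectors']} sectors) -> byte offset {p['byte_offset']}")
```

to run it against an image, replace sample_mbr() with the first 512 bytes of the device or image file; the lba_start of each entry tells you where to read the FAT or NTFS boot sector (question 6), and a failed signature check or a status byte other than 0x00/0x80 is a sign that the sector is damaged, overwritten, or not an MBR at all (a GPT disk keeps a protective MBR with a single 0xEE entry, which this parser reports as an unknown type).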

15. in ntfs, an example of a file system feature that can be used to conceal data is:
a. setting the read/only attribute on the folder you want to protect
b. storing data in a hidden partition
c. using alternate data streams
d. none of the above

true or false questions

1. the eniac was the first digital computer.
a. true
b. false

2. by default, computers will boot from a floppy disk if one is present in the system.
a. true
b. false

3. the cmos ram chip stores a computer’s date and time.
a. true
b. false

4. hard drive settings stored in a computer’s cmos ram chip are always correct and
accurate.
a. true
b. false

5. the post verifies that all of the computer’s components are functioning properly.
a. true
b. false

6. the bios can be password protected.
a. true
b. false

7. the macintosh open firmware can be instructed to boot from a cd-rom by holding
down the “b” key.
a. true
b. false

8. the sun openboot prom can be interrupted by depressing the “stop” key.
a. true
b. false

9. although storage media come in many forms, hard disks are the richest sources of digital
evidence on computers.
a. true
b. false

10. digital forensics examiners do not need to be concerned about the distinction between
little-endian and big-endian representations because automated tools make the necessary
translation.
a. true
b. false

11. unicode can represent more characters than ascii.
a. true
b. false

12. sectors are 557 bytes long but only 512 bytes are used to store data.
a. true
b. false

13. many digital forensics laboratories have the capability to recover overwritten data from a
hard drive.
a. true
b. false

14. a sector is composed of multiple clusters.
a. true
b. false

15. the number of sectors on any hard drive is calculated by multiplying its chs values.
a. true
b. false

discussion questions

1. describe the main steps that your computer takes during the boot process from the time you press
the power switch to the first appearance of the operating system. why is this important to a
forensic examiner?
answer guidance: the main steps that a computer takes to boot up are: cpu reset → load first
sector of boot disk (mbr) into memory → bios & post (compare actual configuration with
cmos settings) → load active operating system using information in partition table → locate
boot disk (search order specified in cmos).

2. what type of computer do you have and how do you interrupt the boot process to display the
cmos settings?

3. list four of the most important cmos settings of your computer. list two cmos settings that you
do not understand or that you think are unimportant.

4. what is the ascii representation of the binary data
“01000011011011110111001001110010011001010110001101110100”?
answer guidance: break this string of binary data into 8-bit segments and determine the ascii
equivalent of each 8-bit segment as shown here (it may help you to convert to hexadecimal first):
0100 0011 = 43 = c
0110 1111 = 6f = o
0111 0010 = 72 = r
0111 0010 = 72 = r
0110 0101 = 65 = e
0110 0011 = 63 = c
0111 0100 = 74 = t

note: winhex has a conversion table; under the view menu, select tables and then choose ansi ascii.

5. what is the ascii representation of this hexadecimal data:
“54686520737573706563742773206e616d65206973204d69636861656c”?
answer guidance: determine the ascii value associated with each hexadecimal character in this
string as follows:
54 = t
68 = h
65 = e
20 = space
73 = s
75 = u
73 = s
70 = p
65 = e
63 = c
74 = t
27 = '
73 = s
20 = space
6e = n
61 = a
6d = m
65 = e
20 = space
69 = i
73 = s
20 = space
4d = m
69 = i
63 = c
68 = h
61 = a
65 = e
6c = l

6. what is the storage capacity of a hard drive with 64 heads, 63 sectors, and 787 cylinders?
answer guidance: 64 × 63 × 787 = 3,173,184 sectors = 1,624,670,208 bytes = 1.5gb.

7. where is the partition table located on a hard drive, and what does it contain?
answer guidance: the partition table is located 446 bytes into the first sector of the drive and
contains information about each partition on the disk, including the first and last sectors.
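as an added example that is not part of the book's materials, here is a python parser for the partition table described above. the 512-byte sector is constructed (two partitions laid out on the 3,173,184-sector drive from question 6), and the gap finder that follows is a routine examiner check, not something the guidance specifies.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446        # the partition table starts 446 bytes into sector 0
ENTRY_SIZE = 16           # four 16-byte entries, then the 0x55AA signature at byte 510
BOOT_SIGNATURE = b"\x55\xAA"
TOTAL_SECTORS = 3_173_184  # the 64 x 63 x 787 drive from question 6 (constructed use)


def parse_partition_table(sector0: bytes) -> list[dict]:
    """Return one dict per in-use entry of the MBR partition table in sector 0."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need the complete first sector")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA signature at byte 510: not an MBR")
    partitions = []
    for slot in range(4):
        base = TABLE_OFFSET + slot * ENTRY_SIZE
        # status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped),
        # 32-bit little-endian LBA of the first sector, 32-bit sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector0, base)
        if ptype == 0 or count == 0:
            continue                                  # unused slot
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "first_sector": lba_start,
            "last_sector": lba_start + count - 1,     # the "last sector" the answer refers to
            "sector_count": count,
        })
    return partitions


def unpartitioned_ranges(partitions: list[dict], total_sectors: int) -> list[tuple[int, int]]:
    """Sector ranges that no partition covers. Such gaps never appear in any file
    system view, so an examiner accounts for every sector on the drive."""
    gaps, cursor = [], 0
    for p in sorted(partitions, key=lambda p: p["first_sector"]):
        if p["first_sector"] > cursor:
            gaps.append((cursor, p["first_sector"] - 1))
        cursor = max(cursor, p["last_sector"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed sector 0: a bootable NTFS-type partition (0x07) starting at LBA 63
    and a second partition at LBA 1,002,048 running to the end of the drive, leaving
    an unpartitioned gap between them."""
    sector = bytearray(SECTOR_SIZE)
    entries = [(0x80, 0x07, 63, 1_000_000 - 63 + 1),
               (0x00, 0x83, 1_002_048, TOTAL_SECTORS - 1_002_048)]
    for slot, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + slot * ENTRY_SIZE,
                         status, ptype, start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    parts = parse_partition_table(build_sample_mbr())
    for p in parts:
        print(p)
    print("unpartitioned:", unpartitioned_ranges(parts, TOTAL_SECTORS))
```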

8. how do you remove data from a hard drive to prevent it from being recovered (e.g., delete
partition table, reformat drive, delete files)?
answer guidance: although a low-level format effectively removes data from a drive, it can be
difficult to obtain tools to perform a low-level format for all types of disks. therefore it is more
practical to “wipe” the drive by overwriting sectors several times with certain patterns. for instance,
using unix, a drive can be effectively overwritten with zeros using the command sequence ‘dd
if=/dev/zero of=/dev/hdb; sync’ three times. you should then verify that the wiping process was
successful by looking at the first, middle, and last sectors in a hex viewer. you can also verify that the
drive was wiped using the following unix command: ‘dd if=/dev/hdb | xxd | grep -v "0000 0000 0000
0000 0000 0000 0000 0000"’. this command should return nothing provided the drive only contains
zeros.
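as an added example, not from the book, here is a python check equivalent to the xxd/grep pipeline above: it scans a constructed disk image sector by sector and also performs the first/middle/last spot check, which shows why the spot check alone can pass while a sector in between still holds data.

```python
import io

SECTOR_SIZE = 512
CHUNK = 2048 * SECTOR_SIZE   # read 1 MiB at a time so a whole drive never sits in memory


def scan_for_unwiped_sectors(stream) -> tuple[int, list[int]]:
    """Read the stream from the start, sector by sector, and return
    (total sectors, numbers of every sector that still holds a non-zero byte)."""
    stream.seek(0)
    total, dirty = 0, []
    while True:
        buf = stream.read(CHUNK)       # regular files and block devices return full chunks
        if not buf:
            break
        for off in range(0, len(buf), SECTOR_SIZE):
            if any(buf[off:off + SECTOR_SIZE]):   # any non-zero byte means not wiped
                dirty.append(total)
            total += 1
    return total, dirty


def spot_check(stream, total_sectors: int) -> list[int]:
    """The quick manual check from the guidance: inspect only the first, middle and
    last sectors. Returns whichever of those three are not all zeros."""
    dirty = []
    for s in sorted({0, total_sectors // 2, total_sectors - 1}):
        stream.seek(s * SECTOR_SIZE)
        if any(stream.read(SECTOR_SIZE)):
            dirty.append(s)
    return dirty


def verify_wipe(stream) -> dict:
    """Run both checks; only the full scan decides whether the media is wiped."""
    total, dirty = scan_for_unwiped_sectors(stream)
    return {
        "sectors": total,
        "spot_check_dirty": spot_check(stream, total) if total else [],
        "dirty_sectors": dirty,
        "wiped": not dirty,
    }


def verify_wipe_bytes(image: bytes) -> dict:
    """Convenience wrapper for an in-memory image; an opened file or device works the same."""
    return verify_wipe(io.BytesIO(image))


def build_sample_image() -> bytes:
    """Constructed 64-sector image: zeros everywhere except a leftover fragment in
    sector 40, which the first/middle/last spot check never looks at."""
    img = bytearray(64 * SECTOR_SIZE)
    img[40 * SECTOR_SIZE:40 * SECTOR_SIZE + 12] = b"leftover-txt"
    return bytes(img)


if __name__ == "__main__":
    print(verify_wipe_bytes(build_sample_image()))
```

for a real drive, pass the opened device (the guidance's /dev/hdb opened read-only) to verify_wipe instead of the in-memory image.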

9. what is file slack and why is it important to digital investigators?
answer guidance: file slack refers to the sectors in a cluster that are not occupied by the file in that
cluster. this space can contain fragments of files that may contain useful digital evidence.

scenario

you suspect that the data carving tool you are using to recover deleted files from a hard drive is not
recovering all of the files that are available for recovery. how would you determine this limitation in the
tool and what would you do to resolve the problem?

chapter 16
applying forensic science to computers

on completion of this chapter, the student will:

- be able to apply those forensic methodologies discussed earlier in this book to
stand-alone computer systems. the methodologies include:
o preparation
o survey
o documentation
o preservation
o examination and analysis
o reconstruction
o reporting results
- recognize the value of data reduction.
- be aware of the process of examining a piece of evidence.
- recognize that data recovery procedures may need to be applied to digital evidence.
- recognize the value of conducting functional, relational, and temporal analyses to a
computer.

computer technology continues to evolve rapidly but the fundamental components have
changed little. because processes at the top level have not changed rapidly, it is both
possible and reasonable to develop sops to be used in the field.

multiple choice questions

1. which of the following is not part of the set of forensic methodologies referenced in
this book?
a. preparation
b. interdiction
c. documentation
d. reconstruction

2. preparation planning prior to processing a crime scene should include:
a. what computer equipment to expect at the site
b. what the systems are used for
c. whether a network is involved
d. all of the above

3. the forensic crime scene processing kit should include all of the following, except:
a. evidence bags, tags, and other items to label and package evidence
b. forensically sanitized hard drives to store acquired data
c. compilers for developing forensic tools on site
d. hardware write blockers

4. when processing the digital crime scene, one aspect of surveying for potential sources of
digital evidence is:
a. recognizing relevant hardware such as computers, removable media, etc.
b. determining if electrical wiring is capable of supporting forensic machines
c. confirming that the operating environment is suitable for electronic equipment
d. making sure there is sufficient space to set up the forensic crime scene processing
kit

5. the ________ documentation specifies who handled the evidence, when, where,
and for what purpose.
a. evidence inventory
b. chain of custody
c. evidence intake
d. preservation notes

6. when documenting a crime scene, the computer and surrounding area should be
photographed, detailed sketches should be made, and copious notes should be taken,
because:
a. the more evidence collected, the stronger the case.
b. this provides a record for what to look for when you return for the second visit.
c. it is prudent to document the same evidence in several ways.
d. all of the above.

7. in regard to preservation, in a child pornography investigation, which of the following
should be collected?
a. photographs
b. papers
c. digital cameras
d. all of the above

8. if it is determined that some hardware should be collected, but there is no compelling
need to collect everything, the most sensible approach is to employ:
a. nearest reach doctrine
b. direct connectivity doctrine
c. independent component doctrine
d. slice-the-pie doctrine

9. a crime scene investigator decides to collect the entire computer. in addition, he decides
to collect all of the peripheral devices associated with that computer. what reason could
he give to justify this?
a. it is especially important to collect peripheral hardware related to the type of
digital evidence one would expect to find in the computer.
b. since the computer is being collected, the suspect has no need for the peripherals.
c. the presence of the peripheral devices is essential to imaging the suspect hard
drive.
d. none of the above.

10. according to the us federal guidelines for searching and seizing computers, safe
temperature ranges for most magnetic media are:
a. 60-80 degrees fahrenheit
b. 50-90 degrees centigrade
c. 50-90 degrees fahrenheit
d. 60-80 degrees centigrade

11. which of the following is not an artifact that will be irrevocably lost if the computer is
shut down?
a. running processes
b. open network ports
c. data stored in memory
d. system date and time

12. which of the following is not one of the recommended approaches to preserving digital
evidence?
a. place the evidential computers and storage media in secure storage for later
processing.
b. preview the evidential computer, taking appropriate notes.
c. extract just the information needed from evidential computers and storage media.
d. acquire everything from evidential computer and storage media.

13. the reason unix “dd” is considered a de facto standard for making bitstream copies is:
a. the majority of tools for examining digital evidence can interpret bitstream
copies.
b. “dd” stands for “digital data” and was developed for making forensic copies.
c. “dd,” although a unix tool, is universally able to traverse windows file systems.
d. the developers of “dd” have made arrangements with other forensic software
companies.

14. regarding the examination of a piece of digital evidence, which of the following is not
one of the fundamental questions that need to be answered?
a. what is it (identification)?
b. what classifications distinguish it?
c. where did it come from?
d. what is its value?

15. the file signature of a microsoft word document is an example of what type of
characteristic?
a. an individual characteristic
b. a class characteristic
c. an intermediate characteristic
d. a medial characteristic

true or false questions

1. since computer seizures usually happen pretty much the same way, there is no real need
to do any pre-planning.
a. true
b. false

2. if possible, prior to entering a crime scene, it is useful to try and determine what kind of
computer equipment to expect.
a. true
b. false

3. a forensic crime scene processing kit should contain quantities of those items used to
process computer equipment.
a. true
b. false

4. when surveying the crime scene for hardware, the investigator should focus on the
computer systems since that is where most of the important evidence will be.
a. true
b. false

5. chain of custody documents record who handled the evidence, when, where, and for
what purpose.
a. true
b. false

6. it is not prudent to document the evidence more than one way.
a. true
b. false

7. the severity and the category of cybercrime largely determine how much digital evidence
is collected.
a. true
b. false

8. under independent component doctrine, if a computer system must remain in place but it
is necessary to take the original hard drive, a reasonable compromise is to duplicate the
hard drive, restoring the contents onto a similar hard drive that can be placed in the
computer, and to take the original into evidence.
a. true
b. false

9. at a crime scene, digital evidence will be found on the computer, on mobile devices, and
on shelves, bookcases, and the area surrounding the computer. therefore, there is no
need to search the garbage for evidence.
a. true
b. false

10. when a computer is to be moved or stored, evidence tape should be put around the main
components of the computer in such a way that any attempt to open the casing or use the
computer will be evident.
a. true
b. false

11. the updated acpo recommendation for seizing a running computer is to pull the
electrical cord from the back of the computer.
a. true
b. false

12. a sound forensic practice is to make at least two copies of digital evidence and to
confirm that at least one of the copies was successful and can be accessed on another
computer.
a. true
b. false

13. given the risks of collecting a few files only, in most cases it is advisable to preserve the
full contents of the disk.
a. true
b. false

14. computers used to store and analyze digital evidence should be connected to the internet,
so that online research can be conducted.
a. true
b. false

15. “dd” is the only way to make a bitstream copy.
a. true
b. false

essay questions

1. list the class and individual characteristics of each of the following:
- a jpeg file
- a thumb drive
- a user manual with handwritten notes

answer guidance: class characteristics are generally true for a particular object. individual
characteristics are how that object has been changed by the user.

2. you have arrived at a crime scene containing one computer, one printer, connecting cables,
connection to a phone line, and a shelf above the computer containing books, user manuals, and
printouts.

what is your first step in processing the crime scene?

would you seize the computer? if so, would you seize the printer?

what communication issues do you see with the above installation?

project
research and report on the origins and both the intended and unintended uses of the unix program
“dd.”

chapter 17
digital evidence on windows systems

on completion of this chapter, the student will:

- be aware that windows-based systems will comprise the majority of cases.
- recognize that powerful forensic tools are not a substitute for knowledge and experience
and in each of the following areas:
o file systems
o data recovery
o log files
o registry
o internet traces
o program analysis
- be aware of the workings of each of the file systems covered.
- recognize how dates and times are recorded in various windows file systems.
- be aware that currently there are no tools available to analyze ntfs journaling.

chapter guide
the windows environment is complex and poses a number of challenges for the forensic
examiner (fe). some issues include:

- invasive characteristics of the windows environment (invasive because it does not
mount disks read-only).
- the way windows file system(s) are implemented.
- no facility in the windows environment for mounting a hard drive as read-only.
- the location, organization, and content of windows system log files.
- available methods for recovering data from windows media.
- exploiting windows file system traces.
- analyzing the windows registry.
- internet usage analysis in the windows environment.
- program effects analysis.

the forensic examiner must constantly strive to be current with new developments (such as
cloud computing) in hardware and software.

file systems
windows supports a variety of file systems. floppy disks are formatted fat12 (each entry in the
fat is 12 bits). hard drives may be formatted fat16, fat32, or ntfs. the fe must be sufficiently
familiar with all supported file systems so that inconsistencies can be recognized.

knowing what a “normal” file structure should look like and where data can be hidden in each
file system is essential to successfully examining windows media.

for fat-based file systems, three data structures are created during the formatting process: mbr
(master boot record), two fats (file allocation table), and a root directory. when the os receives a
request to open a particular file, it first searches the root directory and path to locate the file
name. if successful, it reads other significant information stored in the file’s directory entry,
namely the file size (in bytes) and starting cluster. the os retrieves the data from the specified
cluster and checks the file size parameter to see if the file is larger than one cluster. if it is, the
os checks the fat for the next cluster number and loads the data stored at that location. this
procedure continues until the last of the file data is read. the fat and directory entry are updated
when the file is changed or deleted. data can be hidden in a variety of places including the
directory structure, unused areas of the fat, between the end of file data and the cluster boundary
(file slack), and unallocated space.
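as an added example, not the book's own code, here is a fat12 walker in python that follows a file's cluster chain the way the os lookup just described does. the fat, the 512-byte cluster size (one sector per cluster, as on a 1.44 mb floppy) and the 19,968-byte file starting at cluster 275 are constructed, and the chain is deliberately fragmented.

```python
CLUSTER_SIZE = 512   # one 512-byte sector per cluster (constructed floppy layout)
EOC = 0xFF8          # FAT12 entries >= 0xFF8 mark the last cluster of a chain
BAD = 0xFF7          # marks a bad cluster


def fat12_get(fat: bytes, n: int) -> int:
    """Read the 12-bit entry for cluster n: two entries share three bytes."""
    off = n + n // 2
    if n & 1:
        return (fat[off] >> 4) | (fat[off + 1] << 4)
    return fat[off] | ((fat[off + 1] & 0x0F) << 8)


def fat12_set(fat: bytearray, n: int, value: int) -> None:
    """Write the 12-bit entry for cluster n without disturbing its neighbour."""
    off = n + n // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)


def walk_chain(fat: bytes, start: int) -> list[int]:
    """Follow the chain from `start` as the OS does when reading a file. Stops at
    end-of-chain, and also on free (0), bad, out-of-range or looping entries,
    which is what a damaged or reused FAT looks like to an examiner."""
    entries = len(fat) * 2 // 3
    chain, seen, cur = [], set(), start
    while 2 <= cur < entries and cur != BAD and cur not in seen:
        chain.append(cur)
        seen.add(cur)
        cur = fat12_get(fat, cur)
        if cur >= EOC:
            break
    return chain


def describe_file(fat: bytes, start_cluster: int, size: int) -> dict:
    """Report what the directory entry (start cluster, size) plus the FAT say
    about how the file is stored."""
    chain = walk_chain(fat, start_cluster)
    needed = -(-size // CLUSTER_SIZE)            # ceiling division
    complete = len(chain) == needed
    return {
        "clusters": len(chain),
        "clusters_needed": needed,
        "complete": complete,
        "fragmented": any(b != a + 1 for a, b in zip(chain, chain[1:])),
        # bytes between the end of file data and the cluster boundary (file slack)
        "slack_bytes": len(chain) * CLUSTER_SIZE - size if complete else None,
    }


def build_sample_fat() -> bytes:
    """Constructed FAT12: a 39-cluster chain that runs 275..300, then jumps to 400..412."""
    fat = bytearray(640)                         # room for 426 twelve-bit entries
    fat[0:3] = b"\xF0\xFF\xFF"                   # media descriptor / reserved entries 0 and 1
    runs = list(range(275, 301)) + list(range(400, 413))   # 26 + 13 = 39 clusters
    for a, b in zip(runs, runs[1:]):
        fat12_set(fat, a, b)
    fat12_set(fat, runs[-1], 0xFFF)              # end of chain
    return bytes(fat)


if __name__ == "__main__":
    print(describe_file(build_sample_fat(), 275, 19968))
```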

ntfs uses a different method, storing file information in the master file table (mft) using a b-tree
(binary tree) structure. deleted files may be more difficult to recover because ntfs creates
entries as needed and reuses entries before creating new ones, making it more likely that a new
file will overwrite an existing one. the data may be intact, but the file system references may be
lost.

overview of digital evidence processing tools
forensic-recovery activities commonly carried out include:
• previewing a drive for relevant data (keyword search)
• evidence media acquisition
• validation of evidentiary data
• evidence analysis

in those cases where a large number of drives must be examined for specific information, the
results of keyword searching will indicate which drives contain relevant information. winhex
forensic, encase, disksearch pro, and linux have the capability to search for keywords.

when notable data is found, then that media becomes evidence and must be “acquired” – that is,
copied completely. there must be a reliable method of verifying that the original and the copies
are identical. message hashing algorithms such as md5 and sha-256 are accepted as reliable
methods for determining whether two blocks of data (file, drive, etc.) are identical. safeback,
winhex forensic, encase, forensic toolkit (ftk), snapback dataarrest, and byte back all employ
integrity checks to assure that copies are identical to the original, to the bit level.

media can be examined either logically (accessed through the bios) or physically (accessed
directly). both methods have strengths and weaknesses and the choice is dependent on the
circumstances. logical access utilizes file structures, so file data is more easily examined.
however, logical access may miss some data. physical access, on the other hand, is more likely
to get all available data. however, the interpretation of findings is more difficult due to absence
of file and directory markers. the fe should be knowledgeable in either format, since both
methods are likely to be used at some point in an examination. winhex forensic and norton
diskedit can view media in physical mode – winhex can also view it logically. integrated
applications like winhex forensic, encase, and ftk for windows and the sleuth kit for linux/unix
can view data physically or logically. be aware that, unless a particular application has
undergone exhaustive validation testing, the fe has no guarantee that the displayed results
represent actual data. by having an arsenal of tools, the fe can apply more than one tool to the
target data, and compare the results.

data recovery
although automated tools exist for recovering data, the fe must understand the fundamental
underlying principles. knowing how to manually recover damaged fats and directories requires a
level of understanding sufficient to enable the fe to explain the relevant processes to the court.

“then, your honor, i pressed ‘r’ for recover…” is not sufficient.

deleted directory recovery is more complex. on windows, encase, ftk, and winhex/x-ways
forensics can recover files and directories for fat and ntfs. on unix, smart and the sleuth kit can
recover files and directories for fat and ntfs. another method for data recovery is called “file
carving” and consists of examining raw data, usually in slack space, locating the beginning and
end of a file, and “carving” this block of data out to a separate file, with the proper extension.
the file is then examined with the appropriate application.

dealing with password protection and encryption
fes are often required to overcome password protection and/or encryption. hex editors like
winhex can sometimes be used to remove a password from a file. a variety of tools are available,
both validated and unvalidated, for password cracking and can be found on the internet. test
before using on an actual case.

passwords may be at the bios, os, and individual application level. the fe should have the resources
available to overcome them at any level.

encryption is another issue the fe must deal with. there are many levels of encryption, some
much more secure than others. in the case where the level of encryption is measured in millions
of years to break, other means of obtaining the data must be utilized. some encryption
applications recommend the creation of a “recovery disk” in case the password is forgotten. the
recovery disk allows the data to be recovered. therefore, where encryption is employed, first
responders should collect other media as well.

log files
no matter how incriminating the data found on a computer, it is necessary for the fe to associate
that data with a suspect. there are many instances where the defense could argue that “anyone”
could have accessed the target system. log files are used by the fe to attempt to determine who
was responsible for creating a particular piece of evidence.

windows 9x/me do not maintain log files. windows nt/2000/xp have the capability of
logging a great deal of information, but have to be configured in advance to do so. objects
tracked can include login/out (both successes and failures), user activities, internet access,
significant events, and other information. log analysis is a critical skill for the fe.

file system traces
windows systems create a trail of events that are very difficult to completely eliminate. it takes
a thorough understanding of system events to hide all traces of a particular act. a great deal of
information can be derived from these traces. date-time stamps of objects may substantiate or
destroy alibis. metadata may provide unencrypted versions of encrypted data. print spoolers
may contain data from documents that were completely erased. once the fe has collected all the
notable data, the significance of the data must be assessed. file system traces provide a clearer
picture of how a particular piece of evidence came to be.

registry
windows stores configuration and usage information in the registry. regedit and regedt32 are
tools to view and modify the windows registry. among other useful things to be gleaned from the
registry is the use of removable drives. if working with a live system at the crime scene, the fe
would examine the registry for references to external storage devices.

internet traces
systems connected to the internet usually contain a wide variety of relevant data. websites
visited, e-mails, internet cache, temporary internet files, chat room logs, newsgroups accessed,
and files downloaded are all examples of the types of data that would be of interest to an fe.

- web browsing

the date-time stamp of an internet cache file corresponds to the date and time that the
web page was viewed. correlate this with the date-time stamp of files downloaded to
determine the origin of such files. browsers maintain a database of sites visited that
remains intact when the cache files are deleted. this database (netscape.hst for
netscape and index.dat for internet explorer) can be mined for a wealth of
information. tools exist to display the contents in a usable format. the ubiquitous
“cookies” that websites push onto a system may also provide useful information
about what sites were visited and when.

- usenet access

usenet readers store all the urls that have been accessed, as well as which usenet
newsgroups have been accessed and joined. considerable information can be derived
from this data.

- e-mail

e-mail contents and header information can provide the fe with a great deal of
information. it is necessary to have software that can read various proprietary e-mail
formats and mime encoded message attachments. the e-mail header information is
frequently “spoofed,” however, and the intermediate jumps that the e-mail packets
took along the way can provide the fe with useful investigative leads.

- other applications

internet messengers such as aol im, yahoo! pager, and others are a good source for
investigative leads. peer-to-peer file sharing programs may retain information on the
hosts visited. irc and other chat clients may retain logs but only if configured to do
so.

- network storage

indicators of remote storage are definitely of interest to the fe. with the proliferation of
wireless home networks, it is conceivable that a suspect might be using his
unsuspecting neighbor’s wireless network to store pornographic images. file backup
sites exist on the internet. for that matter, the suspect’s isp may provide storage space
for its customers. a search for the presence of file transfer programs may provide
indicators to where such storage might be located. it is advisable to obtain the
requisite legal permissions before accessing remote storage sites.

program analysis
there are times when a controlled experiment with a malicious program may provide insights on
where to look for evidence on a case system. recreating an intrusion on a test system will
provide log entries, which can then be sought on the actual system. analysis can be
accomplished by:

- analyzing the source code
- analyzing the executable code
- running the code on a test system
the processes, such as network traffic, that occur when a particular application executes may be
of interest to the forensic examiner.

multiple choice questions

1. which of the following issues is not one that a forensic examiner faces when dealing
with windows-based media?
a. invasive characteristics of the windows environment
b. the facility in the standard windows environment for mounting a hard drive
as read-only
c. the location, organization, and content of windows system log files
d. available methods for recovering data from windows media

2. forensically acceptable alternatives to using a windows evidence acquisition boot disk
include all but which of the following?
a. linux boot floppy
b. fire bootable cd-rom
c. booting into safe mode
d. hardware write blockers

3. the standard windows environment supports all of the following file systems except
________.
a. fat16
b. ext2
c. fat32
d. ntfs

4. before evidentiary media is “acquired,” forensic examiners often ________ the media to
make sure it contains data relevant to the investigation.
a. hash
b. preview
c. validate
d. analyze

5. media can be accessed for examination either ________ or ________. (choose two)
a. logically
b. sequentially
c. randomly
d. physically

6. which of the following software tools is not used for data recovery?
a. winhex (x-ways) forensic
b. encase
c. ftk
d. safeback

7. you find the following deleted file on a floppy disk. how many clusters does this file
occupy?

name .ext     id      size   date     time     cluster 76  a r s h d v
_reenf~1 doc  erased  19968  5-08-03  2:34 pm  275         a-----

a. 200
b. 78
c. 39
d. 21

8. log files are used by the forensic examiner to ________.
a. associate system events with specific user accounts
b. verify the integrity of the file system
c. confirm login passwords
d. determine if a specific individual is the guilty party

9. the windows nt event log appevent.evt:
a. contains a log of application usage
b. records activities that have security implications, such as logins
c. notes system events such as shutdowns
d. none of the above

10. when examining the windows registry key, the “last write time” indicates:
a. the last time regedit was run
b. when a value in that registry key was altered or added
c. the current system time
d. the number of allowable changes has been exceeded

11. file system traces include all of the following except:
a. metadata
b. cmos settings
c. swap file contents
d. data object date-time stamps

12. when a file is moved within a volume, the last accessed date time:
a. is unchanged
b. changes if a file is moved to different directory
c. changes if a file is moved to the root
d. is unchanged; however, the created date-time does change

13. internet traces may be found in which of the following categories?
a. web browser cache
b. instant messenger cache
c. cookies
d. all of the above

14. the windows nt event log secevent.evt:
a. contains a log of application usage
b. records activities that have security implications, such as logins
c. notes system events such as shutdowns
d. none of the above

15. when examining the “news.rc,” you find the following entry:

alt.binaries.hacking.utilities! 1-8905,8912,8921,8924,8926,8929,8930,8932

what does the “!” mean?
a. the user is subscribed to this group.
b. the user was once subscribed, but is currently unsubscribed, to this group.
c. the group is up to date.
d. the last message retrieval was aborted.

true or false questions

1. given their widespread use and simple structure, fat file systems are a good starting
point for forensic analysts to understand file systems and recovery of deleted data.
a. true
b. false

2. usenet readers store all the urls that have been accessed, but do not record which
usenet newsgroups have been accessed and joined.
a. true
b. false

3. the windows environment is invasive and poses a challenge to forensic examiners.
a. true
b. false

4. with the correct cmos setting, it is possible to mount a hard drive as read-only in the
windows environment.
a. true
b. false

5. encase provides the means to create a windows evidence acquisition boot disk to
allow for network acquisition of an evidence drive.
a. true
b. false

6. windows evidentiary media must be acquired and examined with windows-based
examination software.
a. true
b. false

7. ntfs time represents time as the number of 100-nanosecond intervals since january 1,
1601 00:00:00 utc.
a. true
b. false

8. in fat32 file systems both the directory and fat entries are updated when a file is
deleted.
a. true
b. false

9. encase can recover deleted files but does not have the capability of recovering deleted
directories.
a. true
b. false

10. in the windows environment, simply opening a file to read, without writing it back to
disk, can change the date-time stamp.
a. true
b. false

11. in ntfs, when a file is deleted from a directory, the last modified and accessed date-time
stamps of the parent directory listing are updated.
a. true
b. false

12. the md5 hashing algorithm is no longer considered to be a reliable method for
determining whether two blocks of text are identical.
a. true
b. false

13. a forensic examiner would use logical access to examine media if the file and directory
structures were to be analyzed.
a. true
b. false

14. “file carving” is an examination technique where the beginning and end of a file are
located, and the block of data spanning the two locations is copied to a new file, with the
appropriate extension.
a. true
b. false

15. just like windows nt, windows 98 has event logs that record system activities.
a. true
b. false

essay questions

for each of the following questions, develop discussion notes and be prepared to discuss your
findings.

1. is it necessary for forensic examiners to understand how data is stored by various types of
file systems? explain why or why not. support your answer with examples.

2. when examining evidence media, is it necessary to use the same operating system used
on the original? explain why or why not. support your answer with examples.

3. is the data-time stamp of various file system objects significant in the analysis of
evidentiary media? explain why or why not. support your answer with examples.

scenario

you are the digital forensic examiner at a pre-trial session with the judge and opposing counsel.
you have been asked to explain the various methods that data is stored and erased in the
windows environment. your discussion should include concepts such as slack space,
unallocated space, the sequence of events that take place when a file is deleted, and any other
points that you deem important. keep in mind that you must prepare your discussion in terms
that non-technical people can understand.

chapter 18
digital evidence on unix systems

on completion of this chapter, the student will:

- recognize that most unix systems information is available for review.
- be aware that the openness of unix systems presents both opportunities and
challenges to digital investigation.
- recognize the values and limitations of using unix-based acquisition boot disks.
- be aware that there are many different unix file systems, the most common of
which are:
- ufs
- reiser
- ext2
- ext3
- recognize that many native unix tools are useful to the digital examiner.
- recognize that there are numerous open source unix-based forensics tools available.
- be aware that currently there are no tools available that can analyze the ext3
journaling system.
- be aware that unix does not have a file slack.
- be aware that some automated forensic tools can process some portions of unix file
systems.
- recognize that deleted data on unix file systems can be recovered by data carving.
- be aware of possible solutions for passwords and encrypted files on unix systems.
- recognize the value of examining unix log files in the course of an investigation.
- be aware of the variety of file system traces that may be found on a unix system.
- recognize the value of network traces.

chapter guide
various permutations of unix (solaris, aix, hp-ux) have been around for over 30 years. it is an
extremely stable, powerful multi-user environment with built-in support for networking.
because some of the variants have been made available under open source agreements (linux,
openbsd, freebsd), startup implementation costs have been minimized. in addition, a great deal
of software has also been released under open source agreements, providing a wide range of
low-cost applications and making unix implementations very popular, especially for e-commerce,
information security, and digital forensics. apache webserver, which comes with most linux
distributions, is one of the most widely used web servers on the internet.

the unix environment makes a large portion of system information such as configuration files
and system logs readily available. this is unix’s greatest strength and its greatest weakness.

unix evidence acquisition boot disk
a fundamental capability of the unix file system is to mount storage devices as read-only.
however, there is still a possibility that it could make changes on an evidentiary device, so a
hardware write-blocker can be used. (recall that this capability is not supported in the standard
dos/windows environments.) since this capability is inherent in the unix environment, making an
evidence acquisition boot disk is the straightforward process of making some media, such as a
cd-rom, bootable in a unix variant and including the software tools needed for
acquisition, validation, and analysis. keep in mind that unix and its variants are, by nature,
hardware specific. a boot disk created for sun sparc systems will most likely not work on an
intel-based system. another consideration is the availability of device drivers. an evidence
acquisition boot disk should contain drivers for various kinds of removable storage such as usb
and firewire.

file systems

unix supports several file systems such as ufs (unix file system), ext2 and ext3 (extended file
system 2 and 3), and reiser. they all have similar structures for managing the file system. each
unix partition is divided into block groups (aka “cylinder groups”). each block group contains,
among other things, an inode (index node) table. an inode table consists of entries representing
either directories or files. a directory inode entry contains the names of those files and directories
associated with it, and their respective inode numbers. a file inode entry contains all of the file’s
information except its name (i.e., owner/group id, permissions, file type, date-time stamps,
reference count, file size in bytes, data block numbers). the file block numbers point to the actual
data. in addition to containing data, each block group contains duplicates of critical file system
components, that is, the superblock and group descriptors to facilitate recovery if the primary
copy is damaged. the superblock contains information about the file system such as block size,
number of blocks per block group, the last time the file system was mounted, last time it was
written to, and the sector of the root directory inode.

unix adds another time to the mac (modified, accessed, created) times referenced in the chapter
on windows systems – deleted time. if a file or directory is not deleted, the deleted time value is
set to a default time – zero from the unix standpoint, as it represents time in epoch time (the
number of seconds since january 1, 1970, 00:00:00 utc).

unix ctime is not equivalent to ntfs creation time. in unix a change (ctime) alters a file’s inode. a
modification (mtime) alters the contents of the file.

when a file is deleted, its directory entry is hidden and the associated inode is marked as
available. the directory entry and data remain on the disk until they are overwritten and,
therefore, may be recoverable.
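Decoding the inode fields and the four timestamps described above, as an added example (not code from the book): the script unpacks the classic 128-byte ext2 inode layout from constructed byte records, renders epoch values in UTC, shows a dtime of zero on a live inode versus a set dtime on a deleted one, and distinguishes a chmod (ctime only) from a content write (mtime and ctime). The sample inodes, uids and block numbers are made up.

```python
"""Decode classic 128-byte ext2/ext3 inodes and their four timestamps.

Added example (not code from the book). The inode layout is the standard
little-endian ext2 layout; the inode records below are constructed in
memory so the script runs without a disk image.
"""
import struct
from datetime import datetime, timezone

# mode, uid, size, atime, ctime, mtime, dtime, gid, links, blocks, flags,
# osd1, 15 block pointers, generation, file_acl, dir_acl, faddr, osd2
INODE_FMT = "<HHIIIIIHHIII15IIIII12s"
assert struct.calcsize(INODE_FMT) == 128

S_IFMT, S_IFDIR, S_IFREG = 0xF000, 0x4000, 0x8000


def epoch_to_utc(seconds):
    """Render a UNIX epoch value (seconds since 1970-01-01 00:00:00 UTC)."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S UTC")


def parse_inode(raw):
    """Return the forensically interesting fields of one raw inode record."""
    if len(raw) < 128:
        raise ValueError("inode record must be at least 128 bytes")
    f = struct.unpack(INODE_FMT, raw[:128])
    mode = f[0]
    return {
        "type": {S_IFDIR: "directory", S_IFREG: "regular file"}.get(
            mode & S_IFMT, "other"),
        "perms": oct(mode & 0o7777),
        "uid": f[1], "gid": f[7], "size": f[2], "links": f[8],
        "atime": f[3], "ctime": f[4], "mtime": f[5], "dtime": f[6],
        # non-zero entries of i_block[] point at the data blocks
        "blocks": [b for b in f[12:27] if b],
    }


def is_deleted(inode):
    """dtime stays at epoch zero for a live inode; a deleted inode records
    when it was released (its link count has also dropped to zero)."""
    return inode["dtime"] != 0


def describe_change(before, after):
    """Tell a content change from a metadata-only change: mtime tracks the
    file contents, ctime tracks the inode itself."""
    if after["mtime"] != before["mtime"]:
        return "contents modified (mtime and ctime advance)"
    if after["ctime"] != before["ctime"]:
        return "inode metadata changed (ctime only: chmod, chown, mv, ...)"
    return "no change recorded"


def make_inode(mode, uid, gid, size, atime, ctime, mtime, dtime, links, blocks):
    """Build a constructed inode record for the demo (not from a real disk)."""
    ptrs = list(blocks) + [0] * (15 - len(blocks))
    return struct.pack(INODE_FMT, mode, uid, size, atime, ctime, mtime, dtime,
                       gid, links, (size + 511) // 512, 0, 0, *ptrs,
                       0, 0, 0, 0, b"\0" * 12)


T0 = 1262304000  # 2010-01-01 00:00:00 UTC, a constructed reference time
# live 0644 regular file, last written an hour before it was last read
LIVE = make_inode(S_IFREG | 0o644, 1000, 1000, 4096,
                  T0, T0 - 3600, T0 - 3600, 0, 1, [1234])
# the same file after "chmod 600": only ctime moves
CHMODDED = make_inode(S_IFREG | 0o600, 1000, 1000, 4096,
                      T0, T0 + 60, T0 - 3600, 0, 1, [1234])
# a deleted file: link count 0, dtime set, block pointers still present
DELETED = make_inode(S_IFREG | 0o644, 1000, 1000, 9000,
                     T0, T0 + 86400, T0, T0 + 86400, 0, [5678, 5679, 5680])


def report(raw):
    """Human-readable lines for one inode record."""
    ino = parse_inode(raw)
    lines = [f"{ino['type']} perms={ino['perms']} uid={ino['uid']} "
             f"size={ino['size']} links={ino['links']} blocks={ino['blocks']}"]
    for name in ("atime", "ctime", "mtime"):
        lines.append(f"  {name}: {epoch_to_utc(ino[name])}")
    lines.append("  dtime: " + (epoch_to_utc(ino["dtime"]) if is_deleted(ino)
                                else "0 (never deleted)"))
    return lines


if __name__ == "__main__":
    for label, raw in (("live", LIVE), ("deleted", DELETED)):
        print(label)
        print("\n".join(report(raw)))
    print(describe_change(parse_inode(LIVE), parse_inode(CHMODDED)))
```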

overview of digital evidence processing tools

linux has a number of features that make it an ideal choice for forensic examinations:

- a great many utilities useful for conducting forensic examinations come with the standard
distribution (dd, md5sum, grep).
- the system pipe (“|”) allows the output of one tool to be “piped” as input for another tool. a
single command may move data through several tools and into a final text file.
- linux supports a variety of file systems types, facilitating the examination of foreign file
systems.
- linux permits direct access to devices and may allow data to be recovered that would not be
accessible through the file system.
- linux is open source, with its inherent support base.
- there exists a large body of third-party tools suitable for conducting forensic examinations.

data recovery

unix file systems, unlike dos/windows, do not have slack space. the data area either contains
data or is unallocated. deleted data is treated as unallocated space. unix attempts to reuse
existing inodes before allocating new ones, so there is an increased likelihood of losing data.

unix-based tools

there are several methods available for recovering deleted files:

- search for specific inodes and recover the data associated with them
- search directories for deleted entries

windows-based tools

in the windows arena, there are a few forensic examination software tools that can recover
deleted unix files.

- encase can recover deleted file data, placing them all in a “lost files” area, however, it does
not currently refer data using inode numbers or recover deleted directory entries.
- ftk can recover deleted files and directories from ext2, into an area called “[orphan]”.

file carving with unix

software tools that can be used for recovering file data directly from data blocks include:
- foremost – this open source program from sourceforge.net can recover unfragmented files by
searching for file signature headers and footers and copying the data inclusively into
sequentially numbered files with the correct extension.

- lazarus – a tct (the coroner’s toolkit) utility uses a similar, though more thorough,
method for carving out file data.
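The header/footer carving that the text attributes to foremost, as an added example (not foremost's own code): it scans a byte buffer for known signatures, copies each header-to-footer span inclusively, skips a header that has no footer (the fragmented or truncated case), and names the output files sequentially with the matching extension. The signature table and the "unallocated space" buffer are constructed for the demo.

```python
"""Header/footer file carving over a raw byte buffer.

Added example, not code from the book or from foremost. The signature
table is a tiny constructed subset of what a real carver ships, and the
image buffer is built in memory rather than read from a disk.
"""
import os
import tempfile

# (header, footer) pairs constructed for the demo
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "gif": (b"GIF8", b"\x00\x3b"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

MAX_CARVE = 10 * 1024 * 1024  # give up on a header with no footer within 10 MiB


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return [(ext, start, end, data), ...] sorted by start offset.

    Only unfragmented files are recoverable this way: the bytes between a
    header and the next matching footer are assumed to be one file.
    """
    found = []
    for ext, (head, foot) in signatures.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            limit = min(len(image), start + max_size)
            end = image.find(foot, start + len(head), limit)
            if end < 0:
                pos = start + 1          # orphan header: skip it, keep looking
                continue
            end += len(foot)             # copy inclusively, footer included
            found.append((ext, start, end, image[start:end]))
            pos = end                    # resume after this file
    return sorted(found, key=lambda t: t[1])


def write_carved(carved, outdir):
    """Write each carved object as 00000000.ext, 00000001.ext, ..."""
    names = []
    for n, (ext, _start, _end, data) in enumerate(carved):
        name = os.path.join(outdir, f"{n:08d}.{ext}")
        with open(name, "wb") as fh:
            fh.write(data)
        names.append(name)
    return names


def build_demo_image():
    """Constructed 'unallocated space': zero filler around three fake files
    and one truncated JPEG header that must not produce a file."""
    filler = b"\x00" * 512
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF fake body" + b"\xff\xd9"
    orphan = b"\xff\xd8\xff\xe1" + b"header with no footer"
    gif = b"GIF89a" + b"fake gif body" + b"\x00\x3b"
    pdf = b"%PDF-1.4 fake pdf body %%EOF"
    return filler + jpg + filler + orphan + filler + gif + filler + pdf + filler


if __name__ == "__main__":
    carved = carve(build_demo_image())
    with tempfile.TemporaryDirectory() as out:
        for name in write_carved(carved, out):
            print(name, os.path.getsize(name), "bytes")
```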

dealing with password protection and encryption

although it is possible to connect pcs into “beowulf clusters,” essentially arrays of parallel
processing units, strong encryption would still require months, years, decades, or even longer to
be broken. the forensic examiner seldom has the luxury of that much time.

an understanding of how encryption is typically conducted can lead to the unencrypted data.
for example, if a file is encrypted, then two copies exist. if the plaintext copy is just deleted, it
may be recovered.

encrypted log-on passwords can be recovered using brute-force password guessing programs
like crack and john the ripper. booting into single user mode and modifying the password file can
allow access in multiuser mode.

log files

virtually every system event, including log-on and log-off, is logged somewhere in one or more
system logs, depending on how the system is configured. log analysis tools are available to
correlate various log entries when reconstructing system events.

(see decc2e, p. 311, for further information.)

file system traces

data remnants can be found in the data area or in swap space. print spoolers and other
applications create recoverable temporary files. as stated earlier, the deleted plaintext version of
an encrypted file may be recoverable. mac (modify, access, create) and deleted times can be
recovered. the examiner uses this information to reconstruct system events, and create activity
charts and a variety of other relevant information. (see pp. 311-315 for further information and
examples.)

internet traces

unix is first and foremost a networking environment and there are many applications for
connecting to the internet. although most of these applications do not create logs, they leave
behind many recoverable traces.

web browsing

web browsers keep track of sites visited in history and cache files. examiners can examine this
data to determine where a user has been, and when.

e-mail

incoming e-mail is stored in “/var/spool/mail” under each user’s account name. outbound e-
mails are temporarily stored in “/var/spool/mqueue/mail”. in most cases e-mails are stored as
plaintext, but mime-encoded attachments require special software for decoding. proprietary e-
mail formats such as outlook and aol usually should be viewed in their respective applications.
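Reading a per-user spool file in the mbox layout used under /var/spool/mail, as an added example (not code from the book): the stdlib mailbox module splits the spool into messages and exposes the envelope "From " delivery stamp, and a MIME walk decodes a base64 attachment that would otherwise show as an opaque block. The spool contents, user name and addresses are constructed.

```python
"""Walk a UNIX mail spool (mbox layout, as under /var/spool/mail) and list
each message's headers, envelope line and decoded MIME attachments.

Added example, not code from the book. The spool below is constructed
inline; the user "alice" and the addresses are made up.
"""
import base64
import mailbox
import os
import tempfile

ATTACHMENT_BYTES = b"hello from the attachment\n"  # constructed payload

# Constructed spool: one plain message, one multipart message carrying a
# base64-encoded attachment. The "From <addr> <date>" lines are the
# envelope stamps the delivery agent writes between messages.
SPOOL_HEAD = (
    b"From bob@example.test Mon Jan  4 09:15:00 2010\n"
    b"From: bob@example.test\n"
    b"To: alice@example.test\n"
    b"Date: Mon, 04 Jan 2010 09:15:00 +0000\n"
    b"Subject: plain text\n"
    b"\n"
    b"meet at noon\n"
    b"\n"
    b"From carol@example.test Mon Jan  4 10:30:00 2010\n"
    b"From: carol@example.test\n"
    b"To: alice@example.test\n"
    b"Date: Mon, 04 Jan 2010 10:30:00 +0000\n"
    b"Subject: with attachment\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\n'
    b"\n"
    b"--XYZ\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"see attached\n"
    b"\n"
    b"--XYZ\n"
    b'Content-Type: application/octet-stream; name="notes.txt"\n'
    b'Content-Disposition: attachment; filename="notes.txt"\n'
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
)
SPOOL_TAIL = b"\n--XYZ--\n\n"
DEMO_SPOOL = SPOOL_HEAD + base64.b64encode(ATTACHMENT_BYTES) + b"\n" + SPOOL_TAIL


def load_spool(raw):
    """Parse mbox bytes with the stdlib mailbox module. It wants a path, so
    the bytes go to a temporary file first; messages are read into memory."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(raw)
        box = mailbox.mbox(path)
        try:
            return list(box)
        finally:
            box.close()
    finally:
        os.unlink(path)


def summarize(msg):
    """Headers, envelope stamp and decoded attachments for one message."""
    attachments = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            # decode=True undoes base64 / quoted-printable transfer encoding
            attachments.append((part.get_filename(), part.get_payload(decode=True)))
    return {
        "envelope": msg.get_from(),
        "from": msg["From"], "to": msg["To"], "date": msg["Date"],
        "subject": msg["Subject"],
        "multipart": msg.is_multipart(),
        "attachments": attachments,
    }


def summarize_spool(raw):
    """Summaries for every message in an mbox byte string."""
    return [summarize(m) for m in load_spool(raw)]


if __name__ == "__main__":
    for s in summarize_spool(DEMO_SPOOL):
        print(f"[{s['envelope']}] {s['from']} -> {s['to']}: {s['subject']}")
        for name, data in s["attachments"]:
            print(f"  attachment {name}: {len(data)} bytes: {data!r}")
```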

network traces

the network-based nature of unix requires that forensic examiners always look for evidence of
network connections. many networked applications retain activity logs and configuration files.
evidence of shared network drives should also be sought. (see decc2e, pp. 319-320, for further
information.)

summary

as there are a great many unix-based systems fielded, it is extremely likely that a forensic
examiner will encounter such systems on a frequent basis. therefore, a thorough understanding of
how data is stored on unix-based systems is essential.

multiple choice questions

1. unlike the standard dos/windows environments, the unix environment has the capability of ______,
thereby preventing the contents of evidentiary media from being changed.
a. encrypting all data on the media
b. copying the contents of the media
c. warning the examiner of an impending write
d. mounting storage media as read-only

2. what is the most efficient method for a forensic examiner to confirm whether a particular
tool or methodology works in a forensically acceptable manner?
a. search the internet for accounts of other examiners using the tool or methodology
b. contact the author of the tool or methodology and have them provide
confirmation
c. test the tool under controlled conditions
d. contact other forensic examiners to determine if they have any experience with
the tool or methodology

3. the inode table can be found in the ______.

a. block group
b. superblock table
c. mbr
d. partition table

4. in a block group, file data is located in ______.

a. the block bitmap
b. data blocks
c. inode bitmap
d. directory entry

5. ______, which is part of the standard linux distribution, can be used to make a bitstream
copy of evidentiary media to either image files or sterile media.
a. grep
b. icat
c. dd
d. sha1sum

6. mac times, which are found in the ______, are an example of file system traces.

a. inode table
b. mbr’s partition table
c. inode bitmap
d. data blocks

7. why is it important to determine the level of network connectivity on a unix system as soon as
possible?
a. as unix systems may be configured to store critical evidence on remote
systems, network connections must be determined and exploited before any
evidence stored remotely is destroyed.
b. to keep suspects and spectators from accessing the target system during the
investigation.
c. to determine if the system administrator is a suspect.
d. none of the above.

8. the coroner’s toolkit and the sleuth kit are examples of open source .
a. hard drive repair tools
b. system administrator tools
c. forensic examination tools
d. network management tools

9. in unix, when a file is moved within a volume, the inode change date-time (ctime) is:
a. unchanged
b. updated
c. set to epoch time
d. set to last modified date-time

10. deleting a file has the effect of preserving its inode until it is reused because:
a. the inode is flagged as deleted.
b. the inode table entry is moved to the recycle bin.
c. deleted inodes are not accessible to the file system.
d. the inode number is added to a deleted files journal entry.

11. when a file is deleted on a unix system, the ctime of its parent directory is:
a. unchanged
b. updated
c. set to epoch time
d. set to last modified date-time

12. one of the most common web browsers on unix systems is:
a. internet explorer
b. safari
c. opera
d. firefox

13. firefox 3 stores potentially notable information in:

a. dbf format databases
b. ascii text files
c. sqlite databases
d. proprietary format files

14. on unix systems that receive e-mail, incoming messages are held in ______, in separate
files for each user account until a user accesses them.
a. /home/<useraccount>/desktop/mail
b. /var/spool/mqueue/mail
c. /etc/mailbox/mail
d. none of the above

15. the file system mount table shows local and remote file systems that are automatically
mounted when the system is booted. this information is stored in:
a. /etc/fstab
b. /etc/mount/mtab
c. /etc/hosts
d. none of the above

true or false questions

1. one of the most useful areas to search for notable data on a linux system is in file slack.
a. true
b. false

2. one of the difficulties in examining unix systems is that the file system is extremely
complex, making it difficult for the examiner to recover data.
a. true
b. false

3. grep is a standard linux tool that searches a specified file or region for a specified string.
a. true
b. false

4. the unix convention of “piping” the results of one command into another is a serious
limitation and is detrimental to using the unix platform for forensic examinations.
a. true
b. false

5. most data-carving tools operate on the assumption that the operating system generally
tries to save data in contiguous sectors.
a. true
b. false

6. given a sufficiently powerful computer, even “strong” encryption can be broken in a
short time.
a. true
b. false

7. as unix was never designed to work on networks, there are very few native utilities
designed to access the internet.
a. true
b. false

8. unix log files (or those of any operating system, for that matter) can provide a great deal
of useful information to the examiner.
a. true
b. false

9. on unix systems, e-mails and all attachments are stored as plaintext in
“/var/spool/mail,” or “/var/mail,” or in a directory under the user’s account.
a. true
b. false

10. when examining a unix system, searching for network traces is not usually necessary.
a. true
b. false

11. when requesting a search warrant, remotely connected systems cannot be considered part
of the target system, so it may be necessary to obtain proper authorization before
examining them.
a. true
b. false

12. a list of currently mounted drives, including those not listed in the file system mount
table, is kept in “/etc/mtab.”
a. true
b. false

13. when a target system is connected to other systems in remote locations, it is expedient
for the digital investigator to access these systems via remote access.
a. true
b. false

14. the “istat” command, found in the coroner’s toolkit, can be used to examine specific
inode bitmaps.
a. true
b. false

15. the mainstay of acquiring digital evidence using unix is the “icopy” command.
a. true
b. false

discussion questions

for each of the following questions, develop discussion notes and be prepared to discuss your
findings.

1. consider the statement “forensic examiners should have a high degree of competence in all
operating systems and their respective file systems.” do you agree or disagree? support your
answer with examples.

2. which is the more effective forensic examiner, one who can operate forensic tools in a
variety of operating environments (operating system, file system, etc.) and conducts
examinations in the native environment of the evidentiary media, or one who thoroughly
understands a single operating environment and examines evidentiary media in that
environment, regardless of the native operating environment of the media. support your
answer with examples.

scenario

you are on-site, conducting a preliminary examination of a linux system. the hardware suite includes
a 56kb modem. what areas of search should be included in your examination?
prepare an examination plan that details what you will look for, and why.

chapter 19
digital evidence on macintosh systems

on completion of this chapter, the student will:

- be aware of how hfs (and hfs plus) manage folders and files.
- recognize the unique features of hfs.
- be aware of the differences between hfs and hfs plus.
- be aware of various data recovery methods that can be used for hfs.
- recognize the forensic value of file carving and hfs.
- be aware of what file system traces to expect in hfs.
- be aware of the differences in date-time stamp behavior in hfs.
- be aware of various methods for processing internet traces.
- be aware of how an e-mail is implemented in the macintosh.

chapter guide

macs represent a small but growing segment of the total number of computers and are sufficiently
common to crop up frequently in digital investigations. therefore, forensic examiners must be prepared to
collect and analyze data from the mac environment. this task can be a challenge as there are currently very
few mac tools that specifically address forensic recovery. in addition, the integration of unix into mac os x
and the flexibility of the mac file systems can create a complex digital crime scene. at the same time, as
with other computer systems, there are many interesting nooks and crannies on macs where digital dust
can gather, and forensic examiners who familiarize themselves with these systems will be rewarded with
useful digital evidence.

unlike intel-based systems, macs do not have a bios per se. instead, they use open firmware, which can be
entered using the “command+option+o+f” key combination at the beginning of the boot process. the
current system date and time is generally visible in the opening message of newer versions of open
firmware.

as with windows, the mac boot process is very invasive. to prevent altering evidentiary data, conventional
wisdom dictates that the hard drives be disconnected before attempting to power up a mac. mac-
formatted drives can be acquired in the linux environment using dd, and likewise can be acquired in the
windows environment using tools such as encase or winhex. winhex forensic can acquire and examine
any cluster-based file system.

the mac file systems (16-bit hfs and 32-bit hfs+) are structured similar to other file systems discussed in
the text. boot records reside at the beginning of each volume. system file structures consist of catalog
files and extents overflow files. relevant to forensic examiners is how date-time stamps are recorded.

catalog file records are organized in a balanced tree (b-tree), a storage structure optimized for searching.
each record contains a catalog node id. four types of records are supported: folders, files, folder threads,
and file threads. notable data such as folder and file names and mac times can be found here. data are
stored in two places on the disk. data type is determined by both extent and relevant information stored
in the catalog file. (see section 12.1 for details.)

deletion of a file results in it being moved to the trash folder but it is not marked as deleted until it is
removed from there. when a file is deleted, its key length is zeroed and the reference to it may be
removed from the catalog. the net result is that the data may only be recoverable by keyword search of
unallocated space.

norton unerase has a good likelihood of recovering erased files. other tools, such as disk warrior and
prosoft data rescue, work well, also. using several of the tools in combination increases the likelihood of
data recovery. alternatively, file carving tools such as encase and winhex can be used to block file data
and save it to a new file.

older macintosh systems do not keep logs but mac os 9 and mac os x have a logging capability. of
interest to examiners are the systems logs that mac os x keeps. some items tracked such as external media
connected to the computer, user logon/logoff activity, and system clock changes can be evident from
temporal discontinuities in these logs. macs also keep records of recently accessed applications and
documents. tools like desktop db diver can provide a great deal of information about what applications
have been accessed. also of interest is how macintosh handles file deletions – files are moved to the
“trash” folder. examination of desktop db and desktop df may reveal the user’s activities.

mac os 9 and x are network-aware, and keep exploitable network-related information. also, internet
applications record activities to some degree. netscape history files are exploitable and may contain a
great deal of notable data. internet explorer maintains a history of browsing activities in history.html,
downloads.html, as well as .waf cache files, and stores cookies in various locations, depending on
version. the amount and quality of e-mail related data is dependent on the application – some log a great
deal of information and others do not.

the single biggest obstacle to successfully exploiting macintosh computers is limited choice in forensic
tools designed with the mac in mind. therefore, to be effective, examiners must know where and how to
look for information without the assistance of automated tools.

multiple choice questions

1. macintosh stores its partition table in:

a. the last sector of the drive
b. non-volatile memory
c. the first sector of the drive
d. at offset 1024

2. the boot sector and additional details about the volume are stored in:
a. the first sector of the volume
b. at offset 0x300 from the beginning of the drive
c. the last sector of the volume
d. cmos

3. hfs supports a maximum of ______ clusters.

a. 2^8
b. 2^16
c. 2^32
d. 2^64

4. hfs represents time as:

a. the number of nanoseconds since january 1, 1601 00:00:00 gmt
b. the number of milliseconds since january 1, 1980 00:00:00 gmt
c. the number of seconds since january 1, 1601 00:00:00 gmt
d. the number of seconds since january 1, 1904 00:00:00 gmt

5. the hfs equivalent to the ntfs mft is:

a. lister file
b. files.db
c. catalog file
d. seeker.db

6. a difference between hfs and other file systems studied is that folders:
a. are listed in a separate extents overflow file
b. do not contain lists of their contents
c. do not show when they were last backed up
d. are stored in two places on the disk

7. it may not be possible to recover the file names and date-time stamps from an hfs
volume with forensic tools because:
a. that information is overwritten when a file is deleted.
b. the inode table is deleted.
c. that information is only held in memory.
d. the b-tree data structure frequently rebalances.

8. the most common approach to salvaging deleted data on macintosh systems is to:
a. use encase to recover the files.
b. use the catalog utility.
c. use file carving techniques.
d. there is currently no solution to recovering deleted files from a macintosh.

9. on mac os x, when a file is deleted, it is copied to the:

a. recycler folder
b. .trash folder
c. [orphans]
d. none of the above

10. recently accessed files and applications are listed in:

a. ~/library/recent
b. catalog:recent
c. ~/library/preferences/com.apple.recent.items
d. com.apple.textedit.plist

11. the last access times of files copied from a mac running os 9 onto a fat-formatted disk
are meaningless because hfs does not maintain:
a. access time
b. modified time
c. created time
d. ctime

12. the default browser used on mac os x is:

a. internet explorer
b. safari
c. firefox
d. opera

13. the folder ~/library/mail downloads contains:
a. internet downloads
b. e-mails that contain attachments
c. unread e-mails
d. e-mail attachments that have been opened

14. keychains (~/library/keychains) are files that store:

a. usernames and passwords
b. private encryption keys
c. favorite websites
d. recent documents

15. when a file is deleted, its catalog entry may be deleted as well. if this occurs,
a. a backup of the catalog file will still contain the information.
b. all references to the data are removed from the disk.
c. the file information is moved to the extent overflow file.
d. the file information is moved to “.trash,” with the same name as the file, and
an extent of “.info.”

true or false questions
1. there is a wide selection of forensic tools available for exploiting macs.
a. true
b. false

2. macintosh disks can only be examined on a macintosh system.
a. true
b. false

3. by default, when mac os x boots up, it will attempt to mount an evidence disk.
a. true
b. false

4. hfs plus stores file and folder names in unicode format.
a. true
b. false

5. examination of a mac computer must be done manually – no automated tools exist.
a. true
b. false

6. on a macintosh, when a file is deleted, its key length is set to zero.
a. true
b. false

7. digital evidence examiners can use the sleuth kit on mac os x to examine ntfs, fat,
ufs, ext, and hfs file systems.
a. true
b. false

8. due to the design of the macintosh catalog file, it is easy to recover deleted files
manually, using forensic tools.
a. true
b. false

9. mac os x has logging capabilities, but os9 did not.
a. true
b. false

10. internet explorer cookies are always found in system
folder:preferences:explorer:cookies.txt.
a. true
b. false

11. typically, the degree of e-mail logging is dependent on the application.
a. true
b. false

12. by default, eudora for macintosh records more information than eudora for windows.
a. true
b. false

13. all “.plist” files are in plaintext.
a. true
b. false

14. in each volume of a macintosh system, there is a database named “desktop db” that
contains information about activities on the system including programs that were run and
files and websites that were accessed.
a. true
b. false

15. one of the interesting file system traces that is created when files are saved from a
macintosh to external media formatted using fat is a “.spotlight” folder.
a. true
b. false

discussion questions
for each of the following questions, develop discussion notes and be prepared to discuss your findings.

1. are macintosh systems more or less useful than windows systems as sources of digital evidence?
justify your answer.

2. it can be difficult to recover deleted files from hfs and hfs+ file systems manually. how can you
assure yourself that automated tools used for this purpose are working correctly?

3. how does mac os 9 differ from mac os x and what significance does this have from a forensic
perspective?

scenario
you receive a mac os x system and are asked to summarize the applications and data on the hard drive. in
addition, you are asked to report any recent system usage and any signs of encryption, external storage
media, or clock tampering. what data would you look for on the hard drive, where would you find them,
and what tools would you use?

chapter 20
digital evidence on mobile devices

on completion of this chapter, the student will:

- recognize that the use of cell phones and smart phones is an integral part of modern society.
- recognize that mobile devices can contain vast amounts of personal information.
- be familiar with the terminology used with mobile devices.
- be aware that criminals will use and store information on mobile devices, providing an additional
source for evidence.
- be aware that the dynamic nature of mobile devices presents challenges to forensics examiners.
- recognize that a major advantage of mobile devices from a forensic standpoint is that they can
contain deleted information even after attempts to delete.
- be aware that characteristics of flash memory chips may result in the recovery of user-deleted
information.
- be aware that mobile devices have become a new target for malware developers.
- recognize that mobile devices can connect to various networks via cellular towers, wifi access
points, and bluetooth, and those connected networks may also contain notable data.
- recognize that handheld devices may be synchronized to desktop applications, and notable data
may be found there, as well.
- recognize that information from mobile devices can assist the investigator in discovering the
user’s social network.
- be aware that, while the same forensic principles apply to mobile devices as they do to regular
computers, the dynamic, connected nature of mobile devices can present challenges.
- be aware of the procedures for seizing mobile devices.
- be aware of the value and benefits of first obtaining a physical acquisition of mobile devices.
- be aware of the value of obtaining a logical acquisition of mobile devices.
- be aware of various methods for acquiring mobile devices, such as:
o data cable
o bluetooth
- be aware of various mobile device forensic tools currently on the market.
- be aware of various methods of applying the forensic examination and analysis methodology to
mobile devices.
- be aware of various methods for data recovery on mobile devices.
- be aware of the variety of formats used on mobile devices.
- be aware of the issues involved with the acquisition and examination of sim cards.
- be aware of the forensic challenges relating to sim card security.
- recognize the value and the need to apply investigative reconstruction techniques to mobile
devices.
o temporal analysis
o relational analysis
o functional analysis



class notes

the instructor should convey to the student that, because mobile devices are so pervasive and becoming
more so every day, they should both expect and be prepared to deal with the ever-growing variety of
mobile devices. it would, in fact, be reasonable to expect to find a mobile device involved in nearly every
type of case that law enforcement would encounter.

forensic examination and analysis of mobile devices presents challenges above and beyond those of
traditional forensic investigations; however, the quality of the evidence obtained will make it worthwhile.



multiple choice questions

1. which of the following is not one of the methods mobile devices use to communicate?
a. fddi
b. telecommunication networks
c. wifi access points
d. bluetooth piconets

2. one major advantage of mobile devices from a forensic perspective is that:
a. people very seldom delete information from mobile devices.
b. the process for deleting information is much more complicated than for adding
information, and users frequently don’t delete things correctly.
c. flash memory is deleted block-by-block and mobile devices generally wait for a
block to be full before it is deleted.
d. manufacturers reserve a part of memory for storing deleted items.

3. the reason that malware developers are beginning to target mobile devices is:
a. because available memory is much smaller and the operating system is much less
sophisticated on mobile devices, it is much easier to develop malicious code.
b. the malware market has become very crowded and developers are looking for new
avenues.
c. since the coding is much simpler on mobile devices, many new programmers are trying
at this particular platform.
d. since mobile devices are used more and more for online banking and making
purchases, they have become prime targets for computer criminals.

4. software designed to monitor activities on mobile devices has come to be called:
a. malware
b. spouseware
c. trojan defense
d. none of the above

5. one of the dangers (from a forensic standpoint) of mobile devices is:
a. connected networks can contain investigatively useful information.
b. network service providers may provide information for comparison with data extracted
from a mobile device.
c. connected networks can enable offenders to delete data remotely.
d. network service providers may provide additional historical call records.



6. one of the difficulties unique to forensic processing of mobile devices is:
a. md5 hashes must be calculated for data recovered from mobile devices.
b. documentation must show continuous possession and control.
c. an investigator must make a calculated decision to either prevent or allow the
device to receive new data over wireless networks.
d. any issues encountered with processing the device should be documented.

7. powering down a mobile device and removing the battery may cause problems in that:
a. when the battery is removed from a mobile device, the information in memory is lost.
b. doing so may activate security measures such as lock codes and encryption.
c. the process of removing the battery can cause a capacitive discharge, destroying the
device.
d. you now have two pieces of evidence, which have to be documented.

8. which of the following are methods for preserving mobile devices by isolating them from the
networks?
a. reconfigure the device to prevent communication from the network.
b. place the device in an rf-shielded pouch.
c. jam rf signaling in the immediate area.
d. all of the above.

9. why is it important to collect charging cables when seizing mobile devices?
a. mobile device batteries have a limited charge life span, and the device will need a
charger to maintain the battery until the device can be processed.
b. to reduce owner complaints about missing cables when, at some point, seized devices
are returned.
c. in those cases where evidence seized is forfeit, you want to make sure you have
everything you need to operate the device.
d. none of the above.

10. which of the following is not one of the currently available methods for extracting data from
mobile devices?
a. manual operation via user interface
b. logical acquisition via communication port
c. connecting the communication port directly to an output device such as a printer
d. physical acquisition via the communication port

11. forensic examiners should be aware that a mobile device with a blank or broken display:
a. may as well be thrown away, as no data will be recovered from it
b. may only indicate that the screen is damaged and it may still be possible to extract
data
c. may require that the mobile device be sent out to the manufacturer for repairs
d. none of the above



12. the ieee standard that specifies a standardized interface for testing integrated circuits,
interconnections between components, and a means of observing and modifying circuit activity
during a component’s operation is:
a. rj-45
b. fddi
c. wimax
d. jtag

13. a peculiarity of mobile devices is the format that they store sms messages, which is:
a. ascii
b. unicode
c. gsm 7-bit
d. baudot

14. certain data on mobile devices, in particular phone numbers, are stored in “nibble reversed”
format. in that case, the phone number 12025437078 would be displayed as:
a. 2120457370f8
b. 20217345870
c. 87073452021
d. 8f0737542021
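The "nibble reversed" format in question 14 is the GSM semi-octet BCD encoding used for dialling numbers in SIM records and SMS headers: each byte holds two digits with the first digit in the low nibble, and an odd-length number is padded with the filler nibble 0xF. The following Python encoder and decoder is an added worked example, not code from the textbook or its instructor materials. The "length + TON/NPI + BCD" record layout handled by decode_dialling_number, the "+" rendering of an international type-of-number, and the sample records are assumptions made for illustration.

```python
"""Nibble-reversed (GSM semi-octet BCD) phone number encoding and decoding."""

FILLER = 0xF  # pads the last byte of an odd-length number


def digits_to_nibble_reversed(digits: str) -> bytes:
    """Encode a digit string as nibble-swapped BCD.

    Each pair of digits occupies one byte, with the *first* digit in the low
    nibble and the second in the high nibble. An odd-length number gets the
    filler nibble 0xF as its final high nibble.
    """
    if not digits.isdigit():
        raise ValueError("only decimal digits are encodable: %r" % digits)
    nibbles = [int(d) for d in digits]
    if len(nibbles) % 2:
        nibbles.append(FILLER)
    return bytes(hi << 4 | lo for lo, hi in zip(nibbles[0::2], nibbles[1::2]))


def nibble_reversed_to_digits(raw: bytes) -> str:
    """Decode nibble-swapped BCD back to a digit string.

    0xFF bytes are unused record padding (SIM files are fixed length) and a
    0xF nibble is the odd-length filler; both terminate the number.
    """
    out = []
    for byte in raw:
        if byte == 0xFF:
            break                      # rest of the record is unused
        for nib in (byte & 0x0F, byte >> 4):   # low nibble first
            if nib == FILLER:
                return "".join(out)
            if nib > 9:
                raise ValueError("non-BCD nibble 0x%x in %s" % (nib, raw.hex()))
            out.append(str(nib))
    return "".join(out)


def decode_dialling_number(field: bytes) -> str:
    """Decode a dialling-number field laid out as
    [length][TON/NPI][nibble-reversed BCD ...][0xFF padding].

    This layout and the "+" prefix for an international type-of-number are
    assumptions for this example. `length` counts the TON/NPI byte plus the
    BCD bytes, so the BCD part is field[2:1 + length].
    """
    length, ton_npi = field[0], field[1]
    if length == 0xFF:
        return ""                      # empty record
    number = nibble_reversed_to_digits(field[2:1 + length])
    international = (ton_npi >> 4) & 0x7 == 1
    return ("+" if international else "") + number


# Constructed sample record: 7 = TON/NPI byte + 6 BCD bytes, 0x91 = international,
# followed by 0xFF padding as found in a fixed-length SIM record.
SAMPLE_RECORD = bytes([7, 0x91]) + bytes.fromhex("2120457370f8") + b"\xff" * 4


if __name__ == "__main__":
    print(digits_to_nibble_reversed("12025437078").hex())   # as stored / displayed raw
    print(decode_dialling_number(SAMPLE_RECORD))            # as the examiner should read it
```

Running the encoder on the question's number reproduces the raw hex an examiner sees in a hex view, and the decoder turns the sample record back into the dialled number; the filler and padding handling is what usually goes wrong when this conversion is done by eye.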

15. the primary reason that brute-force methods are not used when trying to access a sim card with
the pin set is:
a. a four-digit pin represents 10,000 possible combinations.
b. after three failed attempts, the sim card will become locked.
c. pin disclosure by the offender can be required by a court order.
d. none of the above.



true or false questions

1. since mobile devices consist of a cpu, memory, storage, and software, the same as traditional
computers, they are processed in exactly the same way.
a. true
b. false

2. mobile devices are considered to be a type of embedded system.
a. true
b. false

3. given the small amount of usable data obtainable from mobile devices, the forensic investigator
needs to weigh the value of investing time examining mobile devices.
a. true
b. false

4. one drawback of mobile device examination is that when a user deletes data on a mobile device
that data is never recoverable.
a. true
b. false

5. mobile devices have become a promising new target for malware developers.
a. true
b. false

6. the dynamic nature of mobile device communications presents additional challenges for the
forensic examiner.
a. true
b. false

7. although mobile devices may connect to networks, wifi and bluetooth connections, and
desktops synchronizing software, the forensic examiner should focus entirely on the mobile
device itself.
a. true
b. false

8. there are currently no forensic tools available for processing mobile devices.
a. true
b. false

9. the forensic examiner’s best option for the most complete collection of data from a mobile
device is to make a physical acquisition.
a. true
b. false

10. one of the difficulties in processing mobile devices is that the manufacturers always use
proprietary storage formats.
a. true
b. false

11. when analyzing a gps-enabled mobile device, it is often possible to recover location
information, import it into mapping software, and display the locations on a map.
a. true
b. false

12. something forensic examiners need to keep in mind when trying to brute force a sim card that
has had a pin set is that the card will lock after the second failed attempt.
a. true
b. false

13. best practices for seizing a mobile device is to power the device off and remove the battery so
that no new connections are made over the network.
a. true
b. false

14. certain data on mobile devices, particularly phone numbers, are stored in nibble-reversed format.
a. true
b. false

15. it is often possible to perform a forensic analysis of a physical duplicate of mobile devices using
file system forensic tools.
a. true
b. false



essay questions

1. discuss the preservation, examination, and analysis issues that make processing mobile devices
unique.

answer guidance: a “computer” as a communication device; full duplex communication from
the network, nonstandard and proprietary data formats.

2. discuss methodologies for processing a crime scene involving mobile devices. take into
account the special issues relating to mobile devices.

answer guidance: search for media and sim cards, seizing related peripherals and
communication cables, charging stands, etc., how to isolate the device from the network(s),
powering off issues.

scenario

you are at a crime scene and a cell phone is discovered, powered on. crime scene technicians have
processed it for prints and turned it over to you. you are examining the interface when a text
message is received. what steps will you take?



chapter 21
network basics for digital investigators

- be aware of the reasons that digital investigators have to have a thorough understanding of
networks.
- be aware of the hardware and protocols that constitute a network.
- be aware of the various network technologies a digital investigator is likely to encounter.
- be aware of the tools that assist in network investigations.

chapter guide

all digital investigators require some understanding of networks since most computers we encounter are
connected to one. in fact, computers have become network-centered and it is no longer sufficient to only
think of digital evidence on storage media. to comprehend traces of internet activities left on personal
computers and to establish continuity of offense, digital investigators require knowledge of evidence that
exists on surrounding networks. these sources include server logs, network devices, and traffic on both
wired and wireless networks.

this chapter provides an overview of network history, concepts, and the most common network
technologies: arcnet, ethernet, fddi, atm, ieee 802.11 (wireless), cellular, and satellite networks. some
students will be confused or intimidated by the concepts of tcp flows, network layers, log files, and
remote access using applications like telnet and ssh. therefore, it is advisable to lead students through the
reading and provide them with some hands-on exercises to ensure that the basic concepts are clear. the
“barbara the bookie” exercise is designed to get students thinking about the different network
technologies and how they might be encountered in an investigation. it is also instructive to have students
connect to a remote system such as a backbone router as shown here:

on august 15 at 11:20 edt, telnet was used to connect from a windows machine to a public
internet router (see www.traceroute.org for a list of route servers).

c:\> telnet route-server.ip.tiscali.net

+--------------------------------------------------------------------+
| |
| tiscali international network - route monitor |
| (as3257) |
| |
| this system is solely for internet operational purposes. any |
| misuse is strictly prohibited. all connections to this router |
| are logged. |
| |
| this server provides a view on the tiscali routing table that |
| is used in frankfurt/germany. if you are interested in other |
| regions of the backbone check out http://www.ip.tiscali.net/lg |
| |
| please report problems to [email protected] |
+--------------------------------------------------------------------+

route-server.ip.tiscali.net>show clock
*16:30:32.532 cedt sun aug 15 2004



route-server.ip.tiscali.net>who
line user host(s) idle location
* 2 vty 0 idle 00:00:00
pool-141-157-94-144.balt.east.verizon.net

interface user mode idle peer address

route-server.ip.tiscali.net>show log
syslog logging: enabled (10 messages dropped, 4 messages rate-limited, 0 flushes
, 0 overruns, xml disabled)
console logging: disabled
monitor logging: level debugging, 0 messages logged, xml disabled
buffer logging: disabled, xml disabled
logging exception size (8192 bytes)
count and timestamp logging messages: enabled
trap logging: level debugging, 17859 message lines logged
logging to 213.200.88.198, 17859 message lines logged, xml disabled

in addition to demonstrating client-server interaction, this exercise gives routers and the internet
backbone a tangible form that students may not otherwise appreciate. notably, the router’s clock indicates
that it is 16:30 central european time (gmt + 1) whereas the time according to the windows host was 11:20
us eastern time (gmt – 5). pointing out to students that router clocks often drift when they are not
synchronized with a reliable source can emphasize the need to document the system clock on any
system from which they collect evidence. also, the results of the show logging command contain
the remote syslog server (213.200.88.198 = flowscan.ip.tiscali.net) that receives logs from this router.

in addition, the open system interconnection (osi) model is used in this chapter to give the reader an
understanding of the different functions of networks and the types of crime and associated evidence that
exist. the osi model is comprised of seven layers summarized here:

#  name          summary
1  physical      media that carries data (e.g., network cable)
2  data-link     enables basic network connectivity between computers connected directly by the same
                 network technology (e.g., ethernet)
3  network       routes information to its destination using addresses (e.g., ip addresses)
4  transport     establishes, maintains, and terminates connections between hosts (e.g., tcp)
5  session       maintains connections between hosts to ensure continuity when the communication on
                 underlying network layers disconnects or fails (e.g., rpc used by windows and unix to
                 maintain connections to network file shares)
6  presentation  formats and converts data to meet the conventions of the specific computer being used
                 (e.g., ascii versus ebcdic)
7  application   creates network functionality that enables services like e-mail (e.g., smtp)

data in each layer are encapsulated by lower layers. for example, an e-mail message is encapsulated in an
ip datagram, which in turn is encapsulated in an ethernet frame. notably, the osi model does not fit
exactly with tcp/ip, the most widely used internet protocols, but there is sufficient overlap for our
purposes.
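To make the encapsulation concrete, here is an added Python example, not code from the textbook, that builds one frame top-down (an HTTP request inside a TCP segment inside an IPv4 datagram inside an Ethernet frame) and then parses it bottom-up the way a capture tool does. It goes one step beyond the paragraph by including the transport layer between the application data and the IP datagram, and it verifies the IPv4 and TCP checksums so that a corrupted or altered frame is flagged. The MAC addresses, IP addresses, ports and request text are constructed sample values (the source MAC reuses the page's own layer 2 notation only as a formatting illustration).

```python
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum. Run over data that already carries a
    correct checksum it returns 0, which is how the parser verifies a header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(text: str) -> bytes:
    """'00-02-2d-65-c9-83' (the layer 2 notation used on this page) -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def mac_text(raw: bytes) -> str:
    return "-".join("%02x" % b for b in raw)


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def ip_text(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Encapsulate top-down: payload -> TCP segment -> IPv4 datagram -> Ethernet frame."""
    # Layer 4: 20-byte TCP header (data offset 5, flags PSH|ACK). The checksum covers a
    # pseudo-header built from the IP addresses plus the whole segment.
    segment_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, segment_len)
    tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp + payload)) + tcp[18:]
    # Layer 3: 20-byte IPv4 header, protocol 6 = TCP. The checksum covers the header only.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + segment_len, 0x1234, 0x4000,
                     64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    # Layer 2: Ethernet header, EtherType 0x0800 = IPv4.
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Peel the layers bottom-up, as a capture tool does, verifying each checksum."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"ethernet": {"src": mac_text(src), "dst": mac_text(dst), "type": ethertype}}
    if ethertype != 0x0800:
        return layers                                   # not IPv4: nothing more to decode
    ver_ihl, _, total_len, _, _, ttl, proto, _, sip, dip = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    layers["ipv4"] = {"src": ip_text(sip), "dst": ip_text(dip), "ttl": ttl, "protocol": proto,
                      "checksum_ok": internet_checksum(frame[14:14 + ihl]) == 0}
    if proto != 6:
        return layers
    tcp_start = 14 + ihl
    sport, dport, seq, _, off_res, flags = struct.unpack(
        "!HHIIBB", frame[tcp_start:tcp_start + 14])
    segment = frame[tcp_start:14 + total_len]           # TCP header + payload
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(segment))
    layers["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "flags": flags,
                     "checksum_ok": internet_checksum(pseudo + segment) == 0}
    layers["payload"] = segment[(off_res >> 4) * 4:]    # layer 7 data, e.g. the HTTP request
    return layers


# Constructed sample: an HTTP request from a LAN host to a web server.
SAMPLE_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"


def sample_frame() -> bytes:
    return build_frame("00-02-2d-65-c9-83", "00-0c-29-12-34-56",
                       "192.168.9.5", "10.0.0.80", 40123, 80, SAMPLE_REQUEST)


def tampered_frame() -> bytes:
    """Flip one bit in the IPv4 TTL (frame offset 22); the header checksum no longer verifies."""
    f = sample_frame()
    return f[:22] + bytes([f[22] ^ 0x01]) + f[23:]


if __name__ == "__main__":
    for name, part in parse_frame(sample_frame()).items():
        print(name, part)
```

Parsing the constructed frame shows why a capture taken at the physical layer still yields application-layer content, and why the reverse of the encapsulation order (an Ethernet frame inside an IP datagram) never occurs; the checksum flags are a first, cheap integrity check on captured traffic before any deeper analysis.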



multiple choice questions
1. an understanding of networks helps with which of the following:
a. establishing continuity of offense
b. tracking down offenders
c. understanding traces of online activities left on a pc
d. all of the above

2. when a windows system connects to a shared folder on another windows machine on the
internet, which of the following protocols are used?
a. tcp/ip
b. smb
c. netbios
d. all of the above

3. hosts that connect two or more networks are called:
a. routers
b. switches
c. hubs
d. all of the above

4. which of the following are layer 7 protocols?
a. ethernet
b. http
c. tcp
d. all of the above

5. which of the following is a wireless protocol?
a. 802.11b
b. 802.11x
c. hyperlan2
d. all of the above

6. ethernet uses which of the following technologies?
a. cdpd
b. csma/cd
c. cdma
d. all of the above

7. which of the following is a layer 2 address?
a. 00-02-2d-65-c9-83
b. 192.168.9.5
c. 121.19.7.360
d. 1042556



8. another name for a hub is:
a. switch
b. router
c. concentrator
d. nic

9. currently, the most widely used internet protocols are:
a. tcp
b. udp
c. ip
d. all of the above

10. the osi reference model divides internets into seven layers. choose the correct order, by
layer.
a. transport, session, network, presentation, data-link, application, physical
b. presentation, data-link, application, physical, transport, session, network
c. physical, data-link, network, transport, session, presentation, application
d. data-link, network, session, application, physical, network, session

11. the layer that actually carries data via cables or radio signals is the:
a. transport layer
b. physical layer
c. network layer
d. data-link layer

12. a hub joins hosts at the physical level whereas a switch joins them at the ____ layer.
a. transport
b. physical
c. network
d. data-link

13. the layer responsible for managing the delivery of data is the:
a. application layer
b. presentation layer
c. transport layer
d. session layer

14. ____ is a transport layer protocol.
a. tcp
b. ip
c. http
d. ftp



15. which of the following network technologies uses a fiber-optic medium?
a. ethernet
b. fddi
c. asynchronous transfer mode
d. 802.11



true or false questions

1. an understanding of networks is only necessary for investigating computer intrusions and
denial of service attacks.
a. true
b. false

2. it is possible to reconstruct events surrounding a crime scene using only evidence on
networks when the subject’s hard drive is not available.
a. true
b. false

3. ethernet frames are encapsulated within ip datagrams.
a. true
b. false

4. a switch prevents eavesdropping on a network.
a. true
b. false

5. tcp connections only carry data in one direction.
a. true
b. false

6. capturing network traffic at the physical layer gives investigators access to application
layer data such as web pages viewed and images downloaded.
a. true
b. false

7. tcp is a layer 4 protocol.
a. true
b. false

8. tcp addresses can be used to track down an offender.
a. true
b. false

9. every mobile telephone has a unique electronic serial number (esn) and mobile id
number (min).
a. true
b. false

10. mobile telephones can be used to locate the person using them.
a. true
b. false

11. tcp/ip enables computers using different network technologies to communicate.
a. true
b. false

12. air is a network (layer 3) medium for transmitting data.
a. true
b. false

13. mac addresses are uniquely associated with an nic whereas ip addresses can be
changed.
a. true
b. false

14. a single, prolonged netbios connection can be made up of multiple tcp/ip
connections.
a. true
b. false

15. individuals who can access the physical layer have unlimited access to all of the data on
the network unless it is encrypted.
a. true
b. false



discussion questions

1. give an example of the type of digital evidence that can be found at each layer of the osi
model and how it can be useful to an investigation.

2. in figure 21.13, identify each layer and describe its purpose.

answer guidance: ethernet = layer 2; ip = layer 3; tcp = layer 4; http = layer 7;
media/jpeg = data (a.k.a. payload).

3. child pornographers are connecting to the home networks of innocent individuals via
insecure wireless access points. how can this help or hinder a digital investigation?

answer guidance: although connecting through wireless access points can provide a level of
anonymity, criminal activities may come to the attention of law enforcement when home users
notice something unusual occurring. however, investigators may mistakenly attribute illegal
activities to the innocent owners of the wireless access point.

4. what internet servers do you access regularly and what activities might those systems
record in log files?

scenario
shortly before she was killed, the victim of a homicide turned on her computer, connected to the
internet, and used both a web-based e-mail service and an instant messenger (im) program
before shutting her computer down.

what traces of internet activity would you look for on the computer?
what useful digital evidence might exist on the victim’s internet service provider, and on the
web-based e-mail server?
would there be any im data on the internet that could be useful?



chapter 22
applying forensic science to networks

on completion of this chapter, the student will:

- be aware of the need to gather intelligence about the target systems prior to the actual search.
- recognize the similarity between the intelligence gathering in preparation for seizing and
conducting vulnerability assessments.
- be aware of proper methods for preserving evidence on networked devices.
- be aware of the need and methods for data filtering and reduction.
- recognize the value in analyzing class and individual characteristics of network evidence.
- recognize the value of conducting behavioral evidence analysis on network evidence.
- recognize that the volume and complexity of evidence collected in a network investigation
requires different reporting methods.

chapter summary

as discussed in earlier chapters, when handling digital evidence it is necessary to establish chain
of custody, document the state of items in situ, and take other steps to preserve the evidence so
that it can be authenticated at a later date. this chapter presents a methodology for processing
digital evidence and describes key concepts and their importance, including copying all data
from a disk and calculating the cryptographic hash of a disk. students will benefit from hands-on
exercises dealing with preservation of digital evidence at this stage. the guidelines in chapter 23
provide a basis for a standard operating procedure (sop) for preserving and documenting digital
evidence on computers.

note: the practice of obtaining two separate copies of storage media using two different tools
may be prohibitively expensive in investigations involving hundreds of computers. in such
situations, to save time and resources, it may be necessary to make one copy and then a backup
of that copy. however, some attempt should be made to verify that a complete and accurate copy
of each drive has been obtained. it is not safe to assume that a forensic acquisition tool will
report all errors that might be encountered which is why it is advisable to obtain a second copy of
each piece of storage media using another tool.

additionally, this chapter provides an overview of examination and analysis of digital evidence.
some digital investigators begin a forensic examination by looking for items in places where
they are commonly found such as e-mail in their default location, or by searching for certain
passwords such as credit card numbers. this ad hoc approach to looking for digital evidence is
not effective, resulting in an incomplete examination and overlooked evidence. for instance,
when e-mail is stored in a user-selected location or when credit cards are stored in compressed
files, an ad hoc approach may miss them. therefore, to uncover the truth in a way that is reliable
and repeatable, digital investigators need a methodology for the examination step of the
investigative process presented in chapter 4. this chapter takes concepts from forensic science
and demonstrates how they apply to the examination and analysis of digital evidence. chapter 24
demonstrates how some of the examination tasks can be implemented using common tools,
providing the basics for an sop for examining digital evidence on computers.

an effort is made to connect the applied material in this chapter with the investigative and
reconstruction processes described in earlier chapters. additionally, this chapter familiarizes
students with various file types. instructors are encouraged to explore other file types to give
students the broadest possible exposure to common files and their associated metadata. for
instance, the metadata within microsoft office documents can be explored using a hexadecimal
viewer and compared with utilities such as metadata assistant
(http://www.payneconsulting.com/). similarly, it is instructive to teach students to view metadata
within digital photographs that could be used to link images to a particular camera, and use the
content of photographs to glean information about the context (e.g., who, what, where, when).

the importance of report writing is also emphasized in this chapter.



multiple choice questions

1. preservation of digital evidence can involve which of the following?
a. collecting computer hardware
b. making a forensic image of storage media
c. copying the files that are needed from storage media
d. all of the above

2. a forensic image of a drive preserves which of the following?
a. memory contents
b. file slack and unallocated space
c. system date and time
d. screen contents

3. examination of digital evidence includes (but is not limited to) which of the following
activities?
a. seizure, preservation, and documentation
b. recovery, harvesting, and reduction
c. experimentation, fusion, and correlation
d. arrest, interviewing, and trial

4. analysis of digital evidence includes which of the following activities?
a. seizure, preservation, and documentation
b. recovery, harvesting, and reduction
c. experimentation, fusion, and correlation
d. arrest, interviewing, and trial

5. on a windows machine, the md5 value of the sentence “the suspect’s name is kate” is:
a. b5152ca3b8445d09384fed12e9089464
b. db1a7ba15d440722cb741943f9b1538a
c. 73654cee43a5c9acca03527afb2933f8
d. 834b78bb23b9f9544a3a3b9267952ddd

note: various tools can be used for this question including winhex.

6. evidence can be related to its source in which of the following ways?
a. top, middle, bottom
b. ip address, md5 value, filename, date-time stamps
c. production, segment, alteration, location
d. parent, uncle, orphan

7. different types of analysis include which of the following?
a. relational (e.g., link analysis) and temporal (e.g., timeline analysis)
b. cryptography
c. metadata hashing
d. digital photography

8. when a website is under investigation, before obtaining authorization to seize the
systems it is necessary to:
a. determine where the web servers are located
b. inform personnel at the web server location that you’ll be coming to seize the
systems
c. conduct a reconnaissance probe of the target website
d. none of the above

9. which of the following is not an information gathering process?
a. scanning the system remotely
b. studying security audit reports
c. attempting to bypass logon security
d. examining e-mail headers

10. unlike law enforcement, system administrators are permitted to ____ on their
network when it is necessary to protect the network and the data it contains.
a. open unread e-mails.
b. monitor network traffic.
c. modify system logs.
d. divulge user personal information.

11. although it was not designed with evidence collection in mind, ____ can still be
useful for examining network traffic.
a. encase
b. ftk
c. wireshark
d. chkdsk

12. issues to be aware of when connecting to a computer over a network and collecting
information include:
a. creating and following a set of standard operating procedures
b. keeping a log of actions taken during the collection process
c. documenting which server actually contains the data that’s being collected
d. all of the above



13. occasionally, an intrusion detection system may trigger an alarm caused by an innocent
packet that coincidentally contains intrusion class characteristics. this type of alert is
called:
a. false warning
b. failsafe
c. def con
d. false positive

14. information security professionals submit samples of log files associated with certain
intrusion tools to help others detect attacks on the mailing lists at:
a. bugtraq
b. sam spade
c. cnet
d. security focus

15. which of the following are situations where a bitstream copy may not be viable?
a. the hard drive is too large to copy.
b. the system cannot be shut down.
c. the digital investigator does not have authority to copy the entire drive.
d. all of the above.



true or false questions

1. when a computer contains digital evidence, it is always advisable to turn it off
immediately.
a. true
b. false

2. a forensic image of a hard disk drive preserves the partition table.
a. true
b. false

3. all forensic tools acquire digital evidence from storage media in the same way.
a. true
b. false

4. it is not necessary to sanitize/wipe a hard drive purchased directly from a manufacturer.
a. true
b. false

5. chain of custody enables anyone to determine where a piece of evidence has been, who
handled it when, and what was done to it since it was seized.
a. true
b. false

6. no two files can have the same md5 value.
a. true
b. false

7. the chance of two different files having the same md5 value is roughly one in 340 billion
billion billion billion, which is approximately equivalent to winning 30,000 billion billion
billion first prizes in the hong kong mark six – the lotto game in hong kong which
randomly picks 6 numbers from 1 to 47 with a one in 10,737,573 chance of winning first
prize.
a. true
b. false

8. after the md5 value of a piece of digital evidence has been calculated, any change in
that piece of evidence can be detected.
a. true
b. false



9. when drawing up an affidavit for a warrant, it is important to specifically mention all
desired digital evidence.
a. true
b. false

10. when seeking authorization to search a network and digital evidence that may exist in
more than one jurisdiction it is not necessary to obtain a search warrant for each location.
a. true
b. false

11. digital investigators should remember that evidence can reside in unexpected places,
such as network routers.
a. true
b. false

12. active monitoring is time consuming, invasive, and costly and should only be used as a
last resort.
a. true
b. false

13. a digital evidence class characteristic is similar to toolmark analysis in the physical
world.
a. true
b. false

14. tcp/ip network traffic never contains useful class characteristics.
a. true
b. false

15. it is not possible to recover deleted system or network log files.
a. true
b. false



discussion questions

1. if you are investigating a homicide and, while executing a search warrant, you find a
computer in the suspect’s home that appears to contain child pornography, what would
you do?

answer guidance: ideally, your warrant would be worded to permit you to secure/seize all
computer hardware at the scene. if in doubt, it is still desirable to secure the evidence to
prevent destruction using an exception (e.g., plain view, consent) but this does not give you
authorization to examine the contents of the computer for further evidence of child
pornography creation/manufacture/distribution. therefore, a separate warrant is required to
investigate this separate offense.

2. other than verifying the integrity of a file, how can the md5 value of a file be useful?

answer guidance: as a class characteristic of the file, the md5 value can be used to search
other sources of digital evidence for identical files (chapter 9, page 220). for instance, files
known to contain child pornography can be found on storage media and in network traffic by
looking for files with the same md5 value. in addition, files known to belong to an operating
system or application can be found and filtered based on their md5 values, thus reducing the
number of files that a digital examiner/investigator has to deal with.
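
As an added example (not code from the book or this instructor manual), the following Python uses the standard library hashlib module to apply the md5 value as a class characteristic the way the guidance describes: files whose digest is in a known-good reference set are filtered out, files whose digest is on a case watch list are flagged, and everything else is left for review. The file contents, the reference set and the watch list are constructed stand-ins; the block also shows, for true/false question 8, that changing a single byte changes the digest.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, fed in 64 KiB chunks so large files are handled the same way."""
    h = hashlib.md5()
    view = memoryview(data)
    for i in range(0, len(view), 65536):
        h.update(view[i:i + 65536])
    return h.hexdigest()


def unchanged(data: bytes, recorded_digest: str) -> bool:
    """Integrity check: recompute the digest and compare it to the one recorded at seizure."""
    return md5_hex(data) == recorded_digest


# Constructed evidence set: file name -> contents (stand-ins, not real evidence).
FILES = {
    "notes.txt": b"hello",
    "empty.log": b"",
    "system.dll": b"stand-in for a known operating system component",
    "photo01.jpg": b"stand-in for a file investigators are looking for",
    "photo02.jpg": b"stand-in for a file investigators are looking for",   # exact duplicate
    "photo03.jpg": b"stand-in for a file investigators are looking for!",  # one byte appended
}

# Known-file hash sets, standing in for a reference library of operating system and
# application files and for a case-specific watch list. Two entries are the well-known
# MD5 values of "hello" and of an empty file; the rest are computed from the stand-ins.
KNOWN_GOOD = {
    "5d41402abc4b2a76b9719d911017c592",   # md5("hello")
    "d41d8cd98f00b204e9800998ecf8427e",   # md5 of an empty file
    md5_hex(FILES["system.dll"]),
}
WATCH_LIST = {md5_hex(b"stand-in for a file investigators are looking for")}


def triage(files, known_good, watch_list):
    """Sort files by MD5 into 'filter' (known benign), 'match' (on the watch list) and
    'review' (unknown). The watch list is checked first so a file on both lists is never
    silently filtered. MD5 collisions are known to exist, so a match is a class
    characteristic to be corroborated, not proof that two files are identical."""
    result = {"filter": [], "match": [], "review": []}
    for name, data in sorted(files.items()):
        digest = md5_hex(data)
        if digest in watch_list:
            result["match"].append((name, digest))
        elif digest in known_good:
            result["filter"].append((name, digest))
        else:
            result["review"].append((name, digest))
    return result


if __name__ == "__main__":
    for category, entries in triage(FILES, KNOWN_GOOD, WATCH_LIST).items():
        print(category, [name for name, _ in entries])
    seized = md5_hex(FILES["photo01.jpg"])
    print("photo03 unchanged since seizure?", unchanged(FILES["photo03.jpg"], seized))
```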

3. what are the limitations of the message digest of digital evidence?

answer guidance: someone could have modified digital evidence before the md5 value
was calculated. ultimately, the trustworthiness of digital evidence comes down to the
trustworthiness of the individual who collected it (see page 220).

4. what does a digital signature tell you?

answer guidance: a digital signature tells you that a particular individual or group
calculated the md5 value of given data at a specific time. this is achieved using a signing
key and associated passphrase that only the individual or group possess. the important point
to note is that a group of people can possess multiple copies of a single key. therefore, the
signature tells you which key was used but not which individual used it. additional
documentation is required to determine which individual was responsible, emphasizing the
importance of documenting your actions.

5. what is the difference between a class characteristic and an individualizing
characteristic? give examples of each involving digital evidence.

answer guidance: a class characteristic is a general feature shared with similar items such
as kodak digital cameras that embed the make and model names in the photographs they
take. an individual characteristic is a unique feature specific to a particular thing, place,
person, or action. for example, a scratch on a camera lens that appears in photographs it
takes, a distinct monument in the background of a photograph, or the defendant’s face
appearing in a photograph are all individual characteristics that may help investigators
associate the photograph with its source, i.e., a particular camera, location, or person.

6. how would you search for all image files on a disk? explain the rationale of your
approach.

answer guidance: this is the same question asked in chapter 4 but the knowledge of class
characteristics should have altered the way students think about media searching and file
recovery.

scenario

suppose that your immediate area is a crime scene. what potential sources of digital
evidence do you find? for two of these items, describe how you would preserve and
document them.

chapter 23
digital evidence on the internet

on completion of this chapter, the student will:

- be aware of the role of the internet in criminal investigations.
- recognize that internet services retain information about people and organizations.
- be aware of the difficulties in connecting an internet artifact with a person (i.e., proving that
a specific e-mail was sent by a specific individual).
- recognize the value of analyzing social networking in internet investigations.
- be aware of the characteristics of various synchronous chat networks.
- be aware of the nature of peer-to-peer computer networks and some methods of gathering
evidence.
- recognize the value of analyzing various virtual world platforms.
- recognize the value of the internet as an investigative tool.
- be aware of how search engines can be used in investigating an internet crime.
- be aware that the “invisible web” is a valuable source of investigative information.
- recognize the value of “whois” databases for gathering contact information on web
addresses.
- recognize that online anonymity is a necessary part of internet investigations.

chapter guide

the internet is both an attractive venue for criminal activities and a powerful investigative tool. this
chapter discusses both aspects to give investigators intelligence about how criminals operate online, and
to help investigators use digital evidence on the internet to apprehend offenders. the main internet
services are covered, including the web, e-mail, newsgroups, internet chat, and p2p. new services are
emerging that extend the capabilities of the internet, providing criminals with new opportunities, and
making digital investigations more challenging. therefore, in addition to becoming familiar with existing
internet services, students need to learn how to explore new technologies from an evidentiary and
investigative viewpoint, as well as from a criminal viewpoint. for instance, the technology used by kazaa
has been developed to provide p2p phone conversations (www.skype.com) that are encrypted and difficult
to trace. students who are familiar with the underlying functionality of the internet (chapters 14-17) are
better equipped to deal with new internet technology.

many people think of the internet as separate from the physical world. this is simply not the case and to
neglect the very real and direct link between people and the online activities that involve them limits
one’s ability to investigate and understand crimes with an online component. the internet effectively
provides us with windows into aspects of the world that we otherwise might not know about. as
discussed in chapter 1, a trained eye can use data on computers and the internet to learn a great deal
about an individual, providing such insight that it is like looking through a stained glass window into the
individual’s personal life and thoughts.

this “windows into the world” concept is important for several reasons:

• many cybercrimes can be addressed using existing laws that were developed with physical world
crime in mind.

• a crime on the internet usually reflects a crime in the physical world, with human perpetrators
and victims, and should be treated with the same gravity.

• when a crime is committed in the physical world, the internet often contains related digital
evidence and should be considered as an extension of the crime scene. this is true even when the
internet was not directly involved in the crime.

• while criminals feel safe on the internet, they are observable and thus vulnerable. we can take
this opportunity to uncover crimes in the physical world that would not be visible without the
internet.

this last point is worth reiterating and expanding. there is currently an inordinate amount of criminal
activity on the internet, providing us with a unique opportunity to learn more about criminal activities that
are usually hidden. by recording offenders’ activities in more detail, computers and networks can provide
a window into their world, giving us a clearer view of how they operate.

providing students with sample e-mail and usenet messages to track, arranging online field trips on irc
and other virtual playgrounds, and having them preserve data they find can help them develop practical
experience that will be useful in digital investigations.

multiple choice questions
1. who is authorized to conduct online undercover investigations when child pornography is
involved?
a. anyone
b. computer security professionals
c. journalists
d. law enforcement

2. which of the following internet services can be used to exchange illegal materials?
a. irc
b. usenet
c. kazaa
d. all of the above

3. what are two of the most useful headers for determining the origination of usenet messages?
a. from and message-id
b. nntp-posting-host and x-trace
c. path and subject
d. rfc1036 and rfc2980

4. what information should you document when searching for evidence on the web?
a. date/time of search, search engine and terms used, address of pertinent results
b. screenshots of significant search results
c. download copies of the webpages and calculate their md5 value
d. all of the above

5. why is it important to hide your identity when conducting an online investigation?
a. to reduce the risk of alerting the offender
b. to get yourself in the mindset of covert web investigating
c. to make it easier for you to determine the offender’s location
d. all of the above

6. when it is not possible to determine the identity of the author of a usenet message using ip
addresses in the header, what else can you do to learn more about the author?
a. look for unusual signature and use of language
b. search the web using distinctive aspects of posts
c. look for similar usenet messages posted using an alias
d. all of the above

7. what characteristics of irc make it attractive to criminals?
a. irc enables them to exchange illegal materials with other criminals.
b. irc provides them with some level of anonymity.
c. irc gives them direct, “live” access to a large pool of potential victims.
d. all of the above.

8. which of the following enables a user to connect to irc and run irc fserves without disclosing
their ip address?
a. freenet
b. psybnc bot
c. fserve
d. all of the above

9. which of the following applications leave traces of internet activities on a personal computer?
a. internet explorer
b. kazaa
c. irc
d. all of the above

10. which of the following tools can reconstruct tcp streams?
a. tcpdump
b. wireshark
c. snoop
d. encase

11. what peer-to-peer clients use the fast track network?
a. kazaa
b. grokster
c. imesh
d. all of the above

12. web whacker and httrack are examples of tools that:
a. search the web
b. deface websites
c. capture websites
d. launch websites

13. metaverseink is a:
a. search tool (people or things) for virtual worlds
b. newsgroup aggregator
c. social networking meta-tool
d. a file-sharing peer-to-peer network

14. second life is one of the better known:
a. research websites
b. archive websites
c. virtual worlds
d. web-based game shows

15. synchronous chat networks are particularly conducive to criminal activity because of their
a. privacy
b. immediacy
c. impermanence
d. all of the above

true or false questions

1. the cybertrail is only useful for gathering information about an offender, not a victim.
a. true
b. false

2. the “invisible web” can only be accessed by government employees.
a. true
b. false

3. when you access a web page, the content may be located on a server other than the one you
accessed.
a. true
b. false

4. all web search engines use the same search syntax.
a. true
b. false

5. whois databases contain contact information relating to ip addresses but not domain names.
a. true
b. false

6. criminals let their guard down in chat networks because they feel protected by the perceived
anonymity.
a. true
b. false

7. the web archive (web.archive.org) contains a complete and accurate copy of web pages as they
existed at a particular time.
a. true
b. false

8. e-mail received headers can be relied on for tracking purposes because they cannot be forged.
a. true
b. false

9. when evidence is located on the internet, investigators should document and preserve it
immediately or it may be gone the next time they look for it.
a. true
b. false

10. pseudonymous e-mail enables the sender to receive responses to messages whereas anonymous e-
mail does not.
a. true
b. false

11. it is not possible to decrypt and view captured network traffic.
a. true
b. false

12. freenet is not being widely used by criminals to exchange illegal materials because it is too
difficult to use.
a. true
b. false

13. kazaa has one feature that can be beneficial from an investigative standpoint – whenever
possible, it obtains files from peers in the same geographical region.
a. true
b. false

14. posting information online takes control of the information away from the person and such
information can remain online indefinitely.
a. true
b. false

15. given the wealth of information that social networks contain, digital investigators will often find
useful information at these sites.
a. true
b. false

discussion questions

1. what website does http://www.paypal.com@1113781300 refer to? explain how you got your answer.

2. what are the main approaches to searching the internet and when are they most useful?

3. what are the pros and cons of metasearch engines like www.dogpile.com?

4. what are the advantages and disadvantages from an investigative perspective of usenet archives like
google groups?

5. what is the most interesting channel you can find on irc? note that you can answer this question by
connecting to irc or searching http://searchirc.com/.

6. describe one way that files can be exchanged on irc.

7. describe one way that criminals on irc can conceal their actual ip address to make tracking them
more difficult.

scenario

1. the purpose of this scenario is to develop e-mail tracking skills. give students an e-mail message
and have them determine where it came from. have them describe how they determined where
the message came from and report what they find using the tools described in this chapter. if
certain tools (e.g., whois or finger) do not provide useful information, this should be noted in the
report. it is not necessary to determine the identity of the sender. however, once students have
determined where the message was sent from, have them describe the steps they would take to
figure out who sent the message. you can make this assignment more challenging by selecting a
forged e-mail such as those in many unsolicited bulk e-mail (a.k.a. spam) messages.

2. it can also be instructive to set up an irc file server for students to connect to and download files.
panzer (http://arnts.tripod.com/) is a feature rich, user-friendly irc file-serving package, and is
used by criminals to exchange illegal materials. the following log gives a sense of what students
will see when connecting to a panzer server (the ip address of the computer running the server is
141.157.67.68):

session start: wed feb 25 10:59:24 2004
session ident: fserver
[10:59] dcc chat session
-
[10:59] client: fserver (141.157.67.68)
[10:59] time: wed feb 25 10:59:24 2004
-
[10:59] acknowledging chat request...
[10:59] dcc chat connection established
-
[10:59] <fserver> mirc v6.12 file server
[10:59] <fserver> use: cd dir ls get read help exit
[10:59] <fserver> [\]
[10:59] <fserver>
[10:59] <fserver>
[10:59] <fserver> panzer fileserver v2.4
[10:59] <fserver> http://arnts.tripod.com/
[10:59] <fserver>
[10:59] <fserver> commands:
[10:59] <fserver> credit ......... your current credit
[10:59] <fserver> queue .......... shows your queued files
[10:59] <fserver> stat ........... stat's this file server
[10:59] <fserver> auto on/off .... auto-shows credit after dir list
[10:59] <fserver> xp ............. win xp dcc problem fix
[10:59] <fserver> multidcc ....... shows how you can download multiple files at once
[10:59] <fserver>
[10:59] <fserver> current credit: free ratio: no ratio / leech
[10:59] <fserver>
[10:59] <fserver> for usage help, type: help <topic>
[10:59] <fserver> topics: upload - download - credit - ratio - auto
[10:59] <fserver>
[10:59] <student> dir
[10:59] <fserver> [\*.*]
[10:59] <fserver> image01.jpg 1.23 mb
[10:59] <fserver> end of list
[11:00] <student> get image01.jpg
[11:00] <fserver> sending file image01.jpg
[11:01] <student> credit
[11:01] <fserver> current credit: free
[11:01] <student> stat
[11:01] <fserver>
[11:01] <fserver> stat's file server
[11:01] <fserver>
[11:01] <fserver> thursday february 26 2004
[11:01] <fserver> total files available: unknown size: dirs:
[11:01] <fserver>
[11:01] <fserver> downloads uploads
[11:01] <fserver> total: 167 [13.22 gb] 2 [459 kb]
[11:01] <fserver> this year: 167 [13.22 gb] 2 [459 kb]
[11:01] <fserver>
[11:01] <fserver> this month: 167 [1.22 mb] 2 [459 kb]
[11:01] <fserver> last month: 0 [0 kb] 0 [0 kb]
[11:01] <fserver>
[11:01] <fserver> today: 57 [5.57 gb] 0 [268 kb]
[11:01] <fserver> yesterday: 36 [4.25 gb] 0 [134 kb]
[11:01] <fserver>
[11:01] <fserver> visits
[11:01] <fserver> total: 102 this month: 102 today: 46
[11:01] <fserver> this year: 102 last month: 0 yesterday: 23
[11:01] <fserver>
[11:01] <fserver> server visited by people from 0 different countries
[11:01] <fserver> top country by visits: n/a
[11:01] <fserver>
[11:05] <fserver> closing idle connection in 30 seconds
-
[11:05] dcc session closed

session start: wed feb 25 11:25:41 2004
session ident: fserver
[11:25] session ident: fserver ([email protected])
[11:25] <fserver> upload rejected, file-type unwanted.
session close: wed feb 25 11:27:45 2004

chapter 24
digital evidence at the physical and data-link layers

on completion of this chapter, the student will:

- be aware of some of the tools available to exploit the physical and data-link layers of a
network.
- recognize and be able to articulate the differences in various implementations of ethernet.
- be aware of the value of collecting mac addresses in addition to ip addresses.
- recognize the role of address resolution protocol (arp) in an ethernet network and the
investigative value of capturing the arp cache.
- be aware of various methods for documenting, collecting, and preserving evidence at the
physical and data-link layers.
- recognize the value of applying analysis and reconstruction techniques to evidence from the
physical and data-link layers.

chapter guide

this chapter expands on the overview provided in chapter 21, describing network technologies
in more detail, focusing on ethernet. tools and techniques for preserving, examining, and
analyzing network traffic are presented.

to begin familiarizing students with the physical and data-link layers, have them inspect a
computer that is connected to an ethernet network. show them the physical network card and
cable, and perhaps even a hub or switch connecting several computers. also, show them the arp
table on a computer after it has connected to other systems on the local area network. for
instance, the following output is from a windows machine with ip address 192.168.0.6 that
connected to two nearby computers.

c:\>ping 192.168.0.2
c:\>ping 192.168.0.3
c:\>arp -a

interface: 192.168.0.6 --- 0x2
internet address physical address type
192.168.0.1 00-30-ab-1d-cd-ef dynamic
192.168.0.2 00-08-74-28-8c-7d dynamic
192.168.0.3 00-05-02-41-3d-04 dynamic

the following arp table is from a mac os x system with ip address 192.168.0.3 that was used to
connect to two windows machines, including the one in the previous example:

% arp -a
? (192.168.0.1) at 0:30:ab:1d:cd:ef
? (192.168.0.2) at 0:8:74:28:8c:7d
? (192.168.0.6) at 0:6:1b:ce:df:24
? (192.168.0.255) at ff:ff:ff:ff:ff:ff

having students play around with arp tables on a network computer provides an opportunity to
discuss how arp functions, demonstrates ip ↔ mac address mapping, and shows that both
00-30-ab-1d-cd-ef and 0:30:ab:1d:cd:ef are valid representations of ethernet addresses.
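
As an added example, not part of this instructor manual, the following Python parses both of the arp -a listings above, normalizes the Windows and BSD/mac OS X notations to one form so the tables can be compared, and goes one step beyond the text: it checks a table against a baseline of assigned addresses and reports any MAC that claims more than one IP, the kind of entry multiple choice question 13 describes. The LATER_ARP capture and the BASELINE dictionary are constructed for the demonstration.

```python
import re
from collections import defaultdict

# "arp -a" output as shown in the chapter guide above: the Windows host 192.168.0.6
# and the mac OS X host 192.168.0.3 on the same LAN.
WINDOWS_ARP = """\
interface: 192.168.0.6 --- 0x2
internet address physical address type
192.168.0.1 00-30-ab-1d-cd-ef dynamic
192.168.0.2 00-08-74-28-8c-7d dynamic
192.168.0.3 00-05-02-41-3d-04 dynamic
"""
MACOS_ARP = """\
? (192.168.0.1) at 0:30:ab:1d:cd:ef
? (192.168.0.2) at 0:8:74:28:8c:7d
? (192.168.0.6) at 0:6:1b:ce:df:24
? (192.168.0.255) at ff:ff:ff:ff:ff:ff
"""
# Constructed later capture (hypothetical): 192.168.0.3 now answers ARP with the MAC
# that belongs to 192.168.0.6, the situation multiple choice question 13 describes.
LATER_ARP = """\
interface: 192.168.0.6 --- 0x2
internet address physical address type
192.168.0.1 00-30-ab-1d-cd-ef dynamic
192.168.0.2 00-08-74-28-8c-7d dynamic
192.168.0.3 00-06-1b-ce-df-24 dynamic
"""
# Constructed baseline of assigned addresses (as DHCP leases or an inventory would give).
BASELINE = {
    "192.168.0.1": "00:30:ab:1d:cd:ef",
    "192.168.0.2": "00:08:74:28:8c:7d",
    "192.168.0.3": "00:05:02:41:3d:04",
    "192.168.0.6": "00:06:1b:ce:df:24",
}

BROADCAST = "ff:ff:ff:ff:ff:ff"
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-f]{1,2}(?:[:-][0-9a-f]{1,2}){5})"
WIN_LINE = re.compile(rf"^\s*{IPV4}\s+{MAC}\s+\w+", re.IGNORECASE)
BSD_LINE = re.compile(rf"^\S+\s+\({IPV4}\)\s+at\s+{MAC}", re.IGNORECASE)


def normalize_mac(mac):
    """Canonical form: six zero-padded lowercase hex octets joined by ':', so that
    '00-30-AB-1D-CD-EF' (Windows) and '0:30:ab:1d:cd:ef' (BSD/mac OS X) compare equal."""
    octets = re.split(r"[:-]", mac)
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


def parse_arp(text):
    """Return {ip: normalized_mac} from Windows- or BSD-style 'arp -a' output."""
    table = {}
    for line in text.splitlines():
        m = WIN_LINE.match(line) or BSD_LINE.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def check_against_baseline(table, baseline):
    """Entries whose MAC differs from the expected one, as (ip, expected, observed)."""
    return [(ip, baseline[ip], mac) for ip, mac in sorted(table.items())
            if ip in baseline and baseline[ip] != mac]


def duplicate_macs(*tables):
    """One MAC claiming several IPs across the supplied tables (broadcast excluded)."""
    ips_by_mac = defaultdict(set)
    for table in tables:
        for ip, mac in table.items():
            if mac != BROADCAST:
                ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    win, osx, later = parse_arp(WINDOWS_ARP), parse_arp(MACOS_ARP), parse_arp(LATER_ARP)
    shared = win.keys() & osx.keys()
    print("both hosts agree on shared entries:", all(win[ip] == osx[ip] for ip in shared))
    print("baseline mismatches in later capture:", check_against_baseline(later, BASELINE))
    print("MACs claiming several IPs:", duplicate_macs(osx, later))
```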

capturing and examining network traffic is one of the most rewarding and most difficult
endeavors a digital investigator can undertake. it is not an exaggeration to say that you can see
what offenders see and say in their network traffic. web pages viewed, e-mail sent and received,
online chat, files exchanged, and any other unencrypted data can be extracted from network
traffic and reconstructed for examination. from a criminal’s perspective, consider how much
valuable information could be obtained by monitoring wireless network traffic in a busy location
such as an airport terminal where people are accessing the internet while waiting for a plane.

because of the significant amount of private information that exists at this layer, it can be
difficult to gain authorization to eavesdrop on networks. also, because of the distributed nature
of the internet, it can be difficult to gain access to the network that carries the relevant traffic.
extracting the few streams of useful traffic from the raging river of high-speed networks is
another challenge. provided these hurdles can be overcome, the resulting digital evidence can be
the equivalent of a video recording of the crime, giving a detailed view of what occurred.

there can also be useful data on network devices at the physical and data-link layers, such as
switches (some routers perform layer 2 functions). these data include mac addresses and records
of current or past connections. given the volatility of the data stored in the memory of these devices,
these sources of digital evidence are rarely preserved after the fact. nonetheless, it is important
for digital investigators to be prepared to process these sources of evidence if the need and
opportunity arises. also, some computer security professionals take steps to preserve such data
for tracking down problems on and misuse of their networks.

if you would like to share additional traffic data or other examples relevant to this network layer
with other teachers, please submit them to [email protected] and they will be
posted on the book website at http://www.disclosedigital.com/downloads.html.

multiple choice questions

1. what is the maximum cable length for a 10baset network?
a. 10 feet
b. 100 feet
c. 10 meters
d. 100 meters

2. what is the approximate theoretical maximum number of bytes that can be downloaded
in one minute on a 10baset network?
a. 10 mb
b. 75 mb
c. 100 mb
d. 175 mb

3. which of the following is a valid mac address?
a. 192.168.0.5
b. 00:10:4b:de:fc:e9
c. 0-0-e2-7a-c3-5b-6f
d. 08-00-56-s7-fd-d4

4. which of the following commands can be used to obtain the mac address of a remote
windows computer?
a. netstat
b. ping
c. nbtstat
d. traceroute

5. what is the maximum cable length for a 10 base five segment?
a. 100 feet
b. 500 feet
c. 100 m
d. 500 m

6. arp stands for:
a. address resource protection
b. advanced retrieval protocol
c. address resolution protocol
d. added resource processing

7. the best operating system for capturing network traffic on high-speed networks is:
a. microsoft dos/windows
b. openbsd/freebsd
c. linux
d. solaris

8. which of the following applications is used to capture network traffic?
a. snort
b. wireshark
c. tcpdump
d. all of the above

9. how many bytes per packet does tcpdump capture by default?
a. 10 bytes
b. 68 bytes
c. 128 bytes
d. 1024 bytes

10. which of the following tools can reconstruct tcp streams?
a. tcpdump
b. wireshark
c. snoop
d. encase

11. the transition method in which only one computer can transmit while all the others listen
is known as:
a. baseband
b. narrowband
c. broadband
d. sideband

12. although arp is part of tcp/ip, it is generally considered a part of the ______ layer.
a. physical
b. data-link
c. network
d. transport

13. if a criminal reconfigures his computer with someone else’s ip address to conceal his
identity, the local router would have an entry in its ______ showing that criminal’s actual
mac address associated with somebody else’s ip address.
a. host table
b. bootp
c. cmos
d. arp table

14. the form of arp that atm uses to discover mac addresses is known as:
a. arpatm
b. atmarp
c. macatm
d. atmmac

15. sniffers put nics into ______, forcing them to listen in on all of the
communications that are occurring on the network.
a. covert mode
b. wiretap mode
c. promiscuous mode
d. none of the above

true or false questions

1. routers use ethernet addresses to direct data between networks.
a. true
b. false

2. mac addresses can be associated with a particular computer.
a. true
b. false

3. the netstat command can be used to obtain the mac address of a remote computer.
a. true
b. false

4. each network packet stored in the tcpdump file is date-time stamped.
a. true
b. false

5. it is necessary to physically tap a network cable to capture the traffic it carries.
a. true
b. false

6. a computer connected to the internet via a dial-up modem can eavesdrop on network
traffic from other computers that are dialed into the same internet service provider.
a. true
b. false

7. dhcp can be configured to assign a static ip address to a particular computer every time it
is connected to the network.
a. true
b. false

8. by default, tcpdump captures the entire contents of a packet.
a. true
b. false

9. it is possible to obtain file names from network traffic as well as the file contents.
a. true
b. false

10. the tcpdump application can be used to reconstruct tcp streams.
a. true
b. false

11. one of the drawbacks of copying network traffic using a spanned port is that a
spanned port copies only valid ethernet packets.
a. true
b. false

12. a common approach to collecting digital evidence from the physical layer is using a
sniffer.
a. true
b. false

13. unlike arp cache, atmarp is stored on the individual computers.
a. true
b. false

14. it is not possible to use a sniffer when connected to a network via a modem.
a. true
b. false

15. one key point about mac addresses is that they do not go beyond the router.
a. true
b. false

discussion questions

1. should law enforcement be given backdoors that enable them to monitor all encrypted
internet communications?

2. describe how a computer obtains the ethernet address of another computer that it wants
to communicate with.

answer guidance: arp request and response.

3. obtain the mac address of a computer and describe how you did it.

answer guidance: this can be performed on a local computer by various means or remotely
on some windows computers using “nbtstat –a ip_address.”

4. what data is contained in an ethernet header?

answer guidance: see page 727.

5. what information is contained in the padding of an ethernet frame?

answer guidance: generally zeros are inserted for padding but some ethernet drivers use
data from the system to pad ethernet frames. this is considered a data disclosure
vulnerability and could be useful to investigators, providing more information about the
originating computer. see “etherleak: ethernet frame padding information leakage” by ofir
arkin and josh anderson, january 2003 (http://www.sys-security.com/html/papers.html).
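
As an added example (not code from the etherleak paper or from the book), the following Python performs the check the guidance implies: it uses the ipv4 total length to find where the packet ends inside a captured ethernet frame and inspects the bytes beyond it, which should all be zero. Both frames are constructed inline; the mac and ip addresses reuse those from the arp tables in the chapter guide, and the non-zero padding is a simulated leak.

```python
import struct

ETH_HDR_LEN = 14
MIN_FRAME_LEN = 60        # minimum Ethernet frame on the wire, excluding the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800


def build_ipv4_frame(dst_mac, src_mac, payload, pad):
    """Constructed test frame: Ethernet II header, a minimal IPv4 header (UDP, checksum
    left at zero since it is irrelevant here), the payload, then whatever the 'driver'
    appends as padding."""
    total_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 17, 0,
                         bytes([192, 168, 0, 6]), bytes([192, 168, 0, 2]))
    frame = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload
    return frame + pad


def split_padding(frame):
    """Return (ip_packet, padding). The IPv4 total length says how many bytes the
    encapsulated packet occupies; anything the captured frame carries beyond that was
    appended by the sender to reach the 60-byte minimum."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for an Ethernet II + IPv4 header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if ihl < 20 or total_len < ihl or ETH_HDR_LEN + total_len > len(frame):
        raise ValueError("malformed or truncated IPv4 packet")
    end = ETH_HDR_LEN + total_len
    return frame[ETH_HDR_LEN:end], frame[end:]


def padding_report(frame):
    """Summarise the padding: its length, whether it is all zeros (the expected case),
    and the raw bytes when it is not, since non-zero padding may be memory leaked by
    the sending host's driver."""
    _, padding = split_padding(frame)
    leaked = padding if any(padding) else b""
    return {"padding_len": len(padding), "all_zero": not any(padding), "leaked": leaked}


DST = bytes.fromhex("0008 7428 8c7d")            # 192.168.0.2 in the arp table above
SRC = bytes.fromhex("0006 1bce df24")            # 192.168.0.6
PAYLOAD = b"\x04\xd2\x00\x35\x00\x08\x00\x00"    # constructed 8-byte UDP header, no data
# Header + packet is 14 + 28 = 42 bytes, so the sender must add 18 bytes of padding.
CLEAN_FRAME = build_ipv4_frame(DST, SRC, PAYLOAD, b"\x00" * 18)
# Constructed example of EtherLeak-style padding: stale buffer contents instead of zeros.
LEAKY_FRAME = build_ipv4_frame(DST, SRC, PAYLOAD, b"GET /index.html\r\n\x00")

if __name__ == "__main__":
    for name, frame in (("clean", CLEAN_FRAME), ("leaky", LEAKY_FRAME)):
        assert len(frame) == MIN_FRAME_LEN
        print(name, padding_report(frame))
```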

6. what is a “gratuitous arp request” and why is it dangerous?

answer guidance: it allows one computer to substitute its mac address in the arp cache of
other computers on the local network. this can be used for man-in-the-middle attacks.

scenario

a company learns that someone has obtained an employee’s virtual private network (vpn) account
and is using it to connect to their network. the company asks you to monitor network traffic for
only this account over a period of days to determine what the individual is doing. what hardware
and software would you use to capture the network traffic, where would you place the
eavesdropping equipment, how would you avoid monitoring other employees’ network traffic,
and how would you preserve the network traffic as evidence?

chapter 25
digital evidence at the network and transport layers

on completion of this chapter, the student will:

- be aware of various network and transport layer protocols and how criminals use them.
- be aware of the components that constitute an ip address.
- recognize the reason for domain name system (dns) tables and a correlation between a dns
listing and ip addresses.
- be aware of various tools that facilitate collecting digital evidence at the network and
transport layers.
- be aware of how routing utilizes the network and transport layers.
- be aware of how tcp creates virtual circuits.
- recognize some of the various tcp abuses that are used by criminals.
- be aware of the process of setting up a network.
- recognize the sources for various types of tcp/ip-related evidence.
- be aware of the value of network log files kept by windows and unix systems.

chapter guide

this chapter expands on the overview provided in chapter 21, describing tcp/ip in more detail and
demonstrating the usefulness of ip addresses in investigations. because tcp/ip forms such an integral
part of the internet, the sources of information related to these layers are too numerous to describe individually.
extending the analogy on page 441, the glue that holds a network together gets stuck in many places for
digital investigators to recover. case examples are provided to improve students’ familiarity with the
many types of evidence that contain data relating to the transport and network layers. this chapter also
sets the foundation for understanding the internet and its use as an investigative tool and source of digital
evidence. in addition to fundamental aspects of ip addresses, concepts such as routing, domain name
lookups, servers and ports, and connection management are covered. tcp flows and streams are revisited
and the abuses of tcp/ip that exist are described in an effort to dispel misunderstandings of ip spoofing
and session hijacking.

a simplified example of setting up a network and tracking down an offender is provided in section 21.2.
students can also be encouraged to explore the networks around them provided they do not cause any
harm.

to help students become more familiar with the network and transport layers, have them inspect a
computer that is connected to the internet. show them the nslookup, netstat, and tracert/traceroute
commands available on most systems. also, to familiarize students with tcp/ip, have them view a network
capture file using ethereal (now wireshark) or a similar tool. have them look at ip addresses and
reconstruct tcp streams to view the interactions between clients and servers.

in addition to this class, it is to the student’s advantage to “collect” skill sets in networking, computer
security, and computer hardware.

multiple choice questions

1. tcp is an abbreviation for:
a. transit communication protocol
b. transportation cost product
c. transport control protocol
d. time communication protocol

2. what system is used to convert ip addresses to their associated names?
a. tcp/ip
b. dns
c. arp
d. routing

3. which of the following is a class a network?
a. 15.0.0.0
b. 145.19.0.0
c. 199.54.63.0
d. all of the above

4. what protocol does the “ping” command use?
a. tcp
b. ip
c. icmp
d. all of the above

5. which of the following logs record the ip addresses of computers accessing an ftp server?
a. wtmp
b. xferlog
c. syslog
d. access log

6. in addition to the ip address of the sender, smtp e-mail server logs contain which of the
following?
a. the message id
b. the time the message was received
c. the name of the sender
d. all of the above

7. which of the following servers maintain logs of when users accessed their e-mail?
a. smtp
b. imapd
c. sendmail
d. all of the above

8. ip address class b addresses start with 128.0.0.0 through:
a. 176.0.0.0
b. 191.0.0.0
c. 192.0.0.0
d. 254.0.0.0

9. ip address [ 10.40.3.2 ] is a ____, ____ network address:
a. class a, public
b. class b, public
c. class a, private
d. class b, private

10. ____ is a tool for querying dns.
a. nslookup
b. ping
c. tracert
d. nmap

11. the ip software on each ____ contains a routing table that is used to determine where to send
information.
a. host
b. server
c. router
d. switch

12. it is sometimes possible to obtain a list of all machines in the dns belonging to a specific
organization by performing a ____.
a. web crawl
b. zone transfer
c. reverse ip
d. ip transfer

13. to make large-scale internetworking more reliable, tcp creates what are called “tcp streams,”
also known as ____, to establish, maintain, and terminate connections between hosts.
a. virtual circuits
b. dedicated circuits
c. temporary circuits
d. parallel circuits

14. vnc software:
a. permits full remote control of a computer
b. has legitimate uses such as remote system administration
c. can be used by computer intruders
d. all of the above

15. the creator of the first internet worm and one of the first individuals to be prosecuted under the
computer fraud and abuse act was:
a. captain crunch
b. scott tyree
c. richard morris jr.
d. kevin mitnick

true or false questions

1. the udp protocol will resend packets that were not received by the destination
computer.
a. true
b. false

2. the internet is a packet-switched network.
a. true
b. false

3. tcp session hijacking can only be performed using a computer on the same network
segment as the client and/or server.
a. true
b. false

4. the domain name system can be used to obtain the names of people who are
responsible for a given computer.
a. true
b. false

5. port 80 is generally associated with the domain name system.
a. true
b. false

6. it is sometimes possible to obtain a list of all machines in the dns belonging to a specific
organization by performing a zone transfer.
a. true
b. false

7. ip spoofing establishes a bi-directional tcp connection between the attacker’s computer
and the target.
a. true
b. false

8. the command ‘dig’ stands for ‘digital information groper’.
a. true
b. false

9. network address translation (nat) enables many computers to connect to the internet
using only one ip address.
a. true
b. false

10. an ip address can only be assigned one name in the domain name system.
a. true
b. false

11. radius and tacacs authentication servers keep logs of the ip addresses that were
assigned to user accounts connecting to the internet.
a. true
b. false

12. all servers keep logs of the ip addresses of clients that connected to them.
a. true
b. false

13. “dig,” which comes installed on unix and windows systems, is a tool used for querying
dns.
a. true
b. false

14. any host, even a personal computer in someone’s home, can function as a server on the
internet.
a. true
b. false

15. on a packet-switched network, computers are not connected using dedicated circuits.
a. true
b. false

discussion questions

1. should internet service providers be required to keep log files of all their customers’ internet activities?
justify your answer.

2. when illegal activities are traced back to a particular house, how can you be sure that it is the
offender’s? what should you look for before obtaining a search warrant and breaking down the door of
the house?

answer guidance: make some effort to perform surveillance on the subject network to determine if
malicious activity is originating from the computer or simply being used as a platform by a remote
intruder to commit offenses.

scenario

a threatening message was sent from a web-based e-mail service. information in the header indicates that
the sender connected to the web-based e-mail server through a proxy to conceal his/her actual ip address.
describe how you would determine the sender’s actual ip address. as you think about this scenario,
consider the possibility that you cannot gain access to information on the proxy server itself.

instructor hint: send an e-mail that contains a web bug that will provide information about the computer
used to read the message.