ETI All MCQ
MCQs
2. An embedded system is
A. an electronic system
B. a pure mechanical system
C. an electro-mechanical system
D. (a) or (c)
ans: d
8. Which of the following is (are) example(s) of an embedded system for data communication?
A. USB mass storage device
B. network router
C. digital camera
D. music player
E. all of these
F. none of these
ans: b
Unit 2 - Internet of Things. MCQs
9. What are the essential tight constraints related to the design metrics of an embedded system?
A. ability to fit on a single chip
B. low power consumption
C. fast data processing for real-time operations
D. all of the above
ans: d
11. Which of the following is (are) example(s) of an embedded system for signal processing?
A. Apple iPod (media player device)
B. SanDisk USB mass storage device
C. both (a) and (b)
D. none of these
ans: d
18. Which architecture involves both volatile and non-volatile memory?
A. Harvard architecture
B. von Neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a
19. Which architecture provides separate buses for program and data memory?
A. Harvard architecture
B. von Neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a
21. Which of the following processor architectures supports easier instruction pipelining?
A. Harvard
B. von Neumann
C. both of them
D. none of these
ans: a
A. PIC
B. AVR
C. ARM
D. ASIC
ans: b
35. The huge numbers of devices connected to the Internet of Things have to communicate automatically, not via humans. What is this called?
A. bot to bot (B2B)
B. machine to machine (M2M)
C. intercloud
D. Skynet
ans: b
37. Interconnection of the internet and computing devices embedded in everyday objects, enabling them to send and receive data, is called
A. Internet of Things
B. network interconnection
C. object determination
D. none of these
ans: a
38. ______ is a computing concept that describes the idea of everyday physical objects being connected to the internet.
A. IoT (Internet of Things)
B. MQTT
C. CoAP
D. SPI
ans: a
44. ______ consists of communication protocols for electronic devices, typically a mobile device and a standard device.
A. RFID
B. MQTT
C. NFC
D. none of the above
ans: c
45. ______ refers to establishing a proper connection between all the things of IoT.
A. connectivity
B. analyzing
C. sensing
D. active engagement
ans: a
46. IoT devices which have unique identities and can perform ______.
A. remote sensing
B. actuating
C. monitoring capabilities
D. all of the above
ans: d
53. LR-WPAN standards form the basis of specifications for high-level communication protocols such as ______.
A. ZigBee
B. AllSeen
C. Tyrell
D. Microsoft's Azure
ans: a
56. ______ includes LTE.
A. 2G
B. 3G
C. 4G
D. none of the above
ans: c
57. ______ layer protocols determine how the data is physically sent over the network's physical layer or medium.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: d
58. ______ layer is responsible for sending IP datagrams from the source network to the destination network.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: c
60. ______ protocols provide end-to-end message transfer capability independent of the underlying network.
A. network layer
B. transport layer
C. application layer
D. link layer
ans: b
61. ______ protocols define how the applications interface with the lower-layer protocol to send the data over the network.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: a
63. 802.3 is the standard for 10BASE5 Ethernet that uses ______ cable as a shared medium.
A. twisted pair cable
B. coaxial cable
C. fiber optic cable
D. none of the above
ans: b
66. ______ is useful for time-sensitive applications that have very small data units to exchange and do not want the overhead of connection setup.
A. TCP
B. UDP
C. transport layer
D. none of the above
ans: b
69. Which one of these is not a data link layer technology?
A. Bluetooth
B. UART
C. Wi-Fi
D. HTTP
ans: d
72. MQTT is better than HTTP for sending and receiving data.
A. true
B. false
ans: a
75. MQTT is:
A. based on client-server architecture
B. based on publish-subscribe architecture
C. based on both of the above
D. based on none of the above
ans: b
82. Which protocol is used to link all the devices in the IoT?
A. TCP/IP
B. network
C. UDP
D. HTTP
ans: a
A. webchat
B. error control
C. connection services
D. congestion control
ans: a
87. Using which of these can data integrity be assured in the transport layer?
A. checksum
B. repetition codes
C. cyclic redundancy checks
D. error correction codes
ans: a
A. XMPP
B. HTTP
C. CoAP
D. MQTT
ans: a
94. ______ is a bi-directional, full-duplex communication model that uses a persistent connection between client and server.
A. request-response
B. publish-subscribe
C. push-pull
D. exclusive pair
ans: d
95. ______ is a stateful communication model in which the server is aware of all open connections.
A. request-response
B. publish-subscribe
C. push-pull
D. exclusive pair
ans: d
104. Which of the following is the fundamental unit of the virtualized client in an IaaS deployment?
A. work unit
B. workspace
C. workload
D. all of the mentioned
ans: c
105. ______ offering provides the tools and development environment to deploy applications on another vendor's application.
A. PaaS
B. IaaS
C. CaaS
D. all of the mentioned
ans: b
107. ______ is suitable for IoT applications that have low-latency or high-throughput requirements.
A. REST
B. publish-subscribe
C. push-pull
D. WebSocket
ans: d
111. The process of collecting, organizing and collecting large sets of data is called
A. WSN
B. cloud computing
C. big data
D. none of the above
ans: c
119. Which characteristic involves the facility of the thing to respond in an intelligent way to a particular situation?
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: a
122. The number of devices that need to be managed and that communicate with each other will be much larger.
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: d
123. In IoT, ______ is one of the key characteristics: devices have different hardware platforms and networks.
A. sensors
B. heterogeneity
C. security
D. connectivity
ans: b
B. night-vision equipment
C. sonars
D. all of the above
ans: d
137. ______ is an open-source electronic platform based on easy-to-use hardware and software.
A. Arduino
B. Uno
C. Raspberry Pi
D. Node
ans: a
139. ______ detects the presence or absence of nearby objects without any physical contact.
A. smoke sensor
B. pressure sensor
C. IR sensor
D. proximity sensor
ans: d
140. ______ sensors include thermocouples, thermistors, resistance temperature detectors (RTDs) and integrated circuits (ICs).
A. smoke sensor
B. temperature sensor
C. IR sensor
D. proximity sensor
ans: b
142. ______ sensor is used for automatic door controls, automatic parking systems, automated sinks, automated toilet flushers and hand dryers.
A. smoke sensor
B. temperature sensor
C. IR sensor
D. motion sensor
ans: d
5. In the past, the method for expressing an opinion has been to frame a ______ question based on available factual evidence.
A. hypothetical
B. nested
C. challenging
D. contradictory
ans: a
6. More subtle because you are not aware that you are running these macros (the document opens and the application automatically runs them); spread via email.
A. the purpose of copyright
B. the danger of macro viruses
C. derivative works
D. computer-specific crime
ans: b
7. There are three C's in computer forensics. Which is one of the three?
A. control
B. chance
C. chains
D. core
ans: a
14. ______ phase includes putting the pieces of a digital puzzle together and developing investigative hypotheses.
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
ans: d
15. In ______ phase the investigator transfers the relevant data from a venue out of the physical or administrative control of the investigator to a controlled location.
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
ans: b
18. A set of instructions compiled into a program that performs a particular task is known as:
A. hardware
B. CPU
C. motherboard
D. software
ans: d
20. To collect and analyze the digital evidence that was obtained from the physical investigation phase is the goal of which phase?
A. physical crime investigation
B. digital crime investigation
C. review phase
D. deployment phase
ans: b
22. Which phase entails a review of the whole investigation and identifies areas of improvement?
A. physical crime investigation
B. digital crime investigation
C. review phase
D. deployment phase
ans: c
24. ______ is a well-established science where various contributions have been made.
A. forensics
B. crime
C. cyber crime
D. evidence
ans: a
29. ______ is software that blocks unauthorized users from connecting to your computer.
A. firewall
B. Quick Launch
C. OneLogin
D. Centrify
ans: a
30. Which of the following are general ethical norms for an investigator?
A. to contribute to society and human beings
B. to avoid harm to others
C. to be honest and trustworthy
D. all of the above
E. none of the above
ans: d
32. Which of the following is not a general ethical norm for an investigator?
A. to contribute to society and human beings
B. uphold any relevant evidence
C. to be honest and trustworthy
D. to honor confidentiality
ans: b
33. Which of the following is not an unethical norm for digital forensics investigation?
A. uphold any relevant evidence
B. declare any confidential matters or knowledge
C. distort or falsify education, training, credentials
D. to respect the privacy of others
ans: d
34. What is the process of creating a duplicate of digital media for the purpose of examining it called?
A. acquisition
B. steganography
C. live analysis
D. hashing
ans: a
35. Which term refers to modifying a computer in a way which was not originally intended in order to view information?
A. metadata
B. live analysis
C. hacking
D. bit copy
ans: c
36. The ability to recover and read deleted or damaged files from a criminal's computer is an example of a law enforcement specialty called?
A. robotics
B. simulation
C. computer forensics
D. animation
ans: c
37. What are the important parts of a mobile device used in digital forensics?
A. SIM
B. RAM
C. ROM
D. eMMC chip
ans: d
38. Using what can data hiding in encrypted images be carried out in digital forensics?
A. acquisition
B. steganography
C. live analysis
D. hashing
ans: b
41. ______ is the process of recording as much data as possible to create reports and analysis on user input.
A. data mining
B. data carving
C. metadata
D. data spoofing
ans: a
42. ______ searches through raw data on a hard drive without using a file system.
A. data mining
B. data carving
C. metadata
D. data spoofing
ans: b
43. What is the first step to handle retrieving data from an encrypted hard drive?
A. formatting disk
B. storing data
C. finding configuration files
D. deleting files
ans: c
Chapter 6: Types of hacking (CO6)
2. Which of the following tools is used for network testing and port scanning?
A. Netcat
B. SuperScan
C. NetScan
D. all of the above
ans: d
4. An attacker can create a ______ attack by sending hundreds or thousands of e-mails with very large attachments.
A. connection attack
B. auto responder attack
C. attachment overloading attack
D. all of the above
ans: b
5. Which of the following tools is used on Windows for network queries, from DNS lookups to trace routes?
A. SamSpade
B. SuperScan
C. NetScan
D. Netcat
ans: a
6. Which tool is used for ping sweeps and port scanning?
A. Netcat
B. SamSpade
C. SuperScan
D. all of the above
ans: c
7. Which of the following tools is used for security checks such as port scanning and firewall testing?
A. Netcat
B. Nmap
C. data communication
D. NetScan
ans: a
10.keylogger reform
A. spyware
B. shoulder surfing
C. Trojan
D. social engineering
ans: a
12. ______ is a popular tool used for network discovery as well as security auditing.
A. Ettercap
B. Metasploit
C. Nmap
D. Burp Suite
ans: c
12. Which of these does Nmap not check?
A. services different hosts are offering
B. on what OS they are running
C. what kind of firewall is in use
D. what type of antivirus is in use
ans: d
14. What are some of the most common vulnerabilities that exist in a network system?
A. changing manufacturer or recommended settings of newly installed applications
B. additional unused features on commercial software packages
C. utilizing open source application code
D. balancing security and ease of use of a system
ans: b
17. The first phase of hacking an IT system is compromise of which foundation of security?
A. availability
B. confidentiality
C. integrity
D. authentication
ans: b
18. Why would a ping sweep be used?
A. to identify live systems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans: a
21. Which of the following will allow footprinting to be conducted without detection?
A. ping sweep
B. traceroute
C. war dialers
D. ARIN
ans: d
22. Performing hacking activities with the intent of gaining visibility for an unfair situation is called ______.
A. cracking
B. analysis
C. hacktivism
D. exploitation
ans: c
31. ______ is a popular tool used for network analysis in multiprotocol diverse networks.
A. Snort
B. SuperScan
C. Burp Suite
D. EtherPeek
ans: d
39. ______ is used for searching multiple hosts in order to target just one specific open port.
A. ping sweep
B. port scan
C. ipconfig
D. spamming
ans: a
41. ______ is a tool that allows you to look into the network and analyze data going across the wire for network optimization, security and troubleshooting purposes.
A. network analyzer
B. CrypTool
C. John the Ripper
D. BackTrack
ans: a
45. Which type of hacker represents the highest risk to your network?
A. black-hat hackers
B. grey-hat hackers
C. script kiddies
D. disgruntled employees
ans: d
49. A type of attack that overloads the resources of a single system to cause it to crash or hang.
A. resource starvation
B. active sniffing
C. passive sniffing
D. session hijacking
ans: c
50. In computer networking, ______ is any technical effort to manipulate the normal behavior of network connections and connected systems.
A. hacking
B. evidence
C. tracing
D. none of the above
ans: a
53. Networks consist of devices such as routers, firewalls and hosts that you must assess as a part of the ______ process.
A. prackers
B. black hat hacking
C. gray hat hacking process
D. ethical hacking process
ans: d
54. Network infrastructure vulnerabilities are the foundation for most technical security issues in our information systems.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans: d
55. ______ attack, which can take down your internet connection or your entire network.
A. MAC
B. DoS
C. IDS
D. none of the above
ans: b
64. What are some of the most common vulnerabilities that exist in a network or system?
A. changing manufacturer, or recommended, settings of a newly installed application
B. additional unused features on commercial software packages
C. utilizing open source application code
D. balancing security concerns with functionality and ease of use of a system
ans: b
Name of subject: Emerging Trends in Computer and Information Technology    Unit test: I
Subject code: 22618    Courses: IF/CM6I
Semester: VI
Multiple choice questions and answers
Chapter 1 - Artificial Intelligence
1. Which of these schools was not among the early leaders in AI research?
A. Dartmouth University
B. Harvard University
C. Massachusetts Institute of Technology
D. Stanford University
E. none of the above
ans: b
2. DARPA, the agency that has funded a great deal of American AI research, is part of the Department of:
A. Defense
B. Energy
C. Education
D. Justice
E. none of the above
ans: a
3. The conference that launched the AI revolution in 1956 was held at:
A. Dartmouth
B. Harvard
C. New York
D. Stanford
E. none of the above
ans: a
4. What is the term used for describing the judgmental or commonsense part of problem solving?
A. heuristic
B. critical
C. value based
D. analytical
E. none of the above
ans: a
8. A. M. Turing developed a technique for determining whether a computer could or could not demonstrate artificial intelligence; presently, this technique is called
A. Turing test
B. algorithm
C. Boolean algebra
D. logarithm
E. none of the above
ans: a
13. The characteristic of a computer system capable of thinking, reasoning and learning is known as
A. machine intelligence
B. human intelligence
C. artificial intelligence
D. virtual intelligence
ans: c
15. The first widely used commercial form of artificial intelligence (AI) is being used in many popular products like microwave ovens, automobiles and plug-in circuit boards for desktop PCs. What is the name of this AI?
A. Boolean logic
B. human logic
C. fuzzy logic
D. functional logic
ans: c
17. ______ is a branch of computer science which deals with helping machines find solutions to complex problems in a more human-like fashion.
A. artificial intelligence
B. Internet of Things
C. embedded systems
D. cyber security
ans: a
18. In ______ the goal is for the software to use what it has learned in one area to solve problems in other areas.
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: b
19. Computer programs that mimic the way the human brain processes information are called
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: c
20. A ______ is a rule of thumb, strategy, trick, simplification, or any other kind of device which drastically limits the search for solutions in large problem spaces.
A. heuristic
B. critical
C. value based
D. analytical
ans: a
27. Prolog is an AI programming language which solves problems with a form of symbolic logic known as ______.
A. propositional logic
B. tautology
C. predicate calculus
D. temporal logic
ans: c
28. The ______ level contains constituents at the third level, which are knowledge-based systems, heuristic search, automatic theorem proving and multi-agent systems.
A. cognition level
B. gross level
C. functional level
D. all of the above
ans: b
30. ______ is used for AI because it supports the implementation of software that computes with symbols very well.
A. Lisp
B. ELIZA
C. Prolog
D. NLP
ans: a
31. Symbols, symbolic expressions and computing with those are at the core of
A. Lisp
B. ELIZA
C. Prolog
D. NLP
ans: a
32. ______ deals with the interaction between computers and humans using natural language.
A. Lisp
B. ELIZA
C. Prolog
D. NLP
ans: d
34. Aristotle's theory of syllogism and Descartes' and Kant's critique of pure reasoning made knowledge on ______.
A. logic
B. computation logic
C. cognition logic
D. all of the above
ans: a
36. In the 1960s, ______ pushed the logical formalism to integrate reasoning with knowledge.
A. Marvin Minsky
B. Alain Colmerauer
C. John McCarthy
D. none of the above
ans: a
37. Sensing organs as input, mechanical movement organs as output and the central nervous system (CNS) in the brain as control and computing devices is known as the ______ of human beings.
A. information control paradigm
B. information processing paradigm
C. information processing control
D. none of the above
ans: b
38. ______ models were developed and incorporated in machines which mimicked the functionalities of human origin.
A. functional model
B. neural model
C. computational model
D. none of the above
ans: c
39. Chomsky's linguistic computational theory generated a model for syntactic analysis through
A. regular grammar
B. regular expression
C. regular word
D. none of these
ans: a
44. Weak AI is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer.
D. all of the above
E. none of the above
ans: c
45. Strong AI is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer.
D. all of the above
E. none of the above
ans: a
49. ______ AI is a type of intelligence which could perform any intellectual task with efficiency like a human.
A. narrow AI
B. general AI
C. super AI
D. none of the above
ans: b
50. The idea behind ______ AI is to make a system which could be smarter and think like a human on its own.
A. narrow AI
B. general AI
C. super AI
D. none of the above
ans: b
51. Worldwide, researchers are now focusing on developing machines with ______ AI.
A. narrow AI
B. general AI
C. super AI
D. none of the above
ans: b
52. Playing chess, purchasing suggestions on e-commerce sites, self-driving cars, speech recognition and image recognition are examples of ______.
A. narrow AI
B. general AI
C. super AI
D. none of the above
ans: a
53. A machine that can perform any task better than a human, with cognitive properties, is known as ______ AI.
A. narrow AI
B. general AI
C. super AI
D. none of the above
ans: c
54. The ability to think, solve puzzles, make judgments, plan, learn and communicate on its own is known as ______ AI.
A. narrow AI
B. general AI
C. super AI
D. none of the above
ans: c
56. Which AI system does not store memories or past experiences for future actions?
A. reactive machine
B. limited memory
C. theory of mind
D. none of the above
ans: a
57. Which machines only focus on current scenarios and react to them with the best possible action?
A. reactive machine
B. limited memory
C. theory of mind
D. none of the above
ans: a
62. Which AI should understand human emotions, people and beliefs, and be able to interact socially like humans?
A. reactive machine
B. limited memory
C. theory of mind
D. none of the above
ans: c
65. Which is not a commonly used programming language for AI?
A. Prolog
B. Lisp
C. Perl
D. JavaScript
ans: c
68. Classifying email as spam, labeling webpages based on their content, and voice recognition are examples of ______.
A. supervised learning
B. unsupervised learning
C. machine learning
D. deep learning
ans: a
70. Deep learning is a subfield of machine learning where the concerned algorithms are inspired by the structure and function of the brain, called ______.
A. machine learning
B. artificial neural networks
C. deep learning
D. robotics
ans: b
3. Which of the following is not true about embedded systems?
A. built around specialized hardware
B. always contain an operating system
C. execution behavior may be deterministic
D. all of these
E. none of these
ans: e
10. A digital multimeter is an example of an embedded system for
A. data communication
B. monitoring
C. control
D. all of these
E. none of these
ans: b
59. ______ layer performs host addressing and packet routing.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: c
73. MQTT is a ______ protocol.
A. machine to machine
B. Internet of Things
C. machine to machine and Internet of Things
D. machine things
ans: c
108. ______ is one of the most popular wireless technologies used by WSNs.
A. ZigBee
B. AllSeen
C. Tyrell
D. Z-Wave
ans: a
8. When was the Federal Bureau of Investigation program created?
A. 1979
B. 1984
C. 1995
D. 1989
ans: b
15. in phase investigator transfers the relevant data from a venue out of physical or
administrative control of the investigator to a controlled location
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
ans:b
16. in phase investigator transfers the relevant data from a venue out of physical or
administrative control of the investigator to a controlled location
F. preservation phase
G. survey phase
H. documentation phase
I. reconstruction phase
J. presentation phase
ans:b
18. a set of instruction compiled into a program that perform a particular task is known as:
A. hardware.
b.cpu
c. motherboard
d. software
ans: d
22. which phase entails a review of the whole investigation and identifies area of improvement?
A. physical crime investigation
B. digital crime investigation.
C. review phase.
D. deployment phase
ans: c
24. is well established science where various contribution have been made
A. forensic
B. crime
C. cyber crime
D. evidence
ans: a
29. is software that blocks unauthorized users from connecting to your computer.
A. firewall
B. quick lauch
C. onelogin
D. centrify
ans: a
33. which of following is a not unethical norm for digital forensics investigation?
A. uphold any relevant evidence.
B. declare any confidential matters or knowledge.
C. distort or falsify education, training, credentials.
D. to respect the privacy of others.
ans: d
34. what is called as the process of creation a duplicate of digital media for purpose of
examining it?
A. acquisition.
B. steganography.
C. live analysis
D. hashing.
ans: a
35. which term refers for modifying a computer in a way which was not originally intended to
view information?
A. metadata
B. live analysis
C. hacking
D. bit copy
ans: c
36. the ability to recover and read deleted or damaged files from a criminal’s computer is an
example of a law enforcement specialty called?
A. robotics
B. simulation
C. computer forensics
D. animation
ans: c
37. what are the important parts of the mobile device which used in digital forensic?
A. sim
B. ram
C. rom.
d.emmc chip
ans: d
38. using what, data hiding in encrypted images be carried out in digital forensics?
A. acquisition.
B. steganography.
C. live analysis
D. hashing.
and: b
42. searches through raw data on a hard drive without using a file system.
A. data mining
B. data carving
C. meta data
D. data spoofing.
ans: b
43. what is the first step in retrieving data from an encrypted hard drive?
A. formatting disk
B. storing data
C. finding configuration files.
D. deleting files.
ans: c
bharati vidyapeeth institute of technology question bank
--------------------------------------------------------------------------------------------------
2. what are the three general categories of computer systems that can contain digital
evidence?
A. desktop, laptop, server
B. personal computer, internet, mobile telephone
C. hardware, software, networks
D. open computer systems, communication systems, and embedded systems
ans: d
10. private networks can be a richer source of evidence than the internet because:
A. they retain data for longer periods of time.
B. owners of private networks are more cooperative with law enforcement.
C. private networks contain a higher concentration of digital evidence.
D. all the above.
ans: c
11. due to caseload and budget constraints, computer security professionals often attempt to
limit the damage and close each investigation as quickly as possible. which of the following is
not a significant drawback to this approach?
A. each unreported incident robs attorneys and law enforcement personnel of an opportunity
to learn about the basics of computer-related crime.
B. responsibility for incident resolution frequently does not reside with the security
professional, but with management.
C. this approach results in under-reporting of criminal activity, deflating statistics that are
used to allocate corporate and government spending on combating computer-related
crime.
D. computer security professionals develop loose evidence processing habits that can make
it more difficult for law enforcement personnel and attorneys to prosecute an offender.
E. none of the above
ans: b
12. the criminological principle which states that, when anyone, or anything, enters a crime
scene he/she takes something of the scene with him/her, and leaves something of himself/herself
behind, is:
A. locard’s exchange principle
B. differential association theory
C. beccaria’s social contract
D. none of the above
ans: a
13. the author of a series of threatening e-mails consistently uses “im” instead of “i’m.” this is
an example of:
A. an individual characteristic
B. an incidental characteristic
C. a class characteristic
D. an indeterminate characteristic
ans: a
14. personal computers and networks are often a valuable source of evidence. those
involved with ___ should be comfortable with this technology.
A. criminal investigation
B. prosecution
C. defense work
D. all of the above
ans:
15. an argument for including computer forensic training for computer security specialists is:
A. it provides an additional credential.
B. it provides them with the tools to conduct their own investigations.
C. it teaches them when it is time to call in law enforcement.
D. none of the above.
ans: c
16. digital evidence is used to establish a credible link between
A. attacker and victim and the crime scene
B. attacker and the crime scene
C. victim and the crime scene
D. attacker and information
ans: a
18. from the two given statements 1 and 2, select the correct option from a-d.
1. original media can be used to carry out the digital investigation process.
2. by default, every part of the victim's computer is considered unreliable.
19. evidence or proof that can be obtained from an electronic source is called
A. digital evidence
B. demonstrative evidence
C. explainable evidence
D. substantial evidence
ans: a
25. when an incident takes place, a criminal will leave a hint of evidence at the scene and remove a
hint from the scene; this is called
A. locard’s exchange principle
B. anderson’s exchange principle
C. charles’s anthony principle
D. kevin ashton principle
ans: a
30. the process of ensuring that the data you have collected is similar to the data provided or
presented in court is known as
A. evidence validation
B. relative evidence
C. best evidence
D. illustrative evidence
ans: a
31. when cases go to trial, your forensics examiner plays one of ___ roles.
A. 2
B. 4
C. 3
D. 5
ans. a
A. eye witness
B. picture and video
C. paper work
D. none of the above
ans b
A. law of witness
B. law of litigation
C. law of evidence
D. all of the above
ans. c
true or false questions
1. digital evidence is only useful in a court of law.
A. true
B. false
ans: b
2. attorneys and police are encountering progressively more digital evidence in their
work.
A. true
B. false
ans: a
5. digital evidence can be duplicated exactly without any changes to the original data.
A. true
B. false
ans: b
6. computers were involved in the investigations into both world trade center attacks.
A. true
B. false
ans: a
10. the aim of a forensic examination is to prove with certainty what occurred.
A. true
B. false
ans: b
11. even digital investigations that do not result in legal action can benefit from principles of
forensic science.
A. true
B. false
ans: a
12. forensic science is the application of science to investigation and prosecution of crime or to
the just resolution of conflict.
A. true
B. false
ans: a
chapter 5
basics of hacking (co5)
A. b, c, d, a
B. b, a, c, d
C. a, b, c, d
D. d, c, b, a
ans. a
6. ___ is the art of exploiting the human element to gain access to the authorized user.
A. social engineering.
B. it engineering.
C. ethical hacking.
D. none of the above.
ans. a
15. ___ is a person who finds and exploits the weaknesses in a computer system.
A. victim
B. hacker
C. developer
D. none of the above.
ans. b
19. keeping information secured can protect an organization's image and save an organization a lot
of money.
A. true
B. false
ans. a
23. exploits that involve manipulating people and users, even yourself, are the greatest
vulnerability within any computer.
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. a
24. connecting into a network through a rogue modem attached to a computer behind a firewall is an
example of
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. b
25. ___ comprise a large portion of hacker attacks simply because every computer has one,
and so well-known exploits can be used against them.
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. c
32. which hackers try to distribute political or social messages through their work?
A. black hat hacker
B. hacktivist
C. script kiddies
D. white hat hacker
ans. b
37. leaking your company's data to the outside network without prior permission of senior
authority is a crime.
A. true
B. false
ans. a
38. a penetration tester must identify and keep in mind the ___ & ___
requirements of a firm while evaluating the security postures.
A. privacy and security
B. rules and regulations
C. hacking techniques
D. ethics to talk to seniors
ans. a
39. the legal risks of ethical hacking include lawsuits due to ___ of personal data.
A. stealing
B. disclosure
C. deleting
D. hacking
ans. b
40. before performing any penetration test through legal procedure, which of the key points listed
below is not mandatory?
A. know the nature of the organization
B. characteristics of work done in the firm
C. system and network
D. type of broadband company used by the firm
ans. d
chapter-6
types of hacking (co6)
2. which of the following tools is used for network testing and port scanning?
A. netcat
B. superscan
C. netscan
D. all of above
ans: d
5. which of the following tools is used on windows for network queries, from dns lookups to
trace routes?
A. sam spade
B. superscan
C. netscan
D. netcat
ans: a
6. which tool is used for ping sweeps and port scanning?
A. netcat
B. samspade
C. superscan
D. all the above
ans: c
7. which of the following tools is used for security checks such as port scanning and firewall testing?
A. netcat
B. nmap
C. data communication
D. netscan
ans: a
12. ___ is a popular tool used for network discovery as well as security auditing.
A. ettercap
B. metasploit
C. nmap
D. burp suite
ans: c
13. which of these does nmap not check?
A. services different hosts are offering
B. on what os they are running.
C. what kind of firewall in use?
D. what type of antivirus in use?
ans: d
15. what are some of the most common vulnerabilities that exist in a network system?
A. changing manufacturer or recommended settings of a newly installed application.
B. additional unused feature on commercial software package.
C. utilizing open source application code.
D. balancing security and ease of use of system.
ans: b
17. attempting to gain access to a network using an employee's credentials is called the
___ mode of ethical hacking.
A. local networking
B. social engineering
C. physical entry
D. remote networking
ans: a
18. the first phase of hacking an it system is compromise of which foundation of security?
A. availability
B. confidentiality
C. integrity
D. authentication
ans: b
19. why would a ping sweep be used?
A. to identify live systems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans: a
22. which of the following will allow footprinting to be conducted without detection?
A. ping sweep
B. traceroute
C. war dialers
D. arin
ans: d
23. performing hacking activities with the intent of gaining visibility for an unfair situation is
called ___.
A. cracking
B. analysis
C. hacktivism
D. exploitation
ans: c
30. the ___ framework made cracking vulnerabilities easy, like point and click.
A. net
B. metasploit
C. zeus
D. ettercap
ans: b
31. ___ is a popular ip address and port scanner.
A. cain and abel
B. snort
C. angry ip scanner
D. ettercap
ans: c
32. ___ is a popular tool used for network analysis in a multiprotocol, diverse network.
A. snort
B. superscan
C. burp suite
D. etherpeek
ans: d
39. ___ is used for searching multiple hosts in order to target just one specific open port.
A. ping sweep
B. port scan
C. ipconfig
D. spamming
ans: a
41. ___ is a tool that allows you to look into a network and analyze data going across the wire
for network optimization, security, and troubleshooting purposes.
A. network analyzer
B. crypt tool
C. john the ripper
D. backtrack
ans: a
45. which type of hacker represents the highest risk to your network?
A. black-hat hackers
B. grey-hat hackers
C. script kiddies
D. disgruntled employees
ans: d
49. a type of attack that overloads the resources of a single system to cause it to crash or hang.
A. resource starvation
B. active sniffing
C. passive sniffing
D. session hijacking
ans. c
50. in computer networking, ___ is any technical effort to manipulate the normal behavior of
network connections and connected systems.
A. hacking
B. evidence
C. tracing
D. none of above
ans:-a
52. we can eliminate many well-known network vulnerabilities by simply patching your
network hosts with their latest ___ and ___.
A. hackers and crackers
B. vendor software and firmware patches
C. software and hardware
D. none of above
ans:-b
53. a network consists of devices such as routers, firewalls, and hosts that you must assess as part of the
___ process.
A. crackers
B. black hat hacking
C. grey hat hacking process
D. ethical hacking process.
ans:-d
54. ___ are the foundation for most technical security
issues in your information systems.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans:-d
55. a ___ attack, which can take down your internet connection or your entire network.
A. mac
B. dos
C. ids
D. none of above
ans:-b
64. what are some of the most common vulnerabilities that exist in a network or system?
A. changing manufacturer or recommended settings of a newly installed application.
B. additional unused features on commercial software packages.
C. utilizing open source application code
D. balancing security concerns with functionality and ease of use of a system.
ans:b
question bank
unit test-ii
program: computer engineering group
program code: cm/if/cw
course title: emerging trends in computer technology (eti, 22618)
semester: sixth
scheme: i
--------------------------------------------------------------------------------------------------
1. a valid definition of digital evidence is:
A. data stored or transmitted using a computer
B. information of probative value
C. digital data of probative value
D. any digital evidence on a computer
ans: c
2. what are the three general categories of computer systems that can contain digital evidence?
A. desktop, laptop, server
B. personal computer, internet, mobile telephone
C. hardware, software, networks
D. open computer systems, communication systems, and embedded systems
ans: d
10. private networks can be a richer source of evidence than the internet because:
A. they retain data for longer periods of time.
B. owners of private networks are more cooperative with law enforcement.
C. private networks contain a higher concentration of digital evidence.
D. all the above.
ans: c
11. due to caseload and budget constraints, computer security professionals often attempt to limit
the damage and close each investigation as quickly as possible. which of the following is not a
significant drawback to this approach?
A. each unreported incident robs attorneys and law enforcement personnel of an opportunity
to learn about the basics of computer-related crime.
B. responsibility for incident resolution frequently does not reside with the security
professional, but with management.
C. this approach results in under-reporting of criminal activity, deflating statistics that are
used to allocate corporate and government spending on combating computer-related crime.
D. computer security professionals develop loose evidence processing habits that can make
it more difficult for law enforcement personnel and attorneys to prosecute an offender.
E. none of the above
ans: b
12. the criminological principle which states that, when anyone, or anything, enters a crime scene
he/she takes something of the scene with him/her, and leaves something of himself/herself
behind, is:
A. locard’s exchange principle
B. differential association theory
C. beccaria’s social contract
D. none of the above
ans: a
13. the author of a series of threatening e-mails consistently uses “im” instead of “i’m.” this is
an example of:
A. an individual characteristic
B. an incidental characteristic
C. a class characteristic
D. an indeterminate characteristic
ans: a
14. personal computers and networks are often a valuable source of evidence. those involved with
___ should be comfortable with this technology.
A. criminal investigation
B. prosecution
C. defense work
D. all of the above
ans:
15. an argument for including computer forensic training for computer security specialists is:
A. it provides an additional credential.
B. it provides them with the tools to conduct their own investigations.
C. it teaches them when it is time to call in law enforcement.
D. none of the above.
ans: c
16. digital evidence is used to establish a credible link between
A. attacker and victim and the crime scene
B. attacker and the crime scene
C. victim and the crime scene
D. attacker and information
ans: a
18. from the two given statements 1 and 2, select the correct option from a-d.
1. original media can be used to carry out the digital investigation process.
2. by default, every part of the victim's computer is considered unreliable.
19. evidence or proof that can be obtained from an electronic source is called
A. digital evidence
B. demonstrative evidence
C. explainable evidence
D. substantial evidence
ans: a
22. photographs, videos, sound recordings, x-rays, maps, drawings, graphs, and charts are a type of
A. illustrative evidence
B. electronic evidence
C. documented evidence
D. explainable evidence
ans: a
25. when an incident takes place, a criminal will leave a hint of evidence at the scene and remove a
hint from the scene; this is called
A. locard’s exchange principle
B. anderson’s exchange principle
C. charles’s anthony principle
D. kevin ashton principle
ans: a
26. which is not a procedure to establish a chain of custody?
A. save the original materials.
B. take photos of physical evidence.
C. don't take screenshots of digital evidence content.
D. document date, time, and any other information of receipt.
ans: c
30. the process of ensuring that the data you have collected is similar to the data provided or
presented in court is known as
A. evidence validation
B. relative evidence
C. best evidence
D. illustrative evidence
ans: a
31. when cases go to trial, your forensics examiner plays one of ___ roles.
A. 2
B. 4
C. 3
D. 5
ans. a
A. eye witness
B. picture and video
C. paper work
D. none of the above
ans b
A. law of witness
B. law of litigation
C. law of evidence
D. all of the above
ans. c
2. attorneys and police are encountering progressively more digital evidence in their work.
A. true
B. false
ans: a
5. digital evidence can be duplicated exactly without any changes to the original data.
A. true
B. false
ans: b
6. computers were involved in the investigations into both world trade center attacks.
A. true
B. false
ans: a
10. the aim of a forensic examination is to prove with certainty what occurred.
A. true
B. false
ans: b
11. even digital investigations that do not result in legal action can benefit from principles of
forensic science.
A. true
B. false
ans: a
12. forensic science is the application of science to investigation and prosecution of crime or to
the just resolution of conflict.
A. true
B. false
ans: a
chapter 5
basics of hacking (co5)
A. b, c, d, a
B. b, a, c, d
C. a, b, c, d
D. d, c, b, a
ans. a
6. ___ is the art of exploiting the human element to gain access to the authorized user.
A. social engineering.
B. it engineering.
C. ethical hacking.
D. none of the above.
ans. a
12. the intent of an ethical hacker is to discover vulnerabilities from a ___ point of view to better
secure the system.
A. victims.
B. attackers.
C. both a & b
D. none of these.
ans. b
15. ___ is a person who finds and exploits the weaknesses in a computer system.
A. victim
B. hacker
C. developer
D. none of the above.
ans. b
19. keeping information secured can protect an organization's image and save an organization a lot
of money.
A. true
B. false
ans. a
23. exploits that involve manipulating people and users, even yourself, are the greatest
vulnerability within any computer.
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. a
24. connecting into a network through a rogue modem attached to a computer behind a firewall is an
example of
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. b
25. ___ comprise a large portion of hacker attacks simply because every computer has one,
and so well-known exploits can be used against them.
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. c
32. which hackers try to distribute political or social messages through their work?
A. black hat hacker
B. hacktivist
C. script kiddies
D. white hat hacker
ans. b
37. leaking your company's data to the outside network without prior permission of senior authority
is a crime.
A. true
B. false
ans. a
38. a penetration tester must identify and keep in mind the ___ & ___
requirements of a firm while evaluating the security postures.
A. privacy and security
B. rules and regulations
C. hacking techniques
D. ethics to talk to seniors
ans. a
39. the legal risks of ethical hacking include lawsuits due to ___ of personal data.
A. stealing
B. disclosure
C. deleting
D. hacking
ans. b
40. before performing any penetration test through legal procedure, which of the key points listed below
is not mandatory?
A. know the nature of the organization
B. characteristics of work done in the firm
C. system and network
D. type of broadband company used by the firm
ans. d
chapter-6
types of hacking (co6)
2. which of the following tools is used for network testing and port scanning?
A. netcat
B. superscan
C. netscan
D. all of above
ans: d
5. which of the following tools is used on windows for network queries, from dns lookups to
trace routes?
A. sam spade
B. superscan
C. netscan
D. netcat
ans: a
7. which of the following tools is used for security checks such as port scanning and firewall testing?
A. netcat
B. nmap
C. data communication
D. netscan
ans: a
12. ___ is a popular tool used for network discovery as well as security auditing.
A. ettercap
B. metasploit
C. nmap
D. burp suite
ans: c
13. which of these does nmap not check?
A. services different hosts are offering
B. on what os they are running.
C. what kind of firewall in use?
D. what type of antivirus in use?
ans: d
14. what is the purpose of denial of service attacks?
A. exploit a weakness in the tcp/ip stack.
B. to execute a trojan horse on a system.
C. to overload a system so it is no longer operational.
D. to shut down services by turning them off.
ans: c
15. what are some of the most common vulnerabilities that exist in a network system?
A. changing manufacturer or recommended settings of a newly installed application.
B. additional unused feature on commercial software package.
C. utilizing open source application code.
D. balancing security and ease of use of system.
ans: b
16. which of the following is not a characteristic of an ethical hacker?
A. excellent knowledge of windows.
B. understands the process of exploiting network vulnerabilities.
C. patience, persistence and perseverance.
D. has the highest level of security for the organization.
ans: d
17. attempting to gain access to a network using an employee's credentials is called the
___ mode of ethical hacking.
A. local networking
B. social engineering
C. physical entry
D. remote networking
ans: a
18. the first phase of hacking an it system is compromise of which foundation of security?
A. availability
B. confidentiality
C. integrity
D. authentication
ans: b
19. why would a ping sweep be used?
A. to identify live systems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans: a
22. which of the following will allow footprinting to be conducted without detection?
A. ping sweep
B. traceroute
C. war dialers
D. arin
ans: d
23. performing hacking activities with the intent of gaining visibility for an unfair situation is
called ___.
A. cracking
B. analysis
C. hacktivism
D. exploitation
ans: c
28. what are the types of scanning?
A. port, network, and services
B. network, vulnerability, and port
C. passive, active, and interactive
D. server, client, and network
ans: b
30. the ___ framework made cracking vulnerabilities easy, like point and click.
A. net
B. metasploit
C. zeus
D. ettercap
ans: b
31. ___ is a popular ip address and port scanner.
A. cain and abel
B. snort
C. angry ip scanner
D. ettercap
ans: c
32. ___ is a popular tool used for network analysis in a multiprotocol, diverse network.
A. snort
B. superscan
C. burp suite
D. etherpeek
ans: d
39. ___ is used for searching multiple hosts in order to target just one specific open port.
A. ping sweep
B. port scan
C. ipconfig
D. spamming
ans: a
41. ___ is a tool that allows you to look into a network and analyze data going across the wire
for network optimization, security, and troubleshooting purposes.
A. network analyzer
B. crypt tool
C. john the ripper
D. backtrack
ans: a
44. what is the attack called “evil twin”?
A. rogue access point
B. arp poisoning
C. session hijacking
D. mac spoofing
ans: a
45. which type of hacker represents the highest risk to your network?
A. black-hat hackers
B. grey-hat hackers
C. script kiddies
D. disgruntled employees
ans: d
47. when a hacker attempts to attack a host via the internet, it is known as what type of attack?
A. local access
B. remote attack
C. internal attack
D. physical access
ans: b
49. a type of attack that overloads the resources of a single system to cause it to crash or hang.
A. resource starvation
B. active sniffing
C. passive sniffing
D. session hijacking
ans. c
50. in computer networking, ___ is any technical effort to manipulate the normal behavior of
network connections and connected systems.
A. hacking
B. evidence
C. tracing
D. none of above
ans:-a
52. we can eliminate many well-known network vulnerabilities by simply patching your network
hosts with their latest ___ and ___.
A. hackers and crackers
B. vendor software and firmware patches
C. software and hardware
D. none of above
ans:-b
53. a network consists of devices such as routers, firewalls, and hosts that you must assess as part of the
___ process.
A. crackers
B. black hat hacking
C. grey hat hacking process
D. ethical hacking process.
ans:-d
54. ___ are the foundation for most technical security issues in
your information systems.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans:-d
55. a ___ attack, which can take down your internet connection or your entire network.
A. mac
B. dos
C. ids
D. none of above
ans:-b
60. ___ include phishing, sql injection, hacking, social engineering, spamming, denial of
service attacks, trojans, virus and worm attacks.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans:-d
62. which of the following is not a typical characteristic of an ethical hacker?
A. excellent knowledge of windows.
B. understands the process of exploiting network vulnerabilities.
C. patience, persistence and perseverance.
D. has the highest level of security for the organization.
ans:-d
63. what is the purpose of a denial of service attack?
A. exploit a weakness in the tcp/ip stack
B. to execute a trojan on a system
C. to overload a system so it is no longer operational
D. to shutdown services by turning them off
ans:- c
64. what are some of the most common vulnerabilities that exist in a network or system?
A. changing manufacturer or recommended settings of a newly installed application.
B. additional unused features on commercial software packages.
C. utilizing open source application code
D. balancing security concerns with functionality and ease of use of a system.
ans:b
2. what are the three general categories of computer systems that can contain digital
evidence?
A. desktop, laptop, server
B. personal computer, internet, mobile telephone
C. hardware, software, networks
D. open computer systems, communication systems, and embedded systems
ans: d
10. private networks can be a richer source of evidence than the internet because:
A. they retain data for longer periods of time.
B. owners of private networks are more cooperative with law enforcement.
C. private networks contain a higher concentration of digital evidence.
D. all the above.
ans: c
11. due to caseload and budget constraints, often computer security professionals attempt to
limit the damage and close each investigation as quickly as possible. which of the following is
not a significant drawback to this approach?
A. each unreported incident robs attorneys and law enforcement personnel of an opportunity
to learn about the basics of computer-related crime.
B. responsibility for incident resolution frequently does not reside with the security
professional, but with management.
C. this approach results in under-reporting of criminal activity, deflating statistics that are
used to allocate corporate and government spending on combating computer-related
crime.
D. computer security professionals develop loose evidence processing habits that can make
it more difficult for law enforcement personnel and attorneys to prosecute an offender.
none of the above
ans: b
12. the criminological principle which states that, when anyone, or anything, enters a crime
scene he/she takes something of the scene with him/her, and leaves something of himself/herself
behind, is:
A. locard’s exchange principle
B. differential association theory
C. beccaria’s social contract
D. none of the above
ans: a
13. the author of a series of threatening e-mails consistently uses “im” instead of “i’m.” thisis
an example of:
A. an individual characteristic
B. an incidental characteristic
C. a class characteristic
D. an indeterminate characteristic
ans: a
14. personal computers and networks are often a valuable source of evidence. those
involved with should be comfortable with this technology.
A. criminal investigation
B. prosecution
C. defense work
D. all of the above
ans:
15. an argument for including computer forensic training computer security specialists is:
A. it provides an additional credential.
B. it provides them with the tools to conduct their own investigations.
C. it teaches them when it is time to call in law enforcement.
D. none of the above.
ans: c
16. the digital evidence are used to establish a credible link between
A. attacker and victim and the crime scene
B. attacker and the crime scene
C. victim and the crime scene
D. attacker and information
ans: a
18. from the two given statements 1 and 2, select the correct option from a-d.
a. original media can be used to carry out digital investigation process.
b. by default, every part of the victim’s computer is considered as unreliable.
19. the evidences or proof can be obtained from the electronic source is called the
A. digital evidence
B. demonstrative evidence
C. explainable evidence
D. substantial evidence
ans: a
25. when an incident takes place, a criminal will leave a hint evidence at the scene and remove a
hint from the scene which is called as
A. locard’s exchange principle
B. anderson’s exchange principle
C. charles’s anthony principle
D. kevin ashton principle
ans: a
30. the process of ensuring that providing or obtaining the data that you have collected is similar
to the data provided or presented in a court is known as
A. evidence validation
B. relative evidence
C. best evidence
D. illustrative evidence
ans: a
31. when cases got to trial your forensics examiner play one of role.
A. 2
B. 4
C. 3
D. 5
ans. a
A. eye witness
B. picture and video
C. paper work
D. none of the above
ans b
A. law of witness
B. law of litigation
C. law of evidence
D. all of the above
ans. c
true or false questions
1. digital evidence is only useful in a court of law.
A. true
B. false
ans: b
2. attorneys and police are encountering progressively more digital evidence in their
work.
A. true
B. false
ans: a
5. digital evidence can be duplicated exactly without any changes to the original data.
A. true
B. false
ans: b
6. computers were involved in the investigations into both world trade center attacks.
A. true
B. false
ans: a
10. the aim of a forensic examination is to prove with certainty what occurred.
A. true
B. false
ans: b
11. even digital investigations that do not result in legal action can benefit from principles of
forensic science.
A. true
B. false
ans: a
12. forensic science is the application of science to investigation and prosecution of crime or to
the just resolution of conflict.
A. true
B. false
ans: a
chapter 5
basics of hacking (co5)
A. b, c, d, a
B. b, a, c, d
C. a, b, c, d
D. d, c, b, a
ans. a
6. is the art of exploiting the human elements to gain access to the authorized user.
A. social engineering.
B. it engineering.
C. ethical hacking.
D. none of the above.
ans. a
15. is a person who find and exploits the weakness in computer system.
A. victim
B. hacker
C. developer
D. none of the above.
ans. b
19. keeping information secured can protect an organization image and save and organization lot
of money
A. true
B. false
ans. a
23. exploits that involves manipulating people and user even your self are the greatest
vulnerability within any computer
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. a
24. connecting into a network through a rogue modem attached to a computer behind a firewall is an example of
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. b
25. ____ comprise a large portion of hacker attacks simply because every computer has one, and so well-known exploits can be used against it.
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. c
32. which type of hacker tries to distribute a political or social message through their work?
A. black hat hacker
B. hacktivist
C. script kiddies
D. white hat hacker
ans. b
37. leaking your company's data to an outside network without prior permission of senior management is a crime.
A. true
B. false
ans. a
38. a penetration tester must identify and keep in mind the ____ & ____ requirements of a firm while evaluating its security posture.
A. privacy and security
B. rules and regulations
C. hacking techniques
D. ethics to talk to seniors
ans. a
39. the legal risks of ethical hacking include lawsuits due to ____ of personal data.
A. stealing
B. disclosure
C. deleting
D. hacking
ans. b
40. before performing any penetration test, which of the key points listed below is not mandatory to establish through the legal (authorization) procedure?
A. know the nature of the organization
B. characteristics of work done in the firm
C. system and network
D. type of broadband company used by the firm
ans. d
chapter-6
types of hacking (co6)
2. which of the following tools is used for network testing and port scanning?
A. netcat
B. superscan
C. netscan
D. all of above
ans: d
5. which of the following tools is used on windows for network queries, from dns lookups to trace routes?
A. sam spade
B. superscan
C. netscan
D. netcat
ans: a
6. which tool is used for ping sweeps and port scanning?
A. netcat
B. samspade
C. superscan
D. all the above
ans: c
7. which of the following tools is used for security checks such as port scanning and firewall testing?
A. netcat
B. nmap
C. data communication
D. netscan
ans: a
12. ____ is a popular tool used for network discovery as well as security auditing.
A. ettercap
B. metasploit
C. nmap
D. burp suite
ans: c
13. which of these does nmap not check?
A. services different hosts are offering
B. on what os they are running.
C. what kind of firewall in use?
D. what type of antivirus in use?
ans: d
15. what are some of the most common vulnerabilities that exist in a network or system?
A. changing the manufacturer's, or recommended, settings of a newly installed application.
B. additional unused features on commercial software packages.
C. utilizing open source application code.
D. balancing security and ease of use of the system.
ans: b
17. attempting to gain access to a network using an employee's credentials is called the ____ mode of ethical hacking.
A. local networking
B. social engineering
C. physical entry
D. remote networking
ans: a
18. the first phase of hacking an it system is compromise of which foundation of security?
A. availability
B. confidentiality
C. integrity
D. authentication
ans: b
19. why would a ping sweep be used?
A. to identify live systems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans: a
22. which of the following will allow footprinting to be conducted without detection?
A. pingsweep
B. traceroute
C. war dialers
D. arin
ans: d
23. performing hacking activities with the intent of gaining visibility for an unfair situation is called ____.
A. cracking
B. analysis
C. hacktivism
D. exploitation
ans: c
30. the ____ framework made exploitation of vulnerabilities as easy as point and click.
A. net
B. metasploit
C. zeus
D. ettercap
ans: b
31. ____ is a popular ip address and port scanner.
A. cain and abel
B. snort
C. angry ip scanner
D. ettercap
ans: c
32. ____ is a popular tool used for network analysis in a multiprotocol, diverse network.
A. snort
B. superscan
C. burp suite
D. etherpeek
ans: d
39. ____ is used for searching multiple hosts in order to target just one specific open port.
A. ping sweep
B. port scan
C. ipconfig
D. spamming
ans: b
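questions 19 and 39 turn on the difference between a ping sweep (which hosts are alive?) and a port sweep (which hosts have one particular port open?), and between a port sweep and a port scan (one host, many ports). the block below is an added example, not part of the original question bank: a plain tcp connect() probe in python, used once as a port sweep and once as a port scan against a loopback listener that the script starts itself. the listener, the host list and the port numbers are constructed for the demo; icmp ping sweeps need raw sockets and are left out.

```python
import socket
import threading
from typing import Dict, List, Tuple


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Open a TCP listener on an ephemeral loopback port so the sweep has a real open port to find.
    (Constructed target for the demo; a real sweep is pointed at in-scope hosts.)"""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener was closed
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def closed_port(host: str = "127.0.0.1") -> int:
    """Reserve and immediately release an ephemeral port, so it is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def tcp_connect_probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """A single TCP connect() probe: True when the three-way handshake completes (port open).
    A closed port answers with RST; a filtered one stays silent until the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def port_sweep(hosts: List[str], port: int) -> Dict[str, bool]:
    """Port sweep: MANY hosts, ONE port ("who has this service exposed?"). host -> open?"""
    return {h: tcp_connect_probe(h, port) for h in hosts}


def port_scan(host: str, ports: List[int]) -> List[int]:
    """Port scan: ONE host, MANY ports. Returns the open ones in the order probed."""
    return [p for p in ports if tcp_connect_probe(host, p)]


def demo() -> Tuple[Dict[str, bool], List[int]]:
    """Run both against loopback: one open listener and one port known to be closed."""
    srv, open_p = start_listener()
    try:
        sweep = port_sweep(["127.0.0.1"], open_p)
        scan = port_scan("127.0.0.1", [closed_port(), open_p])
        return sweep, scan
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

with nmap the same three operations are `nmap -sn <range>` (ping sweep, no ports), `nmap -p 445 <range>` (port sweep) and `nmap -p 1-1024 <host>` (port scan); the connect() probe above is what nmap's `-sT` does, and it leaves a full handshake in the target's logs, which is why it is the noisiest option.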
41. a ____ is a tool that allows you to look into a network and analyze data going across the wire for network optimization, security and troubleshooting purposes.
A. network analyzer
B. crypttool
C. john the ripper
D. backtrack
ans: a
45. which type of hacker represents the highest risk to your network?
A. black-hat hackers
B. grey-hat hackers
C. script kiddies
D. disgruntled employees
ans: d
49. a type of attack that overloads the resources of a single system to cause it to crash or hang.
A. resource starvation
B. active sniffing
C. passive sniffing
D. session hijacking
ans. a
50. in computer networking, ____ is any technical effort to manipulate the normal behavior of network connections and connected systems.
A. hacking
B. evidence
C. tracing
D. none of above
ans:-a
52. we can eliminate many well-known network vulnerabilities by simply patching your network hosts with their latest ____ and ____.
A. hackers and crackers
B. vendor software and firmware patches
C. software and hardware
D. none of above
ans:-b
53. a network consists of devices such as routers, firewalls and hosts that you must assess as part of the ____ process.
A. crackers
B. black hat hacking
C. grey hat hacking process
D. ethical hacking process.
ans:-d
54. ____ are the foundation for most technical security issues in your information systems.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans:-d
55. a ____ attack can take down your internet connection or your entire network.
A. mac
B. dos
C. ids
D. none of above
ans:-b
64. what are some of the most common vulnerabilities that exist in a network or system?
A. changing the manufacturer's, or recommended, settings of a newly installed application.
B. additional unused features on commercial software packages.
C. utilizing open source application code
D. balancing security concerns with functionality and ease of use of a system.
ans:b
name of subject: emerging trends in computer and information technology unit test: i
subject code: 22618 courses: if/cm6i
semester: vi
multiple choice questions and answers
chapter 1- artificial intelligence
1. which of these schools was not among the early leaders in ai research?
A. dartmouth university
B. harvard university
C. massachusetts institute of technology
D. stanford university
E. none of the above
ans: b
2. darpa, the agency that has funded a great deal of american ai research, is part of the
department of:
A. defense
B. energy
C. education
D. justice
E. none of the above
ans: a
3. the conference that launched the ai revolution in 1956 was held at:
A. dartmouth
B. harvard
C. new york
D. stanford
E. none of the above
ans: a
4. what is the term used for describing the judgmental or commonsense part of problem
solving?
A. heuristic
B. critical
C. value based
D. analytical
E. none of the above
ans: a
8. a.m. turing developed a technique for determining whether a computer could or could not demonstrate artificial intelligence. presently, this technique is called
A. turing test
B. algorithm
C. boolean algebra
D. logarithm
E. none of the above
ans: a
13. the characteristic of a computer system capable of thinking, reasoning and learning is known as
A. machine intelligence
B. human intelligence
C. artificial intelligence
D. virtual intelligence
ans: c
15. the first widely used commercial form of artificial intelligence (ai) is used in many popular products like microwave ovens, automobiles and plug-in circuit boards for desktop pcs. what is the name of this ai technique?
A. boolean logic
B. human logic
C. fuzzy logic
D. functional logic
ans: c
16. what is the term used for describing the judgmental or commonsense part of problem
solving?
A. heuristic
B. critical
C. value based
D. analytical
ans: a
17. ____ is a branch of computer science which deals with helping machines find solutions to complex problems in a more human-like fashion
A. artificial intelligence
B. internet of things
C. embedded system
D. cyber security
ans: a
18. in ____ the goal is for the software to use what it has learned in one area to solve problems in other areas.
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: b
19. computer programs that mimic the way the human brain processes information are called
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: c
20. a ____ is a rule of thumb, strategy, trick, simplification, or any other kind of device which drastically limits the search for solutions in large problem spaces.
A. heuristic
B. critical
C. value based
D. analytical
ans: a
27. prolog is an ai programming language which solves problems with a form of symbolic logic known as ____.
A. propositional logic
B. tautology
C. predicate calculus
D. temporal logic
ans: c
28. the ____ level contains constituents at the third level, which are knowledge-based systems, heuristic search, automatic theorem proving and multi-agent systems.
A. cognition level
B. gross level
C. functional level
D. all of above
ans: b
30. ____ is used for ai because it supports the implementation of software that computes with symbols very well.
A. lisp
B. eliza
C. prolog
D. nlp
ans: a
31. symbols, symbolic expressions and computing with them are at the core of
A. lisp
B. eliza
C. prolog
D. nlp
ans: a
32. ____ deals with the interaction between computers and humans using natural language
A. lisp
B. eliza
C. prolog
D. nlp
ans: d
34. aristotle's theory of syllogism and descartes' and kant's critique of pure reason laid the foundation of knowledge on ____.
A. logic
B. computation logic
C. cognition logic
D. all of above
ans: a
36. in the 1960s, ____ pushed the logical formalism to integrate reasoning with knowledge.
A. marvin minsky
B. alain colmerauer
C. john mccarthy
D. none of above
ans: a
37. sensing organs as input, mechanical movement organs as output and the central nervous system (cns) in the brain as the control and computing device is known as the ____ of a human being
A. information control paradigm
B. information processing paradigm
C. information processing control
D. none of above
ans: b
38. ____ models were developed and incorporated in machines which mimicked the functionalities of human origin.
A. functional model
B. neural model
C. computational model
D. none of above
ans: c
39. chomsky's linguistic computational theory generated a model for syntactic analysis through ____
A. regular grammar
B. regular expression
C. regular word
D. none of these
ans: a
44. weak ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: c
45. strong ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: a
49. ____ ai is a type of intelligence which could perform any intellectual task with efficiency like a human.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b
50. the idea behind ____ ai is to make a system which could be smarter and think like a human on its own.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b
51. worldwide, researchers are now focusing on developing machines with ____ ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b
52. playing chess, purchasing suggestions on e-commerce sites, self-driving cars, speech recognition and image recognition are examples of ____.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: a
53. a machine that can perform any task better than a human, with cognitive properties, is known as ____ ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: c
54. the ability to think, solve puzzles, make judgments, plan, learn and communicate on its own is known as ____ ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: c
56. which ai system does not store memories or past experiences for future actions?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a
57. which machines only focus on current scenarios and react to them with the best possible action?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a
62. which ai should understand human emotions, people and beliefs, and be able to interact socially like humans?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: c
65. which of these is not a commonly used programming language for ai?
A. prolog
B. lisp
C. perl
D. javascript
ans: c
68. classifying email as spam, labeling webpages based on their content and voice recognition are examples of ____.
A. supervised learning
B. unsupervised learning
C. machine learning
D. deep learning
ans: a
70. deep learning is a subfield of machine learning whose algorithms are inspired by the structure and function of the brain, called ____.
A. machine learning
B. artificial neural networks
C. deep learning
D. robotics
ans: b
2. embedded system is
A. an electronic system
B. a pure mechanical system
C. an electro-mechanical system
D. (a) or (c)
ans: d
3. which of the following is not true about embedded systems?
A. built around specialized hardware
B. always contain an operating system
C. execution behavior may be deterministic
D. all of these
E. none of these
ans: b
8. which of the following is (are) example(s) of an embedded system for data communication?
A. usb mass storage device
B. network router
C. digital camera
D. music player
E. all of these
F. none of these
ans: b
9. what are the essential tight constraints related to the design metrics of an embedded system?
A. ability to fit on a single chip
B. low power consumption
C. fast data processing for real-time operations
D. all of the above
ans: d
10. a digital multimeter is an example of an embedded system for
A. data communication
B. monitoring
C. control
D. all of these
E. none of these
ans: b
11. which of the following is an (are) example(s) of an embedded system for signal processing?
A. apple ipod (media player device)
B. sandisk usb mass storage device
C. both (a) and (b)
D. none of these
ans: a
18. which architecture involves both the volatile and the non-volatile memory?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a
19. which architecture provides separate buses for program and data memory?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a
21. which of the following processor architecture supports easier instruction pipelining?
A. harvard
B. von neumann
C. both of them
D. none of these
ans: a
35. the huge number of devices connected to the internet of things have to communicate automatically, not via humans. what is this called?
A. bot to bot(b2b)
B. machine to machine(m2m)
C. intercloud
D. skynet
ans: b
37. the interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data, is called
A. internet of things
B. network interconnection
C. object determination
D. none of these
ans: a
38. ____ is a computing concept that describes the idea of everyday physical objects being connected to the internet.
A. iot (internet of things)
B. mqtt
C. coap
D. spi
ans: a
44. ____ consists of communication protocols for electronic devices, typically a mobile device and a standard device.
A. rfid
B. mqtt
C. nfc
D. none of above
ans:c
45. ____ refers to establishing a proper connection between all the things of iot.
A. connectivity
B. analyzing
C. sensing
D. active engagement
ans: a
46. iot devices have unique identities and can perform ____.
A. remote sensing
B. actuating
C. monitoring capabilities
D. all of the above
ans: d
53. lr-wpan standards form the basis of specifications for high-level communication protocols such as ____.
A. zigbee
B. allseen
C. tyrell
D. microsoft's azure
ans:a
56. ____ includes lte.
A. 2g
B. 3g
C. 4g
D. none of above
ans:c
57. ____ layer protocols determine how the data is physically sent over the network's physical layer or medium.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: d
58. the ____ layer is responsible for sending ip datagrams from the source network to the destination network.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: c
59. the ____ layer performs host addressing and packet routing.
A. application layer
B. transport layer
C. network layer
D. link layer
ans:c
60. ____ layer protocols provide end-to-end message transfer capability independent of the underlying network.
A. network layer
B. transport layer
C. application layer
D. link layer
ans: b
61. the ____ protocols define how applications interface with the lower-layer protocols to send data over the network.
A. application layer
B. transport layer
C. network layer
D. link layer
ans:a
63. 802.3 is the standard for 10base5 ethernet, which uses ____ cable as the shared medium.
A. twisted pair cable
B. coaxial cable
C. fiber optic cable
D. none of the above
ans: b
69. which one out of these is not a data link layer technology?
A. bluetooth
B. uart
C. wi-fi
D. http
ans: d
72. for constrained iot devices, mqtt is a lighter-weight protocol than http for sending and receiving data.
A. true
B. false
ans: a
73. mqtt is a ____ protocol.
A. machine to machine
B. internet of things
C. machine to machine and internet of things
D. machine things
ans: c
75. mqtt is:
A. based on client-server architecture
B. based on publish-subscribe architecture
C. based on both of the above
D. based on none of the above
ans: b
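questions 73 to 75 state that mqtt is a publish-subscribe protocol. as an added illustration that is not part of the original question bank or of any mqtt implementation, the python block below models the broker side of that model: subscribers register topic filters (with the mqtt wildcards `+` and `#`), publishers only name a topic, and the broker matches one against the other, including the retained-message rule that lets a late subscriber receive the last value on a topic. the topic names, payloads and the `Broker` / `topic_matches` names are constructed for the example; this is the matching logic, not the mqtt wire protocol.

```python
from typing import Callable, Dict, List, Tuple

Handler = Callable[[str, bytes], None]


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level; '#' (only valid as the last
    level) matches that level and everything below it, including the parent topic itself."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    """Minimal in-process publish/subscribe broker: publishers and subscribers never address
    each other, only topics. (Illustrative model; no network, no auth, no ACLs.)"""

    def __init__(self) -> None:
        self._subs: List[Tuple[str, Handler]] = []
        self._retained: Dict[str, bytes] = {}

    def subscribe(self, topic_filter: str, handler: Handler) -> None:
        self._subs.append((topic_filter, handler))
        # MQTT 'retain': a late subscriber immediately gets the last retained message
        # on every topic its filter matches.
        for topic, payload in self._retained.items():
            if topic_matches(topic_filter, topic):
                handler(topic, payload)

    def publish(self, topic: str, payload: bytes, retain: bool = False) -> int:
        """Deliver to every matching subscription; returns the number of deliveries."""
        if retain:
            self._retained[topic] = payload
        delivered = 0
        for topic_filter, handler in self._subs:
            if topic_matches(topic_filter, topic):
                handler(topic, payload)
                delivered += 1
        return delivered


def demo() -> Dict[str, List[Tuple[str, bytes]]]:
    """A sensor publishes, a dashboard subscribes with a wildcard, and a client that connects
    later still picks up the retained gateway status. All names/payloads are constructed."""
    broker = Broker()
    inbox: Dict[str, List[Tuple[str, bytes]]] = {"dashboard": [], "late": []}
    broker.subscribe("sensors/+/temp", lambda t, p: inbox["dashboard"].append((t, p)))
    broker.publish("sensors/room1/temp", b"21.5")         # matched by sensors/+/temp
    broker.publish("sensors/room1/humidity", b"40")       # not matched: last level differs
    broker.publish("gateway/status", b"up", retain=True)  # retained on the broker
    broker.subscribe("gateway/#", lambda t, p: inbox["late"].append((t, p)))  # after the publish
    return inbox


if __name__ == "__main__":
    print(demo())
```

note what the decoupling buys an attacker as well: a client that subscribes to `#` receives every message on the broker, which is why a production broker must authenticate clients and enforce per-topic access control; the toy broker above has neither.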
82. which protocol is used to link all the devices in the iot?
A. tcp/ip
B. network
C. udp
D. http
ans: a
95. ____ is a stateful communication model in which the server is aware of all open connections.
A. request-response
B. publish-subscriber
C. push-pull
D. exclusive pair
ans:d
104. which of the following is the fundamental unit of a virtualized client in an iaas deployment?
A. workunit
B. workspace
C. workload
D. all of the mentioned
ans:c
105. a ____ offering provides the tools and development environment to deploy applications on another vendor's application.
A. paas
B. iaas
C. caas
D. all of the mentioned
ans: a
107. ____ is suitable for iot applications that have low latency or high throughput requirements.
A. rest
B. publish-subscriber
C. push-pull
D. websocket
ans:d
108. ____ is one of the most popular wireless technologies used by wsns.
A. zigbee
B. allseen
C. tyrell
D. z-wave
ans:a
111. the process of collecting, organizing and analyzing large sets of data is called
A. wsn
B. cloud computing
C. big data
D. none of above
ans:c
119. which characteristic involves the facility of a thing to respond in an intelligent way to a particular situation?
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: a
139. a ____ detects the presence or absence of a nearby object without any physical contact.
A. smoke sensor
B. pressure sensor
C. ir sensor
D. proximity sensor
ans:d
140. ____ include thermocouples, thermistors, resistance temperature detectors (rtds) and integrated circuits (ics).
A. smoke sensor
B. temperature sensor
C. ir sensor
D. proximity sensor
ans:b
142. a ____ is used for automatic door controls, automatic parking systems, automated sinks, automated toilet flushers and hand dryers.
A. smoke sensor
B. temperature sensor
C. ir sensor
D. motion sensor
ans:d
5. in the past, the method for expressing an opinion has been to frame a ____ question based on available factual evidence.
A. hypothetical
B. nested
C. challenging
D. contradictory
ans: a
6. these are more subtle because you are not aware that you are running the macros (the document opens and the application automatically runs them), and they spread via email. this describes the
A. the purpose of copyright
B. danger of macro viruses
C. derivative works
D. computer-specific crime
ans: b
7. there are three c's in computer forensics. which is one of the three?
A. control
B. chance
C. chains
D. core
ans: a
8. when was the federal bureau of investigation's computer forensics program created?
A. 1979
B. 1984
C. 1995
D. 1989
ans: b
15. in the ____ phase the investigator transfers the relevant data from a venue outside the physical or administrative control of the investigator to a controlled location
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
ans:b
18. a set of instructions compiled into a program that performs a particular task is known as:
A. hardware
B. cpu
C. motherboard
D. software
ans: d
22. which phase entails a review of the whole investigation and identifies areas of improvement?
A. physical crime investigation
B. digital crime investigation.
C. review phase.
D. deployment phase
ans: c
24. ____ is a well-established science to which various contributions have been made
A. forensic
B. crime
C. cyber crime
D. evidence
ans: a
29. ____ is software that blocks unauthorized users from connecting to your computer.
A. firewall
B. quick launch
C. onelogin
D. centrify
ans: a
33. which of the following is not an unethical norm for a digital forensics investigation?
A. withhold any relevant evidence.
B. declare any confidential matters or knowledge.
C. distort or falsify education, training, credentials.
D. to respect the privacy of others.
ans: d
34. what is the process of creating a duplicate of digital media for the purpose of examining it called?
A. acquisition.
B. steganography.
C. live analysis
D. hashing.
ans: a
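question 34 here and true/false question 5 in the previous chapter (digital evidence can be duplicated exactly) rest on the same forensic practice: acquisition produces a bit-for-bit image whose hash matches the source, and the match is re-checked before any examination. the block below is an added example, not code from the original question bank: a dd-style copy loop that hashes the source stream as it is read, independently hashes the finished image, and then shows that a single flipped bit in the image breaks the match. the "device" is constructed pseudo-random bytes; a real acquisition reads the physical device behind a write blocker and records both digests in the acquisition log.

```python
import hashlib
import io
import random
from typing import BinaryIO, Dict, Tuple

BLOCK = 4096  # read/write granularity, like dd's bs=


def make_sample_device(seed: int = 7, size: int = 64 * 1024) -> bytes:
    """Constructed stand-in for a seized storage device: deterministic pseudo-random sectors."""
    rnd = random.Random(seed)
    return bytes(rnd.getrandbits(8) for _ in range(size))


def sha256_of_stream(f: BinaryIO) -> str:
    """Hash a stream block by block so devices larger than memory can be verified."""
    h = hashlib.sha256()
    for chunk in iter(lambda: f.read(BLOCK), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire(source: BinaryIO, image: BinaryIO) -> Dict[str, str]:
    """Bit-for-bit acquisition: copy every block, hashing the source as it is read, then
    re-read the finished image and hash it independently. If the two digests differ,
    the copy is not an exact duplicate and must not be used as evidence."""
    h_src = hashlib.sha256()
    for chunk in iter(lambda: source.read(BLOCK), b""):
        h_src.update(chunk)
        image.write(chunk)
    image.flush()
    image.seek(0)
    return {"source_sha256": h_src.hexdigest(), "image_sha256": sha256_of_stream(image)}


def verify(original: bytes, candidate: bytes) -> bool:
    """Re-verification before examination: the working copy must still hash to the logged value."""
    return hashlib.sha256(original).hexdigest() == hashlib.sha256(candidate).hexdigest()


def demo() -> Tuple[bool, bool]:
    """Returns (image verified exact, tampered copy still verifies) == (True, False)."""
    device = make_sample_device()
    image = io.BytesIO()
    log = acquire(io.BytesIO(device), image)
    exact = log["source_sha256"] == log["image_sha256"] and verify(device, image.getvalue())
    tampered = bytearray(image.getvalue())
    tampered[1234] ^= 0x01            # one flipped bit, anywhere in the image
    return exact, verify(device, bytes(tampered))


if __name__ == "__main__":
    print(demo())
```

the examiner works on the verified image (or a copy of it) and never on the original; the logged digests are what later ties the examined data back to the seized device.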
35. which term refers to modifying a computer in a way which was not originally intended, in order to view information?
A. metadata
B. live analysis
C. hacking
D. bit copy
ans: c
36. the ability to recover and read deleted or damaged files from a criminal's computer is an example of a law enforcement specialty called
A. robotics
B. simulation
C. computer forensics
D. animation
ans: c
37. which is the important part of a mobile device used in digital forensics?
A. sim
B. ram
C. rom
D. emmc chip
ans: d
38. using which technique can data hiding in encrypted images be carried out in digital forensics?
A. acquisition.
B. steganography.
C. live analysis
D. hashing.
ans: b
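question 38 names steganography as the technique for hiding data inside images. to make the mechanism concrete, the block below is an added example, not from the original question bank: least-significant-bit (lsb) embedding, the simplest image steganography scheme, in which each sample of the cover changes by at most one unit so the picture looks unchanged while a length-prefixed payload rides along in the low bits. the cover is a constructed 8-bit grey gradient (raw samples, no image file format) and the hidden message is made up for the demo.

```python
import struct
from typing import Tuple


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of consecutive cover samples.
    Layout: 4-byte big-endian length, then the payload; bits MSB-first, one bit per sample."""
    data = struct.pack(">I", len(payload)) + payload
    nbits = len(data) * 8
    if nbits > len(cover):
        raise ValueError(f"payload needs {nbits} samples, cover has {len(cover)}")
    out = bytearray(cover)
    for i in range(nbits):
        bit = (data[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit          # each sample moves by at most 1
    return bytes(out)


def _read_bits(stego: bytes, first_sample: int, nbytes: int) -> bytes:
    """Reassemble nbytes from the LSBs, starting at sample index first_sample."""
    buf = bytearray()
    for b in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[first_sample + b * 8 + k] & 1)
        buf.append(value)
    return bytes(buf)


def extract_lsb(stego: bytes) -> bytes:
    """Inverse of embed_lsb: read the length prefix, then exactly that many payload bytes."""
    length = struct.unpack(">I", _read_bits(stego, 0, 4))[0]
    return _read_bits(stego, 32, length)


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change between cover and stego: at most 1 for LSB embedding."""
    return max(abs(x - y) for x, y in zip(a, b))


def demo() -> Tuple[bytes, int]:
    cover = bytes((i * 7) % 256 for i in range(4096))   # constructed 64x64 8-bit grey gradient
    payload = b"meet at 0300, bring the drive"           # constructed hidden message
    stego = embed_lsb(cover, payload)
    return extract_lsb(stego), max_sample_delta(cover, stego)


if __name__ == "__main__":
    print(demo())
```

from the examiner's side the same property is the weakness: the lsb plane of a real photograph is noise-like but not uniformly random, so a payload (especially plaintext) shifts its statistics, and a hash of the original file, if one exists, no longer matches. an examiner who suspects steganography keeps the original and compares, rather than trying to "see" the difference.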
42. ____ searches through raw data on a hard drive without using a file system.
A. data mining
B. data carving
C. meta data
D. data spoofing.
ans: b
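question 42 defines data carving: recovering files from raw bytes without consulting the file system. the block below is an added example, not part of the original question bank: a signature carver that scans a raw byte string for known header/footer pairs (jpeg and png here), reports each hit as (type, offset, length), and cuts the files out. the "disk" is constructed filler bytes with two unreferenced files placed in it, so the expected offsets are known exactly.

```python
from typing import Dict, List, Tuple

# header / footer byte signatures; the carver never consults a file system or directory entry
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(raw: bytes, max_size: int = 16 * 1024 * 1024) -> List[Tuple[str, int, int]]:
    """Scan raw bytes for header/footer pairs. Returns (type, offset, length) sorted by offset.
    A header with no footer within max_size is skipped (a partially overwritten file)."""
    found: List[Tuple[str, int, int]] = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = raw.find(header, pos)
            if start < 0:
                break
            end = raw.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1          # false or truncated header: keep looking past it
                continue
            end += len(footer)
            found.append((kind, start, end - start))
            pos = end
    return sorted(found, key=lambda e: e[1])


def extract(raw: bytes, entries: List[Tuple[str, int, int]]) -> List[bytes]:
    """Cut the carved files out of the raw data, in offset order."""
    return [raw[off:off + length] for _, off, length in entries]


def build_sample_disk() -> Tuple[bytes, List[Tuple[str, int, int]]]:
    """Constructed unallocated space: filler bytes around two files that no directory entry
    references. Returns the raw bytes and the carve result we expect."""
    jpeg = b"\xff\xd8\xff\xe0" + b"fake-jpeg-scan-data" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR-fake" + b"IEND\xaeB`\x82"
    raw = b"\x00" * 2000 + jpeg + b"\x55" * 3000 + png + b"\xff" * 1000
    expected = [("jpeg", 2000, len(jpeg)), ("png", 2000 + len(jpeg) + 3000, len(png))]
    return raw, expected


if __name__ == "__main__":
    disk, _ = build_sample_disk()
    for kind, off, length in carve(disk):
        print(f"{kind}: offset {off}, {length} bytes")
```

two caveats a practitioner should keep in mind: header/footer carving cannot reassemble a fragmented file, and a jpeg that embeds a thumbnail contains an inner FF D9, so this simple carver would stop early on it; production carvers parse the format's structure instead of trusting the first footer.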
43. what is the first step in retrieving data from an encrypted hard drive?
A. formatting disk
B. storing data
C. finding configuration files.
D. deleting files.
ans: c
multiple choice questions & answers (mcqs)
In LISP, the function that returns the list that results after the first element is removed (the rest of the list) is
a) car
b) last
c) cons
d) cdr
Which of the following contains the output segments of Artificial Intelligence programming?
a) Printed language and synthesized speech
b) Manipulation of physical object
c) Locomotion
d) All of the mentioned
A series of Artificial Intelligence systems, developed by Pat Langley to explore the role of
heuristics in scientific discovery is
a) RAMD
b) BACON
c) MIT
d) DU
A.M. Turing developed a technique for determining whether a computer could or could not demonstrate artificial intelligence. Presently, this technique is called
a) Turing Test
b) Algorithm
c) Boolean Algebra
d) Logarithm
Which approach to speech recognition avoids the problem caused by the variation in speech
patterns among different speakers?
a) Continuous speech recognition
b) Isolated word recognition
c) Connected word recognition
d) Speaker-dependent recognition
darpa, the agency that has funded a great deal of american artificial intelligence research, is part of the department of
a) defense
b) energy
c) education
d) justice
which of these schools was not among the early leaders in artificial intelligence research?
a) dartmouth university
b) harvard university
c) massachusetts institute of technology
d) stanford university
a certain professor at stanford university coined the term 'artificial intelligence' in 1956 at a conference held at dartmouth college. can you name the professor?
a) david levy
b) john mccarthy
c) joseph weizenbaum
d) hans berliner
in 1985, the famous chess player david levy beat a world champion chess program in four
straight games by using orthodox moves that confused the program. what was the name of the
chess program?
a) kaissa
b) cray blitz
c) golf
d) digdug
the explanation facility of an expert system may be used to
a) construct a diagnostic model
b) expedite the debugging process
c) explain the system’s reasoning process
d) expedite the debugging process & explain the system’s reasoning process
the conference that launched the ai revolution in 1956 was held at?
a) dartmouth
b) harvard
c) new york
d) stanford
a) simulation
b) cognitization
c) duplication
d) psychic amelioration
graphic interfaces were first used in a xerox product called
a) interlisp
b) ethernet
c) smalltalk
d) zetalisp
the ai researcher who co-authored both the handbook of artificial intelligence and the fifth generation is
a) bruce lee
b) randy davis
c) ed feigenbaum
d) mark fox
a) frame-based cai
b) generative cai
c) problem-solving cai
d) intelligent cai
kee is a product of
a) teknowledge
b) intellicorp
c) texas instruments
d) tech knowledge
A network with named nodes and labeled arcs that can be used to represent certain natural
language grammars to facilitate parsing.
a) Tree Network
b) Star Network
c) Transition Network
d) Complete Network
Which of the following is not among the factors that affect the performance of a learner system?
a) Representation scheme used
b) Training scenario
c) Type of feedback
d) Good data structures
which instruments are used for perceiving and acting upon the environment?
a) sensors and actuators
b) sensors
c) perceiver
d) none of the mentioned
Which element in the agent is used for selecting external actions?
a) Perceive
b) Performance
c) Learning
d) Actuator
what is an ‘agent’?
a) perceives its environment through sensors and acts upon that environment through actuators
b) takes input from the surroundings and uses its intelligence to perform the desired
operations
c) an embedded program controlling a line-following robot
d) all of the mentioned
rational agent is the one who always does the right thing.
a) true
b) false
an omniscient agent knows the actual outcome of its actions and can act accordingly; but
omniscience is impossible in reality. rational agent always does the right thing; but rationality is
possible in reality.
a) true
b) false
Satellite Image Analysis System is (Choose the one that is not applicable).
a) Episodic
b) Semi-Static
c) Single agent
d) Partially Observable
An agent is composed of
a) Architecture
b) Agent Function
c) Perception Sequence
d) Architecture and Program
mqtt is protocol.
a) machine to machine
b) internet of things
c) machine to machine and internet of things
d) machine things
by clicking which item will pubnub display the publish, subscribe and secret keys?
a) pane
b) demo keyset
c) portal
d) network
the messagechannel class declares the ____ class attribute that defines the key string.
a) command_key
b) command-key
c) commandkey
d) key_command
the ____ method saves the received arguments in three attributes.
a) init
b) init
c) init
d) _init_
____ and ____ save the publish and subscribe keys that we have generated with the pubnub admin portal.
a) public_key and subscribe_key
b) public-key and subscribe-key
c) publickey and subscribekey
d) key_public and key_subscribe
____ specifies the function that will be called when a new message is received from the channel.
a) reconnect
b) error
c) connect
d) callback
____ specifies the function that will be called when a successful connection with the pubnub cloud is established.
a) callback
b) error
c) connect
d) reconnect
the message is sent to the input queue of a message flow that contains a ____
a) subscriber
b) server
c) publication node
d) client
rostopic uses ____ at the command line for representing the content of the message.
a) yaml_syntax
b) rostopic bw
c) rostopic delay
d) rostopic echo
Which command displays the bandwidth?
a) rostopic hz
b) rostopic delay
c) rostopic echo
d) rostopic bw
rostopic delay will provide the delay for ____
a) Topics which have a header
b) Topics which have a tail
c) Topics which have a tail and a header
d) To all topics
Every call to publish() will return a class that conforms to the ____ interface.
a) Batch
b) Client
c) Server
d) Future
Mobile cloud applications move the ____ power and ____ away from the mobile phone and into the cloud.
a) Computing and internet
b) Data storage and computing
c) Computing and data storage
d) Internet and computing
saas stands for
a) service as a smartphone
b) service as a software
c) smartphone as a service
d) software as a service
paas stands for
a) platform as a software
b) photo as a service
c) platform as a service
d) photo as a software
the architecture of mcc is such that various mobile devices are connected to their respective
mobile networks via
a) software
b) satellite
c) access point
d) base station
the part of the code which involves complex computations and requires more time to execute is referred to as ____
a) static session
b) threshold session
c) dynamic session
d) critical session
which of the following requires external chips for memory and peripheral interface circuits?
a) microcontroller
b) microprocessor
c) peripheral system
d) embedded system
what is cisc?
a) computing instruction set complex
b) complex instruction set computing
c) complimentary instruction set computing
d) complex instruction set complementary
which of the following provides a buffer between the user and the low-level interfaces to the
hardware?
a) operating system
b) kernel
c) software
d) hardware
which of the following enables the user to utilise the system efficiently?
a) kernel
b) operating system
c) software
d) hardware
which of the following can make the application program hardware independent?
a) software
b) application manager
c) operating system
d) kernel
which of the following are not dependent on the actual hardware performing the physical task?
a) applications
b) hardware
c) registers
d) parameter block
which of the following buses can easily upgrade the system hardware?
a) control bus
b) data bus
c) vmebus
d) bus interface unit
which of the following becomes a limiting factor when an application program has to be completed?
a) memory
b) peripheral
c) input
d) output
which of the following decides which task can have the next time slot?
a) single task operating system
b) applications
c) kernel
d) software
which of the following controls the time slicing mechanism in a multitasking operating system?
a) kernel
b) single tasking kernel
c) multitasking kernel
d) application manager
which of the following provides a time period for the context switch?
a) timer
b) counter
c) time slice
d) time machine
which of the following stores all the task information that the system requires?
a) task access block
b) register
c) accumulator
d) task control block
which of the following contains all the task and their status?
a) register
b) ready list
c) access list
d) task list
Which determines the sequence and the associated task’s priority?
a) scheduling algorithm
b) ready list
c) task control block
d) application register
Which of the following can implement the message passing and control?
a) application software
b) operating system
c) software
d) kernel
How many types of messages are associated with the real-time operating system?
a) 2
b) 3
c) 4
d) 5
what are the essential tight constraint/s related to the design metrics of an embedded system?
a. system
b. behaviour
c. rt
d. logic
a. single-functioned characteristic
b. tightly-constraint characteristics
c. reactive & real time characteristics
d. all of the above
what is the name of the it law that india has in the indian legislature?
a) india’s technology (it) act, 2000
b) india’s digital information technology (dit) act, 2000
c) india’s information technology (it) act, 2000
d) the technology act, 2008
under which section of the it act is stealing any digital asset or information defined as a cyber-crime?
a) 65
b) 65-d
c) 67
d) 70
what is the punishment in india for stealing computer documents, assets or any software's
source code from any organization, individual, or any other source?
a) 6 months of imprisonment and a fine of rs. 50,000
b) 1 year of imprisonment and a fine of rs. 100,000
c) 2 years of imprisonment and a fine of rs. 250,000
d) 3 years of imprisonment and a fine of rs. 500,000
what type of cyber-crime, with its laws and punishments, does section 66 of the indian it act cover?
a) cracking or illegally hacking into any system
b) putting antivirus into the victim
c) stealing data
d) stealing hardware components
cracking the digital identity of any individual, or committing identity theft, comes under ___ of the it
act.
a) section 65
b) section 66
c) section 68
d) section 70
downloading, copying or extracting data from a system fraudulently is treated as
a) cyber-warfare
b) cyber-security act
c) data-backup
d) cyber-crime
for any cyber-crime that comes under section 66 of the it act, the accused person is fined around rs. ___
a) 2 lacs
b) 3 lacs
c) 4 lacs
d) 5 lacs
how many years of imprisonment can an accused person face, if he/she comes under any cyber-
crime listed in section 66 of the indian it act, 2000?
a) 1 year
b) 2 years
c) 3 years
d) 4 years
any digital content which an individual creates and which is not acceptable to society is a cyber-
crime that comes under ___ of the it act.
a) section 66
b) section 67
c) section 68
d) section 69
the it (amendment) act, 2008 made the cyber-crime definitions more precise: if anyone publishes
sexually explicit digital content, then under ___ of the it act, 2008 he/she has to pay a
substantial fine.
a) section 67-a
b) section 67-b
c) section 67-c
d) section 67-d
if anyone publishes sexually explicit digital content, it will cost that person imprisonment of
___ years.
a) 2
b) 3
c) 4
d) 5
using spy cameras in malls and shops to capture the private parts of any person comes under
___ of the it act, 2008.
a) section 66
b) section 67
c) section 68
d) section 69
using spy cameras in malls and shops to capture the private parts of any person comes under section
66-e (violation of privacy) of the it act as amended in 2008, and is punished with a fine of rs. 5 lacs.
a) true
b) false
using spy cameras in malls and shops to capture the private parts of any person comes under
section 66-e of the it act as amended in 2008, and is punished with imprisonment of up to
a) 2 years
b) 3 years
c) 4 years
d) 5 years
which of the following attacks is not used by lc4 (l0phtcrack 4) to recover windows passwords?
a) brute-force attack
b) dictionary attack
c) mitm attack
d) hybrid attacks
is the world’s most popular vulnerability scanner used in companies for checking
vulnerabilities in the network.
a) wireshark
b) nessus
c) snort
d) webinspect
5. toneloc is abbreviated as
a) tone locking
b) tone locator
c) tone locker
d) tune locator
is a platform that essentially keeps the log of data from networks, devices as
well as applications in a single location.
a) eventlog analyser
b) nordvpn
c) wireshark
d) packetfilter analyzer
___ helps in protecting businesses against data breaches that may threaten their
cloud services.
a) centrify
b) mailbox exchange recovery
c) nessus
d) dashlane
___ is a popular corporate security tool that is used to detect attacks on email delivered through
cloud-only services.
a) cain and abel
b) proofpoint
c) angry ip scanner
d) ettercap
which of the following deals with network intrusion detection and real-time traffic analysis?
a) john the ripper
b) l0phtcrack
c) snort
d) nessus
wireshark is a tool.
a) network protocol analysis
b) network connection security
c) connection analysis
d) defending malicious packet-filtering
is the sum of all the possible points in software or system where unauthorized users
can enter as well as extract data from the system.
a) attack vector
b) attack surface
c) attack point
d) attack arena
is the cyclic practice for identifying & classifying and then solving the
vulnerabilities in a system.
a) bug protection
b) bug bounty
c) vulnerability measurement
d) vulnerability management
a remote exploit is a type of exploit that acts over a network to exploit a security
vulnerability, without needing prior access to the target.
a) true
b) false
the ___ type of exploit requires prior access to the vulnerable system; the attacker runs it to raise
his or her privileges.
a) local exploits
b) remote exploits
c) system exploits
d) network exploits
___ is the timeframe from when the security loophole was introduced until the time
the bug was fixed.
a) time-frame of vulnerability
b) window of vulnerability
c) time-lap of vulnerability
d) entry-door of vulnerability
isms is abbreviated as _
a) information server management system
b) information security management software
c) internet server management system
d) information security management system
has now evolved to be one of the most popular automated tools for unethical
hacking.
a) Automated apps
b) Database software
c) Malware
d) Worms
Leaking your company data to the outside network without prior permission of senior authority
is a crime.
a) True
b) False
before performing any penetration test, through the legal procedure, which of the key points listed below is
not mandatory?
a) know the nature of the organization
b) characteristics of work done in the firm
c) system and network
d) type of broadband company used by the firm
an ethical hacker must ensure that proprietary information of the firm does not get leaked.
a) true
b) false
after performing the ethical hacker should never disclose client information to
other parties.
a) hacking
b) cracking
c) penetration testing
d) exploiting
___ is the branch of cyber security that deals with morality and provides the theories and
principles behind different viewpoints about what is right and wrong.
a) social ethics
b) ethics in cyber-security
c) corporate ethics
d) ethics in black hat hacking
___ helps to classify arguments and situations, to better understand a cyber-crime and
to determine appropriate actions.
a) cyber-ethics
b) social ethics
c) cyber-bullying
d) corporate behaviour
a ___ tries to keep a web resource occupied, so it is unavailable to its users, by flooding the
victim's url with more requests than the server can handle.
a) phishing attack
b) dos attack
c) website attack
d) mitm attack
during a dos attack, the regular traffic on the target ___ will be either slowed
down or entirely interrupted.
a) network
b) system
c) website
d) router
dos is abbreviated as
a) denial of service
b) distribution of server
c) distribution of service
d) denial of server
a dos attack coming from a large number of ip addresses, making it hard to manually filter or
block the traffic from such sources, is known as a ___
a) gos attack
b) pdos attack
c) dos attack
d) ddos attack
which of the following does not come under network layer dos flooding?
a) udp flooding
b) http flooding
c) syn flooding
d) ntp amplification
which of the following does not come under network layer dos flooding?
a) dns amplification
b) udp flooding
c) dns query flooding
d) ntp amplification
ddos are high traffic events that are measured in gigabits per second (gbps) or packets per
second (pps).
a) true
b) false
a ddos of 20 to 40 gbps is enough to totally shut down the majority of network infrastructures.
a) true
b) false
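The dos/ddos questions above distinguish network-layer floods (syn, udp, dns/ntp amplification) from application-layer floods (http, dns query), separate a dos from a ddos by the number of sources, and note that attack size is measured in packets per second and bits per second. The following is an added example, not from the question bank or any real tool, that applies those ideas to a constructed packet list: it labels each packet with the flood type it could belong to, measures the rate per type, and reports whether enough sources are involved to call it distributed. The thresholds (10 pps, 5 sources) are illustrative assumptions, not tuned values, and the addresses are documentation ranges.

```python
"""Added example (constructed data, not real traffic): classify sample
packets by the flood type they could belong to and the layer the question
bank assigns that type to, then measure the rate per type in pps / Mbps and
decide whether the traffic comes from enough sources to count as distributed."""
import re
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float        # seconds since capture start
    src: str
    proto: str       # "TCP" or "UDP"
    sport: int
    dport: int
    flags: str       # TCP flags, e.g. "S" or "PA"; "" for UDP
    size: int        # bytes on the wire
    payload: bytes


AMPLIFIERS = {53: "DNS", 123: "NTP"}   # services commonly abused for reflection
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]")


def classify(p: Packet):
    """One packet -> (flood type, layer). Layer names follow the question bank's
    taxonomy: SYN/UDP floods and amplification are 'network layer', HTTP and
    DNS query floods are 'application layer'."""
    if p.proto == "TCP" and p.flags == "S":
        return "SYN flood", "network layer"
    if p.proto == "UDP" and p.sport in AMPLIFIERS and p.size >= 1000:
        return f"{AMPLIFIERS[p.sport]} amplification", "network layer"
    if p.proto == "UDP":
        return "UDP flood", "network layer"
    if p.proto == "TCP" and HTTP_REQ.match(p.payload):
        return "HTTP flood", "application layer"
    return "other", "-"


def analyze(packets, pps_threshold=10.0, min_window=1.0, distributed_from=5):
    """Group packets by flood type and report the types whose rate exceeds the
    threshold (thresholds are illustrative assumptions, not tuned values)."""
    groups = defaultdict(list)
    for p in packets:
        groups[classify(p)].append(p)
    report = {}
    for (kind, layer), pk in groups.items():
        if kind == "other":
            continue
        times = [p.ts for p in pk]
        span = max(min_window, max(times) - min(times))
        pps = len(pk) / span
        if pps < pps_threshold:
            continue
        sources = {p.src for p in pk}
        report[kind] = {
            "layer": layer,
            "pps": pps,
            "mbps": sum(p.size for p in pk) * 8 / span / 1e6,
            "sources": len(sources),
            "distributed": len(sources) >= distributed_from,   # DDoS rather than DoS
        }
    return report


def build_sample():
    """Constructed capture: a SYN flood from 40 sources, an HTTP flood from 3,
    DNS amplification replies from 2, and a little legitimate TLS traffic."""
    pk = []
    for i in range(40):
        pk.append(Packet(i * 0.025, f"10.1.{i // 256}.{i % 256}", "TCP", 40000 + i, 80, "S", 60, b""))
    for i in range(30):
        pk.append(Packet(i * 0.033, f"198.51.100.{i % 3 + 1}", "TCP", 50000 + i, 80, "PA", 320,
                         b"GET /search?q=" + bytes(str(i), "ascii") + b" HTTP/1.1\r\n"))
    for i in range(12):
        pk.append(Packet(i * 0.08, f"203.0.113.{i % 2 + 1}", "UDP", 53, 33000 + i, "", 1400, b"\x00" * 1400))
    for i in range(3):
        pk.append(Packet(i * 0.3, "192.0.2.7", "TCP", 51000 + i, 443, "PA", 200, b"\x16\x03\x01"))
    return pk


if __name__ == "__main__":
    for kind, info in analyze(build_sample()).items():
        print(f"{kind:18s} {info['layer']:18s} {info['pps']:6.1f} pps "
              f"{info['mbps']:.3f} Mbps from {info['sources']} source(s)"
              f"{' (distributed)' if info['distributed'] else ''}")
```

On the constructed sample the SYN flood is the only one reported as distributed; the HTTP flood comes from three addresses and the reflected DNS traffic from two, so both would be filterable by source, which is exactly what a large DDoS denies the defender. Real attacks are thousands of times larger than these rates; the logic is the same.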
which of the following type of data, phishers cannot steal from its target victims?
a) bank details
b) phone number
c) passwords
d) apps installed in the mobile
was the first type of phishing where the phishers developed an algorithm for
generating random credit card numbers.
a) algo-based phishing
b) email-based phishing
c) domain phishing
d) vishing
= voice + phishing.
a) algo-based phishing
b) vishing
c) domain phishing
d) email-based phishing
___ or smishing is one of the simplest types of phishing, where the target victims
may get a fake order detail with a cancellation link.
a) algo-based phishing
b) sms phishing
c) domain phishing
d) spear phishing
are programs or devices that capture the vital information from the target
network or particular network.
a) routers
b) trappers
c) wireless-crackers
d) sniffers
a sniffer, in general, turns your system's nic to promiscuous mode so that it can listen to all the
data transmitted on its network segment.
a) true
b) false
a ___, in general, turns your system's nic to promiscuous mode so that it can
listen to all the data transmitted on its network segment.
a) phishing site
b) sniffer tool
c) password cracker
d) nic cracker
in ___ sniffing, the network traffic is not only monitored and captured but can also
be altered in different ways to accomplish the attack.
a) passive
b) signal
c) network
d) active
are those devices which can be plugged into your network at the hardware
level & it can monitor traffic.
a) hardware sniffers & analyzers
b) hardware protocol analyzers
c) hardware protocol sniffers
d) hardware traffic sniffers and observers
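The sniffer questions above say that a sniffer puts the nic into promiscuous mode and then listens to everything on its segment, and that protocol analyzers decode that traffic. The following is an added example, not from the question bank and not a real capture: one constructed ethernet/ipv4/tcp frame addressed to a neighbouring host, decoded once with the nic in normal mode (it is dropped) and once in promiscuous mode (the cleartext http login inside it is readable). The mac and ip addresses, credentials and host roles are all made up.

```python
"""Added example (constructed frame, not a capture): what a sniffer sees.
A NIC normally drops frames whose destination MAC is not its own (or
broadcast); in promiscuous mode it passes every frame on the segment to the
sniffer, which decodes the Ethernet, IPv4 and TCP headers and the payload."""
import socket
import struct

ETH_IPV4 = 0x0800
TCP_FLAG_BITS = [("F", 1), ("S", 2), ("R", 4), ("P", 8), ("A", 16), ("U", 32)]


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header whose checksum field is
    already filled in, the result is 0."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags, payload):
    """Assemble Ethernet II + IPv4 (no options) + TCP (no options) + payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill the checksum field
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_IPV4) + ip + tcp


def decode(frame: bytes, our_mac: str, promiscuous: bool):
    """Return the decoded frame, or None when a non-promiscuous NIC would drop it."""
    dst, src = frame[0:6], frame[6:12]
    if not promiscuous and dst not in (mac_bytes(our_mac), b"\xff" * 6):
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    out = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != ETH_IPV4:
        return out
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ip_checksum(ip) != 0:
        raise ValueError("bad IPv4 header checksum")
    (total_len,) = struct.unpack("!H", ip[2:4])
    out.update(src_ip=socket.inet_ntoa(ip[12:16]), dst_ip=socket.inet_ntoa(ip[16:20]), proto=ip[9])
    if ip[9] == 6:  # TCP
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        out.update(sport=sport, dport=dport,
                   flags="".join(n for n, bit in TCP_FLAG_BITS if tcp[13] & bit),
                   payload=tcp[doff:])
    return out


OUR_MAC = "aa:bb:cc:dd:ee:01"          # the sniffing host (made-up address)
# A neighbour's HTTP login, sent in clear text on the same segment (constructed).
SAMPLE = build_frame("aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03", "192.168.1.10", "192.168.1.20",
                     40123, 80, 0x18, b"GET /login?user=alice&pass=hunter2 HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    print("normal mode     :", decode(SAMPLE, OUR_MAC, promiscuous=False))
    print("promiscuous mode:", decode(SAMPLE, OUR_MAC, promiscuous=True))
```

The first call returns None because the frame is for aa:bb:cc:dd:ee:02, not for us; the second returns the full decode, including the password in the query string. A hardware protocol analyzer plugged into the segment does the same decoding without needing a host nic at all, which is why credentials must never travel in the clear on a shared medium.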
question bank (i scheme)
name of subject: emerging trends in computer and information technology    unit test: i
subject code: 22618    course: if/cm6i    semester: vi
multiple choice questions and answers
chapter 1- artificial intelligence
1. which of these schools was not among the early leaders in ai research?
A. dartmouth university
B. harvard university
C. massachusetts institute of technology
D. stanford university
E. none of the above
ans: b
2. darpa, the agency that has funded a great deal of american ai research, is part of the
department of:
A. defense
B. energy
C. education
D. justice
E. none of the above
ans: a
3. the conference that launched the ai revolution in 1956 was held at:
A. dartmouth
B. harvard
C. new york
D. stanford
E. none of the above
ans: a
4. what is the term used for describing the judgmental or commonsense part of problem
solving?
A. heuristic
B. critical
C. value based
D. analytical
E. none of the above
ans: a
8. a.m. turing developed a technique for determining whether a computer could or could not
demonstrate artificial intelligence. presently, this technique is called
A. turing test
B. algorithm
C. boolean algebra
D. logarithm
E. none of the above
ans: a
13. the characteristics of the computer system capable of thinking, reasoning and learning is
known is
A. machine intelligence
B. human intelligence
C. artificial intelligence
D. virtual intelligence
ans: c
15. the first widely used commercial form of artificial intelligence (ai) is used in many
popular products like microwave ovens, automobiles and plug-in circuit boards for desktop pcs.
what is the name of this form of ai?
A. boolean logic
B. human logic
C. fuzzy logic
D. functional logic
ans: c
16. what is the term used for describing the judgmental or commonsense part of problem
solving?
A. heuristic
B. critical
C. value based
D. analytical
ans: a
17. ___ is a branch of computer science which deals with helping machines find solutions to
complex problems in a more human-like fashion.
A. artificial intelligence
B. internet of things
C. embedded system
D. cyber security
ans: a
18. in the goal is for the software to use what it has learned in one area to solve problems in
other areas.
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: b
19. computer programs that mimic the way the human brain processes information is called as
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: c
20. a is a rule of thumb, strategy, trick, simplification, or any other kind of device which
drastically limits search for solutions in large problem spaces.
A. heuristic
B. critical
C. value based
D. analytical
ans: a
27. prolog is an ai programming language which solves problems with a form of symbolic
logic known as .
A. propositional logic
B. tautology
C. predicate calculus
D. temporal logic
ans: c
28. the ___ level contains constituents at the third level, which are knowledge-based systems,
heuristic search, automatic theorem proving and multi-agent systems.
A. cognition level
B. gross level
C. functional level
D. all of above
ans: b
30. is used for ai because it supports the implementation of software that computes with
symbols very well.
A. lisp
B. eliza
C. prolog
D. nlp
ans: a
31. symbols, symbolic expressions and computing with those is at the core of
A. lisp
B. eliza
C. prolog
D. nlp
ans: a
32. ___ deals with the interaction between computers and humans using natural
language.
A. lisp
B. eliza
C. prolog
D. nlp
ans: d
34. aristotle's theory of syllogism, and descartes' and kant's critique of pure reason, built
knowledge on ___.
A. logic
B. computation logic
C. cognition logic
D. all of above
ans: a
36. in the 1960s, ___ pushed the logical formalism to integrate reasoning with knowledge.
A. marvin minsky
B. alain colmerauer
C. john mccarthy
D. none of above
ans: c
37. sensing organs as input, mechanical movement organs as output and central nervous system
(cns) in brain as control and computing devices is known as of human being
A. information control paradigm
B. information processing paradigm
C. information processing control
D. none of above
ans: b
38. ___ models were developed and incorporated in machines which mimicked the
functionalities of their human origin.
A. functional model
B. neural model
C. computational model
D. none of above
ans: c
39. chomsky’s linguistic computational theory generated a model for syntactic analysis through
A. regular grammar
B. regular expression
C. regular word
D. none of these
ans: a
44. weak ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: c
45. strong ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: a
49. ___ ai is a type of intelligence which could perform any intellectual task with the efficiency
of a human.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b
50. the idea behind ___ ai is to make a system which could be smarter and think like
a human on its own.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b
51. researchers worldwide are now focusing on developing machines with ___ ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: b
52. playing chess, purchasing suggestions on e-commerce site, self-driving cars, speech
recognition, and image recognition are the example of .
A. narrow ai
B. general ai
C. super ai
D. None of above
Ans: A
53. a machine that can perform any task better than a human, with cognitive properties, is known as ___
ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: c
54. the ability to think, solve puzzles, make judgments, plan, learn and communicate on its own is known as
___ ai.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: c
56. which ai system does not store memories or past experiences for future actions?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a
57. which machines only focus on the current scenario and react to it with the best possible
action?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: a
62. which ai should understand human emotions, people and beliefs, and be able to interact
socially like humans?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: c
65. which is not the commonly used programming language for ai?
A. prolog
B. lisp
C. perl
D. java script
ans: c
68. classifying email as a spam, labeling webpages based on their content, voice recognition are
the example of .
A. supervised learning
B. unsupervised learning
C. machine learning
D. deep learning
ans: a
70. deep learning is a subfield of machine learning whose algorithms are inspired by
the structure and function of the brain, called ___.
A. machine learning
B. artificial neural networks
C. deep learning
D. robotics
ans: b
2. embedded system is
A. an electronic system
B. a pure mechanical system
C. an electro-mechanical system
D. (a) or (c)
Ans: D
3. which of the following is not true about embedded systems?
A. built around specialized hardware
B. always contain an operating system
C. execution behavior may be deterministic
D. all of these
E. none of these
ans: b
8. which of the following is (are) example(s) of embedded system for data communication?
A. usb mass storage device
B. network router
C. digital camera
D. music player
E. all of these
F. none of these
ans: b
9. what are the essential tight constraint/s related to the design metrics of an embedded system?
A. ability to fit on a single chip
B. low power consumption
C. fast data processing for real-time operations
D. all of the above
Ans: D
10. a digital multimeter is an example of an embedded system for
A. data communication
B. monitoring
C. control
D. all of these
E. none of these
ans: b
11. which of the following is an (are) example(s) of an embedded system for signal processing?
A. apple ipod (media player device)
B. sandisk usb mass storage device
C. both (a) and (b)
D. none of these
ans: d
18. which architecture involves both the volatile and the non-volatile memory?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a
19. which architecture provides separate buses for program and data memory?
A. harvard architecture
B. von neumann architecture
C. none of the mentioned
D. all of the mentioned
ans: a
21. which of the following processor architecture supports easier instruction pipelining?
A. harvard
B. von neumann
C. both of them
D. none of these
ans: a
35. the huge numbers of devices connected to the internet of things have to communicate
automatically, not via humans, what is this called?
A. bot to bot(b2b)
B. machine to machine(m2m)
C. intercloud
D. skynet
ans: b
37. interconnection of internet and computing devices embedded in everyday objects, enabling
them to send and receive data is called
A. internet of things
B. network interconnection
C. object determination
D. none of these
ans: a
38. is a computing concept that describes the idea of everyday physical objects
being connected to the internet.
A. iot (internet of things)
B. mqtt
C. coap
D. spi
ans: -a
44. consists of communication protocols for electronic devices, typically a mobile device
and a standard device.
A. rfid
B. mqtt
C. nfc
D. none of above
ans:c
45. ___ refers to establishing a proper connection between all the things of iot.
A. connectivity
B. analyzing
C. sensing
D. active engagement
ans: - a
46. iot devices have unique identities and can perform ___.
A. remote sensing
B. actuating
C. monitoring capabilities
D. all of the above
ans: - d
53. lr-wpan standards form the basis of specifications for high-level communication protocols
such as ___.
A. zigbee
B. allsean
C. tyrell
D. microsoft's azure
ans:a
56. ___ includes lte.
A. 2g
B. 3g
C. 4g
D. none of above
ans:c
57. ___ layer protocols determine how the data is physically sent over the network's
physical layer or medium.
A. application layer
B. transport layer
C. network layer
D. link layer
ans: - d
58. the ___ layer is responsible for sending ip datagrams from the source network to the
destination network.
A. application layer
B. transport layer
C. network layer
D. link layer
Ans: C
59. the ___ layer performs host addressing and packet routing.
A. application layer
B. transport layer
C. network layer
D. link layer
ans:c
60. ___ protocols provide end-to-end message transfer capability independent of the
underlying network.
A. network layer
B. transport layer
C. application layer
D. link layer
ans: - b
61. the ___ protocols define how the applications interface with the lower layer protocols to send
data over the network.
A. application layer
B. transport layer
C. network layer
D. link layer
ans:a
63. 802.3 is the standard for 10base5 ethernet that uses cable as shared medium.
A. twisted pair cable
B. coaxial cable
C. fiber optic cable
D. none of the above
ans: - b
69. which one out of these is not a data link layer technology?
A. bluetooth
B. uart
C. wi-fi
D. http
ans: d
72. mqtt is better than http for sending and receiving data.
A. true
B. false
ans: a
73. mqtt is a ___ protocol.
A. machine to machine
B. internet of things
C. machine to machine and internet of things
D. machine things
ans: c
75. mqtt is:
A. based on client-server architecture
B. based on publish-subscribe architecture
C. based on both of the above
D. based on none of the above
ans: b
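questions 72 to 75 state that mqtt is a machine-to-machine protocol built on publish-subscribe rather than client-server. the following is an added example, not from the question bank and not a real broker, that reduces that model to its core: clients subscribe to topic filters (with mqtt's `+` and `#` wildcards), publishers send to topics without knowing who is listening, the broker fans each message out, and a retained message is handed to late subscribers. client and topic names are made up.

```python
"""Added example (not a real broker): the publish-subscribe model MQTT uses,
reduced to topic-filter matching, a subscription table, retained messages
and a per-client inbox standing in for the network delivery."""
from collections import defaultdict


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT wildcard rules: '+' matches exactly one level, '#' matches the
    rest of the topic (including the parent level) and must come last."""
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    def __init__(self):
        self.subs = defaultdict(set)      # topic filter -> client ids
        self.retained = {}                # topic -> last retained payload
        self.inbox = defaultdict(list)    # client id -> [(topic, payload)]

    def subscribe(self, client: str, filter_: str):
        self.subs[filter_].add(client)
        # A new subscriber immediately receives matching retained messages.
        for topic, payload in self.retained.items():
            if topic_matches(filter_, topic):
                self.inbox[client].append((topic, payload))

    def publish(self, topic: str, payload: str, retain: bool = False) -> int:
        """Fan the message out to every client whose filter matches; the
        publisher never learns who (if anyone) received it."""
        if retain:
            self.retained[topic] = payload
        delivered = set()
        for filter_, clients in self.subs.items():
            if topic_matches(filter_, topic):
                delivered |= clients
        for client in delivered:          # one copy per client, even with overlapping filters
            self.inbox[client].append((topic, payload))
        return len(delivered)


def demo():
    b = Broker()
    b.subscribe("dashboard", "home/+/temp")
    b.subscribe("audit-log", "#")            # '#' sees everything: restrict who may subscribe to it
    b.subscribe("kitchen-light", "home/kitchen/light")
    b.publish("home/kitchen/temp", "21.5", retain=True)
    b.publish("home/garage/door", "open")
    b.subscribe("late-phone", "home/kitchen/temp")   # receives the retained 21.5 at once
    return dict(b.inbox)


if __name__ == "__main__":
    for client, msgs in demo().items():
        print(client, msgs)
```

the thermostat publishing to `home/kitchen/temp` has no idea that a dashboard, an audit logger and a phone that connected later all received its reading; that decoupling is what makes the model fit constrained, intermittently connected iot devices better than http request-response, and also why a broker must control who is allowed to subscribe to `#`.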
82. which protocol is used to link all the devices in the iot?
A. tcp/ip
B. network
C. udp
D. http
ans: a
95. ___ is a stateful communication model in which the server is aware of all open connections.
A. request-response
B. publish-subscriber
C. push-pull
D. exclusive pair
ans:d
104. which of the following is the fundamental unit of virtualized client in an iaas deployment?
a) workunit
b) workspace
c) workload
d) all of the mentioned
ans:c
105. the ___ offering provides the tools and development environment to deploy applications on
another vendor's platform.
A. paas
B. iaas
C. caas
D. all of the mentioned
ans: a
107. ___ is suitable for iot applications that have low latency or high throughput requirements.
A. rest
B. publish-subscriber
C. push-pull
D. websocket
ans:d
108. ___ is one of the most popular wireless technologies used by wsns.
A. zigbee
B. allsean
C. tyrell
D. z-wave
ans:a
111. the process of collecting, organizing and analyzing large sets of data is called
A. wsn
B. cloud computing
C. big data
D. none of above
ans:c
119. which characteristic involves the ability of the thing to respond in an intelligent way to a
particular situation?
A. intelligence
B. connectivity
C. dynamic nature
D. enormous scale
ans: a
139. a ___ detects the presence or absence of a nearby object without any physical contact.
A. smoke sensor
B. pressure sensor
C. ir sensor
D. proximity sensor
ans:d
140. ___ sensors include thermocouples, thermistors, resistance temperature detectors (rtds) and
integrated circuits (ics).
A. smoke sensor
B. temperature sensor
C. ir sensor
D. proximity sensor
ans:b
142. a ___ sensor is used for automatic door controls, automatic parking systems, automated sinks,
automated toilet flushers and hand dryers.
A. smoke sensor
B. temperature sensor
C. ir sensor
D. motion sensor
ans:d
5. in the past, the method for expressing an opinion has been to frame a question based on
available factual evidence.
A. hypothetical
B. nested
C. challenging
D. contradictory
ans: a
6. more subtle because you are not aware that you are running these macros (the document opens
and the application automatically runs); spread via email
A. the purpose of copyright
B. danger of macro viruses
C. derivative works
D. computer-specific crime
ans: b
7. there are three c's in computer forensics. which is one of the three?
A. control
B. chance
C. chains
D. core
ans: a
8. when was the fbi's computer forensics program created?
a.1979
b.1984
c.1995
d.1989
ans: b
15. in the ___ phase the investigator transfers the relevant data from a venue outside the physical or
administrative control of the investigator to a controlled location.
A. preservation phase
B. survey phase
C. documentation phase
D. reconstruction phase
E. presentation phase
ans:b
18. a set of instructions compiled into a program that performs a particular task is known as:
A. hardware
B. cpu
C. motherboard
D. software
ans: d
22. which phase entails a review of the whole investigation and identifies area of improvement?
A. physical crime investigation
B. digital crime investigation.
C. review phase.
D. deployment phase
ans: c
24. ___ is a well-established science to which various contributions have been made.
A. forensic
B. crime
C. cyber crime
D. evidence
ans: a
29. is software that blocks unauthorized users from connecting to your computer.
A. firewall
B. quick launch
C. onelogin
D. centrify
ans: a
33. which of the following is not an unethical norm for a digital forensics investigation?
A. withhold any relevant evidence.
B. disclose any confidential matters or knowledge.
C. distort or falsify education, training or credentials.
D. respect the privacy of others.
ans: d
34. what is the process of creating a duplicate of digital media for the purpose of
examining it called?
A. acquisition.
B. steganography.
C. live analysis
D. hashing.
ans: a
35. which term refers to modifying a computer in a way that was not originally intended, in order to
view information?
A. metadata
B. live analysis
C. hacking
D. bit copy
ans: c
36. the ability to recover and read deleted or damaged files from a criminal’s computer is an
example of a law enforcement specialty called?
A. robotics
B. simulation
C. computer forensics
D. animation
ans: c
37. which is an important part of a mobile device used in digital forensics?
A. sim
B. ram
C. rom.
d.emmc chip
ans: d
38. using what technique is data hidden inside images in digital forensics?
A. acquisition.
B. steganography.
C. live analysis
D. hashing.
ans: b
42. ___ searches through raw data on a hard drive without using a file system.
A. data mining
B. data carving
C. meta data
D. data spoofing.
ans: b
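questions 34 and 42 above describe acquisition (a duplicate of the media made for examination) and data carving (searching raw bytes without a file system), and question 30 in the next bank describes evidence validation (showing that what is presented is what was collected). the following is an added example, not from the question bank and not a real forensic tool, that runs those three steps on a constructed "disk": it images the bytes, proves the image matches the source by sha-256, then carves a jpeg-like and a png-like blob out of the raw image by their header and footer signatures. the disk contents and sizes are made up; the signatures are the real jpeg soi/eoi and png signature/iend bytes.

```python
"""Added example with a constructed 'disk' (no real evidence, no file system):
acquire a bit-for-bit image, prove it matches the source by hash (the
evidence-validation step), then carve files out of the raw bytes by their
header/footer signatures, the way data carving works."""
import hashlib

SIGNATURES = {                       # file type -> (header, footer)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_disk() -> bytes:
    """Filler, a JPEG-like blob, slack space, a PNG-like blob that no directory
    entry points to (i.e. 'deleted'), more filler. Sizes are arbitrary."""
    jpg = b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 40 + b"image-one" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 20 + b"IEND\xaeB`\x82"
    return b"\x00" * 100 + jpg + b"\xaa" * 64 + png + b"\x00" * 50


def acquire(source: bytes):
    """Forensic acquisition: copy every byte, hash the source and the image."""
    image = bytes(source)                      # stands in for dd / write-blocked imaging
    return image, sha256(source), sha256(image)


def verify(image: bytes, expected: str) -> bool:
    """Evidence validation: what you present must hash to what you collected."""
    return sha256(image) == expected


def carve(image: bytes, max_size: int = 1 << 20):
    """Scan the raw bytes for each header and take everything up to the next
    footer, ignoring any file system; returns (type, offset, length, sha256)."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            end = image.find(tail, start + len(head))
            if end < 0:
                break
            end += len(tail)
            if end - start <= max_size:
                found.append((kind, start, end - start, sha256(image[start:end])))
            pos = end
    return sorted(found, key=lambda f: f[1])   # by offset on disk


if __name__ == "__main__":
    image, src_hash, img_hash = acquire(build_disk())
    print("acquisition verified:", src_hash == img_hash)
    for kind, offset, length, digest in carve(image):
        print(f"{kind} at offset {offset}, {length} bytes, sha256 {digest[:16]}...")
    print("tampered copy validates:", verify(image[:-1] + b"\x01", src_hash))
```

each carved object gets its own hash so it can be referenced later without re-carving; flipping a single byte of the image makes `verify` fail, which is the property that lets an examiner work on the copy and still vouch for the original.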
43. what is first step to handle retrieving data from an encrypted hard drive?
A. formatting disk
B. storing data
C. finding configuration files.
D. deleting files.
ans: c
bharati vidyapeeth institute of technology question bank
--------------------------------------------------------------------------------------------------
2. what are the three general categories of computer systems that can contain digital
evidence?
A. desktop, laptop, server
B. personal computer, internet, mobile telephone
C. hardware, software, networks
D. open computer systems, communication systems, and embedded systems
ans: d
10. private networks can be a richer source of evidence than the internet because:
A. they retain data for longer periods of time.
B. owners of private networks are more cooperative with law enforcement.
C. private networks contain a higher concentration of digital evidence.
D. all the above.
ans: c
11. due to caseload and budget constraints, often computer security professionals attempt to
limit the damage and close each investigation as quickly as possible. which of the following is
not a significant drawback to this approach?
A. each unreported incident robs attorneys and law enforcement personnel of an opportunity
to learn about the basics of computer-related crime.
B. responsibility for incident resolution frequently does not reside with the security
professional, but with management.
C. this approach results in under-reporting of criminal activity, deflating statistics that are
used to allocate corporate and government spending on combating computer-related
crime.
D. computer security professionals develop loose evidence processing habits that can make
it more difficult for law enforcement personnel and attorneys to prosecute an offender.
E. none of the above
ans: b
12. the criminological principle which states that, when anyone, or anything, enters a crime
scene he/she takes something of the scene with him/her, and leaves something of himself/herself
behind, is:
A. locard’s exchange principle
B. differential association theory
C. beccaria’s social contract
D. none of the above
ans: a
13. the author of a series of threatening e-mails consistently uses "im" instead of "i'm." this is
an example of:
A. an individual characteristic
B. an incidental characteristic
C. a class characteristic
D. an indeterminate characteristic
ans: a
14. personal computers and networks are often a valuable source of evidence. those
involved with ___ should be comfortable with this technology.
A. criminal investigation
B. prosecution
C. defense work
D. all of the above
ans: d
15. an argument for including computer forensic training computer security specialists is:
A. it provides an additional credential.
B. it provides them with the tools to conduct their own investigations.
C. it teaches them when it is time to call in law enforcement.
D. none of the above.
ans: c
16. the digital evidence are used to establish a credible link between
A. attacker and victim and the crime scene
B. attacker and the crime scene
C. victim and the crime scene
D. attacker and information
ans: a
18. from the two given statements 1 and 2, select the correct option from a-d.
1. original media can be used to carry out the digital investigation process.
2. by default, every part of the victim's computer is considered unreliable.
19. the evidences or proof can be obtained from the electronic source is called the
A. digital evidence
B. demonstrative evidence
C. explainable evidence
D. substantial evidence
ans: a
25. when an incident takes place, the criminal leaves a trace of evidence at the scene and takes a
trace away from the scene; this is called
A. locard’s exchange principle
B. anderson’s exchange principle
C. charles’s anthony principle
D. kevin ashton principle
ans: a
30. the process of ensuring that the data you present in court is the same as the data
you originally collected is known as
A. evidence validation
B. relative evidence
C. best evidence
D. illustrative evidence
ans: a
31. when a case goes to trial, your forensics examiner plays one of ___ roles.
A. 2
B. 4
C. 3
D. 5
ans. a
A. eye witness
B. picture and video
C. paper work
D. none of the above
ans b
A. law of witness
B. law of litigation
C. law of evidence
D. all of the above
ans. c
true or false questions
1. digital evidence is only useful in a court of law.
A. true
B. false
ans: b
2. attorneys and police are encountering progressively more digital evidence in their
work.
A. true
B. false
ans: a
5. digital evidence can be duplicated exactly without any changes to the original data.
A. true
B. false
ans: a
6. computers were involved in the investigations into both world trade center attacks.
A. true
B. false
ans: a
10. the aim of a forensic examination is to prove with certainty what occurred.
A. true
B. false
ans: b
11. even digital investigations that do not result in legal action can benefit from principles of
forensic science.
A. true
B. false
ans: a
12. forensic science is the application of science to investigation and prosecution of crime or to
the just resolution of conflict.
A. true
B. false
ans: a
chapter 5
basics of hacking (co5)
A. b, c, d, a
B. b, a, c, d
C. a, b, c, d
D. d, c, b, a
ans. a
6. ___ is the art of exploiting the human element to gain the access of an authorized user.
A. social engineering.
B. it engineering.
C. ethical hacking.
D. none of the above.
ans. a
15. a ___ is a person who finds and exploits weaknesses in computer systems.
A. victim
B. hacker
C. developer
D. none of the above.
ans. b
19. keeping information secured can protect an organization's image and save the organization a lot
of money.
A. true
B. false
ans. a
23. ___ involve manipulating people; users, even you yourself, are the greatest
vulnerability within any computer system.
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. a
24. connecting into a network through a rogue modem attached to a computer behind a firewall is an
example of
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. b
25. ___ comprise a large portion of hacker attacks simply because every computer has one,
so well-known exploits can be used against them.
A. nontechnical attacks
B. network infrastructure attack
C. operating system attack
D. application and other specialized attack
ans. c
32. which hackers try to spread a political or social message through their work?
A. black hat hacker
B. hactivist
C. script kiddes
D. white hat hacker
ans. b
37. leaking your company data to the outside network without prior permission of senior
authority is a crime.
A. true
B. false
ans. a
38. a penetration tester must identify and keep in mind the ____ & ____ requirements of a firm while evaluating the security postures.
A. privacy and security
B. rules and regulations
C. hacking techniques
D. ethics to talk to seniors
ans. a
39. the legal risks of ethical hacking include lawsuits due to ____ of personal data.
A. stealing
B. disclosure
C. deleting
D. hacking
ans. b
40. before performing any penetration test, through legal procedure, which of the key points listed below is not mandatory?
A. know the nature of the organization
B. characteristics of work done in the firm
C. system and network
D. type of broadband company used by the firm
ans. d
chapter-6
types of hacking (co6)
2. which of the following tools is used for network testing and port scanning?
A. netcat
B. superscan
C. netscan
D. all of above
ans: d
5. which of the following tools is used on windows for network queries, from dns lookups to trace routes?
A. sam spade
B. superscan
C. netscan
D. netcat
ans: a
6. which tool is used for ping sweeps and port scanning?
A. netcat
B. samspade
C. superscan
D. all the above
ans: c
7. which of the following tools is used for security checks such as port scanning and firewall testing?
A. netcat
B. nmap
C. data communication
D. netscan
ans: a
12. ____ is a popular tool used for network discovery as well as security auditing.
A. ettercap
B. metasploit
C. nmap
D. burp suite
ans: c
13. which of these does nmap not check?
A. services different hosts are offering
B. on what os they are running.
C. what kind of firewall in use?
D. what type of antivirus in use?
ans: d
15. what are some of the most common vulnerabilities that exist in a network system?
A. changing manufacturer, or recommended settings of newly installed application.
B. additional unused feature on commercial software package.
C. utilizing open source application code.
D. balancing security and ease of use of system.
ans: b
17. attempting to gain access to a network using an employee's credentials is called the ____ mode of ethical hacking.
A. local networking
B. social engineering
C. physical entry
D. remote networking
ans: a
18. the first phase of hacking an it system is compromise of which foundation of security?
A. availability
B. confidentiality
C. integrity
D. authentication
ans: b
19. why would a ping sweep be used?
A. to identify live systems
B. to locate live systems
C. to identify open ports
D. to locate firewalls
ans: a
22. which of the following will allow footprinting to be conducted without detection?
A. ping sweep
B. traceroute
C. war dialers
D. arin
ans: d
23. performing hacking activities with the intent of gaining visibility for an unfair situation is called ____.
A. cracking
B. analysis
C. hacktivism
D. exploitation
ans: c
30. the ____ framework made cracking of vulnerabilities easy, like point and click.
A. net
B. metasploit
C. zeus
D. ettercap
ans: b
31. ____ is a popular ip address and port scanner.
A. cain and abel
B. snort
C. angry ip scanner
D. ettercap
ans: c
32. ____ is a popular tool used for network analysis in a multiprotocol, diverse network.
A. snort
B. superscan
C. burp suite
D. etherpeek
ans: d
39. ____ is used for searching multiple hosts in order to target just one specific open port.
A. ping sweep
B. port scan
C. ipconfig
D. spamming
ans: a
41. a ____ is a tool that allows you to look into a network and analyze data going across the wire for network optimization, security and troubleshooting purposes.
A. network analyzer
B. crypt tool
C. john the ripper
D. backtrack
ans: a
45. which type of hacker represents the highest risk to your network?
A. black-hat hackers
B. grey-hat hackers
C. script kiddies
D. disgruntled employees
ans: d
49. a type of attack that overloads the resources of a single system to cause it to crash or hang.
A. resource starvation
B. active sniffing
C. passive sniffing
D. session hijacking
ans. c
50. in computer networking, ____ is any technical effort to manipulate the normal behavior of network connections and connected systems.
A. hacking
B. evidence
C. tracing
D. none of above
ans: a
52. we can eliminate many well-known network vulnerabilities by simply patching your network hosts with their latest ____ and ____.
A. hackers and crackers
B. vendor software and firmware patches
C. software and hardware
D. none of above
ans: b
53. a network consists of devices such as routers, firewalls and hosts that you must assess as part of the ____ process.
A. crackers
B. black hat hacking
C. grey hat hacking process
D. ethical hacking process
ans: d
54. network infrastructure vulnerabilities are the foundation for most technical security
issues in your information systems.
A. operating system vulnerabilities
B. web vulnerabilities
C. wireless network vulnerabilities
D. network infrastructure vulnerabilities
ans: d
55. a ____ attack, which can take down your internet connection or your entire network.
A. mac
B. dos
C. ids
D. none of above
ans: b
64.what are some of the most common vulnerabilities that exist in a network or system?
A. changing manufacturer, or recommended, settings of a newly installed application.
B. additional unused features on commercial software packages.
C. utilizing open source application code
D. balancing security concerns with functionality and ease of use of a system.
ans: b
This Online Exam is for Final Year students of Computer Engineering Group of MSBTE affiliated Polytechnic.
Date: 21-05-2020
Time: 10.00 to 11.30am.
https://docs.google.com/forms/d/e/1FAIpQLSewPHDBW8z6BupgS-RKxbAZmZAz_W-rKu0CPZcACA733SoVyw/viewscore?viewsco…
21/05/2020 state level online exam for emerging trends in computer engineering and information technology(22618)
A. Narrow AI
B. General AI
C. Neural AI
ans: a
2. DARPA, the agency that has funded a great deal of American AI research, is part of the Department of:
A. Defence
B. Energy
C. Education
D. Justice
ans: a
3. The conference that launched the AI revolution in 1956 was held at:
A. Dartmouth
B. Harvard
C. New York
D. Stanford
ans: a
4. What is the term used for describing the judgmental or commonsense part of problem solving?
A. Heuristic
B. Critical
C. Value based
D. Analytical
ans: a
A. David Levy
B. John McCarthy
C. Joseph Weizenbaum
D. Hans Berliner
ans: b
7. The ability to recover and read deleted or damaged files from a criminal's computer is an example of a law enforcement specialty called:
A. Robotics
B. Simulation
C. Computer Forensics
D. Animation
ans: c
8. What are the important parts of a mobile device used in digital forensics?
A. SIM
B. RAM
C. ROM
D. EMMC chip
ans: d
9. Using what can data hiding in encrypted images be carried out in digital forensics?
A. Acquisition
B. Steganography
C. Live analysis
D. Hashing
ans: b
A. e-mail harassment
B. Falsification of data
C. Sabotage
D. Identification of data
ans: d
11. Which file is used to store the user entered password?
A. .exe
B. .txt
C. .iso
D. .sam
ans: d
A. Data mining
B. Data carving
C. Meta data
D. Data Spoofing
ans: a
13. What is the first step to handle retrieving data from an encrypted hard drive?
A. Formatting disk
B. Storing data
C. Deleting files
14. In the ____ phase the investigator transfers the relevant data from a venue out of physical or administrative control of the investigator to a controlled location.
A. Preservation phase
B. Survey phase
C. Documentation phase
D. Reconstruction phase
E. Presentation phase
ans: b
16. A set of instructions compiled into a program that performs a particular task is known as:
A. Hardware
B. CPU
C. Motherboard
D. Software
ans: d
A copy is made onto forensically sterile media. New media should always be used if available.
18. To collect and analyze the digital evidence that was obtained from the physical investigation phase is the goal of which phase?
A. Review phase
B. Deployment phase
ans: a
20. Which phase entails a review of the whole investigation and identifies areas of improvement?
A. Review phase
B. Deployment phase
ans: a
A. G. Palmar
B. J. Korn
C. Michael Anderson
D. S. Ciardhuain
ans: c
A. Forensic
B. Crime
C. Cyber Crime
D. Evidence
ans: a
23. Who proposed End to End Digital Investigation Process (EEDIP)?
A. G. Palmar
B. Stephenson
C. Michael Anderson
D. S. Ciardhuain
ans: b
27. What are the three general categories of computer systems that can contain digital evidence?
A. Desktop, laptop, server
B. Software, networks
C. Open computer systems
D. Communication systems
E. Embedded computer systems
ans: d
A. Offenders who are unaware of them leave behind more clues than they otherwise would have.
ans: a
30. Private networks can be a richer source of evidence than the Internet because:
31. The criminological principle which states that, when anyone, or anything, enters a crime scene he/she takes something of the scene with him/her, and leaves something of himself/herself behind, is:
A. Differential Association Theory
B. Beccaria's Social Contract
C. None of the above
A. Encryption
B. None of these
A. Strengths
B. Weakness
C. A & B
D. None of these
ans: b
A. G. Palma
B. Raymond
C. Either
D. Jhon Browman
ans: b
A. Fix identifies weakness
B. Steal the data
A. Nmap
B. LC4
C. ToneLOC
D. Nessus
ans: b
37. Which tool is used for in-depth analysis of a web application?
A. Whisker
B. Superscan
C. Nikto
D. Kismet
ans: a
38. Which hackers try to distribute political or social messages through their work?
A. Black hat hacker
B. Hacktivist
C. Script kiddies
D. White hat hacker
ans: b
39. A penetration tester must identify and keep in mind the ____ & ____ requirements of a firm while evaluating the security postures.
A. hacking techniques
40. Before performing any penetration test, through legal procedure, which of the key points listed below is not mandatory?
Script Kiddies
42. Which of the following tools is used on Windows for network queries, from DNS lookups to trace routes?
A. SamSpade
B. SuperScan
C. NetScan
D. Netcat
ans: a
43. Which Nmap scan does not completely open a TCP connection?
A. SYN stealth scan
B. TCP scan
C. XMAS tree scan
D. ACK scan
ans: a
A. Local networking
B. Social engineering
C. Physical entry
D. Remote networking
ans: a
A. Reconnaissance
B. Maintaining Access
C. Gaining Access
D. Scanning
ans: c
47. Which type of hacker represents the highest risk to your network?
A. Black-hat hackers
B. Grey-hat hackers
C. Script kiddies
D. Disgruntled employees
ans: d
A. General Purpose
B. Special Purpose
ans: b
A. Data communication
B. Monitoring
C. Control
D. All of above
ans: b
A. ASIC
B. ASSP
C. CPU
D. CPLD
ans: c
chapter 1- artificial intelligence | eti mcq i scheme
1. which of these schools was not among the early leaders in ai research?
A. dartmouth university
B. harvard university
C. massachusetts institute of technology
D. stanford university
E. none of the above
ans: b
2. darpa, the agency that has funded a great deal of american ai research, is part of the
department of:
A. defense
B. energy
C. education
D. justice
E. none of the above
ans: a
3. the conference that launched the ai revolution in 1956 was held at:
A. dartmouth
B. harvard
C. new york
D. stanford
E. none of the above
ans: a
4. what is the term used for describing the judgmental or commonsense part of the problem
solving?
A. heuristic
B. critical
C. value-based
D. analytical
E. none of the above
ans: a
6. a certain professor at stanford university coined the term 'artificial intelligence' in 1956 at a conference held at dartmouth college. can you name the professor?
A. david levy
B. john mccarthy
C. joseph weizenbaum
D. hans berliner
E. none of the above
ans: b
8. a.m. turing developed a technique for determining whether a computer could or could not demonstrate artificial intelligence. presently, this technique is called
A. turing test
B. algorithm
C. boolean algebra
D. logarithm
E. none of the above
ans: a
13. the characteristic of a computer system capable of thinking, reasoning and learning is known as
A. machine intelligence
B. human intelligence
C. artificial intelligence
D. virtual intelligence
ans: c
15. the first widely used commercial form of artificial intelligence (ai) is being used in many popular products like microwave ovens, automobiles and plug-in circuit boards for desktop pcs. what is the name of this ai?
A. boolean logic
B. human logic
C. fuzzy logic
D. functional logic
ans: c
16. what is the term used for describing the judgmental or commonsense part of the problem
solving?
A. heuristic
B. critical
C. value-based
D. analytical
ans: a
17. ____ is a branch of computer science which deals with helping machines find solutions to complex problems in a more human-like fashion.
A. artificial intelligence
B. internet of things
C. embedded system
D. cyber security
ans: a
18. in ____ the goal is for the software to use what it has learned in one area to solve problems in other areas.
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: b
19. computer programs that mimic the way the human brain processes information are called
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: c
20. a ____ is a rule of thumb, strategy, trick, simplification, or any other kind of device which drastically limits the search for solutions in large problem spaces.
A. heuristic
B. critical
C. value based
D. analytical
ans: a
26. the concepts derived from the ____ level are propositional logic, tautology, predicate calculus, model, temporal logic.
A. cognition level
B. logic level
C. functional level
D. all of the above
ans: b
27. prolog is an ai programming language which solves problems with a form of symbolic logic known as ____.
A. propositional logic
B. tautology
C. predicate calculus
D. temporal logic
ans: c
28. the ____ level contains constituents at the third level, which are knowledge-based systems, heuristic search, automatic theorem proving, multi-agent systems.
A. cognition level
B. gross level
C. functional level
D. all of the above
ans: b
29. prolog, lisp, nlp are the languages of
A. artificial intelligence
B. machine learning
C. internet of things
D. deep learning
ans: a
30. ____ is used for ai because it supports the implementation of software that computes with symbols very well.
A. lisp
B. eliza
C. prolog
D. nlp
ans: a
31. symbols, symbolic expressions, and computing with those are at the core of ____
A. lisp
B. eliza
C. prolog
D. nlp
ans: a
32. ____ is the field that deals with the interaction between computers and humans using natural language.
A. lisp
B. eliza
C. prolog
D. nlp
ans: d
34. aristotle's theory of syllogism and descartes' and kant's critique of pure reasoning made knowledge on ____.
A. logic
B. computation logic
C. cognition logic
D. all of the above
ans: a
37. sensing organs as input, mechanical movement organs as output and the central nervous system (cns) in the brain as control and computing devices is known as the ____ of a human being.
A. information control paradigm
B. information processing paradigm
C. information processing control
D. none of the above
ans: b
38. the ____ model was developed and incorporated in machines which mimicked the functionalities of human origin.
A. functional model
B. neural model
C. computational model
D. none of the above
ans: c
39. chomsky's linguistic computational theory generated a model for syntactic analysis through
A. regular grammar
B. regular expression
C. regular word
D. none of these
ans: a
45. strong ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect
intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer
D. all of the above
E. none of the above
ans: a
49. ____ ai is a type of intelligence which could perform any intellectual task with efficiency like a human.
A. narrow ai
B. general ai
C. super ai
D. none of the above
ans: b
50. the idea behind ____ ai is to make a system which could be smarter and think like a human on its own.
A. narrow ai
B. general ai
C. super ai
D. none of the above
ans: b
51. researchers worldwide are now focusing on developing machines with ____ ai.
A. narrow ai
B. general ai
C. super ai
D. none of the above
ans: b
52. playing chess, purchasing suggestions on e-commerce sites, self-driving cars, speech recognition and image recognition are examples of ____.
A. narrow ai
B. general ai
C. super ai
D. none of above
ans: a
53. a machine that can perform any task better than a human with cognitive properties is known as ____ ai.
A. narrow ai
B. general ai
C. super ai
D. none of the above
ans: c
54. the ability to think, solve puzzles, make judgments, plan, learn and communicate on its own is known as ____ ai.
A. narrow ai
B. general ai
C. super ai
D. none of the above
ans: c
56. which ai system does not store memories or past experiences for future actions?
A. reactive machine
B. limited memory
C. theory of mind
D. none of the above
ans: a
57. which machines only focus on current scenarios and react to them with the best possible action?
A. reactive machine
B. limited memory
C. theory of mind
D. none of the above
ans: a
60. which can store past experiences or some data for a short period of time?
A. reactive machine
B. limited memory
C. theory of mind
D. none of above
ans: b
62. which ai should understand human emotions, people, and beliefs and be able to interact socially like humans?
A. reactive machine
B. limited memory
C. theory of mind
D. none of the above
ans: c
67. ____ is a branch of science that deals with programming systems in such a way that they automatically learn and improve with experience.
A. machine learning
B. deep learning
C. neural networks
D. none of these
ans: a
68. classifying email as spam, labeling webpages based on their content, and voice recognition are examples of ____.
A. supervised learning
B. unsupervised learning
C. machine learning
D. deep learning
ans: a
70. deep learning is a subfield of machine learning where the concerned algorithms are inspired by the structure and function of the brain, called ____.
A. machine learning
B. artificial neural networks
C. deep learning
D. robotics
ans: b
33. how many times does the setup function run in the arduino ide?
A. none of the above
B. 10
C. 2
D. 1
ans: d
34. raspbian is:
A. assembler
B. language
C. compiler
D. os
ans: d
35. cgi stands for:
A. common gateway interest
B. common gateway interrupt
C. common gate interference
D. common gateway interface
ans: d
42. the network layer is concerned with:
A. bits
B. frames
C. packets
D. none of the mentioned
ans: d
43. an ethernet frame consists of:
A. ip address
B. both (a) and (b)
C. mac address
D. none of the mentioned
ans: d
44. what is the internet?
A. a vast collection of different networks
B. interconnection of local area networks
C. a single network
D. none of the mentioned
ans: b
45. what is the clock frequency of 8087?
A. 10 mhz
B. 5 mhz
C. 6 mhz
D. 4 mhz
ans: c
46. how are negative numbers stored in a coprocessor?
A. 1's complement
B. 2's complement
C. decimal
D. gray
ans: b
47. how many bits are used for storing signed integers?
A. 2
B. 4
C. 8
D. 16
ans: d
48. which of the processors has an internal coprocessor?
A. 8087
B. 80287
C. 80387
D. 80486dx
ans: d
49. what are the two major sections in a coprocessor?
A. control unit and numeric control unit
B. integer unit and control unit
C. floating point unit and coprocessor unit
D. coprocessor unit and numeric control unit
ans: a
50. which are the processors based on risc?
A. sparc
B. 80386
C. mc68030
D. mc68020
ans: a
51. what is the 80/20 rule?
A. 80% of instructions are generated and 20% of instructions are executed
B. 80% of instructions are executed and 20% of instructions are generated
C. 80% of instructions are executed and 20% of instructions are not executed
D. 80% of instructions are generated and 20% of instructions are not generated
ans: a
52. which of the architectures is more complex?
A. sparc
B. mc68030
C. mc68030
D. 8086
ans: a
53. which is the first company who defined risc architecture?
A. intel
B. ibm
C. motorola
D. mips
ans: b
54. which of the following processors executes its instructions in a single cycle?
A. 8086
B. 8087
C. 8088
D. mips r2000
ans: d
55. which of the following is a coprocessor of 80386?
A. 80387
B. 8087
C. 8088
D. 8089
ans: a
56. name the processor which helps in floating point calculations.
A. microprocessor
B. microcontroller
C. coprocessor
D. controller
ans: c
57. which is the coprocessor of 8086?
A. 8087
B. 8088
C. 8086
D. 8080
ans: a
58. which of the following is a coprocessor of the motorola 68000 family?
A. 68001
B. 68011
C. 68881
D. 68010
ans: c
59. which of the following processors can perform exponential, logarithmic and trigonometric functions?
A. 8086
B. 8087
C. 8080
D. 8088
ans: b
60. how many stack registers does an 8087 have?
A. 4
B. 8
C. 16
D. 32
ans: b
61. which of the following processors can handle infinity values?
A. 8080
B. 8086
C. 8087
D. 8088
ans: c
62. which coprocessor supports affine closure?
A. 80187
B. 80287
C. 80387
D. 8088
ans: b
63. which one is the floating point coprocessor of 80286?
A. 8087
B. 80187
C. 80287
D. 80387
ans: c
64. how many pins does 8087 have?
A. 40 pin dip
B. 20 pin dip
C. 40 pin
D. 20 pin
ans: a
65. which one of the following offers cpus as integrated memory or peripheral interfaces?
A. microcontroller
B. microprocessor
C. embedded system
D. memory system
ans: a
66. which of the following offers external chips for memory and peripheral interface circuits?
A. microcontroller
B. microprocessor
C. peripheral system
D. embedded system
ans: b
67. how many bits does the mc6800 family have?
A. 16
B. 32
C. 4
D. 8
ans: d
68. which of the following is a 4-bit architecture?
A. mc6800
B. 8086
C. 80386
D. national cop series
ans: d
69. what is cisc?
A. computing instruction set complex
B. computing instruction set complex
C. complimentary instruction set computing
D. complex instruction set complementary
ans: a
70. how is the protection and security for an embedded system made?
A. otp
B. ipr
C. security chips
D. memory disk security
ans: b
71. which of the following possesses a cisc architecture?
A. mc68020
B. arc
C. atmel avr
D. blackfin
ans: a
72. which of the following is a risc architecture?
A. 80286
B. mips
C. zilog z80
D. 80386
ans: b
73. which one of the following is a board based system?
A. data bus
B. address bus
C. vmebus
D. dma bus
ans: c
74. vme bus stands for
A. versa module europa bus
B. versa module embedded bus
C. vertical module embedded bus
D. vertical module europa bus
ans: a
75. the arm processors don't support byte addressability.
A. block level
B. logical volumes
C. distance
D. signals
ans: d
76. deadline-driven constraints are so called
A. reality-time constraints
B. real-time constraints
C. real-data constraints
D. none of above
ans: b
77. the processor must accept and process the frame before the next frame arrives; this is typically called
A. hard real-time systems
B. real-time constraints
C. real-data constraints
D. soft real-time systems
ans: a
78. what are the essential tight constraint/s related to the design metrics of an embedded system?
A. ability to fit on a single chip
B. low power consumption
C. fast data processing for real-time operations
D. all of the above
ans: d
79. which function/s is/are provided by the integrated memory management unit in the 80386 architecture?
A. optional on-chip paging
B. 4 levels of protection
C. virtual memory support
D. all of the above
ans: d
80. an arm processor generally enters abort mode when
A. an attempt to access memory fails
B. a low priority interrupt is raised
C. undefined instructions are to be handled
D. on reset
ans: a
81. what is/are the configuration status of the control unit in risc processors?
A. hardwired
B. microprogrammed
C. both a and b
D. none of the above
ans: a
82. the main importance of arm micro-processors is providing
A. low cost and low power consumption
B. higher degree of operation with multi-tasking
C. lower error or glitches
D. efficient memory management
ans: a
83. arm processors were basically designed for
A. main frame systems
B. distributed systems
C. mobile systems
D. super computers
ans: c
84. who invented flash memory?
A. dr. fujio masuoka
B. john ellis
C. josh fisher
D. john ruttenberg
ans: a
85. which of the following is serial access memory?
A. ram
B. flash memory
C. shifters
D. rom
ans: c
86. which is the early form of non-volatile memory?
A. magnetic core memory
B. ferrimagnetic memory
C. anti-magnetic memory
D. anti-ferromagnetic
ans: a
87. which of the following memories has more speed in accessing data?
A. sram
B. dram
C. eprom
D. eeprom
ans: a
88. in which memory are the signals multiplexed?
A. dram
B. sram
C. eprom
D. eeprom
ans: a
89. how many main signals are used with memory chips?
A. 2
B. 4
C. 6
D. 8
ans: b
90. what is the purpose of the address bus?
A. to provide data to and from the chip
B. to select a specified chip
C. to select a location within the memory chip
D. to select a read/write cycle
ans: c
91. which are the two main types of processor connection to the motherboard?
A. sockets and slots
B. sockets and pins
C. slots and pins
D. pins and ports
ans: a
92. which of the following has programmable hardware?
A. microcontroller
B. microprocessor
C. coprocessor
D. fpga
ans: d
93. who invented the trimedia processor?
A. intel
B. ibm
C. apple
D. nxp semiconductor
ans: d
94. which one of the following is the successor of the 8086 and 8088 processors?
A. 80286
B. 80387
C. 8051
D. 8087
ans: d
95. which is the processor behind the ibm pc at?
A. 80387
B. 8088
C. 80286
D. 8086
ans: c
96. which are the two modes of 80286?
A. real mode and protected mode
B. alternate and main
C. mode a and mode b
D. mode1 and mode2
ans: a
97. which register set of 80286 forms the same register set as the 8086 processor?
A. ah,al
B. bx
C. bx,ax
D. el
ans: a
98. which are the 4 general purpose 16 bit registers in intel 80286?
A. cs,ds,ss,es
B. ax,bx,cx,dx
C. ip,fl,di,si
D. di,si,bp,sp
ans: b
99. which are the 4 segment registers in intel 80286?
A. ax,bx,cx,dx
B. as,bs,cs,ds
C. sp,di,si,bp
D. ip,fl,si,di
ans: b
100. how is expanded memory accessed in 80286?
A. paging
B. interleaving
C. ram
D. external storage
ans: a
101. when does the register set get expanded in 80286?
A. in real mode
B. in expanded mode
C. in protected mode
D. interrupt mode
ans: c
102. which are the two registers available in the protected mode of 80286?
A. general and segmented
B. general and pointer
C. index and base pointer
D. index and segmented
ans: c
103. what kind of support does 80286 access in protected mode?
A. real mode
B. address access
C. data access
D. virtual memory
ans: d
104. which of the following is a process of analyzing the set of possible designs?
A. scheduling
B. design space exploration
C. compilation
D. hardware/software partitioning
ans: a
105. in which design activity are the loops interchangeable?
A. compilation
B. high-level transformation
C. scheduling
D. hardware/software partitioning
ans: c
106. name the processor which helps in floating point calculations.
A. microprocessor
B. microcontroller
C. coprocessor
D. controller
ans: c
107. an arm processor generally enters abort mode when
A. an attempt to access memory fails
B. a low priority interrupt is raised
C. undefined instructions are to be handled
D. on reset
ans: a
108. what is the nature of the instruction size in cisc processors?
A. fixed
B. variable
C. both a and b
D. none of the above
ans: b
109. embedded systems applications typically involve processing information as
A. block level
B. logical volumes
C. distance
D. signals
ans: d
110. deadline-driven constraints are so called
A. real-time constraints
B. real-data constraints
C. deadline-driven constraints so called
D. none of above
ans: b
111. what is/are the configuration status of the control unit in risc processors?
A. hardwired
B. microprogrammed
C. both a and b
D. none of the above
ans: a
112. which one of the following are header files?
A. proc()
B. truct()
C. files
D. #include
ans: d
113. which one of the following is also called a loader?
A. linker
B. locater
C. compiler
D. assembler
ans: a
course :- emerging trends in computer and information technology
chapter 1 - internet of things
1. what are the undesirable properties of knowledge?
A. voluminous
B. difficult to characterize
C. variability
D. all of the above
ans: d
2. morphological segmentation does
A. separate words into individual morphemes and identify the class of the morphemes
B. is an extension of propositional logic
C. discourse analysis
D. none
ans: b
3. how should knowledge be represented to be used for an ai technique?
A. knowledge should be represented such that it should be understood by the people who have provided it
B. knowledge should be represented in a way that it can be easily modified
C. when two individual situations are represented, knowledge should provide generalization such that only common properties of both situations are
D. all of these
ans: d
4. how many types of entities are there in knowledge representation?
A. facts
B. symbols
C. both a and b
D. none
ans: c
5. what are the properties of a good knowledge representation system?
A. representation adequacy
B. inferential adequacy
C. inferential efficiency
D. all of these
ans: d
6. natural language processing (nlp) is a field of
A. computer science
B. artificial intelligence
C. linguistics
D. all of the mentioned
ans: d
7. what is artificial intelligence?
A. putting your intelligence into computer
B. programming with your own intelligence
C. making a machine intelligent
D. putting more memory into computer
ans: c
8. artificial intelligence has its expansion in the following application
A. planning and scheduling
B. game playing
C. robotics
D. all of the above
ans: d
19. what is the name of the computer program that contains the distilled knowledge of an expert?
A. data base management system
B. management information system
C. expert system
D. artificial intelligence
ans: d
20. claude shannon described the operation of electronic switching circuits with a system of mathematical logic called:
A. lisp
B. xlisp
C. boolean algebra
D. neural networking
ans: d
21. which of the following is considered to be a pivotal event in the history of ai?
A. 1949, donald o, the organization of behavior.
B. 1956, dartmouth university conference organized by john mccarthy
C. 1950, computing machinery and intelligence.
D. 1961, computer and computer sense.
ans: c
22. high-resolution, bit-mapped displays are useful for displaying:
A. clearer characters
B. graphics
C. more characters
D. all of the above
ans: c
23. a bidirectional feedback loop links computer modelling with:
A. artificial science
B. heuristic processing
C. human intelligence
D. cognitive science
ans: d
24. which of the following have people traditionally done better than computers?
A. recognizing relative importance
B. finding similarities
C. resolving ambiguity
D. all of the above
ans: d
25. the explanation facility of an expert system may be used to:
A. construct a diagnostic model
B. expedite the debugging process
C. explain the system's reasoning process
D. both b and c
ans: d
26. strong artificial intelligence is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer.
D. all of the mentioned
ans: b
27. which nobel laureate is also known as the father of artificial intelligence?
A. herbert a. simon
B. howard aiken
C. charles babbage
D. alan turing
ans: a
28. weak ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be considered to reflect intelligence if it were generated by humans.
C. the study of mental faculties through the use of mental models implemented on a computer.
D. all of the above
ans: c
29. who is considered to be the "father" of artificial intelligence?
A. fisher ada
B. john mccarthy
C. allen newell
D. alan turing
ans: b
30. a.m. turing developed a technique for determining whether a computer could or could not demonstrate artificial intelligence; presently, this technique is called
A. turing test
B. algorithm
C. boolean algebra
D. logarithm
ans: a
31. which of these schools was not among the early leaders in ai research?
A. dartmouth university
B. harvard university
C. massachusetts institute of technology
D. stanford university
ans: b
32. a certain professor at the stanford university coined the word 'artificial intelligence' in 1956 at a conference held at dartmouth college. can you name the professor?
A. david levy
B. john mccarthy
C. joseph weizenbaum
D. hans berliner
ans: b
33. strong ai is
A. the embodiment of human intellectual capabilities within a computer.
B. a set of computer programs that produce output that would be
C. the study of mental faculties through the use of mental models
D. all of the above
ans: a
34. mqtt stands for
A. mq telemetry things
B. mq transport telemetry
C. mq transport things
D. mq telemetry transport
ans: d
2. what are the three general categories of computer systems that can contain digital evidence?
A. desktop, laptop, server
B. personal computer, internet, mobile telephone
C. hardware, software, networks
D. open computer systems, communication
ans: d
3. in terms of digital evidence, a hard drive is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: a
4. in terms of digital evidence, a mobile telephone is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: c
5. in terms of digital evidence, a smart card is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: c
6. in terms of digital evidence, the internet is an example of:
A. open computer systems
B. communication systems
C. embedded computer systems
D. none of the above
ans: b
7. computers can be involved in which of the following types of crime?
A. homicide and sexual assault
B. computer intrusions and intellectual property theft
C. civil disputes
D. all of the above
ans: d
8. a logon record tells us that, at a specific time:
A. an unknown person logged into the system using the account
B. the owner of a specific account logged into the system
C. the account was used to log into the system
D. none of the above
ans: c
9. cybertrails are advantageous because:
A. they are not connected to the physical world
B. nobody can be harmed by crime on the internet.
C. they are easy to follow.
D. offenders who are unaware of them leave behind more clues than they otherwise would have.
ans: d
10. private networks can be a richer source of evidence than the internet because:
A. they retain data for longer periods of time.
B. owners of private networks are more cooperative with law enforcement.
C. private networks contain a higher concentration of digital evidence.
D. all of the above.
ans: c
11. due to caseload and budget constraints, often computer security professionals attempt to limit the damage and close each investigation as quickly as possible. which of the following is not a significant drawback to this approach?
A. each unreported incident robs attorneys and law enforcement personnel of an opportunity to learn about the basics of computer-related crime.
B. responsibility for incident resolution frequently does not reside with the security professional, but with management.
C. this approach results in under-reporting of criminal activity, deflating statistics that are used to allocate corporate and government spending on combating computer related crime.
D. computer security professionals develop loose evidence processing habits that can make it more difficult for law enforcement personnel and attorneys to prosecute an offender.
ans: b
18. the following specializations exist in digital investigations:
A. first responder (a.k.a. digital crime scene technician)
B. forensic examiner
C. digital investigator
D. all of the above
ans: d
19. the first tool for making forensic copies of computer storage media was:
A. encase
B. expert witness
C. dd
D. safeback
ans: c
20. one of the most common approaches to validating forensic software is to:
A. examine the source code
B. ask others if the software is reliable
C. compare results of multiple tools for discrepancies
D. computer forensic tool testing projects
ans: c
21. an instrumentality of a crime is:
A. an instrument used to commit a crime
B. a weapon or tool designed to commit a crime
C. anything that plays a significant role in a crime
D. all of the above
ans: d
22. contraband can include:
A. child pornography
B. devices or programs for eavesdropping on communications
C. encryption devices or applications
D. all of the above
ans: d
32. an attorney asking a digital investigator to find evidence supporting a particular line of inquiry is an example of:
A. influencing the examiner
B. due diligence
C. quid pro quo
D. voir dire
ans: a
33. a digital investigator pursuing a line of investigation in a case because that line of investigation proved successful in two previous cases is an example of:
A. logical reasoning
B. common sense
C. preconceived theory
D. investigator’s intuition
ans: c
34. a scientific truth attempts to identify roles that are universally true. legal judgment, on the other hand, has a standard of proof in criminal prosecutions of:
A. balance of probabilities
B. beyond a reasonable doubt
C. acquittal
D. none of the above
ans: b
35. regarding the admissibility of evidence, which of the following is not a consideration:
A. relevance
B. authenticity
C. best evidence
D. nominally prejudicial
ans: d
36. according to the text, the most common mistake that prevents evidence seized from being admitted is:
A. uninformed consent
B. forcible entry
C. obtained without authorization
D. none of the above
ans: c
37. in obtaining a warrant, an investigator must convince the judge on all of the following points except:
A. evidence of a crime is in existence
B. a crime has been committed
C. the owner or resident of the place to be searched is likely to have committed the crime
D. the evidence is likely to exist at the place to be searched
ans: c
38. if, while searching a computer for evidence of a specific crime, evidence of a new, unrelated crime is discovered, the best course of action is:
A. abandon the original search, and pursue the new line of investigation
B. continue with the original search but also pursue the new inquiry
C. stop the search and obtain a warrant that addresses the new inquiry
D. continue with the original search, ignoring the new information
ans: c
39. the process of documenting the seizure of digital evidence and, in particular, when that evidence changes hands, is known as:
A. chain of custody
B. field notes
C. interim report
D. none of the above
ans: a
40. when assessing the reliability of digital evidence, the investigator is concerned with whether the computer that generated the evidence was functioning normally, and:
A. whether chain of custody was maintained
B. whether there are indications that the actual digital evidence was tampered with
C. whether the evidence was properly secured in transit
D. whether the evidence media was compatible with forensic machines
ans: b
41. the fact that with modern technology, a photocopy of a document has become acceptable in place of the original is known as:
A. best evidence rule
B. due diligence
C. quid pro quo
D. voir dire
ans: a
42. evidence contained in a document provided to prove that statements made in court are true is referred to as:
A. inadmissible evidence
B. illegally obtained evidence
C. hearsay evidence
D. direct evidence
ans: c
43. business records are considered to be an exception to:
A. direct evidence
B. inadmissible evidence
C. illegally obtained evidence
D. hearsay evidence
ans: d
44. which of the following is not one of the levels of certainty associated with a particular finding?
A. probably
B. maybe
C. almost definitely
D. possibly
ans: b
45. direct evidence establishes a:
A. fact
B. assumption
C. error
D. line of inquiry
ans: a
46. what is one of the most complex aspects of jurisdiction when the internet is involved?
A. arranging to travel to remote locations to apprehend criminals
B. determining which court can enforce a judgment over a defendant
C. finding a court that is in two states
D. finding a federal court that can hear a civil suit
ans: b
47. in the us, to enforce a judgment over a defendant, a court must have which of the following?
A. subject matter and personal jurisdiction
B. general and limited jurisdiction
C. diversity and long arm jurisdiction
D. none of the above
ans: a
48. the miller test takes which of the following into account when determining if pornography is obscene?
A. it appeals to the public interest
B. it depicts sexual conduct in a patently offensive way
C. it lacks any monetary value
D. all of the above
ans: b
49. which of the following rights is not explicitly mentioned in the us constitution?
A. right of the people to keep and bear arms
B. right of personal privacy
C. right of the people peaceably to assemble
D. right to a speedy and public trial
ans: b
50. the definition of a “protected computer” is, according to the cfaa:
A. a computer that is used exclusively by a financial institution or the federal government.
B. a computer that is used non-exclusively by a financial institution or the federal government and the crime affects that use.
C. a computer that is used in state or foreign commerce or communication.
D. all of the above.
ans: d
51. the legislation that made the theft of trade secrets a federal crime was
A. the lanham act
B. the economic espionage act
C. the child pornography protection act
D. none of the above
ans: b
52. which state does not have a law prohibiting simple hacking – gaining unauthorized access to a computer?
A. california
B. texas
C. washington
D. none of the above
ans: d
53. the term “computer contaminant” refers to:
A. excessive dust found inside the computer case
B. viruses, worms, and other malware
C. spam e-mails
D. nigerian scam e-mails
ans: b
54. in those states with legislation addressing computer forgery, contraband in the form of “forgery devices” may include:
A. computers
B. computer equipment
C. specialized computer software
D. all of the above
ans: d
55. compelling a suspect to reveal passwords to provide access to encrypted media is considered to fall under the:
A. second amendment
B. fourth amendment
C. fifth amendment
D. seventh amendment
ans: c
56. an example of a content-related crime would be:
A. cyberstalking
B. child pornography
C. hacking
D. none of the above
ans: b
57. hacking is an example of:
A. computer-assisted crime
B. computer-related crime
C. computer-integrity crime
D. computer malfeasance crime
ans: c
58. forgery is an example of:
A. computer assisted crime
B. computer-related crime
C. computer-integrity crime
D. computer malfeasance crime
ans: a
59. in ireland, the non-fatal offences against the state act of 1997 specifically addresses:
A. computerized welfare fraud
B. cyberbullying
C. nigerian scams
D. hacking
ans: b
60. jurisdiction claims may be based on:
A. location of the perpetrator’s computer
B. location of the victim’s computer
C. location of intermediary computers
D. all of the above
ans: d
61. standard operating procedures (sops) are important because they:
A. help individuals avoid common mistakes
B. ensure that the best available methods are used
C. increase the probability that two forensic examiners will reach the same conclusions when they examine the evidence
D. all of the above
ans: d
62. the goal of an investigation is to:
A. convict the suspect
B. discover the truth
C. find incriminating evidence
D. all of the above
ans: b
63. an investigation can be hindered by the following:
A. preconceived theories
B. improperly handled evidence
C. offender concealment behavior
D. all of the above
ans: d
64. when you have developed a theory, what can you do to confirm that your hypothesis is correct?
A. predict, based on your hypothesis, where artifacts should be located
B. perform experiments to test results and rule out alternate explanations
C. conclude, based on your findings, whether the evidence supports the hypothesis
D. all of the above
ans: d
65. which of the following would be considered an individual characteristic?
A. the originating ip address in a network packet or e-mail header
B. a scratch on the glass of a flatbed scanner or digital camera lens
C. date-time stamps of files on a disk or entries in a database
D. all of the above
ans: b
66. when digital photographs containing child pornography are found on a home computer, investigators can assert that:
A. someone in the house transferred the photographs onto the computer from a disk or the internet
B. someone in the house took the photographs with a digital camera and transferred them directly onto the computer.
C. someone in the house took the photographs with a digital camera and transferred them directly onto the computer
D. none of the above.
ans: d
67. forensic examination involves which of the following:
A. assessment, experimentation, fusion, correlation, and validation
B. seizure and preservation
C. recovery, harvesting, filtering, organization, and search
D. all of the above
ans: c
68. forensic analysis involves the following:
A. assessment, experimentation, fusion, correlation, and validation
B. seizure and preservation
C. recovery, harvesting, filtering, organization, and search
D. all of the above
ans: a
69. the first step in applying the scientific method to a digital investigation is to:
A. form a theory on what may have occurred
B. experiment or test the available evidence to confirm or refute your prediction
C. make one or more observations based on events that occurred
D. form a conclusion based on the results of your findings
ans: c
70. which of the following should the digital investigator consider when arranging for the transportation of evidence?
A. should the evidence be physically in the possession of the investigator at all times?
B. will the evidence copies be shared with other experts at other locations?
C. will there be environmental factors associated with the digital media?
D. all of the above
ans: d
71. in the staircase model, why is case management shown spanning across all of the steps in the process model?
A. case documents are intangible objects that can be held.
B. case management provides stability and enables investigators to tie all relevant information together.
C. case management documents the process function.
D. none of the above.
ans: b
72. process models have their origins in the early theories of computer forensics which defined the field in terms of a ____ process
A. complicated
B. difficult
C. linear
D. polymorphic
ans: c
73. generating a plan of action and obtaining supporting resources and materials falls under which step in the digital investigation?
A. preparation
B. survey/identification
C. preservation
D. examination and analysis
ans: a
74. the process model whose goal is to completely describe the flow of information in a digital investigation is known as:
A. the physical model
B. the staircase model
C. the evidence flow model
D. the subphase model
ans: c
75. the following organizations have published guidelines for handling digital crime scenes:
A. us secret service
B. association of chief police officers
C. us department of justice
D. all of the above
ans: d
76. when a first responder encounters technology or equipment that he is not familiar with, the recommended course of action is to:
A. seize the equipment as if it were a known device
B. seek assistance from a more experienced digital investigator
C. leave that particular piece of equipment at the crime scene
D. ask the suspect for details on the equipment
ans: b
77. when preparing a questionnaire for interviewing individuals of the crime scene, which of the following should not be requested:
A. passwords
B. encryption keys
C. admission of guilt
D. details on removable storage
ans: c
78. when entering a crime scene, the initial survey should:
A. include user manuals
B. involve tracing cables
C. collect relevant data such as passwords and account details
D. all of the above
ans: d
79. examples of data that should be immediately preserved include:
A. usb drives
B. digital picture frames
C. system and network information
D. usb bracelets
ans: c
80. the crime scene preservation process includes all but which of the following:
A. protecting against unauthorized alterations
B. acquiring digital evidence
C. confirming system date and time
D. controlling access to the crime scene
ans: c
81. a thorough crime scene survey should include:
A. manuals for software applications
B. removable media
C. mobile devices
D. all of the above
ans: d
82. the challenge to controlling access to a digital crime scene is that:
A. information may be stored on internet servers in different locations
B. the computer may be shared.
C. the computer case may be locked.
D. none of the above.
ans: a
83. in the case where digital investigators dealing with distributed systems need to collect data from remote sites, the following procedure is recommended:
A. notify personnel at the remote sites to leave everything as is, and arrange for travel to the remote locations
B. notify personnel at the remote sites to shut down all systems and send the hard drives to the forensic lab
C. utilize remote forensics tools to acquire data from the remote sites’ ram as well as the hard drives
D. none of the above
ans: c
84. when presenting evidence on an organizational network, the digital investigator may require the assistance of:
A. system administrators
B. the ceo of the organization
C. the cso (chief security officer)
D. additional forensic investigators
ans: a
85. which of the following is not a safety consideration for a first responder?
A. additional personnel to control those present at the crime scene
B. protection against elf emanations from monitors
C. proper tools for disassembling and reassembling computer cases
D. protective gloves and eyewear
ans: b
86. digital investigators like to preserve every potential source of digital evidence; however, they are constrained by:
A. the law
B. resources
C. the interests of business
D. all of the above
ans: d
87. during the initial survey of a crime scene, why is it necessary to photograph or videotape the area and items of potential interest in their current state?
A. this simplifies inventorying the crime scene
B. photographing items to be seized records their actual condition, and precludes damage claims when the items are returned to the offender.
C. to record the fact that a particular item was actually found at the crime scene.
D. none of the above.
ans: c
88. why is the first step to secure the physical crime scene by removing everyone from the immediate area?
A. to prevent them from contaminating evidence
B. to prevent them from asking questions about the case before they can be interviewed
C. to give them time to fill out a personal information survey
D. to keep them from blocking the view when photographs are being taken
ans: a
89. when a piece of evidence has both a biological and a digital component, who should process it first?
A. the crime scene technician, because biological artifacts are much more fragile
B. the digital investigator, because processing the biological artifacts will destroy digital evidence
C. neither; the evidence should be preserved and transported to the lab for processing
D. both the crime scene technician and the digital investigator, in a cooperative effort, assuring that the biological evidence is collected in a way that does not damage the digital component
ans: d
90. the process of evaluating available evidence objectively, independent of the interpretations of others, to determine its true meaning is referred to as:
A. equivocal forensic analysis
B. investigative reconstruction
C. threshold assessment
D. behavioral imprints
ans: a
91. the words that an offender uses on the internet, the tools that an offender uses online, and how an offender conceals his identity and criminal activity are referred to in the text as:
A. investigation reconstruction
B. threshold assessment
C. behavioral imprints
D. crime scene analysis
ans: c
92. investigative reconstruction is composed of three different forms. which of the following is not one of those three forms?
A. functional
B. intentional
C. relational
ans: b
93. creating a histogram of times to reveal periods of high activity is an example of which form of investigative reconstruction?
A. functional
B. intentional
C. relational
D. temporal
ans: d
94. the investigation and study of victim characteristics is known as:
A. criminal profiling
B. behavioral imprints
C. victimology
D. crime scene analysis
ans: c
95. why should victimology include a thorough search of the internet for cybertrails?
A. because the internet can significantly increase the victim's risk
B. because it is well known that even traditional criminal offenses are documented on the internet.
C. because nearly everyone uses the internet.
D. none of the above.
ans: a
96. the type of report that is a preliminary summary of findings is known as:
A. sitrep
B. threshold assessment report
C. full investigative report
D. field notes
ans: b
97. according to the text, the distinguishing features of a crime scene as evidenced by the offender’s behavioral decisions regarding the victim and the offense location are known as:
A. hard evidence
B. fruit of the poison tree
C. caveat emptor
D. crime scene characteristics
ans: d
98. in crimes against individuals the ____ period leading up to the crime often contains the most important clues regarding the relationship between the offender and the victim
A. 24-hour
B. 48-hour
C. 60-minute
D. 15-minute
ans: a
99. one of the most important things to establish when a computer is directly involved in the commission of a crime is:
A. where the computer was purchased
B. what operating system is in use
C. who or what was the intended victim or target
D. none of the above
ans: c
100. an example of online behavior that puts an individual at higher risk for cyberstalking is:
A. using your real name online
B. putting personal information in your profile
C. posting photographs on a social networking page
D. all of the above
ans: d
101. in the movie home alone one of the burglars would always turn the water on in the sinks so that the house would be flooded when the owners returned. in terms of crime scene characteristics, this is an example of:
A. psychotic episode
B. signature-oriented behavior
C. modus operandi
D. vandalism
ans: b
102. the totality of choices an offender makes during the commission of a crime are referred to as:
A. the criminal’s mo
B. crime scene characteristics
C. tangible evidence
D. none of the above
ans: b
103. because seemingly minor details regarding the offender can be important, investigators should get into the habit of contemplating which of the following:
A. what the offender brought to the crime scene
B. what the offender took from the crime scene
C. what the offender changed at the crime scene
D. all of the above
ans: d
104. one reason digital investigators write threshold assessments more often than full reports is because:
A. they will be included in a final report, and so, distribute the time for final report preparation over the entire period of the investigation
B. they keep their supervisor aware of their productivity.
C. they take less time to prepare and may be sufficient to close out an investigation.
D. they serve as field notes for the investigator.
ans: c
every violent crime investigation should incorporate investigative leads likely suspects previously all the above
105 digital evidence because digital evidence may reveal: unknown crimes d
how the offender approaches and obtains control of a motives choice of weapons modus operandi signature behaviors
106 victim or target is significant because it exposes the a
offender’s:
crime scenes fall into two categories – primary and remote secondary ancillary theoretical
107 b
when reconstructing evidence surrounding a violent lay out all the work with the construct a timeline begin the process of
crime, it is generally helpful to: evidence so it can be crime scene of events from converting field
viewed in its technicians so that a digital evidence notes to a final
108 entirety better report c
understanding of the
crime is achieved
one reason not to put too much trust into those who there has always they are typically they are usually not they may be the
run the company’s computers is that: been an antagonism too busy to take the authorized to offenders.
between system time to answer your answer questions.
109 d
administrators and questions
law enforcement
although crime scenes are typically photographed, it is diagramming is a the process of the quality of none of the above.
a good idea to create diagrams of the crime scene common crime creating a diagram photographs taken
because: scene technician’s can result in a digital at the crime scene is
skill; however, it investigator noticing not known until the
110 requires continual an important item of film is developed. b
practice evidence that would
otherwise have been
missed
given the scope and consequences of violent crimes, collect only that focus only on the seek out and focus only on the
when collecting digital evidence it is advisable to: digital evidence that primary crime preserve all offender’s digital
is clearly connected scene, as searching available digital evidence, as the
to the offense the offender’s home evidence victim’s digital
111 c
and workplace evidence is usually
requires additional of little value
authorization
when swift action is needed, law enforcement searches of this exigent eminent domain mens rea
112 personnel may be permitted to conduct searches kind are permitted circumstances a
without a warrant under:
when processing the digital crime scene in a violent a good supply of more than one standard operating a good supply of
crime investigation it is important to have to electrostatic bags reliable camera for procedures for nitrile gloves
for holding sensitive photographing the processing a digital
113 ensure that all digital evidence and findings can hold c
up under close scrutiny electronic crime scene crime scene
components
the federal statute that has a provision allowing ecpa ccpa the privacy act fcra
internet service providers to disclose subscriber
114 a
information to law enforcement in exigent
circumstances is:
when reconstructing evidence surrounding a violent diagram the crime create a timeline of create a threat none of the above
115. [question stem truncated in the source] ... crime, it is generally helpful to:
A. ... scene events from digital evidence
B. ... assessment report
(the remaining options cannot be recovered from the source)
ans: b
116. a thief who has programmed and released a virus to roam a network looking for victim passwords used for online banking is an example of what offense behavior?
A. power assertive
B. profit oriented
C. power reassurance
D. anger retaliatory
ans: b
117. the case of a michigan bank robber requiring tellers to undress so he could photograph them is an example of:
A. deviant behavior
B. aberrant characteristics
C. criminal humor
D. crime scene investigative reconstruction
ans: c
118. the assessment of the victim as they relate to the offender, the crime scene, the incident, and the criminal justice system is known as:
A. threat assessment
B. signature behaviors
C. behavioral evidence analysis
D. victimology
ans: d
119. computers and mobile devices are treated as ___ crime scenes in violent crime investigations.
A. temporary
B. immediate
C. remote
D. secondary
ans: d
120. during the commission of a crime, evidence is transferred between the offender's computer and the target. this is an example of:
A. locard's exchange principle
B. sutherland's general theory of criminology
C. martin's rule
D. parkinson's rule of available space
ans: a
121. intruders who have a preferred toolkit that they have pieced together over time, with distinctive features:
A. usually have little experience and are relying on the kit
B. show little initiative, letting the tool do the work
C. are generally more experienced
D. pose less of a threat
ans: c
122. in the case of a computer intrusion, the target computer is:
A. the remote crime scene
B. the auxiliary crime scene
C. the virtual crime scene
D. the primary crime scene
ans: d
123. a computer intruder's method of approach and attack can reveal a significant amount about their:
A. skill level
B. knowledge of the target
C. intent
D. all of the above
ans: d
124. determining skill level can lead to:
A. determining the extent of the intrusion
B. likely hiding places for rootkits and malware
C. suspects
D. offense behaviors
ans: c
125. if digital investigators find an unauthorized file, they should:
A. immediately move the file to removable media
B. check for other suspicious files in the same directory
C. execute the file to determine its purpose
D. permanently delete the file
ans: b
126. remote forensic solutions can be used to access live systems, and include the ability to:
A. acquire and, sometimes, analyze memory
B. image systems without ever having to leave the lab
C. conduct examination and analysis without the need to image
D. image large systems across the internet
ans: a
127. a forensic analysis conducted on a forensic duplicate of the system in question is referred to as:
A. virtual analysis
B. clone analysis
C. post-mortem analysis
D. ex post facto analysis
ans: c
128. capturing all of the network traffic to and from the compromised system can:
A. allow the network administrators to participate in the investigation, establishing rapport for later interviews
B. reveal the source of the attack
C. seriously slow down the network, affecting normal work
D. none of the above
ans: b
129. a common technique that is highly useful and can be applied in a computer intrusion investigation is to simply focus on file system activities around the time of known events. this embodies a principle known as:
A. temporal proximity
B. timeline analysis
C. file system analysis
ans: a
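the temporal-proximity technique of question 129, as an added example (this code is not from the instructor's manual): it reads a sleuth kit body file, expands every entry into its MACB timestamp events, and keeps only the events that fall within a window around a known event time. the body-file lines, the paths and the epoch values are constructed for illustration; the body format itself is the one `fls -m` / `ils -m` write.

```python
"""Temporal-proximity filter over a Sleuth Kit body file.

Added example, not taken from the instructor's manual. The body-file lines
are constructed for illustration; the format (MD5|name|inode|mode|UID|GID|
size|atime|mtime|ctime|crtime, epoch seconds) is the one written by
`fls -m` / `ils -m`, and a zero timestamp means "not set".
"""
from datetime import datetime, timezone

# Constructed sample: a web server where an intrusion is known (from an IDS
# alert, say) to have happened around epoch 1700000300.
BODY_FILE = """\
0|/var/log/auth.log|1001|r/rrw-r--r--|0|0|4096|1700000000|1700000100|1700000100|1699990000
0|/tmp/.x/rk.tar.gz|2002|r/rrw-r--r--|0|0|52000|1700000300|1700000290|1700000290|1700000290
0|/usr/bin/ls|3003|r/rrwxr-xr-x|0|0|130000|1700000320|1700000310|1700000310|1690000000
0|/home/alice/report.doc|4004|r/rrw-r--r--|1000|1000|90000|1690000000|1690000000|1690000000|1690000000
0|/etc/ld.so.preload|5005|r/rrw-r--r--|0|0|30|1700000315|1700000315|1700000315|1700000315
"""

TIMESTAMP_FIELDS = ("atime", "mtime", "ctime", "crtime")


def parse_body(text):
    """Expand each body line into one (epoch, kind, path) event per MACB time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"malformed body line: {line!r}")
        path = fields[1]
        for kind, raw in zip(TIMESTAMP_FIELDS, fields[7:11]):
            ts = int(raw)
            if ts:  # skip unset timestamps
                events.append((ts, kind, path))
    events.sort()  # chronological; ties broken by kind, then path
    return events


def near(events, known_ts, before=300, after=300):
    """Events falling within [known_ts - before, known_ts + after] seconds."""
    lo, hi = known_ts - before, known_ts + after
    return [e for e in events if lo <= e[0] <= hi]


def touched_paths(events, known_ts, **window):
    """Distinct paths with activity in the window, in first-seen order."""
    seen = []
    for _, _, path in near(events, known_ts, **window):
        if path not in seen:
            seen.append(path)
    return seen


def render(events):
    """Human-readable timeline lines (UTC)."""
    return [
        f"{datetime.fromtimestamp(ts, tz=timezone.utc):%Y-%m-%d %H:%M:%S} {kind:6} {path}"
        for ts, kind, path in events
    ]


if __name__ == "__main__":
    evs = parse_body(BODY_FILE)
    for line in render(near(evs, 1700000300)):
        print(line)
```

with the default five-minute window the unrelated document touched weeks earlier drops out, and what remains is the dropped archive, the replaced `ls` binary and the `ld.so.preload` hook, in order. narrowing the window is the usual next step once a pivot point is identified.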
130. the registry key hklm\software\microsoft\windows\currentversion (in particular its run and runonce subkeys) is one of the most common locations for:
A. new software entries
B. time and date information
C. trojans
D. a list of recently run programs
ans: c
131. when collecting data from a compromised computer, consideration should be given to collecting the ___ data first.
A. cmos
B. most volatile
C. magnetic
D. optical
ans: b
132. the forensic examiner needs to be aware that the process of collecting memory:
A. is seldom useful and not often called for
B. can take an extremely long period of time
C. is only needed for standalone systems
D. changes the contents of memory
ans: d
133. a more thorough method of collecting specific volatile data from a computer is to:
A. examine the specific memory addresses
B. collect the full contents of physical memory
C. selectively collect contents of live memory
D. take screenshots
ans: b
134. why are "non-volatile" storage locations contained in the rfc 3227 "order of volatility"?
A. this is an old rfc and has not been updated
B. no form of data storage is permanent
C. an rfc is a request for comments, and corrections are expected
D. none of the above
ans: b
135. the first state in the united states to enact a law to deal with cyberstalkers was:
A. texas
B. hawaii
C. california
D. new york
ans: c
136. the first cyberstalking law in the us was passed in:
A. 1985
B. 1990
C. 1995
D. 2000
ans: b
137. stalkers want to exert power over their victims, primarily through:
A. fear
B. anxiety
C. autosuggestion
D. peer pressure
ans: a
138. a stalker's ability to frighten and control a victim increases with the amount of information that he can gather, such as:
A. telephone numbers
B. addresses
C. personal preferences
D. all of the above
ans: d
139. stalkers have taken to the internet because:
A. the cost of an internet connection has dropped considerably
B. they depend heavily on information, and the internet contains vast amounts
C. they no longer have to go out to do their stalking
D. none of the above
ans: b
140. an implication from studies indicating that many stalkers had prior acquaintance with their victims is that:
A. part of the blame can be assigned to the victim
B. the offender is likely to be found in the same area as the victim
C. investigators should pay particular attention to acquaintances of the victim
D. investigators should always check the immediate family
ans: c
141. an excellent set of guidelines developed specifically for victims of stalking is available from:
A. the national center for victims of crime
B. the national white collar crime center
C. the department of justice
D. the national institute of justice
ans: a
142. when a cyberstalking case is stalled, it is a good idea to interview the victim again, because:
A. the victim might have been withholding information during the first interview
B. the information that investigators have gathered might help the victim recall additional details
C. the time between the first and second interviews has given the victim time to seek counseling
D. none of the above
ans: b
143. in determining how and why the offender selected a specific victim, the investigator should determine whether the cyberstalker:
A. knew the victim
B. learned about the victim through a personal web page
C. noticed the victim in a chat room
D. all of the above
ans: d
144. a key aspect of developing victimology is determining victim and offender ___.
A. hobbies
B. likes and dislikes
C. risks
D. roles
ans: c
145. when searching for evidence of cyberstalking, it is useful to distinguish between an offender's harassing behaviors and ___ behaviors.
A. grooming
B. surreptitious monitoring
C. initial contact
D. congenial
ans: b
146. that part of cyberstalking where the offender is using the internet to find a victim is known as:
A. profiling
B. trolling
C. surreptitious monitoring
D. none of the above
ans: c
147. when a cyberstalker chooses victims at random, he is said to be an:
A. opportunistic stalker
B. power assertive stalker
C. profit-oriented stalker
D. none of the above
ans: a
148. the initial stage in a cyberstalking investigation is to:
A. search for additional digital evidence
B. analyze crime scene characteristics
C. conduct victimology and risk assessments
D. interview the victim
ans: d
149. it is extremely important for the investigator to be extremely cautious when dealing with a stalking case because:
A. if the victim becomes offended by the investigator's methods, she is likely to go file a complaint
B. if the investigation is conducted too openly, the offender may stop the harassment and move on to another victim
C. the victim must be protected, in case the offender decides to escalate to physical violence
D. the victims frequently become emotionally attached to the investigator
ans: c
150. which of the following is not part of the set of forensic methodologies referenced in this book?
A. preparation
B. interdiction
C. documentation
D. reconstruction
ans: b
151. preparation planning prior to processing a crime scene should include:
A. what computer equipment to expect at the site
B. what the systems are used for
C. whether a network is involved
D. all of the above
ans: d
152. the forensic crime scene processing kit should include all of the following, except:
A. evidence bags, tags, and other items to label and package evidence
B. forensically sanitized hard drives to store acquired data
C. compilers for developing forensic tools on site
D. hardware write blockers
ans: c
153. when processing the digital crime scene, one aspect of surveying for potential sources of digital evidence is:
A. recognizing relevant hardware such as computers, removable media, etc.
B. determining if electrical wiring is capable of supporting forensic machines
C. confirming that the operating environment is suitable for electronic equipment
D. making sure there is sufficient space to set up the forensic crime scene processing kit
ans: a
154. the ___ documentation specifies who handled the evidence, when, where, and for what purpose.
A. evidence inventory
B. chain of custody
C. evidence intake
D. preservation notes
ans: b
155. when documenting a crime scene, the computer and surrounding area should be photographed, detailed sketches should be made, and copious notes should be taken, because:
A. the more evidence collected, the stronger the case
B. this provides a record for what to look for when you return for the second visit
C. it is prudent to document the same evidence in several ways
D. all of the above
ans: c
156. in regard to preservation, in a child pornography investigation, which of the following should be collected?
A. photographs
B. papers
C. digital cameras
D. all of the above
ans: d
157. if it is determined that some hardware should be collected, but there is no compelling need to collect everything, the most sensible approach is to employ the:
A. nearest reach doctrine
B. direct connectivity doctrine
C. independent component doctrine
D. slice-the-pie doctrine
ans: c
158. according to the us federal guidelines for searching and seizing computers, safe temperature ranges for most magnetic media are:
A. 60-80 degrees fahrenheit
B. 50-90 degrees centigrade
C. 50-90 degrees fahrenheit
D. 60-80 degrees centigrade
ans: c
159. which of the following is not an artifact that will be irrevocably lost if the computer is shut down?
A. running processes
B. open network ports
C. data stored in memory
D. system date and time
ans: d
160. which of the following is not one of the recommended approaches to preserving digital evidence?
A. place the evidential computers and storage media in secure storage for later processing
B. preview the evidential computer, taking appropriate notes
C. extract just the information needed from evidential computers and storage media
D. acquire everything from evidential computer and storage media
ans: b
161. the reason unix "dd" is considered a de facto standard for making bitstream copies is:
A. the majority of tools for examining digital evidence can interpret bitstream copies
B. "dd" stands for "digital data" and was developed for making forensic copies
C. "dd," although a unix tool, is universally able to traverse windows file systems
D. the developers of "dd" have made arrangements with other forensic software companies
ans: a
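what a bitstream copy in the sense of question 161 actually is, and how the hash that establishes its authenticity is produced and re-checked, as an added example (not code from the instructor's manual): it reproduces in python the behaviour of `dd if=/dev/sdX of=image.dd bs=512 conv=noerror,sync`, including the zero-filled block that keeps later offsets aligned when a sector cannot be read. the "device" is a constructed in-memory object with one simulated bad sector; `FlakyDevice`, `BLOCK` and the sample contents are assumptions for illustration.

```python
"""Bitstream (sector-for-sector) copy with read-error handling and hash
verification.

Added example, not from the instructor's manual. It reproduces in Python
what `dd if=/dev/sdX of=image.dd bs=512 conv=noerror,sync` does: every
block is copied, a block that cannot be read is replaced by zeros of the
same size (so later offsets still line up with the source), and the image
is hashed so a later re-read can be compared against it. The "device" is
a constructed in-memory object with one simulated unreadable sector.
"""
import hashlib
import io

BLOCK = 512


class FlakyDevice:
    """Constructed stand-in for a raw block device; block `bad_block` errors."""

    def __init__(self, data, bad_block=None):
        self._buf = io.BytesIO(data)
        self.size = len(data)
        self.bad_block = bad_block

    def read_block(self, index):
        if index == self.bad_block:
            raise OSError("Input/output error")
        self._buf.seek(index * BLOCK)
        return self._buf.read(BLOCK)


def make_sample_device():
    """Three full sectors plus a 100-byte tail; sector 2 is unreadable."""
    data = (
        b"BOOT".ljust(BLOCK, b"A")
        + b"FILE1".ljust(BLOCK, b"B")
        + b"BADSECTOR".ljust(BLOCK, b"C")
        + b"DELETED FILE REMNANT".ljust(100, b"D")  # partial last block
    )
    return FlakyDevice(data, bad_block=2)


def image_device(dev):
    """Return (image_bytes, list_of_bad_block_indexes)."""
    out = bytearray()
    bad = []
    nblocks = (dev.size + BLOCK - 1) // BLOCK
    for i in range(nblocks):
        try:
            chunk = dev.read_block(i)
        except OSError:  # conv=noerror: record it and keep going
            bad.append(i)
            chunk = b""
        out += chunk.ljust(BLOCK, b"\x00")  # conv=sync: pad to a full block
    return bytes(out), bad


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_image(dev, image, bad):
    """Re-read the source (treating known-bad blocks as zeros) and compare
    its hash with the image hash, as an examiner does after acquisition."""
    h = hashlib.sha256()
    for i in range(len(image) // BLOCK):
        if i in bad:
            h.update(b"\x00" * BLOCK)
        else:
            h.update(dev.read_block(i).ljust(BLOCK, b"\x00"))
    return h.hexdigest() == sha256_hex(image)


if __name__ == "__main__":
    dev = make_sample_device()
    img, bad = image_device(dev)
    print(f"{len(img)} bytes imaged, unreadable blocks: {bad}")
    print("sha256:", sha256_hex(img))
    print("verified:", verify_image(dev, img, bad))
```

the image is a plain byte-for-byte copy, which is exactly why any examination tool can open it (option a): there is no container format to agree on. the list of unreadable blocks belongs in the acquisition notes, since the zeros at those offsets are the examiner's, not the suspect's.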
162. regarding the examination of a piece of digital evidence, which of the following is not one of the fundamental questions that need to be answered?
A. what is it (identification)?
B. what classifications distinguish it?
C. where did it come from?
D. what is its value?
ans: d
163. which of the following issues is not one that a forensic examiner faces when dealing with windows-based media?
A. invasive characteristics of the windows environment
B. the facility in the standard windows environment for mounting a hard drive as read-only
C. the location, organization, and content of windows system log files
D. available methods for recovering data from windows media
ans: b
164. forensically acceptable alternatives to using a windows evidence acquisition boot disk include all but which of the following?
A. linux boot floppy
B. fire bootable cd-rom
C. booting into safe mode
D. hardware write blockers
ans: c
165. the standard windows environment supports all of the following file systems except:
A. fat16
B. ext2
C. fat32
D. ntfs
ans: b
166. before evidentiary media is "acquired," forensic examiners often ___ the media to make sure it contains data relevant to the investigation.
A. hash
B. preview
C. validate
D. analyze
ans: b
167. log files are used by the forensic examiner to associate system events with specific:
A. user accounts
B. verify the integrity of the file system
C. confirm login passwords
D. determine if a specific individual is the guilty party
ans: a
168. the windows nt event log appevent.evt:
A. contains a log of application usage
B. records activities that have security implications, such as logins
C. notes system events such as shutdowns
D. none of the above
ans: a
169. when examining a windows registry key, the "last write time" indicates:
A. the last time regedit was run
B. when a value in that registry key was altered or added
C. the current system time
D. the number of allowable changes has been exceeded
ans: b
170. file system traces include all of the following except:
A. metadata
B. cmos settings
C. swap file contents
D. data object date-time stamps
ans: b
171. when a file is moved within a volume, the last accessed date-time:
A. is unchanged
B. changes if a file is moved to a different directory
C. changes if a file is moved to the root directory
D. is unchanged; however, the created date-time does change
ans: a
172. internet traces may be found in which of the following categories?
A. web browser cache
B. instant messenger cache
C. cookies
D. all of the above
ans: d
173. the windows nt event log secevent.evt:
A. contains a log of application usage
B. records activities that have security implications, such as logins
C. notes system events such as shutdowns
D. none of the above
ans: b
174. which of the following is not one of the methods mobile devices use to communicate?
A. fddi
B. telecommunication networks
C. wifi access points
D. bluetooth piconets
ans: a
175. one major advantage of mobile devices from a forensic perspective is that:
A. people very seldom delete information from mobile devices
B. the process for deleting information is much more complicated than for adding information, and users frequently don't delete things correctly
C. flash memory is deleted block-by-block, and mobile devices generally wait for a block to be full before it is deleted
D. manufacturers reserve a part of memory for storing deleted items
ans: c
176. the reason that malware developers are beginning to target mobile devices is:
A. because available memory is much smaller and the operating system is much less sophisticated on mobile devices, it is much easier to develop malicious code
B. the malware market has become very crowded and developers are looking for new avenues
C. since the coding is much simpler on mobile devices, many new programmers are trying this particular platform
D. since mobile devices are used more and more for online banking and making purchases, they have become prime targets for computer criminals
ans: d
177. software designed to monitor activities on mobile devices has come to be called:
A. malware
B. spouseware
C. trojan defense
D. none of the above
ans: b
178. one of the dangers (from a forensic standpoint) of mobile devices is:
A. connected networks can contain investigatively useful information
B. network service providers may provide information for comparison with data extracted from a mobile device
C. connected networks can enable offenders to delete data remotely
D. network service providers may provide additional historical call records
ans: c
179. one of the difficulties unique to forensic processing of mobile devices is:
A. md5 hashes must be calculated for data recovered from mobile devices
B. documentation must show continuous possession and control
C. an investigator must make a calculated decision to either prevent or allow the device to receive new data over wireless networks
D. any issues encountered with processing the device should be documented
ans: c
180. powering down a mobile device and removing the battery may cause problems in that:
A. when the battery is removed from a mobile device, the information in memory is lost
B. doing so may activate security measures such as lock codes and encryption
C. the process of removing the battery can cause a capacitive discharge, destroying the device
D. you now have two pieces of evidence, which have to be documented
ans: b
181. which of the following are methods for preserving mobile devices by isolating them from the networks?
A. reconfigure the device to prevent communication from the network
B. place the device in an rf-shielded pouch
C. jam rf signaling in the immediate area
D. all of the above
ans: d
182. why is it important to collect charging cables when seizing mobile devices?
A. mobile device batteries have a limited charge life span, and the device will need a charger to maintain the battery until the device can be processed
B. to reduce owner complaints about missing cables when, at some point, seized devices are returned
C. in those cases where evidence seized is forfeit, you want to make sure you have everything you need to operate the device
D. none of the above
ans: a
183. which of the following is not one of the currently available methods for extracting data from mobile devices?
A. manual operation via user interface
B. logical acquisition via communication port
C. connecting the communication port directly to an output device such as a printer
D. physical acquisition via the communication port
ans: c
184. forensic examiners should be aware that a mobile device with a blank or broken display:
A. may as well be thrown away, as no data will be recovered from it
B. may only indicate that the screen is damaged, and it may still be possible to extract data
C. may require that the mobile device be sent out to the manufacturer for repairs
D. none of the above
ans: b
185. a peculiarity of mobile devices is the format in which they store sms messages, which is:
A. ascii
B. unicode
C. gsm 7-bit
D. baudot
ans: c
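what "gsm 7-bit" in question 185 means in bytes, and why it matters to an examiner, as an added example (not code from the instructor's manual): each character is a 7-bit septet and eight septets are packed into seven bytes, so a keyword search for plain ascii over a raw sim or handset dump never hits the message text. the alphabet table is the gsm 03.38 basic table; the extension table (reached through the 0x1b escape) is deliberately not handled, and the 10-character test string with its packed form is the standard's own worked example.

```python
"""GSM 03.38 7-bit packing, as used for SMS text in the SIM/handset.

Added example, not from the instructor's manual. It shows why an ASCII
string search over a raw SMS dump misses messages: each character is a
7-bit septet and eight of them are packed into seven bytes, so the stored
bytes never contain the plain text. The 10-character test string and its
packed form come from the standard's own worked example.
"""

# GSM default alphabet, index = 7-bit code (0x00..0x7F). Basic table only;
# the 0x1B escape to the extension table (e.g. '€', '[', ']') is not handled.
ALPHABET = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
if len(ALPHABET) != 128:
    raise RuntimeError("alphabet table must have exactly 128 entries")
CODE = {ch: i for i, ch in enumerate(ALPHABET)}


def gsm7_encode(text):
    """Pack text into 7-bit septets, LSB-first, as GSM 03.38 specifies."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        if ch not in CODE:
            raise ValueError(f"{ch!r} not in GSM default alphabet")
        acc |= CODE[ch] << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:  # trailing partial byte, high bits zero-padded
        out.append(acc & 0xFF)
    return bytes(out)


def gsm7_decode(data, septets=None):
    """Unpack septets. `septets` is the TP-UDL count from the PDU; without it
    the count is inferred, which is ambiguous when 8 characters fit exactly
    in 7 bytes (a trailing '@' is indistinguishable from padding)."""
    if septets is None:
        septets = len(data) * 8 // 7
    acc, nbits, chars = 0, 0, []
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(chars) < septets:
            chars.append(ALPHABET[acc & 0x7F])
            acc >>= 7
            nbits -= 7
    return "".join(chars)


def ascii_search_finds(packed, needle):
    """What a naive `strings`/grep over the raw dump would see."""
    return needle.encode("ascii") in packed


if __name__ == "__main__":
    packed = gsm7_encode("hellohello")
    print(packed.hex())  # e8329bfd4697d9ec37
    print(gsm7_decode(packed), ascii_search_finds(packed, "hello"))
```

the septet count (TP-UDL in the PDU) is worth carrying along during extraction: a seven-character message and an eight-character one ending in "@" pack to the same seven bytes, so decoding from the bytes alone cannot tell them apart.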
186. the primary reason that brute-force methods are not used when trying to access a sim card with the pin set is:
A. a four-digit pin represents 10,000 possible combinations
B. after three failed attempts, the sim card will become locked
C. pin disclosure by the offender can be required by a court order
D. none of the above
ans: b
187. an understanding of networks helps with which of the following:
A. establishing continuity of offense
B. tracking down offenders
C. understanding traces of online activities left on a pc
D. all of the above
ans: d
188. when a windows system connects to a shared folder on another windows machine on the internet, which of the following protocols are used?
A. tcp/ip
B. smb
C. netbios
D. all of the above
ans: d
189. hosts that connect two or more networks are called:
A. routers
B. switches
C. hubs
D. all of the above
ans: a
190. which of the following are layer 7 protocols?
A. ethernet
B. http
C. tcp
D. all of the above
ans: b
191. ethernet uses which of the following technologies?
A. cdpd
B. csma/cd
C. cdma
D. all of the above
ans: b
192. another name for a hub is:
A. switch
B. router
C. concentrator
D. nic
ans: c
193. currently, the most widely used internet protocols are:
A. tcp
B. udp
C. ip
D. all of the above
ans: d
194. the osi reference model divides internets into seven layers. choose the correct order, by layer:
A. transport, session, network, presentation, data-link, application, physical
B. presentation, data-link, application, physical, transport, session, network
C. physical, data-link, network, transport, session, presentation, application
D. data-link, network, session, application, physical, network, session
ans: c
195. the layer that actually carries data via cables or radio signals is the:
A. transport layer
B. physical layer
C. network layer
D. data-link layer
ans: b
196. a hub joins hosts at the physical level whereas a switch joins them at the ___ layer.
A. transport
B. physical
C. network
D. data-link
ans: d
197. the layer responsible for managing the delivery of data is the:
A. application layer
B. presentation layer
C. transport layer
D. session layer
ans: c
198. which of the following network technologies uses a fiber-optic medium?
A. ethernet
B. fddi
C. asynchronous transfer mode
D. 802.11
ans: b
199. preservation of digital evidence can involve which of the following?
A. collecting computer hardware
B. making a forensic image of storage media
C. copying the files that are needed from storage media
D. all of the above
ans: d
200. a forensic image of a drive preserves which of the following?
A. memory contents
B. file slack and unallocated space
C. system date and time
D. screen contents
ans: b
201. examination of digital evidence includes (but is not limited to) which of the following activities?
A. seizure, preservation, and documentation
B. recovery, harvesting, and reduction
C. experimentation, fusion, and correlation
D. arrest, interviewing, and trial
ans: b
202. analysis of digital evidence includes which of the following activities?
A. seizure, preservation, and documentation
B. recovery, harvesting, and reduction
C. experimentation, fusion, and correlation
D. arrest, interviewing, and trial
ans: c
203. evidence can be related to its source in which of the following ways?
A. top, middle, bottom
B. ip address, md5 value, filename, date-time stamps
C. production, segment, alteration, location
D. parent, uncle, orphan
ans: c
204. when a website is under investigation, before obtaining authorization to seize the systems it is necessary to:
A. determine where the web servers are located
B. inform personnel at the web server location that you'll be coming to seize the systems
C. conduct a reconnaissance probe of the target website
D. none of the above
ans: a
205. which of the following is not an information gathering process?
A. scanning the system remotely
B. studying security audit reports
C. attempting to bypass logon security
D. examining e-mail headers
ans: c
206. unlike law enforcement, system administrators are permitted to ___ on their network when it is necessary to protect the network and the data it contains.
A. open unread e-mails
B. monitor network traffic
C. modify system logs
D. divulge user personal information
ans: b
207. although it was not designed with evidence collection in mind, ___ can still be useful for examining network traffic.
A. encase
B. ftk
C. wireshark
D. chkdsk
ans: c
208. issues to be aware of when connecting to a computer over a network and collecting information include:
A. creating and following a set of standard operating procedures
B. keeping a log of actions taken during the collection process
C. documenting which server actually contains the data that's being collected
D. all of the above
ans: d
209. occasionally, an intrusion detection system may trigger an alarm caused by an innocent packet that coincidentally contains intrusion class characteristics. this type of alert is called a:
A. false warning
B. failsafe
C. def con
D. false positive
ans: d
210. information security professionals submit samples of log files associated with certain intrusion tools to help others detect attacks on the mailing lists at:
A. bugtraq
B. sam spade
C. cnet
D. security focus
ans: a
211. which of the following are situations where a bitstream copy may not be viable?
A. the hard drive is too large to copy
B. the system cannot be shut down
C. the digital investigator does not have authority to copy the entire drive
D. all of the above
ans: d
212. who is authorized to conduct online undercover investigations when child pornography is involved?
A. anyone
B. computer security professionals
C. journalists
D. law enforcement
ans: d
213. which of the following internet services can be used to exchange illegal materials?
A. irc
B. usenet
C. kazaa
D. all of the above
ans: d
214. what are two of the most useful headers for determining the origination of usenet messages?
A. from and message-id
B. nntp-posting-host and x-trace
C. path and subject
D. rfc1036 and rfc2980
ans: b
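how the headers in question 214 are actually read off an article, as an added example (not code from the instructor's manual): nntp-posting-host and x-trace are inserted by the news server that accepted the post, and path is prepended hop by hop, so its rightmost element is the injecting site; from and message-id, by contrast, are under the poster's control. the two articles below are constructed, and every host name, ip address and path element in them is invented for illustration; the exact x-trace format varies by server software, so treating its first token as the server name and the first dotted-quad as the client address is an assumption.

```python
"""Pull origin headers out of a Usenet (NNTP) article.

Added example, not from the instructor's manual. Both articles below are
constructed; host names, IP addresses and Path elements are invented.
NNTP-Posting-Host and X-Trace are injected by the news server that
accepted the post; Path is prepended hop-by-hop, so its rightmost
element is the injecting site. From: and Message-ID: are poster-supplied.
"""
from email.parser import HeaderParser
import re

SAMPLE_ARTICLE = """\
Path: news.example.net!feeder.example.org!news.isp.example!not-for-mail
From: anon <anon@example.invalid>
Newsgroups: alt.test
Subject: test
Date: Tue, 3 Sep 2002 10:00:00 +0000
Message-ID: <abc123@news.isp.example>
NNTP-Posting-Host: 203.0.113.45
X-Trace: news.isp.example 1031047200 12345 203.0.113.45 (3 Sep 2002 10:00:00 GMT)
X-Complaints-To: abuse@isp.example

body text
"""

# Same poster-supplied headers, but relayed by a server that strips the
# client-identifying headers: only Path is left to work from.
SAMPLE_NO_TRACE = """\
Path: news.example.net!feeder.example.org!anon-relay.example!not-for-mail
From: anon <anon@example.invalid>
Newsgroups: alt.test
Subject: test
Message-ID: <abc123@news.isp.example>

body text
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_article(text):
    """Headers only; HeaderParser stops at the blank line before the body."""
    return HeaderParser().parsestr(text)


def origin_info(text):
    msg = parse_article(text)
    path = msg.get("Path", "")
    hops = [h for h in path.split("!") if h and h != "not-for-mail"]
    xtrace = msg.get("X-Trace", "")
    xtrace_ip = IPV4.search(xtrace)
    return {
        "posting_host": msg.get("NNTP-Posting-Host"),
        "x_trace_server": xtrace.split()[0] if xtrace else None,
        "x_trace_ip": xtrace_ip.group(0) if xtrace_ip else None,
        "injecting_site": hops[-1] if hops else None,
        "message_id": msg.get("Message-ID"),
    }


def corroborated(info):
    """True when the two server-added headers agree on the client address."""
    return info["posting_host"] is not None and info["posting_host"] == info["x_trace_ip"]


if __name__ == "__main__":
    for article in (SAMPLE_ARTICLE, SAMPLE_NO_TRACE):
        info = origin_info(article)
        print(info, "corroborated:", corroborated(info))
```

when the second case is all that is available, the injecting site's own logs (and the message-id's host part, which that site usually generated) are the next request, and the stylometric fallbacks of question 217 come after that.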
215. what information should you document when searching for evidence on the web?
A. date/time of search, search engine and terms used, address of pertinent results
B. screenshots of significant search results
C. downloaded copies of the webpages and their calculated md5 values
D. all of the above
ans: d
216. why is it important to hide your identity when conducting an online investigation?
A. to reduce the risk of alerting the offender
B. to get yourself in the mindset of covert web investigating
C. to make it easier for you to determine the offender's location
D. all of the above
ans: a
217. when it is not possible to determine the identity of the author of a usenet message using ip addresses in the header, what else can you do to learn more about the author?
A. look for unusual signature and use of language
B. search the web using distinctive aspects of posts
C. look for similar usenet messages posted using an alias
D. all of the above
ans: d
218. what characteristics of irc make it attractive to criminals?
A. irc enables them to exchange illegal materials with other criminals
B. irc provides them with some level of anonymity
C. irc gives them direct, "live" access to a large pool of potential victims
D. all of the above
ans: d
219. which of the following enables a user to connect to irc and run irc fserves without disclosing their ip address?
A. freenet
B. psybnc bot
C. fserve
D. all of the above
ans: b
220. which of the following applications leave traces of internet activities on a personal computer?
A. internet explorer
B. kazaa
C. irc
D. all of the above
ans: d
221. which of the following tools can reconstruct tcp streams?
A. tcpdump
B. wireshark
C. snoop
D. encase
ans: b
222. what peer-to-peer clients use the fasttrack network?
A. kazaa
B. grokster
C. imesh
D. all of the above
ans: d
223. webwhacker and httrack are examples of tools that:
A. search the web
B. deface websites
C. capture websites
D. launch websites
ans: c
224. metaverseink is a:
A. search tool (people or things) for virtual worlds
B. newsgroup aggregator
C. social networking meta-tool
D. file-sharing peer-to-peer network
ans: a
225. second life is one of the better known:
A. research websites
B. archive websites
C. virtual worlds
D. web-based game shows
ans: c
226. synchronous chat networks are particularly conducive to criminal activity because of their:
A. privacy
B. immediacy
C. impermanence
D. all of the above
ans: d
227. what is the maximum cable length for a 10baset network segment?
A. 10 feet
B. 100 feet
C. 10 meters
D. 100 meters
ans: d
228. what is the approximate theoretical maximum number of bytes that can be downloaded in one minute on a 10baset network?
A. 10 mb
B. 75 mb
C. 100 mb
D. 175 mb
ans: b (10 mbit/s × 60 s = 600 mbit = 75 mb)
229. which of the following commands can be used to obtain the mac address of a remote windows computer?
A. netstat
B. ping
C. nbtstat
D. traceroute
ans: c
230. what is the maximum cable length for a 10base5 segment?
A. 100 feet
B. 500 feet
C. 100 m
D. 500 m
ans: d
231. arp stands for:
A. address resource protection
B. advanced retrieval protocol
C. address resolution protocol
D. added resource processing
ans: c
232. the best operating system for capturing network traffic on high-speed networks is:
A. microsoft dos/windows
B. openbsd/freebsd
C. linux
D. solaris
ans: b
233. which of the following applications is used to capture network traffic?
A. snort
B. wireshark
C. tcpdump
D. all of the above
ans: d
234. how many bytes per packet does tcpdump capture by default?
A. 10 bytes
B. 68 bytes
C. 128 bytes
D. 1024 bytes
ans: b (the historical default; tcpdump 4.0 and later capture whole packets unless a snaplen is given with -s)
235. which of the following tools can reconstruct tcp streams?
A. tcpdump
B. wireshark
C. snoop
D. encase
ans: b
236. the transmission method in which only one computer can transmit while all the others listen is known as:
A. baseband
B. narrowband
C. broadband
D. sideband
ans: a
237. although arp is part of tcp/ip, it is generally considered a part of the ___ layer.
A. physical
B. data-link
C. network
D. transport
ans: b
238. the form of arp that atm uses to discover mac addresses is known as:
A. arpatm
B. atmarp
C. macatm
D. atmmac
ans: b
239. tcp is an abbreviation for:
A. transit communication protocol
B. transportation cost product
C. transport control protocol
D. time communication protocol
ans: c (the expansion used in the standards is transmission control protocol)
240. what system is used to convert ip addresses to their associated names?
A. tcp/ip
B. dns
C. arp
D. routing
ans: b
241. what protocol does the "ping" command use?
A. tcp
B. ip
C. icmp
D. all of the above
ans: c
242. which of the following logs record the ip addresses of computers accessing an ftp server?
A. wtmp
B. xferlog
C. syslog
D. access log
ans: b
243. in addition to the ip address of the sender, smtp e-mail server logs contain which of the following?
A. the message id
B. the time the message was received
C. the name of the sender
D. all of the above
ans: d
digital evidence and computer crime, third edition
instructor's manual
by samuel norris
contents
part 4 – computers
chapter 15 – computer basics for digital investigators
chapter 16 – applying forensic science to computers
chapter 17 – digital evidence on windows systems
chapter 18 – digital evidence on unix systems
chapter 19 – digital evidence on macintosh systems
chapter 20 – digital evidence on mobile devices
objectives
on completion of this chapter, the student will
- recognize that there will be a digital component in nearly every crime.
- be able to list some of the ways criminals use technology.
- recognize that increased use of technology increases evidence.
- be able to define “digital evidence.”
- be aware of who is concerned with proper processing of digital evidence.
- recognize how digital forensics has changed over time.
- recognize the purpose and importance of “best practices” and accepted standards.
- be able to define “digital forensics.”
- be aware of how locard’s exchange principle applies to digital forensics.
- recognize the difference between class characteristics and individual characteristics.
- recognize that evidence preservation is not an absolute.
- be aware of the steps to authenticate evidentiary data.
- recognize the need for documenting “continuity of possession.”
- be aware that hashing is an accepted method of establishing authenticity of data.
- recognize the need for objectivity on the part of the examiner.
- recognize that repeatability is a requirement of forensic soundness.
- recognize that digital evidence is volatile.
- be aware that digital data is seen through one or more layers of abstraction.
- recognize that “evidence dynamics” will affect the state of the digital crime scene.
- recognize the role that applied research plays in digital forensics.
digital evidence has come to play some part in virtually every crime. it would, in fact, be difficult to describe a crime scene that does not have a digital element. criminals have always found ways to use technology to their own ends, and digital technology is no different. there is an upside to this: the more digital technology is used, the more likely it is that there will be resulting digital evidence.
digital forensics has undergone a number of changes, from little more than looking at the hexadecimal values on floppy media to automated forensic tools that process terabytes of data in search of digital evidence.
digital evidence is the target of the forensic examiner, who pursues those digital elements that support (or refute) a particular scenario. however, if the evidence is to be used in court, the collection and processing must adhere to strict rules of evidence. therefore, it is important that everyone who is involved in the legal process (law enforcement, attorneys, and the judiciary) understands the concepts of digital forensics and adheres to best practices and standard procedures.
one such concept is locard's exchange principle, which proposes that something is taken and something is left behind when someone enters a crime scene. the same is true with digital
digital forensics methodology is constantly in flux: the "bad guys" figure out some way to exploit a new technology and the "good guys" develop tools to capture and document the exploit. that is the way it has always been and always will be.
2. what are the three general categories of computer systems that can contain digital
evidence?
a. desktop, laptop, server
b. personal computer, internet, mobile telephone
c. hardware, software, networks
d. open computer systems, communication systems, embedded systems
10. private networks can be a richer source of evidence than the internet because:
a. they retain data for longer periods of time.
b. owners of private networks are more cooperative with law enforcement.
c. private networks contain a higher concentration of digital evidence.
d. all of the above.
11. due to caseload and budget constraints, often computer security professionals
attempt to limit the damage and close each investigation as quickly as possible.
which of the following is not a significant drawback to this approach?
a. each unreported incident robs attorneys and law enforcement personnel of an
opportunity to learn about the basics of computer-related crime.
b. responsibility for incident resolution frequently does not reside with the security
professional, but with management.
c. this approach results in under-reporting of criminal activity, deflating
statistics that are used to allocate corporate and government spending on
combating computer-related crime.
d. computer security professionals develop loose evidence processing habits
that can make it more difficult for law enforcement personnel and attorneys to
prosecute an offender.
13. the author of a series of threatening e-mails consistently uses "im" instead of "i'm." this is an example of:
a. an individual characteristic
b. an incidental characteristic
c. a class characteristic
d. an indeterminate characteristic
14. personal computers and networks are often a valuable source of evidence. those
involved with ________ should be comfortable with this technology.
a. criminal investigation
b. prosecution
c. defense work
d. all of the above
15. an argument for including computer forensic training for computer security specialists is:
a. it provides an additional credential.
b. it provides them with the tools to conduct their own investigations.
c. it teaches them when it is time to call in law enforcement.
d. none of the above.
2. attorneys and police are encountering progressively more digital evidence in their work.
a. true
b. false
5. digital evidence can be duplicated exactly without any changes to the original data.
a. true
b. false
6. computers were involved in the investigations into both world trade center attacks.
a. true
b. false
7. computer professionals who take inappropriate actions when they encounter child
pornography on their employer’s systems can lose their jobs or break the law.
a. true
b. false
12. the aim of a forensic examination is to prove with certainty what occurred.
a. true
b. false
13. even digital investigations that do not result in legal action can benefit from principles of
forensic science.
a. true
b. false
14. forensic science is the application of science to investigation and prosecution of crime or to
the just resolution of conflict.
a. true
b. false
15. when a file is deleted from a hard drive, it can often be recovered.
a. true
b. false
1. when criminals use computers, what advantages does this have from an investigative
standpoint?
answer guidance: 1) computer activities leave trails/online activities leave cybertrails, 2) these
traces/trails can be linked to the associated physical world activities, and 3) some offenders have
a false sense of security when they use computers and therefore expose themselves to greater
risk, giving us a clearer view of them — windows to the world.
2. what are the three general categories of computer systems that can contain digital evidence?
in each category, give a specific source of digital evidence that interests you and describe the
type of evidence that you might find.
answer guidance: open systems, communication systems, and embedded systems, examples of
each are provided on page 12. note that a server on the internet is often an open computer
system but plays a role in a communications system. therefore, the server may have information
relating to the communications on the internet such as log files of network activities.
3. why is it important for computer security professionals to become familiar with digital
evidence?
answer guidance: so they know how to process evidence properly in preparation for a serious
incident and to protect themselves and employers against liability (see p. 14).
4. at what point should computer security professionals stop handling digital evidence and
contact law enforcement?
answer guidance: this is a difficult question that requires more than a simplistic “stop and
contact law enforcement whenever they detect a crime” answer. it is unrealistic to expect an
organization to report every potential criminal act to law enforcement. computer security
professionals should report incidents to law enforcement when their organization’s policy
specifies. this presumes that some organizational thought and planning has been applied to the
issue. computer security professionals should stop handling digital evidence when the task is
beyond their training and experience or when they would be committing an offense by
performing an action (e.g., hacking back into the intruder’s computer, accessing child pornography).
- abstraction
- messy amalgam and fragmentation
- mutability: evidence dynamics
- attribution: linking digital to physical
- distributed
- transient
- voluminous
- anonymity
- diversity of technologies
- keeping up with legislation
- shortage of trained investigators, attorneys, judges, etc.
6. what is the difference between digital evidence, electronic evidence, and computer evidence?
answer guidance: computer evidence and electronic evidence refer to hardware whereas digital
evidence refers to the data that is contained by hardware.
7. describe a case reported in the media or from personal experience that demonstrates how
digital evidence can be useful in the investigation of a violent crime or civil dispute.
scenario
describe a day in your life and the associated sources of digital evidence that your actions may
have created.
resources
the following organizations with related resources are mentioned in this chapter.
objectives
on completion of this chapter, the student will
- be aware of new terms that have arisen as technology has been used for committing
crimes.
- be aware of the difficulty in defining computer crime.
- recognize the differences between the following terms:
o digital forensics
o computer forensics
o network forensics
o mobile device forensics
o malware forensics
- recognize the difference between “forensic examination” and “forensic analysis.”
- be aware of the various roles computers may play in a crime.
chapter guide
since the late 1980s there have been significant advances in investigating crime involving
computers. in addition to advances in tool development, there have been refinements in the law,
computer crime categories, and digital investigative methods and theory. however, because it is
still an emerging field, digital forensics requires additional development and refinement. even
the term digital forensics has only recently replaced computer forensics, forensic computing, and
other terms that describe the field as a whole. see pages 26-38 for more details.
although every effort is made to prevent bugs in software used in digital investigations, they do
exist and can result in evidence being lost or interpreted incorrectly. therefore, in addition to
validating their own work and tools, forensic examiners can benefit from the
results of the us national institute of standards and testing (nist) computer forensic tool testing
(cftt) program. this program is currently testing hardware write blockers as well as the ability of
forensic tools to acquire digital evidence from storage media and recover deleted files. this
testing does not include the recovery of overwritten data using more sophisticated equipment.
some forensic laboratories can recover partially overwritten data using special equipment
designed for testing hard drives called “spin stand testers.” basically, this equipment enables
technicians to direct the read head to read the edges of a track that may not have been
overwritten by newer data that are stored in the middle of the track. although it is theoretically
possible to recover completely overwritten data using powerful microscopes, an analysis by the
us national bureau of economic research suggests that this is not feasible in practice:
the role a computer plays in a crime will dictate how it and its contents are processed. therefore,
it is important for digital investigators to understand the different roles, which are clearly
described in the usdoj’s “searching and seizing computers and obtaining electronic evidence in
criminal investigations.” the following table provides examples in each category:
this conceptual framework helps investigators quickly identify important sources of evidence in
the large amounts of information that are common in digital investigations. in addition, these
categories provide a foundation for procedures. for instance, different methods, personnel, and
tools are required to process hardware as contraband (e.g., mobile phone cloning equipment)
versus information as evidence.
other categorizations of the impact of technology on crime can also be useful but have their
limitations (see decc2e, pages 31-33). another useful categorization presented by nigel jones in
digital investigation (volume 1, issue 3, www.digitalinvestigation.net) is provided below:
• the target of crime, including the denial of service attacks and viruses that are
distributed to bring computer systems to a halt
• an aid to crime, allowing crimes to be committed in different and easier ways than
before
• a communications tool, allowing criminals more opportunities to communicate with
each other with less chance of discovery than traditional communication methods
• a witness to crime, where technology in the possession of those other than victims and
suspects could provide compelling evidence of criminal activity
• a storage device, containing evidence of criminal activity whether wittingly or
unwittingly stored
discussion of these categories can help students expand their understanding of computer-related
crime.
4. the first tool for making forensic copies of computer storage media was:
a. encase
b. expert witness
c. dd
d. safeback
12. computer equipment purchased with stolen credit card information is an example of:
a. hardware as contraband or fruits of crime
b. hardware as an instrumentality
c. hardware as evidence
d. information as contraband or fruits of crime
15. in the course of conducting forensic analysis, which of the following actions are carried
out?
a. critical thinking
b. fusion
c. validation
d. all of the above
1. a single crime can fall into more than one of the following categories: hardware or
information as evidence, instrumentality, and contraband or fruits of crime.
a. true
b. false
2. the american society of crime laboratory directors (ascld) is the only group to
establish guidelines for how digital evidence is handled in crime labs.
a. true
b. false
3. the nist computer forensic tool testing project has identified all bugs in all forensic
hardware and software.
a. true
b. false
7. the main reason for seizing contraband or fruits of crime is to prevent and deter future
crimes.
a. true
b. false
8. a computer can be considered instrumentality because it contained a file that detailed the
growing characteristics of marijuana plants.
a. true
b. false
10. when a computer contains only a few pieces of digital evidence, investigators are
authorized to collect the entire computer.
a. true
b. false
11. when a computer is used to forge documents or break into other computers, it is the
subject of the crime.
a. true
b. false
12. a flatbed scanner used to digitize child pornography can be considered in both the
hardware as instrumentality and hardware as evidence categories.
a. true
b. false
13. the terms “forensic examination” and “forensic analysis” are the same, and can be used
interchangeably.
a. true
b. false
14. the distinction between a computer as the object and subject of a crime is useful from an
investigative standpoint because it relates to the intent of the offender.
a. true
b. false
15. network sniffer software is illegal to possess, and therefore is considered contraband.
a. true
b. false
1. discuss the benefits and shortcomings of creating specializations of crime scene experts,
evidence examiners, and investigators. what are the advantages and disadvantages for requiring
individuals in each specialization to pass a standard competency test?
2. what term do you think best describes this field (e.g., computer forensics, forensic
computing, digital forensics) and why?
answer guidance: digital forensics is the most fitting for this course because just referring to
computers limits the scope.
3. what roles can computers play in a crime? give an example of each role.
answer guidance: the most effective and widely accepted categorization is provided by the us
department of justice as discussed on pages 34-39.
it is important to emphasize that digital investigators will be presenting their findings to a
non-technical audience. therefore, it is imperative that digital investigators are able to convey
complex concepts in easier-to-understand terms.
4. a scientific truth attempts to identify roles that are universally true. legal judgment, on
the other hand, has a standard of proof in criminal prosecutions of:
a. balance of probabilities
b. beyond a reasonable doubt
c. acquittal
d. none of the above
6. according to the text, the most common mistake that prevents evidence seized from
being admitted is:
a. uninformed consent
7. in obtaining a warrant, an investigator must convince the judge on all of the following
points except:
a. evidence of a crime is in existence
b. a crime has been committed
c. the owner or resident of the place to be searched is likely to have committed
the crime
d. the evidence is likely to exist at the place to be searched
8. if, while searching a computer for evidence of a specific crime, evidence of a new,
unrelated crime is discovered, the best course of action is:
a. abandon the original search, and pursue the new line of investigation
b. continue with the original search but also pursue the new inquiry
c. stop the search and obtain a warrant that addresses the new inquiry
d. continue with the original search, ignoring the new information
9. the process of documenting the seizure of digital evidence and, in particular, when that
evidence changes hands, is known as:
a. chain of custody
b. field notes
c. interim report
d. none of the above
10. when assessing the reliability of digital evidence, the investigator is concerned with
whether the computer that generated the evidence was functioning normally, and:
a. whether chain of custody was maintained
b. whether there are indications that the actual digital evidence was tampered
with
c. whether the evidence was properly secured in transit
d. whether the evidence media was compatible with forensic machines
11. the fact that with modern technology, a photocopy of a document has become acceptable
in place of the original is known as:
a. best evidence rule
b. due diligence
c. quid pro quo
14. which of the following is not one of the levels of certainty associated with a particular
finding?
a. probably
b. maybe
c. almost definitely
d. possibly
1. there is no need for any specialized training in the collection of digital evidence.
a. true
b. false
4. in the united states, the prosecution must prove guilt beyond a reasonable doubt.
a. true
b. false
5. chain of custody is the process of documenting who has handled evidence, where and
when, as it travels from the crime scene to the courts.
a. true
b. false
8. coerced testimony is the most common mistake that prevents evidence seized from being
admitted.
a. true
b. false
10. exceeding the scope of a warrant is not likely to affect the admissibility of the evidence
collected.
a. true
b. false
11. digital evidence cannot be direct evidence because of its separation from the events it
represents.
a. true
b. false
12. when creating an expert report, digital investigators should support assertions in their
reports with multiple independent sources of evidence.
a. true
b. false
13. voir dire is the process of becoming accepted as an expert by the court.
a. true
b. false
14. during testimony, when a lawyer appears not to be tech savvy, it is a good practice to
guess what the attorney is trying to ask.
a. true
b. false
15. a proper response to a question that you do not know the answer to is, “i don’t know.”
a. true
b. false
develop a procedure for systematically examining a crime scene for digital evidence.
answer guidance: initial entrance to the crime scene, officer safety, separate the suspect from
the computer, look for removable media, written passwords, evidence of networks, etc.
answer guidance: readable fonts, structure that contains a summary, the details of the report,
and attachments, etc.
hold a mock court, with the instructor acting as opposing counsel, and testify under cross-
examination.
answer guidance: thoroughly know the content of the report, don’t panic (or lose your temper),
etc.
scenario
you are accompanying a raid on a suspected software pirate. what would you be looking for?
what precautions would you be taking? what evidence collection considerations would you be
considering?
objectives
on completion of this chapter, the student will:
- be aware of how us law deals with the major cybercrimes.
- be aware how us law deals with digital privacy.
- recognize that the primary source for federal law dealing with cybercrimes is the
computer fraud and abuse act
- recognize that the child pornography protection act was adopted by congress out of
concern for the increased proliferation of child pornography.
- be aware that copyright infringement in the form of software piracy is a crime.
- be aware that the lanham act provides protection for trademarks and trade secrets.
- recognize that state cybercrime law is often focused on crimes of access, dissemination
of malware, denial of service, computer forgery, computer fraud and theft, computer
extortion, and crimes against children.
- recognize that the constitutional freedom from unreasonable searches is the fourth
amendment.
- be aware that wiretapping deals with several issues:
- content of communications
- traffic data
- technology is not in general public use
- recognize that there are fifth amendment issues relating to encryption.
chapter guide
this chapter contains a significant amount of material that can form the foundation for more than
one lesson. the ultimate aim is to have students compare the policies and laws in the us and eu,
and highlight the similarities and differences between them in the following areas:
technology provides criminals with new opportunities, and many existing laws do not
adequately address the use of computers. prosecution of crimes such as child exploitation, theft
of intellectual property, internet fraud, and cyberstalking has yet to be resolved, for a number of
reasons. one issue is jurisdiction. if an internet fraud is conducted in one state, via an offshore
isp, against a victim in another state – who has jurisdiction? where did the crime take place? a
related issue is extradition of criminals from other countries.
legislation covering computer misuse has matured but continues to evolve as case law and
technology develop. in the us, computer fraud and abuse are defined and addressed by the cfaa at
the federal level, and by state law for the remainder of smaller offenses. in the uk and eu, fraud,
forgery, and computer misuse are defined slightly differently.
another issue is the varying definitions of, and the confusion between, “pornography,” “child
pornography,” and “obscenity.” application of the miller test and copa’s guidelines to
determine when pornography has crossed over to obscenity has been the focus of a number of
court cases, and the definitions are far from being accepted.
in regard to child pornography, at present in the us, “virtual” child pornography is still protected
by the first amendment. cppa was an unsuccessful attempt to remove this protection, the premise
being that child pornography, real or digitally created, was inherently evil. however, under uk
law “pseudo-photographs” are considered illegal, and the coe includes “realistic images
representing a minor engaged in sexually explicit conduct” in their definition of child
pornography. the rationale for making virtual child pornography illegal is that it increases the
availability of such materials and thereby increases the demand. a counterargument is that law
enforcement may not be able to distinguish between virtual versus real child pornography,
making it more difficult to address the illegal activities. sentencing guidelines for child
pornography convictions continue to be an area of controversy, and the discussion about
sentencing in the uk is provided to stimulate discussion.
our “right to privacy” is an equally ambiguous concept. from a legal standpoint, it is 1) the right
to be free from governmental intrusion (protected by the constitution) and 2) the protection from
intrusion into our private lives by others (protected by common law). although search and seizure
requirements and procedures in the us and uk are very similar, in europe, personal data are
protected by an eu directive and by associated legislation in individual countries.
historically, the eu has offered greater privacy protection than the us, making it more difficult
intellectual property theft is based on copyright law. alex haley was accused of plagiarizing
parts of his epic roots. napster, kazaa, and other peer-to-peer applications engaged in the
unauthorized distribution (sharing) of copyrighted music. legal definitions are, again, behind
the times. if a data thief breaks into a computer and copies confidential data, is it theft? the
data is intact and still in place. has the owner of the data been deprived of its use?
1. what is one of the most complex aspects of jurisdiction when the internet is involved?
a. arranging to travel to remote locations to apprehend criminals
b. determining which court can enforce a judgment over a defendant
c. finding a court that is in two states
d. finding a federal court that can hear a civil suit
2. in the us, to enforce a judgment over a defendant, a court must have which of the
following?
a. subject matter and personal jurisdiction
b. general and limited jurisdiction
c. diversity and long arm jurisdiction
d. none of the above
4. the miller test takes which of the following into account when determining if
pornography is obscene?
a. it appeals to the public interest
b. it depicts sexual conduct in a patently offensive way
c. it lacks any monetary value
d. all of the above
5. in the case of new york v. ferber, in 1982, the supreme court defined child
pornography as:
a. sketches from the imagination or literary descriptions of children engaged in
sexual activities
b. visual depictions of sexual conduct by children or by persons who look younger
than their actual age
c. works that visually depict explicit sexual conduct by children below a
specified age
d. any public or private materials depicting children engaged in sexual activities no
matter the medium
9. under the cfaa, the provision that is used to prosecute those who create or spread
viruses, worms, and other malware is:
a. 1030(a)(5)(a)
b. 1030(a)(5)(b)
c. 1030(a)(5)(c)
d. 1030(a)(5)(d)
10. under the cfaa, it is a federal crime to knowingly transfer, possess, or use a means of
identification of another person without being authorized, with the intent to commit or to
aid or abet any unlawful activity. the session that addresses this is:
a. 1028(a)(5)
b. 1028(a)(6)
c. 1028(a)(7)
d. 1028(a)(8)
12. which state does not have a law prohibiting simple hacking – gaining unauthorized
access to a computer?
a. california
b. texas
c. washington
d. none of the above
14. in those states with legislation addressing computer forgery, contraband in the form of
“forgery devices” may include:
a. computers
b. computer equipment
c. specialized computer software
d. all of the above
2. the criminal justice systems in the eu and us work in essentially the same way.
a. true
b. false
5. in the us and uk, it is legal to possess child pornography but illegal to distribute it to
others.
a. true
b. false
10. in the us, the government may require a warrant to search a public area.
a. true
b. false
11. in the us, the government does not require a warrant to search through
garbage/rubbish bags left outside of an individual’s home.
a. true
b. false
12. in the us, the government does not require a search warrant to observe an
individual’s home from outside its walls using “radar-based through-the-wall
surveillance systems.”
a. true
b. false
14. copyright law does not prohibit individuals from downloading digital copies of
protected materials without paying because it is considered fair use.
a. true
b. false
15. the fourth amendment addresses the citizens’ right to bear arms.
a. true
b. false
debate the application of fifth amendment protection from incrimination to the refusal to
divulge passwords to encrypted data.
scenario
you are asked to describe to a non-technical jury how data are stored on a hard disk drive. how
would you go about describing this and what visual aids and/or analogies would you use?
objectives
on completion of this chapter, the student will:
- be aware of differences between super-national and national legal frameworks.
- recognize the progression of cybercrime legislation in europe.
- be able to list the three computer crime categories specified in the cybercrime
convention:
o computer-integrity crime
o computer-assisted crime
o content-related crime
- be aware of other computer related offenses:
o copyright infringement
o cyberbullying
- be aware of various forms of jurisdiction
2. in the uk, an application for a search warrant must include which of the following?
a. reasonable grounds for believing that a crime has been committed
b. a specific description of the premises to be searched
c. which law has been broken
d. all of the above
3. how do europe and north america address the challenges of jurisdiction when a computer
crime involves both continents?
a. search warrants
b. treaties
c. presidential intervention
d. all of the above
4. the english sentencing advisory panel (sap) categorized the increasing seriousness of child
pornography material into five levels. which of the following is considered the worst, level
5?
a. sadism or bestiality
b. sexual activity between children or solo masturbation by a child
c. non-penetrative sexual activity between adults and children
d. penetrative sexual activity between adults and children
10. in the uk, prosecution of child pornography falls under what act?
a. the protection of children act of 1978
b. the crimes against children act of 1996
c. the council of europe convention on cybercrime
d. none of the above
11. in ireland, the non-fatal offences against the state act of 1997 specifically addresses:
a. computerized welfare fraud
b. cyberbullying
c. nigerian scams
d. hacking
12. the netherlands claims universal jurisdiction for the crime of:
a. attacks on the king
b. transnational computer crimes
c. terrorist network activity
d. malware distribution
14. in the civil-law countries, such as the netherlands, criminal law is “inquisitional” where:
a. the judge takes an active role in “finding the truth”
b. the judge takes a more passive role, with “truth-finding” assigned to prosecution and
defense
c. the judge and attorneys from both prosecution and defense meet in private chambers
to determine guilt or innocence.
d. the public serves as judge, with prosecution and defense presenting their case in a
public forum.
15. england became the first european country to enact a law to address computer crime
specifically. this law – the computer misuse act – was enacted in:
a. 1985
b. 1990
c. 1995
d. 2000
2. the criminal justice systems in the eu and us work in essentially the same way.
a. true
b. false
3. in the uk, it is legal to possess child pornography but illegal to distribute it to others.
a. true
b. false
4. in the uk, downloading child pornography is equated with “making” illegal material
according to the legal definition.
a. true
b. false
9. in irish computer crime law, jurisdiction is often integrated into the legislative section
setting out the offense.
a. true
b. false
10. in england, child prostitution and pornography are scheduled offenses to the english
serious crime act 2007.
a. true
b. false
11. european law is civil-based, whereas the common-law countries are considered an
adversarial system.
a. true
b. false
12. in the eu, crimes like illegal access, illegal interception, and data interference are
categorized as computer-integrity crimes.
a. true
b. false
13. in the eu, computer-assisted crimes consist of those crimes which cannot be committed
in the absence of computers or computer networks.
a. true
b. false
14. in the eu, content-related crimes relate to traditional offenses where computers are tools
rather than targets but, unlike computer-assisted crimes it is the content of data rather
than the result of an action that is the core of the offense.
a. true
b. false
15. data interference is the intentional “serious hindering without right to the functioning of
a computer system.”
a. true
b. false
research agencies that you would need to contact for five nations outside of europe.
answer guidance: check the cia factbook for information on government agencies, follow up.
you have been notified of the existence of threatening e-mails being sent to the ceo of your
company. an examination of the e-mails revealed that they originated from outside of the
country.
describe the steps you would take in your investigation. in particular, address the issue of jurisdiction
and locating your counterparts in the target country.
objectives
chapter guide
following the twelve steps described in this chapter increases the likelihood that an investigation
will lead to the truth and will serve justice. more specifically, the ultimate aim of the model
covered in this chapter is to help investigators ascend a sequence of steps that are generally
accepted, reliable, and repeatable, and lead to logical, well-documented conclusions of high
integrity. to fully appreciate the flexibility and power of this model, it is necessary to explore
how it applies to different types of investigations. for instance, the incident handling section of
the educause effective security practices guide (http://www.educause.edu/security/guide)
outlines how this methodology is applied to computer security incidents. in addition, it is
instructive to compare this model with others such as the one described in “getting physical with
the digital investigation process” by carrier and spafford (available online at
http://www.ijde.org/docs/03_fall_carrier_spa.pdf).
locard’s exchange principle states that anyone or anything entering a crime scene leaves
something behind or takes something with him when he leaves. although this principle was
developed nearly a century ago for investigations in the physical world, it applies to crime in the
digital realm. for example, a threatening e-mail creates a trail from the sender’s computer, on e-
mail servers that handle the message and on the recipient’s computer. these exchanges of digital
evidence and the resulting cybertrails enable investigators to establish the continuity of offense
and link online activities to a specific computer or individual.
notably, investigators can also inadvertently cause evidence exchange when they enter or leave a
crime scene. adherence to standard operating procedures helps minimize such spoliation of
digital crime scenes, and thorough documentation helps reduce the resulting confusion.
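as an added example (not from the text or its author), the following parser turns the Received headers of a threatening e-mail into the trail described above, sender's side first, and checks that consecutive hops join up so that continuity of offense can be demonstrated or a break flagged. the message, host names, addresses and ids are constructed placeholders.

```python
import email
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed sample message (not from a real case); every host name, address
# and id below is a placeholder drawn from documentation ranges.
SAMPLE_MESSAGE = """\
Received: from mx.example-mail.test (mx.example-mail.test [203.0.113.7])
    by inbound.victim-corp.test (Postfix) with ESMTPS id 4F2A1
    for <ceo@victim-corp.test>; Tue, 03 Mar 2020 09:15:42 +0000
Received: from relay.example-mail.test (relay.example-mail.test [203.0.113.5])
    by mx.example-mail.test with ESMTP id 77C3B;
    Tue, 03 Mar 2020 09:15:40 +0000
Received: from desktop-17 (unknown [198.51.100.23])
    by relay.example-mail.test with ESMTPA id 19AE0;
    Tue, 03 Mar 2020 09:15:38 +0000
Message-ID: <20200303091538.19AE0@relay.example-mail.test>
From: "anon" <anon@example-mail.test>
To: ceo@victim-corp.test
Subject: you have been warned
Date: Tue, 03 Mar 2020 09:15:37 +0000

im watching you.
"""

RECEIVED_RE = re.compile(
    r"^from\s+(?P<from_host>\S+)"           # name the sending side announced
    r"(?:\s+\((?P<from_info>[^)]*)\))?"     # reverse DNS / [ip] seen by the receiver
    r".*?\bby\s+(?P<by_host>\S+)"           # server that added this header
    r".*?;\s*(?P<date>.+)$",                # that server's own clock
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    from_host: str
    from_ip: Optional[str]
    by_host: str
    timestamp: datetime


def parse_received(value: str) -> Optional[Hop]:
    """One Received header (folded or not) -> Hop, or None if it does not parse."""
    m = RECEIVED_RE.match(" ".join(value.split()))   # collapse folding whitespace
    if not m:
        return None
    ip = IP_RE.search(m.group("from_info") or "")
    return Hop(
        from_host=m.group("from_host"),
        from_ip=ip.group(1) if ip else None,
        by_host=m.group("by_host"),
        timestamp=parsedate_to_datetime(m.group("date").strip()),
    )


def reconstruct_trail(raw_message: str) -> List[Hop]:
    """Hops in chronological order, sender's side first.

    Each mail server prepends its own Received line, so the headers read
    newest-first; reversing them gives the path the message actually took.
    """
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h is not None]


def continuity_breaks(hops: List[Hop]) -> List[int]:
    """Indices i where hop i and hop i+1 do not join up.

    In an intact trail the server that received hop i ("by") is the one that
    hands the message on in hop i+1 ("from"), and time never runs backwards.
    A break is where an inserted or forged header should be suspected and
    checked against that server's own logs.
    """
    breaks = []
    for i in range(len(hops) - 1):
        older, newer = hops[i], hops[i + 1]
        if older.by_host != newer.from_host or newer.timestamp < older.timestamp:
            breaks.append(i)
    return breaks


def origin_of(hops: List[Hop]) -> Optional[Hop]:
    """Earliest hop: the link closest to the sender's computer.

    Only headers added by servers under the investigator's control can be
    trusted outright; the rest were written by other parties and need
    corroboration (server logs, ISP records) before any weight is put on them.
    """
    return hops[0] if hops else None


if __name__ == "__main__":
    trail = reconstruct_trail(SAMPLE_MESSAGE)
    for h in trail:
        print(f"{h.timestamp:%H:%M:%S}  {h.from_host} [{h.from_ip}] -> {h.by_host}")
    print("continuity breaks at:", continuity_breaks(trail))
```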
a “class characteristic” is a general feature shared with similar items such as kodak digital
cameras that embed the make and model names in the photographs they take. an “individual
characteristic” is a unique feature specific to a particular thing, place, person, or action. for
example, a scratch on a camera lens that appears in photographs it takes, a distinct monument in
the background of a photograph, or the defendant’s face appearing in a photograph are all
individual characteristics that may help investigators associate the photograph with its source,
i.e., a particular camera, location, or person. see the example on page 99.
the importance of class characteristics of digital evidence cannot be overstated. digital evidence
examiners use class characteristics to determine what type of data are in files, and thus what type
of information they can extract from them. examiners also use class characteristics to group like
files and filter irrelevant groups to reduce the amount of data they must deal with. ultimately,
class characteristics can combine to narrow the focus of an investigation to a particular group of
suspects, computers, or certain geographic regions.
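an added example, not part of the original text, of class characteristics used the way this paragraph describes: file signatures determine what type of data a file holds regardless of its name, mismatched extensions are flagged, and the Exif Make/Model tags (the make-and-model feature attributed to digital cameras above) group photographs by source camera. the sample files, camera names and the minimal Exif builder are constructed for illustration.

```python
import os
from typing import Dict, List, Optional, Tuple

# File signatures ("magic numbers") are class characteristics: every file of a
# format shares them, whatever name or extension a user later gave the file.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also Office .docx/.xlsx containers
    (b"MZ", "exe"),
]
EXT_FOR = {"jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "pdf": {".pdf"},
           "zip": {".zip", ".docx", ".xlsx"}, "exe": {".exe", ".dll"}}
TAG_MAKE, TAG_MODEL = 0x010F, 0x0110      # Exif IFD0 tags written by the camera


def classify(blob: bytes) -> str:
    """Type of a file judged by its signature, not by its name."""
    for sig, kind in SIGNATURES:
        if blob.startswith(sig):
            return kind
    return "unknown"


def build_sample_jpeg(make: str, model: str) -> bytes:
    """Constructed test data: a JPEG skeleton whose Exif APP1 segment holds
    only Make and Model in a big-endian TIFF structure (no image data)."""
    entries, tail, off = b"", b"", 8 + 2 + 2 * 12 + 4   # first byte after IFD0
    for tag, s in ((TAG_MAKE, make.encode() + b"\x00"),
                   (TAG_MODEL, model.encode() + b"\x00")):
        if len(s) <= 4:                                   # short values live inline
            value = s.ljust(4, b"\x00")
        else:                                             # long ones via offset
            value, tail, off = off.to_bytes(4, "big"), tail + s, off + len(s)
        entries += tag.to_bytes(2, "big") + b"\x00\x02" + len(s).to_bytes(4, "big") + value
    tiff = b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x02" + entries + b"\x00\x00\x00\x00" + tail
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + (len(app1) + 2).to_bytes(2, "big") + app1 + b"\xff\xd9"


def exif_make_model(blob: bytes) -> Optional[Tuple[Optional[str], Optional[str]]]:
    """(Make, Model) from the first Exif segment of a JPEG, or None."""
    if classify(blob) != "jpeg":
        return None
    pos = 2
    while pos + 4 <= len(blob) and blob[pos] == 0xFF:
        marker = blob[pos + 1]
        seg_len = int.from_bytes(blob[pos + 2:pos + 4], "big")
        if marker in (0xD9, 0xDA):                # EOI / start of scan: metadata is over
            break
        if marker == 0xE1 and blob[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _ifd0_make_model(blob[pos + 10:pos + 2 + seg_len])
        pos += 2 + seg_len
    return None


def _ifd0_make_model(tiff: bytes):
    order = {b"II": "little", b"MM": "big"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        return None
    u16 = lambda o: int.from_bytes(tiff[o:o + 2], order)
    u32 = lambda o: int.from_bytes(tiff[o:o + 4], order)
    ifd = u32(4)
    if u16(2) != 0x2A or ifd + 2 > len(tiff):
        return None
    found = {}
    for i in range(u16(ifd)):
        e = ifd + 2 + 12 * i
        if e + 12 > len(tiff):
            break
        tag, typ, count = u16(e), u16(e + 2), u32(e + 4)
        if tag in (TAG_MAKE, TAG_MODEL) and typ == 2:     # type 2 = ASCII
            off = e + 8 if count <= 4 else u32(e + 8)
            found[tag] = tiff[off:off + count].split(b"\x00", 1)[0].decode("ascii", "replace")
    return found.get(TAG_MAKE), found.get(TAG_MODEL)


def triage(files: Dict[str, bytes]) -> Dict[str, object]:
    """Group files by true type, flag names whose extension disagrees with
    the signature, and group photographs by the camera that produced them."""
    by_type: Dict[str, List[str]] = {}
    by_camera: Dict[str, List[str]] = {}
    mismatched: List[str] = []
    for name, blob in sorted(files.items()):
        kind = classify(blob)
        by_type.setdefault(kind, []).append(name)
        if kind != "unknown" and os.path.splitext(name)[1].lower() not in EXT_FOR[kind]:
            mismatched.append(name)
        if kind == "jpeg":
            label = " ".join(v for v in (exif_make_model(blob) or ()) if v) or "no Exif"
            by_camera.setdefault(label, []).append(name)
    return {"by_type": by_type, "mismatched": mismatched, "by_camera": by_camera}


# Constructed sample corpus; nothing here comes from a real case.
SAMPLE_FILES = {
    "DSC_0001.jpg": build_sample_jpeg("EXAMPLE CAM", "EC-200"),
    "DSC_0002.jpg": build_sample_jpeg("EXAMPLE CAM", "EC-200"),
    "holiday.jpeg": build_sample_jpeg("OTHER MAKER", "OM-1"),
    "notes.txt": build_sample_jpeg("EXAMPLE CAM", "EC-200"),   # picture hidden by renaming
    "report.pdf": b"%PDF-1.4\n%constructed\n",
    "setup.exe": b"MZ\x90\x00constructed",
    "readme.txt": b"plain text with no recognized signature\n",
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES).items():
        print(key, value)
```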
as an investigation moves from one computer to another, the examiner should examine each
system to establish the path that data relating to the offense took in order to reach its destination.
searching for “continuity of offense” substantiates the examiner’s findings and adds weight to
evidence found. see page 99 for more information.
many people incorrectly think of examination as synonymous with analysis when in fact these
are two very different processes. examination is the process of extracting and preparing data for
analysis. the examination process involves data recovery, translation, reduction, organization,
and searching. a thorough examination results in all relevant data being organized and presented
in a manner that facilitates detailed analysis. analysis involves gaining an understanding of and
reaching conclusions about the incident based on evidence produced during the examination
process. analysis also involves assessing key findings through experimentation, fusion,
correlation, and validation.
a checklist is provided here as an example of what investigators look for when conducting a
digital investigation. this type of checklist helps digital investigators document important details
and contributes to case management by helping them keep track of what they have found.
4. when you have developed a theory, what can you do to confirm that your hypothesis is
correct?
a. predict, based on your hypothesis, where artifacts should be located
b. perform experiments to test results and rule out alternate explanations
c. conclude, based on your findings, whether the evidence supports the hypothesis
d. all of the above
10. the first step in applying the scientific method to a digital investigation is to:
a. form a theory on what may have occurred
b. experiment or test the available evidence to confirm or refute your prediction
c. make one or more observations based on events that occurred
d. form a conclusion based on the results of your findings
11. which of the following should the digital investigator consider when arranging for the
transportation of evidence?
a. should the evidence be physically in the possession of the investigator at all
times?
b. will the evidence copies be shared with other experts at other locations?
c. will there be environmental factors associated with the digital media?
d. all of the above
12. in the staircase model, why is case management shown spanning across all of the steps
in the process model?
13. process models have their origins in the early theories of computer forensics which
defined the field in terms of a process.
a. complicated
b. difficult
c. linear
d. polymorphic
14. generating a plan of action and obtaining supporting resources and materials falls under
which step in the digital investigation?
a. preparation
b. survey/identification
c. preservation
d. examination and analysis
15. the process model whose goal is to completely describe the flow of information in a
digital investigation is known as:
a. the physical model
b. the staircase model
c. the evidence flow model
d. the subphase model
1. not all incidents should be fully investigated nor do they all deserve the same priority
and attention.
a. true
b. false
3. the legal truth is always in agreement with the scientific truth in an investigation.
a. true
b. false
5. when a network is involved in a crime, investigators must seize and preserve all systems
on the network.
a. true
b. false
8. beebe and clark contend that most investigative process models are too low level.
a. true
b. false
11. evidential artifacts found in the experimentation and testing process of the scientific
method which are compatible with a particular hypothesis can be taken as proof of the
hypothesis.
a. true
b. false
11. preparation for the preservation step ensures that the best evidence can be preserved
when the opportunity arises.
a. true
b. false
12. if alternative theories are suggested later, digital investigators have an obligation to
reevaluate their findings.
a. true
b. false
13. forensic examination is the process of extracting, viewing, and analyzing information
from the evidence collected.
a. true
b. false
14. survey/triage forensic inspection is the targeted review of all available media to determine which
items contain the most useful evidence and require additional processing.
a. true
b. false
answer guidance: proper evidence processing is essential because digital evidence is fragile and
often transient (see section 1.3) – if it is not processed using proper procedures and tools it may
be damaged and deemed inadmissible. evidence is the foundation of a case and if important
evidence is excluded because of improper processing, this can make it difficult to prove a case.
additionally, weak evidence can lead to incorrect conclusions and miscarriages of justice.
2. what is locard’s exchange principle? give an example of how this principle applies to
computer crime.
answer guidance: locard’s exchange principle is one of the cornerstones of forensic science.
the principle is that anyone, or anything, entering a crime scene takes something of the scene
with them, and leaves something of themselves behind when they depart from the scene. such
evidence transfer occurs in both the physical and digital realms and can be useful in internet
investigations for establishing compelling links between the offender, victim, and crime scene.
3. how are class characteristics useful in an investigation? give an example involving digital
evidence.
answer guidance: investigators can use class characteristics to determine what types of data are
in files, and thus what type of information they can extract from them. digital evidence
examiners use class characteristics to group like files and filter irrelevant groups to reduce the
amount of data they must deal with. ultimately, class characteristics can combine to narrow the
focus of an investigation to a particular group of suspects, computers, or certain geographic
regions.
4. how would you search for all image files on a disk? explain the rationale of your approach.
answer guidance: in some cases, it may be sufficient to search for files using file extensions of
common graphics formats like .jpg and .gif. although this approach may result in sufficient
incriminating evidence to proceed, it does not recover all files on the disk. searching a disk for
additionally, it is necessary to examine “special” files such as zip archives, encrypted files, etc.,
to determine if they contain image files. it goes without saying that you perform all of your
operations on a copy or a write-protected original but i still like to hear you say it.
objectives
chapter guide
although no two digital crime scenes will ever be the same, the application of accepted methods
and best practices goes a long way to assuring that the scene is protected and digital evidence is
preserved.
the ultimate aim of investigative models is to help digital investigation take steps that are
generally accepted, reliable, and repeatable.
application of the scientific method to crime scene processing and digital investigation provides
a rigor to the processes involved. adhering to pre-existing policies and procedures provides
consistency and thoroughness, and ensures that the best available methods – the best practices –
are followed.
1. the following organizations have published guidelines for handling digital crime scenes:
a. us secret service
b. association of chief police officers
c. us department of justice
d. all of the above
2. when a first responder encounters technology or equipment that he is not familiar with, the
recommended course of action is to:
a. seize the equipment as if it were a known device
b. seek assistance from a more experienced digital investigator
c. leave that particular piece of equipment at the crime scene
d. ask the suspect for details on the equipment
3. when preparing a questionnaire for interviewing individuals of the crime scene which of the
following should not be requested:
a. passwords
b. encryption keys
c. admission of guilt
d. details on removable storage
6. the crime scene preservation process includes all but which of the following:
a. protecting against unauthorized alterations
b. acquiring digital evidence
c. confirming system date and time
d. controlling access to the crime scene
9. in the case where digital investigators dealing with distributed systems need to collect data
from remote sites, the following procedure is recommended:
a. notify personnel at the remote sites to leave everything as is, and arrange for travel to
the remote locations
b. notify personnel at the remote sites to shut down all systems and send the hard drives
to the forensic lab
c. utilize remote forensics tools to acquire data from the remote sites’ ram as well
as the hard drives
d. none of the above
10. when presenting evidence on an organizational network, the digital investigator may require
the assistance of:
a. system administrators
b. the ceo of the organization
c. the cso (chief security officer)
d. additional forensic investigators
11. which of the following is not a safety consideration for a first responder?
a. additional personnel to control those present at the crime scene
b. protection against elf emanations from monitors
c. proper tools for disassembling and reassembling computer cases
d. protective gloves and eyewear
12. digital investigators like to preserve every potential source of digital evidence; however,
they are constrained by:
a. the law
13. during the initial survey of a crime scene, why is it necessary to photograph or videotape the
area and items of potential interest in their current state?
a. this simplifies inventorying the crime scene.
b. photographing items to be seized records their actual condition, and precludes
damage claims when the items are returned to the offender.
c. to record the fact that a particular item was actually found at the crime scene.
d. none of the above.
14. why is the first step to secure the physical crime scene by removing everyone from the
immediate area?
a. to prevent them from contaminating evidence
b. to prevent them from asking questions about the case before they can be interviewed
c. to give them time to fill out a personal information survey
d. to keep them from blocking the view when photographs are being taken
15. when a piece of evidence has both a biological and a digital component, who should process
it first?
a. the crime scene technician, because biological artifacts are much more fragile
b. the digital investigator, because processing the biological artifacts will destroy
digital evidence
c. neither; the evidence should be preserved and transported to the lab for processing
d. both the crime scene technician and the digital investigator, in a cooperative
effort, assuring that the biological evidence is collected in a way that does not
damage the digital component
1. when first entering a crime scene, the first responder should immediately focus on the
computers and technology.
a. true
b. false
2. since crime scenes are typically pretty much the same, very little planning needs to take place
prior to first entering the scene.
a. true
b. false
3. on entering a crime scene, an investigator notes that a piece of equipment with antennas
attached is connected to one of the target computers. since this indicates a wireless connection,
it is advisable to either disconnect or disable the piece of equipment.
a. true
b. false
4. in most situations, it is advisable to let the physical crime scene technicians, under the
direction of the forensic investigator, process the scene first.
a. true
b. false
5. the likelihood of collecting notable information from a running computer is relatively small,
so it is safe to shut down any running computer to preserve the data on the hard drive.
a. true
b. false
6. when shutting down a live system it is generally recommended to unplug the power from the
back of the computer.
a. true
b. false
7. the proper collection of evidence at a crime scene is crucial in terms of admissibility in court.
a. true
b. false
9. computer security professionals should obtain instructions and written authorization from
their attorneys before gathering digital evidence relating to an investigation within an organization.
a. true
b. false
10. the fourth amendment, like ecpa, only applies to the government, not the private sector.
a. true
b. false
11. when an organization itself is under investigation, it is always feasible to collect all the data
for every system.
a. true
b. false
12. the contents of volatile memory are becoming more and more important.
a. true
b. false
13. the decision to seize an entire computer versus create a forensic duplicate of the internal
hard drive will be influenced by the role of the computer.
a. true
b. false
14. when seizing a computer, it is advisable to remove the computer’s case and to unplug power
cables from hard drives.
a. true
b. false
15. capturing volatile data or specific files from a live system is a straightforward process
usually handled by the first responder.
a. true
b. false
answer guidance: physical layout and access, equipment, personnel separation, connectivity
issues.
answer guidance: specific details of the items to be seized, probable cause for seizing the
property, location to be searched, types of evidence that will be seized, etc.
scenario
you are participating in the pre-raid briefing for a raid on a software piracy site. your part in the
raid is to present and seize all the computers at the site.
what questions would you ask the intelligence briefer about your part in the mission?
what information and recommendations would you provide to the briefing?
objectives
chapter guide
investigatory reconstruction provides a methodology for gaining a better understanding of a
crime and focusing an investigation. objectively reviewing available evidence provides a
greater understanding of the case.
as the situation dictates, the investigator may prepare a threshold assessment or a full
investigative reconstruction.
2. the words that an offender uses on the internet, the tools that an offender uses online,
and how an offender conceals his identity and criminal activity are referred to in the text
as:
a. investigation reconstruction
b. threshold assessment
c. behavioral imprints
d. crime scene analysis
8. according to the text, the distinguishing features of a crime scene as evidenced by the
offender’s behavioral decisions regarding the victim and the offense location are known
as:
a. hard evidence
b. fruit of the poison tree
c. caveat emptor
d. crime scene characteristics
9. in crimes against individuals the period leading up to the crime often contains the
most important clues regarding the relationship between the offender and the victim.
a. 24-hour
b. 48-hour
c. 60-minute
d. 15-minute
10. one of the most important things to establish when a computer is directly involved in the
commission of a crime is:
a. where the computer was purchased
b. what operating system is in use
c. who or what was the intended victim or target
d. none of the above
11. an example of online behavior that puts an individual at higher risk for cyberstalking is:
a. using your real name online
b. putting personal information in your profile
c. posting photographs on a social networking page
12. in the movie home alone one of the burglars would always turn the water on in the sinks
so that the house would be flooded when the owners returned. in terms of crime scene
characteristics, this is an example of:
a. psychotic episode
b. signature-oriented behavior
c. modus operandi
d. vandalism
13. the totality of choices an offender makes during the commission of a crime are referred
to as:
a. the criminal’s mo
b. crime scene characteristics
c. tangible evidence
d. none of the above
14. because seemingly minor details regarding the offender can be important, investigators
should get into the habit of contemplating which of the following:
a. what the offender brought to the crime scene
b. what the offender took from the crime scene
c. what the offender changed at the crime scene
d. all of the above
15. one reason digital investigators write threshold assessments more often than full reports
is because:
a. they will be included in a final report, and so, distribute the time for final report
preparation over the entire period of the investigation.
b. they keep their supervisor aware of their productivity.
c. they take less time to prepare and may be sufficient to close out an
investigation.
d. they serve as field notes for the investigator.
4. minor details regarding the offender are unimportant, and can safely be ignored.
a. true
b. false
5. the temporal form of investigative reconstruction helps identify event sequences and
patterns.
a. true
b. false
6. the machine with an old operating system, no patches, and many services running,
located on an unprotected network, containing valuable information, and with a history of
intrusions or intrusion attempts, is at low risk of being broken into.
a. true
b. false
8. when assessing the risk of a target computer, investigators should determine if the
offender needed a high level of skill.
a. true
9. different offenders can use the same method of approach for control for very different
reasons; however, it is possible to make reliable generalizations on the basis of individual
crime scene characteristics.
a. true
b. false
10. when a computer is the target of an attack, it is also useful to determine if the system was
at high or low risk of being targeted.
a. true
b. false
11. a threshold assessment report may have a similar structure to a full investigative report
but includes more details and has firmer conclusions based on all the evidence available.
a. true
b. false
12. threshold assessments have eliminated the need for digital investigators to write full
reports.
a. true
b. false
13. among the more informative aspects of the offender-victim relationships are victim risk
and the effort that an offender was willing to make to access a specific victim.
a. true
b. false
14. although it is possible that the internet can significantly increase the victim’s risk, it is
not necessary for victimology to include a thorough search for cybertrails.
a. true
b. false
15. forensic analysis and reconstruction only include evidence that was left at a crime scene
and are intrinsically limited.
a. true
b. false
1. explain why it can be difficult to determine if someone took a copy of a digital file.
answer guidance: most operating systems do not mark a file that has been copied; information
may be found in log files; the system may contain information about remote storage devices that
have been attached.
answer guidance: the weapon is the source of control over the victim, whether it is a gun or a
computer. different offenders rely on implied or actual threats. the offender’s approach shows his
confidence, concerns, intents, and motives.
scenario
two of three porcine brothers had their houses systematically destroyed by a large lycan. in fear
for their lives, they sought shelter with a third brother. suspecting that his house would also
come under attack, he reinforced the structure and added certain countermeasures that would
come into play only if the perimeter was breached. indeed, an attack on his house was mounted,
and the perimeter was breached – resulting in the demise of the intruder.
when police arrived, the three porcine brothers were charged with negligent homicide. the house
was secured as a crime scene.
(follow-up: all charges were dropped when the brothers cited castle doctrine and self-defense.)
prepare a threshold assessment based on the information and crime scene provided above.
the students should understand that technology, for the most part, is not inherently good or bad –
it simply is. it is the application of that technology that is important. criminals are quick to see
how a new technology can be adapted to their purposes. the forensic examiner’s job is to analyze
that new technology, first of all to see how the technology was implemented, and second of all to
determine if the technology has any value as a tool in a forensic investigation.
4. a criminal’s set of learned behaviors that can evolve and develop over time are referred
to as:
a. motivational typology
b. offense behaviors
c. modus operandi
d. none of the above
5. the emotional, psychological, or material need that impels, and is satisfied by, a
behavior is known as:
a. motive
b. modus operandi
c. offense behaviors
d. offender behaviors
7. profit-oriented offense behavior indicates that the offender’s motivation was based on:
a. anger
b. revenge
c. restoration of self-confidence
d. material or personal gain
8. in power assertive offense behavior, the offenders may not take precautions that they
have learned are generally unnecessary. one reason for this is because:
a. the crimes they commit usually have minimal punishment.
b. the offenses are usually fantasized and not really carried out.
c. they have no respect for law enforcement.
d. all of the above.
9. maury roy travis was arrested for multiple murders based on:
a. the fact that the police were able to link into all of his crimes prior to his capture
b. his inadvertent cybertrail of information recovered from an online map
c. the large number of tangible leads the police had to work on
d. his lack of skill and poor planning
10. in the example of programs being released, an example of power assertive offense
behavior would be:
a. a terrorist releasing a virus that would shut down segments of the power
grid
b. a 13-year-old running a tool that attempts to guess phonecard pin numbers
c. a keylogger that is installed on the computer of anyone who visits a particular
website
d. a program that simulates the windows blue screen of death (bsod) as a
screensaver
11. the cotton gin and the gatling gun are examples of:
a. the role innovation played in american history
b. new technology that had unintended social consequences
c. proof that inventors should be monitored by the government
d. none of the above
13. the study that was taken and modified by the fbi’s national center for the analysis of
violent crime was:
a. locard’s principle
b. the groth rapist motivational typology
c. lombroso’s typology
d. gibb’s numerical rules
14. which offense behavior is characterized by the belief that the victim will enjoy and
eroticize the offense behavior and may subsequently fall in love with the offender?
a. power reassurance
b. power assertive
c. anger retaliatory
d. anger excitation
15. in this offense behavior, the goal is the victim’s total fear and submission for the
purposes of feeding the offender’s sexual desires.
a. power reassurance
b. power assertive
c. anger retaliatory
d. anger excitation
1. computers and the internet are no different from other technologies adapted by the
criminal.
a. true
b. false
2. when the advanced research projects agency began funding a mechanism for ensured
communications between military installations, they understood full well that they were
developing a pervasive form of social-global connectedness.
a. true
b. false
5. using e-mail for anonymous harassment is an example of how technology has been used
as a vehicle for criminal behavior.
a. true
b. false
6. as a general rule, law enforcement groupies are always engaged in some form of
criminal activity.
a. true
b. false
7. as criminals learn about new forensic technologies and techniques being applied to their
particular area of criminal behavior, they must be willing to modify their mo, if possible,
to circumvent those efforts.
a. true
b. false
9. anger retaliatory offense behavior is behavior wherein the offender obtains sexual
gratification from the victim’s pain and suffering.
a. true
b. false
10. in regard to profit-oriented offense behavior, any behavior that is not purely profit
motivated, which satisfies an emotional or psychological need, should be examined with
the lens of the other behavior motivational types.
a. true
b. false
11. the technology that proved to be the downfall of maury roy travis was the online
mapping service that had logged his ip address.
a. true
b. false
12. maury roy travis, compared with other serial murderers, was foolish, impulsive, and
unskilled.
a. true
b. false
13. the criminal’s mo consists of learned behaviors that can evolve and develop over time.
a. true
b. false
15. modus operandi and motive are considered to be the same thing.
a. true
b. false
1. explain the possible benefits of conducting a thorough analysis of modus operandi during
an investigation.
answer guidance: analysis of methods may provide new investigative leads, insights
into the skill level of the offender, connection to other cases.
2. you are investigating the hacking and defacing of a corporate website. provide a
motivational analysis for this incident based on each of the offense behaviors listed in the
text.
scenario
prepare an investigative plan listing the lines of investigation that you plan to pursue.
note that this is not an exercise to demonstrate your understanding of forensic techniques.
rather, this exercise is directed toward developing skills in the creation of planning documents.
use the example cited in the chapter to assist in your design.
to date, there are huge amounts of information about people’s personal and professional
lives stored on computers, mobile devices, corporate computers, and the internet. this vast
store of information can show where victims of violent offenders were, and what they were
doing, when the attack occurred. digital evidence may reveal investigative leads, likely
suspects, previously unknown crimes, and personal information that puts the victim at risk.
1. every violent crime investigation should incorporate digital evidence because digital
evidence may reveal:
a. investigative leads
b. likely suspects
c. previously unknown crimes
d. all the above
2. how the offender approaches and obtains control of a victim or target is significant
because it exposes the offender’s:
a. motives
b. choice of weapons
c. modus operandi
d. signature behaviors
5. one reason not to put too much trust into those who run the company’s computers is that:
a. there has always been an antagonism between system administrators and law
enforcement.
b. they are typically too busy to take the time to answer your questions.
c. they are usually not authorized to answer questions.
d. they may be the offenders.
7. given the scope and consequences of violent crimes, when collecting digital evidence it
is advisable to:
a. collect only that digital evidence that is clearly connected to the offense
b. focus only on the primary crime scene, as searching the offender’s home and
workplace requires additional authorization
c. seek out and preserve all available digital evidence
d. focus only on the offender’s digital evidence, as the victim’s digital evidence is
usually of little value
8. when swift action is needed, law enforcement personnel may be permitted to conduct
searches without a warrant. searches of this kind are permitted under:
a. exigent circumstances
b. eminent domain
c. mens rea
d. usa patriot act
9. when processing the digital crime scene in a violent crime investigation it is important to
have to ensure that all digital evidence and findings can hold up under close
scrutiny.
a. a good supply of electrostatic bags for holding sensitive electronic components
b. more than one reliable camera for photographing the crime scene
c. standard operating procedures for processing a digital crime scene
d. a good supply of nitrile gloves
10. the federal statute that has a provision allowing internet service providers to disclose
subscriber information to law enforcement in exigent circumstances is:
a. ecpa
b. ccpa
c. the privacy act
11. when reconstructing evidence surrounding a violent crime, it is generally helpful to:
a. diagram the crime scene
b. create a timeline of events from digital evidence
c. create a threat assessment report
d. none of the above
12. a thief who has programmed and released a virus to roam a network looking for victim
passwords used for online banking is an example of what offense behavior?
a. power assertive
b. profit oriented
c. power reassurance
d. anger retaliatory
13. the case of a michigan bank robber requiring tellers to undress so he could photograph
them is an example of:
a. deviant aberrant behavior
b. criminal humor
c. crime scene characteristics
d. investigative reconstruction
14. the assessment of the victim as they relate to the offender, the crime scene, the incident,
and the criminal justice system is known as:
a. threat assessment methodology
b. signature behaviors
c. behavioral evidence analysis
d. victimology
15. computers and mobile devices are treated as crime scenes in violent crime
investigations.
a. temporary
b. immediate
c. remote
d. secondary
1. victimology is the assessment of the offender as he relates to the crime scene, the
incident, and the criminal justice system.
a. true
b. false
2. the key to any investigation is luck, which has value only when it is properly acted upon.
a. true
b. false
3. digital investigators can use information gleaned from many forms of digital evidence to
find likely suspects and develop leads.
a. true
b. false
4. data from internet service providers used by the victim or suspect can help determine
their activities around the time of the crime.
a. true
b. false
5. mobile devices may contain information about communications as well as audio or video
recordings relating to an offense.
a. true
b. false
6. privately owned networks are usually a poor source of information when investigating
violent crimes.
a. true
b. false
7. given the scope and consequences of violent crimes, it is advisable to seek out and
preserve all available digital evidence.
a. true
b. false
10. the investigative reconstruction process involves pulling all evidence together and letting
it speak for itself.
a. true
b. false
12. it is safe to place your trust in an organization’s it staff, since forensic training is a basic
requirement in most it departments.
a. true
b. false
13. computers and mobile devices are treated as primary crime scenes in violent crime
investigations.
a. true
b. false
14. when investigating suspects of a violent crime, it is important to look for behaviors that
leave digital traces.
a. true
b. false
15. what an offender does at a crime scene typically reveals little useful information to
digital investigators.
a. true
b. false
prepare a sample crime scene processing procedures field guide, based on the information
provided in this chapter. the format of this guide should facilitate use at the scene.
answer guidance: field guides are typically in “cookbook” format, with larger print and
telegraphic prose intended to serve as reminders.
scenario
you have just arrived at the scene of workplace violence where an individual shot his coworker.
describe, in detail, the steps that you would take to process the digital crime scene.
things to consider: comments from coworkers, contents of computer and cell phone, other
digital evidence relating to the incident.
with people spending an increasing amount of time using mobile devices, computers, and
networks, there are bound to be more alibis that depend on digital evidence.
digital evidence will rarely show that someone was at a specific location at a specific time;
however, it can show that the device was at that location. through the use of other supporting
evidence, such as a phone call in progress or an e-mail sent, the device can be associated with an
individual.
1. investigators should not rely on one piece of digital evidence when examining an alibi –
they should look for an associated .
a. cybertrail
b. piece of physical evidence
c. statement
d. none of the above
2. when investigating an alibi that depends on digital evidence, the first step is to
assess the reliability of the information on the computers and networks involved.
a. true
b. false
4. investigators can rely on one piece of digital evidence when examining an alibi.
a. true
b. false
5. computer networks can contain a large amount of information about times and
locations.
a. true
b. false
6. credit card companies are not permitted to keep records of the dates, times, and
locations of all purchases.
a. true
b. false
7. telephone companies keep a record of the number, the time and duration of the
call, and sometimes the caller’s number.
a. true
b. false
10. digital evidence can rarely prove conclusively that someone was at a specific
place at a specific time.
a. true
b. false
1. discuss the reasons why a digital investigator would confirm an alibi. isn’t that a job for the
suspect’s defense counsel?
answer guidance: the digital investigator’s mission is to find out the truth.
scenario
a suspect claims that evidence artifacts found on his computer were placed there by his
estranged wife out of malice. as evidence, he points out that the created dates on some of the files
occurred when he was on vacation.
prepare an investigative plan on how you would confirm or refute his alibi.
forensic examiners need to be aware that they may be requested to find a particular piece of
evidence, or find evidence that confirms an investigator’s suspicions. that is not the examiner’s
job. examiners find the truth, regardless of its convenience.
investigators must learn to study sex offenders, so they can recognize and understand the
patterns of behavior that force sex offenders to take greater risks.
3. which of the following are reasons that digital evidence may not be preserved properly or
at all?
a. victims may destroy key evidence because they are embarrassed by it.
b. corporate security professionals may not be aware of proper evidence handling
concepts.
c. poorly trained police officers may overlook important items.
d. all of the above.
5. when the offender is unknown, the reconstruction process becomes a necessary step to:
a. reassure the victim that progress is being made
b. prioritize suspects
c. accommodate multiple cases
d. open new lines of investigation
8. of lanning’s three general categories of sex offenders, which of the following is not a
characteristic of the situational category?
a. generally more power/anger motivated
b. are compulsive record keepers
c. generally pick convenient targets
d. none of the above
9. the process of correlating evidence through temporal, relational, and functional analysis
is known as:
a. crime scene analysis
b. offense behavior analysis
c. investigative reconstruction
d. victimology
10. an offender’s choice of location, tools, and actions taken are referred to as:
a. mo
b. motivation
c. crime scene characteristics
d. signature behaviors
14. if an offender’s computer reveals a large number of contacts, a good solution is:
a. to pass the contact information to local departments and have them contact the
individuals in person
b. to draft a simple form letter summarizing the investigation and listing the
suspects’ online nicknames and e-mail addresses, and request assistance
c. to reach out to each contact, using the offender’s computer and online personas
d. to determine what schools the contacts attend and have their principals call the
students and their parents in for consultation
15. one way that a digital examiner can reduce the likelihood of overlooking or
misinterpreting important details is:
a. to always work in pairs, so each examiner can check the other’s work
b. carefully apply the scientific method
c. videotape the entire examination process so that key areas can be reviewed
d. take verbal notes with a digital voice recorder
1. the internet enables sexual offenders to commit a crime without ever physically
assaulting a victim.
a. true
b. false
2. sex offender peer support groups can give offenders access to child pornography,
children, and technical knowledge.
a. true
b. false
3. generalizations regarding investigations are of particular use, even though cases tend to
be unique.
a. true
b. false
4. it is important to stress that sexual abuse and illegal pornography did not exist before the
internet.
a. true
b. false
5. “grooming” refers to the ways that a sexual offender gains control over victims.
a. true
b. false
6. because sex offenders tend to be nonviolent, investigators do not need to take the same
precautions when serving warrants on computer-related offenses as they would with other
crimes.
a. true
b. false
7. when dealing with online sexual offenders, it is critically important to take advantage of
the internet as a source of evidence.
a. true
b. false
9. confronting the victim with evidence of their abuse is standard practice in sex offender
cases.
a. true
b. false
10. the initial stage of any investigation is to determine if a crime has actually occurred.
a. true
b. false
11. the practice of private citizens luring offenders is not recommended for reasons of safety
and inadvertent violation of the law.
a. true
b. false
13. providing information about an offender’s method of approach, attack, or control may
help investigators interact with an offender or provide potential victims with protective
advice.
a. true
b. false
14. lanning identifies three general categories of sex offenders: situational, preferential, and
differential.
a. true
b. false
15. sex offenders do not change over time nor do they modify their behavior, simplifying the
investigative process.
a. true
1. discuss the responsibility of the digital investigator in bringing charges of sex offense
or possession of child pornography against a member of the local community.
answer guidance: the mere accusation, even as just “a person of interest,” can ruin
reputations that takes years to recover.
scenario
the local community you serve is very small, and you have known this individual most
of your professional life.
the cyber vigilante group has a reputation for notifying local police and waiting a few
days to hear of an arrest, and if they do not they take the information to the press and
complain that they notified the police and nothing was done.
prepare a briefing on the situation, to be given to your captain and the mayor. including a
few recommendations.
a common truth is that criminals tend to steal things of value. therefore, a company’s information
may be a target.
2. intruders who have a preferred toolkit that they have pieced together over time, with
distinctive features:
a. usually have little experience and are relying on the kit
b. show little initiative – letting the tool do the work
c. are generally more experienced
d. pose less of a threat
4. a computer intruder’s method of approach and attack can reveal a significant amount
about their:
a. skill level
b. knowledge of the target
c. intent
d. all of the above
9. capturing all of the network traffic to and from the compromised system can:
a. allow the network administrators to participate in the investigation, establishing
rapport for later interviews
b. reveal the source of the attack
c. seriously slow down the network, affecting normal work
d. none of the above
10. a common technique that is highly useful and can be applied in a computer intrusion
investigation is to simply focus on file system activities around the time of known events.
this embodies a principle known as:
a. temporal proximity
b. timeline analysis
c. file system analysis
d. temporal aggregation
12. when collecting data from a compromised computer, consideration should be given to
collecting the data first.
a. cmos
13. the forensic examiner needs to be aware that the process of collecting memory:
a. is seldom useful and not often called for
b. can take an extremely long period of time
c. is only needed for standalone systems
d. changes the contents of memory
14. a more thorough method of collecting specific volatile data from a computer is to:
a. examine the specific memory addresses live
b. collect the full contents of physical memory
c. selectively collect contents of physical memory
d. take screenshots.
15. why are “non-volatile” storage locations contained in the rfc 3227 “order of
volatility”?
a. this is an old rfc and has not been updated.
b. no form of data storage is permanent.
c. an rfc is a request for comments – and corrections are expected.
d. none of the above.
1. social engineering refers to any attempt to contact legitimate users of the target system
and trick them into giving out information that can be used by the intruder to break into
the system.
a. true
b. false
4. although new exploits are published daily, it takes skill and experience to break into a
computer system, commit a crime, and cover one’s tracks.
a. true
b. false
6. reverse social engineering is any attempt by intruders to have someone in the target
organization contact them for assistance.
a. true
b. false
10. gathering information about a system through the use of a port scanner is considered a
direct attack method.
a. true
b. false
11. “spear phishing” is an intrusion technique wherein mass e-mails that appear or claim to
be from a legitimate source request that the recipient follow instructions contained in the
e-mail.
a. true
b. false
12. the first step when investigating a computer intrusion incident is to determine if there
actually was one – there must be a corpus delicti.
a. true
b. false
13. investigating computer intrusions usually involves a small amount of digital evidence
from only a few sources.
a. true
b. false
15. examining a live system is prone to error, may change data on the system, and may even
cause the system to stop functioning.
a. true
b. false
1. discuss why computer intrusions are among the most challenging types of cybercrimes from a
digital evidence perspective.
answer guidance: every network is different; every computer intruder is different, with
different motivations.
2. discuss the difference between automated and dynamic modus operandi, including the kinds
of information to look for, and the value of conducting this kind of analysis.
answer guidance: while automated exploits are almost generic, analysis of dynamic mo may
reveal the choice of tools used in the intrusion, shedding light on a particular kind of offender
behavior.
scenario
you are participating in an intrusion investigation. the investigation has progressed to the point
where a suspect has been identified. a raid is planned on the suspect’s site, and you will be in
attendance to collect, preserve, and examine the intruder’s computer.
as part of the raid planning, you have been asked to prepare a plan detailing how you will
examine the intruder’s computers.
after preparing your plan, you will present it to the rest of the team in a planning meeting.
notes: this exercise is designed to get the student accustomed to developing planning
documents, and more importantly, to be able to articulate that plan to others of the team who
may not have the same level of expertise.
cyberstalking is a new variation to regular stalking. the internet has just provided another avenue.
1. the first state in the united states to enact a law to deal with cyberstalkers was:
a. texas
b. hawaii
c. california
d. new york
4. a stalker’s ability to frighten and control a victim increases with the amount of
information that he can gather, such as:
a. telephone numbers
b. addresses
c. personal preferences
d. all of the above
6. an implication from studies indicating that many stalkers had prior acquaintance with
their victims is that:
a. part of the blame can be assigned to the victim.
b. the offender is likely to be found in the same area as the victim.
c. investigators should pay particular attention to acquaintances of the victim.
d. investigators should always check the immediate family.
8. when a cyberstalking case is stalled, it is a good idea to interview the victim again,
because:
a. the victim might have been withholding information during the first interview.
b. the information that investigators have gathered might help the victim recall
additional details.
c. the time between the first and second interviews has given the victim time to
seek counseling.
d. none of the above.
9. in determining how and why the offender selected a specific victim, the investigator
should determine whether the cyberstalker:
a. knew the victim
b. learned about the victim through a personal web page
c. noticed the victim in a chat room
d. all of the above
12. that part of cyberstalking where the offender is using the internet to find a victim is
known as:
15. it is extremely important for the investigator to be extremely cautious when dealing with
a stalking case because:
a. if the victim becomes offended by the investigator’s methods, she is likely to go
file a complaint.
b. if the investigation is conducted too openly, the offender may stop the harassment
and move on to another victim.
c. the victim must be protected, in case the offender decides to escalate to
physical violence.
d. the victims frequently become emotionally attached to the investigator.
1. cyberstalking works in a completely different way than stalking in the physical world.
a. true
b. false
2. in general stalkers want to exert power over their victims in some way, primarily through
fear.
a. true
b. false
4. the internet contains a vast amount of personal information about people but it is
relatively difficult to search for specific items.
a. true
b. false
5. studies indicate that stalkers will always have prior acquaintance with their victims.
a. true
b. false
8. the first step in a cyberstalking investigation is to conduct the victimology and risk
assessment.
a. true
b. false
10. there is never correlation between the victim’s internet activities and physical
surroundings or real-world activities.
a. true
b. false
11. when searching for evidence of cyberstalking, it is useful to distinguish between the
offenders’ harassing behaviors and surreptitious monitoring behaviors.
a. true
b. false
12. the primary aim of the motivational stage of the investigation is to understand the
victim-offender relationship.
a. true
b. false
13. as part of the investigation, an investigator should ask why a particular stalker used the
internet.
a. true
b. false
14. investigators might not be able to define the primary crime scene clearly because digital
evidence is often spread all over the internet.
a. true
b. false
15. as part of the interview process, the investigator should tell the victim that the stalker
will cease harassing them when they’re no longer giving the desired response.
a. true
b. false
1. regardless of the type of investigation, investigators ask “who, what, when, where, and
why” questions. however, when dealing with cyberstalking victims, those questions
have to be asked tactfully, and without assigning blame.
prepare a set of initial questions and discuss how you would ask those questions to a
cyberstalking victim.
2. discuss how you would apply the concept of crime scene characteristics to a
cyberstalking case.
3. discuss how you would explain your risk assessment findings to the victim.
scenario
you have been contacted by a young woman complaining her ex-boyfriend is reading and
blocking her e-mail. in the course of your interview with the victim, she tells you that the e-mail
account is with aol, and it is actually registered to and paid for by the ex-boyfriend. it seems that
while they were together, he set up an account for her under his account.
describe how you would proceed with the investigation at this point.
a basic understanding of how computers operate and how data is stored is a fundamental skill
for forensic examiners. this includes understanding and controlling the boot process, recovering
data, and analyzing data.
most digital investigators use automated forensic tools; however, it is absolutely crucial that they
understand what these tools are doing. the best way to gain that understanding is by
experimentation. that would include creating a file and viewing the results, deleting the file and
viewing those results, using a low level hex editor, and carving data associated with the file into
a new one.
3. the storage capacity of a hard drive with 256 heads, 63 sectors, and 1024 cylinders is:
a. 8.4 gbytes
b. 7.8 gbytes
c. 8 gbytes
d. 9 gbytes
4. what can you do to determine the number of sectors on a hard drive larger than 8gb?
a. use a unix tool like hdparm
b. use a windows tools like encase
c. check the drive manufacturer’s website for the specific drive
d. all of the above
11. on intel-based computers, system date and time information is maintained in:
a. cmos
b. system.conf
c. mbr
d. boot record
13. which of the following are limitations to salvaging data through data carving?
a. file name and date-time stamps that were associated with the file are not salvaged.
b. the size of the original file may not be known, making it necessary to guess how much
data to carve out.
c. simple carving assumes all portions of the file were stored contiguously, and not
fragmented.
d. all of the above.
14. the boot sector in a fat volume contains all of the following information except:
a. partition table
b. the number of file allocation tables available
c. cluster size
d. volume label
15. in ntfs, an example of a file system feature that can be used to conceal data is:
a. setting the read/only attribute on the folder you want to protect
b. storing data in a hidden partition
2. by default, computers will boot from a floppy disk if one is present in the system.
a. true
b. false
4. hard drive settings stored in a computer’s cmos ram chip are always correct and
accurate.
a. true
b. false
5. the post verifies that all of the computer’s components are functioning properly.
a. true
b. false
7. the macintosh open firmware can be instructed to boot from a cd-rom by holding
down the “b” key.
a. true
b. false
8. the sun openboot prom can be interrupted by depressing the “stop” key.
a. true
b. false
9. although storage media come in many forms, hard disks are the richest sources of digital
evidence on computers.
a. true
10. digital forensics examiners do not need to be concerned about the distinction between
little-endian and big-endian representations because automated tools make the necessary
translation.
a. true
b. false
12. sectors are 557 bytes long but only 512 bytes are used to store data.
a. true
b. false
13. many digital forensics laboratories have the capability to recover overwritten data from a
hard drive.
a. true
b. false
15. the number of sectors on any hard drive is calculated by multiplying its chs values.
a. true
b. false
1. describe the main steps that your computer takes during the boot process from the time you press
the power switch to the first appearance of the operating system. why is this important to a
forensic examiner?
answer guidance: the main steps that a computer takes to boot up are: cpu reset → bios & post
(compare actual configuration with cmos settings) → locate boot disk (search order specified in
cmos) → load first sector of boot disk (mbr) into memory → load active operating system using
information in partition table.
2. what type of computer do you have and how do you interrupt the boot process to display the
cmos settings?
3. list four of the most important cmos settings of your computer. list two cmos settings that you
do not understand or that you think are unimportant.
note: winhex has a conversion table; under the view menu, select tables and then choose ansi ascii.
6. what is the storage capacity of a hard drive with 64 heads, 63 sectors, and 787 cylinders?
answer guidance: 64 × 63 × 787 = 3,173,184 sectors = 1,624,670,208 bytes = 1.5gb.
7. where is the partition table located on a hard drive, and what does it contain?
answer guidance: the partition table is located 446 bytes into the first sector of the drive and
contains information about each partition on the disk, including the first and last sectors.
8. how do you remove data from a hard drive to prevent it from being recovered (e.g., delete
partition table, reformat drive, delete files)?
answer guidance: although a low-level format effectively removes data from a drive, it can be
difficult to obtain tools to perform a low-level format for all types of disks. therefore it is more
practical to “wipe” the drive by overwriting sectors several times with certain patterns. for instance,
using unix, a drive can be effectively overwritten with zeros by running the command sequence ‘dd
if=/dev/zero of=/dev/hdb; sync’ three times. you should then verify that the wiping process was
successful by looking at the first, middle, and last sectors in a hex viewer. you can also verify that the
drive was wiped using the following unix command: ‘dd if=/dev/hdb | xxd | grep -v "0000 0000 0000
0000 0000 0000 0000 0000"’. this command should return nothing provided the drive only contains
zeros. overwriting is a reliable sanitization method for magnetic media only; flash-based drives
remap blocks internally, so sectors that dd never reaches may retain data.
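the same wipe-and-verify procedure, as an added example that is not part of the original text. it does in python what ‘dd if=/dev/zero’ followed by ‘xxd | grep -v’ does, with the check a practitioner actually wants: the sector number and byte offset of the first non-zero byte, so a partially failed wipe is located rather than merely reported. the scratch image created in the demo is constructed; point the functions at a scratch file or a disk you intend to sanitize, never at an evidence drive.

```python
"""Overwrite a disk (or disk image) with zeros and verify the result."""
import os
import tempfile

SECTOR = 512
CHUNK = 1 << 20  # 1 MiB per write/read; CHUNK % SECTOR == 0 keeps sectors aligned


def device_size(fh):
    """Size in bytes of a regular file or block device opened in binary mode.
    os.path.getsize() reports 0 for block devices, so seek to the end instead."""
    cur = fh.tell()
    fh.seek(0, os.SEEK_END)
    size = fh.tell()
    fh.seek(cur)
    return size


def wipe(path, passes=3, pattern=b"\x00"):
    """Overwrite every byte of `path` `passes` times with `pattern`.
    Flushes and fsyncs after each pass (the `; sync` in the dd sequence).
    Returns the number of bytes written per pass."""
    with open(path, "r+b") as fh:
        size = device_size(fh)
        block = (pattern * (CHUNK // len(pattern) + 1))[:CHUNK]
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(block[:n])
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def first_nonzero_sector(path):
    """Return (sector_number, byte_offset) of the first non-zero byte on
    `path`, or None if every byte is zero. Unlike `dd | xxd | grep -v`,
    this tells you *where* the wipe failed, not only that it did."""
    with open(path, "rb") as fh:
        offset = 0
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return None
            stripped = chunk.lstrip(b"\x00")
            if stripped:
                abs_off = offset + (len(chunk) - len(stripped))
                return (abs_off // SECTOR, abs_off)
            offset += len(chunk)


def wipe_and_verify(path, passes=3):
    """Wipe, then verify; True only if no non-zero byte survives."""
    wipe(path, passes)
    return first_nonzero_sector(path) is None


if __name__ == "__main__":
    # Constructed scratch image: 64 sectors of random data, not a real drive.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".img") as tmp:
        tmp.write(os.urandom(64 * SECTOR))
        target = tmp.name
    print("before wipe:", first_nonzero_sector(target))
    print("wipe ok:", wipe_and_verify(target))
    os.unlink(target)
```

the verify pass reads the whole device; spot-checking the first, middle and last sectors in a hex viewer, as the guidance suggests, is a sanity check, not a substitute for it.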
you suspect that the data carving tool you are using to recover deleted files from a hard drive is not
recovering all of the files that are available for recovery. how would you determine this limitation in the
tool and what would you do to resolve the problem?
computer technology continues to evolve rapidly but the fundamental components have
changed little. because processes at the top level have not changed rapidly, it is both
possible and reasonable to develop sops to be used in the field.
1. which of the following is not part of the set of forensic methodologies referenced in
this book?
a. preparation
b. interdiction
c. documentation
d. reconstruction
3. the forensic crime scene processing kit should include all of the following, except:
a. evidence bags, tags, and other items to label and package evidence
b. forensically sanitized hard drives to store acquired data
c. compilers for developing forensic tools on site
d. hardware write blockers
4. when processing the digital crime scene, one aspect of surveying for potential sources of
digital evidence is:
a. recognizing relevant hardware such as computers, removable media, etc.
b. determining if electrical wiring is capable of supporting forensic machines
c. confirming that the operating environment is suitable for electronic equipment
d. making sure there is sufficient space to set up the forensic crime scene processing
kit
6. when documenting a crime scene, the computer and surrounding area should be
photographed, detailed sketches should be made, and copious notes should be taken,
because:
9. a crime scene investigator decides to collect the entire computer. in addition, he decides
to collect all of the peripheral devices associated with that computer. what reason could
he give to justify this?
a. it is especially important to collect peripheral hardware related to the type of
digital evidence one would expect to find in the computer.
b. since the computer is being collected, the suspect has no need for the peripherals.
c. the presence of the peripheral devices is essential to imaging the suspect hard
drive.
d. none of the above.
10. according to the us federal guidelines for searching and seizing computers, safe
temperature ranges for most magnetic media are:
a. 60-80 degrees fahrenheit
b. 50-90 degrees centigrade
c. 50-90 degrees fahrenheit
d. 60-80 degrees centigrade
11. which of the following is not an artifact that will be irrevocably lost if the computer is
shut down?
a. running processes
12. which of the following is not one of the recommended approaches to preserving digital
evidence?
a. place the evidential computers and storage media in secure storage for later
processing.
b. preview the evidential computer, taking appropriate notes.
c. extract just the information needed from evidential computers and storage media.
d. acquire everything from evidential computer and storage media.
13. the reason unix “dd” is considered a de facto standard for making bitstream copies is:
a. the majority of tools for examining digital evidence can interpret bitstream
copies.
b. “dd” stands for “digital data” and was developed for making forensic copies.
c. “dd,” although a unix tool, is universally able to traverse windows file systems.
d. the developers of “dd” have made arrangements with other forensic software
companies.
14. regarding the examination of a piece of digital evidence, which of the following is not
one of the fundamental questions that need to be answered?
a. what is it (identification)?
b. what classifications distinguish it?
c. where did it come from?
d. what is its value?
15. the file signature of a microsoft word document is an example of what type of
characteristic?
a. an individual characteristic
b. a class characteristic
c. an intermediate characteristic
d. a medial characteristic
1. since computer seizures usually happen pretty much the same way, there is no real need
to do any pre-planning.
a. true
b. false
2. if possible, prior to entering a crime scene, it is useful to try and determine what kind of
computer equipment to expect.
a. true
b. false
3. a forensic crime scene processing kit should contain quantities of those items used to
process computer equipment.
a. true
b. false
4. when surveying the crime scene for hardware, the investigator should focus on the
computer systems since that is where most of the important evidence will be.
a. true
b. false
5. chain of custody documents record who handled the evidence, when, where, and for
what purpose.
a. true
b. false
7. the severity and the category of cybercrime largely determine how much digital evidence
is collected.
a. true
b. false
8. under independent component doctrine, if a computer system must remain in place but it
is necessary to take the original hard drive, a reasonable compromise is to duplicate the
9. at a crime scene, digital evidence will be found on the computer, on mobile devices, and
on shelves, bookcases, and the area surrounding the computer. therefore, there is no
need to search the garbage for evidence.
a. true
b. false
10. when a computer is to be moved or stored, evidence tape should be put around the main
components of the computer in such a way that any attempt to open the casing or use the
computer will be evident.
a. true
b. false
11. the updated acpo recommendation for seizing a running computer is to pull the
electrical cord from the back of the computer.
a. true
b. false
12. a sound forensic practice is to make at least two copies of digital evidence and to
confirm that at least one of the copies was successful and can be accessed on another
computer.
a. true
b. false
13. given the risks of collecting a few files only, in most cases it is advisable to preserve the
full contents of the disk.
a. true
b. false
14. computers used to store and analyze digital evidence should be connected to the internet,
so that online research can be conducted.
a. true
b. false
answer guidance: class characteristics are generally true for a particular object. individual
characteristics are how that object has been changed by the user.
2. you have arrived at a crime scene containing one computer, one printer, connecting cables,
connection to a phone line, and a shelf above the computer containing books, user manuals, and
printouts.
would you seize the computer? if so, would you seize the printer?
project
research and report on the origins and both the intended and unintended uses of the unix program
“dd.”
chapter guide
the windows environment is complex and poses a number of challenges for the forensic
examiner (fe). some issues include:
the forensic examiner must constantly strive to be current with new developments (such as
cloud computing) in hardware and software.
file systems
windows supports a variety of file systems. floppy disks are formatted fat12 (each entry in the
fat is 12 bits). hard drives may be formatted fat16, fat32, or ntfs. the fe must be sufficiently
familiar with all supported file systems so that inconsistencies can be recognized.
for fat-based file systems, three data structures are created during the formatting process: a boot
sector, two fats (file allocation tables), and a root directory. (the mbr, master boot record, and its
partition table are written by the partitioning tool, not by formatting; a floppy disk has none.) when
the os receives a request to open a particular file, it first searches the root directory and path to
locate the file name. if successful, it reads other significant information stored in the file’s
directory entry, namely the file size (in bytes) and starting cluster. the os retrieves the data from
the specified cluster and checks the file size parameter to see if the file is larger than one cluster.
if it is, the os checks the fat for the next cluster number and loads the data stored at that location.
this procedure continues until the last of the file data is read, which the fat signals with an
end-of-chain marker in the last cluster’s entry. the fat and directory entry are updated when the
file is changed or deleted. data can be hidden in a variety of places including the directory
structure, unused areas of the fat, between the end of file data and the cluster boundary (file
slack), and unallocated space.
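the cluster-chain walk described above, as an added example that is not from the original text. it packs a small constructed fat12 table (the 12-bit entry layout used on floppy disks), follows a file’s chain from the starting cluster in its directory entry until the end-of-chain marker, compares the chain length with what the recorded file size implies, and computes the file slack. the sample table, cluster size and file sizes are assumptions for illustration; a real examiner reads the fat from the volume.

```python
"""Walk a FAT12 cluster chain the way the OS does when opening a file."""

FAT12_EOC = 0xFF8   # entries >= 0xFF8 mark the last cluster of a file
FAT12_BAD = 0xFF7   # bad-cluster marker


def fat12_entry(fat, cluster):
    """Read the 12-bit FAT entry for `cluster` from the packed FAT bytes.
    Two entries share three bytes; odd clusters take the high 12 bits."""
    off = cluster + cluster // 2          # cluster * 1.5
    word = fat[off] | (fat[off + 1] << 8)
    return (word >> 4) if cluster & 1 else (word & 0x0FFF)


def pack_fat12(entries):
    """Pack a list of 12-bit values into FAT12 byte layout. Used only to
    build the constructed sample table below."""
    out = bytearray((len(entries) * 3 + 1) // 2 + 1)
    for c, val in enumerate(entries):
        off = c + c // 2
        word = out[off] | (out[off + 1] << 8)
        if c & 1:
            word = (word & 0x000F) | ((val & 0xFFF) << 4)
        else:
            word = (word & 0xF000) | (val & 0xFFF)
        out[off] = word & 0xFF
        out[off + 1] = (word >> 8) & 0xFF
    return bytes(out)


# Constructed sample FAT (assumption, not real disk data):
#   clusters 2->3->4->EOC   file A, contiguous
#   cluster  5 = free       a deleted file's former first cluster
#   clusters 6->8->7->EOC   file B, fragmented (cluster 8 precedes 7 in the chain)
SAMPLE_FAT = pack_fat12([0xFF0, 0xFFF, 3, 4, 0xFFF, 0, 8, 0xFFF, 7])
CLUSTER_SIZE = 512   # one sector per cluster, as on a 1.44 MB floppy


def walk_chain(fat, start, max_clusters=1 << 16):
    """Return the list of clusters a file occupies, following the FAT from
    `start`. Raises ValueError on a free/bad entry or a loop, both of which
    mean the chain is corrupt or the file has been deleted."""
    chain, seen, cur = [], set(), start
    while cur < FAT12_EOC:
        if cur < 2 or cur == FAT12_BAD or cur in seen or len(chain) >= max_clusters:
            raise ValueError("corrupt chain at cluster %d" % cur)
        seen.add(cur)
        chain.append(cur)
        cur = fat12_entry(fat, cur)
    return chain


def clusters_needed(file_size, cluster_size):
    return (file_size + cluster_size - 1) // cluster_size


def slack_bytes(file_size, cluster_size):
    """Bytes between the end of file data and the end of its last cluster."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


def check_file(fat, start_cluster, file_size, cluster_size):
    """Cross-check the directory entry (size, start) against the FAT chain."""
    chain = walk_chain(fat, start_cluster)
    expected = clusters_needed(file_size, cluster_size)
    return {"chain": chain, "expected": expected,
            "slack": slack_bytes(file_size, cluster_size),
            "fragmented": chain != list(range(chain[0], chain[0] + len(chain))),
            "consistent": len(chain) == expected}


def contiguous_guess(start, file_size, cluster_size):
    """What recovery must assume once a deleted file's FAT entries are zeroed:
    the data ran contiguously from the start cluster kept in the directory entry."""
    return list(range(start, start + clusters_needed(file_size, cluster_size)))


if __name__ == "__main__":
    print("file A:", check_file(SAMPLE_FAT, 2, 1300, CLUSTER_SIZE))
    print("file B:", check_file(SAMPLE_FAT, 6, 1400, CLUSTER_SIZE))
    print("deleted file (entry says start 5, 600 bytes):",
          contiguous_guess(5, 600, CLUSTER_SIZE))
```

the deleted-file case shows why the first cluster and the size survive in the directory entry while the chain does not: cluster 5 is free, so the only recovery option is to assume contiguity, and the guessed second cluster (6) already belongs to file B.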
ntfs uses a different method, storing file information in the master file table (mft), with directory
indexes kept in b-tree structures (a b-tree is a multi-way balanced tree, not a binary tree). deleted
files may be more difficult to recover because ntfs creates mft entries as needed and reuses freed
entries before creating new ones, making it more likely that a new file will overwrite the entry of
a deleted one. the data may be intact, but the file system references may be lost.
in those cases where a large number of drives must be examined for specific information, the
results of keyword searching will indicate which drives contain relevant information. winhex
forensic, encase, disksearch pro, and linux have the capability to search for keywords.
when notable data is found, that media becomes evidence and must be “acquired” – that is,
copied completely. there must be a reliable method of verifying that the original and the copies
are identical. cryptographic hash algorithms such as md5 and sha-256 are accepted as reliable
methods for determining whether two blocks of data (file, drive, etc.) are identical; because md5
collisions can now be constructed deliberately, record a sha-256 (or stronger) digest alongside any
md5 value. safeback, winhex forensic, encase, forensic toolkit (ftk), snapback dataarrest, and byte
back all employ integrity checks to assure that copies are identical to the original, to the bit level.
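the integrity check the tools above perform, as an added example that is not the page’s or any vendor’s code. it hashes the original and the copy in fixed-size chunks (so a multi-gigabyte image never has to fit in memory), computes md5 and sha-256 in the same pass, and, when the digests differ, reports the byte offset of the first difference, which is what you need to tell a truncated copy from a bad sector or a modified copy. file names in the demo are assumptions.

```python
"""Verify that a forensic copy is bit-for-bit identical to the original."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, all digests computed in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def first_difference(original, copy):
    """Byte offset where the two files first differ, or None if identical.
    A truncated copy differs at offset == its own length."""
    with open(original, "rb") as a, open(copy, "rb") as b:
        offset = 0
        while True:
            ca, cb = a.read(CHUNK), b.read(CHUNK)
            if ca == cb:
                if not ca:          # both at EOF, nothing differed
                    return None
                offset += len(ca)
                continue
            n = min(len(ca), len(cb))
            for i in range(n):
                if ca[i] != cb[i]:
                    return offset + i
            return offset + n       # identical up to the shorter length


def verify_copy(original, copy):
    """Hashes of both files, whether every digest matches, and where they diverge."""
    h_orig, h_copy = hash_file(original), hash_file(copy)
    match = all(h_orig[k] == h_copy[k] for k in h_orig)
    return {"match": match, "original": h_orig, "copy": h_copy,
            "first_difference": None if match else first_difference(original, copy)}


if __name__ == "__main__":
    # Constructed demo images (assumed names), not real evidence.
    d = tempfile.mkdtemp()
    orig, dup = os.path.join(d, "evidence.dd"), os.path.join(d, "evidence-copy.dd")
    payload = bytes(range(256)) * 64
    for p in (orig, dup):
        with open(p, "wb") as fh:
            fh.write(payload)
    print("identical:", verify_copy(orig, dup)["match"])
    with open(dup, "r+b") as fh:     # flip one byte in the copy
        fh.seek(4096)
        fh.write(b"\xff")
    print("after tamper:", verify_copy(orig, dup))
```

record the digests in the chain-of-custody notes at acquisition time; a later hash that matches proves the copy is still the one that was verified, not that the acquisition itself was correct.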
data recovery
although automated tools exist for recovering data, the fe must understand the fundamental
underlying principles. knowing how to manually recover damaged fats and directories requires a
level of understanding sufficient to enable the fe to explain the relevant processes to the court.
deleted directory recovery is more complex. on windows, encase, ftk, and winhex/x-ways
forensics can recover files and directories for fat and ntfs. on unix, smart and the sleuth kit can
recover files and directories for fat and ntfs. another method for data recovery is called “file
carving” and consists of examining raw data, usually in unallocated space (and in slack space),
locating the beginning and end of a file by its signature, and “carving” this block of data out to a
separate file, with the proper extension. the file is then examined with the appropriate
application.
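header/footer carving over raw data, as an added example that is not from the original text and that also shows the limitation behind the earlier exercise on a carving tool that misses files. it scans a buffer for the jpeg start marker (ff d8 ff) and end marker (ff d9) and carves each candidate out. the buffer is constructed: one contiguous “file” and one split into two fragments with an unrelated cluster in between, so the second carve is the wrong size and contains foreign data, which is exactly the contiguity assumption the text warns about. only marker bytes and filler are used; no real image data.

```python
"""Simple signature-based (header/footer) file carving and its failure mode."""

JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"
MAX_CARVE = 8 * 1024 * 1024   # cut-off when no footer is found (size unknown)


def carve_jpegs(data, max_size=MAX_CARVE):
    """Return a list of (offset, bytes) for every header found. Simple carving
    assumes the file runs contiguously from header to the next footer; when no
    footer appears within max_size the carve is cut at max_size. The carved
    bytes carry no file name and no date-time stamps: those live in the
    directory entry, not in the data."""
    carved, pos = [], 0
    while True:
        start = data.find(JPEG_HEADER, pos)
        if start < 0:
            break
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end < 0 or end + len(JPEG_FOOTER) - start > max_size:
            end = min(start + max_size, len(data))
        else:
            end += len(JPEG_FOOTER)
        carved.append((start, data[start:end]))
        pos = start + len(JPEG_HEADER)   # keep scanning past this header
    return carved


def build_sample(cluster=512):
    """Constructed unallocated-space buffer (not real disk data).
    Layout: [file A + cluster padding][file B part 1][unrelated cluster][file B part 2]
    Returns the buffer plus the true contents of A and B for comparison."""
    file_a = JPEG_HEADER + b"A" * 300 + JPEG_FOOTER      # fits in one cluster
    b_part1 = JPEG_HEADER + b"B" * (cluster - 3)        # first cluster of B
    b_part2 = b"B" * 100 + JPEG_FOOTER                  # rest of B, stored later
    other = b"X" * cluster                              # some other file's cluster
    buf = file_a.ljust(cluster, b"\x00") + b_part1 + other + b_part2
    return buf, file_a, b_part1 + b_part2


if __name__ == "__main__":
    buf, true_a, true_b = build_sample()
    for off, blob in carve_jpegs(buf):
        print("offset %5d: carved %4d bytes, footer present: %s, foreign data: %s"
              % (off, len(blob), blob.endswith(JPEG_FOOTER), b"X" in blob))
    print("file A recovered exactly:", carve_jpegs(buf)[0][1] == true_a)
    print("file B recovered exactly:", carve_jpegs(buf)[1][1] == true_b)
```

to tell whether a tool is missing files, run an independent header scan like this one over the same unallocated space and compare the header offsets it finds with what the tool reports; carves that contain a second header, or that end at max_size, are the fragmented or footer-less cases a simple carver cannot reassemble.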
passwords may be at the bios, os, and individual application level. the fe should have the resources
available to overcome them at any level.
encryption is another issue the fe must deal with. there are many levels of encryption, some
much more secure than others. in the case where the level of encryption is measured in millions
log files
no matter how incriminating the data found on a computer, it is necessary for the fe to associate
that data with a suspect. there are many instances where the defense could argue that “anyone”
could have accessed the target system. log files are used by the fe to attempt to determine who
was responsible for creating a particular piece of evidence.
windows 9x/me do not maintain log files. windows nt/2000/xp have the capability of
logging a great deal of information, but have to be configured in advance to do so. objects
tracked can include login/out (both successes and failures), user activities, internet access,
significant events, and other information. log analysis is a critical skill for the fe.
registry
windows stores configuration and usage information in the registry. regedit and regedt32 are
tools to view and modify the windows registry. among other useful things to be gleaned from the
registry is the use of removable drives. if working with a live system at the crime scene, the fe
would examine the registry for references to external storage devices.
internet traces
systems connected to the internet usually contain a wide variety of relevant data. websites
visited, e-mails, internet cache, temporary internet files, chat room logs, newsgroups accessed,
and files downloaded are all examples of the types of data that would be of interest to an fe.
© 2011 Elsevier Inc. All rights reserved. Page 135
- web browsing
the date-time stamp of an internet cache file corresponds to the date and time that the
web page was viewed. correlate this with the date-time stamp of files downloaded to
determine the origin of such files. browsers maintain a database of sites visited that
remains intact when the cache files are deleted. this database (netscape.hst for
netscape and index.dat for internet explorer) can be mined for a wealth of
information. tools exist to display the contents in a usable format. the ubiquitous
“cookies” that websites push onto a system may also provide useful information
about what sites were visited and when.
- usenet access
usenet readers store all the urls that have been accessed, as well as which usenet
newsgroups have been accessed and joined. considerable information can be derived
from this data.
e-mail contents and header information can provide the fe with a great deal of
information. it is necessary to have software that can read various proprietary e-mail
formats and mime encoded message attachments. the e-mail header information is
frequently “spoofed,” however, and the intermediate jumps that the e-mail packets
took along the way can provide the fe with useful investigative leads.
- other applications
internet messengers such as aol im, yahoo! pager, and others are a good source for
investigative leads. peer-to-peer file sharing programs may retain information on the
hosts visited. irc and other chat clients may retain logs but only if configured to do
so.
- network storage
indicators of remote storage are definitely of interest to the fe. with the proliferation of
wireless home networks, it is conceivable that a suspect might be using his
unsuspecting neighbor’s wireless network to store pornographic images. file backup
sites exist on the internet. for that matter, the suspect’s isp may provide storage space
for its customers. a search for the presence of file transfer programs may provide
indicators of where such storage might be located. it is advisable to obtain the
requisite legal permissions before accessing remote storage sites.
program analysis
there are times when a controlled experiment with a malicious program may provide insights on
where to look for evidence on a case system. recreating an intrusion on a test system will
provide log entries, which can then be sought on the actual system. analysis can be
accomplished by:
1. which of the following issues is not one that a forensic examiner faces when dealing
with windows-based media?
a. invasive characteristics of the windows environment
b. the facility in the standard windows environment for mounting a hard drive
as read-only
c. the location, organization, and content of windows system log files
d. available methods for recovering data from windows media
3. the standard windows environment supports all of the following file systems except
____.
a. fat16
b. ext2
c. fat32
d. ntfs
a. logically
6. which of the following software tools is not used for data recovery?
a. winhex (x-ways) forensic
b. encase
c. ftk
d. safeback
7. you find the following deleted file on a floppy disk. how many clusters does this file
occupy?
a. 200
b. 78
c. 39
d. 21
10. when examining the windows registry key, the “last write time” indicates:
a. the last time regedit was run
b. when a value in that registry key was altered or added
c. the current system time
d. the number of allowable changes has been exceeded
15. when examining the “news.rc,” you find the following entry:
alt.binaries.hacking.utilities! 1-8905,8912,8921,8924,8926,8929,8930,8932
1. given their widespread use and simple structure, fat file systems are a good starting
point for forensic analysts to understand file systems and recovery of deleted data.
a. true
b. false
2. usenet readers store all the urls that have been accessed, but do not record which
usenet newsgroups have been accessed and joined.
a. true
b. false
4. with the correct cmos setting, it is possible to mount a hard drive as read-only in the
windows environment.
a. true
b. false
5. encase provides the means to create a windows evidence acquisition boot disk to
allow for network acquisition of an evidence drive.
a. true
b. false
7. ntfs time represents time as the number of 100-nanosecond intervals since january 1,
1601 00:00:00 utc.
a. true
b. false
8. in fat32 file systems both the directory and fat entries are updated when a file is
deleted.
a. true
b. false
9. encase can recover deleted files but does not have the capability of recovering deleted
directories.
a. true
b. false
10. in the windows environment, simply opening a file to read, without writing it back to
disk, can change the date-time stamp.
a. true
b. false
11. in ntfs, when a file is deleted from a directory, the last modified and accessed date-time
stamps of the parent directory listing are updated.
a. true
b. false
12. the md5 hashing algorithm is no longer considered to be a reliable method for
determining whether two blocks of text are identical.
a. true
b. false
13. a forensic examiner would use logical access to examine media if the file and directory
structures were to be analyzed.
a. true
b. false
14. “file carving” is an examination technique where the beginning and end of a file are
located, and the block of data spanning the two locations is copied to a new file, with the
appropriate extension.
a. true
b. false
15. just like windows nt, windows 98 has event logs that record system activities.
a. true
b. false
for each of the following questions, develop discussion notes and be prepared to discuss your
findings.
1. is it necessary for forensic examiners to understand how data is stored by various types of
file systems? explain why or why not. support your answer with examples.
2. when examining evidence media, is it necessary to use the same operating system used
on the original? explain why or why not. support your answer with examples.
3. is the data-time stamp of various file system objects significant in the analysis of
evidentiary media? explain why or why not. support your answer with examples.
scenario
you are the digital forensic examiner at a pre-trial session with the judge and opposing counsel.
you have been asked to explain the various methods that data is stored and erased in the
windows environment. your discussion should include concepts such as slack space,
unallocated space, the sequence of events that take place when a file is deleted, and any other
points that you deem important. keep in mind that you must prepare your discussion in terms
that non-technical people can understand.
chapter guide
various permutations of unix (solaris, aix, hp-ux) have been around for over 30 years. it is an
extremely stable, powerful multi-user environment with built-in support for networking.
because some of the variants have been made available under open source agreements (linux,
openbsd, freebsd), startup implementation costs have been minimized. in addition, a great deal
of software has also been released under open source agreements, providing a wide range of
low-cost applications and making unix implementations very popular, especially for e-commerce,
information security, and digital forensics. the apache web server, which comes with most linux
distributions, is one of the most widely used web servers on the internet.
the unix environment makes a large portion of system information such as configuration files
and system logs readily available. this is unix’s greatest strength and its greatest weakness.
file systems
unix supports several file systems such as ufs (unix file system), ext2 and ext3 (extended file
system 2 and 3), and reiserfs. they all have similar structures for managing the file system. each
unix partition is divided into block groups (called “cylinder groups” in ufs). each block group
contains, among other things, an inode (index node) table, whose entries represent either
directories or files. a directory inode points to data blocks that hold the names of the files and
subdirectories it contains, paired with their inode numbers. a file inode contains all of the file’s
metadata except its name (i.e., owner/group id, permissions, file type, date-time stamps,
link count, file size in bytes, data block numbers); the block numbers point to the actual
data. in addition to data, each block group contains duplicates of critical file system
components, namely the superblock and group descriptors, to facilitate recovery if the primary
copy is damaged. the superblock contains information about the file system such as block size,
number of blocks per block group, the last time the file system was mounted, the last time it was
written to, and the location of the root directory inode.
ext2 and ext3 inodes add another time to the mac (modified, accessed, created) times referenced
in the chapter on windows systems: the deletion time (dtime). if a file or directory has not been
deleted, dtime holds its default value of zero, which in unix epoch time (the number of seconds
since january 1, 1970, 00:00:00 utc) is the epoch itself.
unix ctime is not equivalent to ntfs creation time. in unix, a change (ctime) records the last
alteration of a file’s inode (permissions, ownership, link count, and so on), whereas a
modification (mtime) records the last alteration of the file’s contents.
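the two timestamp conventions discussed above (ntfs filetime, counted in 100-nanosecond intervals since 1601, and unix epoch seconds since 1970) and the ctime/mtime distinction are easy to get wrong in a timeline, so here is a small worked example. it is an added illustration written for this guide, not code from the textbook or any forensic tool; the file names, the 2011-01-01 instant used as a back-dated mtime, and the scratch directory are constructed for the demonstration, and the mac-time behaviour shown is that of a unix file system (on windows, os.stat's st_ctime means creation time instead).

```python
import os
import stat
import tempfile
import time
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals from 1601-01-01 00:00:00 UTC;
# Unix time counts seconds from 1970-01-01 00:00:00 UTC. The epochs are
# 11,644,473,600 seconds apart.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_DELTA_SECONDS = 11_644_473_600
INTERVALS_PER_SECOND = 10_000_000


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an NTFS/FILETIME value to a timezone-aware UTC datetime."""
    # // 10 turns 100 ns intervals into microseconds, datetime's finest unit
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def filetime_to_unix(filetime: int) -> float:
    """Convert FILETIME to Unix epoch seconds (fractional seconds preserved)."""
    return filetime / INTERVALS_PER_SECOND - EPOCH_DELTA_SECONDS


def unix_to_filetime(unix_seconds: float) -> int:
    """Convert Unix epoch seconds to FILETIME."""
    return int(round((unix_seconds + EPOCH_DELTA_SECONDS) * INTERVALS_PER_SECOND))


def demonstrate_mac_times() -> dict:
    """Show which Unix timestamps move for a metadata change versus a rename.

    A constructed sample file is created in a scratch directory, its mtime is
    pushed into the past, then a permission change and a rename within the
    same volume are applied. Returns booleans describing which stamps moved.
    Assumes Unix semantics for st_ctime (inode change time).
    """
    past = 1_293_840_000  # 2011-01-01 00:00:00 UTC, an arbitrary past instant
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "evidence.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.utime(path, (past, past))                  # back-date atime and mtime
        before = os.stat(path)
        time.sleep(0.05)                              # make the next ctime distinguishable
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # inode change only: ctime moves
        after_chmod = os.stat(path)
        time.sleep(0.05)
        moved = os.path.join(scratch, "renamed.txt")
        os.rename(path, moved)                        # move within the volume: ctime moves
        after_rename = os.stat(moved)
    return {
        "mtime_unchanged_by_chmod": after_chmod.st_mtime == before.st_mtime == past,
        "ctime_updated_by_chmod": after_chmod.st_ctime_ns > before.st_ctime_ns,
        "mtime_unchanged_by_rename": after_rename.st_mtime == past,
        "ctime_updated_by_rename": after_rename.st_ctime_ns > after_chmod.st_ctime_ns,
    }


if __name__ == "__main__":
    print(filetime_to_datetime(129_383_136_000_000_000))  # 2011-01-01 00:00:00+00:00
    print(filetime_to_unix(116_444_736_000_000_000))      # 0.0, the Unix epoch
    print(demonstrate_mac_times())
```

the rename result is the point behind review question 9 below: moving a file within a volume rewrites its inode and so updates ctime while leaving mtime (the content stamp) alone.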
when a file is deleted, its directory entry is hidden and the associated inode is marked as
available. the directory entry and data remain on the disk until they are overwritten and,
therefore, may be recoverable.
linux has a number of features that make it an ideal choice for forensic examinations:
- a great many utilities useful for conducting forensic examinations come with the standard
distribution (dd, md5sum, grep).
- the shell pipe (“|”) allows the output of one tool to be “piped” as input to another tool. a
single command line may move data through several tools and into a final text file.
- linux supports a variety of file system types, facilitating the examination of foreign file
systems.
- linux permits direct access to devices and may allow data to be recovered that would not be
accessible through the file system.
- linux is open source, with its inherent support base.
- there exists a large body of third-party tools suitable for conducting forensic examinations.
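the dd/md5sum pipeline mentioned in the list above has two details worth seeing in code: an unreadable sector must not abort the copy, and the zero-filled substitute must keep every later byte at its original offset so the image still lines up with the disk (dd's conv=noerror,sync). the following is an added example written for this guide, not code from the textbook or from dd; the FlakyDevice class, the 4096-byte sample disk and its bad block number 3 are constructed stand-ins for a real device node.

```python
import hashlib
import io

BLOCK_SIZE = 512


class FlakyDevice:
    """Constructed stand-in for a raw block device with unreadable sectors.

    A read that lands on a block listed in bad_blocks raises OSError(EIO), as a
    failing disk does; everything else behaves like a seekable file.
    """

    def __init__(self, data: bytes, bad_blocks, block_size: int = BLOCK_SIZE):
        self.data = data
        self.bad_blocks = set(bad_blocks)
        self.block_size = block_size
        self.pos = 0

    def read(self, n: int) -> bytes:
        if self.pos // self.block_size in self.bad_blocks:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def seek(self, offset: int) -> None:
        self.pos = offset


def image_stream(src, dst, block_size: int = BLOCK_SIZE) -> dict:
    """Bit-stream copy src to dst, like `dd conv=noerror,sync` piped into md5sum.

    An unreadable block is replaced by zeros of the same size so the image keeps
    the source offsets (sync), and copying continues (noerror). MD5 and SHA-1 are
    computed over the image exactly as written.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    offset, written, bad = 0, 0, []
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad.append(offset // block_size)
            chunk = b"\x00" * block_size
            offset += block_size
            src.seek(offset)                  # step over the unreadable block
        else:
            if not chunk:
                break
            offset += len(chunk)
            if len(chunk) < block_size:       # sync: pad a short final read
                chunk = chunk.ljust(block_size, b"\x00")
        dst.write(chunk)
        md5.update(chunk)
        sha1.update(chunk)
        written += len(chunk)
    return {"bytes_written": written, "bad_blocks": bad,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_image(stream, block_size: int = 1 << 20) -> dict:
    """Independently re-hash an image: the md5sum/sha1sum step after acquisition."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(block_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


# Constructed 8-block "device" (4096 bytes); block 3 cannot be read.
SAMPLE_DATA = bytes(range(256)) * 16
BAD_BLOCKS = [3]


def expected_image() -> bytes:
    """What a correct noerror,sync acquisition of the sample device must contain."""
    start, stop = 3 * BLOCK_SIZE, 4 * BLOCK_SIZE
    return SAMPLE_DATA[:start] + b"\x00" * BLOCK_SIZE + SAMPLE_DATA[stop:]


def run_demo() -> tuple:
    """Acquire the sample device into memory and verify its hash independently."""
    image = io.BytesIO()
    result = image_stream(FlakyDevice(SAMPLE_DATA, BAD_BLOCKS), image)
    verification = hash_image(io.BytesIO(image.getvalue()))
    return result, image.getvalue(), verification


if __name__ == "__main__":
    result, image, verification = run_demo()
    print(result)
    print("verification matches:", verification["md5"] == result["md5"])
```

the list of bad blocks belongs in the acquisition notes: a hash of the image will never match a hash of the original device when sectors were unreadable, and the examiner must be able to explain why.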
data recovery
unix file systems, unlike dos/windows, do not yield useful slack space: on linux the unused tail of
a file’s last block is zero-filled when the block is written, so the data area either contains current
data or is unallocated. deleted data is treated as unallocated space. unix attempts to reuse
existing inodes before allocating new ones, so there is an increased likelihood that the metadata
of a deleted file is lost quickly.
unix-based tools
windows-based tools
in the windows arena, there are a few forensic examination software tools that can recover
deleted unix files.
- encase can recover deleted file data, placing it all in a “lost files” area; however, it does
not currently reference recovered data by inode number or recover deleted directory entries.
- ftk can recover deleted files and directories from ext2, placing them in an area called “[orphan]”.
software tools that can be used for recovering file data directly from data blocks include:
- foremost – this open source program (hosted on sourceforge.net) can recover unfragmented files by
searching for file signature headers and footers and copying the data between them, inclusive, into
sequentially numbered files with the appropriate extension.
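the header/footer technique that foremost (and the “file carving” definition in the windows review questions above) relies on is short enough to show in full. the example below is an added illustration written for this guide, not foremost’s own code; the signature table, the 10 mb size cap and the sample “unallocated space” (two intact images, a jpeg whose tail was overwritten, and filler between them) are constructed for the demonstration.

```python
import os

# Header/footer signature pairs, as a foremost-style configuration lists them.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF8", b"\x00;"),
}
MAX_CARVE_SIZE = 10 * 1024 * 1024   # cap applied when no footer is found


def carve(data: bytes, signatures=SIGNATURES, max_size=MAX_CARVE_SIZE) -> list:
    """Find header/footer pairs in raw bytes; return (start, end, ext, truncated).

    Only contiguous runs are recovered, exactly as foremost works: a fragmented
    file is carved as garbage or not at all. A header with no footer within
    max_size is carved up to max_size and flagged as truncated.
    """
    hits = []
    for ext, (header, footer) in signatures.items():
        pos = 0
        while (start := data.find(header, pos)) != -1:
            window_end = min(len(data), start + max_size)
            end = data.find(footer, start + len(header), window_end)
            if end == -1:
                hits.append((start, window_end, ext, True))
                pos = start + len(header)       # keep scanning for the next header
            else:
                end += len(footer)               # footer is part of the file
                hits.append((start, end, ext, False))
                pos = end
    return sorted(hits)


def carve_to_files(data: bytes, outdir: str) -> list:
    """Write each carved object to outdir as NNNNNNNN.ext; return the file names."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for n, (start, end, ext, _truncated) in enumerate(carve(data)):
        name = os.path.join(outdir, f"{n:08d}.{ext}")
        with open(name, "wb") as fh:
            fh.write(data[start:end])
        names.append(name)
    return names


# Constructed "unallocated space": an intact JPEG and PNG, then a JPEG whose
# remainder was overwritten (header present, footer gone).
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-sample-scanlines" * 3 + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
SAMPLE_UNALLOCATED = (b"\x00" * 64 + b"old shell history fragment " + FAKE_JPEG
                      + b"\x00" * 100 + FAKE_PNG + b"\x00" * 32
                      + b"\xff\xd8\xff\xe1" + b"partial header, rest overwritten"
                      + b"\x00" * 16)


if __name__ == "__main__":
    for start, end, ext, truncated in carve(SAMPLE_UNALLOCATED):
        print(f"{ext} at {start}-{end}{' (truncated)' if truncated else ''}")
```

a carved object is only a candidate: the truncated hit above would be reported by foremost as a file of the maximum size, and anything with a valid header but a footer belonging to a different file (two jpegs interleaved by fragmentation) opens as garbage. validate carved output by opening it, not by extension.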
although it is possible to connect pcs into “beowulf clusters,” essentially arrays of parallel
processing units, strong encryption would still require months, years, decades, or even longer to
be broken. the forensic examiner seldom has the luxury of that much time.
an understanding of how encryption is typically conducted can lead to the unencrypted data.
for example, if a file is encrypted, then two copies exist. if the plaintext copy is just deleted, it
may be recovered.
hashed log-on passwords (the hashes in /etc/passwd or /etc/shadow) can be recovered using
dictionary and brute-force password-guessing programs like crack and john the ripper. booting
into single-user mode and modifying the password file can allow access in multi-user mode.
log files
virtually every system event, including log-on and log-off, is logged somewhere in one or more
system logs, depending on how the system is configured. log analysis tools are available to
correlate various log entries when reconstructing system events.
data remnants can be found in the data area or in swap space. print spoolers and other
applications create recoverable temporary files. as stated earlier, the deleted plaintext version of
an encrypted file may be recoverable. mac (modify, access, create) and deleted times can be
recovered. the examiner uses this information to reconstruct system events, and create activity
charts and a variety of other relevant information. (see pp. 311-315 for further information and
examples.)
internet traces
unix is first and foremost a networking environment and there are many applications for
connecting to the internet. although most of these applications do not create logs, they leave
behind many recoverable traces.
web browsers keep track of sites visited in history and cache files. examiners can examine this
data to determine where a user has been, and when.
incoming e-mail is stored in “/var/spool/mail” under each user’s account name. outbound
e-mail awaiting delivery is temporarily stored in the mail transfer agent’s queue (sendmail’s is
“/var/spool/mqueue”). in most cases e-mails are stored as plaintext, but mime-encoded
attachments require special software for decoding. proprietary e-mail formats such as
outlook and aol usually should be viewed in their respective applications.
network traces
the network-based nature of unix requires that forensic examiners always look for evidence of
network connections. many networked applications retain activity logs and configuration files.
evidence of shared network drives should also be sought. (see decc2e, pp. 319-320, for further
information.)
summary
as there are a great many unix-based systems fielded, it is extremely likely that a forensic
examiner will encounter such systems on a frequent basis. therefore, a thorough understanding of
how data is stored on unix-based systems is essential.
1. unlike the standard dos/windows environments, the unix environment has the capability of ____,
thereby preventing the contents of evidentiary media from being changed.
a. encrypting all data on the media
b. copying the contents of the media
c. warning the examiner of an impending write
d. mounting storage media as read-only
2. what is the most efficient method for a forensic examiner to confirm whether a particular
tool or methodology works in a forensically acceptable manner?
a. search the internet for accounts of other examiners using the tool or methodology
b. contact the author of the tool or methodology and have them provide
confirmation
c. test the tool under controlled conditions
d. contact other forensic examiners to determine if they have any experience with
the tool or methodology
5. , which is part of the standard linux distribution, can be used to make a bitstream
copy of evidentiary media to either image files or sterile media.
a. grep
b. icat
c. dd
d. sha1sum
6. mac times, which are found in the , are an example of file system traces.
a. inode table
b. mbr’s partition table
7. why is it important to determine the level of network connectivity on a unix system as soon as
possible?
a. as unix systems may be configured to store critical evidence on remote
systems, network connections must be determined and exploited before any
evidence stored remotely is destroyed.
b. to keep suspects and spectators from accessing the target system during the
investigation.
c. to determine if the system administrator is a suspect.
d. none of the above.
8. the coroner’s toolkit and the sleuth kit are examples of open source .
a. hard drive repair tools
b. system administrator tools
c. forensic examination tools
d. network management tools
9. in unix, when a file is moved within a volume, the inode change date-time (ctime) is:
a. unchanged
b. updated
c. set to epoch time
d. set to last modified date-time
10. deleting a file has the effect of preserving its inode until it is reused because:
a. the inode is flagged as deleted.
b. the inode table entry is moved to the recycle bin.
c. deleted inodes are not accessible to the file system.
d. the inode number is added to a deleted files journal entry.
11. when a file is deleted on a unix system, the ctime of its parent directory is:
a. unchanged
b. updated
c. set to epoch time
d. set to last modified date-time
12. one of the most common web browsers on unix systems is:
a. internet explorer
14. on unix systems that receive e-mail, incoming messages are held in , in separate
files for each user account until a user accesses them.
a. /home/<useraccount>/desktop/mail
b. /var/spool/mqueue/mail
c. /etc/mailbox/mail
d. none of the above
15. the file system mount table shows local and remote file systems that are automatically
mounted when the system is booted. this information is stored in:
a. /etc/fstab
b. /etc/mount/mtab
c. /etc/hosts
d. none of the above
1. one of the most useful areas to search for notable data on a linux system is in file slack.
a. true
b. false
2. one of the difficulties in examining unix systems is that the file system is extremely
complex, making it difficult for the examiner to recover data.
a. true
b. false
3. grep is a standard linux tool that searches a specified file or region for a specified string.
a. true
b. false
4. the unix convention of “piping” the results of one command into another is a serious
limitation and is detrimental to using the unix platform for forensic examinations.
a. true
b. false
5. most data-carving tools operate on the assumption that the operating system generally
tries to save data in contiguous sectors.
a. true
b. false
7. as unix was never designed to work on networks, there are very few native utilities
designed to access the internet.
a. true
b. false
8. unix log files (or those of any operating system, for that matter) can provide a great deal
of useful information to the examiner.
a. true
b. false
11. when requesting a search warrant, remotely connected systems cannot be considered part
of the target system, so it may be necessary to obtain proper authorization before
examining them.
a. true
b. false
12. a list of currently mounted drives, including those not listed in the file system mount
table, is kept in “/etc/mtab.”
a. true
b. false
13. when a target system is connected to other systems in remote locations, it is expedient
for the digital investigator to access these systems via remote access.
a. true
b. false
14. the “istat” command, found in the coroner’s toolkit, can be used to examine specific
inode bitmaps.
a. true
b. false
15. the mainstay of acquiring digital evidence using unix is the “icopy” command.
a. true
b. false
for each of the following questions, develop discussion notes and be prepared to discuss your
findings.
1. consider the statement “forensic examiners should have a high degree of competence in all
operating systems and their respective file systems.” do you agree or disagree? support your
answer with examples.
2. which is the more effective forensic examiner, one who can operate forensic tools in a
variety of operating environments (operating system, file system, etc.) and conducts
examinations in the native environment of the evidentiary media, or one who thoroughly
understands a single operating environment and examines evidentiary media in that
environment, regardless of the native operating environment of the media. support your
answer with examples.
scenario
you are on-site, conducting a preliminary examination of a linux system. the hardware suite includes
a 56 kbps modem. what areas of search should be included in your examination?
prepare an examination plan that details what you will look for, and why.
chapter guide
macs represent a small but growing segment of the total number of computers and are sufficiently
common to crop up frequently in digital investigations. therefore, forensic examiners must be prepared to
collect and analyze data from the mac environment. this task can be a challenge as there are currently very
few mac tools that specifically address forensic recovery. in addition, the integration of unix into mac os x
and the flexibility of the mac file systems can create a complex digital crime scene. at the same time, as
with other computer systems, there are many interesting nooks and crannies on macs where digital dust
can gather, and forensic examiners who familiarize themselves with these systems will be rewarded with
useful digital evidence.
unlike intel-based systems, macs do not have a bios per se. instead, powerpc-based macs use open
firmware (intel-based macs use efi), which can be opened using the “command+option+o+f” key
combination at the beginning of the boot process. the current system date and time is generally
visible in the opening message of newer versions of open firmware.
as with windows, the mac boot process is very invasive. to prevent altering evidentiary data, conventional
wisdom dictates that the hard drives be disconnected before attempting to power up a mac. mac-
formatted drives can be acquired in the linux environment using dd, and likewise can be acquired in the
windows environment using tools such as encase or winhex. winhex forensic can acquire and examine
any cluster-based file system.
the mac file systems (16-bit hfs and 32-bit hfs+) are structured similarly to the other file systems discussed in
the text. boot records reside at the beginning of each volume. the system file structures consist of a catalog
file and an extents overflow file. relevant to forensic examiners is how date-time stamps are recorded.
deleting a file moves it to the trash folder, but it is not marked as deleted until it is removed from
there. when a file is deleted, its key length is zeroed and the reference to it may be removed from the
catalog. the net result is that the data may only be recoverable by keyword search of unallocated space.
norton unerase has a good likelihood of recovering erased files. other tools, such as disk warrior and
prosoft data rescue, work well, also. using several of the tools in combination increases the likelihood of
data recovery. alternatively, file carving tools such as encase and winhex can be used to block file data
and save it to a new file.
older macintosh systems do not keep logs, but mac os 9 and mac os x have a logging capability. of
interest to examiners are the system logs that mac os x keeps. these record items such as external media
connected to the computer and user logon/logoff activity, and system clock changes can be evident from
temporal discontinuities in them. macs also keep records of recently accessed applications and
documents. tools like desktop db diver can provide a great deal of information about what applications
have been accessed. also of interest is how macintosh handles file deletions: files are moved to the
“trash” folder. examination of desktop db and desktop df may reveal the user’s activities.
mac os 9 and x are network-aware, and keep exploitable network-related information. also, internet
applications record activities to some degree. netscape history files are exploitable and may contain a
great deal of notable data. internet explorer maintains a history of browsing activities in history.html,
downloads.html, as well as .waf cache files, and stores cookies in various locations, depending on
version. the amount and quality of e-mail related data is dependent on the application – some log a great
deal of information and others do not.
the single biggest obstacle to successfully exploiting macintosh computers is limited choice in forensic
tools designed with the mac in mind. therefore, to be effective, examiners must know where and how to
look for information without the assistance of automated tools.
2. the boot sector and additional details about the volume are stored in:
a. the first sector of the volume
b. at offset 0x300 from the beginning of the drive
c. the last sector of the volume
d. cmos
6. a difference between hfs and other file systems studied is that folders:
a. are listed in a separate extents overflow file
b. do not contain lists of their contents
c. do not show when they were last backed up
d. are stored in two places on the disk
8. the most common approach to salvaging deleted data on macintosh systems is to:
a. use encase to recover the files.
b. use the catalog utility.
c. use file carving techniques.
d. there is currently no solution to recovering deleted files from a macintosh.
11. the last access times of files copied from a mac running os 9 onto a fat-formatted disk
are meaningless because hfs does not maintain:
a. access time
b. modified time
c. created time
d. ctime
15. when a file is deleted, its catalog entry may be deleted as well. if this occurs,
a. a backup of the catalog file will still contain the information.
b. all references to the data are removed from the disk.
c. the file information is moved to the extent overflow file.
d. the file information is moved to “.trash,” with the same name as the file, and
an extent of “.info.”
3. by default, when mac os x boots up, it will attempt to mount an evidence disk.
a. true
b. false
7. digital evidence examiners can use the sleuth kit on mac os x to examine ntfs, fat,
ufs, ext, and hfs file systems.
a. true
b. false
8. due to the design of the macintosh catalog file, it is easy to recover deleted files
manually, using forensic tools.
a. true
b. false
12. by default, eudora for macintosh records more information than eudora for windows.
a. true
b. false
14. in each volume of a macintosh system, there is a database named “desktop db” that
contains information about activities on the system including programs that were run and
files and websites that were accessed.
a. true
b. false
15. one of the interesting file system traces that is created when files are saved from a
macintosh to external media formatted using fat is a “.spotlight” folder.
a. true
b. false
1. are macintosh systems more or less useful than windows systems as sources of digital evidence?
justify your answer.
2. it can be difficult to recover deleted files from hfs and hfs+ file systems manually. how can you
assure yourself that automated tools used for this purpose are working correctly?
3. how does mac os 9 differ from mac os x and what significance does this have from a forensic
perspective?
scenario
you receive a mac os x system and are asked to summarize the applications and data on the hard drive. in
addition, you are asked to report any recent system usage and any signs of encryption, external storage
media, or clock tampering. what data would you look for on the hard drive, where would you find them,
and what tools would you use?
- recognize that the use of cell phones and smart phones is an integral part of modern society.
- recognize that mobile devices can contain vast amounts of personal information.
- be familiar with the terminology used with mobile devices.
- be aware that criminals will use and store information on mobile devices, providing an additional
source for evidence.
- be aware that the dynamic nature of mobile devices presents challenges to forensics examiners.
- recognize that a major advantage of mobile devices from a forensic standpoint is that they can
contain deleted information even after attempts to delete.
- be aware that characteristics of flash memory chips may result in the recovery of user-deleted
information.
- be aware that mobile devices have become a new target for malware developers.
- recognize that mobile devices can connect to various networks via cellular towers, wifi access
points, and bluetooth, and those connected networks may also contain notable data.
- recognize that handheld devices may be synchronized to desktop applications, and notable data
may be found there, as well.
- recognize that information from mobile devices can assist the investigator in discovering the
user’s social network.
- be aware that, while the same forensic principles apply to mobile devices as they do to regular
computers, the dynamic, connected nature of mobile devices can present challenges.
- be aware of the procedures for seizing mobile devices.
- be aware of the value and benefits of first obtaining a physical acquisition of mobile devices.
- be aware of the value of obtaining a logical acquisition of mobile devices.
- be aware of various methods for acquiring mobile devices, such as:
o data cable
o bluetooth
- be aware of various mobile device forensic tools currently on the market.
- be aware of various methods of applying the forensic examination and analysis methodology to
mobile devices.
- be aware of various methods for data recovery on mobile devices.
- be aware of the variety of formats used on mobile devices.
- be aware of the issues involved with the acquisition and examination of sim cards.
- be aware of the forensic challenges relating to sim card security.
- recognize the value and the need to apply investigative reconstruction techniques to mobile
devices.
o temporal analysis
o relational analysis
o functional analysis
the instructor should convey to the student that, because mobile devices are so pervasive and becoming
more so every day, they should both expect and be prepared to deal with the ever-growing variety of
mobile devices. it would, in fact, be reasonable to expect to find a mobile device involved in nearly every
type of case that law enforcement would encounter.
forensic examination and analysis of mobile devices presents challenges above and beyond those of
traditional forensic investigations; however, the quality of the evidence obtained will make it worthwhile.
1. which of the following is not one of the methods mobile devices use to communicate?
a. fddi
b. telecommunication networks
c. wifi access points
d. bluetooth piconets
3. the reason that malware developers are beginning to target mobile devices is:
a. because available memory is much smaller and the operating system is much less
sophisticated on mobile devices, it is much easier to develop malicious code.
b. the malware market has become very crowded and developers are looking for new
avenues.
c. since the coding is much simpler on mobile devices, many new programmers are trying
at this particular platform.
d. since mobile devices are used more and more for online banking and making
purchases, they have become prime targets for computer criminals.
7. powering down a mobile device and removing the battery may cause problems in that:
a. when the battery is removed from a mobile device, the information in memory is lost.
b. doing so may activate security measures such as lock codes and encryption.
c. the process of removing the battery can cause a capacitive discharge, destroying the
device.
d. you now have two pieces of evidence, which have to be documented.
8. which of the following are methods for preserving mobile devices by isolating them from the
networks?
a. reconfigure the device to prevent communication from the network.
b. place the device in an rf-shielded pouch.
c. jam rf signaling in the immediate area.
d. all of the above.
10. which of the following is not one of the currently available methods for extracting data from
mobile devices?
a. manual operation via user interface
b. logical acquisition via communication port
c. connecting the communication port directly to an output device such as a printer
d. physical acquisition via the communication port
11. forensic examiners should be aware that a mobile device with a blank or broken display:
a. may as well be thrown away, as no data will be recovered from it
b. may only indicate that the screen is damaged and it may still be possible to extract
data
c. may require that the mobile device be sent out to the manufacturer for repairs
d. none of the above
13. a peculiarity of mobile devices is the format in which they store sms messages, which is:
a. ascii
b. unicode
c. gsm 7-bit
d. baudot
14. certain data on mobile devices, in particular phone numbers, are stored in “nibble reversed”
format. in that case, the phone number 12025437078 would be displayed as:
a. 2120457370f8
b. 20217345870
c. 87073452021
d. 8f0737542021
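questions 13 and 14 above concern two encodings an examiner meets together in every gsm sms-deliver pdu: phone numbers and timestamps stored as nibble-reversed bcd (“semi-octets”, with an f nibble padding an odd digit count), and message text packed in the gsm 03.38 7-bit default alphabet. the decoder below is an added example written for this guide, not code from the textbook or from any mobile forensic tool. the sample pdu is the widely circulated “hellohello” test message embedded here as constructed input; the two-digit year pivot (90 and above means 19xx) is an assumption of this example, and the 7-bit extension table (characters reached through the escape code) is not implemented.

```python
# GSM 03.38 default alphabet, index = 7-bit code. 0x1B is the escape to the
# extension table, which this example does not expand.
GSM7_ALPHABET = (
    "@£$¥èéùìòÇ\nØø\rÅå"
    "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./"
    "0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNO"
    "PQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmno"
    "pqrstuvwxyzäöñüà"
)


def encode_semi_octets(digits: str) -> str:
    """Store digits the way SIM and SMS PDUs do: nibble-swapped BCD, F-padded."""
    if len(digits) % 2:
        digits += "F"
    return "".join(digits[i + 1] + digits[i] for i in range(0, len(digits), 2))


def decode_semi_octets(hexdigits: str) -> str:
    """Reverse encode_semi_octets, dropping the F filler nibble."""
    pairs = range(0, len(hexdigits), 2)
    return "".join(hexdigits[i + 1] + hexdigits[i] for i in pairs).upper().rstrip("F")


def decode_gsm7(packed: bytes, septets: int) -> str:
    """Unpack GSM 7-bit text: septets are packed LSB-first across octet boundaries."""
    bits = int.from_bytes(packed, "little")
    return "".join(GSM7_ALPHABET[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def decode_address(octets: bytes, toa: int) -> str:
    """Decode an address field; type-of-address 0x91 (international) gets a '+'."""
    digits = decode_semi_octets(octets.hex())
    return "+" + digits if (toa & 0x70) == 0x10 else digits


def decode_timestamp(scts: bytes) -> str:
    """Decode the 7-octet service-centre time stamp (each octet nibble-swapped BCD)."""
    bcd = lambda b: (b & 0x0F) * 10 + (b >> 4)
    yy, mo, dd, hh, mi, ss = (bcd(b) for b in scts[:6])
    tz = scts[6]
    sign = "-" if tz & 0x08 else "+"            # bit 3 of the octet is the sign
    quarters = (tz & 0x07) * 10 + (tz >> 4)     # offset in quarter-hours
    year = 1900 + yy if yy >= 90 else 2000 + yy  # assumption: pivot at 90
    return (f"{year:04d}-{mo:02d}-{dd:02d} {hh:02d}:{mi:02d}:{ss:02d} "
            f"{sign}{quarters // 4:02d}:{(quarters % 4) * 15:02d}")


def decode_sms_deliver(pdu_hex: str) -> dict:
    """Parse an SMS-DELIVER PDU as stored on a handset or SIM (EF_SMS record)."""
    data = bytes.fromhex(pdu_hex)
    pos = 0
    smsc_len = data[pos]; pos += 1
    smsc = decode_address(data[pos + 1:pos + smsc_len], data[pos]) if smsc_len else ""
    pos += smsc_len
    first_octet = data[pos]; pos += 1
    if first_octet & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits, oa_toa = data[pos], data[pos + 1]; pos += 2
    oa_len = (oa_digits + 1) // 2                 # digit count, not octet count
    sender = decode_address(data[pos:pos + oa_len], oa_toa); pos += oa_len
    pid, dcs = data[pos], data[pos + 1]; pos += 2
    timestamp = decode_timestamp(data[pos:pos + 7]); pos += 7
    udl = data[pos]; pos += 1
    user_data = data[pos:]
    coding = dcs & 0x0C
    if coding == 0x00:
        alphabet, text = "GSM 7-bit", decode_gsm7(user_data, udl)   # udl counts septets
    elif coding == 0x08:
        alphabet, text = "UCS-2", user_data[:udl].decode("utf-16-be")
    else:
        alphabet, text = "8-bit", user_data[:udl].hex()
    return {"smsc": smsc, "sender": sender, "pid": pid, "dcs": dcs,
            "timestamp": timestamp, "alphabet": alphabet, "text": text}


# Constructed sample: the well-known "hellohello" SMS-DELIVER test PDU.
SAMPLE_PDU = (
    "07" "91" "7283010010F5"     # SMSC: 7 octets, international, +27381000015
    "04"                         # first octet: SMS-DELIVER
    "0B" "C8" "7238880900F1"     # sender: 11 digits, TOA 0xC8, 27838890001
    "00" "00"                    # protocol id, data coding scheme (7-bit)
    "99309251619580"             # SCTS: 1999-03-29 15:16:59 +02:00
    "0A" "E8329BFD4697D9EC37"    # 10 septets, packed "hellohello"
)

if __name__ == "__main__":
    print(encode_semi_octets("12025437078"))   # 2120457370F8
    print(decode_sms_deliver(SAMPLE_PDU))
```

the same nibble-swapped bcd layout is used for the msisdn and abbreviated dialling numbers on a sim, so encode_semi_octets is also the search pattern to use when hunting for a known phone number in a raw memory dump: grep for the swapped hex, not the digits.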
15. the primary reason that brute-force methods are not used when trying to access an sim card with
the pin set is:
a. a four-digit pin represents 10,000 possible combinations.
b. after three failed attempts, the sim card will become locked.
c. pin disclosure by the offender can be required by a court order.
d. none of the above.
1. since mobile devices consist of a cpu, memory, storage, and software, the same as traditional
computers, they are processed in exactly the same way.
a. true
b. false
3. given the small amount of usable data obtainable from mobile devices, the forensic investigator
needs to weigh the value of investing time examining mobile devices.
a. true
b. false
4. one drawback of mobile device examination is that when a user deletes data on a mobile device
that data is never recoverable.
a. true
b. false
5. mobile devices have become a promising new target for malware developers.
a. true
b. false
6. the dynamic nature of mobile device communications presents additional challenges for the
forensic examiner.
a. true
b. false
7. although mobile devices may connect to networks via wifi and bluetooth connections and to
desktop synchronization software, the forensic examiner should focus entirely on the mobile
device itself.
a. true
b. false
8. there are currently no forensic tools available for processing mobile devices.
a. true
b. false
9. the forensic examiner’s best option for the most complete collection of data from a mobile
device is to make a physical acquisition.
a. true
10. one of the difficulties in processing mobile devices is that the manufacturers always use
proprietary storage formats.
a. true
b. false
11. when analyzing a gps-enabled mobile device, it is often possible to recover location
information, import it into mapping software, and display the locations on a map.
a. true
b. false
12. something forensic examiners need to keep in mind when trying to brute force a sim card that
has had a pin set is that the card will lock after the second failed attempt.
a. true
b. false
13. best practices for seizing a mobile device is to power the device off and remove the battery so
that no new connections are made over the network.
a. true
b. false
14. certain data on mobile devices, particularly phone numbers, are stored in nibble-reversed format.
a. true
b. false
15. it is often possible to perform a forensic analysis of a physical duplicate of mobile devices using
file system forensic tools.
a. true
b. false
1. discuss the preservation, examination, and analysis issues that make processing mobile devices
unique.
2. discuss methodologies for processing a crime scene involving mobile devices. take into
account the special issues relating to mobile devices.
answer guidance: search for media and sim cards, seizing related peripherals and
communication cables, charging stands, etc., how to isolate the device from the network(s),
powering off issues.
scenario
you are at a crime scene and a cell phone is discovered, powered on. crime scene technicians have
processed it for prints and turned it over to you. you are examining the interface when a text
message is received. what steps will you take?
- be aware of the reasons that digital investigators have to have a thorough understanding of
networks.
- be aware of the hardware and protocols that constitute a network.
- be aware of the various network technologies a digital investigator is likely to encounter.
- be aware of the tools that assist in network investigations.
chapter guide
all digital investigators require some understanding of networks since most computers we encounter are
connected to one. in fact, computers have become network-centered and it is no longer sufficient to only
think of digital evidence on storage media. to comprehend traces of internet activities left on personal
computers and to establish continuity of offense, digital investigators require knowledge of evidence that
exists on surrounding networks. these sources include server logs, network devices, and traffic on both
wired and wireless networks.
this chapter provides an overview of network history, concepts, and the most common network
technologies: arcnet, ethernet, fddi, atm, ieee 802.11 (wireless), cellular, and satellite networks. some
students will be confused or intimidated by the concepts of tcp flows, network layers, log files, and
remote access using applications like telnet and ssh. therefore, it is advisable to lead students through the
reading and provide them with some hands-on exercises to ensure that the basic concepts are clear. the
“barbara the bookie” exercise is designed to get students thinking about the different network
technologies and how they might be encountered in an investigation. it is also instructive to have students
connect to a remote system such as a backbone router as shown here:
on august 15 at 11:20 edt, telnet was used to connect from a windows machine to a public
internet router (see www.traceroute.org for a list of route servers).
+--------------------------------------------------------------------+
| |
| tiscali international network - route monitor |
| (as3257) |
| |
| this system is solely for internet operational purposes. any |
| misuse is strictly prohibited. all connections to this router |
| are logged. |
| |
| this server provides a view on the tiscali routing table that |
| is used in frankfurt/germany. if you are interested in other |
| regions of the backbone check out http://www.ip.tiscali.net/lg |
| |
| please report problems to [email protected] |
+--------------------------------------------------------------------+
route-server.ip.tiscali.net>show clock
*16:30:32.532 cedt sun aug 15 2004
route-server.ip.tiscali.net>show log
syslog logging: enabled (10 messages dropped, 4 messages rate-limited, 0 flushes
, 0 overruns, xml disabled)
console logging: disabled
monitor logging: level debugging, 0 messages logged, xml disabled
buffer logging: disabled, xml disabled
logging exception size (8192 bytes)
count and timestamp logging messages: enabled
trap logging: level debugging, 17859 message lines logged
logging to 213.200.88.198, 17859 message lines logged, xml disabled
in addition to demonstrating client-server interaction, this exercise gives routers and the internet
backbone a tangible form that students may not otherwise realize. notably, the router’s clock indicates
that it is 16:30 central european time (gmt + 1) whereas the time according to the windows host was 11:20
us eastern time (gmt – 5). pointing out to students that router clocks often drift when they are not
synchronized with a reliable source can emphasize the need for documenting the system clock on any
system that they are collecting evidence from. also, the results of the show logging command contain
the remote syslog server (213.200.88.198 = flowscan.ip.tiscali.net) that receives logs from this router.
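To make the clock-skew point concrete, here is an added Python example (not from the manual) that parses the router's show clock line above, converts both clocks to UTC and reports how far the router is from the examiner's documented time; the zone-offset table and the examiner's note format are assumptions of the example:

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed UTC offsets for the zone abbreviations used on this page (constructed
# lookup table; extend it for other zones met on real equipment).
ZONE_OFFSETS = {
    "cedt": timedelta(hours=2), "cest": timedelta(hours=2), "cet": timedelta(hours=1),
    "edt": timedelta(hours=-4), "est": timedelta(hours=-5),
    "utc": timedelta(0), "gmt": timedelta(0),
}
MONTHS = {name: num for num, name in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# Cisco 'show clock' output: optional flag, time, zone, weekday, month, day, year.
SHOW_CLOCK_RE = re.compile(
    r"^(?P<flag>[*.]?)(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2})(?:\.\d+)?\s+"
    r"(?P<zone>[a-z]+)\s+[a-z]+\s+(?P<mon>[a-z]{3})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})$",
    re.IGNORECASE,
)


def parse_show_clock(line: str):
    """Return (aware datetime, authoritative) from a 'show clock' line.

    A leading '*' in Cisco output marks the clock as not authoritative (no
    reliable time source); that flag is itself worth recording in your notes.
    """
    m = SHOW_CLOCK_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised show clock line: {line!r}")
    zone = m["zone"].lower()
    if zone not in ZONE_OFFSETS:
        raise ValueError(f"unknown time zone abbreviation: {zone}")
    when = datetime(int(m["year"]), MONTHS[m["mon"].lower()], int(m["day"]),
                    int(m["h"]), int(m["m"]), int(m["s"]),
                    tzinfo=timezone(ZONE_OFFSETS[zone]))
    return when, m["flag"] != "*"


def parse_documented_time(note: str) -> datetime:
    """Parse the examiner's own note, written as 'YYYY-MM-DD HH:MM zone'."""
    date_part, time_part, zone = note.lower().split()
    when = datetime.strptime(f"{date_part} {time_part}", "%Y-%m-%d %H:%M")
    return when.replace(tzinfo=timezone(ZONE_OFFSETS[zone]))


def clock_skew(router_line: str, examiner_note: str) -> timedelta:
    """Router clock minus examiner's clock (negative means the router is behind)."""
    router_time, _ = parse_show_clock(router_line)
    return router_time - parse_documented_time(examiner_note)


if __name__ == "__main__":
    # Values taken from the session above; the examiner's time is only known
    # to the minute, so the result is an approximation.
    print(clock_skew("*16:30:32.532 cedt sun aug 15 2004", "2004-08-15 11:20 edt"))
```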
in addition, the open system interconnection (osi) model is used in this chapter to give the reader an
understanding of the different functions of networks and the types of crime and associated evidence that
exist. the osi model is comprised of seven layers summarized here:
#  name          summary
1  physical      media that carries data (e.g., network cable)
2  data-link     enables basic network connectivity between computers connected directly by the same network technology (e.g., ethernet)
3  network       routes information to its destination using addresses (e.g., ip addresses)
4  transport     establishes, maintains, and terminates connections between hosts (e.g., tcp)
5  session       maintains connections between hosts to ensure continuity when the communication on underlying network layers disconnect or fail (e.g., rpc used by windows and unix to maintain connections to network file shares)
6  presentation  formats and converts data to meet the conventions of the specific computer being used (e.g., ascii versus ebcdic)
7  application   creates network functionality that enables services like e-mail (e.g., smtp)
data in each layer are encapsulated by lower layers. for example, an e-mail message is encapsulated in an
ip datagram, which in turn is encapsulated in an ethernet frame. notably, the osi model does not fit
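The encapsulation just described, as an added Python example (not the manual's code): a constructed Ethernet frame wrapping an IPv4 datagram, a TCP segment and an SMTP command is built, then peeled layer by layer so that what each layer carried is visible; the addresses and checksum-free headers are assumptions of the sample:

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_sample_frame() -> bytes:
    """Constructed sample: an SMTP command wrapped in TCP, IPv4 and Ethernet.

    Addresses are invented LAN values; checksums are left zero because only
    the framing is of interest here.
    """
    smtp = b"MAIL FROM:<alice@example.org>\r\n"            # layer 7 data
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1000, 0,     # layer 4 header
                      5 << 4, 0x18, 65535, 0, 0)            # offset 5 words, PSH|ACK
    total_len = 20 + len(tcp) + len(smtp)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       64, IPPROTO_TCP, 0,
                       bytes([192, 168, 0, 6]), bytes([192, 168, 0, 2]))  # layer 3
    ether = (bytes.fromhex("000874288c7d") + bytes.fromhex("00061bcedf24")
             + struct.pack("!H", ETHERTYPE_IPV4))            # layer 2 header
    frame = ether + ipv4 + tcp + smtp
    return frame + b"\x00" * max(0, 60 - len(frame))       # pad short frames


def decapsulate(frame: bytes) -> dict:
    """Peel an Ethernet frame layer by layer, returning what each layer carried."""
    layers = {}
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["data-link"] = {"dst_mac": _mac(dst), "src_mac": _mac(src),
                           "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return layers                                        # not IPv4: stop here
    packet = frame[14:]
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    packet = packet[:total_len]                              # drop Ethernet padding
    layers["network"] = {"src_ip": _ip(packet[12:16]), "dst_ip": _ip(packet[16:20]),
                         "protocol": packet[9], "ttl": packet[8]}
    if packet[9] != IPPROTO_TCP:
        return layers
    segment = packet[ihl:]
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    layers["transport"] = {"src_port": sport, "dst_port": dport,
                           "flags": segment[13]}
    layers["application"] = segment[data_offset:]            # the SMTP bytes
    return layers


if __name__ == "__main__":
    for name, content in decapsulate(build_sample_frame()).items():
        print(f"{name:12} {content}")
```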
2. when a windows system connects to a shared folder on another windows machine on the
internet, which of the following protocols are used?
a. tcp/ip
b. smb
c. netbios
d. all of the above
10. the osi reference model divides internets into seven layers. choose the correct order, by
layer.
a. transport, session, network, presentation, data-link, application, physical
b. presentation, data-link, application, physical, transport, session, network
c. physical, data-link, network, transport, session, presentation, application
d. data-link, network, session, application, physical, network, session
11. the layer that actually carries data via cables or radio signals is the:
a. transport layer
b. physical layer
c. network layer
d. data-link layer
12. a hub joins hosts at the physical level whereas a switch joins them at the layer.
a. transport
b. physical
c. network
d. data-link
13. the layer responsible for managing the delivery of data is the:
a. application layer
b. presentation layer
c. transport layer
d. session layer
6. capturing network traffic at the physical layer gives investigators access to application
layer data such as web pages viewed and images downloaded.
a. true
b. false
9. every mobile telephone has a unique electronic serial number (esn) and mobile id
number (min).
a. true
© 2011 Elsevier Inc. All rights reserved. Page 176
b. false
10. mobile telephones can be used to locate the person using them.
a. true
b. false
13. mac addresses are uniquely associated with an nic whereas ip addresses can be
changed.
a. true
b. false
15. individuals who can access the physical layer have unlimited access to all of the data on
the network unless it is encrypted.
a. true
b. false
1. give an example of the type of digital evidence that can be found at each layer of the osi
model and how it can be useful to an investigation.
3. child pornographers are connecting to the home networks of innocent individuals via
insecure wireless access points. how can this help or hinder a digital investigation?
answer guidance: although connecting through wireless access points can provide a level of
anonymity, criminal activities may come to the attention of law enforcement when home users
notice something unusual occurring. however, investigators may mistakenly attribute illegal
activities to the innocent owners of the wireless access point.
4. what internet servers do you access regularly and what activities might those systems
record in log files?
scenario
shortly before she was killed, the victim of a homicide turned on her computer, connected to the
internet, and used both a web-based e-mail service and an instant messenger (im) program
before shutting her computer down.
what traces of internet activity would you look for on the computer?
what useful digital evidence might exist on the victim’s internet service provider, and on the
web-based e-mail server?
would there be any im data on the internet that could be useful?
chapter summary
as discussed in earlier chapters, when handling digital evidence it is necessary to establish chain
of custody, document the state of items in situ, and take other steps to preserve the evidence so
that it can be authenticated at a later date. this chapter presents a methodology for processing
digital evidence and describes key concepts and their importance, including copying all data
from a disk and calculating the cryptographic hash of a disk. students will benefit from hands-on
exercises dealing with preservation of digital evidence at this stage. the guidelines in chapter 23
provide a basis for a standard operating procedure (sop) for preserving and documenting digital
evidence on computers.
note: the practice of obtaining two separate copies of storage media using two different tools
may be prohibitively expensive in investigations involving hundreds of computers. in such
situations, to save time and resources, it may be necessary to make one copy and then a backup
of that copy. however, some attempt should be made to verify that a complete and accurate copy
of each drive has been obtained. it is not safe to assume that a forensic acquisition tool will
report all errors that might be encountered which is why it is advisable to obtain a second copy of
each piece of storage media using another tool.
additionally, this chapter provides an overview of examination and analysis of digital evidence.
some digital investigators begin a forensic examination by looking for items in places where
they are commonly found such as e-mail in their default location, or by searching for certain
passwords such as credit card numbers. this ad hoc approach to looking for digital evidence is
not effective, resulting in an incomplete examination and overlooked evidence. for instance,
when e-mail is stored in a user-selected location or when credit cards are stored in compressed
files, an ad hoc approach may miss them. therefore, to uncover the truth in a way that is reliable
and repeatable, digital investigators need a methodology for the examination step of the
investigative process presented in chapter 4. this chapter takes concepts from forensic science
and demonstrates how they apply to the examination and analysis of digital evidence. chapter 24
demonstrates how some of the examination tasks can be implemented using common tools,
providing the basics for an sop for examining digital evidence on computers.
an effort is made to connect the applied material in this chapter with the investigative and
reconstruction processes described in earlier chapters. additionally, this chapter familiarizes
students with various file types. instructors are encouraged to explore other file types to give
students the broadest possible exposure to common files and their associated metadata. for
instance, the metadata within microsoft office documents can be explored using a hexadecimal
viewer and compared with utilities such as metadata assistant
(http://www.payneconsulting.com/). similarly, it is instructive to teach students to view metadata
within digital photographs that could be used to link images to a particular camera, and use the
content of photographs to glean information about the context (e.g., who, what, where, when).
3. examination of digital evidence includes (but is not limited to) which of the following
activities?
a. seizure, preservation, and documentation
b. recovery, harvesting, and reduction
c. experimentation, fusion, and correlation
d. arrest, interviewing, and trial
5. on a windows machine, the md5 value of the sentence “the suspect’s name is kate” is:
a. b5152ca3b8445d09384fed12e9089464
b. db1a7ba15d440722cb741943f9b1538a
c. 73654cee43a5c9acca03527afb2933f8
d. 834b78bb23b9f9544a3a3b9267952ddd
note: various tools can be used for this question including winhex.
11. although it was not designed with evidence collection in mind, can still be
useful for examining network traffic.
a. encase
b. ftk
c. wireshark
d. chkdsk
12. issues to be aware of when connecting to a computer over a network and collecting
information include:
a. creating and following a set of standard operating procedures
b. keeping a log of actions taken during the collection process
c. documenting which server actually contains the data that’s being collected
d. all of the above
14. information security professionals submit samples of log files associated with certain
intrusion tools to help others detect attacks on the mailing lists at:
a. bugtraq
b. sam spade
c. cnet
d. security focus
15. which of the following are situations where a bitstream copy may not be viable?
a. the hard drive is too large to copy.
b. the system cannot be shut down.
c. the digital investigator does not have authority to copy the entire drive.
d. all of the above.
3. all forensic tools acquire digital evidence from storage media in the same way.
a. true
b. false
5. chain of custody enables anyone to determine where a piece of evidence has been, who
handled it when, and what was done to it since it was seized.
a. true
b. false
7. the chance of two different files having the same md5 value is roughly one in 340 billion
billion billion billion which is approximately equivalent to winning 30,000 billion billion
billion first prizes in the hong kong mark six – the lotto game in hong kong which
randomly picks 6 numbers from 1 to 47 with a one in 10,737,573 chance of winning first
prize.
a. true
b. false
8. after the md5 value of a piece of digital evidence has been calculated, any change in
that piece of evidence can be detected.
a. true
b. false
10. when seeking authorization to search a network and digital evidence that may exist in
more than one jurisdiction it is not necessary to obtain a search warrant for each location.
a. true
b. false
11. digital investigators should remember that evidence can reside in unexpected places,
such as network routers.
a. true
b. false
12. active monitoring is time consuming, invasive, and costly and should only be used as a
last resort.
a. true
b. false
13. a digital evidence class characteristic is similar to toolmark analysis in the physical
world.
a. true
b. false
1. if you are investigating a homicide and, while executing a search warrant, you find a
computer in the suspect’s home that appears to contain child pornography, what would
you do?
answer guidance: ideally, your warrant would be worded to permit you to secure/seize all
computer hardware at the scene. if in doubt, it is still desirable to secure the evidence to
prevent destruction using an exception (e.g., plain view, consent) but this does not give you
authorization to examine the contents of the computer for further evidence of child
pornography creation/manufacture/distribution. therefore, a separate warrant is required to
investigate this separate offense.
2. other than verifying the integrity of a file, how can the md5 value of a file be useful?
answer guidance: as a class characteristic of the file, the md5 value can be used to search
other sources of digital evidence for identical files (chapter 9, page 220). for instance, files
known to contain child pornography can be found on storage media and in network traffic by
looking for files with the same md5 value. in addition, files known to belong to an operating
system or application can be found and filtered based on their md5 values, thus reducing the
number of files that a digital examiner/investigator has to deal with.
answer guidance: someone could have modified digital evidence before the md5 value
was calculated. ultimately, the trustworthiness of digital evidence comes down to the
trustworthiness of the individual who collected it (see page 220).
answer guidance: a digital signature tells you that a particular individual or group
calculated the md5 value of given data at a specific time. this is achieved using a signing
key and associated passphrase that only the individual or group possess. the important point
to note is that a group of people can possess multiple copies of a single key. therefore, the
signature tells you which key was used but not which individual used it. additional
documentation is required to determine which individual was responsible, emphasizing the
importance of documenting your actions.
6. how would you search for all image files on a disk? explain the rationale of your
approach.
answer guidance: this is the same question asked in chapter 4 but the knowledge of class
characteristics should have altered the way students think about media searching and file
recovery.
scenario
suppose that your immediate area is a crime scene. what potential sources of digital
evidence do you find? for two of these items, describe how you would preserve and
document them.
chapter guide
the internet is both an attractive venue for criminal activities and a powerful investigative tool. this
chapter discusses both aspects to give investigators intelligence about how criminals operate online, and
to help investigators use digital evidence on the internet to apprehend offenders. the main internet
services are covered, including the web, e-mail, newsgroups, internet chat, and p2p. new services are
emerging that extend the capabilities of the internet, providing criminals with new opportunities, and
making digital investigations more challenging. therefore, in addition to becoming familiar with existing
internet services, students need to learn how to explore new technologies from an evidentiary and
investigative viewpoint, as well as from a criminal viewpoint. for instance, the technology used by kazaa
has been developed to provide p2p phone conversations (www.skype.com) that are encrypted and difficult
to trace. students who are familiar with the underlying functionality of the internet (chapters 14-17) are
better equipped to deal with new internet technology.
many people think of the internet as separate from the physical world. this is simply not the case and to
neglect the very real and direct link between people and the online activities that involve them limits
one’s ability to investigate and understand crimes with an online component. the internet effectively
provides us with windows into aspects of the world that we otherwise might not know about. as
discussed in chapter 1, a trained eye can use data on computers and the internet to learn a great deal
this “windows into the world” concept is important for several reasons:
• many cybercrimes can be addressed using existing laws that were developed with physical world
crime in mind.
• a crime on the internet usually reflects a crime in the physical world, with human perpetrators
and victims, and should be treated with the same gravity.
• when a crime is committed in the physical world, the internet often contains related digital
evidence and should be considered as an extension of the crime scene. this is true even when the
internet was not directly involved in the crime.
• while criminals feel safe on the internet, they are observable and thus vulnerable. we can take
this opportunity to uncover crimes in the physical world that would not be visible without the
internet.
this last point is worth reiterating and expanding. there is currently an inordinate amount of criminal
activity on the internet, providing us with a unique opportunity to learn more about criminal activities that
are usually hidden. by recording offenders’ activities in more detail, computers and networks can provide
a window into their world, giving us a clearer view of how they operate.
providing students with sample e-mail and usenet messages to track, arranging online field trips on irc
and other virtual playgrounds, and having them preserve data they find can help them develop practical
experience that will be useful in digital investigations.
2. which of the following internet services can be used to exchange illegal materials?
a. irc
b. usenet
c. kazaa
d. all of the above
3. what are two of the most useful headers for determining the origination of usenet messages?
a. from and message-id
b. nntp-posting-host and x-trace
c. path and subject
d. rfc1036 and rfc2980
4. what information should you document when searching for evidence on the web?
a. date/time of search, search engine and terms used, address of pertinent results
b. screenshots of significant search results
c. download copies of the webpages and calculate their md5 value
d. all of the above
6. when it is not possible to determine the identity of the author of a usenet message using ip
addresses in the header, what else can you do to learn more about the author?
a. look for unusual signature and use of language
b. search the web using distinctive aspects of posts
c. look for similar usenet messages posted using an alias
d. all of the above
8. which of the following enables a user to connect to irc and run irc fserves without disclosing
their ip address?
a. freenet
b. psybnc bot
c. fserve
d. all of the above
9. which of the following applications leave traces of internet activities on a personal computer?
a. internet explorer
b. kazaa
c. irc
d. all of the above
13. metaverseink is a:
a. search tool (people or things) for virtual worlds
b. newsgroup aggregator
c. social networking meta-tool
d. a file-sharing peer-to-peer network
1. the cybertrail is only useful for gathering information about an offender, not a victim.
a. true
b. false
3. when you access a web page, the content may be located on a server other than the one you
accessed.
a. true
b. false
5. whois databases contain contact information relating to ip addresses but not domain names.
a. true
b. false
6. criminals let their guard down in chat networks because they feel protected by the perceived
anonymity.
a. true
b. false
7. the web archive (web.archive.org) contains a complete and accurate copy of web pages as they
existed at a particular time.
a. true
b. false
8. e-mail received headers can be relied on for tracking purposes because they cannot be forged.
a. true
b. false
9. when evidence is located on the internet, investigators should document and preserve it
immediately or it may be gone the next time they look for it.
a. true
b. false
12. freenet is not being widely used by criminals to exchange illegal materials because it is too
difficult to use.
a. true
b. false
13. kazaa has one feature that can be beneficial from an investigative standpoint – whenever
possible, it obtains files from peers in the same geographical region.
a. true
b. false
14. posting information online takes control of the information away from the person and such
information can remain online indefinitely.
a. true
b. false
15. given the wealth of information that social networks contain, digital investigators will often find
useful information at these sites.
a. true
b. false
1. what website does http://www.paypal.com@1113781300 refer to? explain how you got your answer.
2. what are the main approaches to searching the internet and when are they most useful?
3. what are the pros and cons of metasearch engines like www.dogpile.com?
4. what are the advantages and disadvantages from an investigative perspective of usenet archives like
google groups?
5. what is the most interesting channel you can find on irc? note that you can answer this question by
connecting to irc or searching http://searchirc.com/.
7. describe one way that criminals on irc can conceal their actual ip address to make tracking them
more difficult.
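For question 1 above, the following added Python example (not from the manual) shows how an analyst can separate what a URL displays from where it really connects, handling both the user-info trick and a host written as a packed decimal integer; the field names in the returned dictionary are the example's own:

```python
import ipaddress
from urllib.parse import urlsplit


def real_host(url: str) -> dict:
    """Separate what a URL shows a reader from the host it actually reaches.

    Anything before '@' in the authority part is user-info, not the host, and a
    host written as a bare integer is an IPv4 address in packed decimal form.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    packed = False
    if host.isdigit():                      # e.g. 1113781300
        value = int(host)
        if value > 0xFFFFFFFF:
            raise ValueError("integer host does not fit an IPv4 address")
        host = str(ipaddress.IPv4Address(value))
        packed = True
    return {
        "userinfo": parts.username,         # the text a reader is meant to trust
        "real_host": host,                  # where the connection actually goes
        "port": parts.port,
        "deceptive": parts.username is not None or packed,
    }


if __name__ == "__main__":
    print(real_host("http://www.paypal.com@1113781300"))
```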
1. the purpose of this scenario is to develop e-mail tracking skills. give students an e-mail message
and have them determine where it came from. have them describe how they determined where
the message came from and report what they find using the tools described in this chapter. if
certain tools (e.g., whois or finger) do not provide useful information, this should be noted in the
report. it is not necessary to determine the identity of the sender. however, once students have
determined where the message was sent from, have them describe the steps they would take to
figure out who sent the message. you can make this assignment more challenging by selecting a
forged e-mail such as those in many unsolicited bulk e-mail (a.k.a. spam) messages.
2. it can also be instructive to set up an irc file server for students to connect to and download files.
panzer (http://arnts.tripod.com/) is a feature rich, user-friendly irc file-serving package, and is
used by criminals to exchange illegal materials. the following log gives a sense of what students
will see when connecting to a panzer server (the ip address of the computer running the server is
141.157.67.68):
[10:59] <fserver> auto on/off .... auto-shows credit after dir list
[10:59] <fserver> xp ............. win xp dcc problem fix
[10:59] <fserver> multidcc ....... shows how you can download multiple files at once
[10:59] <fserver>
[10:59] <fserver> current credit: free ratio: no ratio / leech
[10:59] <fserver>
[10:59] <fserver> for usage help, type: help <topic>
[10:59] <fserver> topics: upload - download - credit - ratio - auto
[10:59] <fserver>
[10:59] <student> dir
[10:59] <fserver> [*.*]
[10:59] <fserver> image01.jpg 1.23 mb
chapter guide
this chapter expands on the overview provided in chapter 21, describing network technologies
in more detail, focusing on ethernet. tools and techniques for preserving, examining, and
analyzing network traffic are presented.
to begin familiarizing students with the physical and data-link layers, have them inspect a
computer that is connected to an ethernet network. show them the physical network card and
cable, and perhaps even a hub or switch connecting several computers. also, show them the arp
table on a computer after it has connected to other systems on the local area network. for
instance, the following output is from a windows machine with ip address 192.168.0.6 that
connected to two nearby computers.
c:\>ping 192.168.0.2
c:\>ping 192.168.0.3
c:\>arp -a
% arp -a
? (192.168.0.1) at 0:30:ab:1d:cd:ef
? (192.168.0.2) at 0:8:74:28:8c:7d
? (192.168.0.6) at 0:6:1b:ce:df:24
? (192.168.0.255) at ff:ff:ff:ff:ff:ff
having students play around with arp tables on a network computer provides an opportunity to
discuss how arp functions, demonstrates ip ↔ mac address mapping, and shows that both 00-30-ab-1d-cd-ef
and 0:30:ab:1d:cd:ef are valid representations of ethernet addresses.
capturing and examining network traffic is one of the most rewarding and most difficult
endeavors a digital investigator can undertake. it is not an exaggeration to say that you can see
what offenders see and say in their network traffic. web pages viewed, e-mail sent and received,
online chat, files exchanged, and any other unencrypted data can be extracted from network
traffic and reconstructed for examination. from a criminal’s perspective, consider how much
valuable information could be obtained by monitoring wireless network traffic in a busy location
such as an airport terminal where people are accessing the internet while waiting for a plane.
because of the significant amount of private information that exists at this layer, it can be
difficult to gain authorization to eavesdrop on networks. also, because of the distributed nature
of the internet, it can be difficult to gain access to the network that carries the relevant traffic.
extracting the few streams of useful traffic from the raging river of high-speed networks is
another challenge. provided these hurdles can be overcome, the resulting digital evidence can be
the equivalent of a video recording of the crime, giving a detailed view of what occurred.
there can also be useful data on network devices at the physical and data-link layers, such as
switches (some routers perform layer 2 functions). these data include mac addresses and records
of current or past connections. given the volatility of the data stored in the memory of these,
these sources of digital evidence are rarely preserved after the fact. nonetheless, it is important
for digital investigators to be prepared to process these sources of evidence if the need and
opportunity arises. also, some computer security professionals take steps to preserve such data
for tracking down problems on and misuse of their networks.
if you would like to share additional traffic data or other examples relevant to this network layer
with other teachers, please submit them to [email protected] and they will be
posted on the book website at http://www.disclosedigital.com/downloads.html.
2. what is the approximate theoretical maximum number of bytes that can be downloaded
in one minute on a 10baset network?
a. 10 mb
b. 75 mb
c. 100 mb
d. 175 mb
4. which of the following commands can be used to obtain the mac address of a remote
windows computer?
a. netstat
b. ping
c. nbtstat
d. traceroute
11. the transmission method in which only one computer can transmit while all the others listen
is known as:
a. baseband
b. narrowband
c. broadband
d. sideband
12. although arp is part of tcp/ip, it is generally considered a part of the layer.
a. physical
b. data-link
c. network
d. transport
13. if a criminal reconfigures his computer with someone else’s ip address to conceal his
identity, the local router would have an entry in its showing that criminal’s actual
mac address associated with somebody else’s ip address.
a. host table
b. bootp
c. cmos
d. arp table
15. sniffers put nics into , forcing them to listen in on all of the
communications that are occurring on the network.
a. covert mode
b. wiretap mode
c. promiscuous mode
d. none of the above
3. the netstat command can be used to obtain the mac address of a remote computer.
a. true
b. false
6. a computer connected to the internet via a dial-up modem can eavesdrop on network
traffic from other computers that are dialed into the same internet service provider.
a. true
b. false
7. dhcp can be configured to assign a static ip address to a particular computer every time it
is connected to the network.
a. true
b. false
9. it is possible to obtain file names from network traffic as well as the file contents.
a. true
b. false
11. one of the drawbacks of copying network traffic using a spanned port is that a
spanned port copies only valid ethernet packets.
a. true
b. false
12. a common approach to collecting digital evidence from the physical layer is using a
sniffer.
a. true
b. false
14. it is not possible to use a sniffer when connected to a network via a modem.
a. true
b. false
15. one key point about mac addresses is that they do not go beyond the router.
a. true
b. false
1. should law enforcement be given backdoors that enable them to monitor all encrypted
internet communications?
2. describe how a computer obtains the ethernet address of another computer that it wants
to communicate with.
3. obtain the mac address of a computer and describe how you did it.
answer guidance: this can be performed on a local computer by various means (for example the
operating system's arp cache or interface configuration commands) or remotely on some windows
computers using "nbtstat -a ip_address".
answer guidance: generally zeros are inserted for padding but some ethernet drivers use
data from the system to pad ethernet frames. this is considered a data disclosure
vulnerability and could be useful to investigators, providing more information about the
originating computer. see “etherleak: ethernet frame padding information leakage” by ofir
arkin and josh anderson, january 2003 (http://www.sys-security.com/html/papers.html).
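An added check for the padding-leakage question above; it is not code from the book or from the Etherleak paper. In a captured Ethernet II frame carrying IPv4, the IP total-length field marks where the datagram really ends, so anything after it, up to the 60-byte minimum that a capture (without FCS) shows, is padding the driver appended. A compliant driver pads with zeros; a leaky one pads from stale buffer memory. The frames, addresses and the "leaked" bytes below are constructed samples.

```python
import struct

ETH_HDR_LEN = 14
# The 64-byte minimum Ethernet frame includes the 4-byte FCS, which most captures
# do not contain, so a captured frame is padded up to 60 bytes.
MIN_CAPTURED_FRAME = 60
ETHERTYPE_IPV4 = 0x0800


def ipv4_datagram_length(frame: bytes) -> int:
    """Return the IPv4 total-length field of an Ethernet II frame carrying IPv4."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    if frame[ETH_HDR_LEN] >> 4 != 4:
        raise ValueError("IP version is not 4")
    return struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]


def frame_padding(frame: bytes) -> bytes:
    """Bytes after the end of the IP datagram but inside the frame are Ethernet padding.

    The IP header says how long the datagram really is; anything the driver appended
    to reach the minimum frame size is what an investigator should inspect.
    """
    end = ETH_HDR_LEN + ipv4_datagram_length(frame)
    return frame[end:]


def padding_leaks(frame: bytes) -> bool:
    """True if the padding holds anything other than zeros (possible Etherleak)."""
    return any(b != 0 for b in frame_padding(frame))


def build_udp_frame(payload: bytes, pad_source: bytes) -> bytes:
    """Constructed sample frame (not captured traffic): Ethernet/IPv4/UDP carrying
    payload, padded to the minimum size from pad_source the way a driver would."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0,  # header checksum left 0 in this sample
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    udp_hdr = struct.pack("!HHHH", 40000, 53, udp_len, 0)
    frame = eth + ip_hdr + udp_hdr + payload
    needed = max(0, MIN_CAPTURED_FRAME - len(frame))
    if len(pad_source) < needed:
        raise ValueError("pad_source too short")
    return frame + pad_source[:needed]


# Two constructed drivers: one pads with zeros, one pads with whatever sat in its buffer.
COMPLIANT_FRAME = build_udp_frame(b"ABCD", b"\x00" * 64)
LEAKY_FRAME = build_udp_frame(b"ABCD", b"root:x:0:0:root:/root:/bin/bash\n")
FULL_SIZE_FRAME = build_udp_frame(b"X" * 50, b"")  # already >= 60 bytes, so no padding


def report(frames):
    """Summarise each frame as (padding length, leaks?, padding bytes)."""
    return [(len(frame_padding(f)), padding_leaks(f), frame_padding(f)) for f in frames]


if __name__ == "__main__":
    for row in report([COMPLIANT_FRAME, LEAKY_FRAME, FULL_SIZE_FRAME]):
        print(row)
```

Run over a real capture, the same test should be applied only to frames whose IP total length is smaller than 46 bytes; larger datagrams need no padding, so trailing bytes there indicate a trailer or a malformed frame rather than Etherleak.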
answer guidance: it allows one computer to substitute its mac address in the arp cache of
other computers on the local network. this can be used for man-in-the-middle attacks.
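An added example serving both the question on how a host obtains another host's Ethernet address and the cache-poisoning guidance above; it is not code from the book. It decodes ARP frames as a sniffer would, rebuilds the IP-to-MAC table from the sender fields (hosts cache the sender binding of requests and replies alike), and flags the two symptoms of poisoning: a reply that no request asked for, and a binding whose MAC changes. The MAC and IP addresses and the three-frame exchange are constructed samples.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(frame: bytes) -> ArpPacket:
    """Decode an Ethernet II frame carrying ARP for Ethernet/IPv4 (RFC 826 layout)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def build_arp(opcode: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed sample frames for the demo (not captured traffic). A request is
    broadcast with an all-zero target MAC; a reply is unicast back to the asker."""
    eth_dst = b"\xff" * 6 if opcode == ARP_REQUEST else mac_bytes(target_mac)
    eth = eth_dst + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    body += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + body


class ArpMonitor:
    """Rebuild the IP -> MAC table a sniffer sees and flag the two symptoms of
    cache poisoning: a reply nobody asked for, and an IP whose MAC changes."""

    def __init__(self):
        self.table = {}        # ip -> mac, learned from sender fields
        self.pending = set()   # (asker_ip, asked_ip) requests awaiting a reply
        self.changes = []      # (ip, old_mac, new_mac)
        self.unsolicited = []  # replies with no matching request

    def observe(self, frame: bytes) -> ArpPacket:
        pkt = parse_arp(frame)
        if pkt.opcode == ARP_REQUEST:
            self.pending.add((pkt.sender_ip, pkt.target_ip))
        elif pkt.opcode == ARP_REPLY:
            key = (pkt.target_ip, pkt.sender_ip)
            if key in self.pending:
                self.pending.discard(key)
            else:
                self.unsolicited.append(pkt)
        # Hosts cache the sender binding of requests and replies alike, so we do too.
        old = self.table.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            self.changes.append((pkt.sender_ip, old, pkt.sender_mac))
        self.table[pkt.sender_ip] = pkt.sender_mac
        return pkt


# Constructed exchange: a normal resolution followed by an attacker's forged reply.
HOST_A, HOST_B, ATTACKER = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, HOST_A, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"),  # who has 10.0.0.2?
    build_arp(ARP_REPLY, HOST_B, "10.0.0.2", HOST_A, "10.0.0.1"),                 # 10.0.0.2 is-at bb
    build_arp(ARP_REPLY, ATTACKER, "10.0.0.2", HOST_A, "10.0.0.1"),               # forged: is-at cc
]


def run_monitor(frames) -> ArpMonitor:
    mon = ArpMonitor()
    for f in frames:
        mon.observe(f)
    return mon


if __name__ == "__main__":
    mon = run_monitor(SAMPLE_FRAMES)
    print("table:", mon.table)
    print("changed bindings:", mon.changes)
    print("unsolicited replies:", [(p.sender_ip, p.sender_mac) for p in mon.unsolicited])
```

After the forged reply the table holds the attacker's MAC for 10.0.0.2, which is exactly what host A's cache would hold and why its traffic to 10.0.0.2 now passes through the attacker. On a real network, legitimate gratuitous ARP (a host announcing its own address) also shows up as unsolicited, so the binding-change list is the stronger indicator.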
a company learns that someone has obtained an employee’s virtual private network (vpn) account
and is using it to connect to their network. the company asks you to monitor network traffic for
only this account over a period of days to determine what the individual is doing. what hardware
and software would you use to capture the network traffic, where would you place the
eavesdropping equipment, how would you avoid monitoring other employees’ network traffic,
and how would you preserve the network traffic as evidence?
chapter guide
this chapter expands on the overview provided in chapter 21, describing tcp/ip in more detail and
demonstrating the usefulness of ip addresses in investigations. because tcp/ip forms such an integral
part of the internet, the sources of information related to these layers are too numerous to describe individually.
extending the analogy on page 441, the glue that holds a network together gets stuck in many places for
digital investigators to recover. case examples are provided to improve students’ familiarity with the
many types of evidence that contain data relating to the transport and network layers. this chapter also
sets the foundation for understanding the internet and its use as an investigative tool and source of digital
evidence. in addition to fundamental aspects of ip addresses, concepts such as routing, domain name
lookups, servers and ports, and connection management are covered. tcp flows and streams are revisited
and the abuses of tcp/ip that exist are described in an effort to dispel misunderstandings of ip spoofing
and session hijacking.
a simplified example of setting up a network and tracking down an offender is provided in section 21.2.
students can also be encouraged to explore the networks around them provided they do not cause any
harm.
to help students become more familiar with the network and transport layers, have them inspect a
computer that is connected to the internet. show them the nslookup, netstat, and tracert/traceroute
commands available on most systems. also, to familiarize students with tcp/ip, have them view a network
capture file using ethereal (now wireshark) or a similar tool. have them look at ip addresses and
reconstruct tcp streams to view the interactions between clients and servers.
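As an added example of the stream reconstruction this exercise asks students to perform in Wireshark (it is not code from the book or from Wireshark), the function below reassembles one direction of a TCP connection from captured segments using only their sequence numbers: out-of-order arrival, a retransmission, overlapping data, a wrap past 2**32 and a missing segment are all handled. The HTTP request, host name and sequence numbers are constructed.

```python
from dataclasses import dataclass

SEQ_MOD = 1 << 32


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment from a single direction of a connection."""
    seq: int
    payload: bytes


def reassemble(isn: int, segments) -> tuple[bytes, list[tuple[int, int]]]:
    """Put one direction of a TCP stream back together.

    isn is the sender's initial sequence number (from its SYN); the first data byte
    carries isn+1 because the SYN itself consumes one sequence number. Segments may
    arrive out of order, be retransmitted, overlap, or wrap past 2**32. Returns the
    byte stream plus a list of (expected_offset, actual_offset) gaps where data was
    never captured. When segments overlap the earlier data is kept, as most stacks do.
    """
    def rel(seq: int) -> int:
        return (seq - isn) % SEQ_MOD

    stream = bytearray()
    gaps = []
    next_rel = 1
    for seg in sorted(segments, key=lambda s: rel(s.seq)):
        start = rel(seg.seq)
        end = start + len(seg.payload)
        if end <= next_rel:
            continue                        # pure retransmission, nothing new
        if start > next_rel:
            gaps.append((next_rel, start))  # bytes between next_rel and start never seen
        stream.extend(seg.payload[max(0, next_rel - start):])
        next_rel = end
    return bytes(stream), gaps


# Constructed capture of one HTTP request, client -> server, with an ISN close to
# 2**32 so the sequence numbers wrap, delivered out of order with one retransmission.
CLIENT_ISN = 0xFFFFFFF0
LINE1 = b"GET /secret.txt HTTP/1.0\r\n"
LINE2 = b"Host: evidence.example\r\n"
LINE3 = b"\r\n"

CLIENT_SEGMENTS = [
    Segment((CLIENT_ISN + 1 + len(LINE1) + len(LINE2)) % SEQ_MOD, LINE3),  # arrives first
    Segment((CLIENT_ISN + 1) % SEQ_MOD, LINE1),
    Segment((CLIENT_ISN + 1) % SEQ_MOD, LINE1),                              # retransmitted
    Segment((CLIENT_ISN + 1 + len(LINE1)) % SEQ_MOD, LINE2),
]


def split_request_lines(stream: bytes) -> list[str]:
    """Decode the reassembled request head into header lines for inspection."""
    head = stream.split(b"\r\n\r\n", 1)[0]
    return head.decode("ascii", errors="replace").split("\r\n")


if __name__ == "__main__":
    data, gaps = reassemble(CLIENT_ISN, CLIENT_SEGMENTS)
    print(split_request_lines(data), gaps)
```

The reported gaps matter for evidence: a reconstructed stream with a gap is not the byte stream the server received, and the report should say so rather than presenting the joined fragments as complete.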
5. which of the following logs record the ip addresses of computers accessing an ftp server?
a. wtmp
b. xferlog
c. syslog
d. access log
6. in addition to the ip address of the sender, smtp e-mail server logs contain which of the
following?
a. the message id
b. the time the message was received
c. the name of the sender
d. all of the above
7. which of the following servers maintain logs of when users accessed their e-mail?
a. smtp
b. imapd
c. sendmail
11. the ip software on each contains a routing table that is used to determine where to send
information.
a. host
b. server
c. router
d. switch
12. it is sometimes possible to obtain a list of all machines in the dns belonging to a specific
organization by performing a ____.
a. web crawl
b. zone transfer
c. reverse ip
d. ip transfer
13. to make large-scale internetworking more reliable, tcp creates what are called “tcp streams,”
also known as ____, to establish, maintain, and terminate connections between hosts.
a. virtual circuits
b. dedicated circuits
c. temporary circuits
d. parallel circuits
15. the creator of the first internet worm and one of the first individuals to be prosecuted under the
computer fraud and abuse act was:
a. captain crunch
b. scott tyree
c. robert morris jr.
d. kevin mitnick
1. the udp protocol will resend packets that were not received by the destination
computer.
a. true
b. false
3. tcp session hijacking can only be performed using a computer on the same network
segment as the client and/or server.
a. true
b. false
4. the domain name system can be used to obtain the names of people who are
responsible for a given computer.
a. true
b. false
6. it is sometimes possible to obtain a list of all machines in the dns belonging to a specific
organization by performing a zone transfer.
a. true
b. false
10. an ip address can only be assigned one name in the domain name system.
a. true
b. false
11. radius and tacacs authentication servers keep logs of the ip addresses that were
assigned to user accounts connecting to the internet.
a. true
b. false
12. all servers keep logs of the ip addresses of clients that connected to them.
a. true
b. false
13. “dig,” which comes installed on unix and windows systems, is a tool used for querying
dns.
a. true
b. false
14. any host, even a personal computer in someone’s home, can function as a server on the
internet.
a. true
b. false
15. on a packet-switched network, computers are not connected using dedicated circuits.
a. true
b. false
1. should internet service providers be required to keep log files of all their customers’ internet activities?
justify your answer.
2. when illegal activities are traced back to a particular house, how can you be sure that it is the
offender’s? what should you look for before obtaining a search warrant and breaking down the door of
the house?
answer guidance: make some effort to perform surveillance on the subject network to determine if
malicious activity is originating from the computer or simply being used as a platform by a remote
intruder to commit offenses.
scenario
a threatening message was sent from a web-based e-mail service. information in the header indicates that
the sender connected to the web-based e-mail server through a proxy to conceal his/her actual ip address.
describe how you would determine the sender’s actual ip address. as you think about this scenario,
consider the possibility that you cannot gain access to information on the proxy server itself.
instructor hint: send an e-mail that contains a web bug that will provide information about the computer
used to read the message.
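An added illustration of the instructor hint, not code from the book: generating the web bug and then correlating its hits in an ordinary combined-format web server log to recover the reading computer's address. The tracking host name, the token and the log lines are constructed samples, and the approach assumes the recipient's mail client fetches remote images.

```python
import html
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed investigator-controlled web server (hypothetical name, not from the original).
TRACKING_HOST = "pixel.investigator.example"


def new_token() -> str:
    """Unguessable per-message token so one log hit ties to one recipient."""
    return secrets.token_hex(8)


def web_bug_message(body_text: str, token: str) -> str:
    """HTML e-mail body with a 1x1 remote image whose URL carries the token."""
    url = f"https://{TRACKING_HOST}/p.gif?t={token}"
    return (
        "<html><body>"
        f"<p>{html.escape(body_text)}</p>"
        f'<img src="{url}" width="1" height="1" alt="">'
        "</body></html>"
    )


# Apache/nginx "combined" access-log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def token_hits(log_lines, token: str) -> list[dict]:
    """Return every request for the tracking image that carried our token."""
    hits = []
    for line in log_lines:
        m = COMBINED.match(line)
        if not m or m["method"] != "GET":
            continue
        query = parse_qs(urlsplit(m["path"]).query)
        if token in query.get("t", []):
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "user_agent": m["ua"],
                "status": int(m["status"]),
            })
    return hits


# Constructed sample: a fixed token for the demo and three fabricated log lines.
SAMPLE_TOKEN = "deadbeefcafef00d"
SAMPLE_LOG = [
    '203.0.113.45 - - [14/Mar/2024:09:12:01 +0000] "GET /p.gif?t=deadbeefcafef00d HTTP/1.1" 200 43 "-" "ExampleMail/1.0"',
    '198.51.100.7 - - [14/Mar/2024:09:13:22 +0000] "GET /p.gif?t=0123456789abcdef HTTP/1.1" 200 43 "-" "OtherMail/2.0"',
    '198.51.100.9 - - [14/Mar/2024:09:14:00 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    print(web_bug_message("Please review the attached notice.", SAMPLE_TOKEN))
    for hit in token_hits(SAMPLE_LOG, SAMPLE_TOKEN):
        print(hit)
```

If the reader's mail client blocks remote images, or fetches them through the same proxy (or through a mail provider's image proxy), the log will show the proxy's address or nothing at all, so a hit should be corroborated, for example against the proxy's own connection records if they later become available, before it is treated as the sender's actual address.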