Digital Forensics Final Quiz

25 July 2022

question
People need ethics to help maintain their balance, especially in difficult and contentious situations. • A. True • B. False
answer
A. True
question
In the United States, there's no state or national licensing body for computer forensics examiners. • A. True • B. False
answer
A. True
question
Experts should be paid in full for all previous work and for the anticipated time required for testimony. • A. True • B. False
answer
A. True
question
Expert opinions cannot be presented without stating the underlying factual basis. • A. True • B. False
answer
B. False
question
The American Bar Association (ABA) is a licensing body. • A. True • B. False
answer
B. False
question
The most important laws applying to attorneys and witnesses are the ____. • A. professional ethics • B. rules of ethics • C. rules of evidence • D. professional codes of conduct
answer
C. rules of evidence
question
Computer forensics examiners have two roles: fact witness and ____ witness. • A. professional • B. direct • C. discovery • D. expert
answer
D
question
Attorneys search ____ for information on expert witnesses. • A. cross-examination banks • B. examination banks • C. deposition banks • D. disqualification banks
answer
C
question
____ questions can give you the factual structure to support and defend your opinion. • A. Rapid-fire • B. Hypothetical • C. Setup • D. Compound
answer
B
question
FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful. • A. 702 • B. 703 • C. 704 • D. 705
answer
A
question
FRE ____ describes whether the basis for the testimony is adequate. • A. 700 • B. 701 • C. 702 • D. 703
answer
D
question
The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients. • A. HTCIA • B. IACIS • C. ISFCE • D. ABA
answer
D
question
____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities. • A. AMA's law • B. ABA's Model Rule • C. ABA's Model Codes • D. APA's Ethics Code
answer
D
question
On NTFS drives, Unicode values are how many bits in length? • A. 8 bits • B. 32 bits • C. 16 bits • D. 64 bits
answer
C
question
What are the first 8 bits of a Unicode value used for? • A. file type identification • B. font selection • C. character hexadecimal values • D. language identification
answer
C
question
What do the last 8 bits of a Unicode value represent? • A. language identification • B. character hexadecimal values • C. file type identification • D. font selection
answer
B
question
When converting plain text to hexadecimal for use with ProDiscover, you need to place ____________ between each character's hexadecimal values. • A. space (A0) values • B. blank (00) values • C. null (FF) values • D. null (00) values
answer
D
question
In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous contact with an opposing party? • A. Tidemann v. Toshiba Corp • B. Wang Laboratories, Inc. v. Toshiba Corp • C. Tidemann v. Nadler Golf Car Sales, Inc. • D. Hewlett-Packard Co. v. EMC Corp
answer
B
question
What Unicode value is used to identify the Latin alphabet? • A. 0x00 • B. 0xF8 • C. 0xAB • D. 0x01
answer
A
question
Currently, expert witnesses testify in more than __ percent of trials. • A. 55 • B. 80 • C. 92 • D. 76
answer
B
question
People who fear having their ______________ acts revealed feel as though they must protest the ________________ acts of others being revealed. • A. legal • B. improper • C. secret • D. public
answer
A
question
The purpose of requesting the ________________ is to deter attorneys from communicating with you solely for the purpose of disqualifying you. • A. case • B. retainer • C. juror list • D. evidence
answer
A
question
Which of the following options would represent a valid retainer? • A. 2 to 8 hours of your usual billable rate • B. a verbal agreement • C. complete discussion of an ongoing case • D. dissemination of evidence
answer
A
question
Before allowing an attorney to describe any case details, determine who the parties are to reduce the possibility of a _______________. • A. collaboration • B. conflict • C. mistrial • D. contradiction
answer
B
question
A consultant who doesn't testify can earn a ____________________ for locating testifying experts or investigative leads. • A. contingency fee • B. retainer • C. stake in a case • D. reprimand
answer
A
question
As an expert witness, you have opinions about what you have found or observed. A. True B. False
answer
A
question
You should create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your report. A. True B. False
answer
B
question
As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers. A. True B. False
answer
A
question
Like a job resume, your CV should be geared for a specific trial. A. True B. False
answer
B
question
Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise. A. True B. False
answer
A
question
When cases go to trial, you as a forensics examiner can play one of ____ roles. A. 2 B. 3 C. 4 D. 5
answer
A
question
When you give ____ testimony, you present this evidence and explain what it is and how it was obtained. A. technical/scientific B. expert C. lay witness D. deposition
answer
A
question
Validate your tools and verify your evidence with ____ to ensure its integrity. A. hashing algorithms B. watermarks C. steganography D. digital certificates
answer
A
question
For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you're constantly enhancing your skills through training, teaching, and experience. A. testimony B. CV C. examination plan D. deposition
answer
B
question
If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training. A. 2 B. 3 C. 4 D. 5
answer
B
question
____ is a written list of objections to certain testimony or exhibits. A. Defendant B. Empanelling the jury C. Plaintiff D. Motion in limine
answer
D
question
Regarding a trial, the term ____ means rejecting potential jurors. A. voir dire B. rebuttal C. strikes D. venireman
answer
C
question
____ from both plaintiff and defense is an optional phase of the trial. Generally, it's allowed to cover an issue raised during cross-examination. A. Rebuttal B. Plaintiff C. Closing arguments D. Opening statements
answer
A
question
If a microphone is present during your testimony, place it ____ to eight inches from you. A. 3 B. 4 C. 5 D. 6
answer
D
question
Jurors typically average just over 12 years of education and an eighth-grade reading level.
answer
12
question
____ is an attempt by opposing attorneys to prevent you from serving on an important case. A. Conflict of interest B. Warrant C. Deposition D. Conflicting out
answer
D
question
____ evidence is evidence that exonerates or diminishes the defendant's liability. A. Rebuttal B. Plaintiff C. Inculpatory D. Exculpatory
answer
D
question
You provide ____ testimony when you answer questions from the attorney who hired you. A. direct B. cross C. examination D. rebuttal
answer
A
question
The ____ is the most important part of testimony at a trial. A. cross-examination B. direct examination C. rebuttal D. motions in limine
answer
B
question
Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony. A. setup B. open-ended C. compound D. rapid-fire
answer
B
question
Leading questions such as "Isn't it true that forensics experts always destroy their handwritten notes?" are referred to as ____ questions. A. hypothetical B. attorney C. setup D. nested
answer
C
question
Sometimes opposing attorneys ask several questions inside one question; this practice is called a ____ question. A. leading B. hypothetical C. compound D. rapid-fire
answer
C
question
A ____ differs from a trial testimony because there is no jury or judge. A. rebuttal B. plaintiff C. civil case D. deposition
answer
D
question
There are two types of depositions: ____ and testimony preservation. A. examination B. discovery C. direct D. rebuttal
answer
B
question
Discuss any potential problems with your attorney ____ a deposition. A. before B. after C. during D. during direct examination at
answer
A
question
A report can provide justification for collecting more evidence and be used at a probable cause hearing. A. True B. False
answer
A
question
Expert witnesses are not required to submit a written report for civil cases. A. True B. False
answer
B
question
Technical terms, if included in a report, should be defined in ordinary language such that lawyers, judges, and jurors can understand them. A. True B. False
answer
A
question
An expert's opinion is governed by FRCP, Rule 26, and the corresponding rule in many states. A. True B. False
answer
B
question
Specially trained system and network administrators are often a CSP's first responders. A. True B. False
answer
A
question
A report using the _________________ system divides material into sections and restarts numbering with each main section. A. numerically ordered B. hierarchical C. decimal numbering D. number formatted
answer
C
question
When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be flagged __________. A. Yellow B. Green C. Red D. Orange
answer
A
question
The report generator in ProDiscover defaults to ______________________, which can be opened by most word processors. A. HyperText Markup Language (HTML) B. Rich Text Format (RTF) C. Extensible Markup Language (XML) D. Microsoft Word document format
answer
B
question
When writing a report, group related ideas and sentences into ___________________. A. chapters B. sections C. paragraphs D. separate reports
answer
C
question
If a preliminary report is written, destroying the preliminary report after the final report is complete could be considered ______________. A. proper data security B. spoliation C. beneficial D. necessary
answer
B
question
How many words should be in the abstract of a report? A. 50 to 100 words B. 100 to 150 words C. 150 to 200 words D. 200 to 250 words
answer
C
question
The ________________ section of a report starts by referring to the report's purpose, states the main points, draws conclusions, and possibly renders an opinion. A. body B. conclusion C. appendix D. reference
answer
B
question
What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in coming to those opinions? A. rule 24 B. rule 35 C. rule 36 D. rule 26
answer
D
question
Which type of report typically takes place in an attorney's office? A. Examination Plan B. Written Report C. Preliminary Report D. Verbal Report
answer
D
question
Lawyers may request _________________ of previous testimony by their own potential experts to ensure that the experts haven't previously testified to a contrary position. A. warrants B. transcripts C. subpoenas D. evidence
answer
B
question
The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery; the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in which it belongs" was established in what court case? A. Daubert v. Merrell Dow Pharmaceuticals, Inc. B. Smith v. United States C. Frye v. United States D. Dillon v. United States
answer
C
question
As with any research paper, write the ___________________ last. A. appendix B. body C. acknowledgements D. abstract
answer
D
question
The _________________ numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report, and each Arabic numeral is an important piece of supporting information. A. decimal B. ordered-sequential C. legal-sequential D. reverse-order
answer
C
question
How you format _____________ is less important than being consistent in applying formatting. A. words B. text C. paragraphs D. sections
answer
B
question
In addition to opinions and exhibits, the ______________ must specify fees paid for the expert's services and list all other civil or criminal cases in which the expert has testified. A. verbal report B. informal report C. written report D. preliminary report
answer
C
question
An ___________________ is a document that serves as a guideline for knowing what questions to expect when you're testifying. A. testimony procedure B. examination plan C. planned questionnaire D. testimony excerpt
answer
B
question
An expert's opinion is governed by ________________ and the corresponding rule in many states. A. FRE, Rule 705 B. FRE, Rule 507 C. FRCP 26 D. FRCP 62
answer
A
question
_______________ is the process of opposing attorneys seeking information from each other. A. Subpoena B. Warranting C. Discovery D. Digging
answer
C
question
If a report is long and complex, you should include a(n) _____________. A. appendix B. abstract C. glossary D. table of contents
answer
B
question
__________________ means the tone of language you use to address the reader. A. Style B. Format C. Outline D. Prose
answer
A
question
The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET). A. True B. False
answer
A
question
A search warrant can be used in any kind of case, either civil or criminal. A. True B. False
answer
B
question
Specially trained system and network administrators are often a CSP's first responders. A. True B. False
answer
A
question
The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect. A. True B. False
answer
A
question
In the United States, the Electronic Communications Privacy Act (ECPA) describes 5 mechanisms the government can use to get electronic information from a provider. A. True B. False
answer
A
question
Metadata in a prefetch file contains an application's _____________ times in UTC format and a counter of how many times the application has run since the prefetch file was created. A. startup / access B. log event C. ACL D. MAC
answer
D
question
The __________________________ is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy agreements, security measures, questionnaires, and more. A. OpenStack Framework Alliance B. vCloud Security Advisory Panel C. Cloud Security Alliance D. Cloud Architecture Group
answer
C
question
Which of the following is NOT a service level for the cloud? A. Platform as a service B. Infrastructure as a service C. Virtualization as a service D. Software as a service
answer
C
question
What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing? A. Amazon EC2 B. IBM Cloud C. Salesforce D. HP Helion
answer
C
question
A ________________ is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities. A. court order B. temporary restraining order C. warrant D. subpoena
answer
A
question
To reduce the time it takes to start applications, Microsoft has created __________ files, which contain the DLL pathnames and metadata used by applications. A. temp B. cache C. config D. prefetch
answer
D
question
What information below is not something recorded in Google Drive's snapshot.db file? A. modified and created times B. URL pathnames C. file access records D. file SHA values and sizes
answer
D
question
With cloud systems running in a virtual environment, _______________ can give you valuable information before, during, and after an incident. A. carving B. live acquisition C. RAM D. snapshot
answer
D
question
Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider? A. search warrants B. subpoenas C. court orders D. seizure order
answer
D
question
Which is not a valid method of deployment for a cloud? A. community B. public C. targeted D. private
answer
C
question
The ______________ tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack. A. OpenForensics B. FROST C. WinHex D. ARC
answer
B
question
What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds? A. HP Helion B. Amazon EC2 C. XenServer and XenCenter Windows Management Console D. Cisco Cloud Computing
answer
C
question
Select the folder below that is most likely to contain Dropbox files for a specific user: A. C:\Users\username\AppData\Dropbox B. C:\Dropbox C. C:\Users\Dropbox D. C:\Users\username\Dropbox
answer
D
question
A _________________ is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed through the application's Web interface. A. configuration manager B. management plane C. backdoor D. programming language
answer
B
question
The __________________ Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system. A. read_filejournal B. filetx.log C. filecache.dbx D. filecache.dll
answer
C
question
In a prefetch file, the application's last access date and time are at offset _______________. A. 0x80 B. 0x88 C. 0xD4 D. 0x90
answer
D
question
At what offset is a prefetch file's create date & time located? A. 0x88 B. 0x80 C. 0x98 D. 0x90
answer
B
question
Which of the following is not a valid source for cloud forensics training? A. SANS Cloud Forensics with F-Response B. A+ Security C. INFOSEC Institute D. (ISC)2 Certified Cyber Forensics Professional
answer
B
question
Where is the snapshot database created by Google Drive located in Windows? A. C:\Program Files\Google\Drive B. C:\Users\username\AppData\Local\Google\Drive C. C:\Users\username\Google\Google Drive D. C:\Google\Drive
answer
B
question
The Google Drive file _________________ contains a detailed list of a user's cloud transactions. A. loggedtransactions.log B. sync_log.log C. transact_user.db D. history.db
answer
B