____ involves obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases.

Evidence that is used to clear the suspect is known as ______.

A sworn statement of support of the facts about or evidence of a crime is known as a(n) _____.

____ allows legal counsel to use previous cases similar to the current one because the laws dont yet exist.

A(n) _____ usually appears when a computer starts and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.

During the _____________ step for problem solving you review the decisions youve made and the steps you have already completed

The secure evidence locker is located at the ____.

Of all the Microsoft operating systems, ____ is the least intrusive in terms of changing data.

A(n) ____ is a bit-by-bit copy of the original storage medium.

In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____.

The _____ provides guidelines to members for managing a forensics lab and acquiring crime and forensics lab accreditation.

The ____ identifies the number of hard disk types, such as IDE or SCSI, and the OS used to commit crimes.

True or False: To ensure a forensics labs efficiency, the lab manager sets reasonable production schedules for processing work.

To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a(n) ____ or a secure storage safe.

Certain kinds of equipment can intercept _____, which can be used to determine the data the device is transmitting or displaying.

One way to investigate older and unusual computing systems is to keep track of ____ that still use these old systems.

A(n) ____ ensures that you can restore your workstations and investigation file servers to their original condition in the presence of a catastrophic failure.

____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.

A(n) ____ is a plan you can use to sell your services to your management or clients.

When determining how much floor space is needed for your lab, a good rule of thumb is to plan for ______square feet per person.

Most forensics tools can read the _____ format, making it a universal acquisition format for most tools.

The preferred way to collect digital evidence is through a(n) _____ acquisition.

Popular archiving tools, such as PKZip and WinZip, use an algorithm referred to as ____.

The dd command combined with the _____ command segments output into separate volumes.

____ is a Windows data acquisition program thats included with a licensed copy of AccessData Forensic Toolkit

A _____ utility is designed to create a binary or hexadecimal number that represents the uniqueness of a data set.

The dcfldd option that outputs hash results to a text file is the _____ option.

____ uses data striping and dedicated parity and requires at least three disks.

With _____, you have the option of running it in stealth mode to hide it from the suspect.

____ was the first digital forensics vendor to develop a remote acquisition and analysis tool based on its desktop tool EnCase.

The ISO standard 27037 gives guidance on what procedures countries should have in place for _____.

A statement made while testifying at a hearing by someone other than an actual witness is known as _____.

____ records are data the system maintains, such as system log files and proxy server logs.

NGOs must comply with state public disclosure and federal _____ laws and make certain documents available as public records.

____ is facts or circumstances that lead a reasonable person to believe a crime has been committed or is about to be committed.

Evidence is commonly lost or corrupted through ____, which involves police officers and other professionals who arent part of the crime scene processing team.

If a 30-year lifespan for data storage is acceptable for your digital evidence, older _____ systems are a good choice.

The _____ is a mathematical algorithm that determines whether a files contents have changed.

Answer: CRC or Cyclic Redundancy Check

A(n) ____ is a unique hash number generated by a software tool, such as the Linux md5sum command.

Real-time surveillance requires _____ data transmissions, which allows network administrators and others to determine what data is being transmitted over the network.

____ refers to a disks structure of platters, tracks, and sectors.

In Microsoft file structures, sectors are grouped to form ____, which are storage allocation units of one or more sectors.

True or False: The Master Boot Record (MBR) is located at sector 0 of the disk drive.

Of particular interest when youre examining NTFS disks are ____, which are ways data can be appended to existing files.

The purpose of the ____ is to provide a mechanism for recovering encrypted files under EFS if theres a problem with the users original private key.

A single sign-on password, a fingerprint scan, or a token (USB device) are all examples of the _____ feature found in whole disk encryption.

The _____ is a database in Windows that stores hardware and software configuration information, network connections, user preferences (including usernames and passwords), and setup information.

Specific branches located in HKEY_USER and HKEY_LOCAL_MACHINE are known as _____.

Answer: hives

____ is the Windows XP OS kernel, located in the %system-root%\Windows\System32 folder.

A(n) ____ addresses the need for having a variety of resources by allowing you to create a representation of another computer on an existing physical computer.

____, the first task in digital forensics investigations, involves making a copy of the original drive.

Verification proves that two sets of data are identical by calculating _____ or using another similar method.

The ____ function is the recovery task in a computing investigation and is the most demanding of all tasks to master.

Many password recovery tools have a feature for generating potential password lists for a(n) ____ attack.

The purpose of having a(n) ____ function in a forensics tool is to re-create a suspect drive to show what happened during a crime or an incident.

The first tools that analyzed and extracted data from floppy disks and hard disks were ____ tools for IBM PC file systems.

A useful option in SMART is the _____, which color-codes hex values to make it easier to see where a file begins and ends.

A forensic workstation that is usually a laptop computer built into a carrying case with a small selection of peripheral options is known as a _____ workstation.

____ are used to protect evidence disks by preventing you from writing data to them.

NIST created the ____ project with the goal of collecting all known hash values for commercial software and OS files.

The term _____ is often used when discussing Linux because technically, Linux is only the core of the OS.

Adoption of the _____ file system was slower in some distributions, but its now considered the standard file system for most distributions.

____ contain file and directory metadata and provide a mechanism for linking data stored in data blocks.

Where does Linux keep a record of bad sectors?

Unlike hard links, _____ can point to items on other drives or other parts of the network.

Mac OS X is built on a core called _____, which consists of a Berkeley Software Distribution (BSD) UNIX application layer built on a Mach microkernel.

The _____ typically contains data the user creates, such as text or spreadsheets.

In Mac, a group of consecutive logical blocks is known as a(n) _____.

The _____ is used to store any file information not in the MDB or a VCB.

Since Mac OS 8.6, _____ have been used to manage passwords for applications, Web sites, and other system files.