
Marathwada Mitra Mandal's Polytechnic

Course: Emerging Trends in Computer and Information Technology

Chapter 4 - Digital Evidence

Sr.No Question A B C D Answer


A valid definition of digital evidence is: Data stored or Information of Digital data of Any digital evidence
transmitted using a probative value probative value on a computer
1 computer C

What are the three general categories of computer Desktop, laptop, Personal computer, Hardware, software, Open computer
2 systems that can contain digital evidence? server Internet, mobile networks systems, D
telephone communication
In terms of digital evidence, a hard drive is an example Open computer Communication Embedded systems, embedded
None of the above
3 of: systems systems computer systems A

In terms of digital evidence, a mobile telephone is an Open computer Communication Embedded None of the above
4 example of: systems systems computer systems C

In terms of digital evidence, a Smart Card is an Open computer Communication Embedded None of the above
5 example of: systems systems computer systems C

In terms of digital evidence, the Internet is an example Open computer Communication Embedded None of the above
6 of: systems systems computer systems B

Computers can be involved in which of the following Homicide and sexual Computer intrusions Civil disputes All of the above
types of crime? assault and intellectual
7 property theft D

A logon record tells us that, at a specific time: An unknown person The owner of a The account was None of the above
logged into the specific account used to log into the
8 system using the logged into the system C
account system

Cybertrails are advantageous because: They are not Nobody can be They are easy to Offenders who are
connected to the harmed by crime on follow. unaware of them
physical world the Internet. leave behind more
clues than they
9 otherwise would D
have.
Private networks can be a richer source of evidence They retain data for Owners of private Private networks All of the above.
than the Internet because: longer periods of networks are more contain a higher
10 time. cooperative with concentration of C
law enforcement. digital evidence.

Due to caseload and budget constraints, often Each unreported Responsibility for This approach Computer security
computer security professionals attempt to limit the incident robs incident resolution results in under- professionals
damage and close each investigation as quickly as attorneys and law frequently does not reporting of criminal develop loose
possible. Which of the following is NOT a significant enforcement reside with the activity, deflating evidence processing
drawback to this approach? personnel of an security statistics that are habits
opportunity to learn professional, but used to allocate that can make it
about the basics of with management. corporate and more difficult for
computer-related government law enforcement
11 crime. spending on personnel and B
combating attorneys to
computer-related prosecute an
crime. offender.

Locard’s Exchange Differential Beccaria’s Social None of the above


The criminological principle which states that, when Principle Association Theory Contract
12 anyone, or anything, enters a crime scene he/she A
takes something of the scene with him/her, and leaves
something of himself/herself behind, is:
An individual An incidental A class An indeterminate
The author of a series of threatening e-mails characteristic characteristic characteristic characteristic
13 consistently uses “im” instead of “I’m.” This is an A
example of:
Criminal Prosecution Defense work All of the above
Personal computers and networks are often a valuable
14 source of evidence. Those involved with _______ should investigation D
be comfortable with this technology.
An argument for including computer forensic training It provides an It provides them It teaches them None of the above.
computer security specialists is: additional with the tools to when it is time to
15 credential. conduct their own call in law C
investigations. enforcement.

Computers can play the following roles in a crime: Target, object, and Evidence, Object, evidence, Symbol,
subject instrumentality, and tool instrumentality, and
16 contraband, or fruit source of evidence B
of crime

The first US law to address computer crime was: Computer Fraud and Florida Computer Computer Abuse Act None of the above
17 Abuse Act (CFAA) Crime Act B
The following specializations exist in digital First responder Forensic examiner Digital investigator All of the above
18 investigations: (a.k.a. digital crime D
scene technician)
The first tool for making forensic copies of computer EnCase Expert Witness dd Safeback
19 storage media was: C
One of the most common approaches to validating Examine the source Ask others if the Compare results of Computer forensic
20 forensic software is to: code software is reliable multiple tools for tool testing projects C
discrepancies
An instrumentality of a crime is: An instrument used A weapon or tool Anything that plays All of the above
21 to commit a crime designed to commit a significant role in a D
a crime crime
. Contraband can include: Child pornography Devices or programs Encryption devices All of the above
for eavesdropping or applications
22 on communications D

A cloned mobile telephone is an example of: Hardware as Hardware as an Information as Information as


23 contraband or fruits instrumentality contraband or fruits evidence A
of crime of crime
Digital photographs or videos of child exploitation is Hardware as Hardware as an Information as Information as
24 an example of: contraband or fruits instrumentality evidence contraband or fruits D
of crime of crime
Stolen bank account information is an example of: Hardware as Information as Information as an Information as
25 contraband or fruits contraband or fruits instrumentality evidence B
of crime of crime
A network sniffer program is an example of: Hardware as Hardware as an Information as Information as
26 contraband or fruits instrumentality contraband or fruits evidence C
of crime of crime
Computer equipment purchased with stolen credit Hardware as Hardware as an Hardware as Information as
27 card information is an example of: contraband or fruits instrumentality evidence contraband or fruits A
of crime of crime
A printer used for counterfeiting is an example of: Hardware as Hardware as an Hardware as Information as
28 contraband or fruits instrumentality evidence contraband or fruits B
of crime of crime
Phone company records are an example of: Hardware as Information as Information as an Information as
29 contraband or fruits contraband or fruits instrumentality evidence D
of crime of crime
In the course of conducting forensic analysis, which of Critical thinking Fusion Validation All of the above
30 the following actions are carried out? D
Having a member of the search team trained to handle Can reduce the Can serve to Can reduce the All of the above
digital evidence: number of people streamline the opportunity for
who handle the presentation of the opposing counsel to
31 evidence case impugn the integrity D
of the evidence

Influencing the Due diligence Quid pro quo Voir dire


An attorney asking a digital investigator to find examiner
32 evidence supporting a particular line of inquiry is an A
example of:
Logical reasoning Common sense Preconceived theory Investigator’s
intuition
33 A digital investigator pursuing a line of investigation C
in a case because that line of investigation proved
successful in two previous cases is an example of:
Balance of Beyond a reasonable Acquittal None of the above
probabilities doubt
34 A scientific truth attempts to identify roles that are B
universally true. Legal judgment, on the other hand,
has a standard of proof in criminal prosecutions of:
Relevance Authenticity Best evidence Nominally
35 Regarding the admissibility of evidence, which of the prejudicial D
following is not a consideration:
Uninformed consent Forcible entry Obtained without None of the above
36 According to the text, the most common mistake that authorization C
prevents evidence seized from being admitted is:
In obtaining a warrant, an investigator must convince Evidence of a crime A crime has been The owner or The evidence is
the judge on all of the following points except: is in existence committed resident of the place likely to exist at the
to be searched is place to be searched
37 likely to have C
committed the crime

If, while searching a computer for evidence of a Abandon the Continue with the Stop the search and Continue with the
specific crime, evidence of a new, unrelated crime is original search, and original search but obtain a warrant original search,
pursue the new line also pursue the new that addresses the ignoring the new
38 discovered, the best course of action is: of investigation inquiry new inquiry information C

The process of documenting the seizure of digital Chain of custody Field notes Interim report None of the above
39 evidence and, in particular, when that evidence A
changes hands, is known as:
When assessing the reliability of digital evidence, the Whether chain of Whether there are Whether the Whether the
investigator is concerned with whether the computer custody was indications that the evidence was evidence media was
maintained actual digital properly secured in compatible with
40 that generated the evidence was functioning normally, evidence was transit forensic machines B
and:
tampered with

The fact that with modern technology, a photocopy of Best evidence rule Due diligence Quid pro quo Voir dire
41 a document has become acceptable in place of the A
original is known as:
Evidence contained in a document provided to prove Inadmissible Illegally obtained Hearsay evidence Direct evidence
42 that statements made in court are true is referred to evidence evidence C
as:
Business records are considered to be an exception to: Direct evidence Inadmissible Illegally obtained Hearsay evidence
43 evidence evidence D
Which of the following is not one of the levels of Probably Maybe Almost definitely Possibly
44 certainty associated with a particular finding? B
45 Direct evidence establishes a: Fact Assumption Error Line of inquiry A
What is one of the most complex aspects of Arranging to travel Determining which Finding a court that Finding a federal
jurisdiction when the Internet is involved? to remote locations court can enforce a is in two states court that can hear a
46 to apprehend judgment over a civil suit B
criminals defendant

In the US, to enforce a judgment over a defendant, a Subject matter and General and limited Diversity and long None of the above
47 court must have which of the following? personal jurisdiction jurisdiction arm jurisdiction A

The Miller test takes which of the following into It appeals to the It depicts sexual It lacks any All of the above
account when determining if pornography is obscene? public interest conduct in a patently monetary value
48 offensive way B

Which of the following rights is not explicitly Right of the people Right of personal Right of the people Right to a speedy
49 mentioned in the US Constitution? to keep and bear privacy peaceably to and public trial B
arms assemble
The definition of a “protected computer” is, according A computer that is A computer that is A computer that is All of the above.
to the CFAA: used exclusively by a used non-exclusively used in state or
financial institution by a financial foreign commerce or
or the Federal institution or the communication.
50 government. Federal government D
and the crime affects
that use.
The legislation that made the theft of trade secrets a The Lanham Act The Economic The Child None of the above
51 Federal crime was Espionage Act Pornography B
Protection Act
Which state does not have a law prohibiting simple California Texas Washington None of the above
52 hacking – gaining unauthorized access to a computer? D

The term “computer contaminant” refers to: Excessive dust Viruses, worms, and Spam e-mails Nigerian scam e-
53 found inside the other malware mails B
computer case
In those states with legislation addressing computer Computers Computer Specialized All of the above
54 forgery, contraband in the form of “forgery devices” equipment computer software D
may include:
Compelling a suspect to reveal passwords to provide Second Amendment Fourth Amendment Fifth Amendment Seventh
55 access to encrypted media is considered to fall under Amendment C
the:
56 An example of a content-related crime would be: Cyberstalking Child pornography Hacking None of the above B
Hacking is an example of: Computer-assisted Computer-related Computer-integrity Computer
57 crime crime crime malfeasance crime C
Forgery is an example of: Computer assisted Computer-related Computer-integrity Computer
58 crime crime crime malfeasance crime A
In Ireland, the Non-Fatal Offences Against the State Computerized Cyberbullying Nigerian scams Hacking
59 Act of 1997 specifically addresses: welfare fraud B
Jurisdiction claims may be based on: Location of the Location of the Location of All of the above
60 perpetrator’s victim’s computer intermediary D
computer computers
Standard operating procedures (SOPs) are important Help individuals Ensure that the best Increase the All of the above
because they: avoid common available methods probability that two
mistakes are used forensic examiners
will reach the same
61 conclusions when D
they examine the
evidence

The goal of an investigation is to: Convict the suspect Discover the truth Find incriminating All of the above
62 evidence B
An investigation can be hindered by the following: Preconceived Improperly handled Offender All of the above
63 theories evidence concealment D
behavior
When you have developed a theory, what can you do Predict, based on Perform Conclude, based on All of the above
to confirm that your hypothesis is correct? your hypothesis, experiments to test your findings,
where artifacts results and rule out whether the
64 should be located alternate evidence supports D
explanations the hypothesis

Which of the following would be considered an The originating IP A scratch on the Date-time stamps of All of the above
individual characteristic? address in a glass of a flatbed files on a disk or
65 network packet or e- scanner or digital entries in a database B
mail header camera lens

When digital photographs containing child Someone in the Someone in the Someone in the None of the above.
pornography are found on a home computer, house transferred house took the house took the
investigators can assert that: a the photographs photographs with a photographs with a
onto the computer digital camera and digital camera and
66 from a disk or the transferred transferred them D
Internet them directly onto directly onto the
the computer. computer

Forensic examination involves which of the following: Assessment, Seizure and Recovery, All of the above
experimentation, preservation harvesting, filtering,
fusion, correlation, organization, and
67 and validation search C

Forensic analysis involves the following: Assessment, Seizure and Recovery, All of the above
experimentation, preservation harvesting, filtering,
fusion, correlation, organization, and
68 and validation search A

The first step in applying the scientific method to a Form a theory on Experiment or test Make one or more Form a conclusion
digital investigation is to: what may have the available observations based based on the results
occurred evidence to confirm on events that of your findings
69 or refute your occurred C
prediction

Which of the following should the digital investigator Should the evidence Will the evidence Will there be All of the above
consider when arranging for the transportation of be physically in the copies be shared environmental
evidence? possession of the with other experts at factors associated
70 investigator at all other locations? with the digital D
times? media?
In the Staircase Model, why is case management Case documents are Case management Case management None of the above.
shown spanning across all of the steps in the process intangible objects provides stability documents the
model? that can be held. and enables process function.
investigators to tie
71 all relevant B
information
together.

Process models have their origins in the early theories Complicated Difficult Linear Polymorphic
72 of computer forensics which defined the field in terms C
of a ______ process
Generating a plan of action and obtaining supporting Preparation Survey/ Preservation Examination and
73 resources and materials falls under which step in the identification analysis A
digital investigation?
The process model whose goal is to completely The Physical Model The Staircase Model The Evidence Flow The Subphase
74 describe the flow of information in a digital Model Model C
investigation is known as:
The following organizations have published guidelines US Secret Service Association of Chief US Department of All of the above
75 for handling digital crime scenes: Police Officers Justice D

When a first responder encounters technology or Seize the equipment Seek assistance Leave that Ask the suspect for
equipment that he is not familiar with, the as if it were a known from a more particular piece of details on the
76 recommended course of action is to: device experienced digital equipment at the equipment B
investigator crime scene

When preparing a questionnaire for interviewing Passwords Encryption keys Admission of guilt Details on
77 individuals of the crime scene which of the following removable storage C
should NOT be requested:
When entering a crime scene, the initial survey Include user Involve tracing Collect relevant All of the above
should: manuals cables data such as
78 passwords and D
account details

Examples of data that should be immediately USB drives Digital picture System and USB bracelets
79 preserved include: frames network information C

The crime scene preservation process includes all but Protecting against Acquiring digital Confirming system Controlling access
80 which of the following: unauthorized evidence date and time to the crime scene C
alterations
A thorough crime scene survey should include: Manuals for Removable media Mobile devices All of the above
81 software D
applications
The challenge to controlling access to a digital crime Information may be The computer may The computer case None of the above.
scene is that: stored on Internet be shared. may be locked.
82 servers in different A
locations

In the case where digital investigators dealing with Notify personnel at Notify personnel at Utilize remote None of the above
distributed systems need to collect data from remote the remote sites to the remote sites to forensics tools to
sites, the following procedure is recommended: leave everything as shut down all acquire data from
83 is, and arrange for systems and send the remote sites’ C
travel to the remote the hard drives to RAM as well as the
locations the forensic lab hard drives

When presenting evidence on an organizational System The CEO of the The CSO (Chief Additional forensic
84 network, the digital investigator may require the administrators organization Security Officer) investigators A
assistance of:
Which of the following is not a safety consideration for Additional Protection against Proper tools for Protective gloves
a first responder? personnel to control ELF emanations disassembling and and eyewear
those present at the from monitors reassembling
85 crime scene computer cases B

Digital investigators like to preserve every potential The law Resources The interests of All of the above
86 source of digital evidence; however, they are business D
constrained by:
During the initial survey of a crime scene, why it is This simplifies Photographing items To record the fact None of the above.
necessary to photograph or videotape the area and inventorying the to be seized records that a particular
items of potential interest in their current state? crime scene their actual item was actually
condition, and found at the crime
87 precludes damage scene. C
claims when the
items are returned
to the offender.

Why is the first step to secure the physical crime scene To prevent them To prevent them To give them time To keep them from
by removing everyone from the immediate area? from contaminating from asking to fill out a personal blocking the view
evidence questions about the information survey when photographs
88 case before they can are being taken A
be interviewed
When a piece of evidence has both a biological and a The crime scene The digital Neither; the Both the crime
digital component, who should process it first? technician, because investigator, evidence should be scene technician and
biological artifacts because processing preserved and the digital
are much more the biological transported to the investigator, in a
fragile artifacts will destroy lab for processing cooperative effort,
digital evidence assuring that the
89 biological evidence D
is collected in a way
that does not
damage the digital
component

The process of evaluating available evidence Equivocal forensic Investigative Threshold Behavioral imprints
objectively, independent of the interpretations of analysis reconstruction assessment
90 others, to determine its true meaning is referred to as: A

The words that an offender uses on the Internet, the Investigation Threshold Behavioral imprints Crime scene
tools that an offender uses online, and how an reconstruction assessment analysis
91 offender conceals his identity and criminal activity are C
referred to in the text as:

Investigative reconstruction is composed of three Which of the Functional Intentional Relational


different forms following is NOT one
92 of those three B
forms?

Creating a histogram of times to reveal periods of high Functional Intentional Relational Temporal
93 activity is an example of which form of investigative D
reconstruction?
The investigation and study of victim characteristics is Criminal profiling Behavioral imprints Victimology Crime scene
94 known as: analysis C
Why should victimology include a thorough search of Because the Because it is well Because nearly None of the above.
the Internet for cybertrails? a Internet can known that even everyone uses the
significantly traditional criminal Internet.
95 increase the victims offenses are A
risk documented on the
Internet.

The type of report that is a preliminary summary of SITREP Threshold Full investigative Field notes
96 findings is known as: Assessment report report B
According to the text, the distinguishing features of a Hard evidence Fruit of the poison Caveat emptor Crime scene
crime scene as evidenced by the offender’s behavioral tree characteristics
97 decisions regarding the victim and the offense location D
are known as:

In crimes against individuals the ______ period leading 24-hour 48- hour 60-minute 15-minute
up to the crime often contains the most important
98 clues regarding the relationship between the offender A
and the victim

One of the most important things to establish when a Where the What operating Who or what was None of the above
99 computer is directly involved in the commission of a computer
purchased
was system is in use the intended victim
or target
C
crime is:
An example of online behavior that puts an individual Using your real Putting personal Posting photographs All of the above
at higher risk for cyberstalking is: name online information in your on a social
100 profile networking page D

In the movie Home Alone one of the burglars would Psychotic episode Signature-oriented Modus operandi Vandalism
always turn the water on in the sinks so that the house behavior
would be flooded when the owners returned. In terms
101 of crime scene characteristics, this is an example of: B

The totality of choices an offender makes during the The criminal’s MO Crime scene Tangible evidence None of the above
102 commission of a crime are referred to as: characteristics B
Because seemingly minor details regarding the What the offender What the offender What the offender All of the above
offender can be important, investigators should get brought to the crime took from the crime changed at the crime
103 into the habit of contemplating which of the following: scene scene scene D

One reason digital investigators write threshold They will be They keep their They take less time They serve as field
assessments more often than full reports is because: included in a final supervisor aware of to prepare and may notes for the
report, and so, their productivity. be sufficient to close investigator.
distribute the time out an investigation.
104 for final report C
preparation over the
entire period of the
investigation

Every violent crime investigation should incorporate Investigative leads Likely suspects Previously All the above
105 digital evidence because digital evidence may reveal: unknown crimes D
How the offender approaches and obtains control of a Motives Choice of weapons Modus operandi Signature behaviors
106 victim or target is significant because it exposes the A
offender’s:
Crime scenes fall into two categories – primary and Remote Secondary Ancillary Theoretical
107 ____ B
When reconstructing evidence surrounding a violent Lay out all the Work with the Construct a timeline Begin the process of
crime, it is generally helpful to: evidence so it can be crime scene of events from converting field
viewed in its technicians so that a digital evidence notes to a final
entirety better report
108 understanding of the C
crime is achieved

One reason not to put too much trust into those who There has always They are typically They are usually not They may be the
run the company’s computers is that: been an antagonism too busy to take the authorized to offenders.
between system time to answer your answer questions.
109 administrators and questions D
law enforcement

Although crime scenes are typically photographed, it Diagramming is a The process of The quality of None of the above.
is a good idea to create diagrams of the crime scene common crime creating a diagram photographs taken
because: scene technician’s can result in a digital at the crime scene is
skill; however, it investigator noticing not known until the
requires continual an important item of film is developed.
110 practice evidence that would B
otherwise have been
missed

Given the scope and consequences of violent crimes, Collect only that Focus only on the Seek out and Focus only on the
when collecting digital evidence it is advisable to: digital evidence that primary crime preserve all offender’s digital
is clearly connected scene, as searching available digital evidence, as the
to the offense the offender’s home evidence victim’s digital
111 and workplace evidence is usually C
requires additional of little value
authorization

When swift action is needed, law enforcement Searches of this Exigent Eminent domain Mens rea
112 personnel may be permitted to conduct searches kind are permitted circumstances A
without a warrant under:
When processing the digital crime scene in a violent A good supply of More than one Standard operating A good supply of
crime investigation it is important to have ________ to electrostatic bags for reliable camera for procedures for nitrile gloves
holding sensitive photographing the processing a digital
113 ensure that all digital evidence and findings can hold electronic crime scene crime scene C
up under close scrutiny
components

The Federal statute that has a provision allowing ECPA CCPA The Privacy Act FCRA
Internet service providers to disclose subscriber
114 information to law enforcement in exigent A
circumstances is:

When reconstructing evidence surrounding a violent Diagram the crime Create a timeline of Create a threat None of the above
115 crime, it is generally helpful to: scene events from digital assessment report B
evidence
A thief who has programmed and released a virus to Power assertive Profit oriented Power reassurance Anger retaliatory
roam a network looking for victim passwords used for
116 online banking is an example of what offense B
behavior?

The case of a Michigan bank robber requiring tellers Deviant aberrant Criminal humor Crime scene Investigative
117 to undress so he could photograph them is an example behavior characteristics reconstruction C
of:
The assessment of the victim as they relate to the Threat assessment Signature behaviors Behavioral evidence Victimology
118 offender, the crime scene, the incident, and the methodology analysis D
criminal justice system is known as:
Computers and mobile devices are treated as _________ Temporary Immediate Remote Secondary
119 crime scenes in violent crime investigations D

During the commission of a crime, evidence is Locard’s Exchange Sutherland’s Martin’s Rule d Parkinson’s Rule of
120 transferred between the offender’s computer and the Principle General Theory of Available Space A
target This is an example of: Criminology

Intruders who have a preferred toolkit that they have Usually have little Show little initiative Are generally more Pose less of a threat
pieced together over time, with distinctive features: experience and are – letting the tool do experienced
121 relying on the kit the work C

In the case of a computer intrusion, the target The remote crime The auxiliary crime The virtual crime The primary crime
122 computer is: scene scene scen scene D
A computer intruder’s method of approach and attack Skill level Knowledge of the Intent All of the above
123 can reveal significant amount about their: target D
Determining skill level can lead to: Determining the Likely hiding places Suspects Offense behaviors
124 extent of the for rootkits and C
intrusion malware
If digital investigators find an unauthorized file, they Immediately move Check for other Execute the file to Permanently delete
125 should: the file to removable suspicious files in determine its the file B
media the same directory purpose
Remote forensic solutions can be used to access live Acquire and, Image systems Conduct Image large systems
systems, and include the ability to: sometimes, analyze without ever having examination and across the Internet
126 memory to leave the lab analysis without the A
need to image

A forensic analysis conducted on a forensic duplicate Virtual analysis Clone analysis Post-mortem Ex post facto
127 of the system in question is referred to as: analysis analysis C

Capturing all of the network traffic to and from the Allow the network Reveal the source of Seriously slow None of the above
compromised system can: administrators to the attack down the network,
participate in the affecting normal
investigation, work
128 establishing rapport B
for later interviews

A common technique that is highly useful and can be This embodies a Temporal proximity Timeline analysis File system analysis
applied in a computer intrusion investigation is to principle known as:
129 simply focus on file system activities around the time A
of known events

130. The registry key HKLM\Software\Microsoft\Windows\CurrentVersion is one of the most common locations for:
A. New software entries
B. Time and date information
C. Trojans
D. A list of recently run programs
Answer: C

131. When collecting data from a compromised computer, consideration should be given to collecting the ______ data first.
A. CMOS
B. Most volatile
C. Magnetic
D. Optical
Answer: B

132. The forensic examiner needs to be aware that the process of collecting memory:
A. Is seldom useful and not often called for
B. Can take an extremely long period of time
C. Is only needed for standalone systems
D. Changes the contents of memory
Answer: D

133. A more thorough method of collecting specific volatile data from a computer is to:
A. Examine the specific memory addresses live
B. Collect the full contents of physical memory
C. Selectively collect contents of physical memory
D. Take screenshots
Answer: B

134. Why are “non-volatile” storage locations contained in the RFC 8227 “Order of Volatility”?
A. This is an old RFC and has not been updated
B. No form of data storage is permanent
C. An RFC is a Request for Comments – and corrections are expected.
D. None of the above.
Answer: B

135. The first state in the United States to enact a law to deal with cyberstalkers was:
A. Texas
B. Hawaii
C. California
D. New York
Answer: C

136. The first cyberstalking law in the US was passed in:
A. 1985
B. 1990
C. 1995
D. 2000
Answer: B

137. Stalkers want to exert power over their victims, primarily through:
A. Fear
B. Anxiety
C. Autosuggestion
D. Peer pressure
Answer: A

138. A stalker’s ability to frighten and control a victim increases with the amount of information that he can gather, such as:
A. Telephone numbers
B. Addresses
C. Personal preferences
D. All of the above
Answer: D

139. Stalkers have taken to the Internet because:
A. The cost of an Internet connection has dropped considerably
B. They depend heavily on information and the Internet contains vast amounts
C. They no longer have to go out to do their stalking
D. None of the above
Answer: B

140. An implication from studies indicating that many stalkers had prior acquaintance with their victims is that:
A. Part of the blame can be assigned to the victim
B. The offender is likely to be found in the same area as the victim
C. Investigators should pay particular attention to acquaintances of the victim
D. Investigators should always check the immediate family
Answer: C

141. An excellent set of guidelines developed specifically for victims of stalking is available from:
A. The National Center for Victims of Crime
B. The National White Collar Crime Center
C. The Department of Justice
D. The National Institute of Justice
Answer: A

142. When a cyberstalking case is stalled, it is a good idea to interview the victim again, because:
A. The victim might have been withholding information during the first interview
B. The information that investigators have gathered might help the victim recall additional details
C. The time between the first and second interviews has given the victim time to seek counseling
D. None of the above
Answer: B

143. In determining how and why the offender selected a specific victim, the investigator should determine whether the cyberstalker:
A. Knew the victim
B. Learned about the victim through a personal web page
C. Noticed the victim in a chat room
D. All of the above
Answer: D

144. A key aspect of developing victimology is determining victim and offender _____
A. Hobbies
B. Likes and dislikes
C. Risks
D. Roles
Answer: C

145. When searching for evidence of cyberstalking, it is useful to distinguish between an offender’s harassing behaviors and ____________ behaviors
A. Grooming
B. Surreptitious monitoring
C. Initial contact
D. Congenial
Answer: B

146. That part of cyberstalking where the offender is using the Internet to find a victim is known as:
A. Profiling
B. Trolling
C. Surreptitious monitoring
D. None of the above.
Answer: C

147. When a cyberstalker chooses victims at random, he is said to be an:
A. Opportunistic stalker
B. Power assertive stalker
C. Profit-oriented stalker
D. None of the above
Answer: A

148. The initial stage in a cyberstalking investigation is to:
A. Search for additional digital evidence
B. Analyze crime scene characteristics
C. Conduct victimology and risk assessments
D. Interview the victim
Answer: D

149. It is extremely important for the investigator to be extremely cautious when dealing with a stalking case because:
A. If the victim becomes offended by the investigator’s methods, she is likely to go file a complaint
B. If the investigation is conducted too openly, the offender may stop the harassment and move on to another victim
C. The victim must be protected, in case the offender decides to escalate to physical violence
D. The victims frequently become emotionally attached to the investigator
Answer: C

150. Which of the following is NOT part of the set of forensic methodologies referenced in this book?
A. Preparation
B. Interdiction
C. Documentation
D. Reconstruction
Answer: B

151. Preparation planning prior to processing a crime scene should include:
A. What computer equipment to expect at the site
B. What the systems are used for
C. Whether a network is involved
D. All of the above
Answer: D

152. The forensic crime scene processing kit should include all of the following, EXCEPT:
A. Evidence bags, tags, and other items to label and package evidence
B. Forensically sanitized hard drives to store acquired data
C. Compilers for developing forensic tools on site
D. Hardware write blockers
Answer: C

153. When processing the digital crime scene, one aspect of surveying for potential sources of digital evidence is:
A. Recognizing relevant hardware such as computers, removable media, etc
B. Determining if electrical wiring is capable of supporting forensic machines
C. Confirming that the operating environment is suitable for electronic equipment
D. Making sure there is sufficient space to set up the forensic crime scene processing kit
Answer: A

154. The _____________ documentation specifies who handled the evidence, when, where, and for what purpose
A. Evidence inventory
B. Chain of custody
C. Evidence intake
D. Preservation notes
Answer: B

155. When documenting a crime scene, the computer and surrounding area should be photographed, detailed sketches should be made, and copious notes should be taken, because:
A. The more evidence collected, the stronger the case.
B. This provides a record for what to look for when you return for the second visit.
C. It is prudent to document the same evidence in several ways.
D. All of the above.
Answer: C

156. In regard to preservation, in a child pornography investigation, which of the following should be collected?
A. Photographs
B. Papers
C. Digital cameras
D. All of the above
Answer: D

157. If it is determined that some hardware should be collected, but there is no compelling need to collect everything, the most sensible approach is to employ:
A. Nearest reach doctrine
B. Direct connectivity doctrine
C. Independent component doctrine
D. Slice-the-pie doctrine
Answer: C

158. According to the US Federal guidelines for searching and seizing computers, safe temperature ranges for most magnetic media are:
A. 60-80 degrees Fahrenheit
B. 50-90 degrees centigrade
C. 50-90 degrees Fahrenheit
D. 60-80 degrees centigrade
Answer: C

159. Which of the following is NOT an artifact that will be irrevocably lost if the computer is shut down?
A. Running processes
B. Open network ports
C. Data stored in memory
D. System date and time
Answer: D

160. Which of the following is NOT one of the recommended approaches to preserving digital evidence?
A. Place the evidential computers and storage media in secure storage for later processing
B. Preview the evidential computer, taking appropriate notes
C. Extract just the information needed from evidential computers and storage media
D. Acquire everything from evidential computer and storage media
Answer: B

161. The reason UNIX “dd” is considered a de facto standard for making bitstream copies is:
A. The majority of tools for examining digital evidence can interpret bitstream copies
B. “dd” stands for “digital data” and was developed for making forensic copies.
C. “dd,” although a UNIX tool, is universally able to traverse Windows file systems.
D. The developers of “dd” have made arrangements with other forensic software companies.
Answer: A

162. Regarding the examination of a piece of digital evidence, which of the following is NOT one of the fundamental questions that need to be answered?
A. What is it (identification)?
B. What classifications distinguish it?
C. Where did it come from?
D. What is its value?
Answer: D

163. Which of the following issues is NOT one that a forensic examiner faces when dealing with Windows-based media?
A. Invasive characteristics of the Windows environment
B. The facility in the standard Windows environment for mounting a hard drive as Read-Only
C. The location, organization, and content of Windows system log files
D. Available methods for recovering data from Windows media
Answer: B

164. Forensically acceptable alternatives to using a Windows Evidence Acquisition Boot Disk include all but which of the following?
A. Linux boot floppy
B. FIRE bootable CD-ROM
C. Booting into safe mode
D. Hardware write blockers
Answer: C

165. The standard Windows environment supports all of the following file systems EXCEPT ______
A. FAT16
B. ext2
C. FAT32
D. NTFS
Answer: B

166. Before evidentiary media is “acquired,” forensic examiners often ________ the media to make sure it contains data relevant to the investigation
A. Hash
B. Preview
C. Validate
D. Analyze
Answer: B

167. Log files are used by the forensic examiner to __________
A. Associate system events with specific user accounts
B. Verify the integrity of the file system
C. Confirm login passwords
D. Determine if a specific individual is the guilty party
Answer: A

168. The Windows NT Event log Appevent:
A. Contains a log of application usage
B. Records activities that have security implications, such as logins
C. Notes system events such as shutdowns
D. None of the above
Answer: A

169. When examining the Windows registry key, the “Last Write Time” indicates:
A. The last time RegEdit was run
B. When a value in that Registry key was altered or added
C. The current system time
D. The number of allowable changes has been exceeded
Answer: B

170. File system traces include all of the following EXCEPT:
A. Metadata
B. CMOS settings
C. Swap file contents
D. Data object date-time stamps
Answer: B

171. When a file is moved within a volume, the Last Accessed Date Time:
A. Is unchanged
B. Changes if a file is moved to different directory
C. Changes if a file is moved to the root
D. Is unchanged; however, the Created Date-Time does change
Answer: A

172. Internet traces may be found in which of the following categories?
A. Web browser cache
B. Instant messenger cache
C. Cookies
D. All of the above
Answer: D

173. The Windows NT Event log Secevent.evt:
A. Contains a log of application usage
B. Records activities that have security implications, such as logins
C. Notes system events such as shutdowns
D. None of the above
Answer: B

174. Which of the following is NOT one of the methods mobile devices use to communicate?
A. FDDI
B. Telecommunication networks
C. WiFi access points
D. Bluetooth piconets
Answer: A

175. One major advantage of mobile devices from a forensic perspective is that:
A. People very seldom delete information from mobile devices
B. The process for deleting information is much more complicated than for adding information, and users frequently don’t delete things correctly
C. Flash memory is deleted block-by-block and mobile devices generally wait for a block to be full before it is deleted
D. Manufacturers reserve a part of memory for storing deleted items
Answer: C

176. The reason that malware developers are beginning to target mobile devices is:
A. Because available memory is much smaller and the operating system is much less sophisticated on mobile devices, it is much easier to develop malicious code
B. The malware market has become very crowded and developers are looking for new avenues
C. Since the coding is much simpler on mobile devices, many new programmers are trying at this particular platform
D. Since mobile devices are used more and more for online banking and making purchases, they have become prime targets for computer criminals
Answer: D

177. Software designed to monitor activities on mobile devices has come to be called:
A. Malware
B. Spouseware
C. Trojan defense
D. None of the above
Answer: B

178. One of the dangers (from a forensic standpoint) of mobile devices is:
A. Connected networks can contain investigatively useful information
B. Network service providers may provide information for comparison with data extracted from a mobile device
C. Connected networks can enable offenders to delete data remotely
D. Network service providers may provide additional historical call records
Answer: C

179. One of the difficulties unique to forensic processing of mobile devices is:
A. MD5 hashes must be calculated for data recovered from mobile devices
B. Documentation must show continuous possession and control
C. An investigator must make a calculated decision to either prevent or allow the device to receive new data over wireless networks
D. Any issues encountered with processing the device should be documented
Answer: C

180. Powering down a mobile device and removing the battery may cause problems in that:
A. When the battery is removed from a mobile device, the information in memory is lost
B. Doing so may activate security measures such as lock codes and encryption
C. The process of removing the battery can cause a capacitive discharge, destroying the device
D. You now have two pieces of evidence, which have to be documented
Answer: B

181. Which of the following are methods for preserving mobile devices by isolating them from the networks?
A. Reconfigure the device to prevent communication from the network
B. Place the device in an RF-shielded pouch
C. Jam RF signaling in the immediate area
D. All of the above
Answer: D

182. Why is it important to collect charging cables when seizing mobile devices?
A. Mobile device batteries have a limited charge life span, and the device will need a charger to maintain the battery until the device can be processed
B. To reduce owner complaints about missing cables when, at some point, seized devices are returned
C. In those cases where evidence seized is forfeit, you want to make sure you have everything you need to operate the device
D. None of the above
Answer: A

183. Which of the following is NOT one of the currently available methods for extracting data from mobile devices?
A. Manual operation via user interface
B. Logical acquisition via communication port
C. Connecting the communication port directly to an output device such as a printer
D. Physical acquisition via the communication port
Answer: C

184. Forensic examiners should be aware that a mobile device with a blank or broken display:
A. May as well be thrown away, as no data will be recovered from it
B. May only indicate that the screen is damaged and it may still be possible to extract data
C. May require that the mobile device be sent out to the manufacturer for repairs
D. None of the above
Answer: B

185. A peculiarity of mobile devices is the format in which they store SMS messages, which is:
A. ASCII
B. Unicode
C. GSM 7-bit
D. Baudot
Answer: C

186. The primary reason that brute-force methods are not used when trying to access a SIM card with the PIN set is:
A. A four-digit PIN represents 10,000 possible combinations
B. After three failed attempts, the SIM card will become locked
C. PIN disclosure by the offender can be required by a court order
D. None of the above
Answer: B

187. An understanding of networks helps with which of the following:
A. Establishing continuity of offense
B. Tracking down offenders
C. Understanding traces of online activities left on a PC
D. All of the above
Answer: D

188. When a Windows system connects to a shared folder on another Windows machine on the Internet, which of the following protocols are used?
A. TCP/IP
B. SMB
C. NetBIOS
D. All of the above
Answer: D

189. Hosts that connect two or more networks are called:
A. Routers
B. Switches
C. Hubs
D. All of the above
Answer: A

190. Which of the following are Layer 7 protocols?
A. Ethernet
B. HTTP
C. TCP
D. All of the above
Answer: B

191. Ethernet uses which of the following technologies?
A. CDPD
B. CSMA/CD
C. CDMA
D. All of the above
Answer: B

192. Another name for a hub is:
A. Switch
B. Router
C. Concentrator
D. NIC
Answer: C

193. Currently, the most widely used Internet protocols are:
A. TCP
B. UDP
C. IP
D. All of the above
Answer: D

194. The OSI reference model divides Internets into seven layers. Choose the correct order, by layer:
A. Transport, Session, Network, Presentation, Data-link, Application, Physical
B. Presentation, Data-link, Application, Physical, Transport, Session, Network
C. Physical, Data-link, Network, Transport, Session, Presentation, Application
D. Data-link, Network, Session, Application, Physical, Network, Session
Answer: C

195. The layer that actually carries data via cables or radio signals is the:
A. Transport layer
B. Physical layer
C. Network layer
D. Data-link layer
Answer: B

196. A hub joins hosts at the physical level whereas a switch joins them at the _____ layer
A. Transport
B. Physical
C. Network
D. Data-link
Answer: D

197. The layer responsible for managing the delivery of data is the:
A. Application layer
B. Presentation layer
C. Transport layer
D. Session layer
Answer: C

198. Which of the following network technologies uses a fiber-optic medium?
A. Ethernet
B. FDDI
C. Asynchronous Transfer Mode
D. 802.11
Answer: B

199. Preservation of digital evidence can involve which of the following?
A. Collecting computer hardware
B. Making a forensic image of storage media
C. Copying the files that are needed from storage media
D. All of the above
Answer: D

200. A forensic image of a drive preserves which of the following?
A. Memory contents
B. File slack and unallocated space
C. System date and time
D. Screen contents
Answer: B

201. Examination of digital evidence includes (but is not limited to) which of the following activities?
A. Seizure, preservation, and documentation
B. Recovery, harvesting, and reduction
C. Experimentation, fusion, and correlation
D. Arrest, interviewing, and trial
Answer: B

202. Analysis of digital evidence includes which of the following activities?
A. Seizure, preservation, and documentation
B. Recovery, harvesting, and reduction
C. Experimentation, fusion, and correlation
D. Arrest, interviewing, and trial
Answer: C

203. Evidence can be related to its source in which of the following ways?
A. Top, middle, bottom
B. IP address, MD5 value, filename, date-time stamps
C. Production, segment, alteration, location
D. Parent, uncle, orphan
Answer: C

204. When a website is under investigation, before obtaining authorization to seize the systems it is necessary to:
A. Determine where the web servers are located
B. Inform personnel at the web server location that you’ll be coming to seize the systems
C. Conduct a reconnaissance probe of the target website
D. None of the above
Answer: A

205. Which of the following is NOT an information gathering process?
A. Scanning the system remotely
B. Studying security audit reports
C. Attempting to bypass logon security
D. Examining e-mail headers
Answer: C

206. Unlike law enforcement, system administrators are permitted to ________ on their network when it is necessary to protect the network and the data it contains
A. Open unread e-mails
B. Monitor network traffic
C. Modify system logs
D. Divulge user personal information
Answer: B

207. Although it was not designed with evidence collection in mind, _______ can still be useful for examining network traffic
A. EnCase
B. FTK
C. Wireshark
D. CHKDSK
Answer: C

208. Issues to be aware of when connecting to a computer over a network and collecting information include:
A. Creating and following a set of standard operating procedures
B. Keeping a log of actions taken during the collection process
C. Documenting which server actually contains the data that’s being collected
D. All of the above
Answer: D

209. Occasionally, an intrusion detection system may trigger an alarm caused by an innocent packet that coincidentally contains intrusion class characteristics. This type of alert is called:
A. False warning
B. Failsafe
C. DEF con
D. False positive
Answer: D

210. Information security professionals submit samples of log files associated with certain intrusion tools to help others detect attacks on the mailing lists at:
A. Bugtraq
B. Sam Spade
C. CNET
D. Security Focus
Answer: A

211. Which of the following are situations where a bitstream copy may not be viable?
A. The hard drive is too large to copy
B. The system cannot be shut down
C. The digital investigator does not have authority to copy the entire drive
D. All of the above
Answer: D

212. Who is authorized to conduct online undercover investigations when child pornography is involved?
A. Anyone
B. Computer security professionals
C. Journalists
D. Law enforcement
Answer: D

213. Which of the following Internet services can be used to exchange illegal materials?
A. IRC
B. Usenet
C. KaZaA
D. All of the above
Answer: D

214. What are two of the most useful headers for determining the origination of Usenet messages?
A. From and Message-ID
B. NNTP-Posting-Host and X-Trace
C. Path and Subject
D. RFC1036 and RFC2980
Answer: B

215. What information should you document when searching for evidence on the Web?
A. Date/time of search, search engine and terms used, address of pertinent results
B. Screenshots of significant search results
C. Download copies of the webpages and calculate their MD5 value
D. All of the above
Answer: D

216. Why is it important to hide your identity when conducting an online investigation?
A. To reduce the risk of alerting the offender
B. To get yourself in the mindset of covert web investigating
C. To make it easier for you to determine the offender’s location
D. All of the above
Answer: A

217. When it is not possible to determine the identity of the author of a Usenet message using IP addresses in the header, what else can you do to learn more about the author?
A. Look for unusual signature and use of language
B. Search the Web using distinctive aspects of posts
C. Look for similar Usenet messages posted using an alias
D. All of the above
Answer: D

218. What characteristics of IRC make it attractive to criminals?
A. IRC enables them to exchange illegal materials with other criminals
B. IRC provides them with some level of anonymity
C. IRC gives them direct, “live” access to a large pool of potential victims
D. All of the above
Answer: D

219. Which of the following enables a user to connect to IRC and run IRC fserves without disclosing their IP address?
A. Freenet
B. psybnc bot
C. Fserve
D. All of the above
Answer: B

220. Which of the following applications leave traces of Internet activities on a personal computer?
A. Internet Explorer
B. KaZaA
C. IRC
D. All of the above
Answer: D

221. Which of the following tools can reconstruct TCP streams?
A. Tcpdump
B. Wireshark
C. Snoop
D. EnCase
Answer: B

222. What peer-to-peer clients use the FastTrack network?
A. KaZaA
B. Grokster
C. iMesh
D. All of the above
Answer: D

223. Web Whacker and Httrack are examples of tools that:
A. Search the Web
B. Deface websites
C. Capture websites
D. Launch websites
Answer: C

224. Metaverseink is a:
A. Search tool (people or things) for virtual worlds
B. Newsgroup aggregator
C. Social networking meta-tool
D. A file-sharing peer-to-peer network
Answer: A

225. Second Life is one of the better known:
A. Research websites
B. Archive websites
C. Virtual worlds
D. Web-based game shows
Answer: C

226. Synchronous chat networks are particularly conducive to criminal activity because of their:
A. Privacy
B. Immediacy
C. Impermanence
D. All of the above
Answer: D

227. What is the maximum cable length for a 10BaseT network?
A. 10 feet
B. 100 feet
C. 10 meters
D. 100 meters
Answer: D

228. What is the approximate theoretical maximum number of bytes that can be downloaded in one minute on a 10BaseT network?
A. 10 Mb
B. 75 Mb
C. 100 Mb
D. 175 Mb
Answer: B

229. Which of the following commands can be used to obtain the MAC address of a remote Windows computer?
A. Netstat
B. Ping
C. Nbtstat
D. Traceroute
Answer: C

230. What is the maximum cable length for a 10Base5 segment?
A. 100 feet
B. 500 feet
C. 100 m
D. 500 m
Answer: D

231. ARP stands for:
A. Address Resource Protection
B. Advanced Retrieval Protocol
C. Address Resolution Protocol
D. Added Resource Processing
Answer: C

232. The best operating system for capturing network traffic on high-speed networks is:
A. Microsoft DOS/Windows
B. OpenBSD/FreeBSD
C. Linux
D. Solaris
Answer: B

233. Which of the following applications is used to capture network traffic?
A. Snort
B. Wireshark
C. Tcpdump
D. All of the above
Answer: D

234. How many bytes per packet does tcpdump capture by default?
A. 10 bytes
B. 68 bytes
C. 128 bytes
D. 1024 bytes
Answer: B

235. Which of the following tools can reconstruct TCP streams?
A. Tcpdump
B. Wireshark
C. Snoop
D. EnCase
Answer: B

236. The transmission method in which only one computer can transmit while all the others listen is known as:
A. Baseband
B. Narrowband
C. Broadband
D. Sideband
Answer: A

237. Although ARP is part of TCP/IP, it is generally considered a part of the ______ layer
A. Physical
B. Data-link
C. Network
D. Transport
Answer: B

238. The form of ARP that ATM uses to discover MAC addresses is known as:
A. ARPATM
B. ATMARP
C. MACATM
D. ATMMAC
Answer: B

239. TCP is an abbreviation for:
A. Transit Communication Protocol
B. Transportation Cost Product
C. Transport Control Protocol
D. Time Communication Protocol
Answer: C

240. What system is used to convert IP addresses to their associated names?
A. TCP/IP
B. DNS
C. ARP
D. Routing
Answer: B

241. What protocol does the “ping” command use?
A. TCP
B. IP
C. ICMP
D. All of the above
Answer: C

242. Which of the following logs record the IP addresses of computers accessing an FTP server?
A. Wtmp
B. Xferlog
C. Syslog
D. Access log
Answer: B

243. In addition to the IP address of the sender, SMTP e-mail server logs contain which of the following?
A. The Message ID
B. The time the message was received
C. The name of the sender
D. All of the above
Answer: D
Marthwada Mitra Mandal's Polytechnic
Program: Computer Engineering
Sr. No.   Extra curricular Activity   Contact Person   Date   Program   No. of students
