Scribd Logo
Upload

Welcome to Scribd!

  • Review 2

    Uploaded by

    co ca
    20 views14 pages
    This document contains a series of questions about digital forensic procedures and Windows system artifacts. It asks about which devices require immediate bagging, the most volatile evidence, and what data may be lost if an encrypted device is powered off. Other questions cover the initial steps of a forensic examiner at a crime scene, proper cloning procedures, and recommended acquisitions for devices with low or dead batteries. Later questions focus on artifacts like hibernation files, page files, deleted data reconstruction, and where user login and file timestamp information is stored within Windows systems.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document contains a series of questions about digital forensic procedures and Windows system artifacts. It asks about which devices require immediate bagging, the most volatile evidence, and what data may be lost if an encrypted device is powered off. Other questions cover the initial steps of a forensic examiner at a crime scene, proper cloning procedures, and recommended acquisitions for devices with low or dead batteries. Later questions focus on artifacts like hibernation files, page files, deleted data reconstruction, and where user login and file timestamp information is stored within Windows systems.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    20 views14 pages

    Review 2

    Uploaded by

    co ca
    This document contains a series of questions about digital forensic procedures and Windows system artifacts. It asks about which devices require immediate bagging, the most volatile evidence, and what data may be lost if an encrypted device is powered off. Other questions cover the initial steps of a forensic examiner at a crime scene, proper cloning procedures, and recommended acquisitions for devices with low or dead batteries. Later questions focus on artifacts like hibernation files, page files, deleted data reconstruction, and where user login and file timestamp information is stored within Windows systems.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 14

    Review 2

    5-6. Collecting Evidence


    Which item must be placed in a Faraday bag
    immediately after seizure?

    A. SD cards
    B. Thumb drive
    C. Hard disk
    D. Cell phone
    E. Laptop
    Which item of evidence is the most volatile?

    A. Deleted files on a hard disk


    B. Downloads in progress
    C. Archival data
    D. Data stored in the cloud
    E. USB thumbdrive data
    If a suspect is using encryption, which data
    below is likely to be lost if the device is powered
    off?

    A. Cell phone
    B. USB thumb drive
    C. Contents of RAM
    D. Laptop hard drive
    E. All of the above
    Which is the first step done by a forensic
    examiner who arrives at a crime scene?

    A. Take photographs
    B. Label devices
    C. Take notes
    D. Fill out Chain of Custody form
    E. Remove extra people
    Joe is making a clone of the evidence drive onto
    a target drive. Which of these is not a good
    practice?

    A. Forensically wipe target drive first


    B. Use antivirus to scan the forensic workstation
    C. Use antivirus to scan the evidence drive
    D. Use a hardware write-blocker
    E. Calculate the MD5 hash
    You find a laptop at a crime scene with a dead
    battery. What type of acquisition should you
    perform?

    A. Live acquisition in a laboratory


    B. Static acquisition in a laboratory
    C. Live acquisition at the scene
    D. Static acquisition at the scene
    E. They are all equally useful
    You find a cell phone at a crime scene with a
    low battery, and no charger is available. What
    type of acquisition should you perform?

    A. Live acquisition in a laboratory


    B. Static acquisition in a laboratory
    C. Live acquisition at the scene
    D. Static acquisition at the scene
    E. They are all equally useful
    7-8. Windows System Artifacts
    Which type of data is created when a laptop lid
    is closed?

    A. Deleted data
    B. Hiberfil
    C. Page file
    D. Registry
    E. Metadata
    Which type of data must be reconstructed with
    file carving?

    A. Thumbnails
    B. MRU list
    C. Restore points
    D. Deleted data
    E. Metadata
    Where is the identity of the last-logged-in user
    stored?

    A. MRU list
    B. Hiberfil
    C. Page file
    D. Registry
    E. Metadata
    Where is the Modified timestamp for a file
    stored?

    A. MRU list
    B. Hiberfil
    C. Page file
    D. Registry
    E. Metadata

    You might also like