Chapter 15 Review
2) A, C
3) A, B, C
4) C, D
5) B, D, E
6) A, C
7) Testimony preservation and discovery.
9) A, B
11) A pretrial motion for the purpose of excluding certain evidence.
12) A, B, D, E
13) A, B, C
16) B, C, D
Chapter 14 Review
10) Any additional resource material not included in the text, raw data, figures
not used in the body of the report, and anticipated exhibits.
12) You can incorporate the log
Chapter 12 Review
Internal memory, SIM card, external memory card, and the system server.
Call Data and Service related data
Airplane mode, turn the device off, and place the device in a paint can (one
Chapter 9 Review
1) (B) Files associated with an application,
(C) System files the OS uses (D) Any files pertaining to the company.
2) (D) both a and b.
3) (A) Filter known program files from view
(D) Filter out evidence that doesn't relate to your invest
Chapter 8 Review
3) Compare the unknown graphics file header with a known graphics file that
you expect it to be.
4) Lossless compression
Chapter 6 Review
Command-line applications and GUI applications.
True. One reason to choose a logical acquisition is drive encryption.
True. Hardware devices have built-in software for data acquisition.
Data viewing, key
Allows you the ability to promote professional relationships with people who
specialize in technical areas different from your own specialty.
Chapter 3 Review
1) Is a method used when a suspect's drive is write-protected and it can't be
altered. If disk evidence is preserved correctly, static acquisitions are
2) Raw Format, Proprietary Format & Advanced Forensic Format.
3) Two advanta
Chapter 2 Review
A, B, C
The Uniform Crime Report for your area and a list of the cases that have been
handled in your area or at your company.
6) The estimated number of cases your lab expects to examine and identifying
Chapter 7 Review
1) Data forks contain the data the user creates, such as text or spreadsheets,
while resource forks contain additional information such as the menus,
dialog boxes, icons, etc.
2) B, D
4) It added support for partitions larger than 16 T
Chapter 16 Review
1) Standards that others apply to you and your own internal rules you use to
measure your performance.
3) Recent developments in technology, new tools with new capabilities, and the
facts of the current case being distinguishabl
Chapter 5 Review
Cylinder, Header, Sector
Filenames, directory names, date and time stamps.
Contains the list of most recently used files and desktop configuration
9) 246 sectors.
11) Provides more in
Chapter 4 Review
A, B, C
You can't predict the hash value of a file or device, no two hash values can be
the same, if anything changes in the file or device, the hash value must
8. When hash values are the s
1. What is the difference between authentication and authorization? Can a system permit
authorization without authentication? Why or why not?
Authentication is confirming the identity of the entity accessing a logical or physical area
1. What is information security? How does it differ from network security?
Information security is the protection of information and its critical elements, including the
systems and hardware that use, store, and transmit that information. Information Secu
1. What is the difference between criminal law and civil law?
Civil law embodies a wide variety of laws pertaining to relationships between and among
individuals and organizations. Criminal law addresses violations harmful to society and is
1. When an organization undertakes an information security-driven review of job descriptions,
which job descriptions must be reviewed? Which IT jobs not directly associated with
information security should be reviewed?
When an organization unde
1. Describe two types of ethical standards.
Standards that others apply to you or that you're compelled to adhere to by external
forces (such as licensing bodies), and your own internal rules you use to measure your
1. Which of the following describes fact testimony?
a. Scientific or technical testimony describing information recovered during an
2. Which of the following describes expert witness testimony? (Choose all that apply.)
1. Which of the following represents known files you can eliminate from an investigation?
b. Files associated with an application
c. System files the OS uses
2. For which of the following reasons should you wipe a target drive?
d. Both a and b
1. E-mail headers contain which of the following information? (Choose all that apply.)
e. All of the above
2. What's the main piece of information you look for in an email message you're investigating?
b. Originating e-mail domain or IP address
1. Virtual Machine Extensions (VMX) are part of which of the following?
b. Type 2 hypervisor
2. You can expect to find a type 2 hypervisor on what type of device? (Choose all that apply)
3. Which of the following file extensi
1. List four places where mobile device information might be stored.
Internal memory, SIM card, any external/removable memory cards, & the system server.
2. Typically, you need a search warrant to retrieve information from a service provider. True/
Chapter 13 (503)
1. Amazon was an early provider of Web-based services that eventually developed into the
cloud concept. True/False
2. What are the three levels of cloud service defined by NIST?
Software as a Service (SaaS), Platform as a Service (Pa
1. Which of the following rules or laws requires an expert to prepare and submit a report?
a. FRCP 26
2. For what purpose have hypothetical questions traditionally been used in litigation?
a. To frame the factual context of rendering an expert