Download NWIT 263 Digital Forensics Quiz 1: Questions and Answers and more Exams Forensics in PDF only on Docsity!
NWIT 263 Digital Forensics (Quiz 1) 100% Verified
Which hashing algorithms will FTK Imager use when one selects "Verify images after they are created"? - ANSWER SHA1 and MD
Which of the following statements regarding the use of hashing utilities by operating systems is CORRECT? - ANSWER one must use third-party utilities with Windows but Linux comes with built-in utlities
Which of the following best describes an FTK Imager Custom Content Image? - ANSWER it is a customized image with selected files from a live file system or an existing image
Which of the following commands would one run from the Linux shell to verify the integrity of a downloaded Kali .ISO file? - ANSWER sha256sum kali-linux-2021.2-installer-amd64.iso
Which of the following hashes would be considered the most secure?
7d0a8468ed220400c0b8e6f335baa7e070ce880a37e2ac5995b9a97b809026de626da 6ac7365249bb974c719edf543b52ed286646f437dc7f810cc2068375c
54b0c58c7ce9f2a8b551351102ee
2e99758548972a8e8822ad47fa1017ff72f06f3ff6a016851f45c398732bc50c
fa26be19de6bff93f70bc2308434e4a440bbad02 - ANSWER 7d0a8468ed220400c0b8e6f335baa7e070ce880a37e2ac5995b9a97b809026de626da 6ac7365249bb974c719edf543b52ed286646f437dc7f810cc2068375c
From which location is Recuva NOT able to find deleted files? - ANSWER CDs
Which of the following image files was created using the de facto forensic image format that is used today? - ANSWER ForensicImage.E
After a forensic image is created with FTK Imager, which of the following files stores an "Image Summary" of the image? - ANSWER ForensicImage.E01.txt
Which of the following can be considered metadata for a Windows Excel file?
the data the file was created
the data the file was last edited
the author of the document - ANSWER all of the above
Which of the following statements regarding RAM Slack is true? (Select two)
it is the space between from the E0F marker and the end of the sector
it consists of data dumped from RAM
it is the space from the E0F marker to the end of the cluster
it is another way of referring to the data in 'memory' - ANSWER it is the space between from the E0F marker and the end of the sector it consists of data dumped from RAM
can recover deleted files that can be used as evidence while applications like Recuva cannot
The hash 'd09dba7d' is considered the same as the hash 'D09DBA7D' - ANSWER true
After creating a forensic image with FTK Imager, a .CSV file is created if one selects the "Create directory listings of all files in the image after they are created". Which of the following can be found in this file?
the complete paths to files
the date a file was last accessed
whether the file had been deleted - ANSWER all of the above
Which of the following hashing utilties can be run from most versions of Linux? (Select two)
md5sum
sha1sum
md
sha - ANSWER md5sum sha1sum
What would one see if one selects the 'Filter by File Ownwer' option when creating a custom content image with FTK Imager? - ANSWER one would see a list of users found
in the evidence that one can select from for exporting
macOS contains which of the following built-in hashing utilities? (Select two)
hashsum
md
md5sum
shamus - ANSWER md shasum
AccessData's FTK Imager is an advanced version of AccessData's FTK (Forensic ToolKit) - ANSWER false
Which of the following is the primary purpose for using hashing in digital forensics investigations? - ANSWER to verify the integrity of the evidence
Both Windows and Linux come with built-in hashing utilities. - ANSWER false
Which of the following quotes would produce the exact same SHA256 hash?
Caleb loves nancy
Nancy loves caleb
Caleb loves nancy - ANSWER none of the above
