Chapter 4 (Digital Forensics)

The document outlines the basics of hacking and digital evidence, including definitions, types of evidence, and principles of forensic science. It covers various aspects such as the importance of digital evidence in investigations, the process of evidence collection, and the legal considerations surrounding admissibility in court. Additionally, it discusses the implications of digital evidence in criminal activities and the methodologies used in forensic examinations.

Uploaded by kavita Pujari

4. Basics of Hacking (10M)

1. Digital evidence is used to establish a credible link between
a. Attacker, victim and the crime scene
b. Attacker and crime scene
c. Victim and the crime scene
d. Attacker and information

2. Digital evidence must follow the requirements of the
a. Ideal Evidence rule
b. Best Evidence rule
c. Exchange rule
d. All of the mentioned

3. From the two given statements 1 and 2, select the correct option from a-d:
1) Original media can be used to carry out the digital investigation process.
2) By default, every part of the victim's computer is considered unreliable.
a. 1 and 2 are both true
b. 1 is true and 2 is false
c. 1 and 2 are both false
d. 1 is false and 2 is true

4. Evidence that can be obtained from an electronic source is called
a. Digital Evidence
b. Demonstrative Evidence
c. Explainable Evidence
d. Substantial Evidence

5. Which of the following is not a type of volatile evidence?
a. Routing Table
b. Main Memory
c. Log files
d. Cached Data

6. A valid definition of digital evidence is:
a. Data stored or transmitted using a computer
b. Information of probative value
c. Digital data of probative value
d. Any digital evidence on a computer

Page 1 of 11
7. What are the three general categories of computer systems that can contain digital evidence?
a. Desktop, laptop, server
b. Personal computer, Internet, mobile telephone
c. Hardware, software, networks
d. Open computer systems, communication systems, embedded systems

8. In terms of digital evidence, a hard drive is an example of:
a. Open computer systems
b. Communication systems
c. Embedded computer systems
d. None of the above

9. In terms of digital evidence, a mobile telephone is an example of:
a. Open computer systems
b. Communication systems
c. Embedded computer systems
d. None of the above

9a. In terms of digital evidence, a Smart Card is an example of:
a. Open computer systems
b. Communication systems
c. Embedded computer systems
d. None of the above

10. In terms of digital evidence, the Internet is an example of:
a. Open computer systems
b. Communication systems
c. Embedded computer systems
d. None of the above

11. Computers can be involved in which of the following types of crime?
a. Homicide and sexual assault
b. Computer intrusions and intellectual property theft
c. Civil disputes
d. All of the above

12. A logon record tells us that, at a specific time
a. An unknown person logged into the system using the account
b. The owner of a specific account logged into the system
c. The account was used to log into the system
d. None of the above

13. The criminological principle which states that, when anyone, or anything, enters a crime
scene he/she takes something of the scene with him/her, and leaves something of
himself/herself behind, is:
a. Locard’s Exchange Principle
b. Differential Association Theory
c. Beccaria's Social Contract
d. None of the above

14. Personal computers and networks are often a valuable source of evidence. Those involved
with ______ should be comfortable with this technology.
a. Criminal investigation
b. Prosecution
c. Defense work
d. All of the above

15. Digital evidence is only useful in a court of law.
a. True
b. False

16. Video surveillance can be a form of digital evidence.
a. True
b. False

17. All forensic examinations should be performed on the original digital evidence.
a. True
b. False

18. Digital evidence can be duplicated exactly without any changes to the original data.
a. True
b. False

19. Computers were involved in the investigations into both World Trade Center attacks.
a. True
b. False

20. Computer professionals who take inappropriate actions when they encounter child
pornography on their employer’s systems can lose their jobs or break the law.
a. True
b. False

21. Digital evidence is always circumstantial.
a. True
b. False

22. Digital evidence alone can be used to build a solid case.
a. True
b. False

23. Automobiles have computers that record data such as vehicle speed, brake status, and throttle position
when an accident occurs.
a. True
b. False

24. Computers can be used by terrorists to detonate bombs.
a. True
b. False

25. The aim of a forensic examination is to prove with certainty what occurred.
a. True
b. False

26. Even digital investigations that do not result in legal action can benefit from principles of forensic
science.
a. True
b. False

27. Forensic science is the application of science to investigation and prosecution of crime or to the just
resolution of conflict.
a. True
b. False

28. When a file is deleted from a hard drive, it can often be recovered.
a. True
b. False

29. Preservation of digital evidence can involve which of the following?
a. Collecting computer hardware
b. Making a forensic image of storage media
c. Copying the files that are needed from storage media
d. All of the above
30. Examination of digital evidence includes (but is not limited to) which of the following activities?
a. Seizure, preservation, and documentation
b. Recovery, harvesting, and reduction
c. Experimentation, fusion, and correlation
d. Arrest, interviewing, and trial
31. Analysis of digital evidence includes which of the following activities?
a. Seizure, preservation, and documentation
b. Experimentation, fusion, and correlation
c. Recovery, harvesting, and reduction
d. Arrest, interviewing, and trial
32. Evidence can be related to its source in which of the following ways?
a. Top, middle, bottom
b. IP address, MD5 value, filename, date-time stamps
c. Production, segment, alteration, location
d. Parent, uncle, orphan
33. Different types of analysis include which of the following?
a. Relational (e.g., link analysis) and temporal (e.g., timeline analysis)
b. Cryptography
c. Metadata hashing
d. Digital photography
34. When a website is under investigation, before obtaining authorization to seize the systems it is
necessary to:
a. Determine where the web servers are located
b. Inform personnel at the web server location that you'll be coming to seize the systems
c. Conduct a reconnaissance probe of the target website
d. None of the above
35. Which of the following is NOT an information gathering process?
a. Scanning the system remotely
b. Studying security audit reports
c. Attempting to bypass logon security
d. Examining e-mail headers

36. Unlike law enforcement, system administrators are permitted to ______ on their
network when it is necessary to protect the network and the data it contains.
a. Open unread e-mails.
b. Monitor network traffic.
c. Modify system logs.
d. Divulge user personal information.
37. Although it was not designed with evidence collection in mind, ______ can still be
useful for examining network traffic.
a. EnCase
b. FTK
c. Wireshark
d. CHKDSK

38. Issues to be aware of when connecting to a computer over a network and collecting information
include:
a. Creating and following a set of standard operating procedures
b. Keeping a log of actions taken during the collection process
c. Documenting which server actually contains the data that's being collected
d. All of the above

39. When a computer contains digital evidence, it is always advisable to turn it off immediately.
a. True
b. False
40. A forensic image of a hard disk drive preserves the partition table.
a. True
b. False

41. All forensic tools acquire digital evidence from storage media in the same way.
a. True
b. False
42. It is not necessary to sanitize/wipe a hard drive purchased directly from a manufacturer.
a. True
b. False
43. Chain of custody enables anyone to determine where a piece of evidence has been, who handled it
when, and what was done to it since it was seized.
a. True
b. False
44. No two files can have the same MD5 value.
a. True
b. False
45. After the MD5 value of a piece of digital evidence has been calculated, any change in that piece of
evidence can be detected.
a. True
b. False

46. When drawing up an affidavit for a warrant, it is important to specifically mention all desired digital
evidence.
a. True
b. False

47. When seeking authorization to search a network and digital evidence that may exist in more than one
jurisdiction it is not necessary to obtain a search warrant for each location.
a. True
b. False
48. Digital investigators should remember that evidence can reside in unexpected places, such as
network routers.
a. True
b. False

49. Active monitoring is time consuming, invasive, and costly and should only be used as a last resort.
a. True
b. False

50. A digital evidence class characteristic is similar to tool mark analysis in the physical world.
a. True
b. False

51. TCP/IP network traffic never contains useful class characteristics.
a. True
b. False
52. It is not possible to recover deleted system or network log files.
a. True
b. False
53. Having a member of the search team trained to handle digital evidence:
a. Can reduce the number of people who handle the evidence
b. Can serve to streamline the presentation of the case
c. Can reduce the opportunity for opposing counsel to impugn the integrity of the evidence
d. All of the above

54. A digital investigator pursuing a line of investigation in a case because that line of investigation
proved successful in two previous cases is an example of:
a. Logical reasoning
b. Common sense
c. Preconceived theory
d. Investigator's intuition

55. Regarding the admissibility of evidence, which of the following is not a consideration:
a. Relevance
b. Authenticity
c. Best evidence
d. Nominally prejudicial

56. According to the text, the most common mistake that prevents evidence seized from being
admitted is:
a. Uninformed consent
b. Forcible entry
c. Obtained without authorization
d. None of the above

57. The process of documenting the seizure of digital evidence and, in particular, when that evidence
changes hands, is known as:
a. Chain of custody
b. Field notes
c. Interim report
d. None of the above

58. When assessing the reliability of digital evidence, the investigator is concerned with whether the
computer that generated the evidence was functioning normally, and:
a. Whether chain of custody was maintained
b. Whether there are indications that the actual digital evidence was tampered with
c. Whether the evidence was properly secured in transit
d. Whether the evidence media was compatible with forensic machines

59. The fact that with modern technology, a photocopy of a document has become acceptable in place of
the original is known as:
a. Best evidence rule
b. Due diligence
c. Quid pro quo
d. Voir dire

60. Evidence contained in a document provided to prove that statements made in court are true is
referred to as:
a. Inadmissible evidence
b. Illegally obtained evidence
c. Hearsay evidence
d. Direct evidence

61. Business records are considered to be an exception to:
a. Direct evidence
b. Inadmissible evidence
c. Illegally obtained evidence
d. Hearsay evidence

62. Direct evidence establishes a:
a. Fact
b. Assumption
c. Error
d. Line of inquiry

63. There is no need for any specialized training in the collection of digital evidence.
a. True
b. False

64. It is the duty of a digital investigator to ignore influences from any source.
a. True
b. False

65. The application of preconceived theories to a particular case is a good method of reducing
caseload.
a. True
b. False

66. In the United States, the prosecution must prove guilt beyond a reasonable doubt.
a. True
b. False

67. Chain of custody is the process of documenting who has handled evidence, where and when, as it
travels from the crime scene to the courts.
a. True
b. False

68. Typically, a photocopy of a document is considered hearsay evidence and is not admissible
in court.
a. True
b. False

69. Direct evidence establishes a fact.
a. True
b. False

70. Coerced testimony is the most common mistake that prevents evidence seized from being admitted.
a. True
b. False

71. Determining whether digital evidence has been tampered with is a major concern of the digital
examiner.
a. True
b. False
72. Exceeding the scope of a warrant is not likely to affect the admissibility of the evidence collected.
a. True
b. False

73. Digital evidence cannot be direct evidence because of its separation from the events it represents.
a. True
b. False

74. When creating an expert report, digital investigators should support assertions in their reports with
multiple independent sources of evidence.
a. True
b. False

75. Voir dire is the process of becoming accepted as an expert by the court.
a. True
b. False

76. During testimony, when a lawyer appears not to be tech savvy, it is a good practice to guess what
the attorney is trying to ask.
a. True
b. False

77. A proper response to a question that you do not know the answer to is, “I don’t know.”
a. True
b. False

78. The term “computer contaminant” refers to:
a. Excessive dust found inside the computer case
b. Viruses, worms, and other malware
c. Spam e-mails
d. Nigerian scam e-mails

79. In those states with legislation addressing computer forgery, contraband in the form of “forgery
devices” may include:
a. Computers
b. Computer equipment
c. Specialized computer software
d. All of the above

80. Hacking is an example of:
a. Computer-assisted crime
b. Computer-related crime
c. Computer-integrity crime
d. Computer malfeasance crime

81. Forgery is an example of:
a. Computer assisted crime
b. Computer-related crime
c. Computer-integrity crime
d. Computer malfeasance crime

82. Jurisdiction claims may be based on:
a. Location of the perpetrator's computer
b. Location of the victim's computer
c. Location of intermediary computers
d. All of the above
83. The goal of an investigation is to:
a. Convict the suspect
b. Discover the truth
c. Find incriminating evidence
d. All of the above

84. An investigation can be hindered by the following:
a. Preconceived theories
b. Improperly handled evidence
c. Offender concealment behavior
d. All of the above

85. Forensic examination involves which of the following:
a. Assessment, experimentation, fusion, correlation, and validation
b. Seizure and preservation
c. Recovery, harvesting, filtering, organization, and search
d. All of the above

86. Forensic analysis involves the following:
a. Assessment, experimentation, fusion, correlation, and validation
b. Seizure and preservation
c. Recovery, harvesting, filtering, organization, and search
d. All of the above

87. The first step in applying the scientific method to a digital investigation is to:
a. Form a theory on what may have occurred
b. Experiment or test the available evidence to confirm or refute your prediction
c. Make one or more observations based on events that occurred
d. Form a conclusion based on the results of your findings

88. Which of the following should the digital investigator consider when arranging for the transportation
of evidence?
a. Should the evidence be physically in the possession of the investigator at all times?
b. Will the evidence copies be shared with other experts at other locations?
c. Will there be environmental factors associated with the digital media?
d. All of the above

89. Generating a plan of action and obtaining supporting resources and materials falls under which step
in the digital investigation?
a. Preparation
b. Survey/identification
c. Preservation
d. Examination and analysis

90. Forensic examination and forensic analysis are separate processes.
a. True
b. False

91. When a network is involved in a crime, investigators must seize and preserve all systems on the
network.
a. True
b. False

92. When seizing a computer, it is always acceptable to lose the contents of RAM.
a. True
b. False

93. Case management is a critical part of digital investigations.
a. True
b. False

94. Forensic examination is the process of extracting, viewing, and analyzing information from the
evidence collected.
a. True
b. False

95. The crime scene preservation process includes all but which of the following:
a. Protecting against unauthorized alterations
b. Acquiring digital evidence
c. Confirming system date and time
d. Controlling access to the crime scene

96. The challenge to controlling access to a digital crime scene is that:
a. Information may be stored on Internet servers in different locations.
b. The computer may be shared.
c. The computer case may be locked.
d. None of the above.

97. When presenting evidence on an organizational network, the digital investigator may require the
assistance of:
a. System administrators
b. The CEO of the organization
c. The CSO (Chief Security Officer)
d. Additional forensic investigators

98. The proper collection of evidence at a crime scene is crucial in terms of admissibility in court.
a. True
b. False

99. The investigation and study of victim characteristics is known as:
a. Criminal profiling
b. Behavioral imprints
c. Victimology
d. Crime scene analysis

100. One reason digital investigators write threshold assessments more often than full reports is
because:
a. They will be included in a final report, and so, distribute the time for final report preparation over the entire
period of the investigation.
b. They keep their supervisor aware of their productivity.
c. They take less time to prepare and may be sufficient to close out an investigation.
d. They serve as field notes for the investigator.

101. One reason not to put too much trust into those who run the company’s computers is that:
a. There has always been an antagonism between system administrators and law enforcement.
b. They are typically too busy to take the time to answer your questions.
c. They are usually not authorized to answer questions.
d. They may be the offenders.

102. Although crime scenes are typically photographed, it is a good idea to
create diagrams of the crime scene because:
a. Diagramming is a common crime scene technician's skill; however, it requires continual practice.
b. The process of creating a diagram can result in a digital investigator noticing an
important item of evidence that would otherwise have been missed.
c. The quality of photographs taken at the crime scene is not known until the film is developed.
d. None of the above

103. When processing the digital crime scene in a violent crime investigation it is
important to have ______ to ensure that all digital evidence and findings can hold up under close scrutiny.
a. A good supply of electrostatic bags for holding sensitive electronic components
b. More than one reliable camera for photographing the crime scene
c. Standard operating procedures for processing a digital crime scene
d. A good supply of nitrile gloves

