WGU C702 Questions And Answers (VERIFIED AND UPDATED)

Uploaded on: 29-01-2023
Written in: 2022/2023

Which of the following is not an objective of computer forensics? A. Computer forensics deals with the process of finding evidence related to a digital crime to find the victims and prevent legal action against them. B. Computer forensics deals with the process of finding evidence related to a crime to find the culprits and initiate legal action against them. C. Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them. D. Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and avoid legal action against them. - C

Which of the following is not an objective of computer forensics? A. Track and prosecute the perpetrators in a court of law. B. Identify, gather, and preserve the evidence of a cybercrime. C. Interpret, document, and present the evidence to be admissible during prosecution. D. Document vulnerabilities allowing further loss of intellectual property, finances, and reputation during an attack. - D

Which of the following is true regarding the enterprise theory of investigation (ETI)? A. It adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act. B. It adopts an approach toward criminal activity as a criminal act. C. It differs from traditional investigative methods, and it is less complex and less time-consuming. D. It encourages reactive action on the structure of the criminal enterprise. - A

Forensic readiness refers to: A. having no impact on prospects of successful legal action B. replacing the need to meet all regulatory requirements C. the establishment of specific incident response procedures and designated trained personnel to prevent a breach D.
an organization's ability to make optimal use of digital evidence in a limited time period and with minimal investigation costs - D

Which of the following is not an element of cybercrime? A. anonymity through masquerading B. fast-paced speed C. volatile evidence D. evidence smaller in size - D

Which of the following is true of cyber crimes? A. Investigators, with a warrant, have the authority to forcibly seize the computing devices. B. Investigators attempt to demonstrate information to the opposite party to support the claims and induce settlement. C. The searching of the devices is based on mutual understanding and provides a wider time frame to hide the evidence. D. The claimant is responsible for the collection and analysis of the evidence. - A

Which of the following is true of civil crimes? A. The initial reporting of the evidence is generally informal. B. A formal investigation report is required. C. Law enforcement agencies are responsible for collecting and analyzing evidence. D. The standards of proof need to be very high. - A

Which of the following is not a consideration during a cybercrimes investigation? A. collection of clues and forensic evidence B. analysis of digital evidence C. presentation of admissible evidence D. value or cost to the victim - D

Which of the following is a user-created source of potential evidence? A. address book B. printer spool C. cookies D. log files - A

Which of the following is a computer-created source of potential evidence? A. bookmarks B. spreadsheet C. swap file D. steganography - C

Which of the following is not where potential evidence may be located? A. digital camera B. smart card C. processor D. thumb drive - C

Under which of the following conditions will duplicate evidence not suffice? A. when original evidence is destroyed in the normal course of business B. when original evidence is in possession of the originator C. when original evidence is in possession of a third party D.
when original evidence is destroyed due to fire or flood - B

Which of the following Federal Rules of Evidence governs proceedings in the courts of the United States? A. Rule 105 B. Rule 103 C. Rule 101 D. Rule 102 - C

Which of the following Federal Rules of Evidence ensures that the truth may be ascertained and the proceedings justly determined? A. Rule 105 B. Rule 102 C. Rule 101 D. Rule 103 - B

Which of the following Federal Rules of Evidence contains Rulings on Evidence? A. Rule 103 B. Rule 105 C. Rule 102 D. Rule 101 - A

Which of the following Federal Rules of Evidence states that the court shall restrict the evidence to its proper scope and instruct the jury accordingly? A. Rule 102 B. Rule 103 C. Rule 101 D. Rule 105 - D

Which of the following answers refers to a set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment in such a manner that the discovered evidence is acceptable during a legal and/or administrative proceeding in a court of law? A. disaster recovery B. incident handling C. computer forensics D. network analysis - C

Computer forensics deals with the process of finding _______ related to digital crime to find the culprits and initiate legal action against them. A. insider threats B. evidence C. fraud D. malware - B

Minimizing the tangible and intangible losses to the organization or an individual is considered an essential computer forensics use. A. True B. False - A

Cybercrimes can be classified into the following two types of attacks, based on the line of attack. A. Fraud and Spam B. Phishing and Malware C. Internal and External - C

Espionage, theft of intellectual property, manipulation of records, and Trojan horse attacks are examples of what? A. insider attacks or secondary threats B. insider attacks or primary threats C. outsider attacks or secondary threats D.
outsider attacks or primary threats - B

External attacks occur when there are inadequate information-security policies and procedures. A. True B. False - A

Which type of cases involve disputes between two parties? A. civil B. investigative C. administrative D. criminal - A

A computer forensic examiner can investigate any crime as long as he or she takes detailed notes and follows appropriate processes. A. True B. False - B

_______ is the standard investigative model used by the FBI when conducting investigations against major criminal organizations. A. Enterprise Theory of Investigation (ETI) B. Both Enterprise Theory of Investigation (ETI) and Entrepreneur Theory of Investigation C. Entrepreneur Theory of Investigation - A

Digital devices store data about sessions such as user and type of connection. A. True B. False - A

Forensic readiness includes technical and non-technical actions that maximize an organization's competence to use digital evidence. A. True B. False - A

Which of the following is the process of developing a strategy to address the occurrence of any security breach in the system or network? A. best evidence rule B. incident response C. security policy D. forensic readiness planning - B

Codes of ethics are the principles stated to describe the expected behavior of an investigator while handling a case. Which of the following is not a principle that a computer forensic investigator must follow? A. Ensure integrity of the evidence throughout the investigation process. B. Act with utmost ethical and moral principles. C. Provide personal or prejudiced opinions. D. Act in accordance with federal statutes, state statutes, and local laws and policies. - C

What must an investigator do in order to offer a good report to a court of law and ease the prosecution? A. preserve the evidence B. prosecute the evidence C. obfuscate the evidence D. authorize the evidence - A

What is the role of an expert witness? A. to testify against the plaintiff B.
to support the defense C. to evaluate the court's decisions D. to educate the public and court - D

Which of the following is NOT a legitimate authorizer of a search warrant? A. magistrate B. concerned authority C. first responder D. court of law - C

Under which of the following circumstances has a court of law allowed investigators to perform searches without a warrant? A. Delay in obtaining a warrant may lead to the preservation of evidence and expedite the investigation process. B. Delay in obtaining a warrant may lead to the destruction of evidence and hamper the investigation process. C. Expediting the process of obtaining a warrant may lead to a delay in prosecution of a perpetrator. D. Expediting the process of obtaining a warrant may lead to the timely prosecution of a perpetrator. - B

Which of the following should be considered before planning and evaluating the budget for the forensic investigation case? A. use of outdated, but trusted, technologies B. breakdown of costs into daily and annual expenditure C. past success rate as a measure of value D. current media coverage of high-profile computer crimes - B

Which of the following should be physical location and structural design considerations for forensics labs? A. Lightweight construction materials need to be used. B. Lab exteriors should have no windows. C. Room size should be compact with standard HVAC equipment. D. Computer systems should be visible from every angle. - B

Which of the following should be work area considerations for forensics labs? A. Multiple examiners should share workspace for efficiency. B. Additional equipment such as notepads, printers, etc. should be stored elsewhere. C. Examiner station has an area of about 50-63 square feet. D. Physical computer examinations should take place in a separate workspace. - C

Which of the following is NOT part of the Computer Forensics Investigation Methodology? A. testify as an expert witness B. data analysis C. testify as an expert defendant D.
data acquisition - C

Which of the following is NOT part of the Computer Forensics Investigation Methodology? A. Secure the evidence. B. Assess the evidence. C. Destroy the evidence. D. Collect the evidence. - C

Investigators can immediately take action after receiving a report of a security incident. A. False B. True - A

In forensics laws, "authenticating or identifying evidences" comes under which rule? A. Rule 708 B. Rule 801 C. Rule 608 D. Rule 901 - D

Courts call knowledgeable persons to testify to the accuracy of the investigative process. These people who testify are known as the: A. judges B. character witnesses C. counselors D. expert witnesses - D

A chain of custody is a critical document in the computer forensics investigation process because the document provides legal validation of appropriate evidence handling. A. True B. False - A

Identify the following project which was launched by the National Institute of Standards and Technology (NIST), that establishes a "methodology for testing computer forensics software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware." A. Computer Forensic Tool Testing Project (CFTTP) B. Computer Forensic Hardware Project (CFHP) C. Enterprise Theory of Investigation (ETI) D. Computer Forensic Investigation Project (CFIP) - A

In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case? A. evidence procedures are not important unless you work for a law enforcement agency B. evidence must be handled in the same way regardless of the type of case C. evidence in a civil case must be secured more tightly than in a criminal case D. evidence in a criminal case must be secured more tightly than in a civil case - B

Which part of the Windows Registry contains the user's password file? A. HKEY_LOCAL_MACHINE B. HKEY_CURRENT_CONFIGURATION C. HKEY_USER D.
HKEY_CURRENT_USER - C

If a suspect's computer is located in an area that may have toxic chemicals, you must: A. coordinate with the HAZMAT team B. do not enter alone C. assume the suspect machine is contaminated D. determine a way to obtain the suspect computer - A

Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their previous activity. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident? A. The vulnerability exploited in the incident B. The manufacturer of the system compromised C. The nature of the attack D. The logic, formatting and elegance of the code used in the attack - D

What information do you need to recover when searching a victim's computer for a crime committed with a specific e-mail message? A. Username and password B. Firewall log C. E-mail header D. Internet service provider information - C

The use of warning banners helps a company avoid litigation by overcoming an employee's assumed ___________________ when connecting to the company's intranet, network, or virtual private network (VPN) and will allow the company's investigators to monitor, search, and retrieve information stored within the network. A. right of privacy B. right to Internet access C. right to work D. right of free speech - A

When examining a hard disk without a write-blocker, you should not start Windows because Windows will write data to the: A. Case files B. Recycle Bin C. BIOS D. MSDOS.SYS - B

How many sectors will a 125 KB file use in a FAT32 file system? A. 16 B. 25 C. 256 D. 32 - C

Which part of the Windows Registry contains the user's password file? A. HKEY_CURRENT_CONFIGURATION B. HKEY_USER C. HKEY_CURRENT_USER D. HKEY_LOCAL_MACHINE - B

You are working as an independent computer forensics investigator and receive a call from a systems administrator for a local school system requesting your assistance.
One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a simple backup copy of the hard drive in the PC and put it on this drive and requests that you examine the drive for evidence of the suspected images. You inform him that a simple backup copy will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings? A. incremental backup copy B. full backup copy C. robust copy D. bit-stream copy - D

A law enforcement officer may only search for and seize criminal evidence with ____________________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists, and the evidence of the specific crime exists at the place to be searched. A. probable cause B. a preponderance of the evidence C. mere suspicion D. beyond a reasonable doubt - A

To make sure the evidence you recover and analyze with computer forensics software can be admitted in court, you must test and validate the software. What group is actively providing tools and creating procedures for testing and validating computer forensics software? A. Association of Computer Forensics Software Manufactures (ACFSM) B. Computer Forensics Tools Validation Committee (CFTVC) C. National Institute of Standards and Technology (NIST) D. Society for Valid Forensics Tools and Testing (SVFTT) - C

When investigating a Windows system, it is important to view the contents of the "page" or "swap" file because: A. Windows stores all of the system's configuration information in this file B. a large volume of data can exist within the swap file of which the computer user has no knowledge C.
this is the file that Windows uses to store the history of the last 100 commands that were run from the command line D. this is the file that Windows uses to communicate directly with the Registry - B

Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their previous activity. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident? A. The nature of the attack B. The vulnerability exploited in the incident C. The manufacturer of the system compromised D. The logic, formatting and elegance of the code used in the attack - D

When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk? A. a disk editor B. a firewall C. a write-blocker D. a protocol analyzer - C

If you plan to start up a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive. A. CMOS B. B C. deltree command D. Scandisk utility - A

The use of warning banners helps a company avoid litigation by overcoming an employee's assumed ___________________ when connecting to the company's intranet, network, or virtual private network (VPN) and will allow the company's investigators to monitor, search, and retrieve information stored within the network. A. right of free speech B. right to Internet access C. right of privacy D. right to work - C

When obtaining a warrant it is important to: A. particularly describe the place to be searched and particularly describe the items to be seized B. particularly describe the place to be searched and generally describe the items to be seized C. generally describe the place to be searched and particularly describe the items to be seized D.
generally describe the place to be searched and generally describe the items to be seized - A

Printing under a Windows computer normally requires which one of the following file types to be created? A. EME B. CME C. MEM D. EMF - D

When you carve an image, recovering the image depends on which of the following skills? A. recognizing the pattern of the header content B. recognizing the pattern of the data content C. recognizing the pattern of a corrupt file D. recovering the image from a tape backup - A

Printing under a Windows computer normally requires which one of the following file types to be created? A. EMF B. EME C. CME D. MEM - A

What does the superblock in Linux define? A. location of the first inode B. file system names C. available space D. disk geometry - A

If a suspect's computer is located in an area that may have toxic chemicals, you must A. determine a way to obtain the suspect computer B. coordinate with the HAZMAT team C. assume the suspect machine is contaminated D. do not enter alone - B

You are working for a large clothing manufacturer as a computer forensics investigator and are called in to investigate an unusual case of an employee possibly stealing clothing designs from the company and selling them under a different brand name for a different company. What you discover during the course of the investigation is that the clothing designs are actually original products of the employee and the company has no policy against an employee selling his own designs on his own time. The only thing that you can find that the employee is doing wrong is that his clothing design incorporates the same graphic symbol as that of the company with only the wording in the graphic being different. What area of the law is the employee violating? A. copyright law B. IP Law C. patent law D. trademark law - D

Which of the following is NOT a graphics file? A. P B. P C. P D. P - A

From the following spam mail header, identify the host IP that sent this spam?
From Tue Nov 27 17:27:11 2001 Received: from (viruswall [137.189.96.52]) by (8.11.6/8.11.6) with ESMTP id fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT) Received: from ( [203.218.39.20]) by (8.12.1/8.12.1) with SMTP id fAR9QXwZ for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT) Message-Id: >926. From: "china hotel web" To: "Shlam" Subject: SHANGHAI (HILTON HOTEL) PACKAGE Date: Tue, 27 Nov 2001 17:25:58 +0800 MIME-Version: 1.0 X-Priority: 3 X-MSMail Priority: Normal Reply-To: "china hotel web" A. 203.218.39.50 B. 203.218.39.20 C. 137.189.96.52 D. 8.12.1.0 - B

You have used a newly released forensic investigation tool, which doesn't meet the Daubert Test, during a case. The case has ended up in court. What argument could the defense make to weaken your case? A. Only the local law enforcement should use the tool B. You are not certified for using the tool C. The tool hasn't been tested by the International Standards Organization (ISO) D. The tool has not been reviewed and accepted by your peers - D

When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk? A. a disk editor B. a write-blocker C. a protocol analyzer D. a firewall - B

If you plan to start up a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive. A. Scandisk utility B. deltree command C. CMOS D. B - C

Jones had been trying to penetrate a remote production system for the past two weeks. This time however, he is able to get into the system. He was able to use the system for a period of three weeks. However law enforcement agencies were recording his every activity and this was later presented as evidence. The organization had used a virtual environment to trap Jones. What is a virtual environment? A. An environment set up after the user logs in B. A system using Trojaned commands C. A honeypot that traps hackers D.
An environment set up before a user logs in - C

You are working as an independent computer forensics investigator and receive a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a simple backup copy of the hard drive in the PC and put it on this drive and requests that you examine the drive for evidence of the suspected images. You inform him that a simple backup copy will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings? A. incremental backup copy B. bit-stream copy C. robust copy D. full backup copy - B

The offset in a hexadecimal code is: A. The 0x at the beginning of the code B. The first byte after the colon C. The last byte after the colon D. The 0x at the end of the code - A

What does mactime, an essential part of the coroner's toolkit do? A. It is a tool specific to the MAC OS and forms a core component of the toolkit B. It traverses the file system and produces a listing of all files based on the modification, access and change timestamps C. The tool scans for i-node information, which is used by other tools in the tool kit D. It can recover deleted file space and search it for data. However, it does not allow the investigator to preview them - B

When examining a file with a Hex Editor, what space does the file header occupy? A. the first several bytes of the file B. the last several bytes of the file C. none, file headers are contained in the FAT D. one byte at the beginning of the file - A

In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court? A.
chain of custody B. law of probability C. rules of evidence D. policy of separation - A

E-mail logs contain all but which of the following information to help you in your investigation? A. attachments sent with the e-mail message B. contents of the e-mail message C. user account that was used to send the message D. unique message identifier E. date and time the message was sent - A

Microsoft Outlook maintains email messages in a proprietary format in what type of file? A. .email B. .doc C. .pst D. .mail - C

You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacturer. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO? A. Trade secrets B. the attorney-work-product rule C. ISO 17799 D. Good manners - B

When conducting computer forensic analysis, you must guard against _________ so that you remain focused on the primary job and ensure that the level of work does not increase beyond what was originally expected. A. scope creep B. hard drive failure C. unauthorized expenses D. overzealous marketing - A

Which of the following should a computer forensics investigations lab have? A. isolation B. restricted access C. open access D. an entry log - B

Which of the following is NOT a digital data storage type? A. optical storage devices B. flash memory devices C. magnetic storage devices D. quantum storage devices - D

Which of the following is NOT a common computer file system? A. EXT2 B. FAT32 C. EFX3 D. NTFS - C

Which field type refers to the volume descriptor as a primary? A. Number 1 B. Number 0 C. Number 2 D. Number 3 - A

Which logical drive holds the information regarding the data and files that are stored in the disk? A. primary partition B. secondary partition C. extended partition D.
tertiary partition - C

How large is the partition table structure that stores information about the partitions present on the hard disk? A. 32-bit B. 32-byte C. 64-bit D. 64-byte - D

How many bits are used by the MBR partition scheme for storing LBAs (Logical Block Addresses) and the size information on a 512-byte sector? A. 32 B. 64 C. 256 D. 128 - A

In the GUID Partition Table, which Logical Block Address contains the Partition Entry Array? A. LBA 2 B. LBA 0 C. LBA 3 D. LBA 1 - A

Which of the following describes when the user restarts the system via the operating system? A. hot booting B. hard booting C. cold booting D. warm booting - D

Which Windows operating system powers on and starts up using either the traditional BIOS-MBR method or the newer UEFI-GPT method? A. Windows 8 B. Windows 7 C. Windows Vista D. Windows XP - A

Which item describes the following UEFI boot process phase? The phase of EFI consisting of initializing the CPU, temporary memory, and boot firmware volume (BFV); locating and executing the chapters to initialize all the found hardware in the system; and creating a Hand-Off Block List with all found resources interface descriptors. A. RT (Run Time) Phase B. DXE (Driver Execution Environment) Phase C. BDS (Boot Device Selection) Phase D. PEI (Pre-EFI Initialization) Phase - D

Which of the following basic partitioning tools displays details about GPT partition tables in Windows OS? A. Gparted B. Disk Utility C. DiskPart D. Fdisk - C

What stage of the Linux boot process includes the task of loading the Linux kernel and optional initial RAM disk? A. BIOS Stage B. POST Stage C. Bootloader Stage D. Kernel Stage - C

What component of a typical FAT32 file system consists of data that the document framework uses to get to the volume and utilizes the framework parcel to stack the working portion documents? A. Reserved Area B. Data Area C. FAT Area D. Boot Sector - D

Which component of the NTFS architecture is a computer system file driver for NTFS? A.
N B. boot sector C. N D. Master Boot Record - C

What is the name of the abstract layer that resides on top of a complete file system, allows client applications to access various file systems, and consists of a dispatching layer and numerous caches? A. GNUC Library (glibc) B. Virtual File System (VFS) C. Kernel Space D. User Space - B

Which information held by the superblock contains major and minor items that allow the mounting code to determine whether or not supported features are available to the file system? A. block size B. magic number C. revision level D. mount count - C

Which file system used in Linux was developed by Stephen Tweedie in 2001 as a journaling file system that improves reliability of the system? A. Ext B. Ext4 C. Ext3 D. Ext2 - C

How many bit values does HFS use to address allocation blocks? A. 32 B. 64 C. 16 D. 8 - C

What UFS file system part is composed of a few blocks in the partition reserved at the beginning? A. super block B. cylinder groups C. data groups D. boot blocks - D

What is a machine-readable language used in major digital operations, such as sending and receiving emails? A. ASCII B. .NET C. JAVA D. XML - A

What is JPEG an acronym of? A. Joint Photographic Exchange Group B. Joint Photographic Experts Group C. Joint Picture Experts Group D. Joint Picture Exchange Group - B

What is the proprietary Microsoft Office presentation file extension used in PowerPoint? A. PDF B. PPT C. RTF D. TXT - B

Which of the following is an example of optical media? A. CD/DVD B. Flash media C. USB device D. Hard drive - A

In sector addressing, ________ determines the address of the individual sector on the disk. A. Clusters, Heads, and Series (CHS) B. Cylinders, Heads, and Sectors (CHS) C. Clusters, Series, and Heads (CSH) D. Logical Block Address (LBA) - B

________ is a 128-bit unique reference number used as an identifier in computer software. A. Global Unique Identifier (GUID) B. BIOS Parameter Block (BPB) C. Master Boot Record (MBR) D.
Unified Extensible Firmware Interface (UEFI) - A

Mac OS uses a hierarchical file system. A. False B. True - B

The main advantage of RAID is that if a single physical disk fails: A. The system will isolate the defective disk. B. The operating system will protect the remaining disks. C. The system will continue to function without loss of data. D. The system will build another drive. - C

The command "fsstat" displays the details associated with an image file. A. False B. True - A

What is the simplest RAID level that does not involve any redundancy, and fragments the file into the user-defined stripe size of the array? A. RAID 1 B. RAID 5 C. RAID 10 D. RAID 0 - D

An investigator may commit some common mistakes while collecting data from the system that result in the loss of critical evidence. Which of the following is NOT a mistake that investigators commonly make? A. poor knowledge of the instrument B. use of correct cables and cabling techniques C. choosing wrong resolution for data acquisition - B

In Linux Standard Tools, forensic investigators use the following built-in Linux Commands to copy data from a disk drive: A. dc and dcfldd B. dd and dcfldd C. dd and ddfldc D. dc and ddfldc - B

Because they are always changing, the information in the registers or the processor cache are the most volatile data. A. True B. False - A

Forensic data duplication involves the creation of a file that has every bit of information from the source in a raw bit-stream format. A. False B. True - B

What document is used as a written record consisting of all processes involved in seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence? A. investigation of evidence document B. chain of custody document C. written report D. description document - B

What is the process of permanently deleting or destroying data from storage media? A. purge B. systems capture C. media sanitization D.
disclosure - C

The process of acquiring volatile data from working computers (locked or in sleep condition) that are already powered on is: A. static data acquisition B. standard data acquisition C. live data acquisition D. imaging data acquisition - C

Which of the following refers to the data stored in the registries, cache, and RAM of digital devices? A. registries B. systems data C. physical memory D. volatile information - D

What happens when a file is deleted by a Microsoft operating system using the FAT file system? A. a copy of the file is stored and the original file is erased B. the file is erased and cannot be recovered C. only the reference to the file is removed from the FAT D. the file is erased but can be recovered - C

Jones had been trying to penetrate a remote production system for the past two weeks. This time however, he is able to get into the system. He was able to use the system for a period of three weeks. However law enforcement agencies were recording his every activity and this was later presented as evidence. The organization had used a virtual environment to trap Jones. What is a virtual environment? A. A system using Trojaned commands B. A honeypot that traps hackers C. An environment set up before a user logs in D. An environment set up after the user logs in - B

You are called by an author who is writing a book and he wants to know how long the copyright for his book will last after he has the book published? A. the life of the author B. the life of the author plus 70 years C. 70 years D. copyrights last forever - B

If a suspect's computer is located in an area that may have toxic chemicals, you must A. coordinate with the HAZMAT team B. determine a way to obtain the suspect computer C. do not enter alone D. assume the suspect machine is contaminated - A

When investigating a network that uses DHCP to assign IP addresses, where would you look to determine which system (MAC address) had a specific IP address at a specific time? A.
in the Web Server log files B. in the DHCP Server log files C. on the individual computer's ARP cache D. there is no way to determine the specific IP address - B What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer? A. steganography B. rootkit C. key escrow D. offset - A While working for a prosecutor, what do you think you should do if the evidence you found appears to be exculpatory and is not being released to the defense? A. destroy the evidence B. bring the information to the attention of the prosecutor, his or her supervisor or finally to the judge (court) C. present the evidence to the defense attorney D. keep the information on file for later review - B What information do you need to recover when searching a victims computer for a crime committed with specific e-mail message? A. Firewall log B. Internet service provider information C. E-mail header D. Username and password - C This is the original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive. A. Disk Operating System (DOS) B. Master File Table (MFT) C. Master Boot Record (MBR) D. File Allocation Table (FAT) - D What file structure database would you expect to find on floppy disks? A. NTFS B. FAT12 C. FAT32 D. FAT16 - B When conducting computer forensic analysis, you must guard against _________ so that you remain focused on the primary job and insure that the level of work does not increase beyond what was originally expected. A. unauthorized expenses B. overzealous marketing C. scope creep D. hard drive failure - C Office documents (Word, Excel, PowerPoint) contain a code that allows tracking the MAC, or unique identifier, of the machine that created the document. What is that code called? A. Microsoft Virtual Machine Identifier B. 
Globally Unique ID C. Personal Application Protocol D. Individual ASCII String - B While working for a prosecutor, what do you think you should do if the evidence you found appears to be exculpatory and is not being released to the defense? A. keep the information on file for later review B. present the evidence to the defense attorney C. destroy the evidence D. bring the information to the attention of the prosecutor, his or her supervisor or finally to the judge (court) - D What does the acronym POST mean as it relates to a PC? A. Pre Operational Situation Test B. Power On Self Test C. Primary Operating System Test D. Primary Operations Short Test - B You are called in to assist the police in an investigation involving a suspected drug dealer. The suspect's house was searched by the police after a warrant was obtained and they located a floppy disk in the suspect's bedroom. The disk contains several files, but they appear to be password protected. What are two common methods used by password cracking software that you can use to obtain the password? A. limited force and library attack B. brute force and dictionary attack C. minimum force and appendix attack D. maximum force and thesaurus attack - B A law enforcement officer may only search for and seize criminal evidence with ____________________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists, and the evidence of the specific crime exists at the place to be searched. A. mere suspicion B. probable cause C. beyond a reasonable doubt D. a preponderance of the evidence - B What binary coding is used most often for e-mail purposes? A. SMTP B. IMAP C. Uuencode D. MIME - C In the context of file deletion process, which of the following statement holds true? A. The longer a disk is in use, the less likely it is that deleted files will be overwritten B.
Secure delete programs work by completely overwriting the file in one go C. When files are deleted, the data is overwritten and the cluster marked as available D. While booting, the machine may create temporary files that can delete evidence - D When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk? A. a write-blocker B. a disk editor C. a protocol analyzer D. a firewall - A Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area, records the scene using visual media. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events? A. Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media B. Prepare the system for acquisition; Connect the target media; Copy the media; Secure the evidence C. Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media D. Secure the evidence; Prepare the system for acquisition; Connect the target media; Copy the media - B In the context of file deletion process, which of the following statement holds true? A. When files are deleted, the data is overwritten and the cluster marked as available B. Secure delete programs work by completely overwriting the file in one go C. The longer a disk is in use, the less likely it is that deleted files will be overwritten D. While booting, the machine may create temporary files that can delete evidence - D If you discover a criminal act while investigating a corporate policy abuse, it becomes a public-sector investigation and should be referred to law enforcement? A. True B.
False - A What does the acronym POST mean as it relates to a PC? A. PowerOn Self Test B. Primary Operations Short Test C. Pre Operational Situation Test D. Primary Operating System Test - A Which of the following filesystem is used by Mac OS X? A. EXT2 B. HFS+ C. EFS D. NFS - B A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation? Choose the most feasible option. A. Approach the websites for evidence B. Check the Windows registry for connection data (You may or may not recover) C. Seek the help of co-workers who are eye-witnesses D. Image the disk and try to recover deleted files - D This is the original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive. A. Disk Operating System (DOS) B. Master File Table (MFT) C. Master Boot Record (MBR) D. File Allocation Table (FAT) - D Which of the following is NOT a graphics file? A. P B. P C. P D. P - B _______________________ is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. A. Event reaction B. Network forensics C. Incident response D. Computer forensics - D If you discover a criminal act while investigating a corporate policy abuse, it becomes a public- sector investigation and should be referred to law enforcement? A. True B. False - A Volatile memory is one of the leading problems for forensics. Worms such as Code Red are memory resident and do write themselves to the hard drive, if you turn the system off they disappear. 
In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory? A. Use intrusion forensic techniques to study memory resident infections B. Create a separate partition of several hundred megabytes and place the swap file there C. Use VMware to be able to capture the data in memory and examine it D. Give the operating system a minimal amount of memory, forcing it to use a swap file - B Why should you note all cable connections for a computer you want to seize as evidence? A. to know what cable connections existed B. to know what hardware existed C. to prepare for shutting down the computer D. to document the evidence - A What happens when a file is deleted by a Microsoft operating system using the FAT file system? A. the file is erased but can be recovered B. only the reference to the file is removed from the FAT C. the file is erased and cannot be recovered D. a copy of the file is stored and the original file is erased - B In conducting a computer abuse investigation you become aware that the suspect of the investigation is using ABC Company as his Internet Service Provider (ISP). You contact the ISP and request that they provide you assistance with your investigation. What assistance can the ISP provide? A. the ISP can investigate computer abuse committed by their employees, but must preserve the privacy of their customers and therefore cannot assist you without a warrant B. the ISP can investigate anyone using their service and can provide you with assistance C. ISPs never maintain log files so they would be of no use to your investigation D. the ISP cannot conduct any type of investigations on anyone and therefore cannot assist you - A What should you do when approached by a reporter about a case that you are working on or have worked on? A. refer the reporter to the attorney that retained you B. answer only the questions that help your case C. say, "no comment" D. 
answer all the reporters questions as completely as possible - A You should make at least how many bit-stream copies of a suspect drive? A. 2 B. 3 C. 1 D. 4 - A You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case? A. All forms should be placed in an approved secure container because they are now primary evidence in the case. B. All forms should be placed in the report file because they are now primary evidence in the case. C. The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file. D. The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container. - D What happens when a file is deleted by a Microsoft operating system using the FAT file system? A. only the reference to the file is removed from the FAT B. a copy of the file is stored and the original file is erased C. the file is erased and cannot be recovered D. the file is erased but can be recovered - A You are working in the Security Department of a law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his client is mistaken and that fake email is a possibility and that you can prove it. 
You return to your desk and craft a fake email to the attorney that appears to come from his boss. What port do you send the email to on the companys SMTP server? A. 135 B. 110 C. 10 D. 25 - D How many characters long is the fixed-length MD5 algorithm checksum of a critical system file? A. 32 B. 48 C. 16 D. 64 - A When reviewing web logs, you see an entry for resource not found in the HTTP status code field. What is the actual error code that you would see in the log for resource not found? A. 606 B. 202 C. 404 D. 909 - C Where are deleted items stored on Windows Vista and later versions of Windows? A. Drive:RECYCLED B. Drive:$Recycle.Bin C. Drive:RECYCLER D. Drive:Recycle.Bin$ - B Where are deleted items stored on Windows 98 and earlier versions of Windows? A. Drive:$Recycle.Bin B. Drive:RECYCLER C. Drive:Recycle.Bin$ D. Drive:RECYCLED - D Where are deleted items stored on the Windows 2000, XP, and NT versions of Windows? A. Drive:RECYCLER B. Drive:Recycle.Bin$ C. Drive:$Recycle.Bin D. Drive:RECYCLED - A What is the maximum size limit for the Recycle Bin in Windows prior to Windows Vista? A. 3.99 GB B. 0 C. 3.99 MB D. None - A Which of the following is NOT a feature of the Recover My Files tool? A. performing disk recovery after a hard disk crash B. recovering files from a network drive C. recovering from a hard drive, camera card, USB, Zip, floppy disk, or other media D. recovering files even if emptied from the recycle bin data - B What tool is used for format recovery, unformatting and recovering deleted files emptied from the Recycle Bin, or data lost due to partition loss or damage, software crash, virus infection, or unexpected shutdown and supports hardware RAID? A. DiskDigger B. Quick Recovery C. EaseUS D. FileSalvage - C Which tool undeletes and recovers lost files from hard drives, memory cards, and USB flash drives? A. EaseUS B. DiskDigger C. Drive Genius D. 
Quick Recovery - B Which tool recovers files that have been lost, deleted, corrupted, or even deteriorated? A. Quick Recovery B. EaseUS C. Recover My Files D. DiskDigger - A Which tool recovers lost data from hard drives, RAID, photographs, deleted files, iPods, and removable disks connected via FireWire or USB? A. Recover My Files B. EaseUS C. Total Recall D. DiskDigger - C What tool scans the entire system for deleted files and folders and recovers them? A. Advanced Disk Recovery B. DiskDigger C. EaseUS D. Recover My Files - A What tool for Mac recovers files from a crashed or virus-corrupted hard drive? A. DiskDigger B. Recover My Files C. Data Rescue 4 D. EaseUS - C Which of the following are frequently left by criminals, assisting investigators in understanding the process of crime and the motive behind it, and allowing them to attempt to identify the person(s) who committed it? A. files B. fingerprints C. bread crumbs D. invitations - B In Detecting Rootkits, the following technique is used to compare characteristics of all system processes and executable files with a database of known rootkit fingerprints. A. Runtime Execution Path Profiling B. Integrity-Based Detection C. Cross View-Based Detection D. Signature-Based Detection - D In Anti-Forensics Techniques, which of the following techniques is used to hide a secret message within an ordinary message and extract it at the destination to maintain confidentiality of data? A. decryption B. encryption C. cryptography D. steganography - D Which of the following consists of volatile storage? A. RAM B. hard drive C. compact disc D. ROM - A What is NOT a command used to determine logged-on users? A. net sessions B. LogonSessions C. PsLoggedOn D. LoggedSessions - D What is NOT a command used to determine open files? A. Net file B. Openfiles C. Open files D. PsFile - C What command is used to determine the NetBIOS name table cache in Windows? A. Nbtstat B. Netstat C. Ifconfig D.
Ipconfig - A Which tool helps collect information about network connections operative in a Windows system? A. Netstat B. Ifconfig C. Nbtstat D. Ipconfig - A Which of the following is NOT a command used to determine running processes in Windows? A. Netstat B. Pslist C. Listdlls D. Tasklist - A Which is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples? A. Volatile Framework B. Volatility Framework C. Volatility Extractor D. Volatile Extractor - B The information about the system users is stored in which file? A. SAM database file B. PAT database file C. NTUSER.BAT D. NTUSER.DAT - A The value 0 associated with the registry entry EnablePrefetcher tells the system to use which prefetch? A. Prefetching is disabled. B. Application prefetching is enabled. C. Boot prefetching is enabled. D. Both application and boot prefetching are enabled. - A What prefetch does value 1 from the registry entry EnablePrefetcher tell the system to use? A. Boot prefetching is enabled. B. Application prefetching is enabled. C. Both application and boot prefetching are enabled. D. Prefetching is disabled. - B What prefetch does value 2 from the registry entry EnablePrefetcher tell the system to use? A. Boot prefetching is enabled. B. Application prefetching is enabled. C. Prefetching is disabled. D. Both application and boot prefetching are enabled. - A What prefetch does value 3 from the registry entry EnablePrefetcher tell the system to use? A. Both application and boot prefetching are enabled. B. Application prefetching is enabled. C. Boot prefetching is enabled. D. Prefetching is disabled. - A What tool enables you to retrieve information about event logs and publishers in Windows 10? A. Wevtutil B. Regedit C. Msconfig D. 
EventViewer - A Intruders attempting to gain remote access to a system try to find the other systems connected to the network and visible to the compromised system. A. True B. False - A ________ command is used to display the network configuration of the NICs on the system. A. ipconfig /all B. ipconfig all C. ipconfig //all D. ipconfig all - A Investigators can use Linux commands to gather necessary information from the system. Identify the following shell command that is used to display the kernel ring buffer or information about device drivers loaded into the kernel. A. pstree B. Fsck C. Stat D. dmesg - D What are the unique identification numbers assigned to Windows user accounts for granting user access to particular resources? A. security definitions B. user access numbers C. Microsoft security ID D. Windows access number - C In Windows Event Log File Internals, the following file is used to store the Databases related to the system: A. S B. D C. S D. A - C Thumbnails of images remain on computers even after files are deleted. A. True B. False - A Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime? A. search warrant B. wire tap C. subpoena D. bench warrant - A You are working as computer forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firms employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do? A. inform the owner that conducting an investigation without a policy is a violation of the 4th Amendment B. inform the owner that conducting an investigation without a policy is a violation of the employees expectation of privacy C. inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned D. 
inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies - B Lance wants to place a honeypot on his network. Which of the following would be your recommendations? A. It doesn't matter as all replies are faked B. Use a system that has a dynamic addressing on the network C. Use it on a system in an external DMZ in front of the firewall D. Use a system that is not directly interacting with the router - C When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers? A. Universal Time Set B. Network Time Protocol C. Time-Sync Protocol D. SyncTime Service - B The MD5 program is used to: A. view graphics files on an evidence drive B. wipe magnetic media before recycling it C. make directories on an evidence disk D. verify that a disk is not altered when you examine it - D You have used a newly released forensic investigation tool, which doesn't meet the Daubert Test, during a case. The case has ended-up in court. What argument could the defense make to weaken your case? A. The tool hasn't been tested by the International Standards Organization (ISO) B. You are not certified for using the tool C. Only the local law enforcement should use the tool D. The tool has not been reviewed and accepted by your peers - D When using Windows acquisitions tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to A. acquire data from the host-protected area on a disk B. prevent contamination to the evidence drive C.
avoiding copying data from the boot partition D. automate collection from image files - B What file structure database would you expect to find on floppy disks? A. FAT16 B. FAT12 C. FAT32 D. NTFS - B Sectors in hard disks typically contain how many bytes? A. 512 B. 2048 C. 256 D. 1024 - A When reviewing web logs, you see an entry for resource not found in the HTTP status code field. What is the actual error code that you would see in the log for resource not found? A. 909 B. 606 C. 202 D. 404 - D This organization maintains a database of hash signatures for known software A. International Standards Organization B. Institute of Electrical and Electronics Engineers C. American National Standards Institute D. National Software Reference Library - D Sectors in hard disks typically contain how many bytes? A. 1024 B. 512 C. 2048 D. 256 - B An expert witness may give an opinion if: A. to deter the witness from expanding the scope of his or her investigation beyond the requirements of the case B. to stimulate discussion between the consulting expert and the expert witness C. the opinion, inferences, or conclusions depend on special knowledge, skill, or training not within the ordinary experience of lay jurors D. to define the issues of the case for determination by the finder of fact - C How many characters long is the fixed-length MD5 algorithm checksum of a critical system file? A. 64 B. 48 C. 32 D. 16 - C What type of attack occurs when an attacker can force a router to stop forwarding packets by flooding the router with many open connections simultaneously so that all the hosts behind the router are effectively disabled? A. digital attack B. denial of service C. ARP redirect D. physical attack - B What binary coding is used most often for e-mail purposes? A. Uuencode B. SMTP C. MIME D. IMAP - A To make sure the evidence you recover and analyze with computer forensics software can be admitted in court, you must test and validate the software.
What group is actively providing tools and creating procedures for testing and validating computer forensics software? A. Computer Forensics Tools Validation Committee (CFTVC) B. National Institute of Standards and Technology (NIST) C. Society for Valid Forensics Tools and Testing (SVFTT) D. Association of Computer Forensics Software Manufactures (ACFSM) - B You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacturer. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO? A. Trade secrets B. ISO 17799 C. the attorney-work-product rule D. Good manners - C In general, _________________ involves the investigation of data that can be retrieved from the hard disk or other disks of a computer by applying scientific methods to retrieve the data. A. computer forensics B. network forensics C. data recovery D. disaster recovery - A Printing under a windows computer normally requires which one of the following files types to be created? A. EME B. CME C. MEM D. EMF - D What is the name of the standard Linux command that is also available as a Windows application that can be used to create bit-stream images? A. dd B. mcopy C. image D. MD5 - A Which of following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file? A. Sector B. Slack Space C. MFT D. Metadata - B Which part of the Windows Registry contains the user's password file? A. HKEY_LOCAL_MACHINE B. HKEY_CURRENT_USER C. HKEY_CURRENT_CONFIGURATION D. HKEY_USER - D E-mail logs contain all but which of the following information to help you in your investigation? A. user account that was used to send the message B. date and time the message was sent C. contents of the e-mail message D. unique message identifier E. 
attachments sent with the e-mail message - E If a suspect's computer is located in an area that may have toxic chemicals, you must A. coordinate with the HAZMAT team B. determine a way to obtain the suspect computer C. do not enter alone D. assume the suspect machine is contaminated - A Hackers can gain access to the Windows Registry and manipulate user passwords, DNS settings, access rights, or other features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (key) to the following Registry hive: A. HKEY_CURRENT_USERMicrosoftDefault B. HKEY_LOCAL_MACHINEHardwareWindowsStart C. HKEY_LOCAL_MACHINESoftwareMicrosoftCurrentVersionRun D. HKEY_LOCAL_USERSoftwareMicrosoftOldVersionLoad - C Windows identifies which application to open a file with by examining which of the following? A. The file attributes B. The file signature at the beginning of the file C. The file signature at the end of the file D. The file extension - D The efforts to obtain information before a trial by demanding documents, depositions, questions and answers written under oath, written requests for admissions of fact, and examination of the scene is a description of what legal term? A. Discovery B. Spoliation C. Detection D. Hearsay - A If you plan to startup a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive. A. deltree command B. Scandisk utility C. CMOS D. B - C How many characters long is the fixed-length MD5 algorithm checksum of a critical system file? A. 32 B. 64 C. 48 D. 16 - A You have used a newly released forensic investigation tool, which doesn't meet the Daubert Test, during a case. The case has ended-up in court. What argument could the defense make to weaken your case? A. You are not certified for using the tool B. The tool has not been reviewed and accepted by your peers C. 
Only the local law enforcement should use the tool D. The tool hasn't been tested by the International Standards Organization (ISO) - B Which of the following filesystem is used by Mac OS X? A. HFS+ B. EFS C. EXT2 D. NFS - A While working for a prosecutor, what do you think you should do if the evidence you found appears to be exculpatory and is not being released to the defense? A. destroy the evidence B. bring the information to the attention of the prosecutor, his or her supervisor or finally to the judge (court) C. present the evidence to the defense attorney D. keep the information on file for later review - B In Microsoft file structures, sectors are grouped together to form A. drives B. clusters C. partitions D. bitstreams - B In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court? A. law of probability B. rules of evidence C. policy of separation D. chain of custody - D When investigating a network that uses DHCP to assign IP addresses, where would you look to determine which system (MAC address) had a specific IP address at a specific time? A. there is no way to determine the specific IP address B. in the DHCP Server log files C. in the Web Server log files D. on the individual computer's ARP cache - B Hackers can gain access to the Windows Registry and manipulate user passwords, DNS settings, access rights, or other features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (key) to the following Registry hive: A. HKEY_LOCAL_USERSoftwareMicrosoftOldVersionLoad B. HKEY_LOCAL_MACHINEHardwareWindowsStart C. HKEY_LOCAL_MACHINESoftwareMicrosoftCurrentVersionRun D. HKEY_CURRENT_USERMicrosoftDefault - C What should you do when approached by a reporter about a case that you are working on or have worked on? A. refer the reporter to the attorney that retained you B. 
answer only the questions that help your case C. answer all the reporter's questions as completely as possible D. say, "no comment" - A You have completed a forensic investigation case. You would like to destroy the data contained in various hard disks at the forensics lab due to sensitivity of the case. How would you permanently erase the data on the hard disks? (Recovery of data should be impossible) A. Smash the hard disk with a hammer B. Throw the hard disk into the fire C. Format the hard disk multiple times using a low level disk utility D. Run powerful magnets over the hard disk E. Overwrite the contents of the hard disk with junk data - B You are assigned to work in the computer forensics lab of a state police agency. While working on a high profile criminal case, you have followed every applicable procedure, however your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab? A. make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab B. sign a statement attesting that
