One way to identify the presence of hidden partitions on a suspect’s hard drive is to:
One way to identify the presence of hidden partitions on a suspect’s hard drive is to: A. Add up the total size of all known partitions and compare it to the total size of the hard drive B. Examine the FAT and identify hidden partitions by noting an H in the partition Type field C. […]
What does mactime, an essential part of The Coroner’s Toolkit, do?
What does mactime, an essential part of The Coroner’s Toolkit, do? A. It traverses the file system and produces a listing of all files based on the modification, access and change timestamps B. It can recover deleted file space and search it for data. However, it does not allow the investigator to preview them C. […]
Chris has been called upon to investigate a hacking incident reported by one of his clients.
Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area, records the scene using visual media. He shuts the system down by pulling the power plug so […]
When investigating a Windows system, it is important to view the contents of the page or swap file because:
When investigating a Windows system, it is important to view the contents of the page or swap file because: A. Windows stores all of the system’s configuration information in this file B. This is the file that Windows uses to communicate directly with the Registry C. A large volume of data can exist within the swap file […]
A state department site was recently attacked and all the servers had their disks erased.
A state department site was recently attacked and all the servers had their disks erased. The incident response team sealed the area and commenced investigation. During evidence collection they came across a zip disk that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found […]
Which of the following refers to the data that might still exist in a cluster even though the original file ha
Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file? A. Sector B. Metadata C. MFT D. Slack Space
What should you do when approached by a reporter about a case that you are working on or have worked on?
What should you do when approached by a reporter about a case that you are working on or have worked on? A. Refer the reporter to the attorney that retained you B. Say, “no comment” C. Answer all the reporter’s questions as completely as possible D. Answer only the questions that help your case
This is the original file structure database that Microsoft originally designed for floppy disks.
This is the original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive. A. Master Boot Record (MBR) B. Master File Table (MFT) C. File Allocation Table (FAT) D. Disk Operating System (DOS)
You are working in the security department of a law firm.
You are working in the security department of a law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually […]
Volatile memory is one of the leading problems for forensics.
Volatile memory is one of the leading problems for forensics. Worms such as Code Red are memory resident and do write themselves to the hard drive, if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of […]