Many vendors have developed write-blocking devices that connect to a computer through FireWire

Digital evidence can be cited as evidence in nearly every crime category. Forensic investigators need to be absolutely certain that the data they obtain as evidence has not been altered in any way during the capture, analysis, and control. Attorneys, judges and jurors need to feel confident that the information presented in a computer crime case is legitimate. How can an investigator ensure for certain that his or her evidence is accepted in court?

According to the National Institute of Standards and Technology (NIST), the investigator follows a set of procedures designed to prevent the execution of any program that might modify the disk contents. These procedures involve a layered defense against any modifications to the source disk using the following strategies:

  • Where possible, set a hardware jumper to make the disk read only.
  • Use an operating system and other software that are trusted not to write to the disk unless given explicit instructions.
  • Use a hard disk write block tool to intercept any inadvertent disk writes.

The first bullet point speaks of jumpers, but there may be times when the suspect drive’s jumper settings are not easily accessible. Further, not all drives have the ability to use jumpers. The last two bullet points refer to software and hardware write blockers.

What are write blockers?

A write blocker is any tool that permits read-only access to data storage devices without compromising the integrity of the data. A write blocker, when used properly, can guarantee the protection of the data chain of custody. NIST’s general write blocking requirements hold that:

  • The tool shall not allow a protected drive to be changed.
  • The tool shall not prevent obtaining any information from or about any drive.
  • The tool shall not prevent any operations to a drive that is not protected.

Software versus hardware write blockers

Software and hardware write blockers do the same job. They prevent writes to storage devices. The main difference between the two types is that software write blockers are installed on a forensic computer workstation, whereas hardware write blockers have write blocking software installed on a controller chip inside a portable physical device.

As determined by NIST’s Software Write Block specifications, a software write block tool operates by monitoring and filtering drive I/O commands sent from an application or OS through a given access interface.

Programs running in the DOS environment can, in addition to direct access via the drive controller, use two other interfaces: the DOS service interface (interrupt 0x21) or the BIOS service interface (interrupt 0x13).

The primary purpose of a hardware write blocker is to intercept and prevent (or ‘block’) any modifying command operation from ever reaching the storage device. Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device.

Hardware write blockers provide built-in interfaces to a number of storage devices and can connect to other types of storage with adapters. They also provide visual indication of function through LEDs and switches, which makes them easy to use and makes their operation clear to users.
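The three NIST requirements above and the description of a software write blocker as a filter on drive I/O commands (here, BIOS interrupt 0x13 service calls) can be made concrete in a small model. The following is an added example, not NIST's, CRU's or any product's code: the `Disk`, `Request` and `WriteBlocker` types and the sample sector contents are constructed for illustration, while the INT 13h function numbers in the tables are the standard BIOS ones. It sits a filter between callers and two drives, protects the evidence drive, leaves the acquisition target unrestricted, and uses a SHA-256 hash taken before and after the session to show that the protected drive was not changed.

```python
"""Toy software write blocker that filters BIOS INT 13h disk-service
requests and is checked against NIST's three general write-blocking
requirements.  Added illustration, not NIST's, CRU's or any product's
code: Disk, Request, WriteBlocker and the sample sectors are constructed
for the example; the INT 13h function numbers (AH register) are the
standard BIOS ones."""

import hashlib
from dataclasses import dataclass

SECTOR = 512

# INT 13h functions grouped by their effect on the medium.  A function that
# is not listed is unknown to the filter and is blocked for a protected
# drive: the conservative choice when a command's effect is uncertain.
READ_FUNCS = {0x02, 0x42}               # read sectors, extended read
INFO_FUNCS = {0x08, 0x15, 0x41, 0x48}   # get params, get type, ext. check, ext. get params
WRITE_FUNCS = {0x03, 0x05, 0x43}        # write sectors, format track, extended write
HARMLESS = READ_FUNCS | INFO_FUNCS


@dataclass
class Request:
    """One disk-service call: BIOS drive number (0x80 = first hard disk),
    AH function code, starting sector and, for writes, the payload."""
    drive: int
    func: int
    lba: int = 0
    data: bytes = b""


class Disk:
    """In-memory stand-in for a physical drive (constructed for the example)."""

    def __init__(self, sectors: int):
        self.buf = bytearray(SECTOR * sectors)

    def read(self, lba: int) -> bytes:
        return bytes(self.buf[lba * SECTOR:(lba + 1) * SECTOR])

    def write(self, lba: int, data: bytes) -> None:
        self.buf[lba * SECTOR:(lba + 1) * SECTOR] = data.ljust(SECTOR, b"\0")[:SECTOR]

    def digest(self) -> str:
        return hashlib.sha256(self.buf).hexdigest()


class WriteBlocker:
    """Sits between callers and the drives, like the filter NIST describes.

    Requirement 1: a protected drive is never changed (writes and unknown
    commands are dropped).  Requirement 2: reads and information queries
    to a protected drive pass through.  Requirement 3: an unprotected
    drive (the acquisition target) is not restricted at all."""

    def __init__(self, disks: dict, protected: set):
        self.disks = disks
        self.protected = set(protected)
        self.log = []          # blocked requests, for the examiner's notes

    def handle(self, req: Request):
        disk = self.disks[req.drive]
        if req.drive in self.protected and req.func not in HARMLESS:
            self.log.append((hex(req.drive), hex(req.func), req.lba))
            return "blocked", None
        if req.func in READ_FUNCS:
            return "ok", disk.read(req.lba)
        if req.func in INFO_FUNCS:
            return "ok", {"sectors": len(disk.buf) // SECTOR}
        if req.func in WRITE_FUNCS:
            disk.write(req.lba, req.data)
            return "ok", None
        return "error", None   # unsupported function on an unprotected drive


def run_demo() -> dict:
    """Exercise all three requirements and prove, by hash, that the
    protected evidence drive is unchanged afterwards."""
    evidence = Disk(8)
    evidence.write(0, b"EVIDENCE")          # staged directly, before protection
    target = Disk(8)
    wb = WriteBlocker({0x80: evidence, 0x81: target}, protected={0x80})
    before = evidence.digest()              # hash taken before any access
    results = {
        "write_evidence": wb.handle(Request(0x80, 0x03, 0, b"TAMPERED"))[0],
        "read_evidence": wb.handle(Request(0x80, 0x02, 0))[1][:8],
        "info_evidence": wb.handle(Request(0x80, 0x08))[0],
        "write_target": wb.handle(Request(0x81, 0x03, 0, b"COPY"))[0],
        "target_sector0": target.read(0)[:4],
    }
    results["evidence_unchanged"] = evidence.digest() == before
    results["blocked_count"] = len(wb.log)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Two design choices carry over to real tools: the filter denies by default, so a command it cannot classify is dropped rather than passed to the protected drive, and the blocked-request log plus the before/after hash give the examiner the record needed to show in court that the source was not modified during acquisition.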

Through its WiebeTech line of digital investigation products, CRU offers a wide variety of hardware write-blocking solutions.

  • The Media WriteBlocker is highly portable, with a compact, lightweight design. It provides easy, write-blocked access to a variety of flash media, including SD and CF cards.
  • The DriveDock family of products provides fast write-blocked access to suspect drives. The LCD and menu system make it convenient to view drive information, error/warning messages, or remove HPA/DCOs.
  • The Ditto Forensic FieldStation is ideal for remote data analysis and capture and it replaces the need for a laptop or other host machine during data acquisition.

To see more information about these products, you can start by choosing a product from the entire WiebeTech product line.

To view AOL e-mail headers click Action, ____ from the menu.
A) More options
B) Message properties
C) Options
D) View Message Source

A written report is frequently a(n) ____ or a declaration.
A) subpoena
B) affidavit
C) deposition
D) perjury

____ from Technology Pathways is a forensics data analysis tool. You can use it to acquire and analyze data from several different file systems.
A) Guidance EnCase
B) NTI SafeBack
C) DataArrest SnapCopy
D) ProDiscover Basic

A ____ is a column of tracks on two or more disk platters.
A) cylinder
B) sector
C) track
D) head

The report’s ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements.
A) abstract
B) conclusion
C) introduction
D) reference

To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
A) True
B) False

____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %system-root%\Windows\System32\Drivers folder.
A) Hal.dll
B) Pagefile.sys
C) Ntoskrnl.exe
D) Device drivers

Exchange logs information about changes to its data in a(n) ____ log.
A) checkpoint
B) communication
C) transaction
D) tracking

Most computer investigations in the private sector involve ____.
A) e-mail abuse
B) misuse of computing assets
C) Internet abuse
D) VPN abuse

B) misuse of computing assets

Your ____ as a computer investigation and forensics analyst is critical because it determines your credibility.
A) professional policy
B) oath
C) line of authority
D) professional conduct

E-mail programs either save e-mail messages on the client computer or leave them on the server.
A) True
B) False

Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
A) litigation
B) allegation
C) blotter
D) prosecution

To complete a forensic disk analysis and examination, you need to create a ____.
A) forensic disk copy
B) risk assessment
C) budget plan
D) report

In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network.
A) Dir
B) ls
C) Copy
D) owner

The list of problems you normally expect in the type of case you are handling is known as the ____.
A) standard risk assessment
B) chain of evidence
C) standard problems form
D) problems checklist form

A) standard risk assessment

Published company policies provide a(n) ____ for a business to conduct internal investigations.
A) litigation path
B) allegation resource
C) line of allegation
D) line of authority

____ is a hidden text file containing startup options for Windows 9x.
A) Pagefile.sys
B) Hal.dll
C) Msdos.sys
D) Ntoskrnl.exe

Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0, and SCSI controllers.
A) USB
B) IDE
C) LCD
D) PCMCIA

Typically, UNIX installations are set to store logs such as maillog in the ____ directory.
A) /etc/Log
B) /log
C) /etc/var/log
D) /var/log

In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.
A) tracking
B) checkpoint
C) temporary
D) milestone

Computer investigations and forensics fall into the same category: public investigations.
A) True
B) False

Recovering pieces of a file is called ____.
A) carving
B) slacking
C) saving
D) rebuilding

Records in the MFT are referred to as ____.
A) hyperdata
B) metadata
C) inodes
D) infodata

The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
A) True
B) False

When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.
A) True
B) False

You can use ____ to boot to Windows without writing any data to the evidence disk.
A) a SCSI boot up disk
B) a Windows boot up disk
C) a write-blocker
D) Windows XP

____ was introduced when Microsoft created Windows NT and is the primary file system for Windows Vista.
A) FAT32
B) VFAT
C) NTFS
D) HPFS

Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer.
A) silver-tree
B) gold-tree
C) silver-platter
D) gold-platter

After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
A) True
B) False

To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click ____ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header.
A) Options
B) Details
C) Properties
D) Message Source

If you can’t open an image file in an image viewer, the next step is to examine the file’s ____.
A) extension
B) name
C) header data
D) size

The GroupWise logs are maintained in a standard log format in the ____ folders.
A) MIME
B) mbox
C) QuickFinder
D) GroupWise

With many computer forensics tools, you can open files with external viewers.
A) True
B) False

In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____. A) blotter
B) exhibit report
C) litigation report
D) affidavit

Forensics tools such as ____ can retrieve deleted files for use as evidence.
A) ProDiscover Basic
B) ProDelete
C) FDisk
D) GainFile

When analyzing digital evidence, your job is to ____.
A) recover the data
B) destroy the data
C) copy the data
D) load the data

A report using the ____ numbering system divides material into sections and restarts numbering with each main section.
A) roman-sequential
B) decimal
C) legal-sequential
D) indent

To retrieve an Outlook Express e-mail header right-click the message, and then click ____ to open a dialog box showing general information about the message.
A) Properties
B) Options
C) Details
D) Message Source

Software forensics tools are commonly used to copy data from a suspect’s disk drive to a(n) ____.
A) backup file
B) firmware
C) image file
D) recovery copy

When you write your final report, state what you did and what you ____.
A) did not do
B) found
C) wanted to do
D) could not do

Computer forensics tools are divided into ____ major categories.
A) 2
B) 3
C) 4
D) 5

The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk.
A) partition-to-partition
B) image-to-partition
C) disk-to-disk
D) image-to-disk

____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names.
A) www.freeality.com
B) www.google.com
C) www.whatis.com
D) www.juno.com

Maintaining ____ means you must form and sustain unbiased opinions of your cases.
A) confidentiality
B) objectivity
C) integrity
D) credibility

You can always rely on the return path in an e-mail header to show the source account of an e-mail message.
A) True
B) False

One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex.
A) disk imager
B) write-blocker
C) bit-stream copier
D) disk editor

In general, forensics workstations can be divided into ____ categories.
A) 2
B) 3
C) 4
D) 5

____ involves preventing data loss by using backups, uninterruptible power supply (UPS) devices, and off-site monitoring.
A) Computer forensics
B) Data recovery
C) Disaster recovery
D) Network forensics

In the Pacific Northwest, ____ meets monthly to discuss problems that law enforcement and corporations face.
A) IACIS
B) CTIN
C) FTK
D) FLETC

____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to NTLDR.
A) Hal.dll
B) Boot.ini
C) NTDetect.com
D) BootSect.dos

____ is a text file containing commands that typically run only at system startup to enhance the computer’s DOS configuration.
A) Autoexec.bat
B) Config.sys
C) BootSect.dos
D) Io.sys

A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible.
A) True
B) False

In general, a criminal case follows three stages: the complaint, the investigation, and the ____.
A) litigation
B) allegation
C) blotter
D) prosecution

In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____.
A) checked values
B) verification
C) evidence backup
D) repeatable findings

Many password recovery tools have a feature that allows generating potential lists for a ____ attack.
A) brute-force
B) password dictionary
C) birthday
D) salting

The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.
A) NSRL
B) CFTT
C) FS-TST
D) PARTAB

The uppercase letter ____ has a hexadecimal value of 41.
A) “A”
B) “C”
C) “G”
D) “Z”

Files with extension ____ are created using Microsoft Outlook Express.
A) .sxc
B) .doc
C) .dbx
D) .ods

With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
A) command-line
B) shell-based
C) prompt-based
D) GUI

Under copyright laws, computer programs may be registered as ____.
A) literary works
B) motion pictures
C) architectural works
D) audiovisual works

You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
A) graphics viewers
B) image readers
C) image viewers
D) graphics editors

Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format.
A) POP3
B) mbox
C) MIME
D) SMTP

In the following list, ____ is the only steg tool.
A) EnCase
B) iLook
C) DriveSpy
D) Outguess

One way to examine a partition’s physical level is to use a disk editor, such as Norton DiskEdit, WinHex, or Hex Workshop.
A) True
B) False

A(n) ____ is a document that lets you know what questions to expect when you are testifying.
A) written report
B) affidavit
C) examination plan
D) subpoena

Without a warning banner, employees might have an assumed ____ when using a company’s computer systems and network accesses.
A) line of authority
B) right of privacy
C) line of privacy
D) line of right

It’s the investigator’s responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.
A) litigation
B) prosecution
C) exhibits
D) reports

A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute).
A) written report
B) verbal report
C) examination plan
D) cross-examination report

If a report is long and complex, you should provide a(n) ____.
A) appendix
B) glossary
C) table of contents
D) abstract

____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
A) Data recovery
B) Network forensics
C) Computer forensics
D) Disaster recovery

____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
A) Bitmap images
B) Metafile graphics
C) Vector graphics
D) Line-art images

When working on a Windows environment you can press ____ to copy the selected text to the clipboard.
A) Ctrl+A
B) Ctrl+C
C) Ctrl+V
D) Ctrl+Z

If you must write a preliminary report, use words such as “preliminary copy,” “draft copy,” or “working draft.”
A) True
B) False

To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
A) True
B) False

A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
A) warning banner
B) right of privacy
C) line of authority
D) right banner

____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats.
A) VPN
B) Internet
C) E-mail
D) Phone

Data streams can obscure valuable evidentiary data, intentionally or by coincidence.
A) True
B) False

The Novell e-mail server software is called ____.
A) Sendmail
B) GroupWise
C) Sawmill
D) Guardian

____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
A) Replacement
B) Append
C) Substitution
D) Insertion

What's a virtual cluster number?

Any cluster in a file has a virtual cluster number (VCN), which is its relative offset from the beginning of the file. For example, a seek to twice the size of a cluster, followed by a read, will return data beginning at the third VCN.

What macOS system application tracks each block on a volume to determine which blocks are in use and which ones are available to receive data?

What enables the user to run another OS on an existing physical computer?

Virtualization enables cloud providers to serve users with their existing physical computer hardware; it enables cloud users to purchase only the computing resources they need when they need them, and to scale those resources cost-effectively as their workloads grow.

What type of acquisition is typically done on a computer seized during a police raid?