# Midterm

1. Which of the following processes involves the technical methods and organizational measures for discovering, tracing, and inculpating individuals or groups responsible for cyberattacks?
   - [X] Cyber attribution
   - [ ] Data recovery
   - [ ] Physical acquisition
   - [ ] eDiscovery

2. Which of the following techniques best describes an organization's ability to optimally use digital evidence in a limited time and with minimal investigation costs?
   - [ ] Trial obfuscation
   - [ ] Vulnerability assessment
   - [ ] Chain of custody
   - [X] Forensic readiness

3. In which of the following steps of forensic readiness planning do investigators determine what currently happens to potential evidence data and the impact on the business while retrieving the information?
   - [ ] Identify the potential evidence required for an incident.
   - [X] Determine the sources of evidence.
   - [ ] Establish a policy for securely handling and storing the collected evidence.
   - [ ] Keep an incident response team ready to review the incident and preserve the evidence.

4. Which of the following practices indicates that an organization is not forensically prepared to maintain business continuity?
   - [ ] Quickly determine the incidents
   - [ ] Minimize the required resources
   - [X] Inability to collect legally sound evidence
   - [ ] Legally prosecute the perpetrators and claim damages

5. Which of the following AI techniques can assist forensic investigators in performing sentiment analysis, topic modeling, and identifying suspicious or relevant conversations in communication records?
   - [ ] Image and video analysis
   - [ ] Expert systems
   - [X] Natural language processing
   - [ ] Reasoning process

6. Which of the following techniques involves the analysis of logs to detect and study an incident that may have already occurred in a network or device?
   - [X] Postmortem
   - [ ] Steganalysis
   - [ ] Social engineering
   - [ ] Cryptanalysis

7. Which of the following terms refers to the principles used to describe the expected behavior of an investigator while handling a case?
   - [X] Code of ethics
   - [ ] Tactics, techniques, and procedures
   - [ ] System baselining
   - [ ] Lawful interception

8. Identify the type of data acquisition technique in which an investigator can collect volatile data from suspected devices only when the device is powered on.
   - [ ] Dead acquisition
   - [X] Live acquisition
   - [ ] Static acquisition
   - [ ] Non-volatile acquisition

9. Which of the following types of data is considered the most volatile according to the RFC 3227 guidelines for evidence collection and archiving?
   - [ ] Physical configuration
   - [ ] Network topology
   - [ ] Archival media
   - [X] Registers and processor cache

10. Which of the following techniques refers to a backup program an investigator should have in case hardware or software does not work or there is any failure during an acquisition?
    - [ ] Data duplication
    - [X] Plan for contingency
    - [ ] Chain of custody
    - [ ] Data analysis

11. In which of the following forensic data acquisition steps do investigators overwrite the data by applying a code of sequential zeros or ones to protect it from recovery?
    - [ ] Planning for contingency
    - [ ] Acquiring volatile data
    - [X] Sanitize the target media
    - [ ] Validating data acquisition

12. Which of the following is a program that allows bundling all files together into a single executable file via compression to bypass security software detection?
    - [ ] Obfuscator
    - [X] Packer
    - [ ] Payload
    - [ ] Dropper

13. Which of the following sections of the ACPO Principles of Digital Evidence states that no action taken by law enforcement agencies, persons employed within those agencies, or their agents should change data that may subsequently be relied upon in court?
    - [ ] Principle 3
    - [ ] Principle 4
    - [X] Principle 1
    - [ ] Principle 2

14. Which of the following Federal Rules of Evidence stipulates that "rules should be construed so as to administer every proceeding fairly, eliminating unjustifiable expense and delay, and promoting the development of evidence law, to the end of ascertaining the truth and securing a just determination"?
    - [ ] Rule 1003: Admissibility of duplicates
    - [X] Rule 102: Purpose
    - [ ] Rule 801: Hearsay rule
    - [ ] Rule 105: Limited admissibility

15. Which of the following eDiscovery team members performs the deployment of tools on a suspected computer machine and configures, implements, and maintains the deployed tools?
    - [ ] eDiscovery attorney
    - [X] eDiscovery software expert
    - [ ] IT support personnel
    - [ ] Processing/review personnel

16. Which of the following types of acknowledgement is required from an individual who is present while obtaining a documented agreement and who testifies that the parties mentioned in the agreement have voluntarily accepted the agreement?
    - [ ] Obtaining a warrant for search and seizure
    - [X] Obtaining witness signatures
    - [ ] Seeking consent
    - [ ] Searches without a warrant

17. Which of the following is a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory?
    - [ ] Search warrant
    - [X] Chain of custody
    - [ ] Witness signature
    - [ ] Seeking consent

18. Which of the following issues in computer forensics might arise because of the improper handling of evidence during an investigation, making the evidence inadmissible in a court of law?
    - [ ] Infrastructure issues
    - [ ] Legal jurisdiction issues
    - [X] Legal issues
    - [ ] Privacy issues

19. Which of the following is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards?
    - [X] PCI DSS
    - [ ] GLBA
    - [ ] FISMA
    - [ ] SOX

20. Identify the ISO standard that provides recommendations for specific activities in handling digital evidence, such as the identification, collection, acquisition, and preservation of digital evidence.
    - [ ] ISO/IEC 27041
    - [X] ISO/IEC 27037
    - [ ] ISO/IEC 27050
    - [ ] ISO/IEC 27042