II0-001 Exam Questions

A well rounded information security program should include:

BCP consists of:

The best type of evidence to have would be:

The four steps in evidence handling in the proper order are:

An event is considered an incident when it meets or exceed which standard?

Training employees on Incident Response Teams authority is critical because:

All of the following are states a file cluster can exist in an Microsoft XP operating system except:

For proper investigative methods to be valid, they must:

Slack space is space not used within a partition of a hard drive.

To identify which partition in the MBR is active, you should look for:

The MBR typically starts at sector:

An expert report differs from an investigative report in which of the following ways?

Which of the following methods will not ensure the admissibility of electronic evidence (in terms of collection)?:

In an information forensics investigation, when opposing litigants have an expert, it is acceptable to QUESTION NO: the integrity of the expert?

An effective method of remotely collecting logs (as evidence) is to TFTP the files and then hash them.

Disk arrays are impossible to correctly image as you are unable to get correct drive geometry.

When performing a forensic lockdown, the investigator is ensuring which of the following?:

According to IIFS100, the following is the proper sequence for image verification:

Compression of collected evidence can't be utilized because:

A copy of the MBR is located on the center of a hard drive?

A Microsoft MFT has a duplicate copy for recovery from corruption of the primary MFT?

Resident attributes refers to file information, in an NTFS file system, that resides in the MFT.

Which of the following represents the data found at a NTFS hard drive, and lasts for 3 bytes?

What Federal rule requires that all opinions of a witness giving expert testimony in civil litigation be written and signed; and the basis and reasoning therefore be formatted to i...

A forensic investigator must be familiar with the following:

When collecting a desktop computer system from a crime scene that is powered on and operating what is the correct way of shutting the system down?

There are two types of evidence: what are they?

Which of the following is not related to Rules of Evidence?

Which of the following is NOT a necessary step when documenting the crime scene?

After a forensics investigator seizes and transports the computer, what is the next step?

The process of evidence handling, protection of the evidence and providing accountability for who handled the evidence during the investigation is referred to as what?

What prohibits the government from performing unreasonable searches without having probable cause?

There are several types of evidence that can be used in a trial. Which type of evidence listed below provides the most reliability?

When handling evidence, which of the following is not a common guideline?

Copies of original evidence, such as disks and other media, are considered what in court unless they are collected during the normal course of business operations?

Electronic evidence is easily

The Best Evidence Rule is

An investigator should treat each incident

You can show that the evidence was not tampered with by

The investigator needs to think about reporting

A deposition is a method of

The investigator must be ethical

The measure of a magnetic media's ability to retain data is the media's:

The MD5 hashing algorithm produces a number (message digest) of what size regardless of how large the submitted source data.

The Privacy Protection Act of 1980

The 1st sector of a hard disk is sometimes called:

An advanced application of making use of proxies to hide an IP that makes tracing virtually impossible is called:

The data structure for DNS queries contains all of the following except?

In an email header, what information should never be trusted?

Information that is included in an email header includes all of the following except: