MCQs: Emerging Trends – Unit 4 Digital Evidence

1. A valid definition of digital evidence is:

• A. Data stored or transmitted using a computer
• B. Information of probative value
• C. Digital data of probative value
• D. Any digital evidence on a computer

2. What are the three general categories of computer systems that can contain digital evidence?

• A. Desktop, laptop, server
• B. Personal computer, Internet, mobile telephone
• C. Hardware, software, networks
• D. Open computer systems, communication systems, embedded systems

3. In terms of digital evidence, a hard drive is an example of:

• A. Open computer systems
• B. Communication systems
• C. Embedded computer systems
• D. None of the above

4. In terms of digital evidence, a mobile telephone is an example of:

• A. Open computer systems
• B. Communication systems
• C. Embedded computer systems
• D. None of the above

5. In terms of digital evidence, a Smart Card is an example of:

• A. Open computer systems
• B. Communication systems
• C. Embedded computer systems
• D. None of the above

6. In terms of digital evidence, the Internet is an example of:

• A. Open computer systems
• B. Communication systems
• C. Embedded computer systems
• D. None of the above

7. Computers can be involved in which of the following types of crime?

• A. Homicide and sexual assault
• B. Computer intrusions and intellectual property theft
• C. Civil disputes
• D. All of the above

8. A logon record tells us that, at a specific time:

• A. An unknown person logged into the system using the account
• B. The owner of a specific account logged into the system
• C. The account was used to log into the system
• D. None of the above

9. Cybertrails are advantageous because:

• A. They are not connected to the physical world
• B. Nobody can be harmed by crime on the Internet.
• C. They are easy to follow.
• D. Offenders who are unaware of them leave behind more clues than they otherwise would have.

10. Private networks can be a richer source of evidence than the Internet because:

• A. They retain data for longer periods of time.
• B. Owners of private networks are more cooperative with law enforcement.
• C. Private networks contain a higher concentration of digital evidence.
• D. All of the above.

11. Due to caseload and budget constraints, often computer security professionals attempt to limit the damage and close each investigation as quickly as possible. Which of the following is NOT a significant drawback to this approach?

• A. Each unreported incident robs attorneys and law enforcement personnel of an opportunity to learn about the basics of computer-related crime.
• B. Responsibility for incident resolution frequently does not reside with the security professional, but with management.
• C. This approach results in under-reporting of criminal activity, deflating statistics that are used to allocate corporate and government spending on combating computer-related crime.
• D. Computer security professionals develop loose evidence processing habits that can make it more difficult for law enforcement personnel and attorneys to prosecute an offender.

12. The criminological principle which states that, when anyone, or anything, enters a crime scene he/she takes something of the scene with him/her, and leaves something of himself/herself behind, is:

• A. Locard’s Exchange Principle
• B. Differential Association Theory
• C. Beccaria’s Social Contract
• D. None of the above

13. The author of a series of threatening e-mails consistently uses “im” instead of “I’m.” This is an example of:

• A. An individual characteristic
• B. An incidental characteristic
• C. A class characteristic
• D. An indeterminate characteristic

14. Personal computers and networks are often a valuable source of evidence. Those involved with _______ should be comfortable with this technology.

• A. Criminal investigation
• B. Prosecution
• C. Defense work
• D. All of the above

15. An argument for including computer forensic training computer security specialists is:

• A. It provides an additional credential.
• B. It provides them with the tools to conduct their own investigations.
• C. It teaches them when it is time to call in law enforcement.
• D. None of the above.

16. Computers can play the following roles in a crime:

• A. Target, object, and subject
• B. Evidence, instrumentality, contraband, or fruit of crime
• C. Object, evidence, and tool
• D. Symbol, instrumentality, and source of evidence

17. The first US law to address computer crime was:

• A. Computer Fraud and Abuse Act (CFAA)
• B. Florida Computer Crime Act
• C. Computer Abuse Act
• D. None of the above

18. The following specializations exist in digital investigations:

• A. First responder (a.k.a. digital crime scene technician)
• B. Forensic examiner
• C. Digital investigator
• D. All of the above

19. The first tool for making forensic copies of computer storage media was:

• A. EnCase
• B. Expert Witness
• C. dd
• D. Safeback

20. One of the most common approaches to validating forensic software is to:

• A. Examine the source code
• B. Ask others if the software is reliable
• C. Compare results of multiple tools for discrepancies
• D. Computer forensic tool testing projects

21. An instrumentality of a crime is:

• A. An instrument used to commit a crime
• B. A weapon or tool designed to commit a crime
• C. Anything that plays a significant role in a crime
• D. All of the above

22. . Contraband can include:

• A. Child pornography
• B. Devices or programs for eavesdropping on communications
• C. Encryption devices or applications
• D. All of the above

23. A cloned mobile telephone is an example of:

• A. Hardware as contraband or fruits of crime
• B. Hardware as an instrumentality
• C. Information as contraband or fruits of crime
• D. Information as evidence

24. Digital photographs or videos of child exploitation is an example of:

• A. Hardware as contraband or fruits of crime
• B. Hardware as an instrumentality
• C. Information as evidence
• D. Information as contraband or fruits of crime

25. Stolen bank account information is an example of:

• A. Hardware as contraband or fruits of crime
• B. Information as contraband or fruits of crime
• C. Information as an instrumentality
• D. Information as evidence

26. A network sniffer program is an example of:

• A. Hardware as contraband or fruits of crime
• B. Hardware as an instrumentality
• C. Information as contraband or fruits of crime
• D. Information as evidence

27. Computer equipment purchased with stolen credit card information is an example of:

• A. Hardware as contraband or fruits of crime
• B. Hardware as an instrumentality
• C. Hardware as evidence
• D. Information as contraband or fruits of crime

28. A printer used for counterfeiting is an example of:

• A. Hardware as contraband or fruits of crime
• B. Hardware as an instrumentality
• C. Hardware as evidence
• D. Information as contraband or fruits of crime

29. Phone company records are an example of:

• A. Hardware as contraband or fruits of crime
• B. Information as contraband or fruits of crime
• C. Information as an instrumentality
• D. Information as evidence

30. In the course of conducting forensic analysis, which of the following actions are carried out?

• A. Critical thinking
• B. Fusion
• C. Validation
• D. All of the above

31. Having a member of the search team trained to handle digital evidence:

• A. Can reduce the number of people who handle the evidence
• B. Can serve to streamline the presentation of the case
• C. Can reduce the opportunity for opposing counsel to impugn the integrity of the evidence
• D. All of the above

32. An attorney asking a digital investigator to find evidence supporting a particular line of inquiry is an example of:

• A. Influencing the examiner
• B. Due diligence
• C. Quid pro quo
• D. Voir dire

33. A digital investigator pursuing a line of investigation in a case because that line of investigation proved successful in two previous cases is an example of:

• A. Logical reasoning
• B. Common sense
• C. Preconceived theory
• D. Investigator’s intuition

34. A scientific truth attempts to identify roles that are universally true. Legal judgment, on the other hand, has a standard of proof in criminal prosecutions of:

• A. Balance of probabilities
• B. Beyond a reasonable doubt
• C. Acquittal
• D. None of the above

35. Regarding the admissibility of evidence, which of the following is not a consideration:

• A. Relevance
• B. Authenticity
• C. Best evidence
• D. Nominally prejudicial

36. According to the text, the most common mistake that prevents evidence seized from being admitted is:

• A. Uninformed consent
• B. Forcible entry
• C. Obtained without authorization
• D. None of the above

37. In obtaining a warrant, an investigator must convince the judge on all of the following points except:

• A. Evidence of a crime is in existence
• B. A crime has been committed
• C. The owner or resident of the place to be searched is likely to have committed the crime
• D. The evidence is likely to exist at the place to be searched

38. If, while searching a computer for evidence of a specific crime, evidence of a new, unrelated crime is discovered, the best course of action is:

• A. Abandon the original search, and pursue the new line of investigation
• B. Continue with the original search but also pursue the new inquiry
• C. Stop the search and obtain a warrant that addresses the new inquiry
• D. Continue with the original search, ignoring the new information

39. The process of documenting the seizure of digital evidence and, in particular, when that evidence changes hands, is known as:

• A. Chain of custody
• B. Field notes
• C. Interim report
• D. None of the above

40. When assessing the reliability of digital evidence, the investigator is concerned with whether the computer that generated the evidence was functioning normally, and:

• A. Whether chain of custody was maintained
• B. Whether there are indications that the actual digital evidence was tampered with
• C. Whether the evidence was properly secured in transit
• D. Whether the evidence media was compatible with forensic machines

41. The fact that with modern technology, a photocopy of a document has become acceptable in place of the original is known as:

• A. Best evidence rule
• B. Due diligence
• C. Quid pro quo
• D. Voir dire

42. Evidence contained in a document provided to prove that statements made in court are true is referred to as:

• A. Inadmissible evidence
• B. Illegally obtained evidence
• C. Hearsay evidence
• D. Direct evidence

43. Business records are considered to be an exception to:

• A. Direct evidence
• B. Inadmissible evidence
• C. Illegally obtained evidence
• D. Hearsay evidence

44. Which of the following is not one of the levels of certainty associated with a particular finding?

• A. Probably
• B. Maybe
• C. Almost definitely
• D. Possibly

45. Direct evidence establishes a:

• A. Fact
• B. Assumption
• C. Error
• D. Line of inquiry

46. What is one of the most complex aspects of jurisdiction when the Internet is involved?

• A. Arranging to travel to remote locations to apprehend criminals
• B. Determining which court can enforce a judgment over a defendant
• C. Finding a court that is in two states
• D. Finding a federal court that can hear a civil suit

47. In the US, to enforce a judgment over a defendant, a court must have which of the following?

• A. Subject matter and personal jurisdiction
• B. General and limited jurisdiction
• C. Diversity and long arm jurisdiction
• D. None of the above

48. The Miller test takes which of the following into account when determining if pornography is obscene?

• A. It appeals to the public interest
• B. It depicts sexual conduct in a patently offensive way
• C. It lacks any monetary value
• D. All of the above

49. Which of the following rights is not explicitly mentioned in the US Constitution?

• A. Right of the people to keep and bear arms
• B. Right of personal privacy
• C. Right of the people peaceably to assemble
• D. Right to a speedy and public trial

50. The definition of a “protected computer” is, according to the CFAA:

• A. A computer that is used exclusively by a financial institution or the Federal government.
• B. A computer that is used non-exclusively by a financial institution or the Federal government and the crime affects that use.
• C. A computer that is used in state or foreign commerce or communication.
• D. All of the above.

51. The legislation that made the theft of trade secrets a Federal crime was

• A. The Lanham Act
• B. The Economic Espionage Act
• C. The Child Pornography Protection Act
• D. None of the above

52. Which state does not have a law prohibiting simple hacking – gaining unauthorized access to a computer?

• A. California
• B. Texas
• C. Washington
• D. None of the above

53. The term “computer contaminant” refers to:

• A. Excessive dust found inside the computer case
• B. Viruses, worms, and other malware
• C. Spam e-mails
• D. Nigerian scam e-mails

54. In those states with legislation addressing computer forgery, contraband in the form of “forgery devices” may include:

• A. Computers
• B. Computer equipment
• C. Specialized computer software
• D. All of the above

55. Compelling a suspect to reveal passwords to provide access to encrypted media is considered to fall under the:

• A. Second Amendment
• B. Fourth Amendment
• C. Fifth Amendment
• D. Seventh Amendment

56. An example of a content-related crime would be:

• A. Cyberstalking
• B. Child pornography
• C. Hacking
• D. None of the above

57. Hacking is an example of:

• A. Computer-assisted crime
• B. Computer-related crime
• C. Computer-integrity crime
• D. Computer malfeasance crime

58. Forgery is an example of:

• A. Computer assisted crime
• B. Computer-related crime
• C. Computer-integrity crime
• D. Computer malfeasance crime

59. In Ireland, the Non-Fatal Offences Against the State Act of 1997 specifically addresses:

• A. Computerized welfare fraud
• B. Cyberbullying
• C. Nigerian scams
• D. Hacking

60. Jurisdiction claims may be based on:

• A. Location of the perpetrator’s computer
• B. Location of the victim’s computer
• C. Location of intermediary computers
• D. All of the above

61. Standard operating procedures (SOPs) are important because they:

• A. Help individuals avoid common mistakes
• B. Ensure that the best available methods are used
• C. Increase the probability that two forensic examiners will reach the same conclusions when they examine the evidence
• D. All of the above

62. The goal of an investigation is to:

• A. Convict the suspect
• B. Discover the truth
• C. Find incriminating evidence
• D. All of the above

63. An investigation can be hindered by the following:

• A. Preconceived theories
• B. Improperly handled evidence
• C. Offender concealment behavior
• D. All of the above

64. When you have developed a theory, what can you do to confirm that your hypothesis is correct?

• A. Predict, based on your hypothesis, where artifacts should be located
• B. Perform experiments to test results and rule out alternate explanations
• C. Conclude, based on your findings, whether the evidence supports the hypothesis
• D. All of the above

65. Which of the following would be considered an individual characteristic?

• A. The originating IP address in a network packet or e-mail header
• B. A scratch on the glass of a flatbed scanner or digital camera lens
• C. Date-time stamps of files on a disk or entries in a database
• D. All of the above

66. When digital photographs containing child pornography are found on a home computer, investigators can assert that: a

• A. Someone in the house transferred the photographs onto the computer from a disk or the Internet
• B. Someone in the house took the photographs with a digital camera and transferred them directly onto the computer.
• C. Someone in the house took the photographs with a digital camera and transferred them directly onto the computer
• D. None of the above.

67. Forensic examination involves which of the following:

• A. Assessment, experimentation, fusion, correlation, and validation
• B. Seizure and preservation
• C. Recovery, harvesting, filtering, organization, and search
• D. All of the above

68. Forensic analysis involves the following:

• A. Assessment, experimentation, fusion, correlation, and validation
• B. Seizure and preservation
• C. Recovery, harvesting, filtering, organization, and search
• D. All of the above

69. The first step in applying the scientific method to a digital investigation is to:

• A. Form a theory on what may have occurred
• B. Experiment or test the available evidence to confirm or refute your prediction
• C. Make one or more observations based on events that occurred
• D. Form a conclusion based on the results of your findings

70. Which of the following should the digital investigator consider when arranging for the transportation of evidence?

• A. Should the evidence be physically in the possession of the investigator at all times?
• B. Will the evidence copies be shared with other experts at other locations?
• C. Will there be environmental factors associated with the digital media?
• D. All of the above

71. In the Staircase Model, why is case management shown spanning across all of the steps in the process model?

• A. Case documents are intangible objects that can be held.
• B. Case management provides stability and enables investigators to tie all relevant information together.
• C. Case management documents the process function.
• D. None of the above.

72. Process models have their origins in the early theories of computer forensics which defined the field in terms of a ______ process

• A. Complicated
• B. Difficult
• C. Linear
• D. Polymorphic

73. Generating a plan of action and obtaining supporting resources and materials falls under which step in the digital investigation?

• A. Preparation
• B. Survey/identification
• C. Preservation
• D. Examination and analysis

74. The process model whose goal is to completely describe the flow of information in a digital investigation is known as:

• A. The Physical Model
• B. The Staircase Model
• C. The Evidence Flow Model
• D. The Subphase Model

75. The following organizations have published guidelines for handling digital crime scenes:

• A. US Secret Service
• B. Association of Chief Police Officers
• C. US Department of Justice
• D. All of the above

76. When a first responder encounters technology or equipment that he is not familiar with, the recommended course of action is to:

• A. Seize the equipment as if it were a known device
• B. Seek assistance from a more experienced digital investigator
• C. Leave that particular piece of equipment at the crime scene
• D. Ask the suspect for details on the equipment

77. When preparing a questionnaire for interviewing individuals of the crime scene which of the following should NOT be requested:

• A. Passwords
• B. Encryption keys
• C. Admission of guilt
• D. Details on removable storage

78. When entering a crime scene, the initial survey should:

• A. Include user manuals
• B. Involve tracing cables
• C. Collect relevant data such as passwords and account details
• D. All of the above

79. Examples of data that should be immediately preserved include:

• A. USB drives
• B. Digital picture frames
• C. System and network information
• D. USB bracelets

80. The crime scene preservation process includes all but which of the following:

• A. Protecting against unauthorized alterations
• B. Acquiring digital evidence
• C. Confirming system date and time
• D. Controlling access to the crime scene

81. A thorough crime scene survey should include:

• A. Manuals for software applications
• B. Removable media
• C. Mobile devices
• D. All of the above

82. The challenge to controlling access to a digital crime scene is that:

• A. Information may be stored on Internet servers in different locations
• B. The computer may be shared.
• C. The computer case may be locked.
• D. None of the above.

83. In the case where digital investigators dealing with distributed systems need to collect data from remote sites, the following procedure is recommended:

• A. Notify personnel at the remote sites to leave everything as is, and arrange for travel to the remote locations
• B. Notify personnel at the remote sites to shut down all systems and send the hard drives to the forensic lab
• C. Utilize remote forensics tools to acquire data from the remote sites’ RAM as well as the hard drives
• D. None of the above

84. When presenting evidence on an organizational network, the digital investigator may require the assistance of:

• A. System administrators
• B. The CEO of the organization
• C. The CSO (Chief Security Officer)
• D. Additional forensic investigators

85. Which of the following is not a safety consideration for a first responder?

• A. Additional personnel to control those present at the crime scene
• B. Protection against ELF emanations from monitors
• C. Proper tools for disassembling and reassembling computer cases
• D. Protective gloves and eyewear

86. Digital investigators like to preserve every potential source of digital evidence; however, they are constrained by:

• A. The law
• B. Resources
• C. The interests of business
• D. All of the above

87. During the initial survey of a crime scene, why it is necessary to photograph or videotape the area and items of potential interest in their current state?

• A. This simplifies inventorying the crime scene
• B. Photographing items to be seized records their actual condition, and precludes damage claims when the items are returned to the offender.
• C. To record the fact that a particular item was actually found at the crime scene.
• D. None of the above.

88. Why is the first step to secure the physical crime scene by removing everyone from the immediate area?

• A. To prevent them from contaminating evidence
• B. To prevent them from asking questions about the case before they can be interviewed
• C. To give them time to fill out a personal information survey
• D. To keep them from blocking the view when photographs are being taken

89. When a piece of evidence has both a biological and a digital component, who should process it first?

• A. The crime scene technician, because biological artifacts are much more fragile
• B. The digital investigator, because processing the biological artifacts will destroy digital evidence
• C. Neither; the evidence should be preserved and transported to the lab for processing
• D. Both the crime scene technician and the digital investigator, in a cooperative effort, assuring that the biological evidence is collected in a way that does not damage the digital component

90. The process of evaluating available evidence objectively, independent of the interpretations of others, to determine its true meaning is referred to as:

• A. Equivocal forensic analysis
• B. Investigative reconstruction
• C. Threshold assessment
• D. Behavioral imprints

91. The words that an offender uses on the Internet, the tools that an offender uses online, and how an offender conceals his identity and criminal activity are referred to in the text as:

• A. Investigation reconstruction
• B. Threshold assessment
• C. Behavioral imprints
• D. Crime scene analysis

92. Investigative reconstruction is composed of three different forms

• A. Which of the following is NOT one of those three forms?
• B. Functional
• C. Intentional
• D. Relational

93. Creating a histogram of times to reveal periods of high activity is an example of which form of investigative reconstruction?

• A. Functional
• B. Intentional
• C. Relational
• D. Temporal

94. The investigation and study of victim characteristics is known as:

• A. Criminal profiling
• B. Behavioral imprints
• C. Victimology
• D. Crime scene analysis

95. Why should victimology include a thorough search of the Internet for cybertrails? a

• A. Because the Internet can significantly increase the victims risk
• B. Because it is well known that even traditional criminal offenses are documented on the Internet.
• C. Because nearly everyone uses the Internet.
• D. None of the above.

96. The type of report that is a preliminary summary of findings is known as:

• A. SITREP
• B. Threshold Assessment report
• C. Full investigative report
• D. Field notes

97. According to the text, the distinguishing features of a crime scene as evidenced by the offender’s behavioral decisions regarding the victim and the offense location are known as:

• A. Hard evidence
• B. Fruit of the poison tree
• C. Caveat emptor
• D. Crime scene characteristics

98. In crimes against individuals the ______ period leading up to the crime often contains the most important clues regarding the relationship between the offender and the victim

• A. 24-hour
• B. 48- hour
• C. 60-minute
• D. 15-minute

99. One of the most important things to establish when a computer is directly involved in the commission of a crime is:

• A. Where the computer was purchased
• B. What operating system is in use
• C. Who or what was the intended victim or target
• D. None of the above

100. An example of online behavior that puts an individual at higher risk for cyberstalking is:

• A. Using your real name online
• B. Putting personal information in your profile
• C. Posting photographs on a social networking page
• D. All of the above

101. In the movie Home Alone one of the burglars would always turn the water on in the sinks so that the house would be flooded when the owners returned. In terms of crime scene characteristics, this is an example of:

• A. Psychotic episode
• B. Signature-oriented behavior
• C. Modus operandi
• D. Vandalism

102. The totality of choices an offender makes during the commission of a crime are referred to as:

• A. The criminal’s MO
• B. Crime scene characteristics
• C. Tangible evidence
• D. None of the above

103. Because seemingly minor details regarding the offender can be important, investigators should get into the habit of contemplating which of the following:

• A. What the offender brought to the crime scene
• B. What the offender took from the crime scene
• C. What the offender changed at the crime scene
• D. All of the above

104. One reason digital investigators write threshold assessments more often than full reports is because:

• A. They will be included in a final report, and so, distribute the time for final report preparation over the entire period of the investigation
• B. They keep their supervisor aware of their productivity.
• C. They take less time to prepare and may be sufficient to close out an investigation.
• D. They serve as field notes for the investigator.

105. Every violent crime investigation should incorporate digital evidence because digital evidence may reveal:

• A. Investigative leads
• B. Likely suspects
• C. Previously unknown crimes
• D. All the above

106. How the offender approaches and obtains control of a victim or target is significant because it exposes the offender’s:

• A. Motives
• B. Choice of weapons
• C. Modus operandi
• D. Signature behaviors

107. Crime scenes fall into two categories – primary and ____

• A. Remote
• B. Secondary
• C. Ancillary
• D. Theoretical

108. When reconstructing evidence surrounding a violent crime, it is generally helpful to:

• A. Lay out all the evidence so it can be viewed in its entirety
• B. Work with the crime scene technicians so that a better understanding of the crime is achieved
• C. Construct a timeline of events from digital evidence
• D. Begin the process of converting field notes to a final report

109. One reason not to put too much trust into those who run the company’s computers is that:

• A. There has always been an antagonism between system administrators and law enforcement
• B. They are typically too busy to take the time to answer your questions
• C. They are usually not authorized to answer questions.
• D. They may be the offenders.

110. Although crime scenes are typically photographed, it is a good idea to create diagrams of the crime scene because:

• A. Diagramming is a common crime scene technician’s skill; however, it requires continual practice
• B. The process of creating a diagram can result in a digital investigator noticing an important item of evidence that would otherwise have been missed
• C. The quality of photographs taken at the crime scene is not known until the film is developed.
• D. None of the above.

111. Given the scope and consequences of violent crimes, when collecting digital evidence it is advisable to:

• A. Collect only that digital evidence that is clearly connected to the offense
• B. Focus only on the primary crime scene, as searching the offender’s home and workplace requires additional authorization
• C. Seek out and preserve all available digital evidence
• D. Focus only on the offender’s digital evidence, as the victim’s digital evidence is usually of little value

112. When swift action is needed, law enforcement personnel may be permitted to conduct searches without a warrant

• A. Searches of this kind are permitted under:
• B. Exigent circumstances
• C. Eminent domain
• D. Mens rea

113. When processing the digital crime scene in a violent crime investigation it is important to have ________ to ensure that all digital evidence and findings can hold up under close scrutiny

• A. A good supply of electrostatic bags for holding sensitive electronic components
• B. More than one reliable camera for photographing the crime scene
• C. Standard operating procedures for processing a digital crime scene
• D. A good supply of nitrile gloves

114. The Federal statute that has a provision allowing Internet service providers to disclose subscriber information to law enforcement in exigent circumstances is:

• A. ECPA
• B. CCPA
• C. The Privacy Act
• D. FCRA

115. When reconstructing evidence surrounding a violent crime, it is generally helpful to:

• A. Diagram the crime scene
• B. Create a timeline of events from digital evidence
• C. Create a threat assessment report
• D. None of the above

116. A thief who has programmed and released a virus to roam a network looking for victim passwords used for online banking is an example of what offense behavior?

• A. Power assertive
• B. Profit oriented
• C. Power reassurance
• D. Anger retaliatory

117. The case of a Michigan bank robber requiring tellers to undress so he could photograph them is an example of:

• A. Deviant aberrant behavior
• B. Criminal humor
• C. Crime scene characteristics
• D. Investigative reconstruction

118. The assessment of the victim as they relate to the offender, the crime scene, the incident, and the criminal justice system is known as:

• A. Threat assessment methodology
• B. Signature behaviors
• C. Behavioral evidence analysis
• D. Victimology

119. Computers and mobile devices are treated as _________ crime scenes in violent crime investigations

• A. Temporary
• B. Immediate
• C. Remote
• D. Secondary

120. During the commission of a crime, evidence is transferred between the offender’s computer and the target This is an example of:

• A. Locard’s Exchange Principle
• B. Sutherland’s General Theory of Criminology
• C. Martin’s Rule d
• D. Parkinson’s Rule of Available Space

121. Intruders who have a preferred toolkit that they have pieced together over time, with distinctive features:

• A. Usually have little experience and are relying on the kit
• B. Show little initiative – letting the tool do the work
• C. Are generally more experienced
• D. Pose less of a threat

122. In the case of a computer intrusion, the target computer is:

• A. The remote crime scene
• B. The auxiliary crime scene
• C. The virtual crime scen
• D. The primary crime scene

123. A computer intruder’s method of approach and attack can reveal significant amount about their:

• A. Skill level
• B. Knowledge of the target
• C. Intent
• D. All of the above

124. Determining skill level can lead to:

• A. Determining the extent of the intrusion
• B. Likely hiding places for rootkits and malware
• C. Suspects
• D. Offense behaviors

125. If digital investigators find an unauthorized file, they should:

• A. Immediately move the file to removable media
• B. Check for other suspicious files in the same directory
• C. Execute the file to determine its purpose
• D. Permanently delete the file

126. Remote forensic solutions can be used to access live systems, and include the ability to:

• A. Acquire and, sometimes, analyze memory
• B. Image systems without ever having to leave the lab
• C. Conduct examination and analysis without the need to image
• D. Image large systems across the Internet

127. A forensic analysis conducted on a forensic duplicate of the system in question is referred to as:

• A. Virtual analysis
• B. Clone analysis
• C. Post-mortem analysis
• D. Ex post facto analysis

128. Capturing all of the network traffic to and from the compromised system can:

• A. Allow the network administrators to participate in the investigation, establishing rapport for later interviews
• B. Reveal the source of the attack
• C. Seriously slow down the network, affecting normal work
• D. None of the above

129. A common technique that is highly useful and can be applied in a computer intrusion investigation is to simply focus on file system activities around the time of known events

• A. This embodies a principle known as:
• B. Temporal proximity
• C. Timeline analysis
• D. File system analysis

130. The registry key HKLM\Software\Microsoft\Windows\Current Version is one of the most common locations for:

• A. New software entries
• B. Time and date information
• C. Trojans
• D. A list of recently run programs

131. When collecting data from a compromised computer, consideration should be given to collecting the ______ data first.

• A. CMOS
• B. Most volatile
• C. Magnetic
• D. Optical

132. The forensic examiner needs to be aware that the process of collecting memory:

• A. Is seldom useful and not often called for
• B. Can take an extremely long period of time c
• C. Is only needed for standalone systems d
• D. Changes the contents of memory

133. A more thorough method of collecting specific volatile data from a computer is to:

• A. Examine the specific memory addresses live
• B. Collect the full contents of physical memory
• C. Selectively collect contents of physical memory
• D. Take screenshots

134. Why are “non-volatile” storage locations contained in the RFC 8227 “Order of Volatility”?

• A. This is an old RFC and has not been updated
• B. No form of data storage is permanent
• C. An RFC is a Request for Comments – and corrections are expected.
• D. None of the above.

135. The first state in the United States to enact a law to deal with cyberstalkers was: a

• A. Texas b
• B. Hawaii c
• C. California d
• D. New York

136. The first cyberstalking law in the US was passed in:

• A. 1985 b
• B. 1990 c
• C. 1995 d
• D. 2000

137. Stalkers want to exert power over their victims, primarily through:

• A. Fear
• B. Anxiety
• C. Autosuggestion
• D. Peer pressure

138. A stalker’s ability to frighten and control a victim increases with the amount of information that he can gather, such as:

• A. Telephone numbers
• B. Addresses
• C. Personal preferences
• D. All of the above

139. Stalkers have taken to the Internet because:

• A. The cost of an Internet connection has dropped considerably
• B. They depend heavily on information and the Internet contains vast amounts
• C. They no longer have to go out to do their stalking
• D. None of the above

140. An implication from studies indicating that many stalkers had prior acquaintance with their victims is that:

• A. Part of the blame can be assigned to the victim
• B. The offender is likely to be found in the same area as the victim
• C. Investigators should pay particular attention to acquaintances of the victim
• D. Investigators should always check the immediate family

141. An excellent set of guidelines developed specifically for victims of stalking is available from:

• A. The National Center for Victims of Crime
• B. The National White Collar Crime Center
• C. The Department of Justice
• D. The National Institute of Justice

142. When a cyberstalking case is stalled, it is a good idea to interview the victim again, because:

• A. The victim might have been withholding information during the first interview
• B. The information that investigators have gathered might help the victim recall additional details
• C. The time between the first and second interviews has given the victim time to seek counseling
• D. None of the above

143. In determining how and why the offender selected a specific victim, the investigator should determine whether the cyberstalker:

• A. Knew the victim
• B. Learned about the victim through a personal web page
• C. Noticed the victim in a chat room
• D. All of the above

144. A key aspect of developing victimology is determining victim and offender _____

• A. Hobbies
• B. Likes and dislikes
• C. Risks
• D. Roles

145. When searching for evidence of cyberstalking, it is useful to distinguish between an offender’s harassing behaviors and ____________ behaviors

• A. Grooming
• B. Surreptitious monitoring
• C. Initial contact
• D. Congenial

146. That part of cyberstalking where the offender is using the Internet to find a victim is known as:

• A. Profiling
• B. Trolling
• C. Surreptitious monitoring
• D. None of the above.

147. When a cyberstalker chooses victims at random, he is said to be an:

• A. Opportunistic stalker
• B. Power assertive stalker
• C. Profit-oriented stalker
• D. None of the above

148. The initial stage in a cyberstalking investigation is to:

• A. Search for additional digital evidence
• B. Analyze crime scene characteristics
• C. Conduct victimology and risk assessments
• D. Interview the victim

149. It is extremely important for the investigator to be extremely cautious when dealing with a stalking case because:

• A. If the victim becomes offended by the investigator’s methods, she is likely to go file a complaint
• B. If the investigation is conducted too openly, the offender may stop the harassment and move on to another victim
• C. The victim must be protected, in case the offender decides to escalate to physical violence
• D. The victims frequently become emotionally attached to the investigator

150. Which of the following is NOT part of the set of forensic methodologies referenced in this book?

• A. Preparation
• B. Interdiction
• C. Documentation
• D. Reconstruction

151. Preparation planning prior to processing a crime scene should include:

• A. What computer equipment to expect at the site
• B. What the systems are used for
• C. Whether a network is involved
• D. All of the above

152. The forensic crime scene processing kit should include all of the following, EXCEPT:

• A. Evidence bags, tags, and other items to label and package evidence
• B. Forensically sanitized hard drives to store acquired data
• C. Compilers for developing forensic tools on site
• D. Hardware write blockers

153. When processing the digital crime scene, one aspect of surveying for potential sources of digital evidence is:

• A. Recognizing relevant hardware such as computers, removable media, etc
• B. Determining if electrical wiring is capable of supporting forensic machines
• C. Confirming that the operating environment is suitable for electronic equipment
• D. Making sure there is sufficient space to set up the forensic crime scene processing kit

154. The _____________ documentation specifies who handled the evidence, when, where, and for what purpose

• A. Evidence inventory
• B. Chain of custody
• C. Evidence intake
• D. Preservation notes

155. When documenting a crime scene, the computer and surrounding area should be photographed, detailed sketches should be made, and copious notes should be taken, because:

• A. The more evidence collected, the stronger the case.
• B. This provides a record for what to look for when you return for the second visit.
• C. It is prudent to document the same evidence in several ways.
• D. All of the above.

156. In regard to preservation, in a child pornography investigation, which of the following should be collected?

• A. Photographs
• B. Papers
• C. Digital cameras
• D. All of the above

157. If it is determined that some hardware should be collected, but there is no compelling need to collect everything, the most sensible approach is to employ:

• A. Nearest reach doctrine
• B. Direct connectivity doctrine
• C. Independent component doctrine
• D. Slice-the-pie doctrine

158. According to the us Federal guidelines for searching and seizing computers, safe temperature ranges for most magnetic media are:

• A. 60-80 degrees Fahrenheit
• B. 50-90 degrees centigrade
• C. 50-90 degrees Fahrenheit
• D. 60-80 degrees centigrade

159. Which of the following is NOT an artifact that will be irrevocably lost if the computer is shut down?

• A. Running processes
• B. Open network ports
• C. Data stored in memory
• D. System date and time

160. Which of the following is NOT one of the recommended approaches to preserving digital evidence?

• A. Place the evidential computers and storage media in secure storage for later processing
• B. Preview the evidential computer, taking appropriate notes
• C. Extract just the information needed from evidential computers and storage media
• D. Acquire everything from evidential computer and storage media

161. The reason UNIX “dd” is considered a de facto standard for making bitstream copies is:

• A. The majority of tools for examining digital evidence can interpret bitstream copies
• B. “dd” stands for “digital data” and was developed for making forensic copies.
• C. “dd,” although a UNIX tool, is universally able to traverse Windows file systems.
• D. The developers of “dd” have made arrangements with other forensic software companies.

162. Regarding the examination of a piece of digital evidence, which of the following is NOT one of the fundamental questions that need to be answered?

• A. What is it (identification)?
• B. What classifications distinguish it?
• C. Where did it come from?
• D. What is its value?

163. Which of the following issues is NOT one that a forensic examiner faces when dealing with Windows-based media?

• A. Invasive characteristics of the Windows environment
• B. The facility in the standard Windows environment for mounting a hard drive as Read-Only
• C. The location, organization, and content of Windows system log files
• D. Available methods for recovering data from Windows media

164. Forensically acceptable alternatives to using a Windows Evidence Acquisition Boot Disk include all but which of the following?

• A. Linux boot floppy
• B. FIRE bootable CD-ROM
• C. Booting into safe mode
• D. Hardware write blockers

165. The standard Windows environment supports all of the following file systems EXCEPT ______

• A. FAT16
• B. ext2
• C. FAT32
• D. NTFS

166. Before evidentiary media is “acquired,” forensic examiners often ________ the media to make sure it contains data relevant to the investigation

• A. Hash
• B. Preview
• C. Validate
• D. Analyze

167. Log files are used by the forensic examiner to __________

• A. Associate system events with specific user accounts b
• B. Verify the integrity of the file system c
• C. Confirm login passwords d
• D. Determine if a specific individual is the guilty party

168. The Windows NT Event log Appevent

• A. Contains a log of application usage
• B. Records activities that have security implications, such as logins
• C. Notes system events such as shutdowns
• D. None of the above

169. When examining the Windows registry key, the “Last Write Time” indicates:

• A. The last time RegEdit was run b
• B. When a value in that Registry key was altered or added
• C. The current system time
• D. The number of allowable changes has been exceeded

170. File system traces include all of the following EXCEPT:

• A. Metadata
• B. CMOS settings
• C. Swap file contents
• D. Data object date-time stamps

171. When a file is moved within a volume, the Last Accessed Date Time:

• A. Is unchanged
• B. Changes if a file is moved to different directory
• C. Changes if a file is moved to the root
• D. Is unchanged; however, the Created Date-Time does change

172. Internet traces may be found in which of the following categories?

• A. Web browser cache
• B. Instant messenger cache
• C. Cookies
• D. All of the above

173. The Windows NT Event log Secevent evt:

• A. Contains a log of application usage
• B. Records activities that have security implications, such as logins
• C. Notes system events such as shutdowns
• D. None of the above

174. Which of the following is NOT one of the methods mobile devices use to communicate?

• A. FDDI
• B. Telecommunication networks
• C. WiFi access points
• D. Bluetooth piconets

175. One major advantage of mobile devices from a forensic perspective is that:

• A. People very seldom delete information from mobile devices
• B. The process for deleting information is much more complicated than for adding information, and users frequently don’t delete things correctly
• C. Flash memory is deleted block-by-block and mobile devices generally wait for a block to be full before it is deleted
• D. Manufacturers reserve a part of memory for storing deleted items

176. The reason that malware developers are beginning to target mobile devices is:

• A. Because available memory is much smaller and the operating system is much less sophisticated on mobile devices, it is much easier to develop malicious code
• B. The malware market has become very crowded and developers are looking for new avenues
• C. Since the coding is much simpler on mobile devices, many new programmers are trying at this particular platform
• D. Since mobile devices are used more and more for online banking and making purchases, they have become prime targets for computer criminals

177. Software designed to monitor activities on mobile devices has come to be called: a

• A. Malware b
• B. Spouseware c
• C. Trojan defense d
• D. None of the above

178. One of the dangers (from a forensic standpoint) of mobile devices is:

• A. Connected networks can contain investigatively useful information
• B. Network service providers may provide information for comparison with data extracted from a mobile device
• C. Connected networks can enable offenders to delete data remotely
• D. Network service providers may provide additional historical call records

179. One of the difficulties unique to forensic processing of mobile devices is:

• A. MD five hashes must be calculated for data recovered from mobile devices
• B. Documentation must show continuous possession and control
• C. An investigator must make a calculated decision to either prevent or allow the device to receive new data over wireless networks
• D. Any issues encountered with processing the device should be documented

180. Powering down a mobile device and removing the battery may cause problems in that: a

• A. When the battery is removed from a mobile device, the information in memory is lost
• B. Doing so may activate security measures such as lock codes and encryption
• C. The process of removing the battering can cause a capacitive discharge, destroying the device
• D. You now have two pieces of evidence, which have to be documented

181. Which of the following are methods for preserving mobile devices by isolating them from the networks?

• A. Reconfigure the device to prevent communication from the network
• B. Place the device in an RF-shielded pouch
• C. Jam RF signaling in the immediate area
• D. All of the above

182. Why is it important to collect charging cables when seizing mobile devices?

• A. Mobile device batteries have a limited charge life span, and the device will need a charger to maintain the battery until the device can be processed
• B. To reduce owner complaints about missing cables when, at some point, seized devices are returned
• C. In those cases where evidence seized is forfeit, you want to make sure you have everything you need to operate the device
• D. None of the above

183. Which of the following is NOT one of the currently available methods for extracting data from mobile devices?

• A. Manual operation via user interface
• B. Logical acquisition via communication port
• C. Connecting the communication port directly to an output device such as a printer
• D. Physical acquisition via the communication port

184. Forensic examiners should be aware that a mobile device with a blank or broken display:

• A. May as well be thrown away, as no data will be recovered from it
• B. May only indicate that the screen is damaged and it may still be possible to extract data
• C. May require that the mobile device be sent out to the manufacturer for repairs
• D. None of the above

185. A peculiarity of mobile devices is the format that they store SMS messages, which is: a

• A. ASCII
• B. Unicode
• C. GSM 7-bit
• D. Baudot

186. The primary reason that brute-force methods are not used when trying to access an SIM card with the PIN set is:

• A. A four-digit PIN represents 10,000 possible combinations
• B. After three failed attempts, the SIM card will become locked
• C. PIN disclosure by the offender can be required by a court order
• D. None of the above

187. An understanding of networks helps with which of the following:

• A. Establishing continuity of offense
• B. Tracking down offenders
• C. Understanding traces of online activities left on a PC
• D. All of the above

188. When a Windows system connects to a shared folder on another Windows machine on the Internet, which of the following protocols are used?

• A. TCP/IP
• B. SMB
• C. NetBIOS
• D. All of the above

189. Hosts that connect two or more networks are called:

• A. Routers
• B. Switches
• C. Hubs
• D. All of the above

190. Which of the following are Layer 7 protocols?

• A. Ethernet
• B. HTTP
• C. TCP
• D. All of the above

191. Ethernet uses which of the following technologies?

• A. CDPD
• B. CSMA/CD
• C. CDMA
• D. All of the above

192. Another name for a hub is:

• A. Switch
• B. Router
• C. Concentrator
• D. NIC

193. Currently, the most widely used Internet protocols are:

• A. TCP
• B. UDP
• C. IP
• D. All of the above

194. The OSI reference model divides Internets into seven layers Choose the correct order, by layer

• A. Transport, Session, Network, Presentation, Data-link, Application, Physical
• B. Presentation, Data-link, Application, Physical, Transport, Session, Network
• C. Physical, Data-link, Network, Transport, Session, Presentation, Application
• D. Data-link, Network, Session, Application, Physical, Network, Session

195. The layer that actually carries data via cables or radio signals is the:

• A. Transport layer
• B. Physical layer
• C. Network layer
• D. Data-link layer

196. A hub joins hosts at the physical level whereas a switch joins them at the _____ layer

• A. Transport
• B. Physical
• C. Network
• D. Data-link

197. The layer responsible for managing the delivery of data is the:

• A. Application layer
• B. Presentation layer
• C. Transport layer
• D. Session layer

198. Which of the following network technologies uses a fiber-optic medium?

• A. Ethernet
• B. FDDI
• C. Asynchronous Transfer Mode
• D. 802.11

199. Preservation of digital evidence can involve which of the following?

• A. Collecting computer hardware
• B. Making a forensic image of storage media
• C. Copying the files that are needed from storage media
• D. All of the above

200. A forensic image of a drive preserves which of the following?

• A. Memory contents
• B. File slack and unallocated space
• C. System date and time
• D. Screen contents

201. Examination of digital evidence includes (but is not limited to) which of the following activities?

• A. Seizure, preservation, and documentation
• B. Recovery, harvesting, and reduction
• C. Experimentation, fusion, and correlation
• D. Arrest, interviewing, and trial

202. Analysis of digital evidence includes which of the following activities?

• A. Seizure, preservation, and documentation
• B. Recovery, harvesting, and reduction
• C. Experimentation, fusion, and correlation
• D. Arrest, interviewing, and trial

203. Evidence can be related to its source in which of the following ways?

• A. Top, middle, bottom
• B. IP address, MD5 value, filename, date-time stamps
• C. Production, segment, alteration, location
• D. Parent, uncle, orphan

204. When a website is under investigation, before obtaining authorization to seize the systems it is necessary to:

• A. Determine where the web servers are located
• B. Inform personnel at the web server location that you’ll be coming to seize the systems
• C. Conduct a reconnaissance probe of the target website
• D. None of the above

205. Which of the following is NOT an information gathering process?

• A. Scanning the system remotely
• B. Studying security audit reports
• C. Attempting to bypass logon security
• D. Examining e-mail headers

206. Unlike law enforcement, system administrators are permitted to ________ on their network when it is necessary to protect the network and the data it contains

• A. Open unread e-mails
• B. Monitor network traffic
• C. Modify system logs
• D. Divulge user personal information

207. Although it was not designed with evidence collection in mind, _______can still be useful for examining network traffic

• A. EnCase
• B. FTK
• C. Wireshark
• D. CHKDSK

208. Issues to be aware of when connecting to a computer over a network and collecting information include:

• A. Creating and following a set of standard operating procedures
• B. Keeping a log of actions taken during the collection process
• C. Documenting which server actually contains the data that’s being collected
• D. All of the above

209. Occasionally, an intrusion detection system may trigger an alarm caused by an innocent packet that coincidentally contains intrusion class characteristics This type of alert is called:

• A. False warning
• B. Failsafe
• C. DEF con
• D. False positive

210. Information security professionals submit samples of log files associated with certain intrusion tools to help others detect attacks on the mailing lists at:

• A. Bugtraq
• B. Sam Spade
• C. CNET
• D. Security Focus

211. Which of the following are situations where a bitstream copy may not be viable?

• A. The hard drive is too large to copy
• B. The system cannot be shut down
• C. The digital investigator does not have authority to copy the entire drive
• D. All of the above

212. Who is authorized to conduct online undercover investigations when child pornography is involved?

• A. Anyone
• B. Computer security professionals
• C. Journalists
• D. Law enforcement

213. Which of the following Internet services can be used to exchange illegal materials?

• A. IRC
• B. Usenet
• C. KaZaa
• D. All of the above

214. What are two of the most useful headers for determining the origination of Usenet messages?

• A. From and Message-ID
• B. NNTP-Posting-Host and X-Trace
• C. Path and Subject
• D. RFC1036 and RFC2980

215. What information should you document when searching for evidence on the Web?

• A. Date/time of search, search engine and terms used, address of pertinent results
• B. Screenshots of significant search results
• C. Download copies of the webpages and calculate their MD5 value
• D. All of the above

216. Why is it important to hide your identity when conducting an online investigation?

• A. To reduce the risk of alerting the offender
• B. To get yourself in the mindset of covert web investigating
• C. To make it easier for you to determine the offender’s location
• D. All of the above

217. When it is not possible to determine the identity of the author of a Usenet message using IP addresses in the header, what else can you do to learn more about the author?

• A. Look for unusual signature and use of language
• B. Search the Web using distinctive aspects of posts
• C. Look for similar Usenet messages posted using an alias
• D. All of the above

218. What characteristics of IRC make it attractive to criminals?

• A. IRC enables them to exchange illegal materials with other criminals
• B. IRC provides them with some level of anonymity
• C. IRC gives them direct, “live” access to a large pool of potential victims
• D. All of the above

219. Which of the following enables a user to connect to IRC and run IRC fserves without disclosing their IP address?

• A. Freenet
• B. psybnc bot
• C. Fserve
• D. All of the above

220. Which of the following applications leave traces of Internet activities on a personal computer?

• A. Internet Explorer
• B. KaZaA
• C. IRC
• D. All of the above

221. Which of the following tools can reconstruct TCP streams?

• A. Tcpdump
• B. Wireshark
• C. Snoop
• D. EnCase

222. What peer-to-peer clients use the Fast Track network?

• A. KaZaA
• B. Grokster
• C. iMesh
• D. All of the above

223. Web Whacker and Httrack are examples of tools that:

• A. Search the Web
• B. Deface websites
• C. Capture websites
• D. Launch websites

224. Metaverseink is a:

• A. Search tool (people or things) for virtual worlds
• B. Newsgroup aggregator
• C. Social networking meta-tool
• D. A file-sharing peer-to-peer network

225. Second Life is one of the better known:

• A. Research websites
• B. Archive websites
• C. Virtual worlds
• D. Web-based game shows

226. Synchronous chat networks are particularly conducive to criminal activity because of their

• A. Privacy
• B. Immediacy
• C. Impermanence
• D. All of the above

227. What is the maximum cable length for a 10BaseT network?

• A. 10 feet
• B. 100 feet
• C. 10 meters
• D. 100 meters

228. What is the approximate theoretical maximum number of bytes that can be downloaded in one minute on a 10BaseT network?

• A. 10 Mb
• B. 75 Mb
• C. 100 Mb
• D. 175 Mb

229. Which of the following commands can be used to obtain the MAC address of a remote Windows computer?

• A. Netstat
• B. Ping
• C. Nbtstat
• D. Traceroute

230. What is the maximum cable length for a 10 base five segment?

• A. 100 feet
• B. 500 feet
• C. 100 m
• D. 500 m

231. ARP stands for:

• A. Address Resource Protection
• B. Advanced Retrieval Protocol
• C. Address Resolution Protocol
• D. Added Resource Processing

232. The best operating system for capturing network traffic on high-speed networks is:

• A. Microsoft DOS/Windows
• B. OpenBSD/FreeBSD
• C. Linux
• D. Solaris

233. Which of the following applications is used to capture network traffic?

• A. Snort
• B. Wireshark
• C. Tcpdump
• D. All of the above

234. How many bytes per packet does tcpdump capture by default?

• A. 10 bytes
• B. 68 bytes
• C. 128 bytes
• D. 1024 bytes

235. Which of the following tools can reconstruct TCP streams?

• A. Tcpdump
• B. Wireshark
• C. Snoop
• D. EnCase

236. The transition method in which only one computer can transmit while all the others listen is known as:

• A. Baseband
• B. Narrowband
• C. Broadband
• D. Sideband

237. Although ARP is part of TCP/IP, it is generally considered a part of the ______ layer

• A. Physical
• B. Data-link
• C. Network
• D. Transport

238. The form of ARP that ATM uses to discover MAC addresses is known as:

• A. ARPATM
• B. ATMARP
• C. MACATM
• D. ATMMAC

239. TCP is an abbreviation for:

• A. Transit Communication Protocol
• B. Transportation Cost Product
• C. Transport Control Protocol
• D. Time Communication Protocol

240. What system is used to convert IP addresses to their associated names?

• A. TCP/IP
• B. DNS
• C. ARP
• D. Routing

241. What protocol does the “ping” command use?

• A. TCP
• B. IP
• C. ICMP
• D. All of the above

242. Which of the following logs record the IP addresses of computers accessing an FTP server? a

• A. Wtmp
• B. Xferlog
• C. Syslog
• D. Access log

243. In addition to the IP address of the sender, SMTP e-mail server logs contain which of the following?

• A. The Message ID
• B. The time the message was received
• C. The name of the sender
• D. All of the above