CIS 387 Digital Forensics


[3 points] List three features NTFS has that FAT does not.

Unicode characters, security, journaling

Banners displaying corporate policies are used for ___.

avoid search warrant

A bit-stream copy of a disk refers to a copy of ____ of the disk.

All bits

The basic plan for your investigation includes gathering the evidence, establishing the ____, and performing the forensic analysis.

Chain of custody

A message hash can be used as ____ to check message integrity.

Message digest

In the FAT32 file system, a backup copy of the boot sector can be found either in ----

Not (the last sector of the volume, the middle of the volume, the last sector or in the middle of the volume)

After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.

T

EnCase's FastBloc SE is a software blocker that prevents modifications to evidence drives.

T

A forensic chain of custody maintains a record of how evidence has been handled from the moment it was collected to the moment it is presented in a court.

T

In the FAT file system, directory entries can exist anywhere in the data area because they are stored in the clusters allocated to a directory.

T

In the NTFS file system, the location of the MFT is provided in the boot sector.

T

In the NTFS file system, the size of the boot sector is one cluster only, and it is located in the first cluster of the volume.

T

The bootable flag is not always required for all partitions.

T

The type of file system an OS uses determines how data is stored on the disk.

T

Unless an acquisition tool looks for an HPA (host protected area), it will not be possible to acquire an image of the HPA using a standard imaging tool.

T

What are the two main objectives of the FAT data structure in a FAT file system?

To determine the cluster allocation status & Cluster chain

Assume a hard disk has 12,495 cylinders, 8 heads, and 63 sectors per track. The size of this hard disk is about ____ GB.

3

Each directory entry of the directory data structure of a FAT16 file system is ------- bytes in size.

32

MFT entry #1 is for the $MFTMirr file, which has a non-resident attribute that contains a backup copy of at least the first ---- MFT entries.

4

In the NTFS file system, the MFT entry header is ---- bytes in size.

42

Which amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure?

4th Amendment

Windows 2000 can be configured to access which of these file formats? (Choose all that apply.)

(FAT12 , FAT16, FAT32, NTFS)

For remote acquisitions, you are aware of ----

1) data transfer speed 2) access permissions over the network 3) anti-virus, anti-spyware, and firewall programs

When you perform an acquisition at a remote location, what should you consider to prepare for this task?

1) determining whether there is sufficient electrical power and lighting 2) checking the temperature at the location 3) checking the humidity at the location

In the NTFS file system, the default size of each MFT entry is ---- bytes.

1024

Assume a hard disk has 8 platters. This hard disk has ____ read/write heads.

16

In DOS partitions, a partition table entry consists of ---- bytes.

16

In what year was the Computer Fraud and Abuse Act passed?

1986

What is stored at FAT table entry #0 and entry #1?

Entry #0: copy of the media type; Entry #1: dirty status

A FAT file system can be identified by inspecting the number of sectors per cluster field of the boot sector.

F

A RAID 3 array uses distributed data and distributed parity in a manner like a RAID 5 array.

F

According to the Microsoft specification, the maximum cluster size is 1024 bytes.

F

Changing a file's permission(s) will change the file's hash result.

F

Digital forensics and data recovery refer to the same activities.

F

In the FAT32 file system, the root directory table starts at cluster 2.

F

Someone who wants to hide data can create hidden partitions or voids, large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.

F

The 0x55AA signature at bytes 510 and 511 of the boot sector indicates a FAT file system boot sector.

F

The FAT12/FAT16 file system contains an FSINFO data structure, which is stored at sector 1.

F

The law of search and seizure protects the rights of all people, excluding people suspected of crimes.

F

Under normal circumstances, a private-sector investigator is considered an agent of law enforcement.

F

In the NTFS file system, the MFT starts at ------- of the volume.

any cluster

BIOS is NOT

in RAM (read/write memory)

When analyzing digital evidence, your job is to ____.

recover the data

In the NTFS file system, a backup copy of the boot sector can be found either in ----

the last sector or in the middle of the volume

In the FAT32 file system, the FSINFO data structure is stored at ----

sector #1

What is the space on a drive called when a file is deleted? (Choose all that apply.)

unallocated space & free space
