Computer Forensics Exam 2
Each graphics file type has a unique header value.
T
ISO standard 27037 states that the most important factors in data acquisition are the DEFR's competency and the use of validated tools.
T
The first 3 bytes of an XIF file are exactly the same as a TIF file.
T
The only pieces of metadata not in an inode are the filename and path.
T
Which of the following is not considered to be a non-standard graphics file format? a. .dxf b. .tga c. .rtl d. .psd
a. .dxf
What is the goal of the NSRL project, created by NIST? a. Collect known hash values for commercial software and OS files using SHA hashes. b. Search for collisions in hash values, and contribute to fixing hashing programs. c. Create hash values for illegal files and distribute the information to law enforcement. d. Collect known hash values for commercial software and OS files using MD5 hashes.
a. Collect known hash values for commercial software and OS files using SHA hashes.
What hex value is the standard indicator for JPEG graphics files? a. FF D8 b. FF D9 c. F8 D8 d. AB CD
a. FF D8
The __________ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface. a. Kali b. Arch c. Ubuntu d. Helix3
a. Kali
A hash that begins with "$6" in the shadow file indicates that it is a hash from what hashing algorithm? a. MD5 b. Blowfish c. SHA-1 d. SHA-512
a. MD5
What is the purpose of the reconstruction function in a forensics investigation? a. Re-create a suspect's drive to show what happened during a crime or incident. b. Prove that two sets of data are identical. c. Copy all information from a suspect's drive, including information that may have been hidden. d. Generate reports or logs that detail the processes undertaken by a forensics investigator.
a. Re-create a suspect's drive to show what happened during a crime or incident.
What does the MFT header field at offset 0x00 contain? a. The MFT record identifier FILE b. The size of the MFT record c. The length of the header d. The update sequence array
a. The MFT record identifier FILE
What type of block does a UNIX/Linux computer have only one of? a. boot block b. data block c. inode block d. superblock
a. boot block
Reconstructing fragments of files that have been deleted from a suspect drive is known as ____________ in North America. a. carving b. scraping c. salvaging d. sculpting
a. carving
The ___________ command inserts a HEX E5 (0xE5) in a filename's first letter position in the associated directory entry. a. delete b. edit c. update d. clear
a. delete
Which of the following commands creates an alternate data stream? a. echo text > myfile.txt:stream_name b. ads create myfile.txt{stream_name} "text" c. cat text myfile.txt=stream_name d. echo text
a. echo text > myfile.txt:stream_name
The ______________ command can be used to see network interfaces. a. ifconfig b. ipconfig c. show interfaces d. show ip brief
a. ifconfig
What command below will create a symbolic link to a file? a. ln -s b. ls -ia c. ln -l d. ls -h
a. ln -s
Which of the following options is not a subfunction of extraction? a. logical data copy b. decrypting c. bookmarking d. carving
a. logical data copy
What kind of graphics file combines bitmap and vector graphics types? a. metafile b. bitmap c. jpeg d. tif
a. metafile
Where is the root user's home directory located on a Mac OS X file system? a. /root b. /private/var/root c. /private/spool/root d. /home/root
b. /private/var/root
As part of a forensics investigation, you need to recover the logon and logoff history information on a Linux based OS. Where can this information be found? a. /var/log/utmp b. /var/log/wtmp c. /var/log/userlog d. /var/log/system.log
b. /var/log/wtmp
What hexadecimal code below identifies an NTFS file system in the partition table? a. 05 b. 07 c. 1B d. A5
b. 07
A Master Boot Record (MBR) partition table marks the first partition starting at what offset? a. 0x1CE b. 0x1BE c. 0x1AE d. 0x1DE
b. 0x1BE
How many bits are required to create a pixel capable of displaying 65,536 different colors? a. 8 bits b. 16 bits c. 32 bits d. 64 bits
b. 16 bits
What act defines precisely how copyright laws pertain to graphics? a. 1988 Image Ownership Act b. 1976 Copyright Act c. 1923 Patented Image Act d. 1976 Computer Fraud and Abuse Act
b. 1976 Copyright Act
Within the /etc/shadow file, what field contains the password hash for a user account if one exists? a. 1st field b. 2nd field c. 3rd field d. 4th field
b. 2nd field
A typical disk drive stores how many bytes in a single sector? a. 8 b. 512 c. 1024 d. 4096
b. 512
What is the minimum size of a block in UNIX/Linux filesystems? a. 128 bytes b. 512 bytes c. 1024 bits d. 2048 bits
b. 512 bytes
In general, what would a lightweight forensics workstation consist of? a. A tablet with peripherals and forensics apps b. A laptop computer built into a carrying case with a small selection of peripheral options c. A laptop computer with almost as many bays and peripherals as a tower d. A tower with several bays and many peripheral devices
b. A laptop computer built into a carrying case with a small selection of peripheral options
What program serves as the GUI front end for accessing Sleuth Kit's tools? a. DetectiveGUI b. Autopsy c. KDE d. SMART
b. Autopsy
The ReFS storage engine uses a __________ sort method for fast access to large data sets. a. A+-tree b. B+-tree c. reverse d. numerical
b. B+-tree
Which of the following is stated within the ISO 27037 standard? a. Hardware acquisition tools can only use CRC-32 hashing. b. Digital Evidence First Responders should use validated tools. c. Software forensics tools must provide a GUI interface. d. Software forensics tools must use the Windows OS.
b. Digital Evidence First Responders should use validated tools.
For EXIF JPEG files, the hexadecimal value starting at offset 2 is _____________. a. FFE0 b. FFE1 c. FFD8 d. FFD9
b. FFE1
What tool below was written for MS-DOS and was commonly used for manual digital investigations? a. SMART b. Norton DiskEdit c. ByteBack d. DataLifter
b. Norton DiskEdit
If a file has 510 bytes of data, what is byte 510? a. The physical EOF. b. The logical EOF. c. The terminating EOF. d. The end of the sector.
b. The logical EOF.
When using the File Allocation Table (FAT), where is the FAT database typically written to? a. The innermost track b. The outermost track c. The first sector d. The first partition
b. The outermost track
_______________ proves that two sets of data are identical by calculating hash values or using another similar method. a. Verification b. Validation c. Integration d. Compilation
b. Validation
What file type starts at offset 0 with a hexadecimal value of FFD8? a. tiff b. jpeg c. xdg d. bmp
b. jpeg
Addresses that allow the MFT to link to nonresident files are known as _______________. a. virtual cluster numbers b. logical cluster numbers c. sequential cluster numbers d. polarity cluster numbers
b. logical cluster numbers
The Lempel-Ziv-Welch (LZW) algorithm is used in _____________ compression. a. lossy b. lossless c. vector quantization d. adaptive
b. lossless
Passwords are typically stored as one-way _____________ rather than in plaintext. a. hex values b. variables c. hashes d. slack spaces
b. variables
What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume? a. $MftMirr b. $TransAct c. $LogFile d. $Backup
c. $LogFile
How many different colors can be displayed by a 24-bit color pixel? a. 256 b. 65,536 c. 16,777,216 d. 4,294,967,296
c. 16,777,216
All TIF files start at offset 0 with what 6 hexadecimal characters? a. 2A 49 48 b. FF 26 9B c. 49 49 2A d. AC 49 2A
c. 49 49 2A
Which graphics file format below is rarely compressed? a. GIF b. JPEG c. BMP d. None of the above
c. BMP
What option below is an example of a platform-specific encryption tool? a. GnuPG b. TrueCrypt c. BitLocker d. Pretty Good Privacy (PGP)
c. BitLocker
For all JPEG files, the ending hexadecimal marker, also known as the end of image (EOI), is ____________. a. FFE0 b. FFD8 c. FFD9 d. FFFF
c. FFD9
On Mac OS X systems, what utility can be used to encrypt / decrypt a user's home directory? a. Disk Utility b. BitLocker c. FileVault d. iCrypt
c. FileVault
________________ contain file and directory metadata and provide a mechanism for linking data stored in data blocks. a. Blocks b. Clusters c. Inodes d. Plist files
c. Inodes
Who is the current maintainer of the Linux kernel? a. Tim Cook b. Eric Schmidt c. Linus Torvalds d. Lennart Poettering
c. Linus Torvalds
What registry file contains user account management and security settings? a. Default.dat b. Software.dat c. SAM.dat d. Ntuser.dat
c. SAM.dat
In what mode do most write-blockers run? a. RW mode b. BIOS mode c. Shell mode d. GUI mode
c. Shell mode
What registry file contains installed programs' settings and associated usernames and passwords? a. Default.dat b. Security.dat c. Software.dat d. System.dat
c. Software.dat
In simple terms, _____________ compression discards bits in much the same way rounding off decimal values discards numbers. a. Huffman b. Lempel-Ziv-Welch (LZW) c. Vector Quantization d. Adaptive Quantization
c. Vector Quantization
Most manufacturers use what technique in order to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks? a. Disk Track Recording (DTR) b. Zone Based Areal Density (ZBAD) c. Zone Bit Recording (ZBR) d. Cylindrical Head Calculation (CHC)
c. Zone Bit Recording (ZBR)
Select below the command that can be used to display bad block information on a Linux file system, but also has the capability to destroy valuable information. a. dd b. fdisk c. badblocks d. mke2fs
c. badblocks
The Mac OS reduces file fragmentation by using _______________. a. inodes b. superblocks c. clumps d. chunks
c. clumps
What term below describes a column of tracks on two or more disk platters? a. sector b. cluster c. cylinder d. header
c. cylinder
The process of converting raw picture data to another format is called _________________. a. splicing b. carving c. demosaicing d. vector quantization
c. demosaicing
What command below can be used to decrypt EFS files? a. cipher b. copy c. efsrecvr d. decrypt
c. efsrecvr
Select below the file system that was developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDXC), and memory sticks: a. FAT12 b. FAT32 c. exFAT d. VFAT
c. exFAT
What format was developed as a standard for storing metadata in image files? a. jpeg b. tif c. exif d. bitmap
c. exif
A keyword search is part of the analysis process within what forensic function? a. reporting b. reconstruction c. extraction d. acquisition
c. extraction
What term is used to describe a disk's logical structure of platters, tracks, and sectors? a. cylinder b. trigonometry c. geometry d. mapping
c. geometry
The _________ branches in HKEY_LOCAL_MACHINE\Software consist of SAM, Security, Components, and System. a. registry b. storage c. hive d. tree
c. hive
In a B*-tree file system, what node stores link information to previous and next nodes? a. inode b. header node c. index node d. map node
c. index node
When looking at a byte of information in binary, such as 11101100, what is the first bit on the left referred to as? a. major significant bit (MSB) b. least significant bit (LSB) c. most significant bit (MSB) d. leading significant bit (LSB)
c. most significant bit (MSB)
What file under the /etc folder contains the hashed passwords for a local system? a. passwd b. hashes c. shadow d. users
c. shadow
Adding the _____________ flag to the ls -l command has the effect of showing all files beginning with the "." character in addition to other files. a. -s b. -d c. -l d. -a
d. -a
The ProDiscover utility makes use of the proprietary __________ file format. a. .img b. .pro c. .iso d. .eve
d. .eve
The _____________ format is a proprietary format used by Adobe Photoshop. a. .tga b. .fh11 c. .svg d. .psd
d. .psd
________________ is a specialized carving tool that can read many image file formats, such as RAW and Expert Witness. a. AccessData FTK b. X-Ways Forensics c. Guidance Software EnCase d. Foremost
d. Foremost
What algorithm is used to decompress Windows files? a. Fibonacci b. Zopfli c. Shannon-Fano d. Lempel-Ziv
d. Lempel-Ziv
Select below the utility that is not a lossless compression utility: a. PKZip b. WinZip c. StuffIt d. Lzip
d. Lzip
What information below is not included within an inode? a. The mode and type of the file or directory b. The number of links to a file or directory c. The file's or directory's last access time and last modified time d. The file's or directory's path
d. The file's or directory's path
What third-party encryption tool creates a virtual encrypted volume, which is a file mounted as though it were a disk drive? a. PGP Full Disk Encryption b. Voltage SecureFile c. BestCrypt d. TrueCrypt
d. TrueCrypt
Which of the following is not a valid configuration of Unicode? a. UTF-8 b. UTF-16 c. UTF-32 d. UTF-64
d. UTF-64
The physical data copy subfunction exists under the ______________ function. a. reporting b. validation / verification c. extraction d. acquisition
d. acquisition
When performing disk acquisition, the raw data format is typically created with the UNIX/Linux _____________ command. a. format b. tar c. dump d. dd
d. dd
What file is used to store any file information that is not in the MDB or a VCB? a. page file b. metadata database file c. slack file d. extents overflow file
d. extents overflow file
In what temporary location below might passwords be stored? a. system32.dll b. CD-ROM drive c. Windows registry d. pagefile.sys
d. pagefile.sys
Which of the following is not a type of graphic file that is created by a graphics program? a. bitmap images b. vector graphics c. metafile graphics d. raster graphics
d. raster graphics
Referred to as a digital negative, the _______ is typically used on many higher-end digital cameras. a. raster file format b. bitmap file format c. jpeg file format d. raw file format
d. raw file format
Which of the following formats is not considered to be a standard graphics file format? a. gif b. jpeg c. dxf d. tga
d. tga
Each MFT record starts with a header identifying it as a resident or nonresident attribute.
F
FAT32 is used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.3 and 4.0.
F
In UNIX and Linux, everything except monitors is considered a file.
F
Making a logical acquisition of a drive with whole disk encryption can result in unreadable files.
F
Physically copying the entire drive is the only type of data-copying method used in software acquisitions.
F
Someone who wants to hide data can create hidden partitions or voids, large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.
F