FS2 Exam 2 Study Guide

In Linux, in which directory are most system configuration files stored? /home /dev /var /etc

/etc

On a Linux computer, by what are file systems exported to remote hosts represented? /etc/fstab /var/run/utmp /ver/log/wtmp /etc/exports

/etc/exports

In Linux, in which directory are most applications and commands stored? /home /etc /var /usr

/usr

At what hard link count is a file effectively deleted? 0 1 -1 2

0

What is the largest disk partition Ext4f can support? 4 TB 16 TB 10 TB 8 TB

16 TB

What do you call a forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation? A portable workstation A field workstation A quasi-workstation A lightweight workstation

A portable workstation

In which format are most digital photographs stored? TIFF EXIF GIF PNG

EXIF

Which tool allows network traffic to be viewed graphically? Etherape Tcpdump john Ethereal

Etherape

Which acronym refers to the file structure database that Microsoft originally designed for floppy disks? VFAT FAT32 NTFS FAT

FAT

All TIF files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 3B. True False

False

Because there are a number of different versions of UNIX and Linux, these OSs are referred to CLI platforms. True False

False

In software acquisition, there are three types of data-copying methods. True False

False

Most organizations keep e-mail for longer than 90 days. True False

False

Operating systems do not have tools for recovering image files. True False

False

The HFS and HFS+ file systems have four descriptors for the end of a file (EOF). True False

False

Type 1 hypervisors are useally the ones you find loaded on a suspect machine. True False

False

Typically, a virtual machine consists of just one file. True False

False

When intruders break into a network, they rarely leave a trail behind. True False

False

macOS is built with the new Apple File System (APFS). The current version offers better security, encryption, and performance speeds, but users can't mount HFS+ drives. True False

False

Which JFIF format has a hexadecimal value of FFD8 FFE0 in the first four bytes? JPEG EPS BMP GIF

JPEG

Which term is often used when discussing Linux because technically, Linux is only the core of the OS? Module Root Kernel GRUB

Kernel

In older versions of macOS, in which fork are file metadata and application information stored? Resource Inode Node Block

Resource

What is the primary hash algorithm used by the NIST project created to collect all known hash valuse for commercial software and OS files? SHA-1 MD5 CRC-32 RC4

SHA-1

Which hashing algorithm is provided by WinHex? CRC RC4 SHA-1 AES

SHA-1

What tyoe of disk is commonly used with Sun Solaris systems? FIRE IDE F.R.E.D. SPARC DiskSpy

SPARC

What technique has been used to protect copyrighted material by inserting digital watermarks into a file? Encryption Steganography Archiving Compression

Steganography

Which term comes from the Greek word for "hidden writing"? Lexicography Hagiography Cryptography Steganography

Steganography

Which term refers to a data-hiding technique that uses host files to cover the contents of a secret message? Graphie Steganalysis Steganos Steganography

Steganography

In addition to search warrants, what defines the scope of civil and criminal cases? Investigator preferences Risk assessment reports Subpoenas Lab policies and procedures

Subpoenas

From which file format is the image format XIF derived? TIF JPEG GIF BMP

TIF

Which digital forensics tool is categorized as a single-purpose hardware component? Magnet Forensics AXIOM AccessData FTK Tableau T35es-R2-SATA/IDE eSATA bridge Safeback

Tableau T35es-R2-SATA/IDE eSATA bridge

In older versions of macOS, where is all information about the volume stored? The Volume Bitmap (VB) The Extents Overflow File (EOF) The Volume Control Block (VCB) The Master Directory Block (MDB)

The Master Directory Block (MDB)

What macOS system application tracks each block on a volume to determine which blocks are in use and which ones are available to receive data? The Volume Control Block The Master Directory Block The Volume Bitmap Then Extents Overflow File

The Volume Bitmap

Where are directories and files stored on a disk drive? The boot block The inode block The data block The superblock

The data block

In macOS, which fork typically contains data the user creates? The resource fork The data fork The user fork The content fork

The data fork

When Microsoft created Windows 95, into what were initialization (.ini) files consolidated? The inirecord The inidata The registry The metadata

The registry

Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file's contents. True False

True

Before OS X, the Hierarchical File System (HFS) was used, in which files are stored in directories (folders) that can be nested in other directories. True False

True

Bitmap images are collections of dots, or pixels, in a grid format that form a graphic. True False

True

Computers used several OSs before Windows and MS-DOS dominated the market. True False

True

If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file. True False

True

In network forensics, you have to restore the drive to see how malware that attackers have installed on the system works. True False

True

Network logs record traffic in and out of a network. True False

True

Private-sector cases, such as employee abuse investigations, might not specify limitations in recovering data. True False

True

Software forensic tools are grouped into command-line applications and GUI applications. True False

True

Some notable UNIX distributions included Silicon Graphics, Inc. (SGI) IRIX, Santa Cruz Operation (SCO) UnixWare, Sun Solaris, IBM AIX, and HP-UX. True False

True

The Internet is the best source for learning more about file formats and their extensions. True False

True

The type of file system an OS uses determines how data is stored on the disk. True False

True

Virtual machines are now common for both personal and business use. True False

True

What kinds of images are bases on mathemeatical instructions that define lines, curves, text, ovals, and other geometric shapes? Vector graphics Line-art images Metafile graphics Bitmap images

Vector graphics

Which product responded to the need for security and preformance by producing different CPU designs? Parallels Virtualization Virtualization Technology (VT) KVM Hyper-V

Virtualization Technology (VT)

What is the general term for software or hardwarre that is used to protect evidence disks by preventing data from being written to them? Drive-protectors Data-protectors Write-blockers Disk-blockers

Write-blockers

Which header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03? TIFF GIF XIF JPEG

XIF

What term is used for the machines used in a DDoS attack? Pawns Zombies Dupes Soldiers

Zombies

Building your own forensics workstation: is inappropriate in the private sector. is always less expensive than choosing a vendor-supplied workstation. limits you to only one peripheral device per CPU because of potential conflicts. requires the time and skills necessary to support the chosen hardware.

requires the time and skills necessary to support the chosen hardware.

Where do software forensics tool copy data from a suspect's disk drive? Firmware A recovery copy An image file A backup file

An image file

Which tool probes, collects, and analyzes session data? TCPcap Argus Nmap Pcap

Argus

Which program incorporates an advanced encryption technique that can be used to hide data? NTI BestCrypt FTK PRTK

BestCrypt

What type of attacks use every possible letter, number, and character found on a keyboard when cracking a password? Brute-force Statistics Profile Dictionary

Brute-force

Because digital forensics tools have limitations in performing hashing, what tools should be used to ensure data integrity? Steganalysis tools High-level language assemblers HTML editors Hexadecimal editors

Hexadecimal editors

Which standards document demands accuracy for all aspects of the testing process? ISO 5725 ISO 5321 ISO 17025 ISO 3657

ISO 5725

What does scope creep typically do? -Virtually guarantees a conviction and substantial penalty -Increases the time and resources needed to extract, analyze, and present data -Creates overburdened staff who become careless with their work -Leads to the discovery and prosecution of other crimes

Increases the time and resources needed to extract, analyze, and present data

In a file's inode, what are the first 10 pointers called? Triple pointers Double pointers Indirect pointers Direct pointers

Indirect pointers

What contains file and directory metadata and provides a mechanism for linking data stored in data blocks? Xnodes Inodes Extnodes InfNodes

Inodes

Which type of compression compresses data permently by discarding bits of information in the file? Lossy Huffman Redundant Lossless

Lossy

Many password-protected OSs and applications stroe passwords in the form of which type of hash values? MD5 SSL AES SSH

MD5

Which tool enables the investigator to acquire the forensic image and process it in the same step? Magenet DEFR Magnet dd Magnet AXIOM Magnet FTK

Magnet AXIOM

Which tool lists all open network sockets, including those hidden by rootkits? Memoryze EnCase Knoppix R-Tools

Memoryze

Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr? Boot.ini Hal.dll BootSect.dos NTDetect.com

NTDetect.com

Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10? HPFS FAT32 VFAT NTFS

NTFS

Which tool was designed as an easy-to-use interface for inspecting and analyzing large tcpdump files? Etherape Ethertext Tcpread Netdude

Netdude

Which type of forensics can help you determine whether a system is truely under attack or a user has inadvertently installed an untested patch or custom program? Network forensics DDoS forensics Intrusion forensics Traffic forensics

Network forensics

Which filename refers to the Windows XP system service dispatch stubs to executables functions and internal support functions? Ntdll.dll User32.dll Advapi32.dll Gdi32.dll

Ntdll.dll

Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM? Hal.dll Ntkrnlpa.exe BootSect.dos lo.sys

Ntkrnlpa.exe

Macintosh moved to the Intel processor and became UNIX based with which operating system? High Sierra OS X El Capitan Lion

OS X