ITN277
The __________ directory holds compiled files, which means programs, including some malware, may be found there.
/bin
The __________ directory is different from any other directory in that it is not really stored on the hard disk. It is created in memory and keeps information about currently running processes.
/proc
____ images store graphics information as grids of individual pixels.
Bitmap
How can forensic investigators prove that evidence was not altered during the course of an investigation?
By showing that the hash code before the data is reviewed is identical to the hash code after the investigation
Which of the following is the definition of heap (H)?
Dynamic memory for a program comes from the heap segment; a process may use a memory allocator such as malloc to request dynamic memory
The majority of digital cameras use the ____ format to store digital pictures.
EXIF
How is an audit trail of every machine through which an e-mail message has passed created?
Each server along the way adds its own information to the message header.
Which of the following practices enhances security for an FTP transaction?
Encrypting user names and passwords
Many devices, such as floppy and CD-ROM drives, are mounted in the /var directory.
False
The Windows Registry is organized into five sections. The __________ section is very critical to forensic investigations. It has profiles for all the users, including their settings.
HKEY_USERS (HKU)
____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
Insertion
Which of the following statements is true regarding Wireshark?
It is a popular tool for capturing network traffic in promiscuous mode.
A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10.
JPEG
____ compression compresses data by permanently discarding bits of information in the file.
Lossy
A port is a number that identifies a channel in which communication can occur. There are certain ports a forensic analyst should know on sight. Which port uses DNS to translate uniform resource locators into Web addresses and possibly retrieve other information about the system that matches the URL?
Port 53
What is the surest way to investigate actual IP packet interaction on a network?
Protocol capture and analysis
A number of tools and even some Windows utilities are available that can help you to analyze live data on a Windows system. Use __________ to view process and thread statistics on a system.
PsList
____ has also been used to protect copyrighted material by inserting digital watermarks into a file.
Steganography
____ is the art of hiding information inside image files.
Steganography
The image format XIF is derived from the more common ____ file format.
TIFF
Which of the following statements is true regarding the categories into which P2 Commander has presorted files?
They make it easy to search for files in the evidence drive.
A mail server is like an electronic post office: It sends and receives electronic mail.
True
All versions of Windows support logging. The Applications and Services log is used to store events from a single application or component rather than events that might have system-wide impact.
True
GNOME, which is built on GTK+, is a cross-platform toolkit for creating graphical user interfaces.
True
Like Windows, Linux has a number of logs that can be very interesting for a forensic investigation.The /var/log/lpr.log logis the printer log. It can give you a record of any items that have been printed fromthis machine.
True
Snort is an open source intrusion detection system (IDS).
True
The Swap File is also referred to as virtual memory.
True
The Windows Registry is a repository of all the information on a Windows system.
True
____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
Vector graphics
__________ is a live-system forensic technique in which you collect a memory dump and perform analysis in an isolated environment.
Volatile memory analysis
The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03.
XIF
In the Linux boot process, the MBR loads up a(n)__________ program, such as LILO.
boot loader
In Linux, as with Windows, the first sector on any disk is called the __________.
boot sector
The information collected from tools that play back an entire TCP session to trace file transfers:
can be used as a starting point for continuing the investigation into the suspect's own computer.
Recovering pieces of a file is called ____.
carving
As you drill down within the file structure, the drives, directories, sub-directories, and folders of the evidence drive are added to the P2 Commander:
case file.
When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations.
copyright
Maintaining __________ is a problem with live system forensics in which data is not acquired at a unified moment.
data consistency
You can use the __________ shell command to make a physical image of what is live in memory.
dd
The process of converting raw picture data to another format is referred to as ____.
demosaicing
P2 Commander includes a(n) ___________ that enables the investigator to sort, search scan, and otherwise work with the e-mail data to find the data most relevant to the case.
e-mail analyzer
The __________ keeps a record of the message's journey as it travels through the communications network.
e-mail message header
The __________ keeps a record of an e-mail message's journey as it travels through the communications network.
header
If you can't open an image file in an image viewer, the next step is to examine the file's ____.
header data
The simplest way to access a file header is to use a(n) ____ editor
hexadecimal
What term is used to describe one of the five sections of the Windows Registry?
hive
SFTP (Secure FTP) is more secure than FTP because it used the SSH (Secure Shell) protocol to transfer files:
in an encrypted fashion.
A __________ is an expansion board you insert into a computer or a motherboard-mounted bit of hardware that enables network connectivity.
network interface card
Which Linux shell command lists all currently running processes that the user has started (any program or daemon is a process)?
ps
RFC 3864 describes message header field names. Message-ID of the message to which there is a reply refers to which of the following options?
references
What is meant by slurred image?
the result of acquiring a file as it is being updated
At a minimum, an e-mail message header must include:
the sender's account and the date.
When it comes to attempts to open an FTP connection, a low rate of attempts followed by a successful logon usually means:
the user has the password for the account.
Which of the following might indicate a brute force attack?
Multiple attempts to access the FTP server
P2 Commander includes the option to calculate hash codes for drives and partitions. When this option is selected:
P2 Commander automatically creates hash codes for the data on the evidence drive.
