Chp 5-9 Computer forensics and Investigations
In NTFS, files smaller than 512 bytes are stored in the MFT. True or False
True
List two features NTFS has that FAT does not.
Unicode characters, security, journaling.
Building a forensic workstation is more expensive than purchasing one. True or False?
False
Device drivers contain what kind of information?
Instructions for the OS on how to interface with hardware devices.
Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or False?
True
The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False?
True
When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False?
True
When viewing a file header, you need to include hexadecimal information to view the image. True or False?
True
Hashing, filtering, and file header analysis make up which function of digital forensics tools?
Validation and verification
A live acquisition can be replicated. True or False?
False
Clusters in Windows always begin numbering at what number?
2
In FAT32, a 123 KB file uses how many sectors?
246 sectors. 123 KB x 1,024 bytes per KB = 125,952 bytes in the file; 125,952 bytes / 512 bytes per sector = 246 sectors.
How many sectors are typically in a cluster on a disk drive?
4 or more
On a Windows system, sectors typically contain how many bytes?
512
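The sector arithmetic above generalizes to clusters and slack space, which is what an examiner actually cares about when a file ends mid-cluster. The following is an added example, not from the textbook: given a file size and an assumed geometry (512-byte sectors, 8 sectors per cluster by default; both are assumptions for the demo, real volumes vary), it returns the sectors and clusters the file occupies and how the file slack splits into RAM slack (the tail of the last data sector) and drive slack (the unused sectors after it).

```python
SECTOR_SIZE = 512  # bytes per sector on a typical Windows disk (assumption for the demo)


def allocation(file_size, sector_size=SECTOR_SIZE, sectors_per_cluster=8):
    """Work out how a file of file_size bytes sits on disk.

    sectors_used  sectors that hold file data (rounded up)
    clusters      clusters the file system reserves for it (rounded up)
    ram_slack     unused bytes at the end of the last data sector
    drive_slack   whole unused sectors at the end of the last cluster
    file_slack    ram_slack + drive_slack (everything from EOF to cluster end)
    """
    if file_size < 0 or sector_size <= 0 or sectors_per_cluster <= 0:
        raise ValueError("file size must be >= 0 and geometry values > 0")
    cluster_size = sector_size * sectors_per_cluster
    sectors_used = -(-file_size // sector_size)   # ceiling division
    clusters = -(-file_size // cluster_size)
    ram_slack = sectors_used * sector_size - file_size
    file_slack = clusters * cluster_size - file_size
    return {
        "sectors_used": sectors_used,
        "clusters": clusters,
        "ram_slack": ram_slack,
        "drive_slack": file_slack - ram_slack,
        "file_slack": file_slack,
    }


if __name__ == "__main__":
    # The textbook case (123 KB) plus a file that ends mid-sector and an empty file.
    for size in (123 * 1024, 1000, 0):
        print(size, allocation(size))
```

Note that the 123 KB file fills its 246 sectors exactly (no RAM slack) but still wastes two sectors of drive slack, because 246 sectors is not a whole number of 8-sector clusters; anything previously written in those two sectors survives until the cluster is reused.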
What methods do steganography programs use to hide data in graphics files? (Choose all that apply.) A. Insertion B. Substitution C. Masking D. Carving
A. Insertion and B. Substitution
Rainbow tables serve what purpose for digital forensics examinations? a. Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords. b. Rainbow tables are a supplement to the NIST NSRL library of hash tables. c. Rainbow tables are designed to enhance the search capability of many digital forensics examination tools. d. Rainbow tables provide a scoring system for probable search terms.
A. Rainbow tables contain computed hashes of possible passwords that some password recovery programs can use to crack passwords
Digital pictures use data compression to accomplish which of the following goals? (Choose all that apply.) A. Save space on a hard drive. B. Provide a crisp and clear image. C. Eliminate redundant data. D. Produce a file that can be e-mailed or posted on the Internet.
A. Save space on a hard drive and D. Produce a file that can be e-mailed or posted on the Internet
The National Software Reference Library provides what type of resource for digital forensics examiners? a. A list of digital forensics tools that make examinations easier b. A list of MD5 and SHA1 hash values for all known OSs and applications c. Reference books and materials for digital forensics d. A repository for software vendors to register their developed applications
B. A list of MD5 and SHA1 hash values for all known OSs and applications
Which of the following represents known files you can eliminate from an investigation? (Choose all that apply.) A. Any graphics files B. Files associated with an application C. System files the OS uses D. Any files pertaining to the company
B. Files associated with an application and C. System files the OS uses
Some clues left on a drive that might indicate steganography include which of the following? (Choose all that apply.) A. Multiple copies of a graphics file B. Graphics files with the same name but different file sizes C. Steganography programs in the suspect's All Programs list D. Graphics files with different timestamps
A. Multiple copies of a graphics file, B. Graphics files with the same name but different file sizes, and C. Steganography programs in the suspect's All Programs list
Steganography is used for which of the following purposes? A. Validating data B. Hiding data C. Accessing remote computers D. Creating strong passwords
B. Hiding data
What methods are used for digital watermarking? (Choose all that apply.) A. Implanted subroutines that link to a central Web server automatically when the watermarked file is accessed B. Invisible modification of the LSBs in the file C. Layering visible symbols on top of the image D. Using a hex editor to alter the image data
B. Invisible modification of the LSBs in the file and C. Layering visible symbols on top of the image
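The "substitution" method from the steganography question and the "invisible modification of the LSBs" from the watermarking question are the same mechanism. The block below is an added example, not code from the textbook: it overwrites the least significant bit of successive cover bytes with the bits of a payload, prefixed by a 4-byte length so the extractor knows where to stop. The cover is a constructed byte string standing in for raw pixel data (no real image is involved).

```python
def _bits(data):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover, payload):
    """Substitution steganography: replace the LSB of successive cover bytes with
    the payload bits. A 4-byte big-endian length prefix goes in first so
    extract_lsb knows how many payload bytes to read back."""
    framed = len(payload).to_bytes(4, "big") + payload
    needed = len(framed) * 8
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} bytes, have {len(cover)}")
    stego = bytearray(cover)
    for index, bit in enumerate(_bits(framed)):
        stego[index] = (stego[index] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego):
    """Rebuild bytes from the LSBs; the first 32 bits carry the payload length."""
    def read(count, bit_offset):
        out = bytearray()
        for n in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[bit_offset + n * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(4, 0), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier; not an LSB payload in this format")
    return read(length, 32)


def max_byte_change(cover, stego):
    """Largest per-byte difference between cover and stego: 1 for LSB substitution."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed stand-in for the raw pixel bytes of a cover image (not a real picture).
COVER = bytes((i * 37 + 11) % 256 for i in range(4096))

if __name__ == "__main__":
    stego = embed_lsb(COVER, b"meet at the pier, 23:00")
    print(len(stego) == len(COVER), max_byte_change(COVER, stego), extract_lsb(stego))
```

Two properties matter for the examiner: the stego file is exactly the same size as the cover (substitution never changes length, unlike insertion, which appends data after the image's end-of-file marker and is what produces "same name, different file size"), and no byte moves by more than 1, so the change is invisible to the eye and only shows up statistically or by comparing against an original copy.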
A JPEG file uses which type of compression? A. WinZip B. Lossy C. Lzip D. Lossless
B. Lossy
If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords? a. There are no concerns because salting doesn't affect password-recovery tools. b. Salting can make password recovery extremely difficult and time consuming. c. Salting applies only to OS startup passwords, so there are no serious concerns for examiners. d. The effect on the computer's CMOS clock could alter files' date and time values.
B. Salting can make password recovery extremely difficult and time consuming
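The two password questions above (rainbow tables and salting) are two sides of one fact: a precomputed hash table only works when the same password always produces the same hash. The block below is an added example, not from the textbook. It builds a plain hash-to-password lookup (a rainbow table is a space-compressed form of the same idea) from a constructed wordlist, recovers an unsalted hash instantly, and then shows that once a random per-user salt and iteration count are involved, every candidate has to be re-hashed per account, so recovery time scales with wordlist size times iteration cost. PBKDF2 and the 1000-iteration count are this example's choices, not something the text specifies.

```python
import hashlib
import os

# Constructed wordlist standing in for a password-recovery dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon", "baseball"]


def unsalted_hash(password):
    """Legacy scheme: hash of the password alone. Same password -> same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once, before any case. A rainbow table
    stores hash/reduce chains instead of every pair, but serves the same lookup."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(stored_hash, table):
    """Pure lookup: no hashing happens at recovery time."""
    return table.get(stored_hash)


def salted_hash(password, salt, iterations=1000):
    """Salted, iterated scheme (PBKDF2-HMAC-SHA256); salt is per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_salted(password, iterations=1000):
    """What the application writes to its database: (random salt, derived hash)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt, iterations)


def crack_salted(salt, stored_hash, candidates, iterations=1000):
    """No table helps: every candidate must be re-hashed with this salt and
    iteration count. Returns (password or None, number of hashes computed)."""
    for tries, candidate in enumerate(candidates, start=1):
        if salted_hash(candidate, salt, iterations) == stored_hash:
            return candidate, tries
    return None, len(candidates)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(crack_unsalted(unsalted_hash("letmein"), table))   # letmein, via lookup
    salt, stored = store_salted("letmein")
    print(table.get(stored))                                 # None: table is useless
    print(crack_salted(salt, stored, WORDLIST))              # ('letmein', 4)
```

The practical consequence for an examination: with salted hashes the only options are a per-account dictionary or brute-force run (whose cost the defender controls through the iteration count) or finding the password somewhere else, such as a browser store or a reused credential.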
You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information? A. The disk is corrupted. B. There's a hidden partition. C. Nothing; this is what you'd expect to see. D. The drive is formatted incorrectly.
B. There's a hidden partition
Which of the following is true of most drive-imaging tools? (Choose all that apply.) A. They perform the same function as a backup. B. They ensure that the original drive doesn't become corrupt and damage the digital evidence. C. They create a copy of the original drive. D. They must be run from the command line.
B. They ensure that the original drive doesn't become corrupt and damage the digital evidence and C. They create a copy of the original drive
Which of the following is true about JPEG and TIF files? A. They have identical values for the first 2 bytes of their file headers. B. They have different values for the first 2 bytes of their file headers. C. They differ from other graphics files because their file headers contain more bits. D. They differ from other graphics files because their file headers contain fewer bits.
B. They have different values for the first 2 bytes of their file headers
When validating the results of a forensic analysis, you should do which of the following? (Choose all that apply.) A. Calculate the hash value with two different tools. B. Use a different tool to compare the results of evidence you find. C. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. D. Use a command-line tool and then a GUI tool.
A. Calculate the hash value with two different tools and B. Use a different tool to compare the results of evidence you find
Virtual machines have which of the following limitations when running on a host computer? a. Internet connectivity is restricted to virtual Web sites b. Applications can be run on the virtual machine only if they're resident on the physical machine c. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices d. Virtual machines can run only OS's that are older than the physical machine's OS
B. and C.
Which forensic image file format creates or incorporates a validation hash value in the image file? (Choose all that apply.) a. Expert Witness b. SMART c. AFF d. dd
A. Expert Witness, B. SMART, and C. AFF
The standards for testing forensics tools are based on which criteria? A. U.S. Title 18 B. ASTD 1975 C. ISO 17025 D. All of the above
C. ISO 17025
Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation? A. Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly B. Criminal investigation because law enforcement agencies have more resources at their disposal C. Internal corporate investigation because corporate investigators typically have ready access to company records D. Internal corporate investigation because ISPs almost always turn over e-mail and access logs when requested by a large corporation
C. Internal corporate investigation because corporate investigators typically have ready access to company records
In JPEG files, what's the starting offset position for the JFIF label? A. Offset 0 B. Offset 2 C. Offset 6 D. Offset 4
C. Offset 6
The verification function does which of the following? A. Proves that a tool performs as intended B. Creates segmented files C. Proves that two sets of data are identical via hash values D. Verifies hex editors
C. Proves that two sets of data are identical via hash values
When you carve a graphics file, recovering the image depends on which of the following skills? A. Recovering the image from a tape backup B. Recognizing the pattern of the data content C. Recognizing the pattern of the file header content D. Recognizing the pattern of a corrupt file
C. Recognizing the pattern of the file header content
A log report in forensics tools does which of the following? A. Tracks file types B. Monitors network intrusion attempts C. Records an investigator's actions in examining a case D. Lists known good files
C. Records an investigator's actions in examining a case
In steganalysis, cover-media is which of the following? A. The content of a file used for a steganography message B. The type of steganographic method used to conceal a message C. The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file D. A specific type of graphics file used only for hashing steganographic files
C. The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file
According to ISO standard 27037, which of the following is an important factor in data acquisitions? A. The DEFR's competency B. The DEFR's skills in using the command line C. Use of validated tools D. Conditions at the acquisition setting
A. The DEFR's competency and C. Use of validated tools
Forensics software tools are grouped into what categories?
Command line and GUI applications
What does CHS stand for?
Cylinders, Heads, Sectors
For which of the following reasons should you wipe a target drive? A. To ensure the quality of digital evidence you acquire B. To make sure unwanted data isn't retained on the drive C. Neither of the above D. Both a and b
D. Both a and b
Bitmap (.bmp) files use which of the following types of compression? A. WinZip B. Lossy C. Lzip D. Lossless
D. Lossless
Block-wise hashing has which of the following benefits for forensics examiners? A. Allows validating sector comparisons between known files B. Provides a faster way to shift bits in a block or sector of data C. Verifies the quality of OS files D. Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive
D. Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive
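Block-wise hashing is worth seeing in code, because the reason it finds remnants that a whole-file hash cannot is that each sector is hashed independently. The block below is an added example, not from the textbook. It hashes every full 512-byte sector of a constructed "known" file, then walks a constructed suspect image sector by sector: two known sectors survive intact (found), one sector was half overwritten (not found, since any changed byte changes the hash), and one was wiped to zeros. Uniform sectors are skipped when building the table because all-zero and all-0xFF blocks occur in every image and would only produce false hits. The 512-byte block size and sector-aligned layout are assumptions of the demo.

```python
import hashlib

BLOCK = 512  # sector size assumed for the demo


def _pseudo_random(label, size):
    """Deterministic filler so the demo is self-contained (constructed, not real files)."""
    out, i = b"", 0
    while len(out) < size:
        out += hashlib.sha256(b"%s-%d" % (label, i)).digest()
        i += 1
    return out[:size]


def block_hashes(known_file, block=BLOCK):
    """Hash every full sector of a known file -> {sha256 hex: sector index}.
    Uniform sectors (all 0x00, all 0xFF, ...) are skipped to avoid false hits."""
    table = {}
    full = len(known_file) - len(known_file) % block
    for offset in range(0, full, block):
        chunk = known_file[offset:offset + block]
        if len(set(chunk)) == 1:
            continue
        table.setdefault(hashlib.sha256(chunk).hexdigest(), offset // block)
    return table


def find_remnants(image, table, block=BLOCK):
    """Walk a suspect image sector by sector; return (image_offset, known_sector) hits."""
    hits = []
    for offset in range(0, len(image) - block + 1, block):
        digest = hashlib.sha256(image[offset:offset + block]).hexdigest()
        if digest in table:
            hits.append((offset, table[digest]))
    return hits


# Constructed known file (4 sectors) and a constructed 7-sector suspect image that
# still holds sectors 1-2 of it, one wiped sector, and a half-overwritten sector 3.
KNOWN_FILE = _pseudo_random(b"known", 4 * BLOCK)
SUSPECT_IMAGE = (
    _pseudo_random(b"unrelated", 3 * BLOCK)     # sectors 0-2: other data
    + KNOWN_FILE[1 * BLOCK:3 * BLOCK]           # sectors 3-4: known sectors 1 and 2
    + bytes(BLOCK)                              # sector 5: zero-filled (wiped)
    + KNOWN_FILE[3 * BLOCK:3 * BLOCK + 256]     # sector 6: first half of known sector 3,
    + _pseudo_random(b"overwrite", 256)         #           second half overwritten
)

if __name__ == "__main__":
    print(find_remnants(SUSPECT_IMAGE, block_hashes(KNOWN_FILE)))   # [(1536, 1), (2048, 2)]
```

A real tool hashes unallocated space and slack too, and has to cope with remnants that are not sector-aligned (e.g. data copied into a file with a different header size), which needs a sliding window or a smaller block size at a much higher cost per image.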
The reconstruction function is needed for which of the following purposes? (Choose all that apply.) A. Re-create a suspect drive to show what happened. B. Create a copy of a drive for other investigators. C. Recover file headers. D. Re-create a drive compromised by malware.
A. Re-create a suspect drive to show what happened, B. Create a copy of a drive for other investigators, and D. Re-create a drive compromised by malware
Hash values are used for which of the following purposes? A. Determining file size B. Filtering known good files from potentially suspicious data C. Reconstructing file fragments D. Validating that the original data hasn't changed
D. Validating that the original data hasn't changed and B. Filtering known good files from potentially suspicious data
The process of converting raw images to another format is called which of the following? A. Data conversion B. Transmogrification C. Transfiguring D. Demosaicing
D. Demosaicing
List three subfunctions of the extraction function
Data viewing, keyword searching, bookmarking, decompressing, decryption, and carving
Password recovery is included in all forensics tools. True or False?
False
A JPEG file is an example of a vector graphic. True or False?
False
Copyright laws don't apply to Web sites. True or False?
False
Data can't be written to the disk with a command-line tool. True or False?
False
Graphics files stored on a computer can't be recovered after they are deleted. True or False?
False
Hardware acquisition tools typically have built-in software for data analysis. True or False?
False
In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False?
False
Only one file format can compress graphics files. True or False?
False
The primary hashing algorithm the NSRL project uses is SHA-1. True or False?
True. The NSRL Reference Data Set is keyed on SHA-1 (MD5 values are also listed).
When investigating graphics files, you should convert them into one standard format. True or False?
False
Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True or False?
True. Outer zones hold more sectors per track than inner zones.
List three items stored in FAT database.
File attribute, date and time stamps, and starting cluster numbers
What is the space on a drive called when a file is deleted?
Unallocated space (also called free space)
What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?
It's hot-swappable: it can be connected and removed without shutting down the workstation.
What's a virtual cluster number?
It represents the assigned clusters of files that are nonresident in the MFT.
Commercial encryption programs often rely on _______ technology to recover files if a password or passphrase is lost.
Key escrow
Explain how to identify an unknown graphics file format that your digital forensics tool doesn't recognize.
Examine the first bytes of the file in a hex editor, look up that hex signature (online or in a file-signature reference), and compare it with the headers of known files on the same system to see whether another file carries the same signature.
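Header identification comes up repeatedly on this page (unique graphics headers, JPEG versus TIF first bytes, the JFIF label at offset 6, carving by file header, and identifying an unknown format). The block below is one added example serving all of them, not code from the textbook. It keeps a small magic-number table, identifies a format from its first bytes, dumps the header in hex for the lookup described above when the format is unknown, reads the 4-byte label at JPEG offset 6, and carves JPEGs out of a buffer by header and trailer. The sample byte strings are constructed: only their header bytes are realistic, they are not decodable images.

```python
# Magic numbers for common graphics formats (the first bytes of the file header).
SIGNATURES = {
    "JPEG": b"\xff\xd8\xff",
    "PNG": b"\x89PNG\r\n\x1a\n",
    "GIF": b"GIF8",
    "BMP": b"BM",
    "TIFF little-endian": b"II*\x00",
    "TIFF big-endian": b"MM\x00*",
}


def identify(data):
    """Return the format whose signature starts the data, or None if unknown."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def hex_header(data, length=16):
    """Hex dump of the leading bytes: what you look up, or compare across files,
    when identify() returns None."""
    return " ".join(f"{b:02x}" for b in data[:length])


def jpeg_label(data):
    """In a JPEG the 4-byte label of the first application segment sits at offset 6:
    'JFIF' (APP0) or 'Exif' (APP1). Offsets 0-1 are the SOI marker, 2-3 the
    APPn marker and 4-5 the segment length."""
    if not data.startswith(b"\xff\xd8\xff"):
        return None
    return data[6:10]


def carve_jpegs(blob):
    """Header/trailer carving: every SOI (FF D8 FF) up to the next EOI (FF D9).
    Assumes contiguous, non-nested images; an Exif thumbnail carries its own
    SOI/EOI and would end the carve early, so real tools validate by decoding."""
    found, position = [], 0
    while True:
        start = blob.find(b"\xff\xd8\xff", position)
        if start < 0:
            return found
        end = blob.find(b"\xff\xd9", start + 3)
        if end < 0:
            return found
        found.append(blob[start:end + 2])
        position = end + 2


# Constructed samples: realistic headers, filler bodies, not decodable pictures.
JPEG_JFIF = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00"
             + b"\x11" * 40 + b"\xff\xd9")
JPEG_EXIF = (b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00MM\x00*\x00\x00\x00\x08"
             + b"\x22" * 24 + b"\xff\xd9")
TIFF_LE = b"II*\x00\x08\x00\x00\x00"
# A stretch of "unallocated space" holding two deleted JPEGs between zeroed sectors.
UNALLOCATED = bytes(64) + JPEG_JFIF + bytes(100) + JPEG_EXIF + bytes(32)

if __name__ == "__main__":
    print(identify(JPEG_JFIF), identify(TIFF_LE), identify(bytes(16)))
    print(hex_header(bytes([0x00, 0x00, 0x01, 0x00]) + bytes(12)))
    print(jpeg_label(JPEG_JFIF), jpeg_label(JPEG_EXIF))
    print([len(fragment) for fragment in carve_jpegs(UNALLOCATED)])
```

The carver is deliberately naive: it relies on the image being stored contiguously and on the first FF D9 after the header being the real end. Fragmented files and embedded thumbnails break both assumptions, which is why recognizing header patterns is only the first step and a carved result still has to be validated.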
What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?
Lossless
What does MFT stand for?
Master File Table
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?
None. Modern Windows pads the unused tail of the last sector with zeros rather than with RAM contents, so RAM slack no longer leaks memory data.
Which of the following Windows files contains user-specific information? a. User.dat b. Ntuser.dat c. System.dat d. SAM.dat
b. Ntuser.dat
Areal density refers to which of the following?
Number of bits per square inch of a disk platter
_______ happens when an investigation goes beyond the bounds of its original description.
Scope Creep
Why was EFI boot firmware developed?
To provide better protection against malware than the BIOS offers.
An encrypted drive is one reason to choose a logical acquisition. True or False?
True
An image of a suspect drive can be loaded on a virtual machine. True or false?
True
What does the Ntuser.dat file contain?
A user's protected storage area, loaded as the HKEY_CURRENT_USER Registry hive at logon, which holds MRU (most recently used) lists and the user's settings.
EFS can encrypt which of the following? a. Files, folders, and volumes b. Certificates and private keys c. The global Registry d. Network Servers
a. Files, folders, and volumes