CIS-402 Final
In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.
1024
Ext4 can support disk partitions as large as ____ TB.
16
Briefly describe the Exchangeable Image File (EXIF) format.
A standard for storing metadata in JPEG and TIF files
What are the advantages and disadvantages of using raw data acquisition format?
Advantages:
- universal: everyone can read the data
- fast data transfers
Disadvantages:
- very high storage requirement: the destination must have the capacity of the entire disk under acquisition
- cannot read past minor errors or correct corrupted data
- no tools or anything built in to help analyze the data
____ refers to the number of bits in one square inch of a disk platter.
Areal density
____ images store graphics information as grids of pixels.
Bitmap
The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence.
Computer Analysis and Response Team (CART)
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
Data recovery
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____.
Data runs
The most common and flexible data-acquisition method is ____.
Disk-to-image file copy
When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____.
EFS
Most digital photographs are stored in the ____ format.
EXIF
What are some of the most common types of private-sector computer crime?
Espionage, Using company resources for personal use, Using the network for inappropriate use, Sabotage
The early standard Linux file system was ____.
Ext2
How are disk clusters numbered by Microsoft file structures (Please specify the differences in FAT and NTFS structures)?
FAT is a more primitive form of storing disk cluster numbers; it was designed for floppy disks. The information is stored in a table that records the time and date of access, the file information, etc. NTFS provides a more efficient means, as it improved on FAT: it can hold more information fields, such as security, and it uses smaller cluster sizes so that more data can be stored more efficiently. In NTFS, cluster numbering starts at address 0; in FAT, cluster numbering starts at address 2.
Computer investigations and forensics fall into the same category: public investigations.
False
If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available.
False
Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.
False
The first 5 bytes (characters) for all MFT records are FILE.
False
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
False
Windows OSs do not have a kernel.
False
What are some of the components of a disk drive?
Geometry - logical make-up of the disk
Head - read/write I/O
Tracks - store data
Cylinders - two or more columns of tracks
Sectors - collection of cylinders and tracks
Briefly describe the differences between hard links and soft links in Linux systems.
A hard link is a direct link created for another file on the same drive. It is an exact replica of the file and is created with the command "ln". It is a link that, when accessed, goes directly to that file on the same drive. A soft link is a symbolic link created to access another file that may be on a completely different partition/drive. It isn't an "exact replica" but more of a pointer to where that file is stored, and it can point across different drives, unlike a hard link. In addition, each symbolic link has an inode of its own, while with hard links multiple files point to the same inode.
Explain the use of hash algorithms to verify the integrity of lossless compressed data.
Hash algorithms translate the text into a hash value using an algorithm like md5 or sha1. The way this verifies data is that whenever a change occurs within the file, whether it be deletion, modification, or access, the hash value will change. Any difference between two hashes taken at different times shows that there has been some form of manipulation or change to the data.
By the early 1990s, the ____ introduced training on software for forensics investigations.
IACIS
____ contain file and directory metadata and provide a mechanism for linking data stored in data blocks.
Inodes
Linux ISO images that can be burned to a CD or DVD are referred to as ____.
Linux Live CDs
Explain the relation between allocation blocks and logical block on a Mac OS file system.
A logical block is defined by a block size (which cannot exceed 512 bytes), while an allocation block is a set of consecutive logical blocks used to store one file.
What are logical cluster numbers (LCNs)?
Logical cluster numbers are used when the data is all stored physically in that location. It acts as a resident-type file: all data is available and present, unlike VCNs, which point to another location on the partition where the data is stored.
Autopsy uses ____ to validate an image.
MD5
On an NTFS disk, immediately after the Partition Boot Sector is the ____.
MFT
On older Mac OSs all information about the volume is stored in the ____.
Master Directory Block (MDB)
What are the four factors that affect the quality of image?
Number of pixels
Screen resolution
Graphics card
Software
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.
Sparse
What is a bad block inode on Linux?
The bad block inode keeps track of space that is unavailable. Whether it is corrupted, filled, or marked as unusable, the bad block inode keeps track of where data cannot be stored and which blocks cannot be filled/used.
What are the functions of the superblock on a UNIX or Linux file system?
The superblock is in charge of the geometry of the spaces on the disk. It manages the data allocation of where the information is stored. It pushes the information out to the "outer ring" where there is space to utilize storage.
A separate manual validation is recommended for all raw acquisitions at the time of analysis.
True
After a judge approves and signs a search warrant, it is ready to be executed, meaning you can collect evidence as defined by the warrant.
True
Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.
True
Before OS X, the Hierarchical File System (HFS) was used, in which files are stored in directories (folders) that can be nested in other directories.
True
Bitmap images are collections of dots, or pixels, in a grid format that form a graphic.
True
By the 1970s, electronic crimes were increasing, especially in the financial sector.
True
Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.
True
If a file contains information, it always occupies at least one allocation block.
True
If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.
True
In Autopsy and many other forensics tools raw format image files don't contain metadata.
True
In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.
True
It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.
True
Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
True
The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.
True
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.
True
The pipe (|) character redirects the output of the command preceding it.
True
The type of file system an OS uses determines how data is stored on the disk.
True
To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
True
What are virtual cluster numbers (VCNs)?
VCNs act as a pointer to where the cluster/data is stored. Unlike LCNs, the information is non-resident and not physically present. The VCN has an address that points to where in the partition that file/data information is stored. VCNs are for nonresident files only.
____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
Vector graphics
With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
Volume Bitmap
Briefly describe the triad that makes up computer security.
Vulnerability/Threat Assessment and Risk management, Network Intrusion Detection and Incident Response, Digital Forensics
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.
affidavit
Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
allegation
In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations.
authorized requester
Recovering fragments of a file is called ____.
carving
A ____ is a column of tracks on two or more disk platters.
cylinder
The ____ is where directories and files are stored on a disk drive.
data block
The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
dd
The process of converting raw picture data to another format is referred to as ____.
demosaicing
On Mac OSs, the ____ stores any file information not in the MDB or Volume Control Block (VCB).
extents overflow file
You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512.
hash
In a file's inode, the first 10 pointers are called ____ pointers.
indirect
Published company policies provide a(n) ____ for a business to conduct internal investigations.
line of authority
Most remote acquisitions have to be done as ____ acquisitions.
live
In macOS, volumes have allocation blocks and ____ blocks.
logical
____ compression compresses data by permanently discarding bits of information in the file.
lossy
____ is used with .jpeg files to reduce file size and doesn't affect image quality when the file is restored and viewed.
lossy compression
The ____ command displays pages from the online help manual for information on Linux commands and their options.
man
The information about the first data run that is stored in the MFT record is '32 B1 07 8C 8C 00' and the information about the second data run is '22 63 07 95 ED'. What is the LCN address of the second data run?
Need to go over this: 31265
The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.
notarized
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
proprietary
In general, a criminal case follows three stages: the complaint, the investigation, and the ____.
prosecution
In older versions of macOS, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.
resource
Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.
sha1sum
A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.
virtual machine
A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
warning banner
Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.
whole disk encryption