CIS-402 Final

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.

1024

Ext4f can support disk partitions as large as ____ TB.

16

Briefly describe the Exchangeable Image File (EXIF) format.

A standard for storing metadata in JPEG and TIF files

What are the advantages and disadvantages of using raw data acquisition format?

Advantages: -universal, everyone can read the data -fast data transfers Disadvantages: -very high storage, has to have the capacity of the entire disk under acquisition -cannot read minor errors or correct corrupted data no tools or anything to help analyze the data

____ refers to the number of bits in one square inch of a disk platter.

Areal density

____ images store graphics information as grids of pixels.

Bitmap

The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidenc

Computer Analysis and Response Team (CART)

____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.

Data recovery

The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____.

Data runs

The most common and flexible data-acquisition method is ____.

Disk-to-image file copy

When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____.

EFS

Most digital photographs are stored in the ____ format.

EXIF

What are some of the most common types of private-sector computer crime?

Espionage, Using company resources for personal use, Using the network for inappropriate use, Sabotage

The early standard Linux file system was ____.

Ext2

How are disk clusters numbered by Microsoft file structures (Please specify the differences in FAT and NTFS structures)?

FAT is a more primitive form of storing disk cluster numbers, it was designed for floppy disks. The information is stored in a table, storing time of access, date, information and etc. However, NTFS provided a more efficient means as it improved on the FAT. It can hold more information fields like security and etc. Also, it has smaller cluster sizes so that more data can be stored more efficiently.In NTFS, starting at 0 Address; in FAT, starting at 2 Address

Computer investigations and forensics fall into the same category: public investigations.

False

If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available.

False

Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.

False

The first 5 bytes (characters) for all MFT records are FILE.

False

The law of search and seizure protects the rights of all people, excluding people suspected of crimes.

False

Windows OSs do not have a kernel.

False

What are some of the components of a disk drive?

Geometry-logical make-up of disk Header-read/write IO Tracks-stores data Cylinders -two or more columns tracks Sectors-collection of cylinders and tracks

Briefly describe the differences between hard links and soft links in Linux systems.

Hard links are where a direct link created for another file on the same drive. It is an exact replica of the file and is created with the command "ln". It is a link that when accessed, goes directly to that file on the same drive. A soft link is where a symbolic link is created to access another file on a completely different partition/drive. This isn't an "exact replica" but more of a pointer to where that file is stored and this can be across different drives, unlike a hard link.In addition, each symbolic link has an inode of their own while in hard links, multiple files point the same inode.

Explain the use of hash algorithms to verify the integrity of lossless compressed data.

Hash algorithms translate the text into a hash language like md5 or sha1. How it can verify data is that whenever a change occurs within the file whether it be deletion, modification, or access the hash algorithm will change. Any difference between the two hashes of different times can show that there has been some form of manipulation or change to the data.

By the early 1990s, the ____ introduced training on software for forensics investigations.

IACIS

____ contain file and directory metadata and provide a mechanism for linking data stored in data blocks.

Inodes

Linux ISO images that can be burned to a CD or DVD are referred to as ____.

Linux Live CDs

Explain the relation between allocation blocks and logical block on a Mac OS file system.

Logical block is defined based on a size of block (cannot exceed 512 bytes) while Allocation block is a set of consecutive logical blocks to store one file.

What are logical cluster numbers (LCNs)?

Logical cluster numbers are when the data is all stored physically in that location. It acts as a resident-type file. All data is available and present, unlike VCNs where it points to another location on the partition where it is stored.

Autopsy uses ____ to validate an image.

MD5

On an NTFS disk, immediately after the Partition Boot Sector is the ____.

MFT

On older Mac OSs all information about the volume is stored in the ____.

Master Directory Block (MDB)

What are the four factors that affect the quality of image?

Number of pixels Screen resolution Graphics card Software

If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.

Sparse

What is a bad block inode on Linux?

The bad block inode keeps track of space that is unavailable. Whether it is corrupted or filled or marked as unusable, the bad block inode keeps track of where data cannot be stored and what blocks cannot be filled/used.

What are the functions of the superblock on a UNIX or Linux file system?

The superblock is in charge of the geometry of the spaces on the disk. It manages the data allocation of where the information is stored. It pushed the information out of the "outer ring" where there is space to utilize storag

A separate manual validation is recommended for all raw acquisitions at the time of analysis.

True

After a judge approves and signs a search warrant, it is ready to be executed, meaning you can collect evidence as defined by the warrant.

True

Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.

True

Before OS X, the Hierarchical File System (HFS) was used, in which files are stored in directories (folders) that can be nested in other directories.

True

Bitmap images are collections of dots, or pixels, in a grid format that form a graphic.

True

By the 1970s, electronic crimes were increasing, especially in the financial sector.

True

Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.

True

If a file contains information, it always occupies at least one allocation block.

True

If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.

True

In Autopsy and many other forensics tools raw format image files don't contain metadata.

True

In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.

True

It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.

True

Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.

True

The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.

True

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.

True

The pipe (|) character redirects the output of the command preceding it.

True

The type of file system an OS uses determines how data is stored on the disk.

True

To be a successful computer forensics investigator, you must be familiar with more than one computing platform.

True

What are virtual cluster numbers (VCNs)?

VCNs act as a pointer to where the cluster/data is stored. Unlike LCNs, the information is non-resident and not physically present. The VCN has an address that points to where in the partition that file/data information is stored.VCNS are for nonresident files only

____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.

Vector graphics

With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.

Volume Bitmap

Briefly describe the triad that makes up computer security.

Vulnerability/Threat Assessment and Risk management, Network Intrusion Detection and Incident Response, Digital Forensics

In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.

affidavit

Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.

allegation

In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations.

authorized requester

Recovering fragments of a file is called ____.

carving

A ____ is a column of tracks on two or more disk platters.

cylinder

The ____ is where directories and files are stored on a disk drive.

data block

The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.

dd

The process of converting raw picture data to another format is referred to as ____.

demosaicing

On Mac OSs, the ____ stores any file information not in the MDB or Volume Control Block (VCB).

extents overflow file

You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512.

hash

In a files's inode, the first 10 pointers are called ____ pointers.

indirect

Published company policies provide a(n) ____ for a business to conduct internal investigations.

line of authority

Most remote acquisitions have to be done as ____ acquisitions.

live

In macOS, volumes have allocation blocks and ____ blocks.

logical

____ compression compresses data by permanently discarding bits of information in the file.

lossy

______________ Used with .jpeg files to reduce file size and doesn't affect image quality when the file is restored and viewed

lossy compression

The ____ command displays pages from the online help manual for information on Linux commands and their options.

man

The information about the first data run that is stored in the MFT record is '32 B1 07 8C 8C 00' and the information about the second data run is '22 63 07 95 ED'. What is the LCN address of the second data run?

need to go over this, 31265

The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.

notarized

One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.

proprietary

In general, a criminal case follows three stages: the complaint, the investigation, and the ____.

prosecution

In older versions of macOS, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.

resource

Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.

sha1sum

A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.

virtual machine

A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.

warning banner

Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.

whole disk encryption


Ensembles d'études connexes

Chem Exam 2 Intext questions (ch 4-6)

View Set

Biology: Reporting Category 3- Biological Evolution and Classification Answers

View Set

Introduction to Health: Chapter 1, sec. 1-4

View Set

Body Mechanics and Mobility Aides

View Set

Environmental Science study Guide

View Set

Nursing Care of Children ATI Practice A

View Set