Computer Forensics 5-7 Quiz

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

List two features NTFS has that FAT does not.

Unicode characters, security, journaling.

Explain the differences in resource and data forks used in the Mac OS.

Both contain a file's resource map and header info, window locations, and icons. The data fork stores a files actual data, but the resource fork contains file metadata and application information.

List 3 items that are stored in the FAT database.

File and directory names, starting cluster numbers, file attributes, and date/time stamps.

EFS can encrypt which of the following?

Files, folders, and volumes.

What are hash values used for?

Filtering known good files from potentially suspicious data, and validating that the original data hasn't changed.

To recover a password on a Mac system, which tool do you use?

PRTK

The verification function does which of the following?

Proves that two sets of data are identical via hash values.

A log report in forensics tools does what?

Records an investigator's actions in examining a case.

What kind of information do device drivers contain?

Instructions for the OS on how to interface with hardware devices.

On a windows system, sectors typically contain how many bytes?

512 bytes

What is the space on a drive called when a file is deleted?

Unallocated space or Free space.

Hashing, filtering, and file header analysis make up which function of digital forensics tools?

Validation and verification.

What should you do when validating the results of a forensic analysis?

Calculate the hash values with two different tools.

What does CHS stand for?

Cylinders, Heads, Sectors

How does the Mac OS reduce file fragmentation?

By using clumps-groups of contiguous allocation blocks.

In FAT32, a 123 KB file uses how many sectors?

246 sectors.

How many sectors are typically in a cluster on a disk drive?

1

What does MFT stand for?

Master File Table.

Areal density

The number of bits per square inch of a disk platter.

List 3 sub functions of the extraction function.

data viewing, keyword searching, decompressing, carving, decrypting, and bookmarking.

What are the major improvements in the Linux Ext4 file system?

partitions greater than 16 GB, improved management of large files, flexible approach to adding file features.

What is the reconstruction function need for?

re-create a suspect drive to show what happened, create a copy of a drive for other investigators, re-create a drive compromised by malware.

In Linux, what is the home directory for the superuser?

root

Clusters in windows always begin with what number?

2

What's the advantage of write-blocking a device that connects to a computer through a FireWire or USB controller?

It enables you to remove and reconnect drives w/o having to shut down your workstation, which saves time in processing the evidence drive.

What is the main challenge in acquiring an image of a Mac system?

Macs are incompatible with most write-blockers and you need special tools to remove drives from a Mac system or open its case.

In windows 7 and later, how much data from RAM is loaded into RAM slack on a drive?

No data from RAM is copied to RAM slack on a disk drive.

Which of the following windows 8 files contains user-specific information?

Ntuser.dat

What describes the super-blocks function in the Linux file system?

Specifies the disk geometry and available space and manages the file system including configuration information.

According to ISO standard 27037, which of the following is an important factor in data acquisition?

The DEFR's competency and Use of Validated tools.

What happens when you copy an encrypted file from EFS-enabled NTFS disk to a non-EFS disk or folder?

The file is unencrypted automatically.

What is true of most drive-imaging tools?

They ensure that the original drive doesn't become corrupt and damage the digital evidence and they create a copy of the original drive.

What does the Ntuster.dat file contain?

This user-protected storage area contains the MRU files list and desktop configuration settings.

Why was EFI boot firmware developed?

To prove better protection against malware then BIOS does.

Virtual machines have which of the following limitations when running on a host computer?

Virtual machines are limited to the host computers peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.

Hard links are associated with which of the following?

a specific inode.


Ensembles d'études connexes

Chapter 3 People and Ideas on the move

View Set

physiology & anatomy chapter 9 practice exam

View Set

Accounting Chapter 11 Audit your Understanding

View Set

FINAL Chap 13 - Labor and Birth Process

View Set

ch 22 PP management/complications

View Set

EXAMPLES CFA Level 1, Section 1: Ethics & Standards

View Set

Unit 5: Worlds Entangled 1600-1750

View Set