Computer Forensics Chapter 6
A symbolic link is an inode that links directly to a specific file.
False
An inode is a data structure in the Macintosh file system that stores all the information about a file except its name and its actual data.
False
Consistency checking analysis is usually much slower than zero-knowledge analysis.
False
Damage to how the data is stored, for example file system corruption, is the definition of physical damage.
False
Grep describes a data structure in the Linux file system that stores all the information about a file except its name and its actual data.
False
Logical damage control is a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification.
False
The term inode describes a popular Linux/UNIX search tool.
False
Two techniques are common for recovering data after physical damage: consistency checking and zero-knowledge analysis.
False
When a file is deleted, the data is removed from the drive.
False
With the consistency checking file system repair technique, the computer's file system is rebuilt from scratch using knowledge of an undamaged file system structure.
False
Hard drives that run __________ address blocks, or integer multiples of blocks, at a time.
Linux
Windows 2000 and newer operating systems' file systems utilize __________.
NTFS
A test system is a functional system compatible with the hard drive from which someone is trying to recover data.
True
A test system, simply put, is a compatible system that is functional.
True
An environment that has a controlled level of contamination from dust, microbes, and other particles is the definition of clean room.
True
Consistency checking means a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification.
True
Infinitely recursing directories and drives reporting negative free space remaining are symptoms of logical damage to a file system.
True
Just as with FAT systems, clusters in an NTFS system are more likely to be overwritten as more time elapses after deletion.
True
Logical damage is damage to how the data is stored, for example file system corruption.
True
Logical damage to a file system is more common than physical damage.
True
The term inode refers to a data structure in the file system that stores all the information about a file except its name and its actual data.
True
The term zero-knowledge analysis describes a technique for file system repair that involves recovering data from a damaged partition with limited knowledge of the file system.
True
The zero-knowledge analysis file system repair technique is usually much slower than consistency checking.
True
Turning off a computer while it is booting or shutting down can lead to logical damage of its file system.
True
Which of the following is the definition of inode?
a data structure in the file system that stores all the information about a file except its name and its actual data
What is grep?
a popular Linux/UNIX search tool
What is meant by zero-knowledge analysis?
a technique for file system repair that involves recovering data from a damaged partition with limited knowledge of the file system
An environment that has a controlled level of contamination, such as from dust, microbes, and other particles, is the definition of a __________.
clean room
The file allocation table is really a list of entries that map to each __________ on the disk partition.
cluster
There are two fundamental files that are part of NTFS that are of most interest. These are the Master File Table (MFT), and the __________.
cluster bitmap
What name is given to a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification?
consistency checking
Most operating systems provide a basic repair tool for their native file systems. Linux comes with:
fsck utility
A popular Linux/UNIX search tool is:
grep
The Linux/UNIX command __________ can be used to search for files, contents of files, and just about anything else.
grep
A(n) __________ is a data structure in the Linux file system that stores all the information about a file except its name and actual data.
inode
What term is used to describe a data structure in the file system that stores all the information about a file except its name and its actual data?
inode
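Worked example for the inode, symbolic link and "deleted data is not removed" cards above. This is an added illustration, not part of the original chapter: it creates a file, a hard link and a symbolic link in a scratch directory and uses stat() to show that the name lives in the directory, the metadata lives in the inode (shared by both hard-linked names), the symlink is a separate inode whose payload is a path, and unlinking every name leaves the data blocks readable for as long as something still holds the inode open. The file name "evidence.txt" and the sample content are constructed for the demo; it expects a Linux/UNIX file system that supports hard links.

```python
import os
import tempfile

CONTENT = b"file data lives in data blocks, not in the inode\n"  # constructed sample


def inode_facts():
    """Create a file, a hard link and a symlink in a scratch directory and
    return what stat()/lstat()/fstat() reveal about names, inodes and data."""
    facts = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "evidence.txt")
        hard = os.path.join(d, "hard.txt")
        sym = os.path.join(d, "sym.txt")
        with open(target, "wb") as f:
            f.write(CONTENT)
        os.link(target, hard)     # a second directory name for the SAME inode
        os.symlink(target, sym)   # a NEW inode whose stored data is the path string

        st = os.stat(target)
        facts["hard_link_same_inode"] = os.stat(hard).st_ino == st.st_ino
        facts["link_count"] = st.st_nlink                       # 2 names, 1 inode
        facts["symlink_own_inode"] = os.lstat(sym).st_ino != st.st_ino
        facts["symlink_follows_to_target"] = os.stat(sym).st_ino == st.st_ino
        facts["symlink_payload_is_path"] = os.readlink(sym) == target
        facts["inode_size"] = st.st_size   # size, mode, owner, times: in the inode; the name is not

        # Deleting names does not delete data: hold the inode open, remove
        # both names, and the blocks are still readable through the descriptor.
        with open(target, "rb") as fh:
            os.unlink(hard)
            os.unlink(target)
            facts["links_after_unlink"] = os.fstat(fh.fileno()).st_nlink   # 0
            facts["data_readable_after_unlink"] = fh.read() == CONTENT
        facts["name_gone"] = not os.path.exists(target)
    return facts


if __name__ == "__main__":
    for key, value in inode_facts().items():
        print(f"{key}: {value}")
```

On disk the same thing holds after the last reference is dropped: the inode and its blocks are only marked free, which is why forensic tools can still recover the content until those blocks are reused.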
In FAT and NTFS file systems, a __________ is used to map files to specific clusters where they are stored on the disk.
table
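Worked example for the cards on the file allocation table, deletion, cluster reuse and consistency checking. It is an added illustration, not from the chapter: a deliberately tiny FAT-style volume (a simplified model, not FAT12 on disk) with a cluster table, a data area and a root directory. Deleting a file does what real FAT does, namely flag the directory entry with 0xE5 and release the chain in the table, and nothing else, so an undelete can still read the clusters from the recorded start cluster and size until a later write reuses them. The fsck() method is a small consistency checker of the kind the cards describe: it walks every live chain and reports loops, chains that do not match the file size, cross-linked clusters and a free-cluster count that disagrees with what the directory claims. Cluster size, volume size and the file names A.TXT, B.TXT and C.TXT are constructed for the demo.

```python
CLUSTER = 4                # bytes per cluster; tiny so chains are easy to follow
N_CLUSTERS = 16            # toy volume; clusters 0 and 1 are reserved as in real FAT
FREE, EOC = 0x000, 0xFFF   # FAT12-style markers: 0 = free, 0xFFF = end of chain


class DirEntry:
    """Directory entry: 11-byte raw name, start cluster, size in bytes."""
    def __init__(self, name, start, size):
        self.name, self.start, self.size = name, start, size

    def deleted(self):
        return self.name[0] == 0xE5   # real FAT marks deletion with this first byte


class ToyFat:
    def __init__(self):
        self.fat = [FREE] * N_CLUSTERS
        self.fat[0] = self.fat[1] = EOC
        self.data = bytearray(CLUSTER * N_CLUSTERS)
        self.root = []

    @staticmethod
    def clusters_for(size):
        return max(1, -(-size // CLUSTER))   # ceil(size / CLUSTER), at least 1

    @staticmethod
    def slot(c):
        return slice(c * CLUSTER, (c + 1) * CLUSTER)

    def chain(self, start):
        """Follow the table from start. Returns (clusters, ok); ok is False when the
        chain runs into a free/reserved cluster or loops back on itself."""
        seen, c = [], start
        while c != EOC:
            if c < 2 or c >= N_CLUSTERS or c in seen:
                return seen, False
            seen.append(c)
            c = self.fat[c]
        return seen, True

    def write(self, name, payload):
        need = self.clusters_for(len(payload))
        free = [c for c in range(2, N_CLUSTERS) if self.fat[c] == FREE][:need]
        if len(free) < need:
            raise OSError("disk full")
        for i, c in enumerate(free):
            self.data[self.slot(c)] = payload[i * CLUSTER:(i + 1) * CLUSTER].ljust(CLUSTER, b"\0")
            self.fat[c] = free[i + 1] if i + 1 < need else EOC
        entry = DirEntry(name.encode().ljust(11)[:11], free[0], len(payload))
        self.root.append(entry)
        return entry

    def delete(self, entry):
        clusters, _ = self.chain(entry.start)
        for c in clusters:
            self.fat[c] = FREE                  # chain released in the table...
        entry.name = b"\xe5" + entry.name[1:]   # ...entry flagged deleted...
        # ...and self.data is never touched: the bytes stay in their clusters.

    def undelete(self, entry):
        """What an undelete tool does: the chain is gone, so assume the file was
        contiguous and read `size` bytes starting at the recorded start cluster."""
        clusters = range(entry.start, entry.start + self.clusters_for(entry.size))
        return b"".join(self.data[self.slot(c)] for c in clusters)[:entry.size]

    def fsck(self):
        """Consistency check against the model's own rules."""
        problems, owner = [], {}
        for e in self.root:
            if e.deleted():
                continue
            clusters, ok = self.chain(e.start)
            if not ok:
                problems.append(f"{e.name!r}: chain broken or loops after {clusters}")
            elif len(clusters) != self.clusters_for(e.size):
                problems.append(f"{e.name!r}: {len(clusters)} clusters for {e.size} bytes")
            for c in clusters:
                if c in owner:
                    problems.append(f"cluster {c} cross-linked: {owner[c]!r} and {e.name!r}")
                owner[c] = e.name
        marked_free = sum(1 for c in range(2, N_CLUSTERS) if self.fat[c] == FREE)
        really_free = sum(1 for c in range(2, N_CLUSTERS) if c not in owner)
        if marked_free != really_free:
            problems.append(f"FAT says {marked_free} free clusters, directory implies {really_free}")
        return problems


def demo():
    fs = ToyFat()
    a = fs.write("A.TXT", b"A" * 9)        # clusters 2,3,4
    fs.write("B.TXT", b"B" * 5)            # clusters 5,6
    out = {"clean": fs.fsck()}             # no problems on a fresh volume
    fs.delete(a)
    out["after_delete"] = fs.undelete(a)   # A's bytes are still on disk
    fs.write("C.TXT", b"C" * 10)           # reuses 2,3,4: A is now overwritten
    out["after_reuse"] = fs.undelete(a)    # undelete yields C's bytes instead
    fs.fat[6] = 3                          # corruption: B's chain runs into C's clusters
    fs.fat[9] = EOC                        # corruption: allocated cluster nobody owns
    out["corrupt"] = fs.fsck()
    return out
```

Run demo(): "after_delete" returns the original nine A bytes, "after_reuse" returns C bytes, which is the point of the NTFS/FAT card about clusters becoming more likely to be overwritten as time passes; the "corrupt" list shows the four complaints a consistency checker raises for the cross-link and the orphaned cluster. A zero-knowledge tool, by contrast, would ignore this table entirely and reconstruct files from the data area using only what intact files look like.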
A technique for file system repair that involves recovering data from a damaged partition with limited knowledge of the file system is the definition of:
zero-knowledge analysis