Computer Forensics - Part 2
On a Linux computer, ____ contains group memberships for the local system.
/etc/group
____ contains configuration information for Sendmail, helping the investigator to determine where the log files reside.
/etc/sendmail.cf
Typically, UNIX installations are set to store logs in the ____ directory.
/var/log
When the hard link count drops to ____, the file is effectively deleted.
0
The abstract should be one or two paragraphs totaling about 150 to ____ words.
200
Drawing program that creates vector files
Adobe Illustrator
A written report is frequently a(n) ____ or a declaration.
Affidavit
____ images store graphics information as grids of pixels.
Bitmap
Where is the snapshot database created by Google Drive located in Windows?
C:\Users\username\AppData\Local\Google\Drive\user_default
Recovering fragments of a file is called ____.
Carving
____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.
Circular Logging
Process of coding of data from a larger form to a smaller form
Data Compression
The process of converting raw picture data to another format is referred to as ____.
Demosaicing
____ is a tool for viewing network traffic graphically.
Etherape
A search warrant can be used in any kind of case, either civil or criminal T/F?
False
Investigating smartphones and other mobile devices is a relatively easy task in digital forensics T/F?
False
____ components define the file system on UNIX/Linux.
Four
Gnome graphics editor
GIMP
With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or drive.
GUI
You use ____ to create, modify, and save bitmap, vector, and metafile graphics.
Graphics Editors
A disk editor tool
Hex Workshop
A written preliminary report is considered a ____ document because opposing counsel can demand discovery on it.
High-risk
The software that runs virtual machines is called a ____.
Hypervisor
The method for expressing an opinion is to have an attorney frame a ____ question based on available factual evidence.
Hypothetical
____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
Insertion
Graphics file format that uses lossy compression
JPEG
The JFIF ____ format has a hexadecimal value of FFD8 FFE0 in the first four bytes.
JPEG
Under copyright laws, computer programs may be registered as ____.
Literary Works
____ compression compresses data by permanently discarding bits of information in the file.
Lossy
Combinations of bitmap and vector images
Metafile Graphics
Most packet analyzer tools can read anything captured in ____ format.
PCAP
Graphics file format that uses lossless compression
PNG
____ are devices or software placed on a network to monitor traffic.
Packet Analyzers
____ recovery is becoming more common in digital forensic analysis.
Password
Short for "picture elements"
Pixels
Collection of pixels stored in rows to make images easy to print
Raster Image
Determines the amount of detail that is displayed
Resolution
To view Gmail Web e-mail headers, open the e-mail, click the down arrow next to the Reply circular arrow, and click ____.
Show Original
With cloud systems running in a virtual environment, ____ can give you valuable information before, during, and after an incident.
Snapshots
____ has been used to protect copyrighted material by inserting digital watermarks into a file.
Steganography
____ steganography replaces bits of the host file with other bits of data.
Substitution
The image format XIF is derived from the more common ____ file format.
TIF
The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03.
TIFF
Exchange logs information about changes to its data in a(n) ____ log.
Transaction
A challenge with using social media data in court is authenticating the author and the information T/F?
True
As with any research paper, write the report abstract last T/F?
True
Before OS X, the Hierarchical File System (HFS) was used, in which files are stored in directories (folders) that can be nested in other directories T/F?
True
Besides presenting facts, reports can communicate expert opinion T/F?
True
Bitmap images are collections of dots, or pixels, in a grid format that form a graphic T/F?
True
E-mail programs either save e-mail messages on the client computer or leave them on the server T/F?
True
Evidence artifacts vary depending on the social media channel and the device T/F?
True
Ext3 is a journaling version of Ext2 that has a built-in file recovery mechanism used after a crash T/F?
True
For digital investigators, tracking intranet e-mail is easier because accounts use standard names the administrator establishes T/F?
True
If a file contains information, it always occupies at least one allocation block T/F?
True
If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file T/F?
True
In 2010, both VMware and BlackBerry were thinking of developing type 2 hypervisors for mobile devices T/F?
True
In the United States, the Electronic Communications Privacy Act (ECPA) describes five mechanisms the government can use to get electronic information from a provider T/F?
True
Lawyers use services called deposition banks (libraries), which store examples of expert witnesses' previous testimony T/F?
True
Network logs record traffic in and out of a network T/F?
True
Private-sector cases, such as employee abuse investigations, might not specify limitations in recovering data T/F?
True
The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET) T/F?
True
The two major forms of steganography are insertion and substitution T/F?
True
Under copyright laws, maps and architectural plans may be registered as pictorial, graphic, and sculptural works T/F?
True
Virtual machines are now common for both personal and business use T/F?
True
You can send and receive e-mail in two environments: via the Internet or an intranet (an internal network) T/F?
True
____ hypervisors are typically, but not exclusively, loaded on servers or workstations with a lot of RAM and storage.
Type 1
____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
Vector Graphics
Which of the following is NOT a service level for the cloud?
Virtualization as a service
With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
Volume Bitmap
A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute).
Written report
If a report is long and complex, you should provide a(n) ____.
abstract
When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations.
copyright laws
A ____ is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities.
court order
In macOS, the ____ fork typically contains data the user creates.
data
One way to hide partitions is with the Windows disk partition utility, ____.
diskpart
You can use the ____ to help your attorney learn the terms and functions used in digital forensics.
examination plan
The ____ Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system.
filecache.dbx
Data ____ involves changing or manipulating a file to conceal information.
hiding
In a file's inode, the first 10 pointers are called ____ pointers.
indirect
The term ____ is often used when discussing Linux because technically, Linux is only the core of the OS.
kernel
A ____ is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed through the application's Web interface.
management plane
Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider?
seizure order
The Google Drive file ____ contains a detailed list of a user's cloud transactions.
sync_log.log