Practice Test 2 (cyber forensics)
What is the minimum size of a block in UNIX/Linux filesystems?
512 Bytes
In general, what would a lightweight forensics workstation consist of?
A laptop computer built into a carrying case with a small selection of peripheral options
Magnet ____ enables you to acquire the forensic image and process it in the same step
AXIOM
A way data can be appended to an existing file (an NTFS feature)
Alternate Data Streams
The number of bits per square inch of a disk platter.
Areal Density
Sleuth Kit's Web browser interface
Autopsy
In the Linux file system, the inode that tracks bad sectors on a drive.
Bad Block Inode
A ____ contains programs that perform input and output at the hardware level.
Basic Input/Output System (BIOS)
System file where passwords may have been written temporarily
Pagefile.sys
The unused space between partitions
Partition Gap
A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____.
Portable Workstation
When using the Encrypting File System (EFS), the owner or user who encrypted the data holds the _____ key.
Private
The key used to decrypt a file.
Private Key
The key used to encrypt a file.
Public Key
A method NTFS uses so that a network administrator can recover encrypted files.
Recovery Certificate
The purpose of the ____ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key.
Recovery Certificate
All the documents are assembled and put together during the ____ phase to complete a forensics disk analysis and examination.
Reporting
In older versions of macOS, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.
Resource
Command-line disk acquisition tool from New Technologies, Inc.
SafeBack
A free Linux forensics tool
Sleuth Kit
Software forensics tools are grouped into command-line applications and GUI applications
True
T/F A volume can be all or part of the storage media for hard disks.
True
T/F After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
True
T/F Before OS X, the Hierarchical File System (HFS) was used, in which files are stored in directories (folders) that can be nested in other directories.
True
T/F If a graphics file has been renamed, a steg tool can identify the file format from the file header and indicate whether the file contains an image.
True
T/F In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.
True
T/F In a bitmap file, you can replace bits used for pixels and colors with hidden data.
True
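The bitmap item above states that pixel and colour bits can be replaced with hidden data. The following Python example, added to this study set and not part of it, shows the technique end to end: it generates a small 24-bit BMP in memory (constructed, not a real image), writes a message into the least significant bit of consecutive pixel bytes, and reads it back. The 4-byte length prefix and LSB-first bit order are this example's own conventions, not part of any standard.

```python
"""Hide data in the least significant bits of a 24-bit bitmap and get it
back. Added example for this study set: the cover image is generated in
memory, and the 4-byte length prefix and LSB-first bit order are this
example's own conventions, not part of any standard."""
import struct
from typing import List, Tuple


def make_bmp(width: int, height: int, pixels: List[Tuple[int, int, int]]) -> bytes:
    """Build a minimal 24-bit BMP (BGR order, rows padded to 4 bytes)."""
    row_bytes = (width * 3 + 3) & ~3
    body = bytearray()
    for row in range(height):
        for b, g, r in pixels[row * width:(row + 1) * width]:
            body += bytes((b, g, r))
        body += b"\0" * (row_bytes - width * 3)
    offset = 14 + 40
    file_header = b"BM" + struct.pack("<IHHI", offset + len(body), 0, 0, offset)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(body), 2835, 2835, 0, 0)
    return file_header + dib_header + bytes(body)


def pixel_offset(bmp: bytes) -> int:
    """The file header stores the start of the pixel array at byte 10."""
    return struct.unpack_from("<I", bmp, 10)[0]


def hide(bmp: bytes, secret: bytes) -> bytes:
    """Write len(secret) then secret, one bit per pixel byte, LSB-first."""
    payload = struct.pack("<I", len(secret)) + secret
    start = pixel_offset(bmp)
    if len(payload) * 8 > len(bmp) - start:
        raise ValueError("secret exceeds image capacity")
    out = bytearray(bmp)
    i = start
    for byte in payload:
        for bit in range(8):
            out[i] = (out[i] & 0xFE) | ((byte >> bit) & 1)  # touch only bit 0
            i += 1
    return bytes(out)


def _read_bits(bmp: bytes, start: int, count: int) -> Tuple[bytes, int]:
    """Reassemble count bytes from the LSBs starting at offset start."""
    out = bytearray()
    i = start
    for _ in range(count):
        v = 0
        for bit in range(8):
            v |= (bmp[i] & 1) << bit
            i += 1
        out.append(v)
    return bytes(out), i


def reveal(bmp: bytes) -> bytes:
    """Read back the length prefix, then that many hidden bytes."""
    length_raw, i = _read_bits(bmp, pixel_offset(bmp), 4)
    length = struct.unpack("<I", length_raw)[0]
    return _read_bits(bmp, i, length)[0]


def changed_bytes(a: bytes, b: bytes) -> int:
    """Headers are untouched and no byte moves by more than 1, so a steg
    detector must look at bit statistics rather than at visible damage."""
    return sum(1 for x, y in zip(a, b) if x != y)


# Constructed cover: a flat 16x8 image, so every pixel byte starts out even.
COVER = make_bmp(16, 8, [(10, 20, 30)] * 128)

if __name__ == "__main__":
    stego = hide(COVER, b"meet at dawn")
    print(reveal(stego), changed_bytes(COVER, stego), "bytes changed of", len(stego))
```

The stego file has the same size and the same 54-byte header as the cover, which is why file-level checks (size, format, header) do not reveal insertion; only a comparison with the original or a statistical test on the low bits does.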
T/F Most digital cameras produce digital photos in raw or EXIF format.
True
T/F Most graphics file formats, including GIF and JPEG, compress data to save disk space and reduce the file's transmission time.
True
T/F Steg tools can be used to detect, decode, and record hidden data, even in files that have been renamed to protect their contents.
True
T/F Steganography has been used to protect copyrighted material by inserting digital watermarks into a file.
True
T/F The U.S. Copyright Office Web site defines precisely how copyright laws pertain to graphics.
True
T/F The pipe (|) character redirects the output of the command preceding it to the input of the command that follows it.
True
T/F When data is deleted on a hard drive, only references to it are removed, which leaves the original data on unallocated disk space.
True
T/F When maintaining a computer forensics lab, it is important to create a software library containing older versions of forensics utilities, OS, and other programs.
True
T/F When you save a bitmap or raster file, the resolution and color might change, depending on the colors in the original file and whether the file format supports these colors.
True
T/F With many computer forensics tools, you can open files with external viewers.
True
T/F You repair damaged headers by comparing the hexadecimal values of known graphics file formats to the pattern of the damaged file header.
True
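Two items above (identifying a renamed graphics file from its header, and repairing a damaged header by comparing hexadecimal values against known formats) describe the same mechanism. The Python below is an added example, not part of this study set: the signature table is the standard set of magic numbers, the sample headers are constructed, and the "at most a third of the signature bytes damaged" threshold is a chosen heuristic.

```python
"""Identify graphics files by their header bytes and repair a damaged
header by comparing it with the known signatures. Added example for this
study set; the signature table is standard, the sample headers below are
constructed, and the mismatch threshold is a chosen heuristic."""
from typing import Optional, Tuple

# Magic numbers at offset 0 for common graphics formats.
SIGNATURES = {
    "JPEG": bytes.fromhex("FFD8FF"),
    "PNG": bytes.fromhex("89504E470D0A1A0A"),
    "GIF": b"GIF8",          # GIF87a or GIF89a
    "BMP": b"BM",
}


def identify(data: bytes) -> Optional[str]:
    """Exact match on the leading bytes; the file name plays no part."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def mismatches(data: bytes, sig: bytes) -> int:
    """Count header bytes that differ from the signature, byte by byte."""
    head = data[:len(sig)]
    bad = sum(1 for a, b in zip(head, sig) if a != b)
    return bad + (len(sig) - len(head))     # missing bytes count as wrong


def closest_signature(data: bytes) -> Optional[str]:
    """Nearest known signature, accepting at most a third of its bytes damaged."""
    best = None
    for name, sig in SIGNATURES.items():
        bad = mismatches(data, sig)
        if bad <= len(sig) // 3 and (best is None or bad < best[0]):
            best = (bad, name)
    return best[1] if best else None


def repair_header(data: bytes) -> Optional[Tuple[str, bytes]]:
    """Overwrite the damaged leading bytes with the closest known signature."""
    name = closest_signature(data)
    if name is None:
        return None
    sig = SIGNATURES[name]
    return name, sig + data[len(sig):]


# Constructed samples: a JPEG renamed to .txt, and a PNG whose first byte
# (0x89) was overwritten with 0x00.
RENAMED_JPEG = bytes.fromhex("FFD8FFE000104A46494600")
DAMAGED_PNG = bytes.fromhex("00504E470D0A1A0A0000000D49484452")

if __name__ == "__main__":
    print("notes.txt ->", identify(RENAMED_JPEG))
    print("photo.png ->", identify(DAMAGED_PNG), "repaired as", repair_header(DAMAGED_PNG))
```

A repaired header only makes the file parseable again; the bytes after the signature (dimensions, colour depth, chunk lengths) still have to be checked against the format's layout before the image is trusted as evidence.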
Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0 and 3.0, SATA, PATA, and SCSI controllers.
USB
NTFS uses the ___ data format.
Unicode
____ is a core Win32 subsystem DLL file
User32.dll
_____________ proves that two sets of data are identical by calculating hash values or using another similar method.
Verification
With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
Volume Bitmap
A password used to access special accounts or programs requiring a high level of security.
One-time passphrase
Software-enabled write-blocker
PDBlock
The space between tracks on a disk.
Track Density
When the hard link count drops to ____, the file is effectively deleted.
0
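The hard link count item above, together with the earlier point that deleting a file removes only references to it, is easiest to see by watching the count change. The Python below is an added example, not part of this study set; the file names and contents are constructed in a temporary directory and the behaviour shown is Linux/macOS semantics.

```python
"""Why deleting a name does not delete data: a file is released only when its
hard link count reaches 0, and an open descriptor keeps even a 0-link file
readable. Added example for this study set; names and contents are
constructed in a temporary directory (Linux/macOS semantics)."""
import os
import tempfile
from typing import Any, Dict

CONTENT = b"suspect logged in at 03:14"   # constructed sample data


def link_count_walkthrough() -> Dict[str, Any]:
    """Create a file, add a hard link, delete names one at a time, and record
    the link count and readability at each step."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.log")
        alias = os.path.join(d, "alias.log")
        with open(original, "wb") as f:
            f.write(CONTENT)
        os.link(original, alias)                       # second name, same inode
        result = {
            "inode_shared": os.stat(original).st_ino == os.stat(alias).st_ino,
            "links_after_link": os.stat(original).st_nlink,      # 2
        }
        os.unlink(original)                            # "delete" the original name
        result["links_after_unlink"] = os.stat(alias).st_nlink    # 1: data still reachable
        with open(alias, "rb") as f:
            result["readable_via_alias"] = f.read()
        fd = os.open(alias, os.O_RDONLY)               # hold the inode open
        os.unlink(alias)                               # last name gone: count is 0
        result["links_with_no_names"] = os.fstat(fd).st_nlink     # 0
        result["readable_via_fd"] = os.read(fd, 64)    # blocks not yet reused
        os.close(fd)
        result["name_exists"] = os.path.exists(alias)
    return result


if __name__ == "__main__":
    for key, value in link_count_walkthrough().items():
        print(f"{key}: {value!r}")
```

The last two steps matter in incident response: a process that still holds a deleted file open (a log a tool tried to wipe, a running malware binary) keeps the inode and its blocks alive, and the content is recoverable through that descriptor until the process closes it.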
In the NTFS MFT, all files and folders are stored in separate records of _____ bytes each.
1024
In Linux most system configuration files are stored in the ____ directory.
/etc
In Linux, most applications and commands are in the ____ directory or its subdirectories bin and sbin.
/usr
What type of block does a UNIX/Linux computer only have one of?
Boot block
A key and its contents, including subkeys, make up a _____ in the Registry.
Branch
An inode containing more detailed information.
Continuation Inode
A ____ is a column of tracks on two or more disk platters.
Cylinder
The raw data format, typically created with the Linux ____ command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive.
dd
In macOS, the ____ fork typically contains data the user creates.
Data
The process of converting raw picture data to another format is called
Demosaicing
The simplest method of duplicating a disk drive is using a tool that makes a direct ____ copy from the suspect disk to the target location.
Disk-to-image
The early standard Linux file system was ____.
Ext2
On Mac OSs, the ____ stores any file information not in the MDB or Volume Control Block (VCB).
Extents Overflow File
T/F The first 5 bytes (characters) for all MFT records are FILE.
False
Each MFT record starts with a _____ identifying it as a resident or nonresident attribute.
Header
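The MFT items above (1024-byte records, a 4-byte "FILE" signature rather than 5, headers that mark an attribute resident or nonresident, and the logical cluster numbers a nonresident attribute points to) come together in a record parser. The Python below is an added example, not part of this study set: the record is constructed in memory rather than read from a real volume, and it exercises the update-sequence (fixup) check, a resident $DATA value, and a nonresident named $DATA stream (an alternate data stream) whose data run decodes to an LCN.

```python
"""Parse an NTFS MFT record: 1024-byte records, a 4-byte "FILE" signature,
update-sequence (fixup) repair, and attribute headers that say whether each
attribute is resident or nonresident. Added example for this study set; the
record is constructed in memory, not read from a real volume."""
import struct
from typing import Any, Dict, List, Tuple

RECORD_SIZE, SECTOR = 1024, 512
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}


def apply_fixups(rec: bytearray) -> None:
    """NTFS stamps the last 2 bytes of every sector with the update sequence
    number and keeps the originals in the record; restore them, and refuse a
    record whose sectors carry different numbers (a torn write)."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        tail = i * SECTOR - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[tail:tail + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]


def decode_runs(buf: bytes) -> List[Tuple[int, int]]:
    """Data runs -> [(LCN, cluster count)]; each offset is a signed delta."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        count = int.from_bytes(buf[pos:pos + len_sz], "little")
        pos += len_sz
        lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        runs.append((lcn, count))
    return runs


def parse_record(raw: bytes) -> Dict[str, Any]:
    """Walk the record header and every attribute header up to the end marker."""
    if len(raw) != RECORD_SIZE or raw[:4] != b"FILE":   # 4-byte signature
        raise ValueError("not a 1024-byte MFT FILE record")
    rec = bytearray(raw)
    apply_fixups(rec)
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    attrs, pos = [], first_attr
    while True:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF:                          # end-of-attributes marker
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, pos + 8)
        name = bytes(rec[pos + name_off:pos + name_off + 2 * name_len]).decode("utf-16-le")
        entry = {"type": ATTR_NAMES.get(atype, hex(atype)), "name": name,
                 "resident": nonres == 0}
        if nonres == 0:                                  # value lives in the record
            vlen, voff = struct.unpack_from("<IH", rec, pos + 0x10)
            entry["value"] = bytes(rec[pos + voff:pos + voff + vlen])
        else:                                            # value lives in clusters
            run_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            entry["runs"] = decode_runs(bytes(rec[pos + run_off:pos + alen]))
        attrs.append(entry)
        pos += alen
    return {"sequence": seq, "hard_links": links, "in_use": bool(flags & 1),
            "is_dir": bool(flags & 2), "attributes": attrs}


def build_sample_record() -> bytes:
    """Constructed record: a resident $DATA ("hello") plus a nonresident named
    $DATA stream (an alternate data stream) with one run at LCN 0x1234."""
    rec = bytearray(RECORD_SIZE)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)             # USA at 0x30: USN + 2 entries
    struct.pack_into("<HHHH", rec, 0x10, 1, 1, 0x38, 1)  # seq, links, first attr, in use
    struct.pack_into("<I", rec, 0x1C, RECORD_SIZE)
    pos, value = 0x38, b"hello"
    alen = (0x18 + len(value) + 7) & ~7
    struct.pack_into("<IIBBHHHIHBB", rec, pos, 0x80, alen, 0, 0, 0x18, 0, 1,
                     len(value), 0x18, 0, 0)
    rec[pos + 0x18:pos + 0x18 + len(value)] = value
    pos += alen
    name = "Zone.Identifier".encode("utf-16-le")
    run_off = (0x40 + len(name) + 7) & ~7
    runs = bytes([0x21, 0x01, 0x34, 0x12, 0x00])         # 1 cluster, LCN 0x1234
    alen = (run_off + len(runs) + 7) & ~7
    struct.pack_into("<IIBBHHHQQHHI", rec, pos, 0x80, alen, 1, len(name) // 2,
                     0x40, 0, 2, 0, 0, run_off, 0, 0)
    rec[pos + 0x40:pos + 0x40 + len(name)] = name
    rec[pos + run_off:pos + run_off + len(runs)] = runs
    pos += alen
    struct.pack_into("<I", rec, pos, 0xFFFFFFFF)
    struct.pack_into("<I", rec, 0x18, pos + 8)           # bytes used in record
    struct.pack_into("<H", rec, 0x30, 1)                 # USN = 1
    for i in (1, 2):                                     # save sector tails, then stamp
        tail = i * SECTOR - 2
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[tail:tail + 2]
        struct.pack_into("<H", rec, tail, 1)
    return bytes(rec)


if __name__ == "__main__":
    for attr in parse_record(build_sample_record())["attributes"]:
        print(attr)
```

Skipping the fixup step is a common parser bug: the last two bytes of each 512-byte sector of a raw record are the update sequence number, not data, so an attribute that spans a sector boundary is misread unless the saved bytes are put back first.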
The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.
ISO 5725
Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.
Image File
A key part of the Linux file system.
Inode
The first data after the superblock on a UNIX or Linux file system
Inode Blocks
______ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
Insertion
Linux distribution that contains several forensics tools
Kali Linux
Who is the current maintainer of the Linux kernel?
Linus Torvalds
Addresses that allow the MFT to link to nonresident files are known as ____.
Logical Cluster Numbers
________ compression is the method in which no data is lost.
Lossless
On older Mac OSs all information about the volume is stored in the ____.
Master Directory Block (MDB)
Forensics software should be validated against ____ standards to improve evidence admissibility in judicial proceedings.
NIST
Microsoft's move toward a journaling file system
NTFS
One of the first MS-DOS tools used for a computer investigation
Norton DiskEdit
With ____, Macintosh moved to the Intel processor and became UNIX based.
OS X
Commercial forensics tool for analyzing UNIX and Linux file systems
OSForensics
Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file's contents.
Testing, compressed
Describes how most manufacturers deal with a platter's inner tracks being shorter than its outer tracks
Zoned Bit Recording