Test 2 (5-8)

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

In the Master File Table (MFT), the first _____ records are reserved for system files.

15

In general, forensics workstations can be divided into ____ categories.

3

____ components define the file system on UNIX.

4

A Mac file that organizes the directory hierarchy and file block mapping for File Manager.

B*-tree

A ____ contains programs that perform input and output at the hardware level.

Basic Input/Output System (BIOS)

The _____ file in a virtual machine contains hardware settings such as RAM, network configurations, and port settings.

Configuration

The majority of digital cameras use the ____ format to store digital pictures.

EXIF

​A file format the Japan Electronics and Informatuin Technology Industries Association (JEITA) developed as a standard for storing metadata in JPEG or TIF files.

Exchangeable Image File

___________ is a journaling version of Ext2fs that reduces file recovery time after a crash.

Ext3fs

____ is the most challenging of all tasks to master.

Extraction

A UNIX or Linux computer has two boot blocks, which are located on the main hard disk.

False

A portable workstation is a laptop computer built into a carrying case with a small selection of peripheral options.

False

Both the resource fork and the data fork contain essential information, such as filename, file size, and date modified, for each file.

False

Directory file structures in Mac have made major changes with each new OS update.

False

For older HFS-formatted drives, the last two logical blocks, 0 and 1, on the volume (or disk) are the boot blocks containing system startup instructions.

False

Imperceptible watermarks are usually an image, such as the copyright symbol or a company logo, layered on top of a photo.

False

Linux is a certified UNIX operating system.​

False

Metafile graphics are vector images with metadata.

False

Most graphics file formats, including GIF and JPEG, rarely compress data to save disk space or to reduce the file's transmission time.

False

Older Macintosh computers use the same type of BIOS firmware commonly found in PC-based systems.

False

Our human eye can see 8 bits of color.

False

Someone who wants to hide data can create hidden partitions or voids- large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.

False

The File Manager can have access to only the resource fork.

False

The General Public License (GPL) agreement stipulates that source code for hardware distributed under the GPL must be publicly available, and any works derived from GPL code must also be licensed under the GPL.

False

The biggest advantage of the raw file format is that it is proprietary.

False

The data fork contains additional information from the applications, such as menus, dialog boxes, icons, executable code, and controls.

False

The difference between lossless and lossy compression is the way data is represented before it has been uncompressed.

False

The insertion form of steganography replaces bits of the host file with other bits of data.

False

The reconstruction function is the recovery task in a computing investigation.

False

When you uncompress a graphics file that uses lossless compression, you lose information and the image quality is affected.

False

You must use older computer forensics tools to identify hidden partitions on most drives.

False

Mac OS utility that handles reading, writing, and storing data to physical media

File Manager

Mac tool that works with the OS to keep track of files and maintain users' desktops

Finder

Usually bridge devices between a drive and the forensic workstation.

Hardware write-blocker

The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.

ISO 5725

letters embedded near the beginning of all JPEG files

JFIF

A compression method where a large file can be compressed to take up less space and then uncompressed without any loss of information

Lossless compression

________ compression is the method where bits of information are permanently discarded, thereby reduces the image quality.

Lossy

A compression method that permanently discards bits of information in a file

Lossy compression

On older Mac systems, the location where all volume information is stored.

Master Directory Block

The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.

NSRL

Less common graphics file formats, including proprietary formats, newer formats, formats that most image viewers don't recognize, and old or obsolete formats

Nonstandard graphic files

​Less common graphic file formats, including proprietary formats, newer formats, formats that most image viewers don't recognize, and old or obsolete formats.

Nonstandard graphic files

What tool below was written for MS-DOS and was commonly used for manual digital investigations?​

Norton DiskEdit

____ controls the microprocessor after hardware initialization and diagnostics take place before control is passed to the OS.

Open Firmware

a direct copy of a disk drive

Raw data

This format maintains the best picture quality, but because of its proprietary format, not all image viewers can display it

Raw file format

The _____ is a database that stores hardware and software configuration information, network connections, user preferences, and setup information

Registry

A _____ is a Windows utility for viewing and modifying data in the Registry.

Registry Editor

European term for carving

Salvaging

A log report can be used to confirm the activities that were performed and the results that were found in the original analysis and examination.

True

A one-time passphrase generated by the key management function can be used to decrypt a whole encrypted drive.

True

All information about a volume is stored in the Master Directory Block (MDB) and written to the MDB when the volume is initialized.

True

Copyrightable works include literary works, pantomimes and choreographic works, and sound recordings.

True

Data streams can obscure valuable evidentiary data, intentionally or by coincidence.

True

For third-party compressed data, we need to uncompress it with the utility that created it.

True

Hidden partitions or voids are sometimes created to hide large data on a hard disk.

True

Hidden partitions or voids refer to large unused gaps between partitions on a disk drive.

True

If a graphics file has been renamed, a steg tools can identify the file format from the file header and indicate whether the file contains an image.

True

Image quality can be affected by the software package used to open the images.

True

In Mac OS 9 or earlier, a volume on a floppy disk is always the entire floppy.

True

In the NTFS MFT, all files and folders are stored in separate records of 1024 bytes each.

True

Logical copy of a disk partition can be acquired only via a live acquisition.

True

The data discrimination function can be improved by searching and comparing file headers instead of focusing on the extension of the file's name.

True

The images created by EnCase, FTK, or X-Ways Forensics have an Expert Witness .e01 extension.

True

Vector quantization is a form of lossy compression that uses complex algorithms to determine what data to discard based on vectors in the graphics file.

True

Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0,and SCSI controllers.

USB

Which of the following is not a valid configuration of Unicode?​

UTF-64

________ is a compression method that uses complex algorithms to determine what data to discard based on vectors in the graphics file.

Vector quantization

The FAT database contains all of the following information, EXCEPT _____.

a journal

The process of creating a duplicate image of a data disk is called the._____ phase.

acquisition

​Collection of dots, or pixels, in a grid format that form a graphic.

bitmap images

Storage allocation units composed of groups of sectors.

cluster

A column of tracks on two or more disk platters.

cylinder

One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex.

disk editor

​The results of keyword searches that contain the correct match but aren't relevant to the investigation.

false positives

You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.

graphics editors

All of the following are subfunctions in the extraction category, EXCEPT____.

hashing

Each HKEY contains folders referred to as a _____

hive

Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.

image file

In a B*-tree file system, what node stores link information to previous and next nodes?​

index node

The two major forms of steganography are __________ and substitution.

insertion

The ____ node contains actual file data.

leaf

Under copyright laws, computer programs may be registered as ____.

literary works

When using the Encrypting File System (EFS), the owner or user who encrypted the data holds the _____ key.

private

A section on a track, typically made up of 512 bytes.

sector

Concentric circles on a disk platter where data is stored.

track

All of the following are subfunctions in the acquisition category, EXCEPT____.

validation

The _____ file in a virtual machine contains the boot loader program, OS files, and users' data files.

virtual hard disk

Any storage media, such as floppy disk, a partition on a hard drive, the entire drive, or several drives.

volume

What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume?​

​$LogFile

In general, what would a lightweight forensics workstation consist of?​

​A laptop computer built into a carrying case with a small selection of peripheral options

What hex value is the standard indicator for jpeg graphics files?​

​FF D8

_______________ proves that two sets of data are identical by calculating hash values or using another similar method.​

​Verification

Addresses that allow the MFT to link to nonresident files are known as _______________.​

​logical cluster numbers


Ensembles d'études connexes

Lesson 6: What grade are you in?

View Set

AP Comparative Government - Iran

View Set

intro to matter - isabella sandoval

View Set

Combo with "unit 15" and 17 others

View Set

Chapter 20 - Energy and Its Applications

View Set

4. Financial statements and accounting

View Set

Chapter 34: The Immune System CONNECT

View Set

Physical Fitness : 3. CARDIOVASCULAR FITNESS

View Set