Forensic - Exam2


You are working on a business impact analysis. You are calculating the single loss expectancy (SLE) for a laptop computer. The laptop cost $2,500, which is its asset value (AV). You determined its exposure factor (EF) is 25%. What is the SLE?

$625

The Linux ________ file is where the boot-up process and operation are set. It contains entries such as label, run_level, process, and boot.

/etc/inittab

The __________ directory in Linux is not really stored on the hard disk. It is created in memory and keeps information about currently running processes.

/proc

You are investigating a criminal case. The suspect has been accused of stealing crucial industry data from his workplace after being fired. His Apple computer has been brought to you to see if the stolen data may have been transferred onto the machine. Which log directory is the most critical and should be reviewed first?

/var/log

If you need to know what documents have been printed from a Macintosh, the __________ folder can give you that information.

/var/spool/cups

You need to review the swap file on an Apple computer. Where is the swap file located?

/var/vm

A business impact analysis indicates an organization cannot operate without its web server for more than 5 days and still recover. The mean time to repair is 3 days. How many days do you have after a disaster to initiate repairs or the organization will not be able to recover?

2

The process whereby a disaster recovery team contemplates likely disasters and the impact each would have on an organization is called:

A business impact analysis

What is the best definition of "dump" in terms of computer memory?

A complete copy of every bit of memory or cache recorded in permanent storage or printed on paper

A ________ is a plan for returning the business to full normal operations.

A disaster recovery plan (DRP)

Within the HFS+ file system, what allows you to have multiple references to a single file or directory?

Aliases

NIST Special Publication 800-61 considers denial of service as:

An attacker crafting packets to cause networks and/or computers to crash.

If a hard disk is damaged and the data is deemed "lost," what is the recommended next step?

Attempt a local repair

Steven is a forensic examiner. He is interested in examining the pictures across all user profiles to look for evidence of malicious activity. Where should he begin his search for these files?

C:\Users

______ is the basic repair tool in Windows.

Chkdsk

__________ is a common method for scoring system vulnerabilities.

Common Vulnerability Scoring System (CVSS)

Which Linux graphical user interface is most widely used and can be found in Fedora, Debian, and other Linux distributions?

GNOME 3

What is a modern and widely used Linux boot loader?

GRUB

The Windows Registry is organized into five sections referred to as __________, each of which contains specific information.

Hives

You are the infrastructure manager for your company's IT department. You are preparing to add forensics to your incident response policies. Which is the absolute first step you must take?

Identify forensics resources

Jennifer sends a threatening email to Rachel, a classmate, to bully her. What type of computer security incident is being described?

Inappropriate usage

Many different kinds of computer disasters can disrupt normal operations for an organization's systems. What type of disaster is most likely to require a computer forensic expert?

Intrusion

A(n) ________ monitors network traffic, looking for suspicious activity.

Intrusion detection system (IDS)

You are a server technician for your organization. You are creating a backup routine for your server systems. You are considering hierarchical storage management (HSM) rather than traditional tape media. What is an advantage of HSM?

It has far more storage capacity than traditional tape media.

__________ is the process whereby the file system keeps a record of what file transactions take place so that in the event of a hard drive crash, the files can be recovered.

Journaling

A Mac OS user moves 12 critical files to their Trash folder and then empties the Trash folder. How can you recover these files for analysis?

Leverage third-party software to recover the files

Which operating system commonly uses the Ext file system?

Linux

The ________ and the ________ are the two NTFS files of most interest to forensics efforts.

Master File Table (MFT), cluster bitmap

The amount of time a system can be down before it is impossible for an organization to recover is addressed by:

Maximum tolerable downtime (MTD)

Company AtoZ hosts an e-commerce server with a large hard drive. The manufacturer claims the drive is guaranteed to perform properly for 100,000 hours. What is this measure most closely related to?

Mean time to failure (MTTF)

What is the definition of "stack (S)"?

Memory that is allocated based on last-in, first-out (LIFO) principle

When performing a manual recovery on a Linux system, what is the first step to recovering manually deleted files?

Move the system to single-user mode.

________ is the preferred file system of Windows 2000 and later operating systems.

NTFS

Miriam is a forensic investigator. She assisted in an investigation of a computer incident for a company that processes payment card information. She is writing the report on the breach and has been informed that all companies that process payment card data must issue a report if a breach violates which of the following?

PCI DSS

As applications are processing commands and data on a machine, they are in a constant state of change. This creates a problem when attempting to perform live system forensics in which data is not acquired at a unified moment. The collected data may have problems with which of the following?

Data consistency

______ is the basic repair tool in Mac OS.

Disk Utility

A suspect has erased their browsing history on their computer. The computer has Microsoft Internet Explorer installed. The forensic investigator must retrieve recently visited web addresses and recently opened files. What should the investigator do?

Download a tool that allows for retrieval and review of the index.dat file

Which Linux shell command lists various partitions?

fdisk

The Windows __________ log contains successful and unsuccessful logon events.

Security

The _________ file is responsible for managing services on a Windows computer.

Smss.exe

Marty is investigating the computer of a cyberstalking suspect. He wanted to check the suspect's browsing history in Microsoft Internet Explorer, but it had already been erased. Where else can he look on the computer for browsing history information?

The index.dat file

In a Linux directory, what circumstance must occur for a file to be deleted?

The inode link count must reach zero.

There are two boot loaders in Linux. Which boot loader or portion of a boot loader displays the splash screen when loaded into random access memory (RAM)?

The second-stage boot loader

In a business impact analysis, which of the following best describes the recovery time objective (RTO)?

The target time to have a down system back up and running.

You are a Linux forensic investigator. You suspect that one of the hard disks in a server has been compromised by a malicious actor. You attempt to use some common forensic methods during your examination but they are not successful. You consider using the fsck command but hesitate. Why?

The use of a file system utility could erase some data and lose evidence

You are attempting to recover deleted files from a storage device. The device's operating system uses the FAT32 file system. What is the most important advantage you have when attempting to recover specific deleted files?

Time; files that were deleted relatively recently are more likely to be recovered

What is the purpose of overwriting data on a hard disk with random characters seven times?

To forensically scrub a file or folder

A __________ is a software program that appears to be a physical computer and executes programs as if it were a physical computer.

Virtual machine

Carl is beginning a digital forensic investigation. He has been sent into the field to collect a machine. When he arrives, he sees that the computer is running Windows and has open applications. He decides to preserve as much data as possible by capturing data in memory. What should Carl perform?

Volatile memory analysis

A common approach for manually managed backups is the Grandfather-Father-Son scheme. Consider a server using traditional tape backup that is backed up daily. At the end of the week, a weekly backup is made. At the end of the month, there is a monthly backup made. Which of the following is not true of the Grandfather-Father-Son scheme?

Weekly backups are not reused, only sons and grandfathers.

You are successful in recovering data files from a damaged disk. You attempt to open a few files and receive a message that the files have been corrupted. What is the best approach to take to gain access to the data?

Perform file carving

Priyanka is a forensic investigator. She is at an office where a Macintosh computer was used in a suspected crime. The computer is still running. Priyanka wants to image the disk before transporting the computer to the forensic lab. She also wants to avoid accidentally altering information on the computer's hard disk. What should she do first?

Put the computer in Target Disk Mode.

In a business impact analysis, which of the following refers to how much data will be lost in a computer disaster?

RPO

What is the Windows swap file used to augment?

Random access memory (RAM)

During the Linux boot process, during the kernel stage, the system switches the CPU from __________ to _____________.

Real mode, protected mode

Regarding incident response, what step involves restoring software and data from a backup source that has been verified to be free from malware infection?

Recovery

It is believed that a suspect has evidence in his possession in the form of image files. You have his Apple computer. Upon initial investigation, you do not find anything local on the machine. You suspect that he has uploaded the incriminating files to iCloud. How can you investigate if this has occurred?

Review the log files located at /Library/Mobile Documents

You are a forensic examiner. The logical structure of a hard disk that you are analyzing appears almost destroyed. You are not able to get the system to boot up despite your best efforts. You choose to perform a zero-knowledge analysis. Is this an appropriate choice for the next step?

Yes. Using this technique, the file system is rebuilt from scratch using knowledge of an undamaged file system structure. It should allow for data retrieval.

Which of the following is not true of file carving?

You can perform file carving on the NTFS and FAT32 file system but not Ext4

Which Linux shell command performs a textual comparison of two files and reports the difference between the two?

cmp

Stanley is a Linux administrator. He wants to copy a directory from one part of the system to another. He is going to issue the command in a shell. He wants the contents of the directory copied as well as the directory itself. What command must Stanley use?

cp -R

The Linux __________ shell command makes a physical image of what is live in memory.

dd

You are a Linux forensic investigator. You are running a series of advanced shell commands on what you believe is a compromised server. Which command do you use to list the contents of deleted disk blocks?

dls

You are a forensic specialist learning about the Linux operating system. As the system boots, messages display on the Linux boot screen. However, the messages scroll too quickly for you to read. What command can you use after the machine is completely booted to read the boot messages?

dmesg

Lin is a Linux administrator. She is performing routine maintenance on a server. She wants to view various disk partitions to see information such as the disk size, device, blocks, and file systems. Which command must Lin issue in the shell?

fdisk

A(n) __________ is a data structure in the Linux file system that stores all the information about a file except its name and actual data.

inode

In Mac OS, the __________ shell command lists the current device files that are in use.

ls /dev/disk?

Which Linux shell command lists all currently running processes (programs or daemons) that the user has started?

ps

Which Linux shell command deletes or removes a file?

rm

In FAT and NTFS file systems, a __________ is used to map files to specific clusters where they are stored on the disk.

table

In the __________ folder in Mac OS, you will find a subfolder named app profile. This contains lists of recently opened applications, as well as temporary data used by applications.

var/vm

If you type the __________ command at the Linux shell, you are asked for the root password. If you successfully supply it, you will then have root privileges.

su

In Mac OS, the __________ shell command returns information about the operating system.

system_profiler SPSoftwareDataType

In Mac OS, the __________ directory contains information about servers, network libraries, and network properties.

/Network

In Mac OS, the _________ directory contains information about mounted devices.

/Volumes

What is the definition of business continuity plan (BCP)?

A plan for maintaining minimal operations until the business can return to full normal operations

A symbolic link is ________ another file.

A pointer to

In the Linux boot process, the master boot record (MBR) loads a(n) __________ program, such as GRUB or LILO.

Boot loader

In Linux, as with Windows, the __________ is the first sector on any disk.

Boot sector

Paige is attempting to recover data from a failed hard disk. She removed the failed drive from the system on which it was installed and then connected it to a test system. She made the connection by simply connecting the data and power cables but did not actually install the failed drive. What step should she perform next?

Boot the test system from its own internal drive

Linux is often used on embedded systems, such as smartphones and medical equipment. In such cases, when the system is first powered on, loading the __________ is the first step.

Bootstrap environment

What was the original default shell for UNIX, first released in 1977?

Bourne shell

You are the infrastructure manager. You are performing a business impact analysis (BIA) to consider the cost of likely disasters and the impact on your organization. How do you calculate the single loss expectancy (SLE)?

By multiplying the asset value (AV) times the exposure factor (EF)

Someone has attempted to gain unauthorized access to data files on Robert's machine. He would like to investigate if any forensic evidence has been left behind. Of the following, where should Robert start his search?

Event Viewer Security log

Melissa is beginning an investigation of an older Apple computer. She wants to determine when the system volumes were created. What is the best way for her to approach discovering this data?

Examine the volume header in the third section (section 2) of the volume

The Windows Registry is organized into five sections. The __________ section contains those settings common to the entire machine, regardless of the individual user.

HKEY_LOCAL_MACHINE (HKLM)

The Windows Registry is organized into five sections. The __________ section is critical to forensic investigations. It has profiles for all the users, including their settings.

HKEY_USERS (HKU)

A hacker installed an application on a computer to recover deleted files, and then uninstalled the application to hide her tracks. Where would a forensic examiner most likely find evidence that the application was once installed?

HKLM\SOFTWARE

__________ is a Windows file that is an interface for hardware.

Hal.dll

Darien is performing analysis on an image of a seized machine. A power outage causes the computer to power off and back on again. When he attempts to boot up the machine to continue his work, the Windows operating system begins to initialize. However, it does not proceed past the loading screen. What type of damage is likely to have occurred?

Logical damage

_______ is the Windows program that handles security and logon policies.

Lsass.exe

When performing forensics on an Apple computer, what operating system are you the most likely to encounter?

Mac OS

You are a cybersecurity technician. A computer worm has used open file shares to infect hundreds of systems in your company. What is this an example of?

Malicious code

__________ is a storage controller device driver in Windows.

Ntbootdd.sys

On a Windows-based machine, which file is considered the core of the operating system?

Ntoskrnl.exe

Devaki is a new forensic investigator. She is examining a recently seized hard drive. She was told by the individuals who collected the device that the owner indicated that it did not work. Devaki notices some damage on the case of the hard drive, agrees that it likely does not work, and processes the disk as if it is "lost" or inaccessible. What mistake did Devaki make?

She should have fully evaluated the disk by leveraging multiple techniques to attempt to retrieve the data.

Consistency checking protects against:

Software bugs and storage hardware design compatibilities

What is the repository of all information on a Windows system?

The Windows Registry

You boot up a machine to start a forensic investigation. You get a message on screen indicating that the "Master Boot Record Cannot Be Found." What step of the boot process has failed?

The computer has failed to read the master boot record (MBR).

In Windows, what does the file allocation table (FAT) store?

The mapping between files and their cluster location on the hard drive
