ITN 276 chapter 10
In Mac OS X, the __________ shell command lists the current device files that are in use.
ls /dev/disk?
On a Macintosh, the __________ folder contains information about system and software updates.
/Library/Receipts
On a Macintosh, the __________ directory contains information about servers, network libraries, and network properties.
/Network
On a Macintosh, the __________ folder maintains the preferences of programs that have been deleted.
/Users/<user>/Library/Preferences/
On a Macintosh, the _________ directory contains information about mounted devices
/Volumes
On a Macintosh, the __________ directory is where configuration files are located.
/etc
If you need to know what documents have been printed from a Macintosh, the __________ folder can give you that information.
/var/spool/cups
In__________, Steve Wozniak and Steve Jobs finished the prototype of the first Apple computer.
1975
The Apple I had a built-in video terminal and sockets for __________ kilobytes of onboard random access memory (RAM
8
When Apple released the Macintosh in 1984, it had a __________ megahertz Motorola processor.
8
The _________ is used with any PowerPC-based Mac. Intel-based Macs can mount and use a drive formatted with this, but cannot boot from the device. PowerPC-based Macs can both mount and use a drive formatted with this, and can also use it as a start-up device
Apple Partition Map
ISO9660 is Macintosh specific.
False
Intel-based Macs cannot mount and use a drive formatted with the Apple Partition Map, but can boot from the device
False
NTFS is the preferred file system on Mac OS X.
False
On a Macintosh, the ls /dev/disk? command returns the hardware information for the host system.
False
The /Users/ directory folder maintains the preferences of programs that have been deleted.
False
The /Volumes directory contains all the user accounts and associated files.
False
The Macintosh /var/spool/cups folder contains information about system and software updates.
False
The __________ is used primarily with computers that have an Intel-based processor. It requires Mac OS X v10.4 or later.
GUID Partition Table
__________ is the process whereby the file system keeps a record of what file transactions take place so that in the event of a hard drive crash, the files can be recovered.
Journaling
The release of __________, was meant to be more in synch with the style of other Apple systems, such as iOS and WatchOS.
Mac OS X 10.7 in 2011, called Lion
The release of _____________, had over 300 new features, support for Intel x86 chips, and support for the new G3 processor.
Mac OS X v10.5 in 2007, called Leopard
Priyanka is a forensic investigator. She is at an office where a Macintosh computer was used in a suspected crime. The computer is still running. Priyanka wants to image the disk before transporting the computer to the forensic lab. She also wants to avoid accidentally altering information on the computer's hard disk. What should she do first?
Put the computer in Target Disk Mode.
Apple Computer's three founders were Steve Jobs, Steve Wozniak, and __________ .
Ronald Wayne
A volume in the HFS+ file system routinely defragments itself.
True
Disk quotas allow the administrator to limit the amount of disk space a given user can use.
True
In the HFS+ file system, aliases allow you to have multiple references to a single file or directory.
True
Journaling file systems in Mac OS X are fault tolerant because the file system logs all changes to files, directories, or file structures.
True
Mac OS X supports the FAT32 file system.
True
The /Library/Preferences/SystemConfiguration/dom.apple.preferences.plist file contains the network configuration data for each network card.
True
The Apple master boot record (MBR) contains a partition table, bootstrap code, and other information.
True
The HFS+ file system is an enhancement to HFS.
True
The HFS+ file system uses Unicode rather than ASCII.
True
The HFS+ file system uses aliases, which are like symbolic links.
True
The command prompt in Mac OS X is a Bash shell, so you can execute Linux commands.
True
When a file is deleted on an HFS or HFS+ volume, the references to the file are gone and the clusters may be used and overwritten.
True
You can use the ls and grep commands to search the virtual memory folder in Mac OS X.
True
In Mac OS X, the __________ shell command returns the hardware information for the host system. This provides information useful for the basic documentation of the system prior to beginning your forensic examination.
system_profiler SPHardwareDataType
In Mac OS X, the __________ shell command returns information about the operating system
system_profiler SPSoftwareDataType
On a Macintosh, in the __________ folder, you will find a subfolder named app profile. This contains lists of recently opened applications as well as temporary data used by applications.
var/vm