Quizzes
4. Which selection keeps track of a fragmented file in a FAT (not exFAT) file system? A. File Allocation Table B. Directory structure C. Volume boot record D. Master file table
A. File Allocation Table
Can information stored in the BIOS ever be changed? A. Yes B. No
A. Yes
1. What is the first consideration when responding to a scene? A. Your safety B. The safety of others C. The preservation of evidence D. Documentation
A. Your safety
When shutting down a computer, what information is typically lost?
All of the above
Which item/s would you take to an investigation of a home?
All of the above
Is the information stored on a computers RAM chip accessible after a proper shutdown? A. Yes B. No
B. No
Is the information stored on a computers ROM chip lost during a proper shutdown? A. Yes BIs the information stored on a computers ROM chip lost during a proper shutdown? A. Yes B. No
B. No
BCD
Boot configuration data
IDE, SCSI, and SATA are different types of interfaces describing what device? A. RAM chips B. Flash Memory C. CPUs D. Hard Drives
D. Hard Drives
Name the two (2) hidden areas that are typically on a hard drive explained in chapter 4.
DCO & HPA
What does FAT consist of?
Directory entries, file allocation tables
What are the 2 kind of security incidents
Examining computers used in committing a crime Examining computer targeted in a crime
What does FIM stand for?
Field Intelligence Model
Where is the partition table located? What info is in it?
In the master boot record.
NTFS and advantages
New Technology File System More robust Stronger Security Faster read, write and search capabilities Support for long file names
4th amendment
Protects against unlawful search and seizure
MBR
Reads VBR to find active partition and loads it into memory.
What is slack space
The space at the end of a logical file and the end of a cluster, or between clusters. Generally, this is unused space.
RAM is volatile digital evidence
True
Which type of cable do you use when performing a network acquisition?
crossover cable
What is a file system?
method of storing files and data that is retrievable.
What makes a partition active?
08 at sector 446
What is Fat 1 and FAT 2?
2 different file allocation tables, fat 1 starts after the reserved sectors, fat 2 is an exact duplicate of FAT 1
Each directory entry for FAT is ___ bytes long?
32
Max number of clusters supported by FAT
32,768 bytes
13. A directory entry in a FAT file system has a logical size of which of the following? A. 0 bytes B. 8 bytes C. 16 bytes D. One sector
A. 0 bytes
What is the BIOS? A. BIOS stands for the Basic Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and it's operating system B. BIOS stands for Bootstrap Initialization Operating System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and it's operating system C. BIOS stands for Boot-level Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and it's operating system D. BIOS stands for Boot Initialization Operating System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and it's operating system
A. BIOS stands for the Basic Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and it's operating system
The electrical pathway used to transport data from one computer component to another is called what? A. Bus B. RAM C. CMOS D. BIOS
A. Bus-(USB)
20. Which of the following is not true regarding the exFAT file system? A. Cluster allocation is tracked in the File Allocation Table (FAT). B. When a file is deleted, the corresponding entries in the File Allocation Table (FAT) are reset or zeroed out. C. Cluster allocation is tracked in an allocation bitmap. D. An entry in the FAT of 00 00 00 00 means that the FAT is not tracking allocation for this file.
A. Cluster allocation is tracked in the File Allocation Table (FAT).
What can you assume about a hard drive that is pinned as CS? A. Its an IDE drive B. Its a SATA drive C. Its an SCSI drive D. All of the above
A. Its an IDE drive
What is the purpose or function of a computer's ROM chip? A. Long-term or permanent storage of information and instructions B. Temporary storage area to run applications C. Permanent storage area for programs and files D. A portable storage device
A. Long-term or permanent storage of information and instructions
What is found at cylinder 0, Head 0, Sector 1, on the hard drive? A. Master Boot record B. Master file table C. Volume boot record D. Volume boot sector
A. Master Boot record
5. Generally speaking, if you encounter a computer running Windows 2008 Server, how should you take down the machine? A. Shut down using its operating system. B. Shut down by pulling the power cord from the outlet. C. Shut down by pulling the plug from the computer box. D. All of the above.
A. Shut down using its operating system.
6. Generally speaking, if you encounter a Unix/Linux machine, how should you take down the machine? A. Shut down using its operating system. B. Shut down by pulling the power cord from the outlet. C. Shut down by pulling the plug from the computer box. D. All of the above.
A. Shut down using its operating system.
7. When unplugging a desktop computer, from where is it best to pull the plug? A. The back of the computer B. The wall outlet C. A or B
A. The back of the computer
17. What three things occur when a file is created in a FAT32 file system? A. The directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file's data is filled in to the assigned clusters. B. The filename is entered in to the FAT, the directory structure assigns the number of clusters, and the file's data is filled in to the assigned clusters. C. The directory entry for the file is created, the number of clusters is assigned by the directory structure, and the file's data is filled in to the FAT. D. The directory structure maintains the amount of clusters needed, the filename is recorded in the FAT, and the file's data is filled in to the assigned clusters.
A. The directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file's data is filled in to the assigned clusters.
Information contained in RAM memory (system's main memory), which is located on the motherboard, is _________ A. volatile B. Nonvolatile
A. volatile
5 rules of evidence
Admissible-collected in accordance with laws and regulations Authentic-without the possibility of tampering Complete- Reliable-must not cast any doubt of authenticity Believable-understandable by a jury and judge
What are directory entries?
An entry for every file and directory within a partition. 32 bytes long regardeless of what version of FAT is used. Entry will state the name of file, starting cluster, length, other metadata.
On a FAT file system, FAT is defined as which of the following? A. a table consisting of master boot record and logical partitions B. A table created during the format that the operating system reads to locate data on a drive C. A table consisting of filenames and file attributes D. A table consisting of filenames, deleted filenames, and other attributes
B. A table created during the format that the operating system reads to locate data on a drive
What is the main component of a computer to which essential internal devices such as CPU, memory chips, and other chipsets are attached? A. BIOS B. Motherboard C. Expansion Card D. Processor
B. Motherboard
15. By default, what color does EnCase use to display directory entries within a directory structure? A. Black B. Red C. Gray D. Yellow
B. Red
12. A file's physical size is which of the following? A. Always greater than the file's logical size B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster C. Both A and B D. None of the above
B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster
10. How many copies of the FAT does each FAT32 volume maintain in its default configuration? A. One B. Two C. Three D. Four
B. Two
What is the first sector on a volume called? A. File allocation table B. Volume boot record or sector C. Master boot record D. Volume boot device
B. Volume boot record or sector
The smallest area on a drive that data can be written to is a _____________, while the smallest area on a drive that a file can be written to is a _________________. A. bit and byte B. sector and cluster C. volume and drive D. memory and disk
B. sector and cluster
What is the maximum number of drive letters assigned to hard drive(s) partitions on a system? A. 4 B. 16 C. 24 D. Infinity
C. 24
What is the definition of a CPU? A. The physical computer case that contains all its internal components B. The computer's internal hard drive C. A part of the computer whose function is to perform data processing D. A part of the computer that stores and manages memory
C. A part of the computer whose function is to perform data processing
Which is not considered exclusively and output device? A. Monitor B. Printer C. CD-RW drive D. Speaker
C. CD-RW drive
19. What does EnCase do when a deleted file's starting cluster number is assigned to another file? A. EnCase reads the entire existing data as belonging to the deleted file. B. EnCase reads the amount of data only from the existing file that is associated with the deleted file. C. EnCase marks the deleted file as being overwritten. D. EnCase does not display a deleted filename when the data has been overwritten.
C. EnCase marks the deleted file as being overwritten.
18. How does EnCase recover a deleted file in a FAT file system? A. It reads the deleted filename in the FAT and searches for the file by its starting cluster number and logical size. B. It reads the deleted filename in the directory entry and searches for the corresponding filename in unallocated clusters. C. It obtains the deleted file's starting cluster number and size from the directory entry to obtain the data's starting location and number of clusters required. D. It obtains the deleted file's starting cluster number and size from the FAT to locate the starting location and amount of clusters needed.
C. It obtains the deleted file's starting cluster number and size from the directory entry to obtain the data's starting location and number of clusters required.
What do the terms master, slave, and cable select refer to? A. External SCSI devices B. Cable types for external hardware C. Jumper settings for internal hardware such as IDE hard drives and CD drives D. Jumper settings for internal expansion cards
C. Jumper settings for internal hardware such as IDE hard drives and CD drives
12. Which of the following is not acceptable for "bagging" a computer workstation? A. Large paper bag. B. Brown wrapping paper. C. Plastic garbage bag. D. Large antistatic plastic bag. E. All of the above are acceptable for bagging a workstation.
C. Plastic garbage bag.
4. Generally speaking, if you encounter a desktop computer running Windows 7, how should you take down the machine? A. Shut down using Windows 7. B. Shut down by pulling the power cord from the outlet. C. Shut down by pulling the plug from the computer box. D. All of the above.
C. Shut down by pulling the plug from the computer box.
9. Generally speaking, if you encounter a Macintosh computer, how should you take down the machine? A. Shut down using the operating system. B. Shut down by pulling the power cord from the outlet. C. Shut down by pulling the plug from the computer box. D. All of the above.
C. Shut down by pulling the plug from the computer box.
9. In a FAT file system, the FAT tracks the _____________ while the directory entry tracks the _____________ . A. The filename and file size B. The file's starting cluster and file's last cluster (EOF) C. The file's last cluster (EOF) and file's starting cluster D. The file size and file fragmentation
C. The file's last cluster (EOF) and file's starting cluster
What are ISO 9660, Joilete, UDF?
CD file systems
Computer Forensics vs Network Forensics
Computer Forensics-analyzing data from computer storage media to be used in court Network Forensics-uses log files to determine how users logged into a network, when, from what location
What is reserved area on a disk?
Consists of volume boot sector
8. How many clusters can a FAT32 file system manage? A. 2 × 32 = 64 clusters B. 232 = 4,294,967,296 clusters C. 2 × 28 = 56 clusters D. 228 = 268,435,456 clusters
D. 228 = 268,435,456 clusters
14. Each directory entry in a FAT file system is ____ bytes in length. A. 0 B. 8 C. 16 D. 32
D. 32
What is the definition of POST? A. A set of computer sequences the operating system executes upon a proper shutdown. B. A diagnostic test of the computer's hardware and software for presence and operability during the boot sequence prior to running the operating system C. A diagnostic test of the computer's software for presence and operability during the boot sequence prior to running the operating system D. A diagnostic test of the computer's hardware for presence and operability during the boot sequence prior to running the operating system
D. A diagnostic test of the computer's hardware for presence and operability during the boot sequence prior to running the operating system POWER ON SELF TEST
7. The NTFS file system does which of the following? A. Supports long filenames B. Compresses individual files and directories C. Supports large file sizes in excess of 4 GB D. All of the above
D. All of the above
3. Which of the following describes a partition table? A. It is located at cylinder 0, head 0, sector 1. B. Is located in the master boot record. C. It keeps track of the partitions on a hard drive. D. All of the above.
D. All of the above.
6. Which of the following is true about a volume boot record? A. It is always located at the first sector of its logical partition. B. It immediately follows the master boot record. C. It contains BIOS parameter block and volume boot code. D. Both A and C.
D. Both A and C.
8. What is the best method to shut down a notebook computer? A. Unplug from the back of the computer. B. Unplug from the wall. C. Remove the battery. D. Both A and C.
D. Both A and C.
11. Which of the following is not true regarding the NTFS file system? A. Data for very small files can be stored in the MFT itself and is referred to as resident data. B. Cluster allocation is tracked in the $Bitmap file. C. Data that is stored in clusters is called nonresident data. D. Cluster allocation is tracked in the File Allocation Table (FAT).
D. Cluster allocation is tracked in the File Allocation Table (FAT).
2. How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a FAT in a FAT file system? A. It does not affect the corresponding cluster number on a FAT; therefore, the rest of the sectors associated with the assigned cluster can still be written to. B. It does not affect the corresponding cluster number on a FAT; only the corrupted portion of the sector is prevented from being written to. C. It does affect the FAT. The corresponding cluster number is marked as bad; however, only the corrupted sector within the cluster is prevented from being written to. D. It does affect the FAT. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to.
D. It does affect the FAT. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to.
5. If the FAT, in a FAT file system, lists cluster number 2749 with a value of 0, what does this mean about this specific cluster? A. It is blank and contains no data. B. It is marked as bad and cannot be written to. C. It is allocated to a file. D. It is unallocated and is available to store data.
D. It is unallocated and is available to store data.
10. Which selection displays the incorrect method for shutting down a computer? A. DOS: Pull the plug. B. Windows 7: Pull the plug. C. Windows XP: Pull the plug. D. Linux: Pull the plug.
D. Linux: Pull the plug.
16. What is the area between the end of a file's logical size and the file's physical size called? A. Unused disk area B. Unallocated clusters C. Unallocated sectors D. Slack space
D. Slack space
Which of the following is incorrect? A. The MBR is typically written when the drive is partitioned with FDISK or DISKPART B. A file system or method of storing and retrieveing data on a computer system that allows for a hierarchy of directories, subdirectories, and files C. The VBR is typically written when the drive is high-level formatted with a utility such as format D. The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to 4 partitions using 4 bytes each to do so.
D. The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to 4 partitions using 4 bytes each to do so.
11. When shutting down a computer, what information is typically lost? A. Data in RAM memory B. Running processes C. Current network connections D. Current logged-in users E. All of the above
E. All of the above
3. What are some variables regarding items to be seized that you should consider prior to responding to a scene? A. Location(s) of computers B. Type of operating system C. Workstations or mainframes D. System-critical or auxiliary machine E. All of the above
E. All of the above
2. What are some variables regarding a facility that you should consider prior to responding to a scene? A. What type of structure is it? B. How large is the structure? C. What are the hours of operation? D. Is there a helpful person present to aid in your task? E. All of the above.
E. All of the above.
The size of a physical hard drive can be determined by which of the following? A. The cylinder x head x sector B. The cylinder x head x sector x 512 bytes C. The total LBA sectors x 512 bytes D. Adding the total size of patitions E. Both B and C
E. Both B and C
13. In which circumstance is pulling the plug to shut down a computer system considered the best practice? A. When the OS is Linux/Unix B. When the OS is Windows 7 and known to be running a large business database application C. When the OS is Windows (NT/2000/2003/2008) Server D. When Mac OS X Server is running as a web server E. None of the above
E. None of the above
What is one major difference between a FAT file system and an NTFS file system?
FAT is more secure
The VBR is read first, then the MBR, and then executes code and runs the OS
False-MBR is the main grouping that we look at. Inside the MBR is the VBR and tells you which partition to boot to. MBR is read first and then the VBR is read.
Fat 16
File Allocation Table-16 bit cluster addresses
Fat 32
File Allocation Table-32 bit cluster addresses Can become slow Drive size up to 8 terabytes w/ 32 kb clusters
Fat 12
File Allocation table-12 bit cluster addresses Designed for floppy diskettes file system
What are allocation units?
Groups of reserved sectors on a computer hard drive. Come in clusters, blocks, metadata, volume, partition. Clusters-512,1024,2048,4096 or more bytes
Which file is used in a normal DOS boot floppy disk that makes calls to the C drive POST.EXE IO.SYS DRIVESPACE.BIN CMD.EXE
IO.SYS
What happens when you delete your file?
It becomes unallocated
What are the 4 distinct segment of boot sector?
Jump instructions to the boot code Bios Parameter block Code and Error Messages Signature
VBR
Looks for operating system on bootable partition and loads when computer is booted
Which is not a file system?
MBT (random letters)
How NTFS is different from FAT
NTFS stores its backup copy in the last sector of the partition All important file system data is contained in the actual file rather than Allocation tables
A _______ is a collection of consecutive sectors within a volume.
Partition (dividing the hard disk into logical sections
Power up Sequence
The BIOS immediately runs the POST and then prepares the system for the first program to run.
What does bookmarking do?
This saves files you need to have saved and other items of interest.
The MFT is only used in NTFS
True-The master file table is only used in the new technology filing system
Which of the following file systems is used on CDs?
UDF
Methods of Computer Investigation
Vulnerability Assessment and Risk Management Ex: Network Intrusion detection and incident response Ex: Computer Investigations Ex:
FAT tracks bad clusters, marking them as such so they will not be used.
Yes
What is the first consideration when responding to a scene?
Your Safety