475 Final (Chapters 6-14)
FFD9
For all JPEG files, the ending hexadecimal marker, also known as the end of image (EOI), is ____________.
16,777,216
How many different colors can be displayed by a 24-bit color pixel?
the logical EOF
If a file has 510 bytes of data, what is byte 510?
6
In VirtualBox, ____________ different types of virtual network adapters are possible, such as AMD and Intel Pro adapters.
Get-VMNetworkAdapter
In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters?
index node
In a B*-tree file system, what node stores link information to previous and next nodes?
SYN flood
In a __________ attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server with established connections.
d
In general, what would a lightweight forensics workstation consist of? a. A tablet with peripherals and forensics apps b. A laptop computer with almost as many bays and peripherals as a tower c. A tower with several bays and many peripheral devices d. A laptop computer built into a carrying case with a small selection of peripheral options
Vector Quantization
In simple terms, _____________ compression discards bits in much the same way rounding off decimal values discards numbers.
shell mode
In what mode do most write-blockers run?
pagefile.sys
In what temporary location below might passwords be stored?
key escrow
Many commercial encryption programs use a technology called _____________, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.
Known File Filter (KFF)
The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to filter known program files from view and contains the hash values of known illegal files.
lossless
The Lempel-Ziv-Welch (LZW) algorithm is used in _____________ compression.
clumps
The Mac OS reduces file fragmentation by using _______________.
Kali
The __________ Linux Live CD includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep, and utilizes a KDE interface.
ifconfig
The ______________ command can be used to see network interfaces.
National Software Reference Library
The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but does not list hash values of known illegal files.
scope creep
The goal of recovering as much information as possible can result in ________________, in which an investigation expands beyond the original description because of unexpected evidence found.
acquisition
The physical data copy subfunction exists under the ______________ function.
demosaicing
The process of converting raw picture data to another format is called _________________.
steganalysis
The term for detecting and analyzing steganography files is _________________.
bit shifting
Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its malicious code from antivirus tools.
BMP
Which graphics file format below is rarely compressed?
XFS
Which of the following file systems can't be analyzed by OSForensics?
raster graphics
Which of the following is not a type of graphic file that is created by a graphics program?
.dxf
Which of the following is not considered to be a non-standard graphics file format?
d
Which of the following is stated within the ISO 27037 standard? a. Software forensics tools must use the Windows OS. b. Hardware acquisition tools can only use CRC-32 hashing. c. Software forensics tools must provide a GUI interface. d. Digital Evidence First Responders should use validated tools.
logical data copy
Which of the following options is not a subfunction of extraction?
HexEdit
Which option below is not a disk management tool?
brute force attack
Which password recovery method uses every possible letter, number, and character found on a keyboard?
Linus Torvalds
Who is the current maintainer of the Linux kernel?
2nd field
Within the /etc/shadow file, what field contains the password hash for a user account if one exists?
verification
_______________ proves that two sets of data are identical by calculating hash values or using another similar method.
Foremost
________________ is a specialized carving tool that can read many image file formats, such as RAW and Expert Witness.
FFE1
For EXIF JPEG files, the hexadecimal value starting at offset 2 is _____________.
16 bits
How many bits are required to create a pixel capable of displaying 65,536 different colors?
diskpart
In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer.
keylogger
In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely.
FAT
In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters?
FileVault
On Mac OS X systems, what utility can be used to encrypt / decrypt a user's home directory?
OSForensics
Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords:
.eve
The ProDiscover utility makes use of the proprietary _______________ file format.
.psd
The _____________ format is a proprietary format used by Adobe Photoshop.
tcpdump
The _______________ command-line program is a common way of examining network traffic; it provides records of network activity while it is running and can produce hundreds or thousands of records.
Lempel Ziv
What algorithm is used to decompress Windows files?
ln -s
What command below will create a symbolic link to a file?
.exif
What format was developed as a standard for storing metadata in image files?
a
What is the purpose of the reconstruction function in a forensics investigation? a. Re-create a suspect's drive to show what happened during a crime or incident. b. Copy all information from a suspect's drive, including information that may have been hidden. c. Prove that two sets of data are identical. d. Generate reports or logs that detail the processes undertaken by a forensics investigator.
dd
When performing disk acquisition, the raw data format is typically created with the UNIX/Linux _____________ command.
tga
Which of the following formats is not considered to be a standard graphics file format?
128
Within Windows Vista and later, partition gaps are _____________ bytes in length.
inodes
________________ contain file and directory metadata and provide a mechanism for linking data stored in data blocks.
Oracle VirtualBox
Select below the option that is not a common type 1 hypervisor:
Lzip
Select below the utility that is not a lossless compression utility:
dd
A ____________ image file containing software is intended to be bit-stream copied to floppy disks or other external media.
MD5
A hash that begins with "$6" in the shadow file indicates that it is a hash from what hashing algorithm?
extraction
A keyword search is part of the analysis process within what forensic function?
macro
A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to secure the information contained inside.
-a
Adding the _____________ flag to the ls -l command has the effect of showing all files beginning with the "." character in addition to other files.
49 49 2A
All TIF files start at offset 0 with what 6 hexadecimal characters?
/var/log/wtmp
As part of a forensics investigation, you need to recover the logon and logoff history information on a Linux based OS. Where can this information be found?
Layer 2 or 3
At what layers of the OSI model do most packet analyzers function?
File manipulation (file name and extension, hidden property); Encryption (bit shifting, steganography); Disk manipulation (hidden partition, bad cluster)
Participation Please list the three main aspects of data hiding. For each aspect, please give at least two examples.
data compression - coding of data from larger to smaller form; lossless - reduces file size without removing data; lossy - permanently discards bits of information
Participation What is data compression, and what are the two kinds of compression?
command-line forensics tools; UNIX/Linux forensics tools; GUI tools
Participation 3 kinds of Forensics Software Tools
repair image headers; reconstruct fragmented image files while carving
Participation Explain how to repair an image
BlackBag Technologies; Guidance EnCase; X-Ways Forensics
Participation List at least 3 examples of Mac forensics software
return path; recipient's e-mail address; type of sending e-mail service; IP address of sending server; name of the e-mail server; unique message number; date and time e-mail was sent; attachment files information
Participation Please explain how to examine e-mail headers
systematic tracking of incoming and outgoing traffic; intruders leave a trail behind; determine the cause of the abnormal traffic
Participation Please explain what network forensics is
Computer Forensics Tool Testing (CFTT) program; National Software Reference Library (NSRL) project; using validation protocols
Participation Please list at least three main ways for evaluating the forensics tools
BitPalm; AccessData FTK Imager; MacLockPick 3.0
Participation Please list the main tools for mobile forensics (at least 3)
key escrow; cracking password; persuade suspect to reveal password
Participation Please list the three methods for examining encrypted files
bitmap images; vector graphics; metafile graphics
Participation Please list the three main Graphics File Formats
boot block; superblock; inode block; data block
Participation What are the four block components in UNIX?
abstract; table of contents; body of report; conclusion; references; glossary; acknowledgements; appendixes
Participation What is the report structure
variables
Passwords are typically stored as one-way _____________ rather than in plaintext.
/etc/sendmail.cf; /etc/syslog.conf; /var/log/maillog
Please explain how to examine UNIX e-mail server logs
carving
Reconstructing fragments of files that have been deleted from a suspect drive is known as ____________ in North America.
raw file format
Referred to as a digital negative, the _______ is typically used on many higher-end digital cameras.
badblocks
Select below the command that can be used to display bad block information on a Linux file system, but also has the capability to destroy valuable information.
1976 Copyright Act
What act defines precisely how copyright laws pertain to graphics?
extents overflow file
What file is used to store any file information that is not in the MDB or a VCB?
jpeg
What file type starts at offset 0 with a hexadecimal value of FFD8?
shadow
What file under the /etc folder contains the hashed passwords for a local system?
.vmdk
What format below is used for VMware images?
FF D8
What hex value is the standard indicator for jpeg graphics files?
the file's or directory's path
What information below is not included within an inode?
b
What is the goal of the NSRL project, created by NIST? a. Search for collisions in hash values, and contribute to fixing hashing programs. b. Collect known hash values for commercial software and OS files using SHA hashes. c. Create hash values for illegal files and distribute the information to law enforcement. d. Collect known hash values for commercial software and OS files using MD5 hashes.
512 bytes
What is the minimum size of a block in UNIX/Linux filesystems?
metafile
What kind of graphics file combines bitmap and vector graphics types?
B
What letter should be typed into DiskEdit in order to mark a good sector as bad?
BitLocker
What option below is an example of a platform specific encryption tool?
Autopsy
What program serves as the GUI front end for accessing Sleuth Kit's tools?
salted passwords
What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords?
Norton DiskEdit
What tool below was written for MS-DOS and was commonly used for manual digital investigations?
boot block
What type of block does a UNIX/Linux computer only have one of?
most significant bit (MSB)
When looking at a byte of information in binary, such as 11101100, what is the first bit on the left referred to as?
The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented?
/private/var/root
Where is the root user's home directory located on a Mac OS X file system?
