CF Test 2

Which uppercase letter has a hexadecimal value 41?

"A"

In Linux, in which directory are most system configuration files stored?

/etc

On a Linux computer, by what are file systems exported to remote hosts represented?

/etc/exports

On a Linux computer, what contains group memberships for the local system?

/etc/group

In Linux, in which directory are most applications and commands stored?

/usr

At what hard link count is a file effectively deleted?

0

What is the largest disk partition Ext4f can support?

16 TB

Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format?

A disk editor

What do you call a forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation?

A portable workstation

What must be created to complete a forensic disk analysis and examination?

A report

Where do software forensics tools copy data from a suspect's disk drive?

An image file

What should be created in order to begin a digital forensics case?

An investigation plan

How may computer programs be registered under copyright laws?

As literary works

Which program has an indexed version of the NIST NSRL of MD5 hashes that can be imported to enhance searching for and eliminating known OS and application files?

Autopsy

Which program incorporates an advanced encryption technique that can be used to hide data?

BestCrypt

Which data-hiding technique changes data from readable code to data that looks like binary executable code?

Bit-shifting

Which images store graphics information as grids of pixels?

Bitmap

What type of attacks use every possible letter, number, and character found on a keyboard when cracking a password?

Brute-force

Which NIST project manages research on forensics tools?

CFTT

What term refers to recovering fragments of a file?

Carving

What type of laws should computer investigators be especially aware of when working with image files in order to avoid infringement violations?

Copyright

Which activity involves changing or manipulating a file to conceal information?

Data hiding

What is the process of converting raw picture data to another format called?

Demosaicing

Which type of copy from the suspect disk to the target location does the simplest method of duplicating a disk drive make?

Disk-to-image

In which format are most digital photographs stored?

EXIF

If a graphics file cannot be opened in an image viewer, what should the next step be?

Examining the file's header data

What was the early standard Linux file system?

Ext2

The data-hiding technique involving marking bad clusters is more commonly used with what type of file system?

FAT

Autopsy for Windows cannot perform forensics analysis on FAT file systems.

False

Hardware manufacturers have designed most computer components to last about 36 months between failures.

False

Most organizations keep e-mail for longer than 90 days.

False

Windows OSs do not have a kernel.

False

Which activity involves sorting and searching through investigation findings to separate good data and suspicious data?

Filtering

How many components define the file system on UNIX/Linux?

Four

What tools are used to create, modify, and save bitmap, vector, and metafile graphics?

Graphics editors

Because digital forensics tools have limitations in performing hashing, what tools should be used to ensure data integrity?

Hexadecimal editors

The first MS-DOS tools that analyzed and extracted data from floppy disks and hard disks were used with which type of PC file systems?

IBM

Which standards document demands accuracy for all aspects of the testing process?

ISO 5725

What does scope creep typically do?

Increases the time and resources needed to extract, analyze, and present data

In a file's inode, what are the first 10 pointers called?

Indirect pointers

What contains file and directory metadata and provides a mechanism for linking data stored in data blocks?

Inodes

Which data-hiding technique places data from the secret file into the host file without displaying the secret data when the host file is viewed in its associated program?

Insertion

Which JFIF format has a hexadecimal value of FFD8 FFE0 in the first four bytes?

JPEG

Which AccessData feature compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data?

KFF

Which term is often used when discussing Linux because technically, Linux is only the core of the OS?

Kernel

What technology is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure?

Key escrow

When both the original file with no hidden message and the converted file with the hidden message are available, what analysis method is recommended by Johnson and Jajodia?

Known cover attack

In macOS, in addition to allocation blocks, what kind of blocks do volumes have?

Logical blocks

Which type of compression compresses data permanently by discarding bits of information in the file?

Lossy

Many password-protected OSs and applications store passwords in the form of which type of hash values?

MD5

Which tool enables the investigator to acquire the forensic image and process it in the same step?

Magnet AXIOM

Many password recovery tools have a feature for generating potential password lists for which type of attack?

Password dictionary

In older versions of macOS, in which fork are file metadata and application information stored?

Resource

What is the primary hash algorithm used by the NIST project created to collect all known hash values for commercial software and OS files?

SHA-1

Which hashing algorithm is provided by WinHex?

SHA-1

What type of disk is commonly used with Sun Solaris systems?

SPARC

Which action alters hash values, making cracking passwords more difficult?

Salting passwords

What is another term for steganalysis tools?

Steg tools

What technique has been used to protect copyrighted material by inserting digital watermarks into a file?

Steganography

Which term comes from the Greek word for "hidden writing "?

Steganography

Which term refers to a data-hiding technique that uses host files to cover the contents of a secret message?

Steganography

In addition to search warrants, what defines the scope of civil and criminal cases?

Subpoenas

Which data-hiding technique replaces bits of the host file with other bits of data?

Substitution

From which file format is the image format XIF derived?

TIF

Which digital forensics tool is categorized as a single-purpose hardware component?

Tableau T35es-R2 SATA/IDE eSATA bridge

In macOS, what stores any file information not in the Master Directory Block or Volume Control Block?

The Extents Overflow File

In older versions of macOS, where is all information about the volume stored?

The Master Directory Block (MDB)

What macOS system application tracks each block on a volume to determine which blocks are in use and which ones are available to receive data?

The Volume Bitmap

Where are directories and files stored on a disk drive?

The data block

In macOS, which fork typically contains data the user creates?

The data fork

In macOS, when working with an application file, which fork contains additional information, such as menus, dialog boxes, icons, executable code, and controls?

The resource fork

What limits the data that can be sought in a criminal investigation?

The search warrant

After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.

True

Bitmap images are collections of dots, or pixels, in a grid format that form a graphic.

True

Ext3 is a journaling version of Ext2 that has a built-in file recovery mechanism used after a crash.

True

For static acquisitions, remove the original drive from the computer, if practical, and then check the date and time values in the system's CMOS.

True

If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.

True

The two major forms of steganography are insertion and substitution.

True

Devices used to prevent data from being written to a disk can connect to a computer through FireWire, SATA, PATA, and SCSI controllers as well as which other type of controller?

USB2.0 and 3.0

What is the simplest way to access a file header?

Use a hexadecimal editor

What kinds of images are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes?

Vector graphics

What is the general term for software or hardware that is used to protect evidence disks by preventing data from being written to them?

Write-blockers

Which header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03?

XIF

What Linux command is used to create the raw data format?

dd

In Windows 2000 and later, which command shows you the file owner if you have multiple users on the system or network?

dir

Which Windows disk partition utility can be used to hide partitions?

diskpart

Building your own forensics workstation:

requires the time and skills necessary to support the chosen hardware.

Which type of recovery is becoming more common in digital forensic analysis?

Password

Which entity publishes articles, provides tools, and creates procedures for testing and validating computer forensics software?

NIST

Macintosh moved to the Intel processor and became UNIX based with which operating system?

OS X