Computer Forensics Quiz 6
If a hard disk is damaged and the data is deemed "lost," what is the recommended next step? A. Install the drive on a new computer as a final test. B. Create a bit-by-bit image. C. Shred the hard disk. D. Attempt a local repair.
Attempt a local repair.
______ is the basic repair tool in Windows. A. Fsck B. The TestDisk utility C. Chkdsk D. Disk Utility
Chkdsk
Which operating system commonly uses the Ext file system? A. Linux B. Mac OS C. Windows D. UNIX
Linux
The ________ and the ________ are the two NTFS files of most interest to forensics efforts. A. Master File Table (MFT), cluster bitmap B. inode, cluster bitmap C. file allocation table (FAT), inode D. file allocation table (FAT), Master File Table (MFT)
Master File Table (MFT), cluster bitmap
When performing a manual recovery on a Linux system, what is the first step to recovering manually deleted files? A. Boot into the recovery menu and select to run diagnostics. B. Log in with root. C. Install the Linux recovery toolkit. D. Move the system to single-user mode.
Move the system to single-user mode.
________ is the preferred file system of Windows 2000 and later operating systems. A. FAT32 B. FAT16 C. NTFS D. Ext3
NTFS
______ is the basic repair tool in Mac OS. A. Fsck B. The TestDisk utility C. Chkdsk D. Disk Utility
Disk Utility
You are attempting to recover deleted files from a storage device. The device's operating system uses the FAT32 file system. What is the most important advantage you have when attempting to recover specific deleted files? A. Open source tools rather than commercial tools B. Read permissions to the files C. Time; files that were deleted relatively recently are more likely to be recovered D. Commercial tools rather than open source tools
Time; files that were deleted relatively recently are more likely to be recovered
What is the purpose of overwriting data on a hard disk with random characters seven times? A. To forensically scrub a file or folder B. To test the file allocation table (FAT) update process C. To prepare to shred the hard disk D. To verify that the file is consistent and will not cause disk errors
To forensically scrub a file or folder
You are successful in recovering data files from a damaged disk. You attempt to open a few files and receive a message that the files have been corrupted. What is the best approach to take to gain access to the data? A. Perform consistency checking. B. Perform file carving. C. Perform a second recovery. D. Open the files in a text editor.
Perform file carving.
You are a forensic examiner. The logical structure of a hard disk that you are analyzing appears almost destroyed. You are not able to get the system to boot up despite your best efforts. You choose to perform a zero-knowledge analysis. Is this an appropriate choice for the next step? A. Yes. This process includes searching memory in real time, typically for working with compromised hosts or to identify system abuse. B. No. This is a file system repair technique that involves scanning a disk's logical structure and ensuring that it is consistent with its specification. It will not help in this case. C. Yes. Using this technique, the file system is rebuilt from scratch using knowledge of an undamaged file system structure. It should allow for data retrieval. D. No. This approach includes the process of searching for specific text in binary files even if the file has a reference count of zero. It does not apply in this case.
Yes. Using this technique, the file system is rebuilt from scratch using knowledge of an undamaged file system structure. It should allow for data retrieval.
Which of the following is not true of file carving? A. You can perform file carving on the NTFS and FAT32 file systems but not Ext4. B. File carving is often used to recover data from a disk where there has been some damage or where the file itself is corrupt. C. Most file carving utilities look for file headers or footers and then pull out data that is found between these two boundaries. D. File carving is a common method of data recovery, particularly when the file metadata has been damaged.
You can perform file carving on the NTFS and FAT32 file systems but not Ext4.
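Worked example, added here as an illustration and not part of the quiz: a minimal header/footer carver in Python that does what the two questions above describe, scanning a raw image for known file signatures and pulling out everything between a header and its footer, with no use of file-system metadata at all. The signature table and the sample "disk image" are constructed for the demo; the type names, offsets and the `carve`/`build_sample_image` functions are assumptions of this example, not tool output.

```python
"""Minimal header/footer file carver (added example, constructed data)."""
import re

# Header/footer pairs for two common types. Constructed here; real carvers
# such as foremost or scalpel ship far larger tables with per-type size limits.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan a raw image for every known header and return (type, offset, data)
    tuples sorted by offset. Carving ignores file-system metadata entirely, so
    it works on corrupt or unallocated space as well as on a healthy volume.
    A header with no footer within max_size bytes is reported with data=None:
    the file is truncated or was partially overwritten."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        for match in re.finditer(re.escape(header), image):
            start = match.start()
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                found.append((kind, start, None))
            else:
                found.append((kind, start, image[start:end + len(footer)]))
    found.sort(key=lambda item: item[1])
    return found


def build_sample_image() -> bytes:
    """Constructed 'disk image': filler, a tiny JPEG, a tiny PNG and a JPEG
    whose tail was overwritten. No real file-system structures are present."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 3 + b"\xff\xd9"      # 42 bytes
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + b"IEND\xaeB`\x82")                                        # 41 bytes
    truncated = b"\xff\xd8\xff\xe1" + b"partial"                        # no footer
    return (b"\x00" * 64 + jpg + b"\xde\xad" * 20 + png + b"\x00" * 32
            + truncated + b"\x00" * 16)


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        status = "truncated" if data is None else f"{len(data)} bytes"
        print(f"{kind} at offset {offset}: {status}")
```

One caveat a practitioner should keep in mind: stopping at the first footer can cut a file short when the format allows nested copies of the footer (a JPEG with an embedded thumbnail contains a second `FF D9`), so production carvers combine signature matching with per-type size limits or light format parsing.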
A symbolic link is ________ another file. A. the deletion of B. the decommissioning of C. a pointer to D. a copy of
a pointer to
A(n) __________ is a data structure in the Linux file system that stores all the information about a file except its name and actual data. A. inode B. table C. cluster D. partition
inode
Consistency checking protects against: A. improper scanning. B. disk fragmentation. C. software bugs and storage hardware design incompatibilities. D. physical damage to a hard disk.
software bugs and storage hardware design incompatibilities.
In FAT and NTFS file systems, a __________ is used to map files to specific clusters where they are stored on the disk. A. node B. table C. cluster D. partition
table
Paige is attempting to recover data from a failed hard disk. She removed the failed drive from the system on which it was installed and then connected it to a test system. She made the connection by simply connecting the data and power cables but did not actually install the failed drive. What step should she perform next? A. Determine whether the failed drive is recognized and can be installed as an additional disk on the test system. B. Listen to the failed drive to determine whether the internal disks are spinning. C. Install the failed drive. D. Boot the test system from its own internal drive.
Boot the test system from its own internal drive.
Darien is performing analysis on an image of a seized machine. A power outage causes the computer to power off and back on again. When he attempts to boot up the machine to continue his work, the Windows operating system begins to initialize. However, it does not proceed past the loading screen. What type of damage is likely to have occurred? A. Logical damage B. Deletion of some critical files by the chkdsk utility C. Master Boot Record virus infection D. File carving
Logical damage
Devaki is a new forensic investigator. She is examining a recently seized hard drive. She was told by the individuals who collected the device that the owner indicated that it did not work. Devaki notices some damage on the case of the hard drive, agrees that it likely does not work, and processes the disk as if it is "lost" or inaccessible. What mistake did Devaki make? A. She should have processed the disk as damaged instead of as inaccessible. B. She should have shredded the disk because it was damaged. C. She should have verified with the hard drive owner that the hard disk did not work. D. She should have fully evaluated the disk by leveraging multiple techniques to attempt to retrieve the data.
She should have fully evaluated the disk by leveraging multiple techniques to attempt to retrieve the data.
In Windows, what does the file allocation table (FAT) store? A. The mapping between files and their cluster location on the hard drive B. The list of applications installed and their corresponding files C. A view of disk overages that are available D. The data types stored on the disk
The mapping between files and their cluster location on the hard drive
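Worked example, added here and not part of the quiz, tying together three of the questions above: the table that maps a file to its clusters, how a FAT-style delete only marks the entry and frees the chain, and why a recently deleted file is recoverable until its clusters are reused. The cluster size, table size and files are constructed for the demo, and the `ToyFAT` class is this example's own simplified model, not a real FAT12/16/32 on-disk layout.

```python
"""Toy FAT volume (added example, constructed data) showing the file-to-cluster
table, chain walking, deletion and the recoverability window."""

FREE = 0x000          # table entry for an unallocated cluster
EOC = 0xFFF           # end-of-chain marker (FAT12-style value, constructed)
CLUSTER_SIZE = 8      # bytes per cluster, deliberately tiny for the demo


class ToyFAT:
    def __init__(self, n_clusters: int):
        # One table entry per cluster: FREE, EOC, or the number of the next
        # cluster in the file's chain. Entries 0 and 1 are reserved.
        self.fat = [FREE] * n_clusters
        self.fat[0] = self.fat[1] = EOC
        self.clusters = [bytearray(CLUSTER_SIZE) for _ in range(n_clusters)]
        # Directory entry: name -> [first cluster, size, deleted flag].
        self.directory = {}

    @staticmethod
    def _clusters_needed(size: int) -> int:
        return max(1, -(-size // CLUSTER_SIZE))

    def write_file(self, name: str, data: bytes) -> list:
        needed = self._clusters_needed(len(data))
        free = [i for i, entry in enumerate(self.fat) if entry == FREE]
        if len(free) < needed:
            raise OSError("volume full")
        chain = free[:needed]
        for i, c in enumerate(chain):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.clusters[c][:] = chunk.ljust(CLUSTER_SIZE, b"\x00")
            self.fat[c] = chain[i + 1] if i + 1 < len(chain) else EOC
        self.directory[name] = [chain[0], len(data), False]
        return chain

    def chain_of(self, first: int) -> list:
        """Follow table entries from the first cluster to the EOC marker."""
        chain, c, seen = [], first, set()
        while c != EOC:
            if c in seen or not 2 <= c < len(self.fat):
                raise ValueError("corrupt cluster chain")  # what chkdsk/fsck flag
            seen.add(c)
            chain.append(c)
            c = self.fat[c]
        return chain

    def read_file(self, name: str) -> bytes:
        first, size, deleted = self.directory[name]
        if deleted:
            raise FileNotFoundError(name)
        return b"".join(self.clusters[c] for c in self.chain_of(first))[:size]

    def delete_file(self, name: str) -> None:
        # Deletion only marks the entry and frees the chain; cluster contents
        # are left untouched, as with a real FAT delete (0xE5 in the entry's
        # first byte, chain entries cleared).
        first, _, _ = self.directory[name]
        for c in self.chain_of(first):
            self.fat[c] = FREE
        self.directory[name][2] = True

    def undelete(self, name: str):
        """Recover a deleted file the way an undelete tool must: the chain is
        gone, so assume the clusters were contiguous from the first one, and
        give up (return None) if any of them has since been reallocated."""
        first, size, deleted = self.directory[name]
        if not deleted:
            return self.read_file(name)
        clusters = range(first, first + self._clusters_needed(size))
        if any(c >= len(self.fat) or self.fat[c] != FREE for c in clusters):
            return None
        return b"".join(self.clusters[c] for c in clusters)[:size]


if __name__ == "__main__":
    vol = ToyFAT(16)
    vol.write_file("a.txt", b"hello world, forensics!")
    vol.delete_file("a.txt")
    print(vol.undelete("a.txt"))             # still recoverable
    vol.write_file("b.txt", b"overwriting")  # reuses the freed clusters
    print(vol.undelete("a.txt"))             # None: too late
```

The last two lines of the demo are the point of the "time" answer above: nothing in the delete touched the data, so the file comes back intact until the next write lands on its clusters, after which the recovery tool has neither the chain nor the contents. The contiguity assumption in `undelete` is also why fragmented files on a busy volume are recovered less reliably than fresh, contiguous ones.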