Test 2 (5-8)
In the Master File Table (MFT), the first _____ records are reserved for system files.
15
In general, forensics workstations can be divided into ____ categories.
3
____ components define the file system on UNIX.
4
A Mac file that organizes the directory hierarchy and file block mapping for File Manager.
B*-tree
A ____ contains programs that perform input and output at the hardware level.
Basic Input/Output System (BIOS)
The _____ file in a virtual machine contains hardware settings such as RAM, network configurations, and port settings.
Configuration
The majority of digital cameras use the ____ format to store digital pictures.
EXIF
A file format the Japan Electronics and Information Technology Industries Association (JEITA) developed as a standard for storing metadata in JPEG or TIF files.
Exchangeable Image File
___________ is a journaling version of Ext2fs that reduces file recovery time after a crash.
Ext3fs
____ is the most challenging of all tasks to master.
Extraction
A UNIX or Linux computer has two boot blocks, which are located on the main hard disk.
False
A portable workstation is a laptop computer built into a carrying case with a small selection of peripheral options.
False
Both the resource fork and the data fork contain essential information, such as filename, file size, and date modified, for each file.
False
Directory file structures in Mac have made major changes with each new OS update.
False
For older HFS-formatted drives, the last two logical blocks, 0 and 1, on the volume (or disk) are the boot blocks containing system startup instructions.
False
Imperceptible watermarks are usually an image, such as the copyright symbol or a company logo, layered on top of a photo.
False
Linux is a certified UNIX operating system.
False
Metafile graphics are vector images with metadata.
False
Most graphics file formats, including GIF and JPEG, rarely compress data to save disk space or to reduce the file's transmission time.
False
Older Macintosh computers use the same type of BIOS firmware commonly found in PC-based systems.
False
Our human eye can see 8 bits of color.
False
Someone who wants to hide data can create hidden partitions or voids, large unused gaps between partitions on a disk drive. Data that is hidden in partition gaps cannot be retrieved by forensics utilities.
False
The File Manager can have access to only the resource fork.
False
The General Public License (GPL) agreement stipulates that source code for hardware distributed under the GPL must be publicly available, and any works derived from GPL code must also be licensed under the GPL.
False
The biggest advantage of the raw file format is that it is proprietary.
False
The data fork contains additional information from the applications, such as menus, dialog boxes, icons, executable code, and controls.
False
The difference between lossless and lossy compression is the way data is represented before it has been uncompressed.
False
The insertion form of steganography replaces bits of the host file with other bits of data.
False
The reconstruction function is the recovery task in a computing investigation.
False
When you uncompress a graphics file that uses lossless compression, you lose information and the image quality is affected.
False
You must use older computer forensics tools to identify hidden partitions on most drives.
False
Mac OS utility that handles reading, writing, and storing data to physical media
File Manager
Mac tool that works with the OS to keep track of files and maintain users' desktops
Finder
Usually bridge devices between a drive and the forensic workstation.
Hardware write-blocker
The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.
ISO 5725
letters embedded near the beginning of all JPEG files
JFIF
A compression method where a large file can be compressed to take up less space and then uncompressed without any loss of information
Lossless compression
________ compression is the method where bits of information are permanently discarded, thereby reducing the image quality.
Lossy
A compression method that permanently discards bits of information in a file
Lossy compression
On older Mac systems, the location where all volume information is stored.
Master Directory Block
The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.
NSRL
Less common graphics file formats, including proprietary formats, newer formats, formats that most image viewers don't recognize, and old or obsolete formats
Nonstandard graphic files
What tool below was written for MS-DOS and was commonly used for manual digital investigations?
Norton DiskEdit
____ controls the microprocessor after hardware initialization and diagnostics take place before control is passed to the OS.
Open Firmware
a direct copy of a disk drive
Raw data
This format maintains the best picture quality, but because of its proprietary format, not all image viewers can display it
Raw file format
The _____ is a database that stores hardware and software configuration information, network connections, user preferences, and setup information.
Registry
A _____ is a Windows utility for viewing and modifying data in the Registry.
Registry Editor
European term for carving
Salvaging
A log report can be used to confirm the activities that were performed and the results that were found in the original analysis and examination.
True
A one-time passphrase generated by the key management function can be used to decrypt a whole encrypted drive.
True
All information about a volume is stored in the Master Directory Block (MDB) and written to the MDB when the volume is initialized.
True
Copyrightable works include literary works, pantomimes and choreographic works, and sound recordings.
True
Data streams can obscure valuable evidentiary data, intentionally or by coincidence.
True
For third-party compressed data, we need to uncompress it with the utility that created it.
True
Hidden partitions or voids are sometimes created to hide large data on a hard disk.
True
Hidden partitions or voids refer to large unused gaps between partitions on a disk drive.
True
If a graphics file has been renamed, a steg tool can identify the file format from the file header and indicate whether the file contains an image.
True
Image quality can be affected by the software package used to open the images.
True
In Mac OS 9 or earlier, a volume on a floppy disk is always the entire floppy.
True
In the NTFS MFT, all files and folders are stored in separate records of 1024 bytes each.
True
A logical copy of a disk partition can be acquired only via a live acquisition.
True
The data discrimination function can be improved by searching and comparing file headers instead of focusing on the extension of the file's name.
True
The images created by EnCase, FTK, or X-Ways Forensics have an Expert Witness .e01 extension.
True
Vector quantization is a form of lossy compression that uses complex algorithms to determine what data to discard based on vectors in the graphics file.
True
Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0, and SCSI controllers.
USB
Which of the following is not a valid configuration of Unicode?
UTF-64
________ is a compression method that uses complex algorithms to determine what data to discard based on vectors in the graphics file.
Vector quantization
The FAT database contains all of the following information, EXCEPT _____.
a journal
The process of creating a duplicate image of a data disk is called the _____ phase.
acquisition
Collection of dots, or pixels, in a grid format that form a graphic.
bitmap images
Storage allocation units composed of groups of sectors.
cluster
A column of tracks on two or more disk platters.
cylinder
One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex.
disk editor
The results of keyword searches that contain the correct match but aren't relevant to the investigation.
false positives
You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
graphics editors
All of the following are subfunctions in the extraction category, EXCEPT ____.
hashing
Each HKEY contains folders referred to as a _____.
hive
Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.
image file
In a B*-tree file system, what node stores link information to previous and next nodes?
index node
The two major forms of steganography are __________ and substitution.
insertion
The ____ node contains actual file data.
leaf
Under copyright laws, computer programs may be registered as ____.
literary works
When using the Encrypting File System (EFS), the owner or user who encrypted the data holds the _____ key.
private
A section on a track, typically made up of 512 bytes.
sector
Concentric circles on a disk platter where data is stored.
track
All of the following are subfunctions in the acquisition category, EXCEPT ____.
validation
The _____ file in a virtual machine contains the boot loader program, OS files, and users' data files.
virtual hard disk
Any storage media, such as floppy disk, a partition on a hard drive, the entire drive, or several drives.
volume
What metadata record in the MFT keeps track of previous transactions to assist in recovery after a system failure in an NTFS volume?
$LogFile
In general, what would a lightweight forensics workstation consist of?
A laptop computer built into a carrying case with a small selection of peripheral options
What hex value is the standard indicator for JPEG graphics files?
FF D8
_______________ proves that two sets of data are identical by calculating hash values or using another similar method.
Verification
Addresses that allow the MFT to link to nonresident files are known as _______________.
logical cluster numbers