Computer Forensics

What is the little endian representation of the hexadecimal value 0x22FE03BA?

0xBA03FE22

Which of the following scenarios is most likely to result in the creation of orphan files in an NTFS-formatted file system?

A directory with files is deleted before adding new files to the system

Which of the following can be used as a forensic acquisition tool?

All of the above: FTK Imager, DCFLDD, and X-Ways Forensics

Logical/targeted acquisitions may be best suited under which of the following circumstances?

All of the above: limited time, only granted access to certain files, and only need specific files/folders

Which of the following is an advantage of file carving?

Can utilize if a file's MFT record has been overwritten

Which of the following is NOT likely to yield relevant information regarding specific files and folders a user has been accessing?

EMDMgmt

If you wanted to determine the last time a user opened a target file, which of the following jump list attributes would you be most interested in?

Embedded DestList stream

A static set of bytes at the beginning of a particular file type is often referred to as the file's "footer".

False

Cluster allocation status is tracked via directory entries in FAT file systems.

False

Computer investigations and forensics fall into one category: private investigations.

False

Data recovery differs from computer forensics in that data recovery yields information about how an attacker gained access to a network.

False

If a webmail provider blocks the originating IP address from being displayed in the email header, it is impossible to track the sending IP address.

False

MBR-partitioned disks have an advantage over GPT-partitioned disks in that they can create larger partition sizes.

False

Once deleted, registry keys, subkeys, and values are not recoverable.

False

The SOFTWARE registry hive contains the "TimeZoneInformation" key, which identifies the time zone observed by the system.

False

The VBR gives the layout of the disk, while the MBR gives the layout of the file system.

False

The most common and recommended method of collecting enterprise RAID servers is through dead/static acquisitions.

False

You should conduct investigations on the original disk (as opposed to a copy) whenever possible.

False

Which of the following events does NOT happen when a file is deleted in NTFS?

File pointers are overwritten

How many partitions can be defined in the master boot record?

Four

Which of the following webmail providers is known to block the originating IP address of some emails?

Gmail

Shellbags are useful for which of the following reasons?

Identifying accessed directories

If you wanted to determine the last time a user opened a target file, which of the following LNK file attributes would you be most interested in?

LNK file last modified time

Which of the timestamps in a FAT file system does not maintain a time (i.e. this timestamp stores its value to the granularity of one day)?

Last Access

Which type of forensic acquisition is recommended if the target system is powered on, full-disk encryption is in use, and you do not have access to the decryption key?

Live

Which of the following is not generally stored as internal metadata to LNK files?

MD5 hash of the target file

Which of the following registry hives is associated with a particular user (i.e. instead of the system as a whole)?

NTUSER.DAT

Which of the following is NOT a common step in tracing an email?

None of the above: Determine originating IP address, Contact ISP, Contact admin if email was sent within a controlled network

Which of the following is an option for dealing with file fragmentation during file carving?

Only carve unallocated clusters

Which of the following email header fields would you be most interested in when attempting to identify the IP address from which an email was sent?

Received

The _____________ hive contains multiple "control sets", which detail the hardware settings and configuration used by the system.

SYSTEM

Which of the following would you NOT expect to find within a 2 GB video file's MFT record?

The content of the video

In NTFS, if a deleted file's name and creation/modified/accessed timestamps are recoverable but its content (i.e. non-resident $DATA attribute) has been overwritten, what data structure must be intact?

The file's MFT record

If you open four files in Microsoft Excel, six files in Microsoft Word, and one file in Adobe Acrobat on a Windows 7 system, how many jump lists would you expect to find related to these actions?

Three

A bit-stream image is a file containing the bit-stream copy of all data on a disk or partition.

True

A bootable forensic environment such as DEFT can be used during forensic acquisitions because it runs entirely in RAM and by default does not make changes to the target hard drive.

True

A deleted file's content and metadata may be fully recoverable in NTFS if its MFT record has not been reused and the file's clusters have not been reused.

True

After obtaining the originating IP address of an email, the next step to track down the original sender should be to identify the ISP that owns the IP address.

True

Both the NTUSER.DAT and SOFTWARE registry hives contain autostart keys, which identify programs to be started at boot or user logon.

True

Directory entries in FAT file systems contain the name of a file.

True

EML and MBOX emails are two examples of text-based emails that can be opened and viewed in a text-editor.

True

File slack can be defined as the unused space created when a file is saved.

True

One advantage with live acquisitions is that you are able to collect the contents of encrypted containers that are mounted on the system.

True

One of the reasons case law is important in computer forensics is because technology is evolving at a faster rate than regulations and statutes.

True

Registry values do not have a Last Write time associated with them.

True

The NTFS master file table includes a record for every file and directory stored in the file system.

True

The SAM registry hive stores information about local user accounts on the system.

True

The process of file carving uses known file signatures (otherwise known as headers and footers) to attempt to recover deleted files from a file system's unallocated space.

True

Verifying a forensic image involves ensuring that the bit-stream image created is exactly the same as the original evidence and is often carried out via cryptographic hashes.

True

Found in the SYSTEM registry hive, the ______________ key records information about USB storage devices that have been connected to the system.

USBSTOR

The forensic ____ is an important part of the computer forensics process because it preserves digital evidence by making a complete copy of the original evidence device.

acquisition

In Microsoft file systems, sectors are grouped to form ____________________, which are storage allocation units of one or more sectors.

clusters

In a ____ case, a suspect is tried for a criminal offense, such as burglary, murder, or molestation.

criminal

For computer forensics, ____ is the task of collecting digital evidence from electronic media.

data acquisition

The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are referred to as ____.

data runs

A non-resident attribute is stored completely within the master file table.

false

An alternate data stream refers to files that have previously existing file data within their MFT record.

false

Deleted email recovery is not possible in a forensic investigation.

false

The $STANDARD_INFORMATION attribute contains a total of three timestamps associated with a file or directory: creation, last modified, and last accessed.

false

The artifacts available to a forensic examiner from a Windows system have remained the same since Windows XP.

false

You should generally attempt file carving before recovering deleted files using the master file table due to the complexity of MFT-based recovery methods.

false

A bit-stream image is an exact copy of a disk written to a _________.

file

Which of the following is NOT one of the steps in a computer forensics investigation discussed during class?

forensic data deletion

Your ____ as a computer investigation and forensics analyst is critical because it determines your credibility.

professional conduct

One potential disadvantage of ____ format acquisitions is the potential inability to share an image between different vendors' computer forensics analysis tools.

proprietary

Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses.

right of privacy

Which of the following is not a common trait found in spear phishing emails?

targets many individuals with the identical email

Email server logs such as transaction logs can include crucial information for an email investigation.

true

In contrast to FAT file systems, file system data structures such as the volume boot record are stored as files in NTFS.

true

Jump lists were a new addition to Windows 7 that can provide computer forensic examiners with similar information that is found in LNK files.

true

LNK files can be found in Windows XP, Windows Vista, Windows 7, and Windows 8 systems.

true

The "C:\Documents and Settings" directory on a Windows 7 system is an example of a reparse point.

true

The $BITMAP file in NTFS tracks cluster allocation status for the file system.

true

The embedded streams of a jump list are stored in the same format as LNK files and are tracked by either most recently used or most frequently used.

true

The process of file carving can be employed across multiple file systems and is not specific to NTFS.

true

The two most common methods of sending an email are via the Internet and via controlled network.

true

WinHex, FTK Imager, and most other forensic or data recovery tools will usually alert the user to deleted files that have been identified by representing these files with a different icon (often a red "X").

true
