Digital Forensics 1 - Test 2
Where would you look to determine a cluster's allocation status in an NTFS volume?
$Bitmap
Where might you find boot code in an NTFS volume?
$Boot
How does your file system find the beginning of the master file table upon system startup?
a. $Boot (file system metadata file)
b. $MFT (MFT reserved entry #0)
c. $Bitmap (file system metadata file)
d. the root directory
e. it's always in the same location (the middle cluster of the partition)
a. $Boot (file system metadata file). The boot sector stores the starting cluster (logical cluster number) of $MFT together with the sector and cluster sizes needed to turn that into a byte offset; a backup copy of the boot sector is kept in the last sector of the volume.
Which of the following best explains why large (e.g. 10 KB), deleted, fragmented files are often easier to recover on an NTFS partition than on a FAT partition?
a. $Bitmap file
b. dynamic data structures
c. $DATA attribute content remains after the file is deleted
d. Everything isn't a file in FAT.
c. $DATA attribute content remains after the file is deleted: the non-resident $DATA attribute's run list (starting cluster and length of every fragment) stays in the MFT entry until that entry is reused, whereas FAT zeroes the cluster chain on deletion and keeps only the starting cluster in the directory entry.
What was the original file renamed to when it was deleted (given the Recycle Bin metadata file $IZWVO4Z.txt)?
$RZWVO4Z.txt, the $R counterpart of $IZWVO4Z.txt. On Vista and later the deleted file's content is renamed to $R<random>.<ext> and a $I<random>.<ext> metadata file with the same random string and extension is created next to it.
Where are the date/time deleted and original path data stored in Windows 7 (and later) pertaining to files sent to the "Recycle Bin"?
a. $Recycle.Bin
b. INFO2 file
c. $R file for that specific file
d. $I file for that specific file
d. $I file for that specific file
Which of the following "Recycle Bin" file names could correspond to the first deleted file from the primary (C:\) partition of a WinXP hard drive, which happened to be a JPEG file?
a. Dc1.jpg
b. Dc1.txt
c. $IABDK033.jpg
d. $IABDK033.txt
a. Dc1.jpg. Windows XP renames recycled files D<drive letter><index>.<original extension> inside RECYCLER\<SID>, with the index starting at 1 and the original name and path recorded in INFO2; $I/$R names only appear in Vista and later.
Where in the MFT record is the most reliable file date/time stamp info Stored?
$STANDARD_INFORMATION attribute (the timestamps the OS updates and displays). Caveat: these can be set through the user-mode API and are what timestomping tools change; compare them with the $FILE_NAME attribute timestamps, which only the kernel updates, to spot manipulation.
Where and what would you look for to determine a cluster's allocation status in a FAT32 volume?
The FAT entry ("cell") for that cluster in the file allocation table: 0x00000000 means unallocated; anything else (next-cluster address, end-of-chain marker, or bad-cluster marker) means allocated. The first byte of a directory entry (0xE5) tells you whether the directory entry, not the cluster, has been freed.
Where would you go to find the starting cluster for a particular file in a FAT 32 volume? a. The file's directory entry structure b. The root directory entry structure c. The file allocation table d. The Reserved area
A
What are the different possible FAT entries?
Allocated (the entry holds the address of the next cluster in the file's chain, or an end-of-file marker if it is the last cluster), unallocated (0), and bad cluster. In FAT32 only the low 28 bits of each 4-byte entry are used: 0x0000000 = free, 0x0000002 to 0xFFFFFEF = next cluster, 0xFFFFFF7 = bad cluster, 0xFFFFFF8 to 0xFFFFFFF = end of chain.
FAT/Cluster chain change
Cluster value changed from the next cluster in the chain (or the EOF marker) to ZERO for every cluster the file used, marking each cluster as "free space" available for new data. The chain, and with it the location of every non-contiguous fragment, is lost at that moment.
Why would you find the string FF FF FF 0F in the FAT "cell" pertaining to cluster 2?
Read little-endian it is 0x0FFFFFFF, an end-of-chain (EOF) marker: cluster 2 is allocated and is the last (here the only) cluster of its chain. In FAT32 cluster 2 is the first data cluster and normally holds the start of the root directory.
"Cell" corresponding to that cluster in the FAT: if the contents are \xFF FF FF 0F, then the cluster is unallocated. True/False
False: any non-zero entry means allocated, and 0x0FFFFFFF is the end-of-chain marker.
Recycle Bin forensics in Windows Vista and later is the same as Windows XP. T/F
False: XP uses RECYCLER\<SID>\INFO2 with D<drive letter><index> file names; Vista and later use $Recycle.Bin\<SID> with a paired $I (metadata) and $R (content) file per deleted item.
FAT directory change (on deletion)
The first byte of the file's directory entry (the first character of the 8.3 name) is overwritten with 0xE5; the rest of the entry, including the starting cluster, size and timestamps, is left in place.
Which of the following BEST describes the primary purpose of the $I files?
a. Provide information about the Recycle Bin configuration settings
b. Provide info about where deleted files are stored (e.g. allocated clusters used)
c. Keep track of what has been sent to and removed from the Recycle Bin
d. Index file that keeps track of $Recycle.Bin file name, original file name, original parent directory, and date deleted
d. Index file that keeps track of $Recycle.Bin file name, original file name, original parent directory, and date deleted
Is the file with a sigma entry the new file or the old file?
The old (deleted) file. 0xE5 is rendered as σ (sigma) in code page 437, and that byte marks the directory entry as unallocated/deleted.
How can you determine which user account was used to delete a file?
a. Original path from where the file was deleted (i.e. User\John Doe\Documents)
b. "deleted by" field in the INFO2 record and/or $I file
c. SID sub-folder in which the INFO/INFO2 or $I file is located
d. None of the above (you cannot correlate a user account with the file deletion activity)
c. The SID sub-folder (RECYCLER\<SID> on XP, $Recycle.Bin\<SID> on Vista and later); resolve the SID to an account name through the ProfileList key in the SOFTWARE hive. The original path only shows where the file lived, which need not be the deleting user's profile, and neither INFO2 nor $I carries a "deleted by" field.
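The following is an added example, not part of this study set: a parser for the Vista-and-later $I metadata file (version 1 layout for Vista/7/8, version 2 for Windows 10 and later), plus the two correlations a practitioner makes from it, pairing the $I name with its $R payload and pulling the owning SID out of the $Recycle.Bin sub-folder path. The function names and all sample data (SID, path, timestamps) are constructed for the example.

```python
"""Parse Windows Recycle Bin $I metadata files (Vista and later).

Added example; all sample data below is constructed, not taken from a real system.
"""
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC (integer math keeps it exact)."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - WIN_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data: bytes) -> dict:
    """Header: u64 version, u64 original size, u64 FILETIME deletion time, then the path.

    version 1 (Vista/7/8): fixed 520-byte (260 x UTF-16LE) NUL-padded path.
    version 2 (Windows 10+): u32 character count (includes the NUL) followed by the path.
    """
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        nchars, = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def r_name_for(i_name: str) -> str:
    """$I<random>.<ext> and $R<random>.<ext> share the random part and the extension."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def sid_from_bin_path(bin_path: str) -> str:
    """The SID-named folder under $Recycle.Bin identifies the account that deleted the file."""
    for part in bin_path.split("\\"):
        if part.upper().startswith("S-1-"):
            return part
    raise ValueError("no SID component in path")


def build_i_file(version: int, size: int, deleted_at: datetime, path: str) -> bytes:
    """Construct a synthetic $I file for testing (not a real artifact)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        return header + path.encode("utf-16-le").ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + (path + "\x00").encode("utf-16-le")


if __name__ == "__main__":
    when = datetime(2024, 3, 5, 14, 30, 0, tzinfo=timezone.utc)
    blob = build_i_file(2, 10240, when, r"C:\Users\jdoe\Documents\report.docx")
    print(parse_i_file(blob))
    bin_path = r"C:\$Recycle.Bin\S-1-5-21-1111111111-2222222222-3333333333-1001\$IZWVO4Z.txt"
    print(r_name_for("$IZWVO4Z.txt"), sid_from_bin_path(bin_path))
```

Run the script on a real $I file by reading its bytes and calling parse_i_file; the deletion time comes back as UTC, so convert to the machine's time zone before comparing it with other timeline sources.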
If a file's content is less than one sector long (in size), what type of $DATA attribute content would it be stored as?
a. Resident data
b. Non-resident data
c. ADS
d. None of the above
a. Resident data. Strictly, content is resident when it fits inside the MFT entry (typically around 700 bytes of a 1 KB record) rather than when it is under one sector, but anything smaller than a sector will normally fit.
MBR - Contains information about how the storage device is logically partitioned (the partition table, plus the initial boot code)
Directory entry structures - where can they be located in a FAT32 volume?
They can be located in the Data Area of a FAT32 file system. This includes the root directory, which in FAT32 is an ordinary cluster chain whose starting cluster is given in the boot sector, rather than the fixed Root Directory region used by FAT12/16.
"Cell" corresponding to that cluster in the FAT: if the contents are \x00 00 00 00, then the cluster is unallocated. True/False
True: a zero FAT entry means the cluster is free, regardless of what old data still sits in it.
Can deleted recycle bin "info" files (INFO/INFO2 (WinXP) files and $I (Win7) files) be recovered in the same way other deleted files can be recovered?
Yes. INFO2 and $I files are ordinary files, so once the Recycle Bin is emptied their directory/MFT entries and content can be recovered or carved like any other deleted file, and their fixed-format headers make them easy to identify when carving.
Is it possible to recover complete cluster chain info (locations/lengths of all fragments) after a file has been deleted on an NTFS volume? Y/N
Yes, provided the MFT entry has not been reused: the run list in the non-resident $DATA attribute (starting cluster and length of each fragment) is still present in the deleted entry, so every fragment can be located.
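The following is an added example, not part of this study set: it reads the constructed NTFS boot sector fields that locate $MFT (the first card on this page) and decodes an NTFS data run list of the kind found in a non-resident $DATA attribute, which is exactly what survives deletion and lets a tool rebuild a fragmented file. The boot sector bytes and the run list are constructed for the example; the function names are mine, the field offsets and run-list encoding are the real on-disk format.

```python
"""Locate $MFT from an NTFS boot sector and decode a $DATA attribute run list.

Added example; the boot sector and run list bytes are constructed, not from a real volume.
"""
import struct


def parse_ntfs_boot(sector: bytes) -> dict:
    """Read the BPB fields that locate the MFT (offsets per the NTFS boot sector layout)."""
    if sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, = struct.unpack_from("<H", sector, 0x0B)
    sectors_per_cluster = sector[0x0D]
    mft_lcn, mft_mirror_lcn = struct.unpack_from("<QQ", sector, 0x30)
    cpr = struct.unpack_from("<b", sector, 0x40)[0]   # signed: negative => 2^|cpr| bytes
    cluster_size = bytes_per_sector * sectors_per_cluster
    record_size = 2 ** (-cpr) if cpr < 0 else cpr * cluster_size
    return {"cluster_size": cluster_size, "mft_lcn": mft_lcn,
            "mft_byte_offset": mft_lcn * cluster_size,
            "mft_mirror_byte_offset": mft_mirror_lcn * cluster_size,
            "mft_record_size": record_size}


def decode_runlist(runlist: bytes) -> list:
    """Decode NTFS data runs.

    Each run starts with a header byte: low nibble = size of the length field, high
    nibble = size of the offset field. The offset is a signed delta from the previous
    run's starting LCN (first run: from 0). Offset size 0 means a sparse run. 0x00 ends.
    """
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0x00:
        hdr = runlist[pos]
        len_size, off_size = hdr & 0x0F, hdr >> 4
        pos += 1
        length = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))           # sparse: no clusters on disk
            continue
        delta = int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        runs.append((lcn, length))
    return runs


def runs_to_extents(runs: list, cluster_size: int) -> list:
    """Byte extents a recovery tool reads, in file order; sparse runs are read as zeros."""
    return [(None if lcn is None else lcn * cluster_size, length * cluster_size)
            for lcn, length in runs]


def build_boot_sector() -> bytes:
    """Constructed: 512-byte sectors, 8 sectors/cluster, $MFT at LCN 786432, 1 KiB records."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"                      # jump instruction
    s[3:11] = b"NTFS    "                         # OEM id
    struct.pack_into("<H", s, 0x0B, 512)          # bytes per sector
    s[0x0D] = 8                                   # sectors per cluster
    s[0x15] = 0xF8                                # media descriptor
    struct.pack_into("<Q", s, 0x28, 2097151)      # total sectors
    struct.pack_into("<QQ", s, 0x30, 786432, 2)   # $MFT and $MFTMirr cluster numbers
    struct.pack_into("<b", s, 0x40, -10)          # clusters per MFT record: 2^10 = 1024 bytes
    struct.pack_into("<b", s, 0x44, 1)            # clusters per index record
    s[510:512] = b"\x55\xAA"
    return bytes(s)


# Constructed run list: 24 clusters at LCN 22068, 8 at 21812 (negative delta), 4 at 21828.
SAMPLE_RUNLIST = bytes.fromhex("21 18 34 56 31 08 00 FF FF 11 04 10 00")


if __name__ == "__main__":
    boot = parse_ntfs_boot(build_boot_sector())
    print("$MFT at byte offset", boot["mft_byte_offset"], "record size", boot["mft_record_size"])
    runs = decode_runlist(SAMPLE_RUNLIST)
    print("runs (lcn, clusters):", runs)
    print("byte extents:", runs_to_extents(runs, boot["cluster_size"]))
```

On a real image, read the boot sector at the partition start, seek to mft_byte_offset, walk the 1 KiB records, and feed the run-list bytes of a deleted entry's non-resident $DATA attribute to decode_runlist; the negative delta in the second run is the normal encoding for a fragment that sits before the previous one on disk.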
Is it possible to recover complete cluster chain info after a file has been deleted on a FAT volume (at least through traditional software-based forensic tools)? Yes/No
No. Deletion zeroes every FAT entry in the file's chain, so only the starting cluster and file size survive in the directory entry; a recovery tool can only assume the file was contiguous from that cluster, which fails for fragmented files and for any clusters that have since been reallocated.
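The following is an added example, not part of this study set: a small FAT32 model that classifies FAT entries (free, next cluster, EOF, bad), walks a cluster chain, parses an 8.3 directory entry, and then performs the two changes deletion makes (0xE5 in the directory entry, zeroed FAT entries) to show what a recovery tool has left afterwards. It covers the FAT cards above: the FF FF FF 0F entry for cluster 2, the 00 00 00 00 free marker, the sigma (0xE5) entry, and why the chain of a fragmented file cannot be recovered. The FAT, directory entry and cluster numbers are constructed; the entry encoding and field offsets are the real on-disk format.

```python
"""FAT32 allocation status, cluster chains, directory entries and what deletion destroys.

Added example; the FAT and directory entry below are constructed, not from a real volume.
"""
import struct

FAT32_MASK = 0x0FFFFFFF      # only the low 28 bits of each 4-byte entry are used
BAD_CLUSTER = 0x0FFFFFF7
EOF_MIN = 0x0FFFFFF8         # 0x0FFFFFF8..0x0FFFFFFF mark end of chain


def fat_entry(fat: bytes, cluster: int) -> int:
    return struct.unpack_from("<I", fat, cluster * 4)[0] & FAT32_MASK


def classify(value: int) -> str:
    if value == 0:
        return "free"
    if value == BAD_CLUSTER:
        return "bad"
    if value >= EOF_MIN:
        return "eof"
    if value >= 2:
        return "next"
    return "reserved"


def walk_chain(fat: bytes, start: int) -> list:
    """Follow next-cluster pointers from start to EOF; fails on a free/bad/looping link."""
    chain, cluster, seen = [], start, set()
    while True:
        if cluster in seen:
            raise ValueError(f"loop at cluster {cluster}")
        seen.add(cluster)
        chain.append(cluster)
        value = fat_entry(fat, cluster)
        kind = classify(value)
        if kind == "eof":
            return chain
        if kind != "next":
            raise ValueError(f"chain broken at cluster {cluster}: entry is {kind}")
        cluster = value


def recover_chain(fat: bytes, start: int):
    """What a tool can do after deletion: the chain if it is intact, otherwise None."""
    try:
        return walk_chain(fat, start)
    except ValueError:
        return None


def parse_dir_entry(entry: bytes) -> dict:
    """32-byte 8.3 entry; first byte 0xE5 = deleted (shows as sigma in cp437), 0x00 = end."""
    first = entry[0]
    name = entry[0:8].decode("cp437").rstrip()
    ext = entry[8:11].decode("cp437").rstrip()
    hi, = struct.unpack_from("<H", entry, 20)     # high 16 bits of start cluster (FAT32)
    lo, = struct.unpack_from("<H", entry, 26)     # low 16 bits of start cluster
    size, = struct.unpack_from("<I", entry, 28)
    return {"deleted": first == 0xE5, "end_of_directory": first == 0x00,
            "name": f"{name}.{ext}" if ext else name,
            "start_cluster": (hi << 16) | lo, "size": size}


def delete_file(fat: bytearray, entry: bytearray) -> list:
    """Mimic OS deletion: zero every FAT entry of the chain, then flag the directory entry."""
    chain = walk_chain(fat, parse_dir_entry(entry)["start_cluster"])
    for c in chain:
        struct.pack_into("<I", fat, c * 4, 0)
    entry[0] = 0xE5
    return chain


def build_fat(n_clusters: int, chains) -> bytearray:
    """Constructed FAT: entry 0 = media byte, entry 1 = EOF, then the given chains."""
    fat = bytearray(n_clusters * 4)
    struct.pack_into("<II", fat, 0, 0x0FFFFFF8, 0x0FFFFFFF)
    for chain in chains:
        for i, c in enumerate(chain):
            nxt = chain[i + 1] if i + 1 < len(chain) else 0x0FFFFFFF
            struct.pack_into("<I", fat, c * 4, nxt)
    return fat


def build_dir_entry(name8: str, ext3: str, start: int, size: int) -> bytearray:
    e = bytearray(32)
    e[0:8] = name8.ljust(8).encode("cp437")
    e[8:11] = ext3.ljust(3).encode("cp437")
    e[11] = 0x20                                  # archive attribute
    struct.pack_into("<H", e, 20, start >> 16)
    struct.pack_into("<H", e, 26, start & 0xFFFF)
    struct.pack_into("<I", e, 28, size)
    return e


def demo():
    # cluster 2 = root directory (one cluster); REPORT.TXT is fragmented: 5,6 then 9,10
    fat = build_fat(16, [[2], [5, 6, 9, 10], [7, 8]])
    entry = build_dir_entry("REPORT", "TXT", 5, 2000)
    before = walk_chain(fat, 5)
    delete_file(fat, entry)
    return fat, before, parse_dir_entry(entry)


if __name__ == "__main__":
    fat, before, after = demo()
    print("cluster 2 raw bytes:", fat[8:12].hex(), "->", classify(fat_entry(fat, 2)))
    print("chain before delete:", before)
    print("entry after delete:", after, "| cluster 5 now:", classify(fat_entry(fat, 5)))
    print("recoverable chain:", recover_chain(fat, 5))
```

After delete_file the directory entry still says "start at cluster 5, 2000 bytes", but cluster 5's FAT entry is 0, so recover_chain returns None; a carving tool that assumes contiguity would read clusters 5 through 8 and pick up the wrong file's data in 7 and 8.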
What type of data goes to the Recycle Bin when deleted?
a. Deleted files from external media
b. Files deleted from the CMD prompt
c. Files deleted via Explorer
d. System-deleted files
e. All of the above
c. Files deleted via Explorer (and other shell-based deletes). Deletes from the command prompt (del), Shift+Delete, deletes on removable media or network shares, and deletes performed by the system or by applications bypass the Recycle Bin.