ITN 276 FINAL REVIEW
__________ is the data to be covertly communicated. In other words, it is the message you want to hide.
Payload
Which of the following files are stored in the /bin directory in Linux?
Programs that are essential for the system to boot and run
Devaki is a new forensic investigator. She is examining a recently seized hard drive. She was told by the individuals who collected the device that the owner indicated that it did not work. Devaki notices some damage on the case of the hard drive, agrees that it likely does not work, and processes the disk as if it is "lost" or inaccessible. What mistake did Devaki make?
She should have fully evaluated the disk by leveraging multiple techniques to attempt to retrieve the data.
What E3 feature should you use to search for files on a suspect's drive image using hash values?
Sorted Files Search
Which of the following steganalysis applications is used in detecting LSB (lease significant bit) steganography in a bulk of image files?
StegExpose
__________is the process of analyzing a file or files for hidden content.
Steganalysis
__________is a term that refers to hiding messages in sound files.
Steganophony
Multiple servers and storage devices all connected in a high-speed small network that appears to a user as a single storage device best describes:
Storage area networking
Which of the following files are stored in the /etc directory in Linux?
System-wide configuration files
Which of the following browsers can be used for enabling anonymous communications on the Internet?
TOR
Which of the following is the correct sequence for displaying a list of ports that are actively listening in Windows?
Task Manager > Performance tab > Open Resource Monitor link > Network tab > Expand Listening Ports header
In Windows, what does the file allocation table (FAT) store?
The mapping between files and their cluster location on the hard drive
Which of the following is the most accurate definition of steganography?
The practice of hiding private or sensitive information within something that appears to be nothing out of the usual.
The basis of Moore's law found that the number of components in integrated circuits doubled every __________ and each doubling of capacity was done at half the cost.
18 to 24 months
In Windows, what is the Virtual Store?
A hidden folder for allowing old programs to continue working in new versions of Windows.
If a hard disk is damaged and the data is deemed "lost," what is the recommended next step?
Attempt a local repair.
In Paraben's E3, which of the following is the correct sequence for finding user-created links and automatically-created links that appear as a user works with files?
Case Content pane > expand Data Triage header > expand Link Files
The following are characteristics of the __________ certification: Only law enforcement personnel and government employees working as system forensics examiners may join. Students learn to interpret and trace e-mail, acquire evidence properly, identify operating systems, recover data, and understand encryption theory and other topics. Students must pass a written exam before continuing to the next level. There are multiple levels.
Certified Forensic Computer Examiner (CFCE)
______ is the basic repair tool in Windows.
Chkdsk
Which Windows process handles tasks like creating threads and console windows?
Client Server Runtime Process
Which forensic tool provider offers Professional and Forensic Examiner? Professional is an automated search tool that allows an examiner to immediately find electronic evidence for trial, used bymany supervision officers to monitor probationers' and parolees' computer use.
ComputerCOP
What does the following formula calculate: Total Clusters minus Free Clusters minus Total Reserved?
The total number of clusters used by a system
Which software is a general-purpose suite of forensic tools that can be used to create a forensic image of a drive, verify that image, and analyze the image? The analysis includes discovering malware, examining the Windows Registry, and breaking passwords in commonly used software, such as Excel spreadsheets or Adobe PDF documents.
Forensic Toolkit (FTK) produced by AccessData
Which utility can obtain drive lists for a computer, obtain the drive type, display some general volume information, and determine the amount of free space on a drive?
Fsutil
Which Windows Registry Key Hive contains configurations for installed applications and Windows itself?
HKEY_LOCAL_MACHINE
What is one use of steganography in the digital age?
Hiding data within images
Which two basic components make up the Windows Registry?
Keys and Values
What phrase represents the left-most or right-most bit (depending on the computer architecture) of a given byte?
Least Significant Bit
Which of the following tools can detect the use of steganography in image and audio files using drag and drop functionality?
McAfee's Steganography Analysis
When performing a manual recovery on a Linux system, what is the first step to recovering manually deleted files?
Move the system to single-user mode.
You are attempting to recover deleted files from a storage device. The device's operating system uses the FAT32 file system. What is the most important advantage you have when attempting to recover specific deleted files?
Time; files that were deleted relatively recently are more likely to be recovered
If two files have the same audio, but the file size differs, this might indicate a file contains steganographically-concealed data.
True
It is very common for criminal enterprises to intentionally construct their own clouds with data stored in jurisdictions with rules and laws that make data retrieval for the purpose of forensics difficult or impossible.
True
True or False? A hard drive failure, accidental data deletion, or similar small-scale incident will not prevent a redundant network server or storage area network from continuing to provide data and services to end users.
True
True or False? Attempting to determine an individual's location by which cell towers they were connected to for criminal and civil investigations is scientifically invalid because cell phone tower logs are for the cell, not for the individual phone.
True
True or False? End users generally cannot repair most physical damage to storage media, such as a hard disk.
True
True or False? Forensic labs should use the highest-capacity cabling available, such as optical cable, to efficiently move drive images across a network to storage.
True
True or False? Forensically scrubbing a file or folder may involve overwriting data with random characters seven times.
True
True or False? In the case of civil litigation, it is usually necessary to hire private forensic labs to process evidence.
True
True or False? Linux stores file content in blocks, which are similar to clusters in Windows NTFS.
True
True or False? When an organization needs to store far more data than any single server can accommodate, one solution is to deploy a storage area network.
True
True or False? When imaging a disk, the larger the drive being imaged, the more bandwidth will be required.
True
True or False? When two files claim to share the same allocation unit (or cluster), one of the files is almost certain to lose data.
True
Which of the following OpenPuff functions should you use to retrieve a hidden file concealed with an image?
UnHide Data
Which of the following provides visibility into filesystem activity over several days or even weeks?
Update Sequence Number (USN) change journal
A symbolic link is ________ another file.
a pointer to
Which of the following Linux commands installs a new package on the Linux system?
apt-get install
__________ is cryptography wherein two keys are used: one to encrypt the message and another to decrypt it.
asymmetric cryptography
Which log file helps track password entries (and failed entries)?
auth.log
What Linux command allows you to view all the messages displayed during the boot process?
dmseg
Most operating systems provide a basic repair tool for their native file systems. Linux comes with:
fsck utility
A(n) __________ is a data structure in the Linux file system that stores all the information about a file except its name and actual data.
inode
Which Linux log file has records of recent drive attachments?
kern.log
Which log file may help you rule out malware?
kern.log
What Linux command lists all files in the current directory in a long listing format?
ls -l
If a server fails, the organization simply uses the other server, often called the mirror server. In the simplest configuration, there are two servers that are connected. They are complete mirrors of each other. Should one server fail for any reason, all traffic is diverted to the other server. This organization utilizes __________.
multiple redundant servers
Which Linux command shows processes that are running for the current user?
ps -aux
Consistency checking protects against:
software bugs and storage hardware design compatibilities.
Which Linux command is used to assign temporary privileges to users performing administrative tasks?
sudo
True or False? Following national laws that are least restrictive to your investigation will typically satisfy the legal requirements of more restrictive jurisdictions.
False
True or False? Logical damage control is a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification.
False
True or False? On-premises data storage is usually less expensive than storage as a service (STaaS).
False
True or False? You can perform file carving on a PDF file but not on image files.
False
What other technique is often used in conjunction with digital steganography to prevent unwanted access to sensitive information?
Cryptography
