Cyber_4ens_final
Chapter 6-13 multiple choice
| Question | Answer |
|---|---|
| Data streams can obscure valuable evidentiary data, intentionally or by coincidence. | true |
| A ____ is a column of tracks on two or more disk platters. | cylinder |
| ____ is how most manufacturers deal with a platter’s inner tracks being shorter than its outer tracks. | ZBR |
| ____ is the file structure database that Microsoft originally designed for floppy disks. | FAT |
| ____ was introduced when Microsoft created Windows NT and is the primary file system for Windows Vista. | NTFS |
| On an NTFS disk, immediately after the Partition Boot Sector is the ____. | MFT |
| Records in the MFT are referred to as ____. | metadata |
| In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each. | 1024 |
| The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition. These cluster addresses are referred to as ____. | data runs |
| When Microsoft introduced Windows 2000, it added built-in encryption to NTFS called ____. | EFS |
| The purpose of the ____ is to provide a mechanism for recovering encrypted files under EFS if there’s a problem with the user’s original private key. | recovery certificate |
| When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____. | Registry |
| ____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to NTLDR. | NTDetect.com |
| ____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS. | NTBootdd.sys |
| ____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %systemroot%\Windows\System32\Drivers folder. | Device drivers |
| ____ is a hidden text file containing startup options for Windows 9x. | Msdos.sys |
| The ____ file provides a command prompt when booting to MS-DOS mode (DPMI). | Command.com |
| ____ is a text file containing commands that typically run only at system startup to enhance the computer’s DOS configuration. | Config.sys |
| ____ is a batch file containing customized settings for MS-DOS that runs automatically. | Autoexec.bat |
| A ____ allows you to create a representation of another computer on an existing physical computer. | virtual machine |
| In software acquisition, there are three types of data-copying methods. | false |
| To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful. | true |
| The Windows platforms have long been the primary command-line interface OSs. | false |
| After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools. | true |
| Computer forensics tools are divided into ____ major categories. | 2 |
| Software forensics tools are commonly used to copy data from a suspect’s disk drive to a(n) ____. | image file |
| To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable. | ms-dos |
| Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command. | dd |
| ____ of data involves sorting and searching through all investigation data. | Discrimination |
| Many password recovery tools have a feature that allows generating potential lists for a ____ attack. | password dictionary |
| The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk. | disk-to-disk |
| To complete a forensic disk analysis and examination, you need to create a ____. | report |
| The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems. | IBM |
| In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network. | Dir |
| In general, forensics workstations can be divided into ____ categories. | 3 |
| A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____. | portable workstation |
| ____ is a simple drive-imaging station. | FIRE IDE |
| ____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk. | Write-blockers |
| Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0, and SCSI controllers. | USB |
| The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software. | NIST |
| The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible. | ISO 5725 |
| The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____. | NSRL |
| The primary hash algorithm used by the NSRL project is ____. | SHA-1 |
| One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex. | disk editor |
| Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file’s contents. | testing, compressed |
| Macintosh OS X is built on a core called ____. | Darwin |
| In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored. | resource |
| The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is ____. | 65,535 |
| On older Macintosh OSs all information about the volume is stored in the ____. | Master Directory Block (MDB) |
| With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data. | Volume Bitmap |
| On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB). | extents overflow file |
| Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement. | GPL |
| The standard Linux file system is ____. | Ext2fs |
| Ext2fs can support disks as large as ____ TB and files as large as 2 GB. | 4 |
| Linux is unique in that it uses ____, or information nodes, that contain descriptive information about each file or directory. | inodes |
| To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of ____. | 0 |
| ____ components define the file system on UNIX. | 4 |
| The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive. | data block |
| LILO uses a configuration file named ____ located in the /Etc directory. | Lilo.conf |
| Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of OSs. | 1995 |
| On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive. | /dev/hda1 |
| There are ____ tracks available for the program area on a CD. | 99 |
| The ____ provides several software drivers that allow communication between the OS and the SCSI component. | Advanced SCSI Programming Interface (ASPI) |
| All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard ____ ribbon or shielded cable. | 40-pin |
| ATA-66, ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable. | 100 |
| The IDE ATA controller on an old 486 PC doesn’t recognize disk drives larger than 8.4 ____. | GB |
| FTK cannot analyze data from image files from other vendors. | false |
| A nonsteganographic graphics file has a different size than an identical steganographic graphics file. | false |
| ____ increases the time and resources needed to extract, analyze, and present evidence. | scope creep |
| You begin any computer forensics case by creating a(n) ____. | investigation plan |
| In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover. | subpoenas |
| There are ____ keyword searching options that FTK offers. | 2 |
| ____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search. | Live |
| The ____ search feature allows you to look for words with extensions such as “ing,” “ed,” and so forth. | stemming |
| In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period. | indexed |
| FTK and other computer forensics programs use ____ to tag and document digital evidence. | bookmarks |
| Getting a hash value with a ____ is much faster and easier than with a(n) ____. | hexadecimal editor, computer forensics tool |
| AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data. | KFF |
| Data ____ involves changing or manipulating a file to conceal information. | hiding |
| One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it. | Norton DiskEdit |
| The marking bad clusters data-hiding technique is more common with ____ file systems. | FAT |
| The term ____ comes from the Greek word for “hidden writing.” | steganography |
| ____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there. | Steganography |
| Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure. | key escrow |
| People who want to hide data can also use advanced encryption programs, such as PGP or ____. | BestCrypt |
| ____ recovery is a fairly easy task in computer forensic analysis. | Password |
| ____ attacks use every possible letter, number, and character found on a keyboard when cracking a password. | Brute-force |
| ____ are handy when you need to image the drive of a computer far away from your location or when you don’t want a suspect to be aware of an ongoing investigation. | Remote acquisitions |
| ____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer’s file system. | HDHOST |
| With many computer forensics tools, you can open files with external viewers. | true |
| Steganography cannot be used with file formats other than image files. | false |
| ____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes. | Vector graphics |
| You use ____ to create, modify, and save bitmap, vector, and metafile graphics files. | graphics editors |
| ____ images store graphics information as grids of individual pixels. | Bitmap |
| The process of converting raw picture data to another format is referred to as ____. | demosaicing |
| The majority of digital cameras use the ____ format to store digital pictures. | EXIF |
| ____ compression compresses data by permanently discarding bits of information in the file. | Lossy |
| Recovering pieces of a file is called ____. | carving |
| A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10. | JPEG |
| If you can’t open an image file in an image viewer, the next step is to examine the file’s ____. | header data |
| The uppercase letter ____ has a hexadecimal value of 41. | "A" |
| The image format XIF is derived from the more common ____ file format. | TIFF |
| The simplest way to access a file header is to use a(n) ____ editor. | hexadecimal |
| The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03. | XIF |
| ____ is the art of hiding information inside image files. | Steganography |
| ____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program. | Insertion |
| ____ steganography replaces bits of the host file with other bits of data. | Substitution |
| In the following list, ____ is the only steg tool. | Outguess |
| ____ has also been used to protect copyrighted material by inserting digital watermarks into a file. | Steganography |
| When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations. | copyright |
| Under copyright laws, computer programs may be registered as ____. | literary works |
| Under copyright laws, maps and architectural plans may be registered as ____. | pictorial, graphic, and sculptural works |
| A graphics program creates and saves one of three types of image files: bitmap, vector, or ____________________. | metafile |
| ____________________ is the process of coding of data from a larger form to a smaller form. | Data compression |
| The ____________________ is the best source for learning more about file formats and their associated extensions. | internet |
| All ____________________ files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 2A. | TIFF |
| The two major forms of steganography are ____________________ and substitution. | insertion |
| ____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program. | Network forensics |
| ____ forensics is the systematic tracking of incoming and outgoing traffic on your network. | Network |
| A common way of examining network traffic is by running the ____ program. | Tcpdump |
| ____ is a popular network intrusion detection system that performs packet capture and analysis in real time. | Snort |
| ____ is the U.S. DoD computer forensics lab’s version of the dd command that comes with Knoppix-STD. | dcfldd |
| ____ are devices and/or software placed on a network to monitor traffic. | Packet sniffers |
| Most packet sniffers operate on layer 2 or ____ of the OSI model. | 3 |
| ____ is the text version of Ethereal, a packet sniffer tool. | Tethereal |
| The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers. | Honeynet |
| Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack. | zombies |
| E-mail messages are distributed from one central server to many connected client computers, a configuration called ____. | client/server architecture |
| With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk. | GUI |
| When working in a Windows environment, you can press ____ to copy the selected text to the clipboard. | Ctrl+C |
| To retrieve an Outlook Express e-mail header, right-click the message, and then click ____ to open a dialog box showing general information about the message. | Properties |
| In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____. | .pst |
| ____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names. | www.freeality.com |
| ____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside. | /etc/sendmail.cf |
| Typically, UNIX installations are set to store logs such as maillog in the ____ directory. | /var/log |
| In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk. | checkpoint |
| The Novell e-mail server software is called ____. | GroupWise |
| Developed during WWII, this technology, ____, was patented by Qualcomm after the war. | CDMA |
| The ____ digital network divides a radio frequency into time slots. | TDMA |
| TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life. | IS-136 |
| Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips. | EEPROM |
| ____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM. | SIM |
| ____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth. | PDAs |
| The file system for a SIM card is a ____ structure. | hierarchical |
| The SIM file structure begins with the root of the system (____). | MF |
| Paraben Software is a leader in mobile forensics software and offers several tools, including ____, which can be used to acquire data from a variety of phone models. | Device Seizure |
| In a Windows environment, BitPim stores files in ____ by default. | My Documents\BitPim |