



A comprehensive overview of key concepts related to macOS and Linux file systems, forensics tools, and disk storage. It includes multiple-choice questions and answers covering topics such as resource and data forks in macOS, file system improvements in Linux Ext4, password recovery in macOS, Disk Arbitration in macOS, and the functions of various forensic tools. Valuable for students studying computer science, cybersecurity, or digital forensics.
Typology: Exams
Explain the differences in resource and data forks used in macOS. - ANSWER The data fork stores a file's actual data and the resource fork contains file metadata and application information.
Which of the following is the main challenge in acquiring an image of a system running macOS? (Choose all that apply.) - ANSWER b. Vendor training is needed.
d. You need special tools to remove drives from a system running macOS or open its case.
To recover a password in macOS, which tool do you use? - ANSWER c. Keychain Access
What are the major improvements in the Linux Ext4 file system? - ANSWER It added support for partitions larger than 16 TB, improved management of large files, and offered a more flexible approach to adding file system features.
How does macOS reduce file fragmentation? - ANSWER By using clumps, which are groups of contiguous allocation blocks
Linux is the only OS that has a kernel. True or False? - ANSWER False
Hard links work in only one partition or volume. True or False? - ANSWER True
Which of the following Linux system files contains hashed passwords for the local system? - ANSWER d. /etc/shadow
Which of the following describes the superblock's function in the Linux file system? (Choose all that apply.) - ANSWER b. Specifies the disk geometry and available space
c. Manages the file system, including configuration information
What's the Disk Arbitration feature used for in macOS? - ANSWER It's used to disable and enable automatic mounting when a drive is connected via a USB or FireWire device.
In Linux, which of the following is the home directory for the superuser? - ANSWER b. root
Which of the following certifies when an OS meets UNIX requirements? - ANSWER c. The Open Group
On most Linux systems, current user login information is in which of the following locations? - ANSWER d. /var/log/utmp
Hard links are associated with which of the following? - ANSWER b. A specific inode
Which of the following describes plist files? (Choose all that apply.) - ANSWER a. You must have a special editor to view them.
c. They're preference files for applications.
Data blocks contain actual files and directories and are linked directly to inodes. True or False? - ANSWER True
Which of the following is a new file added in macOS? (Choose all that apply.) - ANSWER c. /var/db/diagnostics
d. /var/db/uuid.text
Forensics software tools are grouped into _________ and _______________ applications. - ANSWER GUI, command-line
The verification function does which of the following? - ANSWER c. Proves that two sets of data are identical via hash values
What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller? - ANSWER It enables you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive.
Building a forensic workstation is more expensive than purchasing one. True or False? - ANSWER False
A live acquisition can be replicated. True or False? - ANSWER False
Which of the following is true of most drive-imaging tools? (Choose all that apply.) - ANSWER b. They ensure that the original drive doesn't become corrupt and damage the digital evidence.
c. They create a copy of the original drive.
The standards for testing forensics tools are based on which criteria? - ANSWER c. ISO 17025
A log report in forensics tools does which of the following? - ANSWER c. Records an investigator's actions in examining a case
When validating the results of a forensics analysis, you should do which of the following? (Choose all that apply.) - ANSWER a. Calculate the hash value with two different tools.
b. Use a different tool to compare the results of evidence you find.
The primary hashing algorithm the NSRL project uses is SHA-1. True or False? - ANSWER True
On a Windows system, sectors typically contain how many bytes? - ANSWER b. 512
What does CHS stand for? - ANSWER cylinders, heads, sectors
Zone bit recording is how manufacturers ensure that the outer tracks store as much data as possible. True or False? - ANSWER False
Areal density refers to which of the following? - ANSWER c. Number of bits per square inch of a disk platter
Clusters in Windows always begin numbering at what number? - ANSWER 2
How many sectors are typically in a cluster on a disk drive? - ANSWER c. 4 or more
List three items stored in the FAT database. - ANSWER Answers can include file and directory names, starting cluster numbers, file attributes, and date and time stamps.
What does the Ntuser.dat file contain? - ANSWER This user-protected storage area contains the MRU files list and desktop configuration settings.
In FAT32, a 123 KB file uses how many sectors? - ANSWER The answer is 246 sectors. 123 x 1024 bytes per KB = 125,952 total bytes in the file. 125,952 bytes / 512 sectors per cluster = 246 sectors
What is the space on a drive called when a file is deleted? (Choose all that apply.) - ANSWER b. Unallocated space
d. Free space
List two features NTFS has that FAT does not. - ANSWER Answers can include Unicode characters, security, and journaling.
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? - ANSWER c. The file is unencrypted automatically.
What are the functions of a data run's field components in an MFT record? - ANSWER Declares how many bytes are required in the attribute field to store the number of bytes needed for the second and third components. The second component stores the number of clusters assigned to the data run, and the third component contains the starting cluster address value (the LCN or the VCN).