95 Questions
What is the maximum number of primary partitions supported by the MBR system?
4
In the context of secondary storage media, what is the purpose of partitioning a hard drive?
Allocating sectors and clusters to files or partitions
Which system has a storage limit that can handle disks larger than 2TB?
GUID Partition Table (GPT)
What is the significance of understanding the physical size of storage media in forensic examination?
To consider potential data recovery
What property must a hash algorithm have to be considered secure?
Collision resistance
What is the main purpose of hashing in data security?
Ensuring data integrity and security
What is the role of acquired computer memory in forensic examination?
Storing detailed information related to the computer's recent activities
Why is RAM considered a good evidence source in forensic examination?
It is harder for a suspect to deny responsibility for the information found
In little-endian order of storage, where is the least significant byte of a word stored?
At the smallest memory address
Which operating system architecture typically runs on little-endian systems?
Windows
Which CPU architecture is widely used in smartphones, tablets, and personal computers and can operate in both big-endian and little-endian mode?
ARM
Which forensic tool can be used to extract and analyze Windows registry hives?
Exterro/FTK Reg Viewer
Which part of the Windows registry contains user-specific information such as browser settings and application data?
NTUSER.dat Hive (HKEY_CURRENT_USER)
Which cryptographic technique involves the use of same key to transform data into ciphertext and vice-versa?
Symmetric Encryption
What does hashing employ one-way functions for?
To produce hash values from plaintext
What is important about a hash function's property of being one-way?
It makes it impossible to derive plain text from ciphertext
Which HW architecture pairs both use big-endian architecture?
SPARC, PowerPC
What kind of network byte order is commonly used in TCP/IP networks?
Big-endian
What does the 'trim' technology do, particularly in SSDs?
It overwrites unallocated clusters,enhancing data deletion and allowing faster direct write operations in the future.
Where is the Master File Table (MFT) located?
In the partition boot sector
What happens when a file is deleted?
Its MFT record is removed, but the data in the clusters remains until overwritten
What does big-endian format refer to in terms of data ordering?
The most significant byte of a word is stored at the smallest memory address
What defines resident files in NTFS?
Files contained directly in the Master File Table (MFT)
What distinguishes non-resident files in NTFS from resident files?
Non-resident files are stored in allocated clusters and their addresses are mentioned in the MFT
What is significant about compound files when it comes to forensic examination?
They cannot be fully examined when they are in their 'packed' state
What does the hexadecimal representation of data signify?
Data represented in groups of bits for storage on storage media
Which is true for the GUID partitioning when it comes to compatibility?
It works with UEFI-based systems and has limited compatibility with older BIOS systems
What makes hard drives potentially recoverable even after being reformatted?
Only the partition table is removed, leaving data recoverable until overwritten
What type of information does EXIF data NOT provide for forensic examiners?
File last access and last modification details
What type of information is included in file system metadata?
File creation date and last modification details
What type of event is tracked by Event ID 4624?
User logons
Where can log files from applications be found for forensic examination?
ProgramData folder
What type of information can log files from applications provide for forensic examination?
User activities, messages and history
Which event tracks time changes and describes the name of the user account that changed the time settings?
Event ID 4116
Where are the log files located for Event Viewer on a computer used for analysis?
[SystemRoot]\Windows\System32\winevt\Logs
Where can USB device connection events be found apart from registry and event logs?
[SystemRoot]\Windows\INF
What is the purpose of examining the Windows registry key called 'MountedDevices'?
To reveal information about any connected USB devices
Which folder contains the log file setupapi.dev.log?
[SystemRoot]\Windows\INF
What type of event does Event ID 4634 track?
User logoffs
In which folder can log files from applications (that do not use the Windows event management system) be found?
[SystemRoot]\users\[user profile name]\AppData
Where is the prefetch data stored?
C:/Windows/Prefetch
Which tool is often used for inspecting Windows shellbags?
Shellbags explorer by Eric Zimmerman
What do .lnk files contain details about?
Location of the target file and time of access
What can MRU keys provide insights into?
User activities and events on the computer
Where are shellbags stored?
/AppData/Local/Microsoft/Windows
Which area does prefetching aim to enhance?
Application performance
What purpose do Prefetch files serve from a forensics perspective?
Identifying how many times an executable was run and when it was last run.
What can shellbags serve as evidence of?
Deleted folders and network shares information
Besides criminal forensics, where can shellbags be useful?
Intrusion detection and revealing user account compromise
What is the significance of .lnk files in forensic analysis?
Providing details about the location of the target file and time of access
What kind of information does the 'Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU' key track?
Most recent network drives that were mapped
What does the 'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU' key record?
Recently opened files using file explorer
What type of data does the 'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU' key track?
Recently used applications and folder paths used by these applications to open files
What type of data does the 'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' key track?
Most recent stuff typed into the 'Run' dialogue
What is the primary functionality of Thumbcache in Windows folders?
Stores thumbnails of pictures to enable quicker previewing of images
What happens to Thumbcache entries when the actual images are deleted from the system?
They are not deleted
'MRUList' and 'MRUListEx' in MRU keys describe what aspect of the events?
The order in which the events first occurred
How are events recorded in 'MRUListEx' keys different from those in regular 'MRUList' keys?
They use hexadecimal data format and store numbers in DWORD format
What is the purpose of hashing in forensic examination?
To validate data integrity
What is the main focus of decryption attacks in forensic examination?
Targeting encryption or hashing algorithms' weaknesses
What is the purpose of creating a text index in digital forensics?
To allow for efficient searching using keywords or regular expressions
What is the primary advantage of live searches in digital forensics?
They provide flexibility without constraints by a precomputed index
What is the main challenge associated with index searches in digital forensics?
It may be challenging to find strings containing signs not considered letters during indexing
What role does the indexing and searching techniques play in digital forensic investigations?
They facilitate rapid keyword searches and utility in password cracking
What is the purpose of IOMMU and VT-d technologies?
To isolate virtual machines for better security and device control
How do cold boot attacks differ from other memory collection techniques?
They offer the potential to obtain the full contents of memory but require restarting the victim computer
What is the physical property of RAM modules that allows data remanence in cold boot attacks?
Their ability to retain data even after power is turned off
What is the function of the Inception FPGA?
To emulate hardware for DMA attacks
What are the limitations of most DMA attacks?
Inability to access modern computers with larger memory capacities
What does cooling RAM modules achieve in cold boot attacks?
It slows down the degradation of data held in memory cells
What is the purpose of GPUs in password cracking?
To quickly compare a large number of password candidates against a given hash
What is the purpose of Uncovering Patterns and Behaviors in Password Creation?
To categorize passwords based on strategies used for their creation, enabling easier guessing
What is the significance of Collecting Volatile Memory (RAM) Dumps?
It provides access to encryption keys and decrypted data for forensic analysis
What is the goal of DMA Attacks?
To gain Read/Write access to the computer's RAM using interfaces like Firewire and Thunderbolt
What is file carving in the context of computer forensics?
The process of extracting data from storage media without relying on the file system used in the creation of the file
What do JPEG files start with and end with, based on their file type characteristics?
Start with binary value Oxffd8 and end with binary value Oxffd9
What are the key components of a JPEG file's structure?
Sequence of data chunks and marker value in big endian byte format
What does the term 'JPEG' stand for?
Joint Photographic Experts Group
What is the primary purpose of the BMP file format?
To store images on Windows operating systems
Which version of the GIF format supports features like background transparency and delay times?
GIF 89a
What do PNG files support in terms of color and transparency?
24-bit true color with transparency in both normal and alpha channels
What is the main advantage of PDF files in terms of device independence?
They enable users to view, save, and print documents across different platforms and operating systems
Where does the hex value of a GIF image file start?
'47 49 46'
What type of compression does JPEG use?
Lossy compression for digital images
What is the purpose of the RGBQUAD array in BMP files?
To support bitmaps with 24 color bits
What do GIF files contain?
'Header', 'image data', 'optional metadata', and 'footer'
What does PNG stand for?
Portable Network Graphics
Which organization created the JPEG standard?
Joint Photographic Experts Group
What do BMP files always have as the first characters in a hexadecimal representation?
'42 4d'
What hexadecimal values represent the signature for a PDF file?
25 50 44 46
What does the xref table in a PDF file allow?
Random access to objects
What is the signature format for old MS Office document formats (1997-2003)?
D0 CF 11 E0 A1 B1 1A E1
What is the structure of the new MS Office document formats (2007-present)?
ZIP-compressed XML files
What does the hex signature starting with 50 4B 03 04 indicate in MS Office document formats?
ZIP file format
What does the old MS Office Excel Spreadsheet format (.xls) have in common with Word Document (.doc) and PowerPoint Presentation (.ppt) formats?
Similar hex signature D0 CF 11 E0 A1 B1 1A E1
Make Your Own Quizzes and Flashcards
Convert your notes into interactive study material.
Get started for free
