forensic computing final

Question 1

What are the types of file systems mentioned?

Answer 1

• NTFS
• FAT
• exFAT
• EXT
• HFS
• HFS+
• APFS

These file systems are used to organize and store data on storage devices.

Question 2

What is the purpose of file systems?

Answer 2

To organize and store data on storage services

They define how files are named, stored, and retrieved, and are applied when formatting a drive or partitioning it.

Question 3

What does FAT stand for?

Answer 3

File Allocation Table

It is the original file system in Windows, with FAT32 being commonly used today.

Question 4

What is the maximum file size supported by FAT32?

Answer 4

4GB

Question 5

What is exFAT commonly used for?

Answer 5

Large storage media, up to 256TB

It is often used in external devices like flash drives.

Question 6

What does NTFS stand for?

Answer 6

New Technology File System

It is the default file system for Windows and supports large partition sizes and file sizes.

Question 7

What are some features of NTFS?

Answer 7

• File permissions
• Encryption
• Compression
• Journaling

Question 8

What are Alternate Data Streams (ADS)?

Answer 8

Used in NTFS to store additional data with files

This can include metadata, malware, or other hidden data.

Question 9

What is EXT in the context of file systems?

Answer 9

Extended File System

Versions include ext2, ext3, and ext4, with ext4 being the most modern.

Question 10

What storage capacity does ext4 support?

Answer 10

1 exabyte (EB)

Question 11

What is the purpose of journaling in ext3 and ext4?

Answer 11

Helps protect against file corruption

Question 12

What is HFS+?

Answer 12

Apple’s file system used until 2017

It supports up to 8 exabytes of file size and volume size.

Question 13

What is APFS?

Answer 13

A newer file system introduced for SSDs

It supports 9 quintillion files.

Question 14

What happens to files when they are deleted?

Answer 14

They are not fully removed; space is marked as available for overwriting.

Question 15

What is data carving?

Answer 15

Recovering deleted files from unallocated space on a disk.

Question 16

What is the impact of wear leveling in SSDs?

Answer 16

Ensures even usage of memory cells, making data recovery harder over time.

Question 17

What is the recommended action for forensic imaging of SSDs?

Answer 17

Should be done as soon as possible to avoid data being overwritten.

Question 18

What does the Windows Registry store?

Answer 18

Configuration settings and options on Windows operating systems.

Question 19

What information does the Windows Registry contain?

Answer 19

• System hardware
• Installed software
• System settings
• User preferences

Question 20

Why is analyzing the Windows Registry important?

Answer 20

It helps identify timelines for system usage and evidence of deleted or modified files.

Question 21

What are some encryption tools mentioned?

Answer 21

• BitLocker (Windows)
• FileVault (Mac)
• VeraCrypt

Question 22

What is pre-boot authentication?

Answer 22

Prevents unauthorized access by requiring user authentication before the OS can boot.

Question 23

What do full disk encryption tools ensure?

Answer 23

The data on the entire disk is protected.

Question 24

What are advanced encryption algorithms used for?

Answer 24

For high security in encryption tools.

Question 25

What is a virtual machine (VM)?

Answer 25

Software implementations of physical machines that allow for running one OS within another.

Question 26

What are the types of hypervisors?

Answer 26

* Type 1 (bare metal) * Type 2 (hosted)

Question 27

What should forensic tools be evaluated on?

Answer 27

* Compatibility * Scripting support * Automation * Hashing capabilities

Question 28

What are some forensic tools mentioned?

Answer 28

* Autopsy * Encase * FTK

Question 29

What defines bitmap images?

Answer 29

Made up of pixels, with quality determined by resolution and color depth.

Question 30

What are examples of bitmap images?

Answer 30

* JPEG * PNG * GIF * BMP

Question 31

How do vector graphics differ from bitmap images?

Answer 31

Use mathematical formulas to describe shapes and lines, scalable without loss of quality.

Question 32

What are examples of vector graphics?

Answer 32

* SVG * AI (Adobe Illustrator)

Question 33

What is file compression?

Answer 33

* Lossless * Lossy

Question 34

What is lossless compression?

Answer 34

Preserves the original file without losing data. ## Footnote Example: PNG

Question 35

What is lossy compression?

Answer 35

Reduces file size by removing less important data. ## Footnote Example: JPEG

Question 36

What is file carving?

Answer 36

Forensic technique to recover deleted files even when file system metadata is damaged or missing.

Question 37

What does EXIF metadata store?

Answer 37

* Camera settings * Timestamp * GPS location

Question 38

What forensic tools can extract EXIF metadata?

Answer 38

* ExifReader * Magnet AXIOM

Question 39

What is steganography?

Answer 39

Practice of hiding information within files to avoid detection.

Question 40

What is steganalysis?

Answer 40

Refers to detecting and analyzing hidden data.

Question 41

What is digital watermarking?

Answer 41

Used to embed copyright information within images to identify the owner or source.

Question 42

What are examples of hashing algorithms?

Answer 42

* MD5 * SHA-1

Question 43

Why is hashing important in forensic computing?

Answer 43

Crucial for verifying the integrity of evidence and ensuring that no data has been altered during the forensic process.

Question 44

What is the effect of changing file extensions?

Answer 44

Alters the extension to mislead forensic tools.

Question 45

What is partition hiding?

Answer 45

Using tools like diskpart or EaseUS to hide partitions.

Question 46

What does bit-shifting do?

Answer 46

Changes the order of binary data to obscure it.

Question 47

What are live acquisitions?

Answer 47

Capture volatile data from a running system such as RAM, process lists, or active network connections.

Question 48

What tools are used for live acquisitions?

Answer 48

* FTK Imager * Memoryze * Belkasoft

Question 49

What are the steps for live acquisition?

Answer 49

* Capture RAM * Log actions * Ensure hash integrity of all files recovered

Question 50

What does network forensics involve?

Answer 50

Analyzing network traffic to detect intrusions or monitor suspicious activity.

Question 51

What are packet analyzers used for?

Answer 51

Capture and decode network packets to analyze network behavior. ## Footnote Examples: Wireshark, tcpdump

Question 52

What is a Type 1 hypervisor?

Answer 52

Runs directly on physical hardware. ## Footnote Example: VMware vSphere

Question 53

What is a Type 2 hypervisor?

Answer 53

Runs on top of an OS. ## Footnote Example: VirtualBox

Question 54

What should investigators acquire for VM forensics?

Answer 54

Forensic images of both the host and guest VMs.

Question 55

What are snapshots used for in VM forensics?

Answer 55

Capturing the state of a VM at a given point in time.

Question 56

What is Defense in Depth (DiD)?

Answer 56

A strategy involving multiple layers of security to protect data.

Question 57

What do investigators analyze to detect network intrusions?

Answer 57

Logs and network traffic.