lab 25

Question 1

How many formattable partitions are displayed by fdisk for this drive image?

1
3
5
6

Answer 1

5

Question 2

What are possible explanations of the unaccounted for sectors from the extended partition? (Select two)

Unused space not allocated to a logical drive
Bad sectors on the original storage device
A hidden logical drive
The image is not in raw format

Answer 2

Unused space not allocated to a logical drive
A hidden logical drive

Question 3

What are the names of the recovered files that are in sub-directories?

frag1.dat
frag3.dat
mult2.dat
sing1.dat

Answer 3

frag3.dat
mult2.dat

Question 4

Which recovered image file includes cats?

haxor2.jpg
paul.jpg
pumpkin.jpg
shark.jpg

Answer 4

pumpkin.jpg

Question 5

What is the maximum number of primary partitions that can be defined on an MBR drive if logical drives are in use?

1
2
3
4

Answer 5

3

Question 6

Which of the following are tools from The Sleuth Kit (TSK)? (select all that apply)

tsk_recover
fsstat
fls
istat
mmls

Answer 6

tsk_recover
fsstat
fls
istat
mmls

Question 7

What is the forensic process of recovering access to files that are otherwise inaccessible due to corruption, partial data loss (especially headers), deletion, or partition structure damage?

Data exfiltration
File carving
Acquisition
Evidence seizure

Answer 7

File carving

Question 8

What is an IoC that reveals the presence of a hidden partition?

Unused space in an extended partition
Corrupted MBR
Use of a GPT header
Only having 4 primary partitions

Answer 8

Unused space in an extended partition

Question 9

What is a file system metadata structure that is used to store and organize file object information, such as file size, owner user, group IDs, permissions, and timestamps?

partition
sector
inode
MBR

Answer 9

inode