Quiz Flashcards
(50 cards)
what is iptables used for
host based IP filtering
the following command tells you what?
grep ^$ file1.txt | wc-l
There are 30 blank lines in file1.txt
What is the expected output of the following command:
grep -v ‘^$’ message.txt
any line that is not a blank line in message.txt
Right now I can’t use ‘sudo’, what file needs to be updated to allow a regular user to run commands
/etc/sudoers
When working with a disk image containing an MBR, most Sleuthkit commands require information provided by what commands?
fdisk or mmls
In the following command what does the ‘.’ signify?
find . -name ‘myfile.txt’
start in current directory
What are the differences in systemd and BSD style init systems
systemd uses targets while BSD init uses runlevels
BSD runs linearly
systemd runs parallel
BSD uses text based
systemd uses binary system
Given the below forensic image containing two NTFS partitions, what will the following command display?
mmls suspect_image.raw
The offsets to each file system in the image
What is the sed command most often used for?
editing a stream of data, usually in ascii
What was Bash designed to be
A replacement to the original UNIX Bourne shell
In Regex, what symbol means “zero or one of the preceding characters?
?
- zero, one or more
+ - one or more
‘' - match previous or next character/group
- zero, one or more
What is the only linux distribution suitable for digital forensics?
all linux distributions can be configured to work for digital forensics, depending on the investigators needs
What file do you need to restart a ddrescue acquisition
map file
What information would you expect from the fls - Frd command
Example: fls -o 10260 -Frd able2.dd
-F (only files entries)
-d (deleted entries)
-r (recursive)
r/r - indicates the file type (r-regular, d-directory)
* - indicates the
file is deleted or unallocated,
Output:
r/r * 10063: var/log/xferlog.5
r/r * 10063: var/lock/makewhatis.lock
r/r * 2139: dev/ttYZ0/lrkn.tgz
d/r * 10071(realloc): dev/ttYZ0/lrk3
The first 10 characters of ‘ls -l’ are reserved for what information?
Example:
brw-rw—-
File type information and read(4)/write(2)/execute(1) permissions
the object is a block device file with permissions 660
True/False: lsblk will not show a flash based storage device because flash based devices are not recognized by the SCSI driver
False
Given a data block from a file system containing interesting text, I can determine the metadata entry (MFT entry, inode, etc.) that points to that data block using what command?
ifind with the -d option
What does the dd command do?
-can be used to restore a hard drive to a previous state, given a dd image previously collected from the same hd
-can be used to acquire disk images
-can be used to copy a file from one location to another
What information will be displayed when you add a metadata entry number to the fls command
display the contents of that directory / metadata entry number
What are the permissions for the octal value 774
rwxrwxr–
What does this command output:
xxd image.dd | grep ‘aad9bcf3’
it will output the occurrences of ascii ‘aad9bcf3’ if it is located in xxd output
what does the command ewfexport do
exports a virtual fuse mounted raw image
take an EWF file set and convert it to a bit stream image file, essentially removing the meta data and leaving us with the data in raw format, as with dd.
What command can be used to associate multiple partitions in the image to separate loop devices
losetup -Pr image.raw
losetup -P maps partitions within an image to separate loop devices that can then be mounted the same as any other volume
What command obtains a serial number from a USB flash drive
lsusb -v
