Eric Gibson Jr.
Forensics
Labs 1 and 2
1.1
1.
2.
3.
4.
5.
C – Help computer forensics investigators locate potential digital evidence.
C – All of the above
A – Hexadecimal value mathematically obtained from a file.
B – The KFF stores file signatures and hashes of popular software products
A – Allows investigators to concentrate on files changed by the suspect.
1.
2.
3.
4.
5.
D – Encrypted files
A – Hard disk images that can be analyzed by forensic software.
C – The image file can be examined without damaging the original evidence.
B – FTK maintains the “chain of custody.”
C – Duplicating original data on storage devices for forensic analysis.
1.
2.
3.
4.
5.
B – HFS+
C – The camera manufacturer
B – RAID disk data
C – ProDiscover can create images that will run in VMware virtual machine
A – Running a guest operating system within another host operating system
1.
2.
3.
4.
5.
C – Booting the computer into the Windows environment
A – Account user names and passwords
D – A history of Internet sites visited
C – The registry does not contain password information
C–5
1.2
1.3
1.4
2
1. D – The MFT is not updated until all the file remnants have been overwritten with new data.
2. A – Recovering files that have been deleted but not overwritten.
3. D – 7
4. B – The MFT is updated to indicate free space when files are deleted.
5. B – Writing 0s and 1s to the file remnant locations.
2.2
1.
2.
3.
4.
D - .mft
B – Maintaining the original storage device integrity by preventing any changes to the evidence.
A – The ProDiscover image does not copy the MFT because it is not needed during analysis.
A – It is used to prevent any data or changes to be written to the original storage device
violating the “chain of custody.”
5. C
2.3
1.
2.
3.
4.
5.
A - .dd
C – CD or DVD
C - .eve images to ISO
D - .dd
C
1.
2.
3.
4.
5.
D - .eve
B – Is not optimized to search large volumes of data
A – Be small enough to fit on a floppy disk as a portable imaging tool
A – MD5
B
1.
2.
3.
4.
5.
B–7
3
C – Qtr 1 Emp
B - Online
B–2
2.4
2.5