CIS 562 Week 11 Final Exam – Strayer New
Chapters 7 Through 16
Chapter 7: Current Computer Forensics Tools
TRUE/FALSE
1. When you research for computer forensics
tools, strive for versatile, flexible, and robust tools that provide technical
support.
2. In software acquisition, there are three
types of data-copying methods.
3. To help determine what computer forensics
tool to purchase, a comparison table of functions, subfunctions, and vendor
products is useful.
4. The Windows platforms have long been the
primary command-line interface OSs.
5. After retrieving and examining evidence data
with one tool, you should verify your results by performing the same tasks with
other similar forensics tools.
MULTIPLE CHOICE
1. Computer forensics tools are divided into ____ major categories.
a. 2
b. 3
c. 4
d. 5
2. Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.
a. backup file
b. firmware
c. image file
d. recovery copy
3. To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable.
a. UNIX
b. Mac OS X
c. Linux
d. MS-DOS
4. Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command.
a. rawcp
b. dd
c. d2dump
d. dhex
5. ____ of data involves sorting and searching through all investigation data.
a. Validation
b. Discrimination
c. Acquisition
d. Reconstruction
6. Many password recovery tools have a feature that allows generating potential lists for a ____ attack.
a. brute-force
b. password dictionary
c. birthday
d. salting
7. The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk.
a. partition-to-partition
b. image-to-partition
c. disk-to-disk
d. image-to-disk
8. To complete a forensic disk analysis and examination, you need to create a ____.
a. forensic disk copy
b. risk assessment
c. budget plan
d. report
9. The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems.
a. Apple
b. Atari
c. Commodore
d. IBM
10. In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network.
a. Dir
b. ls
c. Copy
d. owner
11. In general, forensics workstations can be divided into ____ categories.
a. 2
b. 3
c. 4
d. 5
12. A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____.
a. stationary workstation
b. field workstation
c. lightweight workstation
d. portable workstation
13. ____ is a simple drive-imaging station.
a. F.R.E.D.
b. SPARC
c. FIRE IDE
d. DiskSpy
14. ____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.
a. Drive-imaging
b. Disk editors
c. Workstations
d. Write-blockers
15. Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0, and SCSI controllers.
a. USB
b. IDE
c. LCD
d. PCMCIA
16. The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
a. CFTT
b. NIST
c. FS-TST
d. NSRL
17. The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.
a. ISO 3657
b. ISO 5321
c. ISO 5725
d. ISO 17025
18. The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.
a. NSRL
b. CFTT
c. FS-TST
d. PARTAB
19. The primary hash algorithm used by the NSRL project is ____.
a. MD5
b. SHA-1
c. CRC-32
d. RC4
20. One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex.
a. disk imager
b. write-blocker
c. bit-stream copier
d. disk editor
21. Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file's contents.
a. testing, compressed
b. scanning, text
c. testing, pdf
d. testing, doc
COMPLETION
1. Software forensic tools are grouped into
command-line applications and ____________________ applications.
2. The Windows application of EnCase requires
a(n) ____________________ device, such as FastBloc, to prevent Windows from
accessing and corrupting a suspect disk drive.
3. The ____________________ function is the most
demanding of all tasks for computer investigators to master.
4. Because there are a number of different
versions of UNIX and Linux, these platforms are referred to as
____________________ platforms.
5. Hardware manufacturers have designed most
computer components to last about ____________________ months between failures.
MATCHING
Match each item with a statement below
a. JFIF
b. Lightweight workstation
c. Pagefile.sys
d. Salvaging
e. Raw data
f. PDBlock
g. Norton DiskEdit
h. Stationary workstation
i. SafeBack
1. letters embedded near the beginning of all
JPEG files
2. European term for carving
3. a direct copy of a disk drive
4. usually a laptop computer built into a
carrying case with a small selection of peripheral options
5. one of the first MS-DOS tools used for a
computer investigation
6. software-enabled write-blocker
7. system file where passwords may have been
written temporarily
8. a tower with several bays and many peripheral
devices
9. command-line disk acquisition tool from New
Technologies, Inc.
SHORT ANSWER
1. What are the five major function categories
of any computer forensics tool?
2. Explain the validation of evidence data
process.
3. What are some of the advantages of using
command-line forensics tools?
4. Explain the advantages and disadvantages of
GUI forensics tools.
5. Illustrate how to consider hardware needs
when planning your lab budget.
6. Describe some of the problems you may
encounter if you decide to build your own forensics workstation.
7. Illustrate the use of a write-blocker in a Windows environment.
8. Briefly explain the NIST general approach for
testing computer forensics tools.
9. Explain the difference between repeatable
results and reproducible results.
10. Briefly explain the purpose of the NIST NSRL
project.
Chapter 8: Macintosh and Linux Boot Processes and File Systems
TRUE/FALSE
1. If a file contains information, it always
occupies at least one allocation block.
2. Older Macintosh computers use the same type
of BIOS firmware commonly found in PC-based systems.
3. GPL and BSD variations are examples of open-source
software.
4. A UNIX or Linux computer has two boot blocks,
which are located on the main hard disk.
5. Under ISO 9660 for DVDs, the Micro-UDF
(M-UDF) function has been added to allow for long filenames.
MULTIPLE CHOICE
1. Macintosh OS X is built on a core called ____.
a. Phantom
b. Panther
c. Darwin
d. Tiger
2. In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.
a. resource
b. node
c. blocks
d. inodes
3. The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is ____.
a. 32,768
b. 45,353
c. 58,745
d. 65,535
4. On older Macintosh OSs all information about the volume is stored in the ____.
a. Master Directory Block (MDB)
b. Volume Control Block (VCB)
c. Extents Overflow File (EOF)
d. Volume Bitmap (VB)
5. With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
a. Extents overflow file
b. Volume Bitmap
c. Master Directory Block
d. Volume Control Block
6. On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB).
a. volume information block
b. extents overflow file
c. catalog
d. master directory block
7. Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement.
a. AIX
b. BSD
c. GPL
d. GRUB
8. The standard Linux file system is ____.
a. NTFS
b. Ext3fs
c. HFS+
d. Ext2fs
9. Ext2fs can support disks as large as ____ TB and files as large as 2 GB.
a. 4
b. 8
c. 10
d. 12
10. Linux is unique in that it uses ____, or information nodes, that contain descriptive information about each file or directory.
a. xnodes
b. extnodes
c. infNodes
d. inodes
11. To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of ____.
a. -1
b. 0
c. 1
d. 2
12. ____ components define the file system on UNIX.
a. 2
b. 3
c. 4
d. 5
13. The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive.
a. superblock
b. data block
c. boot block
d. inode block
14. LILO uses a configuration file named ____ located in the /Etc directory.
a. Lilo.conf
b. Boot.conf
c. Lilo.config
d. Boot.config
15. Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of OSs.
a. 1989
b. 1991
c. 1994
d. 1995
16. On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive.
a. /dev/sda1
b. /dev/hdb1
c. /dev/hda1
d. /dev/ide1
17. There are ____ tracks available for the program area on a CD.
a. 45
b. 50
c. 99
d. 100
18. The ____ provides several software drivers that allow communication between the OS and the SCSI component.
a. International Organization of Standardization (ISO)
b. Advanced SCSI Programming Interface (ASPI)
c. CLV
d. EIDE
19. All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard ____ ribbon or shielded cable.
a. 40-pin
b. 60-pin
c. 80-pin
d. 120-pin
20. ATA-66, ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable.
a. 70
b. 83
c. 96
d. 100
21. The IDE ATA controller on an old 486 PC doesn't recognize disk drives larger than 8.4 ____.
a. KB
b. MB
c. GB
d. TB
COMPLETION
1. Before OS X, Macintosh used the ____________________, in which files are stored in directories, or folders, that can be nested in other folders.
2. The Macintosh file system has
____________________ descriptors for the end of file (EOF).
3. ____________________ is a journaling version
of Ext2fs that reduces file recovery time after a crash.
4. When you turn on the power to a UNIX
workstation, instruction code located in firmware on the system’s CPU loads
into RAM. This firmware is called ____________________ code because it’s
located in ROM.
5. CD players that are 12X or faster read discs
by using a(n) _____________________ system.
MATCHING
Match each item with a statement below
a. File Manager
b. Inode blocks
c. ISO 9660
d. LILO
e. Clumps
f. Volume
g. ls
h. Catalog
i. Finder
1. older Linux boot manager utility
2. Macintosh tool that works with the OS to keep
track of files and maintain users’ desktops
3. any storage medium used to store files
4. the list command on Linux
5. maintains relationships between files and
directories on a volume on a Mac OS
6. the first data after the superblock on a UNIX
or Linux file system
7. ISO standard for CDs
8. Mac OS utility that handles reading, writing,
and storing data to physical media
9. groups of contiguous allocation blocks
SHORT ANSWER
1. Explain the relation between allocation blocks and logical blocks on a Mac OS file system.
2. Explain the use of B*-trees on the Mac OS 9 file system.
3. Explain the use of forensic tools for
Macintosh systems.
4. What are the functions of the superblock on a
UNIX or Linux file system?