CySA+ Final - Study Guide 2022 (Complete Solution)
Which format does dd produce files in?
A. ddf
B. RAW
C. EN01
D. OVF - B. dd creates files in RAW, bit-by-bit format. EN01 is the EnCase forensic file format, OVF is a virtualization file format, and ddf is a made-up answer.
File remnants found in clusters that have been only partially rewritten by new files are in what type of space?
A. Outer
B. Slack
C. Unallocated space
D. Non-Euclidean - B. Slack space is the space that remains when only a portion of a cluster is used by a file. Data from previous files may remain in the slack space since it is typically not wiped or overwritten. Unallocated space is space on a drive that has not been made into part of a partition. Outer space and non-Euclidean space are not terms used for filesystems or forensics.
Mike is looking for information about files that were changed on a Windows system. Which of the following is least likely to contain useful information for his investigation?
A. The MFT
B. INDX files
C. Event logs
D. Volume shadow copies - C. Event logs do not typically contain significant amounts of information about file changes. The Master File Table and file indexes (INDX files) both have specific information about files, whereas volume shadow copies can help show differences between files and locations at a point in time.
Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this does not happen?
A. read blocker
B. drive cloner
C. write blocker
D. hash validator - C. Write blockers ensure that no changes are made to a source drive when creating a forensic copy. Preventing reads would stop you from copying the drive, drive cloners may or may not have write blocking capabilities built in, and hash validation is useful to ensure contents match but doesn't stop changes to the source drive from occurring.
Frederick wants to determine if a thumb drive was ever plugged into a Windows system. How can he test for this?