Forensics CIT 430 Test 2 Exam 33 Questions with Answers
List two commercial computer forensic duplication and analysis tools. - CORRECT ANSWER 1. EnCase
2. FTK (Forensic Toolkit)
What is a write blocker? - CORRECT ANSWER A device (or driver) placed between the examiner's machine and a suspect drive that passes reads through but blocks all writes, so the drive's contents cannot be altered, even accidentally, during acquisition.
What is a drive adapter? - CORRECT ANSWER A device used as a forensic bridge to connect a notebook (2.5-inch) IDE hard disk to the examiner's machine.
What does DD stand for? - CORRECT ANSWER Commonly expanded as "Data Dump" (the name is generally traced to the IBM JCL DD, data definition, statement, whose option=value syntax dd imitates).
How to list the partition info (size, starting address, etc.) of a hard disk? - CORRECT ANSWER fdisk -l
How to create an ext2/ext3 file system on a hard disk? - CORRECT ANSWER mkfs.ext2 /dev/xxx1
mkfs.ext3 /dev/xxx1
How to copy the suspect's hard disk into one file? - CORRECT ANSWER dd if=/dev/xxx of=/tmp/file-name (in practice, with the source behind a write blocker, plus bs= and conv=noerror,sync for a disk with bad sectors, and a hash of source and image afterwards to prove the copy is exact)
How to restore the image of a hard disk stored in a file back to a hard disk if needed? - CORRECT ANSWER dd if=/tmp/file-name of=/dev/xxx
How to copy just one partition of the suspect's disk into one file? - CORRECT ANSWER dd if=/dev/xxx1 of=/tmp/file-name
How to restore the image of a partition back to a hard disk if needed? - CORRECT ANSWER dd if=/tmp/file-name of=/dev/xxx1 (the target is the partition, not the whole disk)
How to do the disk or partition duplication above over the network? - CORRECT ANSWER Start the listener on the destination computer first:
nc -l -p 9999 | dd of=/dev/yyy bs=32k
Then on the source computer, sending to the same port:
dd if=/dev/xxx bs=32k | nc ip_address_of_destination_computer 9999
(The -p form is traditional/GNU netcat; OpenBSD nc uses nc -l 9999. The transfer is unencrypted and unauthenticated, so do it on an isolated acquisition network and hash both ends afterwards.)
How to wipe a disk with zeros? - CORRECT ANSWER dd if=/dev/zero of=/dev/xxx
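The acquisition, verification and partition-extraction steps above as one runnable script. This is an added example, not part of the course notes: the "suspect disk" is a constructed 4 MiB file of random bytes standing in for /dev/xxx, so it runs without root or hardware, and the partition boundaries (sectors 2048 to 4095) are made up in place of what fdisk -l would report. The conv=noerror,sync flags are the ones defined in the dd parameter list further down this page; the script assumes GNU coreutils sha256sum or Perl shasum for hashing.

```shell
#!/bin/sh
# Added example: image a "suspect disk" with dd, verify the image by hash,
# then carve one partition out of the image. The disk is a constructed
# file (not a real device), so this runs as an ordinary user.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DISK="$WORK/suspect.raw"     # stands in for /dev/xxx
IMAGE="$WORK/suspect.dd"     # stands in for /tmp/file-name

# Constructed sample disk: 4 MiB of random bytes = 8192 sectors of 512 bytes.
dd if=/dev/urandom of="$DISK" bs=4096 count=1024 2>/dev/null

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Acquisition: 'dd if=/dev/xxx of=/tmp/file-name' plus the options a copy of
# a possibly failing disk needs. noerror keeps reading past bad sectors;
# sync pads each short read with NULs to a full block so every byte in the
# image stays at the same offset as on the source.
# Caveat: sync also pads a final partial block when the source size is not a
# multiple of bs, which would change the image hash. Pick a bs that divides
# the source size (512 always does) or truncate the image to the source size.
acquire() {
    dd if="$1" of="$2" bs=65536 conv=noerror,sync 2>/dev/null
}

# Verification: the copy is a forensic duplicate only if its hash equals the
# source's. Prints both and returns non-zero on mismatch.
verify() {
    src=$(sha256_of "$1")
    img=$(sha256_of "$2")
    printf 'source %s\nimage  %s\n' "$src" "$img"
    [ "$src" = "$img" ]
}

# Extract one partition from the full-disk image rather than touching the
# suspect disk again. In a real case $3/$4 are the start sector and size in
# sectors from 'fdisk -l IMAGE'; here they are constructed values.
extract_partition() {
    # $1 image, $2 output file, $3 start sector, $4 number of sectors
    dd if="$1" of="$2" bs=512 skip="$3" count="$4" 2>/dev/null
}

acquire "$DISK" "$IMAGE"
verify "$DISK" "$IMAGE"
extract_partition "$IMAGE" "$WORK/part1.dd" 2048 2048
echo "partition image: $(wc -c < "$WORK/part1.dd" | tr -d ' ') bytes"
```

Run it as is; on a real case replace $DISK with the write-blocked device, record both hashes in the case notes, and take the sector numbers for extract_partition from fdisk -l run against the image file.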
What is Qualified Forensic Duplicate? - CORRECT ANSWER A qualified forensic duplicate is a file that contains every bit of information from the source, but may be stored in an altered form
What is an inode? - CORRECT ANSWER An inode (index node) is the on-disk data structure that holds a file's metadata. It does not contain the file's data (that lives in the blocks it points to) or the file's name (that lives in a directory entry).
What info does an inode contain? - CORRECT ANSWER -The size of the file in bytes.
-The file's physical location (the addresses of the blocks of
storage containing the file's data on the disk).
-The file's permissions.
-The Device ID
-The User ID of the file's owner.
-The Group ID of the file.
-Timestamps (ctime,mtime and atime).
-A reference count telling how many hard links point to the inode.
Directories are implemented as a special type of file in Linux. What is in a directory entry? - CORRECT ANSWER A directory entry maps a file name to an inode number; that pairing is all the directory stores about the file.
What is the command in Linux to find the inode number of a file? - CORRECT ANSWER ls -i
How to use debugfs to recover deleted files? - CORRECT ANSWER debugfs -w /dev/xxx1 (or the image file); the -w switch opens the file system read-write. lsdel lists deleted inodes, and mi <inode> modifies one: set the link count from 0 back to 1 and the deletion time back to 0, then run e2fsck so the block and inode bitmaps agree again. Do this on a working copy, never on the original evidence; dump <inode> outfile extracts the contents without writing to the file system at all. This works on ext2; ext3/ext4 zero the inode's block pointers on deletion, so the inode alone no longer leads to the data.
What is the Link Count in an inode? - CORRECT ANSWER A reference count of how many directory entries (hard links) point to the inode. Symbolic links do not add to it. When it reaches 0 and no process holds the file open, the inode and its data blocks are freed.
What are symbolic links? - CORRECT ANSWER A separate file, with its own inode, whose content is a path naming another file; the system follows that path when the link is opened. If the target is removed, the link remains but dangles.
How to find the type of a file regardless of the file extension? - CORRECT ANSWER file <filename>, e.g. cd /target; file * to identify every file under /target. file reads the content (magic numbers) instead of trusting the extension.
DD Parameter
"IF" - CORRECT ANSWER Designates the input file (a device, a partition, or an image file)
DD Parameter
"OF" - CORRECT ANSWER Designates the output file
DD Parameter
"conv=" - CORRECT ANSWER conv=FLAG[,FLAG...] passes a comma-separated list of conversion flags, e.g. conv=noerror,sync
DD Parameter
"notrunc" - CORRECT ANSWER Tells dd not to truncate the output file to the length written; needed when writing into an existing file (for example patching a region of an image with seek=) that must keep its original size
DD Parameter
"noerror" - CORRECT ANSWER Tells dd not to stop duplicating when an error is encountered.
DD Parameter
"sync" - CORRECT ANSWER Tells dd to pad every short input block (including one that could not be read, when combined with noerror) with zero bytes up to the full block size, so offsets in the output match the source
DD Parameter
"bs" - CORRECT ANSWER Specifies the block size, by default it is 512 bytes.
How to wipe a disk with random numbers? - CORRECT ANSWER dd if=/dev/urandom of=/dev/xxx
How to wipe a disk with patterns? - CORRECT ANSWER yes | dd of=/dev/xxx (writes the repeating "y" lines; yes <string> | dd of=/dev/xxx writes any chosen pattern)
What are hard links? - CORRECT ANSWER Additional directory entries (names) that point to an existing inode. Every hard link is an equal name for the same data; there is no "original", and the data stay on disk until the link count drops to 0.
The difference between dd_rescue and DD : - CORRECT ANSWER dd_rescue can read the disk forwards for normal duplication and also backwards (-r), which helps get past a damaged region; dd cannot read in reverse. dd_rescue also keeps going on read errors by default and drops to a smaller block size around bad sectors, where dd needs conv=noerror,sync. dd_rescue is also a better (faster) tool for cleansing drives you may recycle.
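The inode, directory entry, link count, hard link and symbolic link answers above, observed from Python rather than recited. This is an added example, not from the course notes: it builds a file with constructed content in a temporary directory, adds a hard link and a symbolic link, reads the inode fields the notes list through os.lstat, lists the directory the way ls -i does, and then unlinks the original name to show the link count dropping while the data survive. It assumes a POSIX file system that supports hard links (any normal Linux file system does).

```python
"""Added example: what an inode holds and how links affect it.

Not part of the course notes. Runs entirely in a throwaway temporary
directory with constructed content; no evidence drive is involved.
"""
import os
import shutil
import stat
import tempfile


def inode_fields(path):
    """Return the inode properties listed in the notes, read with os.lstat.

    Note what is absent: the file name (kept in the directory entry) and
    the file data (kept in the blocks the inode points to).
    """
    st = os.lstat(path)
    return {
        "inode": st.st_ino,
        "size": st.st_size,
        "permissions": stat.filemode(st.st_mode),
        "device_id": st.st_dev,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "atime": st.st_atime,
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
        "link_count": st.st_nlink,
    }


def directory_entries(directory):
    """The 'ls -i' view: each directory entry is (inode number, name)."""
    with os.scandir(directory) as it:
        return sorted((entry.inode(), entry.name) for entry in it)


def link_demo():
    """Create a file, a hard link and a symlink, then delete the original name."""
    work = tempfile.mkdtemp()
    try:
        content = b"constructed sample content\n"  # constructed, not evidence
        original = os.path.join(work, "evidence.txt")
        with open(original, "wb") as f:
            f.write(content)
        hard = os.path.join(work, "evidence.hard")
        sym = os.path.join(work, "evidence.sym")
        os.link(original, hard)    # second directory entry -> same inode
        os.symlink(original, sym)  # new inode whose content is a path

        r = {}
        orig_st = os.stat(original)
        r["hard_link_same_inode"] = os.stat(hard).st_ino == orig_st.st_ino
        r["link_count_after_link"] = orig_st.st_nlink
        r["fields_agree"] = inode_fields(hard)["inode"] == orig_st.st_ino
        # lstat looks at the symlink itself; stat would follow it to the target
        r["symlink_has_own_inode"] = os.lstat(sym).st_ino != orig_st.st_ino
        r["symlink_is_path"] = os.readlink(sym) == original
        # following the symlink lands on the original inode, still with 2 links
        r["symlink_not_counted"] = os.stat(sym).st_nlink == 2
        r["dir_entries_to_one_inode"] = sum(
            1 for ino, _ in directory_entries(work) if ino == orig_st.st_ino)

        # Deleting the original name removes one directory entry and
        # decrements the link count; the data survive while the count > 0.
        os.unlink(original)
        r["link_count_after_unlink"] = os.stat(hard).st_nlink
        with open(hard, "rb") as f:
            r["data_still_readable"] = f.read() == content
        # the symlink still exists as a file but now points at nothing
        r["symlink_dangling"] = os.path.islink(sym) and not os.path.exists(sym)
        return r
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for key, value in link_demo().items():
        print(f"{key}: {value}")
```

The point for an examiner: deleting a name is not deleting a file. As long as any hard link remains the inode and its blocks are intact, and a symbolic link is evidence of a path a user referenced, not of the data itself.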
The difference between dcfldd and DD : - CORRECT ANSWER -It provides built-in hashing (MD5 by default; SHA-1/SHA-256/SHA-384/SHA-512 via hash=) so the copy is authenticated while it is being made, instead of with a separate md5sum pass.
-Among the options it adds to traditional dd:
----hashwindow=BYTES : hash every BYTES of data as a separate window and report each window's hash (0, the default, hashes the whole stream once)
----hashlog=FILE : write the hashes to FILE instead of the terminal, so they can go straight into the case notes
----vf=FILE : verify that the input matches FILE after copying