D2_3 Vid Flashcards

1
Q
A

Starts at Ex 13: Viewing Deleted Data - Pg 132
From this exercise, it seems whatever FTK Imager can do, HxD can also do.

03:31 One of the things we can do with FTK Imager is mount the image of the drive as if it were a physical drive. After mounting it, you can have a look at it in File Explorer.

After mounting, what the exercise has us do is export the $MFT file.
11:37 He also used Active Disk Editor to access the exported $MFT file.
12:12 Right-click on ‘file’, which is the first entry in $MFT.
An offset is the logical number of blocks a location sits from the beginning of the file.

The whole point of this exercise is to show the difference between reality and the view that Windows gives us.

In Windows, we’ve also got the added complexity of the recycle bin.

Windows also tries to keep things efficient by second-guessing what we are going to do. If we open an application, and that application in turn uses two or three other programs and perhaps some DLLs, then the next time we start the same process Windows recognises the pattern: it knows what we want. This mechanism is called prefetch. Windows keeps a small amount of information about what was loaded last time, so that by the time we click on the application some of that work is already done for us. This can really help speed up the launch of our applications.

2
Q

User Profiles

A

If I create a user called ‘Emma’, she automatically gets a folder structure called ‘Emma’.

3
Q

Temporary Files

A

Temporary files store information temporarily. They can be used for undo files in Word, for example.
Temp files live in the Windows\Temp folder under the system root. They often start with a tilde, and they have a file extension of ‘tmp’.
When we switch off the machine, these files get deleted.

4
Q

Recycle Bin

A

Windows knows that our users will accidentally delete files, so it basically gives you a second chance: it puts deleted files directly into a folder called ‘Recycle Bin’. It is called the Recycle Bin, but it really is just a folder. However, it does do a bit of messing around with your files:
First of all, it takes the file's entry from the MFT (the page of the book in my analogy) and stores it in a file whose name starts with $I, which stands for information.
The file itself is given a $R name, and then it sits in the Recycle Bin.
So, as a user, I can undelete my file by clicking on undelete.
Restore uses the information from the $I file together with the actual file contents in the $R file and basically puts the file back into the live file system.
