Data Representation and Files Examination Flashcards
(38 cards)
1
Q
Bit
A
- smallest unit in the binary system
- either 0 or 1
2
Q
Byte
A
- equals 8 bits
3
Q
Kilobyte
A
- 1024 byte
4
Q
Megabyte
A
- 1024 kilobyte
5
Q
Gigabyte
A
- 1024 megabyte
6
Q
Terabyte
A
- 1024 gigabyte
7
Q
What is the difference between a Kilobyte and Kilobit?
A
- Kilobyte = 1024 bytes; 8192 bits (1024 * 8)
- Kilobit = 1024 bits
8
Q
When is byte used? When is bit used?
A
- byte is used when measuring the size of a file
- bit is used when measuring the speed of a connection
9
Q
How many values does the Hex system have?
A
- 16
- 0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- A
- B
- C
- D
- E
- F
10
Q
ASCII
A
- a system used by computers to represent characters and symbols in a numerical form
- Each symbol is given a number/code
11
Q
What are the 3 primary locations of metadata?
A
- MFT records
- File header
- Magic number
12
Q
MFT
A
- Master File Table
- used by the NTFS file system to store metadata
- necessary to retrieve files from the NTFS partitions
- each file has one or more MFT records
13
Q
Why is a tool need to view MFT records?
A
- MFT records are not visible to users through Windows Explorer
14
Q
What is a tool for viewing MFT records?
A
- Directory Snoop
- Allows the examination of NTFS and FAT32 disks
15
Q
File Header
A
- unique identification found at the beginning/head of every file
- usually contains data used by the application that opens the file
- contains attributes like: name, author, date of creation, size, error detection/correction data
16
Q
How can file headers/trailers by checked?
A
- Hex editor
17
Q
Magic Number
A
- unique string, at the beginning of the file, used to identify the type of file
- method used by Unix/Linux systems to ID a file without reading the whole header
- /usr/share/file/magic
18
Q
What are the 3 types of Metadata
A
- system
- substantive
- embedded and external
19
Q
Substantive Metadata
A
- contains information on the modifications of a document
20
Q
System Metadata
A
- created/edited/used by the system
- OS file system relies heavily on metadata to keep track of files
- Storage devices use system metadata to track addresses of the contained files and how they are stored
21
Q
How can System Metadata be used in an investigation?
A
- system metadata can be used to track a file that doesn’t exist anymore (removed, deleted, moved)
- can also be used to construct a timeline for the events that occurred on that file
- CANNOT be used to retrieve the contents of a file
22
Q
What are the 4 components primarily interested in for System Metadata?
A
- MAC: modified, accessed, created entries
- EM: stores last time MFT was modified
- Create: when FILE was created (not data)
- Access: when file was last opened, moved, or copied
- Modify: when the content was last changed
23
Q
How can system metadata of a file be viewed?
A
- Properties > General and Details tabs
24
Q
DMS
A
- Directory Management System
- systems used to log, manage, and organize the storage of digital documents
- keeps track of stored documents and users who own, modify, or view documents
- Example: OpenKM
25
Cashing
- Creation of temporary files and data by OS utilities, such as an Internet browser
- Ex. most recently viewed web pages for easy loading
26
Where are common places to "hide" files?
- Metadata
- Windows registry
- ADS (Alternative Data Stream)
27
Windows Registry
- big directory containing many configuration files
| - used by the OS and applications to store configurations related to how the application behaves
28
Where does Windows store which applications should run at Startup?
- HKML\software\microsoft\windows\currentversion\run
29
How is the registry organized?
- Organized into directories called Keys
- Each Key contains Values
- Registry Values can be viewed, edited, or created
- Regedit is the most common tool for registry modification and viewing
30
Where are most Linux configuration files stored?
/etc
31
ADS
- Alternative Data Stream
- NTFS only
- allows a user to store data within a file without affecting its size or view
- accessed using the ':' character
- Ex: file.txt:hidden.txt
32
What are some tools that can be used to inspect a file's ADS?
- Streams.exe (sysinternals)
| - ADS Detector
33
DOCX
- the extension and format used by Word 2007 and later editions
- Word 2003 and earlier versions used DOC
34
Executable Files
- text file that contains instructions which the processor reads and executes
- Windows: Portable Executables (EXE)
- Linux: ELF (Executable Linkable Format) or Binary files
35
EXE Files
- produced with compilers
- written in code (C, C++, C#, JAVA) then compiled
- the compiler takes code and translates it into machine code
- the compiler also adds a header to the code before putting it together in the final EXE
- EXE file content is arranged into Sections
36
EXE Header
- contains the following information:
- - Exports: the functions within that executable which other executables can call
- - Imports: imported DDL files
- - Exporting: allowing other programs to import and run a code from a .DLL file
- code w/in a DLL file is usually separated into segments (functions)
- when an EXE wants to import code from a DLL file, it usually links to a specific function
37
rundll32
- system EXE file which takes a DLL file name and function and executes them
38
What is a tool that can be used to view functions linked to an EXE?
- Dependency Walker
| - allows you to view imported DLLs within the EXE and the functions that the EXE imports from each DLL
