Data Representation and Files Examination

Question 1

Bit

Answer 1

• smallest unit in the binary system

- either 0 or 1

Question 2

Byte

Answer 2

• equals 8 bits

Question 3

Kilobyte

Answer 3

• 1024 byte

Question 4

Megabyte

Answer 4

• 1024 kilobyte

Question 5

Gigabyte

Answer 5

• 1024 megabyte

Question 6

Terabyte

Answer 6

• 1024 gigabyte

Question 7

What is the difference between a Kilobyte and Kilobit?

Answer 7

• Kilobyte = 1024 bytes; 8192 bits (1024 * 8)

- Kilobit = 1024 bits

Question 8

When is byte used? When is bit used?

Answer 8

• byte is used when measuring the size of a file

- bit is used when measuring the speed of a connection

Question 9

How many values does the Hex system have?

Answer 9

• 16
• • 0
• • 1
• • 2
• • 3
• • 4
• • 5
• • 6
• • 7
• • 8
• • 9
• • A
• • B
• • C
• • D
• • E
• • F

Question 10

ASCII

Answer 10

• a system used by computers to represent characters and symbols in a numerical form
• Each symbol is given a number/code

Question 11

What are the 3 primary locations of metadata?

Answer 11

• MFT records
• File header
• Magic number

Question 12

MFT

Answer 12

• Master File Table
• used by the NTFS file system to store metadata
• necessary to retrieve files from the NTFS partitions
• each file has one or more MFT records

Question 13

Why is a tool need to view MFT records?

Answer 13

• MFT records are not visible to users through Windows Explorer

Question 14

What is a tool for viewing MFT records?

Answer 14

• Directory Snoop

- Allows the examination of NTFS and FAT32 disks

Question 15

File Header

Answer 15

• unique identification found at the beginning/head of every file
• usually contains data used by the application that opens the file
• contains attributes like: name, author, date of creation, size, error detection/correction data

Question 16

How can file headers/trailers by checked?

Answer 16

• Hex editor

Question 17

Magic Number

Answer 17

• unique string, at the beginning of the file, used to identify the type of file
• method used by Unix/Linux systems to ID a file without reading the whole header
• /usr/share/file/magic

Question 18

What are the 3 types of Metadata

Answer 18

• system
• substantive
• embedded and external

Question 19

Substantive Metadata

Answer 19

• contains information on the modifications of a document

Question 20

System Metadata

Answer 20

• created/edited/used by the system
• OS file system relies heavily on metadata to keep track of files
• Storage devices use system metadata to track addresses of the contained files and how they are stored

Question 21

How can System Metadata be used in an investigation?

Answer 21

• system metadata can be used to track a file that doesn’t exist anymore (removed, deleted, moved)
• can also be used to construct a timeline for the events that occurred on that file
• CANNOT be used to retrieve the contents of a file

Question 22

What are the 4 components primarily interested in for System Metadata?

Answer 22

• MAC: modified, accessed, created entries
• EM: stores last time MFT was modified
• Create: when FILE was created (not data)
• Access: when file was last opened, moved, or copied
• Modify: when the content was last changed

Question 23

How can system metadata of a file be viewed?

Answer 23

• Properties > General and Details tabs

Question 24

DMS

Answer 24

• Directory Management System
• systems used to log, manage, and organize the storage of digital documents
• keeps track of stored documents and users who own, modify, or view documents
• Example: OpenKM

Question 25

Cashing

Answer 25

• Creation of temporary files and data by OS utilities, such as an Internet browser
• Ex. most recently viewed web pages for easy loading

Question 26

Where are common places to “hide” files?

Answer 26

• Metadata
• Windows registry
• ADS (Alternative Data Stream)

Question 27

Windows Registry

Answer 27

• big directory containing many configuration files

- used by the OS and applications to store configurations related to how the application behaves

Question 28

Where does Windows store which applications should run at Startup?

Answer 28

• HKML\software\microsoft\windows\currentversion\run

Question 29

How is the registry organized?

Answer 29

• Organized into directories called Keys
• Each Key contains Values
• Registry Values can be viewed, edited, or created
• Regedit is the most common tool for registry modification and viewing

Question 30

Where are most Linux configuration files stored?

Answer 30

/etc

Question 31

ADS

Answer 31

• Alternative Data Stream
• NTFS only
• allows a user to store data within a file without affecting its size or view
• accessed using the ‘:’ character
• Ex: file.txt:hidden.txt

Question 32

What are some tools that can be used to inspect a file’s ADS?

Answer 32

• Streams.exe (sysinternals)

- ADS Detector

Question 33

DOCX

Answer 33

• the extension and format used by Word 2007 and later editions
• Word 2003 and earlier versions used DOC

Question 34

Executable Files

Answer 34

• text file that contains instructions which the processor reads and executes
• Windows: Portable Executables (EXE)
• Linux: ELF (Executable Linkable Format) or Binary files

Question 35

EXE Files

Answer 35

• produced with compilers
• written in code (C, C++, C#, JAVA) then compiled
• the compiler takes code and translates it into machine code
• the compiler also adds a header to the code before putting it together in the final EXE
• EXE file content is arranged into Sections

Question 36

EXE Header

Answer 36

• contains the following information:
• • Exports: the functions within that executable which other executables can call
• • Imports: imported DDL files
• • Exporting: allowing other programs to import and run a code from a .DLL file
• code w/in a DLL file is usually separated into segments (functions)
• when an EXE wants to import code from a DLL file, it usually links to a specific function

Question 37

rundll32

Answer 37

• system EXE file which takes a DLL file name and function and executes them

Question 38

What is a tool that can be used to view functions linked to an EXE?

Answer 38

• Dependency Walker

- allows you to view imported DLLs within the EXE and the functions that the EXE imports from each DLL