Definitions Flashcards

1
Q

What is a byte

A

8 bits

2
Q

What is a nibble

A

half of a byte or 4 bits

3
Q

What is a bit

A

1 or 0

4
Q

What is a CPU

A

The central processing unit (CPU) acts as the brain of the machine. All information processed by the computer is processed by the CPU.

5
Q

What is RAM

A

Random access memory (RAM) is volatile memory that stores data before it's processed by the CPU. RAM only contains information while there is power.

6
Q

What is ROM

A

Read-only memory (ROM) is non-volatile and usually holds boot information, bootstrap code, or code that loads the operating system.

7
Q

What are peripheral devices

A

Hard drives (HDs), CDs, USBs, and other long-term storage devices that are used to store and exchange files.

8
Q

What is the motherboard

A

The motherboard connects the various components in the computer. It is a printed circuit board with connectors for graphics cards, USB devices, network devices, etc.

9
Q

What are the stages of the forensic process

A
  • Seizure: Gathering of digital devices.
  • Imaging & Verification: Taking a forensic copy and validating the copy.
  • Analysis: Analyzing the image to discover evidence.
  • Reporting: Reporting on the evidence discovered and the methods used to discover it.
10
Q

What is Image verification

A

Hashing is used to validate that the image is the same as the source data / hasn't been altered. A hash is a one-way mathematical function that provides a representation of data.

An MD5 hash collision is a 1 in 2^128 chance of happening.

An MD5 hash is 16 bytes (128 bits).

11
Q

What is a File Signature

A

A magic value found at the beginning (and sometimes the end) of a file's content that indicates the file type.

12
Q

What is Data Carving

A

Involves scanning raw disk contents for byte sequences that match a known file signature.

13
Q

What is File Recovery

A

File recovery techniques make use of the file system information that remains after deletion of a file.

14
Q

What is File Carving

A

Carving deals with the raw data on the media and doesn’t use the file system structure during its process

15
Q

What is the difference between File Recovery and File Carving

A

File recovery techniques make use of the file system information that remains after deletion of a file.

Carving deals with the raw data on the media and doesn't use the file system structure during its process. It identifies files in unallocated space and file slack.

Disadvantages of file carving are false positives and a slow process.

16
Q

What is Live Data Forensics (LDF)

A

Forensics conducted against a running machine, to account for situations in which dead-box forensics would be a problem (encryption, cloud storage, passwords, can't take the system offline (server), etc.)

17
Q

What are risks associated with Live Data Forensics

A
  • Altering of data
  • Be aware of potential data loss, e.g. scheduled wiping / remote wiping
18
Q

What are benefits of Live Data Forensics

A

  • Identify encryption / get access to unencrypted data
  • Identify cloud storage / internet storage contents (no local copies)
  • LDF on servers allows information to be gathered / images to be taken without shutting down
  • RAM can contain passwords, chat history, malware
  • LDF can be faster to analyze data

19
Q

What is the structure of an HDD

A

Platter, Read/Write Head, Spindle, Actuator

20
Q

What is in the structure of a platter

A

Track
Geometric Sector
Sector
Cluster

21
Q

What are the components of the sector structure

A
  • Synchronization: timing (makes sure the R/W head is positioned correctly)
  • Header (CHS address): used so the controller is certain it's reading the right sector
  • CRC: checks that the information has not become corrupt
22
Q

What is a cluster

A

A number of sectors (usually 512 sectors per cluster)

23
Q

What is Disk Addressing

A
  • Initially used CHS - Cylinder, Head, and Sector
  • Specified the track number, the R/W head to use, and the sector
  • Replaced with LBA (logical block addressing)
    ○ Linear index scheme
    ○ First block is LBA 0, second is LBA 1, etc.
    ○ 48 bits used for addressing (2^48 blocks can be addressed)
23
Q

What is the logical structure of a Disk

A

Master Boot Record
Unallocated Space
Partitions

24
Q

What is the Master Boot Record

A

The Master Boot Record (MBR) is one sector in size (512 bytes) and is the first sector (LBA 0) of the HDD:
○ 446 byte boot code
○ 64 byte partition table
○ 2 byte signature

25
Q

What are the three types of partitions

A

Primary, Extended, Logical

26
Q

What is a Primary Partition

A

A primary partition stores a single file system. The information on these is stored in the MBR’s Partition table.

27
Q

What is an Extended Partition

A

Extended partitions contain logical partitions. They are used to overcome the four partition limit for primary partitions.

28
Q

What is a Logical Partition

A

Each logical partition stores a file system; however, logical partitions are not found in the MBR but in the EBR (Extended Boot Record).

29
Q

What is the Partition Table Structure

A

The partition table starts at 0x1BE.
Partition table entries:
○ One entry per partition
○ Multi-byte values are in little-endian format
○ Max 4 entries per partition table
○ Extended boot records (EBR) are used for more than 4 partitions
○ The MBR can contain four primary partitions, or three primary partitions and one extended partition

30
Q

What is the difference between post-mortem imaging and live imaging

A

Post-mortem: imaging while the computer is off / physical disk image / no changes likely made to the hard drive

Live imaging: access to live data / check for encryption / changes will definitely be made during imaging / faster analysis than post-mortem

31
Q

How can you recover a file from NTFS

A
  • Information about file contents is stored in the $DATA attribute
  • This may be resident or non-resident
  • If resident, the actual file contents will be found in the MFT record; there are no other
    clusters occupied by this file on disk!
  • If non-resident, a run list will point us to the cluster locations

A resident $DATA attribute is only used for very small files. These are most likely simple text
files. For most file types $DATA is non-resident. Non-resident data is stored in regular clusters
on the file system. A run list tells how many clusters are in it and where they are located. The run list is found by reading the two bytes at 0x20 in the non-resident attribute.

32
Q

What is forensic imaging

A

A forensic image is a bit-by-bit copy of the device. Every single bit is copied from the physical device and stored in the image.

33
Q

Convert hex located at 0x0E in LE to FAT time

Example: 44455242592020204C4F472018A54C5E285129510000376628518801912A0000

A

Time bytes on disk: 4C 5E
Little-endian value: 0x5E4C

11:50

34
Q

Convert hex located at 0x10 in LE to FAT date

Example: 44455242592020204C4F472018A54C5E285129510000376628518801912A0000

A

Date: 0x2851

08/09/2020

35
Q

Convert 0xF1 6A to FAT Date

A

0xF1 6A
1111 0001 0110 1010
Year = 1111000 = 120 (+1980) = 2100
Month = 1011 = 11
Day = 01010 = 10

36
Q

Convert 0x84DA to FAT Time

A

0x84 DA
1000 0100 1101 1010
Hour = 10000 = 16
Minute = 100110 = 38
Seconds = 11010 = 26 (*2) = 52 or 53

37
Q

Convert 10001110 (2's complement) to decimal

A

01110010
= -114
