Digital Forensics

Question 1

Main file system used by Windows Vista/7/8/10

Answer 1

New Technology File System (NTFS)

Question 2

File system natively supports (read and write) by all OS’s

Answer 2

File Allocation Table - 32 (FAT32)

Question 3

RAID 0

Answer 3

Striped Array:
Provides rapid access and increased storage but lacks redundancy
Min. num of drives: 2

I.e. Disk0 = A1 A3 A5 A7
Disk1 = A2 A4 A6 A8

Question 4

RAID 1

Answer 4

Mirrored Array:
Designed for data recovery but more expensive than RAID 0
Min. num of drives: 2

I.e. Disk0 = A1 A2 A3 A4
Disk1 = A1 A2 A3 A4

Question 5

RAID 5

Answer 5

Places parity recovery data on each disk
Min. num of drives: 3

I.e. Disk0 = A1 B1 C1 Dp
Disk1 = A2 B2 Cp D1
Disk2 = A3 Bp C2 D2
Disk3 = Ap B3 C3 D3

Question 6

RAID 6

Answer 6

Redundant parity on each disk
Min. num of drives: 4

I.e. Disk0 = A1 B1 C1 Dp Eq
Disk1 = A2 B2 Cp Dq E1
Disk2 = A3 Bp Cq D1 E2
Disk3 = Ap Bq C2 D2 E3
Disk4 = Aq B3 C3 D3 Ep

Question 7

RAID 10

Answer 7

Mirrored striping:
Aka RAID 1+0, combo of RAID 1/0
Min. num of drives: 4

I.e. 
RAID0= (
RAID1 =
Disk0 = A1 A3 A5 A7
Disk1 = A1 A3 A5 A7

RAID1 =
Disk2 = A2 A4 A6 A8
Disk3 = A2 A4 A6 A8
)

Question 8

NFTS Organization

Answer 8

NTFS Boot Sector ->
Master File Table ($MFT) ->
File System Data ->
Master File Table Copy ($MFTMirr)

Question 9

of bytes in a sector?

Answer 9

512 bytes

Question 10

Size of every MFT data record?

Answer 10

Two sectors or 1024 bytes

Question 11

How many date and time stamps can you examine in on MFT entry? (Small/Med/Large)

Answer 11

Small: 4
Med: 8
Large: 12

Question 12

4th amendment of the US Constitution?

Answer 12

Protects against unreasonable search and seizure

Question 13

5th amendment of the US constitution?

Answer 13

Protects against self-incrimination

Question 14

What is a sector?

Answer 14

The smallest physical unit in which data is stored on a spinning hard drive

Question 15

File header and signature for JPEG?

Answer 15

Header: FF D8 (ÿøÿá)
Signature: “FILE”

Question 16

What is a cluster?

Answer 16

A group of sectors, commonly 8 sectors per cluster

Question 17

Advantages and disadvantages of a hard shutdown during digital evidence seizure

Answer 17

Advantages:
Simple, Effective, no software traps, no passwords needed
Disadvantages:
File system corruption, volatile data is lost, encryption

Question 18

Advantages and disadvantages of using RAW data acquisition format

Answer 18

Advantages:
Fast data transfers, Flat format, can split images into smaller segmented files, computer forensics tools can read raw format
Disadvantages:
No compression

Question 19

Features offered by proprietary formats?

Answer 19

Option to compress or not compress image files, can integrate metadata into the image file, offers encryption/password protection options

Question 20

Two implementations methods used by hardware write-blockers

Answer 20

Write Failure, write success

Question 21

Benefits of hardware and software write protection?

Answer 21

Hardware: Independent of OS, portable, scalable
Software: Easy to install, easy to implement

Question 22

File deletion process for FAT32?

Answer 22

1. The first character of the file name is changed to 0xE5

2. The clusters assigned to the file are marked as I allocated (0x00000000)

Question 23

File deletion process for NTFS?

Answer 23

1. The index for the entry is removed after searched for, and entries in the node are moved and overwrite the original entry
2. Flag within the files MFT entry is changed from 0x01 to 0x00

Question 24

Four possible entries used by FAT32 to represent a cluster’s status?

Answer 24

1. Unallocated (0x0000 0000)
2. Next Cluster in Run
3. Bad Cluster (0x0FFF FFF7)
4. Last Cluster in File (0x0FFF FFF8)

Question 25

Three possible attributes within an MFT Entry

Answer 25

1. $STANDARD_INFORMATION (0x10)
2. $FILE_NAME (0x30)
3. $DATA (0x80)

Question 27

What are the four date and time stamps used in NTFS?

Answer 27

Access: last date and time the file was open
Modified: last date and time when the file’s data was changed
Entry: last date and time when the file’s attributes (MFT entry) were changed
Creation (Birth): Date and time when the file was created on the volume

Question 28

How to convert 16-bit FAT32 hex value to date? (Ex. 0x4393)

Answer 28

1. Convert to binary
2. Year is first 7 bits added to 1980, month is middle 4 bits, day is last 5 bits

010001 1100 10011 = 12/19/2013

Question 29

Difference between resident and non-resident data?

Answer 29

Resident data is contained within the MFT entry

Question 30

Four types of deleted data?

Answer 30

1. Recycle Bin
2. Deleted file/folder
3. Data Carving
4. File Slack

Question 31

Why are carved files difficult to use as evidence?

Answer 31

Their metadata is not recoverable

Question 32

Forensic implications of SSD wear-leveling technologies?

Answer 32

Wear-leveling destroys metadata used in forensics and data-recovery