Digital Forensics 2

Question 1

Email Provider Extensions :

(Outlook) = ???
(Offline Outlook Storage) = ???
(Outlook Express) = ??? or ???
(Eudora) = ???
(common to several e-mail clients) = ???

Answer 1

(Outlook) .pst
(Offline Outlook Storage) .ost
(Outlook Express) .mbx or .dbx
(Eudora) .mbx
(common to several e-mail clients) .emi

Question 2

RFC 3864 describes message header field names. The header field used commonly with values “bulk,” “junk,” or “list”; and that indicate that automated “vacation” or “out of office” responses should not be returned for this mail refers to which of the following options?

Answer 2

precedence

Question 3

the core of the OS

Answer 3

Ntoskrnl.exe

Question 4

A program that handles services on your system

Answer 4

Smss.exe

Question 5

program that logs you on

Answer 5

Winlogon.exe

Question 6

The interface the user interacts with, such as the desktop, Windows Explorer, and so on …

Answer 6

Explorer.exe

Question 7

The ForwardedEvents log is used to store events collected from remote computers. This has data in it only if event forwarding has been configured.

Answer 7

The ForwardEvents Log

Question 8

Even if the suspect’s browsing history has been erased, it is still possible to retrieve it if he or she was using Internet Explorer. Index.dat is a file used by Microsoft Internet Explorer to store Web addresses, search queries, and recently opened files. So if a file is on a universal serial bus (USB) device but was opened on the suspect machine, index.dat would contain a record of that file.

Answer 8

index.dat

Question 9

Windows has a number of files. A program that queries the computer for basic device/configuration data like time/date from CMOS, system bus types, disk drives, ports, and so on is __________.

Answer 9

ntdetect.com

Question 10

Dynamic memory for a program comes from the heap segment; a process may use a memory allocator such as malloc to request dynamic memory.

Answer 10

definition of a heap?