Final 2

Question 1

APFS

Answer 1

A new file system for MAC that offers more option when turning a partition into a volume

Question 2

What is alternative data stream:

Answer 2

ADS is the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing.

Question 3

With FAT

Answer 3

To find names /dates, we look for directories entries. Allocation table is the FAT table

Question 4

With NTFS,

Answer 4

To find names and dates, we look for the Master Table file Records. Allocation table is $Bitmap

Question 5

With HFS,

Answer 5

we look for the CNID catalog the CNID does not get reused. Allocation table is catalog/allocation

Question 6

Where is a partition table?

Answer 6

A partition table is found on a MBR

Question 7

File System Tunneling:

Answer 7

deleting a file and immediately recreating a file with the same name in the same directory. The new file will inherit its creation date from the original file

Question 8

Hacker methodology :

Answer 8

a- Reconnaissance: obtaining info on the target
b- Attack : Applying technique against target
c- Entrenchment : continue hidden the attack
d- Abuse: Conducting further activities on target.

Question 9

File carving:

Answer 9

Data carving is the process of extracting a collection of data from a larger data set. Data carving is done on a disk when the unallocated file system space is analyzed to extract files because data cannot be identified due to missing of allocation info.

Question 10

Page file:

Answer 10

Are reserved portion of a hard drive disk that is used as an extension of RAM for data..

Question 11

Internal metadata:

Answer 11

Metadata that is stored internally to the file. They find on EXIF file (photographs, and media file), on pdf file

Question 12

File system metadata.

Answer 12

Information about file stored by the filesystem. It contains the create, modified, access, record update. They constitute file system metadata.

Question 13

OST File:

Answer 13

Offline stored file – Makes possible to work offline, and synchronize changes with the extend server once online.

Question 14

PST file :

Answer 14

Outlook data file used for most mail accounts. Used by POP3, IMAP and web based mail accounts. It’s a personal folder that store messages and other items on the computer.

Question 15

Gmail takeout

Answer 15

Allows google user to export their data to a downloadable zip. would do a dump of the user Gmail account.

Question 16

What is data obfuscation:

Answer 16

Form of data masking that helps in concealing data. Example: Stenography, changing data extension, compressing data, write data into file or volume slack, create a small partition on a disk, populating it, then delete it., blurring data, shuffling data.

Question 17

Virus

Answer 17

Malicious software that self-replicate

Question 18

.

Alternate data stream in window where to found it:

Answer 18

It’s a Zone identifier which is created when a file is downloaded on the internet. It helps window to determine if a downloaded data on the internet is from a trusted zone.

Question 19

Hard link:

Answer 19

A label or names associated to a file i.e. Created multiple names that refer to a single file.

Question 20

Registry hive:

Answer 20

logical group of keys, sub keys, and values in the registry that has a set of supporting files containing backups of its data. All keys that are considered hives begin with “HKEYUser profiles hives are located in HkeyUSERS

Question 21

ADS in Mac

Answer 21

Data Force and Resource force :

Question 22

Forensics Soundness:

Answer 22

Any forensics method or technique of evidence collection that is verifiable and repeatable.

Question 23

What are link files:

Answer 23

are windows shortcut files that link to an application or file commonly found on a user’s desktop. Each link file has its own Created, Modified and Accessed dates and within each link file there are Created, Modified and Accessed dates which belong to the target file.

Question 24

Backup volume boot record (where it’s is found )

Answer 24

• In NTFS, It’s the sector at the very end of the volume

- For FAT 32, it’s 6 sectors beyond the primary volume.