Final Exam

Question 1

List 4 File Systems

Answer 1

a. FAT32
b. NTFS
c. HFS
d. EXT4

Question 2

List 4 requirement of all file systems

Answer 2

a. Object Name
b. Starting cluster
c. Allocation
d. Fragmentation

Question 3

What is a MBR and where is it found (assume a windows system) and what does it do?

Answer 3

Master Boot Record. It’s found at Sector 0. It contains partition table which consist of 4 sixteen Byte records

Question 4

What is a sector?

Answer 4

A smallest physical storage.

Question 5

What is Plist

Answer 5

The preferred way to store property lists on OS X and and IOS. They are in the format XML.

Question 6

What is a cluster or block?

Answer 6

A combination of one or more sectors allocated to store data

Question 7

Value of Volume boot record:

Answer 7

The number of sector per clusters

Question 8

Volume shadow copy:

Answer 8

Allows to recover disk or volume at some point. Hacker likely to turn off this for ransom.

Question 9

Volatile data :

Answer 9

Data that is lost when a computer is turned off. Volatile storage is a form of temporary memory. It contains the most update activities of the user, it also help determine if an external drive had been used
Volatile data provides useful information during network intrusion investigation.

Question 10

Differentiate between a physical file and a logical file

Answer 10

Logical : The actual size of the file

Physical : The size of the cluster reserved for the file.

Question 11

What is the difference between a physical disk image and a logical disk image?

Answer 11

Logical disk is the volume

Physical Disk: Has the volume

Question 12

12. What is file slack, why does a data persist there and how long it stay?

Answer 12

Unused space of a cluster. It persist there because not all sectors allocated hold the file. It will stay there until a new file larger than the original file is written on that cluster.

Question 13

9. Define Allocated vs unallocated disk space?

Answer 13

Allocated is the space contained data. Unallocated is the free space

Question 14

What is a bit stream image? Can I bit stream the acquisition of a logical drive?

Answer 14

Copy-by-copy, byte-by-byte of the hard drive without altering the original drive. Yes I can bit stream a logical drive.

Question 15

What is the difference between a “partition” and a “volume”?

Answer 15

When a partition is formatted, it’s becomes a volume.

Question 16

What is fragmentation and why should we care?

Answer 16

Involves splitting data into smaller fragment and distributing them across a larger number of machine. Fragmentation can hold slack file.

Question 17

What is hash collision:

Answer 17

When the content of data is altered, but its hash is still the same as the original.

Question 18

When imaging an iPhone,

Answer 18

we get a recent database which may have some emails. MAC is always changing. MAC is moving away from PList to SQLite data base.

Question 19

SQLite data base

Answer 19

SQLite data base use for SMS, address book in phones, internet history in phones and in computer, setting been stored

Question 20

What is Plist

Answer 20

The preferred way to store property lists on OS X and and IOS. They are in the format XML.

Question 21

What is a VBR and where is it found (assume a windows system) and what does it do?

Answer 21

Volume Boot Record. It’s found at the First sector of a volume. In windows, it’s found at sector 63 or 2048 for the first volume.

VBR contains the sector per cluster as well as volume serial number. It’s used to identify the file system of the volume.