Overview Flashcards

1
Q

What is digital forensics?

A

The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations [1] (Digital Forensics Research Workshop (DFRWS), 2001).

2
Q

What is data recovery?

A

Data recovery involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. In data recovery, typically you know what you're looking for.

3
Q

What is slack space?

A

(or file slack): Unused space on a cluster that exists when the logical file space is less than the physical file space. It may hold the content of files that previously occupied this space.

4
Q

What is ASCII?

A

American Standard Code for Information Interchange. A character-encoding scheme originally based on the English alphabet. ASCII codes represent text in computers, communications equipment, and other devices that use text. Most modern character-encoding schemes are based on ASCII, though they support many additional characters.
ASCII includes definitions for 128 characters: 33 are non-printing control characters (many now obsolete) that affect how text and space are processed, and 95 are printable characters, including the space.

5
Q

What is UNICODE?

A

Unicode is a computing industry standard for the consistent encoding, representation and handling of text expressed in most of the world’s writing systems. Unicode can be implemented by different character encodings. The most commonly used encodings are UTF-8, UTF-16 and the now-obsolete UCS-2. UTF-8 uses one byte for any ASCII characters, which have the same code values in both UTF-8 and ASCII encoding, and up to four bytes for other characters. UTF-16 uses two 16-bit units (4 × 8 bit) to handle each of the additional characters.

6
Q

What is a sector?

A

A sector is a contiguous group of bytes within a track and is the smallest number of bytes that can be addressed or written to on a drive. Although it can vary, the number of bytes per sector is nearly always 512. By contrast, a CD-ROM will have 2,048 bytes per sector.

7
Q

What is a cluster?

A

A group of sectors on a hard drive that represents the smallest amount of data that can be allocated in a file system. Because sectors are at the hardware level and clusters are at the operating system level, techies often refer to sectors as physical address space and to clusters as logical address space.

8
Q

What is CHS?

A

Cylinder-head-sector, also known as CHS, was an early method for giving addresses to each physical block of data on a hard disk drive.

9
Q

What is a partition?

A

A partition is a collection of consecutive sectors within a volume, and those sectors are addressable by a single file system specific to and contained within that partition.

10
Q

What is a volume?

A

A volume, by subtle contrast, is a collection of addressable sectors that are used by an operating system or an application to store data. The addressable sectors in a volume do not have to be consecutive, and therein lies the difference. Rather, they need only give the appearance of being consecutive. When a volume consists of a single partition, the two are functionally the same. When a volume spans more than one partition or drive, the difference becomes self-evident.

11
Q

What is SCSI?

A

Small Computer Systems Interface: an electronic interface that originated with Apple Computer systems and migrated over to other systems. It is a high-speed, high-performance interface, used on devices requiring high input/output such as scanners, hard drives, and so forth.

12
Q

What is USB?

A

Universal Serial Bus (USB) is an industry standard developed in the mid-1990s that defines the cables, connectors and communications protocols used in a bus for connection, communication and power supply between computers and electronic devices.
USB 1: 1.5 to 12 Mbit/s
USB 2: 480 Mbit/s
USB 3: 5 Gbit/s

13
Q

What is Chain of Custody?

A

The chain of custody requires that from the moment the evidence is collected, every transfer of evidence from person to person be documented and that it be provable that nobody else could have accessed that evidence. It is best to keep the number of transfers as low as possible.

14
Q

What is CDMA?

A

Code division multiple access (CDMA) is a channel access method used by various radio communication technologies.

15
Q

What is CRC?

A

A cyclic redundancy check (CRC) is an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to raw data. Blocks of data entering these systems get a short check value attached.

16
Q

What is drive slack?

A

Same as file slack, or a subset of file slack. What about the remaining sectors that are part of the last cluster assigned to the file but are not filled with any file data? The OS does not take the further pains it took with the last sector written with file data; instead it writes nothing to the remaining sectors of the cluster. The result? Whatever was stored on that area of the disk remains there, and it could contain remnants of previously deleted files, the pattern that should be there if the disk is fresh and being used for the first time, or even the data that existed before the last format!

17
Q

What is EFS?

A

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

EFS is available in all versions of Windows developed for business environments from Windows 2000 onwards. By default, no files are encrypted, but encryption can be enabled by users on a per-file, per-directory, or per-drive basis. Some EFS settings can also be mandated via Group Policy in Windows domain environments.

18
Q

What is EDGE?

A

Enhanced Data rates for GSM Evolution (EDGE). A digital mobile phone technology that allows improved data transmission rates as a backward-compatible extension of GSM. EDGE is considered a pre-3G radio technology.
Through the introduction of sophisticated methods of coding and transmitting data, EDGE delivers higher bit-rates per radio channel, resulting in a threefold increase in capacity and performance compared with an ordinary GSM/GPRS connection.

19
Q

What is SMTP?

A

Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks. Port 25.

While electronic mail servers and other mail transfer agents use SMTP to send and receive mail messages, user-level client mail applications typically use SMTP only for sending messages to a mail server for relaying. For receiving messages, client applications usually use either the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP) or a proprietary system (such as Microsoft Exchange or Lotus Notes/Domino) to access their mail box accounts on a mail server.

20
Q

What is EXIF?

A

Exchangeable image file format (Exif) is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.

The metadata tags defined in the Exif standard cover a broad spectrum:

  • Date and time information.
  • Camera settings.
  • A thumbnail for previewing the picture.
  • Descriptions.
  • Copyright information.
21
Q

What is disk geometry?

A

A description of the physical layout of a hard disk drive in terms of cylinders, heads and sectors.

22
Q

What is LBA?

A

Logical block addressing (LBA) is a common scheme used for specifying the location of blocks of data stored on computer storage devices, generally secondary storage systems such as hard disks.

LBA is a particularly simple linear addressing scheme; blocks are located by an integer index, with the first block being LBA 0, the second LBA 1, and so on.

The LBA scheme replaces earlier schemes which exposed the physical details of the storage device to the software of the operating system. Chief among these was the cylinder-head-sector (CHS) scheme, where blocks were addressed by means of a tuple which defined the cylinder, head, and sector at which they appeared on the hard disk.

23
Q

What is the info2 file?

A

Windows XP automatically keeps an index of what was deleted and when. It is kept in the Recycle Bin, and it contains entries, identified by index number, which describe the original file's size and full path/name.

24
Q

What are inodes?

A

An inode (index node) is a data structure found in many Unix file systems. Each inode stores all the information about a file system object (file, device node, socket, pipe, etc.) except its data content and file name, e.g. file ownership, access mode (read, write, execute permissions), and file type.
25
Q

What is KFF?

A

Known File Filter, or KFF, can be used to eliminate or highlight known files using MD5 hashes generated by user or by a publisher such as NIST or Hashkeeper.

26
Q

What is the MBR?

A

Master Boot Record (MBR) is a special type of boot sector at the very beginning of partitioned computer mass storage devices like fixed disks or removable drives.
The MBR holds the information on how the logical partitions, containing file systems, are organized on that medium.

27
Q

What is the MFT?

A

In NTFS, all file, directory and metafile data (file name, creation date, access permissions by the use of access control lists, and size) are stored as metadata in the Master File Table.

28
Q

What is mbox?

A

mbox is a generic term for a family of related file formats used for holding collections of electronic mail messages. All messages in an mbox mailbox are concatenated and stored as plain text in a single file. The beginning of each message is indicated by a line whose first five characters consist of “From” followed by a space (the so named “From_ line” or “‘From ‘ line” or simply “From line”) and the sender’s e-mail address. A blank line is appended to the end of each message. For a while, the mbox format was popular because text processing tools can be readily used on the plain text files used to store the e-mail messages.

29
Q

What is MD5?

A

The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value.

30
Q

What is a hash?

A

A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value.

31
Q

What is MIME?

A

Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of email to support:

  • Text in character sets other than ASCII.
  • Non-text attachments.
  • Message bodies with multiple parts.
  • Header information in non-ASCII character sets.

32
Q

What is POP3?

A

Post Office Protocol (POP) is an application-layer Internet standard protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection. POP and IMAP (Internet Message Access Protocol) are the two most prevalent Internet standard protocols for e-mail retrieval.

33
Q

What is RAID?

A

RAID (redundant array of independent disks, originally redundant array of inexpensive disks) is a storage technology that combines multiple disk drive components into a logical unit. Data is distributed across the drives in one of several ways called “RAID levels”, depending on the level of redundancy and performance required.

34
Q

What is the Registry?

A

The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components and for applications running on the platform that have opted to use the registry. The kernel, device drivers, services, SAM, user interface and third party applications can all make use of the registry. The registry also provides a means to access counters for profiling system performance.

35
Q

What is ext3?

A

ext3, or third extended filesystem, is a journaled file system that is commonly used by the Linux kernel. It is the default file system for many popular Linux distributions.

36
Q

What is steganography?

A

Writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message; a form of security through obscurity. Embedding messages within image, video or audio files, for example.

37
Q

What is unallocated disk space?

A

The space created when a file is deleted that can be reused to store new information. Until unallocated space is used for new data storage, in most instances, the old data remains and can be retrieved by using forensic techniques.

38
Q

What is VCN?

A

Virtual Cluster Number.
The starting and ending VCN numbers are used when multiple MFT entries are needed to describe a single attribute. For example, if a $DATA attribute was very fragmented and its runs could not fit into a single MFT entry, it would allocate a second MFT entry. The second entry would contain a $DATA attribute with a starting VCN equal to the VCN after the ending VCN of the first entry.

39
Q

What are virtual machines?

A

A virtual machine (VM) is a software implementation of a machine (i.e. a computer) that executes programs like a physical machine.

40
Q

What is BIOS?

A

Basic Input/Output System. BIOS software is built into the PC, and is the first software run by a PC when powered on. The fundamental purposes of the BIOS are to initialize and test the system hardware components, and to load an operating system or other programs from a mass memory device.

41
Q

What is CMOS?

A

Complementary metal-oxide-semiconductor: a memory component used to store BIOS settings.

42
Q

What is Firewire?

A

The IEEE 1394 interface is a serial bus interface standard for high-speed communications / real-time data transfer. It was developed in the late 1980s and early 1990s by Apple. The 1394 interface is comparable to USB, and often those two technologies are considered together, though USB has more market share.

Apple first included FireWire in some of its 1999 models, and most Apple computers since the year 2000 have included FireWire ports, though, as of 2013, nothing beyond the 800 version.

FireWire 100 (IEEE 1394): 98.304 Mbit/s
FireWire 200 (IEEE 1394): 196.608 Mbit/s
FireWire 400 (IEEE 1394): 393.216 Mbit/s
FireWire 800 (IEEE 1394b): 786.432 Mbit/s
FireWire 1600 (IEEE 1394b): 1.573 Gbit/s
FireWire 3200 (IEEE 1394b): 3,145.7 Mbit/s

43
Q

What is HPA?

A

The Host Protected Area (HPA) is a special area of the disk that can be used to save data, and a casual observer might not see it. The size of this area is configurable using ATA commands. Uses of the HPA include:

  • Various booting and diagnostic utilities, normally in conjunction with the BIOS.
  • Computer manufacturers may use the area to contain a preloaded OS for install and recovery purposes (instead of providing DVD or CD media).
  • Storing data that is deemed illegal, which makes it of interest to government and police computer forensics teams.
  • Rootkits.

44
Q

What is DCO?

A

Device configuration overlay (DCO) is a hidden area on many of today’s hard disk drives (HDDs). Usually when information is stored in either the DCO or host protected area (HPA), it is not accessible by the BIOS, OS, or the user.

DCO, which was first introduced in the ATA-6 standard, “allows system vendors to purchase HDDs from different manufacturers with potentially different sizes, and then configure all HDDs to have the same number of sectors. An example of this would be using DCO to make an 80-gigabyte HDD appear as a 60-gigabyte HDD to both the (OS) and the BIOS…. Given the potential to place data in these hidden areas, this is an area of concern for computer forensics investigators. An additional issue for forensic investigators is imaging an HDD that has an HPA and/or DCO on it.

45
Q

What is IDE?

A

Integrated Drive Electronics (IDE) interface is an interface standard for the connection of storage devices such as hard disks, floppy drives, and optical disc drives in computers. It evolved into PATA.

46
Q

What is SATA?

A

Serial Advanced Technology Attachment; it replaced IDE. IDE (ATA) hard drives have been around for a long time, but the electronic circuitry by which the data was sent had reached its upper limit (133MB/s), as it moved in parallel. In August 2001 a new standard, known as SATA 1.0, was finalized and approved. SATA uses serial circuitry and data can be sent, initially, at 150MB/s, with 300 or more on the near horizon as SATA II standards (released in October 2002) find their way into the market. SATA drives require no “pinning” as do IDE drives. SATA ports can be found on most modern motherboards and often have RAID support available to them.

47
Q

What is POST?

A

Power-On Self-Test (POST) refers to routines run by the BIOS immediately after a computer is powered on to test for faulty or misconfigured hardware. The routines are part of a device's pre-boot sequence. Once POST completes successfully, bootstrap loader code is invoked.

48
Q

What is RAM?

A

A computer's short-term memory. It provides memory space for the computer to work with data. Information stored in RAM is lost when the computer is turned off.

49
Q

What is ROM?

A

Read-only memory (ROM) is a class of storage medium used in computers and other electronic devices. Data stored in ROM cannot be modified, or can be modified only slowly or with difficulty, so it is mainly used to distribute firmware (software that is very closely tied to specific hardware, and unlikely to need frequent updates).

50
Q

What is freespace?

A

Clusters marked by the file system as not in use.

51
Q

What is the file signature for JPEG files?

A

Header: FF D8 FF E0 xx xx 4A 46 49 46 00

Footer: FF D9

52
Q

What is the file header for MS Office files?

A

D0 CF 11 E0 A1 B1 1A E1

53
Q

What is the file header for PST files?

A

21 42 44 4E

54
Q

What is a PST?

A

Personal Storage Table (PST) is an open, proprietary file format used to store messages, calendar events, and other items within Microsoft software such as Microsoft Exchange Client, Windows Messaging, and Microsoft Outlook

55
Q

What is an OST?

A

When a PST file functions in its capacity as a cache for Outlook's Cached Exchange Mode feature, it may be called an Offline Storage Table (.ost).

56
Q

What is a dbx?

A

DBX files (files with the *.dbx extension) are the files where Outlook Express stores email messages. They can be found in the so-called Outlook Express Store Folder.

When you open Store Folder in Windows Explorer, you will see a set of DBX files. Every file contains messages from the appropriate message folder in Outlook Express. For example, Inbox.dbx contains emails from Inbox folder and so on. Folders.dbx is an index of all Outlook Express message folders. It contains a structure of all news groups, mail folders and some synchronization data.

57
Q

What is base64?

A

Base64 encoding schemes are commonly used when there is a need to encode binary data that needs to be stored and transferred over media that are designed to deal with textual data. This is to ensure that the data remain intact without modification during transport. Base64 is commonly used in a number of applications including email via MIME, and storing complex data in XML.

58
Q

What is a plist?

A

In the Mac OS X, iOS, NeXTSTEP, and GNUstep programming frameworks, property list files are files that store serialized objects. Property list files use the filename extension .plist, and thus are often referred to as p-list files.

Property list files are often used to store a user’s settings. They are also used to store information about bundles and applications, a task served by the resource fork in the old Mac OS.

59
Q

What is sqlite3?

A

SQLite is a popular relational database management system used as an embedded database for local/client storage in application software such as web browsers. It is arguably the most widely deployed database engine, as it is used today by several widespread browsers, operating systems, and embedded systems, among others. It is used in Firefox, Chrome, iOS, Symbian, Windows Phone 8, Android, etc.

60
Q

What is bitlocker?

A

BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Microsoft’s Windows Vista, Windows 7, and with Pro and Enterprise editions of Windows 8 desktop operating systems, as well as the server platforms. It is designed to protect data by providing encryption for entire volumes. By default it uses the AES encryption algorithm in CBC mode with a 128 bit key. Also, if configured, BitLocker is able to encrypt using a 256 bit key.

61
Q

What is the CD file system?

A

ISO 9660 (also known as ECMA-119), also referred to as CDFS (Compact Disc File System) by some hardware and software providers, is a file system standard published by the International Organization for Standardization (ISO) for optical disc media. It aims at supporting different computer operating systems such as Windows, classic Mac OS, and Unix-like systems, so that data may be exchanged.

62
Q

What are the sector sizes of CDs?

A

2,048 bytes

63
Q

What are link files?

A

A pointer that's created whenever a file is stored or copied so that the operating system knows where the file is located. The link file is used to establish a trail (or link) from one computing device to another and can show the connection between where the e-evidence was found in relation to where it resided earlier.

64
Q

What are shellbags?

A

Windows uses the Shellbag keys to store user preferences for GUI folder display within Windows Explorer. Everything from visible columns to display mode (icons, details, list, etc.) to sort order is tracked. Shellbags can be used to demonstrate user access and knowledge as well as the possible contents of deleted folders. They can be used to answer the difficult questions of data enumeration in intrusion cases, identify the contents of long-gone removable devices, and show the contents of previously mounted encrypted volumes.

65
Q

What are cache files?

A

A cache (pronounced CASH) is a place to store something temporarily. The files you automatically request by looking at a Web page are stored on your hard disk in a cache subdirectory under the directory for your browser (for example, Internet Explorer). When you return to a page you’ve recently looked at, the browser can get it from the cache rather than the original server, saving you time and the network the burden of some additional traffic.

66
Q

Best ways to get passwords?

A

Ask.

67
Q

What is UTC?

A

Coordinated Universal Time. UTC replaced Greenwich Mean Time (GMT) in 1972 as the standard to determine time in applications, such as computers or aviation, that required a clear-cut time stamp.

68
Q

What is GMT?

A

Greenwich Mean Time (GMT) originally referred to mean solar time at the Royal Observatory in Greenwich, London, which later became adopted as a global time standard. It is arguably the same as Coordinated Universal Time (UTC).

69
Q

What is the page file?

A

The page file is used by Windows to hold temporary data which is swapped in and out of physical memory in order to provide a larger virtual memory set.

70
Q

What is hiberfil.sys?

A

When a PC goes into hibernate mode, the entire contents of RAM are written to a file named hiberfil.sys so that the contents of RAM can be restored from disk.

71
Q

What are prefetch files?

A

Windows Prefetch files, introduced in Windows XP, are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run.

Up to 128 Prefetch files are stored in the %SystemRoot%\Prefetch directory. Each file in that directory should contain the name of the application, a dash, and then an eight character hash of the location from which that application was run, and a .pf extension. The filenames should be all uppercase except for the extension. The format of hashes is not known. A sample filename for md5deep would look like: MD5DEEP.EXE-4F89AB0C.pf. If an application is run from two different locations on the drive (i.e. the user runs C:\md5deep.exe and then C:\Apps\Hashing\md5deep.exe), there will be two different prefetch files in the Prefetch folder.

72
Q

What is metadata?

A

Data describing a file or its properties, such as creation date, author, or last access date. Invisible information that programs such as Microsoft Word, Excel, and Outlook attach to each file or e-mail.

73
Q

What is an edb?

A

The Microsoft Exchange database (.edb file) serves as the main repository for the mailbox data saved by Microsoft Exchange, and is associated with either a mailbox database or a public folder database. Each .edb file can contain multiple mailboxes or public folders.

74
Q

What is RAM slack?

A

Microsoft Windows based systems normally write in 512-byte blocks called sectors. That means whenever the OS wishes to write to the file system, it writes in chunks of 512 bytes, with a minimum of at least 512 bytes. So, if there is not enough data to fill the last sector in the last cluster, the OS innocently writes random data from memory (RAM) to the unfilled area in the last sector.

75
Q

What is Volume slack?

A

Sectors at the end of the partition that are unused by the file system because they do not add up to another cluster.