Test 5 Flashcards
EnCase provides the means to create a Windows Evidence Acquisition Boot Disk to allow for network acquisition of an evidence drive.
1) True 2) False
1) True
As UNIX was never designed to work on networks, there are very few native utilities designed to access the Internet.
1) True 2) False
2) False
When requesting a search warrant, remotely connected systems cannot be considered part of the target system, so it may be necessary to obtain proper authorization before examining them.
1) True 2) False
1) True
Why is it important to determine the level of network connectivity on a UNIX system as soon as possible?
1) As UNIX systems may be configured to store critical evidence on remote systems, network connections must be determined and exploited before any evidence stored remotely is destroyed.
2) To keep suspects and spectators from accessing the target system during the investigation.
3) To determine if the system administrator is a suspect.
4) None of the above.
1) As UNIX systems may be configured to store critical evidence on remote systems, network connections must be determined and exploited before any evidence stored remotely is destroyed.
NTFS time represents time as the number of 100-nanosecond intervals since January 1, 1601 00:00:00 UTC.
1) True 2) False
1) True
Internet traces may be found in which of the following categories?
1) Web browser cache
2) Instant messenger cache
3) Cookies
4) All of the above
4) All of the above
When examining a Windows Registry key, the "Last Write Time" indicates:
1) The last time RegEdit was run
2) When a value in that Registry key was altered or added
3) The current system time
4) The number of allowable changes has been exceeded
2) When a value in that Registry key was altered or added
One of the difficulties in examining UNIX systems is that the file system is extremely complex, making it difficult for the examiner to recover data.
1) True 2) False
2) False
Given their widespread use and simple structure, FAT file systems are a good starting point for forensic analysts to understand file systems and recovery of deleted data.
1) True 2) False
1) True
The file system mount table shows local and remote file systems that are automatically mounted when the system is booted. This information is stored in:
1) /etc/fstab
2) /etc/mount/mtab
3) /etc/hosts
4) None of the above
1) /etc/fstab
"File carving" is an examination technique where the beginning and end of a file are located, and the block of data spanning the two locations is copied to a new file, with the appropriate extension.
1) True 2) False
1) True
The Windows NT Event log Secevent.evt:
1) Contains a log of application usage
2) Records activities that have security implications, such as logins
3) Notes system events such as shutdowns
4) None of the above
2) Records activities that have security implications, such as logins
When examining a UNIX system, searching for network traces is not usually necessary.
1) True 2) False
2) False
Firefox stores potentially notable information in:
1) DBF format databases
2) ASCII text files
3) SQLite databases
4) Proprietary format files
3) SQLite databases
File system traces include all of the following EXCEPT:
1) Metadata
2) CMOS settings
3) Swap file contents
4) Data object date-time stamps
2) CMOS settings