Busy. Please wait.

show password
Forgot Password?

Don't have an account?  Sign up 

Username is available taken
show password


Make sure to remember your password. If you forget it there is no way for StudyStack to send you a reset link. You would need to create a new account.
We do not share your email address with others. It is only used to allow you to reset your password. For details read our Privacy Policy and Terms of Service.

Already a StudyStack user? Log In

Reset Password
Enter the associated with your account, and we'll email you a link to reset your password.

Remove Ads
Don't know
remaining cards
To flip the current card, click it or press the Spacebar key.  To move the current card to one of the three colored boxes, click on the box.  You may also press the UP ARROW key to move the card to the "Know" box, the DOWN ARROW key to move the card to the "Don't know" box, or the RIGHT ARROW key to move the card to the Remaining box.  You may also click on the card displayed in any of the three boxes to bring that card back to the center.

Pass complete!

"Know" box contains:
Time elapsed:
restart all cards

Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.

  Normal Size     Small Size show me how


Chapter 6-13 multiple choice

Data streams can obscure valuable evidentiary data, intentionally or by coincidence true
A ____ is a column of tracks on two or more disk platters. cylinder
____ is how most manufacturers deal with a platter’s inner tracks being shorter than its outer tracks. ZBR
____ is the file structure database that Microsoft originally designed for floppy disks. FAT
____ was introduced when Microsoft created Windows NT and is the primary file system for Windows Vista NTFS
On an NTFS disk, immediately after the Partition Boot Sector is the ____. MFT
Records in the MFT are referred to as ____. metadata
In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each 1024
The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition. These cluster addresses are referred to as ____. data runs
When Microsoft introduced Windows 2000, it added built-in encryption to NTFS called ____. EFS
The purpose of the ____ is to provide a mechanism for recovering encrypted files under EFS if there’s a problem with the user’s original private key. recovery certificate
When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____. Registry
____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to NTLDR. NTDetect.com
____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS. NTBootdd.sys
____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %system-root%\Windows\System32\Drivers folder. Device drivers
____ is a hidden text file containing startup options for Windows 9x. Msdos.sys
The ____ file provides a command prompt when booting to MS-DOS mode (DPMI). Command.com
____ is a text file containing commands that typically run only at system startup to enhance the computer’s DOS configuration. Config.sys
____ is a batch file containing customized settings for MS-DOS that runs automatically. Autoexec.bat
A ____ allows you to create a representation of another computer on an existing physical computer. virtual machine
In software acquisition, there are three types of data-copying methods. false
To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful. true
The Windows platforms have long been the primary command-line interface OSs. false
After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools. true
Computer forensics tools are divided into ____ major categories. 2
Software forensics tools are commonly used to copy data from a suspect’s disk drive to a(n) ____. image file
To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable. ms-dos
Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command. dd
____ of data involves sorting and searching through all investigation data. Discrimination
Many password recovery tools have a feature that allows generating potential lists for a ____ attack. password dictionary
The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk. disk-to-disk
To complete a forensic disk analysis and examination, you need to create a ____. report
The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems. IBM
In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network. Dir
In general, forensics workstations can be divided into ____ categories. 3
A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____. portable workstation
____ is a simple drive-imaging station. FIRE IDE
____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk. Write-blockers
Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0,and SCSI controllers. USB
The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software. NIST
The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible. ISO 5725
The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____. NSRL
The primary hash algorithm used by the NSRL project is ____. SHA-1
One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex. disk editor
Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file’s contents testing, compressed
Macintosh OS X is built on a core called ____. Darwin
In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored. resource
The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is ____. 65,535
On older Macintosh OSs all information about the volume is stored in the ____. Master Directory Block (MDB)
With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data. Volume Bitmap
On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB). extents overflow file
Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement. GPL
The standard Linux file system is ____. Ext2fs
Ext2fs can support disks as large as ____ TB and files as large as 2 GB. 4
Linux is unique in that it uses ____, or information nodes, that contain descriptive information about each file or directory. inodes
To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of ____. 0
____ components define the file system on UNIX. 4
The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive. data block
LILO uses a configuration file named ____ located in the /Etc directory. Lilo.conf
Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of OSs. 1995
On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive. /dev/hda1
There are ____ tracks available for the program area on a CD. 99
The ____ provides several software drivers that allow communication between the OS and the SCSI component. Advanced SCSI Programming Interface (ASPI)
All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard ____ ribbon or shielded cable. 40-pin
ATA-66,ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable. 100
IDE ATA controller on an old 486 PC doesn’t recognize disk drives larger than 8.4 ____. GB
FTK cannot analyze data from image files from other vendors. false
A nonsteganographic graphics file has a different size than an identical steganographic graphics file. false
____ increases the time and resources needed to extract,analyze,and present evidence. scope creep
You begin any computer forensics case by creating a(n) ____. investigation plan
In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover. subpoenas
There are ____ searching options for keywords which FTK offers. 2
____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search. Live
The ____ search feature allows you to look for words with extensions such as “ing,”“ed,” and so forth. stemming
In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period. indexed
FTK and other computer forensics programs use ____ to tag and document digital evidence. bookmarks
Getting a hash value with a ____ is much faster and easier than with a(n) ____. hexadecimal editor, computer forensics tool
AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data. KFF
Data ____ involves changing or manipulating a file to conceal information. hiding
One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it. Norton DiskEdit
Marking bad clusters data-hiding technique is more common with ____ file systems. FAT
The term ____ comes from the Greek word for“hidden writing.” steganography
____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there. Steganography
Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure. key escrow
People who want to hide data can also use advanced encryption programs, such as PGP or ____. BestCrypt
____ recovery is a fairly easy task in computer forensic analysis. Password
____ attacks use every possible letter, number, and character found on a keyboard when cracking a password. Brute-force
____ are handy when you need to image the drive of a computer far away from your location or when you don’t want a suspect to be aware of an ongoing investigation. Remote acquisitions
____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer’s file system. HDHOST
With many computer forensics tools, you can open files with external viewers. true
Steganography cannot be used with file formats other than image files. false
____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes. Vector graphics
You use ____ to create, modify, and save bitmap, vector, and metafile graphics files. graphics editors
____ images store graphics information as grids of individual pixels. Bitmap
The process of converting raw picture data to another format is referred to as ____. demosaicing
The majority of digital cameras use the ____ format to store digital pictures EXIF
____ compression compresses data by permanently discarding bits of information in the file. Lossy
Recovering pieces of a file is called ____. carving
A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10. JPEG
If you can’t open an image file in an image viewer, the next step is to examine the file’s ____. header data
The uppercase letter ____ has a hexadecimal value of 41. "A"
The image format XIF is derived from the more common ____ file format. TIFF
The simplest way to access a file header is to use a(n) ____ editor hexadecimal
The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03. XIF
____ is the art of hiding information inside image files. Steganography
____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program. Insertion
____ steganography replaces bits of the host file with other bits of data. Substitution
In the following list, ____ is the only steg tool. Outguess
____ has also been used to protect copyrighted material by inserting digital watermarks into a file. Steganography
When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations. copyright
Under copyright laws, computer programs may be registered as ____. literary works
Under copyright laws, maps and architectural plans may be registered as ____. pictorial, graphic, and sculptural works
A graphics program creates and saves one of three types of image files: bitmap, vector, or ____________________. metafile
____________________ is the process of coding of data from a larger form to a smaller form. Data compression
The ____________________ is the best source for learning more about file formats and their associated extensions. internet
All ____________________ files start at position zero (offset 0 is the first byte of a file) with hexadecimal 49 49 2A. TIFF
The two major forms of steganography are ____________________ and substitution. insertion
____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program. Network forensics
____ forensics is the systematic tracking of incoming and outgoing traffic on your network. Network
A common way of examining network traffic is by running the ____ program. Tcpdump
____ is a popular network intrusion detection system that performs packet capture and analysis in real time. Snort
____ is the U.S. DoD computer forensics lab’s version of the dd command that comes with Knoppix-STD. dcfldd
____ are devices and/or software placed on a network to monitor traffic. Packet sniffers
Most packet sniffers operate on layer 2 or ____ of the OSI model. 3
____ is the text version of Ethereal, a packet sniffer tool. Tethereal
The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers. Honeynet
Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack. zombies
E-mail messages are distributed from one central server to many connected client computers, a configuration called ____. client/server architecture
With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk. GUI
When working on a Windows environment you can press ____ to copy the selected text to the clipboard. Ctrl+C
To retrieve an Outlook Express e-mail header right-click the message, and then click ____ to open a dialog box showing general information about the message. Properties
In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____. .pst
____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names. www.freeality.com
____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside. /etc/sendmail.cf
Typically, UNIX installations are set to store logs such as maillog in the ____ directory. /var/log
In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk. checkpoint
The Novell e-mail server software is called ____. GroupWise
Developed during WWII, this technology,____, was patented by Qualcomm after the war. CDMA
The ____ digital network divides a radio frequency into time slots. TDMA
TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life. IS-136
Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips. EEPROM
____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM. SIM
____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth. PDAs
The file system for a SIM card is a ____ structure. hierarchical
The SIM file structure begins with the root of the system (____). MF
Paraben Software is a leader in mobile forensics software and offers several tools, including ____, which can be used to acquire data from a variety of phone models. Device Seizure
In a Windows environment, BitPim stores files in ____ by default. My Documents\BitPim
Created by: ITSec_guy