
Computer Forensics Principles and Practices 1st Edition Volonino Test Bank
CHAPTER 7: INVESTIGATING WINDOWS, LINUX, AND GRAPHIC FILES

Multiple Choice:

1. Examples of user data include all of the following EXCEPT

A. User passwords

B. User profiles

C. Program files

D. Temp files

Answer: A Reference: Investigating Windows Systems Difficulty: Easy

2. In an NTFS system, by default, which of the following have access to files and folders not uniquely theirs?

A. Each user in the Group folder

B. Only those users in the Users folder

C. Each user who successfully logs in

D. Only the user assigned to those resources

Answer: D Reference: Separation of Duties Difficulty: Moderate

3. All of the following are key differences in identifying an operating system EXCEPT

A. The Recycle Bin folder

B. Operating system folder names

C. User root folder construction

D. Folders containing group userids

Answer: D Reference: Identifying the Operating System of a Target Hard Drive Difficulty: Moderate

4. Which of the following is the primary default folder in Windows 2000 and XP?

A. Documents and Settings

B. My Documents

C. User Root

D. My Computer

Answer: A Reference: Documents and Settings Folder Difficulty: Moderate

5. The user root folder may contain all of the following EXCEPT

A. Internet data

B. Application parameters

C. Wallpaper

D. Registry settings

Answer: D Reference: User Root Folder Difficulty: Difficult

6. Sources of e-evidence within Windows subfolders can include all of the following EXCEPT

A. Pointers to Office files

B. Listing of programs on the Quick Launch bar

C. Pointers to Internet Favorites

D. The user’s address book

Answer: C Reference: Application Data Folder Difficulty: Moderate

7. In a forensics context, hidden information about files and folders is called

A. Artifact data

B. Metadata

C. Archive data

D. Read-only data

Answer: B Reference: Metadata Difficulty: Moderate


8. All configuration information needed by the operating system may be located in which of the following?

A. System folder

B. Configuration file

C. Autoexec.bat file

D. Registry hives

Answer: D Reference: Registry Difficulty: Moderate

9. When you send a job to the printer, Windows creates a(n)

A. Enhanced metafile (EMF)

B. Enhanced image file (IMF)

C. Temporary print file (TPF)

D. Tagged image format file (TIFF)

Answer: A Reference: Print Spool Difficulty: Moderate

10. Which of the following is NOT one of the file types available within Linux?

A. Block devices

B. Directories

C. Named pipes

D. Superblock

Answer: D Reference: File Systems Difficulty: Moderate

11. Which of the following is one of the default directories created when installing Linux?

A. /setup

B. /default

C. /bin

D. /swap

Answer: C Reference: System Directories Difficulty: Moderate


12. Which of the following is considered an excellent source to obtain information on when passwords were last changed within a Linux system?

A. /etc/sysconfig

B. /etc/shadow/passwd

C. /etc/shadow

D. /etc

Answer: C Reference: Key Linux Files and Directories to Investigate Difficulty: Moderate

13. If you change a file extension by renaming the file,

A. You also change the data in the file

B. You will not be able to open the file

C. Windows will change the icon that represents the file

D. You also change the data header

Answer: C Reference: File Signatures Difficulty: Moderate

14. In steganography, the original file that contains the hidden information is the

A. Steganographic carrier

B. Carrier medium

C. Hiding medium

D. Concealing medium

Answer: B Reference: Steganography Difficulty: Moderate

15. Clues that may indicate stego use include all of the following EXCEPT

A. The sophistication of the computer’s owner

B. Software clues on the computer

C. Type of crime being investigated

D. Large number of files in the Recycle Bin

Answer: D Reference: Steganography Difficulty: Moderate


Fill in the Blank:

16. System data and artifacts are files generated by the ________.

Answer: operating system Reference: Investigating Windows Systems Difficulty: Moderate

17. Files are first loaded into a(n) ________ before being printed.

Answer: buffer Reference: Investigating Windows Systems Difficulty: Difficult

18. A(n) ________ is created by the computer for each user.

Answer: userid Reference: Data and User Authentication Weaknesses of FAT Difficulty: Moderate

19. A(n) ________ is designed as a hierarchical listing of folders and files.

Answer: directory tree structure Reference: Identifying the Operating System of a Target Hard Drive Difficulty: Moderate

20. The ________ folder is used by Internet sites to store information about the user.

Answer: Cookies Reference: Cookies Folder Difficulty: Moderate

21. The ________ subfolder lists the files that the user has accessed over several time periods.

Answer: History Reference: Local Settings Folder Difficulty: Moderate

22. The ________ folder generally contains information concerning the programs the user typically works with.

Answer: Start Menu Reference: Start Menu Folder Difficulty: Moderate

23. One application of metadata used by Windows is an uncommon storage concept called ________.

Answer: alternate data streams Reference: Metadata Difficulty: Difficult

24. Windows NT and higher changed the registry to a mixture of several files referred to as ________.

Answer: hives Reference: Registry Difficulty: Moderate

25. The ________ tracks those actions deemed as events by the software application.

Answer: application log Reference: Event Logs Difficulty: Easy

26. By default, the ________ is used as virtual memory.

Answer: swap file (or page file) Reference: Swap File/Page File Difficulty: Moderate

27. The ________ command gives Linux users the ability to perform administrative duties, which require a separate password for each user.

Answer: sudo Reference: Investigating Linux Systems Difficulty: Moderate


28. In Linux, everything—including all devices, partitions, and folders—is seen as a unified ________.

Answer: file system Reference: Investigating Linux Systems Difficulty: Moderate

29. ________ are used to determine where data starts and ends when graphic files are located in unallocated or slack space.

Answer: File signatures Reference: Graphic File Forensics Difficulty: Moderate

30. The process of retrieving image data from unallocated or slack space is called ________.

Answer: data carving (or salvaging) Reference: Data Carving Difficulty: Moderate

Matching:

31. Match the following to their definitions.

I. User profiles A. Internet history files

II. Program files B. Installed applications

III. Temp files C. Though used only briefly, they are not deleted

IV. Application-level files D. Data created by a user

Answer: D B C A Reference: Terms throughout the chapter Difficulty: Moderate

32. Match the following keys to their hive file.

I. HKEY_CLASSES_ROOT A. Default

II. HKEY_USERS\.Default B. System

III. HKEY_LOCAL_MACHINE\SAM C. SAM

IV. HKEY_CURRENT_CONFIG D. Software

Answer: D A C B Reference: Registry Difficulty: Difficult

33. Match the following to their data structures.

I. Data block A. Contain metadata for each file

II. Inodes B. Unit of allocation for storage

III. Dentry object C. Created for every file system mounted

IV. Superblock D. Contains information about the directory structure

Answer: B A D C Reference: File Systems Difficulty: Moderate


34. Match the following file types to their description.

I. Sockets A. Unbuffered files used to exchange data

II. Character devices B. Virtual connections between two processes

III. Named pipes C. Provide a FIFO mechanism

IV. Block devices D. Buffered files used to exchange data

Answer: B A C D Reference: File Systems Difficulty: Difficult

35. Match the type of directory to its definition.

I. /lib A. Where files with no names are placed

II. /etc B. Contains information on printers, log files, and transient data

III. /lost+found C. Could be a rich source of evidence if not recently cleaned

IV. /var D. Library files

V. /tmp E. Contains shadow password files

Answer: D E A B C Reference: System Directories Difficulty: Difficult

36. Match the following GREP tokens with their related functions.

I. * A. Used to match the ASCII hexadecimal representation of a single character

II. \xHH B. Implements an OR situation

III. [] C. When placed after a character, matches any number of occurrences of that character

IV. . D. Matches a single character

Answer: C A B D Reference: Using Grep to Search File Contents Difficulty: Difficult

37. Match the hex signature with its file extension.

I. 00 00 01 00 A. BMP

II. FF D8 FF E1 xx xx 45 78 69 66 00 B. ICO

III. 42 4D C. PNG

IV. 89 50 4E 47 0D 0A 1A 0A D. JPEG

Answer: B D A C Reference: File Signatures Difficulty: Difficult
