Forensics CIT 430 Test 2 Exam 33 Questions with Answers

List two commercial computer forensic duplication and analysis tools. - CORRECT ANSWER 1. EnCase 2. FTK (Forensic Toolkit)

What is a write blocker? - CORRECT ANSWER Devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.

What is a drive adapter? - CORRECT ANSWER A device that is used as a forensic bridge to connect a notebook IDE hard disk.

What does DD stand for? - CORRECT ANSWER Data Dump

How to list the partition info (size, starting address, etc.) of a hard disk? - CORRECT ANSWER fdisk -l

How to create an ext2/ext3 file system on a hard disk? - CORRECT ANSWER mkfs.ext2 /dev/xxx1 or mkfs.ext3 /dev/xxx1

How to copy a suspect's hard disk into one file? - CORRECT ANSWER dd if=/dev/xxx of=/tmp/file-name

How to restore the image of a hard disk stored in a file back to a hard disk if needed? - CORRECT ANSWER dd if=/tmp/file-name of=/dev/xxx

How to copy just one partition of the suspect's disk into one file? - CORRECT ANSWER dd if=/dev/xxx1 of=/tmp/file-name

How to restore the image of a partition back to a hard disk if needed? - CORRECT ANSWER dd if=/tmp/file-name of=/dev/xxx

How to do questions 4 and 5 over the network? - CORRECT ANSWER
The destination computer: nc -l -p 9999 | dd of=/dev/yyy bs=32k
The source computer: dd if=/dev/xxx bs=32k | nc ip_address_of_destination_computer 9999

How to wipe a disk with zeros? - CORRECT ANSWER dd if=/dev/zero of=/dev/xxx

What is a Qualified Forensic Duplicate? - CORRECT ANSWER A qualified forensic duplicate is a file that contains every bit of information from the source, but may be stored in an altered form.

What is an inode? - CORRECT ANSWER An inode (index node) is a data structure that contains the properties of a file; it does not contain the data content or the file name.

What info does an inode contain? - CORRECT ANSWER
- The size of the file in bytes.
- The file's physical location (the addresses of the blocks of storage containing the file's data on a HDD).
- The file's permissions.
- The device ID.
- The user ID of the file's owner.
- The group ID of the file.
- Timestamps (ctime, mtime and atime).
- A reference count telling how many hard links point to the inode.

Directories are implemented as a special type of file in Linux. What is in the directory entry? - CORRECT ANSWER It's an entry in a directory that contains an inode number and a file name.

What is the command in Linux to find the inode number of a file? - CORRECT ANSWER ls -i <file_name>

How to use debugfs to recover deleted files? - CORRECT ANSWER debugfs -w file.name; the -w switch opens the file in read-write mode. After that you can use mi with the inode number to change the link count from 0 to 1 and the deletion time to 0.

What is Link Count in an inode? - CORRECT ANSWER It's a reference count telling how many hard links point to the inode; it isn't pointing to hard and symbolic links.

What are symbolic links? - CORRECT ANSWER A symbolic path indicating the abstract location of another file.

How to find the type of a file regardless of the file extension? - CORRECT ANSWER file /target/*, to see the file types of all files under /target regardless of their extensions.

DD Parameter "if" - CORRECT ANSWER Designates the input file.

DD Parameter "of" - CORRECT ANSWER Designates the output file.

DD Parameter "conv=" - CORRECT ANSWER We can pass

DD Parameter "notrunc" - CORRECT ANSWER Tells dd not to truncate the output if an error is encountered.

DD Parameter "noerror" - CORRECT ANSWER Tells dd not to stop duplicating when an error is encountered.

DD Parameter "sync" - CORRECT ANSWER Tells dd to place zeros in any blocks in the output when an error is encountered.

DD Parameter "bs" - CORRECT ANSWER Specifies the block size; by default it is 512 bytes.

How to wipe a disk with random numbers? - CORRECT ANSWER dd if=/dev/urandom of=/dev/xxx

How to wipe a disk with patterns? - CORRECT ANSWER yes <your_name> | dd of=/dev/xxx

What are hard links? - CORRECT ANSWER The specific location of physical data.

The difference between dd_rescue and DD: - CORRECT ANSWER dd_rescue can read the hard disk the normal way for duplication and can also read it the reverse way. On the other hand, dd can't read the reverse way. dd_rescue is also a better (faster) tool for cleansing a drive you may recycle.

The difference between dcfldd and DD: - CORRECT ANSWER
- It provides a built-in MD5 hashing algorithm for authentication.
- It has two additional switches compared to the traditional dd:
  - hashwindow: indicates the number of bytes to be calculated and checked with MD5.
  - hashlog: indicates the log file where the MD5 hash is stored.
Uploaded on May 12, 2023