MidTerm-Quiz104

Which file systems can OSForensics Analyze

Microsoft
Fat12
Fat32
Fat 16
NTFS
MAC
HFS+
HFSX
Linux
Ext2fs
Ext4fs

True or False: OSForensics can analyze data from several sources

True: Including image files from other vendors

What is Validating Forensic Data

Ensuring the integrity of data collected is essential for presenting evidence in court

What is a tool used to ensure valid data

Hashing of image files
Advanced hexadecimal editors

What do advanced hex editors offer (in the way of validation) that are not
available in most forensic tools
Hashing specific files and/or sectors

What are two popular programs that provide MD5 and SHA-1 hashing algorithms?
WinHex and HxD

What is the advantage of recording hash values?

You can determine if the data has been changed

What is block-wise hashing?

A process that builds a data set of hashes of sectors from the original file. Then
examines sectors on the suspects drive to see whether any other sectors match.

In block-wise hashing, what happens when sectors on the suspect's drive match
part of the data set of hashes?
You confirm that the file was stored on the suspect's drive

What is Known File Filter (KFF)?

Access Data's Hashing Database

How does Known File Filter work?

KFF filters through program files from view and contains hash values of illegal files.

It compares known file hash values with files on your evidence drive to see if they
contain suspicious data.

Other digital forensics tools can import the NSRL database and run has
comparisons.

What is data hidding?

Changing or manipulating a file to conceal information

List 3 data hiding techniques

Valid Answers include:

Hiding entire partitions

Changing file extensions
Setting file attributes to hidden
Bit-shifting
Using encryption
Setting up password protection

What happens when you use the "diskpart remove letter" command in windows?
It unassign the partition's letter which hides it form view in the File Explorer

What command do you use to unhide a partition after you removed the letter?
"diskpart assign letter"

List some disk management tools

Partition magic
partition master
Linux Grand Unified Bootloader (GRUB)

How do you detect whether a partition has been hidden?

Make sure all disk space on an evidence drive is accounted for and analyze
unaccounted for space.

What is a modern use for Norton DiskEdit?

Data-hiding by using the free slack space on a disk partition cluster

What is the mark bad clusters technique used for?

Marking normal data clusters as bad clusters in the FAT table so that the OS
considers them unusable.

What are limitation of DiskEdit?

runs only in MS-DOS and can access only FAT-formatted disk media

How is bit-shifting done?

Use a low level encryption program that changes the order of binary data

makes altered data unreadable. The user runs an assembler program to scramble
bits and runs another to unscramble them

What is a macro?
An assembler that is used to scramble data in bit-shifting.

What does bit-shifted data look like?

Binary Executable Code