Question 1

On UNIX systems, e-mails and all attachments are stored as plaintext in
"/var/spool/mail," or "/var/mail," or in a directory under the user's account.

Accepted Answer

A) True 
 B)False

Question 2

Why is it important to determine the level of network connectivity on a UNIX system as soon as possible?

Accepted Answer

A)  As UNIX Systems may be configured to store critical evidence on remote systems, network connections must be determined and exploited before any evidence stored remotely is destroyed. 
B)  To keep suspects and spectators from accessing the target system during the investigation. 
C)  To determine if the system administrator is a suspect. 
D)  None of the above. 
A)  As UNIX Systems may be configured to store critical evidence on remote systems, network connections must be determined and exploited before any evidence stored remotely is destroyed. 
B)  To keep suspects and spectators from accessing the target system during the investigation. 
C)  To determine if the system administrator is a suspect. 
D)  None of the above.

Question 3

The "istat" command, found in The Coroner's Toolkit, can be used to examine specific inode bitmaps.

Accepted Answer

A) True 
 B)False

Question 4

FireFox 3 stores potentially notable information in:

Accepted Answer

A)  DBF format databases 
B)  ASCII text files 
C)  SQLite databases 
D)  Proprietary format files 
A)  DBF format databases 
B)  ASCII text files 
C)  SQLite databases 
D)  Proprietary format files

Question 5

When examining a UNIX system, searching for network traces is not usually necessary.

Accepted Answer

A) True 
 B)False

Question 6

Deleting a file has the effect of preserving its inode until it is reused because:

Accepted Answer

A)  The inode is flagged as deleted. 
B)  The inode table entry is moved to the recycle bin. 
C)  Deleted inodes are not accessible to the file system. 
D)  The inode number is added to a deleted files journal entry. 
A)  The inode is flagged as deleted. 
B)  The inode table entry is moved to the recycle bin. 
C)  Deleted inodes are not accessible to the file system. 
D)  The inode number is added to a deleted files journal entry.

Question 7

The mainstay of acquiring digital evidence using UNIX is the "icopy" command.

Accepted Answer

A) True 
 B)False

Question 8

The file system mount table shows local and remote file systems that are automatically mounted when the system is booted. This information is stored in:

Accepted Answer

A)  /etc/fstab 
B)  /etc/mount/mtab 
C)  /etc/hosts 
D)  None of the above 
A)  /etc/fstab 
B)  /etc/mount/mtab 
C)  /etc/hosts 
D)  None of the above

Question 9

UNIX log files (or those of any operating system, for that matter) can provide a great deal of useful information to the examiner.

Accepted Answer

A) True 
 B)False

Question 10

When a target system is connected to other systems in remote locations, it is expedient for the digital investigator to access these systems via remote access.

Accepted Answer

A) True 
 B)False

On UNIX systems, e-mails and all attachments are stored as plaintext in "/var/spool/mail," or "/var/mail," or in a directory under the user's account.

Why is it important to determine the level of network connectivity on a UNIX system as soon as possible?

The "istat" command, found in The Coroner's Toolkit, can be used to examine specific inode bitmaps.

FireFox 3 stores potentially notable information in:

When examining a UNIX system, searching for network traces is not usually necessary.

Deleting a file has the effect of preserving its inode until it is reused because:

The mainstay of acquiring digital evidence using UNIX is the "icopy" command.

The file system mount table shows local and remote file systems that are automatically mounted when the system is booted. This information is stored in:

UNIX log files (or those of any operating system, for that matter) can provide a great deal of useful information to the examiner.

When a target system is connected to other systems in remote locations, it is expedient for the digital investigator to access these systems via remote access.

Foundations of Digital Forensics

Language of Computer Crime Investigation

Digital Evidence in the Courtroom

Cybercrime Law: a United States Perspective

Cybercrime Law: a European Perspective

Conducting Digital Investigations

Handling a Digital Crime Scene

Investigative Reconstruction With Digital Evidence

Modus Operandi, Motive, and Technology

Violent Crime and Digital Evidence

Digital Evidence As Alibi

Sex Offenders on the Internet

Computer Intrusions

Cyberstalking

Computer Basics for Digital Investigators

Applying Forensic Science to Computers

Digital Evidence on Windows Systems

Digital Evidence on Macintosh Systems

Digital Evidence on Mobile Devices

Network Basics for Digital Investigators

Applying Forensic Science to Networks

Digital Evidence on the Internet

Digital Evidence at the Physical and Data-Link Layers

Digital Evidence at the Network and Transport Layers

Filters

Exam 18: Digital Evidence on Unix Systems

On UNIX systems, e-mails and all attachments are stored as plaintext in "/var/spool/mail," or "/var/mail," or in a directory under the user's account.

Why is it important to determine the level of network connectivity on a UNIX system as soon as possible?

The "istat" command, found in The Coroner's Toolkit, can be used to examine specific inode bitmaps.

FireFox 3 stores potentially notable information in:

When examining a UNIX system, searching for network traces is not usually necessary.

Deleting a file has the effect of preserving its inode until it is reused because:

The mainstay of acquiring digital evidence using UNIX is the "icopy" command.

The file system mount table shows local and remote file systems that are automatically mounted when the system is booted. This information is stored in:

UNIX log files (or those of any operating system, for that matter) can provide a great deal of useful information to the examiner.

When a target system is connected to other systems in remote locations, it is expedient for the digital investigator to access these systems via remote access.

Foundations of Digital Forensics

Language of Computer Crime Investigation

Digital Evidence in the Courtroom

Cybercrime Law: a United States Perspective

Cybercrime Law: a European Perspective

Conducting Digital Investigations

Handling a Digital Crime Scene

Investigative Reconstruction With Digital Evidence

Modus Operandi, Motive, and Technology

Violent Crime and Digital Evidence

Digital Evidence As Alibi

Sex Offenders on the Internet

Computer Intrusions

Cyberstalking

Computer Basics for Digital Investigators

Applying Forensic Science to Computers

Digital Evidence on Windows Systems

Digital Evidence on Macintosh Systems

Digital Evidence on Mobile Devices

Network Basics for Digital Investigators

Applying Forensic Science to Networks

Digital Evidence on the Internet

Digital Evidence at the Physical and Data-Link Layers

Digital Evidence at the Network and Transport Layers

Filters