Deck 18: Digital Evidence on Unix Systems

Question
In a block group, file data is located in ___________.

A) The block bitmap
B) Data blocks
C) Inode bitmap
D) Directory entry
Answer: B) Data blocks
Question
The file system mount table shows local and remote file systems that are automatically mounted when the system is booted. This information is stored in:

A) /etc/fstab
B) /etc/mount/mtab
C) /etc/hosts
D) None of the above
Answer: A) /etc/fstab
Question
Firefox 3 stores potentially notable information in:

A) DBF format databases
B) ASCII text files
C) SQLite databases
D) Proprietary format files
Answer: C) SQLite databases
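Firefox (from version 3 on) keeps history, bookmarks and downloads in SQLite files inside the profile directory, and places.sqlite is the one an examiner opens first. The script below is an added example, not part of the original deck and not Mozilla code: it builds a constructed stand-in for places.sqlite using the real table and column names (moz_places, moz_historyvisits, visit_date, visit_type, from_visit), then reads it back the way evidence should be read, through a read-only, immutable SQLite URI so that no -journal, -wal or -shm sidecar is created next to the file. The rows, URLs and timestamps are made up; the conversion relies on the fact that Firefox stores dates as PRTime, microseconds since the Unix epoch.

```python
import datetime
import os
import pathlib
import sqlite3
import tempfile

UTC = datetime.timezone.utc


def prtime_to_iso(us):
    """Firefox visit_date / last_visit_date are PRTime: microseconds since the Unix epoch."""
    secs, rem = divmod(int(us), 1_000_000)
    stamp = datetime.datetime.fromtimestamp(secs, UTC) + datetime.timedelta(microseconds=rem)
    return stamp.isoformat()


def build_sample_places(path):
    """Constructed stand-in for a profile's places.sqlite (Firefox table and column names)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
                                 visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", [
        (1, "http://example.org/", "Example Domain", 2, 1_300_000_100_000_000),
        (2, "http://example.org/files/tool.tgz", "tool.tgz", 1, 1_300_000_050_000_000),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", [
        (1, 0, 1, 1_300_000_000_000_000, 1),   # visit_type 1: followed a link
        (2, 1, 2, 1_300_000_050_000_000, 1),   # from_visit 1: reached from the first visit
        (3, 0, 1, 1_300_000_100_000_000, 2),   # visit_type 2: URL typed into the address bar
    ])
    con.commit()
    con.close()


def read_history(path):
    """Open the evidence copy read-only and immutable (SQLite then creates no journal, WAL
    or shm file beside it), join visits to places and convert PRTime to UTC ISO 8601."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("""
            SELECT v.visit_date, p.url, p.title, v.visit_type, v.from_visit
            FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
            ORDER BY v.visit_date""").fetchall()
    finally:
        con.close()
    return [(prtime_to_iso(d), url, title, vtype, ref) for d, url, title, vtype, ref in rows]


def demo():
    """Build the sample DB in a scratch directory, read it, and list what is left on disk."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "places.sqlite")
        build_sample_places(db)
        os.chmod(db, 0o444)                 # treat the copy like evidence: no writes allowed
        rows = read_history(db)
        sidecars = sorted(os.listdir(d))    # stays ["places.sqlite"]: nothing was created
    return rows, sidecars


if __name__ == "__main__":
    for visited, url, title, vtype, ref in demo()[0]:
        print(visited, url, "typed" if vtype == 2 else "link", "from visit %d" % ref)
```

Run it against a real profile by pointing read_history at a copy of places.sqlite; cookies.sqlite, formhistory.sqlite and downloads.sqlite (older releases) can be opened the same way. The immutable flag matters when the profile is on read-only media or when Firefox left the database in WAL mode, where a plain open would try to create the -wal and -shm files.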
Question
One of the difficulties in examining UNIX systems is that the file system is extremely complex, making it difficult for the examiner to recover data.
Question
When a file is deleted on a UNIX System, the ctime of its parent directory is:

A) Unchanged
B) Updated
C) Set to epoch time
D) Set to last modified date-time
Question
Why is it important to determine the level of network connectivity on a UNIX system as soon as possible?

A) As UNIX Systems may be configured to store critical evidence on remote systems, network connections must be determined and exploited before any evidence stored remotely is destroyed.
B) To keep suspects and spectators from accessing the target system during the investigation.
C) To determine if the system administrator is a suspect.
D) None of the above.
Question
Unlike the standard DOS/Windows environments, the UNIX environment has the capability of _________, thereby preventing the contents of evidentiary media from being changed.

A) Encrypting all data on the media
B) Copying the contents of the media
C) Warning the examiner of an impending write
D) Mounting storage media as Read-Only
Question
The UNIX convention of "piping" the results of one command into another is a serious limitation and is detrimental to using the UNIX platform for forensic examinations.
Question
The inode table can be found in the ___________.

A) Block group
B) Superblock table
C) MBR
D) Partition table
Question
Most data-carving tools operate on the assumption that the operating system generally tries to save data in contiguous sectors.
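Carving tools look for known headers and footers (or walk a format's internal structure) in raw sectors, and the result is only correct when the file's blocks are contiguous; a fragmented file comes back with foreign data spliced in. The script below is an added example, not from the original deck and not from any carving tool: it builds a constructed raw image holding a contiguous PNG and a JPEG-shaped blob split into two non-adjacent fragments, then runs a structure-aware PNG carver (chunk walk with CRC checks) and a naive header-to-footer JPEG carver over it. The filler bytes and both files are made up for the demonstration; the JPEG is marker-correct but contains no real image data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def _png_chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def make_png():
    """Constructed 1x1 8-bit greyscale PNG: IHDR, one IDAT scanline, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")          # filter byte 0 followed by one grey sample
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_jpeg():
    """Constructed JPEG-shaped blob: SOI, an APP0/JFIF marker, dummy payload, EOI."""
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x01\x01" * 40 + JPEG_EOI


def carve_png(buf, start):
    """Structure-aware: walk length/type/data/CRC chunks from the signature until IEND."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack_from(">I4s", buf, pos)
        end = pos + 12 + length
        if end > len(buf):
            return None                            # truncated before the chunk ends
        data = buf[pos + 8:pos + 8 + length]
        if struct.unpack_from(">I", buf, end - 4)[0] != zlib.crc32(ctype + data):
            return None                            # CRC mismatch: fragmented or overwritten
        pos = end
        if ctype == b"IEND":
            return bytes(buf[start:pos])
    return None


def carve_jpeg(buf, start):
    """Naive: header to the next footer, which is only right if the file was contiguous."""
    end = buf.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end < 0 else bytes(buf[start:end + len(JPEG_EOI)])


def carve(buf):
    """Scan the whole buffer for every known signature; returns (kind, offset, bytes) hits."""
    hits = []
    for sig, carver, kind in ((PNG_SIG, carve_png, "png"), (JPEG_SOI, carve_jpeg, "jpeg")):
        pos = buf.find(sig)
        while pos >= 0:
            obj = carver(buf, pos)
            if obj is not None:
                hits.append((kind, pos, obj))
            pos = buf.find(sig, pos + 1)
    return hits


def build_disk_image():
    """Constructed raw image: unrelated filler sectors, a contiguous PNG, and a JPEG whose
    two halves were written to non-adjacent blocks."""
    filler = bytes(range(256)) * 4               # contains none of the signatures above
    png, jpg = make_png(), make_jpeg()
    half = len(jpg) // 2
    return filler + png + filler + jpg[:half] + filler + jpg[half:] + filler, png, jpg


def demo():
    image, png, jpg = build_disk_image()
    results = {kind: obj for kind, _off, obj in carve(image)}
    return {
        "png_recovered_exactly": results.get("png") == png,
        "jpeg_length_matches": len(results.get("jpeg", b"")) == len(jpg),   # False: fragmented
        "jpeg_carved_length": len(results.get("jpeg", b"")),
        "jpeg_true_length": len(jpg),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

The naive JPEG carve returns the header, the filler that sits between the fragments, and the tail, 1024 bytes too long and not a valid file; the PNG carve succeeds because every chunk carries its own length and CRC, so the carver can tell where the file really ends and whether a block in the middle belongs to it. That is the general rule: the more internal structure a format exposes, the less the carver has to rely on the contiguity assumption.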
Question
MAC times, which are found in the ___________, are an example of file system traces.

A) Inode table
B) MBR's partition table
C) Inode bitmap
D) Data blocks
Question
What is the most efficient method for a forensic examiner to confirm whether a particular tool or methodology works in a forensically acceptable manner?

A) Search the Internet for accounts of other examiners using the tool or methodology
B) Contact the author of the tool or methodology and have them provide confirmation
C) Test the tool under controlled conditions
D) Contact other forensic examiners to determine if they have any experience with the tool or methodology
Question
One of the most common web browsers on UNIX systems is:

A) Internet Explorer
B) Safari
C) Opera
D) Firefox
Question
grep is a standard Linux tool that searches a specified file or region for a specified string.
Question
On UNIX systems that receive e-mail, incoming messages are held in ___________, in separate files for each user account until a user accesses them.

A) /home//desktop/mail
B) /var/spool/mqueue/mail
C) /etc/mailbox/mail
D) None of the above
Question
The Coroner's Toolkit and The Sleuth Kit are examples of open source ___________.

A) Hard drive repair tools
B) System administrator tools
C) Forensic examination tools
D) Network management tools
Question
In UNIX, when a file is moved within a volume, the inode change date-time (ctime) is:

A) Unchanged
B) Updated
C) Set to epoch time
D) Set to last modified date-time
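Two of the questions above turn on which MAC times move when a file is moved within a volume and when it is deleted. Rather than memorise the answer, observe it: the script below is an added example (not from the original deck) that records, on a real filesystem, that a rename inside one volume keeps the inode and the modification time but updates the file's ctime, and that unlinking a file updates the parent directory's mtime and ctime. POSIX only requires the parent directory's timestamps to change on rename; updating the renamed inode's own ctime is the behaviour of Linux filesystems (ext4, XFS, Btrfs, tmpfs) and of the BSDs, which is what the check expects. The file name and content are constructed; the 1.1 s pause exceeds the one-second timestamp granularity of ext2/ext3 and small-inode ext4, so the comparisons do not depend on nanosecond clocks.

```python
import datetime
import os
import tempfile
import time

PAUSE = 1.1   # longer than the 1 s timestamp granularity of the coarsest common filesystems


def mac_times(path):
    """M, A and C of one path as UTC ISO 8601 strings, as a timeline would list them."""
    st = os.stat(path)

    def iso(ns):
        return datetime.datetime.fromtimestamp(ns / 1e9, datetime.timezone.utc).isoformat()

    return {"mtime": iso(st.st_mtime_ns), "atime": iso(st.st_atime_ns), "ctime": iso(st.st_ctime_ns)}


def observe_rename_and_delete(workdir=None):
    """Create a file, rename it within the same directory (a move inside one volume), then
    delete it, and report which timestamps changed. On Linux every entry should be True."""
    with tempfile.TemporaryDirectory(dir=workdir) as d:
        src, dst = os.path.join(d, "report.txt"), os.path.join(d, "report.old")
        with open(src, "wb") as fh:
            fh.write(b"constructed sample content\n")
        file_before, dir_before = os.stat(src), os.stat(d)
        time.sleep(PAUSE)
        os.rename(src, dst)                   # same inode, new directory entry
        file_after, dir_after_rename = os.stat(dst), os.stat(d)
        time.sleep(PAUSE)
        os.unlink(dst)                        # the inode is gone; only its parent can still be examined
        dir_after_delete = os.stat(d)
    return {
        "rename_keeps_inode": file_before.st_ino == file_after.st_ino,
        "rename_keeps_mtime": file_before.st_mtime_ns == file_after.st_mtime_ns,
        "rename_updates_ctime": file_after.st_ctime_ns > file_before.st_ctime_ns,
        "rename_updates_parent_mtime": dir_after_rename.st_mtime_ns > dir_before.st_mtime_ns,
        "delete_updates_parent_ctime": dir_after_delete.st_ctime_ns > dir_after_rename.st_ctime_ns,
        "delete_updates_parent_mtime": dir_after_delete.st_mtime_ns > dir_after_rename.st_mtime_ns,
    }


if __name__ == "__main__":
    for key, value in observe_rename_and_delete().items():
        print(f"{key:28} {value}")
```

The practical consequence for an examiner: a file whose ctime is later than its mtime was renamed, re-permissioned, re-owned or re-linked after its content last changed, and a directory whose mtime is later than that of every entry in it has lost an entry since.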
Question
___________, which is part of the standard Linux distribution, can be used to make a bitstream copy of evidentiary media to either image files or sterile media.

A) grep
B) icat
C) dd
D) sha1sum
Question
One of the most useful areas to search for notable data on a Linux system is in file slack.
Question
Deleting a file has the effect of preserving its inode until it is reused because:

A) The inode is flagged as deleted.
B) The inode table entry is moved to the recycle bin.
C) Deleted inodes are not accessible to the file system.
D) The inode number is added to a deleted files journal entry.
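The block-group layout behind several of the questions above (where the inode table and the inode bitmap sit, where file data lives, what an inode holds, and why a deleted inode stays readable until its slot is reused) is easiest to see by reading the structures directly. The script below is an added example, not from the original deck, The Coroner's Toolkit or The Sleuth Kit: it hand-assembles a tiny single-group ext2 image in memory (constructed, not produced by mkfs; 1 KiB blocks, 64 blocks, 16 inodes of 128 bytes) and then parses it the way istat and icat do: superblock at byte offset 1024, group descriptor table in the following block, bitmaps and inode table at the block numbers the descriptor names, file data at the block numbers held in the inode. Inode 12 is a live file; inode 13 is a file that was unlinked, so its bitmap bit is clear, its link count is zero and its dtime is set, but on ext2 the block pointer survives and the content can still be read. ext3 and ext4 zero the block pointers on delete, so there the same trick fails and you carve instead. Timestamps and file contents are made up.

```python
import datetime
import struct

BLOCK = 1024                 # 1 KiB blocks: the superblock is block 1, group descriptors block 2
EXT2_MAGIC = 0xEF53
INODE_SIZE = 128
T0 = 1_300_000_000           # base timestamp for the constructed inodes (2011-03-13 07:06:40 UTC)


# ---- constructed image (hand-assembled; not the output of mkfs) ----
def _put_inode(img, ino, mode, size, atime, ctime, mtime, dtime, blocks):
    off = 5 * BLOCK + (ino - 1) * INODE_SIZE           # the inode table begins at block 5 here
    links = 0 if dtime else 1
    struct.pack_into("<HHIIIIIHHI", img, off, mode, 0, size, atime, ctime, mtime, dtime, 0, links, 0)
    struct.pack_into("<%dI" % len(blocks), img, off + 40, *blocks)   # i_block[]: direct pointers


def _put_dirent(img, off, ino, name, ftype, rec_len=None):
    n = name.encode()
    rec = rec_len or (8 + len(n) + 3) // 4 * 4         # entries are padded to 4-byte multiples
    struct.pack_into("<IHBB", img, off, ino, rec, len(n), ftype)
    img[off + 8:off + 8 + len(n)] = n
    return off + rec


def build_image():
    """One block group: block 0 boot area, 1 superblock, 2 group descriptor table,
    3 block bitmap, 4 inode bitmap, 5-6 inode table (16 x 128 B), 7 onwards data blocks."""
    img = bytearray(BLOCK * 64)
    sb = 1024
    struct.pack_into("<IIIII", img, sb, 16, 64, 0, 52, 3)         # inode/block totals, free counts
    struct.pack_into("<II", img, sb + 20, 1, 0)                  # s_first_data_block, s_log_block_size
    struct.pack_into("<III", img, sb + 32, 8192, 8192, 16)       # blocks/frags/inodes per group
    struct.pack_into("<H", img, sb + 56, EXT2_MAGIC)
    struct.pack_into("<I", img, sb + 76, 1)                      # s_rev_level 1: s_inode_size is valid
    struct.pack_into("<IH", img, sb + 84, 11, INODE_SIZE)        # s_first_ino, s_inode_size
    struct.pack_into("<III", img, 2 * BLOCK, 3, 4, 5)            # group 0: block bitmap, inode bitmap, inode table
    img[4 * BLOCK], img[4 * BLOCK + 1] = 0xFF, 0x0F              # inode bitmap: inodes 1-12 in use
    _put_inode(img, 2, 0o40755, BLOCK, T0, T0, T0, 0, [7])       # root directory, entries in block 7
    off = _put_dirent(img, 7 * BLOCK, 2, ".", 2)
    off = _put_dirent(img, off, 2, "..", 2)
    _put_dirent(img, off, 12, "notes.txt", 1, rec_len=8 * BLOCK - off)   # last entry spans the block
    live = b"meeting notes, 14:00\n"
    img[8 * BLOCK:8 * BLOCK + len(live)] = live
    _put_inode(img, 12, 0o100644, len(live), T0 + 60, T0 + 30, T0 + 30, 0, [8])
    gone = b"draft: wipe the logs\n"                             # inode 13 was unlinked at T0 + 900:
    img[9 * BLOCK:9 * BLOCK + len(gone)] = gone                  # no directory entry, bitmap bit clear,
    _put_inode(img, 13, 0o100644, len(gone), T0 + 10, T0 + 900, T0 + 10, T0 + 900, [9])  # pointer kept
    return img


# ---- parser: superblock -> group descriptor -> inode table / bitmap -> data blocks ----
def read_superblock(img):
    if struct.unpack_from("<H", img, 1024 + 56)[0] != EXT2_MAGIC:
        raise ValueError("no ext2/3/4 superblock at offset 1024")
    first_data_block, log_block_size = struct.unpack_from("<II", img, 1024 + 20)
    return {"block_size": 1024 << log_block_size, "first_data_block": first_data_block,
            "inodes_per_group": struct.unpack_from("<I", img, 1024 + 40)[0],
            "inode_size": struct.unpack_from("<H", img, 1024 + 88)[0]}


def group_descriptor(img, sb, group):
    off = (sb["first_data_block"] + 1) * sb["block_size"] + group * 32
    block_bitmap, inode_bitmap, inode_table = struct.unpack_from("<III", img, off)
    return {"block_bitmap": block_bitmap, "inode_bitmap": inode_bitmap, "inode_table": inode_table}


def read_inode(img, sb, ino):
    """What istat reports: mode, size, MAC times, dtime, link count, allocation bit, block list."""
    group, index = divmod(ino - 1, sb["inodes_per_group"])
    gd, bs = group_descriptor(img, sb, group), sb["block_size"]
    off = gd["inode_table"] * bs + index * sb["inode_size"]
    mode, _uid, size, atime, ctime, mtime, dtime, _gid, links = struct.unpack_from("<HHIIIIIHH", img, off)
    allocated = bool(img[gd["inode_bitmap"] * bs + index // 8] >> (index % 8) & 1)
    blocks = [b for b in struct.unpack_from("<12I", img, off + 40) if b]   # direct pointers only
    return {"mode": mode, "size": size, "atime": atime, "ctime": ctime, "mtime": mtime,
            "dtime": dtime, "links": links, "allocated": allocated, "blocks": blocks}


def inode_data(img, sb, inode):
    """What icat does: concatenate the inode's data blocks and cut the result at i_size."""
    bs = sb["block_size"]
    return b"".join(bytes(img[b * bs:(b + 1) * bs]) for b in inode["blocks"])[:inode["size"]]


def list_directory(img, sb, ino):
    data, off, entries = inode_data(img, sb, read_inode(img, sb, ino)), 0, []
    while off + 8 <= len(data):
        child, rec_len, name_len, _ftype = struct.unpack_from("<IHBB", data, off)
        if rec_len < 8:
            break
        if child:                                                # inode 0 marks an unused slot
            entries.append((data[off + 8:off + 8 + name_len].decode(), child))
        off += rec_len
    return entries


def iso(ts):
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).isoformat()


if __name__ == "__main__":
    img = build_image()
    sb = read_superblock(img)
    for name, ino in list_directory(img, sb, 2):
        i = read_inode(img, sb, ino)
        print(f"{name:10} inode {ino:2} M {iso(i['mtime'])} A {iso(i['atime'])} C {iso(i['ctime'])}")
    gone = read_inode(img, sb, 13)
    print("inode 13: allocated", gone["allocated"], "dtime", iso(gone["dtime"]), "blocks", gone["blocks"])
    print("recovered:", inode_data(img, sb, gone))
```

The parser handles only direct block pointers and a single group, which is enough to show the layout; on a real image from dd, pass the bytes of the partition (not the whole disk) and note that 4 KiB-block filesystems keep the group descriptor table in block 1, which the code derives from s_first_data_block rather than assuming.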
Question
The mainstay of acquiring digital evidence using UNIX is the "icopy" command.
Question
As UNIX was never designed to work on networks, there are very few native utilities designed to access the Internet.
Question
When examining a UNIX system, searching for network traces is not usually necessary.
Question
When requesting a search warrant, remotely connected systems cannot be considered part of the target system, so it may be necessary to obtain proper authorization before examining them.
Question
On UNIX systems, e-mails and all attachments are stored as plaintext in "/var/spool/mail," or "/var/mail," or in a directory under the user's account.
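The two mail questions above come down to one fact: on a traditional Unix mail host each user's unread mail sits in one mbox file under /var/spool/mail or /var/mail, headers and bodies in plain text, but attachments are MIME parts that are normally base64-encoded, so they are not readable in place and must be decoded before they can be hashed or examined. The script below is an added example, not from the original deck: it parses a constructed two-message mbox with the standard mailbox and email modules, lists envelope sender, date and subject per message, and decodes and hashes every attachment. The addresses, dates and the one-line attachment are made up. It opens the spool with create=False and from a read-only copy, because mailbox.mbox tries to open the file for writing first and falls back to read-only only when that is refused.

```python
import email.utils
import hashlib
import mailbox
import os
import tempfile

# Constructed mbox: two messages from the same sender, the second with a base64 attachment.
SAMPLE_MBOX = b"""From alice@example.org Sun Mar 13 07:06:40 2011
From: alice@example.org
To: bob@example.org
Subject: plans
Date: Sun, 13 Mar 2011 07:06:40 +0000
Message-ID: <1@example.org>

Meet at 14:00.

From alice@example.org Sun Mar 13 08:00:00 2011
From: alice@example.org
To: bob@example.org
Subject: the file
Date: Sun, 13 Mar 2011 08:00:00 +0000
Message-ID: <2@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached as promised.
--b1
Content-Type: application/octet-stream; name="hello.txt"
Content-Disposition: attachment; filename="hello.txt"
Content-Transfer-Encoding: base64

aGVsbG8K
--b1--

"""


def summarize_mbox(path):
    """One record per message: envelope sender from the "From " separator, RFC 2822 date as
    UTC ISO 8601, subject, and every attachment decoded with its size and SHA-256."""
    box = mailbox.mbox(path, create=False)       # never create: the spool copy is evidence
    records = []
    try:
        for msg in box:
            attachments = []
            for part in msg.walk():
                if part.get_content_disposition() == "attachment":
                    raw = part.get_payload(decode=True)   # undoes base64 / quoted-printable
                    attachments.append((part.get_filename(), len(raw), hashlib.sha256(raw).hexdigest()))
            records.append({
                "from": msg.get_from(),
                "date": email.utils.parsedate_to_datetime(msg["Date"]).isoformat(),
                "subject": msg["Subject"],
                "attachments": attachments,
            })
    finally:
        box.close()
    return records


def demo():
    """Write the constructed spool file as root would see it under /var/spool/mail and parse it."""
    with tempfile.TemporaryDirectory() as d:
        spool = os.path.join(d, "bob")
        with open(spool, "wb") as fh:
            fh.write(SAMPLE_MBOX)
        os.chmod(spool, 0o444)                   # read-only copy, as a working copy should be
        return summarize_mbox(spool)


if __name__ == "__main__":
    for rec in demo():
        print(rec["date"], rec["from"], rec["subject"], rec["attachments"])
```

The same parser works on a Maildir or an exported mbox from a mail client by swapping mailbox.mbox for mailbox.Maildir; the hash of each decoded attachment is what you compare against known-bad lists or against a file recovered elsewhere on the disk.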
Question
A list of currently mounted drives, including those not listed in the file system mount table, is kept in "/etc/mtab."
Question
Given a sufficiently powerful computer, even "strong" encryption can be broken in a short time.
Question
UNIX log files (or those of any operating system, for that matter) can provide a great deal of useful information to the examiner.
Question
The "istat" command, found in The Coroner's Toolkit, can be used to examine specific inode bitmaps.
Question
When a target system is connected to other systems in remote locations, it is expedient for the digital investigator to access these systems via remote access.