Explore all topics
Start Free Trial
Need Help? Contact us
back arrowfull exam logo
search
ai logoChat with AI
Servicesarrow
Discoverarrow

Topics

Explore all topics
Discover more topics

Deck 19: Digital Evidence on Macintosh Systems

Full screen (f)
exit full mode
Question
Examination of a Mac computer must be done manually - no automated tools exist.
Use Space or
up arrow
down arrow
to flip the card.
Question
Keychains (~/Library/Keychains) are files that store:

A) Usernames and passwords
B) Private encryption keys
C) Favorite websites
D) Recent documents
Question
Macintosh disks can only be examined on a Macintosh system.
Question
The boot sector and additional details about the volume are stored in:

A) The first sector of the volume
B) At offset 0x300 from the beginning of the drive
C) The last sector of the volume
D) CMOS
Question
It may not be possible to recover the file names and date-time stamps from an HFS volume with forensic tools because:

A) That information is overwritten when a file is deleted.
B) The inode table is deleted.
C) That information is only held in memory.
D) The B-tree data structure frequently rebalances.
Question
The most common approach to salvaging deleted data on Macintosh systems is to:

A) Use EnCase to recover the files.
B) Use the Catalog utility.
C) Use file carving techniques.
D) There is currently no solution to recovering deleted files from a Macintosh.
Question
The HFS equivalent to the NTFS MFT is:

A) Lister file
B) Files.db
C) Catalog file
D) Seeker.db
Question
A difference between HFS and other file systems studied is that folders:

A) Are listed in a separate Extents Overflow file
B) Do not contain lists of their contents
C) Do not show when they were last backed up
D) Are stored in two places on the disk
Question
HFS Plus stores file and folder names in Unicode format.
Question
When a file is deleted, its Catalog entry may be deleted as well. If this occurs,

A) A backup of the Catalog file will still contain the information.
B) All references to the data are removed from the disk.
C) The file information is moved to the Extent Overflow file.
D) The file information is moved to ".Trash," with the same name as the file, and an extent of ".info."
Question
HFS represents time as:

A) The number of nanoseconds since January 1, 1601 00:00:00 GMT
B) The number of milliseconds since January 1, 1980 00:00:00 GMT
C) The number of seconds since January 1, 1601 00:00:00 GMT
D) The number of seconds since January 1, 1904 00:00:00 GMT
Question
Macintosh stores its partition table in:

A) The last sector of the drive
B) Non-volatile memory
C) The first sector of the drive
D) At offset 1024
Question
The default browser used on Mac OS X is:

A) Internet Explorer
B) Safari
C) Firefox
D) Opera
Question
The folder ~/Library/Mail Downloads contains:

A) Internet downloads
B) E-mails that contain attachments
C) Unread e-mails
D) E-mail attachments that have been opened
Question
There is a wide selection of forensic tools available for exploiting Macs.
Question
On Mac OS X, when a file is deleted, it is copied to the:

A) Recycler folder
B) .Trash folder
C) [orphans]
D) None of the above
Question
The last access times of files copied from a Mac running OS 9 onto a FAT-formatted disk are meaningless because HFS does not maintain:

A) Access time
B) Modified time
C) Created time
D) Ctime
Question
Recently accessed files and applications are listed in:

A) ~/Library/Recent
B) Catalog:Recent
C) ~/Library/Preferences/com.apple.recent.items
D) com.apple.TextEdit.plist
Question
By default, when Mac OS X boots up, it will attempt to mount an evidence disk.
Question
HFS supports a maximum of__________ clusters.

A) 28
B) 216
C) 232
D) 264
Question
Typically, the degree of e-mail logging is dependent on the application.
Question
On a Macintosh, when a file is deleted, its key length is set to zero.
Question
Due to the design of the Macintosh Catalog file, it is easy to recover deleted files manually, using forensic tools.
Question
In each volume of a Macintosh system, there is a database named "Desktop DB" that contains information about activities on the system including programs that were run and files and websites that were accessed.
Question
All ".plist" files are in plaintext.
Question
Mac OS X has logging capabilities, but OS9 did not.
Question
Internet Explorer cookies are always found in System
Folder:Preferences:Explorer:Cookies.txt.
Question
Digital evidence examiners can use The Sleuth Kit on Mac OS X to examine NTFS, FAT, UFS, EXT, and HFS file systems.
Question
By default, Eudora for Macintosh records more information than Eudora for Windows.
Unlock Deck
Sign up to unlock the cards in this deck!
Unlock Deck
Unlock Deck
1/29
auto play flashcards
Play
simple tutorial
Full screen (f)
exit full mode
Deck 19: Digital Evidence on Macintosh Systems
1
Examination of a Mac computer must be done manually - no automated tools exist.
False
2
Keychains (~/Library/Keychains) are files that store:

A) Usernames and passwords
B) Private encryption keys
C) Favorite websites
D) Recent documents
A
3
Macintosh disks can only be examined on a Macintosh system.
False
4
The boot sector and additional details about the volume are stored in:

A) The first sector of the volume
B) At offset 0x300 from the beginning of the drive
C) The last sector of the volume
D) CMOS
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
5
It may not be possible to recover the file names and date-time stamps from an HFS volume with forensic tools because:

A) That information is overwritten when a file is deleted.
B) The inode table is deleted.
C) That information is only held in memory.
D) The B-tree data structure frequently rebalances.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
6
The most common approach to salvaging deleted data on Macintosh systems is to:

A) Use EnCase to recover the files.
B) Use the Catalog utility.
C) Use file carving techniques.
D) There is currently no solution to recovering deleted files from a Macintosh.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
7
The HFS equivalent to the NTFS MFT is:

A) Lister file
B) Files.db
C) Catalog file
D) Seeker.db
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
8
A difference between HFS and other file systems studied is that folders:

A) Are listed in a separate Extents Overflow file
B) Do not contain lists of their contents
C) Do not show when they were last backed up
D) Are stored in two places on the disk
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
9
HFS Plus stores file and folder names in Unicode format.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
10
When a file is deleted, its Catalog entry may be deleted as well. If this occurs,

A) A backup of the Catalog file will still contain the information.
B) All references to the data are removed from the disk.
C) The file information is moved to the Extent Overflow file.
D) The file information is moved to ".Trash," with the same name as the file, and an extent of ".info."
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
11
HFS represents time as:

A) The number of nanoseconds since January 1, 1601 00:00:00 GMT
B) The number of milliseconds since January 1, 1980 00:00:00 GMT
C) The number of seconds since January 1, 1601 00:00:00 GMT
D) The number of seconds since January 1, 1904 00:00:00 GMT
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
12
Macintosh stores its partition table in:

A) The last sector of the drive
B) Non-volatile memory
C) The first sector of the drive
D) At offset 1024
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
13
The default browser used on Mac OS X is:

A) Internet Explorer
B) Safari
C) Firefox
D) Opera
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
14
The folder ~/Library/Mail Downloads contains:

A) Internet downloads
B) E-mails that contain attachments
C) Unread e-mails
D) E-mail attachments that have been opened
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
15
There is a wide selection of forensic tools available for exploiting Macs.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
16
On Mac OS X, when a file is deleted, it is copied to the:

A) Recycler folder
B) .Trash folder
C) [orphans]
D) None of the above
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
17
The last access times of files copied from a Mac running OS 9 onto a FAT-formatted disk are meaningless because HFS does not maintain:

A) Access time
B) Modified time
C) Created time
D) Ctime
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
18
Recently accessed files and applications are listed in:

A) ~/Library/Recent
B) Catalog:Recent
C) ~/Library/Preferences/com.apple.recent.items
D) com.apple.TextEdit.plist
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
19
By default, when Mac OS X boots up, it will attempt to mount an evidence disk.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
20
HFS supports a maximum of__________ clusters.

A) 28
B) 216
C) 232
D) 264
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
21
Typically, the degree of e-mail logging is dependent on the application.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
22
On a Macintosh, when a file is deleted, its key length is set to zero.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
23
Due to the design of the Macintosh Catalog file, it is easy to recover deleted files manually, using forensic tools.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
24
In each volume of a Macintosh system, there is a database named "Desktop DB" that contains information about activities on the system including programs that were run and files and websites that were accessed.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
25
All ".plist" files are in plaintext.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
26
Mac OS X has logging capabilities, but OS9 did not.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
27
Internet Explorer cookies are always found in System
Folder:Preferences:Explorer:Cookies.txt.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
28
Digital evidence examiners can use The Sleuth Kit on Mac OS X to examine NTFS, FAT, UFS, EXT, and HFS file systems.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
29
By default, Eudora for Macintosh records more information than Eudora for Windows.
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Unlock Deck
k this deck
locked card icon
Unlock Deck
Unlock for access to all 29 flashcards in this deck.
Examlex
Examlex
Work With Us
Policies
Download the App
Scan to downloadDownload the App
qr-code
Links
Links
Work With Us
Download the App

Scan to downloadDownload the App
qr-code

Copyright © 2025 Examlex LLC.
  • facebook-footer
  • instagram-footer
  • x-footer
  • tiktok
  • Linktree