Traceable systems and forensics

EXAM.txt

QUESTION 1
Hard drive imaging is usually done during the _______________ evidence acquisition:
- Live
- Dead
- Both

QUESTION 2
The first step when you connect your USB drive to Parrot is to run:
- fdisk -l
- scalpel
- dcfldd

QUESTION 3
A disk image with the extension ____________ means it is a raw image:
- dd
- E01
- AFF

QUESTION 4
Mutexes are not usually associated with malware:
- T
- F

QUESTION 5
Using the little-endian model for addressing, the MSB of the hex number 22 45 8a cd is (addresses increase from left to right):
- 22
- cd
- We cannot tell

QUESTION 6
Scalpel needs ___________ and ____________ to run:
- Conf file
- Input data
- Both

QUESTION 7
Files can have their _______________ included in them:
- Size
- Header
- Footer
- All

QUESTION 8
For automatic computerized file carving, we can use:
- Scalpel
- Hex editor
- Both

QUESTION 9
The detective is interested in finding the MAC addresses from the output of bulk_extractor. She can do that by looking into the file:
- url.txt
- ether.txt
- domain.txt
- ip.txt

QUESTION 11
TD2u is a ______________ device used for disk ___________:
- Write-blocker, cloning
- Read-blocker, imaging

QUESTION 12
When you delete a file, the file can still have traces on the system because of:
- The file data could still be there
- The MFT
- Both

QUESTION 13
(S-1-5-21-842925246-725345543-1844994965-1003) is the __________ as it shows in the metadata of a file in Autopsy:
- User ID
- Security ID
- Account ID

QUESTION 14
Imaging a disk is basically copying the files from that disk:
- T
- F

QUESTION 15
An OS can find out the bad parts of the HDD because of the file _________ that it keeps:
- BadSect
- BadClus
- BadBloc

QUESTION 16
WAV files _______________ size of the file:
- can be carved beyond the
- can only be carved to the

QUESTION 17
When fully acquiring the memory of a laptop, we should have __________:
- Memory dump
- Paging file
- Both

QUESTION 18
Some disk imaging formats will add _________________ to the created image:
- Hashing
- CRC
- Case info.
- All

QUESTION 19
A forensics tool XZX has been tested, but it does not conform with some procedures and laws. It can still be used in an investigation:
- T
- F

QUESTION 20
To get the memory dump of a virtual machine, you need to ___________ the machine:
- Shutdown
- Restart
- Suspend

QUESTION 21
FTK Imager can only be accessed via:
- GUI
- CLI
- Both

QUESTION 22
FTK Imager can be used for:
- Creating a disk image
- Mounting a disk image
- Memory dump
- All

QUESTION 23
The command dcfldd pattern=FF of=/dev/sdx is used for _____________:
- Imaging sdx
- Copying FF to sdx
- Wiping sdx with FF

QUESTION 24
To turn off the machine of a suspect, you should:
- Start -> Turn off
- Unplug the power cable
- Never turn off a machine

QUESTION 25
To extract textual information from the memory dump, you can use the command:
- grep
- strings
- ls

QUESTION 26
Memory acquisition can be done remotely:
- T
- F

QUESTION 28
_________ is used by the OS and ____________ is used by the CPU to manage memory addresses:
- VAD, Page Table
- Page Table, VAD
- Not applicable

QUESTION 29
Sign/s that can increase the suspicion about a memory region is/are:
- MZ
- Protection level
- Jumps in the assembly code
- All

QUESTION 30
In Autopsy, there is a way to extract the MFT file:
- T
- F