
Question


________ is the preferred file system of Windows 2000 and later operating systems.

a)FAT16

b)FAT32

c) NTFS

d)Ext3

Question 2 0.1 Points In FAT and NTFS file systems, a __________ is used to map files to specific clusters where they are stored on the disk.

a)cluster

b)table

c)partition

d)node

Question 3 0.1 Points What is the purpose of overwriting data on a hard disk with random characters seven times?

a)To forensically scrub a file or folder

b)To verify that the file is consistent and will not cause disk errors

c)To test the file allocation table (FAT) update process

d)To prepare to shred the hard disk

Question 4 0.1 Points The ________ and the ________ are the two NTFS files of most interest to forensics efforts.

a)inode, cluster bitmap

b)Master File Table (MFT), cluster bitmap

c)file allocation table (FAT), Master File Table (MFT)

d)file allocation table (FAT), inode

Question 5 0.1 Points Which operating system commonly uses the Ext file system?

a)UNIX

b)Windows

c)Mac OS

d)Linux

Question 6 0.1 Points A(n) __________ is a data structure in the Linux file system that stores all the information about a file except its name and actual data.

a)inode

b)cluster

c)partition

d)table

Question 7 0.1 Points If a hard disk is damaged and the data is deemed "lost," what is the recommended next step?

a)Attempt a local repair.

b)Shred the hard disk.

c)Create a bit-by-bit image.

d)Install the drive on a new computer as a final test.

Question 8 0.1 Points Darien is performing analysis on an image of a seized machine. A power outage causes the computer to power off and back on again. When he attempts to boot up the machine to continue his work, the Windows operating system begins to initialize. However, it does not proceed past the loading screen. What type of damage is likely to have occurred?

a)Logical damage

b)File carving

c)Master Boot Record virus infection

d)Deletion of some critical files by the chkdsk utility

Question 9 0.1 Points Devaki is a new forensic investigator. She is examining a recently seized hard drive. She was told by the individuals who collected the device that the owner indicated that it did not work. Devaki notices some damage on the case of the hard drive, agrees that it likely does not work, and processes the disk as if it is "lost" or inaccessible. What mistake did Devaki make?

a)She should have verified with the hard drive owner that the hard disk did not work.

b)She should have fully evaluated the disk by leveraging multiple techniques to attempt to retrieve the data.

c)She should have shredded the disk because it was damaged.

d)She should have processed the disk as damaged instead of as inaccessible.

Question 10 0.1 Points Consistency checking protects against:

a)physical damage to a hard disk.

b)software bugs and storage hardware design compatibilities.

c)disk fragmentation.

d)improper scanning.

Question 11 0.1 Points You are a forensic examiner. The logical structure of a hard disk that you are analyzing appears almost destroyed. You are not able to get the system to boot up despite your best efforts. You choose to perform a zero-knowledge analysis. Is this an appropriate choice for the next step?

a)Yes. Using this technique, the file system is rebuilt from scratch using knowledge of an undamaged file system structure. It should allow for data retrieval.

b)Yes. This process includes searching memory in real time, typically for working with compromised hosts or to identify system abuse.

c)No. This is a file system repair technique that involves scanning a disk's logical structure and ensuring that it is consistent with its specification. It will not help in this case.

d)No. This approach includes the process of searching for specific text in binary files even if the file has a reference count of zero. It does not apply in this case.

Question 12 0.1 Points A symbolic link is ________ another file.

a)a pointer to

b)a copy of

c)the decommissioning of

d)the deletion of

Question 13 0.1 Points When performing a manual recovery on a Linux system, what is the first step to recovering manually deleted files?

a)Install the Linux recovery toolkit.

b)Move the system to single-user mode.

c)Boot into the recovery menu and select to run diagnostics.

d)Log in with root.

Question 14 0.1 Points Which of the following is not true of file carving?

a)You can perform file carving on the NTFS and FAT32 file systems but not Ext4.

b)Most file carving utilities look for file headers or footers and then pull out data that is found between these two boundaries.

c)File carving is often used to recover data from a disk where there has been some damage or where the file itself is corrupt.

d)File carving is a common method of data recovery, particularly when the file metadata has been damaged.

Question 15 0.1 Points Paige is attempting to recover data from a failed hard disk. She removed the failed drive from the system on which it was installed and then connected it to a test system. She made the connection by simply connecting the data and power cables but did not actually install the failed drive. What step should she perform next?

a)Install the failed drive.

b)Boot the test system from its own internal drive.

c)Determine whether the failed drive is recognized and can be installed as an additional disk on the test system.

d)Listen to the failed drive to determine whether the internal disks are spinning.

Question 16 0.1 Points ______ is the basic repair tool in Windows.

a)Chkdsk

b)Fsck

c)Disk Utility

d)The TestDisk utility

Question 17 0.1 Points ______ is the basic repair tool in Mac OS.

a)Chkdsk

b)Fsck

c)Disk Utility

d)The TestDisk utility

Question 18 0.1 Points You are successful in recovering data files from a damaged disk. You attempt to open a few files and receive a message that the files have been corrupted. What is the best approach to take to gain access to the data?

a)Perform file carving.

b)Open the files in a text editor.

c)Perform a second recovery.

d)Perform consistency checking.

Question 19 0.1 Points In Windows, what does the file allocation table (FAT) store?

a)The mapping between files and their cluster location on the hard drive

b)The data types stored on the disk

c)The list of applications installed and their corresponding files

d)A view of disk overages that are available

Question 20 0.1 Points You are attempting to recover deleted files from a storage device. The device's operating system uses the FAT32 file system. What is the most important advantage you have when attempting to recover specific deleted files?

a)Time; files that were deleted relatively recently are more likely to be recovered

b)Commercial tools rather than open source tools

c)Open source tools rather than commercial tools

d)Read permissions to the files
