Jennifer wants to perform memory analysis and forensics for Windows

1. Which format does dd produce files in?

· B. RAW


2. File remnants found in clusters that have been only partially rewritten by new files are found in what type of space?

· B. Slack

Slack space is the space that remains when only a portion of a cluster is used by a file.


3. Mike is looking for information about files that were changed on a Windows system. Which of the following is least likely to contain useful information for his investigation?

· C. Event logs

Event logs do not typically contain significant amounts of information about file changes. The Master File Table and file indexes (INDX files) both have specific information about files, whereas volume shadow copies can help show differences between files and locations at a point in time.


4. Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this does not happen?

· C. A write blocker

Write blockers ensure that no changes are made to a source drive when creating a forensic copy.


4. Frederick wants to determine if a thumb drive was ever plugged into a Windows system. How can he test for this?

· C. USB Historian

USB Historian provides a list of devices that are logged in the Windows Registry. Frederick can check the USB device's serial number and other identifying information against the Windows system's historical data. If the device isn't listed, it is not absolute proof, but if it is listed, it is reasonable to assume that it was used on the device.


5. What two files may contain encryption keys normally stored only in memory on a Windows system?

· C. Core dumps and encryption logs


7. Jeff is investigating a system compromise and knows that the first event was reported on October 5th. What forensic tool capability should he use to map other events found in logs and files to this date?

· A timeline

Timelines are one of the most useful tools when conducting an investigation of a compromise or other event. F


8. During her forensic copy validation process, Danielle received the following MD5 sums from her original drive and the cloned image after using dd. What is likely wrong?

· D. An unknown change or problem occurred.


9. Jennifer wants to perform memory analysis and forensics for Windows, macOS, and Linux systems. Which of the following is best suited to her needs?

· D. The Volatility Framework

The Volatility Framework is designed to work with Windows, macOS, and Linux, and it provides in-depth memory forensics and analysis capabilities.


10. Alex is conducting a forensic examination of a Windows system and wants to determine if an application was installed. Where can he find the Windows installer log files for a user named Jim?

· D. C:\Windows\Jim\AppData\Local\Temp


11. Kathleen needs to find data contained in memory but only has an image of an offline Windows system. Where does she have the best chance of recovering the information she needs?

· D. %SystemRoot%/WinDBG


12. Carl does not have the ability to capture data from a cell phone using forensic or imaging software, and the phone does not have removable storage. Fortunately, the phone was not set up with a PIN or screen lock. What is his best option to ensure he can see email and other data stored there?

· D. Manual access

Manual access is used when phones cannot be forensically imaged or accessed as a volume or filesystem.
