CySA+ Final - Study Guide Questions and Answers
(Verified Answers) 2023 - 2024
1. Which format does dd produce files in?
A. ddf
B. RAW
C. EN01
D. OVF
>>>> dd creates files in RAW, bit-by-bit format. EN01 is the EnCase forensic file format, OVF is a virtualization file format, and ddf is a made-up answer.
2. File remnants found in clusters that have been only partially rewritten by new files are found in what type of space?
A. Outer
B. Slack
C. Unallocated space
D. Non-Euclidean
>>>> Slack space is the space that remains when only a portion of a cluster is used by a file. Data from previous files may remain in the slack space since it is typically not wiped or overwritten. Unallocated space is space on a drive that has not been made into part of a partition. Outer space and non-Euclidean space are not terms used for filesystems or forensics.
3. Mike is looking for information about files that were changed on a Windows system. Which of the following is least likely to contain useful information for his investigation?
A. The MFT
B. INDX files
C. Event logs
D. Volume shadow copies
>>>> Event logs do not typically contain significant amounts of information about file changes. The Master File Table and file indexes (INDX files) both have specific information about files, whereas volume shadow copies can help show differences between files and locations at a point in time.
4. Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this does not happen?
A. read blocker
B. drive cloner
C. write blocker
D. hash validator
>>>> Write blockers ensure that no changes are made to a source drive when creating a forensic copy. Preventing reads would stop you from copying the drive, drive cloners may or may not have write blocking capabilities built in, and hash validation is useful to ensure contents match but doesn't stop changes to the source drive from occurring.
5. Frederick wants to determine if a thumb drive was ever plugged into a Windows system. How can he test for this?
A. Review the MFT
B. Check the system's live memory
C. Use USB Historian
D. Create a forensic image of the drive
>>>> USB Historian provides a list of devices that are logged in the Windows Registry. Frederick can check the USB device's serial number and other identifying information against the Windows system's historical data. If the device isn't listed, it is not absolute proof, but if it is listed, it is reasonable to assume that it was used on the device.
6. What two files may contain encryption keys normally stored only in memory on a Windows system?
A. The MFT and the hash file
B. The Registry and hibernation files
C. Core dumps and encryption logs
D. Core dumps and hibernation files
>>>> Core dumps and hibernation files both contain an image of the live memory of a system, potentially allowing encryption keys to be retrieved from the stored file. The MFT provides information about file layout, and the Registry contains system information but shouldn't have encryption keys stored in it. There is no hash file or encryption log stored as a Windows default file.
7. Jeff is investigating a system compromise and knows that the first event was reported on October 5th. What forensic tool capability should he use to map other events found in logs and files to this date?
A. timeline
B. log viewer
C. Registry analysis
D. Timestamp validator
>>>> Timelines are one of the most useful tools when conducting an investigation of a compromise or other event. Forensic tools provide built-in timeline capabilities to allow this type of analysis.
8. During her forensic copy validation process Danielle received the following MD5 sums from her original drive and the cloned image after using dd. What is likely wrong?
b49794e007e909c00a51ae208cacb169 original.img
d9ff8a0cf6bc0ab066b6416e7e7abf35 clone.img
A. The original was modified.