Guide to Computer Forensics and Investigations: Linux and Macintosh File Systems

A comprehensive set of 1000 flashcards reviewing important concepts and definitions related to Linux and Macintosh file systems, tailored for examination preparation.

What are the objectives of Chapter 7 in the guide?

Describe Linux file structures, Describe Macintosh file structures, Use Linux forensics tools.

What was the early file system standard for Linux?

Second Extended File System (Ext2).

Which file system replaced Ext2 in most Linux distributions?

Third Extended File System (Ext3).

What does the Fourth Extended File System (Ext4) provide support for?

Partitions larger than 16 TB and improved management of large files.

What command do you use to create a hard link in Linux?

ln command.

What does the superblock in a UNIX/Linux file system specify?

Disk geometry, available space, and it keeps track of all inodes.

What is contained in the inode block?

First data after the superblock, assigned to every file allocation unit.

What is the function of data blocks?

They store directories and files on a disk drive.

What do pointers 1 to 10 in an inode do?

They are direct pointers to data storage blocks.

What type of inode pointer links to 128 pointer inodes?

Pointer 11, which is an indirect pointer.

What is a bad block inode?

It keeps track of the disk’s bad sectors.

What are symbolic links also known as?

Soft links or symlinks.

What is the main function of the volume in Mac OS?

It is any storage medium used to store files.

What files store application settings in macOS?

Plaintext, plist files, and the SQLite database.

How are deleted files handled at the command line in macOS?

They do not show up in the trash.

What does FileVault do in macOS?

It is used to encrypt and decrypt a user’s /users directory.

What format did files use before OS X in macOS?

Hierarchical File System (HFS).

What is the catalog in macOS?

It is a listing of all files and directories on the volume.

What does an inode contain for a file?

Mode and type of file, number of links, UID and GID, file size, last access time, and last modified time.

What are clumps in the context of Mac file structures?

Groups of contiguous allocation blocks that reduce fragmentation.

What are allocation blocks in macOS?

A set of consecutive logical blocks.

What is the function of a Master Directory Block (MDB)?

It stores all information about a volume.

What does unified logging in macOS record?

Log files for applications and system activities.

What is the role of the Volume Control Block (VCB)?

It stores information from the MDB when OS mounts.

Which command can be used to find bad blocks on a Linux computer?

badblocks command, must be logged in as root.

What is a file's data fork?

It typically contains data the user creates, such as text or spreadsheets.

What is an inode's last status change time?

It indicates when the attributes of the file were last changed.

What does the bad block inode help in identifying?

It helps in identifying sectors on a disk that are corrupted or unusable.

How many pointers does the first inode have?

13 pointers.

What is the indirect pointer in an inode used for?

To link to additional blocks that contain file data.

What is the purpose of the file system in UNIX/Linux?

To manage files, directories, and their metadata.

How does macOS handle deleted files when they are deleted through the command line?

They bypass the Trash and are not recoverable directly.

What is the Apple File System (APFS)?

A file system introduced in macOS High Sierra that helps with crash protection.

What kind of access do macOS users have to other user accounts' files?

Limited access.

What is the format of plist files?

Preference files for installed applications on a macOS system.

What does the second and third extended file systems (Ext3 and Ext4) improve compared to Ext2?

Improved file recovery and management, along with larger partition support.

What is the role of the data block in a filesystem?

Where directories and files are stored.

In Linux, what does everything represent?

Everything is a file.

What is contained within the resource fork of a file in macOS?

Additional information such as menus and dialog boxes.

How do symbolic links differ from hard links?

Symbolic links point to other files and can exist across storage devices, while hard links point to the same inode.

What are utilities for macOS forensic analysis mentioned in the guide?

BlackBag Technologies, MacQuisition, EnCase, X-Ways Forensics.

What constitutes a hard link in Linux?

A pointer that allows accessing the same file with different filenames.

What kind of operating system is UNIX described in the lecture?

Multiuser, multithreaded, and secure OS.

What is the primary function of the allocation block in macOS?

To allocate storage for files.

What are the pointers 12 and 13 in an inode?

A double-indirect pointer and a triple-indirect pointer respectively.

What does 'everything is a file' imply in UNIX/Linux?

All resources, including devices and processes, are treated as files.

What challenge do examiners face when acquiring images from macOS systems?

Physical access to the drive.

What component defines the file system along with boot block, superblock, and data block in UNIX/Linux?

Inode block.

What role did the Extended Format File System (HFS+) play in macOS?

Supports smaller file sizes on larger volumes for efficient disk use.

What type of blocks do logical blocks in macOS not exceed in size?

512 bytes.

What tool can be used to create an image of a macOS drive?

MacQuisition or forensic boot CD/DVD.

How do bad blocks affect a file system?

They can cause data loss and corruption in the file system.

What type of files does the user typically create in the data fork?

User-generated content such as documents and spreadsheets.

How many logical EOF descriptors are there and what do they represent?

Two: Logical EOF represents the actual end of the file, and Physical EOF represents bytes allotted.

What does the inode block do in a UNIX/Linux filesystem?

Holds metadata for files.

Which tools are mentioned for forensic analysis of Linux filesystems?

Sleuth Kit, Autopsy, Foremost.

In the context of file structures, what is fragmentation?

The condition when files are divided into non-contiguous blocks.

What is the significance of the boot block in UNIX/Linux systems?

Contains the bootstrap code needed to start the operating system.

What is the relationship between files and directories in macOS file systems?

Files are stored within directories which organize them hierarchically.

What metadata is contained in an inode for each file?

Size, ownership (UID and GID), permissions, timestamps.

What process must users follow to use the Sleuth Kit and Autopsy efficiently?

They need to have root privileges.

What do users need to know for forensics procedures in macOS?

Where file system components are located and how files are stored.

What is the purpose of the End of File (EOF) descriptors in macOS?

To indicate the end of a file's data.

What type of files contains file metadata in macOS?

Files in the resource fork.

What is a volume in macOS?

Any storage medium used to store files.

What is the function of the B*-tree file system in earlier Mac versions?

It organizes files and directories for efficient access.

What do you need to consider when creating hard links in Linux?

That they point to the same file and share the same inode.

How does macOS's Unix-based system enhance security?

Through improved access controls and encryption capabilities.

What command should be used to check the file system for errors in Linux?

e2fsck command.

How does the presence of bad blocks impact data integrity in UNIX/Linux?

They may cause data loss or file corruption.

What does a logical block consist of in macOS?

It cannot exceed a set size, usually 512 bytes.

What must a forensic examiner do to examine a case with the Sleuth Kit?

Follow instructions to use the tool properly.

What characterizes the ownership of a file in UNIX/Linux?

It is characterized by UID (user ID) and GID (group ID).

What is the volume control block (VCB) used for in macOS?

It stores information when the operating system mounts a volume.

What challenges do forensic investigators face with macOS file systems?

Limited access and physical constraints related to drive removal.

What is a utility available for macOS forensic analysis?

BlackBag Technologies.

What aspects do UNIX-like operating systems share with Windows OSs?

They all have a kernel.

What does Ext4 add in terms of file management?

More flexibility and improved management for large files.

What is the core purpose of the inode in UNIX/Linux filesystems?

To hold metadata about a file.

What kind of applications may read and write data in the data fork of a Mac file?

Applications that create user content.

What practices should you follow while using Linux commands?

Be aware that commands are case-sensitive.

Which format does the Master Directory Block (MDB) use to organize information?

Stores information about the volume including file allocations.

What can the inode's generation number indicate?

Versioning information of the file.

What does the command 'badblocks' require in terms of permissions?

Must be executed with root privileges.

What type of pointer is described as a triple-indirect pointer?

Pointer 13 in the inode structure.

What file format is used for configuration in the Foremost data recovery tool?

foremost.conf.

What can happen if you attempt to create links on a case-insensitive file system?

There may be unexpected results due to name conflicts.

What is essential for maintaining file system integrity?

Using tools like e2fsck and ensuring no overwriting of important data.

How many components define the file system in UNIX and Linux?

Four components: boot block, superblock, inode block, and data block.

Which system allowed Apple to enhance macOS with better security?

The transition to being Unix-based.

What system structure allows for the organization of file systems?

Hierarchical File System that nests directories.