What was the first Apple computer and when?
It appeared in 1975 as an early microcomputer with basic functionality.
When was the Macintosh released and why is it important?
Released in 1985 with the first major GUI for user-friendly computing.
What is macOS built on?
On Darwin
Why is macOS's relationship to FreeBSD important in forensics?
Many macOS tools and filesystem structures behave like BSD/Linux, so Linux commands work.
What is MFS?
Macintosh File System used on early Macs like the Macintosh Plus.
What is HFS?
Hierarchical File System used on early Mac OS X, with journaling, quotas, aliases, links, and auto-defrag.
What is HFS+?
Improved file system with 32-bit allocation blocks, Unicode long filenames, journaling, quotas, links, aliases, and per-file defrag.
Where are HFS+ boot blocks stored?
Sectors 0 and 1.
Where is the HFS+ volume header located?
Sector 2.
What does the HFS+ allocation file track?
Free allocation blocks.
What is GPT?
GUID Partition Table used on modern Macs supporting large disks.
What is APM?
Apple Partition Map used on old PowerPC Macs.
What is MBR?
Master Boot Record used on PCs, with a 2 TB limit and a four-primary-partition limit.
What does Boot Camp allow?
Installation of Windows alongside macOS in dual-boot.
Why must Boot Camp be analyzed in forensics?
Because the Mac may contain a Windows OS to analyze as well.
Where are macOS general logs?
/var/log/.
Where are macOS audit logs?
/private/var/audit/.
Where are macOS printer logs?
/var/spool/cups/.
Where are macOS swap and sleep images?
/private/var/vm/.
Where does macOS store update receipts?
/Library/Receipts/.
Where does macOS store iCloud documents?
/Library/Mobile Documents/.
Where is macOS bash history stored?
/Users/
Where are macOS app and user preferences stored?
/Users/
Where are macOS user files stored?
/Users/.
What is macOS equivalent of Linux /mnt/?
/Volumes/.
What special directory exists only in macOS?
/private/.
What is the key forensic rule on evidence drives?
Never write to the original disk.
What is Target Disk Mode?
A Mac mode that makes it act as an external drive for forensic imaging.
What imaging tools work in Target Disk Mode?
dd, netcat, EnCase, FTK.
Where are macOS swap files?
/var/vm/.
What commands help analyze macOS virtual memory?
ls, ls -al, grep.
What does the macOS date command show?
Current date and timezone.
What does ls /dev/disk? show?
Disk devices and partitions.
What does hdiutil partition /dev/disk0 show?
Partition information.
What does system_profiler show?
Full hardware and software info.
Where are deleted macOS files moved first?
Trash (.Trash folder).
Can files be recovered after emptying Trash?
Yes from unallocated space.
What tools undelete Mac files?
Mac Undelete, Free Undelete.
How do you enter macOS Recovery Mode?
Hold Power+Command+R while booting.
Where are macOS user plist password files?
/var/db/dslocal/nodes/Default/users/.
What disables SIP?
csrutil disable.
How are modern macOS passwords cracked?
Extract the plist, use hashdump.py, then Hashcat.
Why are Apple CPUs architecture-specific?
Different ISAs mean incompatible binaries.
What tools read APFS drives on Windows?
MacDrive 10 Pro, APFS for Windows.
What is MacQuisition?
A forensic imaging tool for macOS requiring external drive.
What is the safest way to examine a Mac?
Acquire forensic image and load read-only in VM.
What is the core idea of Mac forensics?
Never touch original disk; analyze an image.
What OS introduced a command-line-only interface?
DOS in 1981.
Which Windows version first had a GUI?
Windows 3.x.
What Windows version introduced the Start Menu?
Windows 95.
Which Windows version introduced Active Directory?
Windows 2000.
Which Windows version used the unified NT kernel?
Windows XP.
Which versions added security improvements?
Vista, Windows 7.
Which versions added touch UI?
Windows 8 and 8.1.
Which Windows version added biometrics and continuous updates?
Windows 10.
Which OS has AI integration?
Windows 11.
Why determine whether Windows is 32-bit or 64-bit?
Tool compatibility and memory limits.
What is max RAM for 32-bit Windows?
4 GB.
Why check Windows firewall?
Firewall logs show blocked or suspicious activity.
What encryption exists in NTFS?
EFS (Encrypted File System).
How many bytes in 1KB?
1024.
How many bytes in 1MB?
1024².
What does x86 mean?
32-bit Windows architecture.
What does x64 mean?
64-bit Windows architecture.
How much memory can 64-bit address?
Up to 16 exabytes.
What is the first Windows boot stage?
POST.
What does MBR do?
Identifies partitions and boot loader.
What loads after boot sector?
NTLDR.
What happens if hiberfil.sys is found at boot?
System resumes from hibernation.
What mode switch does NTLDR perform?
Real mode to protected 32/64-bit mode.
What drivers load next?
FAT, FAT32, NTFS drivers.
What file is the Windows kernel?
ntoskrnl.exe.
What file abstracts hardware?
hal.dll.
What loads the Windows system hive?
Registry initialization.
What displays login screen?
Win32 subsystem and winlogon.exe.
What is hibernation?
Saving RAM to disk and powering off.
What is sleep?
Low-power mode keeping RAM active.
What is a snapshot?
Saved system state.
What does ntdetect.com do?
Collects hardware info at boot.
What is ntbootdd.sys?
Storage controller driver.
What is hal.dll?
Hardware Abstraction Layer.
What is smss.exe?
Session Manager Subsystem.
What is winlogon.exe?
Controls login processes.
What is lsass.exe?
Local Security Authority for authentication.
What is explorer.exe?
Windows desktop shell.
What is csrss.exe?
Client/Server Runtime Subsystem managing console.
What does $AttrDef do?
Defines NTFS attribute types.
What does $BadClus do?
Tracks bad disk sectors.
What does $Bitmap do?
Tracks used and free clusters.
What does $Boot contain?
Volume boot information.
What is $MFT?
Master File Table.
What is $MFTMirr?
Mirror of first four MFT entries.
What does $Quota store?
User disk quota info.
What does $Volume store?
Volume name and version.
What does fsutil do?
Displays filesystem info.
What are the steps of volatile memory analysis?
1. Start a trusted command shell.
2. Prepare the data collection system.
3. Capture the memory dump.
4. Compute its hash.
5. Analyze the memory offline.
What is stack memory?
LIFO storage for function calls and local variables.
What is heap memory?
Dynamically allocated memory persistent between functions.
What does pslist do?
Lists processes.
What does psinfo show?
System uptime and details.