Digi Forensics M5 - M6

What is the purpose of the Windows Thumbcache?

To provide quick access to thumbnail previews of images and videos

What is the function of Redline in Windows forensics?

To analyze memory and gather data from a running system

What does the Windows Registry store?

Configuration settings and preferences for the operating system and applications

Which of the following is an advantage of using The Sleuth Kit?

Comprehensive analysis of disk and file system images

How can deleted files be recovered in Linux forensics?

Analyzing slack space in the file system

What is a common indicator of a Distributed Denial of Service (DDoS) attack?

A sudden spike in network traffic from multiple sources

What is the main function of network forensics tools like Zeek (formerly Bro)?

Analyzing and monitoring network traffic for security threats

What does "deep packet inspection" (DPI) analyze?

Both the packet headers and payloads for content analysis

What information can be obtained from network logs?

Details about IP addresses, protocols, and timestamps

Which log file format is commonly used in network forensics?

PCAP

What is packet sniffing?

Capturing and analyzing network packets to monitor traffic

What type of information can be found in Event Logs?

User login attempts and system errors

What is a Master File Table (MFT) in NTFS?

A database that contains information about every file and directory on the volume

Which of the following tools can analyze browser artifacts?

SQLite Browser

Which of the following can be recovered from a Windows memory dump?

Temporary data from running processes

What tool is commonly used for analyzing the Windows Registry?

Registry Viewer

What is the main purpose of Pagefile in Windows forensics?

To act as virtual memory and store data that cannot fit in RAM

What is the primary role of metadata in Windows files?

To store creation, modification, and access details of files

Which command is used to view active network connections in Windows?

netstat

What is the default partition scheme used by macOS?

GUID Partition Table (GPT)

What does the ifconfig command in Linux display?

Network interface configurations

What does the inode in Linux file systems store?

Metadata about a file, such as permissions and timestamps

What is the primary focus of Linux forensics?

Analyzing log files and recovering deleted data

Which Linux command is used to display open files by a process?

lsof

Which tool is useful for parsing Spotlight databases on macOS?

SQLite Browser

Which command in Linux retrieves the hostname of the system?

hostname

What is the purpose of journaling in file systems like HFS+?

To log changes for data recovery in case of a system crash

What is the purpose of Linux memory forensics?

To analyze live system data stored in memory

Which network protocol is used to transfer files securely?

SFTP

What is the importance of timestamp synchronization in network forensics?

To ensure accurate correlation of events across different devices

Which of the following is a challenge in network forensics?

Analyzing large volumes of data in real time

What is the primary purpose of network traffic baselining?

To establish normal traffic patterns for detecting anomalies

What is a key purpose of a SIEM system in network forensics?

Collecting, analyzing, and correlating log data from multiple sources

Which protocol is used to resolve domain names to IP addresses?

DNS

Which tool is commonly used for network traffic analysis?

Wireshark

Which of the following tools is used for investigating network-related compromises?

Wireshark

What is the purpose of intrusion detection systems (IDS) in network forensics?

Monitoring and alerting on malicious network activity

Where are Windows Prefetch files located?

C:\Windows\Prefetch

Why is the Recycle Bin useful in forensic investigations?

It may contain deleted files that are still recoverable

What does volatile data collection focus on?

Capturing data that will be lost when the system is shut down

What is a significant challenge in Windows forensics?

Dealing with extensive amounts of data

What is the purpose of metadata analysis in forensics?

To verify file integrity and examine usage patterns

Which command is used to capture memory in a Windows forensic investigation?

memdump

How can browser artifacts, such as cookies and cache, aid in a forensic investigation?

By providing information about user online activity

What is the purpose of plists in macOS forensics?

To analyze preferences and configurations for applications

Where are system logs stored on a Mac?

/var/log

Which of the following is a key feature of APFS, the macOS file system?

Data encryption and space sharing

Which Linux command is used to analyze network routing tables?

ip route

Which feature distinguishes APFS from HFS+?

Faster indexing and enhanced encryption

What is the main role of the Linux grep command in forensics?

Searching for specific patterns in text files

Which file system is commonly used by macOS?

HFS+

What is the primary goal of network forensics?

To monitor and analyze network traffic for evidence of cybercrimes

What is the role of firewalls in network forensics?

Monitoring and logging network activity for suspicious behavior

Which protocol is primarily used for secure web browsing?

HTTPS

How can network forensic investigators identify malicious insider activity?

By analyzing unusual login times and file access patterns

What type of data is considered volatile in Windows forensics?

Data stored in RAM

Which file contains information about deleted files in the Recycle Bin?

INFO2

Which of the following is an example of non-volatile data?

Deleted files on a hard drive

Which registry key contains startup applications?

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Which command in Linux displays active processes in a hierarchical format?

pstree

What is the purpose of the /var/log directory in Linux?

To store system and application log files

Which protocol is commonly targeted during man-in-the-middle attacks?

DNS

Which technique is used to bypass network firewalls?

DNS tunneling

How can an IoC be identified from network traffic?

By detecting anomalies such as unusual traffic spikes

What type of network traffic is commonly associated with DNS tunneling attacks?

Abnormally frequent DNS queries

What is the main goal of Windows forensics?

To analyze and recover digital evidence from Windows systems

Which Mac utility provides detailed insights into system performance and resource usage?

Activity Monitor

What is the significance of plists in macOS forensics?

They store application and user preference settings

Where are user preferences typically stored on macOS?

/Library/Preferences

What is the role of Spotlight in macOS forensics?

Indexing and searching files, including deleted metadata

Which command in Linux displays the system's IP address?

ip addr

Which protocol is commonly used in email traffic?

IMAP

What does the NTUSER.DAT file store?

User-specific settings and preferences

What is the significance of Prefetch files in Windows forensics?

They store information about recently executed programs

What does the Pagefile.sys file primarily store?

Swapped data from RAM

How does the Mac feature "Time Machine" assist forensic investigators?

By storing periodic backups of the system

What is the primary focus of memory forensics in Linux?

Analyzing RAM data to detect malware and active processes

How can a forensic investigator detect malicious activity in Mac logs?

By analyzing login attempts and application activity logs

What is the significance of MAC addresses in network forensics?

They uniquely identify devices on a network

What does the term "port scanning" refer to in network forensics?

Searching for open ports on a network to identify vulnerabilities

What type of attack involves redirecting traffic to malicious websites?

DNS spoofing

How can volatile memory be captured in Windows?

Using tools like Volatility or FTK Imager

Which tool is commonly used to analyze filesystem images in Linux?

The Sleuth Kit

Where are system logs stored on a Mac?

/Library/Logs

What is a honeypot used for in network forensics?

To divert and monitor potential attackers

What is the primary purpose of event correlation in network forensics?

Identifying patterns and relationships between network events

Which Registry hive stores information about the hardware profile?

HKEY_LOCAL_MACHINE

What is the primary use of the Windows Task Scheduler in forensics?

To identify scheduled tasks that may indicate malicious activity

Where are Windows Event Logs stored by default?

C:\Windows\System32\Config