You can expect to find a type 1 hypervisor on what type of device? (Choose all that apply.)
a. Desktop
b. Smartphone
c. Bare metal
d. Network server
c. Bare metal
d. Network server
The number of VMs that can be supported per host by a type 1 hypervisor is generally determined by the amount of which of the following? (Choose all that apply.)
a. RAM
b. Storage
c. Network connections
d. Operating system
a. RAM
b. Storage
Which of the following sets of file extensions are all associated with VMware VMs?
a. .vmx, .log, and .nvram
b. .vdi, .ova, and .r0
c. .vmx, .r0, and .xml-prev
d. .vbox, .vdi, and .log
a. .vmx, .log, and .nvram
Which VMware files store the virtual hard drive's contents?
a. Files with .ova extensions
b. Files with .vmx extensions
c. Files with .vmdk extensions
d. Files with .vmsd extensions
c. Files with .vmdk extensions
In order to be able to determine which websites were accessed by a VM, which of the following must be true?
a. The VM is on a NAT.
b. The VM is bridged.
c. The VM has its own virtual router.
d. The VM has its own virtual switch.
b. The VM is bridged.
In VirtualBox, a(n) _________ file contains settings for virtual hard drives.
a. .vbox-prev
b. .ovf
c. .vbox
d. .log
c. .vbox
To examine a .vdi virtual image file, what is required for it to be accessible using Autopsy or FTK Imager?
a. Autopsy and FTK Imager can automatically mount and access .vdi image files in the same way as a .E01 or a raw file.
b. FTK Imager has a converter utility that can change .vdi files into a raw .001 file format.
c. Autopsy can open .vdi files only through a remote network connection.
d. The .vdi file must be converted to a .vmdk, .vhd, or raw file format using a VirtualBox utility program.
d. The .vdi file must be converted to a .vmdk, .vhd, or raw file format using a VirtualBox utility program.
Which of the following Registry keys might contain information that a VM is installed on a computer?
a. HFILE_CLASSES_ROOT
b. HKEY_CLASSES_ROOT
c. HFILE_EXTENSIONS
d. HKEY_CLASSES_FILE
b. HKEY_CLASSES_ROOT
Which of the following is a clue that a VM has been installed on a host system?
a. Network logs
b. Virtual network adapter
c. Virtualization software
d. USB drive
b. Virtual network adapter
VM snapshots contain which of the following?
a. The entire VM
b. Changes made since the last update
c. All changes made since the initial installation
d. Just the current state of the VM
d. Just the current state of the VM
A critical part of live acquisitions is to capture which of the following?
a. Hard drive
b. RAM
c. BIOS
d. Network logs
b. RAM
For which of the following reasons might you need to perform a live acquisition of a computer? (Choose all that apply.)
a. For an ongoing known network intrusion
b. To capture RAM data before it might be lost
c. To perform an acquisition on a mission-critical computer that can't be shut down for a static acquisition
d. To capture unallocated drive space on an active system
a. For an ongoing known network intrusion
b. To capture RAM data before it might be lost
c. To perform an acquisition on a mission-critical computer that can't be shut down for a static acquisition
What types of acquisition tools can be used for selective live acquisitions? (Choose all that apply.)
a. The DOS xcopy command
b. The DOS robocopy command
c. FTK Imager
d. X-Ways Imager
a. The DOS xcopy command
b. The DOS robocopy command
c. FTK Imager
d. X-Ways Imager
The remote acquisition utility Belkasoft R refers to the digital forensics examiner's workstation as what?
a. Server
b. Agent
c. Endpoint
d. Master
a. Server
For Belkasoft R, what are the minimum requirements needed to perform a remote acquisition? (Choose all that apply.)
a. The server's local IP address
b. The server's external IP address
c. The TCP port numbers for the local and external IP addresses
d. The SSL certificates of the source and target computers
a. The server's local IP address
b. The server's external IP address
c. The TCP port numbers for the local and external IP addresses
What Windows NTFS system file logs file changes?
a. $Extend
b. $I30
c. $Secure
d. $UsnJrnl:$J
d. $UsnJrnl:$J
The fsutil command requires what type of privilege to run?
a. Standard login
b. Guest login
c. System administrator
d. Superuser
c. System administrator