WGU C702 - Forensics and Network Intrusion-Exam 88
Questions and Answers
Criminal Case - ANSWER-A type of case that involves actions that go against
the interests of society; the burden of proving that the accused is guilty lies
entirely with the prosecution.
Administrative Investigation - ANSWER-An internal investigation by an
organization to discover if its employees, clients, and partners are complying
with the rules or policies.
Linux Boot Process - ANSWER-1. BIOS Stage: First stage. It initializes the
system hardware during the booting process. The BIOS retrieves the
information stored in the complementary metal-oxide semiconductor (CMOS)
chip, which is a battery-operated memory chip on the motherboard that
contains information about the system's hardware configuration. During the
boot process, the BIOS performs a POST to ensure that all the hardware
components of the system are operational.
2. Bootloader Stage: Second stage. The bootloader stage includes the task
of loading the Linux kernel and optional initial RAM disk. The kernel enables
the CPU to access RAM and the disk.
3. Kernel Stage: Third stage. Once the control shifts from the bootloader
stage to the kernel stage, the virtual root file system created by the initrd
image executes the Linuxrc program. This program generates the real file
system for the kernel and later removes the initrd image.
42 4D - ANSWER-BMP
FF D8 FF - ANSWER-JPEG (Joint Photographic Experts Group)
47 49 46 - ANSWER-GIF
49 49 / 4D 4D - ANSWER-TIF, TIFF
Virtual File System (VFS) - ANSWER-A common software interface that sits
between the kernel and real file systems.
We can mount multiple different types of file systems on the same Linux
installation, and they will appear uniform to the user and to all other
applications; examples include
/proc/, /sys/, /boot/initramfs, devtmpfs, and debugfs.
Superblock - Magic number - ANSWER-Allows the mounting software to verify
the Superblock for the ext2 file system. For the present ext2 version, it is
0xEF53.
Superblock - Revision Level - ANSWER-The major and minor revision levels
allow the mounting code to determine whether a file system supports
features that are only available in particular revisions of the file system.
Superblock - Mount count - ANSWER-These allow the system to determine if
it needs to fully check the file system. The mount count is incremented each
time the system mounts the file system.
Sector - ANSWER-Section of the platter holding data. Shaped like a slice of
pizza.
Tracks - ANSWER-The tracks are the thin concentric circular strips of sectors.
At least one head is required to read a single track.
Cylinders - ANSWER-A cylinder is a division of data in a disk drive, as used in
the CHS addressing mode of a Fixed Block Architecture disk or the cylinder-
head-record (CCHHR) addressing mode of a CKD disk.
Head - ANSWER-Reads and writes data in a hard drive by manipulating the
magnetic medium that composes the surface of an associated disk platter.
Clusters - ANSWER-These are the smallest accessible storage units on a
hard disk. File systems divide the volume of data stored on the disk into
discrete chunks of data for optimal performance and efficient disk usage.
Clusters are formed by combining sectors to ease the process of handling
files. Also called allocation units, clusters are sets of tracks and sectors
ranging from cluster number 2 to 32 or higher, depending on the formatting
scheme. File allocation systems must be flexible to allocate the required
sectors to files. The allocation can be of the size of one sector per cluster.
Any read or write process consumes a minimum space of one cluster.
Program Packers - ANSWER-Used by attackers to hide their data. In this
regard, the technique is similar to cryptography. The packers compress the
files using various algorithms. Hence, unless the investigators know the tool
that has been used to pack the file and have a tool to unpack it, they will
not be able to access it.