©BRIGHSTARS 2024/2025 ALL RIGHTS RESERVED.
NWIT263 Midterm (Chapters 5-7) Exam
Questions With Correct Answers.
Explain the differences in resource and data forks used in macOS. - Answer✔The data fork
stores a file's actual data and the resource fork contains file metadata and application
information.
Which of the following is the main challenge in acquiring an image of a system running macOS?
(Choose all that apply.) - Answer✔b. Vendor training is needed.
d. You need special tools to remove drives from a system running macOS or open its case.
To recover a password in macOS, which tool do you use? - Answer✔c. Keychain Access
What are the major improvements in the Linux Ext4 file system? - Answer✔It added support for
partitions larger than 16 TB, improved management of large files, and offered a more flexible
approach to adding file system features.
How does macOS reduce file fragmentation? - Answer✔By using clumps, which are groups of
contiguous allocation blocks
Linux is the only OS that has a kernel. True or False? - Answer✔False
Hard links work in only one partition or volume. True or False? - Answer✔True
Which of the following Linux system files contains hashed passwords for the local system? -
Answer✔d. /etc/shadow
Which of the following describes the superblock's function in the Linux file system? (Choose all
that apply.) - Answer✔b. Specifies the disk geometry and available space
c. Manages the file system, including configuration information
What's the Disk Arbitration feature used for in macOS? - Answer✔It's used to disable and enable
automatic mounting when a drive is connected via a USB or FireWire device.
In Linux, which of the following is the home directory for the superuser? - Answer✔b. root
1|Page
, ©BRIGHSTARS 2024/2025 ALL RIGHTS RESERVED.
Which of the following certifies when an OS meets UNIX requirements? - Answer✔c. The Open
Group
On most Linux systems, current user login information is in which of the following locations? -
Answer✔d. /var/log/utmp
Hard links are associated with which of the following? - Answer✔b. A specific inode
Which of the following describes plist files? (Choose all that apply.) - Answer✔a. You must
have a special editor to view them.
c. They're preference files for applications.
Data blocks contain actual files and directories and are linked directly to inodes. True or False? -
Answer✔True
Which of the following is a new file added in macOS? (Choose all that apply.) - Answer✔c.
/var/db/diagnostics
d. /var/db/uuid.text
Forensics software tools are grouped into _________ and _______________ applications. -
Answer✔GUI, command-line
According to ISO standard 27037, which of the following is an important factor in data
acquisition? (Choose all that apply.) - Answer✔a. The DEFR's competency
c. Use of validated tools
An encrypted drive is one reason to choose a logical acquisition. True or False? - Answer✔True
Hashing, filtering, and file header analysis make up which function of computer forensics tools?
- Answer✔a. Validation and verification
Hardware acquisition tools typically have built-in software for data analysis. True or False? -
Answer✔False; most are used only for acquisition.
The reconstruction function is needed for which of the following purposes? (Choose all that
apply.) - Answer✔a. Re-create a suspect drive to show what happened.
b. Create a copy of a drive for other investigators.
d. Re-create a drive compromised by malware.
List three subfunctions of the extraction function. - Answer✔Answers can include data viewing,
keyword searching, decompressing, carving, decrypting, and bookmarking.
Data can't be written to disk with a command-line tool. True or False? - Answer✔False
2|Page
NWIT263 Midterm (Chapters 5-7) Exam
Questions With Correct Answers.
Explain the differences in resource and data forks used in macOS. - Answer✔The data fork
stores a file's actual data and the resource fork contains file metadata and application
information.
Which of the following is the main challenge in acquiring an image of a system running macOS?
(Choose all that apply.) - Answer✔b. Vendor training is needed.
d. You need special tools to remove drives from a system running macOS or open its case.
To recover a password in macOS, which tool do you use? - Answer✔c. Keychain Access
What are the major improvements in the Linux Ext4 file system? - Answer✔It added support for
partitions larger than 16 TB, improved management of large files, and offered a more flexible
approach to adding file system features.
How does macOS reduce file fragmentation? - Answer✔By using clumps, which are groups of
contiguous allocation blocks
Linux is the only OS that has a kernel. True or False? - Answer✔False
Hard links work in only one partition or volume. True or False? - Answer✔True
Which of the following Linux system files contains hashed passwords for the local system? -
Answer✔d. /etc/shadow
Which of the following describes the superblock's function in the Linux file system? (Choose all
that apply.) - Answer✔b. Specifies the disk geometry and available space
c. Manages the file system, including configuration information
What's the Disk Arbitration feature used for in macOS? - Answer✔It's used to disable and enable
automatic mounting when a drive is connected via a USB or FireWire device.
In Linux, which of the following is the home directory for the superuser? - Answer✔b. root
1|Page
, ©BRIGHSTARS 2024/2025 ALL RIGHTS RESERVED.
Which of the following certifies when an OS meets UNIX requirements? - Answer✔c. The Open
Group
On most Linux systems, current user login information is in which of the following locations? -
Answer✔d. /var/log/utmp
Hard links are associated with which of the following? - Answer✔b. A specific inode
Which of the following describes plist files? (Choose all that apply.) - Answer✔a. You must
have a special editor to view them.
c. They're preference files for applications.
Data blocks contain actual files and directories and are linked directly to inodes. True or False? -
Answer✔True
Which of the following is a new file added in macOS? (Choose all that apply.) - Answer✔c.
/var/db/diagnostics
d. /var/db/uuid.text
Forensics software tools are grouped into _________ and _______________ applications. -
Answer✔GUI, command-line
According to ISO standard 27037, which of the following is an important factor in data
acquisition? (Choose all that apply.) - Answer✔a. The DEFR's competency
c. Use of validated tools
An encrypted drive is one reason to choose a logical acquisition. True or False? - Answer✔True
Hashing, filtering, and file header analysis make up which function of computer forensics tools?
- Answer✔a. Validation and verification
Hardware acquisition tools typically have built-in software for data analysis. True or False? -
Answer✔False; most are used only for acquisition.
The reconstruction function is needed for which of the following purposes? (Choose all that
apply.) - Answer✔a. Re-create a suspect drive to show what happened.
b. Create a copy of a drive for other investigators.
d. Re-create a drive compromised by malware.
List three subfunctions of the extraction function. - Answer✔Answers can include data viewing,
keyword searching, decompressing, carving, decrypting, and bookmarking.
Data can't be written to disk with a command-line tool. True or False? - Answer✔False
2|Page
