/proc/ Ans✓✓✓Linux process files directory. Uses tmpfs
5W1H Ans✓✓✓Documentation outline for how evidence was obtained.
Who, What, When, Where, Why, How
Advanced Static Analysis Ans✓✓✓
AFF image format Ans✓✓✓Image format that stores the imaged disk
as compressed segments for better saving and metadata of the image
Alternate data stream Ans✓✓✓Method of loading more than one data
sector into a single file. Used to hide files. dir /r to display ADS
Alternate Data Streams (ADS) Ans✓✓✓Method of loading more than
one data sector into single file (hiding data within data). Only works
with NTFS
ASCII code Ans✓✓✓a code for representing English characters as
numbers, with each letter assigned a number from 0 to 127
Attrition Ans✓✓✓a wearing down over time
Autopsy tool Ans✓✓✓Forensic Tool kit includes hash lookup, file
carving, metadata extraction, and more
Autoruns Ans✓✓✓Checks Autorun Registry locations
Autoruns Ans✓✓✓program allows users to see exactly what is starting
up when the computer boots
BAT file Ans✓✓✓contains a series of line commands in plain text that
are executed to perform various tasks, such as starting programs or
running maintenance utilities within Windows
Binary pattern Ans✓✓✓
Binwalk Ans✓✓✓Tool for identifying files and code embedded inside
of firmware images. Windows/Linux
Black holing Ans✓✓✓a place in the network where incoming or
outgoing traffic is silently discarded (or "dropped"), without informing
the source that the data did not reach its intended recipient
BTRFS filesystem Ans✓✓✓Linux file system, space-efficient file
system. Supports compression and snapshots
Bulk Extractor tool Ans✓✓✓Data carver - ignores the file system
structure; the tool can process different parts of a disk in parallel.
Business Continuity Plan (BCP) Ans✓✓✓A plan that specifies how to
resume not only IT operations but all business processes in the event of a
major calamity
Certutil Ans✓✓✓Enables generation of multiple hash signatures for a
file. Windows OS
Certutil.exe Ans✓✓✓is an extremely flexible command-line utility for
administering Active Directory Certificate Services
CSIRT Ans✓✓✓computer security incident response team - a
formalized or ad-hoc team you can call upon to respond to an incident
after it arises
CSV (comma-separated values) Ans✓✓✓File format for transferring
data, which stores fields and records in a plain text file, separated by
commas
Cuckoo Ans✓✓✓A tool that creates a sandbox useful for analyzing
files, especially malware inspection.
Data carving Ans✓✓✓Reassembling files from pieces of raw data,
when no file system metadata is available. Deleted or partially
overwritten files