2012-10-30

True/False
Indicate whether the statement is true or false.

True 1.   If a file contains information, it always occupies at least one allocation block.

False 2.   Older Macintosh computers use the same type of BIOS firmware commonly found in PC-based systems.

True 3.   GPL and BSD variations are examples of open-source software.

False 4.   A UNIX or Linux computer has two boot blocks, which are located on the main hard disk.

False 5.   Under ISO 9660 for DVDs, the Micro-UDF (M-UDF) function has been added to allow for long file names.

Multiple Choice
Identify the choice that best completes the statement or answers the question.

6.   Macintosh OS X is built on a core called Darwin.

a. Phantom   b. Panther   c. Darwin   d. Tiger

7.   In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a resource fork, where file metadata and application information are stored.

a. resource   b. node   c. blocks   d. inodes

8.   The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is 65,535.

a. 32,768   b. 45,353   c. 58,745   d. 65,535

9.   On older Macintosh OSs, all information about the volume is stored in the Master Directory Block (MDB).

a. Master Directory Block (MDB)   b. Volume Control Block (VCB)   c. Extents Overflow File (EOF)   d. Volume Bitmap (VB)

10.   With Mac OSs, a system application called Volume Bitmap tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.

a. Extents overflow file   b. Volume Bitmap   c. Master Directory Block   d. Volume Control Block

11.   On Mac OSs, File Manager uses the extents overflow file to store any information not in the MDB or Volume Control Block (VCB).

a. volume information block   b. extents overflow file   c. catalog   d. master directory block

12.   Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the GPL agreement.

a. AIX   b. BSD   c. GPL   d. GRUB

13.   The standard Linux file system is Ext2fs.

a. NTFS   b. Ext3fs   c. HFS+   d. Ext2fs

14.   Ext2fs can support disks as large as 4 TB and files as large as 2 GB.

a. 4   b. 8   c. 10   d. 12

15.   Linux is unique in that it uses inodes, or information nodes, that contain descriptive information about each file or directory.

a. xnodes   b. extnodes   c. infNodes   d. inodes

16.   To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of 0.

a. -1   b. 0   c. 1   d. 2

17.   4 components define the file system on UNIX.

a. 2   b. 3   c. 4   d. 5

18.   The final component in the UNIX and Linux file system is a data block, which is where directories and files are stored on a disk drive.

a. superblock   b. data block   c. boot block   d. inode block

19.   LILO uses a configuration file named lilo.conf located in the /etc directory. (Linux paths are case sensitive; the file is lowercase on disk.)

a. lilo.conf   b. boot.conf   c. lilo.config   d. boot.config

20.   Erich Boleyn created GRUB in 1995 to deal with multiboot processes and a variety of OSs.

a. 1989   b. 1991   c. 1994   d. 1995

21.   On a Linux computer, /dev/hda1 is the path for the first partition on the primary master IDE disk drive.

a. /dev/sda1   b. /dev/hdb1   c. /dev/hda1   d. /dev/ide1

22.   There are 99 tracks available for the program area on a CD.

a. 45   b. 50   c. 99   d. 100

23.   The Advanced SCSI Programming Interface (ASPI) provides several software drivers that allow communication between the OS and the SCSI component.

a. International Organization for Standardization (ISO)   b. Advanced SCSI Programming Interface (ASPI)   c. CLV   d. EIDE

24.   All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133, IDE and EIDE alike, use the standard 40-pin ribbon or shielded cable.

a. 40-pin   b. 60-pin   c. 80-pin   d. 120-pin

25.   ATA-66, ATA-100, and ATA-133 can use the newer 40-pin/80-wire cable.

a. 70   b. 83   c. 96   d. 100

26.   The IDE ATA controller on an old 486 PC doesn't recognize disk drives larger than 8.4 GB.

a. KB   b. MB   c. GB   d. TB

Completion

Complete each statement.

27. Before OS X, Macintosh used the ____, in which files are stored in directories, or folders, that can be nested in other folders. Answer: Hierarchical File System (HFS).

28. The Macintosh file system has ____ descriptors for the end of file (EOF). Answer: two (the logical EOF, the number of bytes that actually contain data, and the physical EOF, the size of the allocation blocks assigned to the file).

29. ____ is a journaling version of Ext2fs that reduces file recovery time after a crash. Answer: Ext3fs

30. When you turn on the power to a UNIX workstation, instruction code located in firmware on the system's CPU loads into RAM. This firmware is called ____ code because it's located in ROM. Answer: memory-resident code

31. CD players that are 12X or faster read discs by using a(n) ____ system. Answer: constant angular velocity (CAV).

Matching

Match each item with a statement below.

a. File Manager

b. Inode blocks

c. ISO 9660

d. LILO

f. Volume

g. ls

h. Catalog

i. Finder

d  32.   older Linux boot manager utility

i  33.   Macintosh tool that works with the OS to keep track of files and maintain users’ desktops

f  34.   any storage medium used to store files

g  35.   the list command on Linux

h  36.   maintains relationships between files and directories on a volume on a Mac OS

b  37.   the first data after the superblock on a UNIX or Linux file system

c  38.   ISO standard for CDs

a  39.   Mac OS utility that handles reading, writing, and storing data to physical media

e  40.   groups of contiguous allocation blocks

Short Answer

41. Explain the relation between allocation blocks and logical blocks on a Mac OS file system.

Volumes have allocation blocks and logical blocks. A logical block is a collection of data that can't exceed 512 bytes. When you save a file, File Manager assigns the file to an allocation block, which is a group of consecutive logical blocks. On a floppy disk, an allocation block is usually one logical block. As volumes increase in size, one allocation block might be composed of three or more logical blocks, so a file's physical EOF (allocated space) can exceed its logical EOF (bytes of data) by up to one allocation block, and that slack can hold remnants of earlier data.
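The relationship in questions 8, 9, 10, 28 and 41 is visible in the Master Directory Block itself. The following is an added example (not code from the textbook or the quiz source): it decodes the first 64 bytes of a classic HFS MDB, derives the logical-blocks-per-allocation-block ratio from drAlBlkSiz, walks the Volume Bitmap at drVBMSt to recount free blocks, and computes logical versus physical EOF for a file. The drNmAlBlks field is 16 bits wide, which is exactly why File Manager cannot address more than 65,535 allocation blocks per volume. The 4 KB volume image is constructed inside the script and is not a real disk.

```python
"""Decode a classic HFS Master Directory Block (MDB) and its Volume Bitmap.

Added example, not code from the textbook.  The MDB field order follows the
HFS on-disk layout (drSigWord, drCrDate, drLsMod, drAtrb, drNmFls, drVBMSt,
drAllocPtr, drNmAlBlks, drAlBlkSiz, drClpSiz, drAlBlSt, drNxtCNID, drFreeBks,
drVN).  The volume image built below is constructed for the example.
"""
import math
import struct

LOGICAL_BLOCK = 512        # HFS logical block size in bytes
MDB_LOGICAL_BLOCK = 2      # the MDB lives in logical block 2 (byte offset 1024)
HFS_SIGNATURE = 0x4244     # 'BD'
MDB_FORMAT = ">HIIHHHHHIIHIH28s"   # big-endian; first 64 bytes of the MDB


def parse_mdb(volume: bytes) -> dict:
    """Unpack the MDB and derive the allocation-block geometry from it."""
    off = MDB_LOGICAL_BLOCK * LOGICAL_BLOCK
    (sig, _created, _modified, attrs, nfiles, vbm_start, _alloc_ptr, nblocks,
     blk_size, clump, alloc_start, next_cnid, free, vn) = struct.unpack_from(
        MDB_FORMAT, volume, off)
    if sig != HFS_SIGNATURE:
        raise ValueError(f"not an HFS MDB: signature 0x{sig:04x}")
    if blk_size == 0 or blk_size % LOGICAL_BLOCK:
        raise ValueError(f"bad allocation block size {blk_size}")
    return {
        "name": vn[1:1 + vn[0]].decode("mac_roman"),   # drVN is a Pascal string
        "unmounted_cleanly": bool(attrs & 0x0100),     # drAtrb bit 8 (assumed meaning)
        "file_count": nfiles,
        "alloc_blocks": nblocks,                       # 16-bit field: at most 65,535
        "alloc_block_size": blk_size,
        "logical_blocks_per_alloc_block": blk_size // LOGICAL_BLOCK,
        "clump_alloc_blocks": clump // blk_size,
        "bitmap_logical_block": vbm_start,
        "first_alloc_logical_block": alloc_start,
        "free_alloc_blocks_claimed": free,
        "next_cnid": next_cnid,
    }


def count_free_blocks(volume: bytes, mdb: dict) -> int:
    """Count allocation blocks whose Volume Bitmap bit is clear (0 = free)."""
    n = mdb["alloc_blocks"]
    start = mdb["bitmap_logical_block"] * LOGICAL_BLOCK
    bitmap = volume[start:start + math.ceil(n / 8)]
    used = 0
    for i in range(n):
        if bitmap[i // 8] & (0x80 >> (i % 8)):   # block 0 is the MSB of byte 0
            used += 1
    return n - used


def bitmap_matches_mdb(volume: bytes, mdb: dict) -> bool:
    """A mismatch means the MDB is stale or was edited after the bitmap was."""
    return count_free_blocks(volume, mdb) == mdb["free_alloc_blocks_claimed"]


def eof_descriptors(logical_eof: int, alloc_block_size: int) -> tuple:
    """Return (logical EOF, physical EOF): bytes of data vs. bytes allocated."""
    blocks = math.ceil(logical_eof / alloc_block_size)
    return logical_eof, blocks * alloc_block_size


def build_sample_volume() -> bytes:
    """Constructed 4 KB image: MDB in block 2, bitmap in block 3, 16 x 1 KB blocks."""
    vol = bytearray(8 * LOGICAL_BLOCK)
    name = b"EVIDENCE"
    vn = bytes([len(name)]) + name.ljust(27, b"\x00")
    struct.pack_into(MDB_FORMAT, vol, MDB_LOGICAL_BLOCK * LOGICAL_BLOCK,
                     HFS_SIGNATURE, 0xB0C0D0E0, 0xB0C0D0F0, 0x0100, 3,
                     3, 0, 16, 1024, 4096, 4, 20, 12, vn)
    # bitmap: blocks 0-2 and 15 in use, 12 free, matching drFreeBks above
    vol[3 * LOGICAL_BLOCK:3 * LOGICAL_BLOCK + 2] = bytes([0b11100000, 0b00000001])
    return bytes(vol)


if __name__ == "__main__":
    vol = build_sample_volume()
    mdb = parse_mdb(vol)
    print(mdb)
    print("free per bitmap:", count_free_blocks(vol, mdb),
          "consistent:", bitmap_matches_mdb(vol, mdb))
    print("EOFs for a 1500-byte file:", eof_descriptors(1500, mdb["alloc_block_size"]))
```

On a real image the MDB is read from byte offset 1024 of the volume, and a free-count mismatch between drFreeBks and the bitmap is a cue that the volume was not unmounted cleanly or that the MDB was edited by hand.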

42. Explain the use of B*-trees on the Mac OS 9 file system.

File Manager stores file-mapping information in two locations: the extents overflow file and the file's catalog entry. Mac OS 9 also uses the B*-tree file system to organize the directory hierarchy and file block mapping for File Manager. In this file system, files are nodes (records or objects) containing file data. Each node is 512 bytes. The nodes containing actual file data are called leaf nodes; they're the bottom level of the B*-tree. The B*-tree also has the following nodes that handle file information:

• The header node stores information about the B*-tree file.

• The index node stores link information to previous and next nodes.

• The map node stores a node descriptor and map record.

43. Explain the use of forensic tools for Macintosh systems.

To examine a Macintosh computer, you need to make an image of the drive. There are some exceptions you should be aware of, however, because of Macintosh design and engineering. For example, a static acquisition of the suspect drive is preferable to a live acquisition. In addition, removing the drive from a Mac mini's case is difficult, and attempting to do so without Apple factory training could damage the computer. You need a Macintosh-compatible forensic boot CD to make an image, which then must be written to an external drive, such as a FireWire or USB drive. Larger Macintoshes are constructed similarly to desktop PCs, making it much easier to remove the hard drive.

44. What are the functions of the super block on a UNIX or Linux file system?

The super block contains vital information about the system and is considered part of the metadata. It indicates the disk geometry, available space, and location of the first inode and keeps track of all inodes. The super block also manages the UNIX/Linux file system, including configuration information, such as block size for the drive, file system names, blocks reserved for inodes, free inode list, free block starting chain, volume name, and inodes for last update time and backup time. Multiple copies of the super block are kept in various locations on the disk to prevent losing such important information.
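Those backup copies are what you fall back on when a suspect has wiped or edited the primary super block. The following is an added example (not code from the textbook or the quiz source): it decodes the first 200 bytes of an ext2 superblock, lists every block that carries a copy (with the sparse_super feature, groups 0, 1 and the powers of 3, 5 and 7), and recovers from a backup when the primary copy fails its magic check, which is what `e2fsck -b <block>` does on a real volume. The image is constructed with an unrealistically small block group of 64 blocks so that it stays a few hundred KB; on a real 1 KB-block file system the first backup is the familiar block 8193.

```python
"""Parse an ext2 superblock and locate its backup copies.

Added example, not from the textbook.  Field order follows the on-disk ext2
superblock (1024 bytes starting at byte offset 1024 of the volume; magic 0xEF53
at byte 56 of the structure).  The image built below is constructed for the
example with an unrealistically small block group (64 blocks).
"""
import struct

SB_OFFSET = 1024
EXT2_MAGIC = 0xEF53
SPARSE_SUPER = 0x0001      # s_feature_ro_compat: copies only in groups 0, 1, 3^n, 5^n, 7^n
SB_FORMAT = "<" + "I" * 13 + "HhHHHH" + "IIII" + "HH" + "I" + "HH" + "III" + "16s16s64s"
SB_SIZE = struct.calcsize(SB_FORMAT)   # 200 bytes: the part decoded here
SB_FIELDS = (
    "inodes_count blocks_count r_blocks_count free_blocks_count free_inodes_count "
    "first_data_block log_block_size log_frag_size blocks_per_group frags_per_group "
    "inodes_per_group mtime wtime mnt_count max_mnt_count magic state errors "
    "minor_rev_level lastcheck checkinterval creator_os rev_level def_resuid "
    "def_resgid first_ino inode_size block_group_nr feature_compat feature_incompat "
    "feature_ro_compat uuid volume_name last_mounted").split()


def parse_superblock(image: bytes, offset: int = SB_OFFSET) -> dict:
    """Decode the superblock at `offset`; raise ValueError if the magic is wrong."""
    sb = dict(zip(SB_FIELDS, struct.unpack_from(SB_FORMAT, image, offset)))
    if sb["magic"] != EXT2_MAGIC:
        raise ValueError(f"no ext2 magic at offset {offset}: 0x{sb['magic']:04x}")
    sb["block_size"] = 1024 << sb["log_block_size"]
    sb["volume_name"] = sb["volume_name"].rstrip(b"\0").decode(errors="replace")
    sb["clean"] = bool(sb["state"] & 1)   # EXT2_VALID_FS: cleanly unmounted
    return sb


def primary_intact(image: bytes) -> bool:
    try:
        parse_superblock(image)
        return True
    except ValueError:
        return False


def group_has_superblock(group: int, sparse: bool) -> bool:
    """Without sparse_super every group has a copy; with it only 0, 1, 3^n, 5^n, 7^n."""
    if not sparse or group <= 1:
        return True
    for base in (3, 5, 7):
        n = base
        while n < group:
            n *= base
        if n == group:
            return True
    return False


def superblock_blocks(sb: dict) -> list:
    """Block numbers of every superblock copy, primary first."""
    groups = -(-(sb["blocks_count"] - sb["first_data_block"]) // sb["blocks_per_group"])
    sparse = bool(sb["feature_ro_compat"] & SPARSE_SUPER)
    return [sb["first_data_block"] + g * sb["blocks_per_group"]
            for g in range(groups) if group_has_superblock(g, sparse)]


def recover_superblock(image: bytes, block_size: int, blocks_per_group: int,
                       first_data_block: int = 1) -> tuple:
    """What `e2fsck -b` relies on: read a backup copy when the primary is bad.
    The geometry must be supplied (or guessed) because it lived in the lost copy."""
    group = 1
    while (first_data_block + group * blocks_per_group) * block_size + SB_SIZE <= len(image):
        block = first_data_block + group * blocks_per_group
        if group_has_superblock(group, sparse=True):   # sparse set is valid either way
            try:
                return block, parse_superblock(image, block * block_size)
            except ValueError:
                pass
        group += 1
    raise ValueError("no intact backup superblock found")


def build_sample_image(corrupt_primary: bool = False) -> bytes:
    """Constructed 257-block image: 1 KB blocks, 4 groups of 64, sparse_super on."""
    block_size, bpg, first = 1024, 64, 1
    blocks = first + 4 * bpg
    img = bytearray(blocks * block_size)
    fields = {name: 0 for name in SB_FIELDS}
    fields.update(inodes_count=512, blocks_count=blocks, free_blocks_count=200,
                  free_inodes_count=500, first_data_block=first, log_block_size=0,
                  blocks_per_group=bpg, frags_per_group=bpg, inodes_per_group=128,
                  magic=EXT2_MAGIC, state=1, rev_level=1, first_ino=11, inode_size=128,
                  feature_ro_compat=SPARSE_SUPER, uuid=b"\x11" * 16,
                  volume_name=b"evidence".ljust(16, b"\0"),
                  last_mounted=b"/mnt/evidence".ljust(64, b"\0"))
    for block in (1, 65, 193):            # groups 0, 1 and 3 carry a copy under sparse_super
        fields["block_group_nr"] = (block - first) // bpg
        struct.pack_into(SB_FORMAT, img, block * block_size, *[fields[n] for n in SB_FIELDS])
    if corrupt_primary:
        img[SB_OFFSET:SB_OFFSET + SB_SIZE] = b"\0" * SB_SIZE
    return bytes(img)


if __name__ == "__main__":
    good = build_sample_image()
    sb = parse_superblock(good)
    print("copies at blocks:", superblock_blocks(sb), "clean:", sb["clean"])
    damaged = build_sample_image(corrupt_primary=True)
    print("primary intact:", primary_intact(damaged))
    print("recovered from block:", recover_superblock(damaged, 1024, 64)[0])
```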

45. What is a bad block inode on Linux?

All disks have more storage capacity than the manufacturer states. For example, a 20 GB disk might actually have 20.5 GB of space, because disks always have some bad sectors despite the most careful manufacturing, and the extra capacity covers them. DOS and Windows record bad clusters inside their allocation structures (the FAT, or the $BadClus file on NTFS); Linux keeps them in a dedicated inode called the bad block inode. The root inode is inode 2, and the bad block inode is inode 1. Some forensics tools ignore inode 1 and therefore fail to recover valuable data for cases. Someone trying to mislead an investigator can access the bad block inode, list good sectors in it, and then hide information in these supposedly "bad" sectors. The check is to compare the blocks listed in inode 1 (dumpe2fs -b prints them) with the result of an actual surface scan: a "bad" block that reads cleanly deserves a look.

To find bad blocks on your Linux computer, you can use the badblocks command, although you must log on as root to do so. Linux includes two other commands that provide bad block information: mke2fs and e2fsck, both of which accept -c to scan the device for bad blocks. By default badblocks only reads, but its write-mode test (-w) overwrites every sector and destroys the data, so never run it against original evidence; e2fsck -c performs a read-only scan, and mke2fs -c does too, but mke2fs then creates a new file system on the device. Work on a verified image, not the suspect drive.
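The search in question 16 (inodes with data but a link count of 0), the inode 1 trick above, and the octal mode field of question 46 can all be demonstrated on an inode table. The following is an added example (not code from the textbook or the quiz source): it decodes 128-byte ext2 inodes, reports every inode that is marked deleted (link count 0, deletion time set) but still has a size, and lists the direct block pointers held by the bad block inode so that those blocks can be examined. The inode table is constructed inline; the deletion timestamp is the page's date expressed as a Unix time. One caveat the example encodes: ext2 leaves the block pointers of a deleted file in place, whereas ext3 zeroes them on unlink, so the size field may survive while the pointers do not.

```python
"""Scan an ext2 inode table for deleted-but-recoverable inodes and list the
bad block inode's contents.

Added example, not code from the textbook.  Layout is the 128-byte ext2
on-disk inode (i_mode, i_uid, i_size, i_atime, i_ctime, i_mtime, i_dtime,
i_gid, i_links_count, i_blocks, i_flags, i_osd1, i_block[15], ...).  The table
below is constructed; inode numbers are 1-based, so table slot 0 is inode 1.
"""
import struct

INODE_SIZE = 128
INODE_FORMAT = "<HHIIIIIHHIII15IIIII12s"
BAD_BLOCKS_INODE = 1
ROOT_INODE = 2


def parse_inode(raw: bytes) -> dict:
    f = struct.unpack(INODE_FORMAT, raw)
    return {"mode": f[0], "uid": f[1], "size": f[2], "atime": f[3], "ctime": f[4],
            "mtime": f[5], "dtime": f[6], "gid": f[7], "links": f[8],
            "sectors": f[9], "flags": f[10], "block": list(f[12:27])}


def mode_string(mode: int) -> str:
    """Octal view of i_mode: file type in the high bits, permission bits below."""
    kinds = {0o040000: "dir", 0o100000: "file", 0o120000: "symlink"}
    return f"{kinds.get(mode & 0o170000, 'other')} {mode & 0o7777:04o}"


def find_deleted_inodes(table: bytes) -> list:
    """Deleted = link count 0 with a deletion time set but a non-zero size.
    Direct block pointers are reported when they survived (ext2 keeps them)."""
    found = []
    for slot in range(len(table) // INODE_SIZE):
        inode = parse_inode(table[slot * INODE_SIZE:(slot + 1) * INODE_SIZE])
        if inode["links"] == 0 and inode["dtime"] != 0 and inode["size"] > 0:
            found.append({"inode": slot + 1, "mode": mode_string(inode["mode"]),
                          "size": inode["size"], "dtime": inode["dtime"],
                          "direct_blocks": [b for b in inode["block"][:12] if b]})
    return found


def bad_block_list(table: bytes) -> list:
    """Direct block pointers in inode 1.  The file system never hands these out,
    and tools that skip inode 1 never look at them, so examine them by hand."""
    inode = parse_inode(table[0:INODE_SIZE])
    return [b for b in inode["block"][:12] if b]   # indirect pointers not followed


def _inode(mode=0, size=0, links=0, dtime=0, blocks=()) -> bytes:
    blk = list(blocks) + [0] * (15 - len(blocks))
    return struct.pack(INODE_FORMAT, mode, 0, size, 0, 0, 0, dtime, 0, links,
                       (size + 511) // 512, 0, 0, *blk, 0, 0, 0, 0, b"\0" * 12)


def build_sample_table() -> bytes:
    """Constructed table: inode 1 = bad blocks (claims blocks 900, 901), 2 = root,
    3-10 reserved, 11 = a directory, 12 = deleted file, 13 = live file, 14 = unused."""
    slots = [_inode(blocks=(900, 901))]
    slots.append(_inode(mode=0o040755, size=1024, links=3, blocks=(20,)))
    slots += [_inode()] * 8
    slots.append(_inode(mode=0o040700, size=1024, links=2, blocks=(21,)))
    slots.append(_inode(mode=0o100644, size=4096, links=0, dtime=1351555200,
                        blocks=(300, 301, 302, 303)))
    slots.append(_inode(mode=0o100600, size=100, links=1, blocks=(310,)))
    slots.append(_inode())
    return b"".join(slots)


if __name__ == "__main__":
    table = build_sample_table()
    print("blocks claimed bad by inode 1:", bad_block_list(table))
    for hit in find_deleted_inodes(table):
        print("deleted:", hit)
```

On a real image the inode table for each block group starts at the block named in that group's descriptor, and the inode size comes from the superblock (128 bytes for ext2; larger on ext4).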

46. What is a continuation inode?

A continuation inode has more room for detailed information. This information includes the mode and file type, the number of links to the file or directory, the file's or directory's access control list (ACL), the least and most significant bytes of the ACL UID and GID, and the file or directory status flag. The status flag is a bit field, usually expressed in octal format, containing unique information about how Linux handles permissions for a file or directory.

47. Describe the CD creation process.

To create a CD, a laser burns pits into the data side of the disc (the side without the label); the flat areas the laser leaves untouched between them are called lands. It is the transition between a pit and a land, in either direction, that carries the binary value 1; stretches with no transition are read as 0s. On the surface of a CD, data is configured into three regions: the lead-in area, the program area, and the lead-out area. The lead-in area contains the table of contents in the subcode Q-channel. Subcode channels are additional data channels that provide start and end markers for tracks, time codes for each frame, the table of contents in the lead-in area, and graphics codes. Up to 99 tracks are available for the table of contents. The lead-in area also lets the drive synchronize with the disc as it spins.

The program area of the CD stores data and, like the lead-in area, has up to 99 tracks available. The lead-out area is the end-of-CD marker for the storage area.

48. Write a brief history of SCSI.

Small computer system interface (SCSI) is an input/output bus standard that allows a computer to access devices such as hard drives, tape drives, scanners, CD-ROM drives, and printers. Shugart Associates created it in 1979 (originally as SASI) to provide a common bus for all computer vendors. As SCSI evolved, it became a standard for PCs, Macintoshes, and many UNIX workstations. Older Macintosh systems, such as the Mac SE, shipped with only a SCSI port.

49. Explain the problems you can encounter with pre-ATA-33 devices when connecting them to current PCs.

A pre-ATA-33 IDE drive might not work correctly or be accessible to your workstation, although PCs are usually backward compatible with older IDE drives. When you must access an older IDE drive, you might need to locate an older Pentium I or 486 PC and rely on your technical skills and those of other experts to investigate the disk.

The CMOS setup on current PCs uses logical block addressing (LBA) and enhanced cylinder, head, and sector (CHS) configurations. When you connect an ATA-33 or newer drive to a PC, the CMOS identifies the disk's correct settings automatically, which is convenient when you're installing hard disks on your workstation. However, this feature can pose problems during an investigation. If you need to make a copy of a pre-ATA-33 256 MB drive, for example, you need its CHS configuration. Suppose you have a spare 4.0 GB drive where you plan to store a copy of the 256 MB drive. When you connect the two drives and power on your workstation, you enter CMOS setup and manually set it to match the CHS of the 256 MB drive. When you restart your workstation and access CMOS setup again, you find that the CHS setting you changed didn't take effect: autodetection has overridden it. To solve this problem, use a disk-imaging tool, such as NTI SafeBack or Guidance Software EnCase. These tools force the correct CHS configuration onto the target drive so that you can copy evidence data correctly.

50. What problems can hidden partitions on IDE devices cause to forensic investigators?

Another trick suspects use to conceal evidence is hiding disk partitions. Older tools, such as Norton DiskEdit, can be used to change the disk partition table so that when the drive is viewed from the operating system, as in Windows Explorer, there's no indication that the deactivated partition exists. Because the hard disk you're investigating might have a hidden partition, use imaging tools that can access unpartitioned areas of a drive, and compare the sectors the partition table accounts for against the drive's total capacity. Modern computer forensics tools can identify hidden partitions on most drives.
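The two checks that expose this trick, and the CHS/LBA bookkeeping from question 49, fit in a short script. The following is an added example (not code from the textbook or the quiz source): it parses the four 16-byte entries of an MBR, flags an entry whose type byte has been zeroed while its start and length are still present (what a DiskEdit-style edit leaves behind), lists every sector range that no active partition accounts for, and verifies that each entry's CHS fields agree with its LBA fields under the classic 255-head, 63-sector translation. The MBR and the 4,000,000-sector disk size are constructed for the example.

```python
"""Parse an MBR partition table and flag space the table does not account for.

Added example, not code from the textbook.  Standard MBR layout: four 16-byte
entries at byte 446, signature 0x55AA at byte 510.  CHS <-> LBA conversion
assumes the classic 255-head / 63-sector translated geometry (an assumption;
the real geometry comes from the BIOS).  The sector below is constructed.
"""
import struct

HEADS, SPT = 255, 63
CHS_MAX = 1024 * HEADS * SPT - 1        # highest LBA the 3-byte CHS field can express
ENTRY_FORMAT = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sectors


def lba_to_chs(lba: int) -> bytes:
    cyl, rem = divmod(lba, HEADS * SPT)
    head, sec = divmod(rem, SPT)
    if cyl > 1023:                      # beyond CHS reach: tools clamp to the maximum
        cyl, head, sec = 1023, HEADS - 1, SPT - 1
    return bytes([head, ((cyl >> 2) & 0xC0) | (sec + 1), cyl & 0xFF])


def chs_to_lba(chs: bytes) -> int:
    head, sec = chs[0], chs[1] & 0x3F
    cyl = ((chs[1] & 0xC0) << 2) | chs[2]
    return (cyl * HEADS + head) * SPT + (sec - 1)


def parse_mbr(sector0: bytes) -> list:
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    entries = []
    for i in range(4):
        status, chs_s, ptype, chs_e, lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector0, 446 + 16 * i)
        entries.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count,
                        "chs_start": chs_s, "chs_end": chs_e})
    return entries


def suspicious_entries(entries: list) -> list:
    """Type 0x00 means 'unused', and an unused entry should be all zeros.  A zeroed
    type with a real start/length is a deactivated partition, not an empty slot."""
    return [e["index"] for e in entries
            if e["type"] == 0 and (e["lba_start"] or e["sectors"])]


def chs_consistent(e: dict) -> bool:
    """Both CHS and LBA fields are written by the partitioning tool; they disagree
    after a hand edit or when the drive was partitioned under another geometry."""
    end = e["lba_start"] + e["sectors"] - 1
    return (chs_to_lba(e["chs_start"]) == min(e["lba_start"], CHS_MAX)
            and chs_to_lba(e["chs_end"]) == min(end, CHS_MAX))


def unallocated_ranges(entries: list, total_sectors: int) -> list:
    """Sector ranges covered by no active (non-zero type) entry; sector 0 is the MBR."""
    used = sorted((e["lba_start"], e["lba_start"] + e["sectors"] - 1)
                  for e in entries if e["type"] and e["sectors"])
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor <= total_sectors - 1:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed: NTFS partition, a deactivated (type 0x00) partition that still
    points at sectors 1,000,063-1,999,999, and a Linux partition; slot 4 empty."""
    sec = bytearray(512)
    layout = [(0x80, 0x07, 63, 1_000_000),
              (0x00, 0x00, 1_000_063, 999_937),
              (0x00, 0x83, 2_000_000, 500_000)]
    for i, (status, ptype, lba, count) in enumerate(layout):
        struct.pack_into(ENTRY_FORMAT, sec, 446 + 16 * i, status, lba_to_chs(lba),
                         ptype, lba_to_chs(lba + count - 1), lba, count)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


if __name__ == "__main__":
    entries = parse_mbr(build_sample_mbr())
    print("deactivated entries:", suspicious_entries(entries))
    print("unaccounted sector ranges:", unallocated_ranges(entries, 4_000_000))
    for e in entries:
        if e["sectors"]:
            print(f"entry {e['index']}: type 0x{e['type']:02x} CHS ok={chs_consistent(e)}")
```

Any range that unallocated_ranges() reports is where a deactivated partition, or simply leftover data from an earlier partition layout, will sit, so it is the region to image and carve rather than skip.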

Sources:

Bradley Sean Susser

Dr. Narayan Murthy

Guide to Computer Forensics and Investigations, 4th ed., Nelson, Phillips, and Steuart