Deck 19: Digital Evidence on Macintosh Systems

A) Usernames and passwords
B) Private encryption keys
C) Favorite websites
D) Recent documents

A) The first sector of the volume
B) At offset 0x300 from the beginning of the drive
C) The last sector of the volume
D) CMOS

A) That information is overwritten when a file is deleted.
B) The inode table is deleted.
C) That information is only held in memory.
D) The B-tree data structure frequently rebalances.

A) Use EnCase to recover the files.
B) Use the Catalog utility.
C) Use file carving techniques.
D) There is currently no solution to recovering deleted files from a Macintosh.

A) Lister file
B) Files.db
C) Catalog file
D) Seeker.db

A) Are listed in a separate Extents Overflow file
B) Do not contain lists of their contents
C) Do not show when they were last backed up
D) Are stored in two places on the disk

A) A backup of the Catalog file will still contain the information.
B) All references to the data are removed from the disk.
C) The file information is moved to the Extent Overflow file.
D) The file information is moved to ".Trash," with the same name as the file, and an extent of ".info."

A) The number of nanoseconds since January 1, 1601 00:00:00 GMT
B) The number of milliseconds since January 1, 1980 00:00:00 GMT
C) The number of seconds since January 1, 1601 00:00:00 GMT
D) The number of seconds since January 1, 1904 00:00:00 GMT

A) The last sector of the drive
B) Non-volatile memory
C) The first sector of the drive
D) At offset 1024

A) Internet Explorer
B) Safari
C) Firefox
D) Opera

A) Internet downloads
B) E-mails that contain attachments
C) Unread e-mails
D) E-mail attachments that have been opened

A) Recycler folder
B) .Trash folder
C) [orphans]
D) None of the above

A) Access time
B) Modified time
C) Created time
D) Ctime

A) ~/Library/Recent
B) Catalog:Recent
C) ~/Library/Preferences/com.apple.recent.items
D) com.apple.TextEdit.plist

A) 2⁸
B) 2¹⁶
C) 2³²
D) 2⁶⁴