TU Wien:Digital Forensics VU (Weippl)/Midterm Exam 2017-11-13

For all 25 questions, at least one and at most four answers are correct. The questions and answers were given in both English and German.

Some questions of exam A:

  1. Which of these attributes are mandatory for all MFT entries?
    • $DATA
    • $FILE_NAME
    • ..
  2. Which job is a good prerequisite to easily become a forensics expert?
    • Dentist
    • System administrator
    • Teacher
    • Network engineer
  3. What statements are true about UserAssist?
    • Stores each program execution date
    • Stores the last program execution date
    • Stores the number of program executions
    • Is saved in the registry
  4. What sizes are currently used in the NTFS file system?
    • 4096 bytes sector size (used to be 512 bytes) and 4096 bytes cluster size
    • 4096 bytes sector size and 4096 bytes cluster size (used to be 512 bytes)
    • 512 bytes sector size and 512 bytes cluster size
    • 512 bytes sector size and 4096 bytes cluster size
  5. What does the cost-shifting principle (Überwälzungsgrundsatz) state?
    • The client has to pay first
    • The client can pass the paid amount on to the losing party of a lawsuit
  6. What statements are correct concerning forensics in companies?
    • There is a fixed procedure that everyone has to follow
    • Guides by NIST have to be applied 1:1
    • Guides by NIST can be applied mixed
    • Guides have to be adjusted to fit the company
  7. What is the advantage of looking into data of previous incidents?
    • Data can be restored like in a backup 1:1
    • Previous incident data can help and reduce work enormously when analyzing the current incident
  8. What statements are true concerning the Gutachten (expert opinion) and Befund (findings)?
    • The Befund presents all relevant facts from which the later conclusions are drawn
    • The Befund is the basis for the Gutachten in the narrower sense. All conclusions and statements contained in it must be founded on facts documented in the Befund
  9. What statements are true concerning evidence?
    • A judge has to acknowledge all evidence
    • Evidence consisting of reports by laypersons has to be acknowledged
    • Evidence consisting of reports has to be acknowledged
  10. What are the disadvantages of using DMA?
    • DMA changes the RAM state
    • One has to carry a DMA tool with them
    • DMA depends on the OS
    • DMA influences paging
  11. What are the advantages of using DMA?
    • see previous question, all answers were just the same or inverted...
  12. What about documentation?
    • is the most important thing
    • is a hard thing that is easy to be done wrong
    • saves a forensics examiner from being accused of having manipulated the data
  13. Software vs. hardware RAM acquisition?
    • Software is cheaper
    • Software is OS-independent
  14. What statements are true concerning Vtypes in Volatility?
    • Maps C types to Python
    • Supports as many data types as C provides
    • Are used to model a specific OS/hardware architecture
    • Is needed to execute the main Python script (vol.py)
  15. You see a locked PC that has no port to use DMA (Firewire, etc.). What do you do?
    • Use a cold boot attack
    • Turn the PC off and analyze the HDD in the lab
    • Use FTK3
    • Use Volatility
  16. Which cryptographic functions are used to achieve integrity?
    • AES with ECB
    • AES with CBC
    • Cryptographic hash functions
    • Fuzzy hashing
  17. Which techniques did Max Butler (from the book Kingpin) use in the example? He...
    • hacked into WiFis
    • did stack based buffer overflows
    • captured RAM
    • used Tor for hacking
  18. Concerning HDD analysis, which statements are true?
    • Using hardware write blockers is mandatory
    • Using hardware write blockers is optional
    • Using software write blockers is sufficient
    • There exists a hardware write blocker which can handle RAID
  19. Which of those file attributes exist?
    • Modified
    • Updated
    • Created
    • Moved
  20. When a file is deleted on hard disk, what does change?
    • The file is overwritten multiple times
    • The MFT entry is marked as deleted
    • The bitmap of the corresponding sectors is set to 1
    • The bitmap of the corresponding sectors is set to 0
  21. Which of these points are inadmissible in a Gutachten (expert opinion)?
    • Offering legal instruction (Rechtsbelehrungen)
    • Unverifiable claims
  22. Which statements are true about acquisition?
    • Acquisition is not repeatable
    • May provoke paging
    • Is invasive (RAM regions get overwritten)
  23. ?
  24. ?
  25. ?

Some questions of exam B:

  1. Which commands do you use to analyse processes when doing a forensic analysis?
    • psscan
    • pstree
    • pslist
  2. ?