CCNA Storage Forensics and File System Analysis Questions

22 of 172 questions · Page 3/3 · Storage Forensics and File System Analysis · Answers revealed

151 · MCQ · medium

During a forensic examination of an NTFS drive, an investigator finds that a file 'notes.txt' has an additional data stream named 'hidden.txt' attached. Which feature of NTFS allows this?

A. USN Journal
B. MFT
C. Alternate Data Streams (ADS)
D. Slack space
Answer: C

ADS allows hiding data in separate streams attached to a file.

Why this answer

C is correct because NTFS supports Alternate Data Streams (ADS), a feature that allows multiple data streams to be associated with a single file. The 'hidden.txt' stream attached to 'notes.txt' is a classic example of ADS, which can be used to hide data or store metadata without affecting the file's primary content.

Exam trap

The trap here is that candidates confuse ADS with slack space or the MFT, thinking that any hidden data in NTFS must be in slack space or metadata, when ADS is the specific feature for named additional streams.

How to eliminate wrong answers

Option A is wrong because the USN Journal (Update Sequence Number Journal) is a log of changes to files on an NTFS volume, not a mechanism for attaching additional data streams. Option B is wrong because the Master File Table (MFT) is a database that stores metadata about files and directories, but it does not directly enable the attachment of extra data streams; ADS is a separate NTFS feature. Option D is wrong because slack space refers to unused bytes at the end of a file's allocated cluster, which can store hidden data but is not a feature for attaching named data streams like ADS.

152 · MCQ · medium

An analyst is recovering deleted files from a FAT32 file system. The file system uses a cluster size of 4096 bytes. The first cluster of a deleted file is cluster 100. Which structure contains the chain of clusters for this file?

A. Volume boot record
B. Directory entry
C. File Allocation Table (FAT)
D. Boot sector
Answer: C

Why this answer

The FAT contains entries for each cluster, indicating whether a cluster is free, bad, or part of a file chain. The directory entry points to the first cluster, and the FAT provides the chain.

153 · MCQ · hard

An investigator recovers a file from unallocated space on an NTFS drive using file carving. The file appears to contain alternate data streams (ADS). Which tool can be used to list all ADS associated with a file on a live Windows system?

A. dir /r
B. ls -la
C. attrib
D. fsutil
Answer: A

dir /r lists all streams including ADS.

Why this answer

The `dir /r` command in Windows displays alternate data streams. `streams.exe` from Sysinternals is also commonly used, but among the options, `dir /r` is the native method.

154 · MCQ · medium

An analyst is investigating a Linux server running ext4 and needs to recover deleted files that may have been overwritten partially. Which technique is BEST suited for recovering fragments of known file types when the inode metadata is lost?

A. Perform file carving using 'foremost' with custom signatures
B. Use 'dd' to extract the partition and then 'grep' for strings
C. Manually reconstruct the inode table using 'debugfs'
D. Use 'extundelete' to recover files from the journal
Answer: A

File carving does not need metadata; it scans raw data for file signatures.

Why this answer

File carving recovers files based on headers and footers without relying on file system metadata. Foremost and PhotoRec are common carving tools. Inode recovery fails if metadata is overwritten.

155 · MCQ · hard

An analyst is examining an NTFS volume and finds that a file's $MFT record indicates it is resident. What does this imply about the file's data?

A. The file is compressed and stored across multiple clusters
B. The file uses alternate data streams to hide data
C. The file's data is stored within the $MFT record itself, suitable for small files
D. The file is a directory junction point
Answer: C

Why this answer

Resident files have their data stored directly in the $MFT record, typically for files smaller than about 900 bytes.

156 · Multi-Select · medium

Which TWO of the following are valid methods for hiding data on an NTFS volume without using third-party tools? (Select 2)

Select 2 answers
A. Creating a symbolic link to a hidden file
B. Encrypting the file with EFS
C. Slack space (file slack or volume slack)
D. Alternate Data Streams (ADS)
E. Using the $Recycle.bin folder
Answers: C, D

Slack space can be used to hide data without affecting the file's apparent size.

Why this answer

Alternate Data Streams (ADS) and slack space are native NTFS features that can be used to conceal data.

157 · MCQ · hard

During a forensic examination of an NTFS drive, an analyst runs 'fsutil usn readjournal C:' and observes a large number of USN journal entries for a specific file after a certain date. The file's $MFT record shows a last modified timestamp far earlier than the journal entries. What does this discrepancy suggest?

A. The file's metadata was modified without changing its content, possibly using timestomping or ADS manipulation
B. The file is a system file that is excluded from USN journaling
C. The file system is corrupted and the MFT is not updating correctly
D. The file was accessed via a mounted volume shadow copy, which does not update MFT
Answer: A

USN journal records metadata changes; if timestamps are not updated, it suggests intentional manipulation.

Why this answer

The USN journal records changes to files. If the journal shows many entries after the last modified timestamp, it indicates that the file was accessed or modified in ways that did not update the $MFT timestamps (e.g., via alternate data streams, timestomping, or changes to metadata). This could be evidence of anti-forensics.

158 · MCQ · medium

A forensic investigator is analyzing a Linux ext4 file system. They suspect a file was deleted but its inode may still be intact. Which tool can be used to recover the file by referencing the inode?

A. dd
B. scalpel
C. foremost
D. debugfs
Answer: D

debugfs can be used to inspect and recover files from ext file systems by inode.

Why this answer

The 'debugfs' tool can access ext2/3/4 file systems directly and recover files from inodes. 'extundelete' also works, but debugfs is more versatile.

159 · Multi-Select · hard

Which THREE of the following are challenges specific to forensic analysis of solid-state drives (SSDs) compared to traditional hard disk drives (HDDs)? (Select three.)

Select 3 answers
A. The TRIM command can permanently erase deleted data
B. SSDs have higher latency for read operations
C. Wear leveling algorithms move data unpredictably
D. Built-in hardware encryption may prevent data access
E. Bad block remapping is more frequent on SSDs
Answers: A, C, D

Correct. TRIM can make recovery impossible.

Why this answer

TRIM causes deleted data to be erased. Wear leveling moves data and complicates recovery. Encryption (e.g., built-in) can lock access.

Bad block remapping is common in HDDs too. Fragmentation is less relevant.

160 · MCQ · hard

An investigator notes that a file on an NTFS volume has a resident data size of 900 bytes, but the $DATA attribute lists an allocated size of 1024 bytes. What does this indicate?

A. The file is compressed using NTFS compression
B. The file has slack space that may contain remnants of previously deleted data
C. The file's data is stored in the MFT as a resident attribute
D. The file is stored in an alternate data stream
Answer: B

The difference is slack space, which could contain old data.

Why this answer

The difference between actual data size and allocated size is slack space. The file was allocated a cluster of 1024 bytes, but only 900 bytes are used, leaving 124 bytes of slack space that could contain residual data.

161 · MCQ · medium

During an investigation of a compromised system, the analyst discovers that the suspect used steganography to hide data within image files. Which forensic tool is BEST suited for detecting hidden data in images through statistical analysis?

A. Binwalk
B. Wireshark
C. Foremost
D. Stegdetect
Answer: D

Stegdetect performs statistical analysis to detect steganography in JPEG images.

Why this answer

Stegdetect is a tool that uses statistical analysis to detect steganography in JPEG images. Autopsy has steganography detection modules but Stegdetect is specialized.

162 · MCQ · medium

A forensic analyst is examining an SSD that may have had deleted files. The analyst is concerned about the TRIM command. What effect does TRIM have on forensic recovery of deleted files?

A. TRIM increases the chance of recovering deleted files
B. TRIM causes wear leveling that spreads data across blocks, aiding recovery
C. TRIM invalidates deleted data blocks, making them unreadable and unrecoverable
D. TRIM has no effect on forensic analysis
Answer: C

TRIM immediately erases blocks, reducing forensic recovery potential.

Why this answer

TRIM allows the SSD to erase data blocks immediately after deletion, making recovery nearly impossible because the data is actually zeroed out.

163 · MCQ · medium

In a memory forensics investigation using Volatility, an analyst wants to see a list of processes that were active at the time of acquisition, including hidden processes. Which Volatility command should be used?

A. pslist
B. pstree
C. netscan
D. psscan
Answer: D

psscan uses pool tag scanning to find processes, including hidden ones.

Why this answer

The `pslist` command lists processes from the doubly linked list, but `psscan` uses pool scanning to find processes, including hidden ones.

164 · MCQ · easy

Which of the following partition table types uses a protective MBR and a GPT header, and is recommended for disks larger than 2 TB?

A. MBR
B. Dynamic disk
C. GPT
D. APM (Apple Partition Map)
Answer: C

GPT supports large disks and uses protective MBR.

Why this answer

GPT (GUID Partition Table) uses a protective MBR for compatibility and supports disks larger than 2 TB. MBR is limited to 2 TB.

165 · MCQ · easy

During a forensic investigation, an analyst examines a hard disk and notices that the partition table uses a 64-bit scheme with a maximum of 128 partitions. Which partition table type is in use?

A. MBR
B. LDM
C. APM
D. GPT
Answer: D

GPT uses a 64-bit scheme and supports up to 128 partitions.

Why this answer

GPT (GUID Partition Table) uses a 64-bit scheme and supports up to 128 partitions by default. MBR uses 32-bit and supports only 4 primary partitions.

166 · MCQ · easy

In FAT32, the File Allocation Table (FAT) is used to track which clusters are allocated to files. If a file is deleted, what happens to the FAT entries for that file?

A. The FAT entries are encrypted
B. The FAT entries are preserved intact
C. The FAT entries are overwritten with zeros
D. The FAT entries are moved to a journal
Answer: C

FAT entries are set to 0 (free).

Why this answer

When a file is deleted in FAT32, the directory entry is marked as deleted (first byte set to 0xE5) and the FAT entries are set to 0, marking clusters as free.

167 · MCQ · hard

An investigator acquires an SSD from a laptop that has been turned off for 24 hours. The suspect recently deleted several incriminating files. Using a forensic imager, the investigator creates a bit-for-bit copy. However, when analyzing the image, the deleted files' data appears to be zeros. What is the MOST likely cause?

A. The files were stored in the paging file, which is volatile
B. The SSD controller performed wear leveling, moving data to unallocated blocks
C. The imaging tool incorrectly interpreted the data due to encryption
D. The TRIM command was issued, causing the SSD to erase the freed blocks
Answer: D

Correct. TRIM can cause permanent loss of deleted data on SSDs.

Why this answer

Many SSDs implement TRIM, which instructs the controller to erase blocks that are no longer in use. If the OS issued TRIM commands before shutdown, the deleted data may have been physically erased.

168 · MCQ · medium

A security analyst receives an image of a hard drive with a GPT partition table. Which of the following is a key difference between GPT and MBR that the analyst should consider?

A. GPT stores partition information only in the first sector of the disk
B. GPT uses a protective MBR to prevent legacy tools from misinterpreting the disk
C. GPT supports up to 4 primary partitions; MBR supports up to 128
D. MBR uses a GUID partition table; GPT uses a simple table at sector 0
Answer: B

Why this answer

GPT includes a protective MBR (Legacy MBR) at sector 0 to prevent older disk utilities from overwriting the GPT data.

169 · MCQ · hard

A forensic analyst is examining a RAID 5 array consisting of three disks. One disk has failed and has been replaced. The array is rebuilt automatically. However, the analyst needs to recover deleted files that existed before the rebuild. What is the MOST significant challenge in this scenario?

A. File carving techniques do not work on RAID volumes
B. The rebuild process may overwrite data in slack space and previously unallocated clusters
C. The file system becomes corrupted after rebuild
D. The RAID controller encrypts data, preventing direct disk access
Answer: B

Rebuilding RAID 5 writes new parity and data, overwriting free space and slack.

Why this answer

RAID rebuild writes parity and data across disks, potentially overwriting slack space and previously deleted file data. The rebuilt array may have altered the original data layout, complicating recovery.

170 · Multi-Select · medium

Which TWO of the following tools are commonly used for file carving during forensic investigations?

Select 2 answers
A. Sleuth Kit
B. WinPmem
C. Foremost
D. Volatility
E. PhotoRec
Answers: C, E

Foremost is a file carver.

Why this answer

Foremost and PhotoRec are popular file carving tools that recover files based on headers and footers.

171 · MCQ · medium

During a forensic examination of a Windows 10 system, an investigator runs the following command: 'fsutil usn readjournal C: > usn_output.txt'. What is the primary purpose of this action?

A. To recover deleted files from the Recycle Bin
B. To analyze the Update Sequence Number (USN) journal for file system activity
C. To check the integrity of the NTFS file system
D. To extract the Master File Table ($MFT) from the volume
Answer: B

The USN journal tracks changes; reading it helps identify file operations.

Why this answer

The USN journal records changes to files and directories. This command reads the journal, which can reveal file creation, deletion, and modification timestamps, even if the MFT entry is modified.

172 · MCQ · easy

An analyst is examining an Apple Mac system and needs to recover deleted files from an APFS volume. Which tool is most appropriate for this task?

A. Foremost
B. LiME
C. FTK Imager
D. Volatility
Answer: C

FTK Imager supports APFS and can recover deleted files.

Why this answer

APFS is the default file system on modern Macs. Tools like 'foremost' or 'photorec' can carve files from the raw device, but file-system-aware tools like 'apfs-fuse' or 'disk drill' are more appropriate. Among forensic suites, FTK and EnCase support APFS.
