Term
Partitions 1–4 are primary partitions; partitions 5 and above are extended partitions.

Definition
When previewing a physical drive with FTK Imager, you observe 3 logical volumes numbered 1, 2 & 5. Explain the drive numbering system.


Term

Definition
True/False: FTK Imager includes write-blocking software.


Term
FAT (12/16/32)
NTFS (NTFS Compressed)
DVD (UDF)
CD (ISO/Joliet/CDFS)
Ext (2 & 3)
HFS / HFS+ / HFSX

Definition
Name six file systems that can be read by FTK Imager.


Term
Physical Drive
Logical Drive
Image File
Contents of a Folder

Definition
List the four types of evidence you can add to FTK Imager.


Term
.e01
.s01
.001
.ad1
.gho (non-compressed)
.iso / .cue
.tar
.zip
Safeback (before v3)
Snapback

Definition
Name five image formats that can be read by FTK Imager.


Term
Yes. Although the E01 file contains metadata about the image file, only the data is hashed, so the hash will still be the same as that of the original dd image.

Definition
If you convert a Raw (dd) image to an E01 image, will the hash values match? Explain.


Term

Definition
Name the three image file types that can use compression.


Term
Application Administrator
Case Administrator
Case Reviewer

Definition
What are the three types of user accounts in FTK 2?


Term
Create users
Assign rights to cases
Create cases
Add or remove evidence
Use the KFF Manager
Run Additional Analysis
Decrypt files
Use Disk Viewer
Flag items as Ignorable or Privileged
Manually data carve
Generate reports
Create, duplicate, delete, import, or export filters
Modify preferences
Run Other Applications > Imager, PRTK, and Registry Viewer

Definition
Case Reviewers can review cases but do not have the rights to:


Term

Definition
Name the two ways FTK2 and the KFF identify files.


Term
Files are identified by their header.
Zip files are located in File Category > Archives.
AVI or MPEG files are located in File Category > Multimedia > Video.
Registry files are located in File Category > OS/File System Files > Windows NT Registry.

Definition
All case items are listed in only one of the File Category containers. How does FTK2 determine file category? In which container would you find Zip files? AVI or MPEG files? Registry files?


Term
Email Tab
Explore Tab
Overview Tab > File Category > Graphics > Raster Graphics > JPEG
Overview Tab > File Status > From Email
Graphics Tab

Definition
A .jpg graphic is attached to an email message. In which FTK2 tabs and containers would you find this file?


Term
The examiner can see all of the files in the case, or simultaneously see the contents and descendants of all selected folders in the file list, by clicking the QuickPick arrow.

Definition
In the Explore Tab, how do you view all case files, or selected directories and their sub-directories?


Term
Highlighted Items
Checked Items
All Currently Listed Items

Definition
Name three target items in FTK2.


Term
Index Search
Export Word List

Definition
What are the benefits of using the FTK2 dtSearch® Index?


Term
Acquired Image(s)
All Images in Directory
Contents of a Directory
Individual File(s)
Physical Drive
Logical Drive
Mobile Phones

Definition
List seven types of evidence that can be added to FTK 2.


Term
Hashing (MD5/SHA1/SHA256)
Fuzzy Hash
dtSearch® Index
Flag Duplicates
KFF Lookup
Decrypt EFS Files
Flag Bad Extensions
Data Carving and Meta Carving
Expand Compound Files
Generate Thumbnails for Graphics
Generate File Listing (HTML)

Definition
List three Additional Analysis tools.


Term

Definition
What are the four types of views in the File Content pane?


Term
File Items
File Extension
File Category
File Status
Bookmarks

Definition
In the Overview tab, the Case Overview is broken down into five primary containers. What are they?


Term
The examiner can add panes to, or remove panes from, the current view by clicking View > Tab Layout > Add (or Remove). The new tab takes the currently selected pane as its default.

Definition
How can an examiner create or remove custom tabs?


Term
Rename the bookmark
Enter a comment for the bookmark
Enter a comment for the individual bookmarked items
Add a supplementary file
Select a section of text in the bookmarked item
Add a comment to the selection

Definition
In the Bookmark tab, what information can the examiner add, remove, or modify for bookmarked files?


Term
Copy Special – allows the examiner to copy specific properties of an item, such as dates and times, to a file or to create a hash set.
Export File List – writes the desired exported information directly to a file instead of to the Windows Clipboard.

Definition
Define Export File List and Copy Special.


Term
Marking files as privileged prevents them from being viewed by a user with Case Reviewer status. Only a Case Administrator or Application Administrator will see files with the privileged flag.

Definition
What is the purpose of marking files as privileged?


Term
Case Information
Bookmarks
Graphics
File Paths
File Properties
Registry Selections

Definition
List the windows that make up the FTK2 Report Options.


Term
Data Carving looks through unallocated space and other locations for file headers and recovers files that are no longer referenced in the FAT or $MFT.
Meta Carving looks for entries from the FAT (. and ..) and the $MFT which no longer exist in those areas and recovers them if possible.

Definition
What is the difference between the Data Carve and Meta Carve functions?


Term

Definition
In what two forms can an email message be exported?
