Verified Answers
Plaso's pinfo command (choose all that apply):
Is a command-line interface (CLI) tool.
Filters, sorts and conducts analysis on the plaso database file.
Extracts and processes events in a single step.
Displays information about the plaso database file.
Exports file content from a device, media image, or forensic image. - ✔✔a, d
The regular expression CO*IS will return (instances separated by spaces):
SIOC ISOC SICO COSI
CIS COIS COOIS COOOIS
IS COIS COCOIS COCOCOIS
COAIS COBIS COCIS CODIS
CO IS COI OIS - ✔✔b
Timeline analysis:
Places the artefact within the context of user and system activity.
Requires an accurate stopwatch.
Is independent of the context of user and system activity.
Is an unimportant component of digital forensic investigations.
Is best used when you are looking to exonerate the suspect. - ✔✔a
MAC times refer to:
Modified, accessed and created times that are records created by the filesystem as files are created, edited, or accessed.
Times found on an Apple device.
Modified, accessed and created times that are records created by the operating system as files are created, edited, or accessed.
Modified, accessed and corrupted times that are records created by the filesystem as files are created, edited, or accessed.
Made, accessed and created times that are records created by the operating system as files are created, edited, or accessed. - ✔✔a
Brian Carrier's progression of media analysis, in order, is:
Disk, volume, filesystem, data unit, metadata.
Filesystem, volume, disk, data unit, metadata.
Disk, volume, data unit, filesystem, metadata.
Filesystem, disk, volume, data unit, metadata.
Disk, volume, data unit, metadata, filesystem. - ✔✔a
Bad blocks, sectors, or clusters are (choose all that apply):
The same as unallocated space.
Unavailable to forensic examination.
The space on a disk that has been marked as bad by the filesystem because of a defect.