Question

1. Types of volatile information that can be recovered during a live response are:

		Command history
		Process memory
		Cloud storage
		Jump lists
		Network connections

2. Mike informs you that he visited one website, then immediately thereafter was put onto an entirely different website. What HTTP response is most likely?

		500 HTTP Response
		100 HTTP Response
		300 HTTP Response
		400 HTTP Response

3. Android and iOS devices store app data in _________ format. This evidence can be viewed with the Firefox SQL Developer add-on.

4. Why are Property list (plist) important to a forensic examiner when analyzing a Mac device?

5. Identify the full path to the file that will display the deleted users of the Mac computer. What evidentiary value can be found there?

Answer 1

1.

• Process memory and network connections are the volatile information that can be captured.
• Network connections help in getting the information of the systems that are connected and the users that are connected to the network.
• Process memory also gives information that is shared between the two computers.

2.

• 300 HTTP response.
• The response sent by the HTTP when there is a redirection required because of the change in location of the website is the code that starts with 3.

3.

• These are generally in XML or DAT format and it uses SQLite format to save the data.

4.

• Plist is important as it contains the data that are related to the settings of the program. Each time, a program is run there is an update on the data stored for the program.
• Plist contain the information related to the settings that are used to run the program at login time, the most recently used programs and files, the network, SSID information in case the wireless network is used.
• So, all this information can be collected with the help of Plist.

Friend, this was a really nice question to answer. As per the Chegg policy, I am obliged to answer the first four questions. If you find my answer helpful, please like it. Thanks.