In a forensic ISO image, which artifact is most likely to indicate the source medium type?

Multiple Choice

Explanation:
In an ISO 9660 image, the metadata stored in the volume descriptors describes the disc as it was created, including information about the medium. The disc descriptor within the ISO 9660 volume descriptor directly encodes the type of medium (for example, CD-ROM, CD-R, DVD-ROM) and related characteristics. This makes it the most reliable artifact for inferring the source medium type when analyzing the image, because it is specifically designed to capture the nature of the physical disc that was used.

Other artifacts don’t serve this purpose as directly. NTFS file creation times pertain to a Windows file system and may not even be present in a standard ISO 9660 image. The Master Boot Record on the host disk is outside the ISO image itself, so it won’t reveal the image’s source medium. Slack space on a FAT32 partition relates to a particular partition’s unused space and isn’t indicative of the medium that produced the ISO.