This file system type added journaling to ext2 to help with recovery.
What is ext3?
This command displays how long the system has been running since the last restart.
What is uptime?
A collection of command-line tools used to analyze disk images, including fsstat.
What is The Sleuth Kit (TSK)?
This log file, located at /var/log/auth.log, tracks user logins and sudo usage.
What is the Authentication Log?
This Apple file system uses an epoch timestamp that begins on January 1st, 1904.
What is HFS+?
This command is used in Linux to generate a report on the current status of disk quotas for a specific file system.
What is repquota?
This specific limit in disk quotas allows a user to temporarily exceed their space before a grace period expires.
What is a Soft Limit?
These two types of "areas" and "partitions" contain volatile data lost when power is cut.
What are Swap areas and Disk partitions?
Use this TSK command to list files and directories, including recently deleted ones.
What is fls?
This command with the -tulpn flag shows which PID is associated with an open port.
What is netstat?
This macOS feature creates a .store.db file containing metadata for every file on a partition.
What is Spotlight?
In Linux, this specific partition is used by the OS as virtual memory.
What is a Swap file/partition?
This mode allows a NIC to view all network packets; attackers use it to sniff traffic.
What is Promiscuous mode?
This command displays metadata for a specific file, such as MAC times, using its inode number.
What is istat?
This specific directory/file contains kernel initialization and error messages.
What is /var/log/kern.log?
This Apple epoch, used in Cocoa, begins on January 1st of this year.
What is 2001?
This command-line utility (ext2fsck) is used to find unallocated files and write data to lost+found.
What is e2fsck?
To view all Network Interface Controllers and their IP addresses, you use this "ip" command.
What is ip addr show?
This open-source framework is the industry standard for performing RAM dump/memory forensics.
What is Volatility?
To view the kernel IP routing table in numerical addresses, use netstat with these two flags.
What are -rn?
This Python-based tool is used to parse the Spotlight database into a CSV format.
What is spotlight_parser.py?
This type of quota limits the number of files a user can create, rather than the size of those files.
What is an Inode usage quota?
Volatile data collection is essential for constructing this "chronological" map of an incident.
What is a Timeline Analysis?
This tool, mentioned alongside Volatility, is often used for recovering files from memory dumps.
What is PhotoRec?
To find specific "sudo" entries within the authentication log, you would pipe cat into this command.
What is grep?
This specific hidden folder path (beginning with a dot) is where the Spotlight V100 Store is kept.
What is /.Spotlight-V100?