Computer Hacking Forensic Investigator (CHFI v10) — Question 391

A Computer Hacking Forensic Investigator (CHFI) is examining a compromised Macintosh computer. The system was found to be missing the pre-linked kernel at /System/Library/Caches/com.apple.kernelcaches. What is the next step that the Macintosh boot process will take to load the operating system in such a scenario?

Answer options

• A. The boot loader will attempt to load the mkext cache file containing a set of device drivers
• B. The system will initialize the I/O kit and link the loaded drivers to the kernel
• C. The boot loader will pass control to BootX (PowerPC) or boot.efi (Intel)
• D. The boot loader will search for drivers in the/System/Library/Extensions directory

Correct answer: A

Explanation

The correct answer is A because when the pre-linked kernel is missing, the boot loader's next action is to load the mkext cache file, which includes necessary device drivers. Options B, C, and D are incorrect as they pertain to different stages or conditions of the boot process that do not directly follow the absence of the pre-linked kernel.