3-Guide to Computer Forensics and Investigations

¡Supera tus tareas y exámenes ahora con Quizwiz!

What's the maximum file size when writing data to a FAT32 drive?

2 GB (a limitation of FAT file systems)

Image files can be reduced by as much as __________ % of the original when using lossless compression.

50%

What are two advantages and disadvantages of the raw format?

Advantages: faster data transfer speeds, ignores minor data errors, and most forensics analysis tools can read it. Disadvantages: requires equal or greater target disk space, doesn't contain hash values in the raw file (metadata), might have to run a separate has program to validate raw format data, and might not collect marginal (bad) blocks.

What are two concerns when acquiring data from a RAID server?

Amount of data storage needed, type of RAID server (0,1,5 and so on), whether the acquisition tool can handle RAID acquisitions, whether the acquisition tool can handle RAID data, and whether the analysis tool can split RAID data into separate disk drives, making it easier to distribute large data sets.

List two features common with proprietary format acquisition files.

Can compress or not compress the acquisition data Can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD Case Metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files

What are some features offered by proprietary data acquisition formats?

Can compress or not compress the acquisition data Can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD Case Metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files

What are some of the design goals of AFF?

Capable of producing compressed or uncompressed image files No size restriction for disk-to-image files Space in the image file or segmented files for metadata simple design with extensibility Open source for multiple computing platforms and OSs Internal consistency checks for self-authentication

What are the considerations you should have when deciding what data-acquisition method to use on your investigation?

Considerations you should have are the following: the size of the source (suspect) disk whether you can retain the source disk as evidence or must return it to the owner How much time you have to perform the acquisition And where the evidence is located

Older Microsoft disk compression tools, such as DoubleSpace or ______________, eliminate only slack disk space between files.

DriveSpace

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.

EnCase SafeBack SnapCopy

Which forensics tools can connect to a suspect's remote computer and run surreptitiously?

EnCase Enterprise and ProDiscover Incident Response

Of all the proprietary formats, which one is the unofficial standard?

Expert Witness, used by Guidance Software EnCase

FTK Imager can acquire data in a drive's host protected area. True or False?

False

If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available. (T/F)

False

Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics. (T/F)

False

Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume. (T/F)

False

Briefly describe ILookIX IXImager.

It is a stand-alone proprietary format acquisition tool designed to work only with ILookIX. It can acquire single drives and RAID drives. IT supports IDE, (PATA), SCSI, USB and FireWire devices. The IXImager proprietary format can be converted to a raw format if other analysis tools are used.

Explain the use of hash algorithms to verify the integrity of lossless compressed data.

It is designed to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or disk drive. This unique number is referred to as "digital fingerprint" if you alter one thin in the file no matter how big or small it produces a different hash value

Linux ISO images that can be burned to a CD or DVD are referred to as __________.

Linux Live CDs

Autopsy uses ___________ to validate an image.

MD5

With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?

Newer Linux distros automatically mount the USB device, which could alter data on it.

What's the main goal of a static acquisition?

Preservation of digital evidence

In _______________, two or more disk drives become one large volume, so the computer views the disks as a single disk.

RAID 0

For Windows XP, 2000, and NT servers and workstations, RAID 0 or ___________ is available.

RAID 1

_______________, or mirrored striping, is a combination of RAID 1 and RAID 0.

RAID 10

____________, or mirrored striping with parity, is a combination of RAID 1 and RAID 5.

RAID 15

Name the three formats for digital forensics data acquisitions.

Raw format Proprietary formats Advanced Forensic Format (AFF)

If your time is limited, consider using a logical acquisition or ______________ acquisition data copy method.

Sparse

What are the requirements for acquiring data on a suspect computer using Linux?

To perform a data acquisition on a suspect computer, al you need are the following: a forensics Linux Live CD A USB, FireWire, or SATA external drive with cables Knowledge of how to alter the suspect computer's BIOS to boot from the Linux Live CD Knowledge of which shell commands to use for the data acquisition

A separate manual validation is recommended for all raw acquisitions at the time of analysis. (T/F)

True

Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized. (T/F)

True

EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?

True

FTK Imager requires that you use a device such as a USB dongle for licensing. (T/F)

True

In Autopsy and many other forensics tools raw format image files don't contain metadata. (T/F)

True

Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive. (T/F)

True

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file. (T/F)

True

There's no simple method for getting an image of a RAID server's disks. (T/F)

True

In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1

Wrong. The command reads the image_file.img file and writes it to the evidence drive's /dev/hda1 partition. The correct command is dcfldd if=/dev/hda1 of=image_file.img.

What's a hashing algorithm?

a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk

With remote acquisitions, what problems should you be aware of? a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs d. All of the above e. the password of the remote computer's user

a. data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs

The _________ command, works similiarly to the dd command but has many featured designed for computer forensics acquisitions.

dcfldd

The _________ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.

dd

When you perform an acquisition at a remote location, what should you consider to prepare for this task?

determine whether there's enough electrical power and lighting and check the temperature and humidity at the location

The most common and flexible data-acquisition method is _________.

disk-to-image file

What are the advantages and disadvantages of using raw data acquisition format?

faster data transfer speeds, ignores minor data errors, and most forensics analysis tools can read it. Disadvantages: requires equal or greater target disk space, doesn't contain hash values in the raw file (metadata), might have to run a separate has program to validate raw format data, and might not collect marginal (bad) blocks.

What does a sparse acquisition collect for an investigation?

fragments of unallocated data in addition to the logical allocated data

You use the ________ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512.

hash

In the Linux dcfldd command, which three options are used for validating data?

hash hashlog vf

Explain the sparse data copy method for acquiring digital evidence.

is similar but also collects fragments of unallocated (deleted) data; use this method only when you don't need to examine the entire drive.

If the computer has an encrypted drive, a ________ acquisition is done if he password or passphrase is available.

live

Most remote acquisitions have to be done as _______ acquisitions.

live

The ___________ command displays pages from the online help manual for information on Linux commands and their options.

man

What does a logical acquisition collect for an investigation?

only specific files of interest to the case

One major disadvantage of _________ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.

proprietary

Current distributions of Linux include two hashing algorithm utilities: md5sum and ________.

sha1sum

What should you consider when determining which data acquisition method to use?

size of the source drive, whether the source drive is retained as evidence, how long the acquisition will take, and where the disk evidence is located

Typically, a(n) __________ acquisition is done on a computer seized during a police raid, for example.

static

Why is it good practice to make two images of a suspect drive in a critical investigation?

to ensure at least one good copy of the forensically collected data in case of any failures

What's the most critical aspect of digital evidence?

validation

Microsoft has added ____________ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.

whole disk encryption


Conjuntos de estudio relacionados

Chemical Equations & Reactions - chpt 8

View Set

How monetary policy works and tools used

View Set

ABI 103 Notes + clickers + discussions

View Set

Accounting Changes and Error Corrections

View Set

Ch 48 Intestinal & Rectal Disorders

View Set

Chapter 18: Society and Politics in the Gilded Age, 1865-1900

View Set

Personal Financial Literacy - Chapter 12

View Set

Contraindication for Postural Drainage

View Set