Chapter 06: Current Digital Forensics Tools
Many password recovery tools have a feature for generating potential password lists for which type of attack?
Password dictionary
A bit-for-bit copy of a data file, a disk partition, or an entire drive
Raw data
What type of disk is commonly used with Sun Solaris systems?
SPARC
Which digital forensics tool is categorized as a single-purpose hardware component?
Tableau T35es-R2 SATA/IDE eSATA bridge
Describe some of the problems you may encounter if you decide to build your own forensics workstation.
To decide whether you want to build your own workstation, first ask "How much do I have to spend?" Building a forensic workstation isn't as difficult as it sounds but can quickly become expensive if you aren't careful. If you have the time and skill to build your own forensic workstation, you can customize it to your needs and save money, although you might have trouble finding support for problems that develop. For example, peripheral devices might conflict with one another, or components might fail. If you build your own forensic workstation, you should be able to support the hardware. You also need to identify what you intend to analyze. If you're analyzing SPARC disks from workstations in a company network, for example, you need to include a SPARC drive with a write-protector on your forensic workstation.
To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
True
When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.
True
Devices used to prevent data from being written to a disk can connect to a computer through FireWire, SATA, PATA, and SCSI controllers as well as which other type of controller?
USB 2.0 and 3.0
What is the general term for software or hardware that is used to protect evidence disks by preventing data from being written to them?
Write-blockers
What Linux command is used to create the raw data format?
dd
In Windows 2000 and later, which command shows you the file owner if you have multiple users on the system or network?
dir
Building your own forensics workstation:
requires the time and skills necessary to support the chosen hardware.
Explain the difference between repeatable results and reproducible results.
"Repeatable results" means that if you work in the same lab on the same machine, you generate the same results. "Reproducible results" means that if you're in a different lab and working on a different machine, the tool still retrieves the same information.
Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format?
A disk editor
What do you call a forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation?
A portable workstation
What must be created to complete a forensic disk analysis and examination?
A report
What are the five major function categories of any digital forensics tool?
All digital forensic tools, both hardware and software, perform specific functions. These functions are grouped into five major categories, each with subfunctions for refining data analysis and recovery and ensuring data quality: Acquisition Validation and discrimination Extraction Reconstruction Reporting
Where do software forensics tools copy data from a suspect's disk drive?
An image file
Which NIST project manages research on forensics tools?
CFTT
Which type of copy from the suspect disk to the target location does the simplest method of duplicating a disk drive make?
Disk-to-image
A standard indicator for graphics files
FF D8
Because there are a number of different versions of UNIX and Linux, these OSs are referred to as CLI platforms.
False
Hardware manufacturers have designed most computer components to last about 36 months between failures.
False
In software acquisition, there are three types of data-copying methods.
False
The validation function is the most challenging of all tasks for computer investigators to master.
False
Which activity involves sorting and searching through investigation findings to separate good data and suspicious data?
Filtering
Explain the advantages and disadvantages of GUI forensics tools.
GUI tools have several advantages, such as ease of use, the capability to perform multiple tasks, and no requirement to learn older OSs. Their disadvantages range from excessive resource requirements (such as needing large amounts of RAM) and producing inconsistent results because of the type of OS used. Another concern with using GUI tools is that they create investigators' dependence on using only one tool. In some situations, GUI tools don't work and a command-line tool is required.
The first MS-DOS tools that analyzed and extracted data from floppy disks and hard disks were used with which type of PC file systems?
IBM
States that Digital Evidence First Responders (DEFRs) should use validated tools
ISO 27037
Which standards document demands accuracy for all aspects of the testing process?
ISO 5725
Illustrate the use of a write-blocker on a Windows environment.
In the Windows environment, when a write-blocker is installed on an attached disk drive, the drive appears as any other attached disk. You can navigate to the blocked drive with any Windows application, such as File Explorer, to view files or use Word to read files. When you copy data to the blocked drive or write updates to a file with Word, Windows shows that the data copy is successful. However, the write-blocker actually discards the written data—in other words, data is written to null. When you restart the workstation and examine the blocked disk, you won't see the data or files you copied to it previously.
Usually a laptop computer built into a carrying case with a small selection of peripheral options
Lightweight workstation
Which tool enables the investigator to acquire the forensic image and process it in the same step?
Magnet AXIOM
Which entity publishes articles, provides tools, and creates procedures for testing and validating computer forensics software?
NIST
Briefly explain the NIST general approach for testing computer forensics tools.
NIST has created criteria for testing computer forensics tools, which are included in the article "General Test Methodology for Computer Forensic Tools" (version 1.9, November 7, 2001), available at www.cftt.nist.gov/testdocs.html. This article addresses the lack of specifications for what forensics tools should do and the importance of tools meeting judicial scrutiny. The criteria are based on standard testing methods and ISO 17025 criteria for testing when no current standards are available.
One of the first MS-DOS tools used for digital investigations
Norton DiskEdit
What are some of the advantages of using command-line forensics tools?
One advantage of using command-line tools for an investigation is that they require few system resources because they're designed to run in minimal configurations. In fact, most tools fit on bootable media (USB drives, CDs, and DVDs). Conducting an initial inquiry or a complete investigation with bootable media can save time and effort. Most tools also produce a text report that fits on a USB drive or other removable media.
Software-enabled write-blocker
PDBlock
System file where passwords may have been written temporarily
Pagefile.sys
What is the primary hash algorithm used by the NIST project created to collect all known hash values for commercial software and OS files?
SHA-1
Command-line disk acquisition tool from New Technologies, Inc.
SafeBack
European term for carving
Salvaging
A tower with several bays and many peripheral devices
Stationary workstation
Briefly explain the purpose of the NIST NSRL project.
The purpose of the NSRL project is to reduce the number of known files, such as OS or program files, included in a forensics examination of a drive, so that only unknown files are left. You can also use the RDS to locate and identify known bad files, such as illegal images and malware, on a suspect drive.
After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
True
Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file's contents.
True
Computers used several OSs before Windows and MS-DOS dominated the market.
True
Software forensic tools are grouped into command-line applications and GUI applications.
True
Explain the validation of evidence data process.
Validation and verification functions work hand in hand. Validation is a way to confirm that a tool is functioning as intended, and verification proves that two sets of data are identical by calculating hash values or using another similar method. How data hashing is used depends on the investigation, but using a hashing algorithm on the entire suspect drive and all its files is a standard practice. This method produces a unique hexadecimal value for ensuring that the original data hasn't changed and copies are of the same unchanged data or image.
Illustrate how to consider hardware needs when planning your lab budget.
You should plan your hardware needs carefully, especially if you have budget limitations. Include in your planning the amount of time you expect the forensic workstation to be running, how often you expect hardware failures, consultant and vendor fees to support the hardware, and how often to anticipate replacing forensic workstations. The longer you expect the forensic workstation to be running, the more you need to anticipate physical equipment failure and the expense of replacement equipment.
