Chapter 3 - 2443
What are two concerns when acquiring data from a RAID server?
1) Amount of data storage needed 2) The type of RAID
List two features common with proprietary format acquisition files.
1. Can compress or not compress the acquisition data 2. Can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD 3. Case metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files.
Name the three formats for digital forensics data acquisition.
1. Raw format 2. Proprietary formats 3. Advanced Forensic Format (AFF)
What's the maximum file size when writing data to a FAT32 drive?
2 GB (a limitation of FAT file systems)
How does ProDiscover Incident Response encrypt the connection between the examiner's and suspect's computers?
256-bit AES or Twofish encryption, and it encrypts the password on the suspect's computer
What is a hashing algorithm?
A utility designed to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or an entire disk.
When you perform an acquisition at a remote location, what should you consider to prepare for this task?
Determining whether there's sufficient electrical power and lighting, and checking the temperature and humidity at the location.
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.
EnCase, SafeBack, and SnapCopy
Which forensics tools can connect to a suspect's remote computer and run surreptitiously?
EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response
Of all the proprietary formats, which one is the unofficial standard?
Expert Witness, used by Guidance Software's EnCase
In the Linux dcfldd command, which three options are used for validating data?
hash=, hashlog=, and vf=
With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB drive, containing evidence?
Newer Linux distributions mount the USB drive automatically, which could alter data on it.
What does a logical acquisition collect for an investigation?
Only specific files of interest to the case.
What's the ProDiscover remote access utility?
PDServer
What is the main goal of a static acquisition?
Preservation of digital evidence
What should you consider when determining which data acquisition method to use?
Size of the source drive, whether the source drive will be retained as evidence, how long the acquisition will take, and where the disk evidence is located.
What does a sparse acquisition collect for an investigation?
Specific files of interest to the case as well as arrangements of unallocated (deleted) data.
Why is it a good practice to make two images of a suspect drive in a critical investigation?
To ensure at least one good copy of the data in case of any failures.
EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?
True
FTK Imager can acquire data in a drive's host protected area. True or False?
True
What's the most critical aspect of digital evidence?
Validation of digital evidence
In a Linux shell, the fdisk -l command lists the suspect's drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1
Wrong. This command reads image_file.img and writes it to the evidence drive's /dev/hda1 partition. The correct command is dcfldd if=/dev/hda1 of=image_file.img.
With remote acquisitions, what problems should you be aware of? (Choose all that apply.) a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs d. The password of the remote computer's user
d. All of the above
What are two advantages and disadvantages of the raw format?
• Advantages: faster data transfer speeds, ignores minor data errors, and most forensics tools can read it • Disadvantages: requires equal or greater target disk space, does not contain hash values in the raw file (metadata), might have to run a separate hash program to validate raw-format data, and might not collect marginal (bad) blocks.