Computer Forensics - Chapter 3 Review Questions


What are some concerns when acquiring data from a RAID server?

1) amount of data storage needed. 2) the type of RAID server (0, 1, 5, etc.) 3) whether your acquisition tool can handle RAID acquisitions. 4) whether your analysis tool can handle RAID data 5) whether your analysis tool can split RAID data into separate drives

What's the maximum file size when writing data to a FAT32 drive?

4 GB (2^32 - 1 bytes, since FAT32 stores file sizes in a 32-bit field). Some answer keys give 2 GB; that figure is wrong for FAT32. In practice, when you image to a FAT32-formatted target you must split the image into segments smaller than this limit.

What is a hashing algorithm?

A mathematical function (implemented in a program or tool) that reduces a data set, file, or entire disk to a fixed-length binary or hexadecimal value, the hash or digest, that uniquely represents that data; any change to the data produces a different digest, so matching digests are used to prove an image is identical to its source.

With remote acquisitions, what problems should you be aware of?

Data transfer speeds, Access permissions over the network, Antivirus, antispyware, and firewall programs

Which computer forensics tools can connect to a suspect's remote computer and run surreptitiously?

EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response

Name commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.

EnCase, SafeBack, and SnapCopy.

Of all the proprietary formats, which one is the unofficial standard?

Expert Witness Format (EWF, the EnCase .E01 format)

True or False: FTK Imager can acquire data in a drive's host protected area.

False

In a Linux shell the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1

No. The if= (input) and of= (output) arguments are reversed: as written, the command would write the image file over the suspect drive and destroy the evidence. The correct command is dcfldd if=/dev/hda1 of=image_file.img.

What are two advantages of the raw format?

Fast data transfers, the ability to ignore minor read errors on the source drive, and readability by most forensic analysis tools.

With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB drive, containing evidence?

Newer Linux distributions automatically mount the USB device, which could alter data on it (mounting a journaling file system read-write, for example, can replay its journal and update its superblock). Disable automounting or use a write-blocker before connecting evidence media.

Name the three formats for computer forensics data acquisitions

Raw format, proprietary formats, and Advanced Forensic Format (AFF)

What are two disadvantages of the raw format?

It requires as much storage as the original disk or data set, and freeware versions might have a low threshold of retry reads on weak media spots on a drive.

List two features common with proprietary format acquisition files.

The option to compress or not compress image files. The capability to split an image into smaller segmented files for archiving purposes. The capability to integrate metadata into the image file.

True or False: EnCase, FTK, SMART, and ILook treat an image file as though it were the original disk.

True

When you perform an acquisition at a remote location, what would you consider to prepare for this task?

determining whether there's sufficient electrical power and lighting and checking the temperature and humidity at the location

What does a sparse acquisition collect for an investigation?

fragments of unallocated data in addition to the logical allocated data

Which three dcfldd options are used for validating data?

hash= (selects the algorithm, e.g. md5, sha1, sha256), hashlog= (writes the computed digest to a file instead of stderr), and vf= (verifies that the named file matches the input)
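The hashing, dcfldd and segmented-image answers above describe one workflow: hash the source while copying it, record the digest, and verify the image against it. The following is an added example written for this page (it is not the textbook's or any forensic tool's code) that imitates dcfldd's hash=, hashlog= and vf= behaviour in Python on a constructed in-memory "drive"; the sector size, file names and the direction_ok guard are assumptions, not dcfldd features.

```python
"""Raw (dd-style) acquisition with hash validation and segmented output.

Added example, not the textbook's or any forensic tool's own code. It imitates
what dcfldd does with hash=, hashlog= and vf=: hash the source while copying,
record the digest in a log, and later verify the image against that digest.
The "suspect drive" is a constructed bytes object, not a real device.
"""
import hashlib
import io
import tempfile
from pathlib import Path
from typing import Optional

SECTOR = 512  # assumed sector size for the constructed source
# Constructed 20-sector "drive" standing in for /dev/hda1.
DRIVE = bytes((i * 7) & 0xFF for i in range(20 * SECTOR))


def direction_ok(if_path: str, of_path: str) -> bool:
    """Sanity check for the if=/of= order: the reversed command in the review
    question (if=image_file.img of=/dev/...) would overwrite the suspect drive,
    so never accept a device node as the output. (Assumed guard, not a dcfldd option.)"""
    return not of_path.startswith("/dev/")


def reference_hash(data: bytes, algo: str = "sha256") -> str:
    """Digest of an in-memory byte string, used to cross-check an acquisition."""
    return hashlib.new(algo, data).hexdigest()


def acquire(source: io.BufferedIOBase, image_dir: Path, stem: str,
            segment_size: int, algo: str = "sha256") -> dict:
    """Copy the source sector by sector into numbered segments (stem.001,
    stem.002, ...) and hash the source bytes as they are read (hash=)."""
    if segment_size % SECTOR:
        raise ValueError("segment size must be a whole number of sectors")
    image_dir.mkdir(parents=True, exist_ok=True)
    digest = hashlib.new(algo)
    segments, total, seg_fh, seg_written = [], 0, None, 0
    while True:
        sector = source.read(SECTOR)
        if not sector:
            break
        digest.update(sector)
        total += len(sector)
        if seg_fh is None or seg_written >= segment_size:
            if seg_fh is not None:
                seg_fh.close()
            path = image_dir / f"{stem}.{len(segments) + 1:03d}"
            segments.append(path.name)
            seg_fh, seg_written = path.open("wb"), 0
        seg_fh.write(sector)
        seg_written += len(sector)
    if seg_fh is not None:
        seg_fh.close()
    # hashlog= equivalent: record the digest beside the image segments.
    (image_dir / f"{stem}.hashlog").write_text(
        f"{algo} {digest.hexdigest()}\nbytes {total}\n")
    return {"algo": algo, "hash": digest.hexdigest(),
            "bytes": total, "segments": segments}


def verify(image_dir: Path, stem: str) -> bool:
    """vf= equivalent: rehash the segments in order and compare the result
    with the digest recorded in the hashlog at acquisition time."""
    algo, logged = (image_dir / f"{stem}.hashlog").read_text().split()[:2]
    digest = hashlib.new(algo)
    for seg in sorted(image_dir.glob(f"{stem}.[0-9][0-9][0-9]")):
        with seg.open("rb") as fh:
            for block in iter(lambda: fh.read(SECTOR * 128), b""):
                digest.update(block)
    return digest.hexdigest() == logged


def demo(workdir: Optional[Path] = None) -> dict:
    """Image DRIVE into 8-sector segments, verify, then flip one bit in the
    first segment and show that verification now fails."""
    workdir = workdir or Path(tempfile.mkdtemp(prefix="acq_"))
    if not direction_ok("/dev/hda1", str(workdir / "image")):
        raise SystemExit("if=/of= reversed")
    result = acquire(io.BytesIO(DRIVE), workdir, "image", 8 * SECTOR)
    result["verified"] = verify(workdir, "image")
    first = workdir / "image.001"
    damaged = bytearray(first.read_bytes())
    damaged[0] ^= 0x01  # a single-bit change is enough to change the digest
    first.write_bytes(damaged)
    result["verified_after_tamper"] = verify(workdir, "image")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The 20-sector drive lands in three segments (8, 8 and 4 sectors), the recorded digest matches the source, and a one-bit change to the first segment makes the vf=-style check fail, which is why validation is treated as the most critical aspect of the evidence: without the hashlog you have no way to prove the image still matches what was acquired.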

What does a logical acquisition collect for an investigation?

only specific files of interest to the case

What should you consider when determining what data acquisition method to use?

size of the source drive, whether you can retain the source drive as evidence, how long the acquisition will take, and where the disk evidence is located

Why is it a good practice to make two images of a suspect drive in a critical investigation?

to ensure at least one good copy of the forensically collected data in case of any failures

What is the primary goal of static acquisition?

to preserve the digital evidence.

What is the most critical aspect of computer evidence?

validation

