forensics-chapter 7
Which of these are subfunctions of reconstructing drives? (Choose all that apply)
disk-to-disk copy, image-to-partition copy, partition-to-partition copy
NIST testing procedures are valid only for government agencies. True or False?False
False
Sleuth Kit is used to access Autopsy's tools. True or False?
False
Hash values are used for which of the following purposes? (Choose all that apply.)
Filtering, Validating
The standards for testing forensics tools are based on which criteria?
ISO 17025
What two data-copying methods are used in software data acquisitions?
Logical and physical
What's the name of the NIST project established to collect all known hash values for commercial software and OS files?
National Software Reference Library
Many of the newer GUI tools use a lot of system resources. True or False?
True
Hashing, filtering, and file header analysis make up which function of computer forensics tools?
Validation and discrimination
When validating the results of a forensic analysis, you should do which of the following?
a.Calculate the hash value b.Use a different tool to compare the results
Data can't be written to the disk with a command-line tool. True or False?
False
During a remote acquisition of a suspect drive, RAM data is lost. True or False?
False
Building a forensic workstation is more expensive than purchasing one. True or False?
False
A live acquisition is considered an accepted forensics practice. True or False?
False
Which of these are required functions for computer forensics tools?
Acquisition, Validation and discrimination, Extraction
Of the six functions of computer forensics tools, which of these are subfunctions of the Extraction function?
Decompressing, Decrypting, Bookmarking
Which of the following tools can examine files created by WinZip?
FTK
A disk partition can be copied only with a command-line acquisition tool. True or False?
False
When considering new forensics software tools, you should do which of the following?
Test and validate the software.
Which of the following is true of most drive-imaging tools? (Choose all that apply.)
They ensure that the original drive doesn't become corrupt , They create a copy of the original drive.
