Forensics - Chapters 3/14


1. Which of the following rules or laws requires an expert to prepare and submit a report?

FRCP 26

17. What's the maximum file size when writing data to a FAT32 drive?

2 GB (a limitation of FAT file systems)

3. What are two advantages and disadvantages of the raw format?

Advantages: faster data transfer speeds, ignores minor data errors, and most forensics analysis tools can read it. Disadvantages: requires equal or greater target disk space, doesn't contain hash values in the raw file (metadata), might have to run a separate hash program to validate raw format data, and might not collect marginal (bad) blocks.

4. Which of the following is an example of a written report?

An affidavit

22. Which forensics tools can connect to a suspect's remote computer and run surreptitiously?

EnCase Enterprise and ProDiscover Incident Response

24. FTK Imager can acquire data in a drive's host protected area. True or False?

False

2. For what purpose have hypothetical questions traditionally been used in litigation?

To frame the factual context of rendering an expert witness's opinion

23. EnCase, FTK, SMART, and iLookIX treat the image file as though it were the original disk. True or False?

True

13. In a Linux shell, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1

Wrong. This command reads the image_file.img file and writes it to the evidence drive's /dev/hda1 partition. The correct command is dcfldd if=/dev/hda1 of=image_file.img.

11. When you perform an acquisition at a remote location, what should you consider to prepare for this task?

Determine whether there's enough electrical power and lighting, and check the temperature and humidity at the location.

8. What does a sparse acquisition collect for an investigation?

Fragments of unallocated data in addition to the logical allocated data

15. What is a hashing algorithm?

A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk

18. What are two concerns when acquiring data from a RAID server?

Amount of data storage needed, type of RAID server (0, 1, 5, and so on), whether the acquisition tool can handle RAID acquisitions, whether the analysis tool can handle RAID data, and whether the analysis tool can split RAID data into separate disk drives, making it easier to distribute large data sets

10. What can be included in report appendixes?

Answers can include additional resource material not included in the text, raw data, figures not used in the body of the report, and anticipated exhibits.

4. List two features common with proprietary format acquisition files.

Can compress or not compress the acquisition data; can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD; case metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files.

8. When writing a report, what's the most important aspect of formatting?

Consistency

6. Name two commercial tools that can make a forensic sector-by-sector duplicate of a drive to a larger drive.

EnCase, SafeBack, and SnapCopy

5. Of all the proprietary formats, which one is the unofficial standard?

Expert Witness, used by Guidance Software EnCase

9. Automated tools help you collect and report evidence, but you're responsible for doing which of the following?

Explaining the significance of the evidence

11. Which of the following statements about the legal-sequential numbering system in report writing is true?

It doesn't indicate the relative importance of information.

12. With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB thumb drive, containing evidence?

Newer Linux distributions automatically mount the USB device, which could alter data on it.

7. Which of the following is the standard format for reports filed electronically in federal courts?

PDF

21. What's the ProDiscover remote access utility?

PDServer

20. How does ProDiscover Incident Response encrypt the connection between the examiner's and suspect's computers?

ProDiscover provides 256-bit AES or Twofish encryption with GUIDs and encrypts the password on the suspect's workstation.

12. What is a major advantage of automated forensics tools in report writing?

You can incorporate the log files and reports these tools generate into your written reports. Generally, these generated files are in a format that's easy to incorporate into an electronic document.

19. With remote acquisitions, what problems should you be aware of? (Choose all that apply.)

a. Data transfer speeds
b. Access permissions over the network
c. Antivirus, antispyware, and firewall programs

16. In the Linux dcfldd command, which three options are used for validating data?

hash, hashlog, and vf

7. What does a logical acquisition collect for an investigation?

Only specific files of interest to the case

1. What's the main goal of a static acquisition?

Preservation of digital evidence

2. Name the three formats for digital forensics data acquisitions.

Raw format, proprietary formats, and Advanced Forensic Format (AFF)

9. What should you consider when determining which data acquisition method to use?

Size of the source drive, whether the source drive is retained as evidence, how long the acquisition will take, and where the disk evidence is located

5. What is destroying a report before the final resolution of a case called?

Spoliation

10. Why is it a good practice to make two images of a suspect drive in a critical investigation?

To ensure at least one good copy of the forensically collected data in case of any failures

3. If you were a lay witness at a previous trial, you shouldn't list that case in your written report. True or False?

True

14. What's the most critical aspect of digital evidence?

Validation
