Guide to Computer Forensics and Investigations 5th Ed Chapter 3 Review Questions

¡Supera tus tareas y exámenes ahora con Quizwiz!

2. Name the three formats for digital forensics data acquisitions.

Forensics data acquisitions are stored in three different formats: 1raw, 2proprietary, and 3AFF.

17. What's the maximum file size when writing data to a FAT32 drive?

2 GB

7. What does a logical acquisition collect for an investigation?

A logical acquisition captures only specific files of interest to the case or specific types of files.

8. What does a sparse acquisition collect for an investigation?

A sparse acquisition is similar but also collects fragments of unallocated (deleted) data; use this method only when you don't need to examine the entire drive.

3. What are two advantages and disadvantages of the raw format?

Advantages: faster data transfer speeds, ignores minor data errors, and most forensics analysis tools can read it. Disadvantages: requires equal or greater target disk space, doesn't contain hash values in the raw file (metadata), might have to run a separate hash program to validate raw format data, and might not collect marginal (bad) blocks. Message #ccq-chat

16. In the Linux dcfldd command, which three options are used for validating data?

Currently, several tools can do a byte-by-byte comparison of files. Programs such as X-Ways Forensics, X-Ways WinHex, and IDM Computing Solution's UltraCompare can analyze and compare data files.

20. How does ProDiscover Incident Response encrypt the connection between the examiner's and suspect's computers?

Encryption—All communication between PDServer on the suspect's and investigator's computers can be encrypted. ProDiscover provides 256-bit Advanced Encryption Standard (AES) or Twofish encryption for the connection.

24. FTK Imager can acquire data in a drive's host protected area.

False

6. Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.

If you don't have a target disk of comparable size, review alternatives for reducing the size of data to create a verifiable copy of the suspect drive. Older Microsoft disk compression tools, such as DoubleSpace or DriveSpace, eliminate only slack disk space between files. Other compression methods use an algorithm to reduce file size. Popular archiving tools, such as PKZip, WinZip, and WinRAR, use an algorithm referred to as "lossless compression."

15. What is a hashing algorithm?

Is which is designed to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or disk drive. This unique number is referred to as a "digital fingerprint."

5. Of all the proprietary formats, which one is the unofficial standard?

Of all the proprietary formats for image acquisitions, the Expert Witness format is currently the unofficial standard.

22. Which forensics tools can connect to a suspect's remote computer and run surreptitiously?

The remote access program in EnCase Enterprise is Servlet, a passive utility installed on the suspect computer. Servlet connects the suspect computer to the Examiner and SAFE workstations and can run in stealth mode on the suspect computer.

9. What should you consider when determining which data acquisition method to use?

To determine which acquisition method to use for an investigation, consider the size of the source (suspect) disk, whether you can retain the source disk as evidence or must return it to the owner, how much time you have to perform the acquisition, and where the evidence is located.

21. EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?

True

12. With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?

Windows can easily contaminate an evidence drive when it mounts it, you must protect it with a well-tested write-blocking hardware device. The automatic mounting process updates boot files by changing metadata, such as the most recent access time.

18. What are two concerns when acquiring data from a RAID server?

adequate data backup systems in case of a major failure of more than one drive and When planning a recovery procedure for RAID servers, consider whether the amount of downtime it takes to restore backup data is acceptable to the lab operation.

19. With remote acquisitions, what problems should you be aware of? (Choose all that apply.)

c. Antivirus, antispyware, and firewall programs

11. When you perform an acquisition at a remote location, what should you consider to prepare for this task?

determine whether there's enough electrical power and lighting and check the temperature and humidity at the location

10. Why is it a good practice to make two images of a suspect drive in a critical investigation?

if the first copy doesn't work correctly, having a duplicate is worth the effort and resources. Be sure you take steps to minimize the risk of failure in your investigation.

14. What's the most critical aspect of digital evidence?

most critical aspect of computer forensics is validating digital evidence.

1. What's the main goal of a static acquisition?

to preserve the digital evidence.


Conjuntos de estudio relacionados

Solving Quadratic Equations by Factoring

View Set

Praxis Art Ch. 4: Digital Photography Processes

View Set

GB311: Midterm 1- Quiz Questions

View Set

Chapter 30 (Assisting In Ophthalmology and Otolaryngology) & Chapter 31 (Assisting In Gastroenterology)

View Set