Chapter 3 Review Questions
What's the maximum file size when writing data to a FAT32 drive?
2 GB (a limitation of FAT file systems)
What are two advantages and disadvantages of the raw format?
Advantages: faster data transfer speeds, ignores minor data errors, and most forensics analysis tools can read it. Disadvantages: requires equal or greater target disk space, doesn't contain hash values in the raw file (metadata), might have to run a separate hash program to validate raw format data, and might not collect marginal (bad) blocks.
Which forensics tools can connect to a suspect's remote computer and run surreptitiously?
EnCase Enterprise and ProDiscover Incident Response
FTK Imager can acquire data in a drive's host protected area. True or False?
False
In a Linux shell, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1
Wrong. This command reads the image_file.img file and writes it to the evidence drive's /dev/hda1 partition. The correct command is dcfldd if=/dev/hda1 of=image_file.img.
What is a hashing algorithm?
A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk
List two features common with proprietary format acquisition files.
Can compress or not compress the acquisition data; can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD; case metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files.
With remote acquisitions, what problems should you be aware of?
a. Data transfer speeds
b. Access permissions over the network
c. Antivirus, antispyware, and firewall programs
d. All of the above
D. All of the above
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive
EnCase, SafeBack, and SnapCopy
Of all the proprietary formats, which one is the unofficial standard?
Expert Witness, used by Guidance Software EnCase
With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB drive, containing evidence?
Newer Linux distributions automatically mount the USB device, which could alter data on it.
What's the ProDiscover remote access utility?
PDServer
What's the main goal of a static acquisition?
Preservation of digital evidence
How does ProDiscover Incident Response encrypt the connection between the examiner's and suspect's computers?
ProDiscover provides 256-bit AES or Twofish encryption with GUIDs and encrypts the password on the suspect's workstation.
EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?
True
What are two concerns when acquiring data from a RAID server?
Amount of data storage needed, type of RAID server (0, 1, 5, and so on), whether the acquisition tool can handle RAID acquisitions, whether the analysis tool can handle RAID data, and whether the analysis tool can split RAID data into separate disk drives, making it easier to distribute large data sets
When you perform an acquisition at a remote location, what should you consider to prepare for this task?
Determine whether there's enough electrical power and lighting, and check the temperature and humidity at the location
What does a sparse acquisition collect for an investigation?
Fragments of unallocated data in addition to the logical allocated data
In the Linux dcfldd command, which three options are used for validating data?
hash, hashlog, and vf (the dcfldd options, written as they appear on the command line)
What does a logical acquisition collect for an investigation?
Only specific files of interest to the investigation
Name the three formats for computer forensics data acquisitions.
Raw format, proprietary formats, and AFF
What should you consider when determining which data acquisition method to use?
Size of the source drive, whether the source drive is retained as evidence, how long the acquisition will take, and where the disk evidence is located
Why is it a good practice to make two images of a suspect drive in a critical investigation?
To ensure at least one good copy of the forensically collected data in case of any failures
What's the most critical aspect of digital evidence?
Validation