Computer Forensics Chapter 4
What is the EnCase Enterprise remote access program?
ServLet
What are two concerns when acquiring data from a RAID server?
1) amount of data storage needed. 2) the type of RAID server (0, 1, 5, etc.) 3) whether your acquisition tool can handle RAID acquisitions. 4) whether your analysis tool can handle RAID data 5) whether your analysis tool can split RAID data into separate drives
What is the Runtime Software utility used to acquire data over a network connection?
DiskExplorer for NTFS or DiskExplorer for FAT
FTK Imager can acquire data in a drive's host protected area.
False
HDHost is automatically encrypted when connected to another computer
False
R-Studio and DiskExplorer are used primarily for computer Forensics.
False (They are designed as data recovery tools but are useful in rebuilding corrupt data when forensics tools fail.)
In a Linux shell the fdisk -1 command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/sha1
False The correct command is dcfldd if=/dev/hda1 of=image_file.img.
List two types of connections of HDHost.
TCP/IP and serial RS232 port
What is the advantage of using a tape back-up system for forensic acquisitions of large data sets?
There is no limit to the size of data you can write to magnetic tape.
When possible, you should make two copies of evidences.
True
What's the maximum file size when writing data to a FAT32 drive?
2 GB (a limitation of FAT file systems)
What is a hashing algorithm?
A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk
Which computer forensics tools can connect to suspect's remote computer and run surreptitiously?
EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.
EnCase, SafeBack, and SnapCopy.
Of all the proprietary formats, which one is the unofficial standard?
Expert Witness Format
What is the disadvantage of using the Windows XP/Vista USB write-protection registry method?
If the target drive is an external USB drive, the write-protect feature prevents data from being written to it.
Whit newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?
Newer Linux distributions automatically mount the USB device, which could alter data on it.
What is the ProDiscover remote access program?
PDServer
How does ProDiscover Investigation encrypt the connection between the examiners and suspect's computers?
ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect's workstation.
Name the three formats for computer forensics data acquisitions
Raw Format, Proprietary Formats, Advance Forensic Format
EnCase, FTK, SMART, and ILook treat an image file as though it were the original disk.
True
With remote acquisitions, what problems should you be aware of?
a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs
When you perform an acquisition at a remote location, what would you consider to prepare for this task?
determining whether there's sufficient electrical power and lighting and checking the temperature and humidity at the location
What are two advantages and disadvantages of the raw format?
fast data transfers and capability to ignore minor data read errors on the source drive, Requires as much storage space as the original disk or that it might not collect marginal (bad) sectors on the source drive.
What does a sparse acquisition collect for an investigation?
fragments of unallocated data in addition to the logical allocated data
The Linux dcfldd command, which tree options are used for validation data?
hash=, hashlog=, and vf=
Which hashing algorithm utilities can be run form a Linux shell prompt?
md5sum and sha1sum
What does a logical acquisition collect for an investigation?
only specific files of interest to the case
What should you consider when determining what data acquisition method to use?
size of the source drive, whether the source drive be retained as evidence, how long the acquisition will take, and where the disk evidence is located
List two features common with proprietary format acquisition files.
to compress or not to compress, Capability to split an image into smaller segmented files, Capability to integrate metadata into the image file ( date and time , hash values).
Why is it a good practice to make two images of a suspect drive in a critical investigation?
to ensure at least one good copy of the forensically collected data in case of any failures
What is the primary goal of static acquisition?
to preserve the digital evidence.
What is the most critical aspect of computer evidence?
validation
When is a standard data backup tool, such as Norton Ghost, used for computing investigation?
when the suspect computer can't be taken offline for several hours but can be shut down long enough to switch disks with a Ghost backup, allowing the investigator to take the original disk and preserve it as digital evidence