Computer Forensics Chapter 4


What is the EnCase Enterprise remote access program?

ServLet

What are two concerns when acquiring data from a RAID server?

1) the amount of data storage needed
2) the type of RAID server (0, 1, 5, etc.)
3) whether your acquisition tool can handle RAID acquisitions
4) whether your analysis tool can handle RAID data
5) whether your analysis tool can split RAID data into separate drives

What is the Runtime Software utility used to acquire data over a network connection?

DiskExplorer for NTFS or DiskExplorer for FAT

FTK Imager can acquire data in a drive's host protected area.

False

HDHost is automatically encrypted when connected to another computer

False

R-Studio and DiskExplorer are used primarily for computer Forensics.

False (They are designed as data recovery tools but are useful in rebuilding corrupt data when forensics tools fail.)

In a Linux shell, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/sha1

False. The correct command is dcfldd if=/dev/hda1 of=image_file.img (the input file must be the suspect drive and the output file the image).

List two types of connections of HDHost.

TCP/IP and serial RS232 port

What is the advantage of using a tape back-up system for forensic acquisitions of large data sets?

There is no limit to the size of data you can write to magnetic tape.

When possible, you should make two copies of evidence.

True

What's the maximum file size when writing data to a FAT32 drive?

2 GB (a limitation of FAT file systems)

What is a hashing algorithm?

A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk

Which computer forensics tools can connect to suspect's remote computer and run surreptitiously?

EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.

EnCase, SafeBack, and SnapCopy.

Of all the proprietary formats, which one is the unofficial standard?

Expert Witness Format

What is the disadvantage of using the Windows XP/Vista USB write-protection registry method?

If the target drive is an external USB drive, the write-protect feature prevents data from being written to it.

With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB drive, containing evidence?

Newer Linux distributions automatically mount the USB device, which could alter data on it.

What is the ProDiscover remote access program?

PDServer

How does ProDiscover Investigator encrypt the connection between the examiner's and suspect's computers?

ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect's workstation.

Name the three formats for computer forensics data acquisitions.

Raw format, proprietary formats, and Advanced Forensic Format (AFF)

EnCase, FTK, SMART, and ILook treat an image file as though it were the original disk.

True

With remote acquisitions, what problems should you be aware of?

a. Data transfer speeds
b. Access permissions over the network
c. Antivirus, antispyware, and firewall programs

When you perform an acquisition at a remote location, what would you consider to prepare for this task?

Determining whether there's sufficient electrical power and lighting, and checking the temperature and humidity at the location.

What are two advantages and disadvantages of the raw format?

Advantages: fast data transfers and the capability to ignore minor data read errors on the source drive. Disadvantages: it requires as much storage space as the original disk, and it might not collect marginal (bad) sectors on the source drive.

What does a sparse acquisition collect for an investigation?

Fragments of unallocated data in addition to the logically allocated data.

In the Linux dcfldd command, which three options are used for validating data?

hash=, hashlog=, and vf=

Which hashing algorithm utilities can be run from a Linux shell prompt?

md5sum and sha1sum

What does a logical acquisition collect for an investigation?

Only specific files of interest to the case.

What should you consider when determining what data acquisition method to use?

The size of the source drive, whether the source drive will be retained as evidence, how long the acquisition will take, and where the disk evidence is located.

List two features common with proprietary format acquisition files.

The option to compress or not to compress, the capability to split an image into smaller segmented files, and the capability to integrate metadata (date and time, hash values) into the image file.

Why is it a good practice to make two images of a suspect drive in a critical investigation?

To ensure at least one good copy of the forensically collected data in case of any failures.

What is the primary goal of static acquisition?

To preserve the digital evidence.

What is the most critical aspect of computer evidence?

Validation

When is a standard data backup tool, such as Norton Ghost, used for computing investigation?

When the suspect computer can't be taken offline for several hours but can be shut down long enough to switch disks with a Ghost backup, allowing the investigator to take the original disk and preserve it as digital evidence.
