Computer Forensics, Chapter 6, 6th edition
Forensics software tools are grouped into ______ and ______ applications.
command line, GUI
Most drive-imaging tools ensure that the original drive doesn't become corrupt and damage the digital evidence, and _______________________.
create a copy of the original drive
Why are hash values used?
filtering known good files from potentially suspicious data and validating that the original has not been changed
What does the verification function do?
proves that two sets of data are identical via hash values
What is the purpose of the reconstruction function?
recreate a suspect drive to show what happened
data viewing, keyword searching, decompressing, carving, decrypting, and bookmarking
subfunctions of the extraction function
According to ISO standard 27037, the DEFR's competency and __________ are important factors in data acquisition.
use of validated tools
Hashing, filtering, and file header analysis make up which function of computer forensics tools?
validation and verification
National Software Reference Library (NSRL)
A NIST project with the goal of collecting all known hash values for commercial software and OS files.
True or False? "Reproducible Results" means that if you work in the same lab on the same machine, you will generate the same results.
False
True or False? Building a forensic workstation is more expensive than purchasing one.
False
True or False? Data can't be written to disk with a command-line tool.
False
True or False? Hardware acquisition tools typically have built-in software for data analysis.
False
The standards for testing forensics tools are based on which criteria?
ISO 17025
What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?
It enables you to remove and reconnect drives without having to shut down your workstation
True or False? An encrypted drive is one reason to choose a logical acquisition.
True
True or False? The primary hashing algorithm the NSRL project uses is SHA-1.
True
When validating the results of a forensics analysis, you should calculate the hash value with two different tools and ____________.
Use a different tool to compare the results of evidence you find
write-blocker
A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt-13 write functions to a drive in a PC's BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation.
keyword search
A method of finding files or other information by entering relevant characters, words, or phrases in a search tool.
Computer Forensics Tool Testing (CFTT)
A project sponsored by the National Institute of Standards and Technology to manage research on digital forensics tools.
validation
A way to confirm that a tool is functioning as intended; one of the functions of digital forensics tools.
password dictionary attack
An attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use a password dictionary to compare potential passwords to an encrypted file's password or passphrase hash values.
A log report in forensics tools does what?
Records an investigator's actions in examining a case
acquisition
The process of creating a duplicate image of data; one of the required functions of digital forensics tools.
verification
The process of proving that two sets of data are identical by calculating hash values or using another similar method.
extraction
The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the required functions of digital forensics tools.
reconstruction
The process of rebuilding data files; one of the required functions of digital forensics tools.
brute-force attack
The process of trying every combination of characters—letters, numbers, and special characters typically found on a keyboard—to find a matching password or passphrase value for an encrypted file.