Chapter 3 Review Questions

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

List two features common with proprietary format acquisition files

1) Ability to compress or not compress image files of a suspect drive, thus saving target space. 2) The capability to split an image into smaller segmented files for archiving purposes such as to CDs or DVDs, with data integrity checks integrated into each segment

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.

1) EnCase 2) SafeBack

What's the maximum file size when writing data to a FAT32 drive?

2 GB (a limitation of FAT file systems)

What is a hashing algorithm?

A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk

What are two advantages and disadvantages of the raw format?

Advantages: fast data transfers + the capability to ignore minor data read errors on the source drive. Disadvantages: Requires as much storage space as the original disk + some raw format tools might not collect marginal (bad) sectors on the source drive.

What should you consider when determining which data acquisition method to use?

Consider the size of the source (suspect) disk, whether you can retain the source disk as evidence or must return it to the owner.

When you perform an acquisition at a remote location, what should you consider to prepare for this task?

Determining whether there's sufficient electrical power, sufficient lighting, and checking the temperature and humidity at the location.

Which forensics tools can connect to a suspect's remote computer and run surreptitiously?

EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response

Of all the proprietary formats, which one is the unofficial standard?

Expert Witness Format

FTK Imager can acquire data in a drive's host protected area. T/F

False

In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/sha1

False The correct command is dcfldd if=/dev/hda1 of=image_file.img.

With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?

Newer Linux distributions automatically mount the USB device, which could alter data on it.

Name the three formats for computer forensics data acquisitions

Raw format, proprietary format, and advanced forensic format

What's the main goal of a static acquisition?

To preserve digital evidence.

EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. T/F

True

What's the most critical aspect of digital evidence?

Validation

With remote acquisitions, what problems should you be aware of? (Choose all that apply.) Data transfer speeds Access permissions over the network Antivirus, antispyware, and firewall programs The password of the remote computer's user

a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs

What are two concerns when acquiring data from a RAID server?

amount of data storage needed, and the type of RAID server (0, 1, 5, etc.)

What does a sparse acquisition collect for an investigation?

fragments of unallocated (detected) data + the logical allocated data

In the Linux dcfldd command, which three options are used for validating data?

hash=, hashlog=, and vf=

What does a logical acquisition collect for an investigation?

only specific files of interest to the case

Why is it a good practice to make two images of a suspect drive in a critical investigation?

to ensure at least one good copy of the forensically collected data in case of any failures


Ensembles d'études connexes

Econ 101 Ch. 2-3 Demand & Supply

View Set

Microbiology Chapter 13 Problem Set

View Set

Managing and Behavior Chapters 1

View Set

McCance Chapter 2 - Altered Cellular and Tissue Biology

View Set

Adult Health Exam 4 Arthritis and Connective Tissue Diseases Ch. 69

View Set