Chapter 3 Review Questions
List two features common with proprietary format acquisition files
1) Ability to compress or not compress image files of a suspect drive, thus saving target space. 2) The capability to split an image into smaller segmented files for archiving purposes such as to CDs or DVDs, with data integrity checks integrated into each segment
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.
1) EnCase 2) SafeBack
What's the maximum file size when writing data to a FAT32 drive?
2 GB (a limitation of FAT file systems)
What is a hashing algorithm?
A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk
What are two advantages and disadvantages of the raw format?
Advantages: fast data transfers + the capability to ignore minor data read errors on the source drive. Disadvantages: Requires as much storage space as the original disk + some raw format tools might not collect marginal (bad) sectors on the source drive.
What should you consider when determining which data acquisition method to use?
Consider the size of the source (suspect) disk, whether you can retain the source disk as evidence or must return it to the owner.
When you perform an acquisition at a remote location, what should you consider to prepare for this task?
Determining whether there's sufficient electrical power, sufficient lighting, and checking the temperature and humidity at the location.
Which forensics tools can connect to a suspect's remote computer and run surreptitiously?
EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response
Of all the proprietary formats, which one is the unofficial standard?
Expert Witness Format
FTK Imager can acquire data in a drive's host protected area. T/F
False
In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/sha1
False The correct command is dcfldd if=/dev/hda1 of=image_file.img.
With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?
Newer Linux distributions automatically mount the USB device, which could alter data on it.
Name the three formats for computer forensics data acquisitions
Raw format, proprietary format, and advanced forensic format
What's the main goal of a static acquisition?
To preserve digital evidence.
EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. T/F
True
What's the most critical aspect of digital evidence?
Validation
With remote acquisitions, what problems should you be aware of? (Choose all that apply.) Data transfer speeds Access permissions over the network Antivirus, antispyware, and firewall programs The password of the remote computer's user
a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs
What are two concerns when acquiring data from a RAID server?
amount of data storage needed, and the type of RAID server (0, 1, 5, etc.)
What does a sparse acquisition collect for an investigation?
fragments of unallocated (detected) data + the logical allocated data
In the Linux dcfldd command, which three options are used for validating data?
hash=, hashlog=, and vf=
What does a logical acquisition collect for an investigation?
only specific files of interest to the case
Why is it a good practice to make two images of a suspect drive in a critical investigation?
to ensure at least one good copy of the forensically collected data in case of any failures