Computer Forensic Methods 2 - Chapter 3 Review Questions

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

When you perform an acquisition at a remote location, what should you consider to prepare for this task?

Determining whether's there's sufficient electrical power and lighting, and checking the temperature and humidity at the location

Which forensics tools can connect to a suspect's remote computer and run surreptitiously?

EnCase Enterprise ProDiscover Investigator ProDiscover Incident Response

FTK Imager can acquire data in a drive's host protected area. True or False?

False

What does a logical acquisition collect for an investigation?

Only specific files of interest to the case

What should you consider when determining which data acquisition method to use?

Size of the source drive, whether the source drive should be retained as evidence, how long the acquisition will take, and where the disk evidence is located

List two features common with proprietary format acquisition files

To compress or not to compress, capability to split an image into smaller segmented files, capability to integrate metadata into the image file (Date and time, hash values)

Why is it a good practice to make two images of a suspect drive in a critical investigation?

To ensure at least one good copy of the forensically collected data in case of any failures

What's the main goal of static acquisition?

To preserve digital evidence

What's the most critical aspect of digital evidence?

Validation

What's the maximum file size when writing data to a FAT32 drive?

2GB (limitation of FAT file systems)

With remote acquisitions, what problems should you be aware of? a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs d. The password of the remote computer's user

A B C and D

What is a hashing algorithm?

A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file or entire disk

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive

EnCase, SafeBack, SnapCopy

Of all the proprietary formats, which one is the unofficial standard?

Expert Witness Format

In a Linux shell, the fdisk -1 command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1

False, the correct command is dcfldd if=/dev/hda1 of=image_file.img

What are two advantages and disadvantages of the raw format?

Fast data transfers and capability to ignore minor data read errors on the source drive. Requires as much storage space as the original disk or that it might not collect marginal (bad) sectors on the source drive.

With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?

Newer Linux distros automatically mount the USB device, which could alter data on it.

What's the ProDiscover remote access utility?

PDServer

How does ProDiscover Incident Response encrypt the connection between the examiner's and suspect's computers?

ProDiscover provides 256-bit AES or Twofish encryption with GUIDS and encrypts the password on the suspect's workstation.

Name the three formats for digital forensics data acquisitions.

Raw format, Proprietary Formats, Advance Forensic Format

EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?

True

What does a sparse acquisition collect for an investigation?

fragments of unallocated data in addition to the logical allocated data

In the Linux dcfldd command, which three options are used for validating data?

hash= hashlog= vf=


Ensembles d'études connexes

Mean, mode, median, range, frequency.

View Set