Computer Forensics, Chapter 6, 6th edition

Forensics software tools are grouped into ______ and ______ applications.

command line, GUI

Most drive-imaging tools ensure that the original drive doesn't become corrupt and damage the digital evidence, and _______________________.

create a copy of the original drive

Why are hash values used?

filtering known good files from potentially suspicious data and validating that the original has not been changed

What does the verification function do?

proves that two sets of data are identical via hash values

What is the purpose of the reconstruction function?

recreate a suspect drive to show what happened

data viewing, keyword searching, decompressing, carving, decrypting, and bookmarking

subfunctions of the extraction function

According to ISO standard 27037, the DEFR's competency and __________ are important factors in data acquisition.

use of validated tools

Hashing, filtering, and file header analysis make up which function of computer forensics tools?

validation and verification

National Software Reference Library (NSRL)

A NIST project with the goal of collecting all known hash values for commercial software and OS files.

True or False? "Reproducible Results" means that if you work in the same lab on the same machine, you will generate the same results.

False

True or False? Building a forensic workstation is more expensive than purchasing one.

False

True or False? Data can't be written to disk with a command-line tool.

False

True or False? Hardware acquisition tools typically have built-in software for data analysis.

False

The standards for testing forensics tools are based on which criteria?

ISO 17025

What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?

It enables you to remove and reconnect drives without having to shut down your workstation

True or False? An encrypted drive is one reason to choose a logical acquisition.

True

True or False? The primary hashing algorithm the NSRL project uses is SHA-1.

True

When validating the results of a forensics analysis, you should calculate the hash value with two different tools and ____________.

Use a different tool to compare the results of evidence you find

write-blocker

A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt-13 write functions to a drive in a PC's BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation.

keyword search

A method of finding files or other information by entering relevant characters, words, or phrases in a search tool.

Computer Forensics Tool Testing (CFTT)

A project sponsored by the National Institute of Standards and Technology to manage research on digital forensics tools.

Validation

A way to confirm that a tool is functioning as intended; one of the functions of digital forensics tools.

password dictionary attack

An attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use a password dictionary to compare potential passwords to an encrypted file's password or passphrase hash values.

A log report in forensics tools does what?

Records an investigator's actions in examining a case

Acquisition

The process of creating a duplicate image of data; one of the required functions of digital forensics tools.

verification

The process of proving that two sets of data are identical by calculating hash values or using another similar method.

extraction

The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the required functions of digital forensics tools.

reconstruction

The process of rebuilding data files; one of the required functions of digital forensics tools.

brute-force attack

The process of trying every combination of characters—letters, numbers, and special characters typically found on a keyboard—to find a matching password or passphrase value for an encrypted file.

