Module 3

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

What's the maximum file size when writing data to a FAT32 drive? 2 GB 3 GB 4 GB 6 GB

2GB

By what percentage can lossless compression reduce image file size? 15% 50% 30% 25%

50%

What are two concerns when acquiring data from a RAID server? Data transfer speeds and type of RAID Type of RAID and antivirus software Amount of data storage needed and type of RAID Split RAID and Redundant RAID

Amount of data storage needed and type of RAID

With remote acquisitions, what problems should you be aware of? Data transfer speeds Access permissions over the network Antivirus, antispyware, and firewall programs The password of the remote computer's user

Antivirus, antispyware, and firewall programs

What older Microsoft disk compression tool eliminates only slack disk space between files? PKZip WinZip WinRAR DriveSpace

DriveSpace

Which forensics tools can connect to a suspect's remote computer and run surreptitiously? ddfldd and ProDiscover Incident Response EnCase Enterprise and ProDiscover Incident Response dd and ddfldd dd and EnCase Enterprise

EnCase Enterprise and ProDiscover Incident Response

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive. dd and Expert Witness dd and EnCase X-Ways Forensics and dd EnCase and X-Ways Forensics

EnCase and X-Ways Forensics

Of all the proprietary formats, which one is the unofficial standard? Expert Witness AFF Uncompress dd Segmented dd

Expert Witness

FTK Imager can acquire data in a drive's host protected area. True False

False

If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available. True False

False

Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics. True False

False

Slower data transfer speeds and dealing with minor data errors are two disadvantages of the raw format True False

False

Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume. True False

False

When determining which data acquisition method to use you should not consider how long the acquisition will take. True False

False

What does a sparse acquisition collect for an investigation? Only specific files of interest to the case Fragments of unallocated data in addition to the logical allocated data Only the logical allocated data Only fragments of unallocated data

Fragments of unallocated data in addition to the logical allocated data

What term refers to Linux ISO images that can be burned to a CD or DVD? Forensic Linux Linux in a Box Linux Live CDs ISO CDs

Linux Live CDs

What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available? Local Live Passive Static

Live

What type of acquisition is used for most remote acquisitions? Sparse Live Hot Static

Live

What does Autopsy use to validate an image? RC4 MD5 AFD AFF

MD5

Which type of format acquisition leaves the investigator unable to share an image between different vendors' computer forensics analysis tools? Raw AFD AFF Proprietary

Proprietary

In addition to RAID 0, what type of RAID configuration is available for Windows XP, 2000, and NT servers and workstations? RAID 4 RAID 5 RAID 1 RAID 2

RAID 1

Which RAID configuration offers the greatest access speed and most robust data recovery capability? RAID 16 RAID 0 RAID 15 RAID 10

RAID 15

Name the three formats for digital forensics data acquisitions. Raw, AICIS, and AFF EnCase format, Raw, and dd Raw format, proprietary formats, and AFF dd, Raw, and AFF

Raw format, proprietary formats, and AFF

If your time is limited, what type of acquisition data copy method should you consider? Sparse Disk-to-disk Lossless Disk-to-image

Sparse

Why is it a good practice to make two images of a suspect drive in a critical investigation? To speed up the process To have one compressed and one uncompressed copy To ensure at least one good copy of the forensically collected data in case of any failures None of the above

To ensure at least one good copy of the forensically collected data in case of any failures

A hashing algorithm is a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk. True False

True

A logical acquisition collects only specific files of interest to the case. True False

True

A separate manual validation is recommended for all raw acquisitions at the time of analysis. True False

True

Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized. True False

True

Commonly, proprietary format acquisition files can compress the acquisition data and segment acquisition output files into smaller volumes. True False

True

FTK Imager requires that you use a device such as a USB dongle for licensing. True False

True

In Autopsy and many other forensics tools raw format image files don't contain metadata. True False

True

In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. So, the following dcfldd is command correct. dcfldd if=image_file.img of=/dev/hda1 True False

True

Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive. True False

True

The main goal of a static acquisition is the preservation of digital evidence. True False

True

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file. True False

True

There's no simple method for getting an image of a RAID server's disks. True False

True

With newer Linux kernel distributions, USB devices are automatically mounted, which can alter data on it. True False

True

What's the most critical aspect of digital evidence? Compression Redundancy Contingency Validation

Validation

What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult? Backup utilities Whole disk encryption Recovery wizards NTFS

Whole disk encryption

What command works similarly to the dd command but has many features designed for computer forensics acquisitions? raw dcfldd bitcopy man

dcfldd

What option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512? md5sum hashlog checksum hash

hash

In the Linux dcfldd command, which three options are used for validating data? hash, hashlog, and vf h, hl, and vf hash, log, and hashlog vf, of, and vv

hash, hashlog, and vf

What command displays pages from the online help manual for information on Linux commands and their options? cmd inst hlp man

man

In addition to md5sum, which hashing algorithm utility is included with current distributions of Linux? SHAKE sha1sum sha386sum md1deep

sha1sum


Ensembles d'études connexes

Transgenic plants and applications

View Set

CMU Genetics Week 2: Chapter 3 & 4

View Set

Chapter 5: Key Employees and Top-Heavy Plans

View Set

Public Speaking Final 2500 Clemson University

View Set

Series 7 - Bonds Practice Questions

View Set

Chapt. 3 & 4 Hospitality financial management

View Set