Review Questions Ch. 7
When considering new forensics software, you should do which of the following? a. Uninstall other forensics software. b. Reinstall the OS. c. Test and validate the software. d. None of the above.
c. Test and validate the software.
When validating the results of a forensics analysis, you should do which of the following? a. Calculate the hash value with two different tools. b. Use a different tool to compare the results of evidence you find. c. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. d. Do both a and b. e. Do both b and c. f. Do both a and c. g. Do none of the above.
d. Do both a and b.
List four subfunctions of reconstructing drives.
disk-to-disk copy, image-to-disk copy, partition-to-partition copy, image-to-partition copy
NIST testing procedures are valid only for government agencies. True or False?
False
Sleuth Kit is used to access Autopsy's tools. True or False?
False (Autopsy is the front end to Sleuth Kit.)
What's the name of the NIST project established to collect all known hash values for commercial software and OS files?
National Software Reference Library (NSRL)
Many of the newer GUI tools use a lot of system resources. True or False?
True
Which of the following tools can examine files created by WinZip? a. FTK, b. Hex Workshop, c. Registry Viewer, d. SMART
a. FTK
Hashing, filtering, and file header analysis make up which function of computer forensics tools? a. Validation and discrimination, b. Acquisition, c. Extraction, d. Reporting
a. Validation and discrimination
What are the five required functions for computer forensics tools?
acquisition, validation and discrimination, extraction, reconstruction, and reporting
Hash values are used for which of the following purposes? (Choose all that apply.) a. Determining file size, b. Filtering known good files from potentially suspicious data, c. Reconstructing file fragments, d. Validating that the original data hasn't changed
b. Filtering known good files from potentially suspicious data d. Validating that the original data hasn't changed
Which of the following is true of most drive-imaging tools? (Choose all that apply.) a. They perform the same function as a backup. b. They ensure that the original drive doesn't become corrupt and damage the digital evidence. c. They create a copy of the original drive. d. They must be run from the command line.
b. They ensure that the original drive doesn't become corrupt and damage the digital evidence. c. They create a copy of the original drive.
The standards for testing forensics tools are based on which criteria? a. U.S. Title 18, b. ISO 5725, c. ISO 17025, d. All of the above
c. ISO 17025
What two data-copying methods are used in software data acquisitions? a. Remote and local, b. Local and logical, c. Logical and physical, d. Physical and compact
c. Logical and physical
During a remote acquisition of a suspect drive, RAM data is lost. True or False?
False
Building a forensic workstation is more expensive than purchasing one. True or False?
False
Data can't be written to the disk with a command-line tool. True or False?
False
A live acquisition is considered an accepted forensics practice. True or False?
False
What are the subfunctions of the extraction function?
data viewing, keyword searching, decompressing, carving, decrypting, and bookmarking
A disk partition can be copied only with a command-line acquisition tool. True or False?
False