SEC+ 601 Chapter 15: Digital Forensics
Henry wants to use an open source forensic suite. Which of the following tools should he select? A. Autopsy B. EnCase C. FTK D. WinHex
A. Autopsy Autopsy is the only open source forensic suite on this list. Both EnCase and FTK are commercial tools, and WinHex is also a commercial tool but isn't a forensic suite.
What is the key difference between hashing and checksums? A. Both can validate integrity, but a hash also provides a unique digital fingerprint. B. A hash can be reversed, and a checksum cannot be. C. Checksums provide greater security than hashing. D. Checksums have fewer message collisions than a hash.
A. Both can validate integrity, but a hash also provides a unique digital fingerprint. Although both a checksum and a hash can be used to validate message integrity, a hash has fewer collisions than a checksum and will also provide a unique fingerprint for a file. Checksums are primarily used as a quick means of checking that that integrity is maintained, whereas hashes are used for many other purposes such as secure password validation without retaining the original password. A checksum would not be useful for proving a forensic image was identical, but it could be used to ensure that your work had not changed the contents of the drive.
Michael wants to acquire the firmware from a running device for analysis. What method is most likely to succeed? A. Use forensic memory acquisition techniques. B. Use disk forensic acquisition techniques. C. Remove the firmware chip from the system. D. Shut down the system and boot to the firmware to copy it to a removable device.
A. Use forensic memory acquisition techniques. Firmware can be challenging to access, but both memory forensic techniques and direct hardware interface access are viable means in some cases. Firmware is not typically stored on the disk and instead is stored in a BIOS or UEFI chip. Removing the chip from the system will leave it unable to run and thus this is not a preferred method. Also, many chips are not removable. Shutting down the device and booting it to the firmware does not provide a means of copying the firmware for most devices. Although the firmware is likely to allow updates, most does not allow downloads or copying.
Maria has acquired a disk image from a hard drive using dd, and she wants to ensure that her process is forensically sound. What should her next step be after completing the copy? A. Securely wipe the source drive. B. Compare the hashes of the source and target drive. C. Securely wipe the target drive. D. Update her chain-of-custody document.
B. Compare the hashes of the source and target drive. Once a copy is made, hashes for the original and target drive should be compared to ensure that the copy was successful. After that, the chain-of-custody document can be updated to note that a copy was made and will be tracked as it is analyzed while the original is preserved. Wiping either drive after a copy is not part of the process, although a target drive may be wiped after a case is complete.
Alex has been handed a flash media device that was quick-formatted and has been asked to recover the data. What data will remain on the drive? A. No data will remain on the drive. B. Files will remain but file indexes will not. C. File indexes will remain, but the files will be gone. D. Files and file indexes will remain on the drive.
B. Files will remain but file indexes will not. Quick-formatting a drive removes the file indexes but leaves the file content on the drive. Recovery tools look for those files on the drive and piece them back together using metadata, headers, and other clues that help to recover the files.
Gabby wants to capture the pagefile for a system. Where will she find the pagefile stored? A. In memory B. On disk C. In a CPU register D. In device firmware
B. On disk The pagefile is disk space used to extend or expand memory. Thus, Gabby can find the pagefile on the disk and can capture it as she would other files on the disk.
Isaac is performing a forensic analysis on two systems that were compromised in the same event in the same facility. As he performs his analysis, he notices that the event appears to have happened almost exactly one hour earlier on one system than the other. What is the most likely issue he has encountered? A. The attacker took an hour to get to the second system. B. One system is set to an incorrect time zone. C. The attacker changed the system clock to throw off forensic practitioners. D. The forensic tool is reading the timestamps incorrectly.
B. One system is set to an incorrect time zone. The most common cause of an hour of difference between two systems in an environment is an incorrectly set time zone. Isaac should check the time zone settings, and then correct his findings based on the time zones set on the systems if necessary.
Naomi is preparing to migrate her organization to a cloud service and wants to ensure that she has the appropriate contractual language in place. Which of the following is not a common item she should include? A. Right-to-audit clauses B. Right to forensic examination C. Choice of jurisdiction D. Data breach notification timeframe
B. Right to forensic examination Contracts commonly include right to audit, choice of jurisdiction, and data breach notification timeframe clauses, but a right to forensically examine a vendor's systems or devices is rarely included. Naomi may want to ask about their incident response process and for examples of previous breach notification and incident documentation shared with customers instead.
Melissa wants to capture network traffic for forensic purposes. What tool should she use to capture it? A. A forensic suite B. Wireshark C. dd D. WinHex
B. Wireshark Even though Wireshark is not a dedicated network forensic tool, since network traffic is ephemeral, capturing it with a packet sniffer like Wireshark is Melissa's best option. Forensic suites are useful for analyzing captured images, not capturing network traffic, and dd and WinHex are both useful for packet capture, but not for network traffic analysis.
Gurvinder wants to follow the order of volatility to guide his forensic data acquisition. Which of the following it the least volatile? A. RAM B. Data on the hard drive C. Backups D. Remote logs
C. Backups Backups are the least volatile of these options according to the order of volatility. Backups will be kept until they are aged out, which may be days, weeks, or even months in some cases. From most to least volatile, these are RAM, data on the hard drive, remote logs, and then backups.
Theresa's organization has received a legal hold notice for their files and documents. Which of the following is not an action she needs to take? A. Ensure that changes to existing documents related to the case are tracked and that originals can be provided. B. Preserve all existing documents relevant to the case. C. Delete all sensitive documents related to the case. D. Prevent backups that contain files related to the case from being overwritten on their normal schedule.
C. Delete all sensitive documents related to the case. Removing information relevant to a legal hold is exactly what the hold is intended to prevent. Theresa's organization could be in serious legal trouble if they were to intentionally purge or change related information.
Charles needs to know about actions an individual performed on a PC. What is the best starting point to help him identify those actions? A. Review the system log. B. Review the event log. C. Interview the individual. D. Analyze the system's keystroke log.
C. Interview the individual. Although it may be tempting to use a technical answer, interviewing the individual involved is the best starting point when a person performed actions that need to be reviewed. Charles can interview the staff member, and then move on to technical means to validate their responses. System and event logs may have some clues to what occurred, but normal systems do not maintain a keystroke log. In fact, the closest normal element is the command log used by both Windows and Linux to allow command-line input to be recalled as needed.
What legal concept determines the law enforcement agency or agencies that will be involved in a case based on location? A. Nexus B. Nonrepudiation C. Jurisdiction D. Admissibility
C. Jurisdiction Jurisdiction is the legal authority over an area or individuals based on laws that create the jurisdiction. Nexus defines whether a relationship or connection exists, such as a local branch or business location. Admissibility determines whether evidence can be used in court. Nonrepudiation ensures that evidence or materials can be connected to their originator.
Charles wants to obtain a forensic copy of a running virtual machine. What technique should he use to capture the image? A. Run dd from within the running machine. B. Use FTK Imager from the virtual machine host. C. Use the VM host to create a snapshot. D. Use WinHex to create a copy from within the running machine.
C. Use the VM host to create a snapshot. Creating a snapshot will provide a complete copy of the system, including memory state that can then be analyzed for forensic purposes. Copying a running system from a program running within that system can be problematic, since the system itself will change while it is trying to copy itself. FTK Imager can copy drives and files, but it would not handle a running virtual machine.
Greg wants to use a tool that can directly edit disks for forensic purposes. What commercial tool could he select from this list? A. dd B. memdump C. WinHex D. df
C. WinHex WinHex is a commercial disk editor that provides a number of useful forensic tools that can help with investigations and data recovery. The other tools are open source tools.
Cynthia wants to make an exact copy of a drive using a Linux command-line tool. What command should she use? A. df B. cp C. dd D. ln
C. dd dd is a copying and conversion command for Linux and can be used to create a forensic image that can be validated using an MD5sum or SHA1 hash. The other commands are df for disk usage, cp for copying files, and ln to link files.
What is the document that tracks the custody or control of a piece of evidence called? A. Evidence log B. Audit log C. Event report D. Chain of custody
D. Chain of custody Chain-of-custody documentation tracks evidence throughout its lifecycle, with information about who has custody or control and when transfers happened, and continues until the evidence is removed from the legal process and disposed of. The other terms are not used for this practice.
Alaina wants to maintain chain of custody documentation and has created a form. Which of the following is not a common element on a chain of custody form? A. Item identifier number B. Signature of the person transferring the item C. Signature of the person receiving the item D. Method of transport
D. Method of transport Chain of custody tracks who has an item, how it is collected, where it is stored and how, how it is secured or protected, who collected it, and transfers, but it does not typically include how the items were transported because that is not relevant if the other data is provided.
Which of the following is a memory forensics toolkit that includes memdump? A. FTK Imager B. WinHex C. dd D. Volatility
D. Volatility The Volatility Framework is a memory forensics toolkit that includes memdump. FTK Imager does contain a capture memory function, WinHex can dump memory, and dd can be used in a limited fashion to capture memory, but none of these tools builds in a function called memdump.
Frank is concerned about the admissibility of his forensic data. Which of the following is not an element he should be concerned about? A. Whether the forensic source data has remained unaltered B. Whether the practices and procedures would survive review by experts C. Whether the evidence is relevant to the case D. Whether the forensic information includes a timestamp
D. Whether the forensic information includes a timestamp Forensic information does not have to include a timestamp to be admissible, but timestamps can help build a case that shows when events occurred. Files without a timestamp may still show other information that is useful to the case or may have other artifacts associated with them that can provide context about the time and date.