3-Guide to Computer Forensics and Investigations
What's the maximum file size when writing data to a FAT32 drive?
2 GB (a limitation of FAT file systems)
Image files can be reduced by as much as __________ % of the original when using lossless compression.
50%
What are two advantages and disadvantages of the raw format?
Advantages: faster data transfer speeds, ignores minor data errors, and most forensics analysis tools can read it. Disadvantages: requires equal or greater target disk space, doesn't contain hash values in the raw file (metadata), might have to run a separate hash program to validate raw format data, and might not collect marginal (bad) blocks.
What are two concerns when acquiring data from a RAID server?
Amount of data storage needed, type of RAID server (0, 1, 5, and so on), whether the acquisition tool can handle RAID acquisitions, whether the acquisition tool can handle RAID data, and whether the analysis tool can split RAID data into separate disk drives, making it easier to distribute large data sets.
List two features common with proprietary format acquisition files.
Can compress or not compress the acquisition data; can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD; case metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files.
What are some features offered by proprietary data acquisition formats?
Can compress or not compress the acquisition data; can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD; case metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files.
What are some of the design goals of AFF?
Capable of producing compressed or uncompressed image files; no size restriction for disk-to-image files; space in the image file or segmented files for metadata; simple design with extensibility; open source for multiple computing platforms and OSs; internal consistency checks for self-authentication.
What are the considerations you should have when deciding what data-acquisition method to use on your investigation?
Considerations you should have are the following: the size of the source (suspect) disk; whether you can retain the source disk as evidence or must return it to the owner; how much time you have to perform the acquisition; and where the evidence is located.
Older Microsoft disk compression tools, such as DoubleSpace or ______________, eliminate only slack disk space between files.
DriveSpace
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.
EnCase, SafeBack, SnapCopy
Which forensics tools can connect to a suspect's remote computer and run surreptitiously?
EnCase Enterprise and ProDiscover Incident Response
Of all the proprietary formats, which one is the unofficial standard?
Expert Witness, used by Guidance Software EnCase
FTK Imager can acquire data in a drive's host protected area. True or False?
False
If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available. (T/F)
False
Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics. (T/F)
False
Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume. (T/F)
False
Briefly describe ILookIX IXImager.
It is a stand-alone proprietary format acquisition tool designed to work only with ILookIX. It can acquire single drives and RAID drives. It supports IDE (PATA), SCSI, USB, and FireWire devices. The IXImager proprietary format can be converted to a raw format if other analysis tools are used.
Explain the use of hash algorithms to verify the integrity of lossless compressed data.
It is designed to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or disk drive. This unique number is referred to as a "digital fingerprint." If you alter one thing in the file, no matter how big or small, it produces a different hash value.
Linux ISO images that can be burned to a CD or DVD are referred to as __________.
Linux Live CDs
Autopsy uses ___________ to validate an image.
MD5
With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB drive, containing evidence?
Newer Linux distros automatically mount the USB device, which could alter data on it.
What's the main goal of a static acquisition?
Preservation of digital evidence
In _______________, two or more disk drives become one large volume, so the computer views the disks as a single disk.
RAID 0
For Windows XP, 2000, and NT servers and workstations, RAID 0 or ___________ is available.
RAID 1
_______________, or mirrored striping, is a combination of RAID 1 and RAID 0.
RAID 10
____________, or mirrored striping with parity, is a combination of RAID 1 and RAID 5.
RAID 15
Name the three formats for digital forensics data acquisitions.
Raw format, proprietary formats, Advanced Forensic Format (AFF)
If your time is limited, consider using a logical acquisition or ______________ acquisition data copy method.
Sparse
What are the requirements for acquiring data on a suspect computer using Linux?
To perform a data acquisition on a suspect computer, all you need are the following: a forensics Linux Live CD; a USB, FireWire, or SATA external drive with cables; knowledge of how to alter the suspect computer's BIOS to boot from the Linux Live CD; and knowledge of which shell commands to use for the data acquisition.
A separate manual validation is recommended for all raw acquisitions at the time of analysis. (T/F)
True
Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized. (T/F)
True
EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?
True
FTK Imager requires that you use a device such as a USB dongle for licensing. (T/F)
True
In Autopsy and many other forensics tools raw format image files don't contain metadata. (T/F)
True
Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive. (T/F)
True
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file. (T/F)
True
There's no simple method for getting an image of a RAID server's disks. (T/F)
True
In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1
Wrong. The command reads the image_file.img file and writes it to the evidence drive's /dev/hda1 partition. The correct command is dcfldd if=/dev/hda1 of=image_file.img.
What's a hashing algorithm?
a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk
With remote acquisitions, what problems should you be aware of? a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs d. All of the above e. The password of the remote computer's user
a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs
The _________ command works similarly to the dd command but has many features designed for computer forensics acquisitions.
dcfldd
The _________ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
dd
When you perform an acquisition at a remote location, what should you consider to prepare for this task?
determine whether there's enough electrical power and lighting and check the temperature and humidity at the location
The most common and flexible data-acquisition method is _________.
disk-to-image file
What are the advantages and disadvantages of using raw data acquisition format?
Advantages: faster data transfer speeds, ignores minor data errors, and most forensics analysis tools can read it. Disadvantages: requires equal or greater target disk space, doesn't contain hash values in the raw file (metadata), might have to run a separate hash program to validate raw format data, and might not collect marginal (bad) blocks.
What does a sparse acquisition collect for an investigation?
fragments of unallocated data in addition to the logical allocated data
You use the ________ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512.
hash
In the Linux dcfldd command, which three options are used for validating data?
hash, hashlog, vf
Explain the sparse data copy method for acquiring digital evidence.
It is similar to a logical acquisition but also collects fragments of unallocated (deleted) data; use this method only when you don't need to examine the entire drive.
If the computer has an encrypted drive, a ________ acquisition is done if the password or passphrase is available.
live
Most remote acquisitions have to be done as _______ acquisitions.
live
The ___________ command displays pages from the online help manual for information on Linux commands and their options.
man
What does a logical acquisition collect for an investigation?
only specific files of interest to the case
One major disadvantage of _________ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
proprietary
Current distributions of Linux include two hashing algorithm utilities: md5sum and ________.
sha1sum
What should you consider when determining which data acquisition method to use?
size of the source drive, whether the source drive is retained as evidence, how long the acquisition will take, and where the disk evidence is located
Typically, a(n) __________ acquisition is done on a computer seized during a police raid, for example.
static
Why is it good practice to make two images of a suspect drive in a critical investigation?
to ensure at least one good copy of the forensically collected data in case of any failures
What's the most critical aspect of digital evidence?
validation
Microsoft has added ____________ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.
whole disk encryption