Ch. 6 Current Digital Forensics Tools

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

7. List three subfunctions of the extraction function.

data viewing, keyword searching, decompressing, carving, decrypting, and bookmarking.

5. Hardware acquisition tools typically have built-in software for data analysis. True or False?

most are used only for acquisition

14. A live acquisition is considered an accepted practice in digital forensics. True or False?

true

19. The primary hash the NSRL project uses is SHA-1. True or False?

true

write-blocker

A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt-13 write functions to a drive in a PC's BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation.

2. According to ISO standard 27037, which of the following is an important factor in data acquisition? (Choose all that apply.) a. The DEFR's competency b. The DEFR's skills in using the command line c. Use of validated tools d. Conditions at the acquisition setting

A & B

National Software Reference Library (NSRL)

A NIST project with the goal of collecting all known hash values for commercial software and OS files.

9. Hash values are used for which of the following purposes? (Choose all that apply.) a. Determining file size b. Filtering known good files from potentially suspicious data c. Reconstructing file fragments d. Validating that the original data hasn't changed

Filtering known good files from potentially suspicious data. Validating that the original data hasn't changed

16. The standards for testing forensics tools are based on which criteria? a. U.S. Title 18 b. ASTD 1975 c. ISO 17025 d. All of the above

ISO 17025

12. What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?

It enables you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive.

15. Which of the following is true of most drive-imaging tools? (Choose all that apply.) a. They perform the same function as a backup. b. They ensure that the original drive doesn't become corrupt and damage the digital evidence. c. They create a copy of the original drive. d. They must be run from the command line.

They ensure that the original drive doesn't become corrupt and damage the digital evidence. They create a copy of the original drive.

3. One reason to choose a logical acquisition is an encrypted drive. True or False?

True

4. Hashing, filtering, and file header analysis make up which function of digital forensics tools? a. Validation and verification b. Acquisition c. Extraction d. Reconstruction

Validation and verification

keyword search

A method of finding files or other information by entering relevant characters, words, or phrases in a search tool.

Computer Forensics Tool Testing (CFTT)

A project sponsored by the National Institute of Standards and Technology to manage research on digital forensics tools.

validation

A way to confirm that a tool is functioning as intended; one of the functions of digital forensics tools.

password dictionary attack

An attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use a password dictionary to compare potential passwords to an encrypted file's password or passphrase hash values.

1. Forensic software tools are grouped into ____________ and _______________ applications.

CL and GUI

18. When validating the results of a forensic analysis, you should do which of the following? (Choose all that apply.) a. Calculate the hash value with two different tools. b. Use a different tool to compare the results of evidence you find. c. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. d. Use a command-line tool and then a GUI tool.

Calculate the hash value with two different tools. Use a different tool to compare the results of evidence you find.

10. In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False?

False

13. Building a forensic workstation is more expensive than purchasing one. True or False?

False

8. Data can't be written to disk with a command-line tool. True or False?

False

11. The verification function does which of the following? a. Proves that a tool performs as intended b. Creates segmented files c. Proves that two sets of data are identical via hash values d. Verifies hex editors

Proves that two sets of data are identical via hash values

6. The reconstruction function is needed for which of the following purposes? (Choose all that apply.) a. Re-create a suspect drive to show what happened. b. Create a copy of a drive for other investigators. c. Recover file headers. d. Re-create a drive compromised by malware.

Re-create a suspect drive to show what happened.

17. A log report in forensics tools does which of the following? a. Tracks file types b. Monitors network intrusion attempts c. Records an investigator's actions in examining a case d. Lists known good files

Records an investigator's actions in examining a case

acquisition

The process of creating a duplicate image of data; one of the required functions of digital forensics tools.

verification

The process of proving that two sets of data are identical by calculating hash values or using another similar method.

extraction

The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the required functions of digital forensics tools.

reconstruction

The process of rebuilding data files; one of the required functions of digital forensics tools.

brute-force attack

The process of trying every combination of characters—letters, numbers, and special characters typically found on a keyboard—to find a matching password or passphrase value for an encrypted file.


Set pelajaran terkait

Chapter 15: Structure and function of the Neurologic System

View Set

CP AMERICAN HISTORY: Chapter 20.1 Notes

View Set

MSII Prep U Ch. 65 Assessment of Neurologic Function

View Set

Urinary unit 10 --- hematological unit 11---105

View Set