Chapter 3 Review Questions

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

What's the maximum file size when writing data to a FAT32 drive?

2 GB (a limitation of FAT file systems)

What are two advantages and disadvantages of the raw format?

Advantages: faster data transfer speeds, ignores minor data errors, and most forensics analysis tools can read it. Disadvantages: requires equal or greater target disk space, doesn't contain hash values in the raw file (metadata), might have to run a separate hash program to validate raw format data, and might not collect marginal (bad) blocks.

Which forensics tools can connect to a suspect's remote computer and run surreptitiously?

EnCase Enterprise and ProDiscover Incident Response

FTK Imager can acquire data in a drive's host protected area. True or False?

False

In a Linux shell, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1

Wrong. This command reads the image_file.img file and writes it to the evidence drive's /dev/hda1 partition. The correct command is dcfldd if=/dev/hda1 of=image_file.img.

What is a hashing algorithm?

A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk

List two features common with proprietary format acquisition files

Can compress or not compress the acquisition data; can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD; case metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files.

With remote acquisitions, what problems should you be aware of? a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs d. All of the above

D. All of the above

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive

EnCase, SafeBack, and SnapCopy

Of all the proprietary formats, which one is the unofficial standard?

Expert Witness, used by Guidance Software EnCase

With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?

Newer Linux distributions automatically mount the USB device, which could alter data on it.

What's the ProDiscover remote access utility?

PDServer

What's the main goal of a static acquisition?

Preservation of digital evidence

How does ProDiscover Incident Response encrypt the connection between the examiner's and suspect's computers?

ProDiscover provides 256-bit AES or Twofish encryption with GUIDs and encrypts the password on the suspect's workstation.

EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?

True

What are two concerns when acquiring data from a RAID server?

amount of data storage needed, type of RAID server (0, 1, 5, and so on), whether the acquisition tool can handle RAID acquisitions, whether the analysis tool can handle RAID data, and whether the analysis tool can split RAID data into separate disk drives, making it easier to distribute large data sets

When you perform an acquisition at a remote location, what should you consider to prepare for this task?

determine whether there's enough electrical power and lighting and check the temperature and humidity at the location

What does a sparse acquisition collect for an investigation?

fragments of unallocated data in addition to the logical allocated data

In the Linux dcfldd command, which three options are used for validating data?

hash, hashlog, and vf

What does a logical acquisition collect for an investigation?

only specific files of interest to the investigation

Name the three formats for computer forensics data acquisitions.

raw format, proprietary formats, and AFF

What should you consider when determining which data acquisition method to use?

size of the source drive, whether the source drive is retained as evidence, how long the acquisition will take, and where the disk evidence is located

Why is it a good practice to make two images of a suspect drive in a critical investigation?

to ensure at least one good copy of the forensically collected data in case of any failures

What's the most critical aspect of digital evidence?

validation


Set pelajaran terkait

Offentlige myndigheders erstatningsansvar

View Set

Historical issues in psy. (100%)

View Set

Real Estate Unit 8 (Underwriting Residential Property

View Set

Protein Energy Malnutrition (Dr. Low)

View Set

Unit 15:12 Applying Dressings and Bandages

View Set