Ch. 4: Collecting, Seizing, and Protecting Evidence


True or False? One benefit of using automated forensic systems is that you do not have to know how to perform all forensic processes manually.

false; Even if you use automated forensic systems, it is critical that you know how to perform all forensic processes manually.

True or False? After imaging a drive, the purpose of creating a hash of the original and the copy is to label them for documentation.

false; The purpose of creating a hash of the original and the copy is to verify that nothing was altered.

True or False? Exif data is associated with temporary internet files.

false; Exif stands for exchangeable image file format and is associated with image files.

True or False? When seizing a mobile phone at a crime scene, you must remove the SIM card before transporting the device to the lab.

false; It is not always required to remove the SIM card. Most modern mobile forensic tools acquire the phone directly once it is connected to the acquisition device. What does matter before transport is isolating the phone from the network (airplane mode or a Faraday bag) so that nothing can be remotely wiped or changed.

True or False? You can recover data from a magnetic hard drive that has been demagnetized.

false; It is not possible to recover data from a hard drive that has been demagnetized.

True or False? Physical analysis is another term for live analysis.

false; Physical analysis looks at a copy of the hard drive's structures and file formats. Live analysis deals with volatile memory, network connections, and the like.

True or False? When seizing a suspect computer, you need to remove drives only if they are currently attached to cabling.

false; If the device you have seized is a computer, you need to remove the drive(s) from the suspect machine even if the drive(s) are not currently attached to any cabling.

There are three specific steps to follow to handle computer evidence. The first step is to ______ the evidence, followed by _______ the evidence, and finally ________ the evidence.

find, preserving, preparing

Hard drives are types of magnetic media that use high and low magnetization to store data on these devices, which is organized by:
tables and charts.
operating system.
levels.
sectors and clusters.

sectors and clusters. The data on magnetic media is organized by sectors and clusters, which are in turn organized in tracks around the platter.

True or False? A basic file system copy does not provide a bit-level copy and is therefore inadequate for forensic analysis.

true

True or False? After imaging a drive, you must always create a hash of the original and the copy.

true
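As an added worked example (not part of the study set), here is the image-and-hash routine the two questions above describe, in Python. Temporary files stand in for the source drive and the image; on a real case the source is a block device opened read-only behind a write blocker, and the hash values are recorded on the chain of custody form. The file names and the 3 MiB of random "evidence" are constructed for the example.

```python
"""Image a source and prove the copy is bit-for-bit identical with hashes.

Added example, not from the original study set. Temporary files stand in for
the source drive and the image; on a real case the source is a block device
opened read-only behind a write blocker, and the hashes are recorded on the
chain of custody form.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024   # stream in 1 MiB blocks, the same idea as dd's bs=1M


def sha256_file(path: str) -> str:
    """Hash a file of any size without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_drive(source: str, image: str) -> int:
    """Bit-level copy of every byte of the source; returns bytes copied."""
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())   # the image must be on disk before it is hashed
    return copied


def verify_image(source: str, image: str) -> bool:
    """True only if source and image hash identically, i.e. nothing was altered."""
    return sha256_file(source) == sha256_file(image)


def flip_one_bit(path: str, offset: int) -> None:
    """Simulate silent corruption (or tampering) of a single bit in the image."""
    with open(path, "r+b") as f:
        f.seek(offset)
        byte = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([byte ^ 0x01]))


def known_answer_check() -> bool:
    """Validate the hashing routine against the published SHA-256 of b'abc'."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"abc")
    ok = sha256_file(path) == "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    os.remove(path)
    return ok


def demo() -> tuple:
    """Image a constructed 3 MiB 'drive', verify, corrupt one bit, verify again."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect.raw")   # constructed stand-in for the evidence drive
    image = os.path.join(workdir, "suspect.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK))              # constructed evidence contents

    hash_before = sha256_file(source)        # hash the source BEFORE imaging
    image_drive(source, image)
    hash_after = sha256_file(source)         # and AFTER: the source must be unchanged too
    clean = hash_before == hash_after and verify_image(source, image)

    flip_one_bit(image, 2 * CHUNK + 123)
    tampered = verify_image(source, image)   # one flipped bit is enough to fail the check

    for p in (source, image):
        os.remove(p)
    os.rmdir(workdir)
    return clean, tampered


if __name__ == "__main__":
    print("tool validation:", known_answer_check())
    print("(clean copy verified, tampered copy verified):", demo())
```

Hashing the source both before and after imaging is the habit to keep: the first hash is what you attest to, the second shows the acquisition itself changed nothing. The known-answer check is the tool-validation step examiners document once per tool version.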

True or False? Before removing any equipment from a crime scene, a forensic specialist should photograph the equipment in place and label wires and sockets so that computers and peripherals can be reassembled in a laboratory exactly as they were in the original location.

true

True or False? Forensic investigators should usually not attempt to decode encrypted files. Rather, investigators should look for evidence in a computer that tells them what is in the encrypted file.

true

True or False? Incriminating evidence shows, or tends to show, a person's involvement in an act, or evidence that can establish guilt.

true

True or False? Many USB drives come with a switch to put them in read-only mode.

true

True or False? RAID 0 is also referred to as disk striping.

true

True or False? The Linux dd command can be used to forensically wipe a drive.

true

True or False? The Linux netcat command reads and writes bits over a network connection.

true

True or False? Universal serial bus is a connectivity technology, not a storage technology.

true

True or False? Whereas physical imaging is making a bit-by-bit copy of a disk, logical imaging uses the target system's file system to copy data to an image for analysis.

true

True or False? The term "scrubber" refers to software that writes over unallocated drive space.

true

True or False? The only way to clean volatile memory is with cleansing devices known as sweepers or scrubbers.

False; The only way to clean unallocated drive space is with cleansing devices known as sweepers or scrubbers.

What is the name of the unused space that is created between the end of a file and the end of the last data cluster assigned to the file?
Unallocated space
Host protected area
File slack
Volume slack

File slack

Which of the following are attributes of a solid-state drive (SSD)?
Reflective pits and flash memory
Microchips and magnetic storage
Flash memory and fast startup time
Tape storage and a read-only mode switch

Flash memory and fast startup time

What disk drive feature is most important for forensic consideration?

Good blocks marked as bad; Suppose that someone manipulates the file system metadata to mark unused blocks as bad. The operating system will no longer access these blocks. These blocks can then be used to hide data.

What version of RAID involves three or more striped disks with parity that protect data against the loss of any one disk?
RAID 3 or 4
RAID 0
RAID 1
RAID 1+0

RAID 3 or 4; RAID 3 (byte-level striping) and RAID 4 (block-level striping) both keep parity on one dedicated disk. RAID 5 also matches the description but spreads parity across all disks; it is not among the options.

Windows uses __________ on each system as a "scratch pad" to write data when additional random access memory (RAM) is needed.
an installed operating system
a swap file
a partition
metadata

a swap file; A swap file is a virtual memory extension of RAM.

What is the definition of "hash"?
The art and science of writing hidden messages
A utility that cleans unallocated space
A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions
An analysis involving using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data

A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions

Joey is investigating an employer-owned computer, which may have been remotely compromised. The computer is still running. What is the correct course of action for Joey to take?
Close all open windows and software, especially any malware, and then shut down the computer.
Capture the current memory, running tasks, and live connections, and then shut the computer down.
Shut down the computer.
Use an external power supply to keep the computer running as it is transported to the lab.

Capture the current memory, running tasks, and live connections, and then shut the computer down.; At a minimum, he needs to see what is currently running on the computer before shutting down. He should also touch it as little as possible: every tool run on the live system changes its memory, so the tools used and the order they were run should be documented.

Which of the following is the best description of volatile data?
Data that is lost when the system is used, such as the swap file and state of network connections
Data that is stored in a hidden location on a disk drive
Data that is sent across a network to another device
Data that has been manually deleted by a user

Data that is lost when the system is used, such as the swap file and state of network connections; Volatile data is lost whenever a system is used, so it should be collected first during a forensic investigation to minimize corruption or loss.

Mary has been asked to analyze a phone to search for texts related to a case. She attempts to take a physical image of a phone and determines that this will not be possible. Mary decides that she will take a logical image instead. What type of data is likely to be missing from the image that she captures?

Deleted files; A logical image copies data through the target system's file system, so it captures only what the file system still lists. Deleted files, file slack, and unallocated space are not reliably captured as part of the image.
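The difference between a logical and a physical image, and where file slack fits in, is easiest to see on a small constructed disk. The following Python is an added example, not part of the study set: it builds an in-memory "disk" with a fixed cluster size and a toy directory table (both constructed; real file systems are more involved), writes a live file over the remains of an older one so that its slack holds residue, writes and then deletes a JPEG-like blob, and compares what each image type yields. The file names, sizes, and contents are all made up for the example; the JPEG start and end markers are the real ones.

```python
"""Why a logical image misses evidence that a physical (bit-level) image keeps.

Added example, not part of the original study set. It builds a constructed
in-memory 'disk' with a fixed cluster size and a toy directory table, then
compares what a logical copy and a physical copy each contain.
"""

CLUSTER = 512                     # constructed cluster size (NTFS default is 4096)
TOTAL_CLUSTERS = 8
JPEG_HEADER = b"\xff\xd8\xff"     # real JPEG start-of-image marker
JPEG_FOOTER = b"\xff\xd9"         # real JPEG end-of-image marker


def build_disk():
    """Return (raw_disk, directory) for a constructed scenario:
    - report.txt : 700 bytes, live, in clusters 0-1, with old residue in its file slack
    - photo.jpg  : deleted; clusters 2-3 are unallocated but still hold its bytes
    """
    disk = bytearray(CLUSTER * TOTAL_CLUSTERS)
    directory = {}

    # Residue from an earlier, larger file that once filled clusters 0-1 (constructed).
    residue = (b"OLD NOTE: wire transfer ref 4471 " * 40)[:2 * CLUSTER]
    disk[0:2 * CLUSTER] = residue
    # The live file overwrites only its first 700 bytes; bytes 700..1023 are file slack.
    report = (b"Quarterly report: nothing to see here. " * 20)[:700]
    disk[0:700] = report
    directory["report.txt"] = {"start": 0, "size": 700}

    # A JPEG-like blob in clusters 2-3, then "deleted": the directory entry goes
    # away and the clusters become unallocated, but nothing overwrites the bytes.
    photo = JPEG_HEADER + b"\xe0" + b"JFIF-constructed-payload" * 20 + JPEG_FOOTER
    start = 2 * CLUSTER
    disk[start:start + len(photo)] = photo
    directory["photo.jpg"] = {"start": 2, "size": len(photo)}
    del directory["photo.jpg"]    # simulate deletion
    return bytes(disk), directory


def logical_image(disk: bytes, directory: dict) -> dict:
    """Copy through the 'file system': only listed files, only up to each file's size."""
    out = {}
    for name, entry in directory.items():
        begin = entry["start"] * CLUSTER
        out[name] = disk[begin:begin + entry["size"]]
    return out


def physical_image(disk: bytes) -> bytes:
    """Bit-for-bit copy of every cluster, allocated or not."""
    return bytes(disk)


def file_slack(image: bytes, entry: dict) -> bytes:
    """Bytes between end-of-file and the end of the file's last assigned cluster."""
    begin = entry["start"] * CLUSTER
    end_of_file = begin + entry["size"]
    clusters_used = -(-entry["size"] // CLUSTER)          # ceiling division
    return image[end_of_file:begin + clusters_used * CLUSTER]


def carve_jpegs(image: bytes) -> list:
    """Signature carving: recover JPEG blobs by header/footer, ignoring the directory."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start < 0:
            break
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end < 0:
            break
        found.append(image[start:end + len(JPEG_FOOTER)])
        pos = end + len(JPEG_FOOTER)
    return found


def compare() -> dict:
    """Summarise what each image type yields for the constructed scenario."""
    disk, directory = build_disk()
    logical = logical_image(disk, directory)
    physical = physical_image(disk)
    slack = file_slack(physical, directory["report.txt"])
    return {
        "logical_files": sorted(logical),
        "logical_total_bytes": sum(len(b) for b in logical.values()),
        "physical_bytes": len(physical),
        "slack_bytes": len(slack),
        "slack_has_residue": b"wire transfer" in slack,
        "carved_jpegs_from_logical": len(carve_jpegs(b"".join(logical.values()))),
        "carved_jpegs_from_physical": len(carve_jpegs(physical)),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The logical copy returns one file of exactly 700 bytes and nothing else. The physical copy returns all 4096 bytes, including 324 bytes of slack that still carry the older note and the deleted JPEG that signature carving recovers. That is the whole argument for physical imaging when it is possible, and for treating a logical image as incomplete when it is not.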

Jiang is a forensic specialist. He seized a suspect computer from a crime scene, removed the hard drive and bagged it, documented and labeled the equipment, took photographs, completed a chain of custody form, and locked the computer in his car. On the way to the lab, he stopped to purchase supplies to use at the next crime scene. What did Jiang do wrong?
He made the drive susceptible to demagnetization by bagging it.
He left the computer unattended while shopping for supplies.
He should not have removed the hard drive at the scene.
He should have performed drive analysis at the scene.

He left the computer unattended while shopping for supplies.

What was designed as an area where computer vendors could store data that is shielded from user activities and operating system utilities, such as delete and format?
Master boot record (MBR)
File slack
Host protected area (HPA)
Volume slack

Host protected area (HPA); To hide data in the HPA, a person would need to write a program to access the HPA and write the data.

Devaki used to work in a forensic examiner's office. She was responsible for processing evidence and documenting the chain of custody. The organization had specific policies regarding chain of custody forms, including the types of pictures required as part of the process......She is ready to remove the hard drive from the suspect machine. What should she do before starting the process?
She should review the processes used by the police precinct to be sure she is using the correct forms and taking the required pictures.
Because she knows what she is doing, she can begin immediately.
She should be sure to use both an evidence form and a separate chain of custody form.
She should verify that all cables are unplugged and then begin processing the machine.

She should review the processes used by the police precinct to be sure she is using the correct forms and taking the required pictures.

Which of the following uses microchips that retain data in nonvolatile memory chips and contains no moving parts?
Solid-state drive (SSD)
Serial Advanced Technology Attachment (SATA)
Parallel Advanced Technology Attachment (PATA)
Integrated Drive Electronics (IDE)

Solid-state drive (SSD)

_______ is an example of volatile data.
A hash
Steganized files
The state of network connections
A word processing file

The state of network connections; Some examples of volatile data are swap files, the state of network connections, and the state of running processes.

_______ is the area of a hard drive that has not been allocated for file storage.
Temporary data
Unallocated space
Volume slack
Basic input/output system (BIOS)

Unallocated space

What kind of data changes rapidly and may be lost when the machine that holds it is powered down?
Nonvolatile data
Persistent data
Volatile data
A hash

Volatile data

Isabella is about to start a forensic investigation on a disk drive that was seized as part of a new case. Before she begins the investigation, she must create an image of the disk. To prepare a disk drive to be used as the target for the image, she must first:
buy a new disk drive to use as a target drive.
delete all the files on the target drive.
burn the target drive to Blu-ray.
forensically wipe the target drive by overwriting every single bit on the drive.

forensically wipe the target drive by overwriting every single bit on the drive; Before you can use a disk drive as the target for an image in a new investigation, you must forensically wipe the target drive (which is the drive to which you will copy the suspect drive contents) to ensure there is no residual data left from a previous case. Forensically wiping is not simply deleting files; it involves actually overwriting every single bit with some pattern.
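The wipe-then-verify step described here (and the earlier question about using dd to wipe a drive) as an added worked example, not part of the study set. A temporary file stands in for the target drive; against a real device the write loop is what `dd if=/dev/zero of=/dev/sdX bs=1M` does, and the verification is a second full read of the device. The device name, the 3 MiB + 17 byte size, and the "previous case" contents are assumptions made for the example. Check the device name (for instance with `lsblk`) before writing; a wipe aimed at the wrong device destroys evidence just as thoroughly as it prepares a target.

```python
"""Forensically wipe a target, then verify that every byte was overwritten.

Added example, not from the original study set. A temporary file stands in for
the target drive; the equivalent for a real device is
'dd if=/dev/zero of=/dev/sdX bs=1M' followed by a full read-back.
"""
import os
import tempfile

CHUNK = 1024 * 1024   # 1 MiB write size, like dd bs=1M


def wipe_target(path: str, fill: int = 0x00) -> int:
    """Overwrite every byte of the target with one fill byte; returns bytes written."""
    size = os.path.getsize(path)
    block = bytes([fill]) * CHUNK
    written = 0
    with open(path, "r+b") as f:          # r+b overwrites in place instead of truncating
        while written < size:
            n = min(CHUNK, size - written)
            f.write(block[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())              # the wipe is not done until it has hit the media
    return written


def verify_wipe(path: str, fill: int = 0x00) -> bool:
    """Read the whole target back; True only if nothing but the fill byte remains."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(fill) != len(block):
                return False
    return True


def demo() -> tuple:
    """Fill a constructed 3 MiB + 17 byte target with old-case data, wipe it, verify."""
    fd, path = tempfile.mkstemp(suffix=".target")
    os.close(fd)
    size = 3 * CHUNK + 17                 # odd size exercises the final partial block
    with open(path, "wb") as f:           # constructed residue from a "previous case"
        f.write((b"previous case evidence " * (size // 23 + 1))[:size])
    dirty_before = not verify_wipe(path)
    written = wipe_target(path)
    clean_after = verify_wipe(path)
    os.remove(path)
    return dirty_before, written == size, clean_after


if __name__ == "__main__":
    print("(had residue, wrote full size, verified clean):", demo())
```

The read-back is the part that makes the wipe defensible: a log line saying "dd completed" is not proof that every sector now holds the pattern. One caveat for flash media: on an SSD the controller's wear levelling can leave copies of old data in cells that a plain overwrite never touches, so the drive's own sanitize or ATA Secure Erase command is the right tool for an SSD target.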

Justin is investigating a digital forensic case. He is looking for incriminating evidence on a computer running Microsoft Windows. He first examines the computer's configuration and notices that a system setting identifies a swap file present on the C: drive. What file should Justin analyze to collect data from the swap file?
mempgr.sys
pagefile.sys
swap.conf
memext.inf

pagefile.sys; Modern Windows operating systems use pagefile.sys as the designated page file by default. The file is used as a storage location for memory pages that no longer fit in RAM, so fragments of whatever was in memory (documents, passwords, chat text) can survive in it. It is a hidden system file that Windows holds open while running, so it should be taken from the disk image rather than copied off the live system.
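A page file has no internal structure to parse; it is raw memory pages, so the usual first pass is string extraction, and on Windows that has to include UTF-16LE text, which the classic ASCII-only `strings` pass misses. The following Python is an added example, not part of the study set: a small extractor that reports offset, encoding and text for every run of printable characters, plus a keyword filter. The sample buffer and its path and account strings are constructed; run the real thing against the pagefile.sys taken from the image, never the live file.

```python
"""Pull readable strings out of a page file chunk, ASCII and UTF-16LE.

Added example, not from the original study set. The SAMPLE_PAGE buffer is a
constructed stand-in for a slice of pagefile.sys.
"""
import re

MIN_LEN = 6   # runs shorter than this are mostly noise


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return (offset, encoding, text) for every printable run of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # 'A\x00B\x00...' pattern
    hits = []
    for m in ascii_re.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)           # offset order, so ASCII and UTF-16 hits interleave naturally


def grep_strings(data: bytes, pattern: str) -> list:
    """Filter extracted strings by a case-insensitive regex, e.g. a case keyword."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [h for h in extract_strings(data) if rx.search(h[2])]


# Constructed sample: an ASCII path, a UTF-16LE sentence, and some junk, as page
# memory typically looks. Nothing here comes from a real system.
SAMPLE_PAGE = (
    b"\x00" * 16
    + b"C:\\Users\\jdoe\\Documents\\invoice_draft.docx"
    + b"\x00" * 8
    + "Transfer confirmed: ACCT-2291".encode("utf-16-le")
    + b"\x00" * 8
    + b"ab\x01cd"                 # too short and non-printable: ignored
)


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_PAGE):
        print(f"0x{offset:08x} {enc:9s} {text}")
    print("keyword hits:", grep_strings(SAMPLE_PAGE, r"acct-\d+"))
```

On a real page file the hit list runs to millions of lines, so the practical workflow is to extract once to a file with offsets and then search that, keeping the offsets so that any interesting string can be located again in the image for context.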

