Forensics Chapter 6
Hardware acquisition tools typically have built-in software for data analysis. True or False?
False
In testing tools, the term "reproducible results" means that if you work in the same lab, on the same machine, you generate the same results. T or F?
False
The primary hash the NSRL project uses is SHA-1. True or False?
False
Forensic software tools are grouped into _____ and _____ applications
GUI and Command Line
The verification function does which of the following?
Proves that two sets of data are identical via hash values
Which of the following is true of most drive-imaging tools?
They ensure the original drive doesn't become corrupt and damage the digital evidence, they create a copy of the original drive
A live acquisition is considered an accepted practice in digital forensics. True or False?
True
One reason to choose a logical acquisition is an encrypted drive. True or False?
True, because you can still read and analyze the files. Requires a live acquisition because you need to log onto the system
Hash values are used for which of the following purposes?
Validating that original data hasn't changed and Filtering known good files from potentially suspicious data
Hashing, filtering, and file header analysis make up which function of computer forensics tools?
Validation and verification?
Data can't be written to the disk with a command-line tool. True or False?
False
Building a forensic workstation is more expensive than purchasing one. True or False?
Can be.. yes?
According to ISO standard 27037, which of the following is an important factor in data acquisition?
DEFR's competency, the use of validated tools.
List three subfunctions of the extraction function
Data viewing, keyword searching, decompressing or uncompressing, carving, decrypting, bookmarking or tagging
What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?
Enables you to remove and reconnect drives without having to shut down your workstation
The reconstruction function is needed for which of the following purposes?
Re-create a suspect drive to show what happened, create a copy of a drive for other investigators, re-create a drive compromised by malware
A log report in forensics tools does which of the following?
Records an investigator's actions in examining a case
The standards for testing forensics tools are based on which criteria?
Standard testing methods and ISO 17025 criteria for when no current standards are available. 271-272