15 - Digital Forensics Flashcards
Question 18 has been omitted for clarity. Be able to explain the key aspects of digital forensics.
Cynthia wants to make an exact copy of a drive using a Linux command-line tool. What command should she use?
dd
Greg wants to use a tool that can directly edit disks for forensic purposes. What commercial tool could he select from this list?
- dd
- memdump
- WinHex
- df
WinHex
Gabby wants to capture the pagefile for a system. Where will she find the pagefile stored?
On Disk
Which of the following is a memory forensics toolkit that includes memdump?
- FTK Imager
- WinHex
- dd
- Volatility
The Volatility Framework
Charles wants to obtain a forensic copy of a running virtual machine. What technique should he use to capture the image?
Use the VM host to create a snapshot
Melissa wants to capture network traffic for forensic purposes. What tool should she use to capture it?
Wireshark
Frank is concerned about the admissibility of his forensic data. What are elements he should be concerned about?
Whether the forensic source data has remained unaltered; whether practices and procedures would survive review by experts; and whether the evidence is relevant to a case.
What is a document that tracks the custody or control of a piece of evidence called?
Chain of Custody
Isaac is performing a forensic analysis on two systems that were compromised at the SAME TIME. As he performs his analysis, he notices that the event appears to have happened almost exactly one hour earlier on one system compared to the other. What is MOST LIKELY the issue he has encountered?
One system is set to an incorrect time zone
What legal concept determines which law enforcement agency or agencies will be involved in a case based on its location?
Jurisdiction
Michael wants to acquire the firmware from a running device for analysis. What method is most likely to succeed?
Use forensic MEMORY acquisition techniques
Charles needs to know about actions an individual performed on a PC. What is the best STARTING point to help him identify those actions?
Interview the Individual
Maria has acquired a disk image from a hard drive using [dd], and she wants to ensure that her process is forensically sound. What should her next step be after completing the copy?
Compare the hashes of the source and target drives
Alex has been handed a flash media device that was quick-formatted and has been asked to recover any data. What data might remain on the drive?
Files will remain, but file indexes will not - (Gee-whiz: Recovery tools look for those files on the drive and piece them back together using metadata, headers, and other clues that help to recover the data)
Naomi is preparing to migrate her org to a cloud service and wants to ensure that she has the appropriate contractual language in place. What are common items she should include?
Contracts commonly include a right to audit, choice of jurisdiction, and data-breach notification timeframe clauses - they do not normally include a right to examine a vendor’s system or devices