15 - Digital Forensics Flashcards

Question 18 has been omitted for clarity. Be able to explain the key aspects of digital forensics.

1
Q

Cynthia wants to make an exact copy of a drive using a Linux command-line tool. What command should she use?

A

dd

2
Q

Greg wants to use a tool that can directly edit disks for forensic purposes. What commercial tool could he select from this list?

  • dd
  • memdump
  • WinHex
  • df
A

WinHex

3
Q

Gabby wants to capture the pagefile for a system. Where will she find the pagefile stored?

A

On Disk

4
Q

Which of the following is a memory forensics toolkit that includes memdump?

  • FTK Imager
  • WinHex
  • dd
  • Volatility
A

The Volatility Framework

5
Q

Charles wants to obtain a forensic copy of a running virtual machine. What technique should he use to capture the image?

A

Use the VM host to create a snapshot

6
Q

Melissa wants to capture network traffic for forensic purposes. What tool should she use to capture it?

A

Wireshark

7
Q

Frank is concerned about the admissibility of his forensic data. What are elements he should be concerned about?

A

Whether the forensic source data has remained unaltered; whether practices and procedures would survive review by experts; and whether the evidence is relevant to a case.

8
Q

What is a document that tracks the custody or control of a piece of evidence called?

A

Chain of Custody

9
Q

Isaac is performing a forensic analysis on two systems that were compromised at the SAME TIME. As he performs his analysis, he notices that the event appears to have happened almost exactly one hour earlier on one system compared to the other. What is MOST LIKELY the issue he has encountered?

A

One system is set to an incorrect time zone

10
Q

What legal concept determines which law enforcement agency or agencies will be involved in a case based on its location?

A

Jurisdiction

11
Q

Michael wants to acquire the firmware from a running device for analysis. What method is most likely to succeed?

A

Use forensic MEMORY acquisition techniques

12
Q

Charles needs to know about actions an individual performed on a PC. What is the best STARTING point to help him identify those actions?

A

Interview the Individual

13
Q

Maria has acquired a disk image from a hard drive using dd, and she wants to ensure that her process is forensically sound. What should her next step be after completing the copy?

A

Compare the hashes of the source and target drives

14
Q

Alex has been handed a flash media device that was quick-formatted and has been asked to recover any data. What data might remain on the drive?

A

Files will remain, but file indexes will not. (Gee-whiz: Recovery tools look for those files on the drive and piece them back together using metadata, headers, and other clues that help to recover the data.)

15
Q

Naomi is preparing to migrate her org to a cloud service and wants to ensure that she has the appropriate contractual language in place. What are common items she should include?

A

Contracts commonly include a right to audit, choice of jurisdiction, and data-breach notification timeframe clauses; they do not normally include a right to examine a vendor’s systems or devices.

16
Q

Alaina wants to maintain a chain of custody documentation and has created a form. Which of the following is NOT a common element on a chain of custody form?

  • Item ID number
  • Signature of person transferring item
  • Signature of person receiving the item
  • Method of transport
A

Method of transport

17
Q

Henry wants to use an open source forensic suite. Which of the following tools should he select?

  • Autopsy
  • EnCase
  • FTK
  • WinHex
A

Autopsy is the only open source suite out of this list

18
Q

Gurvinder wants to follow the order of volatility to guide his forensic data acquisition. Which of the following is the least volatile?

  • RAM
  • Data on the hard drive
  • Backups
  • Remote Logs
A

Backups

19
Q

What is the key difference between hashing and checksums?

A

Both can validate integrity, but a hash also provides a unique digital fingerprint