15 Digital Forensics

Question 1

What drives forensic activities in organizations?

Answer 1

Legal holds and e-discovery processes

Legal holds require organizations to preserve and protect relevant information for active or pending cases, while e-discovery involves providing forensic data as part of legal cases.

Question 2

What must organizations build to respond to legal holds and e-discovery requirements?

Answer 2

Capability and technology to respond appropriately

This is essential to avoid losing cases in court and to support incident response processes.

Question 3

What is the principle of order of volatility?

Answer 3

A principle used to determine the most and least volatile system components

Forensic practitioners use this to decide what to capture first during an acquisition.

Question 4

What do acquisition techniques and procedures ensure?

Answer 4

Usable and admissible forensic data

They are crucial since different system components may change or be lost during the forensic acquisition process.

Question 5

What is a key aspect of the forensic acquisition process?

Answer 5

Taking into account the order of volatility and acquisition circumstances

This is vital as part of incident response or legal holds.

Question 6

What do image acquisition tools do?

Answer 6

Copy disks and volumes using a bit-by-bit method

This captures the complete image including unused or slack space.

Question 7

What must incident responders maintain while capturing data?

Answer 7

A chain of custody

This is critical alongside the technical requirements of the systems or devices.

Question 8

What is hashing used for in the forensic process?

Answer 8

To ensure acquired data matches its source

Commonly used hashing methods include MD5 and SHA1.

Question 9

What is a limitation of checksums in forensic data validation?

Answer 9

They do not create unique fingerprints like hashes

Checksums can ensure data is unchanged but lack the specificity of hashes.

Question 10

What must forensic reports summarize?

Answer 10

Key findings of the forensic analysis

They should also explain the processes, procedures, tools, and any limitations impacting the investigation.

Question 11

What do forensic reports conclude with?

Answer 11

Recommendations or overall conclusions

These conclusions should be more detailed than the summary provided.

Question 12

Fill in the blank: Forensic practitioners use _______ to ensure data integrity.

Answer 12

Hashing

Hashing helps verify that the acquired data has not been altered.

Question 13

True or False: The forensic analysis ends when the technical examination is complete.

Answer 13

False

Forensic analysis continues with the creation of detailed reports outlining findings and methodologies.