4 - Evidence acquisition

Question 1

Outer boxes/Inner boxes

Answer 1

Computers holding potential evidence/

Network components connecting outer boxes

Question 2

Properties of forensic tools

Answer 2

Usability - present data at a useful layer of abstraction
Comprehensiveness - reveal all relevant data
Accuracy
Determinism
Verifiability
Performance

Question 3

First responder forensic toolkit

Answer 3

Mobile forensic workstation
Bootable forensically sound OS and storage devices
Write blocker
Faraday bag

Question 4

Obstacles to evidence acquisition

Answer 4

Heterogeneity of technology
High dynamism of system state
Volatility of the system - tells how long data can survive in a system and depends on a consistent power supply and how fast data changes
Accessibility of digital artifacts
Potentially large amount of data

Question 5

Procedure for data extraction from device

Answer 5

Copy the data
Calculate the hash
Create at least another copy

Question 6

Methods for copying the data

Answer 6

Logical acquisition - select relevant files
Bit-stream copy - exact bit-by-bit copy
Over the network

Question 7

Computer is off

Answer 7

Leave it off, tape the power receptacle, bag the power cable. If it is a laptop bag the battery
If you cant bring the computer bring the hard disks, if you cant do that boot a trusted OS and perform a bit-stream copy

Question 8

Computer is on

Answer 8

Pull the plug and that may help preserve evidence but it can also loose evidence

Question 9

Unplug the network cable

Answer 9

Generally advisable
Destroys the opportunity to list the active connections and gather network traffic and it can seriously impact a business

Question 10

Password

Answer 10

Do live forensics if not protected, else turn off

Question 11

Useful data to collect

Answer 11

File and network connections
Processes
Users
Memory
Volumes and file systems
Applications
System specific structures