Ch. 4

Question 1

Investigators need to ensure that an acquisition methodology used is forensically sound. Specifically, the acquisition methodology adopted must be _________.

Answer 1

verifiable and repeatable

Question 2

What are the freeware tools that support Raw Format?

Answer 2

• dd
• dc3dd
• dcfldd

Question 3

Because they are always changing, the information in the registers or the processor cache are the most volatile data. True/False.

Answer 3

True. The information in the registers or the processor cache on computers exists for nanoseconds. They are constantly changing and are the most volatile data.

Question 4

What is the process of permanently deleting or destroying data from storage media?

Answer 4

Media sanitization

Question 5

The process of acquiring volatile data from working computers (locked or in sleep condition) that are already powered on is ________.

Answer 5

live data acquisition

Question 6

What is the data called that is stored in the registries, cache, and RAM of digital devices?

Answer 6

Volatile information

Question 7

What are some measures that provide defense mechanisms against evidence alterations?

Answer 7

• Set a hardware jumper to make the disk read-only
• Use operating system and software that cannot write to the disk unless instructed
• Employ a hard disk write block tool to protect against disk writes

Question 8

Investigators can copy smaller redundant array of independent disks (RAID) systems into a single large disk if large storage disks are available and can be used immediately. True/False.

Answer 8

True

Question 9

Hash value calculations generate a unique numerical value for files, which is often considered a digital footprint that represents the uniqueness of a file or disk drive. What are some hashing algorithms?

Answer 9

• MD5
• SHA-1
• CRC-32