Chapter 13

Question 1

What are the components of a forensic toolkit?

Answer 1

Workstation
Cables and adapters
Forensic software
Write blockers
Duplicators and clones
Removable media (USB)
Camera
Labeling supplies

Question 2

What are the 3 types of carving?

Answer 2

File based
Content
Header and footer

Question 3

What is it called when a set of tools look at data in sections or block by block?

Answer 3

Carving

Question 4

How can you validate files and images?

Answer 4

Hashing

Question 5

Which hashing algorithm is used because it’s fast and available everywhere?

Answer 5

MD 5

Question 6

Which hashing algorithm is used because it’s low risk

Answer 6

Sha-1

Question 7

What is a method used by Linux to pull human readable text

Answer 7

Strings

Question 8

What is it called when attackers use A method that makes code difficulty to read and is apart of a malware package?

Answer 8

Packers

Question 9

What is built in forensics toolkits to look up similar information to compare?

Answer 9

Log viewers

Question 10

What is wireShark’s nickname?

Answer 10

Packet sniffer

Question 11

Which Linux utilities tools are used to sort and analyze packet data?

Answer 11

Topdump and prep

Question 12

. What are disadvantages of using containers in forensics?

Answer 12

Don’t last long in the system
Designed to be disposable
May cause you to lose your forensic evidence

Question 13

Name the 3 areas that are focused on in the post-incident Analysis phase?

Answer 13

Root cause analysis
Forensic analysis
Lessons learned

Question 14

Is the post-incident analysis phase during or after the incident?

Answer 14

During (despite post means after)

Question 15

Name the 2 output by using forensic analysis?.
Forensic analysis = x+y

Answer 15

Root cause
Lessons learned

Question 16

Also known as litigation holds
Requires companies to hold onto (preserve) data for a set period of time

Answer 16

Legal holds

Question 17

Describe in your own words what bit by bit copying means?

Answer 17

Everything is copied to include deleted files, old, old data that has not been overwritten and any leftover space

Question 18

Which Linux utility command is used to clone drives for in raw format to ensure imaging is done right and quickly.

Answer 18

Dd utility

Question 19

What information does a chain of custody include?

Answer 19

. What was collected
Who collected it
When it was collected
What devices were used

Question 20

. What does using write blockers do for people like the FBI?

Answer 20

. Allows agents to clone the targeted drive to ensure no data is altered and all forensic evidence is collected

Question 21

. Name the disadvantages live imaging

Answer 21

May leave leftover data from the imaging process
Contents may change
Malware may detect the imaging
Does not copy the unallocated space

Question 22

What type of capture collects all of the systems before it shuts off because it will be lost

Answer 22

Memory capture

Question 23

Which tools are used for memory capture

Answer 23

Dump it
F mem
Lime
Encase
FTK

Question 24

What ave the 4 primary modes of data acquisition from a mobile device?

Answer 24

Physical- SIM card
Logical
Manual access- looking at all of the phone’s data if it’s unlocked
File system - looks at existing and deleted files