Chapter 3

Question 1

What’s the main goal of a static acquisition?

Answer 1

to preserve the digital evidence.

Question 2

Name three formats of digital forensics acquisitions.

Answer 2

Raw Format, Proprietary Formats, Advance Forensic Format

Question 3

What are two advantages and disadvantages of the raw format?

Answer 3

fast data transfers and capability to ignore minor data read errors on the source drive, Requires as much storage space as the original disk or that it might not collect marginal (bad) sectors on the source drive.

Question 4

List two features common with proprietary format acquisition files.

Answer 4

to compress or not to compress, Capability to split an image into smaller segmented files, Capability to integrate metadata into the image file ( date and time, hash values).

Question 5

Of all the proprietary formats, which one is the unofficial standard?

Answer 5

Expert Witness Format

Question 6

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.

Answer 6

EnCase, SafeBack, and SnapCopy

Question 7

What does a logical acquisition collect for an investigation?

Answer 7

only specific files of interest to the case

Question 8

What does a sparse acquisition collect for an investigation?

Answer 8

fragments of unallocated data in addition to the logical allocated data

Question 9

What should you consider when determining what data acquisition method to use?

Answer 9

size of the source drive, whether the source drive be retained as evidence, how long the acquisition will take, and where the disk evidence is located

Question 10

Why is it a good practice to make two images of a suspect drive in a critical investigation?

Answer 10

to ensure at least one good copy of the forensically collected data in case of any failures

Question 11

When you perform an acquisition at a remote location, what would you consider to prepare for this task?

Answer 11

determining whether there’s sufficient electrical power and lighting and checking the temperature and humidity at the location

Question 12

With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?

Answer 12

Newer Linux distributions automatically mount the USB device, which could alter data on it.

Question 13

n a Linux shell the fdisk -1 command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct?
dcfldd if=image_file.img of=/dev/sha1.

Answer 13

False
The correct command is dcfldd if=/dev/hda1 of=image_file.img. If performing the other command without a write blocker could alter the data and thus remove that evidence from existence in a case if no write blocker was used.

Question 14

What is the most critical aspect of computer evidence?

Answer 14

validation

Question 15

What is a hashing algorithm?

Answer 15

A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk

Question 16

The Linux dcfldd command, which tree options are used for validation data?

Answer 16

hash=, hashlog=, and vf=

Question 17

What’s the maximum file size when writing data to a FAT32 drive?

Answer 17

2 GB (a limitation of FAT file systems)

Question 18

What are two concerns when acquiring data from a RAID server?

Answer 18

1) amount of data storage needed.
2) the type of RAID server (0, 1, 5, etc.)
3) whether your acquisition tool can handle RAID acquisitions.
4) whether your analysis tool can handle RAID data
5) whether your analysis tool can split RAID data into separate drives

Question 19

With remote acquisitions, what problems should you be aware of?

Answer 19

a. Data transfer speeds
b. Access permissions over the network
c. Antivirus, antispyware, and firewall programs

Question 20

How does ProDiscover Investigation encrypt the connection between the examiners and suspect’s computers?

Answer 20

ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect’s workstation.

Question 21

What is the ProDiscover remote access program?

Answer 21

PDServer

Question 22

Which computer forensics tools can connect to suspect’s remote computer and run surreptitiously?

Answer 22

EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response

Question 23

EnCase, FTK, SMART, and ILook treat an image file as though it were the original disk.

Answer 23

T

Question 24

FTK Imager can acquire data in a drive’s host protected area.

Answer 24

F

Question 25

Advanced Forensic Format (AFF)

Answer 25

An open-source data acquisition format that stores image data and metadata.

Question 26

An open-source data acquisition format that stores image data and metadata.

Answer 26

Advanced Forensic Format (AFF)

Question 27

host protected area (HPA)

Answer 27

An area of a disk drive reserved for booting utilities and diagnostic programs. It is not visible to the computer’s OS.

Question 28

An area of a disk drive reserved for booting utilities and diagnostic programs. It is not visible to the computer’s OS.

Answer 28

host protected area (HPA)

Question 29

live acquisitions

Answer 29

A data acquisition method used when a suspect computer can’t be shut down to perform a static acquisition.

Question 30

A data acquisition method used when a suspect computer can’t be shut down to perform a static acquisition.

Answer 30

live acquisitions

Question 31

Logical Acquisition

Answer 31

This data acquisition method captures only specific files of interest to the case or specific types of files.

Question 32

This data acquisition method captures only specific files of interest to the case or specific types of files.

Answer 32

Logical Acquisition

Question 33

raw format

Answer 33

A data acquisition format that creates simple sequential flat files of a suspect drive or data set

Question 34

A data acquisition format that creates simple sequential flat files of a suspect drive or data set

Answer 34

raw format

Question 35

redundant array of independent disks (RAID)

Answer 35

Two or more disks combined into one large drive in several configurations for special needs.

Question 36

Two or more disks combined into one large drive in several configurations for special needs.

Answer 36

redundant array of independent disks (RAID)

Question 37

sparse acquisition

Answer 37

This data acquisition method captures only specific files of interest to the case, but also collects fragments of unallocated (deleted) data.

Question 38

This data acquisition method captures only specific files of interest to the case, but also collects fragments of unallocated (deleted) data.

Answer 38

sparse acquisition

Question 39

Static Acquisitions

Answer 39

A data acquisition method used when a suspect drive is write-protected and can’t be altered.

Question 40

A data acquisition method used when a suspect drive is write-protected and can’t be altered.

Answer 40

Static Acquisitions

Question 41

Whole Disk Encryption

Answer 41

An encryption technique that performs a sector-by-sector encryption of an entire drive. Each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.

Question 42

An encryption technique that performs a sector-by-sector encryption of an entire drive. Each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.

Answer 42

Whole Disk Encryption