Chapter 3 - Data Acquisition Flashcards

1
Q

Advanced Forensic Format (AFF)

A

A file format designed for the storage and exchange of forensic evidence. It is a flexible format that allows for the inclusion of metadata and can handle multiple images and data types. An example of its use would be a digital forensic investigator using AFF to create a forensic image of a hard drive during an investigation.

2
Q

Host protected area (HPA)

A

A hidden area on a hard drive that can be used to store data or software. It can be used by manufacturers to store firmware or diagnostic tools, but it can also be used by attackers to hide malicious code. An example of its use would be a manufacturer using HPA to store diagnostic tools on a hard drive to make it easier to service.

3
Q

Live acquisitions

A

The process of collecting evidence from a running system or device, while it is still operational. This can include collecting data from memory, network connections, and running processes. An example of its use would be a digital forensic investigator collecting data from a computer that is still turned on and in use during an investigation.

4
Q

Logical acquisition

A

The process of collecting data from a device or system based on its logical structure, such as files and directories. This can include data recovery from deleted files or partitions. An example of its use would be a digital forensic investigator recovering data from a deleted file on a hard drive during an investigation.

5
Q

Raw format

A

A file format that contains the entire contents of a disk or other storage device, including any unused space. It can be used for forensic imaging, but is not suitable for data recovery or analysis. An example of its use would be a digital forensic investigator creating a raw image of a hard drive during an investigation.

6
Q

Redundant array of independent disks (RAID)

A

A storage system that uses multiple disks to improve performance and reliability. RAID can be challenging to image and analyze, as data can be distributed across multiple disks. An example of its use would be a company using RAID to store important data and files on their server to improve performance and reliability.

7
Q

Sparse acquisition

A

A type of forensic imaging that only captures the used portions of a disk or other storage device, rather than imaging the entire device. This can be useful for reducing the time and storage space required for forensic imaging. An example of its use would be a digital forensic investigator capturing only the used portions of a hard drive during an investigation to reduce the amount of data that needs to be analyzed.

8
Q

Static acquisitions

A

The process of collecting evidence from a device or system that is turned off or disconnected. This can include removing hard drives or other storage devices for forensic analysis. An example of its use would be a digital forensic investigator removing a hard drive from a computer for analysis during an investigation.

9
Q

Whole disk encryption

A

A security measure that encrypts the entire contents of a disk or other storage device, rather than individual files or directories. It can make data recovery and forensic analysis more challenging, as the data is inaccessible without the encryption key. An example of its use would be a company encrypting their hard drives to protect sensitive data from unauthorized access.

10
Q

The main goal of a static acquisition is to

A

collect evidence from a device or system that is turned off or disconnected.

11
Q

The three formats for digital forensics data acquisitions are

A

raw format, proprietary format, and logical format.

12
Q

Two advantages of the raw format are that it

A

captures the entire contents of a disk and can be used for forensic imaging. Two disadvantages are that it can be large in size and is not suitable for data recovery or analysis.

13
Q

Two features common with proprietary format acquisition files are that they

A

may include encryption and may require specialized software for analysis.

14
Q

The unofficial standard for proprietary formats is

A

EnCase

15
Q

Two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive are

A

FTK Imager and EnCase.

16
Q

A logical acquisition collects data based

A

on the logical structure of the device or system, such as files and directories.

17
Q

A sparse acquisition collects only the

A

used portions of a disk or storage device, rather than imaging the entire device.

18
Q

When determining which data acquisition method to use, you should consider factors such as

A

the type of device or system, the size of the storage media, and the type of data being collected.

19
Q

It is a good practice to make two images of a suspect drive in

A

a critical investigation in case one image becomes corrupted or compromised.

20
Q

When performing an acquisition at a remote location,

A

you should consider factors such as network bandwidth, access permissions, and security measures such as encryption.

21
Q

With newer Linux kernel distributions, a hot-swappable device containing evidence may

A

automatically mount, potentially altering or compromising the evidence.

22
Q

The dcfldd command may not be correct as it assumes the suspect drive is located at

A

/dev/hda1, which may not always be the case.

23
Q

The most critical aspect of digital evidence is maintaining its

A

integrity to ensure it is admissible in court.

24
Q

A hashing algorithm is a mathematical function that generates

A

a unique digital signature or hash value for a given set of data.

25
Q

The three options used for validating data in the dcfldd command

A

are hash, md5, and sha1.

26
Q

The maximum file size when writing data to a FAT32 drive

A

is 4 GB.

27
Q

Two concerns when acquiring data from a RAID server are that

A

the data may be distributed across multiple disks and that RAID configurations can be complex and may require specialized tools for analysis.

28
Q

Problems to be aware of with remote acquisitions

A

include data transfer speeds, access permissions over the network, and security measures such as antivirus and firewall programs.

29
Q

Forensic tools that can connect to a

A

suspect’s remote computer and run surreptitiously include RATs (Remote Access Trojans) and backdoors.

30
Q

EnCase, FTK, SMART, and ILookIX treat an image file as a separate file, not as the original disk.

A

False.

31
Q

FTK Imager can acquire data from a drive’s host protected area.

A

True.