Chapter 4 Flashcards
What is the first step in examining a suspect machine according to the text?
Check for running processes
What command is used to show network statistics and any current connections?
netstat
How is the net sessions command different from the netstat command?
Net sessions shows only established network communication sessions while netstat shows all connections
What are the two free tools mentioned in the text that can capture memory?
Magnet RAM Capture and DumpIt
What should be done before shutting down a suspect system?
Run certain commands and photograph the results
Why is it important to record BIOS information before dismantling a computer for forensic examination?
To document the system’s hardware configuration
What hashing algorithm is most commonly used according to the text?
SHA1
What is the purpose of a swap file?
To optimize the use of random access memory (RAM)
What is the order of data collection in digital forensics?
Collect volatile data, then temporary data, then persistent data
What is steganized information?
Information concealed within other files or buried inside the 1s and 0s of a picture
What are the three techniques of forensic analysis?
Live analysis, physical analysis, logical analysis
What is the function of swap files?
They work on a queue system and store data that was live in memory and not stored on the suspect drive
What is a swap file?
A virtual memory extension of RAM
What are the fields of the TLN timeline format?
Time, Source, System, User, Description
What is the Master Boot Record (MBR) in the context of digital forensics?
A single sector, leaving 62 empty sectors for hiding data