Chapter 5

Question 1

Sanitization Methods

Answer 1

Clear: overwrite storage space on the media with non-sensitive data

Destroy: Disintegrate, pulverize, melt, shred, shoot

Question 2

Aftermath of an Incident

Answer 2

Identify shortcomings in risk assessment, policy, or implementation. repair the problems caused by the incident. Hold the person accountable if it was caused by a malicious act, collect evidence to clearly tie them to the event

Question 3

Digital Forensics

Answer 3

What data shoudl we collect before an incident occurs? What data are we allowed to collect from an individuals personal computer? What data can we retrieve from persistent memories like USBs, and hard drives?

Question 4

Fault and due diligence

Answer 4

In the US parties involved in an incident may be blamed for what they do or don’t do EG if a party should have prevented the incident but they failed to do so. There are customary acts to take for safety and security, parties are less at fault if they show due diligence.

Question 5

Types of legal disputes

Answer 5

Private action: one aprty acts against another based on a shared relationship

Mediation: Two parties rely on a third party to negotiate a settlement

Civil complaint: A party files a lawsuit against another. settled in court unless settled informally ahead of time.

Criminal Compliant: A person is charged for breaking specific laws.

Question 6

Admissible evidence

Answer 6

In private actions and mediation we can use informal evidence but mediators might demand admissable evidence. Civil and criminal we can only use admissible evidence.

Question 7

Collecting digital evidence

Answer 7

Must yield admissible evidence. There must be no modifications since collection.

Question 8

Process of collecting digital evidence

Answer 8

1) securing the scene
2) documenting the scene
3) Collecting the evidence

Question 9

Digital evidence procedures

Answer 9

take pictures of powered on devices. for most devices simply remove power source. If we reboot the OS we may modify or destroy evidence. Using CoC document all serial numbers, cords, and connections before removal, seal each item in an evidence bag

Question 10

Forensic Hard Drive Analysis

Answer 10

Do not use native OS to analyze contents. 1) do an integrity check (md5,sha)
2)copy the hard drive and do the integrity check again.
analyze the copy, not the original, after you collect the evidence recalculate the integrity check.

Question 11

Sectors and Clusters

Answer 11

sectors are independent data blocks on the hard drive, each can be read or written individually. Clusters are a series of sectors treated as a single block by the file system.

Question 12

Partitions

Answer 12

breaking up the overall drive into smaller, individual drives.

Question 13

FAT File System

Answer 13

Intorduced in MSDOS, widely used, used in cameras and flash drives and many other digital devices. Supports modern features like Long, mixed case filenames, hierarchical directories, and individual file sized up to 4GB.

Question 14

FAT Volume Layout

Answer 14

bootblocks, file allocation table, root, clusters

Question 15

Boot Blocks

Answer 15

contain bootstrap program on bootable drive, contains details on the volume format like how large the clusters are, FAT, root directory.

Question 16

FAT file deletion

Answer 16

locate the file’s directory entry and mark it as empty, if the file has a large name mark those entries empty as well. For each cluster in file retrieve the FAT entry and change the entry to show the cluster is free. You can undelete files because deletion doesn’t erase data it just modifies the FAT and directory

Question 17

Shortcomings of FAT

Answer 17

File sizes are limited to 4GB, small FAT systems can’t recover if errors strike the root directory, searches are slow on really large directories, FAT files can’t identify an owner, FAT files can’t support access restrictions beyond very simple ones.

Question 18

Modern File systems

Answer 18

HFS+ (apple), NTFS (Microsoft), UFS (unix)

Question 19

API

Answer 19

Application Programming Interface, simple and standard way for programs to use IO devices and files.

Question 20

Device Independence

Answer 20

Converts API operations into specific commands to individual devices. The file system converts file operations into API operations performed on the hard drive.