Data Acquisition Flashcards

1
Q

Data Acquisition

A
  • making a forensic copy of evidence, which could be any type of media
    • hard disk drive, USB, CD/DVD, etc
2
Q

Why do we Acquire?

A
  • NEVER work directly on a suspect machine
  • 1st: you might damage or alter the evidence
  • 2nd: the client likely cannot afford to have the machine out of service for the length of the investigation
  • 3rd: with only one copy, multiple teams or investigators cannot work on the same case in parallel
3
Q

What is important to remember about the first image taken?

A
  • You’re not supposed to work on the first image you take
  • the original image is preserved as the master copy; working copies are made from it for the actual analysis
4
Q

Order of Volatility?

A
  • registers
  • CPU cache
  • RAM
  • HDD
  • external and secondary storage devices
  • (listed from most volatile to least volatile; collect in this order)
5
Q

What are the two types of data acquisition?

A
  • static
  • dynamic/live
6
Q

Static Acquisition

A
  • gathering non-volatile data
  • gathering the data that remains intact after the system reboots or goes down
  • hard disks, flash disks
7
Q

Dynamic Acquisition

A
  • gathering volatile data while the system is still running
8
Q

Which type of acquisition is typically done first?

A
  • dynamic (live) first; volatile data is at the highest risk of being lost, so it is collected before the static image is taken
9
Q

Raw Format

A
  • simplest format to save an image
  • every sector is read from the source device and written, bit for bit, to a file
  • the image file can be mounted later and analyzed for evidence
10
Q

What are the benefits of Raw Format?

A
  • offers a faster transfer rate (no compression or encoding step)
  • readable by most forensic tools, which gives the flexibility to move between different frameworks
11
Q

What are some things to be aware of with Raw Format?

A
  • takes up the same amount of space as the source device (no compression)
  • ignores minor read errors on the source disk, so marginal (bad) sectors may not be collected
  • carries no metadata or hash of its own, so the hashes must be computed and recorded separately
12
Q

What tool allows a disk to be imaged and split into multiple smaller files?

A
  • dd, with its output piped through split (the forensic variants dcfldd and dc3dd can split the image on their own)
13
Q

Proprietary Format

A
  • commercial tools implement their own file formats
  • the data is compressed for space efficiency, which makes the imaging and analysis process slower
14
Q

What are the advantages of using proprietary formats?

A
  • space efficiency (compression)
  • case-related metadata (case number, examiner, notes, hash values) is stored with the image
  • image data and metadata are in a single file
  • lets the investigator do all the work in a single framework (imaging, analysis, and reporting modules are all in the same tool)
15
Q

What are the disadvantages of using proprietary formats?

A
  • slower, due to the compression/decompression and encoding/decoding steps
  • ties the investigator to the vendor’s framework, since a proprietary format is not guaranteed to be readable by other tools
16
Q

What are the most notable proprietary formats?

A
  • EWF (Expert Witness Format) from EnCase
  • IDIF, IRBF, IEIF from ILook Investigator
  • sgzip from PyFlag
17
Q

Open Source Format

A
  • AFF (Advanced Forensic Format)
18
Q

Data Acquisition vs. Copying

A
  • Imaging IS NOT copying
  • Imaging mirrors the device’s entire storage, every sector, into a file
  • Copying captures only the “useful” (allocated) data the file system exposes; slack space, unallocated space, and deleted data are left behind
19
Q

What needs to be considered when copying an image?

A
  • make sure the copy is an exact replica of the original image (hash both and compare the values)
  • make sure the original image is safe from tampering
  • make sure the copying process will not alter the original image
20
Q

What are the two acquisition methods?

A
  • from disk drive to image file (imaging)
  • from disk drive to disk drive (cloning)
21
Q

Imaging

A
  • mirrors the suspect’s hard drive content into an image file
  • imaging a drive creates what is called a “forensic image”
  • the advantage of this method is scalability and efficiency
  • a forensic image does not have to cover a full disk drive; you may image only a particular partition
22
Q

Cloning

A
  • disk drive to disk drive
  • mirrors the suspect’s hard disk content into another hard disk
  • the result is a second disk that is identical to the source disk (a clone)
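The imaging, splitting, cloning and copy-verification steps described in the raw-format and acquisition-method cards above, as a runnable shell example added here; it is not part of the original flashcards. It assumes a POSIX shell with dd, split and sha256sum or shasum. The “suspect disk” is a constructed 1 MiB file standing in for a write-blocked block device, and the file names under the temporary work directory are this example’s own choices.

```shell
#!/bin/sh
# Added example, not taken from the original flashcards: raw acquisition with dd,
# disk-to-image (imaging) and disk-to-disk (cloning), splitting the image, making a
# working copy, and hash-verifying every copy before any analysis starts.
# The "suspect disk" here is a constructed 1 MiB file so the script runs offline as
# a normal user; on a real case if= would be a block device (e.g. /dev/sdb) attached
# through a write blocker, and of= for cloning would be a second, larger device.
set -eu

# SHA-256 of a file: sha256sum where available (Linux), otherwise shasum (macOS/BSD).
hash_file() { { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d ' ' -f 1; }

# Raw acquisition: copy every block from source to destination, nothing else.
# conv=noerror keeps going past an unreadable block instead of aborting the image;
# conv=sync pads that block with zeros so every later offset stays aligned. This is
# the raw-format trade-off from the cards: the image completes, but a bad sector's
# content is silently replaced, and nothing inside the .dd file records that.
acquire_raw() {
    dd if="$1" of="$2" bs=65536 conv=noerror,sync 2>/dev/null
}

# Split an image into fixed-size chunks (for FAT evidence drives or DVD sets).
# Chunks are named <image>.aa, <image>.ab, ... and are reassembled with cat in that order.
split_image() {
    split -b "$2" "$1" "$1."
}

# A copy is only evidence if its hash equals the hash of what it was copied from.
verify_copy() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

WORK=$(mktemp -d)
SUSPECT="$WORK/suspect_disk"   # constructed stand-in for the evidence device
MASTER="$WORK/master.dd"       # the first image: hashed, sealed, never analysed directly
WORKING="$WORK/working.dd"     # copy of the master that the analyst actually works on
CLONE="$WORK/clone_disk"       # stand-in for a second physical disk (cloning)

# Constructed sample "disk": 1 MiB of random bytes.
dd if=/dev/urandom of="$SUSPECT" bs=1024 count=1024 2>/dev/null

acquire_raw "$SUSPECT" "$MASTER"            # disk -> image file
acquire_raw "$SUSPECT" "$CLONE"             # disk -> disk
cp "$MASTER" "$WORKING"                     # working copy comes from the master, not the device
split_image "$MASTER" 256k                  # four 256 KiB chunks
cat "$MASTER".?? > "$WORK/reassembled.dd"   # what a tool does when it loads a split image

# The hashes recorded here are what go into the chain-of-custody notes.
echo "source   $(hash_file "$SUSPECT")"
echo "master   $(hash_file "$MASTER")"

for copy in "$WORKING" "$CLONE" "$WORK/reassembled.dd"; do
    if verify_copy "$MASTER" "$copy"; then
        echo "OK       $copy"
    else
        echo "FAIL     $copy does not match the master image" >&2
        exit 1
    fi
done

# Simulate a corrupted working copy: zero one 4 KiB block and show the check catching it.
TAMPERED="$WORK/tampered.dd"
cp "$MASTER" "$TAMPERED"
dd if=/dev/zero of="$TAMPERED" bs=4096 seek=1 count=1 conv=notrunc 2>/dev/null
if verify_copy "$MASTER" "$TAMPERED"; then
    echo "BUG: tampered copy passed verification" >&2
    exit 1
fi
echo "REJECTED $TAMPERED (hash mismatch)"
```

Run it as an ordinary user; on a case, replace the constructed file with the real device path behind a write blocker. The hashes it prints are the values to record before the working copy is handed to the analysis team, and the deliberately corrupted copy shows why every copy, not just the first image, is re-hashed before use.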
23
Q

Live Acquisition

A
  • used to collect data while the machine is running
  • usually looking for volatile data
  • volatile data lives in memory that does not survive a reboot or loss of power
  • it usually resides in RAM and cache
24
Q

Why is volatile data so fragile?

A
  • the data is not JUST lost on reboot
  • processes running on the machine use the RAM and cache continually
  • every action taken on the machine, including the acquisition itself, changes the contents of RAM
25
Q

Why is volatile data so important?

A
  • it is very likely to hold passwords, encryption keys, messages, domain names, and IP addresses belonging to the running processes
  • very important in cases such as malware analysis and hunting
26
Q

What artifact recovered from memory may allow an investigator to extract and decrypt traffic going between malware and its operator?

A
  • the encryption key, which the malware process must hold in RAM while it communicates
27
Q

SYS info

A
  • generic term that describes basic system information about the machine, the running OS, its configuration, and the installed applications
  • EX: OS version, build, product key, computer name, accounts, CPU model, RAM size, etc.
28
Q

OS Configuration

A
  • installed languages
  • time zones
  • uptime
  • installed updates and hotfixes
29
Q

RAM Dump and Running Processes

A
  • knowing what processes were running at the time of the acquisition might be crucial for the investigation
  • it should help the investigator know what to look for when analyzing the RAM dump acquired
30
Q

Time Stamps

A
  • play a major role in crime reconstruction (building the timeline of events)
  • record the machine’s clock against a trusted time source at acquisition, since clock skew distorts the timeline
31
Q

Network Configurations

A
  • important when a network attack is involved
  • details such as the number of NICs and their MAC and IP addresses
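A minimal live-response collector for the volatile items the cards above describe (system time, running processes, network configuration, uptime, logged-in users, system info and attached storage), added here as an example; it is not part of the original flashcards. It is written for a Unix-like host with a POSIX shell and the ps, date, uname, uptime, who and df commands; the artifact names, the case-directory layout and the manifest format are this example’s own choices. A full RAM dump is left out because it needs a kernel module or driver (such as LiME or winpmem) rather than a shell script.

```shell
#!/bin/sh
# Added example, not part of the original flashcards: gather volatile data in rough
# order of volatility, save each artifact to a case directory, and hash every artifact
# into a manifest so the collection can be verified later. Assumptions: POSIX sh with
# ps, date, uname, uptime, who and df; the network commands are tried in turn because
# their names differ across platforms. A RAM dump itself is out of scope (it needs a
# kernel module or driver); this shows the ordering and bookkeeping around it.
set -u

CASE=${CASE:-$(mktemp -d)}       # case directory; override with CASE=/mnt/usb/case-001
hash_file() { { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d ' ' -f 1; }
now_utc()   { date -u +%Y-%m-%dT%H:%M:%SZ; }

# collect <artifact-name> <command...>: run the command, store its output, log its hash.
# The collector's own timestamp goes into the manifest next to the hash, because the
# suspect machine's clock may be wrong and the analyst needs both for the timeline.
collect() {
    name=$1; shift
    out="$CASE/$name.txt"
    "$@" > "$out" 2>&1 || true           # a failing command still leaves a record
    printf '%s  %s  %s\n' "$(hash_file "$out")" "$(now_utc)" "$name.txt" >> "$CASE/manifest.txt"
}

# Network configuration: NICs, MAC and IP addresses. Try the platform tools in order.
netconf() {
    if command -v ip >/dev/null 2>&1; then ip addr
    elif command -v ifconfig >/dev/null 2>&1; then ifconfig -a
    else netstat -in; fi
}

# Order matters: what changes fastest is captured first.
collect 01_system_time   date -u              # the machine's wall clock, for skew
collect 02_processes     ps -A -o pid,ppid,user,etime,args
collect 03_network       netconf
collect 04_uptime        uptime               # when the box last (re)booted
collect 05_logged_in     who
collect 06_sysinfo       uname -a             # kernel/OS version, hostname, architecture
collect 07_storage       df -h                # attached volumes to image later (static)

# Re-hash every artifact listed in the manifest; fail on the first mismatch.
verify_manifest() {
    while read -r recorded _stamp file; do
        [ "$(hash_file "$CASE/$file")" = "$recorded" ] || { echo "MISMATCH $file" >&2; return 1; }
    done < "$CASE/manifest.txt"
}

verify_manifest && echo "collected $(wc -l < "$CASE/manifest.txt") artifacts in $CASE"
```

The collector deliberately keeps going when a command fails, so a missing tool produces an artifact file containing the error rather than a silent gap in the manifest. Write the case directory to external media, not to the suspect’s disk, since every write there changes the evidence that the later static image is meant to capture.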
32
Q

Write Blockers

A
  • a device that allows data acquisition to take place while eliminating the chance of damaging or altering the disk’s contents
  • blocks writes to the disk by intercepting write commands and preventing them from reaching the device
33
Q

Bootable Disks

A
  • usually hold a self-contained fully functioning, bootable OS
  • this lets the investigator boot an OS on the suspect’s machine without touching or modifying the machine’s main disk (the bootable OS must itself be set not to auto-mount or write to the internal disks)
34
Q

How is write protect on Windows 7 and later enabled?

A
  • open Regedit
  • go to HKLM\SYSTEM\CurrentControlSet\Control
  • New > Key named “StorageDevicePolicies”
  • inside that key, create a new DWORD (32-bit) Value named “WriteProtect”
  • double-click the new value and set its data to ‘1’
  • this is a software control that applies to USB mass-storage devices; it is not a substitute for a hardware write blocker
35
Q

Volatility Framework

A
  • completely open collection of tools, implemented in Python under the GNU General Public License
  • extracts digital artifacts from volatile memory (RAM) samples
  • supports memory dumps in raw format, Microsoft crash dumps, hibernation files, and virtual machine snapshots
  • pre-installed on Kali Linux
  • also comes as an exe to run on Windows