Data Acquisition

Question 1

If your time is limited, what type of acquisition data copy method should you consider?

Answer 1

Sparse

Question 2

What command works similarly to the dd command but has many features designed for computer forensics acquisitions?

Answer 2

dcfldd

Question 3

What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?

Answer 3

Live

Question 4

What did Microsoft add to its newer operating systems that make performing static acquisitions more difficult?

Answer 4

Whole disk encryption

Question 5

Which RAID configuration offers the greatest access speed and the most robust data recovery capability?

Answer 5

RAID 15

Question 6

What option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512?

Answer 6

hash

Question 7

If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available?

Answer 7

False

Question 8

In addition to RAID 0, what type of RAID configuration is available for Windows XP, 2000, and NT servers and workstations?

Answer 8

RAID 1

Question 9

What type of acquisition is used for most remote acquisitions?

Answer 9

Live

Question 10

What term refers to the Linux ISO images that can be burned to a CD or DVD?

Answer 10

Linux Live CDs

Question 11

By what percentage can lossless compression reduce image file size?

Answer 11

50 percent

Question 12

A separate manual validation is recommended for all raw acquisitions at the time of analysis.

Answer 12

True

Question 13

What does Autopsy use to validate an image?

Answer 13

MD5

Question 14

In Autopsy and many other forensics tools, raw format image files don’t contain metadata.

Answer 14

True

Question 15

There’s no simple method for getting an image of a RAID server’s disks

Answer 15

True

Question 16

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.

Answer 16

True

Question 17

FTK Imager requires that you use a device such as a USB dongle for licensing.

Answer 17

True

Question 18

Unlike RAID 0, RAID 3 stripes track across all disks that make up one volume.

Answer 18

False

Question 19

What older Microsoft disk compression tool eliminates only slack disk space between files?

Answer 19

DriveSpace

Question 20

What command displays pages from the online help manual for information on Linux commands and their options?

Answer 20

man

Question 21

Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.

Answer 21

False

Question 22

Some acquisition tools don’t copy data in the host protected area (HPA) of a disk drive.

Answer 22

True

Question 23

Which type of format acquisition leaves the investigator unable to share an image between different vendors’ computer forensics analysis tools?

Answer 23

Proprietary

Question 24

In addition to md5sum, which hashing algorithm utility is included with current distributions of Linux?

Answer 24

sha1sum

Question 25

Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized.

Answer 25

True

Question 26

What’s the most critical aspect of digital evidence?

Answer 26

Validation

Question 27

Name the three formats for digital forensics data acquisitions

Answer 27

Raw, Proprietary formats, and AFF

Question 28

Name the three formats for digital forensics data acquisitions

Answer 28

Raw, Proprietary formats, and AFF

Question 29

With remote acquisitions, what problems should you be aware of?

Answer 29

Antivirus, antispyware, and firewall programs

Question 30

Why is it a good practice to make two images of a suspect drive in a critical investigation?

Answer 30

To ensure at least one good copy of the forensically collected data in case of any failures

Question 31

What’s the maximum file size when writing data to a FAT32 drive?

Answer 31

2 GB

Question 32

In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. So, is the following dcfldd command correct? ddfldd if+image_file.img of=/dev/hda1

Answer 32

False

Question 33

Of all the proprietary formats, which one is the unofficial standard?

Answer 33

Expert Witness

Question 34

What are two concerns when acquiring data from a RAID server?

Answer 34

Amount of data storage needed and type of RAID

Question 35

With newer Linux kernel distributions, USB devices are automatically mounted, which can alter data on it.

Answer 35

True

Question 36

Which forensics tools can connect to a suspect’s remote computer and run surreptitiously?

Answer 36

EnCase Enterprise and ProDiscover Incident Response

Question 37

A hashing algorithm is a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk

Answer 37

True

Question 38

A logical acquisition collects only specific files of interest to the case

Answer 38

True

Question 39

What does a sparse acquisition collect for an investigation?

Answer 39

Fragments of unallocated data in addition to the logical allocated data

Question 40

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive

Answer 40

EnCase and X-ways Forensics

Question 41

FTK Imager can acquire data in a drive’s host protected area

Answer 41

False

Question 42

Commonly, proprietary format acquisition files can compress the acquisition data and segment acquisition output files into smaller volumes

Answer 42

True

Question 43

The main goal of a static acquisition is the preservation of digital evidence.

Answer 43

True

Question 44

Slower data transfer speeds and dealing with minor data errors are two disadvantages of the raw format

Answer 44

False

Question 45

In the Linux dcfldd command, which three options are used for validating data?

Answer 45

hash, hashlog, and vf