Data Acquisition & Duplication

Question 1

What is Data Acquisition?

Answer 1

The process of imaging or otherwise obtaining information from a digital device and its peripheral equipment and media.

Question 2

Static

Answer 2

Non-Volatile

Question 3

Live

Answer 3

Volatile

Question 4

Order of Volatility

Answer 4

1. Registers/Caches
2. Routing tables/process table/memory
3. Temporary files
4. Disk and storage media
5. Remote logging and monitoring data
6. System configuration / topology
7. Archival media

Question 5

First step in data collection?

Answer 5

Record the time, date, and command history of the system to establish an audit trail generate dates and times while executing each forensic tool or command.

Question 6

Static Data Collection:

Bit Stream vs. Backups (What’s the big difference?)

Answer 6

1. Bit-stream disk to image

2. Bit-stream disk to disk

Question 7

NIST SP 800-88 R1 guidance defines three sanitization methods:

Answer 7

1. Clear: Logical techniques applied to sanitize data in all storage areas using the standard read and write commands.
2. Purge: Involves physical or logical techniques to make the target data recovery infeasible by using state-of-the-art laboratory techniques.
3. Destroy: Enables target data recovery to be infeasible with the use of state- of-the-art laboratory techniques, which result in an inability to use the media for data storage.

Question 8

Data Acquisition Formats

Answer 8

1. Raw - understood by everything
2. Proprietary - (by tool vendor)
3. Advanced Forensics Format (AFF) - open source; file extensions include .afm for AFF metadata and .afd for segmented image files. Supports two compression formats: zlib and LZMA
4. Advanced Forensics Framework 4 (AFF4) - AFF4 supports image signing and cryptography. Adopts a scheme of globally unique identifiers for identifying and referring to all evidence.

Question 9

Basic AFF4 object types include:

Answer 9

Volumes: They store segments, which are indivisible blocks of data
Streams: These data objects can help in reading or writing
Graphs: Collections of RDF statements

Question 10

Generic Forensic Zip (gfzip)

Answer 10

provides an open file format for compressed, forensically complete, and signed disk image data files. It is a set of tools and libraries that can help in creating and accessing randomly accessible zip files. It uses multi-level SHA256 digests to safeguard the files. It also embeds the user’s metadata within the file metadata. This file format focuses on signed data and metadata sections using x509 certificates.

Question 11

Logical vs. Sparse

Answer 11

Logical - Only specific types of files or specific files of interest to the case are captured
Sparse - Similar to logical, but also captures fragments of unallocated (deleted) data.

Question 12

CRC-32 - Cyclic Redundancy Code algorithm-32 (CRC-32)

Answer 12

is a hash function based on the idea of polynomial division.

Question 13

MD5 - Message Digest 5

Answer 13

is an algorithm used to check data integrity by creating a 128-bit message digest from data input of any length.

Question 14

SHA-1 - Secure Hash Algorithm-160

Answer 14

is a cryptographic hash function developed by the United States National Security Agency (NSA), and it is a US Federal Information Processing Standard (FIPS) issued by NIST. It creates a 160-bit (20-byte) hash value called a message digest. This hash value is a hexadecimal number, 40 digits long.

Question 15

SHA-256

Answer 15

A cryptographic hash algorithm that creates a unique and fixed-size 256-bit (32-byte) hash.