Digital Forensics

Question 1

The process of gathering and submitting computer evidence to trial and
interpreting that evidence by providing expert analysis

Answer 1

Digital Forensics

Question 2

Written procedures ensure that personnel handle forensics properly, effectively, and in
compliance with required regulations

Answer 2

Forensic Procedures

Question 3

Ensure the scene is safe, secure the scene to prevent evidence
contamination, and identify the scope of evidence to be collected

Answer 3

Identification

Question 4

Ensure authorization to collect evidence is obtained, and then
document and prove the integrity of evidence as it is collected

Answer 4

Collection

Question 5

Create a copy of evidence for analysis and use repeatable methods and
tools during analysis

Answer 5

Analysis

Question 6

Create a report of the methods and tools used in the investigation and
present detailed findings and conclusions based on the analysis

Answer 6

Reporting

Question 7

A process designed to preserve all relevant information when litigation is
reasonably expected to occur

Answer 7

Legal Hold

Question 8

Contractual method of retaining (hiring) forensics investigators so that their analysis is
protected from disclosure by the work product doctrine

Answer 8

Work Product Retention

Question 9

The method and tools used to create a forensically sound copy of data from a
source device, such as system memory or a hard disk

Answer 9

Data Acquisition

Question 10

A kit containing the software and hardware tools required to acquire and analyze
evidence from system memory dumps and mass storage file systems

Answer 10

Digital Forensics Kit

Question 11

A digital forensics case management product created by Guidance
Software with built-in pathways or workflow templates that show the
key steps in many types of investigations

Answer 11

EnCase

Question 12

A digital forensics investigation suite by AccessData that runs on
Windows Server or server clusters for faster searching and analysis due
to data indexing when importing evidence

Answer 12

The Forensic Toolkit (FTK)

Question 13

An open-source digital forensics collection of command line tools and
programming libraries for disk imaging and file analysis that interfaces
with Autopsy as a graphical user front-end interface

Answer 13

The Sleuth Kit

Question 14

A process that creates an image file of the system memory that can be analyzed
to identify the processes that are running, the contents of temporary file systems,
Registry data, network connections, cryptographic keys, and more

Answer 14

System Memory Image Acquisition

Question 15

Capturing the contents of memory while the computer is running using a
specialist hardware or software tool

Answer 15

Live Acquisition

Question 16

The contents of memory are written to a dump file when Windows encounters an
unrecoverable kernel error

Answer 16

Crash Dump

Question 17

A file that is written to the disk when the workstation is put into a sleep state

Answer 17

Hibernation File

Question 18

A file that stores pages of memory in use that exceed the capacity of the host’s
physical RAM modules

Answer 18

Pagefile

Question 19

A process that creates an image file of the system’s disks that can be analyzed to
identify current, deleted, and hidden files on a given disk

Answer 19

Disk Image Acquisition

Question 20

Capturing the contents of the disk drive while the computer is still running

Answer 20

Live Acquisition

Question 21

The computer is shut down through the operating system properly and then the
disk is acquired

Answer 21

Static Acquisition by Shutting Down

Question 22

The system’s power is disconnected by removing the power plug from the wall
socket

Answer 22

Static Acquisition by Pulling the Plug

Question 23

Bit-by-bit copy of a disk that includes every non-bad sector on the
target disk including deleted or hidden data

Answer 23

Physical Acquisition

Question 24

Copies files and folders from partitions using the file system table
stored on the media

Answer 24

Logical Acquisition

Question 25

Forensic tool to prevent the capture or analysis device or workstation from
changing data on a target disk or media

Answer 25

Write Blockers

Question 26

A software utility that conducts the disk imaging of a target

Answer 26

Imaging Utilities

Question 27

A Unix/Linux/macOS command that can perform disk image acquisition

Answer 27

dd

Question 28

A function that converts an arbitrary length string input to a fixed length string
output

Answer 28

Hash

Question 29

A cryptographic hashing algorithm created to address possible weaknesses in the
older MD5 hashing algorithm
▪ SHA-1 uses a 160-bit hash digest, but isn’t considered strong
▪ SHA-2 uses a 256-bit or 512-bit hash digest and is the current version in
used in modern forensics

Answer 29

Secure Hash Algorithm (SHA)

Question 30

A cryptographic hashing algorithm created in 1990 with the most commonly used
variant being MD-5
▪ MD-5 uses a 128-bit hash digest, but is susceptible to collisions should
only be used as a second-factor of integrity checking

Answer 30

Message Digest Algorithm (MD5)

Question 31

A type of software that reviews system files to ensure that they have not been
tampered with

Answer 31

File Integrity Monitoring (FIM)

Question 32

A tool that shows the sequence of file system events within a source image in a
graphical format

Answer 32

Timeline

Question 33

HDDs and SSDs are divided into sectors of either 512 bytes (standard) or 4096 bytes
(advanced)

Answer 33

Carving

Question 34

The smallest unit the file system can address (default is 4096 bytes)

Answer 34

Block/Cluster

Question 35

A table that contains metadata with the location of each file in terms of
blocks/clusters for disks formatted as NTFS

Answer 35

Master File Table (MFT)

Question 36

The process of extracting data from a computer when that data has no associated
file system metadata

Answer 36

A table that contains metadata with the location of each file in terms of
blocks/clusters for disks formatted as NTFS

Question 37

An open-source command line tool that is part of The Sleuth Kit that is used to
conduct file carving on Linux and Windows systems

Answer 37

Scalpel

Question 38

The record of evidence history from collection, to presentation in court, to
disposal

Answer 38

Chain of Custody