Final Exam Terms Flashcards
Study for Final Exam
Raw Format
Refers to capturing the entire content of a storage device, sector by sector, without any interpretation or alteration
Bit Stream Copy
This is a bit-by-bit duplication of the original storage medium, including all data, metadata, and slack space
Sparse Acquisition
Sparse acquisition involves capturing only allocated data, skipping unallocated or free space. This can be useful to reduce the time and storage space required for acquisition, especially when dealing with large storage devices.
Handling Encryption
Encryption poses a challenge in forensic imaging because encrypted data cannot be accessed without the correct decryption key
Handling Encryption
Countermeasures involve obtaining passwords or encryption keys through legal means, using specialized forensic tools to bypass encryption, or conducting memory forensics to extract encryption keys from volatile memory
Server RAID Set Acquisition
Issues in acquiring data from a RAID set include ensuring that all drives in the array are imaged correctly, handling complex RAID configurations, and dealing with failed or degraded drives
Server RAID Set Acquisition
Countermeasures involve using specialized RAID controllers or software to reconstruct RAID arrays, ensuring data integrity during the acquisition process
Computer-Generated Records
Those records that are created by a computer system as part of its normal operation, such as logs, system files, or database records. These records are typically automatically generated by software or hardware.
Computer-Stored Records
Files or data that are stored on a computer system, including documents, images, emails, etc. These records are created by users and stored on the computer’s storage medium.
Computer-Generated Records and Computer-Stored Records
To be usable as evidence, both types of records must be collected and preserved in a forensically sound manner to ensure their integrity and admissibility in court. This involves using forensic imaging techniques to capture the data without altering it, maintaining chain of custody, and documenting the process thoroughly.
Explain Geometry of a Hard Drive
Refers to the physical layout of data on a hard drive, including sectors, tracks, and cylinders.
Why is it critical to image an SSD as quickly as possible compared to a non-SSD disk?
SSDs have wear-leveling algorithms that can dynamically move data around to ensure even wear on the memory cells. Imaging an SSD quickly helps to capture the current state of the wear-leveling algorithm before it redistributes data, which can affect the forensic analysis.
HPA (Host Protected Area) and DCO (Device Configuration Overlay)
These are hidden areas on hard drives used for system recovery, diagnostics, or vendor-specific purposes. They can contain data hidden from the operating system and standard forensic tools.
Partition Gap
Unused space between partitions on a storage device.
Drive slack
Drive slack refers to the leftover space between the end of a file and the end of the last sector allocated to it, which can contain remnants of deleted files or data.
RAM Slack
Refers to data remaining in memory after it’s been allocated to a process
File slack
Refers to the space between the end of a file and the end of the last sector allocated to it
Why are partition gaps and drive slack important to an investigation?
Both partition gaps and drive slack can contain valuable forensic evidence, including fragments of deleted files, metadata, or remnants of previous activities.
Metadata
Data that provides information about other data, such as file creation date, author, permissions, etc.
File signature
Unique identifying pattern or sequence of bytes used to identify the file type or format. “Magic numbers”
File analysis
Examination of file content, structure, and metadata to extract information relevant to an investigation.
Exif image format
Exchangeable Image File Format, which includes metadata tags such as camera settings, GPS coordinates, and timestamps
File carving
Process of extracting files or data from raw disk images or unallocated space based on file signatures and structure, even if file system metadata is missing or corrupted
Lossy compression
Compression technique that reduces file size by removing redundant or unnecessary information, resulting in a loss of quality. Example: JPEG compression for images
Lossless compression
Compression technique that reduces file size without losing any data or quality. Example: ZIP compression for files
Steganography
Technique of hiding secret messages or data within another file, such as an image or audio file, to avoid detection
Substitution
In forensic context, refers to the replacement of original data with different data, often to hide or alter incriminating evidence
What are the two primary goals of registry forensics?
Hive
Logical group of keys, subkeys, and values in the Windows registry, stored as separate files
Subkey
Subdivision of a registry key, containing additional keys or values
Artifacts
Traces or remnants of past activities or events left behind in the registry, which can be used as evidence in forensic investigations
Static Acquisition
Capturing a snapshot of the entire storage device in a forensically sound manner without modifying its contents
Live Acquisition
Collecting data from a running system, including volatile memory (RAM), to capture the current state of the system.
Transit Acquisition
Collecting data while it’s in transit over a network or between devices.
Type 1 Hypervisor
Runs directly on the host’s hardware to manage virtual machines. Examples include VMware ESXi, Microsoft Hyper-V Server.
Type 2 Hypervisor
Runs on a conventional operating system and hosts virtual machines as application software. Examples include VMware Workstation, VirtualBox
Explain the order of volatility
Principle guiding the collection of volatile data in forensic investigations, starting from the most volatile (e.g., RAM) to the least volatile (e.g., disk storage)
Explain how to handle VMDK Files (forensically)
Virtual Machine Disk files used by VMware. These files can be analyzed using forensic tools capable of interpreting virtual disk formats and extracting relevant data.
Anti-forensics and example
Techniques used to evade or thwart forensic investigation efforts. Example: Overwriting data multiple times to prevent recovery.
Link/shortcut analysis
Examination of symbolic links, shortcuts, or aliases to trace relationships between files or directories.
Actions to prove anti-forensics
Evidence of data wiping, file deletion, encryption, or use of anti-forensic tools.
Defense against anti-forensics
Employing proactive security measures, monitoring for suspicious activities, and using advanced forensic techniques to detect and counter anti-forensic tactics.