Performing Forensic Analysis and Techniques Flashcards
Which format does dd produce files in while disk imaging?
A. ddf
B. RAW
C. EN01
D. OVF
Answer:
B. dd writes a raw, bit-for-bit copy of the source with no container and no embedded metadata, which is why the image must be hashed and documented separately. EN01 here refers to the EnCase evidence file format (seen in practice as the .E01 extension), OVF is the Open Virtualization Format used to package virtual machines, and ddf is a made-up answer.
File carving is used to find file remnants found in clusters on disks that have been only partially rewritten by new files. What is the technical term for where these files are found?
A. Outer
B. Slack
C. Unallocated space
D. Non-Euclidean
Answer:
B. Slack space is the unused tail of the last cluster a file occupies. The filesystem overwrites only the bytes the new file needs, so remnants of whatever previously occupied the cluster remain there until the cluster is fully rewritten or wiped. Unallocated space is space not currently assigned to any file (or, at the disk level, to any partition); carving searches it as well, but a cluster only partially overwritten by a newer file is the definition of slack. Outer space and non-Euclidean space are not filesystem or forensic terms.
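The slack-space mechanism described in the answer above, as an added example that is not part of the flashcards: a simulated disk with fixed-size clusters, a file that is "deleted" and partly overwritten by a shorter file, and a toy carver that reads the remnant back out of the slack. The cluster size, the file contents and the marker string are all constructed for the demo.

```python
# Added example (not from the flashcards): simulate slack space on a disk with
# fixed-size clusters and carve a remnant out of it. All data is constructed.
CLUSTER_SIZE = 512  # assumption: a small cluster keeps the demo readable

def new_disk(n_clusters):
    """A zero-filled 'disk' made of n_clusters clusters."""
    return bytearray(CLUSTER_SIZE * n_clusters)

def write_file(disk, first_cluster, data):
    """Write a file the way most filesystems do: only the bytes the file uses
    are written, and whatever already sat in the rest of the last cluster is
    left untouched. Returns a minimal directory entry for the file."""
    start = first_cluster * CLUSTER_SIZE
    disk[start:start + len(data)] = data
    return {"first_cluster": first_cluster, "size": len(data)}

def slack_space(disk, entry):
    """Bytes between the logical end of the file and the end of its last cluster."""
    start = entry["first_cluster"] * CLUSTER_SIZE
    logical_end = start + entry["size"]
    clusters_used = -(-entry["size"] // CLUSTER_SIZE)  # ceiling division
    cluster_end = start + clusters_used * CLUSTER_SIZE
    return bytes(disk[logical_end:cluster_end])

def carve(region, marker):
    """Toy carver: every run of printable ASCII that starts with marker."""
    hits = []
    pos = region.find(marker)
    while pos != -1:
        end = pos
        while end < len(region) and 32 <= region[end] < 127:
            end += 1
        hits.append(region[pos:end])
        pos = region.find(marker, pos + 1)
    return hits

def demo():
    disk = new_disk(4)
    # 1. A note with a sensitive line in the middle is written into cluster 2.
    old = b"A" * 100 + b"SECRET: payroll export 2023-10-05\n" + b"B" * 200
    write_file(disk, 2, old)
    # 2. The note is 'deleted': only the directory entry goes away; cluster 2
    #    still holds every byte of it.
    # 3. A short new file is allocated to cluster 2 and overwrites only its
    #    first 19 bytes; the rest of the cluster is now this file's slack.
    new_entry = write_file(disk, 2, b"hello.txt contents\n")
    slack = slack_space(disk, new_entry)
    # For contrast: a second note in cluster 3 is deleted and never reused,
    # so it sits whole in unallocated space rather than in any file's slack.
    write_file(disk, 3, b"SECRET: second note\n")
    unallocated = bytes(disk[3 * CLUSTER_SIZE:4 * CLUSTER_SIZE])
    return {
        "new_file_size": new_entry["size"],
        "slack_bytes": len(slack),
        "remnants": carve(slack, b"SECRET"),
        "unallocated": carve(unallocated, b"SECRET"),
    }

if __name__ == "__main__":
    print(demo())
```

Reading the new file through the filesystem shows 19 bytes of "hello.txt"; reading the cluster from the raw image shows the other 493 bytes, including the deleted note. That gap between the logical file and the physical cluster is what a carver exploits, and what a secure-delete or wiping tool removes.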
Mike is looking for information about files that were changed on a Windows endpoint system. Which of the following is least likely to contain useful information for his investigation?
A. The MFT
B. INDX files
C. Event logs
D. Volume shadow copies
Answer:
C. Event logs do not record file changes by default; only if object access auditing has been enabled, with a SACL on the files of interest, will Security log events such as 4663 show file access. The Master File Table and the NTFS directory index records (INDX, the $I30 attribute) hold per-file metadata and timestamps, and volume shadow copies preserve earlier versions of files and directories that can be compared against the current state.
Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this does not happen during her data acquisition process?
A. A read blocker
B. A drive cloner
C. A write blocker
D. A hash validator
Answer:
C. Write blockers ensure that no changes are made to the source drive while a forensic copy is created. A "read blocker" would prevent the copy itself, drive cloners may or may not include write blocking, and hash validation shows afterward whether the contents match but does nothing to prevent changes to the source.
Frederick’s organization has been informed that data must be preserved due to pending legal action. What is this type of requirement called?
A. A retainer
B. A legal hold
C. A data freeze
D. An extra-legal hold
Answer:
B. A legal hold is a process used to preserve all data related to pending legal action, or to action that is reasonably anticipated; it suspends normal retention and deletion schedules for that data. A retainer is paid to a lawyer to keep them available for work. The other two terms were made up for this question.
What two files may contain encryption keys normally stored only in memory on a Windows system?
A. The MFT and the hash file
B. The Registry and hibernation files
C. Core dumps and encryption logs
D. Core dumps and hibernation files
Answer:
D. Core dumps (crash dumps) and hibernation files both hold an image of live memory written to disk, so keys that were only ever in RAM can potentially be recovered from them. Note that hiberfil.sys is stored compressed and a crash dump exists only if dumps are configured and a crash actually occurred, so dedicated tooling such as Volatility is needed to work with either. The MFT describes file layout, and the Registry holds system configuration but should not contain encryption keys. There is no default Windows hash file or encryption log.
Jeff is investigating a system compromise and knows that the first event was reported on October 5th. What forensic tool capability should he use to map other events found in logs and files to this date?
A. A timeline
B. A log viewer
C. Registry analysis
D. Timestamp validator
Answer:
A. Timelines are one of the most useful tools when investigating a compromise: every timestamped artifact (log entries, file MAC times, Registry key writes, event log records) is normalized to a single time zone, usually UTC, and laid out in order so that events can be placed relative to a known point such as the October 5th report. Forensic suites provide built-in timeline capabilities for this analysis.
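The normalization step described above, as an added example that is not part of the flashcards: four constructed log lines in three formats (syslog without a year, ISO 8601 with an offset, and a US-style Windows event line) are converted to UTC, sorted, and measured against the October 5th pivot. The hostnames, the address 203.0.113.7, the host time zone (UTC-5) and the syslog year are all assumptions of the demo; note that the first syslog line is dated October 4th on the host but lands on October 5th once normalized, which is exactly the kind of mistake a timeline prevents.

```python
# Added example (not from the flashcards): build a UTC timeline from log lines
# in different formats and measure each event against a pivot date.
from datetime import datetime, timedelta, timezone

SYSLOG_YEAR = 2023                          # assumption: syslog omits the year
HOST_TZ = timezone(timedelta(hours=-5))     # assumption: host clock was UTC-5
PIVOT = datetime(2023, 10, 5, tzinfo=timezone.utc)  # first event reported Oct 5

RAW_LOGS = [  # (source, line) - constructed sample data
    ("auth.log", "Oct  4 23:58:02 web01 sshd[1122]: Accepted password for deploy from 203.0.113.7 port 51022 ssh2"),
    ("app.json", "2023-10-05T05:14:09+00:00 web01 app: config file /etc/app/secrets.yml modified"),
    ("Security.evtx", "10/05/2023 01:30:45 AM WEB01 4624 An account was successfully logged on"),
    ("auth.log", "Oct  5 00:03:17 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/bash"),
]

def parse_line(source, line):
    """Return (aware datetime in UTC, message) for a line from a known source."""
    if source.endswith(".json"):            # ISO 8601 with explicit offset
        stamp, msg = line.split(" ", 1)
        when = datetime.fromisoformat(stamp)
    elif source.endswith(".evtx"):          # US-style local time, 12-hour clock
        parts = line.split(" ", 3)
        when = datetime.strptime(" ".join(parts[:3]), "%m/%d/%Y %I:%M:%S %p")
        when = when.replace(tzinfo=HOST_TZ)
        msg = parts[3]
    else:                                   # syslog: local time, no year
        parts = line.split()
        when = datetime.strptime(f"{SYSLOG_YEAR} {' '.join(parts[:3])}",
                                 "%Y %b %d %H:%M:%S").replace(tzinfo=HOST_TZ)
        msg = " ".join(parts[3:])
    return when.astimezone(timezone.utc), msg

def build_timeline(raw=RAW_LOGS, pivot=PIVOT):
    """Normalize every line to UTC, attach its offset from the pivot, sort."""
    events = []
    for source, line in raw:
        when, msg = parse_line(source, line)
        events.append({
            "utc": when.isoformat(),
            "source": source,
            "message": msg,
            "offset_s": int((when - pivot).total_seconds()),
        })
    return sorted(events, key=lambda e: e["offset_s"])

def around_pivot(timeline, hours):
    """Events within +/- hours of the pivot, for narrowing the window."""
    return [e for e in timeline if abs(e["offset_s"]) <= hours * 3600]

if __name__ == "__main__":
    for e in build_timeline():
        print(f"{e['utc']}  {e['offset_s']:+7d}s  {e['source']:14s} {e['message']}")
```

Real investigations use a tool such as plaso/log2timeline to do this across hundreds of artifact types, but the two decisions shown here, which time zone each source recorded in and which year a year-less syslog line belongs to, still have to be made by the analyst and documented.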
During her forensic copy validation process, Danielle hashed the original, cloned it, and received the following MD5 sums. What is likely wrong?
b49794e007e909c00a51ae208cacb169 original.img
d9ff8a0cf6bc0ab066b6416e7e7abf35 clone.img
A. The original was modified.
B. The clone was modified.
C. dd failed.
D. An unknown change or problem occurred.
Answer:
D. A single mismatched pair of hashes shows only that the two files differ, not why. Danielle did not hash the source both before and after the cloning run (and record the hash the imaging tool reported for the image as it was written), so she cannot tell whether the original changed, the clone was altered afterward, or the copy itself failed. Hashing the source before and after the clone isolates changes to the original; hashing the image immediately after creation isolates later changes to the clone. MD5 is still common for this comparison, but because collisions can be manufactured, SHA-256 (alone or alongside MD5) is the better choice for evidence hashes.
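The raw imaging from the dd question and the before/after hashing this answer calls for, combined into one added example that is not part of the flashcards. The source is a constructed temporary file standing in for a block device; the copy step is Python's own chunked read/write rather than dd, but it produces the same raw, bit-for-bit layout. The file names, the 4 MiB chunk size and the tampering at the end are assumptions of the demo.

```python
# Added example (not from the flashcards): raw bit-for-bit acquisition with the
# source hashed before and after the copy and the image hashed once written,
# plus a diagnosis of which hashes disagree. Sample data is constructed.
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB, a common dd bs= value

def hash_file(path, algo="sha256"):
    """Stream the file through a hash so large images never sit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def raw_copy(src, dst):
    """Copy every byte of src to dst: no partition table or filesystem parsing,
    which is what makes the result a RAW image rather than a container format."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)

def diagnose(src_before, src_after, image_hash):
    """Say which of the three hashes disagrees and therefore where to look."""
    if src_before != src_after:
        return "source_changed"   # write blocking failed, or the source was live
    if image_hash != src_before:
        return "image_mismatch"   # copy error, or the image was altered later
    return "verified"

def acquire(src, dst):
    """The full procedure: hash source, copy, re-hash source, hash image."""
    before = hash_file(src)
    raw_copy(src, dst)
    after = hash_file(src)
    image = hash_file(dst)
    return {"source_before": before, "source_after": after,
            "image": image, "verdict": diagnose(before, after, image)}

def demo():
    """Run the procedure on a constructed 1 MiB 'device', then modify the image
    after acquisition and show the verification catching it."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sdb.bin")   # stand-in for /dev/sdb
        img = os.path.join(d, "sdb.raw")
        with open(src, "wb") as f:
            f.write(os.urandom(1024 * 1024))
        good = acquire(src, img)
        with open(img, "ab") as f:         # simulate post-acquisition tampering
            f.write(b"\x00")
        tampered = diagnose(good["source_before"], hash_file(src), hash_file(img))
        return good["verdict"], tampered

if __name__ == "__main__":
    print(demo())
```

On a real device behind a write blocker the copy step is usually `dd if=/dev/sdb of=sdb.raw bs=4M conv=noerror,sync`; be aware that `conv=sync` pads a short final block with zeros, so if the device size is not a multiple of the block size the image hash will not equal the source hash even though nothing went wrong. Record all three hashes, with the tool and its options, in the acquisition log.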
Jennifer wants to perform memory analysis and forensics for Windows, MacOS, and Linux systems. Which of the following is best suited to her needs?
A. LiME
B. DumpIt
C. fmem
D. The Volatility Framework
Answer:
D. The Volatility Framework is designed to work with Windows, macOS, and Linux, and it provides in-depth memory forensics and analysis capabilities. LiME and fmem are Linux tools, whereas DumpIt is a Windows-only tool.
Alex is conducting a forensic examination of a Windows system and wants to determine if an application was installed. Where can he find the Windows installer log files for a user named Jim?
A. C:\Windows\System 32\Installers
B. C:\Windows\Install.log
C. C:\Windows\Jim\Install.log
D. C:\Windows\Jim\AppData\Local\Temp
Answer:
D. Windows Installer (MSI) logs are written to the user's temporary folder, %TEMP%, which for a user profile is C:\Users\Jim\AppData\Local\Temp (the option places the profile under C:\Windows, but the AppData\Local\Temp location is the intended answer). Verbose MSI logging must be enabled for the MSI*.LOG files to exist there; the Application event log, under the MsiInstaller source, is the other place to check for installation events. There is no C:\Windows\Install.log, and System32 has no Installers directory.
Kathleen needs to find data contained in memory but only has an image of an offline Windows system. Where does she have the best chance of recovering the information she needs?
A. The Registry
B. %SystemRoot%\MEMORY.DMP
C. A System Restore point file
D. %SystemRoot%/WinDbg
Answer:
B. Windows crash dumps are written to %SystemRoot%\MEMORY.DMP and contain the memory state at the time of the crash, so this is her best source of memory contents from an offline image. Two caveats apply: the file exists only if a crash occurred with dumps enabled, and the default "automatic memory dump" setting captures kernel memory rather than a complete dump, so user-mode process memory may be absent. The hibernation file (hiberfil.sys) and pagefile.sys are the other on-disk places where memory contents end up. The Registry and System Restore points do not hold memory contents, and WinDbg is a debugger, not a memory image.
Carl does not have the ability to capture data from a cell phone using mobile forensic or imaging software, and the phone does not have removable storage. Fortunately, the phone was not set up with a PIN or screen lock. What is his best option to ensure he can see email and other data stored there?
A. Physical acquisition
B. Logical access
C. Filesystem access
D. Manual access
Answer:
D. Manual access is used when a phone cannot be forensically imaged or accessed as a volume or filesystem. The phone is reviewed by hand, with photographs and notes preserved to document its contents. The device should be isolated from the network first (airplane mode or a Faraday bag) so that incoming messages or a remote wipe cannot alter its state during the review.
What forensic issue might the presence of a program like CCleaner indicate?
A. Antiforensic activities
B. Full disk encryption
C. Malware packing
D. MAC time modifications
Answer:
A. CCleaner is a PC cleanup utility that wipes Internet history, destroys cookies and other cached data, and can impede forensic investigations. CCleaner may be an indication of intentional antiforensic activities on a system. It is not a full disk encryption tool or malware packer, nor will it modify MAC times.
Which of the following is not a potential issue with live imaging of a system?
A. Remnant data from the imaging tool
B. Unallocated space will be captured
C. Memory or drive contents may change during the imaging process
D. Malware may detect the imaging tool and work to avoid it
Answer:
B. Capturing unallocated space is not a problem; it is desirable, and the more realistic live-imaging risk is the reverse: imaging a mounted volume through the filesystem rather than the raw block device can miss it entirely. The other three are genuine live-imaging issues: the imaging tool itself leaves remnants in memory and possibly on disk, memory and drive contents keep changing while the image is taken (so a live image can never be hash-verified against its source the way an offline image can), and malware can detect the tool and evade or interfere with it.
During his investigation, Jeff, a certified forensic examiner, is provided with a drive image created by an IT staff member and is asked to add it to his forensic case. What is the most important issue that Jeff could encounter if the case goes to court and his procedures are questioned?
A. Bad checksums
B. Hash mismatch
C. Antiforensic activities
D. Inability to certify chain of custody
Answer:
D. Jeff did not create the image and cannot attest to its chain of custody: who acquired it, how, from what device, and whether it has been protected from modification since. Without a documented hash of the original drive there is nothing to compare against, so "bad checksum" and "hash mismatch" cannot even be evaluated. Antiforensic activity may have occurred, but nothing in the question indicates it.