Storage and Forensic Gathering

Question 1

What types of write blockers are there?

Answer 1

Software and Hardware.

Question 2

What is a type of software blocker?

Answer 2

Caine

Question 3

What do you need to collect when examining physical media?

Answer 3

Collect the specs of each drive.
What the serial number is.
Any scratches or damage.
This size of the drive.
Other identifying features.

Question 4

Why is taking notes of the physical media important?

Answer 4

It is to make sure that any and all issues are spotted and so that drives arent switch ruining evidence.

Question 5

What is Hashing?

Answer 5

Its a unique signature or bit count of media.

Question 6

When should you check the hash?

Answer 6

You should check before and after ananlysis.

Question 7

What are common types of hashing algorithms

Answer 7

MD5 and SHA (256)

Question 8

What is the comand to collect a forensic image?

Answer 8

dd if=(input_file) of=(output_file) bs=(block_size)

Question 9

What does the “dd if=(input_file) of=(output_file) bs=(block_size)” comand do?

Answer 9

It is used to collect a foresic image.

Question 10

Explain this example “dd if=gptimage.raw of=/dev/loop0 bs=512 skip=2048 count=204800”.

Answer 10

get file gptimage from the location /dev/loop0 into a space of size 512 starting at 2048 and taking 204800 bits.