Topic 4 Flashcards
Name 3 different types of storage formats for digital evidence
Raw Format
Propietary Formats
Advanced Forensic Format
Define the Raw Format
Raw format is a bit by bit copy of the suspect drive. It uses a bit stream to write a series of of sequential flat files.
Name 2 advantages and 2 disadvantages of the Raw format
Advantages:
Readable by most tools
Fast data transfers
Ability to ignore minor data read errors on source drive
Disadvantages:
Takes up same storage as the original disk or data set
My not collect marginal sectors on source drive
Name 2 advantages and disadvantages of Proprietary Formats
Advantages
option to compress
option to split an image into smaller segments
option to integrate metadata into the image file
Disadvantages
cannot share between different tools
some have maximum file sizes per segment
Name 4 types of acquisitions
Static acquisitions, live acquisitions
logical acquisitions
sparse acquisitions
Name 4 acquisition methods
disk-to-image file
disk-to-disk copy
logical disk-to-disk or disk-to-data file
sparse copy of a folder or file
Why would you use a disk-to-disk copy?
If you can’t make a disk to image file because of hardware or software errors or incompatibilities. More common in older drives
Why would you use a logical acquisition or sparse acquisition?
When you
are only interested in specific files
do not have time/space to copy the whole drive
Why would you use a hardware write blocker and not a software write blocker?
Software write blockers will change data on the target drive. They use an automatic mounting process that updates boot files by changing metadata such as the most recent access time
What do you do if you cannot access the target drive (physically)?
Use a boot CD - such as
Mini-WinFE
Linux Live
What does RAID stand for?
Redundant Array of Independent Disks
Name 4 issues in acquiring a RAID?
How much storage is necessary?
What type of RAID is used? 0-5, 10, 15
Appropriate acquisition tool
Can acquisition tool combine images for 1 virtual RAID?
What 4 steps do you take in performing an acquisition?
Use a target drive that has been recently wiped and reformatted and inspected for virus
Inventory the hardware
For static acquisitions remove the hard-drive. Check date and time values in the system’s CMOS
Record how you aquired data from the suspect drive
What steps do you take in performing an analysis?
If possible examine the contents of all data files in all folders, starting at the root folder, unless only certain files are of interest
Make best effort to recover password protected files
identify the function of every executable file that doesn’t match known hash values. Make a note of any files or folders that are out of place
Maintain control of all evidence and findings and document everything as you progress through your examination
How can you use hash values of known files to speed up analysis?
1 By eliminating known innocuous files like system files and
2 By searching for known nefarious files such as child exploitation images
