Week 1 - Professionalism Flashcards
What is the standard procedure for shutting down most Windows-based workstations or laptops?
Pulling the power directly is the standard procedure, especially for systems like Windows 10, to avoid registry changes that occur with a normal shutdown.
Why is taking a live image or memory image important when dealing with full disk encryption (FDE)?
This might be the only opportunity to see the drive in its decrypted state, capturing valuable information for forensics from the memory.
What should you do before pulling the power on a server?
Servers should be shut down using the correct shutdown procedure to avoid data corruption.
What is the procedure for handling all-in-one units with no removable battery?
The only option is to force shut down or shut down through normal means, thoroughly documenting the shutdown process.
How should devices with mobile internet or WiFi connections be handled during forensic acquisition?
Put them in airplane mode to disable all radios and consider using a Faraday bag to block all incoming and outgoing signals.
What does the “Chain of Custody” refer to in digital forensics?
It refers to the chronological documentation that records the custody, control, transfer, analysis, and disposition of evidence.
What is the difference between physical acquisition and logical acquisition in digital forensics?
Physical acquisition is a bit-by-bit copy of the entire storage media including all data, while logical acquisition captures specific files or data that is easily accessible.
What is a write blocker and why is it important?
A write blocker is a device or software that allows read-only access to a storage medium, preventing data from being written or altered during forensic analysis.
What are the pros and cons of the DD format in forensic imaging?
Compatible with almost any tool, straightforward format. Cons: Images are large, and lack of features like automatic hash calculation.
What are the advantages of the Expert Witness Format (E01) over DD?
EWF allows for compression, includes hash calculation and error checking, and can store metadata about the imaging process.
What is the DD format in digital forensics?
DD is a raw image format that creates a sector-by-sector copy of the storage device, capturing all data exactly as it is on the original media, including unallocated space and deleted files.
What are the advantages and disadvantages of using the DD format?
Advantages: Highly compatible with various forensic tools, straightforward with no metadata or compression.
Disadvantages: Results in large image files equal in size to the original drive, lacks built-in features for managing and verifying hashes.
What is the Expert Witness Format (EWF)?
EWF, often known as E01, is an advanced forensic image format developed by EnCase that includes compression, error checking, and metadata support to facilitate forensic analysis.
