... hash value. If the hashes don't match, something corrupted the compressed file, such as a hardware or software error. As an added precaution, perform two separate hashes with different algorithms, such as MD5 and SHA-1 (or, better, SHA-256, since MD5 and SHA-1 are no longer collision-resistant and a deliberately tampered file could be made to match a single weak hash). This step isn't mandatory; however, it's a good way to establish that nothing has changed during data processing.

7. What are the advantages and disadvantages of using Windows acquisition tools?

8. What are the steps to update the Registry for Windows XP SP2 to enable write-protection with USB devices?
Chapter 3: Data Acquisition
Terms in this set (62)

1. Q: If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available. (T/F)
   A: False

2. Q: The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file. (T/F)
   A: True

3. Q: Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive. (T/F)
   A: True

4. Q: FTK Imager requires that you use a device such as a USB dongle for licensing. (T/F)
   A: False. FTK Imager is a free imaging utility and needs no licensing dongle; only the full FTK suite is dongle-licensed.

5. Q: Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume. (T/F)
   A: False (RAID 0 stripes as well; RAID 3 adds a dedicated parity disk)

6. Q: One major disadvantage of _________ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
   A: proprietary

7. Q: Typically, a(n) __________ acquisition is done on a computer seized during a police raid, for example.
   A: static

8. Q: If the computer has an encrypted drive, a ________ acquisition is done if the password or passphrase is available.
   A: live

9. Q: The most common and flexible data-acquisition method is _________.
   A: disk-to-image file

10. Q: Older Microsoft disk compression tools, such as DoubleSpace or ______________, eliminate only slack disk space between files.
    A: DriveSpace

11. Q: If your time is limited, consider using a logical acquisition or ______________ acquisition data copy method.
    A: sparse

12. Q: Image files can be reduced by as much as __________% of the original when using lossless compression.
    A: 50%

13. Q: Microsoft has added ____________ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.
    A: whole disk encryption

14. Q: Linux ISO images that can be burned to a CD or DVD are referred to as __________.
    A: Linux Live CDs

15. Q: The ___________ command displays pages from the online help manual for information on Linux commands and their options.
    A: man

16. Q: The _________ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
    A: dd

17. Q: The _________ command works similarly to the dd command but has many features designed for computer forensics acquisitions.
    A: dcfldd

18. Q: Current distributions of Linux include two hashing algorithm utilities: md5sum and ________.
    A: sha1sum (GNU coreutils also ships sha256sum, sha384sum, and sha512sum, which are the better choice for new work)

19. Q: You use the ________ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512.
    A: hash

20. Q: Autopsy uses ___________ to validate an image.
    A: MD5

21. Q: In Autopsy and many other forensics tools, raw format image files don't contain metadata. (T/F)
    A: True

22. Q: Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics. (T/F)
    A: False. (Current Windows versions do ship certutil -hashfile and the PowerShell cmdlet Get-FileHash, but these are general-purpose utilities, not forensics tools.)

23. Q: A separate manual validation is recommended for all raw acquisitions at the time of analysis. (T/F)
    A: True

24. Q: Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized. (T/F)
    A: True

25. Q: For Windows XP, 2000, and NT servers and workstations, RAID 0 or ___________ is available.
    A: RAID 1

26. Q: In _______________, two or more disk drives become one large volume, so the computer views the disks as a single disk.
    A: RAID 0

27. Q: _______________, or mirrored striping, is a combination of RAID 1 and RAID 0.
    A: RAID 10

28. Q: ____________, or mirrored striping with parity, is a combination of RAID 1 and RAID 5.
    A: RAID 15

29. Q: There's no simple method for getting an image of a RAID server's disks. (T/F)
    A: True

30. Q: Most remote acquisitions have to be done as _______ acquisitions.
    A: live

31. Q: What's the main goal of a static acquisition?
    A: Preservation of digital evidence

32. Q: Name the three formats for digital forensics data acquisitions.
    A: Raw format, proprietary format, and Advanced Forensic Format (AFF)

33. Q: What are two advantages and disadvantages of the raw format?
    A: Advantages: faster data transfer speeds, minor read errors on the source drive are ignored, and most forensics analysis tools can read it. Disadvantages: the image needs as much storage as the source drive, and the raw file carries no metadata (hashes, case notes), so validation has to be recorded separately.

34. Q: List two features common with proprietary format acquisition files.
    A: Can compress or not compress the acquisition data

35. Q: Of all the proprietary formats, which one is the unofficial standard?
    A: Expert Witness, used by Guidance Software EnCase

36. Q: Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.
    A: EnCase

37. Q: What does a logical acquisition collect for an investigation?
    A: Only specific files of interest to the case

38. Q: What does a sparse acquisition collect for an investigation?
    A: Fragments of unallocated data in addition to the logical allocated data

39. Q: What should you consider when determining which data acquisition method to use?
    A: The size of the source drive, whether the source drive is retained as evidence, how long the acquisition will take, and where the disk evidence is located

40. Q: Why is it good practice to make two images of a suspect drive in a critical investigation?
    A: To ensure at least one good copy of the forensically collected data in case of any failures

41. Q: When you perform an acquisition at a remote location, what should you consider to prepare for this task?
    A: Determine whether there's enough electrical power and lighting, and check the temperature and humidity at the location

42. Q: With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB drive, containing evidence?
    A: Newer Linux distros automatically mount the USB device, which could alter data on it.

43. Q: In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1
    A: Wrong. The command reads the image_file.img file and writes it to the evidence drive's /dev/hda1 partition, destroying evidence. The correct command is dcfldd if=/dev/hda1 of=image_file.img (the evidence device is always the input, if=, and the image file the output, of=).

44. Q: What's the most critical aspect of digital evidence?
    A: Validation

45. Q: What's a hashing algorithm?
    A: A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk

46. Q: In the Linux dcfldd command, which three options are used for validating data?
    A: hash= (choose the algorithm), hashlog= (write the digest to a log file), and vf= (verify the image against the source)

47. Q: What's the maximum file size when writing data to a FAT32 drive?
    A: 4 GB minus one byte (2^32 - 1 bytes; the FAT32 directory entry stores a file's size in 32 bits). Larger images must be written as split segments; many acquisition guides split at 2 GB to stay well within the limit.

48. Q: What are two concerns when acquiring data from a RAID server?
    A: The amount of data storage needed; the type of RAID (0, 1, 5, and so on); whether the acquisition tool can handle RAID acquisitions and RAID data; and whether the analysis tool can split RAID data into separate disk drives, which makes large data sets easier to distribute.

49. Q: With remote acquisitions, what problems should you be aware of?
    A: Data transfer speeds. Network access permissions and host-based security software that blocks the remote agent are the other usual obstacles.

50. Q: Which forensics tools can connect to a suspect's remote computer and run surreptitiously?
    A: EnCase Enterprise and ProDiscover Incident Response

51. Q: EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. (T/F)
    A: True

52. Q: FTK Imager can acquire data in a drive's host protected area. (T/F)
    A: False

53. Q: What are the advantages and disadvantages of using the raw data acquisition format?
    A: Advantages: faster data transfer speeds, minor data errors are ignored, and most forensics analysis tools can read it.

54. Q: What are some features offered by proprietary data acquisition formats?
    A: Can compress or not compress the acquisition data

55. Q: What are some of the design goals of AFF?
    A: Capable of producing compressed or uncompressed image files; no size restriction for disk-to-image files; space in the image file or segmented files for metadata; simple design with extensibility; open source for multiple computing platforms and OSs; internal consistency checks for self-authentication

56. Q: Explain the sparse data copy method for acquiring digital evidence.
    A: It is similar to a logical acquisition but also collects fragments of unallocated (deleted) data; use this method only when you don't need to examine the entire drive.

57. Q: What are the considerations you should have when deciding what data-acquisition method to use on your investigation?
    A: The size of the source (suspect) disk; whether you can retain the source disk as evidence or must return it to the owner; how much time you have to perform the acquisition; and where the evidence is located

58. Q: Explain the use of hash algorithms to verify the integrity of lossless compressed data.
    A: A hashing algorithm creates a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or disk drive. This unique number is referred to as a digital fingerprint: altering anything in the file, no matter how big or small, produces a different hash value. Hash the data before compression and again after decompression; matching values show that the compression round trip returned the data intact.

59. Q: What are the advantages and disadvantages of using Windows acquisition tools?
    A: ...

60. Q: What are some of the main characteristics of Linux ISO images designed for computer forensics?
    A: ...

61. Q: What are the requirements for acquiring data on a suspect computer using Linux?
    A: To perform a data acquisition on a suspect computer, all you need are the following: a forensics Linux Live CD; a USB, FireWire, or SATA external drive with cables; knowledge of how to alter the suspect computer's BIOS to boot from the Linux Live CD; and knowledge of which shell commands to use for the data acquisition.

62. Q: Briefly describe ILookIX IXImager.
    A: It is a stand-alone proprietary format acquisition tool designed to work only with ILookIX. It can acquire single drives and RAID drives. It supports IDE (PATA), SCSI, USB, and FireWire devices.
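The three points the set keeps returning to (hash the data with two different algorithms, never put the evidence device on the of= side of dd or dcfldd, and treat any changed hash as proof the copy is not faithful) fit in one script. The following is an added example, not code from the textbook or from the flashcard author; it uses plain dd because dcfldd is not installed everywhere, and the file names and the random "evidence" it creates are constructed for the demo:

```shell
#!/bin/sh
# Added example (not from the textbook): raw acquisition with dd, two
# independent digests (MD5 and SHA-256) taken of the source before the
# copy and of the image after it, a hash log beside the image, and a
# guard against the reversed if=/of= mistake.

# The evidence device is always the input (if=). Refuse to write an
# image onto a block device, which is exactly what the reversed
# "dcfldd if=image_file.img of=/dev/hda1" would do.
refuse_write_to_device() {
    if [ -b "$1" ]; then
        echo "refusing: of=$1 is a block device; evidence belongs in if=" >&2
        return 1
    fi
    return 0
}

# Two independent digests of one file, printed as "md5 sha256".
# MD5 alone is no longer collision-resistant, so a second, stronger
# algorithm is recorded alongside it.
two_hashes() {
    m=$(md5sum "$1" | awk '{ print $1 }')
    s=$(sha256sum "$1" | awk '{ print $1 }')
    echo "$m $s"
}

# Copy src sector by sector into img. conv=noerror keeps reading past
# unreadable sectors and sync pads each one with zeros, so src must be
# a whole number of 512-byte sectors (true of any real disk or partition).
# Source and image digests are written to img.hashlog; the function
# succeeds only when both algorithms agree.
acquire_and_verify() {
    src=$1
    img=$2
    refuse_write_to_device "$img" || return 1
    before=$(two_hashes "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    after=$(two_hashes "$img")
    printf 'source %s\nimage  %s\n' "$before" "$after" > "$img.hashlog"
    [ "$before" = "$after" ]
}

# Demo on a constructed 32 KiB "drive" (64 sectors of random bytes).
demo() {
    d=$(mktemp -d)
    dd if=/dev/urandom of="$d/evidence.bin" bs=512 count=64 2>/dev/null
    if acquire_and_verify "$d/evidence.bin" "$d/evidence.img"; then
        echo "image verified:"
        cat "$d/evidence.img.hashlog"
    else
        echo "hash mismatch: image is not a faithful copy" >&2
    fi
    rm -rf "$d"
}

if [ "${1-}" = "demo" ]; then demo; fi
```

Run it as `sh acquire.sh demo`. On a real acquisition replace the sample file with the device path from fdisk -l and the image path with a file on the examiner's target drive; if that target is FAT32, pipe dd through split (or use dcfldd's split= option) so no segment exceeds the 4 GB file-size limit.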
What are the acquisition methods in digital forensics?
The four methods of acquiring data for forensics analysis are disk-to-image file, disk-to-disk copy, logical disk-to-disk or disk-to-data file, and sparse data copy of a folder or file. Large disks might require using tape backup devices.

What is the difference between static data acquisition and live data acquisition?
A static acquisition is the traditional approach: the system is powered off, the drive is imaged through a write blocker or from a forensic Live CD, and the copy can be repeated and re-verified later. A live acquisition gathers the data while the system is running, using forensic tools on the running machine; it is needed when the drive is encrypted and the passphrase is available, for most remote acquisitions, and for volatile data such as memory, but because the running system keeps changing, the result cannot be reproduced exactly.

What are the three types of write blocking methods that are used for data acquisition?
Hardware write blockers, placed between the evidence drive and the examiner's workstation, and software write blockers, which are either operating-system settings (such as the Windows Registry USB write-protection policy) or functions of the acquisition tool.

What is data acquisition in research?
Data acquisition is the process of collecting data, including what data is acquired, how, and why.