hash value. If the hashes don’t match, that means something corrupted the compressed file, suchas a hardware or software error. As an added precaution, perform two separate hashes withdifferent algorithms, such as MD5 and SHA-1. This step isn’t mandatory; however, it’s a goodway to establish that nothing has changed during data processing.PTS:1REF:1087.What are the advantages and disadvantages of using Windows acquisition tools?
Get answer to your question and much more
PTS:1REF:1108.What are the steps to update the Registry for Windows XP SP2 to enable write-protection with USB devices?
Get answer to your question and much more
Recommended textbook solutions
The Language of Composition: Reading, Writing, Rhetoric
2nd EditionLawrence Scanlon, Renee H. Shea, Robin Dissin Aufses
661 solutions
Technical Writing for Success
3rd EditionDarlene Smith-Worthington, Sue Jefferson
468 solutions
Technical Writing for Success
3rd EditionDarlene Smith-Worthington, Sue Jefferson
468 solutions
Technical Writing for Success
3rd EditionDarlene Smith-Worthington, Sue Jefferson
468 solutions
-
Flashcards
-
Learn
-
Test
-
Match
-
Flashcards
-
Learn
-
Test
-
Match
Chapter 3: Data Acquisition
Terms in this set (62)
If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available. (T/F)
False
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file. (T/F)
True
Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive. (T/F)
True
FTK Imager requires that you use a device such as a USB dongle for licensing. (T/F)
True
Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume. (T/F)
False
One major disadvantage of _________ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
proprietary
Typically, a(n) __________ acquisition is done on a computer seized during a police raid, for example.
static
If the computer has an encrypted drive, a ________ acquisition is done if he password or passphrase is available.
live
The most common and flexible data-acquisition method is _________.
disk-to-image file
Older Microsoft disk compression tools, such as DoubleSpace or ______________, eliminate only slack disk space between files.
DriveSpace
If your time is limited, consider using a logical acquisition or ______________ acquisition data copy method.
Sparse
Image files can be reduced by as much as __________ % of the original when using lossless compression.
50%
Microsoft has added ____________ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.
whole disk encryption
Linux ISO images that can be burned to a CD or DVD are referred to as __________.
Linux Live CDs
The ___________ command displays pages from the online help manual for information on Linux commands and their options.
man
The _________ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
dd
The _________ command, works similiarly to the dd command but has many featured designed for computer forensics acquisitions.
dcfldd
Current distributions of Linux include two hashing algorithm utilities: md5sum and ________.
sha1sum
You use the ________ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512.
hash
Autopsy uses ___________ to validate an image.
MD5
In Autopsy and many other forensics tools raw format image files don't contain metadata. (T/F)
True
Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics. (T/F)
False
A separate manual validation is recommended for all raw acquisitions at the time of analysis. (T/F)
True
Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized. (T/F)
True
For Windows XP, 2000, and NT servers and workstations, RAID 0 or ___________ is available.
RAID 1
In _______________, two or more disk drives become one large volume, so the computer views the disks as a single disk.
RAID 0
_______________, or mirrored striping, is a combination of RAID 1 and RAID 0.
RAID 10
____________, or mirrored striping with parity, is a combination of RAID 1 and RAID 5.
RAID 15
There's no simple method for getting an image of a RAID server's disks. (T/F)
True
Most remote acquisitions have to be done as _______ acquisitions.
live
What's the main goal of a static acquisition?
Preservation of digital evidence
Name the three formats for digital forensics data acquisitions.
Raw format
Proprietary
formats
Advanced Forensic Format (AFF)
What are two advantages and disadvantages of the raw format?
Advantages:
faster data transfer speeds, ignores minor data errors, and most forensics analysis tools can read it.
Disadvantages:
requires equal or greater target disk space, doesn't contain hash values in the raw file (metadata), might have to run a separate has program to validate raw format data, and
might not collect marginal (bad) blocks.
List two features common with proprietary format acquisition files.
Can compress or not compress the acquisition data
Can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD
Case Metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or
files
Of all the proprietary formats, which one is the unofficial standard?
Expert Witness, used by Guidance Software EnCase
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.
EnCase
SafeBack
SnapCopy
What does a logical acquisition collect for an investigation?
only specific files of interest to the case
What does a sparse acquisition collect for an investigation?
fragments of unallocated data in addition to the logical allocated data
What should you consider when determining which data acquisition method to use?
size of the source drive, whether the source drive is retained as evidence, how long the acquisition will take, and where the disk evidence is located
Why is it good practice to make two images of a suspect drive in a critical investigation?
to ensure at least one good copy of the forensically collected data in case of any failures
When you perform an acquisition at a remote location, what should you consider to prepare for this task?
determine whether there's enough electrical power and lighting and check the temperature and humidity at the location
With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?
Newer Linux distros automatically mount the USB device, which could alter data on it.
In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct?
dcfldd if=image_file.img of=/dev/hda1
Wrong. The command reads the image_file.img file and writes it to the evidence drive's /dev/hda1 partition.
The correct command is dcfldd if=/dev/hda1 of=image_file.img.
What's the most critical aspect of digital evidence?
validation
What's a hashing algorithm?
a program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk
In the Linux dcfldd command, which three options are used for validating data?
hash
hashlog
vf
What's the maximum file size when writing data to a FAT32 drive?
2 GB (a limitation of FAT file systems)
What are two concerns when acquiring data from a RAID server?
Amount of data storage needed, type of RAID server (0,1,5 and so on), whether the acquisition tool can handle RAID acquisitions, whether the acquisition tool can handle RAID data, and whether the analysis tool can split RAID data into separate disk drives, making it easier to distribute large data sets.
With remote acquisitions, what problems should you be aware of?
a. Data transfer speeds
b. Access permissions over the network
c. Antivirus, antispyware, and firewall programs
d. All of the above
e. the password of the remote computer's user
a. data transfer
speeds
b. Access permissions over the network
c. Antivirus, antispyware, and firewall programs
Which forensics tools can connect to a suspect's remote computer and run surreptitiously?
EnCase Enterprise and ProDiscover Incident Response
EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?
True
FTK Imager can acquire data in a drive's host protected area. True or False?
False
What are the advantages and disadvantages of using raw data acquisition format?
faster data transfer speeds, ignores minor data errors, and most forensics analysis tools can read it.
Disadvantages:
requires equal or
greater target disk space, doesn't contain hash values in the raw file (metadata), might have to run a separate has program to validate raw format data, and might not collect marginal (bad) blocks.
What are some features offered by proprietary data acquisition formats?
Can compress or not compress the acquisition data
Can segment acquisition output files into smaller volumes, allowing them to be archived to
CD or DVD
Case Metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files
What are some of the design goals of AFF?
Capable of producing compressed or uncompressed image files
No size restriction for disk-to-image files
Space in the image file or segmented files for metadata
simple design with extensibility
Open source for multiple computing platforms and OSs
Internal consistency checks for self-authentication
Explain the sparse data copy method for acquiring digital evidence.
is similar but also collects fragments of unallocated (deleted) data; use this method only when you don't need to examine the entire drive.
What are the considerations you should have when deciding what data-acquisition method to use on your investigation?
Considerations you should have are the following:
the size of the source (suspect) disk
whether you can retain the source disk as evidence or must return it to the owner
How much time you have to perform the acquisition
And where the evidence is located
Explain the use of hash algorithms to verify the integrity of lossless compressed data.
It is designed to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or disk drive. This unique number is referred to as "digital fingerprint"
if you alter one thin in the file no matter how big or small it produces a different hash value
What are the advantages and disadvantages of using Windows acquisition tools?
...
What are some of the main characteristics of Linux ISO images designed for computer forensics?
...
What are the requirements for acquiring data on a suspect computer using Linux?
To perform a data acquisition on a suspect computer, al you need are the following:
a forensics Linux Live CD
A USB, FireWire, or SATA external drive with cables
Knowledge of how to alter the suspect computer's BIOS to boot from the Linux Live CD
Knowledge of which shell commands to use for the data acquisition
Briefly describe ILookIX IXImager.
It is a stand-alone proprietary format acquisition tool designed to work only with ILookIX. It can acquire single drives and RAID drives. IT supports IDE, (PATA), SCSI,
USB and FireWire devices.
The IXImager proprietary format can be converted to a raw format if other analysis tools are used.
Computer Forensics Chapter 4
34 terms
Wade_Dotson
Computer Forensics Chapter 4
34 terms
pixleplayer
Computer Forensics - Chapter 3 Review Questions
24 terms
Kciardiello
4. Data Acquisition
34 terms
Frank_B_
Sets found in the same folderChapter 03: Data Acquisition
33 terms
Rosalinda2126
Chapter 4 Quiz
12 terms
larryrei
Quiz 1-4
79 terms
Morgan_Elder
Ch. 5
15 terms
emmacwyatt
Other sets by this creator1-Guide to Computer Forensics and Investigations
70 terms
Miriam_Chavez115
Chapter 1 - An Overview of Computers and Programmi…
57 terms
Miriam_Chavez115
Hands On Ethical Hacking And Network Defense
24 terms
Miriam_Chavez115
Hands-On Ethical Hacking And Network Defense
60 terms
Miriam_Chavez115
Verified questions
COMPUTER SCIENCE
What number does a bit that is turned on represent? What number does a bit that is turned off represent?
Verified answer
COMPUTER SCIENCE
A __________ is a sequence of characters. a. char sequence b. character collection c. string d. text block
Verified answer
COMPUTER SCIENCE
Could you simulate a multilevel directory structure with a single-level directory structure in which arbitrarily long names can be used? If your answer is yes, explain how you can do so, and contrast this scheme with the multilevel directory scheme. If your answer is no, explain what prevents your simulation’s success. How would your answer change if file names were limited to seven characters?
Verified answer
COMPUTER SCIENCE
The “small world effect” states that the average degree of separation in an acquaintanceship graph of the whole world is 6. In other words, a path of acquaintance relationships from you to any other person on earth exists with, on the average, a path length of 6 (5 intermediate persons). Experiments in delivering hard-copy letters and e-mail messages have empirically confirmed this theory. a. What are the potential implications for e-mail traffic if the small world effect holds for computer networks? b. What are the potential implications for epidemiology if the small world effect holds for physical contact between humans?
Verified answer
Recommended textbook solutionsIntroduction to Algorithms
3rd EditionCharles E. Leiserson, Clifford Stein, Ronald L. Rivest, Thomas H. Cormen
726 solutions
Computer Organization and Design MIPS Edition: The Hardware/Software Interface
5th EditionDavid A. Patterson, John L. Hennessy
220 solutions
Information Technology Project Management: Providing Measurable Organizational Value
5th EditionJack T. Marchewka
346 solutions
Information Technology Project Management: Providing Measurable Organizational Value
5th EditionJack T. Marchewka
346 solutions
Other Quizlet setsDiscovery Cermony
13 terms
elizabethsturgis6
DWC Final Short Answers
35 terms
laurboen
Photosynthesis
34 terms
Ava_Santilli
Related questionsQUESTION
Java will automatically call the superclass's default or no-arg constructor JUST BEFORE the code in the subclass's constructor executes
4 answers
QUESTION
True/False: In a variable length parameter list, the parameters are automatically put into an array with a specified variable name?
4 answers
QUESTION
which intent action opens a web browser on the Android?
9 answers
QUESTION
Browsers will display items from an ordered list alongside a marker such as a bullet point.
13 answers