Data Acquisition

58 Terms

1
Forensic boot
________ CD/DVD or USB drive gives you a way to acquire data from a suspect computer and write-protect the disk drive.
2
Runtime
________ has designed its tools to be file system specific, so DiskExplorer versions for both FAT and NTFS are available.
3
F-Response
With ________, examiners can access remote drives at the physical level and view raw data.
4
static acquisition
A(n) ________ is done on a computer seized during a police raid.
5
Data acquisition
The process of copying data
6
Logical Acquisition
Captures only specific files of interest to the case or specific types of files
7
Sparse Acquisition
Collects fragments of unallocated (deleted) data; use this method only when you don't need to examine the entire drive
8
Mini-WinFE
It enables you to build a Windows forensic boot CD/DVD or USB drive with a modification in its Windows Registry file so that connected drives are mounted as read-only
9
FTK Imager
A data acquisition tool included with a licensed copy of AccessData Forensic Toolkit
10
Hexadecimal Editors
X-Ways WinHex or Breakpoint Software Hex Workshop
11
Forensic Programs
OSForensics, Autopsy, EnCase, and FTK
12
Redundant array of independent disks (RAID)
A computer configuration involving two or more physical disks
13
RAID 0
Provides rapid access and increased data storage
14
RAID 1
Made up of two disks for each volume and is designed for data recovery in the event of a disk failure
15
RAID 2
Provides rapid access and increased storage by configuring two or more disks as one large volume
16
RAID 3
Uses data striping and dedicated parity and requires at least three disks
17
RAID 4
Uses data striping and dedicated parity (block writing), except data is written in blocks rather than bytes
18
RAID 5
Uses distributed data and distributed parity and stripes data tracks across all disks in the RAID array
19
RAID 6
Distributed data and distributed parity (double parity) function the same way as RAID 5, except each disk in the RAID array has redundant parity
20
RAID 10
A combination of RAID 1 and RAID 0
21
RAID 15
A combination of RAID 1 and RAID 5
22
Data acquisition
The process of copying data. It’s the task of collecting digital evidence from electronic media.
23
raw format
As a practical way to preserve digital evidence, vendors made it possible to write bit-stream data to files. This copying technique creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a ____.
24
Advanced Forensic Format
Developed by *Dr. Simson L. Garfinkel*; an open-source acquisition format.
25
Static acquisition
It is done on a computer seized during a police raid.
26
live acquisition
If the computer has an encrypted drive, a ____ is done if the password or passphrase is available—meaning the computer is powered on and has been logged on to by the suspect.
27
Static acquisitions
These are always the preferred way to collect digital evidence.
28
Logical Acquisition
Captures only specific files of interest to the case or specific types of files.
29
Sparse Acquisition
Collects fragments of unallocated (deleted) data; use this method only when you don’t need to examine the entire drive.
30
Forensic boot CD/DVD or USB drive
_____ gives you a way to acquire data from a suspect computer and write-protect the disk drive.
31
Mini-WinFE
It enables you to build a Windows forensic boot CD/DVD or USB drive with a modification in its Windows Registry file so that connected drives are mounted as read-only.
32
FTK Imager
A data acquisition tool included with a licensed copy of AccessData Forensic Toolkit.
33
Hexadecimal Editors
X-Ways WinHex or Breakpoint Software Hex Workshop
34
Forensic Programs
OSForensics, Autopsy, EnCase, and FTK
35
MD5
Autopsy uses ____ to validate an image. It reads the metadata in Expert Witness Compression or AFF image files to get the original hash.
36
Redundant array of independent disks (RAID)
A computer configuration involving two or more physical disks.
37
Software RAID
It is typically implemented from the host computer’s OS.
38
Hardware RAID
____ uses its own controller as well as a processor and memory connected to the host computer.
39
RAID 0
Provides rapid access and increased data storage. Two or more disk drives become one large volume, so the computer views the disks as a single disk.
40
RAID 1
Made up of two disks for each volume and is designed for data recovery in the event of a disk failure.
41
RAID 2
Provides rapid access and increased storage by configuring two or more disks as one large volume.
42
Error-correcting code (ECC)
It is used to verify whether the write is successful.
43
RAID 3
Uses data striping and dedicated parity and requires at least three disks.
44
RAID 4
Uses data striping and dedicated parity (block writing), except data is written in blocks rather than bytes.
45
RAID 5
Uses distributed data and distributed parity and stripes data tracks across all disks in the RAID array. It places parity data on each disk.
46
RAID 6
Distributed data and distributed parity (double parity) function the same way as RAID 5, except each disk in the RAID array has redundant parity.
47
RAID 10
A combination of RAID 1 and RAID 0. It provides fast access and redundancy of data storage. Also known as *Mirrored Striping.*
48
RAID 15
A combination of RAID 1 and RAID 5. It offers the most robust data recovery capability and speed of access of all RAID configurations and is also more costly. Also known as *Mirrored Striping with Parity.*
49
ProDiscover Incident Response
It is designed to be integrated as a network intrusion analysis tool and is useful for performing remote acquisitions.
50
Guidance Software
It was the first forensics vendor to develop a remote acquisition and analysis tool based on its desktop tool EnCase.
51
R-Studio network
The _____ edition can remotely access networked computer systems.
52
R-Studio network edition
Data acquired with ________ creates raw format acquisitions, and it’s capable of recovering many different file systems.
53
US-LATT PRO
Part of a suite of tools developed by WetStone, it can connect to a networked computer remotely and perform a live acquisition of all drives connected to it.
54
F-Response
It is a vendor-neutral specialty remote access utility designed to work with any digital forensics program.
55
PassMark Software
It has an acquisition tool called ImageUSB for its OSForensics analysis product.
56
ASR Data SMART
It is a Linux forensics analysis tool that can make image files of a suspect drive. SMART can produce proprietary or raw format images and includes the following capabilities:
57
Runtime Software
It offers several compact shareware programs for data acquisition and recovery, including DiskExplorer for FAT and DiskExplorer for NTFS.
58
IXImager
  • It’s a stand-alone proprietary format acquisition tool designed to work only with ILookIX.

  • It can acquire single drives and RAID drives.

  • It supports IDE (PATA), SCSI, USB, and FireWire devices.
