Forensic boot
________ CD/DVD or USB drive gives you a way to acquire data from a suspect computer and write-protect the disk drive.
Runtime
________ has designed its tools to be file system specific, so DiskExplorer versions for both FAT and NTFS are available.
F-Response
With ________, examiners can access remote drives at the physical level and view raw data.
static acquisition
A(n) ________ is done on a computer seized during a police raid.
Data acquisition
The process of copying data
Logical Acquisition
Captures only specific files of interest to the case or specific types of files
Sparse Acquisition
Collects fragments of unallocated (deleted) data; use this method only when you don't need to examine the entire drive
Mini-WinFE
It enables you to build a Windows forensic boot CD/DVD or USB drive with a modification in its Windows Registry file so that connected drives are mounted as read-only
FTK Imager
A data acquisition tool included with a licensed copy of AccessData Forensic Toolkit
Hexadecimal Editors
X-Ways WinHex or Breakpoint Software Hex Workshop
Forensic Programs
OSForensics, Autopsy, EnCase, and FTK
Redundant array of independent disks (RAID)
A computer configuration involving two or more physical disks
RAID 0
Provides rapid access and increased data storage
RAID 1
Made up of two disks for each volume and is designed for data recovery in the event of a disk failure
RAID 2
Provides rapid access and increased storage by configuring two or more disks as one large volume
RAID 3
Uses data striping and dedicated parity and requires at least three disks
RAID 4
Uses data striping and dedicated parity (block writing), except data is written in blocks rather than bytes
RAID 5
Uses distributed data and distributed parity and stripes data tracks across all disks in the RAID array
RAID 6
Distributed data and distributed parity (double parity) function the same way as RAID 5, except each disk in the RAID array has redundant parity
RAID 10
A combination of RAID 1 and RAID 0
RAID 15
A combination of RAID 1 and RAID 5
Data acquisition
The process of copying data. It’s the task of collecting digital evidence from electronic media.
raw format
As a practical way to preserve digital evidence, vendors made it possible to write bit-stream data to files. This copying technique creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a ____.
Advanced Forensic Format
Developed by Dr. Simson L. Garfinkel; an open-source acquisition format.
Static acquisition
It is done on a computer seized during a police raid.
live acquisition
If the computer has an encrypted drive, a ____ is done if the password or passphrase is available—meaning the computer is powered on and has been logged on to by the suspect.
Static acquisitions
These are always the preferred way to collect digital evidence.
Logical Acquisition
Captures only specific files of interest to the case or specific types of files.
Sparse Acquisition
Collects fragments of unallocated (deleted) data; use this method only when you don’t need to examine the entire drive.
Forensic boot CD/DVD or USB drive
_____ gives you a way to acquire data from a suspect computer and write-protect the disk drive.
Mini-WinFE
It enables you to build a Windows forensic boot CD/DVD or USB drive with a modification in its Windows Registry file so that connected drives are mounted as read-only.
FTK Imager
A data acquisition tool included with a licensed copy of AccessData Forensic Toolkit.
Hexadecimal Editors
X-Ways WinHex or Breakpoint Software Hex Workshop
Forensic Programs
OSForensics, Autopsy, EnCase, and FTK
MD5
Autopsy uses ____ to validate an image. It reads the metadata in Expert Witness Compression or AFF image files to get the original hash.
Redundant array of independent disks (RAID)
A computer configuration involving two or more physical disks.
Software RAID
It is typically implemented from the host computer’s OS.
Hardware RAID
____ uses its own controller as well as a processor and memory connected to the host computer.
RAID 0
Provides rapid access and increased data storage. Two or more disk drives become one large volume, so the computer views the disks as a single disk.
RAID 1
Made up of two disks for each volume and is designed for data recovery in the event of a disk failure.
RAID 2
Provides rapid access and increased storage by configuring two or more disks as one large volume.
Error-correcting code (ECC)
It is used to verify whether the write is successful.
RAID 3
Uses data striping and dedicated parity and requires at least three disks.
RAID 4
Uses data striping and dedicated parity (block writing), except data is written in blocks rather than bytes.
RAID 5
Uses distributed data and distributed parity and stripes data tracks across all disks in the RAID array. It places parity data on each disk.
RAID 6
Distributed data and distributed parity (double parity) function the same way as RAID 5, except each disk in the RAID array has redundant parity.
RAID 10
A combination of RAID 1 and RAID 0. It provides fast access and redundancy of data storage. Also known as Mirrored Striping.
RAID 15
A combination of RAID 1 and RAID 5. It offers the most robust data recovery capability and speed of access to all RAID configurations and is also more costly. Also known as Mirrored Striping with Parity.
ProDiscover Incident Response
It is designed to be integrated as a network intrusion analysis tool and is useful for performing remote acquisitions.
Guidance Software
It was the first forensics vendor to develop a remote acquisition and analysis tool based on its desktop tool EnCase.
R-Studio network
The _____ edition can remotely access networked computer systems.
R-Studio network edition
Data acquired with ________ creates raw format acquisitions, and it’s capable of recovering many different file systems.
US-LATT PRO
Part of a suite of tools developed by WetStone; it can connect to a networked computer remotely and perform a live acquisition of all drives connected to it.
F-Response
It is a vendor-neutral specialty remote access utility designed to work with any digital forensics program.
PassMark Software
It has an acquisition tool called ImageUSB for its OSForensics analysis product.
ASR Data SMART
It is a Linux forensics analysis tool that can make image files of a suspect drive. SMART can produce proprietary or raw format images and includes the following capabilities:
Runtime Software
It offers several compact shareware programs for data acquisition and recovery, including DiskExplorer for FAT and DiskExplorer for NTFS.
IXImager
It's a stand-alone proprietary format acquisition tool designed to work only with ILookIX. It can acquire single drives and RAID drives, and it supports IDE (PATA), SCSI, USB, and FireWire devices.