What must be performed as per departmental or organizational policies and in compliance with applicable standards, rules, and laws?
Data acquisition
What is the first step in the data acquisition methodology?
Determining the data acquisition method
What is the second step in the data acquisition methodology?
Determining the data acquisition tool
What is the third step in the data acquisition methodology?
Sanitizing the target media
What is the fourth step in the data acquisition methodology?
Acquiring volatile data
What is the fifth step in the data acquisition methodology?
Enabling write protection on the evidence media
What is the sixth step in the data acquisition methodology?
Acquiring non-volatile data
What is the seventh step in the data acquisition methodology?
Planning for contingency
What is the eighth step in the data acquisition methodology?
Validating data acquisition
Which of the following must be considered in determining the data acquisition method?
Size of the suspect drive: If the suspect drive is large in size, the investigator must opt for disk-to-image copying.
If the size of the target disk is significantly smaller than that of the suspect drive, investigators need to adopt methods to reduce the data size such as the following:
Using Microsoft disk compression tools such as DriveSpace and DoubleSpace, which exclude slack disk space between the files
If the size of the target disk is significantly smaller than that of the suspect drive, investigators need to adopt methods to reduce the data size such as the following:
Using compression methods that use an algorithm to reduce the file size. Archiving tools like PKZip, WinZip, and WinRAR can help to compress files.
If the size of the target disk is significantly smaller than that of the suspect drive, investigators need to adopt methods to reduce the data size such as the following:
Testing lossless compression by applying an MD5, SHA-2, or SHA-3 hash to a file before compression and again after decompressing it. The compression is lossless only if the two hash values match (the hash of the compressed file itself will always differ from that of the original, so it is the round-tripped file that must be compared).
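The check described in the card above, as an added shell example that is not part of the original flashcards: hash the file, compress it, decompress it, hash the result, and compare. Everything here (the gzip tool, the constructed sample file) is an assumption of the example; the point is that the comparison is original versus round-tripped output, never against the compressed file.

```shell
#!/bin/sh
# Added example: verify that a compression step is lossless by hashing a file
# before compression and after decompression. Assumes GNU coreutils and gzip.
set -eu

# sha256_of <file>: print the SHA-256 digest of <file>
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# verify_lossless <file>: return 0 when decompress(compress(file)) == file
verify_lossless() {
    src=$1
    tmp=$(mktemp -d)
    before=$(sha256_of "$src")
    gzip -c "$src" > "$tmp/out.gz"            # compress
    gzip -dc "$tmp/out.gz" > "$tmp/restored"  # decompress
    after=$(sha256_of "$tmp/restored")
    rm -rf "$tmp"
    [ "$before" = "$after" ]
}

# Constructed sample input: a few hundred KB of repetitive records
# (compresses well, so the compressed file is visibly smaller).
demo_file=$(mktemp)
i=0
while [ "$i" -lt 16384 ]; do
    printf 'evidence-record-%06d\n' "$i"
    i=$((i + 1))
done > "$demo_file"

if verify_lossless "$demo_file"; then
    echo "lossless: hash before compression matches hash after decompression"
else
    echo "MISMATCH: compression altered the data"
fi
rm -f "$demo_file"
```

Run it as `sh verify_lossless.sh`; the same `verify_lossless` function can be pointed at an evidence file before it is archived with any lossless tool, as long as the decompression step is replaced to match.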
When the suspect drive is too large, forensic investigators can utilize the following techniques:
Use tape backup systems like Super Digital Linear Tape (SDLT) or Digital Audio Tape/Digital Data Storage (DAT/DDS)
When the suspect drive is too large, forensic investigators can utilize the following techniques:
Use SnapBack and SafeBack, which have software drivers to write data to a tape backup system from a suspect drive through the standard PCI/SCSI
Which of the following must be considered in determining the data acquisition method?
Time required to acquire the image: The time required for data acquisition increases with increasing sizes of the suspect drives.
Which of the following must be considered in determining the data acquisition method?
Whether the suspect drive can be retained
Which of the following falls in line with whether the suspect drive can be retained?
If the investigator cannot retain the original drive, as in a discovery demand for a civil litigation case, they should check whether logical acquisition is acceptable in court.
Which of the following falls in line with whether the suspect drive can be retained?
If the investigators can retain the drive, they should still image it with a reliable data acquisition tool, because most discovery demands provide only one opportunity to capture the data.
Which of the following are mandatory requirements for selecting every data acquisition tool used for the disk imaging process?
The tool must not alter or make any changes to the original content
Which of the following are mandatory requirements for selecting every data acquisition tool used for the disk imaging process?
The tool must log I/O errors in an accessible and readable form, including the type and location of the error
Which of the following are mandatory requirements for selecting every data acquisition tool used for the disk imaging process?
The tool must be able to compare the source and destination, and alert the user if the destination is smaller than the source
Which of the following are mandatory requirements for selecting every data acquisition tool used for the disk imaging process?
The tool must have the ability to pass scientific and peer review. Results must be repeatable and verifiable by a third party, if necessary
Which of the following are mandatory requirements for selecting every data acquisition tool used for the disk imaging process?
The tool must completely acquire all visible and hidden data sectors from the digital source
Which of the following are mandatory requirements for selecting every data acquisition tool used for the disk imaging process?
The tool must create a bit-stream copy of the original content when there are no errors in accessing the source media
Which of the following are mandatory requirements for selecting every data acquisition tool used for the disk imaging process?
The tool must create a qualified bit-stream copy (a qualified bitstream copy is defined as a duplicate except in identified areas of the bit-stream) when I/O errors occur while accessing the source media
Which of the following are mandatory requirements for selecting every data acquisition tool used for the disk imaging process?
The tool must copy the source only when the destination is at least as large as the source, and must document the contents of any areas on the destination that are not part of the copy
Which of the following are mandatory requirements for selecting every data acquisition tool used for the disk imaging process?
Tool documentation must be correct, i.e., the user should get expected results by executing it as per the tool’s documented procedures
Which of the following are optional requirements for selecting every data acquisition tool used for the disk imaging process?
The tool should compute a hash value for the complete bit-stream copy generated from a source image file, compare it with the source hash value computed at the time of image creation, and record the result in a disk file
Which of the following are optional requirements for selecting every data acquisition tool used for the disk imaging process?
The tool should divide the bit-stream copy into blocks, compute a hash value for each block, compare each with the hash value of the corresponding original block computed at the time of image creation, and record the result in a disk file
Which of the following are optional requirements for selecting every data acquisition tool used for the disk imaging process?
The tool should log one or more items on a disk file (items include tool version, subject disk identification, any errors encountered, tool actions, start and finish run times, tool settings, and user comments)
Which of the following are optional requirements for selecting every data acquisition tool used for the disk imaging process?
The tool should create a qualified bit-stream duplicate and adjust the alignment of cylinders to cylinder boundaries of disk partitions when the destination is of a different physical geometry
Which of the following are optional requirements for selecting every data acquisition tool used for the disk imaging process?
The tool should create a bit-stream copy of individual partitions as per user direction
Which of the following are optional requirements for selecting every data acquisition tool used for the disk imaging process?
The tool should make the source disk partition table visible to users, and record its contents
Which of the following are optional requirements for selecting every data acquisition tool used for the disk imaging process?
The tool should create an image file on a fixed or removable magnetic or electronic media that is used to create a bit-stream copy of the original
Which of the following are optional requirements for selecting every data acquisition tool used for the disk imaging process?
The tool should create a bit-stream copy on a platform that is connected through a communications link to a different platform containing the source disk
Before data acquisition and duplication, an appropriate _________ method must be used to permanently erase any previous information stored on the target media.
Data sanitization
True or False: Destruction of data using industry standard data destruction methods is essential for sensitive data that one does not want falling into the wrong hands.
True
What, on electronic devices, is only virtual (logical), while the data physically remains on the media and poses a security threat?
Data deletion and disposal
True or False: Methods like hard drive formatting or deleting partitions cannot delete the file data completely.
True
True or False: After evidence has been collected from the computer, it is important to destroy the data on media that is no longer needed and protect it from retrieval.
True
What is the only way to erase data completely from a magnetic disk and protect it from recovery?
Overwrite every sector of the media with a fixed pattern (sequential zeroes or ones) or random data. (On flash/SSD media, wear levelling means overwriting cannot be relied upon; the drive's own sanitize or cryptographic-erase command, as covered by NIST SP 800-88, should be used instead.)
True or False: Once the target data is collected and analyzed, the media must be appropriately disposed to prevent data retrieval and protect its confidentiality.
True
Which of the following standards do investigators follow to sanitize target media?
Russian Standard, GOST P50739-95 (6 passes)
Which of the following standards do investigators follow to sanitize target media?
(German) VSITR (7 passes)
Which of the following standards do investigators follow to sanitize target media?
(American) NAVSO P-5239-26 (MFM) (3 passes)
Which of the following standards do investigators follow to sanitize target media?
(American) DoD 5220.22-M (7 passes)
Which of the following standards do investigators follow to sanitize target media?
(American) NAVSO P-5239-26 (RLL) (3 passes)
Which of the following standards do investigators follow to sanitize target media?
NIST SP 800-88
NIST SP 800-88 guidance describes three sanitization methods. Which of the following is one of the three sanitization methods?
Clear
NIST SP 800-88 guidance describes three sanitization methods. Which of the following is one of the three sanitization methods?
Purge
NIST SP 800-88 guidance describes three sanitization methods. Which of the following is one of the three sanitization methods?
Destroy
The National Institute of Standards and Technology has issued a set of guidelines to help organizations sanitize data to preserve the confidentiality of the information. Which of the following is one of those guidelines?
The application of complex access controls and encryption can reduce the chances for an attacker to gain direct access to sensitive information
The National Institute of Standards and Technology has issued a set of guidelines to help organizations sanitize data to preserve the confidentiality of the information. Which of the following is one of those guidelines?
Media that an organization no longer needs may leave its control by internal or external transfer or by recycling; the sanitization method applied must be appropriate for that disposal path
The National Institute of Standards and Technology has issued a set of guidelines to help organizations sanitize data to preserve the confidentiality of the information. Which of the following is one of those guidelines?
Effective sanitization techniques and tracking of storage media are crucial to ensure protection of sensitive data by organizations against attackers
The National Institute of Standards and Technology has issued a set of guidelines to help organizations sanitize data to preserve the confidentiality of the information. Which of the following is one of those guidelines?
All organizations and intermediaries are responsible for effective information management and data sanitization
What is a wiping method that writes zeros in the first pass and then random bytes in the next pass?
Russian Standard, GOST P50739-95 (listed as 6 passes in this material; as described here, and as implemented by common wiping tools, the method is two passes)
What method overwrites in 6 passes with alternating sequences of 0x00 and 0xFF, then writes 0xAA in the last (7th) pass?
(German) VSITR (7 passes)
What is a three-pass overwriting algorithm that verifies in the last pass?
(American) NAVSO P-5239-26 (MFM) (3 passes)
What standard destroys the data in the required area of the drive by overwriting it with 010101 in the first pass and 101010 in the second pass, repeating this pair three times, and then overwriting the area with random characters in the 7th pass?
(American) DoD 5220.22-M (7 passes)
What is a three-pass overwriting algorithm that verifies in the last pass?
(American) NAVSO P-5239-26 (RLL) (3 passes)
What NIST SP 800-88 guidance involves logical techniques applied to sanitize data in all storage areas using the standard read and write commands?
Clear
What NIST SP 800-88 guidance involves physical or logical techniques to make the target data recovery infeasible by using state-of-the-art laboratory techniques?
Purge
What NIST SP 800-88 guidance enables target data recovery to be infeasible with the use of state-of-the-art laboratory techniques, which result in an inability to use the media for data storage?
Destroy
Physical destruction of media involves techniques, such as_________
Cross-cut shredding
True or False: Investigators must consider the type of target media they are using for copying or duplicating the data and select an appropriate sanitization method, to ensure that no part of the previous data remains on the target media that will store the evidence files. Residual data from the media's previous use could alter the properties of the evidence copy or change the data and its structure.
True
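The sanitize-and-verify step the cards above describe (step 3 of the methodology), as an added shell example that is not part of the original flashcards. It generalizes the fixed-pattern standards listed above: a `wipe_pattern` function writes one byte value over the whole target, `verify_pattern` reads it back and confirms every byte holds that value, and `sanitize_target` runs the VSITR-style sequence (0x00/0xFF alternating, then 0xAA) and verifies the final pass. The target path, pattern sequence and constructed sample are assumptions of the example.

```shell
#!/bin/sh
# Added example: overwrite a target file or block device with a byte pattern and
# verify the result by reading it back. Assumes GNU coreutils (dd, head, tr, cmp).
# Caveat: overwriting is only reliable on magnetic media; on SSD/flash, wear
# levelling can leave old blocks untouched, so use the drive's own sanitize /
# cryptographic-erase command as described in NIST SP 800-88.
set -eu

# size_of <path>: size in bytes of a regular file or a block device
size_of() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# pattern_stream <bytes> <octal>: emit <bytes> copies of one byte value,
# e.g. pattern_stream 4096 252 emits 4096 bytes of 0xAA (252 octal)
pattern_stream() {
    head -c "$1" /dev/zero | tr '\000' "\\$2"
}

# wipe_pattern <target> <octal>: one pass of the given byte over the whole target
wipe_pattern() {
    tgt=$1; oct=$2
    bytes=$(size_of "$tgt")
    # conv=notrunc keeps a file's size unchanged; conv=fsync forces the data to media
    pattern_stream "$bytes" "$oct" | dd of="$tgt" bs=1M conv=notrunc,fsync status=none
}

# verify_pattern <target> <octal>: return 0 only if every byte equals the pattern
verify_pattern() {
    tgt=$1; oct=$2
    bytes=$(size_of "$tgt")
    pattern_stream "$bytes" "$oct" | cmp -s "$tgt" -
}

# sanitize_target <target>: 0x00/0xFF alternating for six passes, 0xAA last,
# then verify the last pass (the sequence the VSITR card above describes).
sanitize_target() {
    tgt=$1
    for oct in 000 377 000 377 000 377 252; do
        wipe_pattern "$tgt" "$oct"
    done
    verify_pattern "$tgt" 252
}

# Constructed sample target: a 4 MiB file filled with random data standing in
# for a previously used evidence drive.
demo=$(mktemp)
head -c $((4 * 1024 * 1024)) /dev/urandom > "$demo"
if sanitize_target "$demo"; then
    echo "target sanitized and verified (final pass 0xAA)"
else
    echo "VERIFICATION FAILED: residual data on target"
fi
rm -f "$demo"
```

Point `sanitize_target` at a real device (for example `/dev/sdX`, as root) only after confirming it is the target media and not the evidence drive; the verification pass is what turns "we ran a wipe" into documented proof that no previous data remains.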
What involves collecting data that is lost when the computer is shut down or restarted?
Volatile data
What type of data usually corresponds to running processes, logged-on users, registry contents, loaded DLLs, clipboard data, open files, etc.?
Volatile data
True or False: As the contents of RAM and other volatile data are dynamic, investigators need to be careful while acquiring such data. Working on a live system may alter the contents of the RAM or processes running on the system. Any involuntary action may change file access dates and times, use shared libraries or DLLs, trigger the execution of malware, or —in the worst case — force a reboot, thus making the system inaccessible.
True
True or False: While most volatile data are recovered by examining the live system, approximately the same amount of data can be obtained by examining the image acquired from the memory of the system.
True
How would you acquire volatile data from a Windows machine?
Forensic tools such as Belkasoft Live RAM Capturer can be used to extract the entire contents of the computer’s volatile memory.
What tool saves the image files in .mem format?
Belkasoft Live RAM Capturer
What is a free forensic tool that enables reliable extraction of the entire contents of the computer's volatile memory, even if protected by an active anti-debugging or anti-dumping system?
Belkasoft Live RAM Capturer
True or False: Belkasoft Live RAM Capturer is compatible with all versions and editions of Windows including XP, Vista, Windows 7, 8, and 10, 2003, and 2008 Server.
True
True or False: While performing live acquisition, an investigator must be aware of the fact that working on a live system may alter the contents of RAM or processes running on the system. Any involuntary action performed on the system may potentially make the system inaccessible.
True
It is necessary to write protect the suspect drive using write blockers to _________________in it
preserve and protect the evidence contained
What is a hardware device or software application that allows data acquisition from the storage media without altering its contents?
Write blocker
True or False: Enabling write protection allows the data to be read but prohibits writing or modification.
True
True or False: In the context of forensic data acquisition, the evidence media — which refers to the storage in the original device from which data must be copied onto a separate storage device — must be write protected to safeguard it from modifications.
True
What is important because forensic investigators should be confident about the integrity of the evidence they obtain during acquisition, analysis, and management?
Write protection
True or False: The evidence should be legitimate in order for it to be accepted by the authorities of the court. Therefore, the investigator needs to implement a set of procedures to prevent the execution of any program that can alter the disk contents.
True
Which of the following are some measures that provide defense mechanisms against alterations?
Set a hardware jumper to make the disk read-only
Which of the following are some measures that provide defense mechanisms against alterations?
Use operating system and software that cannot write to the disk unless instructed
Which of the following are some measures that provide defense mechanisms against alterations?
Employ a hard disk write block tool to protect against disk writes
What provides read-only access to hard disks and other storage devices without compromising their security?
Hardware and software write blocker tools
Which of the following steps applies when a hardware write blocker is used?
Install the write blocker device between the suspect drive and the forensic workstation
Which of the following steps applies when a hardware write blocker is used?
Boot the system with the examiner-controlled operating system
Which of the following steps applies when a hardware write blocker is used?
Examples of hardware devices: CRU® WiebeTech® USB WriteBlocker™, Tableau Forensic USB Bridge, etc.
Which of the following steps applies when a software write blocker is used?
Boot the system with the examiner-controlled operating system
Which of the following steps applies when a software write blocker is used?
Activate write protection
Which of the following steps applies when a software write blocker is used?
Examples of software applications: SAFE Block, MacForensicsLab Write Controller, etc.
What can be acquired from a hard disk both during live and dead acquisition processes?
Non-volatile data
Which remote acquisition tool can investigators use to perform live acquisition of a hard disk over the network?
Netcat (typically used to pipe the output of an imaging tool such as dd from the live system to a listening forensic workstation)
Which bootable CD/USB distribution allows investigators to perform live acquisition of a hard disk?
CAINE
Which of the following is a step in the dead acquisition process?
Remove the hard drive from the suspect computer
Which of the following is a step in the dead acquisition process?
Connect it to a forensic workstation to perform the acquisition
Which of the following is a step in the dead acquisition process?
Write-block the hard disk to ensure that it provides only read-only access to the hard drive and prevents any modification or tampering of its contents
Which of the following is a step in the dead acquisition process?
Run any forensic acquisition tool suitable for the purpose of acquiring/collecting data
To acquire a forensic image of a hard disk during dead acquisition, investigators need to remove the hard disk, connect it to a forensic workstation, enable a write-blocker, and run a forensic imaging tool such as __________
AccessData FTK Imager on the workstation
What is a data preview and imaging tool that can also create exact copies (forensic images) of computer data without making changes to the original evidence?
FTK Imager
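The dead-acquisition steps above end with running an imaging tool, and step 8 of the methodology is validating the acquisition; the remote Netcat card describes the same imaging over a network. As an added shell example that is not part of the original flashcards (and not FTK Imager's or CAINE's own code), this acquires a raw image with dd, logs I/O errors and timings, and validates the image by comparing its SHA-256 against the source. The sector size, file paths, constructed sample source and the netcat variant (OpenBSD-style `nc -l PORT` and `nc -N`) are assumptions of the example.

```shell
#!/bin/sh
# Added example: raw (dd) acquisition of a write-blocked source with error
# logging, followed by hash validation. Assumes GNU coreutils; the remote
# functions assume OpenBSD netcat (other variants use -p / -q instead of -l / -N).
set -eu

# sha256_of <file>: print the SHA-256 digest of <file>
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# acquire_image <source> <image> <log>
# ibs must equal the source's logical sector size (512 or 4096): conv=sync pads
# any short read to ibs so unreadable sectors become zero-filled and offsets in
# the image stay aligned with the source. A larger ibs would pad the final read
# and the image hash could never match the source. conv=noerror keeps going on
# read errors; dd's stderr (each "Input/output error") is captured in <log>.
acquire_image() {
    src=$1; img=$2; log=$3
    {
        echo "start:  $(date -u +%FT%TZ)"
        echo "source: $src"
        dd if="$src" of="$img" ibs=512 obs=1M conv=noerror,sync 2>&1 || echo "dd exit status: $?"
        echo "finish: $(date -u +%FT%TZ)"
    } > "$log"
}

# validate_image <source> <image> <log>: record both hashes, return 0 on match
validate_image() {
    src=$1; img=$2; log=$3
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    printf 'sha256 source: %s\nsha256 image:  %s\n' "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Remote variant (the Netcat card): start remote_receive on the forensic
# workstation, then run remote_send on the suspect system. Each side prints its
# hash so the received image can be validated the same way.
remote_receive() { port=$1; img=$2; nc -l "$port" > "$img"; sha256_of "$img"; }
remote_send() {
    src=$1; host=$2; port=$3
    dd if="$src" ibs=512 obs=1M conv=noerror,sync 2>/dev/null | nc -N "$host" "$port"
    sha256_of "$src"
}

# Constructed sample source: 64 random "sectors" standing in for a small drive.
work=$(mktemp -d)
head -c $((512 * 64)) /dev/urandom > "$work/source.raw"
acquire_image "$work/source.raw" "$work/evidence.dd" "$work/acquisition.log"
if validate_image "$work/source.raw" "$work/evidence.dd" "$work/acquisition.log"; then
    echo "image validated: source and image hashes match"
else
    echo "VALIDATION FAILED: hashes differ, re-acquire"
fi
cat "$work/acquisition.log"
rm -rf "$work"
```

Against a real drive, the source is the write-blocked device node (for example `/dev/sdX`) and the log, with its start/finish times, error lines and both hashes, is what goes into the case file; a hash mismatch after an error-free run means the image must be re-acquired, not explained away.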