Module 04 - Data Acquisition Format
Call Kai
Learn
Practice Test
Spaced Repetition
Match
Flashcards
Knowt Play1/35
There's no tags or description
Looks like no tags are added yet.
Name | Mastery | Learn | Test | Matching | Spaced | Call with Kai |
|---|
No analytics yet
Send a link to your students to track their progress
36 Terms
What creates a bit-by-bit copy of the suspect drive?
Raw format
What images in this format are usually obtained by using the dd command?
Raw format
What are the advantages of raw format?
Fast data transfers
What are the advantages of raw format?
Minor data read errors on source drive are ignored
What are the advantages of raw format?
Read by most of the forensic tools
What are the disadvantages of raw format?
Requires same amount of storage as that of the original media
What are the disadvantages of raw format?
Tools (mostly open source) might fail to recognize/collect marginal (bad) sectors from the suspect drive
What has a low threshold of retry reads on weak media spots on a drive?
Freeware tools
What use more retries to ensure all data is collected?
Commercial acquisition tools
Which of the following explains proprietary format?
Commercial forensics tools acquire data from the suspect drive and save the image files in their own formats.
What features do proprietary format commercial forensics tools offer?
Option to compress the image files of the evidence disk/drive in order to save space on the target media
What features do proprietary format commercial forensics tools offer?
Ability to split an image into multiple segments, in order to save them to smaller target media such as CD/DVD, while maintaining their integrity
What features do proprietary format commercial forensics tools offer?
Ability to incorporate metadata into the image file, which includes date and time of acquisition, hash values of the files, case details, etc.
What is a disadvantage of proprietary format commercial forensics tools?
Image file format created by one tool may not be supported by other tool(s)
What is an open-source data acquisition format that stores disk images and related metadata?
Advanced Forensics Format (AFF)
What was the objective behind the development of Advanced Forensics Format (AFF)?
To create an open disk imaging format that provides users an alternative to being locked into a proprietary format.
What is the AFF file extensions for the AFF metadata?
.afm
What is the AFF file extensions for segmented image files?
.afd
True or False: There are no implementation restrictions imposed by AFF on forensic investigators, as it is an open-source format.
True
What has simple design and is accessible through multiple computing platforms and OSes?
Advanced Forensics Format (AFF)
What provides option to compress the image files and allocates space to record metadata of the image files or segmented files and provides internal consistency checks for self-authentication?
Advanced Forensics Format (AFF)
Advanced Forensics Format (AFF) supports two compression algorithms. Which of the following is one of them?
Zlib, which is faster but less efficient
Advanced Forensics Format (AFF) supports two compression algorithms. Which of the following is one of them?
LZMA, which is slower but more efficient
The actual disk image in AFF is a _______, which is composed of segments
with drive data and metadata.
Single file
True or False: AFF file contents can be compressed and uncompressed. AFFv3 supports AFF, AFD, and AFM file extensions.
True
Who created the Advanced Forensic Framework 4 (AFF4) as a redesigned and revamped version of the AFF format?
Michael Cohen, Simson Garfinkel, and Bradly Schatz
What was designed to support storage media with large capacities?
Advanced Forensic Framework 4 (AFF4)
What is referred to its design as being object-oriented as the format consists of generic objects (volumes, streams, and graphs) with externally accessible behavior?
Advanced Forensic Framework 4 (AFF4)
What is an abstract information model that allows storage of disk image data in one or more places while the information about the data is stored elsewhere and stores more kinds of organized information in the evidence file? It offers unified data model and naming scheme.
Advanced Forensic Framework 4 (AFF4)
What can support a vast number of images and offers a selection of container formats such as Zip and Zip64 for the binary files, and simple directories?
Advanced Forensic Framework 4 (AFF4)
What supports storage from the network and the use of WebDAV (an extension of the HTTP protocol) that enables imaging directly to a central HTTP server?
Advanced Forensic Framework 4 (AFF4)
What supports also maps, which are zero-copy transformations of data? Zero-copy transformations spare the CPU from having to perform the task of copying data from one memory area to another, thus increasing its efficiency.
Advanced Forensic Framework 4 (AFF4)
True or False: AFF4 supports image signing and cryptography
True
Advanced Forensic Framework 4 (AFF4) object types include which of the following?
Volumes: They store segments, which are indivisible blocks of data
Advanced Forensic Framework 4 (AFF4) object types include which of the following?
Streams: These are data objects that can help in reading or writing, for example, segments, images, and maps
Advanced Forensic Framework 4 (AFF4) object types include which of the following?
Graphs: Collections of RDF statements