What type of tools range from simple, single-purpose components to complete computer systems and servers?
Hardware forensic tools
What type of tools are commonly used to copy data from a suspect’s disk drive to an image file?
Software forensic tools
What are the two types of software forensic tools?
-Command-line applications
-GUI applications
What are the five major categories of tasks performed by digital forensic tools?
-Acquisition
-Validation and verification
-Extraction
-Reconstruction
-Reporting
AVERR
Making a copy of the original drive is performing an ________?
Acquisition
What are the two types of data copying methods used in software acquisitions?
-Physical copying of the entire drive
-Logical copying of a disk partition
True or false: Remote acquisitions are more common in larger organizations?
True
A way to confirm that a tool is functioning as intended is ______?
Validation
Proving that two sets of data are identical by calculating hash values or using another similar method is _______?
Verification
What are the subfunctions of validation and verification?
-Hashing
-Filtering
-Analyzing file headers
What task is known as the recovery task in a digital investigation, often the most challenging task to master?
Extraction
What is the first step in analyzing an investigation’s data?
Recovering data
What subfunction of extraction can speed up analysis for investigators?
Keyword searching
When an investigator has to deal with encrypted files and systems, password recovery tools have a feature to generate potential passwords known as ___________?
password dictionary attack
If a password dictionary attack fails during the attempt to recover encrypted files, a ___________ is run instead.
Brute force attack
What task recreates a suspect drive to show what happened during a crime or an incident?
Reconstruction
Disk-to-disk copy, image-to-disk copy, image-to-partition copy, and disk-to-image copy are all methods of ______?
Reconstruction
What is the simplest method when reconstructing an image of a suspect drive?
Use a tool that makes a direct disk-to-image copy
Linux dd command, ProDiscover, and Voom Technologies Shadow Drive are all examples of ____?
disk-to-image copies
To perform a forensics disk analysis and examination, you need to create a ____?
Report
Bookmarking or tagging, log reports, timelines, and report generators are all subfunctions of the _______ task?
Reporting
What was one of the first MS-DOS tools used for computer investigations?
Norton DiskEdit
______ has been mostly replaced by Linux?
UNIX
What is the digital forensics tool that is built specifically for the Linux environment?
SMART
What is one of the easiest forensic suites to use that can be booted as a Linux OS or loaded directly onto a running system for live acquisition?
Helix 3
What was Kali Linux formerly known as?
BackTrack
Sleuth Kit is a _____ forensics tool?
Linux
Forcepoint Threat Protection, formerly known as Second Look, is a Linux ___ _____ tool that can perform both onsite and remote memory acquisitions
Memory analysis
What are the advantages of using a GUI forensic tool?
-Ease of use
-Multitasking
-No need for learning older OSs
What are the disadvantages to using GUI forensic tools?
-Excessive resource requirements
-Produce inconsistent results
-Create tool dependencies
What factors should you consider when planning your budget?
-expected amount of time the forensic workstation will run
-failures
-consultant and vendor fees
-anticipated equipment replacement
What are the three types of forensic workstations?
-stationary workstation
-portable workstation
-lightweight workstation
True or false: Private corporation labs only handle system types used in the organization?
True
What prevents data writes to a hard disk?
Write-blocker
Where do software-enabled blockers usually run?
In shell mode (Windows CLI)
True or false: If there is a limited budget for a forensic workstation, a high-end gaming PC would work?
True
Who plays a large role in the forensics field by publishing articles, providing tools, and creating procedures for testing and validating forensics software?
National Institute of Standards and Technology (NIST)
The National Software Reference Library, created by NIST, helps collect known ____ ____ for commercial software apps and OS files, helps filter ___ ____, and uses RDS to locate bad files
hash values, known information
True or false: You don’t need to perform the same tasks with different tools to verify your results?
False
_____ editors are reliable tools that can access raw data?
Disk
True or false: If you find a problem, you should report it to the vendor and use the tool after you report the issue?
False