What is the first proactive step in the forensic investigation process?
Data acquisition
Through ___________, investigators aim to extract every bit of information present in the victim system’s memory and storage, in order to create a forensic copy of this information.
Forensic data acquisition
To perform a forensic examination on a potential source of evidence, the first step is to _________________________
Create a replica of the data residing on the media found in the crime scene such as a hard disk or any other digital storage device.
What is a process of imaging or collecting (acquiring) information using established methods from various media according to certain standards for their forensic value?
Forensic data acquisition
What is the use of established methods to extract (acquire) Electronically Stored Information (ESI) from suspect computer or storage media to gain insight into a crime or an incident?
Forensic data acquisition
True or False: Investigators need to ensure that the acquisition methodology used is forensically sound. Specifically, the acquisition methodology adopted must be verifiable and repeatable.
True
True or False: A fundamental factor to consider in the acquisition of forensic data is time.
True
While data in some sources, such as hard drives, remains unaltered and can be collected even after the system is shut down, data in other sources, such as RAM, is highly volatile and dynamic and must therefore be collected in _________
Real-time
True or False: Data acquisition can be either categorized as live data acquisition or dead data acquisition.
True
What data is acquired from a computer that is already powered on (either locked or in sleep mode)? This enables the collection of volatile data that is fragile and lost when the system loses power or is switched off. Such data resides in registers, caches, and RAM.
Live data acquisition
_________ such as that in RAM are dynamic and change rapidly, and therefore must be collected in real-time.
Volatile data
In _________, nonvolatile data that remains unaltered in the system even after shutdown is collected.
Dead or static data acquisition
What allows investigators to recover nonvolatile data from hard drives as well as from slack space, swap files, and unallocated drive space?
Dead or static data acquisition
True or False: Other sources of non-volatile data include CDROMs, USB thumb drives, smartphones, and PDAs.
True
Investigators must be able to verify the accuracy of acquired data, and the complete ______________
Process should be auditable and acceptable in a court of law
What involves the collection of volatile data from devices while they are live or powered on? Volatile information, such as the contents of RAM, caches, and loaded DLLs, is dynamic and is likely to be lost if the device under investigation is turned off; it must therefore be acquired in real time.
Live data acquisition
Examination of _________ assists in determining the logical timeline of a security incident and the users that are likely to be responsible for it.
Volatile information
What can then be followed by static/dead acquisition, where the investigator shuts down the suspect machine, removes the hard disk, and then acquires its forensic image?
Live acquisition
What can help investigators obtain information even if the data of evidentiary value is stored on the cloud using a service such as Dropbox or Google Drive?
Live data acquisition
True or False: Investigators can also acquire data from containers or disks that are open (unlocked and decrypted) on the running system and are automatically encrypted again when the system shuts down.
True
True or False: If the suspect has attempted to overwrite data on the physical hard disk to avoid detection, there is a possibility that investigators can find traces of such overwritten data by examining the RAM content.
True
Volatile data has two types. Which of the following is one of the two types?
System data
Volatile data has two types. Which of the following is one of the two types?
Network data
What is the information related to a system, which can serve as evidence in a security incident?
System data
What information includes the current configuration and running state of the suspect computer?
System data
What includes system profile (details about configuration), login activity, current system date and time, command history, current system uptime, running processes, open files, startup files, clipboard data, users logged in, DLLs, and shared libraries?
System data
What includes critical data stored in the slack spaces of the hard disk drive?
System data
What is the network-related information stored in the suspect system and connected network devices?
Network data
What includes open connections and ports, routing information and configuration, ARP cache, shared files, and services accessed?
Network data
What can help investigators obtain data from containers or disks that are open (unlocked and decrypted) on the running system and are automatically encrypted again when the system shuts down?
Live acquisition
What can help investigators find private browsing history and data from remote storage services such as Dropbox (a cloud service) by examining the contents of random-access memory (RAM)?
Live acquisition
When collecting evidence, an investigator needs to evaluate the _________ of data depending on the suspect machine and the situation.
Order of volatility
According to RFC 3227 (Guidelines for Evidence Collection and Archiving), what is the order of volatility, from most volatile to least volatile?
1) Registers and processor cache; 2) routing table, ARP cache, process table, kernel statistics, and memory; 3) temporary file systems; 4) disk or other storage media; 5) remote logging and monitoring data related to the target system; 6) physical configuration and network topology; 7) archival media
Per the RFC 3227 Guidelines for Evidence Collection and Archiving, which data exists for only nanoseconds, changes constantly, and is therefore classified as the most volatile?
Registers, processor cache
Per the RFC 3227 Guidelines for Evidence Collection and Archiving, which data resides in the ordinary memory of the computer and is only slightly less volatile than the information in the registers, changing continuously while the system runs?
Routing table, process table, kernel statistics, and memory
Per the RFC 3227 Guidelines for Evidence Collection and Archiving, which data tends to persist longer than routing tables and ARP caches but is eventually overwritten or changed, sometimes within seconds or minutes?
Temporary file systems
Per the RFC 3227 Guidelines for Evidence Collection and Archiving, which data generally stays in place for a while but can still be erased or overwritten by unforeseen events, and is therefore considered somewhat volatile?
Disk or other storage media
Per the RFC 3227 Guidelines for Evidence Collection and Archiving, which data is generated when traffic passes through a firewall, router, or switch, may be stored elsewhere, and may be overwritten within an hour, a day, or a week, but is generally less volatile than the preceding categories?
Remote logging and monitoring data related to the target system
Per the RFC 3227 Guidelines for Evidence Collection and Archiving, which data is less volatile and has a longer life span than the logs described above?
Physical configuration and network topology
Per the RFC 3227 Guidelines for Evidence Collection and Archiving, which sources (such as a DVD-ROM, a CD-ROM, or a tape) contain the least volatile data, because the digital information on them does not change automatically unless the media is physically damaged?
Archival media
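The RFC 3227 ordering above, together with the live-acquisition rule that volatile data must be captured in real time, is only useful if the collection actually follows it and every captured item is time-stamped and hashed as soon as it is written. The following is an added example, not code from the flashcards or from RFC 3227: it sorts a list of collection tasks by volatility category, runs them in that order, and writes a hashed manifest. The category names, the command lines, the evidence-directory layout and the manifest format are this example's own assumptions; the sample tasks use Python one-liners in place of real tools such as `ip neigh` or `ps -ef` so the example runs offline.

```python
"""Volatile-data collection planner and runner, ordered per RFC 3227.

Added example; not from the original flashcards. Category names, command
lines, the evidence-directory layout and the manifest format are this
example's own assumptions.
"""
import hashlib
import json
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# RFC 3227 order of volatility: lower rank = collect first.
VOLATILITY_RANK = {
    "registers_cache": 1,
    "memory_tables": 2,      # routing table, ARP cache, process table, kernel stats, RAM
    "temp_filesystems": 3,
    "disk": 4,
    "remote_logs": 5,
    "physical_topology": 6,
    "archival_media": 7,
}


def plan_collection(sources):
    """Order (name, category, argv) tasks most-volatile-first.

    Unknown categories raise instead of silently landing at the end, since a
    mislabelled task would otherwise be collected too late.
    """
    for name, category, _ in sources:
        if category not in VOLATILITY_RANK:
            raise ValueError(f"{name}: unknown volatility category {category!r}")
    # sorted() is stable, so tasks in the same category keep their listed order.
    return sorted(sources, key=lambda task: VOLATILITY_RANK[task[1]])


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def run_collection(sources, evidence_dir=None, timeout=60):
    """Run each task in RFC 3227 order, saving its stdout and a hashed manifest.

    Each output file is hashed immediately after it is written so the manifest
    can later show that the collected data was not altered.
    """
    evidence_dir = Path(evidence_dir or tempfile.mkdtemp(prefix="volatile-"))
    manifest = []
    for seq, (name, category, argv) in enumerate(plan_collection(sources), 1):
        out = evidence_dir / f"{seq:02d}_{name}.txt"
        started = datetime.now(timezone.utc).isoformat()
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            out.write_bytes(proc.stdout)
            status = proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            # Record the failure and continue: later, less volatile items still matter.
            out.write_bytes(f"collection failed: {exc}\n".encode())
            status = None
        manifest.append({
            "seq": seq, "name": name, "category": category, "argv": argv,
            "started_utc": started, "exit_status": status,
            "file": out.name, "sha256": sha256_file(out),
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


# Constructed tasks. On a real Linux host these would be e.g. ["ip", "neigh"],
# ["ps", "-ef"], ["mount"]; Python one-liners stand in so the example runs anywhere.
PY = sys.executable
SAMPLE_TASKS = [
    ("mounted_disks", "disk", [PY, "-c", "print('/dev/sda1 on / type ext4')"]),
    ("arp_cache", "memory_tables", [PY, "-c", "print('10.0.0.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff')"]),
    ("process_list", "memory_tables", [PY, "-c", "print('PID 4242 /usr/bin/nc -l 4444')"]),
    ("tmp_listing", "temp_filesystems", [PY, "-c", "print('/tmp/.x')"]),
    ("missing_tool", "remote_logs", ["/nonexistent/syslog-pull"]),  # deliberately absent binary
]

if __name__ == "__main__":
    for entry in run_collection(SAMPLE_TASKS):
        print(entry["seq"], entry["category"], entry["name"], entry["exit_status"], entry["sha256"][:12])
```

Note that the disk listing, although listed first in `SAMPLE_TASKS`, is pushed after the memory and temporary-file-system items, and a failing collector is recorded rather than allowed to abort the run.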
What refers to nonvolatile data, which does not change its state even after the system is shut down?
Static data
What refers to the process of extracting and gathering these data in an unaltered manner from storage media?
Dead acquisition
Which of the following are sources of nonvolatile data?
Hard drives, DVD-ROMs, USB drives, flashcards, smart-phones, and external hard drives.
Which acquisition process collects data that exists in the form of emails, word processing documents, web activity, spreadsheets, slack space, swap files, unallocated drive space, and various deleted files?
Dead acquisition
True or False: Because nonvolatile data does not change, investigators can repeat the dead acquisition process on well-preserved disk evidence and obtain the same result.
True
Which of the following is a source of nonvolatile data recoverable through dead acquisition?
Temporary (temp) files
Which of the following is a source of nonvolatile data recoverable through dead acquisition?
System registries
Which of the following is a source of nonvolatile data recoverable through dead acquisition?
Event/system logs
Which of the following is a source of nonvolatile data recoverable through dead acquisition?
Boot sectors
Which of the following is a source of nonvolatile data recoverable through dead acquisition?
Web browser cache
Which of the following is a source of nonvolatile data recoverable through dead acquisition?
Cookies and hidden files
True or False: Investigators must never perform a forensic investigation or any other process on the original evidence or source of evidence, as doing so may alter the data and render the evidence inadmissible in a court of law.
True
Investigators can create a ________ of a suspicious drive or file to view the static data and analyze it. This practice not only preserves the original evidence, but also provides the option to recreate a duplicate if something goes wrong.
Duplicate bit-stream image
Why is it essential to produce two copies of the original media before starting the investigation process?
One copy is used as a working copy for analysis
Why is it essential to produce two copies of the original media before starting the investigation process?
The second copy is the library/control copy, stored for disclosure purposes or to be used if the working copy becomes corrupted.
If investigators need to perform drive-to-drive imaging, what should they use as the destination media?
Blank media, such as new, shrink-wrapped drives, so that no residual data from a previous use can contaminate the image.
After duplicating the original media, how do investigators verify the integrity of the copies?
By comparing hash values (such as MD5) of each copy with the hash of the original; because MD5 is collision-prone, current practice also records a stronger hash such as SHA-256.
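The two-copy procedure above (working copy plus control copy, both verified against the original by hash, with the control copy used to rebuild a corrupted working copy) is shown below as an added example; it is not code from the flashcards. The "device" is a constructed byte string written to a temporary file, the image file names, chunk size and record layout are this example's own assumptions, and both MD5 and SHA-256 are recorded as the answer above recommends.

```python
"""Forensic bit-stream duplication with two hash-verified copies.

Added example; not from the original flashcards. The source "device" is a
constructed byte string; file names, chunk size and record layout are this
example's own assumptions.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # 64 KiB reads; real imaging would use the device's block size


def hash_stream(path, chunk=CHUNK):
    """MD5 and SHA-256 over the whole file, read in chunks so large images fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "bytes": os.path.getsize(path)}


def bitstream_copy(src, dst, chunk=CHUNK):
    """Byte-for-byte copy: every byte of the source, including slack and unallocated space."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        for block in iter(lambda: s.read(chunk), b""):
            d.write(block)
    os.chmod(dst, 0o444)  # images are kept read-only once written
    return hash_stream(dst)


def acquire(source_device, case_dir=None):
    """Make a working copy and a control copy, each verified against the source hashes.

    Raises if either copy fails to match, since an unverified image has no
    evidentiary value.
    """
    case_dir = Path(case_dir or tempfile.mkdtemp(prefix="case-"))
    case_dir.mkdir(parents=True, exist_ok=True)
    source_hash = hash_stream(source_device)  # hash the original once, before copying
    record = {"source": source_hash, "copies": {}}
    for label in ("working", "control"):
        img = case_dir / f"{label}.dd"
        copy_hash = bitstream_copy(source_device, img)
        if copy_hash != source_hash:
            raise RuntimeError(f"{label} copy does not match source: {copy_hash} != {source_hash}")
        record["copies"][label] = {"path": str(img), **copy_hash}
    return record


def verify(path, expected):
    """Re-hash an image and report whether it still matches the recorded hashes."""
    actual = hash_stream(path)
    return {"ok": actual == expected, "actual": actual, "expected": expected}


def restore_working_copy(record):
    """Rebuild a corrupted working copy from the control copy and re-verify it."""
    working = record["copies"]["working"]["path"]
    control = record["copies"]["control"]["path"]
    os.chmod(working, 0o644)
    shutil.copyfile(control, working)
    os.chmod(working, 0o444)
    return verify(working, record["source"])


def demo():
    """Constructed device: a boot-sector-like header, one file's content, and unallocated space."""
    device = (b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 500 + b"\x55\xaa"
              + b"secret.txt:meet at 0300" + b"\x00" * 4096)
    tmp = Path(tempfile.mkdtemp(prefix="evidence-"))
    src = tmp / "sda.raw"
    src.write_bytes(device)
    os.chmod(src, 0o444)  # the original is never written to again
    record = acquire(src, tmp / "case")
    wpath = record["copies"]["working"]["path"]
    good = verify(wpath, record["source"])
    # Simulate the working copy being damaged during analysis: flip one byte.
    os.chmod(wpath, 0o644)
    with open(wpath, "r+b") as fh:
        fh.seek(600)
        fh.write(b"\xff")
    bad = verify(wpath, record["source"])
    restored = restore_working_copy(record)
    return {"good": good["ok"], "bad": bad["ok"], "restored": restored["ok"],
            "bytes": record["source"]["bytes"]}


if __name__ == "__main__":
    print(demo())
```

The single-byte change at offset 600 is caught by both hashes, and the working copy is rebuilt from the untouched control copy rather than by re-reading the original evidence.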