When you research computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support. T/F
True
In software acquisition, there are three types of data-copying methods. T/F
False
To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful. T/F
True
Computers used several OSs before Windows and MS-DOS dominated the market. T/F
True
After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools. T/F
True
Software forensic tools are grouped into command-line applications and GUI applications. T/F
True
The validation function is the most challenging of all tasks for computer investigators to master. T/F
False
Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file's contents. T/F
True
Because there are a number of different versions of UNIX and Linux, these OSs are referred to as CLI platforms. T/F
False
Hardware manufacturers have designed most computer components to last about 36 months between failures. T/F
False
Which digital forensics tool is categorized as a single-purpose hardware component?
a. Tableau T35es-R2 SATA/IDE eSATA bridge b. Safeback
c. Magnet Forensics AXIOM d. AccessData FTK
Tableau T35es-R2 SATA/IDE eSATA bridge
Where do software forensics tools copy data from a suspect's disk drive?
a. A backup file b. Firmware
c. An image file d. A recovery copy
An image file
Which tool enables the investigator to acquire the forensic image and process it in the same step?
a. Magnet DEFR b. Magnet FTK
c. Magnet dd d. Magnet AXIOM
Magnet AXIOM
What Linux command is used to create the raw data format?
a. rawcp b. dd
c. d2dump d. dhex
dd
Which activity involves sorting and searching through investigation findings to separate good data and suspicious data?
a. Validation b. Filtering
c. Acquisition d. Reconstruction
Filtering
Many password recovery tools have a feature for generating potential password lists for which type of attack?
a. Brute-force b. Password dictionary
c. Birthday d. Salting
Password dictionary
Which type of copy from the suspect disk to the target location does the simplest method of duplicating a disk drive make?
a. Partition-to-partition b. Image-to-partition
c. Disk-to-image d. Image-to-disk
Disk-to-image
What must be created to complete a forensic disk analysis and examination?
a. A forensic disk copy b. A risk assessment
c. A budget plan d. A report
A report
The first MS-DOS tools that analyzed and extracted data from floppy disks and hard disks were used with which type of PC file systems?
a. Apple b. Windows
c. UNIX d. IBM
IBM
In Windows 2000 and later, which command shows you the file owner if you have multiple users on the system or network?
a. dir b. ls
c. Copy d. owner
dir
Building your own forensics workstation:
a. is always less expensive than choosing a vendor-supplied workstation.
b. requires the time and skills necessary to support the chosen hardware.
c. is inappropriate in the private sector.
d. limits you to only one peripheral device per CPU because of potential conflicts.
requires the time and skills necessary to support the chosen hardware.
What do you call a forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation?
a. A quasi-workstation b. A field workstation
c. A lightweight workstation d. A portable workstation
A portable workstation
What type of disk is commonly used with Sun Solaris systems?
a. F.R.E.D. b. SPARC
c. FIRE IDE d. DiskSpy
SPARC
What is the general term for software or hardware that is used to protect evidence disks by preventing data from being written to them?
a. Drive-protectors b. Disk-blockers
c. Data-protectors d. Write-blockers
Write-blockers
Devices used to prevent data from being written to a disk can connect to a computer through FireWire, SATA, PATA, and SCSI controllers as well as which other type of controller?
a. USB 2.0 and 3.0 b. IDE
c. LCD d. PCMCIA
USB 2.0 and 3.0
Which entity publishes articles, provides tools, and creates procedures for testing and validating computer forensics software?
a. CFTT b. NIST
c. FS-TST d. NSRL
NIST
Which standards document demands accuracy for all aspects of the testing process?
a. ISO 3657 b. ISO 5321
c. ISO 5725 d. ISO 17025
ISO 5725
Which NIST project manages research on forensics tools?
a. NSRL b. CFTT
c. FS-TST d. PARTAB
CFTT
What is the primary hash algorithm used by the NIST project created to collect all known hash values for commercial software and OS files?
a. MD5 b. SHA-1
c. CRC-32 d. RC4
SHA-1
Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format?
a. A disk imager b. A write-blocker
c. A bit-stream copier d. A disk editor
A disk editor