Question 1

Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive.

Accepted Answer

The host protected area (HPA) is a portion of a disk drive that is typically reserved for firmware or diagnostic tools. Many acquisition tools do not copy data from this area, as it may contain sensitive information or proprietary code.

Question 2

FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing.

Accepted Answer

FTK Imager requires a physical dongle for licensing verification. This ensures that only licensed users have access to the software.

Question 3

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file.

Accepted Answer

Creating a duplicate copy of the evidence image file is indeed the most common and time-consuming technique for preserving evidence. This helps in ensuring that the original evidence is not tampered with and is available for further analysis if needed.

Question 4

Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.&#10;A) live&#10;B) online&#10;C) real-time&#10;D) static

Accepted Answer

A static acquisition is done on a computer that is shut down and not in use, which is typical in a police raid scenario where the computer is seized. This type of acquisition ensures that the data is not altered or destroyed during the collection process. A live acquisition involves collecting data from a computer while it is still running, whereas an online acquisition involves collecting data from a computer while it is connected to the internet. Real-time acquisition is a more general term that could refer to any type of data collection as it happens.

Question 5

For computer forensics, ____ is the task of collecting digital evidence from electronic media.&#10;A) hashing&#10;B) data acquisition&#10;C) lossy compression&#10;D) lossless compression

Accepted Answer

Data acquisition is the process of collecting digital evidence from electronic media such as hard drives, USB drives, and mobile devices. Hashing is a method of verifying the integrity of collected data, while lossy and lossless compression are methods of reducing the size of data for storage or transmission.

Question 6

One advantage with live acquisitions is that you are able to perform repeatable processes.

Accepted Answer

Live acquisitions, while necessary in certain scenarios to capture volatile data, do not guarantee repeatability due to the dynamic nature of live systems where data is constantly changing.

Question 7

One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.&#10;A) proprietary&#10;B) raw&#10;C) AFF&#10;D) AFD

Accepted Answer

Proprietary formats are often designed to work with specific software or systems, making it difficult to share images between different vendors' computer forensics analysis tools without compatibility issues or the need for conversion.

Question 8

SafeBack and SnapCopy must run from a(n) ____ system.&#10;A) UNIX&#10;B) MS-DOS&#10;C) Linux&#10;D) Solaris

Accepted Answer

SafeBack and SnapCopy are tools designed to run on MS-DOS systems. SafeBack is used for creating forensic backups of hard drives, and SnapCopy is similar in function, both requiring an MS-DOS environment to operate.

Question 9

The most common and flexible data-acquisition method is ____.&#10;A) Disk-to-disk copy&#10;B) Disk-to-network copy&#10;C) Disk-to-image file copy&#10;D) Sparse data copy

Accepted Answer

Disk-to-image file copy is the most common and flexible data-acquisition method because it allows for the creation of an exact bitstream copy of the original disk, which can be analyzed and stored efficiently without the need for the original hardware.

Question 10

Linux ISO images are referred to as ____.&#10;A) ISO CDs&#10;B) Live CDs&#10;C) Forensic Linux&#10;D) Linux in a Box

Accepted Answer

Linux ISO images are commonly referred to as Live CDs, as they allow users to run a complete Linux operating system from a disk without having to install it on their system. ISO CDs and Linux in a Box are not common terms used to refer to Linux ISO images, and Forensic Linux is typically a specific distribution of Linux tailored for digital forensics purposes.

Question 11

Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.&#10;A) rcsum&#10;B) shasum&#10;C) hashsum&#10;D) sha1sum

Accepted Answer

The answer of Current distributions of Linux include two hashing...

Question 12

The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.&#10;A) fdisk&#10;B) dd&#10;C) man&#10;D) raw

Accepted Answer

The answer of The ____ command creates a raw format...

Question 13

The ____ command displays pages from the online help manual for information on Linux commands and their options.&#10;A) cmd&#10;B) hlp&#10;C) inst&#10;D) man

Accepted Answer

The answer of The ____ command displays pages from the...

Question 14

Microsoft has recently added ____ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult.&#10;A) whole disk encryption&#10;B) backup utilities&#10;C) recovery wizards&#10;D) NTFS

Accepted Answer

The answer of Microsoft has recently added ____ in its...

Question 15

Image files can be reduced by as much as ____% of the original.&#10;A) 15&#10;B) 25&#10;C) 30&#10;D) 50

Accepted Answer

The answer of Image files can be reduced by as...

Question 16

If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.&#10;A) lossless&#10;B) disk-to-disk&#10;C) sparse&#10;D) disk-to-image

Accepted Answer

The answer of If your time is limited, consider using...

Question 17

If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.&#10;A) passive&#10;B) static&#10;C) live&#10;D) local

Accepted Answer

The answer of If the computer has an encrypted drive,...

Question 18

The ____ DOS program En.exe requires using a forensic MS-DOS boot floppy or CD and a network crossover cable.&#10;A) ProDiscover&#10;B) ILook&#10;C) DIBS USA&#10;D) EnCase

Accepted Answer

The answer of The ____ DOS program En.exe requires using...

Question 19

The ____ command, works similarly to the dd command but has many features designed for computer forensics acquisitions.&#10;A) raw&#10;B) bitcopy&#10;C) dcfldd&#10;D) man

Accepted Answer

The answer of The ____ command, works similarly to the...

Question 20

Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.

Accepted Answer

The answer of Unlike RAID 0, RAID 3 stripes tracks...

Question 21

____ is the only automated disk-to-disk tool that allows you to copy data to a slightly smaller target drive than the original suspect's drive.&#10;A) SafeBack&#10;B) EnCase&#10;C) SnapCopy&#10;D) SMART

Accepted Answer

The answer of ____ is the only automated disk-to-disk tool...

Question 22

Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk -l&#10;b.WinZip&#10;g.Lossy compression&#10;c.Data acquisition&#10;h.Jaz disk&#10;d.AFF&#10;i.EnCase&#10;e.IXimager&#10;process of copying data

Accepted Answer

The answer of Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk...

Question 23

Bit-stream data to files copy technique creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a(n) ____________________ format.

Accepted Answer

The answer of Bit-stream data to files copy technique creates...

Question 24

SnapBack DatArrest can perform a data copy of an evidence drive in ____ ways.&#10;A) two&#10;B) three&#10;C) four&#10;D) five

Accepted Answer

The answer of SnapBack DatArrest can perform a data copy...

Question 25

Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk -l&#10;b.WinZip&#10;g.Lossy compression&#10;c.Data acquisition&#10;h.Jaz disk&#10;d.AFF&#10;i.EnCase&#10;e.IXimager&#10;open source data acquisition format

Accepted Answer

The answer of Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk...

Question 26

SnapBack DatArrest runs from a true ____ boot floppy.&#10;A) UNIX&#10;B) Linux&#10;C) Mac OS X&#10;D) MS-DOS

Accepted Answer

The answer of SnapBack DatArrest runs from a true ____...

Question 27

Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk -l&#10;b.WinZip&#10;g.Lossy compression&#10;c.Data acquisition&#10;h.Jaz disk&#10;d.AFF&#10;i.EnCase&#10;e.IXimager&#10;type of SCSI drive

Accepted Answer

The answer of Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk...

Question 28

____________________ is the default format for acquisitions for Guidance Software EnCase.

Accepted Answer

The answer of ____________________ is the default format for acquisitions...

Question 29

Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk -l&#10;b.WinZip&#10;g.Lossy compression&#10;c.Data acquisition&#10;h.Jaz disk&#10;d.AFF&#10;i.EnCase&#10;e.IXimager&#10;example of a lossless compression tool

Accepted Answer

The answer of Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk...

Question 30

Popular archiving tools, such as PKZip and WinZip, use an algorithm referred to as ____________________ compression.

Accepted Answer

The answer of Popular archiving tools, such as PKZip and...

Question 31

Dr. Simson L. Garfinkel of Basis Technology Corporation recently developed a new open-source acquisition format called ____________________.

Accepted Answer

The answer of Dr. Simson L. Garfinkel of Basis Technology...

Question 32

Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk -l&#10;b.WinZip&#10;g.Lossy compression&#10;c.Data acquisition&#10;h.Jaz disk&#10;d.AFF&#10;i.EnCase&#10;e.IXimager&#10;example of a disk-to-disk copy maker tool

Accepted Answer

The answer of Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk...

Question 33

There are two types of acquisitions: static acquisitions and ____________________ acquisitions.

Accepted Answer

The answer of There are two types of acquisitions: static...

Question 34

SafeBack performs a(n) ____ calculation for each sector copied to ensure data integrity&#10;A) SHA-1&#10;B) MC5&#10;C) SHA-256&#10;D) MC4

Accepted Answer

The answer of SafeBack performs a(n) ____ calculation for each...

Question 35

Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk -l&#10;b.WinZip&#10;g.Lossy compression&#10;c.Data acquisition&#10;h.Jaz disk&#10;d.AFF&#10;i.EnCase&#10;e.IXimager&#10;shows the known drives connected to your computer

Accepted Answer

The answer of Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk...

Question 36

Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk -l&#10;b.WinZip&#10;g.Lossy compression&#10;c.Data acquisition&#10;h.Jaz disk&#10;d.AFF&#10;i.EnCase&#10;e.IXimager&#10;forensic tool developed by Guidance Software

Accepted Answer

The answer of Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk...

Question 37

____ has developed the Rapid Action Imaging Device (RAID) to make forensically sound disk copies.&#10;A) DIBS USA&#10;B) EnCase&#10;C) ProDiscover&#10;D) ILook

Accepted Answer

The answer of ____ has developed the Rapid Action Imaging...

Question 38

Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk -l&#10;b.WinZip&#10;g.Lossy compression&#10;c.Data acquisition&#10;h.Jaz disk&#10;d.AFF&#10;i.EnCase&#10;e.IXimager&#10;used with .jpeg files to reduce file size and doesn't affect image quality when the file is restored and viewed

Accepted Answer

The answer of Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk...

Question 39

Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk -l&#10;b.WinZip&#10;g.Lossy compression&#10;c.Data acquisition&#10;h.Jaz disk&#10;d.AFF&#10;i.EnCase&#10;e.IXimager&#10;ILook imaging tool

Accepted Answer

The answer of Match each item with a statement below&#10;a.SafeBack&#10;f.fdisk...

Question 40

EnCase Enterprise is set up with an Examiner workstation and a Secure Authentication for EnCase (____) workstation&#10;A) ILook&#10;B) SAFE&#10;C) Incident Response&#10;D) Investigator

Accepted Answer

The answer of EnCase Enterprise is set up with an...

Question 41

What are the considerations you should have when deciding what data-acquisition method to use on your investigation?

Accepted Answer

The answer of What are the considerations you should have...

Question 42

What are the advantages and disadvantages of using raw data acquisition format?

Accepted Answer

The answer of What are the advantages and disadvantages of...

Question 43

What are the requirements for acquiring data on a suspect computer using Linux?

Accepted Answer

The answer of What are the requirements for acquiring data...

Question 44

What are some of the main characteristics of Linux ISO images designed for computer forensics?

Accepted Answer

The answer of What are some of the main characteristics...

Question 45

What are some of the features offered by proprietary data acquisition formats?

Accepted Answer

The answer of What are some of the features offered...

Question 46

Explain the sparse data copy method for acquiring digital evidence.

Accepted Answer

The answer of Explain the sparse data copy method for...

Question 47

Explain the use of hash algorithms to verify the integrity of lossless compressed data.

Accepted Answer

The answer of Explain the use of hash algorithms to...

Question 48

What are the steps to update the Registry for Windows XP SP2 to enable write-protection with USB devices?

Accepted Answer

The answer of What are the steps to update the...

Question 49

What are some of the design goals of AFF?

Accepted Answer

The answer of What are some of the design goals...

Question 50

What are the advantages and disadvantages of using Windows acquisition tools?

Accepted Answer

The answer of What are the advantages and disadvantages of...

Deck 4: Data Acquisition