Deck 4: Data Acquisition
1
Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
True
2
FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing.
True
3
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file.
True
4
Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
A) live
B) online
C) real-time
D) static
5
For computer forensics, ____ is the task of collecting digital evidence from electronic media.
A) hashing
B) data acquisition
C) lossy compression
D) lossless compression
6
One advantage with live acquisitions is that you are able to perform repeatable processes.
7
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
A) proprietary
B) raw
C) AFF
D) AFD
8
SafeBack and SnapCopy must run from a(n) ____ system.
A) UNIX
B) MS-DOS
C) Linux
D) Solaris
9
The most common and flexible data-acquisition method is ____.
A) Disk-to-disk copy
B) Disk-to-network copy
C) Disk-to-image file copy
D) Sparse data copy
10
Linux ISO images are referred to as ____.
A) ISO CDs
B) Live CDs
C) Forensic Linux
D) Linux in a Box
11
Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.
A) rcsum
B) shasum
C) hashsum
D) sha1sum
12
The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
A) fdisk
B) dd
C) man
D) raw
13
The ____ command displays pages from the online help manual for information on Linux commands and their options.
A) cmd
B) hlp
C) inst
D) man
14
Microsoft has recently added ____ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult.
A) whole disk encryption
B) backup utilities
C) recovery wizards
D) NTFS
15
Image files can be reduced by as much as ____% of the original.
A) 15
B) 25
C) 30
D) 50
16
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.
A) lossless
B) disk-to-disk
C) sparse
D) disk-to-image
17
If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.
A) passive
B) static
C) live
D) local
18
The ____ DOS program En.exe requires using a forensic MS-DOS boot floppy or CD and a network crossover cable.
A) ProDiscover
B) ILook
C) DIBS USA
D) EnCase
19
The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions.
A) raw
B) bitcopy
C) dcfldd
D) man
20
Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.
21
____ is the only automated disk-to-disk tool that allows you to copy data to a slightly smaller target drive than the original suspect's drive.
A) SafeBack
B) EnCase
C) SnapCopy
D) SMART
22
Match each item with a statement below
a. SafeBack
b. WinZip
c. Data acquisition
d. AFF
e. IXimager
f. fdisk -l
g. Lossy compression
h. Jaz disk
i. EnCase
process of copying data
23
The bit-stream data-to-files copy technique creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a(n) ____________________ format.
24
SnapBack DatArrest can perform a data copy of an evidence drive in ____ ways.
A) two
B) three
C) four
D) five
25
Match each item with a statement below
a. SafeBack
b. WinZip
c. Data acquisition
d. AFF
e. IXimager
f. fdisk -l
g. Lossy compression
h. Jaz disk
i. EnCase
open source data acquisition format
26
SnapBack DatArrest runs from a true ____ boot floppy.
A) UNIX
B) Linux
C) Mac OS X
D) MS-DOS
27
Match each item with a statement below
a. SafeBack
b. WinZip
c. Data acquisition
d. AFF
e. IXimager
f. fdisk -l
g. Lossy compression
h. Jaz disk
i. EnCase
type of SCSI drive
28
____________________ is the default format for acquisitions for Guidance Software EnCase.
29
Match each item with a statement below
a. SafeBack
b. WinZip
c. Data acquisition
d. AFF
e. IXimager
f. fdisk -l
g. Lossy compression
h. Jaz disk
i. EnCase
example of a lossless compression tool
30
Popular archiving tools, such as PKZip and WinZip, use an algorithm referred to as ____________________ compression.
31
Dr. Simson L. Garfinkel of Basis Technology Corporation recently developed a new open-source acquisition format called ____________________.
32
Match each item with a statement below
a. SafeBack
b. WinZip
c. Data acquisition
d. AFF
e. IXimager
f. fdisk -l
g. Lossy compression
h. Jaz disk
i. EnCase
example of a disk-to-disk copy maker tool
33
There are two types of acquisitions: static acquisitions and ____________________ acquisitions.
34
SafeBack performs a(n) ____ calculation for each sector copied to ensure data integrity.
A) SHA-1
B) MC5
C) SHA-256
D) MC4
35
Match each item with a statement below
a. SafeBack
b. WinZip
c. Data acquisition
d. AFF
e. IXimager
f. fdisk -l
g. Lossy compression
h. Jaz disk
i. EnCase
shows the known drives connected to your computer
36
Match each item with a statement below
a. SafeBack
b. WinZip
c. Data acquisition
d. AFF
e. IXimager
f. fdisk -l
g. Lossy compression
h. Jaz disk
i. EnCase
forensic tool developed by Guidance Software
37
____ has developed the Rapid Action Imaging Device (RAID) to make forensically sound disk copies.
A) DIBS USA
B) EnCase
C) ProDiscover
D) ILook
38
Match each item with a statement below
a. SafeBack
b. WinZip
c. Data acquisition
d. AFF
e. IXimager
f. fdisk -l
g. Lossy compression
h. Jaz disk
i. EnCase
used with .jpeg files to reduce file size and doesn't affect image quality when the file is restored and viewed
39
Match each item with a statement below
a. SafeBack
b. WinZip
c. Data acquisition
d. AFF
e. IXimager
f. fdisk -l
g. Lossy compression
h. Jaz disk
i. EnCase
ILook imaging tool
40
EnCase Enterprise is set up with an Examiner workstation and a Secure Authentication for EnCase (____) workstation.
A) ILook
B) SAFE
C) Incident Response
D) Investigator
41
What are the considerations you should have when deciding what data-acquisition method to use on your investigation?
42
What are the advantages and disadvantages of using raw data acquisition format?
43
What are the requirements for acquiring data on a suspect computer using Linux?
44
What are some of the main characteristics of Linux ISO images designed for computer forensics?
45
What are some of the features offered by proprietary data acquisition formats?
46
Explain the sparse data copy method for acquiring digital evidence.
47
Explain the use of hash algorithms to verify the integrity of lossless compressed data.
48
What are the steps to update the Registry for Windows XP SP2 to enable write-protection with USB devices?
49
What are some of the design goals of AFF?
50
What are the advantages and disadvantages of using Windows acquisition tools?