Deck 3: Data Acquisition
1
An investigator wants to capture all data on a SATA drive connected to a Linux system. What should the investigator use for the "if=" portion of the dcfldd command?
A) /dev/hda
B) /dev/hda1
C) /dev/sda
D) /dev/sda1
C (/dev/sda addresses the whole SATA disk; /dev/sda1 is only its first partition, and the /dev/hd* names belong to legacy IDE devices)
2
_______ creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID.
A) Runtime Software
B) RaidRestore
C) R-Tools R-Studio
D) FixitRaid
C
3
When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files?
A) 512 MB
B) 2 GB
C) 1 TB
D) 1 PB
B (the deck's conservative figure; the file system's own hard limit is that a single file must be smaller than 4 GB, so a 2 GB segment size stays safely below it)
4
Hardware and software errors or incompatibilities are a common problem when dealing with older hard drives.
5
Which option below is not a Linux Live CD meant for use as a digital forensics tool?
A) Penguin Sleuth
B) Kali Linux
C) Ubuntu
D) CAINE
6
The Linux command _____ can be used to write bit-stream data to files.
A) write
B) dd
C) cat
D) dump
7
The ImageUSB utility can be used to create a bootable flash drive.
8
Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data?
A) RAID 1
B) RAID 2
C) RAID 3
D) RAID 5
9
Which technology below is not a hot-swappable technology?
A) USB-3
B) FireWire 1394A
C) SATA
D) IDE
10
_______ can be used with the dcfldd command to compare an image file to the original medium.
A) compare
B) cmp
C) vf
D) imgcheck
11
A forensics investigator should verify that acquisition tools can copy data in the HPA of a disk drive.
12
What is the name of the Microsoft solution for whole disk encryption?
A) DriveCrypt
B) TrueCrypt
C) BitLocker
D) SecureDrive
13
_______ is the utility used by the ProDiscover program for remote access.
A) SubSe7en
B) l0pht
C) PDServer
D) VNCServer
14
The _______ copies evidence of intrusions to an investigation workstation automatically for further analysis over the network.
A) intrusion detection system
B) active defense mechanism
C) total awareness system
D) intrusion monitoring system
15
Which option below is not a hashing function used for validation checks?
A) RC4
B) MD5
C) SHA-1
D) CRC32
16
FTK Imager software can acquire a drive's host protected area.
17
Which RAID type utilizes mirrored striping, providing fast access and redundancy?
A) RAID 1
B) RAID 3
C) RAID 5
D) RAID 10
18
The _______ switch can be used with the split command to adjust the size of segmented volumes created by the dd command.
A) -p
B) -s
C) -b
D) -S
19
A RAID 3 array uses distributed data and distributed parity in a manner similar to a RAID 5 array.
20
The Linux command _______ can be used to list the current disk devices connected to the computer.
A) ls -l
B) fdisk -l
C) show drives
D) geom
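The acquisition workflow behind cards 1, 6, 10, 18 and 20 (listing the attached disks, imaging a whole disk such as /dev/sda or a single partition such as /dev/sda1 with dd or dcfldd, splitting the image into segments a FAT32 target can hold, and validating the segments against the original medium) as one added shell example. This is not code from the deck or from the dd/dcfldd authors; the device names and the 2000M segment size are illustrative, and a constructed 5 MiB file stands in for the suspect drive so the script runs without root or a spare disk.

```shell
#!/bin/sh
# Added example (not part of the deck): raw acquisition with dd, segmented
# with split, validated with md5sum and sha1sum. The device names are
# illustrative; a constructed file stands in for the suspect drive.
set -e

# List attached disks and their partitions. fdisk -l needs root; lsblk does not.
list_devices() {
    if [ "$(id -u)" -eq 0 ]; then fdisk -l; else lsblk -o NAME,SIZE,TYPE 2>/dev/null || true; fi
}

# acquire SRC OUT SEGMENT
#   SRC      /dev/sda for the whole disk, /dev/sda1 for one partition only
#   OUT      output prefix, e.g. /mnt/evidence/case01
#   SEGMENT  split size; 2000M keeps every segment below the FAT32 file limit
# Produces OUT.md5, OUT.sha1 and the segments OUT.dd.aa, OUT.dd.ab, ...
acquire() {
    src=$1; out=$2; seg=${3:-2000M}
    # Reference hashes are taken from the ORIGINAL medium, not from the image.
    md5sum  "$src" | cut -d' ' -f1 > "$out.md5"
    sha1sum "$src" | cut -d' ' -f1 > "$out.sha1"
    # bs=512 matches the sector size. conv=noerror,sync keeps reading past an
    # unreadable sector and pads it with NUL so later offsets stay aligned
    # (a source that is not a whole number of sectors would get padded too).
    # Piping into split means no monolithic image ever has to fit on the target.
    dd if="$src" bs=512 conv=noerror,sync 2>/dev/null | split -b "$seg" - "$out.dd."
    # dcfldd does hashing and splitting in the same pass:
    #   dcfldd if=/dev/sda of=case01.dd hash=md5,sha1 hashlog=case01.hashes \
    #          split=2000M splitformat=aa
    verify "$out"
}

# verify OUT: reassemble the segments and compare their digests with the
# reference digests recorded from the medium (dcfldd: vf=case01.dd re-reads
# the medium itself instead of a stored digest).
verify() {
    out=$1
    [ "$(cat "$out.dd."* | md5sum  | cut -d' ' -f1)" = "$(cat "$out.md5")" ] &&
    [ "$(cat "$out.dd."* | sha1sum | cut -d' ' -f1)" = "$(cat "$out.sha1")" ]
}

# Constructed stand-in for a suspect drive: 5 MiB of random bytes, a whole
# number of 512-byte sectors so conv=sync adds no padding.
make_sample() {
    head -c 5242880 /dev/urandom > "$1"
}

demo() {
    dir=$(mktemp -d)
    make_sample "$dir/suspect.img"
    acquire "$dir/suspect.img" "$dir/case01" 2M   # -> case01.dd.aa .ab .ac
    ls "$dir"
    echo "image verified, md5 $(cat "$dir/case01.md5")"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh acquire.sh demo` to see the three segments; on a real drive replace the sample path with the device from `list_devices` and run as root. Because verify hashes the reassembled segments rather than each segment, a single flipped byte anywhere in the set makes it fail, which is exactly the property a court wants from the validation step.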
21
Match the terms with the correct definitions.
- A data acquisition format that creates simple sequential flat files of a suspect drive or data set
A) Advanced Forensic Format (AFF)
B) Host protected area (HPA)
C) Live acquisitions
D) Logical acquisitions
E) Raw format
F) Redundant array of independent disks (RAID)
G) Sparse acquisition
H) Static acquisitions
I) Whole disk encryption
J) .pdg extension
22
Match the terms with the correct definitions.
- An open-source data acquisition format that stores image data and metadata
A) Advanced Forensic Format (AFF)
B) Host protected area (HPA)
C) Live acquisitions
D) Logical acquisitions
E) Raw format
F) Redundant array of independent disks (RAID)
G) Sparse acquisition
H) Static acquisitions
I) Whole disk encryption
J) .pdg extension
23
Match the terms with the correct definitions.
- A data acquisition method used when a suspect drive is write-protected and can't be altered
A) Advanced Forensic Format (AFF)
B) Host protected area (HPA)
C) Live acquisitions
D) Logical acquisitions
E) Raw format
F) Redundant array of independent disks (RAID)
G) Sparse acquisition
H) Static acquisitions
I) Whole disk encryption
J) .pdg extension
24
Match the terms with the correct definitions.
- Two or more disks combined into one large drive in several configurations for special needs
A) Advanced Forensic Format (AFF)
B) Host protected area (HPA)
C) Live acquisitions
D) Logical acquisitions
E) Raw format
F) Redundant array of independent disks (RAID)
G) Sparse acquisition
H) Static acquisitions
I) Whole disk encryption
J) .pdg extension
25
Match the terms with the correct definitions.
- An encryption technique that performs a sector-by-sector encryption of an entire drive; each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method
A) Advanced Forensic Format (AFF)
B) Host protected area (HPA)
C) Live acquisitions
D) Logical acquisitions
E) Raw format
F) Redundant array of independent disks (RAID)
G) Sparse acquisition
H) Static acquisitions
I) Whole disk encryption
J) .pdg extension
26
Match the terms with the correct definitions.
- A data acquisition method used when a suspect computer can't be shut down to perform a static acquisition
A) Advanced Forensic Format (AFF)
B) Host protected area (HPA)
C) Live acquisitions
D) Logical acquisitions
E) Raw format
F) Redundant array of independent disks (RAID)
G) Sparse acquisition
H) Static acquisitions
I) Whole disk encryption
J) .pdg extension
27
_____________ software is used in a Linux environment to mount and write data only to NTFS partitions.
28
To create a new primary partition within the fdisk interactive utility, which letter should be typed?
A) c
B) p
C) l
D) n
29
Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files?
A) Advanced Forensics Disk
B) Advanced Forensic Format
C) Advanced Capture Image
D) Advanced Open Capture
30
Match the terms with the correct definitions.
- A data acquisition method that captures only specific files of interest to the case or specific types of files, such as Outlook .pst files
A) Advanced Forensic Format (AFF)
B) Host protected area (HPA)
C) Live acquisitions
D) Logical acquisitions
E) Raw format
F) Redundant array of independent disks (RAID)
G) Sparse acquisition
H) Static acquisitions
I) Whole disk encryption
J) .pdg extension
31
Match the terms with the correct definitions.
- A data acquisition method that captures only specific files of interest to a case, but also collects fragments of unallocated (deleted) data
A) Advanced Forensic Format (AFF)
B) Host protected area (HPA)
C) Live acquisitions
D) Logical acquisitions
E) Raw format
F) Redundant array of independent disks (RAID)
G) Sparse acquisition
H) Static acquisitions
I) Whole disk encryption
J) .pdg extension
32
Match the terms with the correct definitions.
- An area of a disk drive reserved for booting utilities and diagnostic programs; it is not visible to the computer's OS
A) Advanced Forensic Format (AFF)
B) Host protected area (HPA)
C) Live acquisitions
D) Logical acquisitions
E) Raw format
F) Redundant array of independent disks (RAID)
G) Sparse acquisition
H) Static acquisitions
I) Whole disk encryption
J) .pdg extension
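Cards 11, 16 and 32 all turn on the host protected area: sectors the drive hides from the OS, which an acquisition made through the normal block device will silently miss. The practical check is to ask the drive for its native size before imaging. This added shell example, not from the deck or from the hdparm project, parses the "max sectors" line that `hdparm -N` prints; the line format is real, the sector counts in the constructed samples are made up.

```shell
#!/bin/sh
# Added example (not part of the deck): detect a host protected area before
# acquisition by parsing the "max sectors" line printed by `hdparm -N`.
# hdparm prints a line of this shape (numbers below are constructed):
#   max sectors   = 976773168/976773168, HPA is disabled
# The first number is the size the OS sees; the second is the native size.
set -e

# hpa_hidden_sectors LINE: print how many sectors the HPA hides (0 if none).
# Prints nothing if LINE is not a "max sectors" line.
hpa_hidden_sectors() {
    printf '%s\n' "$1" | awk -F'[=/,]' '/max sectors/ {
        gsub(/ /, "", $2); gsub(/ /, "", $3)   # " 976000000" -> "976000000"
        print $3 - $2                           # native minus visible
    }'
}

# check_hpa DEVICE: query a real drive (needs root and hdparm) and report.
# With default Linux settings /dev/sdX exposes only the visible area, so a
# plain dd or dcfldd of the device would not capture the hidden sectors.
check_hpa() {
    line=$(hdparm -N "$1" | grep 'max sectors')
    hidden=$(hpa_hidden_sectors "$line")
    if [ "${hidden:-0}" -gt 0 ]; then
        echo "$1: HPA hides $hidden sectors; use a tool that reads the native size, or lift the HPA and document it"
    else
        echo "$1: no HPA"
    fi
}

# Constructed sample lines standing in for hdparm output.
SAMPLE_NO_HPA='max sectors   = 976773168/976773168, HPA is disabled'
SAMPLE_HPA='max sectors   = 976000000/976773168, HPA is enabled'

if [ "${1:-}" = "demo" ]; then
    hpa_hidden_sectors "$SAMPLE_NO_HPA"   # 0
    hpa_hidden_sectors "$SAMPLE_HPA"      # 773168
fi
```

A non-zero result is the cue to verify, as card 11 says, that the chosen acquisition tool actually reaches the native size; a matching sector count in the image is the evidence that it did.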
33
Within the fdisk interactive menu, what character should be entered to view existing partitions?
A) l
B) p
C) o
D) d
34
The ______________ imaging tool produces three proprietary formats: IDIF, IRBF, and IEIF.
35
Match the terms with the correct definitions.
- A ProDiscover Group file, which includes instructions for how ProDiscover should load each physical disk's image data
A) Advanced Forensic Format (AFF)
B) Host protected area (HPA)
C) Live acquisitions
D) Logical acquisitions
E) Raw format
F) Redundant array of independent disks (RAID)
G) Sparse acquisition
H) Static acquisitions
I) Whole disk encryption
J) .pdg extension
36
The _______ command was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory.
A) dd
B) split
C) dcfldd
D) echo
37
Which RAID type provides increased speed and data storage capability, but lacks redundancy?
A) RAID 0
B) RAID 1
C) RAID 0+1
D) RAID 5
38
________________ software can sometimes be used to decrypt a drive that is utilizing whole disk encryption.
39
When two files with different contents generate the same digital fingerprint using a hashing function, a(n) ____________ has occurred.
40
The ___________ file type uses lossy compression to reduce file size and doesn't affect image quality when the file is restored and viewed.
41
Describe RAID 3.
42
In Linux, how is a specific partition acquired, as opposed to an entire drive?
43
How does remote access work in EnCase Enterprise software?
44
What is lossless compression?
45
What two command line utilities are available on Linux for validating files?
46
How can lossless compression be tested?
47
What is a hashing collision?
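Cards 15, 39, 45, 46 and 47 share one mechanism: a digest computed with md5sum or sha1sum is the validation check, lossless compression is proven by an unchanged digest after a round trip, and a collision is two different inputs with the same digest. This added shell example, not from the deck, shows all three with the coreutils tools. The gzip round trip and the helper names are this example's own choices; the collision search truncates MD5 to 16 bits so the birthday effect produces one in seconds, which is the point: the full 128-bit digest needs a deliberate attack, not luck.

```shell
#!/bin/sh
# Added example (not part of the deck): validation digests with md5sum and
# sha1sum, a lossless-compression round-trip test, and a collision found on
# digests truncated to a few hex digits.
set -e

# digest FILE ALGO: print only the hex digest; ALGO is md5 or sha1
digest() {
    "$2sum" "$1" | cut -d' ' -f1
}

# lossless_roundtrip FILE: compress with gzip, decompress, and confirm that
# the restored bytes hash identically. cmp gives a byte-level second opinion.
# Returns 0 if the compression was lossless.
lossless_roundtrip() {
    tmp=$(mktemp)
    gzip -c "$1" > "$tmp.gz"
    gunzip -c "$tmp.gz" > "$tmp"
    if [ "$(digest "$1" sha1)" = "$(digest "$tmp" sha1)" ] && cmp -s "$1" "$tmp"; then
        status=0
    else
        status=1
    fi
    rm -f "$tmp" "$tmp.gz"
    return $status
}

# prefix_collision HEXCHARS N: MD5-hash the strings "1".."N" and print the
# first two distinct inputs whose digests agree in the first HEXCHARS hex
# digits. With 4 hex digits (16 bits) a match is expected after about
# 2^8 = 256 inputs; a full MD5 collision costs 2^64 generic work, so the
# collisions that matter in practice come from chosen-prefix attacks.
prefix_collision() {
    i=1
    while [ "$i" -le "$2" ]; do
        printf '%s %s\n' "$(printf '%s' "$i" | md5sum | cut -c1-"$1")" "$i"
        i=$((i + 1))
    done | sort | awk '$1 == p { print q, $2; exit } { p = $1; q = $2 }'
}

if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); head -c 200000 /dev/urandom > "$f"    # constructed sample image
    echo "md5  $(digest "$f" md5)"
    echo "sha1 $(digest "$f" sha1)"
    lossless_roundtrip "$f" && echo "gzip round trip: lossless"
    echo "16-bit MD5 collision between inputs: $(prefix_collision 4 2500)"
    rm -f "$f"
fi
```

Two different inputs colliding on the first four hex digits still differ in the remaining 28, which is why verifying an image with both MD5 and SHA-1 (as dcfldd's `hash=md5,sha1` does) is cheap insurance: an attacker who manufactures an MD5 collision still has to match the second digest.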
48
How can data acquisition be performed on an encrypted drive?
49
Describe a RAID 6 configuration.
50
What is the dd command?