Chapter 5.5 Flashcards

1
Q

order of volatility

A

The order of volatility serves as a guideline for determining which types of storage are more or less volatile than others. Volatile storage (for example, system or cache RAM) is storage that is usually temporary and is easily erased or lost. Powering down a system will remove any potential evidence that is contained in volatile storage.

2
Q

rank of volatility

A
  1. CPU registers, CPU cache
  2. Routing table, ARP cache, process table, kernel statistics, memory
  3. Temporary file systems
  4. Disk
  5. Remote logging and monitoring data
  6. Physical configuration, network topology
  7. Archival media
3
Q

chain of custody

A

Chain of custody is a record of where, when, and by whom evidence was collected, who subsequently handled it, and where it was stored. It is established before imaging.

4
Q

timeline

A

Preservation of evidence is focused on ensuring evidence remains credible. Keeping a valid timeline of events (such as a chain of custody) is a preservation of evidence practice.

5
Q

cryptographic hash

A

A cryptographic hash is a method that is used to ensure that an image of a system is valid. Hashes created on both the source and the destination are compared. Identical hashes mean the data is identical.

6
Q

eDiscovery

A

eDiscovery is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial.

7
Q

Snapshots

A

Snapshots are a means of getting around the problem of open files encountered during a backup by using a point-in-time approach. Volume Shadow Copy Service (VSS) is an example of snapshot technology.

8
Q

continuous monitoring

A

Continuous monitoring is a method of checking a system for health. This type of monitoring is usually performed using an agent on a system, with details reported to a main system. This may be used as a form of control, but it is not obtrusive to system usability.

9
Q

image acquisition

A

System images are copies of entire computer systems or data. Such images are helpful during investigations as a backup copy. Image acquisition is a data backup/cloning technique, and is used in forensics.

10
Q

network logs

A

Network logs may be used as a security control to record traffic and other statistics and data. Logging can overwhelm a system if too much activity is being logged. This is true for both performance and disk use.

11
Q

timestamps

A

Different file systems use different methods to identify the time when something occurred. NTFS uses UTC “internally,” but many file systems record timestamps as the local system time. In forensics, it is vital to note the offset between the local system time and UTC.
