Final Exam Terms

Question 1

Raw Format

Answer 1

refers to capturing the entire content of a storage device, sector by sector, without any interpretation or alteration

Question 2

Bit Stream Copy

Answer 2

This is a bit-by-bit duplication of the original storage medium, including all data, metadata, and slack space

Question 3

Sparse Acquisition

Answer 3

Sparse acquisition involves capturing only allocated data, skipping unallocated or free space. This can be useful to reduce the time and storage space required for acquisition, especially when dealing with large storage devices.

Question 4

Handling Encryption

Answer 4

Encryption poses a challenge in forensic imaging because encrypted data cannot be accessed without the correct decryption key

Question 5

Handling Encryption

Answer 5

Countermeasures involve obtaining passwords or encryption keys through legal means, using specialized forensic tools to bypass encryption, or conducting memory forensics to extract encryption keys from volatile memory

Question 6

Server RAID Set Acquisition

Answer 6

Issues in acquiring data from a RAID set include ensuring that all drives in the array are imaged correctly, handling complex RAID configurations, and dealing with failed or degraded drives

Question 7

Server RAID Set Acquisition

Answer 7

Countermeasures involve using specialized RAID controllers or software to reconstruct RAID arrays, ensuring data integrity during the acquisition process

Question 8

Computer-Generated Records

Answer 8

Those records that are created by a computer system as part of its normal operation, such as logs, system files, or database records. These records are typically automatically generated by software or hardware.

Question 9

Computer-Stored Records

Answer 9

Files or data that are stored on a computer system, including documents, images, emails, etc. These records are created by users and stored on the computer’s storage medium.

Question 10

Computer-Generated Records and Computer-Stored Records

Answer 10

To be usable as evidence, both types of records must be collected and preserved in a forensically sound manner to ensure their integrity and admissibility in court. This involves using forensic imaging techniques to capture the data without altering it, maintaining chain of custody, and documenting the process thoroughly.

Question 11

Explain Geometry of a Hard Drive

Answer 11

Refers to the physical layout of data on a hard drive, including sectors, tracks, and cylinders.

Question 12

Why it is critical to image an SSD drive as quickly as possible compared to other non-SSD disk?

Answer 12

SSDs have wear-leveling algorithms that can dynamically move data around to ensure even wear on the memory cells. Imaging an SSD quickly helps to capture the current state of the wear-leveling algorithm before it redistributes data, which can affect the forensic analysis.

Question 13

HPA (Host Protected Area) and DCO (Device Configuration Overlay)

Answer 13

These are hidden areas on hard drives used for system recovery, diagnostics, or vendor-specific purposes. They can contain data hidden from the operating system and standard forensic tools.

Question 14

Partition Gap

Answer 14

Unused space between partitions on a storage device.

Question 15

Drive slack

Answer 15

Drive slack refers to the leftover space between the end of a file and the end of the last sector allocated to it, which can contain remnants of deleted files or data.

Question 16

RAM Slack

Answer 16

Refers to data remaining in memory after it’s been allocated to a process

Question 17

File slack

Answer 17

refers to the space between the end of a file and the end of the last sector allocated to it

Question 18

Why are partition gaps and drive slack important to an investigation?

Answer 18

Both partition gaps and drive slack can contain valuable forensic evidence, including fragments of deleted files, metadata, or remnants of previous activities.

Question 19

Metadata

Answer 19

Data that provides information about other data, such as file creation date, author, permissions, etc.

Question 20

File signature

Answer 20

Unique identifying pattern or sequence of bytes used to identify the file type or format. “Magic numbers”

Question 21

File analysis

Answer 21

Examination of file content, structure, and metadata to extract information relevant to an investigation.

Question 22

Exif image format

Answer 22

Exchangeable Image File Format, which includes metadata tags such as camera settings, GPS coordinates, and timestamps

Question 23

File carving

Answer 23

Process of extracting files or data from raw disk images or unallocated space based on file signatures and structure, even if file system metadata is missing or corrupted

Question 24

Lossy compression

Answer 24

Compression technique that reduces file size by removing redundant or unnecessary information, resulting in a loss of quality. Example: JPEG compression for images

Question 25

Lossless compression

Answer 25

Compression technique that reduces file size without losing any data or quality. Example: ZIP compression for files

Question 26

Steganography

Answer 26

Technique of hiding secret messages or data within another file, such as an image or audio file, to avoid detection

Question 27

Substitution

Answer 27

In forensic context, refers to the replacement of original data with different data, often to hide or alter incriminating evidence

Question 28

What are the two primary goals of registry forensics?

Question 29

Hive

Answer 29

Logical group of keys, subkeys, and values in the Windows registry, stored as separate files

Question 30

Subkey

Answer 30

Subdivision of a registry key, containing additional keys or values

Question 31

Artifacts

Answer 31

Traces or remnants of past activities or events left behind in the registry, which can be used as evidence in forensic investigations

Question 32

Static Acquisition

Answer 32

Capturing a snapshot of the entire storage device in a forensically sound manner without modifying its contents

Question 33

Live Acquisition

Answer 33

Collecting data from a running system, including volatile memory (RAM), to capture the current state of the system.

Question 34

Transit Acquisition

Answer 34

Collecting data while it’s in transit over a network or between devices.

Question 35

Type 1 Hypervisor

Answer 35

Runs directly on the host’s hardware to manage virtual machines. Examples include VMware ESXi, Microsoft Hyper-V Server.

Question 36

Type 2 Hypervisor

Answer 36

Runs on a conventional operating system and hosts virtual machines as application software. Examples include VMware Workstation, Virtual Box

Question 37

Explain the order of volatility

Answer 37

Principle guiding the collection of volatile data in forensic investigations, starting from the most volatile (e.g., RAM) to the least volatile (e.g., disk storage)

Question 38

Explain how to handle VMDK Files (forensically)

Answer 38

Virtual Machine Disk files used by VMware. These files can be analyzed using forensic tools capable of interpreting virtual disk formats and extracting relevant data.

Question 39

Anti-forensics and example

Answer 39

Techniques used to evade or thwart forensic investigation efforts. Example: Overwriting data multiple times to prevent recovery.

Question 40

Link/shortcut analysis

Answer 40

Examination of symbolic links, shortcuts, or aliases to trace relationships between files or directories.

Question 41

Actions to prove anti-forensics

Answer 41

Evidence of data wiping, file deletion, encryption, or use of anti-forensic tools.

Question 42

Defense against anti-forenics

Answer 42

Employing proactive security measures, monitoring for suspicious activities, and using advanced forensic techniques to detect and counter anti-forensic tactics.