Guide to Computer Forensics & Investigations
The process of copying data, in general. - answer-Data acquisition
The task of collecting digital evidence from electronic media, for digital forensics. - answer-Data acquisition
The two types of data acquisition are: - answer-static and live
Why are data acquisitions shifting towards live acquisitions? - answer-Because of the increased use of whole disk encryption (a powered-off, encrypted drive yields only ciphertext to a static copy).
The type of acquisition that can change file metadata, such as date and time values. - answer-live acquisition
The type of acquisition that should produce the same results no matter how many times the data is acquired. - answer-static acquisition
The ISO/IEC standard for identifying, collecting, acquiring and preserving (and documenting) digital evidence. - answer-ISO/IEC 27037
An older, non-proprietary disk-to-image file format with no header or metadata of its own. - answer-raw format
A newer, open-source disk-to-image file format. - answer-Advanced Forensic Format (AFF)
AFF - answer-Advanced Forensic Format
Advantages of raw format - answer-1. Fast data transfers.
2. Capability to ignore minor data read errors on the source drive and keep copying.
3. Most forensic tools can read raw format, making it a near-universal acquisition format.
The output produced by writing bit-stream data from a suspect drive or data set to simple sequential flat files. - answer-raw format
Disadvantages of raw format - answer-1. Requires as much storage space as the original disk or data set (no compression).
2. Some raw format tools (typically freeware) might not collect marginal (bad) sectors on the source drive, because they have a low threshold for retrying reads on weak spots of the media; many commercial tools retry harder and recover more of these sectors.
3. Hash values and case metadata cannot be stored inside the image, so they must be kept in separate files that travel with it.
CRC32 - answer-Cyclic Redundancy Check, a 32-bit checksum used for validation checks; raw-format tools usually write it to a separate file. A CRC detects accidental corruption but is not a cryptographic hash, so it offers no protection against deliberate tampering.
Validation checks several commercial acquisition tools can perform - answer-Cyclic Redundancy Check (CRC32), Message Digest 5 (MD5), and Secure Hash Algorithm (SHA-1 or later) hashing functions.
MD5 - answer-Message Digest 5, a 128-bit hashing function for validation checks, usually written to a separate file. MD5 has known collision attacks, so record a SHA-2 hash (for example SHA-256) alongside it.
SHA-1 or later - answer-Secure Hash Algorithm, a hashing function for validation checks, usually written to a separate file. SHA-1 also has practical collisions; SHA-256 is the current baseline for evidence hashing.
Features of proprietary formats in commercial forensic tools - answer-1. Option to compress image files or leave them uncompressed.
2. Ability to split an image into smaller segmented files for archiving purposes, with integrity checks for each segment.
3. Ability to integrate metadata into the image file (date/time, hash value, examiner name, case details).
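The raw-format acquisition, the validation hashes and the per-segment integrity checks described above, as an added shell example. This is not code from the book or from any tool it names: it uses dd with conv=noerror,sync as the raw bit-stream copier, a constructed 1 MiB file in place of a suspect drive, and a 256 KiB segment size in place of the 650 MB and 2 GB limits the text mentions. cksum gives the POSIX CRC-32 variant rather than the IEEE/zlib CRC32 most tools compute. It assumes GNU or BSD coreutils (dd, cksum, md5sum, sha1sum, sha256sum, split -b, head -c, mktemp -d) and needs no root because no real device is read.

```shell
#!/bin/sh
# Added example (not code from the book or from any tool it names):
# raw-format acquisition of a constructed "suspect drive" with dd, the
# validation hashes written to a separate file, and per-segment hashes
# for a split image. Assumptions: dd, cksum, md5sum, sha1sum, sha256sum,
# split -b and head -c are available (GNU or BSD coreutils), and a plain
# file stands in for the evidence device so no root or write blocker is
# needed to run it.
set -eu

# Bit-stream copy into a raw image. conv=noerror keeps reading past bad
# sectors instead of aborting; conv=sync pads each short read with zeros
# so later data stays at its original offsets. Those zero-filled blocks
# are exactly the "marginal sectors" the text says cheap tools lose, so
# keep dd's stderr as part of the acquisition log.
acquire_raw() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>"$2.dd.log"
}

# The validation values the text lists. cksum gives the POSIX CRC-32
# variant (not the IEEE/zlib CRC32 most tools use). Raw-format tools
# write these to a separate file because the image has no header for them.
hash_image() {
    printf 'crc32  %s\n' "$(cksum "$1" | cut -d' ' -f1)"
    printf 'md5    %s\n' "$(md5sum "$1" | cut -d' ' -f1)"
    printf 'sha1   %s\n' "$(sha1sum "$1" | cut -d' ' -f1)"
    printf 'sha256 %s\n' "$(sha256sum "$1" | cut -d' ' -f1)"
}

# SHA-256 of one file, used for the comparisons below.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# A static acquisition is correct when source and image hash identically,
# and must do so every time the acquisition is repeated.
verify_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Split the image into fixed-size segments (256 KiB here; the formats in
# the text use 650 MB or 2 GB) and record one hash per segment so each
# archived piece can be checked without reassembling the whole image.
segment_image() {
    split -b "$2" "$1" "$1.seg."
    sha256sum "$1".seg.* > "$1.segments.sha256"
}

# Check every segment against its recorded hash, then reassemble and
# print the whole-image SHA-256; it must equal the unsplit image's hash.
verify_segments() {
    sha256sum -c "$1.segments.sha256" >/dev/null
    cat "$1".seg.* | sha256sum | cut -d' ' -f1
}

# Constructed evidence: 1 MiB of repeated ASCII text standing in for a
# suspect drive (/dev/sdX behind a write blocker in practice). 1 MiB is a
# whole number of 512-byte blocks, so conv=sync pads nothing and source
# and image hash the same; real devices are sector-aligned anyway.
WORK=$(mktemp -d)
SRC="$WORK/suspect.src"
IMG="$WORK/suspect.raw"
yes 'constructed suspect drive sector data' | head -c 1048576 > "$SRC"

acquire_raw "$SRC" "$IMG"
hash_image "$IMG" > "$IMG.hashes"
segment_image "$IMG" 262144
verify_image "$SRC" "$IMG" && echo "raw image verified against source"

# Tampered copy: one byte overwritten with 0x00 (the source text contains
# no NUL bytes, so this is a guaranteed change) makes every hash differ.
TAMPERED="$WORK/suspect.tampered"
cp "$IMG" "$TAMPERED"
dd if=/dev/zero of="$TAMPERED" bs=1 seek=4096 count=1 conv=notrunc 2>/dev/null
verify_image "$IMG" "$TAMPERED" || echo "tampered copy detected"
```

Run it as a plain script; the image, its .hashes file, the dd log and the segment hash list all land in one temporary directory, which is the minimum set of artifacts a raw acquisition needs to keep together since the format itself carries none of them.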
Several terms for copying evidence data to files - answer-1. bit-stream copy
2. bit-stream image
3. image
4. mirror
5. sector copy
Disadvantages of proprietary format acquisitions - answer-1. Major: inability to share an image between different vendors' computer forensics analysis tools.
2. A file size limit for each segmented volume, typically 650 MB, adjustable to no more than 2 GB (a limit inherited from older FAT file systems, where a single file cannot exceed 2 GB).
The three proprietary formats of the ILookIX imaging tool: - answer-IDIF, IRBF, and IEIF (all three can be converted to raw format, however)
the unofficial standard of all proprietary formats for image acquisitions - answer-Expert Witness format
the default format for Guidance Software EnCase - answer-Expert Witness format
Features of the Expert Witness format: - answer-1. Produces compressed or uncompressed image files.
2. Writes a file extension starting with .e01 and increments it (.e02, .e03, ...) for each additional segmented image volume created.
Several forensics analysis tools that can generate a generic version of the Expert Witness format: - answer-X-Ways Forensics
AccessData Forensic Toolkit (FTK)
SMART
The developer of AFF - answer-Dr. Simson L. Garfinkel
Some design goals of AFF - answer-1. Capable of producing compressed or uncompressed image files.
2. No size restrictions for disk-to-image files.
3. Space in the image file or segmented files for metadata.
4. Simple design with extensibility.
5. Open source, for multiple computing platforms and OSs.
6. Internal consistency checks for self-authentication.
File extensions for AFF - answer-.afd for segmented image files, .afm for AFF metadata