Making a copy of the original drive: extraction, acquisition, validation, verification

Running Header: IT 316 Unit 9 Assignment

Acquisition refers to the process of making a copy of the original drive. The subfunctions of this process are physical data copy, logical data copy, data acquisition format, command-line acquisition, GUI acquisition, and remote, live, and memory acquisitions. Two types of data-copying methods are used in software acquisitions: physical copying of the entire drive, which is a bit-for-bit copy, and logical copying of a disk partition. A logical acquisition is a bit-by-bit copy of a given logical storage unit; the storage may refer to a user data partition as well as a system data partition. This will normally produce a smaller, more manageable copy.

Validation and Verification: Verification ensures that the system or tools being used for forensic gathering are working properly, while validation physically ensures that the system operates according to plan by executing its functions through a series of tests that are evaluated. Under this function are processes like hashing, filtering, and file header analysis. Hashing is like a digital fingerprint for a file. For example, MD5 produces a 128-bit hash written as 32 hexadecimal characters. Filtering is a way to sort data so that it is easily found when cataloged, and all data has a specific file type and header size that is correlated with a file extension. With this information, you can see whether a file extension is incorrect for the file type.

Extraction:

CHAPTER 6 Review questions and words

1. Forensic software tools are grouped into ____________ and _______________ applications.

2. According to ISO standard 27037, which of the following is an important factor in data acquisition? (Choose all that apply.)

3. One reason to choose a logical acquisition is an encrypted drive. True or False?

4. Hashing, filtering, and file header analysis make up which function of digital forensics tools?

5. Hardware acquisition tools typically have built-in software for data analysis. True or False?

6. The reconstruction function is needed for which of the following purposes? (Choose all that apply.)

7. List three subfunctions of the extraction function.



What are the five required functions for computer forensics tools?

acquisition, validation and discrimination, extraction, reconstruction, and reporting

A disk partition can be copied only with a command-line acquisition tool. True or False?
A) True
B) False

What two data-copying methods are used in software data acquisitions?
A) Remote and local
B) Local and logical
C) Logical and physical
D) Physical and compact

During a remote acquisition of a suspect drive, RAM data is lost. True or False?
A) True
B) False

Hashing, filtering, and file header analysis make up which function of computer forensics tools?
A) Validation and discrimination
B) Acquisition
C) Extraction
D) Reporting

A) Validation and discrimination

Sleuth Kit is used to access Autopsy’s tools. True or False?
A) True
B) False

When considering new forensics software tools, you should do which of the following?
A) Uninstall other forensic software.
B) Reinstall the OS.
C) Test and validate the software.
D) None of the above.

C) Test and validate the software.

Of the six functions of computer forensics tools, what are the subfunctions of the Extraction function?

Data viewing, Keyword searching, Decompressing, Carving, Decrypting, and Bookmarking

Data can’t be written to the disk with a command-line tool. True or False?
A) True
B) False

Hash values are used for which of the following purposes? (Choose all that apply.)
A) Determining file size
B) Filtering known good files from potentially suspicious data
C) Reconstructing file fragments
D) Validating that the original data hasn’t changed

B) Filtering known good files from potentially suspicious data
D) Validating that the original data hasn’t changed

What’s the name of the NIST project established to collect all known hash values for commercial software and OS files?

National Software Reference Library (NSRL)

Many of the newer GUI tools use a lot of system resources. True or False?
A) True
B) False

Building a forensic workstation is more expensive than purchasing one. True or False?
A) True
B) False

A live acquisition is considered an accepted forensics practice. True or False?
A) True
B) False

Which of the following is true of most drive-imaging tools? (Choose all that apply.)
A) They perform the same function as a backup.
B) They ensure that the original drive doesn’t become corrupt and damage the digital evidence.
C) They create a copy of the original drive.
D) They must run from the command line.

B) They ensure that the original drive doesn’t become corrupt and damage the digital evidence.
C) They create a copy of the original drive.

The standards for testing forensics tools are based on which criteria?
A) U.S. Title 18
B) ISO 5725
C) ISO 17025
D) All of the above.

Which of the following tools can examine files created by WinZip?
A) FTK
B) Hex Workshop
C) Registry Viewer
D) SMART

List four subfunctions of reconstructing drives.

disk-to-disk copy, image-to-disk copy, partition-to-partition copy, image-to-partition copy

When validating the results of a forensic analysis, you should do which of the following?
A) Calculate the hash value with two different tools.
B) Use a different tool to compare the results of evidence that you find.
C) Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results.
D) None of the above.

A) Calculate the hash value with two different tools.
B) Use a different tool to compare the results of evidence that you find.

NIST testing procedures are valid only for government agencies. True or False?
A) True
B) False

B) False

What two data copying methods are used in software data acquisitions?

Two types of data-copying methods are used in software acquisitions: Physical copying of the entire drive. Logical copying of a disk partition.

What is the data copying process referred to as?

The process of copying data from the memory location is called Fetching.

What is a forensic duplicate image?

A forensic clone is an exact bit-for-bit copy of a piece of digital evidence. Files, folders, hard drives, and more can be cloned. A forensic clone is also known as a bit-stream image or forensic image.

Which of the following statements about most drive imaging tools is correct?

Which of the following is true of most drive-imaging tools? They perform the same function as a backup. They ensure that the original drive doesn't become corrupt and damage the digital evidence.


What is a forensic image of a hard drive?

A forensic image of a hard drive captures everything on the hard drive, from the physical beginning to the physical end. Performing a “copy and paste” via the operating system is not the same as a forensic clone. A true forensic image captures both the active and latent data.

What is a forensic copy?

Definition(s): An accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm.

How do we verify the accuracy of a bit stream copy?

To verify this, we can use a hash function to produce a type of “checksum” of the source data. As each bit of the original media is read and copied, that bit is also entered into a hashing algorithm.
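The hash-while-copying check described above, together with the file header analysis mentioned in the assignment text, as an added Python example (it is not code from the original page or its course material). The 4 KiB sample drive and the four-entry signature table are constructed for the demonstration.

```python
import hashlib
import io

# Constructed stand-in for the raw source device (4 KiB); not real evidence.
SOURCE_DRIVE = bytes(range(256)) * 16

# Well-known leading-byte signatures for the extensions this check understands.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
}

def acquire_image(source: bytes, chunk_size: int = 512):
    """Bit-stream copy: every byte read from the source is written to the image
    and, in the same pass, fed into MD5 and SHA-256. Returns (image, md5, sha256)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    image = io.BytesIO()
    with io.BytesIO(source) as src:
        while chunk := src.read(chunk_size):
            image.write(chunk)
            md5.update(chunk)
            sha256.update(chunk)
    return image.getvalue(), md5.hexdigest(), sha256.hexdigest()

def verify_image(image: bytes, expected_md5: str, expected_sha256: str) -> bool:
    """Independently re-hash the copy and require both digests to match."""
    return (hashlib.md5(image).hexdigest() == expected_md5
            and hashlib.sha256(image).hexdigest() == expected_sha256)

def header_matches_extension(filename: str, data: bytes) -> bool:
    """File header analysis: does the file's magic number agree with its extension?"""
    ext = filename.rsplit(".", 1)[-1].lower()
    signature = SIGNATURES.get(ext)
    return signature is not None and data.startswith(signature)

if __name__ == "__main__":
    image, md5_hex, sha256_hex = acquire_image(SOURCE_DRIVE)
    print("MD5    :", md5_hex)        # 128 bits, 32 hex characters
    print("SHA-256:", sha256_hex)
    print("image verifies:", verify_image(image, md5_hex, sha256_hex))
    tampered = bytearray(image)
    tampered[100] ^= 0x01             # flip a single bit in the copy
    print("tampered copy verifies:", verify_image(bytes(tampered), md5_hex, sha256_hex))
    # A ZIP archive renamed to .jpg is caught because its header is PK\x03\x04.
    print(header_matches_extension("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"))
    print(header_matches_extension("photo.jpg", b"PK\x03\x04\x14\x00"))
```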