27/11/2024 11:35AM
BFOR 201 Final Exam Questions and Answers
Hardware forensic tools - Answers✓✓Range from single-purpose components to complete computer systems and servers
Software forensic tools - Answers✓✓Types:
Command-line applications
GUI applications
Commonly used to copy data from a suspect's disk drive to an image file
Five major categories of forensic tool functions: - Answers✓✓Acquisition
Validation and verification
Extraction
Reconstruction
Reporting
Acquisition - Answers✓✓Making a copy of the original drive
Two types of data-copying methods are used in software acquisitions:
Physical copying of the entire drive
Logical copying of a disk partition
©Themoon EXAM SOLUTIONS
The formats for disk acquisitions vary, from raw data to vendor-specific proprietary formats
Creating smaller segmented files is a typical feature in vendor acquisition tools
Remote acquisition of files is common in larger organizations
You can view the contents of a raw image file with - Answers✓✓any hexadecimal editor
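The acquisition cards above (physical copy of the whole drive versus logical copy of one partition, segmented output files, and viewing a raw image in a hex editor) as one added worked example. This is not code from the page or from any vendor tool: it builds a constructed 64-sector sample drive with an MBR partition table (hypothetical data), acquires it both ways, splits the physical image into numbered segments, and dumps the end of sector 0 so the 55 AA boot signature is visible the way a hex editor would show it. All function names are assumptions for this example.

```python
import os
import struct
import tempfile

SECTOR = 512

def build_sample_disk(path):
    """Constructed 64-sector 'drive' (hypothetical data): one MBR partition entry
    covering sectors 8..55, a marker inside it and another in the unallocated tail."""
    disk = bytearray(64 * SECTOR)
    # Partition entry 1 at offset 446: status, CHS start, type, CHS end, LBA start, sectors
    disk[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x0C, b"\0\0\0", 8, 48)
    disk[510:512] = b"\x55\xAA"                       # MBR boot signature
    disk[8 * SECTOR:8 * SECTOR + 16] = b"PARTITION-DATA!!"
    disk[60 * SECTOR:60 * SECTOR + 16] = b"UNALLOCATED-TAIL"
    with open(path, "wb") as f:
        f.write(disk)
    return len(disk)

def parse_mbr(path):
    """Return the non-empty partition entries of a classic (non-GPT) MBR."""
    with open(path, "rb") as f:
        mbr = f.read(SECTOR)
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for off in range(446, 510, 16):
        _, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype and count:
            parts.append({"type": ptype, "lba": lba, "sectors": count})
    return parts

def copy_range(src, dst, offset, length, bufsize=1 << 20):
    """Copy `length` bytes from `offset` of src into dst in fixed-size buffers; returns bytes written."""
    written = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        fin.seek(offset)
        while written < length:
            chunk = fin.read(min(bufsize, length - written))
            if not chunk:               # short read: device smaller than claimed
                break
            fout.write(chunk)
            written += len(chunk)
    return written

def physical_copy(src, dst):
    """Physical acquisition: every sector, including MBR, slack and unallocated space."""
    return copy_range(src, dst, 0, os.path.getsize(src))

def logical_copy(src, dst, part):
    """Logical acquisition: only the sectors the partition entry claims."""
    return copy_range(src, dst, part["lba"] * SECTOR, part["sectors"] * SECTOR)

def segment_image(image, segment_bytes):
    """Split an image into numbered segment files (image.001, .002, ...) to stay under media size limits."""
    paths = []
    with open(image, "rb") as fin:
        for n, chunk in enumerate(iter(lambda: fin.read(segment_bytes), b""), 1):
            paths.append(f"{image}.{n:03d}")
            with open(paths[-1], "wb") as fout:
                fout.write(chunk)
    return paths

def hexdump(path, offset=0, length=64):
    """Hex/ASCII view of a raw image region, what any hex editor shows for a .dd file."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read(length)
    lines = []
    for i in range(0, len(data), 16):
        row = data[i:i + 16]
        hexpart = " ".join(f"{b:02x}" for b in row)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append(f"{offset + i:08x}  {hexpart:<47}  |{asc}|")
    return lines

def contains(path, needle):
    with open(path, "rb") as f:
        return needle in f.read()

def run_demo():
    """Build the sample drive, acquire it both ways, segment the physical image."""
    work = tempfile.mkdtemp(prefix="acq-")
    src, phys, logi = (os.path.join(work, n) for n in ("suspect.bin", "physical.dd", "part1.dd"))
    size = build_sample_disk(src)
    parts = parse_mbr(src)
    return {
        "device_bytes": size,
        "partitions": parts,
        "physical_bytes": physical_copy(src, phys),
        "logical_bytes": logical_copy(src, logi, parts[0]),
        "segments": segment_image(phys, 8 * SECTOR),
        "tail_in_physical": contains(phys, b"UNALLOCATED-TAIL"),   # True: slack is acquired
        "tail_in_logical": contains(logi, b"UNALLOCATED-TAIL"),    # False: outside the partition
        "mbr_signature_line": hexdump(phys, 496, 16)[0],             # ends in "55 aa"
    }
```

Call `run_demo()` to see the point of the two methods side by side: the physical image carries the marker in the unallocated tail, the logical image of partition 1 does not, which is exactly the evidence a partition-only copy loses.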
Validation & Verification - Answers✓✓Validation: A way to confirm that a tool is functioning as intended
Verification: Proves that two sets of data are identical by calculating hash values or using another similar method
(A related process is filtering, which involves sorting and searching through investigation findings to separate good data from suspicious data)
Sub functions:
Hashing
Filtering
Analyzing file headers
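The three subfunctions above (hashing, filtering, analyzing file headers) as one added worked example, not code from the page or from any forensic product. It hashes a source and its copies with streaming SHA-256 (including a segmented copy, which must be hashed as one logical stream), buckets constructed sample files by hash against known-good and known-bad sets, and flags files whose leading bytes do not fit their extension. The sample files, hash sets and function names are constructed assumptions for this example.

```python
import hashlib
import os
import tempfile

def sha256_file(path, bufsize=1 << 20):
    """Streaming SHA-256, so a multi-terabyte image is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()

def sha256_segments(paths):
    """Hash the logical concatenation of segment files (image.001, .002, ...), which
    is what must match the source: hashing each segment alone proves nothing."""
    h = hashlib.sha256()
    for p in paths:
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
    return h.hexdigest()

def verify(source, image):
    """Verification: source and copy are identical iff their hashes match.
    `image` is a single file or a list of segment files."""
    src = sha256_file(source)
    img = sha256_segments(image) if isinstance(image, list) else sha256_file(image)
    return {"source": src, "image": img, "identical": src == img}

# Constructed sample "files" recovered from an image (hypothetical content).
SAMPLE_FILES = {
    "report.docx": b"PK\x03\x04" + b"\x00" * 26 + b"word/document.xml",
    "photo.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20,  # JPEG under a .txt name
    "notes.txt": b"Meeting moved to Thursday.\n",
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,
}

# Leading bytes -> extensions that legitimately carry that signature.
MAGIC = [
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"MZ", {"exe", "dll", "sys"}),
]

def identify_header(data):
    """Return the extension set matching the file's leading bytes, or None."""
    for magic, exts in MAGIC:
        if data.startswith(magic):
            return exts
    return None

def header_mismatches(files):
    """Files whose content signature does not fit their extension: the usual sign of
    a renamed file, and a reason to look at them before anything else."""
    out = []
    for name, data in files.items():
        exts = identify_header(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if exts is not None and ext not in exts:
            out.append((name, sorted(exts)))
    return out

def hash_filter(files, known_good, known_bad):
    """Filtering: sort recovered files by hash into known-good (drop from review),
    known-bad (flag) and unknown (needs analysis). A known-bad hash wins if a hash
    is in both sets, because a flagged file must never be silently discarded."""
    buckets = {"known_good": [], "known_bad": [], "unknown": []}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in known_bad:
            buckets["known_bad"].append(name)
        elif digest in known_good:
            buckets["known_good"].append(name)
        else:
            buckets["unknown"].append(name)
    return buckets

def run_demo():
    """Verify a good copy, a copy with one flipped bit and a segmented copy."""
    work = tempfile.mkdtemp(prefix="verify-")
    data = bytes(range(256)) * 400                      # constructed 100 KiB "drive"
    paths = {n: os.path.join(work, n) for n in ("source.bin", "good.dd", "bad.dd")}
    for name, content in (("source.bin", data), ("good.dd", data),
                          ("bad.dd", data[:5000] + bytes([data[5000] ^ 0x01]) + data[5001:])):
        with open(paths[name], "wb") as f:
            f.write(content)
    segments = []
    for i, start in enumerate(range(0, len(data), 40000), 1):   # three segments
        segments.append(os.path.join(work, f"seg.dd.{i:03d}"))
        with open(segments[-1], "wb") as f:
            f.write(data[start:start + 40000])
    return {
        "good": verify(paths["source.bin"], paths["good.dd"])["identical"],
        "bit_flip": verify(paths["source.bin"], paths["bad.dd"])["identical"],
        "segmented": verify(paths["source.bin"], segments)["identical"],
        "mismatches": header_mismatches(SAMPLE_FILES),
        "buckets": hash_filter(SAMPLE_FILES,
                               {hashlib.sha256(SAMPLE_FILES["setup.exe"]).hexdigest()},
                               {hashlib.sha256(SAMPLE_FILES["photo.txt"]).hexdigest()}),
    }
```

A single flipped bit in the copy changes the whole digest, which is why a hash comparison is accepted as proof that two sets of data are identical; the segmented copy verifies only because the segments are hashed as one stream in order.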
Extraction - Answers✓✓Recovery task in a digital investigation
Most challenging of all tasks to master
Recovering data is the first step in analyzing an investigation's data
Subfunctions: keyword search, which speeds up analysis for investigators
From an investigation perspective, encrypted files and systems are a problem
Many password recovery tools have a feature for generating potential password lists (a password dictionary attack)
If a password dictionary attack fails, you can run a brute-force attack
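The extraction cards above (keyword search, generating a potential password list for a dictionary attack, and falling back to brute force when that fails) as one added worked example. It is not code from the page or from any password recovery product: the image fragment, the wordlist, the mangling rules and the plain SHA-256 target are constructed assumptions for this example. The keyword search looks for each term as ASCII and as UTF-16LE, since an ASCII-only search misses strings that Windows stores in the second form.

```python
import hashlib
import itertools
import re
import string

# Constructed raw image fragment (hypothetical): the same keyword stored once as
# ASCII and once as UTF-16LE, which is how Windows writes registry values and
# many document strings, so an ASCII-only search would miss the second copy.
SAMPLE_IMAGE = (
    b"\x00" * 40
    + b"Moved the funds. Transfer 4471 to the offshore account.\n"
    + b"\x00" * 24
    + "wire TRANSFER receipt".encode("utf-16-le")
    + b"\x00" * 40
)

def keyword_search(image, keywords, context=12):
    """Case-insensitive search for each keyword as ASCII and as UTF-16LE; returns
    the offset, encoding and decoded hit with a little surrounding text."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            width = 1 if enc == "ascii" else 2
            for m in pattern.finditer(image):
                start = max(0, m.start() - context * width)
                end = min(len(image), m.end() + context * width)
                snippet = image[start:end].decode(enc, "replace").replace("\x00", ".")
                hits.append({"keyword": kw, "encoding": enc, "offset": m.start(),
                             "match": m.group().decode(enc), "context": snippet})
    return hits

# Mangling rules turn a short wordlist into the "potential password list" a
# recovery tool generates; real tools ship hundreds of such rules.
MANGLE_RULES = (
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w + "1",
    lambda w: w + "123",
    lambda w: w.capitalize() + "2024",
    lambda w: w.capitalize() + "2024!",
)

def generate_dictionary(base_words):
    out, seen = [], set()
    for w in base_words:
        for rule in MANGLE_RULES:
            c = rule(w)
            if c not in seen:
                seen.add(c)
                out.append(c)
    return out

def hash_password(pw):
    """Constructed demo target: a bare SHA-256. Real containers and archives use
    slow KDFs (PBKDF2, scrypt, Argon2) so that every guess costs far more."""
    return hashlib.sha256(pw.encode()).hexdigest()

def dictionary_attack(target, candidates):
    for c in candidates:
        if hash_password(c) == target:
            return c
    return None

def brute_force(target, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Exhaustive search of every string up to max_len over the alphabet; the keyspace
    grows as len(alphabet)**n, which is why this is the fallback, not the first step."""
    tried = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            tried += 1
            candidate = "".join(combo)
            if hash_password(candidate) == target:
                return candidate, tried
    return None, tried

def recover_password(target, base_words, max_len=3):
    """Dictionary attack first; brute force only when it fails."""
    hit = dictionary_attack(target, generate_dictionary(base_words))
    if hit is not None:
        return {"method": "dictionary", "password": hit}
    pw, tried = brute_force(target, max_len=max_len)
    return {"method": "brute-force", "password": pw, "guesses": tried}
```

With `["winter", "summer"]` as the wordlist, `Summer2024!` falls to the dictionary after a handful of guesses, while `zq7` is found only by the brute-force fallback after tens of thousands; anything longer than `max_len` over that alphabet is reported as not recovered rather than searched forever.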
Reconstruction - Answers✓✓Re-create a suspect drive to show what happened during a crime or an incident
Re-create a victim drive to return property and minimize inconvenience or re-victimization (except illegal contraband)
Methods of reconstruction:
Disk-to-disk copy
Partition-to-partition copy
Image-to-disk copy
Image-to-partition copy
Rebuilding files from data runs and carving
To re-create an image of a suspect drive: - Answers✓✓Copy an image to another location, such as a partition, a physical disk, or a virtual machine
Simplest method is to use a tool that makes a direct disk-to-image copy
Examples of disk-to-image copy tools: - Answers✓✓EnCase