BFOR 201 Final Exam With Complete Solutions (A+)
Hardware forensic tools - ANSWER Range from single-purpose components to complete
computer systems and servers
Software forensic tools - ANSWER Types:
Command-line applications
GUI applications
Commonly used to copy data from a suspect's disk drive to an image file
Five major categories: - ANSWER Acquisition
Validation and verification
Extraction
Reconstruction
Reporting
Acquisition - ANSWER Making a copy of the original drive
Two types of data-copying methods are used in software acquisitions:
Physical copying of the entire drive
Logical copying of a disk partition
The formats for disk acquisitions vary
From raw data to vendor-specific proprietary
Creating smaller segmented files is a typical feature in vendor acquisition tools
Remote acquisition of files is common in larger organizations
You can view the contents of a raw image file with - ANSWER any hexadecimal editor
Validation & Verification - ANSWER Validation: A way to confirm that a tool is functioning
as intended
Verification: Proves that two sets of data are identical by calculating hash values or
using another similar method
(A related process is filtering, which involves sorting and searching through
investigation findings to separate good data and suspicious data)
Subfunctions:
Hashing
Filtering
Analyzing file headers
Extraction - ANSWER Recovery task in a digital investigation
Most challenging of all tasks to master
Recovering data is the first step in analyzing an investigation's data
Subfunctions: Keyword search speeds up analysis for investigators
From an investigation perspective, encrypted files and systems are a problem
Many password recovery tools have a feature for generating potential password lists (a
password dictionary attack)
If a password dictionary attack fails, you can run a brute-force attack
Reconstruction - ANSWER Re-create a suspect drive to show what happened during a
crime or an incident
Re-create a victim drive to return property and minimize inconvenience or
re-victimization (except illegal contraband)
Methods of reconstruction:
Disk-to-disk copy
Partition-to-partition copy
Image-to-disk copy
Image-to-partition copy
Rebuilding files from data runs and carving
To re-create an image of a suspect drive: - ANSWER Copy an image to another location,
such as a partition, a physical disk, or a virtual machine
Simplest method is to use a tool that makes a direct disk-to-image copy
Examples of disk-to-image copy tools: - ANSWER EnCase
FTK
ProDiscover
Linux DD
Reporting - ANSWER To perform a forensic disk analysis and examination, you need to
create a report
Subfunctions of reporting:
Bookmarking or tagging
Log reports