Chapter 5

Previous page
Table of content
Next page

  1. Why do you need to be careful about the utilities you choose to use for disk imaging?

    Answer: Courts often accept evidence collected by tools that have been used in past trials. You should be prepared to testify to the authenticity and reliability of the tools that you use, otherwise the evidence may not be admissible .

  2. What is an HPA?

    Answer: Hardware-protected area. An area created on a hard disk specifically to allow manufacturers to hide diagnostic and recovery tools. It is a hidden portion of the disk that can't be used by the operating system.

  3. How does a mirror image differ from a forensic duplicate?

    Answer: A forensic duplicate contains the data in a raw bit stream format, whereas a mirror image does a bit-for-bit copy from one drive to another.

  4. How can you verify that in imaging the source media, the original media is unchanged?

    Answer: This is done by both CRC and MD5 confirmation. These methods ensure that the copy procedure did not corrupt the data.

  5. Name a tool that can be used to image the data in the memory of a PDA.

    Answer: Palm dd ( pdd ) is used for a Palm PDA. SAVEFS is used for a RIM Blackberry wireless PDA.

  6. What does the Netstat utility do?

    Answer: Netstat displays the active computer connections. This information provides the investigator with a list of what protocols are running and what ports are open .

  7. When collecting evidence, which do you want to extract first: the information in memory or on the hard drive?

    Answer: You should collect evidence on a system beginning with the volatile and proceeding to the less volatile; therefore, memory data should be collected before hard drive data.

  8. Why can choosing the method used to shut down a suspect computer be a difficult decision to make?

    Answer: If you disconnect the power cord, you risk losing data, especially on Unix computers. If you shut down the computer through the normal shutdown method, you risk running destructive programs that will delete data upon shutdown.

  9. If you need to boot a suspect computer to make an image copy, how should you do it?

    Answer: You should boot from a controlled boot disk and then create a bit stream of the hard disk using a disk-imaging utility.

  10. Name three programs or utilities that can be used to collect forensic images.

    Answer: The dd utility, EnCase, SafeBack, Access Data's Forensic Toolkit (FTK), ByteBack, ILook Investigator, Maresware, SnapBack DatArest, WinHex, Grave-Robber, Incident Response Collection Report (IRCR), and Legal Imager and reaSsembly Application (LISA)



Previous page
Table of content
Next page
Computer Forensics JumpStart
Computer Forensics JumpStart
ISBN: 0470931663
EAN: 2147483647
Year: 2004
Pages: 153
Authors: Michael G. Solomon, K Rudolph, Ed Tittel, Neil Broom, Diane Barrett
BUY ON AMAZON
Qshell for iSeries
Visual C# 2005 How to Program (2nd Edition)
Professional Struts Applications: Building Web Sites with Struts ObjectRelational Bridge, Lucene, and Velocity (Experts Voice)
Java Concurrency in Practice
.NET-A Complete Development Cycle
Comparing, Designing, and Deploying VPNs
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy