Networking Chapter 3 Raw Format Sparse Acquisition Whole Disk Encryption

Authors: Amelia Phillips, Bill Nelson, Christopher Steuart

Name:
Class:
Date:
Indicate whether the statement is true or false.
1. Hardware and software errors or incompatibilities are a common problem when dealing with older hard drives.
a. True
b. False
2. The ImageUSB utility can be used to create a bootable flash drive.
a. True
b. False
3. A forensics investigator should verify that acquisition tools can copy data in the HPA of a disk drive.
a. True
b. False
4. FTK Imager software can acquire a drive's host protected area.
a. True
b. False
5. A RAID 3 array uses distributed data and distributed parity in a manner similar to a RAID 5 array.
a. True
b. False
Indicate the answer choice that best completes the statement or answers the question.
6. _______ is the utility used by the ProDiscover program for remote access.
a. SubSe7en
b. l0pht
c. PDServer
d. VNCServer
7. The _______ switch can be used with the split command to adjust the size of segmented volumes created by the dd command.
a. -p
b. -s
c. -b
d. -S
8. The _______ copies evidence of intrusions to an investigation workstation automatically for further analysis over the network.
a. intrusion detection system
b. active defense mechanism
c. total awareness system
d. intrusion monitoring system
9. _______ can be used with the dcfldd command to compare an image file to the original medium.
a. compare
b. cmp
c. vf
d. imgcheck
10. Which RAID type utilizes mirrored striping, providing fast access and redundancy?
a. RAID 1
b. RAID 3
c. RAID 5
d. RAID 10
11. _______ creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then be restored to the original RAID.
a. Runtime Software
b. RaidRestore
c. R-Tools R-Studio
d. FixitRaid
12. The Linux command _______ can be used to list the current disk devices connected to the computer.
a. ls -l
b. fdisk -l
c. show drives
d. geom
13. Which option below is not a hashing function used for validation checks?
a. RC4
b. MD5
c. SHA-1
d. CRC32
14. Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data?
a. RAID 1
b. RAID 2
c. RAID 3
d. RAID 5
15. What is the name of the Microsoft solution for whole disk encryption?
a. DriveCrypt
b. TrueCrypt
c. BitLocker
d. SecureDrive
16. The Linux command _____ can be used to write bit-stream data to files.
a. write
b. dd
c. cat
d. dump
17. An investigator wants to capture all data on a SATA drive connected to a Linux system. What should the investigator use for the "if=" portion of the dcfldd command?
a. /dev/hda
b. /dev/hda1
c. /dev/sda
d. /dev/sda1
18. When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files?
a. 512 MB
b. 2 GB
c. 1 TB
d. 1 PB
19. Which technology below is not a hot-swappable technology?
a. USB-3
b. FireWire 1394A
c. SATA
d. IDE
20. Which option below is not a Linux Live CD meant for use as a digital forensics tool?
a. Penguin Sleuth
b. Kali Linux
c. Ubuntu
d. CAINE
21. Which RAID type provides increased speed and data storage capability, but lacks redundancy?
a. RAID 0
b. RAID 1
c. RAID 0+1
d. RAID 5
22. Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the .afd extension for segmented image files?
a. Advanced Forensics Disk
b. Advanced Forensic Format
c. Advanced Capture Image
d. Advanced Open Capture
23. The _______ command was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory.
a. dd
b. split
c. dcfldd
d. echo
24. Within the fdisk interactive menu, what character should be entered to view existing partitions?
a. l
b. p
c. o
d. d
25. To create a new primary partition within the fdisk interactive utility, which letter should be typed?
a. c
b. p
c. l
d. n
Enter the appropriate word(s) to complete the statement.
26. The ___________ file type uses lossy compression to reduce file size and doesn't affect image quality when the file is restored and viewed.
27. _____________ software is used in a Linux environment to mount and write data only to NTFS partitions.
28. The ______________ imaging tool produces three proprietary formats: IDIF, IRBF, and IEIF.
29. When two files with different contents generate the same digital fingerprint using a hashing function, a(n) ____________ has occurred.
30. ________________ software can sometimes be used to decrypt a drive that is utilizing whole disk encryption.
a. Advanced Forensic Format (AFF)
b. Host protected area (HPA)
c. Live acquisitions
d. Logical acquisitions
e. Raw format
f. Redundant array of independent disks (RAID)
g. Sparse acquisition
h. Static acquisitions
i. Whole disk encryption
j. .pdg extension
31. A data acquisition method used when a suspect computer can't be shut down to perform a static acquisition
32. A data acquisition method that captures only specific files of interest to a case, but also collects fragments of unallocated (deleted) data
33. An encryption technique that performs a sector-by-sector encryption of an entire drive; each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method
34. A data acquisition method that captures only specific files of interest to the case or specific types of files, such as Outlook .pst files
35. Two or more disks combined into one large drive in several configurations for special needs
36. A data acquisition method used when a suspect drive is write-protected and can't be altered
37. A data acquisition format that creates simple sequential flat files of a suspect drive or data set
38. A ProDiscover Group file, which includes instructions for how ProDiscover should load each physical disk's image data
39. An open-source data acquisition format that stores image data and metadata
40. An area of a disk drive reserved for booting utilities and diagnostic programs; it is not visible to the computer's OS
41. In Linux, how is a specific partition acquired, as opposed to an entire drive?
42. How can lossless compression be tested?
43. What is lossless compression?
44. What is a hashing collision?
45. Describe a RAID 6 configuration.
46. How does remote access work in EnCase Enterprise software?
47. What is the dd command?
48. How can data acquisition be performed on an encrypted drive?
49. Describe RAID 3.
50. What two command line utilities are available on Linux for validating files?


Copyright ©2022 All rights reserved. | CoursePaper is not sponsored or endorsed by any college or university.