Networking Chapter 3 Raw Format Sparse Acquisition Whole Disk Encryption

Name:

Class:

Date:

chapter 3

Indicate whether the statement is true or false.

1. Hardware and software errors or incompatibilities are a common problem when dealing with older hard drives.

a.

True

b.

False

2. The ImageUSB utility can be used to create a bootable flash drive.

a.

True

b.

False

3. A forensics investigator should verify that acquisition tools can copy data in the HPA of a disk drive.

a.

True

b.

False

4. FTK Imager software can acquire a drive’s host protected area.

a.

True

b.

False

5. A RAID 3 array uses distributed data and distributed parity in a manner similar to a RAID 5 array.

a.

True

b.

False

Indicate the answer choice that best completes the statement or answers the question.

6. _______ is the utility used by the ProDiscover program for remote access.

a.

SubSe7en

b.

l0pht

c.

PDServer

d.

VNCServer

7. The _______ switch can be used with the split command to adjust the size of segmented volumes created by the dd

command.

a.

-p

b.

-s

c.

-b

d.

-S

8. The _______ copies evidence of intrusions to an investigation workstation automatically for further analysis over the

network.

a.

intrusion detection system

b.

active defense mechanism

c.

total awareness system

d.

intrusion monitoring system

9. _______ can be used with the dcfldd command to compare an image file to the original medium.

Name:

Class:

Date:

chapter 3

a.

compare

b.

cmp

c.

vf

d.

imgcheck

10. Which RAID type utilizes mirrored striping, providing fast access and redundancy?

a.

RAID 1

b.

RAID 3

c.

RAID 5

d.

RAID 10

11. _______ creates a virtual volume of a RAID image file, and then makes repairs on the virtual volume, which can then

be restored to the original RAID.

a.

Runtime Software

b.

RaidRestore

c.

R-Tools R-Studio

d.

FixitRaid

12. The Linux command _______ can be used to list the current disk devices connected to the computer.

a.

ls -l

b.

fdisk -l

c.

show drives

d.

geom

13. Which option below is not a hashing function used for validation checks?

a.

RC4

b.

MD5

c.

SHA-1

d.

CRC32

14. Which RAID type utilizes a parity bit and allows for the failure of one drive without losing data?

a.

RAID 1

b.

RAID 2

c.

RAID 3

d.

RAID 5

15. What is the name of the Microsoft solution for whole disk encryption?

a.

DriveCrypt

b.

TrueCrypt

c.

BitLocker

d.

SecureDrive

16. The Linux command _____ can be used to write bit-stream data to files.

a.

write

Name:

Class:

Date:

chapter 3

b.

dd

c.

cat

d.

dump

17. An investigator wants to capture all data on a SATA drive connected to a Linux system. What should the investigator

use for the “if=” portion of the dcfldd command?

a.

/dev/hda

b.

/dev/hda1

c.

/dev/sda

d.

/dev/sda1

18. When using a target drive that is FAT32 formatted, what is the maximum size limitation for split files?

a.

512 MB

b.

2 GB

c.

1 TB

d.

1 PB

19. Which technology below is not a hot-swappable technology?

a.

USB-3

b.

FireWire 1394A

c.

SATA

d.

IDE

20. Which option below is not a Linux Live CD meant for use as a digital forensics tool?

a.

Penguin Sleuth

b.

Kali Linux

c.

Ubuntu

d.

CAINE

21. Which RAID type provides increased speed and data storage capability, but lacks redundancy?

a.

RAID 0

b.

RAID 1

c.

RAID 0+1

d.

RAID 5

22. Which open-source acquisition format is capable of producing compressed or uncompressed image files, and uses the

.afd extension for segmented image files?

a.

Advanced Forensics Disk

b.

Advanced Forensic Format

c.

Advanced Capture Image

d.

Advanced Open Capture

23. The _______ command was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory.

a.

dd

Name:

Class:

Date:

chapter 3

b.

split

c.

dcfldd

d.

echo

24. Within the fdisk interactive menu, what character should be entered to view existing partitions?

a.

l

b.

p

c.

o

d.

d

25. To create a new primary partition within the fdisk interactive utility, which letter should be typed?

a.

c

b.

p

c.

l

d.

n

Enter the appropriate word(s) to complete the statement.

26. The ___________ file type uses lossy compression to reduce file size and doesn’t affect image quality when the file is

restored and viewed.

27. _____________ software is used in a Linux environment to mount and write data only to NTFS partitions.

28. The ______________ imaging tool produces three proprietary formats: IDIF, IRBF, and IEIF.

29. When two files with different contents generate the same digital fingerprint using a hashing function, a(n)

____________ has occurred.

30. ________________ software can sometimes be used to decrypt a drive that is utilizing whole disk encryption.

a.

Advanced Forensic Format (AFF)

b.

Host protected area (HPA)

c.

Live acquisitions

d.

Logical acquisitions

e.

Raw format

f.

Redundant array of independent disks (RAID)

g.

Sparse acquisition

h.

Static acquisitions

i.

Whole disk encryption

j.

.pdg extension

31. A data acquisition method used when a suspect computer can’t be shut down to perform a static acquisition

32. A data acquisition method that captures only specific files of interest to a case, but also collects fragments of

unallocated (deleted) data

33. An encryption technique that performs a sector-by-sector encryption of an entire drive; each sector is encrypted in its

entirety, making it unreadable when copied with a static acquisition method

34. A data acquisition method that captures only specific files of interest to the case or specific types of files, such as

Name:

Class:

Date:

chapter 3

Outlook .pst files

35. Two or more disks combined into one large drive in several configurations for special needs

36. A data acquisition method used when a suspect drive is write-protected and can’t be altered

37. A data acquisition format that creates simple sequential flat files of a suspect drive or data set

38. A ProDiscover Group file, which includes instructions for how ProDiscover should load each physical disk’s image

data

39. An open-source data acquisition format that stores image data and metadata

40. An area of a disk drive reserved for booting utilities and diagnostic programs; it is not visible to the computer’s OS

41. In Linux, how is a specific partition acquired, as opposed to an entire drive?

42. How can lossless compression be tested?

43. What is lossless compression?

44. What is a hashing collision?

45. Describe a RAID 6 configuration.

46. How does remote access work in EnCase Enterprise software?

47. What is the dd command?

48. How can data acquisition be performed on an encrypted drive?

49. Describe RAID 3.

50. What two command line utilities are available on Linux for validating files?

Name:

Class:

Date:

chapter 3

Answer Key

Name:

Class:

Date:

chapter 3

Name:

Class:

Date:

chapter 3