Guide to Computer Forensics and Investigations, 5th Edition, xxxxxxx
Ch. 3 Solutions-1
1
Chapter 3 Solutions
Review Questions
1. What’s the main goal of a static acquisition?
2. Name the three formats for digital forensics data acquisitions.
3. What are two advantages and disadvantages of the raw format?
Advantages: faster data transfer speeds, ignores minor data errors, and most forensics analysis
4. List two features common with proprietary format acquisition files.
Can compress or not compress the acquisition data; can segment acquisition output files into
5. Of all the proprietary formats, which one is the unofficial standard?
6. Name two commercial tools that can make a forensic sector-by-sector duplicate of a
drive to a larger drive.
7. What does a logical acquisition collect for an investigation?
8. What does a sparse acquisition collect for an investigation?
9. What should you consider when determining which data acquisition method to use?
10. Why is it a good practice to make two images of a suspect drive in a critical
investigation?
11. When you perform an acquisition at a remote location, what should you consider to
prepare for this task?
12. With newer Linux kernel distributions, what happens if you connect a hot-swappable
device, such a USB thumb drive, containing evidence?
Guide to Computer Forensics and Investigations, 5th Edition, xxxxxxx
Ch. 3 Solutions-2
2
13. In a Linux shell, the fdisk -l command lists the suspect drive as /dev/hda1. Is
the following dcfldd command correct?
14. What’s the most critical aspect of digital evidence?
15. What is a hashing algorithm?
16. In the Linux dcfldd command, which three options are used for validating data?
17. What’s the maximum file size when writing data to a FAT32 drive?
18. What are two concerns when acquiring data from a RAID server?
19. With remote acquisitions, what problems should you be aware of? (Choose all that
apply.)
20. How does ProDiscover Incident Response encrypt the connection between the
examiner’s and suspect’s computers?
21. What’s the ProDiscover remote access utility?
22. Which forensics tools can connect to a suspect’s remote computer and run
surreptitiously?
23. EnCase, FTK, SMART, and iLookIX treat the image file as though it were the
original disk. True or False?
24. FTK Imager can acquire data in a drive’s host protected area. True or False?
Hands-On Projects
Guide to Computer Forensics and Investigations, 5th Edition, xxxxxxx
Ch. 3 Solutions-3
3
Hands-On Project 3-1
Students learn how to use ProDiscover Basic to write previously saved data in a ProDiscover
Hands-On Project 3-2
Hands-On Project 3-3
Hands-On Project 3-4
Students use the dd command to make a bit-stream disk–to-image copy of the thumb drive or
Case Projects
Case Project 3-1
Students’ papers should list features of a variety of acquisition tools and include the information
specified in the project description.
Case Project 3-2
Students’ reactions to a crisis will vary, but they should list personal safety and then preservation
of evidence as top priorities. Personal safety is the top concern in any life-threatening situation.
Case Project 3-3
For an acquisition at a remote location, students’ answers should at least include hardware and
Case Project 3-4
Students’ answers may vary, but their acquisition plans should include the following elements:
• What tools listed in the chapter are available?
Guide to Computer Forensics and Investigations, 5th Edition, xxxxxxx
Ch. 3 Solutions-4
4
• How do they plan to acquire the data? Why did they choose a certain acquisition method?
Case Project 3-5
Students’ answers may vary, but their investigation plans should include resources and methods of