4_5_2 Section 5 – Operations and Incident Response - 4.5 – Digital Forensics- Forensics Data Acquisition

Questions and Answers

Why is it important to prioritize collecting data from a system based on its volatility?

Because more volatile data may only be available for a short time (correct)

Because it's easier to collect data from the CPU

Because all data is equally important

Because less volatile data is more important

What type of data is considered the most volatile and should be collected first?

Information in your backups and archival media

Data in temporary file systems

Process tables and memory information

Data in your CPU registers or CPU cache (correct)

What type of data is likely to be stored on a system for an extended period of time?

Data in your CPU registers or CPU cache

Temporary file systems

Information in your backups and archival media (correct)

Router tables and ARP cache

What is the next step in collecting data after gathering CPU information?

Collecting information from router tables, ARP cache, process tables, and memory

Why is it important to collect data from remote logging facilities?

Because it may be stored for an extended period of time

What type of data rarely changes on a system?

The physical configuration of the device or the typology of the network

What type of data might be captured over the network?

Raw data that was sent over the network

What can be done with extensive packet captures in larger environments?

Rewind back in time and see the raw data that was transferred

Where can smaller packet captures be found?

On security devices such as firewalls and intrusion prevention systems

What are the bits of data stored in different places in memory or on the storage drive referred to as?

Artifacts

What type of information might be stored in an artifact?

Information from various sources such as logs, cache files, and browser bookmarks

Why are artifacts useful in analyzing network activity?

Because they can help fill gaps in network activity analysis

What can be used to gather information from a mobile device?

Either a previously made backup file or a direct connection to the device over USB

What type of information can be found on a mobile device?

Phone calls, contact information, text messages, email data, images, and more

Why might an attacker modify the firmware of a device?

To gain access to the device and install malware

What is a snapshot of a virtual machine?

A way to image a virtual machine

What is the purpose of a cache?

To temporarily store data for faster access

What type of data is typically stored in a CPU cache?

Data specific to the operation of a single CPU

What happens to the data in a cache over time?

The data times out or is erased when the cache is full

What can be found in a browser cache?

URLs, text, and images from visited pages

Why is a cache used in a system?

To speed up the process of querying data

What can be done with a snapshot of a virtual machine?

It can be used to recreate the virtual machine

What is the primary reason for removing the storage drive from the system during forensic analysis?

To ensure nothing is written to the drive during analysis

What type of data is preserved during a bit-for-bit copy of a storage drive?

All data, including deleted files and marked for deletion

What is the purpose of a swap or pagefile in modern operating systems?

To free up memory for other applications

What is the benefit of capturing information from memory during forensic analysis?

To gather information that may not be written to the storage drive

Why is it important to gather information from the swap or pagefile during forensic analysis?

To gather information that may not be in active memory

What is the purpose of comparing operating system files and libraries to a known-good version during forensic analysis?

To understand the security event being investigated

What type of information can be gathered from the operating system itself during forensic analysis?

Information about logged-in users, open ports, running processes, and attached devices

What is the benefit of using a handheld imaging device during forensic analysis?

To ensure nothing is written to the drive during analysis

What is the purpose of a memory dump in forensic analysis?

To capture the entire contents of active memory

Why is it important to analyze data from multiple sources during forensic analysis?

To gather a complete and accurate picture of the security event