4_5_2 Section 5 – Operations and Incident Response - 4.5 – Digital Forensics- Forensics Data Acquisition

Questions and Answers

Why is it important to prioritize collecting data from a system based on its volatility?

• Because more volatile data may only be available for a short time (correct)
• Because it's easier to collect data from the CPU
• Because all data is equally important
• Because less volatile data is more important

What type of data is considered the most volatile and should be collected first?

• Information in your backups and archival media
• Data in temporary file systems
• Process tables and memory information
• Data in your CPU registers or CPU cache (correct)

What type of data is likely to be stored on a system for an extended period of time?

• Data in your CPU registers or CPU cache
• Temporary file systems
• Information in your backups and archival media (correct)
• Router tables and ARP cache

What is the next step in collecting data after gathering CPU information?

Collecting information from router tables, ARP cache, process tables, and memory (B)

Why is it important to collect data from remote logging facilities?

Because it may be stored for an extended period of time (D)

What type of data rarely changes on a system?

The physical configuration of the device or the typology of the network (B)

What type of data might be captured over the network?

Raw data that was sent over the network (C)

What can be done with extensive packet captures in larger environments?

Rewind back in time and see the raw data that was transferred (C)

Where can smaller packet captures be found?

On security devices such as firewalls and intrusion prevention systems (C)

What are the bits of data stored in different places in memory or on the storage drive referred to as?

Artifacts (D)

What type of information might be stored in an artifact?

Information from various sources such as logs, cache files, and browser bookmarks (A)

Why are artifacts useful in analyzing network activity?

Because they can help fill gaps in network activity analysis (C)

What can be used to gather information from a mobile device?

Either a previously made backup file or a direct connection to the device over USB (A)

What type of information can be found on a mobile device?

Phone calls, contact information, text messages, email data, images, and more (B)

Why might an attacker modify the firmware of a device?

To gain access to the device and install malware (D)

What is a snapshot of a virtual machine?

A way to image a virtual machine (B)

What is the purpose of a cache?

To temporarily store data for faster access (B)

What type of data is typically stored in a CPU cache?

Data specific to the operation of a single CPU (C)

What happens to the data in a cache over time?

The data times out or is erased when the cache is full (C)

What can be found in a browser cache?

URLs, text, and images from visited pages (B)

Why is a cache used in a system?

To speed up the process of querying data (A)

What can be done with a snapshot of a virtual machine?

It can be used to recreate the virtual machine (D)

What is the primary reason for removing the storage drive from the system during forensic analysis?

To ensure nothing is written to the drive during analysis (D)

What type of data is preserved during a bit-for-bit copy of a storage drive?

All data, including deleted files and marked for deletion (D)

What is the purpose of a swap or pagefile in modern operating systems?

To free up memory for other applications (B)

What is the benefit of capturing information from memory during forensic analysis?

To gather information that may not be written to the storage drive (A)

Why is it important to gather information from the swap or pagefile during forensic analysis?

To gather information that may not be in active memory (C)

What is the purpose of comparing operating system files and libraries to a known-good version during forensic analysis?

To understand the security event being investigated (A)

What type of information can be gathered from the operating system itself during forensic analysis?

Information about logged-in users, open ports, running processes, and attached devices (C)

What is the benefit of using a handheld imaging device during forensic analysis?

To ensure nothing is written to the drive during analysis (D)

What is the purpose of a memory dump in forensic analysis?

To capture the entire contents of active memory (C)

Why is it important to analyze data from multiple sources during forensic analysis?

To gather a complete and accurate picture of the security event (D)