Digital Forensics Acquisition

Questions and Answers

Which forensic acquisition method is limited in capturing deleted files?

  • Cloud Acquisition
  • Logical Acquisition (correct)
  • Physical Acquisition
  • Network Acquisition

Which of the following describes a key challenge specific to cloud forensic acquisitions compared to traditional digital forensics?

  • The requirement for physical access to the cloud servers.
  • The high cost of specialized forensic software.
  • The need to develop new hashing algorithms.
  • The limited access due to security restrictions imposed by the cloud provider. (correct)

In NTFS, what is the role of the $LogFile?

  • Storing a backup of the MFT.
  • Keeping track of drive usage statistics.
  • Providing journaling for crash recovery. (correct)
  • Storing user permission settings.

Why is end-to-end encryption considered controversial in the context of law enforcement?

  • It makes it impossible for law enforcement to access user messages without consent. (D, correct)

Which statement accurately describes how .java files are processed in an Android application?

  • The .java files are compiled into .dex files for execution in the Java runtime environment. (D, correct)

In NTFS, how can small files be stored directly within the Master File Table (MFT)?

  • Resident Storage (B, correct)

Consider an Android app developer who wants their app to be able to make phone calls. Which permission must they request in the AndroidManifest.xml file?

  • android.permission.CALL_PHONE (D, correct)

You are examining an Android application package (APK) file. Which of the following would you expect to find within the META-INF directory?

  • Signature and cryptographic information (C, correct)

In the context of NTFS, what information is tracked by the $Bitmap file?

  • Free and allocated clusters. (C, correct)

What is the function of the Android Debug Bridge (ADB) in reverse engineering mobile applications?

  • It allows interaction with an Android device via command line. (D, correct)

Flashcards

Logical Acquisition

Captures only files and metadata from a file system.

FTK Imager

A tool commonly used for logical acquisition.

Deleted files

Logical acquisition doesn't capture these.

Physical Acquisition

Creates a bit-by-bit exact copy of a storage device.

Challenge in cloud forensics

Limited access due to security restrictions.

Fourth Amendment (US)

Requires law enforcement to obtain a warrant before searching a suspect's mobile phone.

Security risks for all users

Apple argued breaking encryption would create these.

Long-term tracking of mobile phone location data

A warrant is required for this.

Ethical Issue

Extracting too much personal data without proper authorization

End-to-end encryption

It makes it impossible for law enforcement to access user messages without consent.

Study Notes

  • Logical acquisition captures only files and metadata from a file system.
  • FTK Imager is commonly used for logical acquisition.
  • A main disadvantage of logical acquisition is that it does not capture deleted files.
  • Physical acquisition creates a bit-by-bit copy of the storage device.
  • The primary challenge in cloud forensic acquisition is limited access due to security restrictions.
  • Physical acquisition allows forensic investigators to recover deleted files.
  • Cloud forensic acquisition does not require legal authorization.
  • Logical acquisition is faster than physical acquisition.
  • Hashing (e.g., MD5, SHA-256) is used to verify the integrity of forensic images.
  • Forensic acquisition techniques should be documented to prevent tampering.
  • The Fourth Amendment (US) requires law enforcement to obtain a warrant before searching a suspect's mobile phone.
  • Apple argued that breaking encryption would create security risks for all users in the Apple vs. FBI case.
  • In Carpenter v. United States, the Supreme Court ruled that a warrant is required for long-term tracking of mobile phone location data.
  • Extracting too much personal data without proper authorization is an ethical concern in mobile forensics investigations.
  • End-to-end encryption is controversial because it makes it impossible for law enforcement to access user messages without consent.
  • Managing network bandwidth is NOT a primary function of a file system.
  • In NTFS, the Master File Table (MFT) is responsible for storing file metadata and attributes.
  • An advantage of NTFS over FAT32 is that NTFS supports journaling for reliability.
  • The $LogFile in NTFS provides journaling for crash recovery.
  • A primary reason for using journaling in file systems is that it helps prevent file system corruption.
  • A B+ tree file system structure is commonly used for large directories in NTFS.
  • In NTFS, small files can be stored directly in the MFT entry, which is called resident storage.
  • The $Bitmap file in NTFS tracks free and allocated clusters.
  • The NTFS Boot Sector contains the boot code and file system structure information.
  • The typical size of an MFT entry in NTFS is 1,024 bytes.
  • The main purpose of reverse engineering in the context of mobile applications is to analyze and understand an application's behavior.
  • ApkTool is primarily used to decompile an APK file.
  • The AndroidManifest.xml file contains app version information and permissions.
  • Dalvik bytecode is stored inside the classes.dex file in an APK.
  • dex2jar is used to convert DEX files into Java source code.
  • R.java in an Android application holds resource identifiers such as strings, layouts, and images.
  • The android.permission.CALL_PHONE Android permission would be required for an app that needs to make phone calls.
  • Modifying if-eqz to if-nez in a smali file reverses a logical condition.
  • The META-INF folder inside an APK contains signature and cryptographic information.
  • The Android Debug Bridge (ADB) is used in reverse engineering because it allows interaction with an Android device via command line.
  • MANIFEST.MF, CERT.SF and CERT.RSA are the files that belong to META-INF.
  • The .java files are compiled into .dex files so they can be executed by the Java runtime environment.
