Windows Forensics Analysis: Acquisition and Memory Acquisition

Questions and Answers

What is the purpose of creating a custom content image in FTK Imager?

To extract registry hives and backup registry hives

To create a disk-to-image copy of the entire hard drive

To analyze the RECENT folder and subfolders

To image a live system, a dead system, or an image file (correct)

What type of files can be found in the User's Home folder of 'APPDATA'?

Registry hives and backup registry hives

Cache, history, cookies files, and more (correct)

Event Log files

Prefetch files

What is the purpose of using a hardware write-blocker in the imaging process?

To connect the evidence disk to the forensic workstation

To create a quick triage image

To boot to Windows

To prevent changes to the original evidence drive (correct)

What is the term for creating a copy of the entire hard drive at the logical partition and physical drive level?

Disk-to-image copy

What is the purpose of the RECENT folder and subfolders?

Not mentioned in the text

What is the tool used to create a disk image in the imaging process?

FTK Imager Lite

What is the purpose of the 'APPDATA' folder?

To store cache, history, cookies files, and more

What is the term for the process of creating a copy of the RAM?

Image Ram

What is the purpose of creating a triage image?

To perform a quick analysis of the evidence

What is RAID?

Not specified in the text