Windows Forensics Analysis: Acquisition and Memory Acquisition

Questions and Answers

What is the purpose of creating a custom content image in FTK Imager?

• To extract registry hives and backup registry hives
• To create a disk-to-image copy of the entire hard drive
• To analyze the RECENT folder and subfolders
• To image a live system, a dead system, or an image file (correct)

What type of files can be found in the User's Home folder of 'APPDATA'?

• Registry hives and backup registry hives
• Cache, history, cookies files, and more (correct)
• Event Log files
• Prefetch files

What is the purpose of using a hardware write-blocker in the imaging process?

• To connect the evidence disk to the forensic workstation
• To create a quick triage image
• To boot to Windows
• To prevent changes to the original evidence drive (correct)

What is the term for creating a copy of the entire hard drive at the logical partition and physical drive level?

Disk-to-image copy (D)

What is the purpose of the RECENT folder and subfolders?

Not mentioned in the text (A)

What is the tool used to create a disk image in the imaging process?

FTK Imager Lite (B)

What is the purpose of the 'APPDATA' folder?

To store cache, history, cookies files, and more (A)

What is the term for the process of creating a copy of the RAM?

Image Ram (D)

What is the purpose of creating a triage image?

To perform a quick analysis of the evidence (B)

What is RAID?

Not specified in the text (A)