Review Questions - SYS701 - 15 - Digital Forensics

Questions and Answers

Felix wants to make an exact copy of a drive using a Linux command-line tool as part of a forensic acquisition process. What command should he use?

  • df
  • cp
  • dd (correct)
  • ln

Greg is preparing a forensic report and needs to describe the tools that were used. What should he report about the tools in addition to their names?

  • The type of system the tools were installed or run on
  • The training level or certifications of the team that uses the tools
  • Any known limitations or issues with the tools (correct)
  • The patch level or installed version of the tools

Gabby is preparing chain-of-custody documentation and identifies a gap in hand-off documentation for an original source forensic drive. What issue should she expect to encounter due to this gap?

  • The evidence may not be admissible in court. (correct)
  • The forensic activities may need to be repeated.
  • The staff involved may have to re-create the missed log.
  • The chain of custody may need to be edited to note the problem.

Mike's organization has recently moved to a SaaS cloud service and needs to collect forensic data from the cloud service. What process can Mike use to gather the information he needs?

  • Identify the log information available and request any other desired information from the cloud service provider. (correct)

Charles wants to obtain a forensic copy of a running virtual machine. What technique should he use to capture the image?

  • Use the VM host to create a snapshot. (correct)

Melissa wants to capture network traffic for forensic purposes. What tool should she use to capture it?

  • Wireshark (correct)

Frank is concerned about the admissibility of his forensic data. Which of the following is not an element he should be concerned about?

  • Whether the forensic information includes a time stamp (correct)

What is the document that tracks the custody or control of a piece of evidence called?

  • Chain of custody (correct)

Isaac is performing a forensic analysis on two systems that were compromised in the same event in the same facility. As he performs his analysis, he notices that the event appears to have happened almost exactly one hour earlier on one system than the other. What is the most likely issue he has encountered?

  • One system is set to an incorrect time zone. (correct)
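Worked example for Isaac's question: two constructed log lines for the same logon, one from a host configured for UTC+01:00 and one from a host configured for UTC+00:00, neither carrying its zone in the line. This is an added illustration, not course material; the hostnames, timestamps and offsets are made up. The offsets are taken from each host's own configuration (for example timedatectl on Linux) and recorded in the acquisition notes, then both timestamps are normalised to UTC before the events are compared.

```shell
#!/bin/sh
# Added example (not from the course material): reproduce the apparent one-hour
# gap between two hosts and remove it by normalising both timestamps to UTC.
set -eu

# Constructed records (local wall-clock time, no zone in the line).
LINE_A='2024-03-10 14:05:32 host=fileserver01 event=4624 user=svc_backup'
LINE_B='2024-03-10 13:05:33 host=workstation07 event=4624 user=svc_backup'
# Zone each host is configured for, read from the host itself and written into
# the acquisition notes; host B is the one set to the wrong zone.
OFFSET_A='+01:00'
OFFSET_B='+00:00'

# to_utc_seconds LINE OFFSET: seconds since midnight UTC of that calendar day.
# Pure awk arithmetic, so it works without GNU "date -d". Assumes both records
# fall on the same UTC day, which holds for this data.
to_utc_seconds() {
    printf '%s\n' "$1" | awk -v off="$2" '{
        split($2, t, ":")
        sign = (substr(off, 1, 1) == "-") ? -1 : 1
        split(substr(off, 2), o, ":")
        local = t[1] * 3600 + t[2] * 60 + t[3]
        print local - sign * (o[1] * 3600 + o[2] * 60)
    }'
}

# raw_seconds LINE: wall-clock seconds exactly as logged, no zone applied.
raw_seconds() { to_utc_seconds "$1" "+00:00"; }

abs_diff() { if [ "$1" -ge "$2" ]; then echo $(($1 - $2)); else echo $(($2 - $1)); fi; }

# Seconds between the two events before and after applying each host's offset.
skew_raw()        { abs_diff "$(raw_seconds "$LINE_A")" "$(raw_seconds "$LINE_B")"; }
skew_normalised() { abs_diff "$(to_utc_seconds "$LINE_A" "$OFFSET_A")" \
                             "$(to_utc_seconds "$LINE_B" "$OFFSET_B")"; }

echo "raw skew:        $(skew_raw) s  (looks like an hour apart)"
echo "normalised skew: $(skew_normalised) s  (same event, one second apart)"
```

The check to carry away: record each system's configured time zone and clock offset at acquisition time, and convert every timestamp to UTC before building a timeline, rather than trusting that two hosts in the same room share a clock setting.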

What legal concept determines the law enforcement agency or agencies that will be involved in a case based on location?

  • Jurisdiction (correct)

Michael wants to acquire the firmware from a running device for analysis. What method is most likely to succeed?

  • Use forensic memory acquisition techniques. (correct)

Charles needs to know about actions an individual performed on a PC. What is the best starting point to help him identify those actions?

  • Interview the individual. (correct)

Maria has acquired a disk image from a hard drive using dd, and she wants to ensure that her process is forensically sound. What should her next step be after completing the copy?

  • Compare the hashes of the source and target drive. (correct)
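Worked example for the two acquisition questions above (Felix's dd copy and Maria's hash comparison). This is an added illustration, not part of the course material: the verifier has no spare block device, so the "source drive" is a constructed 1 MiB file standing in for a real device such as /dev/sdb, and the image, hash-file and log paths are made up. The dd flags and the verification step are the ones you would use on the real device.

```shell
#!/bin/sh
# Added example (not from the course material): image a drive with dd, then
# prove the copy is bit-for-bit identical by hashing source and image.
set -eu

WORK="$(mktemp -d)"
SOURCE="$WORK/evidence_drive.raw"   # stand-in for /dev/sdX (constructed)
IMAGE="$WORK/evidence.dd"

# Construct the stand-in drive: sector 0 zeroed (as an unused boot sector often
# is), then 2047 random sectors, for exactly 2048 x 512 = 1 MiB. A real disk is
# always a whole number of sectors, which matters for conv=sync below.
{ head -c 512 /dev/zero; head -c 1048064 /dev/urandom; } > "$SOURCE"

# Print the SHA-256 of a file (GNU coreutils, or the BSD/macOS fallback).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image SRC IMG: return 0 only if source and image hash identically, and
# write both hashes beside the image for the acquisition / chain-of-custody notes.
verify_image() {
    src_hash="$(hash_of "$1")"
    img_hash="$(hash_of "$2")"
    printf '%s  source\n%s  image\n' "$src_hash" "$img_hash" > "$2.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# acquire_image SRC IMG: bit-for-bit copy, then verify.
#   bs=512             one sector per block, matching the device's sector size
#   conv=noerror,sync  keep reading past unreadable sectors and zero-pad them, so
#                      every later offset in the image still lines up with the disk
# dd's own stderr (block counts, any read errors) is kept as the acquisition log.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>"$2.log"
    verify_image "$1" "$2"
}

if acquire_image "$SOURCE" "$IMAGE"; then
    echo "image verified:"; cat "$IMAGE.sha256"
else
    echo "HASH MISMATCH: do not rely on $IMAGE" >&2
fi

# Two ways the check fails, so the reader can tell them apart:

# 1. The image is altered after acquisition (one byte written at offset 100).
#    The stored hashes prove the copy was sound; re-verifying shows it no longer is.
tampered_is_detected() {
    cp "$IMAGE" "$WORK/tampered.dd"
    printf 'X' | dd of="$WORK/tampered.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    ! verify_image "$SOURCE" "$WORK/tampered.dd"
}

# 2. conv=sync on a source whose size is not a multiple of bs: dd zero-pads the
#    last block, the image comes out larger than the source, and the hashes differ
#    although nothing went wrong. Use a bs that divides the device size (512 or
#    4096 for disks), or hash only the first N bytes of the image.
padding_causes_mismatch() {
    odd="$WORK/odd_source.raw"
    head -c 1000 /dev/urandom > "$odd"      # 1000 bytes: not a whole sector
    ! acquire_image "$odd" "$WORK/odd.dd"
}
```

Note that verifying by re-reading the source means touching the original a second time; on a real case that read goes through a hardware write blocker, and the two hashes, the dd log and the time of acquisition all go into the chain-of-custody record.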

Alex has been handed a flash media device that was quick-formatted and has been asked to recover the data. What data will remain on the drive?

  • Files will remain but file indexes will not. (correct)

Naomi is preparing to migrate her organization to a cloud service and wants to ensure that she has the appropriate contractual language in place. Which of the following is not a common item she should include?

  • Right to forensic examination (correct)

Alaina wants to maintain chain-of-custody documentation and has created a form. Which of the following is not a common element on a chain-of-custody form?

  • Method of transport (correct)

Henry is following the EDRM model and is preparing to review data. What two key tasks occur during this stage?

  • Validating that the desired data is included and that information that should not be shared is not included (correct)

Theresa's organization has received a legal hold notice for their files and documents. Which of the following is not an action she needs to take?

  • Delete all sensitive documents related to the case. (correct)

Gurvinder wants to follow the order of volatility to guide his forensic data acquisition. Which of the following is the least volatile?

  • Backups (correct)

What is the key difference between hashing and checksums?

  • Both can validate integrity, but a hash also provides a unique digital fingerprint. (correct)
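Worked example for the hashing-versus-checksum question. This is an added illustration, not course material: two constructed log records that differ only by a transposed pair of digits in the source address are compared under a toy additive checksum, under CRC-32 (the POSIX cksum utility) and under SHA-256. The additive checksum cannot tell the files apart at all; CRC-32 catches this particular change but is linear and cheap to collide on purpose; only the cryptographic hash serves as a fingerprint you can put in an evidence record.

```shell
#!/bin/sh
# Added example (not from the course material): checksums detect accidental
# damage, a cryptographic hash also uniquely identifies the content.
set -eu

WORK="$(mktemp -d)"
ORIGINAL="$WORK/auth.log"
TAMPERED="$WORK/auth.log.tampered"

# Constructed records; the second changes src=10.0.0.25 to src=10.0.0.52.
printf '2024-05-01T14:02:11Z user=alice action=login src=10.0.0.25\n' > "$ORIGINAL"
printf '2024-05-01T14:02:11Z user=alice action=login src=10.0.0.52\n' > "$TAMPERED"

# additive_checksum FILE: sum of all bytes mod 2^16. A toy, but it behaves like
# any checksum that merely adds up its input: reordering bytes never changes it.
additive_checksum() {
    od -A n -v -t u1 "$1" | awk '{ for (i = 1; i <= NF; i++) s += $i } END { print s % 65536 }'
}

# crc32_of FILE: CRC-32 via POSIX cksum (first output field). Position-sensitive,
# so a swap is detected, but an attacker can fix up any file to a chosen CRC.
crc32_of() { cksum "$1" | cut -d' ' -f1; }

# sha256_of FILE: GNU coreutils, or the BSD/macOS fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# same_* A B: exit 0 when the two files are indistinguishable under that check.
same_checksum() { [ "$(additive_checksum "$1")" = "$(additive_checksum "$2")" ]; }
same_crc32()    { [ "$(crc32_of "$1")" = "$(crc32_of "$2")" ]; }
same_sha256()   { [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]; }

report() {
    for check in same_checksum same_crc32 same_sha256; do
        if "$check" "$ORIGINAL" "$TAMPERED"; then
            printf '%-14s files look identical\n' "$check"
        else
            printf '%-14s files differ\n' "$check"
        fi
    done
}
report
```

For evidence, record the SHA-256 (or another current cryptographic hash) of every acquired item; a checksum may still be useful as a quick transfer-error check, but it does not prove that what you examined is what you collected.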

Flashcards

What is 'dd'?

A Linux command-line tool used to create an exact copy of a drive.

Tool Reporting

Report any known limitations or issues associated with the tools.

Chain-of-Custody Gap Implication

The evidence may not be admissible in court.

Cloud Forensic Data Collection

Request available logs and other needed info from the provider.

Forensic Copy of a VM

Use the VM host to create a snapshot of the running virtual machine.

Network Traffic Capture Tool

Wireshark is a tool used to capture network traffic.

Chain of Custody

A document that tracks the custody and control of evidence.

Time Zone Issue

One system is likely set to an incorrect time zone.

Jurisdiction

Legal concept determining which agencies handle a case by location.

Acquiring Firmware from Running Device

Use forensic memory acquisition techniques.

Best Starting Point for PC Actions

Interview the individual.

Verify Forensic Soundness

Compare the hashes of the source and target drive.

Quick-Formatted Drive Data

Files will remain but file indexes will not.

Hashing vs. Checksums

Hashing validates integrity and provides a unique digital fingerprint.

Data Review Key Tasks

Validating data inclusion/exclusion occurs during data review.

Least Volatile Data

Backups are the least volatile.

Uncommon Cloud Contract Item

Right to forensic examination is NOT common.

Uncommon Chain-of-Custody Element

Method of transport is NOT a common element.

Action to NOT take after Legal Hold Notice

Do not delete sensitive documents related to the case.

Element NOT of Concern for Forensic Data Admissibility

Whether the forensic information includes a time stamp
