Question 1: ________ can point to items on other drives or other parts of the network.
A. Full links
B. Half links
C. Soft links
D. Hard links
Solution: Soft links
Question 2: To acquire RAID disks, you need to determine the _____ of RAID and which acquisition _____ to use.
A. location; size
B. location; type
C. type; tool
D. size; tool
Solution: type; tool
Question 3: In Windows 8 and later versions, a USB's last insertion and removal timestamps are stored in the registry hive:
A. SYSTEM
B. SOFTWARE
C. SAM
D. SECURITY
Solution: SYSTEM
Question 4: A deleted file is any file that has been ________ erased from the file system but may still remain ________ on storage media.
A. logically; physically
B. logically; forensically
C. physically; logically
D. physically; forensically
Solution: logically; physically
Question 5: A _______ is a data acquisition method that is similar to logical acquisition but also collects fragments of unallocated (deleted) data.
A. sparse acquisition
B. disk-to-disk copy
C. disk-to-image file
D. logical acquisition
Solution: sparse acquisition
Question 6: Which of the following is NOT an expected technology used in a data centre?
A. Server uses Linux or Unix operating system.
B. Database may be on a separate server.
C. May use virtualization technology.
D. May use Windows 98 as email server.
Solution: May use Windows 98 as email server.
Question 7: Forensics acquisition can be done in static and live modes.
a) Describe the concept of live acquisition in digital forensics.
b) Discuss TWO (2) cases in which live acquisition should be considered in finding potential crime evidence.
Solution: A - The acquisition of a live device is mainly of concern to digital investigators and incident responders,
who must normally follow protocols and policies that produce forensically sound duplicates.
When gathering data from a live device for analysis, we are most concerned with volatile data, which is irretrievable once the system is turned off.
In an ideal process, each stage of the acquired by previous stage.
It is difficult to find optimal procedures; however, we should try.
Computer data is classified into two types: volatile data and permanent data.
When the computer is turned off, all volatile data is lost, changed or made unavailable.
Anything else is permanent data, which can be accessed even after the power is turned off.
The passing of time or the acquisition process itself can further alter volatile data.
RAM is the best example of volatile data because it loses its contents very easily after the machine is turned off.
B - One of the cases in which live acquisition is good is when the user who committed the crime has a device running, the crime was committed fairly recently, and evidence can be found in the RAM.
Another case could be when the device is password protected and the criminal is not cooperative; then the RAM can give hints about the password, and sometimes password information for TrueCrypt and other encryption programs can be found in RAM.
Question 8: In an event of a forensics investigation, Windows Event Logs serve as the primary source of evidence as the operating system logs every system's activities. Explain how Windows Event Logs can help in forensics investigation and list TWO (2) types of events that are recorded in Windows event logs.
Solution: Based on the logging details and the discovered objects, a Windows event log review will assist an investigator in creating a timeline.
The Windows event logs assist in reconstructing the sequence of events to aid in an investigation.
Any incident that has an impact on the system may be registered as an event:
incorrect login attempts, hack breaches, system settings changes, application failures, system failures, and so on.
Consider the following scenario:
A hacker attempts to remotely break into the device. First, the hacker can brute force the system, and those logs would be found in the Security log when the user is successful in breaking into the device.
Another log is created in protection, except the IP address, which may aid in the investigation.
Question 9: