Unlike Linux, which ships dd, dcfldd, md5sum and sha1sum, Windows has no built-in hashing tools designed for digital forensics; third-party tools such as WinHex, ProDiscover and EnCase fill that gap.


No size limitations, simple design, open source, and other metadata features that proprietary tools use.

Explain ways to determine the best acquisition method
Four methods of data collection: creating a disk-to-image file, creating a disk-to-disk copy, creating a logical disk-to-disk or disk-to-data file, and creating a sparse data copy of a file or folder.
To determine which acquisition method to use, consider the size of the source disk, whether you can retain the source disk, how much time is needed to perform the acquisition, and where the evidence is located.

Explain how to use acquisition tools
For Mini-WinFE boot CDs and USB drives, connect your target drive; after Mini-WinFE has booted, you can list all connected drives and switch your target USB drive to read-write mode so you can run an acquisition program. Only the target that receives the image is made writable; the suspect drive stays read-only.
If using a Linux boot CD, the dd ("data dump") command can read from and write to media devices and data files. It creates a raw-format file that most computer forensics analysis tools can read.

Explain how to validate data acquisitions
Validating digital evidence requires a hashing algorithm utility, which is designed to create a binary or hexadecimal number that represents the uniqueness of a data set.
Windows has no built-in hashing tools designed for digital forensics. (A modern Windows install does include general-purpose file-hashing commands, certutil -hashfile and PowerShell's Get-FileHash, but no acquisition tools.) However, there are many third-party programs with a variety of built-in tools, ranging from hexadecimal editors like WinHex to forensics programs like ProDiscover and EnCase.
For Linux, the two shell commands dd and dcfldd have several options that can be combined with other commands to validate data.
With dd: calculate the hash of the original drive and save the computed MD5 hash value in a text file. Then compute the MD5 hash value for the segmented volumes and append the output to the text file. Examine the text file to see whether both hashes match; if the acquisition was successful, the two hash values are the same. MD5 is still widely used for this, but because MD5 and SHA-1 are no longer collision-resistant, prefer SHA-256 or record two different hashes.
Because dcfldd is designed for forensics data acquisition, it has validation options integrated: hash and hashlog. The hash option designates a hashing algorithm of md5, sha1, sha256, sha384 or sha512. The hashlog option writes the hash results to a text file that can be stored with the image files.

Describe RAID acquisition methods
RAID is a computer configuration involving two or more physical disks. RAID 0 provides rapid access and increased storage; its disadvantage is the lack of redundancy. RAID 1 (mirroring) is designed for data recovery but is more expensive than RAID 0.

This question has two parts, both relating to the topic of data acquisition.
a) What are two advantages and two disadvantages of the raw format?


Chapter 4 Overview

         Forensics data acquisitions are stored in three different formats: raw, proprietary, and AFF. Most proprietary formats and AFF store metadata about the acquired data in the image file.

         The four methods of acquiring data for forensics analysis are disk-to-image file, disk-to-disk copy, logical disk-to-disk or disk-to-data file, or sparse data copy of a folder or file.

         Large disks might require using tape backup devices. With enough tapes, any size drive or RAID drive can be backed up. Tape backups run more slowly but are a reliable method for forensics acquisitions.

         Lossless compression for forensics acquisitions doesn't alter the data when it's restored, unlike lossy compression. Lossless compression can compress up to 50% for most data. If data is already compressed on a drive, lossless compression might not save much more space.

         If there are time restrictions or too much data to acquire from large drives or RAID drives, a logical or sparse acquisition might be necessary. Consult with your lead attorney or supervisor first to let them know that collecting all the data might not be possible.

         You should have a contingency plan to ensure that you have a forensically sound acquisition and make two acquisitions if you have enough data storage. The first acquisition should be compressed, and the second should be uncompressed. If one acquisition becomes corrupt, the other one is available for analysis.

         Write- blocking devices or utilities must be used with GUI acquisition tools in both Windows and Linux. Practice with a test drive rather than suspect drive, and use a hashing tool on the test drive to verify that no data was altered.

         Always validate your acquisition with built-in tools from a forensics acquisition program, a hexadecimal editor with MD5 or SHA-1 hashing functions, or the Linux md5sum or sha1sum commands (sha256sum works the same way and is the better choice today, since MD5 and SHA-1 are no longer collision-resistant).

         A Linux Live CD provides many useful tools for computer forensics acquisitions.

         The preferred Linux acquisition tool is dcfldd instead of dd because it was designed for forensics acquisition. Always validate the acquisition with the hashing features of dcfldd and md5sum or sha1sum.

         When using the Linux dd or dcfldd commands, remember that reversing the output field (of=) and input field (if=) of suspect and target drives could write data to the wrong drive, thus destroying your evidence. If available, you should always use a physical write-blocker device for acquisitions.
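The dd and hash-log validation procedure described under "Explain how to validate data acquisitions" above, together with the if=/of= and dcfldd points in this overview, as an added example that is not part of the textbook or of this page. It uses a constructed regular file in place of the suspect drive so it runs without root, a write-blocker or a real device; the function names, the segment naming scheme and the hashlog layout are this example's own choices, and the dcfldd one-liner in the comment is shown for comparison only and is not run.

```shell
#!/bin/sh
# Added example (not from the textbook or the page): acquire a source into a
# segmented raw image with dd, record hashes, and prove that the segments
# reassemble to the same digest as the source. On real media, pass the block
# device (e.g. /dev/sdb) behind a write-blocker instead of a file.

# Print only the hex digest of stdin. sha256sum rather than md5sum: MD5 and
# SHA-1 are no longer collision-resistant.
digest() {
    sha256sum | cut -d' ' -f1
}

# make_sample_source PATH: constructed 128 KiB "suspect drive" of random bytes.
# Its size is a multiple of the dd block size used below, so conv=sync pads nothing.
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=512 count=256 2>/dev/null
}

# acquire SRC DEST_DIR SEGMENT_BYTES
# Writes DEST_DIR/image.raw.aa, .ab, ... and DEST_DIR/image.hashlog.
acquire() {
    src=$1; dest=$2; seg=$3
    mkdir -p "$dest"

    # 1. Hash the source before anything is copied.
    printf 'source sha256: %s\n' "$(digest < "$src")" > "$dest/image.hashlog"

    # 2. Raw copy. if= is the SUSPECT and of= is the TARGET: swap them and dd
    #    overwrites the evidence. conv=noerror,sync keeps going past read errors
    #    and zero-fills unreadable blocks; bs must divide the media size, or the
    #    last block is padded and the image hash will not match the source.
    dd if="$src" of="$dest/image.raw" bs=512 conv=noerror,sync 2>/dev/null

    # 3. Segment the image and hash every segment into the same log.
    #    dcfldd does steps 1-3 itself, e.g. (not run here):
    #    dcfldd if=SRC of=DEST/image.raw hash=sha256 hashlog=DEST/image.hashlog split=SEG
    split -b "$seg" "$dest/image.raw" "$dest/image.raw."
    rm "$dest/image.raw"
    for f in "$dest"/image.raw.*; do
        printf '%s  %s\n' "$(digest < "$f")" "${f##*/}"
    done >> "$dest/image.hashlog"
}

# verify DEST_DIR: recompute the digest over the reassembled segments and compare
# it with the source digest logged at acquisition time.
# Prints MATCH or MISMATCH; returns 0 only on MATCH.
verify() {
    dest=$1
    logged=$(sed -n 's/^source sha256: //p' "$dest/image.hashlog")
    # The shell sorts the glob, so .aa .ab .ac ... are concatenated in order.
    actual=$(cat "$dest"/image.raw.* | digest)
    if [ -n "$logged" ] && [ "$logged" = "$actual" ]; then
        echo MATCH
        return 0
    fi
    echo MISMATCH
    return 1
}

# clobber_segment FILE: zero-fill 16 bytes in place to simulate a damaged segment.
clobber_segment() {
    dd if=/dev/zero of="$1" bs=16 count=1 conv=notrunc 2>/dev/null
}

# Usage: sh acquire.sh SUSPECT_DEVICE_OR_FILE DEST_DIR [SEGMENT_BYTES]
if [ "$#" -ge 2 ]; then
    acquire "$1" "$2" "${3:-2147483648}" && verify "$2"
fi
```

Keeping the source digest in the same log as the per-segment digests is what lets a later examiner re-run verify against the image set alone; the clobber function exists only to show that a single damaged segment is caught by the reassembled hash.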

         To acquire RAID disks, you need to determine the type of RAID and then which acquisition tool to use. With a firmware-hardware RAID, acquiring data directly from the RAID server might be necessary.

         Remote network acquisition tools require installing a remote agent on the suspect's computer. The remote agent can be detected if suspects install their own security programs, such as a firewall.

Does Windows have built-in hashing algorithm tools for digital forensics?

No. Unlike Linux, where dd, dcfldd, md5sum and sha1sum are standard, Windows has no built-in hashing tools designed for digital forensics; general-purpose commands such as certutil -hashfile and PowerShell's Get-FileHash exist, but acquisition and validation are normally done with third-party tools such as WinHex, ProDiscover or EnCase. A separate caveat: some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.

Which hashing algorithms does WinHex provide?

WinHex can calculate several kinds of hash values, including 256-bit digests such as SHA-256, of any file, disk, partition, or any part of a disk. In particular, the 128-bit MD5 message digest algorithm is incorporated, which produces the commonly used, practically unique numeric identifiers (hash values).

Which type of data acquisition method is performed if the computer is on and has an encrypted drive?

If the computer is running and has an encrypted drive, a live acquisition is done when the password or passphrase is not available, because a static image of the powered-off drive would capture only ciphertext. The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.

What term refers to Linux ISO images that can be burned to a CD or DVD?

Linux Live CDs.