Discuss one advantage and one disadvantage of the raw format.
Advantages: faster data transfer speeds, minor read errors on the source drive are ignored, and
most forensic tools can read it
Disadvantages: requires equal or greater target disk space (no compression); a separate hash
program may have to be run to validate the raw image, because the format carries no built-in hash;
and it might not collect marginal (bad) blocks
Advantages and disadvantages of proprietary formats:
A: Intelligent acquisition (compression) saves space; features to manipulate the image, e.g.
splitting it into segments; and it can include metadata and case details, such as the acquisition
date, the hash of the original drive and the examiner's name
D: Locked in to one vendor's tool (e.g. ILookIX), because images usually cannot be shared between
different vendors' forensic tools, and software limitations, like a file size limit of up to 2 GB
per segment
With remote acquisitions, what problems should you be aware of?
1. Antivirus
2. Antispyware
3. Firewall programs
- Antivirus, antispyware, and firewall tools can be configured to ignore remote access programs
- Suspects could easily install their own security tools that trigger an alarm to notify them of
remote access intrusions
Compare and contrast the terms BITSTREAM COPY and FILE BACKUP COPY.
File backup copy: backup software copies only known files (active data), and it also modifies the
timestamps of the data it touches, contaminating the timeline
Bitstream copy: a bit-for-bit copy of every sector on the drive, including unallocated and slack
space, so it captures what backup software cannot: deleted files, e-mail messages and file
fragments
c) Describe a Linux command line tool that would enable you to create a raw image of a
drive, and highlight a key advantage of using this particular tool.
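The standard tool for this is dd, which is part of GNU coreutils and therefore present on every Linux system without installing any forensic software; its forensic variant dcfldd adds on-the-fly hashing. The script below is an added example, not part of the original notes: it runs the dd acquisition and then does the separate hash validation that the raw-format notes above describe. The "drive" it images is a constructed file standing in for a device such as /dev/sdb, so the script runs without root or a write blocker; the dd invocation and the hashing step are the real procedure.

```python
"""Added example (not part of the original notes): raw acquisition with dd and
a separate hash check. The source "drive" is a constructed file standing in for
a device such as /dev/sdb; the dd call and the hashing are the real procedure."""
import hashlib
import os
import shutil
import subprocess
import tempfile

SECTOR = 512
FRAGMENT = b"deleted-file-fragment"   # constructed marker, as a deleted file might leave behind


def make_sample_drive(path: str, sectors: int = 2048) -> None:
    """Constructed 1 MiB stand-in for a physical drive: zeros plus one fragment
    sitting in what would be unallocated space (no file system needed)."""
    with open(path, "wb") as f:
        f.write(b"\x00" * (sectors * SECTOR))
        f.seek(300_000)
        f.write(FRAGMENT)


def acquire_raw(src: str, img: str) -> None:
    """Bit-for-bit copy with dd (GNU coreutils). conv=noerror,sync keeps reading
    past a bad sector and pads it with zeros so the image stays the same length as
    the source; that is also why marginal blocks may come out as zeros, not data."""
    subprocess.run(
        ["dd", f"if={src}", f"of={img}", f"bs={SECTOR}", "conv=noerror,sync"],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )


def sha256_of(path: str) -> str:
    """dd writes no hash into the image, so validation is a separate step."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_and_verify(src: str, img: str) -> dict:
    """Image src to img and return what an examiner would write into the log."""
    acquire_raw(src, img)
    src_hash, img_hash = sha256_of(src), sha256_of(img)
    with open(img, "rb") as f:
        fragment_in_image = FRAGMENT in f.read()
    return {
        "image_bytes": os.path.getsize(img),
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "verified": src_hash == img_hash,
        "fragment_in_image": fragment_in_image,
    }


def demo() -> dict:
    """Run the whole procedure against the constructed drive in a temp directory."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "sdb.bin")        # stands in for /dev/sdb
        img = os.path.join(work, "evidence.dd")
        make_sample_drive(src)
        return acquire_and_verify(src, img)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real device the same dd line is run as root with the source attached through a hardware write blocker, and the source hash is taken from the device before the target is touched. With dcfldd the hash can be computed in the same pass (hash=sha256 hashlog=evidence.sha256), which removes the separate validation step, but the plain-dd version shows why that step exists.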
File Systems
The following questions all refer to the topic of File Systems:
a) What is the role of a file system?
Gives the OS a road map to the data on a disk
It is the component of the operating system charged with managing files
b) What are some of the most commonly used file systems utilized on a modern Windows based
PC?
1. NTFS
2. FAT
c) Explain what the initials FAT and MFT stand for and how these relate to the two file systems
respectively
FAT stands for File Allocation Table, the table at the start of a FAT volume that records which
clusters belong to each file; MFT stands for Master File Table, the file in which NTFS keeps a
record for every file and directory on the volume
d) List two features NTFS has that FAT does not.
1. Unicode characters in file names
2. Security (file and folder permissions)
3. Journaling
e) In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?
None. The unused remainder of a file's last sector (RAM slack) is padded with zeros, so no data
from RAM is copied to the RAM slack on a disk drive.
f) List two items stored in the FAT database
1. File and directory names
2. Starting cluster numbers
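As an added example, not from the original notes: the two items above live in the 32-byte directory entries of a FAT volume, while the File Allocation Table itself records which cluster follows which. The parser below decodes constructed sample entries and walks a constructed FAT32 table (the layout assumed is FAT32, where bytes 20-21 hold the high word of the starting cluster). It also shows why a bitstream copy can still recover a deleted file: deleting only overwrites the first byte of the name with 0xE5 and frees the chain in the FAT, so the starting cluster recorded in the entry survives.

```python
"""Added example (not from the original notes): decode FAT directory entries and
follow a FAT32 cluster chain. The on-disk layout is the published FAT format;
the directory and table below are constructed sample data."""
from __future__ import annotations

import struct
from dataclasses import dataclass

ENTRY_SIZE = 32
ENTRY_FMT = "<11sBBBHHHHHHHI"   # name, attr, NT, ctime tenths, ctime, cdate, adate,
                                # first cluster high, wtime, wdate, first cluster low, size
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F                 # long-file-name fragment, not a real entry
DELETED = 0xE5                  # first byte of the name after deletion
FAT32_EOC = 0x0FFFFFF8          # FAT32 values >= this mark end of chain
FAT32_MASK = 0x0FFFFFFF         # top 4 bits of a FAT32 entry are reserved


@dataclass
class DirEntry:
    name: str
    is_directory: bool
    deleted: bool
    first_cluster: int
    size: int


def make_entry(base: str, ext: str, attr: int, cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build a 32-byte short-name entry (constructed sample data, not from a real disk)."""
    raw = f"{base:<8}{ext:<3}".encode("ascii")
    if deleted:
        raw = bytes([DELETED]) + raw[1:]
    return struct.pack(ENTRY_FMT, raw, attr, 0, 0, 0, 0, 0, cluster >> 16, 0, 0, cluster & 0xFFFF, size)


def parse_entry(raw: bytes) -> DirEntry:
    """Pull the name, attributes, starting cluster and size out of one entry."""
    name, attr, _nt, _tenth, _ctime, _cdate, _adate, hi, _wtime, _wdate, lo, size = struct.unpack(ENTRY_FMT, raw)
    deleted = name[0] == DELETED
    base = name[:8].decode("ascii", "replace").rstrip()
    ext = name[8:].decode("ascii", "replace").rstrip()
    if deleted:
        base = "?" + base[1:]   # the first character is gone; the rest of the name survives
    return DirEntry(f"{base}.{ext}" if ext else base, bool(attr & ATTR_DIRECTORY), deleted, (hi << 16) | lo, size)


def parse_directory(data: bytes) -> list[DirEntry]:
    """Walk a directory cluster entry by entry until the end marker."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:          # free entry with nothing in use after it
            break
        if raw[11] == ATTR_LFN:     # attribute byte: skip long-name fragments
            continue
        entries.append(parse_entry(raw))
    return entries


def follow_chain(fat: list[int], start: int, limit: int = 1 << 16) -> list[int]:
    """Return the clusters of a file by walking the FAT from its starting cluster.
    A freed (zero) entry stops the walk: after deletion only the start is known."""
    chain = []
    cur = start
    while 2 <= cur < len(fat) and len(chain) < limit:
        chain.append(cur)
        nxt = fat[cur] & FAT32_MASK
        if nxt >= FAT32_EOC or nxt == 0:
            break
        cur = nxt
    return chain


# Constructed directory: two live entries, one deleted entry, the end marker, and an
# entry beyond the end marker that a correct parser must never report.
SAMPLE_DIR = b"".join([
    make_entry("REPORT", "DOC", 0x20, 5, 1500),
    make_entry("PHOTOS", "", ATTR_DIRECTORY, 9, 0),
    make_entry("SECRET", "TXT", 0x20, 12, 700, deleted=True),
    b"\x00" * ENTRY_SIZE,
    make_entry("GHOST", "BIN", 0x20, 20, 10),
])

# Constructed FAT32 table: entries 0 and 1 are reserved; REPORT.DOC spans 5 -> 6 -> 7;
# the PHOTOS directory sits in cluster 9; SECRET.TXT's chain was zeroed when it was deleted.
SAMPLE_FAT = [0x0FFFFFF8, 0xFFFFFFFF, 0, 0, 0, 6, 7, 0x0FFFFFFF, 0, 0x0FFFFFFF, 0, 0, 0, 0, 0, 0]


def demo() -> dict:
    """Map each visible name to (deleted?, starting cluster, recovered chain)."""
    return {e.name: (e.deleted, e.first_cluster, follow_chain(SAMPLE_FAT, e.first_cluster))
            for e in parse_directory(SAMPLE_DIR)}


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

The deleted entry comes back as ?ECRET.TXT with starting cluster 12 still intact, but the chain walk stops after that first cluster because the FAT entries were freed; recovering the rest of the file means reading the following clusters directly from a bitstream image and checking whether they still hold its contents.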