Chapter 8

1. Which utility, originally created for the UNIX platform, copies and converts files using two basic arguments (if and of)?

Answer: The dd utility was originally written as part of UNIX and uses two basic arguments, if and of.

2. Which software suite provides an enterprise edition that specifically supports volatile data analysis on a live Windows system?

Answer: EnCase Enterprise Edition specifically supports volatile data analysis (live RAM analysis).

3. Which disk imaging software operates as an extended DOS command shell?

Answer: The DriveSpy utility operates as an extended DOS command shell. While many other disk imaging utilities are stand-alone programs with their own graphical user interface (GUI), DriveSpy presents a user interface that operates much like the DOS command shell.

4. What are MD5 and SHA-1?

Answer: MD5 and SHA-1 are two common algorithms for calculating hash values that are used to verify that the original media is unchanged when imaging source media.

5. Which forensic software suite integrates the dtSearch Engine in its searching function?

Answer: Forensic Toolkit (FTK) integrates the dtSearch Engine in its searching function.

6. What two software suites are free?

Answer: SIFT and TSK are open source forensic software suites that are freely available.

7. Name two vendors of forensic hardware.

Answer: Cellebrite and Intelligent Computer Solutions (ICS) were two hardware vendors discussed in this chapter. Paraben and Guidance Software also sell forensic hardware.

8. After creating an image of a drive, what must you do to ensure that the copy matches the original?

Answer: After the image is created, compare the copy to the original. This is commonly accomplished by comparing CRC or hash values calculated on the original and the copy.
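The acquire-then-verify workflow behind questions 1, 4 and 8, as an added worked example that is not part of the textbook or its answer key: dd with its two basic arguments (if= and of=), followed by an MD5 and SHA-1 comparison of original and copy. It assumes GNU coreutils (md5sum, sha1sum) and uses a constructed file in place of a real device.

```shell
#!/bin/sh
# Added example, not from the textbook: image a source with dd using its
# two basic arguments (if= and of=), then show the copy matches the original
# by comparing MD5 and SHA-1 values. Assumes GNU coreutils md5sum/sha1sum.
# The "source" is a constructed file standing in for a device such as
# /dev/sdb, so the script runs without real evidence media.

hash_of() {            # hash_of ALGO FILE -> hex digest only
    "$1" "$2" | cut -d' ' -f1
}

# verify_image SOURCE IMAGE -> returns 0 only if MD5 and SHA-1 both match.
verify_image() {
    src_md5=$(hash_of md5sum "$1");  img_md5=$(hash_of md5sum "$2")
    src_sha=$(hash_of sha1sum "$1"); img_sha=$(hash_of sha1sum "$2")
    echo "MD5   source=$src_md5"
    echo "MD5   image =$img_md5"
    echo "SHA-1 source=$src_sha"
    echo "SHA-1 image =$img_sha"
    [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]
}

# image_and_verify SOURCE IMAGE -> bit-for-bit copy, then verification.
image_and_verify() {
    dd if="$1" of="$2" bs=4096 2>/dev/null
    verify_image "$1" "$2"
}

# Constructed sample evidence: deterministic content whose first byte is '1'.
work=$(mktemp -d)
seq 1 20000 > "$work/source.bin"

if image_and_verify "$work/source.bin" "$work/source.dd"; then
    echo "VERIFIED: image matches source"
fi

# Change a single byte of the image: both digests change and verification
# fails, which is exactly what the post-imaging comparison is meant to catch.
printf 'X' | dd of="$work/source.dd" bs=1 seek=0 conv=notrunc 2>/dev/null
if ! verify_image "$work/source.bin" "$work/source.dd"; then
    echo "MISMATCH: image was modified after acquisition"
fi
rm -r "$work"
```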

9. You have many factors to consider when choosing appropriate forensic software. Name two.

Answer: Factors include:

  • Operating system(s) supported
  • User interface preference
  • Budget
  • Functionality/capabilities
  • Vendor loyalty

10. Which two forensic products can extract both active and deleted text messages from a mobile phone?

Answer: Both Cellebrite UFED and Paraben Device Seizure support extracting complete data from mobile devices (including phones).
