Chapter 5

1. Why do you need to be careful about the utilities you choose to use for disk imaging?

Answer: Courts often accept evidence collected by tools that have been used in past trials. You should be prepared to testify to the authenticity and reliability of the tools that you use, otherwise the evidence may not be admissible.

2. What is an HPA?

Answer: HPA stands for host protected area, an area created on a hard disk specifically to allow manufacturers to hide diagnostic and recovery tools. It is a hidden portion of the disk that can’t be used by the operating system. (HPA is sometimes referred to as hidden protected area or hardware protected area.)

3. Name some limitations of virtual environments when used for forensics.

Answer: Virtual environments are often considerably different from the original computer image, which limits the admissibility in court of evidence gathered (or at the very least makes it subject to challenges by opposing counsel). In addition, some of the installed software products may refuse to start, installed services may not work, and the computer itself might not boot.

4. How can you verify that in imaging the source media, the original media is unchanged?

Answer: Verification is done by Secure Hash Algorithm (SHA-1) and SHA-2, CRC, or MD5 confirmation. These methods ensure that the copy procedure did not corrupt the original data.

5. Name a tool that can be used to image the data in the memory of a cell phone.

Answer: Several tools are available to image data in the memory of cell phones, such as Device Seizure from Paraben, Palm dd (pdd) (for Palm OS), BitPim (for use with CDMA phones), Oxygen Forensic Suite 2010 (for use with cell phones, smartphones, and PDAs), Mobilyze (for use with iPhones, iPod Touch, and iPad devices), and Zdziarski’s Forensics Guide for the iPhone.

6. What does the Netstat utility do?

Answer: Netstat displays the active computer connections. This information provides the investigator with a list of what protocols are running and what ports are open.

7. When collecting evidence, which do you want to extract first: the information in memory or on the hard drive?

Answer: You should collect evidence on a system beginning with the more volatile and proceeding to the less volatile; therefore, memory data should be collected before hard drive data.

8. Why can choosing the method used to shut down a suspect computer be a difficult decision to make?

Answer: If you disconnect the power cord, you risk losing data, especially on UNIX computers. If you shut down the computer through the normal shutdown method, you risk running destructive programs that will delete data upon shutdown.

9. If you need to boot a suspect computer to make an image copy, how should you do it?

Answer: You should boot from a controlled boot disk and then create a bit stream of the hard disk using a disk-imaging utility.
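The verification in question 4 and the bit-stream image in question 9 rest on the same mechanism: read the source sequentially, never write to it, hash what was read, and compare against a hash of the finished image. The following Python is an added example, not from the book or any of the tools it names; it stands in for a disk-imaging utility with in-memory streams, and the block size, function names and constructed sample data are assumptions made for the illustration.

```python
import hashlib
import io

# Block size for the sequential copy (assumed for this example; dd defaults to 512 bytes).
BLOCK_SIZE = 4096
# MD5, SHA-1 and SHA-2 (SHA-256), the hash families named in the answer to question 4.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream):
    """Hash a readable binary stream block by block without loading it whole."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        block = stream.read(BLOCK_SIZE)
        if not block:
            break
        for h in hashes.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_bytes(data):
    """Convenience wrapper: hash an in-memory byte string the same way."""
    return hash_stream(io.BytesIO(data))


def bit_stream_copy(src, dst):
    """Copy src to dst block by block, hashing the source as it is read.

    The source is only ever read, which is the property a controlled boot
    environment is meant to guarantee. Returns the digests of the source.
    """
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        block = src.read(BLOCK_SIZE)
        if not block:
            break
        for h in hashes.values():
            h.update(block)
        dst.write(block)
    dst.flush()
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify_image(src_digests, image_stream):
    """Rehash the image and return (all_match, per-algorithm match results)."""
    image_digests = hash_stream(image_stream)
    results = {name: src_digests[name] == image_digests[name] for name in ALGORITHMS}
    return all(results.values()), results


def demo():
    """Image a constructed sample, verify it, then show a one-bit change is caught."""
    # Constructed stand-in for a small piece of source media (not real evidence).
    source_media = bytes(range(256)) * 64  # 16 KiB of repeating byte values
    image = io.BytesIO()
    src_digests = bit_stream_copy(io.BytesIO(source_media), image)

    # The freshly written image must hash identically to the source.
    image.seek(0)
    good_ok, _ = verify_image(src_digests, image)

    # Flip a single bit in a copy of the image; every algorithm must report a mismatch.
    corrupted = bytearray(source_media)
    corrupted[1000] ^= 0x01
    bad_ok, _ = verify_image(src_digests, io.BytesIO(bytes(corrupted)))

    # Rehash the original after imaging to show the copy procedure left it unchanged.
    unchanged = hash_bytes(source_media) == src_digests
    return good_ok, bad_ok, unchanged


if __name__ == "__main__":
    good, bad, unchanged = demo()
    print(f"image verifies: {good}, corrupted image verifies: {bad}, source unchanged: {unchanged}")
```

Recording all three digests at imaging time, rather than a single one, is what lets the image still be checked later if one algorithm (MD5, for instance) is challenged as weak; the comparison itself is the same regardless of which tool produced the image.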

10. Name three programs or utilities that can be used to collect forensic images.

Answer: EnCase, Access Data’s Forensic Toolkit (FTK), Technology Pathways’ ProDiscover Incident Response (IR), X-Ways Forensics (XWF), the dd utility, WinHex, Grave-Robber, and Incident Response Collection Report (IRCR).
