818 Appendix • Self Test Appendix
7. You are at a crime scene working on a computer that was hacked over the Internet. You’re concerned that a malicious program may have been installed on the machine that will result in data being damaged or destroyed if the computer is shut down or restarted. Which of the following tasks will you perform to deal with this possibility?
A. Photograph anything that is displayed on the screen
B. Open files and then save them to other media
C. Use disk imaging software to make a duplicate of the disk’s contents
D. Leave the system out of the forensic examination, and restore it to its previous state using a backup.
Answer C. Use disk imaging software to make a duplicate of the disk’s contents. Disk imaging creates a bitstream copy, where each physical sector of the original disk is duplicated. To make it easier to store and analyze, the image is compressed into an image file, which is also called an evidence file.
Answer A is incorrect, because photographing information on the screen won’t have any impact on a possible malicious program on the hard disk. This will document volatile evidence, and might provide clues at a later date. However, it will not help in preserving data on the hard disk. Answer B is incorrect because opening files on the hard disk might modify the data, such as the date/time stamp that indicates the last time it was opened. Answer D is incorrect, because this will prevent you from obtaining evidence from the computer.
8. You have created an image of the contents of a hard disk to be used in a forensic investigation. You want to ensure that this data will be accepted in court as evidence. Which of the following tasks must be performed before it is submitted to the investigator and prosecutor?
A. Copies of data should be made on media that’s forensically sterile.
B. Copies of data should be copied to media containing documentation on findings relating to the evidence.
C. Copies of data can be stored with evidence from other cases, so long as the media is read-only.
D. Delete any previous data from media before copying over data from this case.
Answer A. Copies of data should be made on media that’s forensically sterile. This means that the disk has no other data on it, and has no viruses or defects. This will prevent mistakes involving data from one case mixing with other data, as can happen with cross-linked files or when copies of files are mixed with others on a disk. When providing copies of data to investigators, defense lawyers, or the prosecution, the media used to distribute copies of evidence should also be forensically sterile.
Answer B is incorrect, because the copied data would reside with other documentation you’ve created, so that it is no longer forensically sterile. Answer C is incorrect, because it would mix the data with data from other cases, which could make the evidence inadmissible in court. Answer D is incorrect, because deleting data only removes the pointers to the files from the partition table, but does not erase the data itself. Thus, deleted data still resides on the media, meaning that it is not forensically sterile.
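The two answers above rest on three mechanics: a bitstream image copies every physical sector whether or not the file system still points at it, an image is hashed and packed into an evidence file so it can be verified later, and a medium is only forensically sterile when no sector holds leftover data (an ordinary delete removes the pointer, not the bytes). The following Python script is an added illustration written for this page, not code from the StudyBook; it works on a constructed in-memory "disk" with an assumed 512-byte sector size and a toy one-entry directory, and its evidence-file container is a made-up header plus zlib, not the EnCase or any other real format.

```python
"""Sector-level imaging, evidence-file hashing and a sterile-media check on a
constructed in-memory disk (added example; not from the StudyBook)."""
import hashlib
import io
import zlib

SECTOR_SIZE = 512  # assumed sector size for the constructed sample disk


def build_sample_disk(num_sectors: int = 8) -> bytearray:
    """Constructed sample: sector 0 holds a toy directory entry pointing at a
    file whose bytes live in sector 2. Every other sector is zero-filled."""
    disk = bytearray(num_sectors * SECTOR_SIZE)
    file_data = b"CASE-0001 suspect notes (constructed sample)"  # constructed
    entry = b"notes.txt,2,%d" % len(file_data)  # name, start sector, length
    disk[0:len(entry)] = entry
    disk[2 * SECTOR_SIZE:2 * SECTOR_SIZE + len(file_data)] = file_data
    return disk


def delete_file(disk: bytearray) -> None:
    """Mimics an ordinary delete: only the directory pointer in sector 0 is
    cleared; the file's bytes in sector 2 stay exactly where they were."""
    disk[0:SECTOR_SIZE] = bytes(SECTOR_SIZE)


def residual_sectors(media, sector_size: int = SECTOR_SIZE) -> list:
    """Sector numbers holding anything other than zeros. A medium is
    forensically sterile (in the data sense) only when this list is empty."""
    found = []
    for n, offset in enumerate(range(0, len(media), sector_size)):
        chunk = media[offset:offset + sector_size]
        if chunk != bytes(len(chunk)):
            found.append(n)
    return found


def is_forensically_sterile(media, sector_size: int = SECTOR_SIZE) -> bool:
    return not residual_sectors(media, sector_size)


def bitstream_image(source, sector_size: int = SECTOR_SIZE):
    """Sector-by-sector copy of a readable binary stream (on a real system:
    the block device opened read-only). Every sector is duplicated whether or
    not the file system considers it in use, so deleted data comes along.
    Returns (image_bytes, sha256_hex, sectors_read)."""
    digest = hashlib.sha256()
    out = io.BytesIO()
    sectors = 0
    while True:
        sector = source.read(sector_size)
        if not sector:
            break
        digest.update(sector)
        out.write(sector)
        sectors += 1
    return out.getvalue(), digest.hexdigest(), sectors


def write_evidence_file(image: bytes, sha256_hex: str) -> bytes:
    """Compressed evidence file: a toy header records the hash so the image
    can be re-verified after decompression. Not a real E01-style container."""
    header = b"EVF1 sha256=" + sha256_hex.encode() + b"\n"
    return header + zlib.compress(image, 9)


def read_evidence_file(blob: bytes):
    """Decompress the image and check it against the recorded hash.
    Returns (image_bytes, verified)."""
    header, _, body = blob.partition(b"\n")
    expected = header.split(b"sha256=")[1].decode()
    image = zlib.decompress(body)
    return image, hashlib.sha256(image).hexdigest() == expected


def demo() -> dict:
    """Suspect deletes the file, examiner images the disk: the deleted bytes
    are still in the image, the medium is not sterile, and the evidence file
    round-trips with a matching hash."""
    disk = build_sample_disk()
    delete_file(disk)
    image, digest, sectors = bitstream_image(io.BytesIO(disk))
    evidence = write_evidence_file(image, digest)
    restored, verified = read_evidence_file(evidence)
    return {
        "sectors": sectors,
        "residual_sectors": residual_sectors(image),
        "deleted_data_recoverable": b"suspect notes" in image,
        "verified": verified,
        "identical": restored == disk,
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows sector 2 still listed as residual after the delete and the deleted text recoverable from the image, which is exactly why a previously used disk cannot serve as sterile target media, and why a sector-level image rather than a file copy is what preserves the evidence in question 7.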
www.syngress.com

