Guide to Computer Forensics and Investigations, 4e, 1435498836 Ch. 7 Solutions-1

Chapter 7 Solutions

Review Questions

1. What are the five required functions for computer forensics tools?
   Acquisition, validation and discrimination, extraction, reconstruction, and reporting.

2. A disk partition can be copied only with a command-line acquisition tool. True or False?
   False.

3. What two data-copying methods are used in software data acquisitions?
   c. Logical and physical

4. During a remote acquisition of a suspect drive, RAM data is lost. True or False?
   False.

5. Hashing, filtering, and file header analysis make up which function of computer forensics tools?
   a. Validation and discrimination

6. Sleuth Kit is used to access Autopsy's tools. True or False?
   False. It is the other way around: Autopsy is the front end used to access Sleuth Kit's tools.

7. When considering new forensics software tools, you should do which of the following?
   c. Test and validate the software.

8. Of the five functions of computer forensics tools, what are the subfunctions of the Extraction function?
   Data viewing, keyword searching, decompressing, carving, decrypting, and bookmarking.

9. Data can't be written to the disk with a command-line tool. True or False?
   False.

10. Hash values are used for which of the following purposes? (Choose all that apply.)
   b. Filtering known good files from potentially suspicious data
   d. Validating that the original data hasn't changed

11. What's the name of the NIST project established to collect all known hash values for commercial software and OS files?
   National Software Reference Library (NSRL)

12. Many of the newer GUI tools use a lot of system resources. True or False?
   True.

13. Building a forensic workstation is more expensive than purchasing one. True or False?
   False.

14. A live acquisition is considered an accepted forensics practice. True or False?
   False.

15. Which of the following is true of most drive-imaging tools?
   (Choose all that apply.)
   b. They ensure that the original drive doesn't become corrupt and damage the digital evidence.
   c. They create a copy of the original drive.

16. The standards for testing forensics tools are based on which criteria?
   c. ISO 17025

17. Which of the following tools can examine files created by WinZip?
   a. FTK

18. List four subfunctions of reconstructing drives.
   Disk-to-disk copy, image-to-disk copy, partition-to-partition copy, and image-to-partition copy.

19. When validating the results of a forensic analysis, you should do which of the following?
   d. Do both a and b.

20. NIST testing procedures are valid only for government agencies. True or False?
   False.

Hands-On Projects

Hands-On Project 7-1
The purpose of this project is to show students how to prepare media for a computer investigation. The target media that will receive the copy of the original suspect drive must be wiped clean of all other data first, so that nothing left over from earlier use can be mistaken for evidence from this case.

Hands-On Project 7-2
This project shows how to eliminate data from storage media permanently.

Hands-On Project 7-3
The purpose of this project is to show students how data can be inserted on a drive in places where it can't normally be seen from the operating system.

Hands-On Project 7-4
Students learn how to use FTK to locate and identify the hidden data on the test drive, and see how a GUI tool analyzes drive data for investigation purposes.

Hands-On Project 7-5
Students should have search results similar to the following files provided with the instructor resources:
   Chap07-05_Report_FTK_Index-Search.pdf
   Chap07-05_Report_FTK_Live-Search.pdf
   Chap07-05_Report_FTK_May52005.pdf
   Chap07-05_Report_FTK_report.zip
   Chap07-05_Report_ProDiscover.pdf
   Chap07-05_Report_ProDiscover.rtf
Student reports, if assigned, should list the results of the comparison test and state which tool performs these functions better, for example live versus indexed searching.
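The two uses of hash values named in the answers to Review Questions 10 and 11 (validating that acquired data is unchanged, and filtering known-good files with a hash set such as the NSRL) can be shown in a few lines. The following is an added example for this solutions page, not code from the textbook or its instructor resources. The evidence files, the drive image and the hash list are all constructed here: the hash-list rows follow the column layout of the NSRL Reference Data Set, but their contents are the standard test-vector digests of the strings "abc" and "" rather than real NSRL entries.

```python
# Added example (not from the textbook). Two uses of hashes in forensics tools:
#   1. validation: the hash of the image taken now must equal the hash recorded
#      at acquisition time, otherwise the data has changed;
#   2. discrimination: files whose hash is in a known-file list (NSRL RDS style)
#      are set aside so the examiner looks only at what is not already known.
import csv
import hashlib
import io

# Constructed evidence set: file name -> contents as read from the image.
SAMPLE_EVIDENCE = {
    "system.dll": b"abc",                     # in the known-file list
    "empty.tmp": b"",                         # in the known-file list
    "notes.txt": b"meet at the dock at 10",   # not listed: needs review
}

# Constructed hash set in the NSRL RDS column layout. The digests are the
# published test vectors for "abc" and the empty string, not real NSRL rows.
SAMPLE_RDS = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    '"A9993E364706816ABA3E25717850C26C9CD0D89D","900150983CD24FB0D6963F7D28E17F72",'
    '"352441C2","system.dll","3","1","1",""\n'
    '"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D41D8CD98F00B204E9800998ECF8427E",'
    '"00000000","empty.tmp","0","1","1",""\n'
)


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a byte string (one file or a whole drive image)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def validate_image(image: bytes, acquisition_hash: str, algo: str = "sha256") -> bool:
    """Validation: re-hash the image and compare with the hash recorded when it
    was acquired. A single changed bit anywhere makes this return False."""
    return hashlib.new(algo, image).hexdigest() == acquisition_hash.lower()


def load_known_hashes(rds_csv: str) -> set:
    """Parse an RDS-style CSV into a set of lowercase SHA-1 digests."""
    return {row["SHA-1"].lower() for row in csv.DictReader(io.StringIO(rds_csv))}


def discriminate(evidence: dict, known: set) -> tuple:
    """Split evidence files into (known_good, needs_review) by SHA-1 lookup."""
    known_good, needs_review = [], []
    for name, data in sorted(evidence.items()):
        bucket = known_good if file_hashes(data)["sha1"] in known else needs_review
        bucket.append(name)
    return known_good, needs_review


def demo() -> dict:
    """Run both checks over the constructed data and return the results."""
    image = b"".join(SAMPLE_EVIDENCE.values())   # the "acquired" image
    recorded = file_hashes(image)["sha256"]       # hash taken at acquisition
    tampered = bytearray(image)
    tampered[0] ^= 0x01                           # flip one bit in a copy
    good, review = discriminate(SAMPLE_EVIDENCE, load_known_hashes(SAMPLE_RDS))
    return {
        "image_valid": validate_image(image, recorded),
        "tampered_valid": validate_image(bytes(tampered), recorded),
        "known_good": good,
        "needs_review": review,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Real hash sets are matched on SHA-1 or MD5 because that is what the published lists carry; the image itself should additionally be validated with a stronger digest such as SHA-256, as the example does, since validation is about proving the copy is unchanged rather than about lookup.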
Case Projects

Case Project 7-1
Students should specify which tool they have chosen, based on their resources. As mentioned in Chapter 3, students should list current computer forensics tools, such as ProDiscover, FTK, or EnCase, along with hardware such as a forensic workstation and storage media such as USB drives.

Case Project 7-2
Students' responses will vary, depending on the tools they selected and the versions available. Using Table 7-1, students should be able to determine whether a tool has similar, better, or worse capabilities than the software suites they're examining.

Case Project 7-3
Students should find tools such as BlackBag, SubRosaSoft, Runtime, F.I.R.E., SMART, and Sleuth Kit/Autopsy. They should note that the validation process remains the same, no matter which tool is used.

Case Project 7-4
Students should be able to answer this question by using the information in this chapter and by working through Hands-On Project 7-5. Encourage students to think of new ideas for developing test drives with hidden data so that they gain experience in determining criteria for testing new forensics products.
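Hands-On Projects 7-3 to 7-5 and Case Project 7-4 all turn on the same idea: a test drive with data placed where the operating system does not show it, and a tool whose physical keyword search and carving find it anyway. The following added example (written for this page, not code from the textbook or its instructor resources) builds such a test drive in memory so the effect can be seen without real media. The geometry (512-byte sectors, two sectors per cluster, one allocated file whose size is not a cluster multiple) and every byte of content are constructed for the demonstration; the "JPEG" is only a start-of-image/JFIF header and an end-of-image trailer, enough for signature carving.

```python
# Added example (not from the textbook). A constructed test drive with data in
# file slack and in an unallocated cluster, then the two extraction subfunctions
# that recover it: physical keyword searching and signature-based carving.
SECTOR = 512
CLUSTER = 2 * SECTOR      # 1024-byte clusters (assumed geometry)
IMAGE_SECTORS = 16        # 8 KiB image, eight clusters


def build_test_image():
    """Return (image, allocation_table). The table holds each allocated file as
    (name, start_offset, logical_size). Clusters are handed out whole, so a file
    shorter than its cluster leaves slack after its last byte."""
    img = bytearray(IMAGE_SECTORS * SECTOR)           # zero-filled "wiped" media
    # Cluster 2: a 700-byte allocated file in a 1024-byte cluster, 324 bytes slack.
    start = 2 * CLUSTER
    visible = b"Quarterly report: nothing unusual to note.".ljust(700, b".")
    img[start:start + 700] = visible
    hidden = b"wire 50000 to acct 8841 before audit"  # written into the slack
    img[start + 700:start + 700 + len(hidden)] = hidden
    # Cluster 5 is unallocated: a "deleted" JPEG stub sits there, unreferenced.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    off = 5 * CLUSTER + 37
    img[off:off + len(jpeg)] = jpeg
    return img, [("report.txt", start, 700)]


def logical_view(img, alloc):
    """What the OS shows: each file cut at its logical size, and nothing else."""
    return {name: bytes(img[s:s + size]) for name, s, size in alloc}


def keyword_search(data, keyword):
    """Physical (live) search: every offset of keyword anywhere in the bytes."""
    hits, i = [], data.find(keyword)
    while i != -1:
        hits.append(i)
        i = data.find(keyword, i + 1)
    return hits


def classify(offset, alloc):
    """Report where an offset lives: in a file, in that file's slack, or unallocated."""
    for name, s, size in alloc:
        end_logical = s + size
        end_cluster = s + -(-size // CLUSTER) * CLUSTER   # round up to a cluster
        if s <= offset < end_logical:
            return f"allocated:{name}"
        if end_logical <= offset < end_cluster:
            return f"slack:{name}"
    return "unallocated"


def carve_jpeg(data):
    """Signature carving: cut out every SOI..EOI span regardless of allocation."""
    found, i = [], data.find(b"\xff\xd8\xff")
    while i != -1:
        j = data.find(b"\xff\xd9", i + 3)
        if j == -1:
            break
        found.append(bytes(data[i:j + 2]))
        i = data.find(b"\xff\xd8\xff", j + 2)
    return found


def demo():
    """Search the logical view and the physical image for the same keyword,
    then carve the image; return what each approach finds."""
    img, alloc = build_test_image()
    logical = b"".join(logical_view(img, alloc).values())
    return {
        "logical_hits": keyword_search(logical, b"audit"),
        "physical_hits": [(o, classify(o, alloc)) for o in keyword_search(img, b"audit")],
        "carved_jpeg_sizes": [len(j) for j in carve_jpeg(img)],
        "jpeg_location": classify(img.find(b"\xff\xd8\xff"), alloc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The logical search returns nothing because the slack and the unallocated cluster are not part of any file the file system reports; the physical search and the carver read the whole image and therefore find both plants. A test drive for evaluating a new product should plant data in each such location (slack, unallocated space, and, on real media, areas outside any partition) and record the offsets, so that a tool's results can be checked against a known answer rather than judged by impression.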