Karten 15 Karten
Lernende 2 Lernende
Sprache English
Stufe Universität
Erstellt / Aktualisiert 20.06.2019 / 01.07.2020
Lizenzierung Keine Angabe
0 Exakte Antworten 15 Text Antworten 0 Multiple Choice Antworten
Fenster schliessen

What is important of "forensically sound" acquisition according to the NIST Computer Forensic Tool Testing (CFTT) standard:

  • completeness - every (accessible) sector of a drive
  • sector zero to sector n (last sector of drive)
  • no modification of evidence drive
  • report/log all I/O errors
  • tool user documentation must be correct
Fenster schliessen

What is done to preserver the integrity of evidence and why is it done

Can be a seperate step, or is built into forensic tools

Dataintegrity is guarantied through cryptographic hashes.

  • These can be validated at a later time
  • changing one single bit is detected
  • piece-wise hashing can also be done where the hash of individual files, data blobs, etc... is taken.
Fenster schliessen

What commands can you use to double check the evidence drive.

  • lshw -class disk
  • lspci
  • lsusb
  • lsscsi
  • lsblk
  • dmesg
Fenster schliessen

What information about an evidence drive is taken?

  • photograph of drive
  • S.M.A.R.T data
  • hdparm -l /dev/sda
  • smartctl -x /dev/sda



Smart data is digital information that is formatted so it can be acted upon at the collection point before being sent to a downstream analytics platform for further data consolidation and analytics.

Fenster schliessen

What should you always do when dealing with an evidence drive?

Always double-check source and destination devices!!!

Fenster schliessen

what does the dd command do?

The dd command:

  • copies data blocks from input to output
  • can be used to copy disk sectors to file
  • don't forget: no file copying, but sector copying

Basic syntax

  • dd if=myinputfile of=myoutputfile

Copying disk sectors:

  • dd if=/dev/sda of=myoutputfile

DD = "Dangerous and Deadly"

Fenster schliessen

What are some forensic variations of the dd command and what aditional features do they have?

Forensic acquisition tools based on dd:

  • dcfldd
  • dc3dd

Additional features they include:

  • cryptographic hashing
  • improved error handling
  • logging of errors and activity
  • performance optimization
  • hash verification checking
  • live progress monitoring
Fenster schliessen

What is done when forensic images are made?

Forensic images are HUGE

  • plan carefully, they can take hours or days
  • forensic file formatsn have compression
  • dd has no compression, but can be piped into gzip, there is no seeking

Seeking = searching