Computer Forensics

This document contains information about a practice quiz for a computer forensics fundamentals course, including: - An ungraded practice question to familiarize students with the quiz platform. - Information about how quizzes will work in the course, including one attempt per question for graded quizzes. - Details on two upcoming activities - using FTK Imager to create a disk image, and basic hashing of files in Unix systems. - A link to take the graded quiz for Unit 1.

Uploaded by

Pradeep Joshi

Practice Quiz


PRACTICE QUIZ

This ungraded quiz question is a great way to get familiar with quizzing on the edX platform and check
your understanding of the course syllabus. You are allowed multiple attempts at the question in this practice
quiz, but you will only have one attempt per question in the graded quizzes at the end of each unit.

If you have any questions about how quizzes work within this course, please post them in the Questions
About the Course discussion.

Practice Quiz
2 points possible (ungraded)
Forensic Science means the ____________of crime using _________methods.
study; statistical
examination and investigation; scientific
demonstration; criminal research
True or False: Digital forensics or computer forensics is a branch of forensic science
primarily focusing on digital evidence.
True
False
Introduction

Unit 1: Computer Forensics Fundamentals


Upon completion of this unit, you will be able to:

- Define and state the purpose of digital forensics
- Explain the difference between a drive image and a drive copy
- State the key elements in a digital forensics report

This unit contains the following learning activities:

Video Lectures
(mm:ss) indicates the time for video lectures

- Computer Forensics Concepts and Types (8:19)
- Forensic Investigation Procedure (4:24)
- Data Acquisition (4:26)
- FTK Imager Demo (7:28)
- Data Preservation (10:48)
- Data Analysis and Report (5:46)

Additional Resources

- Computer Forensics Fundamentals
- Lecture Slides

Activity and Discussion

- Activity: Using FTK Imager
- Activity: Basic Hashing of Files in *nix Systems
- Discussion: Challenges to Digital Forensic Investigation

For some ungraded activities in Units 2 and 3, you'll need to use a virtual Linux
workstation. If you'd like to set the virtual workstation up now, instructions are in the top
toolbar under Virtual Workstation.

Graded Unit Quiz

- Computer Forensics Fundamentals Quiz

Computer Forensics Concepts and Types

Check Your Understanding


2 points possible (ungraded)

The order of steps in the forensics process is:

Analyze, collect, preserve, report

Collect, analyze, report, preserve

Collect, preserve, analyze, report

Preserve, collect, analyze, report

Report, analyze, collect, preserve


Which of the following are examples of Anti-Digital-Forensics (ADF)? (Select all that apply.)

Hiding data in image or audio files

Modifying file access time

Modifying file modification time

Overwriting data and metadata

Renaming files by changing file extensions


Activity: Using FTK Imager

ACTIVITY: USING FTK IMAGER

Time: This activity should take you approximately 30 minutes if you use a small USB drive.

SOFTWARE

To complete this activity, you will have to download software.

- FTK Imager Lite

USB DRIVE

For this activity, you will need a USB drive as described in the Downloads and Supplies page on the top
toolbar.

GOAL

We have learned that bitstream copies make a bit-for-bit copy of all sectors on a drive. In this activity, you
will use a well-known forensics imaging tool, FTK Imager, to create a bitstream image of your USB drive
and examine the results.

You may want to review the FTK Imager demonstration video before beginning this activity.
NOTE: FTK Imager does not guarantee that data is not written to the drive during imaging. For this
reason, investigators will use a write blocker when using FTK Imager in a real case. To complete this
activity, you can assume that you have a USB write blocker.

INSTRUCTIONS

Launch FTK Imager and insert your USB drive.

Following the steps from the FTK Imager demonstration video, create an image of your USB drive in Raw
(dd) format and save the copy to your desktop.

Summary of steps

- Select File -> Create Disk Image...
- Choose Physical Drive
- Choose your USB device
- Press Finish
- Add the image destination
- Select Raw (dd) as the format
- Provide the destination folder and image filename information
- Press Start

Load the image you created into FTK Imager and examine the content.

Interested students can explore other features supported in FTK Imager.

Check Your Work


5 points possible (ungraded)

Answer these questions to check your results. 

After the imaging process was complete, what files did FTK Imager create? (Select all that
apply.)

An image file with an extension of .001


Individual files as on the original drive

A text file for image summary

An image file with an extension of .ex01


"Verify images after they are created" is checked by default. What is the result of having this
option checked?

FTK Imager will compute the hash value of the image

FTK Imager will compute the hash value of the USB drive

FTK Imager will compute the MD5 and SHA1 hashes of the USB drive and the MD5 and
SHA1 hashes of the image, and verify the hashes match.

FTK Imager will compute the MD5 hash of the USB drive and the MD5 hash of the image,
and verify the hashes match


How many hash algorithms did FTK Imager use to verify the image has not been
altered?

One hash algorithm

Two hash algorithms

Three hash algorithms

Four hash algorithms


After loading your dd image to FTK Imager, do you see any deleted file(s) in FTK
Imager?

Yes
No


True or False: FTK Imager can also capture memory from the running machine.

True

False

Activity: Basic Hashing of Files in *nix Systems



ACTIVITY: BASIC HASHING OF FILES IN *NIX SYSTEMS

This activity is ungraded

Time: This activity should take approximately 20 minutes

SOFTWARE

- Windows: hashcalc (www.slavasoft.com/hashcalc/)
- Linux/Unix: md5sum and shasum
- Mac: md5 and shasum

GOAL

In this activity, we will perform basic hashing of files, and examine how changes affect file hashes.

You may want to review the hash demonstration in Data Preservation before beginning this activity.

INSTRUCTIONS

1. Create or select a text file with some information in it.

2. Calculate and record the hash value of your text file.

3. Make the following changes to your text file and calculate the hash value after each change:

   - Change one character
   - Change the filename, for example mv myText aNewName
   - Change one of the rwx permissions (using chmod), for example chmod g+w yourText
   - Create a symlink to your text file, and calculate the hash of your symlink, for example ln -s yourText
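The four changes above, run end to end against a constructed sample file so the effect of each on the hash can be seen in one line of output. This is an added example, not part of the course activity; it assumes a POSIX sh with coreutils md5sum and sha1sum (shasum is used as a fallback), and the file names myText, aNewName and aLink are the example's own.

```shell
#!/bin/sh
# Added example (not from the course page): apply the activity's four changes to a
# constructed text file and report whether the hash the investigator records
# changes. Hash tools assumed: md5sum, sha1sum (or shasum -a 1 as fallback).

md5_of() { md5sum "$1" | cut -d' ' -f1; }

sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verdict <hash1> <hash2>: "same" when the two digests agree, "changed" otherwise.
verdict() { [ "$1" = "$2" ] && echo same || echo changed; }

# Runs in a subshell inside a throw-away directory and prints one summary line:
#   md5=<digest> sha1=<digest> content=... name=... perm=... symlink=...
hash_experiment() (
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1

    sample='The quick brown fox jumps over the lazy dog'   # constructed content, no newline
    printf '%s' "$sample" > myText
    base=$(md5_of myText)          # step 2: record the original hashes
    sha1=$(sha1_of myText)

    # Step 3a: change one character (final "dog" -> "dot"), hash, then restore the bytes.
    printf '%s' "${sample%dog}dot" > myText
    content=$(verdict "$base" "$(md5_of myText)")
    printf '%s' "$sample" > myText

    # Step 3b: rename. The name lives in the directory entry, not in the data that is hashed.
    mv myText aNewName
    name=$(verdict "$base" "$(md5_of aNewName)")

    # Step 3c: flip a permission bit. The mode is inode metadata, again not hashed.
    chmod g+w aNewName
    perm=$(verdict "$base" "$(md5_of aNewName)")

    # Step 3d: hash a symlink. md5sum opens the link, so it reads the target's data.
    ln -s aNewName aLink
    symlink=$(verdict "$base" "$(md5_of aLink)")

    cd / && rm -rf "$work"
    echo "md5=$base sha1=$sha1 content=$content name=$name perm=$perm symlink=$symlink"
)

# Stand-alone run: prints the summary line.
hash_experiment
```

The practical reading: a file hash authenticates content only. Renames, permission changes and symlinks leave it untouched, which is why a forensic report pairs the hash with file-system metadata (name, mode, timestamps) rather than relying on the digest alone.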

Check Your Work


4 points possible (ungraded)

Answer these questions to check your results

Which of these changes to the original file changed the file’s hash value?

Changing one character

Yes

No


Changing the filename.

Yes

No

Changing the file permission

Yes

No


Creating a symlink

Yes

No

Unit 1 Quiz

COMPUTER FORENSICS FUNDAMENTALS UNIT QUIZ

The result of this graded quiz is part of your final grade and you are only allowed one attempt per
question.
This quiz is open to all students. Students who are seeking a verified certificate must achieve a final
course grade average of at least 80%.

Unit 1: Question 1
1 point possible (graded)

Why would you wipe a hard disk of the forensics machine before data acquisition?

To make sure unwanted data is not retained on a disk

To remove finger prints

To ensure it has enough space

Data on a hard disk cannot be overwritten


Unit 1: Question 2
1 point possible (graded)

After acquiring the volatile data, how should you shut down a desktop computer for a non-volatile
data acquisition?

Performing a graceful shut down

Pulling the plug from the computer

Either of the above



Unit 1: Question 3
1 point possible (graded)

Which of these will create a bit-stream image?

cp

dump

FTK Imager

tar


Unit 1: Question 4
1 point possible (graded)

When calculating hashes on files and file systems, why should you use two different hashing
algorithms (for example: md5 and sha1)?

Using an alternate algorithm ensures the minimum number of bit-comparisons can be
performed.

Using a second hashing algorithm provides additional functions that enhance the perceived
file content

A second hashing algorithm can help the hash performance.

If one hash is questioned, the second can help provide an alternate data validation
mechanism.


Unit 1: Question 5
1 point possible (graded)

True or False: Changing a file's permission(s) will change the file's hash result.

True

False


Unit 1: Question 6
1 point possible (graded)

If a hard disk contains multiple partitions, a hash of this hard disk using a hash
algorithm________:

computes a hash of the first partition only

computes a hash of the entire hard disk

computes a hash of the existing files only

does not include deleted data


Unit 1: Question 7
1 point possible (graded)
When collecting evidence from a suspect machine for a forensic investigation, all output should
be directed to:

The internal hard disk of the suspect machine

An external disk or storage media that has been wiped clean

Either of the above


Unit 1: Question 8
1 point possible (graded)

Which of the following is nonvolatile data?

Processes running in memory

Memory (RAM)

Open-files (The files that are currently being accessed by one or more processes)

Data stored on a USB flash drive

Network connections


Unit 1: Question 9
1 point possible (graded)
True or false: Forensic Chain-of-custody maintains a record of how evidence has been handled
from the moment it was collected to the moment it is presented in a court.

True

False


Unit 1: Question 10
1 point possible (graded)

In 1999, Farmer and Venema presented the forensic process and the first computer forensics
suite called__________ that marked the beginning of the computer forensics field.

FTK Imager

Forensic Suite

The Coroner's Toolkit (TCT)

Sleuthkit


Introduction

Unit 2: Linux/Unix Acquisition


Upon completion of this unit, you will be able to:

- State the process for data acquisition from a Linux/Unix system
- Describe the challenges and process to capture volatile data from a Linux/Unix system
- Use forensic tools to gather volatile data from a Linux/Unix system
- Use forensic tools to generate and validate a forensic device image from a Linux/Unix system

Working in Linux
In the next two units, we will focus on obtaining and analyzing data from Linux systems.
If you are unfamiliar with Linux, please review these resources before starting this Unit's
lessons.

- Understanding Linux file permissions
- Linux commands man pages
- Linux Tutorial, Ryan's Tutorials

Instructions for downloading virtual Linux machines on Windows and Mac systems are
posted in the Activity and Discussion section.

This unit contains the following learning activities:

Video Lectures
(mm:ss) indicates the time for video lectures

- Acquisition Preparation and System Information Acquisition (10:39)
- Collect Information from a Live System Demo (12:00)
- Memory Acquisition (2:50)
- Demo: Linux Memory Dump (7:17)
- Forensic Imaging of Drives (6:05)
- Using dd Continued (7:49)
- Demo: dd and netcat (11:19)

Additional Resources

- Linux/Unix Acquisition
- Lecture Slides

Activity and Discussion

- Preparation: Linux Virtual Workstation
- Activity: Practicing Linux/Unix Commands
- Activity: Using dd to Copy and Compare Files
- Activity: Imaging with Netcat
- Discussion: Acquisition Tools

Graded Unit Quiz

- Linux/Unix Acquisition Quiz

Preparation: Linux Virtual Workstation



PREPARATION: LINUX VIRTUAL WORKSTATION

This activity is ungraded

The optional activities in Units 2 and 3 take place in a Linux system environment using SANS SIFT
Workstation, a collection of forensic tools.

WINDOWS AND LINUX USERS


Download VMware Workstation Player

Windows and Linux users can download VMware Workstation Player, a free desktop application that
lets you run a virtual machine on a Windows or Linux PC.

VMware Workstation Player download

Follow the instructions at the website to install VMware Workstation Player.

Download SANS SIFT Workstation

You have to create an account in order to download the free SANS SIFT Workstation. 

SANS SIFT Workstation download

(If you cannot download from the SANS site after multiple attempts, please use this alternative.)

Extract the SIFT Workstation .zip file.

Create your SIFT virtual machine

1. Start the VMware Workstation Player, and use Open a Virtual Machine to open the SIFT virtual
machine. 

2. Navigate to the SIFT Workstation folder and open SIFT3xxx.ovf.

3. Import the SIFT Virtual machine to your desired location.

4. When you start SANS SIFT Workstation you will be prompted for a username and password:

- Default username: sansforensics
- Default password: forensics

You can now begin the activities.

MAC USERS

Download VirtualBox

VMware Workstation Player does not support Macintosh. Macintosh users can download VirtualBox to
run SANS SIFT Workstation.
VirtualBox download

Follow the instructions at the website to install VirtualBox.

Download SANS SIFT Workstation

Download SANS SIFT Workstation. You have to create an account to download the free software as a
.zip file.

SANS SIFT Workstation download

Extract the .zip file.

Open and configure VirtualBox

1. Open VirtualBox from “Applications” or from “Search” (The magnifying glass present at the top
right side of desktop)

2. When prompted for Name and Operating System:

- Name: enter SANS_SIFT
- Type: select Linux
- Version: select Ubuntu (64-bit)

3. When prompted for Memory Size, at least 2GB (2048) is needed for optimum performance. 4GB
(4096) is recommended. Slide the slider to increase the memory and press Continue.

4. When prompted for Hard disk, select Use an existing virtual hard disk file.

5. Select the SANS appliance SIFT3_-_Distro_Version-disk1.vmdk from the drop-down
menu, then press Create.

6. VirtualBox will automatically create the virtual machine. Press Start.

7. Press Enter. Sometimes the /cases drive will not be automatically mounted and the boot process
will halt. You can press S to skip it; this can be ignored.

8. SIFT Workstation will open. You will be prompted for a username and password:

- Default username: sansforensics
- Default password: forensics

You can now begin the activities.

If you want to make the virtual machine full-screen:

1. Install the VirtualBox guest utilities by entering the command sudo apt-get install
virtualbox-guest-utils.

2. When asked if you want to continue, enter y.

3. Reboot your SIFT virtual system.

You should now have a significantly better screen with a higher resolution.

Activity: Practicing Linux/Unix Commands


ACTIVITY: PRACTICING LINUX/UNIX COMMANDS

Time: This activity should take you approximately 60 minutes to complete.

SOFTWARE

If you are not using a Linux machine, you’ll need to download SIFT Workstation 3 for this exercise. Note
that you have to create your own account for this download.

GOAL

In this activity, you will practice a set of basic Linux/Unix commands commonly used by an incident
responder to identify security breaches from a live suspect system, as if you were examining a suspect
machine that has not been shut down.

You may want to review my demonstration Collect Information from a Live System before beginning this
activity.

INSTRUCTIONS

1. Launch SIFT Workstation 3. The default login username is sansforensics, and the default
password is forensics.

2. Open a terminal and listen on port 8888 by running: nc -l 8888 &

3. Use the command's man page (for example, man ifconfig) to check each command's description and
its main options before you practice the command.

4. Practice each command to understand how you can use the result for your investigation.

5. When you are finished, answer the Check Your Work questions.

To display                                                              Command
----------------------------------------------------------------------  ------------------
current system date and time                                            date
when the system was rebooted                                            uptime -p
system information                                                      uname -
whether a network interface is running in promiscuous mode              ifconfig
unusual and suspicious processes and services                           ps -eaf
network connections                                                     netstat
                                                                        lsof -i
open (in memory) but unlinked files (requested for deletion)            lsof +L1
files opened by the process PID                                         lsof -p (P
currently logged in users (three options)                               w
                                                                        who
                                                                        users
all root-owned (uid=0) SUID files                                       find / -ui
logged general system activities                                        tail -f /va
a list of all users with last login (and logout) times
  stored in the log file /var/log/wtmp                                  last
any regular files in /directory_path modified within 1 day (24 hours)   find /dire
free disk space                                                         df
amount of free and used physical and swap memory in the system          free
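The live-system commands in the table are normally run one at a time and their output copied by hand. The script below is an added example, not course material: it runs a caller-supplied list of such commands, writes each output to its own file in an evidence directory (in a real case that directory sits on wiped external media, never on the suspect's disk), and keeps a manifest with the UTC time, the command and the SHA-1 of each output so the collection can be validated later. Tools missing on the box are recorded as "missing" rather than aborting the run. The use of uname -a, the file-name scheme and the manifest layout are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the course page): collect volatile data from a live
# system into an evidence directory with a hashed manifest. Assumes POSIX sh,
# coreutils date/mkdir and sha1sum (or shasum -a 1 as a fallback).

sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
    else shasum -a 1 "$1" | cut -d' ' -f1; fi
}

utc_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# collect_volatile <evidence_dir> <command>...
# Each argument is one command line (program plus options). Output of command
# N goes to <evidence_dir>/NN_<program>.txt; manifest.txt gets one tab-separated
# row per command: time, status (ok|missing), command, sha1, output path.
# Prints the number of commands whose output was captured.
collect_volatile() {
    outdir=$1; shift
    mkdir -p "$outdir"
    manifest="$outdir/manifest.txt"
    : > "$manifest"
    n=0; captured=0
    for cmd in "$@"; do
        n=$((n + 1))
        prog=${cmd%% *}                              # program name = first word
        out="$outdir/$(printf '%02d' "$n")_$prog.txt"
        if command -v "$prog" >/dev/null 2>&1; then
            # shellcheck disable=SC2086 -- split the command string into words on purpose
            $cmd > "$out" 2>&1 || true               # a failing tool must not stop the run
            printf '%s\tok\t%s\t%s\t%s\n' "$(utc_now)" "$cmd" "$(sha1_of "$out")" "$out" >> "$manifest"
            captured=$((captured + 1))
        else
            printf '%s\tmissing\t%s\n' "$(utc_now)" "$cmd" >> "$manifest"
        fi
    done
    echo "$captured"
}

# count_manifest <evidence_dir> <status>: number of manifest rows with that status.
count_manifest() { awk -F'\t' -v s="$2" '$2 == s' "$1/manifest.txt" | wc -l | tr -d ' '; }

# Stand-alone run over the commands from the table (ps, netstat, lsof, w, last
# or free may be absent on a minimal box and will be listed as "missing").
evidence=$(mktemp -d)
collect_volatile "$evidence" "date" "uptime -p" "uname -a" "ps -eaf" "netstat" "lsof -i" \
    "w" "who" "users" "last" "df" "free" >/dev/null
echo "evidence written to $evidence"
cat "$evidence/manifest.txt"
```

Hashing each output file at collection time is what lets the investigator later show that the captured text is the text that was examined; the manifest row is the first link in the chain of custody the Unit 1 quiz asks about.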

Check Your Work


4 points possible (ungraded)
Based on your results, answer these questions:

Which commands can be used to display TCP network connections? (Select all that
apply.)

netstat -at

netstat -au

lsof -i

lsof +L1

ifconfig

Using lsof -i, do you see the open port 8888 on the SIFT system? Which process (program)
opened this port?

Yes; nc

Yes; do not know which process

No

How can you identify the files opened by a specific process ID, PID?

ps -p PID

lsof -p PID

ls -l | find -p PID

it is not possible

What command can you use to find all root-owned SUID files in the system?

find / -uid 0 -perm -2000 2>/dev/null

find / -uid 0 -perm -4000 2>/dev/null

find / -perm -4000 2>/dev/null

find / -perm -1000 2>/dev/null

Activity: Using dd to Copy and Compare Files


ACTIVITY: USING DD TO COPY AND COMPARE FILES

Time: This activity should take you approximately 30 to 60 minutes to complete.

SOFTWARE

If you are not using a Linux machine, you’ll need to download SIFT Workstation 3 for this exercise.

USB DRIVE

For this activity, you will need a USB drive as described in the Software and Equipment page.

GOAL

After capturing volatile system information, the next step is to acquire nonvolatile data on the suspect
machine. In this activity, we will use the *nix dd utility and several of its options to copy a file, image a
drive, and also use hashes to check the integrity of the copies.

You may want to review my dd and nc Demo before beginning this activity.

INSTRUCTIONS

1. Launch SIFT Workstation 3 and open a terminal.

2. Use the command dd to copy an existing file on your computer. Name the new file copy.dd.

3. Using md5sum, create MD5 hashes of the original file and the copy.

4. Compare the hash of the copy to the hash of the original file; confirm that the hashes are the
same.

5. Repeat Steps 3 and 4 using shasum to generate SHA1 hashes.

6. Use dd to copy one block of zeros from /dev/zero to a file called zero.dd.
(Hint: use the dd option count.)

7. Insert the USB drive and connect your USB to SIFT Workstation 3. The USB drive should
auto-mount. (NOTE: In a real investigation, you should use a write blocker to prevent the SIFT Workstation
from modifying the USB drive.)

8. Run the command mount to find the USB device file name. You will use the device file name in
the dd command to make a full image of your USB.
For example, my USB's device file is /dev/sdc1; it is mounted on /media/sansforensics/B86D-C764.

9. Use dd to make a full image of your USB flash drive. Name the image usb.dd.
(Hint: dd if=/dev/sdc1 of=usb.dd)

10. Create both MD5 and SHA1 hashes of the USB flash drive.
(Hint: md5sum /dev/sdc1; shasum /dev/sdc1)

11. Create both MD5 and SHA1 hashes of the USB image.
(Hint: md5sum usb.dd; shasum usb.dd)

12. Make sure that:

   - The MD5 hash of the USB flash drive matches the MD5 hash of the USB image
   - The SHA1 hash of the USB flash drive matches the SHA1 hash of the USB image

13. Answer the Check Your Work questions.
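Steps 2 to 6 and 9 to 12 carried out in script form, and extended with the skip= and count= carve of one partition out of a whole-drive image that the Unit 2 quiz asks about. This is an added example and not the course's own code; it assumes a 512-byte sector size (read it from fdisk or mmls on real media), constructs an 8-sector stand-in for a drive image in a temporary directory instead of touching a USB device, and uses md5sum and sha1sum (shasum as a fallback).

```shell
#!/bin/sh
# Added example (not from the course page): dd copy with two-algorithm hash
# verification, the one-block /dev/zero file, and carving a partition out of a
# constructed drive image with skip= and count=. Sector size 512 is assumed.

md5_of()  { md5sum "$1" | cut -d' ' -f1; }
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
    else shasum -a 1 "$1" | cut -d' ' -f1; fi
}

# dd_copy_verify <src> <dst>: copy with dd, then compare MD5 and SHA-1 of the
# source and the copy (steps 2-5). Prints "match" or "MISMATCH".
dd_copy_verify() {
    dd if="$1" of="$2" bs=4096 2>/dev/null || return 1
    if [ "$(md5_of "$1")" = "$(md5_of "$2")" ] && [ "$(sha1_of "$1")" = "$(sha1_of "$2")" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# zero_block <path>: one 512-byte block of zeros (step 6, count=1); prints its size.
zero_block() { dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null; wc -c < "$1" | tr -d ' '; }

# make_drive_image <path>: constructed 8-sector "drive". Sectors 0-1 stand in
# for the partition table; the partition starts at sector 2 and its first
# sector carries a recognisable marker so a carve can be checked.
make_drive_image() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    printf 'PART-MAGIC' | dd of="$1" bs=512 seek=2 conv=notrunc 2>/dev/null
}

# carve <image> <out> <start_sector> <sector_count>: skip= moves the read
# position to the partition start, count= stops at the partition end.
carve() { dd if="$1" of="$2" bs=512 skip="$3" count="$4" 2>/dev/null; }

# carved_marker <image>: carve the 6-sector partition, check its length, and
# return the marker text (NUL padding stripped).
carved_marker() {
    tmp=$(mktemp)
    carve "$1" "$tmp" 2 6
    [ "$(wc -c < "$tmp" | tr -d ' ')" -eq 3072 ] || { rm -f "$tmp"; return 1; }
    tr -d '\000' < "$tmp"
    rm -f "$tmp"
}

# Stand-alone run
work=$(mktemp -d)
printf 'constructed sample file\n' > "$work/original"
echo "copy.dd:       $(dd_copy_verify "$work/original" "$work/copy.dd")"
echo "zero.dd bytes: $(zero_block "$work/zero.dd")"
make_drive_image "$work/drive.dd"
echo "carved marker: $(carved_marker "$work/drive.dd")"
rm -rf "$work"
```

On a whole-drive image the start sector and length for carve come from the partition table (mmls in Unit 3); the same two numbers are what the quiz's "skip and count" answer refers to.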

Activity: Imaging with netcat


ACTIVITY: IMAGING WITH NETCAT OVER A NETWORK (ADVANCED)

Time: This activity should take you approximately 20 minutes to complete.

SOFTWARE

If you are not using a Linux machine, you’ll need to download SIFT Workstation 3 for this exercise.

GOAL

In this activity, we will explore how netcat (nc) can be used for receiving data over a network.

Sometimes, investigators will capture data from a suspect machine and send data to another networked
computer (a forensic machine). In this activity, you will mimic this process by sending the capture data
from one terminal to another terminal on the same machine.

You may want to review my dd and nc Demo before beginning this activity.

INSTRUCTIONS

1. Launch SIFT Workstation 3.

2. Open two terminals on SIFT Workstation 3. One terminal represents a forensic machine; the
other represents the suspect machine.

3. On the forensic machine terminal, use nc -l to listen on port 8888 for the incoming data. Save the
received data as ncData.dd.
(Hint: nc -l 8888 > ncData.dd)

4. On the suspect machine terminal, use dd to copy an existing file and pipe (|) it to netcat (nc),
sending the copy of the file to the forensic machine terminal.
Since we are sending data to the same machine, we use the localhost IP address 127.0.0.1. If you send
data to a networked machine, replace 127.0.0.1 with the receiving machine's IP address.
(Hint: In our case, we run dd if=the-original-file | nc 127.0.0.1 8888)

5. Generate MD5 and SHA1 hashes of ncData.dd and compare them with the original file's MD5
and SHA1 hashes.

6. Answer the Check Your Work questions.

Check Your Work


3 points possible (ungraded)
Please enter your answers carefully, including all spaces and pipes as you would when
entering commands to a system.

What nc command did you use on the forensic machine to receive data on port 8888
and save the received data as myData.dd?

What command did you use on the suspect machine to send a dd copy to the listening
forensic machine on a different terminal of the same machine?

What command did you use on the suspect machine to send the information of currently
logged in users to the same listening forensic machine?

Unit 2: Question 1
1 point possible (graded)

What information is typically lost when a computer is shut down? (Select all that apply.)

Current network connections

Data in RAM

/etc directory on disk


Running processes


Unit 2: Question 2
1 point possible (graded)

To find out when a Linux machine was rebooted, a forensic investigator uses the command:

uname

uptime

date

ifconfig


Unit 2: Question 3
1 point possible (graded)

To find a root-owned SetUID (SUID) file, we use the command:

(Hint: watch the demonstration video Collect Information from a Live System)

egrep -uid 0 suid

find / -uid 0 -perm -4000 2>/dev/null

ls / | egrep suid

which suid


Unit 2: Question 4
1 point possible (graded)

Which of these commands can transfer the retrieved data from one system to another?

transfer

pipe

nc

netstat


Unit 2: Question 5
1 point possible (graded)

When using netcat to transfer a dd image of an entire drive across a network to a machine with
the IP address 10.1.0.1 listening on port 9999, which command would be used to invoke netcat
on the receiving machine?

nc -l 9999 | hda.dd

dd if=/dev/hda | nc 10.1.0.1 9999

nc -l 9999 > hda.dd

dd if=/dev/hda | nc -l 9999


Unit 2: Question 6
1 point possible (graded)

Which of these is not a forensic imaging tool?

dcfldd

dd

ldd

sdd


Unit 2: Question 7
1 point possible (graded)

Which of these tools can acquire memory remotely?

Fmem

F-Response

Linux Memory Extractor (LiME)

Memdump

Unit 2: Question 8
1 point possible (graded)

True or False: When you use FTK Imager to acquire a disk image, you do not need to
use a write blocker.

True

False


Unit 2: Question 9
1 point possible (graded)

When using dd to carve out the data that belongs to a partition from a whole drive dd image, we
use dd with options ____.

bs and count

conv

seek and count

skip and count


Unit 2: Question 10
1 point possible (graded)

Which of these Linux/Unix commands will show a list of network connections on a Linux/Unix
system? (Select two.)

netstat

uptime

lsof

ps

Unit 3: Unix/Linux File System


Upon completion of this unit, you will be able to:

- Describe the disk structure of Linux/Unix systems
- Explain how files are created and deleted in Linux/Unix systems
- Use Sleuthkit to analyze and uncover data

This unit contains the following learning activities:

Video Lectures
(mm:ss) indicates the time for video lectures

- Booting Process (11:11)
- Linux/Unix File Systems (9:38)
- Sleuthkit and Autopsy (5:45)
- Sleuthkit Continued (4:13)
- Sleuthkit Demo (27:15)

Additional Resources

- Unix/Linux File System
- Lecture Slides
- Sleuthkit Slides

Activity and Discussion

- Activity: Using Sleuthkit Commandline
- Discussion: Recovering Deleted Files

Graded Unit Quiz

- Unix/Linux File System Quiz

Activity: Using Sleuthkit Commandline



ACTIVITY: USING SLEUTHKIT COMMANDLINE

Time: This activity should take you approximately 30 to 60 minutes to complete.

DOWNLOADS

SANS Investigative Forensic Toolkit (SIFT) Workstation


- Note: You have to create your own account for this SIFT workstation download.

Download the image file, Linux Financial Case.001. Extract the .zip file and validate its hash values for both
MD5 and SHA1.

- MD5 (Linux Financial Case.001) = 7b39de0ca146c89ad73d1d421c8f7a05
- SHA1 (Linux Financial Case.001) = c7b06f006ff79711e692bd2620aba4cc2a4426d2

GOAL

During this unit, we looked at Sleuthkit. In this exercise, we’ll practice using the Sleuthkit tools at data
layer, meta data layer, file system layer and file name layer.

The steps provided here are only guidelines. Please feel free to try a variety of Sleuthkit tools with
different options to fully understand this powerful toolkit.

You may want to review my demonstration video Sleuthkit Commandline Demo before beginning
this activity.

INSTRUCTIONS

Launch SIFT Workstation 3. The default login username is sansforensics, and the default password
is forensics

Use the Sleuthkit commandline tools to analyze the image file you are using. (If you are not using Linux
Financial Case.001 as the image file, replace Linux\ Financial\ Case.001 with the name of the file you are
using in the commands listed.)

1. Open the SANS Investigative Forensic Toolkit (SIFT) Workstation.

2. Find the offset of the starting sector for the partition.
   Command: mmls imageName

3. Find the image's file system information (use the offset you got from mmls in step 2).
   Command: fsstat -o offset imageName

4. Use fls to list all deleted files and directories.
   Command: fls -o offset -rf ext2 -d -m "/" Linux\ Financial\ Case.001 > flsBody

5. Use ils to list all deleted inodes' information.
   Command: ils -o offset -rf ext2 -m Linux\ Financial\ Case.001 > ilsBody

Choose an inode from your fls list, for example, 46082. (If you use a different inode, replace 46082 with
the appropriate number in these exercises.)

6. Use istat to view the details of this inode number.
   Command: istat -o offset -f ext2 Linux\ Financial\ Case.001 46082

7. Use icat to dump out the data.
   Command: icat -o offset -f ext2 Linux\ Financial\ Case.001 46082

8. Find its filename.
   Command: ffind -o offset -f ext2 Linux\ Financial\ Case.001 46082

Choose a datablock number from your istat result, for example, 197122. (If you use a different datablock
number, replace 197122 with the appropriate number in these exercises.)

9. Dump out the data content.
   Command: blkcat -o offset -f ext2 Linux\ Financial\ Case.001 197122

10. Find the inode number that this datablock belongs to.
    Command: ifind -o offset -f ext2 -d 197122 Linux\ Financial\ Case.001

11. Answer the Check Your Work questions.
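The steps above as one script, added here as an example and not part of the course materials: it parses a constructed mmls table (not output from Linux Financial Case.001) to get the -o offset, converts it to bytes for mount, and runs the Sleuthkit tools only when they are installed and an image path is passed as the first argument; the inode and block numbers default to the ones used above.

```shell
#!/bin/sh
# Added example (not part of the course page): the Sleuthkit walk above as one
# script. The mmls table below is constructed sample output, not output from
# Linux Financial Case.001; the image path, if any, comes from argument 1.

SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)'

# partition_start MMLS_OUTPUT [PATTERN]
# Prints the Start sector of the first partition row whose description matches
# PATTERN (default "Linux"). Partition rows look like "NNN:  slot  start  end
# length  description"; the Meta and Unallocated rows simply never match.
partition_start() {
    printf '%s\n' "$1" | awk -v pat="${2:-Linux}" '
        $1 ~ /^[0-9]+:$/ && $3 ~ /^[0-9]+$/ && $0 ~ pat { print $3 + 0; exit }'
}

# sectors_to_bytes SECTORS [SECTOR_SIZE]
# The -o option of fsstat, fls, ils, istat, icat, ffind, blkcat and ifind takes
# sectors, exactly as mmls prints them; "mount -o loop,offset=" wants bytes.
sectors_to_bytes() {
    echo $(( $1 * ${2:-512} ))
}

# tsk_walk IMAGE OFFSET INODE BLOCK
# Steps 3 to 10 of the activity, one abstraction layer at a time; flsBody and
# ilsBody are written in mactime format for the next activity.
tsk_walk() {
    image=$1; off=$2; inode=$3; block=$4
    fsstat -o "$off" "$image"                                       # file system layer
    fls -o "$off" -rf ext2 -d -m "/" "$image" > flsBody             # file name layer
    ils -o "$off" -rf ext2 -m "$image" > ilsBody                    # metadata layer
    istat -o "$off" -f ext2 "$image" "$inode"                       # inode details
    icat -o "$off" -f ext2 "$image" "$inode" > "inode_$inode.bin"   # inode content
    ffind -o "$off" -f ext2 "$image" "$inode"                       # inode -> name
    blkcat -o "$off" -f ext2 "$image" "$block" > "block_$block.bin" # data layer
    ifind -o "$off" -f ext2 -d "$block" "$image"                    # block -> inode
}

# Stand-alone run: parse the constructed table, then walk a real image only
# when an image path is given and the Sleuthkit tools are installed.
start=$(partition_start "$SAMPLE_MMLS")
echo "first Linux partition starts at sector $start ($(sectors_to_bytes "$start") bytes)"
if [ -n "${1:-}" ] && command -v mmls >/dev/null 2>&1; then
    tsk_walk "$1" "$(partition_start "$(mmls "$1")")" "${2:-46082}" "${3:-197122}"
fi
```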

Check Your Work


4 points possible (ungraded)
What type of file system is the image used in these exercises?
Ext 2
Ext 3
FAT 12
FAT 16
In which scenarios do you have to use the offset option -o for a Sleuthkit command?
when a given image is a partition image instead of a drive image
When analyzing a partition that starts at an offset which is not 0 in a given drive image
You have to use this option in any scenario
You need not use this option since Sleuthkit can figure it out
True or False: Given an ext2 partition image, if inode 100 contains two block addresses,
block 1000 and block 1001, "icat -f ext2 image 100" will dump out the same content as
the command "blkcat -f ext2 image 1000".
True
False
True or False: In Sleuthkit Commandline Demo, I showed you the difference between a
hard link and a soft link. The statement of “a hard link and its original file share the same
inode” is:
True
False

Unit 3: Question 1
1 point possible (graded)

Which of the following is not an abstraction layer of the file system in Sleuthkit?

Data Layer

File System Layer

Meta-data Layer

Network Layer

Physical Layer

Unit 3: Question 2
1 point possible (graded)

In an ext2 filesystem, if a file is deleted and its inode content is still intact, are you able to
recover the file’s data block addresses?

You can recover the file's data block addresses


You can never recover the file's data block addresses

Sometimes you can, sometimes you cannot.

Unit 3: Question 3
1 point possible (graded)

To list all of the inodes of deleted files, you can use: (Select two.)

blkcat

blkls

fls

ils

Unit 3: Question 4
1 point possible (graded)

Given a data block number, which tool will map the block number to its corresponding inode
number?

istat

icat
ifind

ils

Unit 3: Question 5
1 point possible (graded)

Given an image file and the offset where a partition starts, which command is the best to get the
block size and the file system type of the partition?

fdisk

file

fsstat

strings

Unit 3: Question 6
1 point possible (graded)

Which of these commands will list all of the partition information of a hard drive defined in the
Master Boot Record? (Select two.)

fdisk

find
fsstat

mmls

Unit 3: Question 7
1 point possible (graded)

In Linux ext file systems, a file’s data block addresses/numbers are stored in

the file’s parent directory

the superblock of the file system

the file's inode

the file's data content

Unit 3: Question 8
1 point possible (graded)

In Linux ext file systems, the mapping between a filename to its inode is stored in _______.

the file's inode

the superblock of the file system

the file's datablocks


the file's parent directory's datablocks

Unit 3: Question 9
1 point possible (graded)

Superblock contains following information: (Select all that apply.)

Total number of inodes and blocks

What data is kept in each data block

Number of free disk blocks and number of free inodes

Block size

Unit 3: Question 10
1 point possible (graded)

Which of the following is not a true statement about the master boot record (MBR)?

MBR is 512 bytes in total

MBR contains partition information

MBR identifies the active partition

MBR can support up to 128 primary partitions on a disk


Activity: Practicing Sleuthkit Mactime

ACTIVITY: PRACTICING SLEUTHKIT MACTIME

Time: This activity should take you approximately 20 minutes to complete.

SOFTWARE

In this activity, you’ll again work with SANS SIFT Workstation and Sleuthkit in a virtual Linux machine. If
you didn’t set up a virtual machine in Unit 2, please see Preparation: Linux Virtual Workstation.

GOAL

In Unit 3, you used ils and fls to list the files and directory names in ilsBody and flsBody. Now you’ll create
a timeline of these files and also explore if and how this timeline can be changed using the Linux
command touch.

You may want to review my demonstration video Mactime Demo before beginning this activity.

INSTRUCTIONS

1. Open SANS Investigative Forensic Toolkit (SIFT) Workstation and use the default login:
 username: sansforensics

 password: forensics

2. Use the Linux/Unix utility touch to create a file called myFile. Check the mac time using stat.

 Command: touch myFile; stat myFile

3. Change the access time of myFile to '2018-06-03 08:46:26', and verify the change.

 Command: touch -a -d '2018-06-03 08:46:26' myFile; stat myFile

4. Use Sleuthkit’s mactime to create a timeline of the files you created in Unit 3 as flsBody. Save the
timeline in a file called flsMactime and examine the timeline.

 Command: mactime -b flsBody -d > flsMactime.csv

5. Use mactime to create a timeline of the files you created in Unit 3 as ilsBody. Save the timeline in a file
called ilsMactime and examine the timeline.

 Command: mactime -b ilsBody -d > ilsMactime.csv

6. Answer the Check Your Work questions.
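An added example, not part of the course page, that reproduces what mactime -b does with flsBody and ilsBody: each body entry is expanded into one row per distinct timestamp, the rows are sorted ascending by time, and the m/a/c/b column records which of the four times matched. The three body entries are constructed, not taken from Linux Financial Case.001.

```shell
#!/bin/sh
# Added example (not part of the course page): expands a Sleuthkit body file
# (the "fls -m" / "ils -m" format that mactime -b reads) into a time-sorted
# timeline the way mactime does, so the sort key and the macb column are visible.
# The entries below are constructed, not taken from Linux Financial Case.001.

# TSK body format:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY='0|/report.xls|46082|r/rrw-r--r--|1001|1001|24576|1447440000|1447430000|1447430000|0
0|/tmp/old.log (deleted)|23041|r/rrw-------|1000|1000|512|1447450000|1447450000|1447451000|0
0|/bin/tool|100|r/rrwxr-xr-x|0|0|8192|1447420000|1447420000|1447420000|0'

# body_to_events BODY
# One line per distinct timestamp of each entry,
# "epoch|macb|size|mode|uid|gid|inode|name", sorted ascending by epoch.
# A letter in the macb column means that time equals the epoch of the row; a dot
# means it differs. A zero time is skipped, as mactime does (ext2 has no crtime).
body_to_events() {
    printf '%s\n' "$1" | awk -F'|' '
        NF >= 11 {
            split("", seen)
            # fields 8..11 are atime, mtime, ctime, crtime
            for (i = 8; i <= 11; i++) {
                t = $i
                if (t == 0 || (t in seen)) continue
                seen[t] = 1
                macb = ($9 == t ? "m" : ".") ($8 == t ? "a" : ".") \
                       ($10 == t ? "c" : ".") ($11 == t ? "b" : ".")
                print t "|" macb "|" $7 "|" $4 "|" $5 "|" $6 "|" $3 "|" $2
            }
        }' | sort -t'|' -k1,1n
}

# timeline BODY
# Human-readable form in mactime -d column order (Date,Size,Type,Mode,UID,GID,
# Meta,File Name) with the "Day Mon dd yyyy hh:mm:ss" date mactime prints.
# GNU date (SIFT) is tried first, BSD/macOS date second.
timeline() {
    body_to_events "$1" | while IFS='|' read -r t macb size mode uid gid inode name; do
        when=$(date -u -d "@$t" '+%a %b %d %Y %H:%M:%S' 2>/dev/null \
               || date -u -r "$t" '+%a %b %d %Y %H:%M:%S')
        printf '%s,%s,%s,%s,%s,%s,%s,%s\n' "$when" "$size" "$macb" "$mode" "$uid" "$gid" "$inode" "$name"
    done
}

# Stand-alone run on the constructed body. For a real body file from the
# previous activity, run: timeline "$(cat flsBody)"
printf 'Date,Size,Type,Mode,UID,GID,Meta,File Name\n'
timeline "$SAMPLE_BODY"
```

Entries with the same timestamp collapse into one row, which is why the timeline can have a different number of rows than the body file has entries.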

Check Your Work


4 points possible (ungraded)
The command to change the modification time of myFile to '2018-06-03 08:46:26' is:
touch -a -d '2018-06-03 08:46:26' myFile
touch -c -d '2018-06-03 08:46:26' myFile
touch -m -d '2018-06-03 08:46:26' myFile
You cannot change the time to a future time.
True or false: Touch cannot change a file’s change time.
True
False
Mactime sorts the body file in ascending order by:
File size
inodeNumber
Day Month date year hh:mm:ss
UID
True or false: The number of entries in ilsMactime is the same as the number of entries
in flsMactime.
True
False

Activity: Practicing Autopsy



ACTIVITY: PRACTICING AUTOPSY

Time: This activity should take you approximately 60 minutes to complete.

SOFTWARE

In this exercise, you will use Autopsy, a GUI-based front-end for Sleuthkit, to analyze files. While
Sleuthkit/Autopsy is cross-platform, you will use Autopsy for Windows. Download and install
Autopsy on your Windows system or virtual Windows machine.

 Autopsy download
 Autopsy User Guide

You will also use the data file image Linux Financial Case.001 used in the Unit 3 activities. After you download
and extract the image .zip file, validate both its MD5 and SHA1 hash values:

 MD5 (Linux Financial Case.001) = 7b39de0ca146c89ad73d1d421c8f7a05

 SHA1 (Linux Financial Case.001) = c7b06f006ff79711e692bd2620aba4cc2a4426d2

GOAL

In this exercise, you will practice the forensic tool Autopsy and use it to examine files’ ownership and
permissions given a device image.

You may want to review my demonstration video Autopsy Demo to learn the Autopsy basics before
beginning this activity.

CASE SCENARIO

Mark Watson works as a Director of Finance at an advertising firm. He has been accused of illegally
providing the annual financial report (Earnings.xls) to a contractor, Frank Lewis, to influence his next
contract with the firm. Mark has denied sharing any document with Frank.

The IT administrator informed you that there is a Linux-based file server in the office where all employees
save the official documents. Mark and Frank each have their own folders on this server.

You have been given the image of the hard drive, Financial Case.001, to find evidence proving that
Frank has permission to read the financial report Earnings.xls.

INSTRUCTIONS

Create the case

1. Launch Autopsy from the Toolbox folder on the desktop.

2. Select > Create New Case

3. Name the case Financial Case.

4. Use the default Base Directory (Desktop) where Autopsy will store the Case data
in Desktop\Financial Case.

5. Enter the Case Number as 1 and enter your name as Examiner.


6. Click Finish. You will see the "Add Data Source" window.

7. Select Data source type. Choose Disk Image or VM File. Browse and select the path to the
file Linux Financial Case.001.

8. Select your local time zone and click Next. You will see the Ingest (processing) Modules window.
NOTE: When you acquire a computer as evidence it is important to make note of the computer's time and
time zone, especially if you need to correlate evidence from different time zones. You should never
assume the time or time zone on a computer is correct.

9. Select the Ingest Modules. Leave all modules checked. Click Next, then click Finish.
NOTE: Ingest modules analyze the data in a data source. They perform all of the analysis of the files and
parse their contents.

You will see "Analyzing files from Financial Case.001" status at the lower right corner of the Autopsy
Screen.

NOTE: Once you have the case created, you can reopen it at any time in Autopsy using Open Existing
Case, then choose Desktop\Financial Case\Financial Case.aut file.

Explore the image contents and answer questions about the case

The Tree Viewer shows the discovered folders by the data sources they come from, as well as a list of
files in the folders. It is located on the left side of the Autopsy screen. Each folder in the tree on the left
shows how many items are contained within it in parentheses after the directory name.

You can see the Autopsy UI layout here.

Explore the "Data Sources" tree on the left side of the Autopsy screen. When you select a directory in the
tree, the files in that directory are shown in the Table Viewer located on the top right of the Autopsy
screen. It displays the files and their corresponding attributes such as time, path, size, checksum, etc.

Use that information to answer the Case Questions.
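An added example, not from the course page, for the permission question the case turns on: whether a user outside the owning user and group (Frank, for Mark's files) can read a file, given the 10-character Mode strings Autopsy shows in File Metadata. The path and modes below are constructed samples, not values read from the image.

```shell
#!/bin/sh
# Added example (not part of the course page). For a user who is neither the
# owner nor in the owning group, reading a file requires the 'x' (search) bit
# for "others" on every directory on the path and the 'r' bit on the file
# itself. Modes are 10-character ls -l / Autopsy "Mode" strings: type, then
# rwx for owner, group and others. The path and modes are constructed samples.

# others_read_path MODE:NAME ...
# Arguments are the path components from the top down; the last one is the
# file, all earlier ones are directories. Prints the verdict and returns 0 when
# others can read the file, 1 at the first component that blocks them.
others_read_path() {
    total=$#
    i=0
    for entry in "$@"; do
        i=$((i + 1))
        mode=${entry%%:*}
        name=${entry#*:}
        if [ "$i" -lt "$total" ]; then
            # directory: others need search permission (x, or t = sticky plus x)
            case $mode in
                d????????[xt]) ;;
                *) printf 'denied: no search (x) for others on %s\n' "$name"; return 1 ;;
            esac
        else
            # final component: others need the read bit (character 8)
            case $mode in
                ???????r??) printf 'readable by others: %s\n' "$name"; return 0 ;;
                *) printf 'denied: no read (r) for others on %s\n' "$name"; return 1 ;;
            esac
        fi
    done
}

# Stand-alone run: the chain as found, then after each of the two fixes the
# case questions ask about. A soft link in another user's directory does not
# change the outcome: the target's path and mode decide, not the link's.
others_read_path "drwxr-xr-x:/Mark" "drwxr-xr-x:/Mark/Finance_Confidential" "-rw-r--r--:Earning.xls" || true
others_read_path "drwxr-xr-x:/Mark" "drwxr-x---:/Mark/Finance_Confidential" "-rw-r--r--:Earning.xls" || true
others_read_path "drwxr-xr-x:/Mark" "drwxr-xr-x:/Mark/Finance_Confidential" "-rw-r-----:Earning.xls" || true
```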

Case Questions
8 points possible (ungraded)
Browse through Data Sources > Linux Financial Case.001 > vol2. What is the inode
number of Earning.xls? What is the data block number that contains the Earning.xls file
content? (Hint: click the File Metadata tab in the bottom-right pane.)
23041, 43
46082, 24
46082, 197122
When was Earning.xls last modified?
2015-11-13 12:44:28 EST
2015-11-12 22:40:53 EST
2015-11-15 22:34:28 EST
2015-11-15 22:48:32 EST
What are the user and group IDs associated with Earning.xls in the directory 'Mark >
Finance_Confidential'? Hint: check the Table Viewer on the top right pane.
1001, 1001
2002, 2002
1000, 1000
What are the user and group IDs associated with files in the 'Frank' directory? Is it
different from the user and group ID for Earning.xls in Mark's directory?
2002, 2002, Yes
1001, 1001, Yes
100, 100, No
What permissions do 'others' have for the Mark directory and Finance_Confidential
directory? Hint: click the folder in the tree view, then click [current folder] in the Table view,
and look for the information under File Metadata.
read, write, execute
read, write
write, execute
read, execute
What access permission do 'others' have for Earning.xls file? Does this mean that Frank
could read this file?
Read, Yes
Read, No
Write, Yes
Write, No
Do you see any deleted file in Frank’s directory that could be a soft link of Earning.xls?
Hint: The first character in the 'Mode' column will be 'l' and the deleted files are marked
by a red cross.
Frank > appointments4
Frank > documents > work.xls
Frank > bin.xls
How can you change the permission to make 'Earning.xls' file inaccessible by Frank?
(Select two methods)
Remove the read permission of Earning.xls from 'others'
Remove the execute permission of Finance_Confidential (Earning.xls’ parent)
directory from ‘others’
Remove the read permission of Finance_Confidential (Earning.xls’ parent) directory
from ‘others’

Unit 4: Question 1
1 point possible (graded)

Which of the following is a popular open-source forensic analysis tool in use today?

EnCase Forensic

FTK

FTK Imager

Sleuthkit/Autopsy

Unit 4: Question 2
1 point possible (graded)

The Unix command touch is able to modify a file's: (Select two.)


access time

change time

creation time

modification time

Unit 4: Question 3
1 point possible (graded)

What command is designed to display partition information in the unit of a 512-byte sector?

mmls

fdisk

file

diskview

Unit 4: Question 4
1 point possible (graded)

Which of the following are data carving tools? (Select two)?

file
foremost

find

scalpel

Unit 4: Question 5
1 point possible (graded)

True or False: foremost can recover a jpeg file along with its original filename from a given
image if the jpeg file type is specified in the file foremost.conf and the jpeg file content is not
overwritten.

True

False

Unit 4: Question 6
1 point possible (graded)

Recovering deleted files from an ext3/ext4 filesystem is harder than recovering deleted files from
an ext2 filesystem because after a file in an ext3/ext4 filesystem is deleted: (Select two.)

the file's data blocks content is cleaned

the file's data blocks information in its inode is cleared


The file size in the inode is set to zero

The inode content is completely wiped

Unit 4: Question 7
1 point possible (graded)

When mounting an image file instead of a device file using mount in Linux, we use mount with
the option:

dev

device

file

image

loop

Unit 4: Question 8
1 point possible (graded)

Sat Feb. 12 2010 16:40:20 1234 .a. -rwxr-xr-x root root /bin/file_a from a mactime output means
that on Feb. 12, 2010 at 16:40:20, the file /bin/file_a was:

created
last accessed

last changed

last modified

None of the above

Unit 4: Question 9
1 point possible (graded)

To identify and list all SUID / SGID files from a partition, forensic examiners use the command:

find

grep

ls –l

ps

Unit 4: Question 10
1 point possible (graded)

True or False: The command mactime creates a timeline of file activities by sorting file entries
based on files’ filenames.
True

False

Activity: Practicing Volatility



ACTIVITY: PRACTICING VOLATILITY

Time: This activity should take you approximately 30–60 minutes to complete.

SOFTWARE AND DOWNLOADS

SIFT Workstation 3

See Preparation: Linux Virtual Workstation in section 2.3. Volatility is installed on SIFT Workstation.

If you prefer to work on your own system, you can download the latest version of Volatility from The
Volatility Foundation. Volatility supports Windows, Mac OS X, and Linux platforms.

 Volatility download link

 Documentation, including a list of image types that Volatility can analyze

The Malware Analyst’s Cookbook DVD contains an image file you will use during the activity.
 Malware Analyst’s Cookbook DVD download link (.zip file)

 Extract the zip file and save it to your desktop. In the activity you will use the Zeus memory
sample in the folder named “17” and in the sub-folder “1”. Zeus is malware designed to steal
credentials.

GOAL

The open-source Volatility Framework is one of the best memory forensic analysis tools for extracting
valuable information from a memory dump or a .vmem file. In this activity, you will practice Volatility’s
basic plugins for extracting valuable information from a memory image.

In my demonstration video Volatility for Memory Analysis Demo, I use the Zeus memory image from the
Malware Analyst’s Cookbook. You can use that file for the activities as well as your own memory images
or .vmem files.

INSTRUCTIONS

1. Launch SIFT Workstation 3.

2. Run vol.py -h to see Volatility’s options and plugins.

3. Practice these basic plugins to understand how you can use the result for your investigation.

 imageinfo: shows basic system information such as the type of OS

 pslist: lists the processes of a system

 psscan: finds processes that previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit

 pstree: displays the process listing in tree form

 connections: shows the TCP connections that were active at the time of the memory acquisition

 connscan: extracts TCP connections that were active at the time of the memory acquisition and previous connections that have since been terminated

 hivelist: locates the virtual addresses of registry hives in memory and the full paths to the corresponding hive on disk

 hivescan: displays the physical addresses of registry hives in memory

 printkey: displays the subkeys, values, data, and data types contained within a specified registry key

If you are interested in learning other plugins that are not covered in the lecture, you can refer to
the Volatility Command Reference.

4. Answer the Check Your Work questions.

Check Your Work


6 points possible (ungraded)
Run vol.py -f zeus.vmem imageinfo, which uses Volatility’s "imageinfo" plugin. What is the
suggested type of OS of zeus.vmem, and when was the sample collected?
Win7SP0x64, 2010-08-15 15:17:56 UTC
Win7SP0x64, 2010-08-15 19:17:56 UTC
Win2003SP2x64, 2010-08-15 15:17:56 UTC
WinXPSP2x86, 2010-08-15 19:17:56 UTC
Run vol.py -f zeus.vmem pslist, which walks the doubly-linked list of EPROCESS
structures pointed to by PsActiveProcessHead. Does this plugin detect and list hidden
or unlinked processes?
Yes
No
Which Volatility plugin does not rely on the doubly-linked list of EPROCESS structures and can detect
unlinked (hidden) processes? Run vol.py with this plugin; do you find any
unlinked/hidden processes in zeus.vmem that require further investigation?
pstree, no
psscan, no
pstree, yes
psscan, yes
Run vol.py -f zeus.vmem connections and vol.py -f zeus.vmem connscan. Do you see
any active TCP connections or previous connections?
(Note: neither connections nor connscan works on memory images from Windows Vista and later
versions; use the netscan plugin instead.)
Previous established TCP connections
Active TCP connections at the time of the memory acquisition

Run vol.py -f zeus.vmem hivelist, vol.py -f zeus.vmem hivescan, and vol.py -f
zeus.vmem printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon" to
answer the next two questions.

Which plugin displays the subkeys, values, and data types contained within a specified
registry key?
printkey
hivelist
hivescan
Which plugin shows the virtual addresses of registry hives in memory, along with the full
paths to the corresponding hive on disk?
printkey
hivelist
hivescan

Activity: Running Helix in Live Mode

ACTIVITY: RUNNING HELIX IN LIVE MODE

Time: This activity should take you approximately 30-60 minutes to complete.

SOFTWARE

Helix3, from e-fense, is a collection of forensic tools for data acquisition, preservation and analysis. For
these activities, you will use a free version, Helix2009R1.

Helix 3 download link

1. Click "Helix 3" at the end of the sentence of "If you are looking for the free, original Helix
(2009R1) you need Helix 3".

2. Enter your information for the free download.

3. Confirm the MD5 Hash Value: 3ac2ca7d8d1dcc494ef5124c1cf37f7c

4. Right-click Helix2009R1.iso, and burn it to a CD.

GOAL

In this activity, you will use Helix 2009R1 in Windows live mode to preview information about a Windows
system. Be aware that running tools on a live system disturbs the state of that live
system.

You may want to review my Helix for Windows demo before beginning this activity.

INSTRUCTIONS

1. Insert the Helix CD into a Windows system, and run helix.exe.

2. You will see a warning message. Read and understand the message, then click Accept to
continue.

3. The Helix Windows GUI will open with many tools available to show you both volatile and
nonvolatile data of the Windows system.

4. Explore Helix’s rich functionality, and then use Helix to answer the Check Your Work questions.

Check Your Work


5 points possible (ungraded)
Click the “Preview system information” icon on the left side of the window to see system
information. Click the orange arrow to go to the second System Information page, which
shows more system information. From both page 1 and page 2, what system
information is displayed? (Select all that apply.)
Operating system information
Network information
Drives and file system information
Running processes
Click the Acquisition icon; what types of tools are included in this collection? (Note: you
should use a write blocker when using the FTK Imager.)
Acquisition tools only for physical memory acquisition
Acquisition tools only for disk drives acquisition
Acquisition tools to acquire both physical memory and disk drives
Click the Incident Response icon, and then click the “Agile Risk Management’s Nigilant32” icon.
True or False: Nigilant32 supports Previewing Disk and Imaging Physical Memory.
(Note: without write blockers, previewing a disk may change data.)
True
False
Can you recover deleted files with the Incident Response functions?
Yes
No
Helix2009R1 loads images or pictures from the directory you choose and supports a
picture view through:
Browse
Incident Response
File Recovery
Scan for Pictures

Unit 5: Question 1
1 point possible (graded)

EnCase’s FastBloc SE is a ______ that prevents any modifications to evidence drives.

hardware blocker

forensic imaging software

software blocker

Unit 5: Question 2
1 point possible (graded)

Which of the following statements is NOT true about EnCase images?

An EnCase image includes both MD5 and SHA1 hash values of the data source.

An EnCase image includes the Cyclic Redundancy Check (CRC) checksums for every 64
sectors of data for error detection.

EnCase images use extensions of ".E01", ".Ex01", ".Lx01".

An EnCase image is exactly the same as a raw dd image.

Unit 5: Question 3
1 point possible (graded)

Which of these devices or media cannot be acquired using FTK Imager without changing data
on the devices? (Select all that apply.)

Hard drives combined with write blockers

Hard drives without write blockers

USB device without write protections

Write protected flash media

Unit 5: Question 4
1 point possible (graded)

Which of these tools are host-based Windows memory (RAM) acquisition tools? (Select two)

volatility framework

FTK Imager from Access Data

fmem

winen.exe from Guidance Software

Unit 5: Question 5
1 point possible (graded)

If a rootkit is installed on a Windows system to hide a malicious process by unlinking this
process from the EPROCESS list, which of the following Volatility Framework plugins is still able
to list/display this hidden process, given the Windows system’s memory image?

pslist

dlllist

psscan

dllscan

Unit 5: Question 6
1 point possible (graded)

To recover GIF files from a Windows pagefile (Note: a page file is a file on a hard drive that is
used as a temporary location for information that the computer is not currently holding in
RAM), an investigator can use:

a data carving tool to extract GIF files from the pagefile.

the utility strings to dump out GIF files from the pagefile.

It is impossible to recover GIF files from a pagefile since there is no filesystem structure in
pagefile.
Unit 5: Question 7
1 point possible (graded)

True or False: Helix3 operates in two different modes: one is a Windows live mode and the
other is a bootable environment. When using Helix3's bootable CD in a bootable
environment, Helix3 only mounts the hard drives in read-only mode.

True

False

Unit 5: Question 8
1 point possible (graded)

Which of the following tools are memory forensic analysis tools for analyzing memory
images/dumps? (Select two)

Rekall Memory Forensics Framework

LiME

MemoryDD

Volatility Framework

Unit 5: Question 9
1 point possible (graded)

Which of these commands and tools will display Windows system information? (Select two)
Hint: Check lecture slides: Memory Acquisition

Helix3 in Windows Live mode

psinfo (from Windows sysinternals suite)

pslist (from Windows sysinternals suite)

uname

Unit 5: Question 10
1 point possible (graded)

How can a cold boot attack be useful in memory forensics?

It can be used to execute a network based attack on the target PC.

It may be possible to get a memory snapshot after a quick restart when there is no other
viable solution.

It is useful to plant a Trojan to the suspected PC.

It is absolutely useless in memory forensics.
