Computer science, paraphrase help

User Generated

fznfz

Computer Science

Description

I need someone to paraphrase my paper and answer the two questions left

please see attached

Unformatted Attachment Preview

Q1. What investigative questions is a live data collection likely to help answer?

Live data collection helps find the answers for any investigation that is initiated on a computer system. This collection depends on the data the user collects during the investigation to find data sources, such as users, processes, registry keys, or networks, which helps the investigation determine whether there were any malicious attacks by preserving information received from a running system or an offline system, since these systems have memory, hard drives, log files, and networks. The most common questions investigators ask are whether the virus was active on the system and whether any important data was copied or stolen from the system. Some of the questions we ask while collecting data are: does the program or software work properly before/after inserting the new data? How was the system originally compromised, as found by checking the firewall logs or host-based inspection tools? It is all about asking whether the system was compromised or not. On the other hand, one example of something we do daily on the internet to collect data about the websites we visit is the browsing history, where we can collect data sources about the websites we visit or the downloads we make. The deeper the data we collect, the deeper the answers we get.

Q2. Should you perform a live data collection on each system you suspect is compromised? Explain your answer. **need to be finished

Yes, I should perform a live data collection on each system we have in the network, or connected to it, that is suspected to be compromised. The reason why is because

Q3. In what situations would collecting an image of memory be most useful to the investigation?

There are two situations in which collecting an image of memory is most useful to the investigation. The first situation is when the malware is primarily memory resident and places some trace evidence on storage. On the other hand, the second situation is when the malicious attacker uses any encrypted messages. In these situations it is very helpful to collect a memory image for the investigation, to get more answers by knowing and finding the system log files.

Q4. Define/describe simple duplication. Define/describe forensic duplication.

Simple duplication: consists of making a copy of any specific data that is hidden in a single file, a group of files, a partition on a hard drive, or the whole hard drive, and elements of data storage devices.

Forensic duplication: is an accurate copy of data that is or has been created with the goal of being admissible as evidence in legal proceedings, and which is considered an image of every accessible bit from the source medium.

Q5. If you have connected evidence hard drives to a system for imaging, do you need to use a write blocker if you are going to boot a Linux-based CD? Explain why or why not.*

Yes, I do need to use a write blocker if I am going to boot a Linux-based CD. The reason why is that read-only helps, but the mount commands alone are not sufficient; we have to make sure of the correct use of the forensic CD, such as knowing how to state the source material, the file system in use, and the volume definition.

Q6. How would you quickly identify whether a large pcap file with thousands of sessions contained FTP activity? How would you extract the transferred files?*

By going over and reviewing the files that were captured from the FTP and FTP-data connections. I would use Wireshark to capture the transferred files, as it helps me reconstruct the files.

Q7. You have configured and used the open source forensics tool FTimes and learned its capabilities, especially for change detection. Explain how you might use FTimes as a component in your home network security. &&&&

Q8. Given the following scenario, explain how you would proceed with the investigation: a stakeholder tells you that one of the most critical objectives is to prove that a file with a specific MD5 hash was not present on a system at the time of analysis. You have a recent forensic disk image for the system. **need to be complete

There are some ways to conduct the investigation, but the best way is to collect the MD5 hashes of every single file on the filesystem and search them to determine where the file is located, since the hash helps find the location and helps the reliability of the data source. A hash search doesn't identify an IDS product such as a Trojan if the hash came from it, because IDS products are executable and self-removing after execution. On the other hand, the hash search comes from the analysis of the Trojan and of the second stage, which can never return to the environment, because malicious hashes such as an IDS product will search in the present and simple hashes such as MD5 will clear the whole system.

Q9. A manager at another office lets you know to expect a disk image via courier within the next day. You are tasked with recovering deleted files. What questions would you ask before the image arrives? Why?

The questions I would ask are:
1. When was the image located? When was the incident found?
2. What was the response that was taken when this incident happened?
3. At what time, and by what action, did the deletion happen? What was deleted? Did the deletion affect any other application or process?
4. Are there any copies of the file that was deleted in another location?

Any examiner who wants to do the investigation has to keep in mind to ask the most important questions in knowing and analyzing the information, in order to gather more answers: first, where the source of data came from, and second, its location and how it has been handled, so the examiner can make sure of and observe the disk image. These two questions will lead the examiner to know where the base controls are located by having more answers and evidence.

Q10. List the types of data you would collect in a live response. Hint: this is volatile data that is no longer accessible after a system shutdown.

There are many types of data that need to be collected in live response, such as:
- System information like memory capacity, disk storage, DRAM, etc.
- A list of services and programs.
- A list of all user accounts, IP addresses, and MAC addresses included in the network interface.
- A list of running processes, such as PIDs.
- User login/logout history.
- A list of installed software.
- System configuration data.

Q11. What are 5 factors when considering the appropriateness of live response?

1. Factor one: whether there is reason to believe volatile data contains critical forensic information.
2. Factor two: whether the live response can be executed in a manner that minimizes change to the system.
3. Factor three: whether the number of systems and total storage are too much to forensically image.
4. Factor four: whether there is any risk that forensic duplications will take too much time.
5. Factor five: whether there are any legal considerations that might affect the decision to preserve all data.

Q12. What are the 2 general categories of data to collect during a live response? Give examples of each category.

The two general categories are:
1. Category one: volatile data, which is the current running state of the system and helps give answers about what is happening in the present. Some examples: network connections, running processes, contents of system memory, and swap space such as pagefile.sys.
2. Category two: nonvolatile data, which helps find answers about what happened in the past. Examples of this category are: file listings such as topography, system logs, application-specific data, and the operating system.

Q13. List the requirements for digital forensics tools as described in the Mandia book? idk

Q14. List the 3 forensic image formats as described in the Mandia book.
- Partition image: specifies an individual partition as the source for an image.
- Complete disk image: duplicates every addressable location on the storage medium.
- Logical image: duplicates a simple copy, where it is a restore.

Q15. Describe what we mean by unallocated space and file slack within a filesystem.

It means being allowed to specify an individual partition or volume in forensic imaging tools to find the source for an image, because a partition image is considered a subset of the complete disk image and contains the allocation units from an individual partition on the drive; the partition image, which has the unallocated space and file slack, has the ability to support low-level analysis and to undelete files, because of the space between the partitions that makes it difficult to capture all the data on the drive. In other words, it is the space between one file and another in the filesystem that is hard to find. In other words, file slack is the data present between the logical end of a file and the end of the allocation unit, but another file can't use the file slack space because technically file slack is allocated space.

Q16. Do you believe that digital forensics should be a core component of an information assurance curriculum? Why or why not? *** need to be answered
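The hashing approach the draft sketches for Q7 (FTimes-style change detection) and Q8 (showing whether a file with a given MD5 is among the files on an image) can be shown in working code. The script below is an added example written for this page; it is not code from the original post and not FTimes. It assumes the evidence image is already mounted read-only at some directory (a hypothetical path passed as `root`), walks that tree, records size, MD5 and SHA-256 per regular file, diffs two manifests, and searches a manifest for a target MD5. The sample tree it builds under a temporary directory is constructed for the demonstration.

```python
"""Added example: hash manifest, change detection and hash search (not FTimes)."""
import hashlib
import os
import tempfile


def hash_file(path, algo="md5", chunk=1 << 20):
    """Stream a file through hashlib so large files never need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map path-relative-to-root -> (size, md5, sha256) for every regular file.

    Symlinks are skipped so the walk stays inside the evidence tree. `root` is
    assumed to be a read-only mount of the image (hypothetical path).
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order keeps two manifests comparable
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root)
            manifest[rel] = (os.stat(full).st_size,
                             hash_file(full, "md5"),
                             hash_file(full, "sha256"))
    return manifest


def diff_manifests(baseline, current):
    """FTimes-style change detection: what appeared, vanished, or changed content."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def find_md5(manifest, md5_hex):
    """Every allocated file whose MD5 equals the target (hex compared case-insensitively)."""
    target = md5_hex.lower()
    return sorted(path for path, (_, md5, _) in manifest.items() if md5 == target)


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample: baseline tree, a simulated intrusion, then analysis."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "bin/ls", b"ELF placeholder, original\n")
        baseline = build_manifest(root)

        _write(root, "bin/ls", b"ELF placeholder, trojaned\n")   # binary replaced
        _write(root, "tmp/.x", b"dropper payload\n")              # new hidden file
        os.remove(os.path.join(root, "etc/hosts"))               # file deleted
        current = build_manifest(root)

        delta = diff_manifests(baseline, current)
        known_bad = hashlib.md5(b"dropper payload\n").hexdigest()
        return delta, find_md5(current, known_bad), find_md5(current, "0" * 32)


if __name__ == "__main__":
    delta, hits, misses = demo()
    print("changes since baseline:", delta)
    print("files matching the known-bad MD5:", hits)
    print("files matching an MD5 that is not on the image:", misses)
```

Two caveats for the Q8 objective: a manifest covers only allocated files, so an empty result says nothing about unallocated clusters or file slack, which still have to be searched (carved) separately; and MD5 collisions are practical, so the manifest stores SHA-256 alongside it and any positive match should be confirmed on the stronger hash.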

Explanation & Answer

Running head: LIVE DATA COLLECTION


Live Data Collection
Name
Institutional Affiliation

Investigative questions that live data collection is likely to answer
It helps to answer any investigation initiated on a computer system. It depends on the data the user collects during the investigation so as to find data sources. They include users, processes, registry keys, or even networks, where it investigates to determine whether malicious attacks are present. These malicious attacks are caused by preservation of information that comes from receiving data found in a running system or even an offline system. They have memory, hard drives, log files and network. The obvious question that the investigator asks is whether the virus was active on the system, whether any data was copied, or also whether the data was stolen. It is also good to ask if the system was compromised.
Should you perform a live data collection on each system you suspect is compromised?
Live data collection on compromised system should be performed so as to retrieve the
information that had been lost.
In what situations would collecting an image of memory be most useful to the investigation?
Malware is one situation for collecting an image, and it applies when primarily memory-resident malware places some trace evidence on storage. The second situation is when any encrypted message is used by a malicious attacker.
Define/describe simple duplication. Define/describe forensic duplication
Simple duplication refers to making another copy of any specific data that is hidden in a single file or a group of files. It also covers a partition on a hard drive, or even the whole drive, and the components of data storage. Forensic duplication, on the other hand, is referred to as the exact copy of data which is created with the aim of being admissible as evidence in legal proceedings, and which is considered an image in an accessible form from the main source.
If you have connected evidence hard drives to a system for imaging, do you need to use a write blocker if you are going to boot a Linux-based CD? Explain why or why not
A write blocker should be used to boot a Linux b...
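The answer above discusses live data collection in general terms; here is one concrete slice of it. The script below is an added example for this page, not code from the answer or from any forensic toolkit. It parses the Linux /proc/net/tcp table (one line per socket, addresses printed as host-byte-order hex) into readable connections, maps socket inodes back to the owning PID and command line by reading the /proc/[pid]/fd links, and gathers these volatile items first, in rough order of volatility. The table it is tested against is a constructed sample; run on a live host it reads the real /proc.

```python
"""Added example: a small live-response collector for Linux volatile data."""
import os
import socket
import struct
import time

# Socket state codes as printed in /proc/net/tcp (kernel tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_addr(hex_addr):
    """'0100007F:0016' -> ('127.0.0.1', 22).

    The IPv4 part is a host-order uint32 printed as hex, so on little-endian
    hosts (x86, most ARM) the octets appear reversed; '<I' undoes that."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Turn the raw table into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = decode_addr(f[1])
        rip, rport = decode_addr(f[2])
        rows.append({
            "local": f"{lip}:{lport}",
            "remote": f"{rip}:{rport}",
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, cmdline) by reading every /proc/<pid>/fd link.

    Root is needed to see other users' processes; unreadable entries are skipped
    rather than aborting the collection."""
    owners = {}
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            links = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in links:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = (int(pid), cmdline)
    return owners


def collect_live(proc="/proc"):
    """Most volatile first: timestamp, then sockets, then the processes holding them."""
    report = {"collected_at": time.time()}
    try:
        with open(os.path.join(proc, "net", "tcp")) as fh:
            conns = parse_proc_net_tcp(fh.read())
    except OSError:
        conns = []
    owners = socket_owners(proc)
    for c in conns:
        c["owner"] = owners.get(c["inode"])  # None if the socket is orphaned or unreadable
    report["tcp"] = conns
    report["socket_processes"] = sorted(set(owners.values()))
    return report


# Constructed sample table (not captured from a real host): an SSH listener
# and one outbound HTTPS connection from uid 1000.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18320 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B5DE 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 29831 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for row in parse_proc_net_tcp(SAMPLE_TABLE):
        print(row)
    live = collect_live()
    print(len(live["tcp"]), "live TCP sockets,", len(live["socket_processes"]), "owning processes")
```

Running the collector is itself a change to the system (a new process, opened files, page cache churn), which is the trade-off the draft's Q11 "factor two" points at; write its output to removable or network storage rather than to the evidence disk, and note that IPv6 sockets live in /proc/net/tcp6 and are not read here.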

