IS4670 Lab 4
1. What is the main advantage of a bootable forensics suite like HELIX?
The main advantage of a bootable suite is that it can analyze live hosts and volatile memory.
2. What are 5 Sysinternals Process Explorer features that can be used in computer forensics as part of an investigation?
Find out what files, registry keys and other objects processes have open; which DLLs they have loaded; who owns each process; and which program has a particular file or directory open (Process Explorer shows you information about which handles and DLLs processes have opened or loaded). It can also track down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.
3. If you wanted to delete files from your system in a secure manner which tool could be used to accomplish this?
4. Which NirSoft tool would you use to reveal passwords behind asterisks on a computer?
5. Choose one Sysinternals tool in the lab and one NirSoft tool not in the lab, run them, and submit a few sentences on why you chose them, why they were interesting and what they did.
NirSoft: Asterisk Logger. Asterisk Logger reveals passwords behind asterisks; who doesn't like to learn something hidden?
Sysinternals: shows what files, registry keys and objects processes have opened; this could be a make-or-break point for a case.
6. On what OSes can HELIX 3 be used?
7. What is the difference between data and evidence?
All data is information; however, evidence is data that can support a claim made by a scientist.
8. What are the four basic types of evidence?
Personal, physical, miscellaneous, corpus delicti
9. Explain some precautions when transporting evidence.
It is sealed; anyone who handles the evidence is logged; no one changes anything about the evidence; and any distinguishing physical properties are logged.
10. How should evidence be stored?
Sealed in a Faraday bag with a log of everyone who has come into contact with that evidence.
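As an added illustration of the precautions in questions 9 and 10 (this is not part of the lab answers), a small Python chain-of-custody log: every handler is recorded, and each handoff re-hashes the evidence image against the hash taken at sealing so that any change to the evidence is detected. The item id, description and image bytes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

def sha256(data: bytes) -> str:
    """Hash the evidence image; the hash is the check that nothing was changed."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEntry:
    handler: str     # everyone who touches the evidence is logged
    action: str      # "sealed", "transported", "stored", ...
    timestamp: str   # UTC, ISO 8601
    digest: str      # hash of the image at the moment of the handoff

@dataclass
class EvidenceItem:
    item_id: str
    description: str       # distinguishing physical properties, e.g. serial number, seal number
    sealed_digest: str     # hash taken when the item was sealed; later entries are checked against it
    log: list = field(default_factory=list)

def record_handoff(item: EvidenceItem, handler: str, action: str, image: bytes) -> bool:
    """Append a custody entry and report whether the image still matches the sealed hash."""
    digest = sha256(image)
    item.log.append(CustodyEntry(handler, action,
                                 datetime.now(timezone.utc).isoformat(), digest))
    return digest == item.sealed_digest

def seal(item_id: str, description: str, image: bytes, handler: str) -> EvidenceItem:
    """Seal the item: record its description, take the reference hash, log the first handler."""
    item = EvidenceItem(item_id, description, sha256(image))
    record_handoff(item, handler, "sealed", image)
    return item

def handlers(item: EvidenceItem) -> list:
    """Chain of custody: every handler, in order."""
    return [entry.handler for entry in item.log]

if __name__ == "__main__":
    # Constructed sample data; not a real image or serial number.
    image = b"constructed disk image bytes"
    item = seal("EX-001", "2.5in HDD, S/N CONSTRUCTED-1234, tamper seal #17", image, "Examiner A")
    print(record_handoff(item, "Courier B", "transported", image))       # True: unchanged
    print(record_handoff(item, "Clerk C", "stored", image + b"\x00"))    # False: altered in transit
    print(handlers(item))
```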