It’s asking for the specific tool name for the job, and I got the answer wrong. I thought CISSP was conceptual/high level; are we supposed to get questions like this, or is it just the practice tests that are more technical than the real exam?
Megan needs to create a forensic copy of a hard drive that will be used in an investigation. Which of the following tools is best suited to her work?
Everything is not impossible:)
ISC2 states that CISSP is an experience-based exam, and “CISSP validates an information security professional’s deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.” It’s true.
We all know CISSP requires a minimum of five years of work experience. So anything could appear in the exam, because it entails “deep technical and managerial knowledge and experience.” However, I believe the CISSP exam focuses on comprehension and application of concepts and principles.
Effective and Continuous Learning
It’s rare for someone to know everything, so the best strategy is to learn effectively and continuously. Taking practice questions is a learning process as crucial as studying books. Determining the so-called correct answer is never the purpose of working through practice questions; the real value is exploring and researching the question and its options and learning from them.
Exploration and Research
For example, this question mentions a forensic copy, an investigation, and tools. It is a good opportunity to dig deep into investigation types, e-discovery, admissibility of evidence, legal systems, well-known forensic tools, storage architecture and solutions, fault tolerance, covert channels, data sanitization, data remanence, and so on.
- What’s the Difference between Statute, Regulation, and Common Law?
- Investigation Types
- Discovery and E-Discovery
- Legal Evidence
- Exceptions to the Rule against Hearsay
- Incident Response
- NIST Special Publication 800-86 (Guide to Integrating Forensic Techniques into Incident Response)
- Data Remanence and Sanitization
- The Master Boot Record (MBR) and Boot Sectors
- The Pyramid of Pain
- Covert Channel
- Common Attacks
A forensic image (forensic copy) is a bit-by-bit, sector-by-sector direct copy of a physical storage device, including all files, folders and unallocated, free and slack space. Forensic images include not only all the files visible to the operating system but also deleted files and pieces of files left in the slack and free space.
Source: Capsicum Group, LLC
A forensic copy is a comprehensive duplicate of electronic media. A hash of the original media is computed and compared with a hash of the copy to verify that the copy is an exact duplicate. It’s not uncommon for people to refer to the result as a forensically sound copy, forensic image, forensic clone, bit-by-bit copy, sector-by-sector direct copy, mirror image, exact copy, or bit-stream image, and to the duplicating process as disk duplicating, disk cloning, or disk mirroring. That may complicate communication.
Sean Goldstein distinguishes a forensic image from a forensic clone in terms of immutability; that is, a forensic image is a petrified or unchangeable snapshot of the original media, while a forensic clone is a working or changeable snapshot.
The Bottom Line
Focus on the learning process and everything related to the topics in the CISSP exam outline. After exploration and research, I believe you can learn by topic or theme, and justify and conclude your decisions. That’s what I see in CISSP!
- xcopy. It is an OS-level utility that copies files at the file-system level. It does not capture the partition table, boot sector, unallocated, free and slack space, corrupted sectors, etc.
- dd (disk dump). For the dollar, there is no better tool for data forensics than dd because it is free. Included with every Linux and Unix distribution, dd is capable of creating perfect copies of any disk, regardless of whether it is IDE or SCSI. In a review of forensic tools by SC Info Security Magazine, dd was the only tool besides Symantec’s Ghost to image a disk accurately. [SANS GIAC Certification: Security Essentials Toolkit (GSEC)]
- DBAN. It’s a tool for data sanitization. Darik’s Boot and Nuke, also known as DBAN, is a free and open-source project hosted on SourceForge. The program is designed to securely erase a hard disk until its data is permanently removed and no longer recoverable, which is achieved by overwriting the data with pseudorandom numbers generated by Mersenne Twister or ISAAC. (Wikipedia)
- ImageMagik (i.e., ImageMagick). It is created for “pictures,” not for storage images. ImageMagick is a free and open-source cross-platform software suite for displaying, creating, converting, modifying, and editing raster images. Created in 1987 by John Cristy, it can read and write over 200 image file formats. It and its components are widely used in open-source applications. (Wikipedia)
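The following is an added example, not part of the original post, showing what the dd option and the hash validation described above look like in practice: a sector-level copy with dd, a recorded acquisition hash, the image made read-only (the “image” rather than “clone” distinction), and a re-verification step that catches any later change. It assumes POSIX sh with GNU coreutils (dd, sha256sum) and uses a constructed file in place of a real drive so it runs without root.

```shell
#!/bin/sh
# Added example (not the post's own code): forensic imaging with dd plus hash
# validation. Assumes POSIX sh and GNU coreutils; a constructed file stands in
# for the hard drive so no root access or real device is needed.
set -eu

# SHA-256 of a device or file, hash only (sha256sum prints "hash  name").
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Create the forensic image: a sector-by-sector copy with no file-system
# awareness, so partition table, boot sector, unallocated and slack space all
# come along. conv=noerror,sync continues past unreadable sectors and zero-pads
# them, keeping the image sector-aligned with the source. Prints ok/MISMATCH.
forensic_image() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    # Record the acquisition hash beside the image and make the image
    # read-only: an unchangeable snapshot (image), not a working copy (clone).
    echo "$img_hash  $img" > "$img.sha256"
    chmod 0444 "$img"
    [ "$src_hash" = "$img_hash" ] && echo ok || echo MISMATCH
}

# Re-verify an image against its recorded hash later (before analysis, or to
# show it is unchanged). Exit status 0 means the image is intact.
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# Constructed stand-in for a hard drive: 64 sectors of pseudo-random bytes.
make_sample_drive() {
    dd if=/dev/urandom of="$1" bs=512 count=64 2>/dev/null
}
```

Run `make_sample_drive d.bin; forensic_image d.bin d.dd; verify_image d.dd` to see the full acquire-and-verify cycle; any later write to d.dd makes verify_image fail.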
- Forensics 101: What is a forensic image?
- Advanced Forensic Format: An Open, Extensible Format for Disk Imaging
- Forensic Image
- Two Key Differences Between Digital Forensic Imaging And Digital Forensic Clone And How They Can Affect Your Legal Case.
- PassMark Supported Image Formats
- How to Create a Forensic Image with FTK Imager
- Making Copies of Forensic Evidence
- PassMark OSFClone
- The Best Open Source Digital Forensic Tools
- List of Unix commands
- Manipulating Images with ImageMagik
- How to Easily Clone and Restore a Linux Disk Image With dd
- How to Clone Your Linux Hard Drive: 4 Methods
- Sustainability of Digital Formats: Planning for Library of Congress Collections
- Darik’s Boot and Nuke
- SANS GIAC Certification: Security Essentials Toolkit (GSEC)