question By the 1970s, electronic crimes were increasing, especially in the financial sector.
question To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
question Computer investigations and forensics fall into the same category: public investigations.
question The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
question ____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
question The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime. answer computer investigations
question By the early 1990s, the ____ introduced training on software for forensics investigations.
question Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
question In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.
question The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.
question Most computer investigations in the private sector involve ____. answer misuse of computing assets
question Chain of custody is also known as chain of evidence.
question Employees surfing the Internet can cost companies millions of dollars.
question You cannot use both multi-evidence and single-evidence forms in your investigation.
question Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data.
question A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible.
question The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court.
question When preparing a case, you can apply ____ to problem solving. answer standard systems analysis steps
question The list of problems you normally expect in the type of case you are handling is known as the ____. answer standard risk assessment
question A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence. answer evidence custody form
question Use ____ to secure and catalog the evidence contained in large computer components.
question ____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab.
question ____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats.
question To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____. answer forensic workstation
question You can use ____ to boot to Windows without writing any data to the evidence disk.
question To begin conducting an investigation, you start by ____ the evidence using a variety of methods.
question A ____ is a bit-by-bit copy of the original storage medium.
question A bit-stream image is also known as a(n) ____.
question When analyzing digital evidence, your job is to ____.
question When you write your final report, state what you did and what you ____.
question In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____. answer repeatable findings
question After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____.
question If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately.
question Computing systems in a forensics lab should be able to process typical cases in a timely manner.
question A ____ is where you conduct your investigations, store evidence, and do most of your work. answer computer forensics lab
question ____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed. answer Uniform crime reports
question Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Windows File System.
question ____ was created by police officers who wanted to formalize credentials in computing investigations.
question Which HTCN certification level requires that candidates have three years of investigative experience in any discipline from law enforcement or corporate work, or have a college degree with one year of experience in investigations? answer Certified Computer Forensic Technician, Basic
question To preserve the integrity of evidence data, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.
question The EMR from a computer monitor can be picked up as far away as ____ mile.
question A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.
question Floors and carpets in your computer forensics lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.
question One way to investigate older and unusual computing systems is to keep track of ____ that still use these systems.
question A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.
question You should have at least one copy of your backups on site and a duplicate copy or a previous copy of your backups stored in a safe ____ facility.
question In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery. answer configuration management
question For labs using high-end ____ servers (such as Digital Intelligence F.R.E.D.C. or F.R.E.D.M.), you must consider methods for restoring large data sets.
question ____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.
question Computing components are designed to last 18 to ____ months in normal business operations.
question In the ____, you justify acquiring newer and better resources to investigate computer forensics cases.
question By using ____ to attract new customers or clients, you can justify future budgets for the lab's operation and staff.
question One advantage with live acquisitions is that you are able to perform repeatable processes.
question The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file.
question Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
question FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing.
question Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.
question For computer forensics, ____ is the task of collecting digital evidence from electronic media.
question One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
question Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
question If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.
question The most common and flexible data-acquisition method is ____. answer Disk-to-image file copy
question SafeBack and SnapCopy must run from a(n) ____ system.
question If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.
question Image files can be reduced by as much as ____% of the original.
question Microsoft has recently added ____ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult. answer whole disk encryption
question Linux ISO images are referred to as ____.
question The ____ command displays pages from the online help manual for information on Linux commands and their options.
question The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
question The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions.
question Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.
question The ____ DOS program En.exe requires using a forensic MS-DOS boot floppy or CD and a network crossover cable.
question EnCase Enterprise is set up with an Examiner workstation and a Secure Authentication for EnCase (____) workstation.
question SnapBack DatArrest runs from a true ____ boot floppy.
question SnapBack DatArrest can perform a data copy of an evidence drive in ____ ways.
question SafeBack performs a(n) ____ calculation for each sector copied to ensure data integrity.
question ____ has developed the Rapid Action Imaging Device (RAID) to make forensically sound disk copies.
question If a corporate investigator follows police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.
question The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location.
question Most federal courts have interpreted computer records as ____ evidence.
question Generally, computer records are considered admissible if they qualify as a ____ record.
question ____ records are data the system maintains, such as system log files and proxy server logs.
question Investigating and controlling computer incident scenes in the corporate environment is ____ in the criminal environment.
question Every business or organization must have a well defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a ____ that a law or policy is being violated. answer reasonable suspicion
question Confidential business data included with the criminal evidence are referred to as ____ data.
question ____ is facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed.
question Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.
question Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.
question When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to prevent a hard disk from overheating to prevent damage.
question With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible. answer initial-response field kit
question A(n) ____ should include all the tools you can afford to take to the field. answer extensive-response field kit
question Courts consider evidence data in a computer as ____ evidence.
question Evidence is commonly lost or corrupted through ____, which involves police officers and other professionals who aren't part of the crime scene processing team. answer professional curiosity
question During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system.
question One technique for extracting evidence from large systems is called ____.
question Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server.
question The most common computer-related crime is ____.
question Computer forensics is obtaining and analyzing digital information as evidence in civil, criminal, or administrative cases. answer Obtaining and analyzing digital information as evidence in civil, criminal, or administrative cases.
question Please explain what the Fourth Amendment is. answer The Fourth Amendment requires a search warrant for obtaining evidence; it protects everyone's right to be secure in their person, residence, and property against unreasonable search and seizure.
question Please explain what a public investigation and a private investigation are. answer A public investigation involves government agencies responsible for criminal investigation and prosecution. These organizations must observe legal guidelines and are governed by criminal law and the Fourth Amendment. A private investigation deals with private companies, non-law-enforcement government agencies, and lawyers; it is not governed directly by criminal law or the Fourth Amendment but by internal policies.
question Please list the main commercial forensics tools, Linux forensics tools, and other tools. answer The main commercial forensics tools are EnCase, FTK, and ProDiscover. The Linux-based forensics tools are the BackTrack, Helix, and Knoppix Live CDs. Other tools are a hash calculator and Metasploit.
question Please list the five main types of private-sector investigation cases. answer 1. Employee termination case 2. E-mail abuse investigation 3. Media leak investigation 4. Industrial espionage investigation 5. Attorney-client privilege investigation
question Please explain what a bit-stream copy is and what a bit-stream image is. answer 1. Bit-stream copy: a bit-by-bit copy of the original storage medium, an exact copy of the original disk, different from a simple backup copy. 2. Bit-stream image: a forensic copy, a file containing the bit-stream copy of all the data on a disk or partition.
question The American Society of Crime Laboratory Directors (ASCLD) offers guidelines for what? answer 1. Managing a lab 2. Acquiring an official certification 3. Auditing lab functions and procedures
question Please list the general rules for a police lab. answer 1. One computer investigator for every 250,000 people in the region 2. One multipurpose forensic workstation and one general-purpose workstation
question Please list the two main types of data acquisition. Explain how they differ with respect to whether data changes. What are two advantages of live acquisition? answer 1. Static acquisition: the computer is off while the data is captured, so the data is not changed. 2. Live acquisition: the computer is on while the data is captured, so the data is altered. Two advantages of live acquisition are that it collects RAM data and that it is preferred when it can bypass hard disk encryption.
question Please list the three main formats for storing acquired data. Suppose the evidence disk is about 100 GB and I have only two disks, one of about 20 GB and one of about 30 GB, to store the evidence image. I also need to record the investigator's name and the hash value on the two disks, and later I need to use different tools to work on these evidence images. Which format should I use? answer 1. Raw format: bit-for-bit 2. Proprietary format: readable by certain forensics tools 3. Advanced Forensic Format (AFF): readable by multiple forensics tools. In the case above we would use the Advanced Forensic Format to capture the data, because it compresses the data and allows the image to be analyzed with a number of forensics tools.
question What are the three disk acquisition methods? answer 1. Disk-to-disk: bit-for-bit copy to another disk 2. Disk-to-image: bit-for-bit copy to an image file 3. Logical: acquiring only the needed information
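The dd, dcfldd, md5sum and sha1sum questions above and the split-image scenario in the previous question describe the same procedure: read the medium block by block, hash the bytes as they stream past, and write the raw copy to whatever target media are available. The script below is an added example, not code from the textbook or from any forensics vendor, that models that procedure at toy scale: a constructed 10-sector "drive" is imaged onto two target "disks" of 2048 and 3072 bytes (stand-ins for the 20 GB and 30 GB disks), MD5 and SHA-1 are computed per segment and for the whole stream, and a manifest carrying the investigator's name travels with the segments. The investigator name, capacities and evidence bytes are all placeholders. Because raw format cannot shrink the data, the example also shows the failure case the question hints at: a source that exceeds the combined target capacity is refused rather than silently truncated, which is where a compressing format such as AFF would be chosen instead.

```python
"""Segmented raw (bit-stream) acquisition with hash-on-the-fly verification."""
import hashlib
import io
import json
from typing import Dict, List, Tuple

BLOCK = 512  # copy granularity, the analogue of dd's bs= option

# Constructed stand-in for a suspect drive (not real evidence): a fake boot
# sector, a repetitive document region and a run of varied bytes, 10 sectors.
EVIDENCE = (
    b"\xeb\x3c\x90FAKEBOOT" + b"\x00" * 499 + b"\x55\xaa"   # 512 bytes
    + b"Quarterly report draft v3 -- OK\n" * 80             # 2560 bytes
    + bytes(range(256)) * 8                                  # 2048 bytes
)


def _new_hashes():
    # One pass feeds both digests, the equivalent of running md5sum and sha1sum.
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1()}


def _digests(hashes) -> Dict[str, str]:
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Independent hash of a byte string, used to re-check a manifest later."""
    hashes = _new_hashes()
    for h in hashes.values():
        h.update(data)
    return _digests(hashes)


def acquire(source: io.BufferedIOBase, capacities: List[int],
            investigator: str) -> Tuple[List[bytes], dict]:
    """Bit-stream copy of `source` into one raw segment per target disk.

    Every block is hashed as it is read (hash-on-the-fly, the dcfldd
    approach), both per segment and across the whole stream. Raw format
    cannot shrink the data, so a source larger than the combined capacity
    of the target disks is rejected instead of silently truncated.
    """
    whole = _new_hashes()
    segments: List[bytes] = []
    seg_meta: List[dict] = []
    for index, cap in enumerate(capacities):
        buf = io.BytesIO()
        seg_hashes = _new_hashes()
        while buf.tell() < cap:
            chunk = source.read(min(BLOCK, cap - buf.tell()))
            if not chunk:
                break
            buf.write(chunk)
            for h in list(seg_hashes.values()) + list(whole.values()):
                h.update(chunk)
        segments.append(buf.getvalue())
        seg_meta.append({"segment": index, "bytes": buf.tell(),
                         **_digests(seg_hashes)})
        if buf.tell() < cap:   # source exhausted before this disk filled
            break
    if source.read(1):
        raise ValueError("raw image exceeds target capacity; use a "
                         "compressing format (AFF/E01) or larger disks")
    manifest = {"investigator": investigator, "format": "raw",
                "total_bytes": sum(m["bytes"] for m in seg_meta),
                "segments": seg_meta, **_digests(whole)}
    return segments, manifest


def acquire_bytes(data: bytes, capacities: List[int],
                  investigator: str) -> Tuple[List[bytes], dict]:
    """Convenience wrapper for in-memory evidence such as EVIDENCE above."""
    return acquire(io.BytesIO(data), capacities, investigator)


def verify(segments: List[bytes], manifest: dict) -> bool:
    """Recompute every hash from the stored segments.

    Running this again later must give the same answer (repeatable findings);
    any altered, truncated or missing segment makes it return False.
    """
    if len(segments) != len(manifest["segments"]):
        return False
    whole = _new_hashes()
    for data, meta in zip(segments, manifest["segments"]):
        if len(data) != meta["bytes"]:
            return False
        if hash_bytes(data) != {k: meta[k] for k in ("md5", "sha1")}:
            return False
        for h in whole.values():
            h.update(data)
    return _digests(whole) == {k: manifest[k] for k in ("md5", "sha1")}


if __name__ == "__main__":
    # Toy version of the 100 GB source onto 20 GB + 30 GB targets: 5 KiB of
    # evidence onto "disks" of 2048 and 3072 bytes, then the manifest that
    # travels with each disk alongside the investigator's name.
    segs, manifest = acquire_bytes(EVIDENCE, [2048, 3072], "J. Doe")
    print(json.dumps(manifest, indent=2))
    print("verified:", verify(segs, manifest))
```

The hashes are taken over the raw bytes as they leave the source, never over the container files, so the same MD5 and SHA-1 can be recomputed from the reassembled segments, from a compressed container once decompressed, or against the original medium with md5sum and sha1sum through a write-blocker, and any disagreement points at exactly one segment.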
question Can computer evidence be directly admitted in court? Is there any exception? How is this kind of exception proved? answer Digital evidence cannot be directly admitted, because it is considered hearsay evidence, meaning second-hand or indirect evidence. There are two exceptions: the business record exception and the computer-stored record exception. The business record exception is proved by showing that the program creating the output is functioning correctly. The computer-stored record exception is proved by confirming that a specific person created the records.
question If you are a corporate investigator and a law enforcement officer asks you to find more information, what should you do? answer Do not do any further investigation until you receive a subpoena or court order.
question What is innocent information? answer Innocent information is unrelated information.
question How do you handle a running computer when you seize it? answer 1. Live acquisition 2. Normal shutdown 3. Save the data 4. Record activity 5. Photograph the screen