question
By the 1970s, electronic crimes were increasing, especially in the financial sector.
question
To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
question
Computer investigations and forensics fall into the same category: public investigations.
question
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
question
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
question
The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.
answer
computer investigations
question
By the early 1990s, the ____ introduced training on software for forensics investigations.
question
Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
question
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.
question
The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.
question
Most computer investigations in the private sector involve ____.
answer
misuse of computing assets
question
Chain of custody is also known as chain of evidence.
question
Employees surfing the Internet can cost companies millions of dollars.
question
You cannot use both multi-evidence and single-evidence forms in your investigation.
question
Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data.
question
A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible.
question
The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court.
question
When preparing a case, you can apply ____ to problem solving.
answer
standard systems analysis steps
question
The list of problems you normally expect in the type of case you are handling is known as the ____.
answer
standard risk assessment
question
A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence.
answer
evidence custody form
question
Use ____ to secure and catalog the evidence contained in large computer components.
question
____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab.
question
____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats.
question
To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____.
answer
forensic workstation
question
You can use ____ to boot to Windows without writing any data to the evidence disk.
question
To begin conducting an investigation, you start by ____ the evidence using a variety of methods.
question
A ____ is a bit-by-bit copy of the original storage medium.
question
A bit-stream image is also known as a(n) ____.
question
When analyzing digital evidence, your job is to ____.
question
When you write your final report, state what you did and what you ____.
question
In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____.
answer
repeatable findings
question
After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____.
question
If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately.
question
Computing systems in a forensics lab should be able to process typical cases in a timely manner.
question
A ____ is where you conduct your investigations, store evidence, and do most of your work.
answer
computer forensics lab
question
____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
answer
Uniform crime reports
question
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Windows File System.
question
____ was created by police officers who wanted to formalize credentials in computing investigations.
question
What HTCN certification level requires candidates to have three years of investigative experience in any discipline from law enforcement or corporate, or to have a college degree with one year of experience in investigations?
answer
Certified Computer Forensic Technician, Basic
question
To preserve the integrity of evidence data, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.
question
The EMR from a computer monitor can be picked up as far away as ____ mile.
question
A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.
question
Floors and carpets in your computer forensics lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.
question
One way to investigate older and unusual computing systems is to keep track of ____ that still use these systems.
question
A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.
question
You should have at least one copy of your backups on site and a duplicate copy or a previous copy of your backups stored in a safe ____ facility.
question
In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery.
answer
configuration management
question
For labs using high-end ____ servers (such as Digital Intelligence F.R.E.D.C. or F.R.E.D.M.), you must consider methods for restoring large data sets.
question
____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.
question
Computing components are designed to last 18 to ____ months in normal business operations.
question
In the ____, you justify acquiring newer and better resources to investigate computer forensics cases.
question
By using ____ to attract new customers or clients, you can justify future budgets for the lab's operation and staff.
question
One advantage with live acquisitions is that you are able to perform repeatable processes.
question
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file.
question
Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
question
FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing.
question
Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.
question
For computer forensics, ____ is the task of collecting digital evidence from electronic media.
question
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
question
Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
question
If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.
question
The most common and flexible data-acquisition method is ____.
answer
Disk-to-image file copy
question
SafeBack and SnapCopy must run from a(n) ____ system.
question
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.
question
Image files can be reduced by as much as ____% of the original.
question
Microsoft has recently added ____ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult.
answer
whole disk encryption
question
Linux ISO images are referred to as ____.
question
The ____ command displays pages from the online help manual for information on Linux commands and their options.
question
The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
question
The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions.
question
Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.
question
The ____ DOS program En.exe requires using a forensic MS-DOS boot floppy or CD and a network crossover cable.
question
EnCase Enterprise is set up with an Examiner workstation and a Secure Authentication for EnCase (____) workstation.
question
SnapBack DatArrest runs from a true ____ boot floppy.
question
SnapBack DatArrest can perform a data copy of an evidence drive in ____ ways.
question
SafeBack performs a(n) ____ calculation for each sector copied to ensure data integrity.
question
____ has developed the Rapid Action Imaging Device (RAID) to make forensically sound disk copies.
question
If a corporate investigator follows police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.
question
The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location.
question
Most federal courts have interpreted computer records as ____ evidence.
question
Generally, computer records are considered admissible if they qualify as a ____ record.
question
____ records are data the system maintains, such as system log files and proxy server logs.
question
Investigating and controlling computer incident scenes in the corporate environment is ____ in the criminal environment.
question
Every business or organization must have a well-defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a ____ that a law or policy is being violated.
answer
reasonable suspicion
question
Confidential business data included with the criminal evidence are referred to as ____ data.
question
____ is facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed.
question
Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.
question
Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.
question
When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to prevent a hard disk from overheating to prevent damage.
question
With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
answer
initial-response field kit
question
A(n) ____ should include all the tools you can afford to take to the field.
answer
extensive-response field kit
question
Courts consider evidence data in a computer as ____ evidence.
question
Evidence is commonly lost or corrupted through ____, which involves police officers and other professionals who aren't part of the crime scene processing team.
answer
professional curiosity
question
During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system.
question
One technique for extracting evidence from large systems is called ____.
question
Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server.
question
The most common computer-related crime is ____.
question
Computer forensics is obtaining and analyzing digital information as evidence in civil, criminal, or administrative cases.
answer
Obtaining and analyzing digital information as evidence in civil, criminal, or administrative cases.
question
Please explain what the Fourth Amendment is.
answer
The Fourth Amendment requires a search warrant for obtaining evidence and protects everyone's right to be secure in their person, residence, and property from search and seizure.
question
Please explain what a public investigation and a private investigation are.
answer
A public investigation involves government agencies responsible for criminal investigation and prosecution. Organizations must observe legal guidelines and are governed by criminal law and the Fourth Amendment. A private investigation deals with private companies, non-law-enforcement government agencies, and lawyers; it is not governed directly by criminal law or the Fourth Amendment but by internal policies.
question
Please list the main commercial forensics tools, Linux forensics tools, and other tools.
answer
The main commercial forensics tools are EnCase, FTK, and ProDiscover. The Linux-based forensics tools are BackTrack, Helix, and Knoppix Live CDs. The other tools are hash calculators and Metasploit.
question
Please list the five main cases for employee termination.
answer
1. Employee Termination Case
2. Email Abuse Investigation
3. Media Leak Investigation
4. Industrial Espionage Investigation
5. Attorney-Client Privilege Investigation
question
Please explain what a bit-stream copy and a bit-stream image are.
answer
1. Bit-stream copy: a bit-by-bit copy of the original storage medium, an exact copy of the original disk, different from a simple backup copy.
2. Bit-stream image: the forensic copy, a file containing the bit-stream copy of all the data on a disk or partition.
question
What guidelines does the American Society of Crime Laboratory Directors (ASCLD) offer?
answer
1. Managing a lab
2. Acquiring an official certification
3. Auditing lab functions and procedures
question
Please list the general rules for a police lab.
answer
1. One computer investigator for every 250,000 people in the region
2. One multipurpose forensic workstation and one general-purpose workstation
question
Please list the two main types of data acquisition. Explain how they differ with respect to whether data is changed. What are the two advantages of live acquisition?
answer
1. Static acquisition: the computer is off while data is captured, so the data is not changed.
2. Live acquisition: the computer is on while data is captured, so the data is altered.
Two advantages of live acquisition are that it collects RAM data and that it is preferred because it bypasses hard disk encryption.
question
Please list the three main formats for data storage. Suppose there is an evidence disk of about 100 GB. I only have two disks to store the evidence image, one of about 20 GB and one of about 30 GB. I also need to put the investigator's name and the hash value onto the two disks, and I need to use different tools later to work on these evidence images. What format are you going to use?
answer
1. Raw format: bit-to-bit
2. Proprietary format: certain forensic tools
3. Advanced Forensic Format: multiple forensics tools
In the case stated above we would use Advanced Forensic Format to capture the data because it will compress the data size and allow us to analyze the data with a number of forensic tools.
question
What are the three disk acquisition methods?
answer
1. Disk-to-disk: bit to bit
2. Disk-to-image: bit to image
3. Logical: only acquiring the needed information
question
Can computer evidence be directly adopted in law? Is there any exception? How do you prove this kind of exception?
answer
Digital evidence cannot be directly adopted in law because it is actually considered hearsay evidence, meaning second-hand or indirect evidence. There are two exceptions: the business record exception and the computer-stored exception. The business record exception can be proved by assuring that the program creating the output is functioning correctly. The computer-stored exception can be proved by confirming that a specific person created the records.
question
If you are a corporate investigator and a law enforcement officer asks you to find more information, what should you do?
answer
Don't do any further investigation until you receive a subpoena or court order.
question
What is innocent information?
answer
Innocent information is unrelated information.
question
How do you handle a running computer when you seize it?
answer
1. Live acquisition
2. Normal shutdown
3. Save the data
4. Record activity
5. Photograph the screen