Computer Forensics Chapter 1
Digital Evidence Specialist
An expert who analyzes digital evidence and determines whether additional specialists are needed
Police in the United States must use procedures that adhere to which of the following?
Fourth Amendment
repeatable findings
being able to obtain the same results every time from a digital forensics examination
professional conduct
behavior expected of an employee in the workplace or other professional setting
bit-stream copy
bit-by-bit duplicate of data on the original storage medium
3 items that should be on an evidence custody form?
case number; name of investigator assigned to the case; nature of the case; location where evidence was obtained; description of the evidence
allegation
charge made against someone or something before proof has been found
attorney-client privilege (ACP)
communication between an attorney and client about legal matters is protected as confidential communications
network intrusion detection and incident response
detecting attacks from intruders by using automated tools
Computer Technology Investigators Network (CTIN)
nonprofit group based in Seattle-Tacoma, WA composed of law enforcement members, private corporation security professionals, and other security professionals whose aim is to improve the quality of high-technology investigations in the Pacific Northwest
evidence bag
nonstatic bags, used to transport computer components and other digital devices
affidavit
notarized document, given under penalty of perjury, that investigators create to detail their findings
International Association of Computer Investigative Specialists (IACIS)
organization created to provide training and software for law enforcement in the digital forensics field
data recovery
retrieving files that were deleted accidentally or purposefully
fourth amendment
the Fourth Amendment to the US Constitution in the Bill of Rights dictates that the government and its agents must have probable cause for search and seizure
vulnerability/threat assessment and risk management
the group that determines the weakest points in a system
search and seizure
the legal act of acquiring evidence for an investigation
line of authority
the order in which people or positions are notified of a problem
digital investigations
the process of conducting forensics analysis of systems suspected of containing evidence related to an incident or a crime
interrogation
the process of trying to get a suspect to confess to a specific incident or crime
chain of custody
the route evidence takes from the time the investigator obtains it until the case is closed or goes to court
industrial espionage
theft of sensitive or proprietary company information, often to sell to a competitor
Why should you critique your case after it's finished?
to improve your work
evidence custody form
A printed form indicating who has signed out or been in physical possession of evidence
What are the necessary components of a search warrant?
A search warrant must specify who, what, when, and where: it specifies the place, time, and items being searched for. It must be signed by an impartial judicial officer. A search warrant can limit the scope of what can be seized.
What is the purpose of an affidavit?
To provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant
forensic workstation
workstation set up to allow copying forensic evidence, whether it's on a hard drive, flash drive, or the cloud
What are some ways to determine the resources needed for an investigation?
Determine the OS of the suspect computer and list the software needed for the examination
Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule.
FALSE
multi-evidence form
an evidence custody form used to list all items associated with a case
verdict
decision returned by a jury
Policies can address rules for which of the following?
Any of the above
What do you call a list of people who have had physical possession of the evidence?
Chain of custody
3 items that should be in your case report.
Explanation of basic computer or network processes; a narrative of what steps were taken; description of your findings; log files generated from analysis tools
Digital forensics and data recovery refer to the same activities.
FALSE
Under normal circumstances, a private-sector investigator is considered an agent of law enforcement.
FALSE
You should always prove the allegations made by the person who hired you.
FALSE
List two types of digital investigations typically conducted in a business environment?
Fraud, embezzlement, insider trading, espionage, and email harassment
What is professional conduct, and why is it important?
Professional conduct includes ethics, morals, and standards of behavior. It affects your credibility.
List two items that should appear on a warning banner.
Statements that the organization has the right to monitor what users do and that their email is not personal
For digital evidence, an evidence bag is typically made of antistatic material.
TRUE
What's the purpose of maintaining a network of digital forensics specialists?
To develop a list of colleagues who specialize in areas different from your own specialties, in case you need help on an investigation
Why should you do a standard risk assessment to prepare for an investigation?
To list problems that might happen when conducting an investigation, which can help in planning your case
Why should evidence media be write-protected?
To make sure data isn't altered
The Triad of computing security includes which of the following?
Vulnerability/threat assessment, intrusion detection and incident response, and digital investigation
interview
a conversation conducted to collect information from a witness or suspect about specific facts related to an investigation
hostile work environment
an environment in which employees cannot perform their assigned duties because of the actions of others
digital forensics
applying investigative procedures for a legal purpose
inculpatory evidence
evidence that indicates a suspect is guilty of the crime with which he or she is charged
exculpatory evidence
evidence that indicates the suspect is innocent of the crime
exhibits
evidence used in court to prove a case
bit-stream image
file where the bit-stream copy is stored
approved secure container
fireproof container locked by a key or combination
single-evidence form
form that dedicates a page for each item retrieved for a case
authorized requester
in a private-sector environment, the person who has the right to request an investigation, such as the chief security officer or chief intelligence officer
search warrants
legal documents that allow law enforcement to search an office, home, or other locale for evidence related to an alleged crime
Digital Evidence First Responder (DEFR)
professional who secures digital evidence at the scene and ensures its viability while transporting it to the lab
warning banner
text displayed on computer screens when people log onto a company computer