Digital Forensics Essentials all Questions

Which of the following NTFS system files contains definitions of all system- and user-defined attributes of the volume? $logfile $quota $upcase $attrdef

$attrdef

George, a forensic expert, was investigating a cybercrime. As part of the investigation, he examined a system running Windows OS based on NTFS to discover any malicious events. George accessed and analyzed the file system's metadata files stored in the root directory; the metadata files contain a record for every file in the file system. Which of the following system files has George accessed in the above scenario? $logfile $volume $mft $mftmirr

$mft

Jayce, a forensic specialist, was inspecting a suspected Linux system with an FHS file system. John initiated the investigation process by checking the file system. In this process, he extracted essential device files from the system, which served as potential evidence to track down the culprits. In which of the following directories of FHS did Jayce identify the essential device files? /etc /boot /dev /root

/dev

Gavin, a forensic expert, was analyzing a Linux system with an FHS file system that was affected by a security incident. Gavin suspected that an unauthorized removable storage device is plugged into the system, providing remote access to the system. Which of the following FHS directories can help Gavin in identifying mount points for removable storage devices? /boot /root /media /etc

/media

Rhett, a forensic expert, was inspecting a suspected Linux system with an FHS file system. In this process, he listed all the binary files present in the system and extracted these binary files from the root directory of the system. In which of the following directories of FHS did Rhett identify the binary files? /sbin /mnt /tmp /srv

/sbin

Given below are the different phases involved in the UEFI boot process: 1. Security phase 2. Boot Device Selection phase 3. Driver Execution Environment phase 4. Pre-EFI initialization phase 5. Runtime phase What is the correct sequence of phases involved in the UEFI boot process? 2 -> 5 -> 4 -> 3 -> 1 1 -> 2 -> 3 -> 4 -> 5 2 -> 3 -> 4 -> 1 -> 5 1 -> 4 -> 3 -> 2 -> 5

1 -> 4 -> 3 -> 2 -> 5

Given below are various activities involved in the computer forensics investigation methodology. 1 Evidence preservation 2 Documentation of the electronic crime scene 3 Search and seizure 4 Case analysis 5 Reporting 6 Data analysis 7 Testimony as an expert witness 8 Data acquisition What is the correct sequence of activities involved in the computer forensics investigation methodology? 1 -> 2 -> 3 -> 4 -> 5 -> 6 -> 7 -> 8 2 -> 3 -> 4 -> 1 -> 5 -> 7 -> 6 -> 8 2 -> 5 -> 4 -> 8 -> 3 -> 6 -> 7 -> 1 2 -> 3 -> 1 -> 8 -> 6 -> 4 -> 5 -> 7

2 -> 3 -> 1 -> 8 -> 6 -> 4 -> 5 -> 7

Given below are the different steps involved in forensic readiness planning. 1. Determine the sources of evidence. 2. Establish a legal advisory board to guide the investigation process. 3. Establish a policy for securely handling and storing the collected evidence. 4. Identify the potential evidence required for an incident. 5. Keep an incident response team ready to review the incident and preserve the evidence. 6. Identify if the incident requires a full or formal investigation. 7. Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption. 8. Create a process for documenting the procedure. What is the correct sequence of steps involved in forensic readiness planning? 4 -> 1 -> 7 -> 3 -> 6 -> 8 -> 2 -> 5 6 -> 8 -> 4 -> 2 -> 7 -> 5 -> 3 -> 1 1 -> 3 -> 4 -> 2 -> 5 -> 7-> 6 -> 8 2 -> 3 -> 5 -> 7 -> 8 -> 1 -> 4 -> 6

4 -> 1 -> 7 -> 3 -> 6 -> 8 -> 2 -> 5

Which of the following information will be present in the "Investigation process" section of the forensics investigation report? Purpose of investigation Case number Allotted investigators Significant findings

Allotted investigators

Which of the following will be present in the "Supporting Files" section of a forensics investigation report? Preservation of the evidence Investigative techniques Attachments and appendices Date and time the incident allegedly occurred

Attachments and appendices

Charles, a forensics team member familiar with all the applicable laws, participated in a crime investigation process. The role of Charles in the team was to assist the forensic investigators by providing legal advice on how to conduct the investigation and address the legal issues involved in various tasks. Which of the following roles did Charles play in the above scenario? Expert witness Evidence examiner Evidence manager Attorney

Attorney

Which of the following rules of evidence states that investigators must provide supporting documents regarding the legitimacy of the evidence, with details such as the source of the evidence and its relevance to the case? Authentic Admissible Reliable Complete

Authentic

Graham, a forensic expert, was analyzing raw data extracted from a suspected Windows system. In this process, he employed an automated tool to extract and analyze the deleted files. Which of the following tools did Graham employ in the above scenario? OWASP ZAP Burp Suite Wireshark Autopsy

Autopsy

Grayson, a forensic investigator, was able to retrieve evidence from a device by authenticating with the information of a card and the user through the level of access, configurations, and permissions. Identify the device utilized by Grayson to obtain the evidence Surveillance camera Thumb drive Router Biometric scanner

Biometric Scanner

Identify the process that involves examining, identifying, separating, converting, and modeling data to isolate useful information. Evidence preservation Data acquisition Data analysis Case analysis

Case analysis

Which of the following tasks is NOT the responsibility of a forensic investigator? Ensure appropriate handling of the evidence Identify and recover data required for investigation Configure network components Reconstruct the damaged storage devices

Configure network components

Identify the component of SSD serves that acts as a bridge between the flash memory components and the system by executing firmware-level software.

Controller

Which of the following laws was enacted in 1999 and requires financial institutions—companies offering consumers financial products or services such as loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data? GDPR - General Data Protection Regulation HIPAA - Health Insurance Portability and Accountability Act PCI DSS - Payment Card Industry Data Security Standard GLBA - Gramm-Leach-Bliley Act

GLBA or Gramm-Leach-Bliley Act

Sandra, a crime investigator, wants to use a disk that supports a maximum partition size ranging from 2 TiB to 8 ZiB for securely storing her evidence data. For this purpose, she purchased a Windows OS system that uses a partitioning scheme with support for up to 128 partitions as well as 64-bit LBAs and CRCs to ensure data integrity. Identify the partitioning scheme provided by Sandra's system. GPT - GUID partition table MBR - Master Boot Record Clusters BPB

GPT - GUID partition table

Which of the following elements is a 128-bit unique number generated by the Windows OS to identify a specific device, document, database entry, and/or the user? Slack Space MBR BPB GUID

GUID

Which of the following contents of a hard disk drive sector is used to provide time for the controller to continue the read process? Synchronization fields ID information Data Gaps

Gaps

Which of the following file systems is developed by Apple Computer, Inc. to support Mac OS in its proprietary Macintosh system and as a replacement for the Macintosh File System (MFS)? Encrypting File Systems Journaling File System Fourth Extended File System Hierarchical File System

Hierarchical File System

Which of the following contents of a sector contains the sector number and location, which identify sectors on the disk, as well as status information on the sector? Synchronization fields ID information Error correction coding (ECC) Gaps

ID information

Which of the following steps of forensic readiness planning defines the purpose of evidence collection and gathering information to determine evidence sources that can help deal with the crime and design the best methods of collection? Determine the sources of evidence Identify if the incident requires full or formal investigation Identify the potential evidence required for an incident Create a process for documenting the procedure

Identify the potential evidence required for an incident

A company, Finance Miracle, hired Harry for a role in a forensics investigation team. Harry is responsible for examining incidents as per their type, how they affect the systems, the different threats, and the vulnerabilities associated with them. Identify the designation of Harry in the investigation team. Evidence examiner Photographer Incident analyzer Evidence manager

Incident analyzer

Robert, a forensics team member, was tasked with investigating an attack on a system. He investigated the attack based on the evidence, identified its type, determined how it affected the system, and identified other threats and vulnerabilities associated with the target system. What was the designation of Robert in the investigation team? Photographer Evidence documenter Incident analyzer Incident responder

Incident analyzer

Cooper, a member of a forensics investigation team, was investigating a cyber-attack performed on an organization. During the investigation process, Cooper secured the incident area and collected all the evidence, following which he disconnected the affected systems from other systems to stop the spread of the incident. Identify the role played by Cooper in the investigation team. Attorney Incident analyzer Incident responder Evidence examiner

Incident responder

Jack, a disgruntled employee of an organization, gained access to the organization's database server. He manipulated client records stored on the database server to damage the reputation of the organization and to make the organization face legal consequences for losing integrity. Identify the type of attack performed by Jack in the above scenario. External attack Brute-force attack Internal attack Trojan horse attack

Internal Attack

Which of the following is a user-created evidence source that can assist forensic investigators in recording and analyzing whether the victim stored any malicious links or URLs? Database files Internet bookmarks Address books Media files

Internet bookmarks

Thomas, a forensic investigator, was working on a suspected machine to gather potential evidence. In this process, he went through all the evidence sources such as logs, configuration files, and cookies. Subsequently, he analyzed the evidentiary data to identify the criminal. Identify the forensics investigation phase demonstrated in the above scenario. Investigation phase Post-investigation phase Pre-investigation phase Preparatory phase

Investigation Phase

In which of the following investigation phases does the forensic officer perform data acquisition, preservation, and analysis of evidentiary data to identify the source of a crime and the culprit? Preparatory phase Post-investigation phase Investigation phase Pre-investigation phase

Investigation phase

Which of the following is a quality that makes one a good computer forensics investigator? Well-versed in a single computer platform or technology Inability to control emotions when dealing with issues that induce anger Lack of patience and willingness to work long hours Knowledge of the laws relevant to the case

Knowledge of the laws relevant to the case

Which of the following practices is NOT a good quality of a computer forensics investigator? Excellent writing skills to detail findings in the report Interviewing skills to gather extensive information Lack of patience and willingness to work long hours Has knowledge of the laws relevant to the case

Lack of patience and willingness to work long hours

Identify the information in the superblock of ext2 that allows the system to determine whether it needs to check the file system fully. Mount count and maximum mount count Magic number Block group number Revision level

Mount count and maximum mount count

Which of the following is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards? PCI DSS - Payment Card Industry Data Security Standard FISMA - Federal Information Security Modernization Act 2002 GDPR - General Data Protection Regulation HIPAA - Health Insurance Portability and Accountability Act

PCI DSS - Payment Card Industry Data Security Standard

Which of the following is a high-speed serial expansion card integrating flash directly into the motherboard and is connected to the host machine through its own serial link by eliminating the need to share a bus, reducing latency, and enhancing the data transfer speeds between a server and storage? Serial ATA Parallel ATA PCIe SSD - Peripheral Component Interconnect Express SSD ATA/PATA (IDE/EIDE)

PCIe SSD - Peripheral Component Interconnect Express SSD

Which of the following is a volatile form of memory, requires power to retain data, and is included in an SSD to increase its read/write performance? NAND flash memory Controller Host interface DRAM - Dynamic random-access memory

DRAM

Which of the following is a process of imaging or collecting information from various media in accordance with certain standards for analyzing its forensic value? Evidence preservation Reporting Testimony as an expert witness Data acquisition

Data acquisition

In which of the following steps of forensic readiness planning do investigators devise a strategy to ensure the collection of evidence from all relevant sources and ensure its preservation in a legally sound manner while causing minimal disruption to work? Define a policy that determines the pathway to legally extract electronic evidence Identify if the incident requires full or formal investigation Establish a legal advisory board to guide the investigation process Create a process for documenting the procedure

Define a policy that determines the pathway to legally extract electronic evidence

In which of the following steps of forensic readiness planning does an investigator determine what currently happens to the potential evidence data and its impact on the business while retrieving the information? Identify the potential evidence required for an incident Establish a legal advisory board to guide the investigation process Determine the sources of evidence Create a process for documenting the procedure

Determine the sources of evidence

Asher, a forensics specialist, was able to retrieve evidence from a device through its address book, notes, appointment calendars, phone numbers, email, etc. Which of the following devices did Asher acquire the evidence from? Network interface card Digital watch Fax machine Router

Digital watch

Identify the part in the MBR structure that is located at the end of the MBR, holds only 2 bytes of data, and is required by BIOS during booting? Master boot code Partition table Disk signature Boot strap

Disk signature

Identify the benefit an incident response team offers an organization if the team is forensically ready. Maximizes the cost of regulatory or legal requirements for disclosure of data Ensures that the investigation meets all regulatory requirements Allows attackers to cover their tracks Increases the complexity of evidence gathering

Ensures that the investigation meets all regulatory requirements

Aiden, an investigation officer, was investigating a suspected system from which a critical document was sent without permission. In this process, he discovered potential evidence from documents, film cartridges, and phone numbers to which the document was sent. Identify the source of potential evidence from which Aiden gathered the above information. Thumb drive Scanner Global Positioning System Fax machine

Fax machine

Identify the smallest physical storage unit on a hard disk drive that normally stores 512 bytes of data for HDDs and 2048 bytes for CD-ROMs and DVD-ROMs. Sector Cluster Platter Track

Sector

Identify the smallest physical storage unit on a hard-disk platter that is a mathematical term denoting a pie-shaped part of a circle and is enclosed by the perimeter of the circle and two radii. Sector Track numbering Sector addressing Track

Sector

Which of the following is the wasted area of a disk cluster lying between the end of a file and the end of the cluster and is created when the file system allocates a full cluster to a file smaller than the cluster size? Master boot record Lost cluster BIOS parameter block Slack space

Slack space

Which of the following titles of ECPA addresses the privacy of the contents of files stored by service providers and records held about the subscriber by service providers, such as subscriber name, billing records, and IP addresses? Title II Title I Title III Title IV

Title II: Also called the Stored Communications Act (SCA), Title II protects the privacy of the contents of files stored by service providers and of records held about the subscriber by service providers, such as subscriber name, billing records, or IP addresses.

Which of the following types of attack is performed using a seemingly harmless program containing malicious code that can later gain control and cause damage, such as destruction of the file allocation table on a hard disk?

Trojan Horse Attack

Identify the rule of evidence stating that investigators and prosecutors must present evidence in a clear and comprehensible manner to the members of the jury. Reliable Authentic Understandable Admissible

Understandable

Which of the following countries implements the cyber law "Regulation of Investigatory Powers Act 2000"? United States United Kingdom India Australia

United Kingdom

Which of the following types of digital evidence in a computer system will be lost as soon as the system is powered off? Swap file Slack space Non-volatile data Volatile data

Volatile Data

Which of the following types of digital evidence is temporary information on a digital device that requires constant power supply to retain and is deleted if the power supply is interrupted? Unallocated clusters Slack space Non-volatile data Volatile data

Volatile Data

Which of the following qualities is required for a good computer forensics investigator? Well-versed in more than one computer platform Lack of patience and willingness to work long hours Well-versed in a specific computer platform Minimal analytical skills to find evidence

Well-versed in more than one computer platform

James, a newly recruited employee of an organization, received an email containing a fake appointment letter. The letter claims to have been sent by the real organization. James failed to identify the legitimacy of the letter and downloaded it. Consequently, malicious software was installed on his system, and it provided remote access to the attacker. Identity the type of cybercrime performed by James in the above scenario. Denial-of-service attack Privilege escalation attack SQL injection attack Phishing attack

Phishing Attack

Before investigating a cybercrime, Joyce, a forensic investigator, sets up a computer forensics lab, builds a forensics workstation, develops an investigation toolkit, and secures the case perimeter and involved devices. Identify the investigation phase Joyce is currently in. Investigation phase Post-investigation phase Documenting phase Pre-investigation phase

Pre-investigation phase

Which of the following phases of the forensics investigation process involves setting up a computer forensics lab, building a forensics workstation, developing an investigation toolkit, building an investigation team, and obtaining approval from the relevant authority? Pre-investigation phase Investigation phase Documenting phase Post-investigation phase

Pre-investigation phase

Calvin, a forensic crime investigator, retrieved evidence from a device that consists of usage logs, time and date information, network identity information, and ink cartridges. Identify the device from which Calvin obtained the evidence. Switch Printer Modem Hub

Printer

John, a security specialist, was investigating a criminal case. He extracted all the possible evidence from a suspected laptop, created an exact copy of the evidence, and submitted the evidence as is to the jury members without any intermediary tampering. Identify the evidence rule demonstrated in the above scenario. Understandable Authentic Admissible Reliable

Reliable

Which of the following Federal Rules of Evidence states, "rules should be construed so as to administer every proceeding fairly, eliminating unjustifiable expense and delay, and promoting the development of evidence law, to the end of ascertaining the truth and securing a just determination"? Rule 103: Rulings on Evidence Rule 101: Scope Rule 102: Purpose Preserving a claim of error

Rule 102: Purpose

In which of the following phases of the UEFI boot process does the system clear the UEFI program from memory and transfer it to the OS? Driver Execution Environment phase Security phase Runtime phase Pre-EFI initialization phase

Runtime phase

Which of the following types of disk interface is a set of ANSI standard electronic interfaces that allow personal computers to communicate with peripheral hardware such as disk drives, tape drives, CD-ROM drives, printers, and scanners? SCSI - Small Computer System Interface Serial ATA or sata EIDE - Enhanced integrated drive electronics Parallel ATA or pata

SCSI - Small Computer System Interface

Which of the following acts was passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations? DPA - Data Processing Agreement SOX - The Sarbanes-Oxley Act of 2002 GDPR - General Data Protection Regulation ECPA - Electronic Communications Privacy Act of 1986

SOX - The Sarbanes-Oxley Act of 2002

Which of the following types of cybercrime involves taking advantage of unsanitized input vulnerabilities to pass commands through a web application and thereby retrieve information from the target database? SQL injection attack Brute-force attack Espionage Trojan horse attack

SQL injection attack

Austin, a forensic investigator, was tasked with examining a crime scene. In this process, he identified a few devices that were affected during the attack process. Austin secured all these devices in a lawful manner for further investigation. Identify the investigation phase Austin is currently performing in the above scenario. Data acquisition Search and seizure Data analysis Case analysis

Search and seizure

Which of the following tools is mainly used to inspect and edit all types of files as well as to recover deleted files or lost data from hard drives with corrupt file systems or from memory cards of digital cameras? Shodan HOIC WinHex Wireshark

WinHex

Which of the following is a built-in Windows utility that helps detect errors in the file system and disk media? dd command chkdsk command mmls command Get-GPT command

chkdsk command

Harrison, a forensic investigator, was working on a criminal case in which he had to extract all the possible data related to criminal activity on a device running Windows OS. For this purpose, Harrison wanted to view the detailed partition layout for the GPT disk, along with the MBR details. Which of the following commands will help Harrison in the above scenario? tcpdump mmls nc -l nmap

mmls

Which of the following measures is defined as the number of bits per square inch on a platter? Track density Bit density Areal density Seek time

Areal density

Don, a professional hacker, targeted Johana's official email account to steal her project-related files stored in it. In this process, Don tried all the possible combinations of password characters through the trial-and-error method and finally logged into her account. Identify the type of cybercrime demonstrated in the above scenario. Keylogger attack Brute-force attack Hybrid attack Dictionary attack

Brute-force Attack

Identify HIPAA's administrative statute and rules that require employers to have standard national numbers that identify them on standard transactions. Electronic Transaction and Code Sets Standards Enforcement Rule National Provider Identifier Standard Employer Identifier Standard

Employer Identifier Standard

Which of the following types of cybercrime is an offensive activity in which a computer connected to the web is employed as a source point to damage an organization's reputation? Privilege escalation Cyber defamation Data manipulation Intellectual property theft

Cyber defamation

Which of the following components of EFS uses CryptoAPI to extract the file encryption key (FEK) for a data file and uses it to encode the FEK to produce the DDF? EFS FSRTL EFS Driver EFS Service Win32 API

EFS Service

Medicing Inc. targeted their competitor organization to steal information about their product that gained immense popularity within a brief period. For this purpose, Medicing Inc. employed Don, a professional hacker. Don performed open-source intelligence gathering and analyzed the target product's details. Using the obtained information, Medicing Inc. created a similar product and launched it with a lower price. Identify the cybercrime demonstrated in the above scenario. Privilege escalation Espionage Spoofing Phishing

Espionage

Which of the following tasks is the responsibility of a forensic investigator? Configure network components Update and release patches for devices Manage servers and operating systems Evaluate the damage due to a security breach

Evaluate the damage due to a security breach

Identify the forensics investigation report section that includes investigative techniques used during the investigation process. Evaluation and analysis Process Investigation process Evidence information Details of the incident

Evaluation and analysis Process

Identify the forensics investigation report section that includes the tools and techniques used for collecting the evidence during the investigation process. Evaluation and analysis process Investigation process Evidence information Executive summary

Evidence information

Bruno, a forensics investigator, was tasked with investigating a recent cyber-attack on an organization. To protect the evidence, Bruno maintained a logbook of the project to record observations related to the evidence, used tagging to uniquely identify any evidence, and created a chain of custody record. In the above scenario, identify the investigation phase Bruno is currently in. Search and seizure Data analysis Evidence preservation Case analysis

Evidence preservation

Identify the member in the forensics investigation team who offers a formal opinion in the form of a testimony in a court of law. Evidence manager Evidence examiner Expert witness Evidence documenter

Expert witness

Henry, a professional hacker, targeted an organization to gain illegitimate access to its server. He launched an SQL injection attack from a remote location on the target server to obtain users' credentials. Which of the following types of attack has Henry performed in the above scenario? Insider attack Trojan horse attack External attack Internal attack

External Attack

Serah, a forensic investigator, was tasked with analyzing the disk layout with details such as locations of the partition area as well as the partition table and its backup copies. In this process, she executed a command to parse the GPTs of both types of hard disks and analyzed the first sector of the hard drive, determined the formatting type used, and then parsed the GPT. Identify the cmdlet utilized by Serah in the above scenario. Sleuth Kit mmls Get-BootSector Get-GPT Get-PartitionTable

Get-BootSector

Bryson, a forensic investigator, was tasked with analyzing a hard disk containing Windows OS. As details about the hard disk were scarcely available, Bryson extracted the GUID partition table and its backup copies to analyze the hard disk layout through Windows PowerShell. Identify the cmdlet used by Bryson in the above scenario. Get-Service Get-EventLog Get-GPT Get-Process

Get-GPT

Identify the type of cybercrime that involves the theft of trade secrets, copyrights, or patent rights of an asset or material belonging to individuals or entities, resulting in huge losses to the target organization. Intellectual property theft Data manipulation Phishing Trojan horse attack

Intellectual property theft

Which of the following structures of the HFS volume keeps track of the allocation blocks in use and those that are free? Logical block 0 Logical block 2 Logical block 3 Logical block 1

Logical block 3

Which of the following components of NFTS acts as a boot loader and accesses the file system to load the contents of the boot.ini file? Ntldlr.dll Hard disk Kernel mode Ntfs.sys

Ntldlr.dll

Jayden, a forensic investigator, was appointed to investigate a powered-off system recovered from a crime scene. He found many locked files in that computer and suspected that those files might contain information useful to identify the criminals. Which of the following evidence sources provided Jayden with useful information during the investigation? Password-protected files Compressed files Hidden files Misnamed files

Password-protected files

Lincoln, a forensic investigator, collected evidence from a crime scene. He used some hardware and software tools to complete the investigation process. Lincoln then created a report and documented all the actions performed during the investigation. Identify the investigation phase Lincoln is currently in. Investigation phase Pre-investigation phase Post-investigation phase Preparatory phase

Post-investigation phase

Xavier, a security specialist, was appointed to investigate a crime scene at an organization. He completed the investigation process successfully and created a document that includes all the individual tasks performed in resolving the case. Which of the following forensics investigation phases is Xavier currently in? Post-investigation phase Pre-investigation phase Preparatory phase Investigation phase

Post-investigation phase

Benjamin, a professional hacker, joined as an intern in an organization and obtained some permissions to access the resources related to his job. Soon after gaining trust in the organization, he obtained elevated permissions to access restricted parts of the network. Thus, he gained access to confidential data of the organization. Identify the type of attack performed by Benjamin in the above scenario. Session hijacking attack SQL injection attack Privilege escalation attack Denial-of-service attack

Privilege escalation attack

Which of the following characteristics of a hard disk represents the time taken by a hard-disk controller to identify a particular piece of data? Data transfer rate Rotational delay Rotational latency Seek time

Seek time

Identify the SWGDE standards and criteria insisting that all the activities related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and made available for review and testimony. Standards and Criteria 1.2 Standards and Criteria 1.1 Standards and Criteria 1.6 Standards and Criteria 1.5

Standards and Criteria 1.6

Identify the SWGDE standards and criteria stating that the agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness. Standards and Criteria 1.1 Standards and Criteria 1.2 Standards and Criteria 1.3 Standards and Criteria 1.4

Standards and Criteria 1.2

Identify the SWGDE standards and criteria stating that the agency must maintain written copies of appropriate technical procedures. Standards and Criteria 1.2 Standards and Criteria 1.1 Standards and Criteria 1.5 Standards and Criteria 1.4

Standards and Criteria 1.4

Identify the SWGDE standards and criteria stating that the agency must use hardware and software appropriate and effective for the seizure or examination procedure. Standards and Criteria 1.5 Standards and Criteria 1.1 Standards and Criteria 1.4 Standards and Criteria 1.2

Standards and Criteria 1.5