Review Questions Ch. 2
What are some ways to determine the resources needed for an investigation?
Determine the OS of the suspect computer. List the necessary software to use for the examination.
You should always prove the allegations made by the person who hired you. True or False?
False
Data collected before an attorney issues a memorandum for an attorney-client privilege case is protected under the confidential work product rule. True or False?
False. All data collected before an attorney issues notice of attorney-client privilege is subject to discovery by opposing counsel.
When might an interview turn into an interrogation?
Interviews are intended to collect facts about an investigation. An investigator might find that these facts warrant considering the witness to be a suspect, at which point the interview becomes an interrogation.
What are the basic guidelines when working on an attorney-client privilege case?
Minimize written correspondence, make sure all written documentation and communication includes a label stating that it's privileged communication and confidential work product, and assist the attorney and paralegal in analyzing data.
What are some reasons that an employee might leak information to the press?
Reasons range from disgruntled employees wanting to embarrass the company to rival organizations competing against each other.
For digital evidence, an evidence bag is typically made of antistatic material. True or False?
True
List three items that should be in your case report.
an explanation of basic computer and network processes, a narrative of what steps you took, a description of your findings, and log files generated from your analysis tools.
Who should have access to a secure container? a. Only the primary investigator b. Only the investigators in the group c. Everyone on the floor d. Only senior-level management
b. Only the investigators in the group
List three items that should be on an evidence custody form.
case number, name of the investigator assigned to the case, nature of the case, location where evidence was obtained, description of the evidence, and so on.
What do you call a list of people who have had physical possession of the evidence?
chain of custody
For employee termination cases, what types of investigations do you typically encounter?
hostile work environment caused by inappropriate Internet use, sending harassing e-mail messages
What is the most important point to remember when assigned to work on an attorney-client privilege case?
keeping all your findings confidential
What two tasks is an acquisitions officer responsible for at a crime scene?
providing a list of all components that were seized, noting whether the computer was running at the time it was taken into evidence, making notes of the computer's state at the time it was acquired, noting the operating system if the computer is running, and photographing any open windows to document currently running programs.
Why should your evidence media be write-protected?
to ensure that data isn't altered
Why should you critique your case after it's finished?
to improve your work
Why should you do a standard risk assessment to prepare for an investigation?
to list problems that might happen when conducting your investigation as an aid in planning your case
What are some initial assessments you should make for a computing investigation?
Talk to others involved in the case and ask about the incident. Determine whether law enforcement or company security officers already seized the computer evidence. Determine whether the computer was used to commit a crime or contains evidence about the crime.