1-Guide to Computer Forensics and Investigations


What do you call a list of people who have had physical possession of the evidence?

Chain of Custody

Digital forensics and data recovery refer to the same activities. (T/F)

False

Organization that exchanges information about techniques related to computer investigations and security.

HTCIA

By the early 1990s, the ____________ introduced training on software for forensics investigations.

IACIS

Without a warning banner, employees might have an assumed __________________when using a company's computer systems and network accesses.

Right of privacy

Recognizes file types and retrieves lost or deleted files.

Xtree Gold

Based on the incident or crime, the complainant makes a(n) ____________, an accusation or supposition of fact that a crime has been committed.

allegation

The FBI _____________ was formed in 1984 to handle the increasing number of cases involving digital evidence.

(CART) Computer Analysis and Response Team

List three items that should be in your case report.

* An explanation of basic computer and network processes
* A narrative of what steps you took
* A description of findings

When you work in the enterprise digital group, you test and verify the integrity of standalone workstations and network servers. (T/F)

False (correct answer is vulnerability/threat assessment and risk management group)

_______ often work as part of a team to secure an organization's computers and networks.

Forensics Investigator

Involves selling sensitive or confidential company information to a competitor.

Industrial Espionage

Specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.

Line of Authority

The legal process of proving guilt or innocence in court.

Litigation

In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) _______________.

affidavit

A(n) _______________ is a person using a computer to perform routine tasks other than systems administration.

end user

Published company policies provide a(n) _______________ for a business to conduct internal investigations.

line of authority

What are some examples of text for internal banner messages?

* Access to this system and network is restricted
* Use of this system and network is for official business only
* Systems and networks are subject to monitoring at any time by the owner
* Using this system implies consent to monitoring by the owner
* Unauthorized or illegal users of this system or network will be subject to discipline or prosecution
* Users of this system agree that they have no expectation of privacy relating to all activity on this system

List two items that should appear on a warning banner.

Access to this system and network is restricted and use of this system and network is for official business only

Sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence.

Affidavit

What's the purpose of an affidavit?

An affidavit is often used to justify issuing a warrant or to deal with abuse in a corporation.

Why is confidentiality critical in the private-sector environment?

Because when dealing with employees who have been terminated, the agreement between the company and the employee might have been to represent the termination as a layoff or resignation in exchange for no bad references. If you give case details and the employee's name to others, your company could be liable for breach of contract. In the wrong hands, confidential information can be misused to commit illegal activity, which can turn into costly lawsuits.

What is professional conduct, and why is it important?

Behavior expected of an employee in the workplace or other professional setting. It is important because it determines your credibility.

In the Pacific Northwest, _________________ meets to discuss problems that digital forensics examiners encounter.

CTIN

Allows legal counsel to use previous cases similar to the current one because the laws don't yet exist.

Case Law

List three items that should be on an evidence custody form.

* Case number
* Investigating organization
* Investigator

Investigates data that can be retrieved from a computer's hard disk or other storage media.

Computer Forensics

_________ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.

Data Recovery

What are some ways to determine the resources needed for an investigation?

Determine the OS of the suspect computer and list the software to use for the examination

The definition of ___________________ has evolved over the years from simply involving securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases. (T/F)

Digital Forensics

The ____________ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.

Digital Investigations

Computer investigations and forensics fall into the same category: public investigations. (T/F)

False

Maintaining credibility means you must form and sustain unbiased opinions of your cases (T/F)

False

The law of search and seizure protects the rights of all people, excluding people suspected of crimes. (T/F)

False

Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. (T/F)

False

You should always prove the allegations made by the person who hired you. (T/F)

False

The police blotter provides a record of clues to crimes that have been committed previously. (T/F)

False. All information entered into the police blotter becomes public record. Public record laws do include exceptions for protecting sensitive company information; ultimately, however, a judge decides what to protect.

Yields information about how a perpetrator or an attacker gained access to a network.

Network Forensics

Briefly describe the main characteristics of private-sector investigations.

Private or corporate investigations deal with private companies, non-law enforcement gov't agencies, and lawyers. These private organizations aren't governed directly by criminal law or Fourth Amendment issues, but by internal policies that define expected employee behavior and conduct in the workplace. Private corporate investigations also involve litigation disputes. Although private investigations are usually conducted in civil cases, a civil case can escalate into a criminal case, and a criminal case can be reduced to a civil case. If you follow good forensics procedures, the evidence found in your investigations can easily make the transition between civil and criminal cases.

What are some of the most common types of private-sector computer crime?

Private-sector computer crime can involve the following:
* E-mail harassment
* Gender and age discrimination
* White-collar crimes (such as falsification of data, embezzlement, and sabotage)
* Industrial espionage

Briefly describe the main characteristics of public-sector investigations.

Public investigations involve government agencies responsible for criminal investigations and prosecution. Gov't agencies range from local, county, and state or provincial police departments to federal regulatory enforcement agencies. These organizations must observe legal guidelines such as Article 8 in the Charter of Rights of Canada, the Criminal Procedures Act of the Republic of Namibia, and U.S. Fourth Amendment issues related to search and seizure rules.

Briefly describe the triad that makes up computer security.

The computer investigations function is one of three in a triad that makes up computing security. In an enterprise the triad consists of the following parts:
* Vulnerability assessment and risk management
* Network intrusion detection and incident response
* Computer investigations

What is the role of an authorized requester?

They have the power to initiate investigations.

Why should you critique your case after it's finished?

To determine what improvements you made during each case, what could have been done differently, and how to apply those lessons to future cases.

What's the purpose of maintaining a network of digital forensics specialists?

To have the option of calling on a specialist to help with a case you cannot solve.

Why should evidence media be write-protected?

To make sure the data cannot be altered.

After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. (T/F)

True

By the 1970s, electronic crimes were increasing, especially in the financial sector. (T/F)

True

Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. (T/F)

True

For digital evidence, an evidence bag is typically made of antistatic material. (T/F)

True

The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence and property from search and seizure. (T/F)

True

To be a successful computer forensics investigator, you must be familiar with more than one computing platform. (T/F)

True

Briefly describe a hostile work environment.

Unwelcome or offensive behavior in the workplace that causes one or more employees to feel uncomfortable, scared, or intimidated in their place of employment. Examples range from excessive use of a company's e-mail system for personal use to making threats or harassing others via e-mail.

A ______________ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.

Warning banner

What questions should an investigator ask to determine whether a computer crime was committed?

What was the tool used to commit the crime? Was it a simple trespass? Was it a theft or vandalism? Did the perpetrator infringe on someone else's rights by cyberstalking or e-mail harassment?

Why should you do a standard risk assessment to prepare for an investigation?

You do a standard risk assessment to understand the risks that could halt the investigation.

What are the necessary components of a search warrant?

You need an affidavit of the evidence to conduct an investigation.

How can you begin assessing a case?

You start with the device's OS, hardware, and peripheral devices. You then determine whether resources are available to process all the evidence. You then determine whether you have the right tools to collect and analyze evidence and whether you need to call on other specialists to assist in collecting and processing data. After that, your role is to delegate, collect, and process the information related to the complaint.

In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____________ who has the power to conduct investigations.

authorized requester

Police in the United States must use procedures that adhere to which of the following? a. Third Amendment b. Fourth Amendment c. First Amendment d. None of the above

b. Fourth Amendment

In a _____________ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation.

criminal

Policies can address rules for which of the following? a. When you can log on to a company network from home b. The Internet sites you can or cannot access c. The amount of personal e-mail you can send d. Any of the above

d. Any of the above

The triad of computing security includes which of the following? a. Detection, response, and monitoring b. Vulnerability assessment, detection, and monitoring c. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation d. Vulnerability assessment, intrusion response, and monitoring

d. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation

List two types of digital investigations typically conducted in a business environment.

email abuse, and internet abuse

It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.

exhibits

Most digital investigations in the private sector involve ____________.

misuse of digital assets

The affidavit must be __________________ under sworn oath to verify that the information in the affidavit is true.

notarized

In general, a criminal case follows three stages: the complaint, the investigation, and the ________________.

prosecution

Your ____________ as a digital investigation and forensics analyst is critical because it determines your credibility.

professional conduct

Corporations often follow the _________ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer.

silver platter
