Chapter 15 Computer Forensics and Investigations
What is a forensic duplicate image?
A bit-by-bit copy of the original storage media
Which of the following prevents the government from using illegally gathered evidence at a criminal trial? A. Fruit of the poisonous tree doctrine B. Locard's exchange principle C. The Daubert test D. Probative evidence
A. Fruit of the poisonous tree doctrine
Which of the following is true of the Pen Register and Trap and Trace Statute? A. No one is allowed to install wiretaps on telephones to intercept telephonic communications. B. A court order is required to use pen register or trap and trace devices to intercept electronic communications transmission data. C. No one may access the contents of stored communications unless it is allowed somewhere else in the statute. D. This law applies to communications content.
B. A court order is required to use pen register or trap and trace devices to intercept electronic communications
Why can non-probative evidence be excluded from trial?
Because it is not relevant
Alice is a computer forensic examiner. She is at a crime scene and finds a computer that must be taken into evidence. She tags the computer, notes that a network cable was attached, and removes the computer from the scene. At which step of the investigative process is Alice most likely working?
Collection
What are CCE, CCFE, CFCE, and GCFA examples of?
Computer forensics certifications
All of the following statements are true except: A. to be admissible, evidence must be collected in a lawful manner. B. a judge or jury can consider only admissible evidence when they decide cases. C. forensic examiners must use established practices and procedures when collecting evidence. D. all evidence is admissible as long as it is reproducible in a tangible form.
D. all evidence is admissible as long as it is reproducible in a tangible form.
What is a test for measuring the reliability of a scientific methodology?
Daubert
At the federal level, what is the name of the main guidance regarding how parties introduce evidence at trial?
Federal Rules of Evidence
A computer or any electronic device can play one of four roles in computer crime. Cyberstalking and phishing scams are examples of which role?
To facilitate a crime
True or False? A reasonable Daubert test question is: "Is there a known error rate for the tool?"
True
True or False? A search warrant is a court order, and probable cause is a burden of proof.
True
True or False? Computer forensics is the scientific process for examining data stored on, received from, or transmitted by electronic devices.
True
True or False? During the identification phase of an investigation, computer forensic examiners learn about the crime, event, or activity being investigated.
True
True or False? Law enforcement may conduct inventory searches without a warrant when they arrest a suspect. These searches are allowed when they are made for non-investigative purposes.
True
True or False? Records recovered from a computer can be hearsay, depending on how they were created originally.
True
True or False? Relevance of evidence can occasionally be a problem for digital evidence because it is sometimes hard for judges and juries to understand very technical information.
True
True or False? The Fourth Amendment protects people from unreasonable government search and seizure.
True
True or False? The chain of custody shows who obtained evidence, where and when it was obtained, who secured it, and who had control or possession of it.
True
True or False? The exception that allows law enforcement to make a warrantless search in order to protect their safety and to ensure that evidence is not destroyed during an arrest is known as the protective sweep exception.
True
True or False? The test for measuring the reliability of a scientific methodology in computer forensic investigations is called the Daubert test.
True
True or False? To get a search warrant, law enforcement must clearly specify the criminal activity that is being investigated.
True
During which step of a computer crime investigation is expert witness testimony taken?
Presentation
During which step of a computer crime investigation is the crime scene typically documented?
Preservation
A judge or jury can consider only __________ evidence when deciding cases.
admissible
A(n) _______ happens when a person's reasonable expectation of privacy in a place or thing is compromised. A(n) ______ happens when the government interferes with a person's property.
search, seizure
True or False? A warrant is always required to use "silver platter" evidence in court.
False
True or False? During the collection step of an investigative process, computer forensic examiners secure the crime scene and any electronic devices and ensure no one tampers with or modifies evidence.
False
True or False? In a search incident to a lawful arrest, law enforcement is required to have a warrant to search for weapons or contraband on the body of an arrested person.
False
True or False? Probable cause occurs when a person's reasonable expectation of privacy in a place or thing is compromised.
False
True or False? Regarding forensic investigations, all rules and processes apply equally to both law enforcement and private entities.
False
True or False? The examination step of an investigative process is sometimes referred to as the "bag and tag" step.
False
Which of the following is best described as "whenever two objects come in contact, a transfer of material occurs"? A. Fruit of the poisonous tree doctrine B. Locard's exchange principle C. The Daubert test d. Plain view doctrine
B. Locards exchange principle
Which of the following is not considered a potential source of digital evidence? A. Internet of Things (IoT) device B. Mobile phone C. Faxed document D. Network router
C. Faxed Document
Which of the following is not an exception to the Fourth Amendment's requirements for search warrants? A. Consent B. Plain view doctrine C. Interference D. Exigent circumstances
C. Interface
Which of the following cannot be examined on a forensic duplicate image? A. Volatile data cache B. File download history C. Internet browsing history D. Instant message or internet chat logs
D. Instant message or internet chat logs
True or False? A court-recognized exception to the Fourth Amendment's search warrant requirements is exigent circumstances, under which law enforcement does not need a warrant to search for weapons or contraband on the body of an arrested person.
False
True or False? A forensic duplicate image is generally made by the forensic examiner during the preservation step of the investigative process.
False
___________ includes reviewing transaction logs and uses real-time monitoring to find evidence.
Network analysis
What does the best evidence rule require?
That original documents be used at trial
