Chapter 8 Adv. Sec. Prac.

The laws governing search and seizure in the public sector are much more straightforward than those in the private sector.

False

The forensic tool ____ does extensive pre-processing of evidence items that recovers deleted files and extracts e-mail messages.

Forensic Toolkit (FTK)

____ is the determination of the initial flaw or vulnerability that allowed an incident to occur.

Root cause analysis

Ignorance of policy is a legal excuse for an employee.

True

To analyze evidence, the original is obtained from storage, a copy of the evidence is made for analysis, and the original is returned to storage, because it is crucial that the analysis never takes place on the original evidence.

True

Many private sector organizations require a formal statement, called a(n) ____, which provides search authorization and furnishes much of the same information usually found in a public sector search warrant.

affidavit

Grounds for challenging the results of a digital investigation can come from possible ____—that is, alleging that the relevant evidence came from somewhere else or was somehow tainted in the collection process.

contamination

The ____ phase of forensic analysis involves the use of forensic tools to recover the content of files that were deleted, operating system artifacts (such as event data and logging of user actions), and other relevant facts.

examination

The functional part of forensics called ____ is about assessing the "scene," identifying the sources of relevant digital information, and preserving it for later analysis using sound processes.

first response

Because it is possible for investigators to confuse the suspect and destination disks when performing imaging, and to preclude any grounds for challenging the image output, it is common practice to protect the suspect media using a ____.

write blocker