CHFI Book Chapter 1
What is the "Federal Rule of Evidence, Rule 101"?
A statement that all other federal rules of evidence apply to all proceedings in the courts of the United States.
What is the "Federal Rule of Evidence, Rule 102"?
A statement that the other federal rules of evidence secure fairness in administration, elimination of unjustifiable expense and delay, and promotion of growth and development of the law.
Which of the following is NOT an objective of computer forensics? A) Interpret, document, and present the evidence to be admissible during prosecution. B) Document vulnerabilities allowing further loss of intellectual property, finances, and reputation during an attack. C) Identify, gather, and preserve the evidence of a cybercrime. D) Track and prosecute the perpetrators in a court of law.
B) Document vulnerabilities allowing further loss of intellectual property, finances, and reputation during an attack.
Which of the following should be work area considerations for forensics labs? A) Multiple examiners should share workspace for efficiency. B) Examiner station has an area of about 50-63 square feet. C) Physical computer examinations should take place in a separate workspace. D) Additional equipment such as note pads, printers, etc., should be stored elsewhere.
B) Examiner station has an area of about 50-63 square feet.
Which of the following is true regarding Enterprise Theory of Investigation (ETI)? A) It encourages reactive action on the structure of the criminal enterprise. B) It adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act. C) It differs from traditional investigative methods and it is less complex and less time consuming. D) It adopts an approach toward criminal activity as a criminal act.
B) It adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act.
Which of the following Federal Rules of Evidence states that the court shall restrict the evidence to its proper scope and instruct the jury accordingly? A) Rule 103 B) Rule 105 C) Rule 102 D) Rule 101
B) Rule 105
External attacks are: A) Primary threats B) Secondary threats
B) Secondary threats
Which of the following is a user-created source of potential evidence? A) printer spool B) address book C) cookies D) log files
B) address book
Which of the following should be considered before planning and evaluating the budget for the forensic investigation case? A) past success rate as a measure of value B) break down of costs into daily and annual expenditure C) use of outdated, but trusted, technologies D) current media coverage of high-profile computer crimes
B) break down of costs into daily and annual expenditure
Which of the following answers refers to a set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment in such a manner that the discovered evidence is acceptable during a legal and/or administrative proceeding in a court of law? A) incident handling B) computer forensics C) network analysis D) disaster recovery
B) computer forensics
Which of the following is NOT an element of cyber crime? A) fast-paced speed B) evidence smaller in size C) anonymity through masquerading D) volatile evidence
B) evidence smaller in size
What must an investigator do in order to offer a good report to a court of law and ease the prosecution? A) prosecute the evidence B) preserve the evidence C) obfuscate the evidence D) authorize the evidence
B) preserve the evidence
Which of the following is NOT part of the Computer Forensics Investigation Methodology? A) data acquisition B) testify as an expert defendant C) testify as an expert witness D) data analysis
B) testify as an expert defendant
What is the role of an expert witness? A) to testify against the plaintiff B) to educate the public and court C) to support the defense D) to evaluate the court's decisions
B) to educate the public and court
Which of the following is NOT part of the Computer Forensics Investigation Methodology? A) Collect the evidence. B) Assess the evidence. C) Destroy the evidence. D) Secure the evidence.
C) Destroy the evidence.
________ is the standard investigative model used by the FBI when conducting investigations against major criminal organizations. A) Both Enterprise Theory of Investigation (ETI) and Entrepreneur Theory of Investigation B) Entrepreneur Theory of Investigation C) Enterprise Theory of Investigation (ETI)
C) Enterprise Theory of Investigation (ETI)
Which of the following Federal Rules of Evidence governs proceedings in the courts of the United States? A) Rule 105 B) Rule 103 C) Rule 101 D) Rule 102
C) Rule 101
Forensic readiness refers to: A) having no impact on prospects of successful legal action. B) the establishment of specific incident response procedures and designated trained personnel to prevent a breach. C) an organization's ability to make optimal use of digital evidence in a limited time period and with minimal investigation costs. D) replacing the need to meet all regulatory requirements.
C) an organization's ability to make optimal use of digital evidence in a limited time period and with minimal investigation costs.
Which type of cases involve disputes between two parties? A) investigative B) criminal C) civil D) administrative
C) civil
Computer forensics deals with the process of finding ________ related to a digital crime to find the culprits and initiate legal action against them. A) insider threats B) fraud C) evidence D) malware
C) evidence
Cybercrimes can be classified into the following two types of attacks, based on the line of attack. A) fraud and spam B) phishing and malware C) internal and external
C) internal and external
Under which of the following conditions will duplicate evidence NOT suffice? A) when original evidence is in possession of a third party B) when original evidence is destroyed due to fire or flood C) when original evidence is in possession of the originator D) when original evidence is destroyed in the normal course of business
C) when original evidence is in possession of the originator
Under which of the following circumstances has a court of law allowed investigators to perform searches without a warrant? A) Expediting the process of obtaining a warrant may lead to the timely prosecution of a perpetrator. B) Expediting the process of obtaining a warrant may lead to a delay in prosecution of a perpetrator. C) Delay in obtaining a warrant may lead to the preservation of evidence and expedite the investigation process. D) Delay in obtaining a warrant may lead to the destruction of evidence and hamper the investigation process.
D) Delay in obtaining a warrant may lead to the destruction of evidence and hamper the investigation process.
Which of the following should be physical location and structural design considerations for forensics labs? A) Light-weight construction materials need to be used. B) Room size should be compact with standard HVAC equipment. C) Computer systems should be visible from every angle. D) Lab exteriors should have no windows.
D) Lab exteriors should have no windows.
Which of the following Federal Rules of Evidence ensures that the truth may be ascertained and the proceedings justly determined? A) Rule 101 B) Rule 105 C) Rule 103 D) Rule 102
D) Rule 102
Which of the following Federal Rules of Evidence contains Rulings on Evidence? A) Rule 105 B) Rule 102 C) Rule 101 D) Rule 103
D) Rule 103
Which of the following is true of civil crimes? A) The standards of proof need to be very high. B) Law enforcement agencies are responsible for collecting and analyzing evidence. C) A formal investigation report is required. D) The initial reporting of the evidence is generally informal.
D) The initial reporting of the evidence is generally informal.
Which of the following is NOT a legitimate authorizer of a search warrant? A) court of law B) magistrate C) concerned authority D) first responder
D) first responder
Espionage, theft of intellectual property, manipulation of records, and Trojan horse attacks are examples of what? A) insider attacks or secondary threats B) outsider attacks or secondary threats C) outsider attacks or primary threats D) insider attacks or primary threats
D) insider attacks or primary threats
What are "Standard Operating Procedures" (SOPs)?
Documented quality-control guidelines that must be supported by proper case records and broadly accepted procedures, equipment, and materials.
What is "Enterprise Theory of Investigation" (ETI)?
ETI is a holistic methodology for investigating criminal activity that views any criminal activity as a criminal operation, rather than as a single criminal act. ETI encourages authorities to consider that individuals commit crimes not for their own personal motives, but to benefit a larger criminal enterprise.
Rules of evidence are based on what?
English common law.
What is the "Federal Rule of Evidence, Rule 105"?
Evidence may be restricted to one party or purpose, and deemed inadmissible to the other party, or when used for another purpose. Rule 105 also covers hearsay.
T/F: Registry settings are considered volatile data.
False.
T/F: Swap files are considered non-volatile data.
False.
T/F: Criminal and Civil cases have the same rules when it comes to the chain-of-custody of evidence.
False; criminal cases have strict chain-of-custody requirements, whereas civil cases have more relaxed chain-of-custody requirements.
T/F: A computer forensic examiner can investigate any crime as long as he or she takes detailed notes and follows the appropriate processes.
False; the computer forensic examiner must not continue with the investigation if the examination is going to be beyond his or her knowledge level or skill level. In these circumstances, the forensic investigator must seek the assistance of an experienced specialist investigator or undergo training in that particular field to enhance his or her knowledge or skill set. It would be wise to discontinue the investigation if continuing is going to adversely affect the outcome of the case.
T/F: System peripherals (keyboards, mice, monitors, etc.) are of little use to computer forensic professionals and thus, are not taken into custody.
False; the tools of the crime include the computer or workstation used for the crime, including all hardware such as the keyboard, the mouse, and the monitor. Forensic investigators usually take all such tools into custody to use them as evidence.
T/F: Per the code of ethics, forensic investigators should discard/reserve any evidence that may cause failure in the case.
False; all evidence must be considered regardless of the effect it will have on the outcome of the case.
What is the "Federal Rule of Evidence, Rule 801"?
Hearsay is not admissible except as provided by other rules.
Are statements made in court during a cross-examination hearsay? Are they admissible in court?
No, they are not hearsay; therefore, unless otherwise noted, they are admissible.
Are statements made in court expressing the statements of another party hearsay? Are they admissible in court?
No, they are not hearsay; therefore, unless otherwise noted, they are admissible.
Are statements made in court to identify a person hearsay? Are they admissible in court?
No, they are not hearsay; therefore, unless otherwise noted, they are admissible.
Is "hearsay" admissible as evidence?
No.
What is "non-volatile" data?
Non-volatile data refers to the permanent data stored on secondary storage devices, such as hard disks and memory cards. Non-volatile data does not depend on power supply and remains intact even when the device is switched off.
What are the 10 rules that forensic investigators should follow?
1) Limit access to and examination of the original evidence. 2) Record changes made to the evidence files. 3) Create a chain of custody document. 4) Set (and comply with) standards for investigating the evidence. 5) Hire professionals for analysis of evidence. 6) Evidence should be strictly related to the incident. 7) The evidence should comply with the jurisdiction standards. 8) Document the procedures applied to the evidence. 9) Securely store the evidence. 10) Use recognized tools for analysis.
What are the 3 exceptions, per the "Best Evidence Rule", that allow evidence duplicates to be admissible?
1) Original evidence was destroyed due to fire or flood. 2) Original evidence was destroyed in the normal course of business. 3) Original evidence was in possession of a third party.
What are the 3 sources of potential evidence? Provide an example of each.
1) User-Created Files. (Internet bookmarks, media files, etc.) 2) User-Protected Files. (Steganographic files, encrypted files, compressed files, misnamed files, etc.) 3) Computer-Created Files. (Configuration files, log files, system files, temporary files, etc.)
In a criminal case, ____(1)____ are in charge of collecting evidence, whereas in a civil case, ____(2)____ are in charge of collecting evidence.
1): Law enforcement agencies 2): Claimants
What are the 9 steps to Forensic Readiness Planning?
1) Identify the potential evidence required for an incident. 2) Determine the source of the evidence. 3) Define a policy to extract electronic evidence with minimal disruption. 4) Establish a policy for securely handling and storing the collected evidence. 5) Identify if the incident requires full or formal investigation. 6) Train the staff to handle the incident and preserve the evidence. 7) Create a special process for documenting the procedure. 8) Establish a legal advisory board to guide the investigation process.
What is SOP 1.1?
A Standard Operating Procedure that states that all agencies that seize and/or examine digital evidence must maintain an appropriate SOP document.
What is the "Federal Rule of Evidence, Rule 1002"?
A requirement that original evidence is used unless directed otherwise by another rule.
What is the "Federal Rule of Evidence, Rule 1003"?
A rule that states that duplicates are admissible so long as the duplicate is authentic and it is fair to consider the duplicate in place of the original.
What are the 7 characteristics of digital evidence? (AKA the 7 "be"s)
1) Be relevant 2) Be probative 3) Be authentic 4) Be accurate 5) Be complete 6) Be convincing 7) Be admissible
What is SOP 1.3?
SOPs must be generally accepted in the field or supported by data gathered and recorded in a scientific manner.
What does "SWGDE" stand for?
Scientific Working Group on Digital Evidence
Which amendment gives citizens the right to privacy and forbids searches without warrants?
The 4th amendment.
What is SOP 1.4?
The agency must maintain written copies of the appropriate technical procedures.
What is SOP 1.5?
The agency must use hardware and software that is appropriate and effective for the seizure or examination procedure.
What is the "Best Evidence Rule"?
The best evidence rule is designed to prevent any alteration of digital evidence, either intentionally or unintentionally. It ensures that the court considers only the best evidence related to a specific matter or particular computer crime case.
What is an example of non-volatile data?
The contents of a computer's HDD (Hard Disk Drive).
What is an example of volatile data?
The contents of a computer's RAM (Random Access Memory).
What is the "Federal Rule of Evidence, Rule 1001"?
The definitions of the terms "writings/recordings", "original", "duplicate", and "photograph".
What does it mean for evidence to be "admissible" in a court of law?
The evidence has been deemed to meet certain relevancy, authenticity, and other requirements that make it eligible for consideration.
What does it mean for evidence to be "complete"?
The evidence must be capable of being proven factual.
What does it mean for evidence to be "believable"?
The evidence must be presented in a clear and comprehensible manner to the members of the jury. The facts must be explained clearly, and an expert opinion may be required to confirm them.
What does it mean for evidence to be "reliable"?
The evidence must have been carefully maintained so that its integrity is dependable.
What must be done before evidence may be examined?
The forensic examiner must make duplicate copies of the original evidence and only examine the duplicates.
If a piece of evidence is naturally modified (e.g., memory contents are lost when a computer is shut down), what should the forensic examiner do?
The forensic examiner should record the extent of the modifications and the reasons for the modifications.
What should a forensic examiner do if they find that the examination is going to be beyond his / her knowledge level or skill level?
The forensic investigator must seek the assistance of an experienced specialist investigator, or undergo training in that particular field to enhance his / her knowledge or skill set.
What is "Locard's exchange principle"?
The idea that something is added to, and something is removed from, a crime scene whenever someone or something enters or leaves it.
Define "computer forensics".
The procedures and techniques used to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment in such a manner that the discovered evidence is admissible in a court of law.
What is "Forensic Readiness Planning"?
The process of building a structure that enables an organization to deal with legal procedures following a criminal offense.
What does it mean for evidence to be "authentic"?
The source of the evidence and its relevance to the case are known.
T/F: When dealing with evidence related to Internet usage, investigators must preserve anonymity of other users.
True; the Fourth Amendment protects users for whom warrants have not been issued.
T/F: Given that digital crimes are often remote in nature, it is important that a computer forensic professional be knowledgeable about the laws of various regions and areas.
True.
T/F: Digital devices store data about sessions such as user and type of connection.
True; Digital devices used in cyberattacks and other security breaches store some data about the session, such as login user, time, type of connection, IP addresses, etc., which can act as evidence for prosecuting the attacker. Digital evidence includes all such information that is either stored or transmitted in digital form and has probative value, thus helping investigators find the perpetrator.
T/F: Forensic readiness includes technical and non-technical actions that maximize an organization's competence to use digital evidence.
True; Forensic readiness includes technical and nontechnical actions that maximize an organization's competence to use digital evidence.
T/F: Computer forensic professionals are effective in preparing for incidents in advance.
True; they are well suited to secure and strengthen defense mechanisms, as well as to fill the holes in security prior to an incident.
What is "volatile" data?
Volatile data refers to the temporary information on a digital device that requires a constant power supply and is deleted if the power supply is interrupted.
What is a "cybercrime"?
Any illegal act that involves a computer, its systems, or its applications.
What are the 3 approaches used to manage cybercrime investigations?
*1) Civil:* Disputes between two parties, which may include an individual versus a company, an individual versus another individual, or a company versus another company. They relate to violation of contracts and lawsuits, where a guilty verdict generally results in monetary damages to the plaintiff. *2) Criminal:* Crimes that are considered harmful to society and involve action by law enforcement agencies against a company, individual, or group of individuals in response to a suspected violation of law. A guilty outcome may result in monetary damages, imprisonment, or both. *3) Administrative:* Refers to an internal investigation by an organization to discover whether its employees, clients, and partners are abiding by its rules or policies.
What innate challenges make cybercrimes difficult for investigators?
*1) Speed:* Technology has increased the speed of cybercrimes, while warrant authorizations take time to be approved. *2) Anonymity:* Cyber criminals are able to masquerade behind the identities of others, making identification difficult. *3) Volatile Nature of Evidence:* Most digital evidence can be easily lost, as it is in the form of volatile data. *4) Evidence Size & Complexity:* The diversity and distributed nature of digital devices results in an increased size and complexity of evidence data. *5) Anti-Digital Forensics (ADF):* Attackers use encryption and other data hiding techniques to hide digital evidence. *6) Differences in Global Laws:* Perpetrators can initiate crimes from any part of the world, whereas the authorities only have jurisdiction over local crimes. Very few cyber laws exist that empower authorities of one jurisdiction to try perpetrators present in another, distant jurisdiction. The lack of such laws helps attackers avert prosecution even when the authorities have strong evidence against them. *7) Limited Legal Understanding:* Many victims are unaware of the laws violated during incidents and fail to defend their claims. Additionally, some prosecutors have insufficient technical knowledge, which may lead to inappropriate dismissals of cases.
What are the 2 types of attacks in a cybercrime?
*Internal/Insider Attacks:* Insider attacks refer to attacks by actors who are inside the organization, i.e., those who have legitimate access to the systems. *External Attacks:* External attacks originate from outside an organization and can be remote in nature.
Which of the following is true regarding computer forensics? A) Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them. B) Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and avoid legal action against them. C) Computer forensics deals with the process of finding evidence related to a crime to find the culprits and initiate legal action against them. D) Computer forensics deals with the process of finding evidence related to a digital crime to find the victims and prevent legal action against them.
A) Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them.
Which of the following is true of cyber crimes? A) Investigators, with a warrant, have the authority to forcibly seize the computing devices. B) Investigators attempt to demonstrate information to the opposite party to support the claims and induce settlement. C) The claimant is responsible for the collection and analysis of the evidence. D) The searching of the devices is based on mutual understanding and provides a wider time frame to hide the evidence.
A) Investigators, with a warrant, have the authority to forcibly seize the computing devices.
Insider attacks are: A) Primary threats B) Secondary threats
A) Primary threats
Which of the following is NOT where potential evidence may be located? A) processor B) digital camera C) thumb drive D) smart card
A) processor
Which of the following is a computer-created source of potential evidence? A) swap file B) steganography C) spreadsheet D) bookmarks
A) swap file
Which of the following is NOT a consideration during a cyber crime investigation? A) value or cost to the victim B) collection of clues and forensic evidence C) presentation of admissible evidence D) analysis of digital evidence
A) value or cost to the victim
What is SOP 1.2?
Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.
What is SOP 1.6?
All activities related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.
What is "Forensic Readiness"?
An organization's ability to make optimal use of digital evidence in a limited period and with minimal investigation costs.
What is "hearsay"?
An out-of-court statement offered to prove the truth of a matter.
Provide an example of an "External Attack".
Any 1 of the following: * SQL attack * brute force cracking * identity theft * phishing/spoofing * denial of service attack * cyber defamation
Provide an example of an "Insider Attack".
Any 1 of the following: * Theft of intellectual property * Espionage * Manipulation of records * Trojan horse implantation
What is SOP 1.7?
Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner.
What is the "Federal Rule of Evidence, Rule 103"?
This rule empowers legal counsel to object to inadmissible evidence. This objection, if granted, prevents a jury from hearing the inadmissible evidence.
T/F: External attacks occur when there are inadequate information-security policies and procedures.
True
T/F: Minimizing the tangible and intangible losses to the organization or an individual is considered an essential computer forensics use.
True