Computer Forensics and Security: Chapter 3: Digital Evidence in the Court Room


The section in the Federal Rules of Evidence 901 (b) (9) titled "Requirement of Authentication or Identification" includes what?

"Evidence describing a process or system used to produce a result and showing the process or system produces an accurate result"

With the advent of photocopiers, scanners, computers, and other technology that can create effectively identical duplicates, copies become acceptable in place of the original, unless what?

"A genuine question is raised as to the authenticity of the original or the accuracy of the copy or under the circumstances it would be unfair to admit the copy in lieu of the original"

The purpose of a court room is to administer justice, and the role of who in this context is to present supporting facts and probabilities?

Digital investigators

Proving that someone distributed materials online is challenging and generally requires multiple data points that enable the court to reconnect the data back to the defendant beyond what?

A reasonable doubt

Who are often pressured, both subtly and overtly, to concentrate on specific areas of inquiry and to reach conclusions that are favorable to a particular party?

Digital investigators

Who may be confronted with a difficult choice of renouncing such truth or facing the consequences of holding an unpopular belief?

Digital investigators

Who should be able to estimate and describe the level of certainty underlying their conclusions to help fact-finders determine what weight to attach?

Digital investigators

____________________ ________________ can also be influenced by the pressures of their peers.

Digital investigators

The most common mistake that prevents digital evidence from being admitted by courts is that it is obtained with authorization. True/False?

False - it is obtained without authorization

In "science," we are trying to identify rules that are universally false. True/False?

False - trying to identify rules that are universally true

The most effective way to counteract preconceived theories is to employ a methodology that compels digital investigators to find flaws in their theories, a practice known as ________________.

Falsification

C6 Level of Certainty

Files containing known child pornography were found on the defendant's computer, on the basis of hash values of the files matching known child pornography and a visual inspection of the file contents.

The case of United States v. Tank is significant because it is one of the first to deal with what?

The authentication of chat logs

The other approach is to examine the actual digital evidence for evidence of tampering and other damage. This is one of the general approaches to assessing whether digital evidence can be relied upon in court. True/False?

True

The source IP address of network traffic may be assigned to a proxy device rather than the actual originating computer, and GPS coordinates on a mobile device or satellite navigation system can be inaccurate. True/False?

True

The system clock on a computer can be incorrect, and date-time stamps can be interpreted incorrectly. True/False?

True

There are two general approaches to assessing whether digital evidence can be relied upon in court. True/False?

True

When describing the level of certainty associated with a particular finding, some digital investigators use an informal system of degrees of likelihood that can be used in both the affirmative and negative sense. What is the system of degrees of likelihood that can be used in both the affirmative and negative sense?

Almost definitely, most probably, probably, very possibly, and possibly

In the past, the majority of legislation in the United States and United Kingdom followed the first approach, instructing courts to evaluate computer-generated records on the basis of the reliability of the system and process that what?

Generated records

In some instances investigators will face what if they feel that a miscarriage of justice has occurred?

An ethical dilemma

Analysis of digital evidence requires interpretation that forms the basis of what?

Any conclusions reached

In 2009, the U.S. 9th Circuit Court recommended stricter controls for forensic analysis of digital evidence, challenging the concept of plain view in the digital dimension and suggesting approaches to reduce the risk of what?

Associated privacy violations

In one case, a suicide note on a computer raised concern because it had a creation date after the victim's death. It transpired that the computer clock was incorrect and the note was actually written when?

Before the suicide

In common law countries, the standard of proof for criminal prosecutions is what, and for civil disputes is what?

Beyond a reasonable doubt; balance of probabilities

To be an effective digital investigator and expert witness, it is necessary to be more self-aware and resistant to self influences like ________________, ________________, and ________________.

Bias, emotion, and greed

Having standard operating procedures, continuing education, and clear policies helps to maintain consistency and prevent what?

Contamination of evidence

In fact, presenting a copy of what is usually more desirable because it eliminates the risk that the original will be accidentally altered?

Digital evidence

After the ___________ ____________ is preserved, it is generally prudent to obtain a warrant to conduct a forensic examination of the digital evidence.

Digital evidence

Although courts have been somewhat lenient in the past on improper handling of evidence, more challenges are being raised relating to evidence handling procedures as more judges and attorneys become familiar with what?

Digital evidence

Have the Fourth Amendment and/or ECPA requirements been met? This is one of four questions that investigators must consider when searching and seizing what?

Digital evidence

In 1997, the UK Law Commission recommended the repeal of Section 69 of PACE (Law Commission, 1997), noting the difficulties in asserting the inability of computer systems, and criticizing Section 69 of PACE because the evidence might be unreliable, and it failed to address the major causes of inaccuracy in what?

Digital evidence

In 2007, a case in Maryland dealt with the admissibility of what specifically and provided general guidelines for reaching a decision?

Digital evidence

In addition to requiring digital investigators to be honest and forthright, courts are concerned with the authenticity of what they present?

Digital evidence

In general, when assessing the reliability of what, it is most effective to focus on the evidence itself rather than the reliability of the process that created it?

Digital evidence

In some cases, the opposing party will attempt to cast doubt on more malleable forms of ___________________ _____________________, such as logs of online chat sessions.

Digital evidence

Members of law enforcement who conducted an investigation to apprehend a defendant may be required to present what objectively in court and may have the duty to identify weaknesses in a prosecution case?

Digital evidence

More courts are likely to acknowledge the distinction between computer-generated and computer-stored records as they become familiar with what and as more refined methods for evaluating the reliability of computer-generated data become available?

Digital evidence

Regarding exigency, a warrantless search can be made for any emergency threatening life and limb or in which what is imminently likely to be altered or destroyed?

Digital evidence

The field of digital forensics does not currently have formal mathematics or statistics to evaluate levels of certainty associated with ______________________ _________________.

Digital evidence

The reliability of what clearly plays a critical role in the authentication process as discussed in more detail later in this chapter?

Digital evidence

There is clearly a need for a more formal and consistent method of referring to the relative certainty of different types of what?

Digital evidence

When there are concerns that what was mishandled and that potentially exculpatory information was destroyed, courts will decide to admit the evidence?

Digital evidence

__________________ ____________________ might not be admitted if it contains hearsay, because the speaker or author of the evidence is not present in court to verify its trustworthiness.

Digital evidence

Documenting the location of bad sectors will help a ______________________ ___________________ determine whether they are allocated files that are important to the case.

Digital investigator

Courts depend on the trustworthiness of ______________ ______________ and their ability to present evidence accurately.

Digital investigators

Generally, in the prosecutorial environment, theories based upon scientific truth are subordinate to legal judgement and who must accept the ruling of the court?

Digital investigators

If a prime suspect emerges as an investigation progresses, who must resist the urge to formally assert that an individual is guilty, even though it is an investigator's duty to champion the truth?

Digital investigators

In one case, who inadvertently booted the evidential computer but were able to satisfy the court that the digital evidence could still be trusted?

Digital investigators

The U.S. Federal Rules of Evidence, the UK Police and Criminal Evidence Act (PACE) and the Civil Evidence Act, and similar rules of evidence in other countries were established to help evaluate what?

Evidence

Because an exact duplicate of most forms of digital evidence can be made, a copy is generally not acceptable. True/False?

False - a copy is generally acceptable

Investigators have to convince a judge or magistrate that, in all probability a crime has not been committed. True/False?

False - a crime has been committed

Other issues that may prevent digital evidence from being admitted by courts are what?

Improper handling and illegal search and seizure

Computers can introduce errors and uncertainty in various ways, including what?

In the time and location of events

_________________ ______________ helps demonstrate that digital evidence has not been altered since it was collected.

Integrity documentation

The level of certainty that digital investigators assign to their findings is influenced by their ___________________ and ______________________.

Knowledge and experience

When technical evidence supporting theories based on scientific truth is presented to a group of reviewers who are not familiar with the methods used, what may occur?

Misunderstandings and misconceptions

Some jurisdictions have rules relating to admissibility that are formal and sometimes inflexible, while other jurisdictions give judges what?

More discretion

In the collection or seizure phase of a digital investigation, having someone on the search team who is trained to handle digital evidence can reduce the number of people who handle evidence, thereby streamlining the what?

Presentation of evidence

Some digital investigators say that the evidence "suggests" that something is in the realm of possibility and then the evidence "indicates" that something is what?

Probable

The magistrate outlined five issues that must be considered when assessing whether digital evidence will be admitted. What are these five issues?

Relevance, authenticity, not hearsay or admissible hearsay, best evidence, not unduly prejudicial

The court process differs from the scientific peer review, where reviewers are qualified to understand and comment on what with credibility?

Relevant facts and methods

To authenticate digital evidence, it may also be necessary to assess its what?

Reliability

In nearly all trials, what kind of evidence is only part of the total picture?

Scientific and technical

______________ ______________ in the United Kingdom and other European countries can be more loosely defined than in the United States.

Search warrants

At the outset of an investigation, there is some form of what?

Suspicion, alert, or accusation

Even when investigators are authorized to search a computer, they must maintain focus on what?

The crime under investigation

The rationale for this approach is that, because records of this type are not the counterpart of a statement by a human declarant, which should ideally be tested by cross-examination of that declarant, they should not be treated as hearsay, but rather their admissibility should be determined on the basis of the reliability and accuracy of the process involved. True/False?

True

When dealing with the contents of a writing, recording, or photograph, courts sometimes require what?

The original evidence

The first approach is to focus on whether the computer that generated the evidence was functioning normally. This is one of the general approaches to assessing whether digital evidence can be relied upon in court. True/False?

True

The main risk of developing full hypotheses before closely examining available evidence is that investigators will impose preconceptions during evidence and analysis, potentially missing or misinterpreting a critical clue simply because it does not match their notion of what occurred. True/False?

True

When a client tells a digital investigator how dishonest the other party is or presents the case in a way that is intended to garner sympathy, the digital investigator must resist any urge to form opinions about the case based on what?

These emotional needs

Although courts evaluate all computer-generated data as business records under the hearsay rule, this approach may be inappropriate when a person was not involved. True/False?

True

Although digital investigators could conceivably assign a C-Value to each piece of evidence they have analyzed, that approach can add confusion rather than clarity. True/False?

True

An e-mail message may be used to prove that an individual made certain statements, but cannot be used to prove the truth of the statements it contains. True/False?

True

Before deciding to take legal action, organizations must consider if they are required to disclose information about their systems that may be sensitive (e.g., network topology, system configuration information, and source code of custom monitoring tools) and other details about their operations that they may not want to make public. True/False?

True

Computer security professionals in the private sector often have to investigate longtime coworkers and cases in all sectors can involve brutal abuse of innocent victims, inciting distraught individuals and communities to strike out at the first available suspect. True/False?

True

Courts generally ask if the recovered evidence is the same as the originally seized data when considering whether digital evidence is admissible. True/False?

True

Courts need to determine whether evidence is "safe" to put before a jury and will provide a solid foundation for making a decision in the case. True/False?

True

Data that depend on humans for their accuracy, such as entries in a database that are derived from information provided by an individual, are ordered under the business record exception if they meet the above description. True/False?

True

Digital investigators must be extremely firm on what conclusions the evidence supports to avoid being swayed by an attorney trying to push the limits on evidence. True/False?

True

Digital investigators must generally accept an attorney's decision not to proceed with a case or not to disclose certain evidence. True/False?

True

Does the Fourth Amendment and/or the Electronic Communications Privacy Act (ECPA) apply to the situation? This is one of four questions that investigators must consider when searching and seizing digital evidence. True/False?

True

Identifying and isolating falsified records in a specific log file or bad sectors on a hard drive enable fact-finders to rely on the remaining reliable data. True/False?

True

In fact computer-generated data may not be considered at all because they do not contain human statements or they do not assert a fact but simply document an act. True/False?

True

In situations where the hash value of digital evidence differs from the original, it may be possible to isolate the altered portions and verify the integrity of the remainder. True/False?

True

Individuals processing evidence must realize that, in addition to being pertinent, evidence must meet certain standards to be admitted. True/False?

True

Investigators have to convince a judge or magistrate that, in all probability evidence of crime is in existence. True/False?

True

Investigators have to convince a judge or magistrate that, in all probability the evidence is likely to exist at the place to be searched. True/False?

True

It is the duty of the digital investigators to present findings in a clear, factual, and objective manner. True/False?

True

It is the human condition to have emotional reactions, harbor prejudices, and be subject to other subtle influences. True/False?

True

On Internet Relay Chat (IRC), for example, in addition to the chat window, there may be important information in other areas of an IRC client such as the status window and private chat or fserve windows. True/False?

True

Some digital investigators use the term likely to express a lower level of certainty than probably, whereas others treat these terms as synonyms. True/False?

True

The Canadian case against Pecciarich provides an interesting example of what may be considered hearsay in the context of online activities. True/False?

True

The Fourth Amendment requires that a search warrant be secured before law enforcement officers can search a person's house, person, papers, and effects. True/False?

True

To demonstrate that digital evidence is authentic, it is generally necessary to satisfy the court that it was acquired from a specific computer and/or location, that a complete and accurate copy of digital evidence was acquired, and that it has remained unchanged since it was collected. True/False?

True

What do investigators need to reenter? This is one of four questions that investigators must consider when searching and seizing digital evidence. True/False?

True

When a large amount of data is missing on a computer and an intruder is suspected, digital investigators should determine if the damage is more consistent with disk corruption than an intrusion. True/False?

True

When digital investigators have a low level of confidence in available digital evidence, they may not be able to reach a conclusion without additional corroboration information. True/False?

True

Generally, a _______________ is required to search and seize evidence.

Warrant

In the United Kingdom, for instance, there are several kinds of warrants (e.g., a specific premises warrant, all-premises warrant, and multiple entry warrant), and they do not have to specify what?

What things will be seized

