Computer Forensics Exam 3 - Chpts 11, 14, 15, 16


What is Voir Dire? What is the purpose of Voir Dire?

* "to see, to say" or "to speak the truth"
* qualification process at beginning of testimony
* during Voir Dire, the expert witness is asked a series of questions by the attorney that hired him
* questions are intended to show the expert witness is qualified to testify
* opposing counsel may also question the expert witness in an attempt to disqualify him

What is required for law enforcement to access Social Media servers? What other challenges may exist in accessing these servers?

* Social Network Analysis (SNA) and other software may be used to collect artifacts/evidence
* a warrant or subpoena is needed to access social media servers
* social media investigations involve multiple jurisdictions that may cross national boundaries
* in cases involving imminent danger, law enforcement can file for emergency requests (under U.S. Patriot Act and other Federal provisions)

Usually a warrant is needed (4th Amendment). Not many tools are available now for investigating social media, and there is also the question of how the information gathered will be used in court. A new warrant may be needed if you discover evidence unrelated to the case, i.e. investigating fraud but finding evidence of corporate espionage.

What suggestions are made to the computer forensic investigator in Chapter 14 for remaining objective?

* avoid personal comments
* base all opinions in reports on knowledge and expertise
* don't use facts that can change, cannot be used, or are not relevant to your expert opinion

Take a step back from the details and synthesize what has and has not been learned about the problem and what the information means. Describe what you actually found, not what you hoped to find. Link your discussion to figures and tables as you present results, and describe and interpret what these supporting materials show.

According to the chapter, what common digital artifacts can be found on Social Media?

* evidence of cyberbullying and witness tampering
* a company or person's position on an issue
* whether intellectual property rights have been violated
* who posted information and when it was posted
* if a suspect researched a victim or other specifics of an alleged crime or incident (i.e. Casey Anthony case)
* videos, pictures, GPS locations, text messages, emails, tweets, and posts

According to Federal Rules of Civil Procedure (FRCP), what must a computer forensic investigator include in a written report?

* expert opinions
* basis for the opinions
* information considered in coming to opinions
* related exhibits
* expert witness Curriculum Vitae

All opinions, the basis for the opinions, and the information considered in coming to those opinions. Also include related exhibits, such as photographs or diagrams, and the witness's curriculum vitae listing all publications he or she contributed to during the preceding 10 years.

How can forensic tools (such as FTK & ProDiscover) help with report creation?

* software tools can generate logs and other reports
* output is text, MS-Word, or HTML format
* reporting from forensic tools is intended to supplement, NOT replace, a formal written report
* forensic tool reporting is typically referenced in the Appendices of a formal written report

The forensic investigator can easily use the report wizard in FTK to generate this report in less time than if he/she had to type the full report out on their own.

List and briefly describe various professional organizations that provide ethical guidance to expert witnesses.

*** see pages 573-575 for descriptions
- International Society of Forensic Computer Examiners (ISFCE)
- International High Technology Crime Investigation Association (HTCIA)
- International Association of Computer Investigative Specialists (IACIS)
- American Bar Association (ABA)
- American Medical Association (AMA)
- American Psychological Association (APA)

Why should an investigator not rely on the return path in an email header? How can you tell if this information has been altered by a suspect?

* the address in the Return Path line may be spoofed (faked)
* to check for spoofing, verify that the server listed in the Return Path and the server listed in Received From Server are the same

What ethical responsibilities are owed to you as the expert witness?

- A fair statement of the case
- Adequate time to review evidence and prepare report
- Reasonable opportunity to examine data, conduct tests, and investigate before rendering an opinion
- Appropriate pay for your services that is NOT contingent on the outcome of the case

List four steps you should take, in the correct order, to handle a deposition in which physical circumstances are uncomfortable.

- Ask the attorney to correct the situation.
- If the situation is not corrected, note these conditions into the record, and repeat noting them as long as the conditions persist.
- After you have noted the problem into the record, you can refuse to continue with the deposition.
- Generally, you should consult with an attorney before taking this step.
- If you think the behavior was serious enough that you can justify refusing to continue, consider reporting the attorney to his/her state bar association.

Explain the inherent conflict between the goals of attorneys and the goals of an expert witness.

- Attorneys seek to win cases for their clients
- Attorneys are to be advocates for their party/client
- Attorneys work in a subjective, adversarial system, in which the most persuasive expert witness is often regarded as the most credible
- Scientists work in objective facts, not persuasive forums

List three obvious ethical errors.

- Don't present false or altered data.
- Don't report work that was not done.
- Don't ignore available contradictory data.
- Don't work beyond your expertise or competence.
- Don't fail to report a possible conflict of interest.
- Don't reach a conclusion before you have done complete research.

What factors can courts use to disqualify you as an expert witness?

- If the attorney informed the expert witness that discussions were confidential
- If the expert witness reviewed confidential materials
- If the attorney asked the expert witness to sign a confidentiality agreement
- If too many discussions were held with attorney over a period of time
- Amount of time involved in attorney discussions
- If the attorney did not formally retain the expert
- If the expert witness performed services for the attorney
- How/when the expert witness was compensated

Describe the ethical guidelines provided by the American Bar Association (ABA).

- Limits fees experts can receive for their services
- States that experts DO NOT owe a duty of loyalty to clients
- Experts should not strive to advocate or persuade the judge and jury toward a certain point of view
- Attorneys cannot falsify evidence or assist a witness in false testimony

What are obvious ethical errors that you should avoid as an expert witness?

- Presenting false or altered data
- Reporting work that was not done
- Ignoring contradictory data
- Working beyond your expertise
- Allowing your opinion to be influenced by the attorney
- Accepting an assignment that cannot be done in allotted timeframe
- Reaching a conclusion without complete research
- Failing to report conflicts of interest

List three sound reasons for offering a different opinion from one you testified to in a previous case.

- Recent developments in technology.
- New tools with new capabilities.
- The facts of the current case being distinguishable from a previous case.

Describe two types of ethical standards.

- Standards that others apply to you or that you're compelled to adhere to by external forces (such as licensing bodies).
- Your own internal rules you use to measure your performance.

List 3 or more factors courts have used in determining whether to disqualify an expert witness

- Whether the attorney informed the expert that their discussions were confidential.
- Whether the expert was asked to sign a confidentiality agreement.
- Whether the expert reviewed materials marked as confidential or attorney work product.
- Number of discussions held over a period of time.
- Whether the attorney formally retained the expert.
- Whether the expert was requested to perform services for the attorney.

What forensic tools are available for email investigations?

- AccessData FTK
- ProDiscover Basic
- FINALeMAIL
- Sawmill-Groupwise
- DBXtract
- Fookes Aid4Mail and MailBag Assistant
- Paraben EMail Examiner
- Ontrack Easy Recovery EmailRepair
- R-Tools R-Mail

Logging options on many email servers can be: a. Disabled by the administrator b. Set up in circular logging configuration c. Configured to a specified size before being overwritten d. All of the above

All of the above

What is a Curriculum Vitae (CV)? What items should a CV contain and not contain?

A CV is an outline of an expert witness's professional history, including education, training, work, publications, and other cases in which the expert witness has been involved.
* Contain: any item that helps to establish your qualifications as an expert witness, education experience, professional associations, and any past investigations & testimony
* Should be updated every 3 months
* CV should NOT be specific to a particular trial or case

What is circular logging? How can this information affect email investigations?

Circular logging is a method of conserving hard disk space in the Microsoft Exchange transactional logging process. It works by overwriting individual log files to keep the transactional log (the set of all log files) from expanding without limit on the hard disk. When circular logging is enabled, the transactional log can only grow to one megabyte (1 MB) in size. After that limit has been reached, the first log file is overwritten automatically to keep the transactional log database from growing any larger. The term "circular" arises from the fact that the set of log files starts to "rotate" once the disk space limit is reached, something like a LIFO (last-in, first-out) queue. Circular logging is commonly used with Exchange native data protection because, in that mode, backups are not made so a detailed transactional log is not necessary.

What are ethics and how do they differ from law?

* Ethics - rules internalized by a person that are used to measure that person's performance
* Laws - standards that licensing bodies (i.e. courts) apply to individuals. Individuals in a society are compelled to follow standards under threat of sanctions or punishment
* Ethics are internal to an individual; laws are external to an individual

All expert witnesses must be members of associations that license them. True or False?

False

Codes of professional conduct or responsibility set the highest standards for professionals' expected performance. True or False?

False

Ethical obligations are duties that you owe only to others. True or False?

False

To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations. True or False?

False

Why should a computer forensic investigator not include a checklist of procedures in his/her written report or testimony?

Formal checklists should not be used during an investigation nor referred to in reports or testimony. Opposing attorneys can use formal checklists to disqualify an expert witness if any procedure deviated from the checklist.

List three organizations that have a code of ethics or conduct.

ISFCE, IACIS, AMA, APA, ABA

Can emails ever be completely "deleted?" Why or why not?

In almost all email programs and web interfaces, deleting an email message doesn't actually delete it. Instead, the message is simply moved to a special folder - typically called "trash" or "deleted items". What happens next depends on the specific program or service. But even deleted files can be recovered in computer forensics.
* a copy of deleted emails is maintained on the email server
* an email is perpetuated (copied) from one email server to the next, until it reaches its final recipient (i.e. one email may exist on multiple private email servers and/or ISP email servers)

What are the two main environments in which emails are sent/received?

* Internet (public)
* Controlled - private corporation Intranet

Differentiate among the following types of witnesses: Lay, Technical/Scientific, and Expert.

* Lay witness - person whose testimony relies on personal observation only; not considered to be an expert in any particular field
* Technical/scientific witness - person who testifies using only the FACTS related to an investigation; NO expert opinion is given
* Expert witness - person who may give opinions during testimony; expert opinions are based on experience and facts gathered during the investigation

Describe an unethical technique opposing counsel might use to make a deposition difficult for you.

Opposing counsel might attempt to make discovery depositions physically uncomfortable. Other tactics include the attorney who has set the deposition neglecting to have payment ready for you.

What is Disqualification? What tactics can opposing counsel use to disqualify you as an expert witness?

Process by which an expert witness is excluded from testifying.
Opposing attorneys can attempt to disqualify an expert witness by:
- Showing a deviation in opinion by the expert witness
- Conflicting Out - by contacting the expert witness before testimony
- Showing a conflict of interest between the expert witness and other parties in the case

Discuss the pros and cons of using non-standard forensics tools.

Pros
- Non-standard tools may be superior for a particular type of analysis (i.e., run faster, display results in friendlier format)

Cons
- Non-standard tools must still be tested and validated for accuracy
- If court deems a non-standard tool as unreliable, any evidence recovered using the tool is inadmissible
- Borrowing code or features from other tools may be a copyright violation and therefore against the law

What information is contained in an email header?

* Return path
* recipient's email address
* type of sending email service
* IP address of sending server
* name of the email server
* unique message number
* date and time the email was sent
* attachment file information (if any)

The email header is a code snippet in an HTML email that contains information about the sender, recipient, email's route to get to the inbox and various authentication details. p. 429

What is destroying a report before the final resolution of a case called?

Spoliation

What is a deposition bank? Why are they used?

Store examples of expert witnesses' testimony, used by attorneys on either side to discover contrary positions that an expert witness may have taken in the past (libraries of previously given testimony that law firms can access to review transcripts of previous testimony by their own potential experts, to ensure that the experts haven't previously testified to a contrary position, and to review transcripts of the opposing party's expert witnesses).

Define the term "opinion shopping."

Tactic used by attorneys to find an Expert Witness who will help the attorney win the case. Expert witnesses should always testify to the facts in a case and remain neutral to the outcome of the case. An Expert Witness who becomes biased over a case risks being discredited (at best) or losing his/her job.

What is Conflicting Out? How can a forensic investigator avoid this?

Tactic used by opposing attorneys to disqualify an expert witness by discussing the case with the expert witness. The opposing attorney claims that the discussion has led to a conflict of interest. Expert witnesses should avoid this tactic by avoiding any and all conversations with opposing attorneys.

All email headers contain the same types of information. True or False?

True

If you were a lay witness at a previous trial, you shouldn't list that case in your written report. True or False?

True

In the United States, no state or national licensing body specifically licenses computer forensics examiners. True or False?

True

Internet e-mail accessed with a Web browser leaves files in temporary folders. True or False?

True

Voir dire is the process of qualifying a witness as an expert. True or False?

True

You can view e-mail headers in Notepad with all popular e-mail clients. True or False?

True

What is the educational level of a typical juror in the U.S.?

* typical juror averages 12 years of education and reads on an 8th grade level
* must speak in "layperson's" language and avoid technical jargon
* define technical words if they must be used
* use analogies that a layperson would understand

What is a major advantage of automated forensics tools in report writing?

You can incorporate the log files and reports these tools generate into your written reports. Generally, these generated files are in a format that's easy to incorporate into an electronic document.

What is an Examination Plan? What should and should not be included in an Examination Plan?

A document that serves as a guideline for knowing what questions to expect when you're testifying; typically a verbal report.

Includes:
* example questions that an attorney may ask
* definitions of forensic terms and functions
* substantive information the attorney may have omitted

DON'T include:
* answers to questions
* anything that could be construed as "coaching" by your attorney

In Microsoft Outlook, what are the email storage files typically found on a client computer? a. .pst & .ost b. res1.log & res2.log c. PU020102.db d. .evolution

a. .pst and .ost

What Unicode value is used to identify the Latin alphabet? a. 0x00 b. 0xF8 c. 0xAB d. 0x01

a. 0x00

When cases go to trial, you as a forensics examiner can play one of ____ roles. a. 2 b. 3 c. 4 d. 5

a. 2

Which of the following options would represent a valid retainer? a. 2 to 8 hours of your usual billable rate b. a verbal agreement c. complete discussion of an ongoing case d. dissemination of evidence

a. 2 to 8 hours of your usual billable rate

FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful. a. 702 b. 703 c. 704 d. 705

a. 702

Your curriculum vitae is which of the following? (Choose all that apply) a. A necessary tool to be an expert witness b. A generally required document to be made available before your testimony c. A detailed record of your experience, education, and training d. Focused on your skills as they apply to the current case

a. A necessary tool to be an expert witness b. A generally required document to be made available before your testimony c. A detailed record of your experience, education, and training

What information is not in an e-mail header? a. blind copy addresses b. internet addresses c. domain name d. contents of the message e. type of e-mail server used to send the e-mail

a. Blind copy (Bcc) addresses d. Contents of the message

Before testifying, you should do which of the following? (Choose all that apply) a. Create an examination plan with your attorney. b. Make sure you've been paid for your services and the estimated fee for the deposition or trial. c. Get a haircut d. Type all the draft notes you took during your investigation

a. Create an examination plan with your attorney. b. Make sure you've been paid for your services and the estimated fee for the deposition or trial.

When searching a victim's computer for a crime committed with a specific email, what provides information for determining the email's originator? (Choose all that apply) a. E-mail header b. username and password c. Firewall log d. All of the above

a. E-mail header c. Firewall log

Which of the following rules or laws requires an expert to prepare and submit a report? a. FRCP 26 b. FRE 801 c. Neither d. Both

a. FRCP 26

An expert's opinion is governed by ________________ and the corresponding rule in many states. a. FRE, Rule 705 b. FRE, Rule 507 c. FRCP 26 d. FRCP 62

a. FRE, Rule 705

What should you do if you realize you have made a mistake or misstatement during a deposition? (Choose all that apply) a. If the deposition is still in session, refer back to the error and correct it. b. Decide whether the error is minor, and if so, ignore it c. If the deposition is over, make the correction on the corrections page of the copy provided for your signature d. Call the opposing attorney and inform him of your mistake or misstatement e. Request an opportunity to make the correction at trial.

a. If the deposition is still in session, refer back to the error and correct it. c. If the deposition is over, make the correction on the corrections page of the copy provided for your signature

Externally enforced ethical rules, with sanctions that can restrict a professional's practice, are more accurately described as which of the following? a. Laws b. Objectives c. A higher calling d. All of the above

a. Laws

During your cross-examination, you should do which of the following? (Choose all that apply) a. Maintain eye contact with the jury b. Pay close attention to what your attorney is objecting to. c. Help the attorneys, judge, and jury in understanding the case, even if you have to go a bit beyond the scope of your expertise d. Pay close attention to opposing counsel's questions. e. Answer opposing counsel's questions as briefly as is practical

a. Maintain eye contact with the jury b. Pay close attention to what your attorney is objecting to. d. Pay close attention to opposing counsel's questions. e. Answer opposing counsel's questions as briefly as is practical

When using graphics while testifying, which of the following guidelines applies? (Choose all that apply) a. Make sure the jury can see your graphics b. Practice using charts for courtroom testimony c. Your exhibits must be clear and easy to understand d. Make sure you have plenty of extra graphics, in case you have to explain more complex supporting issues.

a. Make sure the jury can see your graphics b. Practice using charts for courtroom testimony c. Your exhibits must be clear and easy to understand

Which of the following describes fact testimony? a. Scientific or technical testimony describing information recovered during an examination b. Testimony by law enforcement officers c. Testimony based on observations by lay witnesses d. None of the above

a. Scientific or technical testimony describing information recovered during an examination

__________________ means the tone of language you use to address the reader. a. Style b. Format c. Outline d. Prose

a. Style

Which of the following describes expert witness testimony? (Choose all that apply.) a. Testimony designed to assist the jury in determining matters beyond the ordinary person's scope of knowledge b. Testimony that defines issues of the case for determination by the jury c. Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience. d. Testimony designed to raise doubt about facts or witnesses' credibility

a. Testimony designed to assist the jury in determining matters beyond the ordinary person's scope of knowledge c. Testimony resulting in the expression of an opinion by a witness with scientific, technical, or other professional knowledge or experience.

E-mail headers contain which of the following information? (Choose all that apply.) a. The sender and receiver email addresses b. An Enhanced Simple Mail Transfer Protocol (ESMTP) or reference number c. The email servers the message traveled through to reach its destination d. The IP address of the receiving server e. All of the above

a. The sender and receiver email addresses b. An Enhanced Simple Mail Transfer Protocol (ESMTP) or reference number c. The email servers the message traveled through to reach its destination

For what purpose have hypothetical questions traditionally been used in litigation? a. To frame the factual context of rendering an expert witness's opinion. b. To define the case issues for the finder of fact to determine. c. To stimulate discussion between the consulting expert and the expert witness d. To deter witness from expanding the scope of his or her investigation beyond the case requirements. e. All of the above

a. To frame the factual context of rendering an expert witness's opinion.

Discuss any potential problems with your attorney ____ a deposition. a. before b. after c. during d. during direct examination at

a. before

A consultant who doesn't testify can earn a ____________________ for locating testifying experts or investigative leads. a. contingency fee b. retainer c. stake in a case d. reprimand

a. contingency fee

You provide ____ testimony when you answer questions from the attorney who hired you. a. direct b. cross c. examination d. rebuttal

a. direct

Validate your tools and verify your evidence with ____ to ensure its integrity. a. hashing algorithms b. watermarks c. steganography d. digital certificates

a. hashing algorithms

What do the last 8 bits of a Unicode value represent? a. language identification b. character hexadecimal values c. file type identification d. font selection

a. language identification

In a UNIX-like system, which file specifies where to save different types of email log files? a. maillog b. /va/spool/log c. syslog.conf d. log

a. maillog

____ from both plaintiff and defense is an optional phase of the trial. Generally, it's allowed to cover an issue raised during cross-examination. a. rebuttal b. plaintiff c. closing arguments d. opening statements

a. rebuttal

Sendmail uses which file for instructions on processing an e-mail message? a. sendmail.cf b. syslogd.conf c. mese.ese d. mapi.log

a. sendmail.cf

When you give ____ testimony, you present this evidence and explain what it is and how it was obtained. a. technical/scientific b. expert c. lay witness d. deposition

a. technical/scientific

As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers. a. true b. false

a. true

As an expert witness, you have opinions about what you have found or observed. a. true b. false

a. true

Experts should be paid in full for all previous work and for the anticipated time required for testimony. a. true b. false

a. true

In the United States, there's no state or national licensing body for computer forensics examiners. a. true b. false

a. true

Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise. a. true b. false

a. true

People need ethics to help maintain their balance, especially in difficult and contentious situations. a. true b. false

a. true

When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be flagged __________. a. yellow b. green c. red d. orange

a. yellow

What is the typical structure of an investigation report?

* abstract
* table of contents
* body of report
* conclusion
* references
* glossary
* acknowledgements
* appendixes

What can be included in report appendixes?

additional resource material not included in the text, raw data, figures not used in the body of the report, and anticipated exhibits

Why should draft or preliminary reports not be created?

* anything written down is subject to discovery from the opposing attorney
* discovery allows one party to force the other parties to produce requested documents or other physical evidence
* opposing counsel could demand copies of your preliminary reports as part of the discovery process
* any discrepancies between the preliminary reports and the final copies could be used to discredit the expert witness

If your CV (curriculum vitae) is more than ____ months old, you probably need to update it to reflect new cases and additional training. a. 2 b. 3 c. 4 d. 5

b. 3

Currently, expert witnesses testify in more than __ percent of trials. a. 55 b. 80 c. 92 d. 78

b. 80

When working for a prosecutor, what should you do if the evidence you found appears to be exculpatory and isn't being released to the defense? a. Keep the information on file for later review b. Bring the information to the attention of the prosecutor, then his or her supervisor and finally to the judge (the court) c. Destroy the evidence d. Give the evidence to the defense attorney

b. Bring the information to the attention of the prosecutor, then his or her supervisor and finally to the judge (the court)

For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you're constantly enhancing your skills through training, teaching, and experience. a. testimony b. CV (curriculum vitae) c. examination plan d. deposition

b. CV (curriculum vitae)

Which of the following is a current formatting standard for e-mail? a. SMTP b. MIME c. Outlook d. HTML

b. MIME

What's the main piece of information you look for in an email message you're investigating? a. Sender's or receiver's e-mail address b. Originating email domain or IP address c. Subject line content d. Message Number e. All of the above

b. Originating email domain or IP address

The most reliable way to ensure that jurors recall testimony is to do which of the following? a. Present evidence using oral testimony supported by hand gestures and facial expressions b. Present evidence combining oral testimony and graphics that support the testimony c. Wear bright-colored clothing to attract juror's attention d. Emphasize your points with humorous anecdotes e. Memorize your testimony carefully

b. Present evidence combining oral testimony and graphics that support the testimony

When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do? a. search available log files for any forwarded messages b. restore the e-mail server from a backup c. check the current database files for an existing copy of the e-mail d. after it's deleted, the file can no longer be recovered.

b. Restore the e-mail server from a backup

The report generator in ProDiscover defaults to ______________________, which can be opened by most word processors. a. HyperText Markup Language (HTML) b. Rich Text Format (RTF) c. Extensible Markup Language (XML) d. Microsoft Word document format

b. Rich Text Format (RTF)

What expressions are acceptable to use in testimony to respond to a question for which you have no answer? (Choose all that apply) a. No Comment b. That's beyond the scope of my expertise c. I don't want to answer that question d. I was not requested to investigate that e. That is beyond the scope of my investigation

b. That's beyond the scope of my expertise d. I was not requested to investigate that e. That is beyond the scope of my investigation

In answering a question about the size of a hard drive, which of the following responses is appropriate? (Choose all that apply.) a. It's a very large hard drive b. The technical data sheet indicates it's a 3 terabyte hard drive. c. It's a 3 terabyte hard drive configured with 2.78 terabytes of accessible storage. d. I was unable to determine the drive size because it was so badly damaged

b. The technical data sheet indicates it's a 3 terabyte hard drive. c. It's a 3 terabyte hard drive configured with 2.78 terabytes of accessible storage. d. I was unable to determine the drive size because it was so badly damaged

In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous contact with an opposing party? a. Tidemann v. Toshiba Corp b. Wang Laboratories, Inc v. Toshiba Corp c. Tidemann v. Nadler Golf Car Sales, Inc d. Hewlett-Packard v. EMC Corp

b. Wang Laboratories, Inc v. Toshiba Corp

At trial as a fact or expert witness, what must you always remember about your testimony? a. You're responsible for the outcome of the case b. Your duty is to report your technical or scientific findings or render an honest opinion c. Avoid mentioning how much you were paid for your services d. All of the above

b. Your duty is to report your technical or scientific findings or render an honest opinion

If a report is long and complex, you should include a(n) _____________. a. appendix b. abstract c. glossary d. table of contents

b. abstract

Which of the following is an example of a written report? a. A search warrant b. An affidavit c. Voir dire d. All of the above

b. an affidavit

The ________________ section of a report starts by referring to the report's purpose, states the main points, draws conclusions, and possibly renders an opinion. a. body b. conclusion c. appendix d. reference

b. conclusion

Before allowing an attorney to describe any case details, determine who the parties are to reduce the possibility of a _______________. a. collaboration b. conflict c. mistrial d. contradiction

b. conflict

The ____ is the most important part of testimony at a trial. a. cross-examination b. direct examination c. rebuttal d. motions in limine

b. direct examination

There are two types of depositions: ____ and testimony preservation. a. examination b. discovery c. direct d. rebuttal

b. discovery

An ___________________ is a document that serves as a guideline for knowing what questions to expect when you're testifying. a. testimony procedure b. examination plan c. planned questionnaire d. testimony excerpt

b. examination plan

Automated tools help you collect and report evidence, but you're responsible for doing which of the following? a. Explaining your formatting choices, b. Explaining the significance of the evidence, c. Explaining in detail how the software works, d. All of the above

b. explaining the significance of the evidence

Expert opinions cannot be presented without stating the underlying factual basis. a. true b. false

b. false

Like a job resume, your CV (curriculum vitae) should be geared for a specific trial. a. true b. false

b. false

The American Bar Association (ABA) is a licensing body. a. true b. false

b. false

You should create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your report. a. true b. false

b. false

____ questions can give you the factual structure to support and defend your opinion. a. rapid-fire b. hypothetical c. setup d. compound

b. hypothetical

People who fear having their ______________ acts revealed feel as though they must protest the ________________ acts of others being revealed. a. legal b. improper c. secret d. public

b. improper

Phishing does which of the following? a. Uses DNS poisoning b. Lures users with false promises c. Takes people to fake Web sites d. uses DHCP

b. lures users with false promises

Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony. a. setup b. open-ended c. compound d. rapid-fire

b. open-ended

The purpose of requesting the ________________ is to deter attorneys from communicating with you solely for the purpose of disqualifying you. a. case b. retainer c. juror list d. evidence

b. retainer

If a preliminary report is written, destroying the preliminary report after the final report is complete could be considered ______________. a. proper data security b. spoliation c. beneficial d. necessary

b. spoliation

How you format _____________ is less important than being consistent in applying formatting. a. words b. text c. paragraphs d. sections

b. text

Lawyers may request _________________ of previous testimony by their own potential experts to ensure that the experts haven't previously testified to a contrary position. a. warrants b. transcripts c. subpoenas d. evidence

b. transcripts

Which of the following types of files can provide useful information when you're examining an e-mail server? a. .dbf files b. .emx files c. .log files d. .slf files

c. .log files

How many words should be in the abstract of a report? a. 50 to 100 words b. 100 to 150 words c. 150 to 299 words d. 200 to 250 words

c. 150 to 299 words

On NTFS drives, Unicode values are how many bits in length? a. 8 bits b. 32 bits c. 16 bits d. 64 bits

c. 16 bits

To trace an IP address in an email header, what type of lookup service can you use? (Choose all that apply) a. Intelius Inc.'s AnyWho online directory b. Verizon superpages.com c. A Domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net d. Any web search engine

c. A Domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net d. Any Web search engine

What is the motion in limine? a. A motion to discuss the case b. The movement of molecules in a random fashion c. A pretrial motion for the purpose of excluding certain evidence d. A pretrial motion to revise the case schedule

c. A pretrial motion for the purpose of excluding certain evidence

When you access your email, what type of computer architecture are you using? a. mainframe and minicomputers b. Domain c. Client/server d. None of the above.

c. Client/server

_______________ is the process of opposing attorneys seeking information from each other. a. Subpoena b. Warranting c. Discovery d. Digging

c. Discovery

What kind of information do fact witnesses provide during testimony? (Choose all that apply) a. Their professional opinion on the significance of evidence b. Definitions of issues to be determined by the founder of the fact c. Facts only d. Observations of the results of tests they performed.

c. Facts only d. Observations of the results of tests they performed.

The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery; the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in which it belongs", was established in what court case? a. Daubert v. Merrell Dow Pharmaceuticals, Inc b. Smith v. United States c. Frye v. United States d. Dillon v. United States

c. Frye v. United States

What purpose does making your own recording during a deposition serve? a. It shows the court reporter that you do not trust him or her b. It assists you with reviewing the transcript of the deposition c. It allows you to review your testimony with your attorney during breaks. d. It prevents opposing counsel from intimidating you.

c. It allows you to review your testimony with your attorney during breaks.

The term "via Frontend Transport" in a header indicates that the e-mail is on which of the following? a. UNIX server b. Older NetWare server c. Microsoft Exchange server d. Mac server

c. Microsoft Exchange server

Which of the following is the standard format for reports filed electronically in federal courts? a. Word b. Excel c. PDF d. HTML e. any of the above

c. PDF

Router logs can be used to verify what types of email data? a. Message content b. content of attached files c. tracking flows through e-mail server ports d. finding blind copies

c. Tracking flows through email server ports

If you're giving an answer that you think your attorney should follow up on, what should you do? a. Change the tone of your voice b. Argue with the attorney who asked the question c. Use an agreed-on expression to alert the attorney to follow up on the question d. Try to include as much information in your answer as you can.

c. Use an agreed-on expression to alert the attorney to follow up on the question

Contingency fees can be used to compensate an expert under which circumstances? a. When the expert is too expensive to compensate at the hourly rate b. When the expert is willing to accept a contingency fee arrangement c. When the expert is acting only as a consultant, not a witness d. All of the above

c. When the expert is acting only as a consultant, not a witness

What are some risks of using tools you have created yourself? a. The tool might not perform reliably b. The judge might be suspicious of the validity of the results c. You might have to share the tool's source code with opposing counsel for review d. The tool doesn't generate the reports in a standard format

c. You might have to share the tool's source code with opposing counsel for review

What are the first 8 bits of a Unicode value used for? a. file type identification b. font selection c. character hexadecimal values d. language identification

c. character hexadecimal values

Sometimes opposing attorneys ask several questions inside one question; this practice is called a ____ question. a. leading b. hypothetical c. compound d. rapid-fire

c. compound

A report using the _________________ system divides material into sections and restarts numbering with each main section. a. numerically ordered b. hierarchical c. decimal numbering d. number formatted

c. decimal numbering

Attorneys search ____ for information on expert witnesses. a. cross-examination banks b. examination banks c. deposition banks d. disqualification banks

c. deposition banks

The _________________ numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report, and each Arabic numeral is an important piece of supporting information. a. decimal b. ordered-sequential c. legal-sequential d. reverse-order

c. legal-sequential

When writing a report, group related ideas and sentences into ___________________. a. chapters b. sections c. paragraphs d. separate reports

c. paragraphs

The most important laws applying to attorneys and witnesses are the ____. a. professional ethics b. rules of ethics c. rules of evidence d. professional codes of conduct

c. rules of evidence

Leading questions such as "Isn't it true that forensics experts always destroy their handwritten notes?" are referred to as ____ questions. a. hypothetical b. attorney c. setup d. nested

c. setup

Regarding a trial, the term ____ means rejecting potential jurors. a. voir dire b. rebuttal c. strikes d. venireman

c. strikes

In addition to opinions and exhibits, the ______________ must specify fees paid for the expert's services and list all other civil or criminal cases in which the expert has testified. a. verbal report b. informal report c. written report d. preliminary report

c. written report

Which environment makes emails easier to trace and why?

corporate because accounts use standard names the administrator establishes

Jurors typically average just over ____ years of education and an eighth-grade reading level. a. 9 b. 10 c. 11 d. 12

d. 12

If a microphone is present during your testimony, place it ____ to eight inches from you. a. 3 b. 4 c. 5 d. 6

d. 6

FRE ____ describes whether basis for the testimony is adequate. a. 700 b. 701 c. 702 d. 703

d. 703

The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients. a. HTCIA b. IACIS c. ISFCE d. ABA

d. ABA

____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities. a. AMA's law b. ABA's model rule c. ABA's model codes d. APA's ethics code

d. APA's ethics code

Which of the following statements about the legal-sequential numbering system in report writing is true? a. It's favored because it's easy to organize and understand. b. It's most effective for shorter reports. c. It doesn't indicate the relative importance of information. d. It's required for reports submitted in federal court.

d. It doesn't indicate the relative importance of information.

When you begin a conversation with an attorney about a specific case, what should you do? (Choose all that apply) a. Ask to meet with the attorney b. Answer his or her questions in as much detail as possible c. Ask who the parties in the case are d. Refuse to discuss details until a retainer agreement is returned

d. Refuse to discuss details until a retainer agreement is returned

Which type of report typically takes place in an attorney's office? a. Examination Plan b. Written Report c. Preliminary Report d. Verbal Report

d. Verbal Report

As with any research paper, write the ___________________ last. a. appendix b. body c. acknowledgements d. abstract

d. abstract

An expert witness can give an opinion in which of the following situations? a. The opinion, inferences, or conclusions depend on special knowledge, skills, or training not within the ordinary experience of laypeople. b. The witness is shown to be qualified as a true expert in the field. c. The witness testifies to a reasonable degree of certainty (probability) about his or her opinion, inferences, or conclusion. d. All of the above

d. all of the above

___ is an attempt by opposing attorneys to prevent you from serving on an important case. a. conflict of interest b. warrant c. deposition d. conflicting out

d. conflicting out

When writing a report, what's the most important aspect of formatting? a. a neat appearance b. size of the font c. clear use of symbols and abbreviations d. consistency

d. consistency

A ____ differs from a trial testimony because there is no jury or judge. a. rebuttal b. plaintiff c. civil case d. deposition

d. deposition

____ evidence is evidence that exonerates or diminishes the defendant's liability. a. rebuttal b. plaintiff c. inculpatory d. exculpatory

d. exculpatory

Computer forensics examiners have two roles: fact witness and ____ witness. a. professional b. direct c. discovery d. expert

d. expert

____ is a written list of objections to certain testimony or exhibits. a. defendant b. empanelling the jury c. plaintiff d. motion in limine

d. motion in limine

When converting plain text to hexadecimal for use with ProDiscover, you need to place ??? between each character's hexadecimal values. a. space (A0) values b. blank (00) values c. null (FF) values d. null (00) values

d. null (00) values

What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in coming to those opinions? a. rule 24 b. rule 35 c. rule 36 d. rule 26

d. rule 26

What is a Deposition? How does a Deposition differ from a Trial?

A deposition is a formal examination in which the expert witness is questioned under oath. No judge or jury is present at a deposition. A trial would include all parties present at a deposition, plus the addition of a judge and jury.

What is Spoliation? How does Spoliation relate to written reports?

destroying, altering, hiding, or failing to preserve evidence, whether it's intentional or a result of negligence. Destroying a draft or preliminary version of a report could be considered spoliation and could subject the attorney or expert witness to evidentiary sanctions.

What is the difference between Direct and Cross Examination?

Direct examination: when an expert witness is asked questions by the attorney who hired him. Cross examination: when an expert witness is asked questions by the opposing attorney.

List two types of depositions.

Discovery deposition: part of the Discovery process. The opposing attorney asks both direct and cross examination questions as the testimony is video-taped or a written transcript is made. Testimony preservation deposition: held at the request of the attorney who hired the expert witness. It is usually held to preserve the expert witness' testimony in the event of schedule conflicts or health problems. It is also recorded by video or written transcript.

An expert's opinion is governed by FRCP, Rule 26, and the corresponding rule in many states. True or False?

false

Expert witnesses are not required to submit a written report for civil cases. True or False?

false

Specially trained system and network administrators are often a CSP's first responders. True or False?

true

Technical terms, if included in a report, should be defined in an ordinary language such that lawyers, judges, and jurors can understand them. True or False?

true

What Internet resources can be used to trace IP addresses?

www.arin.net, www.internic.com, www.freeality.com, www.google.com

