Forensics
For Windows XP, 2000, and NT servers and workstations, RAID 0 or ____ is available.
1
The EMR from a computer monitor can be picked up as far away as ____ mile.
1/2
What are the four levels of certification offered by HTCN?
1) Certified Computer Crime Investigator (Basic) 2) Certified Computer Crime Investigator (Advanced) 3) Certified Computer Forensic Technician (Basic) 4) Certified Computer Forensic Technician (Advanced)
IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer forensics
3
Computing components are designed to last 18 to ____ months in normal business operations
36
Image files can be reduced by as much as ____% of the original when using lossless compression.
50%
When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to avoid damage to the drive from overheating.
80
What are the advantages and disadvantages of using Windows acquisition tools?
Advantages: make acquiring evidence from a suspect drive more convenient, especially when used with hot-swappable devices. Disadvantages: must protect acquired data with a well-tested write-blocking hardware device; tools can't acquire data from a disk's host protected area.
In the Pacific Northwest, ____ meets to discuss problems that digital forensics examiners encounter.
CTIN
What HTCN certification level requires candidates to have three years of experience in computing investigations for law enforcement or corporate cases?
Certified Computer Forensic Technician, Basic
____ records are data the system maintains, such as system log files and proxy server logs.
Computer-generated
In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation.
Criminal
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
Data recovery
The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.
Digital Investigation
A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.
Disaster Recovery Plan
Older Microsoft disk compression tools, such as DoubleSpace or ____, eliminate only slack disk space between files.
DriveSpace
Certain files, such as the ____ and Security log in Windows XP, might lose essential network activity records if the power is terminated without a proper shutdown.
Event Log
It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant. (prosecution / reports / exhibits / litigation)
Exhibits
ISPs can investigate computer abuse committed by their customers.
FALSE
Computer investigations and forensics fall into the same category: public investigations.
False
For daily work production, several examiners can work together in a large open area, as long as they all have different levels of authority and access needs.
False
Maintaining credibility means you must form and sustain unbiased opinions of your cases.
False
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file.
False
____ often work as part of a team to secure an organization's computers and networks.
Forensics Investigator
Explain the use of hash algorithms to verify the integrity of lossless compressed data.
A hash value is computed before and after an investigation. The purpose of hashing is to ensure that data was not lost or changed during the investigation. If the hash values are the same before and after, the data has not been altered.
Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____.
Hearsay
Illustrate with an example the problems caused by commingled data.
Suppose someone kept files pertaining to the sale of illicit goods next to the company's new drone design plans. The design plans are now commingled with contraband, so you must report the crime to the police, as many states' laws require.
Describe how to use a journal when processing a major incident or crime scene.
Keep a journal to document your activities. Include the date and time you arrive on the scene, the people you encounter, and notes on every important task you perform. Update the journal as you process the scene. With mobile devices, you can easily record a log of what you're doing; just be sure to check who has access to your mobile device.
Discuss the use of a laptop PC as a forensic workstation.
Laptops are good for investigations because they can be brought to crime scenes to retrieve evidence. Laptops are still limited in what they can do because of the size of their processor. The better the processor, the quicker
Autopsy uses ____ to validate an image.
MD5
Illustrate a proper way of disposing of materials in your computer investigation lab.
Maintain two separate trash containers, one to store items unrelated to an investigation, such as discarded CDs or magnetic tapes, and the other for sensitive material that requires special handling to ensure that it's destroyed. Using separate trash containers maintains the integrity of criminal investigation processes and protects trade secrets and attorney-client privileged communications in a private corporation. Several commercially bonded firms specialize in disposing of sensitive materials. Your lab should have access to these services to maintain the integrity of your investigations.
The ____ command displays pages from the online help manual for information on Linux commands and their options.
Man
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System
NTFS
Floors and carpets on your computer forensic lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.
Once
Briefly describe the main characteristics of private investigations.
Private or corporate investigations deal with private companies, non-law-enforcement government agencies, and lawyers. These private organizations aren't governed directly by criminal law or Fourth Amendment issues, but by internal policies that define expected employee behavior and conduct in the workplace. Private corporate investigations also involve litigation disputes. Although private investigations are usually conducted in civil cases, a civil case can escalate into a criminal case, and a criminal case can be reduced to a civil case. If you follow good forensics procedures, the evidence found in your investigations can easily make the transition between civil and criminal cases.
In ____, two or more disk drives become one large volume, so the computer views the disks as a single disk.
RAID 0
Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer.
Silver-Platter
What are the duties of a lab manager?
The lab manager sets up processes for managing cases and also reviews cases. They also plan updates for the lab. The lab manager is also in charge of promoting quality assurance for the lab, such as defining specific steps to follow when cases are received.
A forensics analysis of a 6 TB disk, for example, can take several days or weeks.
True
A judge can exclude evidence obtained from a poorly worded warrant.
True
A separate manual validation is recommended for all raw acquisitions at the time of analysis.
True
Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are:
True
After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.
True
By the 1970s, electronic crimes were increasing, especially in the financial sector
True
By using marketing to attract new customers or clients, you can justify future budgets for the lab's operation and staff.
True
FTK Imager requires that you use a device such as a USB dongle for licensing.
True
If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is not available.
True
In Autopsy and many other forensics tools raw format image files don't contain metadata.
True
Maintaining credibility means you must form and sustain unbiased opinions of your cases.
True
The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.
True
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file.
True
There's no simple method for getting an image of a RAID server's disks.
True
a separate manual validation is recommended for all raw acquisitions at the time of analysis
True
Briefly describe the triad that makes up computer security
1) Vulnerability assessment and risk management 2) Network intrusion detection and incident response 3) Computer investigations
Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.
Warrant
What questions should an investigator ask to determine whether a computer crime was committed
What was the tool used to commit the crime? Was it a simple trespass? Was it a theft, a burglary, or vandalism?
During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system
Windows
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.
affidavit
In the ____, you justify acquiring newer and better resources to investigate digital forensics cases.
business case
Confidential business data included with the criminal evidence are referred to as ____ data.
commingled
In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery.
configuration management
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.
sparse
A ____ is where you conduct your investigations, store evidence, and do most of your work.
digital forensics lab
A(n) ____ is a person using a computer to perform routine tasks other than systems administration.
end user
Plain view doctrine
exception to the Fourth Amendment's warrant requirement that allows an officer to seize evidence and contraband that are found in plain view
If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available.
false
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
false
One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search.
forums and blogs
Authorized requester
The person who can request an investigation, such as the chief security officer or chief intelligence officer.
Most digital investigations in the private sector involve ____.
misuse of digital assets
Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes.
much easier than
____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.
probable cause
Evidence is commonly lost or corrupted through ____, which involves police officers and other professionals who aren't part of the crime scene processing team.
professional curiosity
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
proprietary
____, or mirrored striping, is a combination of RAID 1 and RAID 0.
RAID 10
Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.
sha1sum
Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server.
sniffing
A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.
steel
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.
true
Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive
true
A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
warning banner