ch. 4 Processing Crime and Incident Scenes
Automated Fingerprint Identification System (AFIS)
A computerized system for identifying fingerprints that's connected to a central database; used to identify criminal suspects and review thousands of fingerprint samples at high speed.
Secure Hash Algorithm version 1 (SHA-1)
A forensic hashing algorithm created by NIST to determine whether data in a file or on storage media has been altered.
Scientific Working Group on Digital Evidence (SWGDE)
A group that sets standards for recovering, preserving, and examining digital evidence.
Cyclic Redundancy Check (CRC)
A mathematical algorithm that translates a file into a unique hexadecimal value.
initial-response field kit
A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.
extensive-response field kit
A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers. This kit should contain two or more types of software or hardware computer forensics tools, such as extra storage drives.
nonkeyed hash set
A unique hash number generated by a software tool and used to identify files.
hash value
A unique hexadecimal value that identifies a file or drive.
keyed hash set
A value created by an encryption utility's secret key.
Message Digest 5 (MD5)
An algorithm that produces a hexadecimal value of a file or storage media. Used to determine whether data has been changed.
If a suspect computer is running Windows 2000, which of the following can you safely perform?
Browsing open applications
hazardous materials (HAZMAT)
Chemical, biological, or radiological substances that can cause harm to people.
If a suspect computer is located in an area that might have toxic chemicals, you must do which of the following? (Choose all that apply.)
Coordinate with the HAZMAT team., Assume the suspect machine is contaminated.
low-level investigations
Corporate cases that require less investigative effort than a major criminal case.
computer-generated records
Data generated by a computer, such as system log files or proxy server logs.
innocent information
Data that doesn't contribute to evidence of a crime or violation.
sniffing
Detecting data transmissions to and from a suspect's computer and a network server to determine the type of data being transmitted over a network.
computer-stored records
Digital files generated by a person, such as electronic spreadsheets.
digital evidence
Evidence consisting of information stored or transmitted in electronic form.
Small companies rarely need investigators. True or False?
False
The plain view doctrine in computer searches is well-established law. True or False?
False
You should always answer questions from onlookers at a crime scene.
False
Which of the following techniques might be used in covert surveillance?
Key logging, Data sniffing
What should NOT be videotaped or sketched at a computer crime scene?
None of the above
covert surveillance
Observing people or places without being detected, often using electronic equipment, such as video cameras or key stroke/screen capture programs.
National Institute of Standards and Technology (NIST)
One of the governing bodies responsible for setting standards for some U.S. industries.
Commingling evidence means what in a corporate setting?
Sensitive corporate information being mixed with data collected as evidence
person of interest
Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.
probable cause
The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.
When you arrive at the scene, why should you extract only those items you need to acquire evidence?
To minimize the amount of items that you have to keep track of., To protect your equipment.
Computer peripherals or attachments can contain DNA evidence.
True
If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?
True
If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?
True
In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause. True or False?
True
MD5 and SHA-1 are two hashing algorithms commonly used for forensic purposes.
True
One of the rules of forensic hash is that no two files can have the same hash value.
True
plain view doctrine
When conducting a search and seizure, objects in plain view of a law enforcement officer, who has the right to be in position to have that view, are subject to seizure without a warrant and can be introduced as evidence. As applied to executing searches of computers, the plain view doctrine's limitations are less clear.
limiting phrase
Wording in a search warrant that limits the scope of a search for evidence.
Which items should be included in an initial response field kit?
all of the above
professional curiosity
The motivation for law enforcement and other professional personnel to examine an incident or crime scene to see what happened.
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
initial-response field kit
Corporate investigations are typically easier than law enforcement investigations because ____________.
most companies keep inventory databases of all hardware and software used.
In forensic hashes, a collision occurs when ____________________.
two files have the same hash value
As a corporate investigator, you can become an agent of law enforcement when ____________.
you begin to take orders from a police detective without a warrant or subpoena., your internal investigation has concluded