Chapter 4
________________ can be any information stored or transmitted in digital form.
Digital evidence
21. When seizing digital evidence in criminal investigations, whose standards should be followed? a. U.S. DOJ b. ISO/IEC c. IEEE d. ITU
ANSWER: a
23. What type of media has a 30-year lifespan? a. DVD-Rs b. DLT magnetic tape c. hard drive d. USB thumb drive
ANSWER: b
9. If practical, _______ team(s) should collect and catalog digital evidence at a crime scene or lab. a. two b. five c. one d. three
ANSWER: c
37. In the United States, ____________ and similar agencies must comply with state public disclosure and federal Freedom of Information Act (FOIA) laws, and make certain documents available as public records.
non-government organizations (NGOs)
39. The ____________________ doesn't extend to supporting a general exploratory search from one object to another unless something incriminating is found.
plain view doctrine
1. Computer-stored records are data the system maintains, such as system log files and proxy server logs. a. True b. False
ANSWER: False
31. An algorithm that produces a hexadecimal value of a file or storage media; used to determine whether data has changed a. Computer-generated records b. Keyed hash set c. Cyclic Redundancy Check d. Message Digest 5 e. Computer-stored records f. Probable cause g. Extensive-response field kit h. Sniffing i. Nonkeyed hash set j. Initial-response field kit
ANSWER: d
7. _______ is a common cause for lost or corrupted evidence. a. Public access b. Not having enough people on the processing team c. Having an undefined security perimeter d. Professional curiosity
ANSWER: d
30. A unique hash number generated by a software tool and used to identify files a. Computer-generated records b. Keyed hash set c. Cyclic Redundancy Check d. Message Digest 5 e. Computer-stored records f. Probable cause g. Extensive-response field kit h. Sniffing i. Nonkeyed hash set j. Initial-response field kit
ANSWER: i
38. The ______________ rule states that to prove the content of a written document, recording, or photograph, ordinarily the original writing, recording, or photograph is required.
best evidence
43. Compare and contrast hashing methods using a keyed hash set and a nonkeyed hash set.
ANSWER: A nonkeyed hash set is a unique hash number generated by a software tool, such as the Linux md5sum command. The advantage of this type of hash is that it can identify known files, such as executable programs or viruses, that hide themselves by changing their names. For example, many people who view or transmit pornographic material change filenames and extensions to obscure the nature of the contents. However, even if a file's name and extension change, the hash value doesn't. A keyed hash set is created by an encryption utility's secret key. You can use the secret key to create a unique hash value for a file. Although a keyed hash set can't identify files as nonkeyed hash methods can, it can produce a unique hash set for digital evidence.
50. Consistent practices help verify your work and enhance your credibility, so you must handle all evidence consistently. Explain why it's important to apply the same security and accountability controls for evidence in a civil lawsuit as in a major crime.
ANSWER: Apply the same security and accountability controls for evidence in a civil lawsuit as a major crime to comply with your state's rules of evidence or with the Federal Rules of Evidence (FRE). Also, evidence admitted in a criminal case might also be used in a civil suit, and vice versa.
44. To verify data integrity, different methods of obtaining a unique identity for file data have been developed. Explain how you can use Cyclic Redundancy Check (CRC) and Message Digest 5 (MD5) for this purpose.
ANSWER: Both Cyclic Redundancy Check (CRC) and Message Digest 5 (MD5) can be used to generate a hash value based on the contents of a file, which can then be used to determine if file contents have changed. In the event of a change of the file contents, the hash value will not match the original file's hash value.
3. The Fourth Amendment states that only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued. The courts have determined that this phrase means a warrant can authorize a search of a specific place for anything. a. True b. False
ANSWER: False
41. Like most common law nations, the United States excludes hearsay as spelled out in the FRE Article VIII, Rule 802. Rules 803 and 804 cite more than 20 exceptions for when hearsay can be used. Provide five examples that apply to digital forensics investigations.
ANSWER: Five examples of hearsay that can be used are:
1. Business records, including those of a public agency
2. Certain public records and reports
3. Evidence of the absence of a business record or entry
4. Learned treatises used to question an expert witness
5. Statement of the absence of a public record or entry
45. Describe the steps to take if you discover evidence of a crime during a company policy investigation.
ANSWER: If you find evidence of a crime during a company policy investigation, first determine whether the incident meets the elements of criminal law. You might have to consult with your corporate attorney to determine whether the situation is a potential crime. Next, inform management of the incident; they might have other concerns, such as protecting confidential business data that might be included with the criminal evidence (called "commingled data"). In this case, coordinate with management and the corporate attorney to determine the best way to protect commingled data. After you submit evidence containing sensitive information to the police, it becomes public record. Public record laws do include exceptions for protecting sensitive corporate information; ultimately, however, a judge decides what to protect. After you discover illegal activity and document and report the crime, stop your investigation to make sure you don't violate Fourth Amendment restrictions on obtaining evidence. If the information you supply is specific enough to meet the criteria for a search warrant, the police are responsible for obtaining a warrant that requests any new evidence. If you follow police instructions to gather additional evidence without a search warrant after you report a crime, you run the risk of becoming an agent of law enforcement. Instead, consult with your corporate attorney on how to respond to a police request for information. The police and prosecutor should issue a subpoena for any additional new evidence, which minimizes your exposure to potential civil liability. In addition, you should keep all documentation of evidence collected to investigate an internal company policy violation.
42. The plain view doctrine states that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence. Provide the three criteria that must be met in order for the plain view doctrine to apply.
ANSWER: In order for the plain view doctrine to apply, the following three criteria must be met:
1. The officer is where he or she has a legal right to be.
2. Ordinary senses must not be enhanced by advanced technology in any way, such as with binoculars.
3. Any discovery must be by chance.
47. At a scene, technical advisors can help direct other investigators to collect evidence correctly. List the responsibilities of technical advisors.
ANSWER: The following are responsibilities of technical advisors:
1. Know all aspects of the system being seized and searched.
2. Direct investigators on how to handle sensitive media and systems to prevent damage.
3. Help ensure security of the scene.
4. Help document the planning strategy for the search and seizure.
5. Conduct ad hoc training for investigators on the technologies and components being seized and searched.
6. Document activities during the search and seizure.
7. Help conduct the search and seizure.
46. After you record the scene and shut down the system, you bag and tag the evidence. Describe the steps to follow for bagging and tagging evidence.
ANSWER: The following steps are to be followed when bagging and tagging evidence:
1. Assign one person, if possible, to collect and log all evidence. Minimize the number of people handling evidence to ensure its integrity.
2. Tag all the evidence you collect with the current date and time, serial numbers or unique features, make and model, and name of the person who collected it.
3. Maintain two separate logs of collected evidence to be reconciled for audit control purposes and to verify everything you have collected.
4. Maintain constant control of the collected evidence and the crime or incident scene.
49. With digital evidence, you need to consider how and on what type of media to save it and what type of storage device is recommended to secure it. The media you use to store digital evidence usually depends on how long you need to keep it. If you investigate criminal matters, store the evidence as long as you can. Name five ideal media types on which to store digital data.
ANSWER: The ideal media on which to store digital data are:
1. CDs
2. DVDs
3. DVD-Rs
4. DVD+Rs
5. DVD-RWs
2. An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal injury, such as finding a bomb threat in an e-mail. a. True b. False
ANSWER: True
4. State public disclosure laws apply to state records, but FOIA allows citizens to request copies of public documents created by federal agencies. a. True b. False
ANSWER: True
5. To investigate employees suspected of improper use of company digital assets, a company policy statement about misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access company computer systems and digital devices without a warrant. a. True b. False
ANSWER: True
48. Describe the steps that must be taken to create image files.
ANSWER: You use the following steps to create image files:
1. Copy all image files to a large drive.
2. Start your forensics tool to access and open the image files.
3. Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash.
4. When you finish copying image files to a larger drive, secure the original media in an evidence locker. Don't work with the original media; it should be stored in a locker that has an evidence custody form. Be sure to fill out the form and date it.
11. You must abide by the _______ while collecting evidence. a. Fourth Amendment b. Federal Rules of Evidence c. state's Rules of Evidence d. Fifth Amendment
ANSWER: a
16. The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient _______. a. probable cause b. due diligence c. accusations d. reliability
ANSWER: a
26. Data the system maintains, such as system log files and proxy server logs a. Computer-generated records b. Keyed hash set c. Cyclic Redundancy Check d. Message Digest 5 e. Computer-stored records f. Probable cause g. Extensive-response field kit h. Sniffing i. Nonkeyed hash set j. Initial-response field kit
ANSWER: a
8. What does FRE stand for? a. Federal Rules of Evidence b. Federal Regulations for Evidence c. Federal Rights for Everyone d. Federal Rules for Equipment
ANSWER: a
14. In cases that involve dangerous settings, what kind of team should be used to recover evidence from the scene? a. B-Team b. HAZMAT c. CDC First Responders d. SWAT
ANSWER: b
15. _______ are a special category of private sector businesses, due to their ability to investigate computer abuse committed by employees only, but not customers. a. Hospitals b. ISPs c. Law firms d. News networks
ANSWER: b
18. What should you do while copying data on a suspect's computer that is still live? a. Open files to view contents. b. Make notes regarding everything you do. c. Conduct a Google search of unknown extensions using the computer. d. Check Facebook for additional suspects.
ANSWER: b
19. The term _______ describes rooms filled with extremely large disk systems that are typically used by large business data centers. a. storage room b. server farm c. data well d. storage hub
ANSWER: b
29. A value created by an encryption utility's secret key a. Computer-generated records b. Keyed hash set c. Cyclic Redundancy Check d. Message Digest 5 e. Computer-stored records f. Probable cause g. Extensive-response field kit h. Sniffing i. Nonkeyed hash set j. Initial-response field kit
ANSWER: b
6. _______ would not be found in an initial-response field kit. a. Computer evidence bags (antistatic bags) b. Leather gloves and disposable latex gloves c. A digital camera with extra batteries or 35mm camera with film and flash d. External USB devices or a portable hard drive
ANSWER: b
12. Which of the following is not done when preparing for a case? a. Describe the nature of the case. b. Identify the type of OS. c. Set up covert surveillance. d. Determine whether you can seize the computer or digital device.
ANSWER: c
17. Which court case established that it is not necessary for computer programmers to testify in order to authenticate computer-generated records? a. United States v. Wong b. United States v. Carey c. United States v. Salgado d. United States v. Walser
ANSWER: c
22. The term _______ is used to describe someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest. a. criminal b. potential data source c. person of interest d. witness
ANSWER: c
25. Which system below can be used to quickly and accurately match fingerprints in a database? a. Fingerprint Identification Database (FID) b. Systemic Fingerprint Database (SFD) c. Automated Fingerprint Identification System (AFIS) d. Dynamic Fingerprint Matching System (DFMS)
ANSWER: c
28. A mathematical algorithm that translates a file into a unique hexadecimal value a. Computer-generated records b. Keyed hash set c. Cyclic Redundancy Check d. Message Digest 5 e. Computer-stored records f. Probable cause g. Extensive-response field kit h. Sniffing i. Nonkeyed hash set j. Initial-response field kit
ANSWER: c
10. _______ is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing. a. Second-party evidence b. Rumor c. Fiction d. Hearsay
ANSWER: d
13. A _______ is not a private sector organization. a. small to medium business b. large corporation c. nongovernment organization d. hospital
ANSWER: d
20. _______ does not recover data in free or slack space. a. Raw format acquisition b. Live acquisition c. Static acquisition d. Sparse acquisition
ANSWER: d
24. As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state? a. The power cable should be pulled. b. The system should be shut down gracefully. c. The power should be left on. d. The decision should be left to the Digital Evidence First Responder (DEFR).
ANSWER: d
27. Electronic data that a person creates and saves on a computer or digital device, such as a spreadsheet or word-processing document a. Computer-generated records b. Keyed hash set c. Cyclic Redundancy Check d. Message Digest 5 e. Computer-stored records f. Probable cause g. Extensive-response field kit h. Sniffing i. Nonkeyed hash set j. Initial-response field kit
ANSWER: e
35. The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest a. Computer-generated records b. Keyed hash set c. Cyclic Redundancy Check d. Message Digest 5 e. Computer-stored records f. Probable cause g. Extensive-response field kit h. Sniffing i. Nonkeyed hash set j. Initial-response field kit
ANSWER: f
34. A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers a. Computer-generated records b. Keyed hash set c. Cyclic Redundancy Check d. Message Digest 5 e. Computer-stored records f. Probable cause g. Extensive-response field kit h. Sniffing i. Nonkeyed hash set j. Initial-response field kit
ANSWER: g
32. Detecting data transmissions to and from a suspect's computer and a network server to determine the type of data being transmitted over a network a. Computer-generated records b. Keyed hash set c. Cyclic Redundancy Check d. Message Digest 5 e. Computer-stored records f. Probable cause g. Extensive-response field kit h. Sniffing i. Nonkeyed hash set j. Initial-response field kit
ANSWER: h
33. A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field a. Computer-generated records b. Keyed hash set c. Cyclic Redundancy Check d. Message Digest 5 e. Computer-stored records f. Probable cause g. Extensive-response field kit h. Sniffing i. Nonkeyed hash set j. Initial-response field kit
ANSWER: j
40. Instead of producing hard disks in court, attorneys can submit ______ copies of files as evidence.
printed