Chapter 4 Sammons & Cengage Quizzes


C. discovery.

"The process of identifying, preserving, collecting, preparing, reviewing, and producing ESI in the context of the legal process" is the definition of A. forensic imaging. B. the cleaning process. C. discovery. D. hashing.

A. forensic clone. B. bit stream image.

A bit for bit copy of a hard drive is known as a (choose all that apply) A. forensic clone. B. bit stream image. C. copy and paste. D. unallocated space.

False

An initial-response field kit does not contain evidence bags. True False

You begin to take orders from a police detective without a warrant or subpoena.

As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? You begin to take orders from a police detective without a warrant or subpoena. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. Your internal investigation begins. None of the above.

False

Books and manuals can give investigators clues as to the skill level of the target but not what kind of technology they may be up against. True False

A. they may be wiped by the cell provider. B. the battery may drain.

Cellphones are vulnerable because (choose all that apply) A. they may be wiped by the cell provider. B. the battery may drain. C. Faraday bags are expensive. D. B and C.

True

Commingling evidence means that sensitive or confidential information is being mixed with data collected as evidence. True False

True

Computer peripherals or attachments can contain DNA evidence. True False

False

Copying and pasting gets the active data - that is, data that are accessible to the user as well as deleted files. True False

True

Exigent circumstances may provide rationale for conducting your examination on the original digital evidence. True False

True

If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True False

Coordinate with the HAZMAT team.

If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? Coordinate with the HAZMAT team. Determine a way to obtain the suspect's computer. Assume the suspect's computer is contaminated. Do not enter alone.

True

If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True False

True

In forensic hashes, a collision occurs when two different files have the same hash value. True False

True

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. True False

MD5 and SHA-1

List two hashing algorithms commonly used for forensic purposes. RSA and RC5 MD5 and SHA-1 MD5 and AES AES and SHA-2

Most companies keep inventory databases of all hardware and software used.

Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? Most companies keep inventory databases of all hardware and software used. The investigator doesn't have to get a warrant. The investigator has to get a warrant. Users can load whatever they want on their machines.

A. stringing crime tape. B. posting guards. C. asking people to leave.

Securing a traditional scene is accomplished by (choose all that apply) A. stringing crime tape. B. posting guards. C. asking people to leave. D. making certain you immediately shut off all electronic devices.

False

Small companies rarely need investigators. True False

C. registers, memory, archival media.

The correct order of volatility (from most volatile to least volatile) is A. archival media, swap space, memory. B. remotely logged data, data on hard disk, registers. C. registers, memory, archival media. D. temp files, memory, registers.

False

The plain view doctrine in computer searches is well-established law. True False

False

The suspect's drive is known as the destination drive and the drive the investigator is cloning to is called the source drive because it is the source of the analysis. True False

True

Under certain legal requirements, your notes could become discoverable and made available to the opposing side. This can happen if you take your notes with you to the witness stand. True False

It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes

What are the three rules for a forensic hash? Fast, reliable, and the hash value should be at least 2048 bits Produce collisions, should be at least 2048 bits, and it can't be predicted It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes It can be predicted, fast and reliable

To minimize how much you have to keep track of at the scene

When you arrive at the scene, why should you extract only those items you need to acquire evidence? To conceal trade secrets To preserve your physical security To speed up the acquisition process To minimize how much you have to keep track of at the scene

Keylogging Data sniffing

Which of the following techniques might be used in covert surveillance (choose all that apply)? Keylogging Data sniffing Network logs All of the above

Initial-response kit

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you? Extensive-response kit Initial-response kit Lightweight kit Car crash kit

False

You should always answer questions from onlookers at a crime scene. True False

True

You should videotape or sketch anything at a digital crime scene that might be of interest to the investigation. True False
