Computer Crime Study Guide 2
You cannot use both multi-evidence and single-evidence forms in your investigation.
False
is the more well-known and lucrative side of the computer forensics business
Data recovery
extracts all related e-mail address information for Web-based e-mail investigations
FTK's Internet Keyword Search
A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible.
False
also known as a computer forensics workstation
Forensic workstation
can be used for new files that are saved or files that expand as data is added to them
Free space
process of trying to get a suspect to confess to a specific incident or crime
Interrogation
the least intrusive (in terms of changing data) Microsoft operating system
MS-DOS 6.22
a type of evidence custody form
Multi-evidence form
an older computer forensics tool
Norton DiskEdit
an essential part of professional growth
Self-evaluation
Chain of custody is also known as chain of evidence.
True
Employees surfing the Internet can cost companies millions of dollars.
True
Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data.
True
Forensics tools such as ____ can retrieve deleted files for use as evidence. a. ProDiscover Basic b. ProDelete c. FDisk d. GainFile
a. ProDiscover Basic
To begin conducting an investigation, you start by ____ the evidence using a variety of methods. a. copying b. analyzing c. opening d. reading
a. copying
After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____. a. critique the case b. repeat the case c. present the case d. read the final report
a. critique the case
A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence. a. evidence custody form b. risk assessment form c. initial investigation form d. evidence handling form
a. evidence custody form
When analyzing digital evidence, your job is to ____. a. recover the data b. destroy the data c. copy the data d. load the data
a. recover the data
The list of problems you normally expect in the type of case you are handling is known as the ____. a. standard risk assessment b. chain of evidence c. standard problems form d. problems checklist form
a. standard risk assessment
____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab. a. An antistatic wrist band b. Padding c. An antistatic pad d. Tape
b. Padding
The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court. a. acquisition plan b. chain of custody c. evidence path d. evidence custody
b. chain of custody
A bit-stream image is also known as a(n) ____. a. backup copy b. forensic copy c. custody copy d. evidence copy
b. forensic copy
To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____. a. mobile workstation b. forensic workstation c. forensic lab d. recovery workstation
b. forensic workstation
When you write your final report, state what you did and what you ____. a. did not do b. found c. wanted to do d. could not do
b. found
____ can be the most time-consuming task, even when you know exactly what to look for in the evidence. a. Evidence recovery b. Data recovery c. Data analysis d. Evidence recording
c. Data analysis
____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats. a. VPN b. Internet c. E-mail d. Phone
c. E-mail
You can use ____ to boot to Windows without writing any data to the evidence disk. a. a SCSI boot up disk b. a Windows boot up disk c. a write-blocker d. Windows XP
c. a write-blocker
To create an exact image of an evidence disk, copying the ____ to a target work disk that's identical to the evidence disk is preferable. a. removable copy b. backup copy c. bit-stream image d. backup image
c. bit-stream image
The basic plan for your investigation includes gathering the evidence, establishing the ____, and performing the forensic analysis. a. risk assessment b. nature of the case c. chain of custody d. location of the evidence
c. chain of custody
When preparing a case, you can apply ____ to problem solving. a. standard programming rules b. standard police investigation c. standard systems analysis steps d. bottom-up analysis
c. standard systems analysis steps
____ from Technology Pathways is a forensics data analysis tool. You can use it to acquire and analyze data from several different file systems. a. Guidance EnCase b. NTI SafeBack c. DataArrest SnapCopy d. ProDiscover Basic
d. ProDiscover Basic
A ____ is a bit-by-bit copy of the original storage medium. a. preventive copy b. recovery copy c. backup copy d. bit-stream copy
d. bit-stream copy
Use ____ to secure and catalog the evidence contained in large computer components. a. Hefty bags b. regular bags c. paper bags d. evidence bags
d. evidence bags
In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____. a. checked values b. verification c. evidence backup d. repeatable findings
d. repeatable findings