Module 2: Digital Evidence Collection
Which one of the following is a way in which a crime would require a digital forensics investigation? Select one: a. A computer is used to store records of illegal gambling. b. A flash drive is found on a suspect in a drug store robbery. c. A computer store is broken into and items are stolen. d. None of the above.
a. A computer is used to store records of illegal gambling.
Which one of the following is NOT considered to be a necessary physical security measure for a forensics lab? Select one: a. Armed security guards on either side of each door. b. Identification badges with pictures. c. Locked doors for all exits. d. True floor to ceiling walls.
a. Armed security guards on either side of each door.
A record of the validation should be found in the _______. Select one: a. Investigator's journal. b. Documentation diary. c. Postmortem. d. Investigation plan.
a. Investigator's journal.
A procedure is best described as _______. Select one: a. List of steps to complete a process. b. List of tasks that together complete one step in a plan. c. List of steps which together complete a single task or part of a task for a forensics investigation. d. List of tasks which together complete a forensics investigation.
a. List of steps to complete a process.
Carving tools will scan an acquired partition image in order to _______. Select one: a. Reconstruct partial or complete files from fragments. b. Identify all files "split" into multiple parts. c. Identify all RAM slack on the system. d. Decrypt all files or partial files.
a. Reconstruct partial or complete files from fragments.
________ is the term that describes how different tasks are assigned to the forensics staff based on the difficulty of the task and the level of expertise of each staff member. Select one: a. Separation of Duties. b. Certification. c. Chain of Custody. d. None of the Above.
a. Separation of Duties.
The lead forensic investigator contributes _________ to the journal for an investigation. Select one: a. The assignment of tasks. b. The specific time each task should be performed. c. The results of the assignments. d. The procedures followed for each task or assignment.
a. The assignment of tasks.
Post-mortem meetings should occur at the point when _________. Select one: a. The case is closed. b. The lead investigator passes the results of the forensics investigations to the detectives. c. The lead investigator passes the results of the forensics investigations to the attorneys. d. The case begins litigation.
a. The case is closed.
Which one of the following questions is NOT one to be answered by the investigation plan? Select one: a. What age is the suspect? b. What skills are needed to extract the evidence? c. Where is the evidence likely to be located? d. What local laws and court processes will affect this investigation?
a. What age is the suspect?
Which three of the following are facts that an investigator should know before proceeding with evidence acquisition or extraction? Select one or more: a. The suspect in the investigation. b. The permission and scope to acquire evidence. c. The answers being sought by the legal system. d. The urgency of the request by the legal system.
b, c, d
Which of the following are good reasons why certification is more important early in the career of forensics investigators? Select one or more: a. Certification prompts education and training of inexperienced staff. b. Senior investigators are required to have at least a minimal level of education and certifications. c. Forensics software is too advanced for younger staff, and so requires more training and validation of skills. d. The legal system often requests/requires validation of forensics investigators' skill(s).
b, d
Of the three duties defined in the triad of computer forensics, which two will collect evidence for later use in civil or public investigations? Select one or more: a. Remediation Staff. b. Forensics Investigators. c. Incident Response Staff. d. Vulnerability Assessment Staff.
b, not d
Maintaining a chain of custody implies _______. Select one: a. Physical security of the forensics building. b. Keeping a record of who accessed the evidence, when they accessed it, and why it was accessed. c. Maintenance of a record documenting the usefulness of each piece of evidence in a court of law. d. Physical security of the evidence locker.
b. Keeping a record of who accessed the evidence, when they accessed it, and why it was accessed.
Which one of the following is an acceptable method of maintaining a proper "chain of custody"? Select one: a. Peer review of work performed on evidence. b. Paper forms that track who collected evidence. c. Software to acquire and analyze digital evidence. d. Testimony at trial.
b. Paper forms that track who collected evidence.
The forensics lab will have a dedicated area called the ________ that stores equipment in evidence. Select one: a. Forensics footlocker. b. Secured evidence locker. c. Security zone. d. None of the above.
b. Secured evidence locker.
A _______ is the name for skilled staff qualified to accomplish a specific type of task. Select one: a. Certified professional. b. Subject matter expert. c. Team leader. d. All of the above.
b. Subject matter expert.
The lead forensic investigator contributes _________ to the journal for an investigation. Select one: a. The results of the assignments. b. The assignment of tasks. c. The specific time each task should be performed. d. The procedures followed for each task or assignment.
b. The assignment of tasks.
In order to maintain the _________, both a single-evidence form and a multi-evidence form are used to document and catalog evidence. Select one: a. Evidence validation. b. Image reconstruction. c. Chain of custody. d. Proper signatures.
c. Chain of custody.
In order to stay abreast of the latest technical changes in software, hardware, networking, operating systems, and even the latest investigation techniques, the investigator must dedicate large portions of time and energy to _______. Select one: a. Meetings with his/her superiors to ensure consistency. b. Meetings with staff to keep them updated. c. Continual education and re-education. d. Be sure there are no discrepancies in the agenda of the investigation.
c. Continual education and re-education.
Which one of the following acquired copies of digital evidence is sufficient to fully reconstruct a disk? Select one: a. Backup copy. b. File system copy. c. Disk image. d. Partition image.
c. Disk image.
Which one of the following strategies would NOT help identify evidence relevant to a specific case? Select one: a. Identify and exclude files that are common to all Windows installations. b. Identify the file types that are highly probable to contain inculpatory or exculpatory evidence. c. Exclude files that have not been modified. d. Exclude files that are known to be irrelevant (such as files with well-known signatures).
c. Exclude files that have not been modified.
Which one of the following is NOT part of the triad of computer forensics? Select one: a. Incident Response. b. Vulnerability Assessment. c. Remediation. d. Investigations.
c. Remediation.
Forensics is best described as the field that provides ________. Select one: a. Detective services. b. Evidence. c. Scientific answers to legal questions. d. Scientific explanations.
c. Scientific answers to legal questions.
All of the following are examples of "separation of duties" EXCEPT ________. Select one: a. Separation of physical evidence collection and digital evidence collection. b. Separation of acquisition and extraction. c. Separation of computer forensics and digital forensics. d. Separation of digital evidence collection and digital evidence analysis.
c. Separation of computer forensics and digital forensics.
Which of the following questions would not be answered by the investigation plan? Select one: a. Where is the evidence likely to be located? b. What local laws and court processes will affect this investigation? c. What is the sex of the suspect? d. What skills are needed to extract the evidence?
c. What is the sex of the suspect?
Which of the following items would NOT be found in the inventory of computer software and equipment at a standard forensics lab? Select one: a. A power cord for a European laptop. b. A hard-drive with the same or similar specification as the suspect's hard-drive model. c. Memory for an 8086 computer (a computer from the 1980s). d. A copy of a suspect's hard-drive image.
d. A copy of a suspect's hard-drive image.
Which one of the following is a step to be completed when collecting and analyzing evidence? Select one: a. Secure the system. b. Assess the best environment to analyze the data. c. Acquire and validate a copy of the digital evidence. d. All of the above.
d. All of the above.
Which one of the following function(s) is included in extraction? Select one: a. Carving. b. Decryption. c. Compression. d. All of the above.
d. All of the above.
In public investigations in which a crime has been committed, exculpatory evidence for a suspect will ________. Select one: a. Exclude any explanation other than the current theory of events. b. Have no effect on the suspect since exculpatory evidence relates to theories of events. c. Prove the guilt of the suspect. d. Clear or exonerate the suspect.
d. Clear or exonerate the suspect.
In public investigations in which a crime has been committed, exculpatory evidence for a suspect will ________. Select one: a. Exclude any explanation other than the current theory of events. b. Prove the guilt of the suspect. c. Have no effect on the suspect since exculpatory evidence relates to theories of events. d. Clear or exonerate the suspect.
d. Clear or exonerate the suspect.
A ________ is used in the validation of digital image evidence to compare an original set of data with a copied image to ensure that they are identical matches. Select one: a. Data compare. b. Boot record. c. String. d. Digital signature.
d. Digital signature.
Working alongside the investigative team and the vulnerability assessment team, the staff assigned the task of "intrusion response" will perform the following (among other) tasks: Select one: a. Reproduce the exploit used by the intruder to gain unauthorized access. b. Using forensics tools, assess the vulnerabilities used by the intruders to gain unauthorized entry. c. Arrest criminals for litigation against any intruders that are caught. d. Track, locate, and identify the intruder and deny further access to the network and hosts.
d. Track, locate, and identify the intruder and deny further access to the network and hosts.
MD5 and SHA are algorithms that provide _______ features to forensics investigations. Select one: a. Extraction. b. Imaging. c. Reporting. d. Validation.
d. Validation.
A process is best described as a _______. Select one: a. List of tasks that together complete one step in a procedure. b. List of steps which together complete a single task or part of a task for a forensics investigation. c. List of steps to complete a procedure. d. List of tasks that together complete a forensics investigation.
not b
In public investigations, which one of the following phrases describes methods for using a computer to commit a crime? Select one: a. Crimes in which the computer is the target. b. Crimes in which the computer is the instrument of the crime. c. Crimes in which the computer is incidental to another crime. d. All of the above.
not b
Which of the following is NOT an example of digital evidence? Select one: a. Online public database. b. Computer. c. Data on a computer's hard disk. d. Cell Phone.
not b
Which one of the following is NOT a benefit of holding post-mortem sessions? Select one: a. Improved analysis of the investigation's evidence. b. Perspective on the legal process. c. Education from peer training. d. Learn and hone skills.
not b
Reconstruction, a type of investigation tool, supports the following types of data copies EXCEPT: Select one: a. Disk to disk. b. Image to disk. c. Image to partition. d. Disk to partition.
not c
The master boot record will only be found in the _______. Select one: a. Disk image. b. C: Drive image. c. Boot Drive image. d. Partition image.
not c
Which of the following would help investigators set the scope for strategies to extract evidence from acquired images? Select one: a. The password of the suspect. b. Items found in pockets of clothing owned by the suspect. c. The question or questions to be answered by the evidence. d. The type of files that are not sought by a warrant.
not c