QUESTIONS - Chapter 30 Digital Forensics
2. A common data element needed later in the forensics process is an accurate system time with respect to an accurate external time source. A record time offset is calculated by measuring system time with an external clock such as a Network Time Protocol (NTP) server. Which of the following must be considered relative to obtaining a record time offset? A. The record time offset can be lost if the system is powered down, so it is best collected while the system is still running. B. The internal clock may not be recorded to the same level of accuracy, so conversions may be necessary. C. External clock times may vary as much as 2 to 3 seconds, so it is best to obtain the time from several NTP servers to gain a more accurate reading. D. Recording time to track man-hours is a legal requirement.
A. The record time offset is lost if the system is powered down, because the running clock state it is measured against is gone, so it is best collected while the system is still running. The offset is only meaningful for events recorded while the system clock was in the same state it was in when the offset was taken.
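The following is an added example, not part of the chapter, showing what a record time offset is used for once it has been collected: one paired reading of the suspect system's clock and a reference clock is turned into an offset, and that offset is applied to the system's own log timestamps to place them on reference (UTC) time. The clock readings, the log lines and their timestamp layout are all constructed for illustration.

```python
# Added example (not from the chapter): computing a record time offset from
# one paired clock reading and using it to correct log timestamps.
# All clock readings and log lines below are constructed for illustration.
from datetime import datetime, timedelta, timezone

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S%z"  # assumed log timestamp layout (constructed)


def record_time_offset(system_time: datetime, reference_time: datetime) -> timedelta:
    """Return reference - system, i.e. what must be ADDED to a system
    timestamp to obtain reference time. Positive means the system clock runs
    slow. Both readings must be timezone-aware; naive values would silently
    compare wall-clock digits from different zones."""
    if system_time.tzinfo is None or reference_time.tzinfo is None:
        raise ValueError("both clock readings must be timezone-aware")
    return reference_time - system_time


def correct_timestamp(ts: datetime, offset: timedelta) -> datetime:
    """Map a timestamp produced by the suspect system onto reference (UTC) time."""
    if ts.tzinfo is None:
        raise ValueError("log timestamp must carry its zone")
    return (ts + offset).astimezone(timezone.utc)


def correct_log(lines, offset: timedelta, fmt: str = LOG_FORMAT):
    """Parse '<timestamp> <message>' lines and return (utc_time, message) pairs."""
    corrected = []
    for line in lines:
        stamp, _, message = line.strip().partition(" ")
        corrected.append((correct_timestamp(datetime.strptime(stamp, fmt), offset), message))
    return corrected


# Paired reading taken while the system was still running (constructed):
# the workstation clock (US Eastern, UTC-5) and an NTP server, read at the
# same instant. The workstation turns out to be 5 minutes 25 seconds slow.
SYSTEM_READING = datetime(2024, 3, 5, 14, 2, 17, tzinfo=timezone(timedelta(hours=-5)))
NTP_READING = datetime(2024, 3, 5, 19, 7, 42, tzinfo=timezone.utc)
RECORD_OFFSET = record_time_offset(SYSTEM_READING, NTP_READING)

# Constructed log lines as written by the workstation, in its own clock and zone.
SAMPLE_LOG = [
    "2024-03-05T13:58:00-0500 logon user=jsmith",
    "2024-03-05T14:01:30-0500 usb-mass-storage attached",
]
CORRECTED_LOG = correct_log(SAMPLE_LOG, RECORD_OFFSET)

if __name__ == "__main__":
    direction = "slow" if RECORD_OFFSET > timedelta(0) else "fast"
    print(f"record time offset: {RECORD_OFFSET} (system clock {direction})")
    for when, message in CORRECTED_LOG:
        print(when.isoformat(), message)
```

The zone handling is the part that goes wrong in practice: a log that stores local time without a zone cannot be corrected reliably, because the offset and any daylight-saving change are then indistinguishable. Record both the zone the system believed it was in and the reference reading, not just the difference.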
7. You have been tasked with assisting in the forensic investigation of an incident relating to employee misconduct. The employee's supervisor believes evidence of this misconduct can be found on the employee's assigned workstation. Which of the following choices best describes what should be done? A. Create a timeline of events related to the scope. B. Copy the user profile to reduce the search space. C. Sign in as the user and search through their recent efforts. D. Examine log file entries under the user's profile.
A. The scope defines the boundaries of the investigation, and the timeline shows what a user did within that scope period with respect to items of interest.
10. From the initial step in the forensics process, the most important issue must always be which of the following? A. Preservation of the data B. Chain of custody C. Documenting all actions taken D. Witness preparation
A. While all of these are important, from the initial step in the forensics process, the most important issue must always be preservation of the data.
6. Which type of evidence is also known as associative or physical evidence and includes tangible objects that prove or disprove a fact? A. Direct evidence B. Real evidence C. Documentary evidence D. Demonstrative evidence
B. Real evidence is also known as associative or physical evidence and includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness's statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Evidence in the form of business records, printouts, manuals, and similar objects, which make up much of the evidence relating to computer crimes, is documentary evidence. Demonstrative evidence is used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred.
3. What is the term used to describe the process that accounts for all persons who handled or had access to a piece of evidence? A. Secure e-discovery B. Chain of custody C. Evidence accountability process D. Evidence custodianship
B. The chain of custody accounts for all persons who handled or had access to the evidence.
1. Volatile information locations such as the RAM change constantly, and data collection should occur in the order of volatility or lifetime of the data. Order the following list from most volatile (which should be collected first) to least volatile. A. Routing tables, ARP cache, process tables, kernel statistics B. Memory (RAM) C. CPU, cache, and register contents D. Temporary file system/swap space
C, A, B, D. The most volatile elements are collected first, in this order: CPU, cache and register contents; then routing tables, ARP cache, process tables and kernel statistics; then memory (RAM); then temporary file systems and swap space. Anything that lives only in the running system's state is gone once the system is powered down or rebooted, so it must be captured before any action that would change it.
8. Which of the following would a capture video not be used to collect? A. Serial number plates B. Cable connections C. System image D. Physical layout and existence of systems
C. A system image is a bit-level copy of a system's memory or storage, that is, digital data that must be acquired with imaging tools and verified with a hash; it cannot be captured on video. The other three are static, physical facts about the scene (serial number plates, cable connections, the physical layout and existence of systems) that a capture video is valuable in recording before anything is moved or disconnected.
5. A judge has issued an order for all e-mail to be preserved and that order is in effect. Which of the following statements is correct? A. You can delete old e-mail after the standard retention period. B. You should have the legal department determine which records must be saved. C. You should continue archiving all e-mail. D. You can delete the e-mail after making a copy to save for e-discovery.
C. You should continue archiving all e-mail. You must continue to comply with the court order. Letting the legal department make determinations when the order specifies "all e-mail" is a mistake. Making copies of the e-mail is only legitimate if you make forensically sound copies (verified with a hash and recorded in the chain of custody), not ordinary backups.
9. Which of the following performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check? A. Record offset B. Cryptographic algorithm C. Authentication code D. Hashing algorithm
D. A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check (CRC). It applies mathematical operations to a data stream (or file) to calculate a fixed-length value that, for all practical purposes, is unique to the information contained in that data stream (or file). The difference that matters for evidence is that parity bits, checksums and CRCs only detect accidental corruption, whereas a cryptographic hash also makes it computationally infeasible to construct a different file with the same value, so a matching hash shows the copy is the same as the original.
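The following is an added example, not part of the chapter, that puts questions 3 and 9 together: it shows why evidence is fingerprinted with a cryptographic hash rather than a parity bit, checksum or CRC, and then uses that hash in a minimal chain-of-custody record that re-verifies the evidence at every handover. The evidence bytes, evidence identifier, handler names and actions are all constructed for illustration.

```python
# Added example (not from the chapter): why evidence is fingerprinted with a
# cryptographic hash rather than a parity bit, checksum or CRC, and a minimal
# chain-of-custody log that re-verifies the hash on every handover.
# The evidence bytes, handler names and actions are all constructed.
import hashlib
import zlib
from dataclasses import dataclass, field


def parity_bit(data: bytes) -> int:
    """Parity over every bit of the input: a single bit of error detection."""
    return bin(int.from_bytes(data, "big")).count("1") & 1


def additive_checksum(data: bytes) -> int:
    """Classic 16-bit checksum: byte sum mod 2**16. Insensitive to byte order."""
    return sum(data) & 0xFFFF


def crc32(data: bytes) -> int:
    """CRC-32 catches reordering and burst errors, but it is linear, so a
    deliberate modification can be patched to leave the CRC unchanged."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_hex(data: bytes) -> str:
    """Cryptographic fingerprint: finding a different input with the same
    value is computationally infeasible, which is what evidence integrity needs."""
    return hashlib.sha256(data).hexdigest()


# Constructed evidence record: one log line from an acquired image.
ORIGINAL = b"2024-03-05T14:01:30 user=jsmith copy src=nas dest=usb file=payroll.xlsx"
# Tampered version that reverses the direction of the copy. It contains exactly
# the same bytes in a different order, so parity and the additive checksum
# cannot tell the two apart.
TAMPERED = b"2024-03-05T14:01:30 user=jsmith copy src=usb dest=nas file=payroll.xlsx"


def fingerprint_comparison(a: bytes, b: bytes) -> dict:
    """Report which integrity function notices that a and b differ."""
    return {
        "parity": parity_bit(a) != parity_bit(b),
        "checksum16": additive_checksum(a) != additive_checksum(b),
        "crc32": crc32(a) != crc32(b),
        "sha256": sha256_hex(a) != sha256_hex(b),
    }


@dataclass
class CustodyEntry:
    handler: str
    action: str
    observed_hash: str
    verified: bool


@dataclass
class EvidenceRecord:
    """Chain of custody: who handled the evidence, what they did, and whether
    the hash observed at that moment still matched the acquisition hash."""
    evidence_id: str
    acquisition_hash: str
    chain: list = field(default_factory=list)

    def handover(self, handler: str, action: str, data: bytes) -> bool:
        observed = sha256_hex(data)
        ok = observed == self.acquisition_hash
        self.chain.append(CustodyEntry(handler, action, observed, ok))
        return ok

    def intact(self) -> bool:
        return all(entry.verified for entry in self.chain)


def build_custody_chain() -> EvidenceRecord:
    """Walk a constructed custody chain; the last handler receives a tampered copy."""
    record = EvidenceRecord("WS-042-LOG-001", sha256_hex(ORIGINAL))
    record.handover("analyst-a", "acquired from workstation", ORIGINAL)
    record.handover("evidence-custodian", "received, sealed in locker", ORIGINAL)
    record.handover("analyst-b", "checked out for analysis", TAMPERED)
    return record


if __name__ == "__main__":
    for name, detected in fingerprint_comparison(ORIGINAL, TAMPERED).items():
        print(f"{name:10} detects tampering: {detected}")
    rec = build_custody_chain()
    for entry in rec.chain:
        print(entry.handler, entry.action, "OK" if entry.verified else "HASH MISMATCH")
    print("chain intact:", rec.intact())
```

The swapped-field tampering is chosen because it defeats the order-insensitive checks outright; CRC-32 does notice it here, but because CRC is linear an adversary who controls the data can adjust a few bytes to restore any target CRC, which is why the acquisition hash in the custody record is SHA-256 and why it is recomputed, not just copied forward, at each handover.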
4. Which standard of evidence states the evidence must be convincing or measure up without question? A. Direct evidence B. Competent evidence C. Relevant evidence D. Sufficient evidence
D. Sufficient evidence states the evidence must be convincing or measure up without question. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness's statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Competent evidence states the evidence must be legally qualified and reliable. Relevant evidence states the evidence must be material to the case or have a bearing on the matter at hand.