DFIA 440 Final Prep
Order the following from MOST volatile to LEAST volatile.
1. Registers & cache
2. Routing tables, process tables, kernel statistics
3. RAM
4. Swap space
5. Disks or other storage media
6. Remotely logged data
7. Archival media
An MD5 hash value is comprised of ________ bits.
128
Authentication is a ______ step process
2
Digital forensics can be used in the following areas...
All of these
The actions you take when collecting evidence could impact the...
All the above
Which of the following is NOT true about being a juror?
All the above.
What is the primary difference between an expert witness and a fact witness?
An expert witness can provide an opinion and is there to testify to methods, procedures, and their outcomes. A fact witness is directly related to the crime, cannot give an opinion, and can only state what they saw, heard, etc. *UNGRADED*
Evidence Changes... (choose all that apply)
B. Should always be minimized C. Should always be noted in the final report *1.5 out of 2 points with these*
The odds of two different pieces of evidence having the same MD5 hash value is about 1 in 340....
Billion Billion Billion Billion
What is evidence dynamics?
Evidence dynamics is any sort of interaction that can damage, alter, or destroy evidence.
What is exculpatory evidence? What obligation(s) would you have regarding it?
Exculpatory evidence is evidence that is favorable to the defendant and would probably prove their innocence. You are obliged to bring it forward in court so an innocent person doesn't go to prison. *UNGRADED*
Based on the order of volatility, data in cache should be collected after data from the drive since the drive is larger and contains potentially more evidence.
False
By definition, digital evidence refers only to data that is stored.
False
Cell phones that are powered on should be placed in a plastic or paper evidence bag just like other types of digital evidence.
False
Cloning should always be done on the scene to safeguard the evidence.
False
Complexity in your testimony and slides is critical in the age of the "CSI Effect" if your testimony is to be deemed credible by the jury.
False
Data in volatile storage can be recovered if the attempt is made within 10 min of power being removed.
False
Data on a USB drive is more volatile than data held in RAM.
False
Data stored on the hard drive is considered volatile.
False
Digital evidence can have either class or individual characteristics, but not both.
False
During an analysis of a suspect's machine, you find evidence of key logging software. In order to verify your findings you rerun the examination using the same tools to verify the result (you should get the same results as the first exam). This is an example of cross validation.
False
Experts are always great expert witnesses.
False
Experts are powerful witnesses. Once designated as such, they are free to give their unsubstantiated opinions.
False
From a practical standpoint, all crime scenes are created the same.
False
If you make a change to a running system, any evidence obtained from that system is compromised and therefore inadmissible.
False
In court, science always trumps legal judgement.
False
It is determined that an expert falsified parts of her CV. While not the best idea, this will likely be overlooked as long as her work was found to be 100% accurate.
False
It's best to pull the plug from any powered-on device.
False
It's not important for you to familiarize yourself with multiple operating systems and how to shut them down.
False
MAC times are always accurate and reliable.
False
Potential sources of digital evidence should never be left behind. This could lead to important evidence being missed. Therefore every source of potential evidence should be collected from every scene.
False
Preparation is a non-essential element of the forensic process.
False
States and federal courts utilize the same rules for designating a person as an expert. This keeps things uniform, increasing the efficiency of the system.
False
The MD5 algorithm output is a combination of 34 letters and numbers.
False
The forensic examination process heavily involves critical thinking.
False
The role of the expert witness is much like that of the attorney. They should advocate for one side or the other. It is then up to the judge or jury to determine how much weight to give their testimony.
False
There is only one acceptable way to properly document and handle a running computer.
False
When collecting digital evidence, we should never make a change to the system.
False
When forensically cleaning a hard drive, it's best to overwrite it with a totally random series of 1's and 0's. This ensures total destruction of any data that has been previously written.
False
You are working as a consultant in a civil case. As part of the case, you are collecting potential evidence from a business. During the evidence collection process, a system with critical data (accounting) is inadvertently destroyed. As a digital evidence professional, working in a legal capacity, you can never be held liable for data lost as a result of your actions.
False
You are working on a case as a digital forensics examiner involving the theft of intellectual property. During the forensic examination of the defendant's computer, incriminating evidence was found in the swap space. During trial, the plaintiff's attorney calls the female employee (member of the sales team) that possessed the defendant's laptop before it was issued to him. The primary focus of her direct examination was to determine if she had written the email that was recovered from the swap space. During cross examination, the defense attorney asks her "Is it possible that a third party had hacked the computer and was able to deposit the evidence without my client's knowledge or permission?" This question is legally permissible since she had care, custody, and control of the laptop prior to his client.
False
You have been retained to provide digital forensic services for the plaintiff in a civil action. You are at the defendant's place of business to collect digital evidence from three machines in the office. One of the machines belongs to the payroll clerk. You are looking for 7 specific files. The clerk's machine has three TB of storage. The clerk is currently processing the payroll (which is due tomorrow) for the 217 employees of the company. Based on sound forensic practices, you should simply take the entire machine. This is the best option in this scenario for preserving and collecting evidence.
False
There are two classifications of evidence characteristics. What are they?
Individual and Class characteristics.
_____________________ is the examination level that is typically done on scene in order to prioritize evidence sources.
Survey
List the type of info that should be included in your CV.
Information included in the CV should be anything you have done. Teaching, trainings, certificates, jobs, conferences, anything that is relevant to you or a position you want. *UNGRADED*
Contact between two items will result in an exchange. This is known as
Locard's Exchange Principle
What is Locard's Exchange Principle?
Locard's Exchange Principle states that any interaction between two objects involves a transfer of information.
What are the two types of memory?
Long term memory and short term (Working) memory.
The two most common hashing algorithms are
MD5 SHA1
The name of the Marshall mascot is......
Marco
List the four ways to document a crime scene.
The crime scene can be documented with photos, videos, notes, and drawings.
When you use a slide with lots of text when you testify, you're really forcing the jury to make a choice. Explain.
The jury can only listen OR read the slides. Using lots of text forces them to make a decision of whether to read off the slides or listen to you. *UNGRADED*
According to the text, what is one potential cause of a hash value mismatch between an original evidence drive and its bitstream image?
The text states that one potential cause can be if the bit stream is being copied from an SSD drive. This will result in mismatching hashes due to garbage collection.
List the three kinds of reconstructive analysis.
The three kinds of analysis are functional analysis, relational analysis, and temporal analysis.
Always best to save digital evidence to a forensically clean hard drive.
True
Always make two copies of digital evidence.
True
As an expert witness, one of the greatest services we can perform for the jury is filtering.
True
Attorneys often make speeches and phrase them as questions.
True
Bias has no place in forensic science.
True
Class evidence is largely circumstantial evidence.
True
Courts depend heavily on the trustworthiness of the expert witness to present information accurately.
True
Crime labs are found at all levels of government (city, county, state, and federal).
True
DNA forensics has had a major influence on forensic science as a whole.
True
Digital evidence is generally an abstraction of some digital object or event.
True
Documentation is a critical piece of the forensic process.
True
Even the appearance of bias must be avoided.
True
Everything that a computer does must go through the RAM before it is executed by the CPU.
True
If a computer is on, things are changing.
True
Ignoring irrelevant sources of evidence is an important part of the survey.
True
It is important for the computer forensic examiner to be able to adjust the focus of every examination to the specifics of that case.
True
One consideration to be made when collecting evidence from a running system is if the system is functioning properly.
True
Pulling the plug on a running computer is always the best solution from an investigative standpoint. This ensures that there can be no accusations from the opposing party that evidence was tainted at the crime scene.
True
Repeatability is a critical aspect of the scientific method.
True
Science from the classroom can help you in the courtroom.
True
Technology has exploded and diversified such that specializations have begun to emerge in computer/digital forensics.
True
The best expert witness is also a great teacher.
True
The decisions you make when evidence is collected can have a significant impact on the case going forward.
True
The first link in the chain of custody is the person that collects the evidence.
True
The general rule of thumb is 1 concept per slide.
True
The results of the forensic process should always be reproducible and accurate.
True
The role of the opposing attorney is to discredit you as an expert and make you appear incompetent to the jury.
True
To be considered "scientific," your process must involve the testing of a hypothesis.
True
To be considered "scientific," your results must be based on empirical /measurable data.
True
When collecting digital evidence, we should always attempt to minimize the changes made to the system.
True
When collecting the evidence, you should always label the items themselves as well as the bags they are stored in to keep track of the items.
True
When evidence is in your custody, you are 100% responsible for ensuring nothing happens to it.
True
When interacting with a running system, you should always minimize the number of clicks it takes you to perform a graceful shutdown of a computer.
True
When photographing evidence, you should always include a picture of any labels and identifying information (e.g. serial number, model numbers, make, etc.).
True
When rendering an opinion or conclusion, it's best to use a scale.
True
Whenever possible, you should always mark the evidence with your initials using a permanent marker.
True
You are always better off to minimize jargon and acronyms and maximize the use of everyday language.
True
You should always use the least intrusive method possible when interacting with potential evidence.
True
Upon discovery of computer equipment which appears to be switched off, you should do all EXCEPT:
Turn the computer on
Why should we collect volatile data?
We should collect volatile data because evidence can be in the volatile data. Volatile memory can contain applications, passwords, history, and other extremely useful items for investigators.
List three things you would document when collecting evidence.
We should document where it was found, who found it, and the state the evidence was found in.
When fingerprints and biological evidence exist on the evidential computers (i.e. keyboard and mouse), this is known as __________ forensics.
Wet
You are testifying in court. After your analysis, you are 100% confident that your conclusion is accurate. What is the appropriate C Scale level?
C6 - Certain
The six phases of the CFFTPM are: Planning, triage, usage/user profiles, email & IM, case specific evidence, and .........
Chronology/timeline
CV stands for _____ _____.
Curriculum Vitae
When surveying the scene for potential sources of digital evidence, which of the following could be easily excluded?
None of the Above
Choose the BEST match for each term or concept.
Open System: Computer
Communication System: Telephone
Embedded System: "Black box" in Mercedes
Authentication: Same
Integrity: No change
The first step in working with volatile data is:
Perform a risk assessment
Select the BEST match for each stage of the process.
Preparation: How much?
Survey: Sources
Documentation: Chain of Custody
Preservation: What kind of OS?
Examination and Analysis: 3 levels
Reconstruction: Timeline
Reporting Results: Audience
*5/7 points with these*
As an expert witness, we should always be trying to __________ a juror's cognitive load.
Reduce
Fill in the blanks in these case names: ______ v. Merrell ______ Pharmaceutical.
Daubert Dow
A SHA1 hash value has _________ bits.
160
How many things can your working memory hold (generally) at a time?
3-4
What is meant by a "graceful shutdown" of a computer?
A "graceful shutdown" is when the OS shuts down the computer and performs certain tasks before shutting down.
Why is it important to perform a "graceful shutdown" of a system?
A graceful shutdown properly closes file handles, closes open connections, and makes sure no data is lost during shutdown. *.5 points with this*
What is a metaphor?
A metaphor is a figure of speech used to refer to one thing by mentioning another. It is used to provide clarity and show similarities.
An important aspect of the scientific method is that our results must be able to be independently verified. This is known as
cross validation
Essentially, there are two kinds of witnesses. They are ______ witnesses and ______ witnesses.
fact expert
A computer that was purchased with a stolen credit card is considered to be a ___________ of the crime.
fruit
If the chain of custody is broken, it's possible that the evidence would be _________________ in court.
inadmissible
Digital evidence should be collected from the most volatile to the least volatile. This is known as the
order of volatility
Volatility is a measure of how _______________ the data is.
perishable
A ____________________ exam is one that's more than a cursory search on the scene yet less than a full detailed analysis.
preservation
Of all the resources available to the examiner, ______is usually in shortest supply.
time
_______________ memory is a temporary holding space for data.
volatile
A computer that is found at the scene is powered off. Prior to collection it's critical to turn the system on to ensure it's working.
False
A good explanation is easy to devise and deliver.
False
AFF and Unix dd are the "de facto" forensic file formats used today.
False
All items connected to a computer are seizable.
False
Alternative scenarios are never addressed in a final report as it's outside the scope of the examiner's responsibility.
False
As an expert witness, it's not important to be aware of and manage the working memory of the jurors.
False
What is the optimal number of slides in a 60 minute presentation?
As many as it takes.
_____________ is the phase that is performed before you arrive at the scene.
Assessment
What is the most common method used to verify the integrity of digital evidence?
Hashing is the most common method used to verify digital evidence.
What is the accepted method used in digital forensics to verify that a particular piece of digital evidence (file, hard drive, etc.) has not been altered?
Hashing the original, and then hashing after it has been examined. If it has been modified, the hashes will be different.
List three pieces of information that you would like to have before you arrive at a scene to collect or interact with potential digital evidence.
I would like to know where the scene is located. I would also like to know what kind of place it is in, such as house or industrial building. I would also like to know what the crime was. Thirdly, I would also like to know how big the crime scene is. Is it a room? Whole building? Business? This information can help drastically in the preparation phase and doesn't disclose any information that could lead to possible bias.
It's not possible to authenticate all forms of digital evidence.
True
Working memory is analogous to....
RAM
According to the ACPO guide, what is the first step in collecting a mobile device?
Section 1.1 of the ACPO guide states that the first step in collecting any evidence, including mobile, is to take control of the area the evidence is in. This includes not allowing others to interact with it and making sure proper perimeters are created. *WRONG* *UNGRADED*
Ultimately, it's up to the ______ if you are permitted to testify as an expert witness.
judge
Prior knowledge possessed by a juror isn't important and as such, isn't something to be concerned about by an expert witness. Agree or disagree? Why or why not? Provide an example.
Agree. A single jury member may have previous knowledge but another may not. Therefore, you must explain it to all of them as if all of them know nothing about the subject. *UNGRADED*
What does "A" in SALUTE stand for?
Activity
As an expert, you should not expect subtle and overt pressure to render an opinion that is favorable to one side or the other. All parties should be aware of your duty to remain neutral.
False
Which method is NOT commonly used to record the location of digital evidence at a crime scene?
Geographical Positioning System
Which of the following is NOT part of a final report?
NOT "Glossary of Terms" NOT "Conclusions" NOT "Evidence Summary"
What is the C Scale value for "Somewhat Certain?"
NOT C0 NOT C3 NOT C4 NOT C5 NOT C6
A detailed, well-written report can convince the opposing party to settle the case or plead guilty. A poor, sloppy report may embolden them.
True
If the chain of custody is broken, what significant legal consequence could be imposed by the court?
Breaking the chain of custody could lead to the evidence being dismissed in court.
What is the C Scale value for "Erroneous/Incorrect?"
C0
What is cognitive load?
Cognitive load is the total working memory of the brain. It can be likened to RAM, only able to hold so much at one time. *Ungraded*
Which is the most accurate description of our discipline?
Digital Forensics
"Preserve everything but change nothing" is a bedrock principle of forensic science that must be strictly followed at all times.
False
Forensic examination and forensic analysis are synonymous.
False
Generally speaking, class characteristics are unique.
False
Photographs of the evidence should only be taken after it has been properly marked and collected.
False
Testifying effectively is generally the same as solving a technical problem.
False
The "copy & paste" functionality found in a Windows computer is synonymous with a forensic clone or bit stream image.
False
The MD5 hash value of a particular evidence document is 042c 7d4a 8364 3e54 6851 9cd8 3673 c128. This is an example of a class characteristic.
False
The courts have ruled that in order to be forensically sound, there can be no changes made to the target system as part and parcel of the acquisition process.
False
The final report is written with an expert style using just technical terms. This report is written for another digital forensics practitioner.
False
The first photos you take of an evidence item should include the markers. This ensures that evidence items are not mistakenly identified.
False
There are certain situations where there is a low probability that a case will go to court. In these instances time and effort should not be wasted following strict forensically sound protocols since the case will never be adjudicated.
False
To be forensically sound, a method of preservation and collection must never alter the evidence in any way.
False
To be qualified as an expert witness, you must show evidence of advanced degrees, certifications, and/or training.
False
Unix dd computes a checksum on partial pieces of evidence.
False
You are conducting an examination and analysis on digital evidence relating to the theft of company data. You have located an Excel spreadsheet on the suspect's laptop containing a list of current clients, account numbers, etc. The SHA1 hash value for this file is just one class characteristic that you can use to positively identify the file as belonging to the victim corporation. This is excellent evidence that can be used to show that this specific file was located on the company's network and is now on the suspect's personal computer.
False
You are looking for a specific Word document on a suspect's hard drive. In this example, the file extension .docx would be an example of an individual characteristic.
False
You encounter a running computer during your survey of the scene. The best course of action in this situation is to simply pull the plug from the wall. This ensures there can be no claim that the evidence was somehow compromised while you interacted with the machine.
False
Evidence with individual characteristics is stronger than evidence with other characteristics. Why?
It makes it unique and can therefore be used as major proof of an accusation.
A computer that is infected by a virus or otherwise impaired by the criminal act is considered to be the __________ of a crime.
NOT fruit
A computer that is stolen is considered to be the _________ of a crime.
NOT fruits
"Explaining science with science." A good strategy as an expert? Why or why not?
No, you should explain science with basic terms the average person would understand. You want to help them understand the science, not confuse them with even more science they don't know.
What is the name of the American Academy of Forensic Science section that focuses on evidence in digital format?
The AAFS has named it Digital & Multimedia Sciences.
What is the chain of custody and where does it begin?
The chain of custody is a log of all who have handled, found, or interacted with a piece of evidence. It begins as soon as the evidence is found.
What are the five issues that must be considered when determining whether or not evidence will be admitted?
The first and foremost is whether the evidence was obtained outside a proper search warrant. Second, it can be excluded if it was obtained illegally by law enforcement (this is known as fruit of the poisonous tree). Thirdly, evidence may not be admitted if the judge thinks it has no significant impact on the case. Fourth, it can be excluded if it is thought to be inaccurate or obtained through unreliable methods. And fifthly, it may not be admitted if it is from a witness and the witness is not trustworthy.
What is the goal of the survey?
The goal of the survey is to gather information about the scene and begin making a plan of action while searching for possible sources of evidence.
The Daubert case prescribed a two-prong test. What are those two prongs?
The two prongs are described as relevancy and reliability.
___________ is a process in which things are ranked in terms of importance or priority.
Triage
"If you didn't write it down, it didn't happen."
True
A hash value can be likened to a "digital fingerprint" or "digital dna."
True
Bias can come in different forms. It can be conscious or subconscious.
True
Encryption software could be one example of contraband.
True
In regard to the Explanation Continuum, there is a real risk in trying to move the jurors too far to the right, from a position of less understanding to more understanding.
True
In the context of comparison, a hash value can be compared to DNA based on its unique nature.
True
It is important to know as much as possible about the scene and the digital evidence to be collected before you actually arrive at the location.
True
Multi-tasking is really a myth.
True
One effective way to explain the hashing process and its output is to liken it to a "digital fingerprint." This is to emphasize the near uniqueness of the hash value.
True
The MD5 output is actually a 16 character hexadecimal value with each byte represented by a pair of letters and numbers.
True
To verify the validity of a result or finding, you should use a different validated tool. The results should be the same.
True
Science from the classroom can help you be a more effective expert witness. Why or why not?
You can apply the techniques of learning and how people learn better to the courtroom. In court, you are essentially the teacher. You will teach the jury the top level basic view of techniques and methods. In order to teach them effectively, it is best to apply techniques teachers use in the classroom. Visual aids, repeating things, basic language, and good clear logical thoughts are great things from the classroom that can be used in the court as well.
The book identifies three different types of computer systems. A land line used to call from one city to another would be an example of a(n) __________________ system.
communication
The book identifies three different types of computer systems. An Internet of Things (IoT) device designed to monitor the level of carbon monoxide in a specific room, would be an example of a(n) __________________ system.
embedded
The book identifies three different types of computer systems. A Macbook Pro running OS X 10.11.6 would be an example of a(n) __________________ system.
open