Computer forensics - 2nd half - quiz 13, Computer forensics - 2nd half - quiz 14, computer forensics - 2nd half - chapter 15, computer forensics - 2nd half - quiz 16, CH 16 Ethics for the Expert Witness
What Unicode value is used to identify the Latin alphabet?
0x00
On NTFS drives, Unicode values are how many bits in length?
16 bits
Which of the following options would represent a valid retainer?
2 to 8 hours of your usual billable rate
FRE ___________ describes whether the expert is qualified and whether the expert opinion can be helpful.
702
FRE ________ describes whether basis for the testimony is adequate.
703
Currently, expert witnesses testify in more than __________ percent of trials.
80
The ________ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients.
ABA
_______ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities.
APA's Ethics Code
For psychologists, the most broadly accepted set of guidelines governing their conduct as experts is the __________________ (APA's) Ethical Principles of Psychologists and Code of Conduct.
American Physiological Association
The ISFCE offers a ______________ certification and includes ethical standards for examiners holding this certification.
CCE
External rules that often have the effect of law in limiting professionals' actions; breach of these rules can result in discipline, including suspension or loss of a license to practice and civil and criminal liability.
Codes of professional conduct or responsibility
Payments that depend on the content of the expert's testimony or the outcome of the case.
Contingency fees
One of the effects of violating court rules or laws.
Disqualification
Help you maintain your self-respect and the respect of your profession.
Ethics
Expert opinions cannot be presented without stating the underlying factual basis.
False
The American Bar Association (ABA) is a licensing body.
False
Prescribe the methods by which experts appear at trial.
Federal Rules of Evidence
An organization that provides a detailed Code of Ethics of Professional Standards Conduct for its members.
HTCIA
Provides a well-defined, simple guide for expected behavior of computer forensics examiners.
IACIS
A type of witness that is expected to present unbiased, specialized, and technical evidence to a jury.
ISFCE
An organization that provides guidelines for its members in the form of a Code of Ethics on how they are expected to perform their duties as forensics examiners.
ISFCE
Experts should be paid in full for all previous work and for the anticipated time required for testimony.
True
In the United States, there's no state or national licensing body for computer forensics examiners.
True
People need ethics to help maintain their balance, especially in difficult and contentious situations.
True
On NTFS, a 16-bit value, the first 8 bits of which are the character values and the remaining 8 bits of which identify the language.
Unicode
In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous contact with an opposing party?
Wang Laboratories, Inc. v. Toshiba Corp
A ??? is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities a. court order b. temporary restraining order c. warrant d. subpoena
a
A consultant who doesn't testify can earn a ____________________ for locating testifying experts or investigative leads. a. contingency fee b. retainer c. stake in a case d. reprimand
a
A report can provide justification for collecting more evidence and be used at a probable cause hearing. a. true b. false
a
As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers. a. true b. false
a
As an expert witness, you have opinions about what you have found or observed. a. true b. false
a
Discuss any potential problems with your attorney ____ a deposition. a. before b. after c. during d. during direct examination at
a
Experts should be paid in full for all previous work and for the anticipated time required for testimony. a. true b. false
a
FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful. a. 702 b. 703 c. 704 d. 705
a
In the United States, there's no state or national licensing body for computer forensics examiners. a. true b. false
a
Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise. a. true b. false
a
People need ethics to help maintain their balance, especially in difficult and contentious situations. a. true b. false
a
Specially trained system and network administrators are often a CSP's first responders. a. true b. false
a
Technical terms, if included in a report, should be defined in ordinary language such that lawyers, judges, and jurors can understand them. a. true b. false
a
Validate your tools and verify your evidence with ____ to ensure its integrity. a. hashing algorithms b. watermarks c. steganography d. digital certificates
a
When cases go to trial, you as a forensics examiner can play one of ____ roles. a. 2 b. 3 c. 4 d. 5
a
When you give ____ testimony, you present this evidence and explain what it is and how it was obtained. a. technical/scientific b. expert c. lay witness d. deposition
a
Which of the following options would represent a valid retainer? a. 2 to 8 hours of your usual billable rate b. a verbal agreement c. complete discussion of an ongoing case d. dissemination of evidence
a
You provide ____ testimony when you answer questions from the attorney who hired you. a. direct b. cross c. examination d. rebuttal
a
____ from both plaintiff and defense is an optional phase of the trial. Generally, it's allowed to cover an issue raised during cross-examination. a. rebuttal b. plaintiff c. closing arguments d. opening statements
a
__________________ means the tone of language you use to address the reader. a. Style b. Format c. Outline d. Prose
a
An expert's opinion is governed by ________________ and the corresponding rule in many states. a. FRE, Rule 705 b. FRE, Rule 507 c. FRCP 26 d. FRCP 62
a
When using the PassMark software to find forensic information in e-mails, messages that appear to be suspicious should be flagged __________. a. yellow b. green c. red d. orange
a
A ??? is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed through the application's Web interface a. configuration manager b. management plane c. backdoor d. programming language
b
An ___________________ is a document that serves as a guideline for knowing what questions to expect when you're testifying. a. testimony procedure b. examination plan c. planned questionnaire d. testimony excerpt
b
An expert's opinion is governed by FRCP, Rule 26, and the corresponding rule in many states. a. true b. false
b
At what offset is a prefetch file's create date & time located a. 0x88 b. 0x80 c. 0x98 d. 0x90
b
Currently, expert witnesses testify in more than __ percent of trials. a. 55 b. 80 c. 92 d. 78
b
Expert opinions cannot be presented without stating the underlying factual basis. a. true b. false
b
Expert witnesses are not required to submit a written report for civil cases. a. true b. false
b
For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you're constantly enhancing your skills through training, teaching, and experience. a. testimony b. CV c. examination plan d. deposition
b
Generally, the best approach your attorney can take in direct examination is to ask you ____ questions and let you give your testimony. a. setup b. open-ended c. compound d. rapid-fire
b
How you format _____________ is less important than being consistent in applying formatting. a. words b. text c. paragraphs d. sections
b
If a preliminary report is written, destroying the preliminary report after the final report is complete could be considered ______________. a. proper data security b. spoliation c. beneficial d. necessary
b
If a report is long and complex, you should include a(n) _____________. a. appendix b. abstract c. glossary d. table of contents
b
If your CV is more than ____ months old, you probably need to update it to reflect new cases and additional training. a. 2 b. 3 c. 4 d. 5
b
Lawyers may request _________________ of previous testimony by their own potential experts to ensure that the experts haven't previously testified to a contrary position. a. warrants b. transcripts c. subpoenas d. evidence
b
Like a job resume, your CV should be geared for a specific trial. a. true b. false
b
People who fear having their ______________ acts revealed feel as though they must protest the ________________ acts of others being revealed. a. legal b. improper c. secret d. public
b
The ??? tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack a. Openforensics b. FROST c. WinHex d. ARC
b
The American Bar Association (ABA) is a licensing body. a. true b. false
b
The Google drive file ??? contains a detailed list of a user's cloud transactions a. loggedtransactions.log b. sync_log.log c. transact_user.db d. history.db
b
The ____ is the most important part of testimony at a trial. a. cross-examination b. direct examination c. rebuttal d. motions in limine
b
The ________________ section of a report starts by referring to the report's purpose, states the main points, draws conclusions, and possibly renders an opinion. a. body b. conclusion c. appendix d. reference
b
The purpose of requesting the ________________ is to deter attorneys from communicating with you solely for the purpose of disqualifying you. a. case b. retainer c. juror list d. evidence
b
The report generator in ProDiscover defaults to ______________________, which can be opened by most word processors. a. HyperText Markup Language (HTML) b. Rich Text Format (RTF) c. Extensible Markup Language (XML) d. Microsoft Word document format
b
There are two types of depositions: ____ and testimony preservation. a. examination b. discovery c. direct d. rebuttal
b
Where is the snapshot database created by Google Drive located in Windows a. C:/Program Files/Google/Drive b. C:/Users/username/AppData/Local//Google/Drive c. C:/Users/username/Google/Google drive d. C:/Google/drive
b
Which of the following is not a valid source for cloud forensics training a. SANS Cloud Forensics with F-Response b. A+ Security c. INFOSEC Institute d. (ISC)2 Certified Cyber Forensics Professional
b
You should create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your report. a. true b. false
b
____ questions can give you the factual structure to support and defend your opinion. a. rapid-fire b. hypothetical c. setup d. compound
b
Before allowing an attorney to describe any case details, determine who the parties are to reduce the possibility of a _______________. a. collaboration b. conflict c. mistrial d. contradiction
b
In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous contact with an opposing party? a. Tidemann v. Toshiba Corp b. Wang Laboratories, Inc v. Toshiba Corp c. Tidemann v. Nadler Golf Car Sales, Inc d. Hewlett-Packard v. EMC Corp
b
Attorneys search ____ for information on expert witnesses. a. cross-examination banks b. examination banks c. deposition banks d. disqualification banks
c
How many words should be in the abstract of a report? a. 50 to 100 words b. 100 to 150 words c. 150 to 299 words d. 200 to 250 words
c
Leading questions such as "Isn't it true that forensics experts always destroy their handwritten notes?" are referred to as ____ questions. a. hypothetical b. attorney c. setup d. nested
c
Regarding a trial, the term ____ means rejecting potential jurors. a. voir dire b. rebuttal c. strikes d. venireman
c
Sometimes opposing attorneys ask several questions inside one question; this practice is called a ____ question. a. leading b. hypothetical c. compound d. rapid-fire
c
The ??? Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system a. read_filejournal b. filetx.log c. filecache.dbx d. filecache.dll
c
The ??? is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy agreements, security measures, questionnaires, and more a. OpenStack Framework Alliance b. vCloud Security Advisory Panel c. Cloud Security Alliance d. Cloud Architecture Group
c
The most important laws applying to attorneys and witnesses are the ____. a. professional ethics b. rules of ethics c. rules of evidence d. professional codes of conduct
c
The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery; the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in which it belongs", was established in what court case? a. Daubert v. Merrell Dow Pharmaceuticals, Inc b. Smith v. United States c. Frye v. United States d. Dillon v. United States
c
What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing a. Amazon EC2 b. IBM Cloud c. Salesforce d. HP Helion
c
What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds a. HP Helion b. Amazon EC2 c. XenServer and XenCenter Windows Management Console d. Cisco Cloud Computing
c
When writing a report, group related ideas and sentences into ___________________. a. chapters b. sections c. paragraphs d. separate reports
c
Which is not a valid method of deployment for a cloud a. community b. public c. targeted d. private
c
Which of the following is NOT a service level for the cloud a. Platform as a service b. Infrastructure as a service c. Virtualization as a service d. Software as a service
c
_______________ is the process of opposing attorneys seeking information from each other. a. Subpoena b. Warranting c. Discovery d. Digging
c
A report using the _________________ system divides material into sections and restarts numbering with each main section. a. numerically ordered b. hierarchical c. decimal numbering d. number formatted
c
In addition to opinions and exhibits, the ______________ must specify fees paid for the expert's services and list all other civil or criminal cases in which the expert has testified. a. verbal report b. informal report c. written report d. preliminary report
c
The _________________ numbering system is often used in legal pleadings. Each Roman numeral represents a major aspect of the report, and each Arabic numeral is an important piece of supporting information. a. decimal b. ordered-sequential c. legal-sequential d. reverse-order
c
What are the first 8 bits of a Unicode value used for?
character hexadecimal values
Before allowing an attorney to describe any case details, determine who the parties are to reduce the possibility of a ____________.
conflict
Some attorneys contact many experts as a ploy to disqualify them or prevent opposing counsel from hiring them; this practice is called "_____________"
conflicting out
A consultant who doesn't testify can earn a ___________ for locating testifying experts or investigative leads.
contingency leads
A ____ differs from a trial testimony because there is no jury or judge. a. rebuttal b. plaintiff c. civil case d. deposition
d
As with any research paper, write the ___________________ last. a. appendix b. body c. acknowledgements d. abstract
d
Computer forensics examiners have two roles: fact witness and ____ witness. a. professional b. direct c. discovery d. expert
d
FRE ____ describes whether basis for the testimony is adequate. a. 700 b. 701 c. 702 d. 703
d
If a microphone is present during your testimony, place it ____ to eight inches from you. a. 3 b. 4 c. 5 d. 6
d
In a prefetch file, the application's last access date and time are at offset ??? a. 0x80 b. 0x88 c. 0xD4 d. 0x90
d
Jurors typically average just over ____ years of education and an eighth-grade reading level. a. 9 b. 10 c. 11 d. 12
d
Metadata in a prefetch file contains an application's ??? times in UTC format and a counter of how many times the application has run since the prefetch file was created a. startup / access b. log event c. ACL d. MAC
d
Select the folder below that is most likely to contain Dropbox files for a specific user a. C:/User/username/AppData/Dropbox b. C:/Dropbos c. C:/Users/Dropbox d. C:/Users/username/Dropbox
d
The ____ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients. a. HTCIA b. IACIS c. ISFCE d. ABA
d
To reduce the time it takes to start applications, Microsoft has created ??? files, which contain the DLL pathnames and metadata used by application a. temp b. cache c. config d. prefetch
d
What information below is not something recorded in Google Drive's snapshot.db file a. modified and created times b. URL pathnames c. file access records d. file SHA values and sizes
d
What rule of the Federal Rules of Civil Procedure requires that parties who anticipate calling an expert witness to testify must provide a copy of the expert's written report that includes all opinions, the basis for the opinions, and the information considered in coming to those opinions? a. rule 24 b. rule 35 c. rule 36 d. rule 26
d
Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider a. search warrants b. subpoenas c. court orders d. seizure order
d
Which type of report typically takes place in an attorney's office? a. Examination Plan b. Written Report c. Preliminary Report d. Verbal Report
d
With cloud systems running in a virtual environment, ??? can give you valuable information before, during, and after an incident a. carving b. live acquisition c. RAM d. snapshot
d
___ is an attempt by opposing attorneys to prevent you from serving on an important case. a. conflict of interest b. warrant c. deposition d. conflicting out
d
____ evidence is evidence that exonerates or diminishes the defendant's liability. a. rebuttal b. plaintiff c. inculpatory d. exculpatory
d
____ is a written list of objections to certain testimony or exhibits. a. defendant b. empanelling the jury c. plaintiff d. motion in limine
d
____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities. a. AMA's law b. ABA's model rule c. ABA's model codes d. APA's ethics code
d
Attorneys search _____ for information on expert witnesses.
deposition banks
____________________ are the rules you internalize and use to measure your performance.
ethics
Computer forensics examiners have two roles: fact witness and _______ witness.
expert
A search warrant can be used in any kind of case, either civil or criminal T/F
false
The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect. T/F
false
___________ questions can give you the factual structure to support and defend your opinion.
hypothetical
People who fear having their ________________ acts revealed feel as though they must protest the ______________ acts of others being revealed.
improper
What do the last 8 bits of a Unicode value represent?
language identification
When converting plain text to hexadecimal for use with ProDiscover, you need to place ______________ between each character's hex values.
null (FF) values
The purpose of requesting the ____________ is to deter attorneys from communicating with you solely for the purpose of disqualifying you.
retainer
_________________ are standards that others apply to you or that you are compelled to adhere to by external forces, such as licensing bodies.
rules of conduct
The most important laws applying to attorneys and witnesses are the _____________.
rules of evidence
In the United States, the Electronic Communications Privacy Act (ECPA) describes 5 mechanisms the government can use to get electronic information from a provider T/F
true
Specially trained system and network administrators are often a CSP's first responders T/F
true
The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET) T/F
true