Final for cj 500
In order to pass the written exam for the GCFE certification you must obtain a final score of ________ or higher.
%71
What fraction of the membership of Congress is required to pass a Constitutional amendment?
2/3
There are currently ________ amendments to the Constitution.
27
A 32-bit operating system is capable of supporting up to ________ gigabytes of RAM
4
How many memory channels can a quad core processor support?
4
In the Electronic Discovery Reference Model, there are ________ individual steps listed
9
According to surveys conducted as much as ten years ago, nearly ________ of all information produced by a large organization never gets printed.
95%
All facilities that use computers know that operating systems and applications require frequent patches and upgrades. Which of the following is essential to a good forensics facility?
A documented change control program that records every patch or upgrade performed, along with the time and date
During which phase of an investigation do you make your first entries into a chain of custody log?
Acquisition
Before a judge will enter any exhibit as evidence, whether that evidence be physical or documentary, she will first determine whether or not the evidence is ________
Admissible
Computer scientists break the movement of information from raw electrical voltage changes to humanly readable information as a series of abstraction layers. Which of the following is one of these abstraction layers?
All of the above
From the following list of possible stakeholders, identify only those who would be involved in e-discovery during a lawsuit between a large financial institution and a group of investors
All of the above
Under which circumstances may a student's private information be released?
All of the above qualify.
Which of the following is considered an example of probable cause?
All of the above.
As a digital forensic investigator, which of the following statements define a valid piece of evidence?
All of the other answers are correct.
What is the best definition of privileged information?
Any documents or other material evidence that, while otherwise defined by a discovery motion, may be withheld from evidence due to the nature of the material.
What does the term forensics actually mean?
Belonging to or usable in a a court of judicature or a public debate
There are three major factors to address when configuring a forensic workstation. Which of the following is actually not one of those factors?
Capacitity
During which phase of the Electronic Discovery Reference Model would one begin to identify the search strings to be used in digging out the requested documents?
Collection
There are four attributes of a good tool that can be used to calculate its usability as a tool. Which of the following is not one of those attributes?
Cost
The FRCP is a set of rules that is relevant to which type of investigation?
Criminal
In order to pass the scrutiny of a judge a tool must pass four separate tests that provide a measure of the scientific validity of the results. These tests are part of the ________ process.
Daubert
The Digital Forensics Certified Practitioner certification is administered by ________.
Digital Forensics Certification Board
FREDDIE is a forensic workstation available from which of the following companies?
Digital Intelligence
Memory is often called DDR, DDR2 and DDR3. What does DDR stand for and what do the numbers after it mean?
Double Data Rate SDRAM
A witness for the prosecution is introducing a tape recording that clearly implicates the person on trial in a crime. While the information is factual and accurate, and there is no doubt about where the recording came from, it is highly prejudicial to the suspect. On what grounds can the counsel for the defense get this evidence removed?
Due to its prejudicial nature, the evidence is determined by the judge to be incompetent.
The process of determining, locating, and presenting electronic documentation as evidence for a trial is called
E-Discovery
There were two subsets of the Electronic Communications Privacy Act that covered stored communications. These were ________ and ________.
Electronic Communications Services Remote Computing Services
You suspect that there are a number of deleted files that can still be salvaged in the unallocated space of a drive image. During which phase of the investigation would you use a data carving utility?
Examination
If evidence is collected against a suspect in a criminal case and it is found to have been collected in violation of the suspect's Constitutional rights, that evidence will be disallowed under the ________.
Exclusionary Rule
Which of the following forensic workstations is designed as a somewhat portable device?
FREDDIE
Which of the following acts was passed first?
Fair Credit Reporting Act
Because yours is a private forensics division dedicated exclusively to the use of your organization, there is no real requirement to maintain a chain of custody for the items you confiscate for examination.
False
Collecting exculpatory evidence is exclusively the responsibility of the defense counsel.
False
Drug dealers meet in the middle of a pasture to do a drug deal. They chose this place because it is in the middle of nowhere and nobody can easily overhear what they say. Federal agents use specialized equipment to record and video their actions. The drug dealers can have those tapes dismissed as evidence because they invaded their privacy.
False
Evidence uncovered during an illegal search will be dismissed as a result of the exculpatory rule.
False
Graham-Leach-Bliley actually does not impact the work of a digital investigator in any way.
False
It is critical that every new patch released by a software developer be immediately installed.
False
Once a warrant has been legally issued by a court, it can be executed at the investigating officer's leisure.
False
Only the Supreme Court can modify the Constitution
False
Prior to becoming a qualified digital forensic investigator, a person must prove their ability as a computer scientist.
False
The Third Amendment is the portion of the Bill of Rights that addresses a citizen's right to privacy
False
The Wiretap Act originally passed as a method of controlling data moving over a network, but was subsequently revised to include telephone communications
False
The most commonly seen expansion slot in most current system boards is the PCI-X slot
False
Under The Privacy Act, if any citizen requests access to their records, the agency storing those records has no option but to provide those records.
False
You are working on a criminal case in which a spreadsheet found on the computer system indicates that the victim transferred money to the suspect just days before the crime was committed. You provide a hard copy of the spreadsheet, printed in landscape format, along with the digital file. The judge is most likely going to reject one or the other as evidence because they represent duplicate items
False
You arrive on the scene of an investigation. The computer sitting on the suspect's desk is turned off, but the monitor is on. The proper procedure in this situation is to turn the computer on to make sure it is functional before seizing it as evidence
False
When transporting a cellular telephone as evidence you want to prevent anyone from making contact with the device. In order to do that, you store the phone in a ________.
Faraday bag
There are three basic categories of information that an Internet service provider can collect regarding its customers. Which of the following is not one of those categories?
Financial Profile
What would be the only logical argument for not utilizing a free open-source suite of office productivity applications such as Open Office?
Formal support is not just a phone call away.
Which Constitutional amendment directly addresses the government's right to search a person's property
Fourth Amendment
Evidence found during an illegal search is known as ________.
Fruit of a poisonous tree
You are among the first onto a scene in which multiple computers are being seized. As a part of the festivities, you take a number of digital photographs and a video recording of the scene. What primary collection of documentation hosts these images and videos
General Case Documentation
As a digital investigator, it is critical that you make sure everything you present as evidence is authentic. Which two of the following are critical elements of that effort?
Good documentation An unbroken chain of custody
Which of the following pieces of recent legislation is a law that defines a person's right to privacy regarding the information a financial organization can maintain and disseminate?
Graham-Leach-Bliley
Collecting the legal authorizations to begin an investigation are part of the ________ stage of the model.
Identification/Assessment
What is the Context triggered piecewise hashing method used for?
Identifying near-duplicate files
Which of the following are examples of situations in which a person can expect privacy
In an enclosed telephone booth. Material that has been placed into opaque bags before thrown into the trash.
The Certified Digital Forensic Examiner certification is administered by ________.
Information Assurance Certification Review Board
Which of the following organizations offers the CCE Boot Camp Training program?
International Society of Forensic Computer Examiners
In Eoghan Casey's model of an investigation there are multiple steps. Which of these is not one of those steps?
Interrogation
You are working on an investigation and one of the pieces of evidence is a 4th Generation iPod Classic. It is black and has a 120GB capacity. On it are 6,240 songs. It has a cracked screen cover. Which of the following is an example of an individual characteristic?
It has 6,240 songs. It has a cracked screen cover.
As an experienced digital investigator, you have been called in to testify about the reliability of the tool that was used to extract a forensic image. In your testimony you explain that you tested the utility against several ________
Known data sets
Many years ago a scientist pointed out that everything a person or object touches is affected by that contact. And when departing the scene, the object will take a part of the scene with it. This idea was accepted a fact and became known as the ________.
Locard's Exchange Principle
Which of the following file types would be considered near-duplicates of one another?
Microsoft Word file of the original documentPDF Printout of the original document Edited version of the original document
Which of the following institutions maintains a program for testing digital forensic tools?
National Institute of Standards and Testing
Upon receiving word that a major client is filing suit against his company, a manager approaches the corporate legal department and has a long discussion. In the course of the conversation, the manager admits to having altered some records to edit out defamatory remarks. Unfortunately the editing occurred after the remarks were disseminated. Which of the following principles means that this information will never reach court?
None of the above. This information may be demanded by opposing counsel.
Which if the following is a factor for determining the legality of a search warrant
Particularity
In addition to the three software categories, software tools can be broken down into functional categories as well. A good toolkit will have a utility or application that will work on what four levels?
Physical media capture and analysis Data capture File system analysis Media management Memory capture and examination Application analysis Network capture and analysis
Two phrases in the Fourth Amendment that place limitations on the government's ability to acquire a search warrant are (select 2):
Probable Cause Against Unreasonable Searches
During which phase of the Electronic Discovery Reference Model would one begin to apply the predetermined search strings and start to bring the requested documents into a mutually accessible repository?
Search
Which of the following suites is an open-source set of utilities that is made available to the community at no charge?
Sleuthkit
Which of the following utilities can detect a file that has been configured as an alternate data fork to another file?
Streams
When selecting a suitable enclosure for a forensic workstation there are several factors to consider. Select some appropriate factors from the following list that are essential.
Sufficient drive bays Hot swap capability for some drive bays A decent number of slots for expansion cards
Microsoft provides a collection of free utilities for analyzing and troubleshooting problems specific to the Windows operating system. These utilities are part of the ________ suite.
Sysinternals
A records keeper for a local hospital is approached by law enforcement officials. One of them informs him that they are searching for a suspect in a homicide and that they have reason to believe that person was recently examined by that institution. They are asking for specific information regarding distinguishing characteristics, such as scars or birthmarks. They also want to know the person's date of birth. Which of the following actions are appropriate?
Tell them to go away until they have a court-issued warrant or subpoena. Provide this information without the need for a warrant. This information may be provided as long as the scar or birthmark being described is one that is generally visible when the suspect is seen in public.
Criminal cases have more stringent evidence-gathering requirements because ____________
The Constitution protects the rights of citizens being tried in criminal proceedings.
If a person is forced, against their will, by a government official to reveal a password, that person may be able to claim that their Constitutional rights, as defined by ________, have been violated
The Fifth Amendment
Every change that is made to a hard disk leaves behind artifacts of that change. Erased data leaves behind file system artifacts even if the data is overwritten on the disk. Electrical charges are altered...metadata is changed. All of these examples are evidence of ________ at work.
The Locard's Exchange Principle
You were the arresting officer in a child pornography sting. You were acting on probable cause and did not enter the premises with a search warrant. In the course of the arrest, you confiscate an unregistered handgun and a computer. Since this search was accomplished in the course of an arrest, you go ahead and look through the files on the system. You find what you need to convict the guy on child pornography charges. Yet, when the dust clears, he skates on the CP and is only convicted on a firearms charge. Why was the gun legal evidence and not the computer?
The computers as containers test applies. You "opened" the container to view the files.
Defense counsel wants to challenge the admissibility of evidence based on the fact that the exhibit is not authentic. Which of the following conditions might convince the judge to honor this request?
The evidence is hearsay. Since the chain of custody was broken, the material lacks credibillty
When objecting the introduction of a particular piece of evidence, a defense attorney insisted that the exhibit was not material. What did he mean by that?
The evidence was not legally obtained.
Officers show up at the home of Ima Leevin. A woman answers the door and identifies herself as Ima and gives them permission to search the house. Drug paraphernalia is discovered. The REAL Ima shows up and is arrested. Her attempt to get the evidence dismissed as the result of an illegal search fails. Why is that?
The fake Ima had apparent authority to grant permission for the search.
What is the biggest difference between a computer scientist and a digital forensic investigator?
The investigator needs to know a little about many aspects of how computers work, whereas the computer scientist will know a whole lot about a specialized area of computer science.
Which of the following is not a piece of information that must be defined in the search warrant in order for it to be legal?
The names of each individual on the premises who is subject to the search
Which of the following is one of the tools on the court-approved lists issued by the Federal Judiciary?
There is no list of court-approved tools.
Any organization within the government can be held responsible if information they store about an individual is found to be incorrect
True
As an investigator you confiscate a computer as part of the execution of a legal warrant that specified you could search the house. Now in order to search the hard disk of that drive you will need an additional warrant
True
Just knowing that a corporation has invested in a dedicated facility for performing forensic investigations has an impact on the corporate culture.
True
The Bill of Rights, as defined in the Constitution, does not apply to citizens' interactions with one another
True
The Work Product Doctrine is a legally defined category of privileged information.
True
The fastest and most durable permanent storage mechanism is the solid state drive.
True
There is little or no reciprocity between states in regards to the licensing requirements for digital investigators.
True
The prosecution was trying to enter a document as evidence which would have a severely negative impact on the defense's case. The document was clearly related to the case at hand and was obviously obtained legally, morally, and ethically. Which of the following might be a circumstance that would force the judge to disallow the evidence without calling a lot of expert witnesses?
Under the conditions described, there's little chance of getting the evidence disallowed.
Which of the following is a way to write protect an I/O path when there is no hardware device available for the task?
Use the system BIOS to disable writing to that partcular port.
The legal document that allows a law enforcement official to enter a person's home and conduct a thorough search is called what
Warrant
Which of the following is an example of a write blocker that can be used to assure a forensically sound copy of a suspect drive?
Weibetech Ultradock
When would a search by a private individual be considered unconstitutional?
Whenever a government official approached the person doing the search and asked for their help in collecting evidence.
As the document management specialist for a large financial institution, several years ago you defined a specific set of rules for how long a variety of document types were to be kept by your organization. When the parameters are met for no longer keeping a specific document, your policy calls for that document to be securely wiped from all digital storage media and all hard copies of said document be shredded and turned over to a bonded third-party vendor for destruction. The formal nomenclature for this set of rules is ________.
document retention policy
After the initial cheery get-together between the lawyers on your side and the lawyers on their side, you've come to the agreement that a third-party web site will host a secure FTP site where all documents will be uploaded as they are found. This will give both sides the opportunity to view files as they become available instead of having 60 tons of documents dumped on them at once. This process is known as a(n) ________.
rolling review