Module 4 Quiz - Forensics

If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? A) Coordinate with the HAZMAT team. B) Determine a way to obtain the suspect's computer. C) Assume the suspect's computer is contaminated. D) Do not enter alone.

A) Coordinate with the HAZMAT team.

Which of the following techniques might be used in covert surveillance (Choose All That Apply)? A) Keylogging B) Data sniffing C) Network logs D) All of the above

A) Keylogging B) Data sniffing

Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? A) Most companies keep inventory databases of all hardware and software used. B) The investigator doesn't have to get a warrant. C) The investigator has to get a warrant. D) Users can load whatever they want on their machines.

A) Most companies keep inventory databases of all hardware and software used.

Commingling evidence means that sensitive or confidential information is being mixed with data collected as evidence. A) True B) False

A) True

If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. A) True B) False

A) True

Computer peripherals or attachments can contain DNA evidence. A) True B) False

A) True

What is the best approach to handling the expectation of privacy by employees in the event an investigation needs to be carried out on company-owned digital assets? A) Every employee has the right to privacy in the corporate environment, so no policies can be forced upon them. B) A well-defined published policy that clearly states that an employer has the right to examine, inspect or access company-owned assets. C) If an investigation needs to be carried out, simply have the employee sign a waiver form before it begins. D) No approach or planning is necessary - there is no right to privacy in the corporate environment.

B) A well-defined published policy that clearly states that an employer has the right to examine, inspect or access company-owned assets.

Which of the following are ideal examples of storage media? Choose two. A) VCRs B) CDs C) Floppy Disks D) Magnetic Tape

B) CDs D) Magnetic Tape

An initial-response field kit does not contain evidence bags. A) True B) False

B) False

Small companies rarely need investigators. A) True B) False

B) False

The plain view doctrine in computer searches is well-established law. A) True B) False

B) False

You should always answer questions from onlookers at a crime scene. A) True B) False

B) False

If you face an investigation where dangerous substances might be around, you may need to obtain which of the following? A) DANMAT certificate B) CHEMMAT certificate C) DANSUB certificate D) HAZMAT certificate

D) HAZMAT certificate

List two hashing algorithms commonly used for forensic purposes. A) MD5 and AES B) RSA and RC5 C) AES and SHA-2 D) MD5 and SHA-1

D) MD5 and SHA-1

When investigators find evidentiary items that aren't specified in a warrant or under probable cause, what type of doctrine applies? A) Clear view doctrine B) Fourth amendment doctrine C) Probable cause doctrine D) Plain view doctrine

D) Plain view doctrine

If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. A) True B) False

A) True

In forensic hashes, a collision occurs when two different files have the same hash value. A) True B) False

A) True

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. A) True B) False

A) True

You should videotape or sketch anything at a digital crime scene that might be of interest to the investigation. A) True B) False

A) True

As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? A) You begin to take orders from a police detective without a warrant or subpoena. B) Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. C) Your internal investigation begins. D) None of the above.

A) You begin to take orders from a police detective without a warrant or subpoena.

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you? A) Extensive-response kit B) Initial-response kit C) Lightweight kit D) Car crash kit

B) Initial-response kit

Hashing algorithms are used on evidence files to uphold the chain of custody in an investigation. Which of the following is NOT a hashing algorithm? A) MD5 B) SHA-1 C) DAT-1 D) SHA-256

C) DAT-1

What are the three rules for a forensic hash? A) Fast, reliable, and the hash value should be at least 2048 bits B) Produce collisions, should be at least 2048 bits, and it can't be predicted C) It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes D) It can be predicted, fast and reliable

C) It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes

When you arrive at the scene, why should you extract only those items you need to acquire evidence? A) To conceal trade secrets B) To preserve your physical security C) To speed up the acquisition process D) To minimize how much you have to keep track of at the scene

D) To minimize how much you have to keep track of at the scene

