Chapter 1: Review Questions


List three items that should be on an evidence custody form.

1. Case number
2. Investigating organization
3. Investigator's name
4. Nature of the case
5. Location where the evidence was obtained
6. Description of the evidence
7. Vendor's name
8. Model number or serial number
9. Who the evidence was recovered by
10. Date and time evidence was taken into custody
11. Evidence placed in which locker and when it was placed there
12. Item #/Evidence processed by/Disposition of evidence/Date/Time
13. Page #

List three items that should be in your case report.

1. What you did
2. What you found
3. Answer: Who, What, When, Where, How
4. Know your target reader and write for them
5. Provide an explanation for processes and how systems and their components work

The triad of computing security includes which of the following?
1. Detection, response, and monitoring
2. Vulnerability assessment, detection, and monitoring
3. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation
4. Vulnerability assessment, intrusion response, and monitoring

3. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation

Policies can address rules for which of the following?
1. When you can log on to a company network from home
2. The Internet sites you can or can't access
3. The amount of personal e-mail you can send
4. Any of the above

4. Any of the above

What are some ways to determine the resources needed for an investigation?

Based on the OS of the computer you're investigating, list the software you plan to use for the investigation, noting other software, tools, or expert assistance you might need.

Why should you critique your case after it's finished?

Because self-evaluation and peer review are essential parts of professional growth. When a case is complete, review it to identify successful decisions and actions and determine how you could have improved your performance.

You should always prove the allegations made by the person who hired you. True or False?

False. You must always maintain an unbiased perspective and be objective in your fact-finding.

Police in the United States must use procedures that adhere to which of the following?
1. Third Amendment
2. Fourth Amendment
3. First Amendment
4. None of the above

Fourth Amendment

What is professional conduct, and why is it important?

Professional conduct is the ethics, morals, and standards by which you conduct yourself and your business. It is important because it determines your credibility.

What are the necessary components of a search warrant?

The suspect's computer and its components.
1. It must be filed in good faith by a law enforcement officer
2. It must be based on reliable information showing probable cause to search
3. It must be issued by a neutral and detached magistrate
4. It must state specifically the place to be searched and the items to be seized

What's the purpose of maintaining a network of digital forensics specialists?

To supplement your knowledge and be able to get referrals and information when needed

What's the purpose of an affidavit?

To support facts about or evidence of a crime, in order to secure a warrant for seizure

List two types of digital investigations typically conducted in a business environment.

1. Employee termination cases
2. Internet abuse investigations
3. E-mail abuse investigations
4. Attorney-client privilege investigations
5. Industrial espionage investigations

Why should you do a standard risk assessment to prepare for an investigation?

Identifying the risks can help mitigate or minimize any foreseeable issues with the investigation.

What do you call a list of people who have had physical possession of the evidence?

The Chain of Custody

For digital evidence, an evidence bag is typically made of antistatic material. True or False?

True.

Digital forensics and data recovery refer to the same activities. True or False?

False.

Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?

False. Any information discovered before the memo is issued can be used in discovery by the opposition.

Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?

False. It's not until the private-sector investigator starts working at the direction of law enforcement that they are considered an agent of law enforcement.

List two items that should appear on a warning banner.

1. That the connection is restricted to authorized users
2. That the organization has a right to inspect and monitor computer and network usage

Why should evidence media be write-protected?

Because it maintains the quality and integrity of the evidence you're trying to preserve.

