Download NWIT 263 Midterm: Digital Forensics and Investigations (Chapters 1-4) and more Exams Forensics in PDF only on Docsity!
NWIT 263 Midterm (Chapters 1-4) 100% Verified
Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? a. Most companies keep inventory databases of all hardware and software used.
In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. True or False? True
If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False? True
As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? (Choose all that apply.) a. You begin to take orders from a police detective without a warrant or subpoena. b. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.
The plain view doctrine in computer searches is well-established law. True or False? False
We have an expert-written solution to this problem!
If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? (Choose all that apply.) a. Coordinate with the HAZMAT team. c. Assume the suspect's computer is contaminated.
What are the three rules for a forensic hash? It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes.
In forensic hashes, when does a collision occur? When two different files have the same hash value
List three items that should be in an initial-response field kit. Evidence labels, permanent ink marker, USB drives
When you arrive at the scene, why should you extract only those items you need to acquire evidence? To minimize how much you have to keep track of at the scene
Computer peripherals or attachments can contain DNA evidence. True or False? True
If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False? True
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you? Initial-response field kit
You should always answer questions from onlookers at a crime scene. True or False? False
What's the main goal of a static acquisition? Preservation of digital evidence
Name the three formats for digital forensics data acquisitions. Raw format, proprietary formats, and Advanced Forensic Format (AFF)
What are two advantages and disadvantages of the raw format? Advantages: faster data transfer speeds and ignores minor data errors Disadvantages: doesn't contain metadata and might not collect bad blocks.
List two features common with proprietary format acquisition files.
- Can compress or not compress the acquisition data
- Case metadata can be added to the acquisition file
Of all the proprietary formats, which one is the unofficial standard? Expert Witness
Name two commercial tools that can make a forensic sector-by-sector duplicate of a drive to a larger drive. EnCase and X-Ways Forensics
What does a logical acquisition collect for an investigation? only specific files of interest to the case
What does a sparse acquisition collect for an investigation? fragments of unallocated data and logical allocated data
What should you consider when determining which data acquisition method to use? Size of the drive, whether the drive is evidence, time the acquisition will take, and where the disk evidence is located
Why is it a good practice to make two images of a suspect drive in a critical
A program designed to create a binary number that represents the uniqueness of a piece of data
In the Linux dcfldd command, which three options are used for validating data? hash, hashlog, and vf
What's the maximum file size when writing data to a FAT32 drive? 2 GB
What are two concerns when acquiring data from a RAID server? Amount of data storage needed Type of RAID server
With remote acquisitions, what problems should you be aware of? (Choose all that apply.) a. Data transfer speeds b. Permission Access c. Antimalware and firewall programs
Which forensics tools can connect to a suspect's remote computer and run surreptitiously? EnCase Enterprise and ProDiscover Incident Response
EnCase, FTK, SMART, and iLookIX treat the image file as though it were the original disk. True or False? True
FTK Imager can acquire data in a drive's host protected area. True or False? False
An employer can be held liable for e-mail harassment. True or False? True
Building a business case can involve which of the following? d. All of the above
The ANAB mandates the procedures established for a digital forensics lab. True or False? False
The manager of a digital forensics lab is responsible for which of the following? (Choose all that apply.) a. Necessary changes in lab procedures/software b. Ensuring that staff members have enough training c. Knowing lab objectives
Large digital forensics labs should have at least ______ exits. two
Typically, a(n) ____________ lab has a separate storage area or room for evidence. regional
Digital forensics facilities always have windows. True or False? False
Evidence storage containers should have several master keys. True or False? False
A forensic workstation should always have a direct broadband connection to the Internet. True or False? False
We have an expert-written solution to this problem! Good information on safe storage containers can be found by which organization? NISPOM
Guidelines on how to operate a digital forensics lab can be found from which organization? ASCLD
What name refers to labs constructed to shield EMR emissions? TEMPEST
Digital forensics and data recovery refer to the same activities. True or False? False
Police in the United States must use procedures that adhere to which of the following? b. Fourth Amendment
The triad of computing security includes which of the following? -Threat assessment -Intrusion detection -Incident response -Digital investigation
What's the purpose of maintaining a network of digital forensics specialists? To develop a list of colleagues who specialize in areas different from your own specialties
What's the purpose of an affidavit? To provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant
A search warrant must specify who, what, when, and where — that is, specifics on place, time, items being searched for, and so forth — and include any supporting materials (affidavits and exhibits, for example). In addition, a search warrant must be signed by an impartial judicial officer. In many cases, a search warrant can limit the scope of what can be seized. What are the necessary components of a search warrant?
What are some ways to determine the resources needed for an investigation? Determine the OS of the suspect computer and list the software needed for the examination.
List three items that should be on an EVIDENCE CUSTODY FORM. Case number, nature of the case, description of the evidence
Why should you do a standard risk assessment to prepare for an investigation? To list problems that might happen when conducting an investigation
You should always prove the allegations made by the person who hired you. True or False?
False
For digital evidence, an evidence bag is typically made of antistatic material. True or False? True
Why should evidence media be write-protected? To make sure data isn't altered
List three items that should be in your CASE REPORT. A list of steps you took, a description of your findings, and log files generated from your analysis tools.
Why should you critique your case after it's finished? To improve your work
What do you call a list of people who have had physical possession of the evidence? Chain of custody
We have an expert-written solution to this problem! Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?
