Ch. 1 Flashcards

1
Q

Computer Forensics

A

The process of finding evidence related to a digital crime to find the culprits and initiate legal action against them.

2
Q

Forensic readiness refers to _____________.

A

an organization’s ability to make optimal use of digital evidence in a limited time period and with minimal investigation costs

3
Q

Computer Forensics Objectives

A
  • Identify, gather, and preserve the evidence of a cybercrime
  • Track and prosecute the perpetrators in a court of law
  • Interpret, document, and present the evidence such that it is admissible during prosecution
  • Estimate the potential impact of malicious activity on the victim and assess the intent of the perpetrator
  • Find vulnerabilities and security loopholes that help attackers
  • Understand the techniques and methods used by attackers to avert prosecution and overcome them
  • Recover deleted files, hidden files, and temporary data that can be used as evidence
  • Perform incident response (IR) to prevent further loss of intellectual property, finances, and reputation during an attack
  • Know the laws of various regions and areas, as digital crimes are widespread and remote
  • Know the process of handling multiple platforms, data types, and operating systems
  • Learn to identify and use the appropriate tools for forensic investigations
4
Q

Impact of Cybercrimes at the Organizational Level

A
  1. Loss of confidentiality, integrity and availability of information stored in organizational systems
  2. Theft of sensitive data
  3. Sudden disruption of business activities
  4. Loss of customer and stakeholder trust
  5. Substantial reputational damage
  6. Huge financial losses
  7. Penalties arising from the failure to comply with regulations
5
Q

Criminal Cases

A
  • Investigators must follow a set of standard forensic processes accepted by law in the respective jurisdiction
  • Investigators, under a court’s warrant, have the authority to forcibly seize computing devices
  • A formal investigation report is required
  • Law enforcement agencies are responsible for collecting and analyzing evidence
  • Punishments are harsh and include a fine, jail sentence, or both
  • Standard of proof needs to be very high
  • It is difficult to capture certain evidence, e.g. GPS device evidence
6
Q

Civil Cases

A
  • Investigators try to show the opposite party some proof to support the claims and induce settlement
  • Searches of devices are generally based on mutual understanding, which gives the opposite party a wider time window to hide the evidence
  • The initial reporting of the evidence is generally informal
  • The claimant is responsible for the collection and analysis of the evidence
  • Punishments include monetary compensation
  • Poorly documented or unknown chain-of-custody for evidence
  • Sometimes, evidence can be in third-party control
7
Q

User-Created Sources of Potential Evidence

A
  • Address books
  • Database files
  • Media (images, graphics, audio, video, etc.) files
  • Documents (text, spreadsheet, presentation, etc.) files
  • Internet bookmarks, favorites, etc.
8
Q

User-Protected Sources of Potential Evidence

A
  • Compressed files
  • Misnamed files
  • Encrypted files
  • Password-protected files
  • Hidden files
  • Steganography
9
Q

Computer-Created Sources of Potential Evidence

A
  • Backup files
  • Log files
  • Configuration files
  • Printer spool files
  • Cookies
  • Swap files
  • System files
  • History files
  • Temporary files
10
Q

Rules of Evidence

A
  1. Understandable - Evidence must be clear and understandable to the judges
  2. Admissible - Evidence must be related to the fact being proved
  3. Authentic - Evidence must be real and appropriately related to the incident
  4. Reliable - There must be no doubt about the authenticity or veracity of the evidence
  5. Complete - The evidence must prove the attacker’s actions or his/her innocence
11
Q

Best Evidence Rule

A

The court only allows the original evidence of a document, photograph, or recording at the trial and not a copy. However, the duplicate may be accepted as evidence, provided the court finds the party’s reasons for submitting the duplicate to be genuine.

12
Q

Federal Rules of Evidence Rule 101: Scope

A

These rules apply to proceedings in United States courts. The specific courts and proceedings to which the rules apply, along with exceptions, are set out in Rule 1101.

13
Q

Federal Rules of Evidence Rule 102: Purpose

A

These rules should be construed so as to administer every proceeding fairly, eliminate unjustifiable expense and delay, and promote the development of evidence law, to the end of ascertaining the truth and securing a just determination.

14
Q

Federal Rules of Evidence Rule 103: Rulings on Evidence

A

a. Preserving a claim of error
b. Not needing to renew an objection or offer of proof
c. Court’s statement about the ruling; directing an offer of proof
d. Preventing the jury from hearing inadmissible evidence
e. Taking Notice of Plain Error

15
Q

Federal Rules of Evidence Rule 104: Preliminary Questions

A
  • Questions of admissibility in general
  • Relevancy conditioned on a fact
  • Conducting a hearing so that the jury cannot hear it
  • Cross-examining a defendant in a criminal case
  • Evidence relevant to weight and credibility
16
Q

Federal Rules of Evidence Rule 105: Limited Admissibility

A

If the court admits evidence that is admissible against a party or for a purpose - but not against another party or for another purpose - the court, on timely request, must restrict the evidence to its proper scope and instruct the jury accordingly.

17
Q

Federal Rules of Evidence Rule 402: General Admissibility of Relevant Evidence

A

Relevant evidence is admissible unless any of the following provides otherwise:
- The United States Constitution;
- A federal statute;
- these rules; or
- other rules prescribed by the Supreme Court.
Irrelevant evidence is not admissible.

18
Q

Federal Rules of Evidence Rule 502: Attorney-Client Privilege and Work Product; Limitations on Waiver

A

a. Disclosure made in a federal proceeding or to a federal office or agency; scope of a waiver.
b. Inadvertent disclosure
c. Disclosure made in a state proceeding
d. Controlling effect of a court order
e. Controlling effect of a party agreement
f. Controlling effect of this rule

19
Q

Federal Rules of Evidence Rule 608: A Witness’s Character for Truthfulness or Untruthfulness

A

a. Reputation or opinion evidence.
b. Specific instances of conduct.

20
Q

Federal Rules of Evidence Rule 609: Impeachment by Evidence of a Criminal Conviction

A

a. In general. The following rules apply to attacking a witness’s character for truthfulness by evidence of criminal conviction:
1. for a crime that, in the convicting jurisdiction, was punishable by death or by imprisonment for more than one year, the evidence:
i. must be admitted, subject to Rule 403, in a civil case or in a criminal case in which the witness is not a defendant; and
ii. must be admitted in a criminal case in which the witness is a defendant, if the probative value of the evidence outweighs its prejudicial effect to that defendant; and
2. for any crime regardless of the punishment, the evidence must be admitted if the court can readily determine that establishing the elements of the crime required proving - or the witness’s admitting - a dishonest act or false statement.
b. Limit on using the evidence after 10 years.
c. Effect of a pardon, annulment, or certificate of rehabilitation.
d. Juvenile adjudications.
e. Pendency of an appeal.

21
Q

Federal Rules of Evidence Rule 614: Court’s Calling or Examining a Witness

A

a. Calling. The court may call a witness on its own or at a party’s request. Each party is entitled to cross-examine the witness.
b. Examining. The court may examine a witness regardless of who calls the witness.
c. Objections. A party may object to the court’s calling or examining a witness either at that time or at the next opportunity when the jury is not present.

22
Q

Federal Rules of Evidence Rule 701: Opinion Testimony by Lay Witnesses

A

If a witness is not testifying as an expert, testimony in the form of an opinion is limited to one that is:
a. rationally based on the witness’s perception;
b. helpful to clearly understanding the witness’s testimony or to determining a fact in issue; and
c. not based on scientific, technical, or other specialized knowledge within the scope of Rule 702.

23
Q

Federal Rules of Evidence Rule 705: Disclosing the Facts or Data Underlying an Expert’s Opinion

A

Unless the court orders otherwise, an expert may state an opinion - and give the reasons for it - without first testifying to the underlying facts or data. But the expert may be required to disclose those facts or data on cross-examination.

24
Q

Federal Rules of Evidence Rule 801: Definitions That Apply to This Article; Exclusions from Hearsay

A

“Hearsay” means a statement that
1. the declarant does not make while testifying at the current trial or hearing and
2. a party offers in evidence to prove the truth of the matter asserted in the statement.
Statements That Are Not Hearsay. A statement that meets the following conditions is not hearsay.
1. A Declarant-Witness’s Prior Statement. The declarant testifies and is subject to cross-examination about a prior statement, and the statement
A. is inconsistent with the declarant’s testimony and was given under penalty of perjury at a trial, hearing, or other proceeding or in a deposition;
B. is consistent with the declarant’s testimony and is offered:
i. to rebut an express or implied charge that the declarant recently fabricated it or acted from a recent improper influence or motive in so testifying; or
ii. to rehabilitate the declarant’s credibility as a witness when attacked on another ground; or
C. identifies a person as someone the declarant perceived earlier.
2. An Opposing Party’s Statement. The statement is offered against an opposing party and
A. was made by the party in an individual or representative capacity;
B. is one the party manifested that it adopted or believed to be true;
C. was made by a person whom the party authorized to make a statement on the subject;
D. was made by the party’s agent or employee on a matter within the scope of that relationship and while it existed; or
E. was made by the party’s coconspirator during and in furtherance of the conspiracy.
The statement must be considered but does not by itself establish the declarant’s authority under (C); the existence or scope of the relationship under (D); or the existence of the conspiracy or participation in it under (E).

25
Q

Federal Rules of Evidence Rule 803: Exceptions to the Rule Against Hearsay - Regardless of Whether the Declarant Is Available as a Witness

A
  1. Present Sense Impression
  2. Excited Utterance
  3. Then-Existing Mental, Emotional, or Physical Condition
  4. Statement Made for Medical Diagnosis or Treatment
  5. Recorded Recollection
  6. Records of a Regularly Conducted Activity
  7. Absence of a Record of a Regularly Conducted Activity
  8. Public Records
  9. Public Records of Vital Statistics
  10. Absence of a Public Record
  11. Records of Religious Organizations Concerning Personal or Family History
  12. Certificates of Marriage, Baptism, and Similar Ceremonies
  13. Family Records
  14. Records of Documents That Affect an Interest in Property
  15. Statements in Documents That Affect an Interest in Property
  16. Statements in Ancient Documents
  17. Market Reports and Similar Commercial Publications
  18. Statements in Learned Treatises, Periodicals, or Pamphlets
  19. Reputation Concerning Personal or Family History
  20. Reputation Concerning Boundaries or General History
  21. Reputation Concerning Character
  22. Judgment of a Previous Conviction
  23. Judgments Involving Personal, Family, or General History, or a Boundary
26
Q

Federal Rules of Evidence Rule 1001: Definitions that apply to this article

A

In this article:
A. A ‘writing’ consists of letters, words, numbers, or their equivalent set down in any form.
B. A ‘recording’ consists of letters, words, numbers, or their equivalent recorded in any manner.
C. A ‘photograph’ means a photographic image or its equivalent stored in any form.
D. An ‘original’ of a writing or recording means the writing or recording itself or any counterpart intended to have the same effect by the person who executed or issued it. For electronically stored information, ‘original’ means any printout - or other output readable by sight - if it accurately reflects the information. An ‘original’ of a photograph includes the negative or a print from it.
E. A ‘duplicate’ means a counterpart produced by a mechanical, photographic, chemical, electronic, or other equivalent process or technique that accurately reproduces the original.

27
Q

Federal Rules of Evidence Rule 1002: Requirement of the Original

A

An original writing, recording, or photograph is required in order to prove its content unless these rules or a federal statute provides otherwise.

28
Q

Federal Rules of Evidence Rule 1003: Admissibility of Duplicates

A

A duplicate is admissible to the same extent as the original unless a genuine question is raised about the original’s authenticity or the circumstances make it unfair to admit the duplicate.

29
Q

Federal Rules of Evidence Rule 1004: Admissibility of Other Evidence of Content

A

An original is not required and other evidence of the content of a writing, recording, or photograph is admissible if:
a. all the originals are lost or destroyed, and not by the proponent acting in bad faith;
b. an original cannot be obtained by any available judicial process;
c. the party against whom the original would be offered had control of the original; was at that time put on notice, by pleadings or otherwise, that the original would be a subject of proof at the trial or hearing; and fails to produce it at the trial or hearing; or
d. the writing, recording, or photograph is not closely related to a controlling issue.

30
Q

Computer forensics

A

Refers to a set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment in such a manner that the discovered evidence is acceptable during a legal and/or administrative proceeding in a court of law.

31
Q

Cybercrimes can be classified into the following two types of attacks, based on the line of attack.

A

Internal and external

32
Q

Espionage, theft of intellectual property, manipulation of records, and Trojan horse attacks are examples of what?

A

Insider attacks or primary threats

33
Q

External attacks occur when there are inadequate information-security policies and procedures. True/False

A

True

34
Q

What type of case involves disputes between two parties?

A

Civil

35
Q

________________ is the standard investigative model used by the FBI when conducting investigations against major criminal organizations.

A

Enterprise Theory of Investigation (ETI)

36
Q

Forensic readiness includes technical and non-technical actions that maximize an organization’s competence to use digital evidence. True/False

A

True

37
Q

Incident Response

A

The process of developing a strategy to address the occurrence of any security breach in the system or network. It includes the formulation of security policies and goals of incident response, creation of the incident response team, analysis of threats, establishing the methods for detecting a breach, and preparing to combat threats and mitigate damages in the event of a security breach.

38
Q

Code of Ethics - Computer forensic investigator should:

A
  • Perform investigations based on well-known standard procedures
  • Perform assigned tasks with high commitment and diligence
  • Act with utmost ethical and moral principles
  • Examine the evidence carefully within the scope of the agreement
  • Ensure the integrity of the evidence throughout the investigation process
  • Act in accordance with federal statutes, state statutes, and local laws and policies
  • Testify honestly before any board, court or trial proceedings
39
Q

Code of Ethics - Computer forensic investigator should not:

A
  • Refuse any evidence because that may cause failure in the case
  • Expose confidential matters without authorized permission
  • Take on assignments beyond his/her skills
  • Perform actions that significantly lead to a conflict of interest
  • Present the training, credentials, or association membership in a wrong way
  • Provide personal or prejudiced opinions
  • Reserve any evidence relevant to the case
40
Q

In forensics laws, “authenticating or identifying evidence” comes under which rule?

A

Rule 901

41
Q

What requires companies that offer financial products or services to protect customer information against security threats?

A

GLBA

42
Q

What Act includes security standards for health information?

A

HIPAA

43
Q

What is the act passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations?

A

SOX

44
Q

What is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards?

A

PCI DSS