Ch. 2

Question 1

What is the role of an expert witness?

Answer 1

To educate the jury and court

Question 2

Who is a legitimate issuer of a search warrant?

Answer 2

A judge

Question 3

Under what circumstances has a court of law allowed investigators to perform searches without a warrant?

Answer 3

Delay in obtaining a warrant may lead to the destruction of evidence and hamper the investigation process.

Question 4

Forensic Lab: Physical and structural design considerations

Answer 4

• Lab Size: Budget and type of cases to be handled determine the size of the lab.
• Access to Essential Services: Easy access to essential services such as the fire department or other emergency vehicles is require. It must also have access to shipping and receiving without compromising the physical security of the lab.
• Space Estimation for Work Area and Evidence Storage: The lab must be large. There must be sufficient space to place all the equipment in the lab such as workstations and evidence storage.
  Heating, Ventilation, and Air-Conditioning: The environment in the lab such as the humidity, airflow, ventilation, and room temperature also plays an important factor. High exchange rate of air in the lab is needed in order to maintain fresh air inside the room and prevent unwanted odors in the lab. There must be proper cooling systems installed in the lab to overcome the heat that workstations generate.

Question 5

Forensic Lab: Work area considerations

Answer 5

• Workstation Requirement: A small-sized forensic lab generally has two workstations and one ordinary workstation with Internet connectivity. However, the requirement of forensics workstations varies according to the types and complexity of cases and processes handled in the lab.
• Ambience: Investigators spend long hours in a forensics lab. Hence, it is of utmost importance that the ambience of the lab is comfortable.
• Internet, Network, and Communication Line: Install a dedicated Integrated Services Digital Network (ISDN) for network and voice communication. A dedicate network is preferred for the forensic computer, as it requires continuous access to the Internet and other resources on the network. Dial-up Internet access must be available for the workstations in the laboratory.
• Lighting Systems and Emergency Power: The lab should have emergency power and protection for all equipment from power fluctuations. Lighting systems should be arranged to increase the productivity of the investigators. Adjust lighting to avoid glare and keep the monitors at an angle of 90 degrees from the windows.

Question 6

Computer Forensics Investigation Methodology

Answer 6

1. Documenting the Electronic Crime Scene
2. Search and Seizure
3. Evidence Preservation
4. Data Acquisition
5. Data Analysis
6. Case Analysis
7. Reporting
8. Testifying as an Expert Witness

Question 7

Investigators can immediately take action after receiving a report of a security incident. True/False

Answer 7

False. They have to follow a specific protocol that includes gathering of plaintiff information, type of incident, and obtaining permission and warrants for taking further action.

Question 8

Courts call knowledgeable persons to testify to the accuracy of the investigative process. These people who testify are known as the _________.

Answer 8

expert witness

Question 9

A chain of custody is a critical document in the computer forensics investigation process because the document provides legal validation of appropriate evidence handling. True/False

Answer 9

True

Question 10

What project was launched by the National Institute of Standards and Technology (NIST), that establishes a “methodology for testing computer forensics software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware.”

Answer 10

Computer Forensic Tool Testing Project (CFTTP)

Question 11

First responders can collect or recover data from any computer system or device that holds electronic information. True/False

Answer 11

False. Under no circumstances should anyone except qualified forensic analysts attempt to collect or recover data from any computer system or device that holds electronic information.

Question 12

First Response by System/Network Administrators

Answer 12

• Record what is on-screen if the computer is switched on
• Transfer copies of system logs onto a clean media
• If an ongoing attack is detected, seek top management approval before powering down any computing systems
• Isolate the computing systems or other digital devices from further use or tampering
• Document every detail relevant to the incident

Question 13

Written consent from the authority is sufficient to commence search and seizure activity. True/False

Answer 13

True

Question 14

When obtaining evidence, what action should a forensic investigator take if a computer is switched on and the screen is viewable?

Answer 14

Photograph the screen.

Question 15

Data duplication includes bit-by-bit copying of original data using a software or hardware tool. True/False

Answer 15

True