Chapter 4

Question 1

Corporate investigations are typically easier than law enforcement investigations for which of the following reasons?

Answer 1

a. Most companies keep inventory databases of all hardware and software used.

Question 2

n the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause.

Answer 2

T

Question 3

If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement.

Answer 3

T

Question 4

As a corporate investigator, you can become an agent of law enforcement when which of the following happens? (Choose all that apply.)

a. You begin to take orders from a police detective without a warrant or subpoena.
b. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.
c. Your internal investigation begins.

Answer 4

A, B

Question 5

The plain view doctrine in computer searches is well-established law.

Answer 5

F

Question 6

If a suspect computer is located in an area that might have toxic chemicals, you must do which of the following? (Choose all that apply.)

a. Coordinate with the HAZMAT team.
b. Determine a way to obtain the suspect computer
c. Assume the suspect computer is contaminated.
d. Do not enter alone

Answer 6

a, c

Question 7

What are the three rules for a forensic hash?

Answer 7

It can’t be predicted, no two files can have the same hash value, and if the file changes, the hash value changes.

Question 8

In forensic hashes, a collision occurs when ________.

Answer 8

two files have the same hash value

Question 9

List three items that should be in an initial-response field kit.

Answer 9

Small computer toolkit, large-capacity drive, IDE ribbon cables, forensic boot media, laptop IDE 40-to-44 pin adapter, laptop or portable computer, FireWire or USB dual write-protect external bay, flashlight, digital camera or 35mm camera

Question 10

When you arrive at the scene, why should you extract only those items that you need to acquire evidence?

Answer 10

To minimize how much you have to keep track of at the scene.

Question 11

Computer peripherals or attachments can contain DNA evidence. True or False?

Answer 11

T

Question 12

If a suspect computer is running Windows 2000, which of the following can you perform safely?

Answer 12

Browsing open applications.

Question 13

Describe what should be videotaped or sketched at a computer crime scene.

Answer 13

Computers, cable connections, overview of scene—anything that might be of interest to the investigation.

Question 14

Which of the following techniques might be used in covert surveillance?

Answer 14

Keylogging, data sniffing.

Question 15

Commingling evidence means what in a corporate setting?

Answer 15

Sensitive corporate information being mixed with data collected as evidence.

Question 16

Two hashing algorithms commonly used for forensic purposes are_____.

Answer 16

MD5 and SHA-1

Question 17

Small companies rarely need investigators. True or False?

Answer 17

F

Question 18

If a company doesn’t distribute a computing use policy stating an employer’s rights to inspect employee’s computers freely, including e-mail and web use, employees have an expectation of privacy. True or False?

Answer 18

T

Question 19

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?

Answer 19

Initial-response field kit.

Question 20

You should always answer questions from onlookers at the crime scene? True or False?

Answer 20

F

Question 21

Automated Fingerprint Identification System (AFIS)

Answer 21

A computerized system for identifying fingerprints that’s connected to a central database; used to identify criminal suspects and review thousands of fingerprint samples at high speed.

Question 22

A computerized system for identifying fingerprints that’s connected to a central database; used to identify criminal suspects and review thousands of fingerprint samples at high speed.

Answer 22

Automated Fingerprint Identification System (AFIS)

Question 23

computer-generated records

Answer 23

Digital files generated by a computer

Question 24

Digital files generated by a computer

Answer 24

computer-generated records

Question 25

computer-stored records

Answer 25

Digital files generated by a person

Question 26

Digital files generated by a person

Answer 26

computer-stored records

Question 27

covert surveillance

Answer 27

observing people or places without being detected

Question 28

observing people or places without being detected

Answer 28

covert surveillance

Question 29

Cyclic Redundancy Check (CRC)

Answer 29

A mathematical algorithm that translates a file into a unique hexadecimal value

Question 30

A mathematical algorithm that translates a file into a unique hexadecimal value

Answer 30

Cyclic Redundancy Check (CRC)

Question 31

digital evidence

Answer 31

Evidence consisting of information stored or transmitted in electronic form

Question 32

Evidence consisting of information stored or transmitted in electronic form

Answer 32

digital evidence

Question 33

extensive-response field kit

Answer 33

A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers

Question 34

A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers

Answer 34

extensive-response field kit

Question 35

What should an extensive-response field kit include?

Answer 35

Two or more types of software or hardware computer forensics tools

Question 36

hash value

Answer 36

A unique hexadecimal value that identifies a file or drive

Question 37

A unique hexadecimal value that identifies a file or drive

Answer 37

hash value

Question 38

hazardous materials (HAZMAT)

Answer 38

Chemical, biological, or radiological substances that can cause harm to people

Question 39

Chemical, biological, or radiological substances that can cause harm to people

Answer 39

hazardous materials (HAZMAT)

Question 40

initial-response field kit

Answer 40

A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.

Question 41

A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.

Answer 41

initial-response field kit

Question 42

innocent information

Answer 42

Data that doesn’t contribute to evidence of a crime or violation

Question 43

Data that doesn’t contribute to evidence of a crime or violation

Answer 43

innocent information

Question 44

keyed hash set

Answer 44

A value created by an encryption utility’s secret key

Question 45

A value created by an encryption utility’s secret key

Answer 45

keyed hash set

Question 46

limiting phrase

Answer 46

Wording in a search warrant that limits the scope of a search for evidence

Question 47

Wording in a search warrant that limits the scope of a search for evidence

Answer 47

limiting phrase

Question 48

low-level investigations

Answer 48

Corporate cases that require less investigative effort than a major criminal case

Question 49

Corporate cases that require less investigative effort than a major criminal case

Answer 49

low-level investigations

Question 50

Message Digest 5 (MD5)

Answer 50

An algorithm that produces a hexadecimal value of a file or storage media.

Question 51

An algorithm that produces a hexadecimal value of a file or storage media.

Answer 51

Message Digest 5 (MD5)

Question 52

National Institute of Standards and Technology (NIST)

Answer 52

One of the governing bodies responsible for setting standards for some U.S. industries.

Question 53

One of the governing bodies responsible for setting standards for some U.S. industries.

Answer 53

National Institute of Standards and Technology (NIST)

Question 54

nonkeyed hash set

Answer 54

A unique hash number generated by a software tool and used to identify files

Question 55

A unique hash number generated by a software tool and used to identify files

Answer 55

nonkeyed hash set

Question 56

person of interest

Answer 56

Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest

Question 57

Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest

Answer 57

person of interest

Question 58

plain view doctrine

Answer 58

When conducting a search and seizure, objects in plain view of a law enforcement officer, who has the right to be in position to have that view, are subject to seizure without a warrant and can be introduced as evidence.

Question 59

When conducting a search and seizure, objects in plain view of a law enforcement officer, who has the right to be in position to have that view, are subject to seizure without a warrant and can be introduced as evidence.

Answer 59

plain view doctrine

Question 60

probable cause

Answer 60

The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.

Question 61

The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.

Answer 61

probable cause

Question 62

professional curiosity

Answer 62

The motivation for law enforcement and other professional personnel to examine an incident or crime scene to see what happened

Question 63

The motivation for law enforcement and other professional personnel to examine an incident or crime scene to see what happened

Answer 63

professional curiosity

Question 64

Scientific Working Group on Digital Evidence (SWGDE)

Answer 64

A group that sets standards for recovering, preserving, and examining digital evidence

Question 65

A group that sets standards for recovering, preserving, and examining digital evidence

Answer 65

Scientific Working Group on Digital Evidence (SWGDE)

Question 66

Secure Hash Algorithm version 1 (SHA-1)

Answer 66

A forensic hashing algorithm created by NIST to determine whether data in a file or storage media has been altered.

Question 67

A forensic hashing algorithm created by NIST to determine whether data in a file or storage media has been altered.

Answer 67

Secure Hash Algorithm version 1 (SHA-1)

Question 68

sniffing

Answer 68

Detecting data transmissions to and from a suspect’s computer and a network server to determine the type of data being transmitted over a network

Question 69

Detecting data transmissions to and from a suspect’s computer and a network server to determine the type of data being transmitted over a network

Answer 69

sniffing