CHFI_CH1 Flashcards

1
Q

Rule 105

A

Limited Admissibility: If the court admits evidence that is admissible against a party or for a purpose — but not against another party or for another purpose — the court, on timely request, must restrict the evidence to its proper scope and instruct the jury accordingly.

2
Q

Incident Response Flow

A

Step 1: Preparation for Incident Handling
Step 2: Incident Recording and Assignment
Step 3: Incident Triage
Step 4: Notification
Step 5: Containment
Step 6: Evidence Gathering and Forensic Analysis
Step 7: Eradication
Step 8: Recovery

3
Q

volatile data examples

A

RAM: the most volatile data, which is discarded when the device is powered off. Also system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.

4
Q

The Electronic Communications Privacy Act

A

This act and the Stored Wire Electronic Communications Act are commonly referred to together as the Electronic Communications Privacy Act (ECPA) of 1986, which comes under 18 U.S.C. §§ 2510-2523.

5
Q

SWGDE Principle 1

A

In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system.

6
Q

SWGDE 1.7

A

Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner.

7
Q

SWGDE 1.6

A

All activity related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.

8
Q

SWGDE 1.5

A

The agency must use hardware and software that are appropriate and effective for the seizure or examination procedure.

9
Q

SWGDE 1.4

A

The agency must maintain written copies of appropriate technical procedures.

10
Q

SWGDE 1.3

A

States that SOPs must be generally accepted or supported by data gathered and recorded in a scientific manner.

11
Q

SWGDE 1.2

A

Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.

12
Q

SWGDE 1.1

A

All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency’s policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency’s management authority.

13
Q

SOC Workflow

A

Collection
Ingestion
Validation
Reporting
Response
Documentation

14
Q

Singapore

A

Computer Misuse Act

15
Q

Sarbanes-Oxley Act (SOX) of 2002

A

An act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations. The Sarbanes-Oxley Act (SOX) mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud.

16
Q

Rule 1004

A

Admissibility of Other Evidence of Content: An original is not required and other evidence of the content of a writing, recording, or photograph is admissible if:
a. all the originals are lost or destroyed, and not by the proponent acting in bad faith;
b. an original cannot be obtained by any available judicial process;
c. the party against whom the original would be offered had control of the original; was at that time put on notice, by pleadings or otherwise, that the original would be a subject of proof at the trial or hearing; and fails to produce it at the trial or hearing; or
d. the writing, recording, or photograph is not closely related to a controlling issue.

17
Q

Rule 1003

A

Admissibility of Duplicate: A duplicate is admissible to the same extent as the original unless a genuine question is raised about the original’s authenticity or the circumstances make it unfair to admit the duplicate.

18
Q

Rule 1002:

A

Requirement of the Original: An original writing, recording, or photograph is required in order to prove its content unless these rules or a federal statute provides otherwise.

19
Q

Rule 1001: Definitions that apply to this article

A

(a) A “writing” consists of letters, words, numbers, or their equivalent set down in any form.
(b) A “recording” consists of letters, words, numbers, or their equivalent recorded in any manner.
(c) A “photograph” means a photographic image or its equivalent stored in any form.
(d) An “original” of a writing or recording means the writing or recording itself or any counterpart intended to have the same effect by the person who executed or issued it.
(e) A “duplicate” means a counterpart produced by a mechanical, photographic, chemical, electronic, or other equivalent process or technique that accurately reproduces the original.

20
Q

Rule 901

A

Authenticating or Identifying Evidence: In general. To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is.

21
Q

Rule 804

A

Exceptions to the Rule Against Hearsay - When the Declarant is Unavailable as a Witness

22
Q

Rule 803

A

Exceptions to the Rule Against Hearsay - Regardless of Whether the Declarant is Available as a Witness: Parts 1-23

23
Q

Rule 801: Definitions That Apply to This Article; Exclusions from Hearsay

A

“Hearsay” means a statement that
1. the declarant does not make while testifying at the current trial or hearing and
2. a party offers in evidence to prove the truth of the matter asserted in the statement.

24
Q

Rule 801 Statements That Are Not Hearsay. Part 2

A

1. An Opposing Party’s Statement. The statement is offered against an opposing party and:
    A. was made by the party in an individual or representative capacity;
    B. is one the party manifested that it adopted or believed to be true;
    C. was made by a person whom the party authorized to make a statement on the subject;
    D. was made by the party’s agent or employee on a matter within the scope of that relationship and while it existed; or
    E. was made by the party’s coconspirator during and in furtherance of the conspiracy.
The statement must be considered but does not by itself establish the declarant’s authority under (C); the existence or scope of the relationship under (D); or the existence of the conspiracy or participation in it under (E).
25
Q

Rule 801 Statements That Are Not Hearsay. Part 1

A

1. A Declarant-Witness’s Prior Statement.
    A. is inconsistent with the declarant’s testimony and was given under penalty of perjury at a trial, hearing, or other proceeding or in a deposition;
    B. is consistent with the declarant’s testimony and is offered:
        i. to rebut an express or implied charge that the declarant recently fabricated it or acted from a recent improper influence or motive in so testifying; or
        ii. to rehabilitate the declarant’s credibility as a witness when attacked on another ground; or
    C. identifies a person as someone the declarant perceived earlier.
26
Q

Rule 705

A

Disclosing the Facts or Data Underlying an Expert’s Opinion: Unless the court orders otherwise, an expert may state an opinion — and give the reasons for it — without first testifying to the underlying facts or data. But the expert may be required to disclose those facts or data on cross-examination.

27
Q

Rule 701: Opinion Testimony by Lay Witnesses

A

If a witness is not testifying as an expert, testimony in the form of an opinion is limited to one that is:
a. rationally based on the witness’s perception;
b. helpful to clearly understanding the witness’s testimony or to determining a fact in issue; and
c. not based on scientific, technical, or other specialized knowledge within the scope of Rule 702.

28
Q

Rule 614

A

Court’s Calling or Examining a Witness:
a. Calling. The court may call a witness on its own or at a party’s request. Each party is entitled to cross-examine the witness.
b. Examining. The court may examine a witness regardless of who calls the witness.
c. Objections. A party may object to the court’s calling or examining a witness either at that time or at the next opportunity when the jury is not present.

29
Q

Rule 609

A

Impeachment by Evidence of a Criminal Conviction
a. In general
b. Limit on using the evidence after 10 years.
c. Effect of a pardon, annulment, or certificate of rehabilitation.
d. Juvenile adjudications.
e. Pendency of an appeal

30
Q

Rule 608. A Witness’s Character for Truthfulness or Untruthfulness

A

a. Reputation or opinion evidence.
b. Specific instances of conduct.

31
Q

Rule 502

A

Attorney-Client Privilege and Work Product; Limitations on Waiver: Disclosure made in a federal proceeding or to a federal office or agency; scope of a waiver.

32
Q

Rule 402

A

General Admissibility of Relevant Evidence: Relevant evidence is admissible unless any of the following provides otherwise:
▪ the United States Constitution;
▪ a federal statute;
▪ these rules; or
▪ other rules prescribed by the Supreme Court

33
Q

Rule 104: 1-5

A

Preliminary Questions:
1. Questions of admissibility in general
2. Relevancy conditioned on a fact
3. Conducting a hearing so that the jury cannot hear it
4. Cross-examining a defendant in a criminal case
5. Evidence relevant to weight and credibility

34
Q

Rule 103.

A

Rulings on Evidence
(a) Preserving a Claim of Error
(b) Not needing to renew an objection or offer of proof
(c) Court’s statement about the ruling; directing an offer of proof
(d) Preventing the jury from hearing inadmissible evidence
(e) Taking Notice of Plain Error

35
Q

Rule 102. Purpose

A

These rules should be construed so as to administer every proceeding fairly, eliminate unjustifiable expense and delay, and promote the development of evidence law, to the end of ascertaining the truth and securing a just determination.

36
Q

Rule 101. Scope

A

These rules apply to proceedings in United States courts. The specific courts and proceedings to which the rules apply, along with exceptions, are set out in Rule 1101.

37
Q

Privacy Act of 1974

A

5 U.S.C. § 552a, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies.

38
Q

Philippines

A

The Data Privacy Act of 2012 seeks to ensure “the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.”

39
Q

Payment Card Industry Data Security Standard (PCI DSS)

A

The PCI DSS is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

40
Q

non-volatile data examples

A

Permanent data on secondary storage, hard disks, and memory cards: hidden files, slack space, swap file, index data files, unallocated clusters, unused partitions, hidden partition, registry settings, and event logs.

41
Q

National Information Infrastructure Protection Act of 1996

A

Revises federal criminal code provisions regarding fraud and related activity in connection with computers.

42
Q

Italy

A

Penal Code Article 615 ter

43
Q

India

A

Information Technology Act

44
Q

Incident Response Process Flow

A

Step 1: Preparation for Incident Handling and Response
Step 2: Incident Recording and Assignment
Step 3: Incident Triage
Step 4: Notification
Step 5: Containment
Step 6: Evidence Gathering and Forensic Analysis
Step 7: Eradication
Step 8: Recovery
Step 9: Post-Incident Activities

45
Q

Hong Kong

A

Cap. 486 Personal Data (Privacy) Ordinance (PDPO)

46
Q

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

A

Provides federal protections for individually identifiable health information held by covered entities and their business associates and offers patients an array of rights with respect to such information.

47
Q

Gramm-Leach-Bliley Act (GLBA)

A

Enacted in 1999, requires financial institutions (companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.

48
Q

Germany

A

Section 202a. Data Espionage

49
Q

General Data Protection Regulation (GDPR)

A

Proposed set of regulations adopted by the European Union to protect Internet users from clandestine tracking and unauthorized personal data usage.

50
Q

Freedom of Information Act (FOIA)

A

1966 law that allows citizens to obtain copies of most public records

51
Q

Foreign Intelligence Surveillance Act of 1978 (FISA)

A

FISA prescribes procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign power.

52
Q

Federal Information Security Modernization Act of 2014 (FISMA)

A

FISMA was introduced as an amendment to the Federal Information Security Management Act of 2002, which was implemented to provide a framework for federal information systems to have more effective information security controls in place.

53
Q

ECPA Title III

A

addresses pen register and trap and trace devices and requires government entities to obtain a court order authorizing the installation and use of a pen register.

54
Q

ECPA Title II

SCA

A

Also called the Stored Communications Act (SCA), Title II protects the privacy of the contents of files stored by service providers and of records held about the subscriber by service providers, such as subscriber name, billing records, or IP addresses.

55
Q

ECPA Title I

A

Prohibits the intentional, actual, or attempted interception, use, disclosure, or “procure[ment] [of] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication.” Title I also prohibits the use of illegally obtained communications as evidence.

56
Q

digital evidence

A

Evidence consisting of information stored or transmitted in electronic form.

57
Q

Data Protection Act 2018

A

Aims to protect the rights of the owners of data - the data subjects. It does not protect the data itself.

58
Q

cybercrime

A

Any illegal Internet-mediated activity that takes place in electronic networks, computers, or its application

59
Q

criminal cases

A

Involve actions that go against the interests of society; the burden of proving that the accused is guilty lies entirely with the prosecution. Cases that are considered harmful to society and involve action by law enforcement.

60
Q

Computer Security Act of 1987

A

one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices

61
Q

civil investigation

A

disputes between two parties, such as an individual versus a company; an individual versus another individual; a company versus another; or in some countries, a government regulatory agency versus an individual (or a company)

62
Q

Canada

A

Canadian Criminal Code Section 342.1

63
Q

Brazil

A

Unauthorized modification or alteration of the information system

64
Q

Best Evidence Rule

A

states that the court only allows the original evidence of a document, photograph, or recording at the trial and not a copy.

65
Q

Belgium

A

Article 550(b) of the Criminal Code - Computer Hacking

66
Q

Australia laws

A

Cybercrime Act 2001 and Information Privacy Act 2014

67
Q

administrative investigation

A

- Part of regulation involves ensuring conduct is legitimate
- May investigate organizations or individuals to discover if its employees, clients, and partners are complying with rules or policies

68
Q

ACPO Principle 4

A

The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

69
Q

ACPO Principle 3

A

An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

70
Q

ACPO Principle 2

competency

A

In circumstances where a person finds it necessary to access original data held on a computer, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

71
Q

ACPO Principle 1

A

Integrity
No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data, which may subsequently be relied upon in court.