Chpt 19

Question 1

3 Requirements for evidence to be admissible

Answer 1

Must be 1) relevant, 2) material (related) to the case, and 3) competent (obtained legally)

Question 2

SP 800-86

Answer 2

NIST guide to integrating forensic techniques into incident response

Question 3

4 major categories of evidence

Answer 3

Real, documentary, testimonial, and demonstrative

Question 4

Rules applied to documentary evidence

Answer 4

Best evidence - original copies are needed
Parol evidence - written agreements are assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement

Question 5

write blocker

Answer 5

hardware adapter used to prevent alteration to storage devices during media analysis

Question 6

memory dump

Answer 6

a file of memory of live systems used for in-memory analysis

Question 7

ways to collect network traffic for an investigation

Answer 7

SPAN port on a switch, network tap hardware device, or software protocol analyzer on one of the communicating systems (less reliable)

Question 8

an FBI-led consortium of forensic analysts who produce detailed guidance on gathering digital evidence

Answer 8

The Scientific Working Group on Digital Evidence

Question 9

RFC 1087

Answer 9

“Ethics and the Internet,” created by the Internet Architecture Board (IAB), describes unacceptable and unethics activity:
- seeks to gain unauthorized access
- disrupts the intended use of the internet
- wasted resources
- destroys the integrity of computer-based info
- compromised the privacy of users

Question 10

6 types of computer crimes

Answer 10

military and intelligence, business, financial, terrorist, grudge, thrill