Digital Forensics Flashcards
Volatile information, such as the contents of RAM, changes constantly, so data collection should proceed in order of volatility, that is, by the expected lifetime of the data. Order the following list from most volatile (which should be collected first) to least volatile.
Routing tables, ARP cache, process tables, kernel statistics
Memory (RAM)
CPU, cache, and register contents
Temporary file system/swap space
CPU, cache, and register contents
Routing tables, ARP cache, process tables, kernel statistics
Memory (RAM)
Temporary file system/swap space
The most volatile elements should be examined and collected first, in the order shown: CPU, cache and register contents; routing tables, ARP cache, process tables and kernel statistics; memory (RAM); temporary file system and swap space. Each layer should be read with tools that change as little of the remaining volatile state as possible, and hashed and timestamped as soon as it is captured
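The collection itself, as an added example that is not part of the original flashcards: a Python script that walks the volatile layers a userland process can reach on Linux in order of volatility (routing table, ARP cache, process table, kernel statistics, memory information, swap), timestamps and SHA-256 hashes each artefact as it is read, and decodes the little-endian hex addresses in /proc/net/route. CPU registers, cache and a full RAM image need hypervisor or kernel-module tooling, so they are deliberately out of scope here. The SnapshotProc class and its SAMPLE_PROC contents are constructed stand-ins for procfs so the script runs offline on any OS; LiveProc reads the real /proc when run on a Linux host.

```python
import hashlib
import json
import time
from pathlib import Path
from socket import inet_ntoa
from struct import pack


class LiveProc:
    """Reads the real procfs on the suspect host (Linux only)."""

    def __init__(self, root="/proc"):
        self.root = Path(root)

    def read(self, name):
        return (self.root / name).read_bytes()

    def pids(self):
        return sorted(int(p.name) for p in self.root.iterdir() if p.name.isdigit())


class SnapshotProc:
    """Constructed stand-in for procfs so the example runs offline on any OS."""

    def __init__(self, files):
        self.files = files

    def read(self, name):
        return self.files[name]

    def pids(self):
        return sorted(int(k.split("/")[0]) for k in self.files if k.endswith("/stat"))


def _hex_ip(h):
    # /proc/net/route stores IPv4 addresses as little-endian hex: 0100A8C0 -> 192.168.0.1
    return inet_ntoa(pack("<I", int(h, 16)))


def parse_route(text):
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 8:
            rows.append({"iface": f[0], "dest": _hex_ip(f[1]), "gateway": _hex_ip(f[2]), "mask": _hex_ip(f[7])})
    return rows


def parse_arp(text):
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 6:
            rows.append({"ip": f[0], "mac": f[3], "device": f[5]})
    return rows


def parse_pid_stat(text):
    # The command name sits in parentheses and may contain spaces, so split on the last ") ".
    pid, rest = text.split(" (", 1)
    comm, rest = rest.rsplit(") ", 1)
    f = rest.split()
    return {"pid": int(pid), "comm": comm, "state": f[0], "ppid": int(f[1])}


# Most volatile first. Registers/cache and a full RAM image are not reachable from userland.
VOLATILITY_ORDER = [
    ("routing_table", "net/route", parse_route),
    ("arp_cache", "net/arp", parse_arp),
    ("process_table", None, None),  # assembled from every <pid>/stat
    ("kernel_statistics", "stat", None),
    ("memory_info", "meminfo", None),
    ("swap_space", "swaps", None),
]


def collect(proc, clock=time.time):
    """Collect artefacts in order of volatility, timestamping and hashing each as soon as it is read."""
    manifest = []
    for name, path, parser in VOLATILITY_ORDER:
        if path is None:
            parts = []
            for pid in proc.pids():
                try:
                    parts.append(proc.read(f"{pid}/stat"))
                except FileNotFoundError:
                    pass  # process exited between listing and read; note the gap, do not abort
            raw, parsed = b"".join(parts), [parse_pid_stat(p.decode(errors="replace")) for p in parts]
        else:
            raw = proc.read(path)
            parsed = parser(raw.decode(errors="replace")) if parser else None
        manifest.append({"artefact": name, "collected_at": clock(), "size": len(raw),
                         "sha256": hashlib.sha256(raw).hexdigest(), "summary": parsed})
    return manifest


# Constructed procfs snapshot (sample data, not captured from a real host).
SAMPLE_PROC = SnapshotProc({
    "net/route": (b"Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
                  b"eth0\t00000000\t0100A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
                  b"eth0\t0000A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"),
    "net/arp": (b"IP address       HW type     Flags       HW address            Mask     Device\n"
                b"192.168.0.1      0x1         0x2         02:42:ac:11:00:01     *        eth0\n"),
    "stat": b"cpu  4705 356 584 3699176 23060 0 31 0 0 0\nctxt 12345678\nbtime 1700000000\n",
    "meminfo": b"MemTotal:       16300000 kB\nMemFree:         8120000 kB\n",
    "swaps": b"Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n/dev/sda2\t\t\t\tpartition\t2097148\t0\t-2\n",
    "1/stat": b"1 (systemd) S 0 1 1 0 -1 4194560 1000 0 0 0 5 3 0 0 20 0 1 0 10 170000000 2000\n",
    "4242/stat": b"4242 (sshd) S 1 4242 4242 0 -1 4194560 300 0 0 0 1 1 0 0 20 0 1 0 5000 9000000 1200\n",
})

if __name__ == "__main__":
    proc = LiveProc() if Path("/proc/net/route").exists() else SAMPLE_PROC
    print(json.dumps(collect(proc), indent=2))
```

The manifest is the record you keep alongside the raw captures: the per-artefact timestamp shows the order things were taken in, and the hash lets anyone later prove the capture has not changed. Run it from removable media with a known-good Python rather than the suspect host's own interpreter.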
A common data element needed later in the forensics process is an accurate system time with respect to an accurate external time source. A record time offset is calculated by comparing the system time against an external clock such as a Network Time Protocol (NTP) server. Which of the following must be considered relative to obtaining a record time offset?
The record time offset can be lost if the system is powered down, so it is best collected while the system is still running.
The internal clock may not be recorded to the same level of accuracy, so conversions may be necessary.
External clock times may vary as much as 2 to 3 seconds, so it is best to obtain the time from several NTP servers to gain a more accurate reading.
The record time offset can be lost if the system is powered down, so it is best collected while the system is still running.
Record time offset will be lost if the system is powered down, so it is best collected while the system is still running
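Measuring the offset, as an added example that is not part of the original flashcards: a minimal SNTP client in Python that builds the 48-byte request, parses the server reply, checks that the reply echoes our own transmit timestamp (a stale or spoofed reply fails that check), and computes the clock offset and round-trip delay with the four-timestamp formula from RFC 5905. The measure_offset function talks to a real server over UDP port 123 and is provided for live use; build_server_response and offline_demo are a constructed model of the server side so the example runs with no network, using a made-up suspect system whose clock is 90 seconds slow.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2_208_988_800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def to_ntp(ts):
    """Unix seconds (float) -> NTP 64-bit timestamp as (seconds, fraction) fields."""
    whole = int(ts)
    return whole + NTP_UNIX_DELTA, int((ts - whole) * (1 << 32))


def from_ntp(seconds, fraction):
    return seconds - NTP_UNIX_DELTA + fraction / (1 << 32)


def build_request(t1):
    """48-byte SNTP client packet: LI=0, VN=3, Mode=3, with our send time in the Transmit field."""
    pkt = bytearray(48)
    pkt[0] = 0x1B
    struct.pack_into("!II", pkt, 40, *to_ntp(t1))
    return bytes(pkt)


def build_server_response(request, t2, t3, stratum=2):
    """Constructed model of the server side: echo our Transmit as Originate, fill Receive/Transmit."""
    pkt = bytearray(48)
    pkt[0] = 0x1C  # LI=0, VN=3, Mode=4 (server)
    pkt[1] = stratum
    pkt[24:32] = request[40:48]
    struct.pack_into("!II", pkt, 32, *to_ntp(t2))
    struct.pack_into("!II", pkt, 40, *to_ntp(t3))
    return bytes(pkt)


def parse_response(pkt, expected_t1):
    """Return (t1, t2, t3) from a server reply after basic sanity checks."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    if pkt[0] & 0x07 != 4:
        raise ValueError("not a server (mode 4) response")
    if pkt[1] == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server")
    t1 = from_ntp(*struct.unpack_from("!II", pkt, 24))  # originate (our transmit, echoed)
    t2 = from_ntp(*struct.unpack_from("!II", pkt, 32))  # server receive
    t3 = from_ntp(*struct.unpack_from("!II", pkt, 40))  # server transmit
    if abs(t1 - expected_t1) > 1e-6:
        raise ValueError("originate timestamp does not match our request (stale or spoofed reply)")
    return t1, t2, t3


def clock_offset(t1, t2, t3, t4):
    """RFC 5905 offset; positive means the reference clock is ahead of the system clock."""
    return ((t2 - t1) + (t3 - t4)) / 2


def round_trip_delay(t1, t2, t3, t4):
    return (t4 - t1) - (t3 - t2)


def measure_offset(host="pool.ntp.org", timeout=2.0):
    """Live measurement against a real NTP server (needs network; not used by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, 123))
        data, _ = s.recvfrom(48)
        t4 = time.time()
    _, t2, t3 = parse_response(data, t1)
    return clock_offset(t1, t2, t3, t4), round_trip_delay(t1, t2, t3, t4)


def correct_timestamp(system_ts, record_time_offset):
    """Apply the recorded offset to a timestamp taken from the suspect system's own clock."""
    return system_ts + record_time_offset


def offline_demo():
    """Constructed exchange: the suspect system's clock is 90 s slow, 10 ms network delay each way."""
    skew = -90.0
    t1_sys = 1_700_000_000.0          # request sent, read from the system clock
    t2_true = t1_sys - skew + 0.010   # server receives, reference clock
    t3_true = t2_true + 0.001         # server transmits, reference clock
    t4_sys = t1_sys + 0.021           # reply received, read from the system clock
    reply = build_server_response(build_request(t1_sys), t2_true, t3_true)
    t1, t2, t3 = parse_response(reply, t1_sys)
    return clock_offset(t1, t2, t3, t4_sys), round_trip_delay(t1, t2, t3, t4_sys)


if __name__ == "__main__":
    offset, delay = offline_demo()
    print(f"record time offset: {offset:+.3f} s (delay {delay * 1000:.1f} ms)")
```

Record the offset, the server used, the delay and the wall-clock time of the measurement in the case notes while the system is still running; once it is powered down the system clock can no longer be compared against the reference, and every timestamp pulled from its logs later has to be corrected with correct_timestamp using the value you wrote down.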
What is the term used to describe the process that accounts for all persons who handled or had access to a piece of evidence?
Secure e-discovery
Chain of custody
Evidence accountability process
Chain of custody
The chain of custody accounts for all persons who handled or had access to the evidence
In the U.S. legal system, at what point does legal precedent require that potentially relevant information must be preserved?
When the owner is provided with a warrant to seize the storage device
At the instant a party “reasonably anticipates” litigation or another type of formal dispute
The moment any investigation is begun
At the instant a party “reasonably anticipates” litigation or another type of formal dispute
In the U.S. legal system, legal precedent requires that potentially relevant information must be preserved at the instant a party “reasonably anticipates” litigation or another type of formal dispute
Which standard of evidence states the evidence must be convincing or measure up without question?
Direct evidence
Relevant evidence
Sufficient evidence
Sufficient evidence
Sufficient evidence states the evidence must be convincing or measure up without question. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness’s statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Competent evidence states the evidence must be legally qualified and reliable. Relevant evidence states the evidence must be material to the case or have a bearing on the matter at hand
Which standard of evidence states the evidence must be material to the case or have a bearing on the matter at hand?
Direct evidence
Competent evidence
Relevant evidence
Relevant evidence
Relevant evidence states the evidence must be material to the case or have a bearing on the matter at hand. Sufficient evidence states the evidence must be convincing or measure up without question. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness’s statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Competent evidence states the evidence must be legally qualified and reliable
Which type of evidence is oral testimony that proves a specific fact (such as an eyewitness’s statement), where the witness’s knowledge of the fact comes from their own five senses, with no inferences or presumptions?
Direct evidence
Real evidence
Documentary evidence
Direct evidence
Direct evidence is oral testimony that proves a specific fact (such as an eyewitness’s statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Real evidence is also known as associative or physical evidence and this includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime. Evidence in the form of business records, printouts, manuals, and similar objects, which make up much of the evidence relating to computer crimes, is documentary evidence. Demonstrative evidence is used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred
Which type of evidence is also known as associative or physical evidence and includes tangible objects that prove or disprove a fact?
Direct evidence
Real evidence
Documentary evidence
Real evidence
Real evidence is also known as associative or physical evidence and includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness’s statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Evidence in the form of business records, printouts, manuals, and similar objects, which make up much of the evidence relating to computer crimes, is documentary evidence. Demonstrative evidence is used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred
Which rule states that evidence is not admissible if it was collected in violation of the Fourth Amendment’s prohibition of unreasonable search and seizure?
Best evidence rule
Hearsay rule
Exclusionary rule
Exclusionary rule
The Fourth Amendment to the U.S. Constitution precludes illegal search and seizure. Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. This is addressed by the exclusionary rule. The best evidence rule addresses the fact that courts prefer original evidence rather than a copy, to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred. The hearsay rule addresses second-hand evidence, that is, evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted
Which rule of evidence addresses the fact that courts prefer original evidence rather than a copy, to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred?
Best evidence rule
Hearsay rule
Exclusionary rule
Best evidence rule
The best evidence rule addresses the fact that courts prefer original evidence rather than a copy, to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred. The hearsay rule addresses second-hand evidence, that is, evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted. The Fourth Amendment to the U.S. Constitution precludes illegal search and seizure. Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. This is addressed by the exclusionary rule
Which of the following would a capture video not be used to collect?
Serial number plates
Cable connections
System image
System image
A system image is a dump of the physical memory of a computer system; it is digital data and cannot be captured on video. The others are physical details of the scene (labels, plates, how cables are connected) that a capture video is valuable for recording before anything is moved
Which of the following performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check?
Cryptographic algorithm
Authentication code
Hashing algorithm
Hashing algorithm
A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check (CRC). It applies mathematical operations to a data stream (or file) to calculate a fixed-size value that depends on every bit of the input, so any change to the data changes the value. The difference that matters for evidence is that a CRC or checksum is easy to collide (two different inputs with the same value), whereas a cryptographic hash such as SHA-256 is designed so that finding such a pair is infeasible, which is why forensic images are verified with cryptographic hashes rather than checksums
What type of plan is implemented when you have an idea of what information you will want to be able to examine and want to ensure the information is logged when it occurs, and if at all possible in a location that prevents alteration?
System logging plan
Forensic logging plan
Active logging plan
Active logging plan
When you have an idea of what information you will want to be able to examine, you can make an active logging plan that ensures the information is logged when it occurs and, if at all possible, written to a location the monitored system cannot alter afterwards, such as a remote log host or append-only store, so that an intruder who gains control of the system cannot quietly edit the record
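One way to make a local log tamper-evident while it waits to be shipped, as an added example that is not part of the original flashcards: a Python hash chain in which each entry commits to the previous entry's hash, so editing or deleting any record breaks every hash after it. A chain alone cannot detect truncation at the tail, so verify also accepts the last hash (the head) that you periodically send to a remote host; the SAMPLE_EVENTS are constructed authentication events, not real log data.

```python
import hashlib
import json

GENESIS = "0" * 64


def entry_hash(prev_hash, record):
    """Hash of the canonical JSON record bound to the previous entry's hash."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class ChainedLog:
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, record)
        self.entries.append({"seq": len(self.entries), "record": record, "prev": prev, "hash": h})
        return h

    def head(self):
        """The value to ship off-host (e.g. to the remote log server) so tail truncation is detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries, expected_head=None):
    """Return (ok, index of the first bad entry or None); expected_head catches truncation."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or entry_hash(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


# Constructed sample events (not from a real system).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01Z", "host": "web01", "event": "sshd_login", "user": "deploy", "src": "203.0.113.7", "result": "success"},
    {"ts": "2024-05-01T09:00:05Z", "host": "web01", "event": "sshd_login", "user": "root", "src": "198.51.100.23", "result": "failure"},
    {"ts": "2024-05-01T09:00:09Z", "host": "web01", "event": "sudo", "user": "deploy", "command": "/bin/bash", "result": "success"},
]


def build_sample_log():
    log = ChainedLog()
    for event in SAMPLE_EVENTS:
        log.append(event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("head to ship off-host:", log.head())
    print("verify:", verify(log.entries, expected_head=log.head()))
```

The chain detects alteration; it does not prevent it. Prevention comes from where the copy lives: forward each entry to a collector the monitored host cannot write to except by appending, and keep the shipped heads there too, so the local file can be compared against them during the investigation.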
From the initial step in the forensics process, the most important issue must always be which of the following?
Preservation of the data
Chain of custody
Documenting all actions taken
Preservation of the data
While all of these are important, from the initial step in the forensics process the most important issue must always be preservation of the data, because everything that follows (chain of custody, documentation, analysis) depends on the evidence remaining unaltered