Set 1

Question 1

What is a forensics Lab?

Answer 1

Workspace to perform data extraction, analysis, and reporting, must be accredited such as with ISO/IEC 17025:2005

Question 2

What is a Forensics Lab Manager responsible for?

Answer 2

for the overall operation of the lab, ensures analysts have what they need, handles staffing, ensures staff receive appropriate training.

Question 3

What does a Forensics Analyst do?

Answer 3

Performs scientific analysis of collected digital evidence collected from a variety of sources.

Question 4

Define a Forensics investigator.

Answer 4

Focuses on collection and retrieval of digital evidence. Similiar to Forensics Analyst.

Question 5

What does ASCLD stand for?

Answer 5

American Society Crimes Laboratory Directors

Question 6

What does ASCLD/Labs group do?

Answer 6

They conduct forensics lab certification.

Question 7

What do the security mechanisms Preventive, Detective, & Corrective mean?

Answer 7

Preventive - Prevents a security incident from happening
Detective - Discovers if a security event is in progress or has already occurred
Corrective - Aimed at fixing the root cause of the vulnerability that gave rise to the incident

Question 8

What do the security mechanisms Recovery, Deterrent, and Compensating mean?

Answer 8

Recovery - Restores the computing environment back to a “good known state”
Deterrent - Keeps an event from happening by creating an obstacle for the attacker
Compensating - A control inserted to compensate for lack of a permanent control

Question 9

What are two principles of physical security?

Answer 9

Ensure the physical security of the lab.

Ensure the physical security of the evidence within the lab.

Question 10

Why would you want two separate tables in a forensics lab?

Answer 10

One with two forensics workstations
One with one or two plain workstations for results validation.

Question 11

What is 5WH?

Answer 11

Questions used for problem solving.

They consist of who, what, when, where, why, how.

Question 12

Define computer forensics

Answer 12

The collection and preservation of evidence

Question 13

What is used to manipulate mace attributes and how?

Answer 13

Time stomp, modifies the timestamp of a file

Question 14

Who was a Nobel Prize winner and discovered blood types?

Answer 14

Karl Landsteiner

Question 15

What is Locard’s exchange principle?

Answer 15

A criminal will bring something and leave something that can be used as forensic evidence.

Question 16

How many set of criminal laws exist in the united states?

Answer 16

51

Question 17

Unreasonable search and seizure is what bill?

Answer 17

The 4th

Question 18

Security control that happens in the event of a crime?

Answer 18

Detection

Question 19

what is considered investigation for business use?

Answer 19

Corporate

Question 20

Data forensic analysis is responsible for what?

Answer 20

Collecting and preserving criminal evidence

Question 21

Which are considered two great laws of forensics?

Answer 21

Never work with the original, preserve the state it was found in.

Question 22

What determined the murderer of Robert eidman?

Answer 22

touch DNA from the lining of Eidman’s pocket

Question 23

People vs holcolm is a criminal case? true or false

Answer 23

True

Question 24

What two departments should you get authorization from before any search and seizure?

Answer 24

Legal and HR

Question 25

What is an example of not digital evidence?

Answer 25

Document from a printer

Question 26

Chain-of-custody?

Answer 26

Chain of custody is a documented record of who had possession and control over a particular piece of evidence at every moment until that object is entered into evidence in the courtroom.

Question 27

chain-of-evidence?

Answer 27

Includes the search and seizure of that evidence and the cataloging of that evidence, as well as the chain of custody of that evidence once it has been obtained.

Question 28

Digital evidence is not considered fragile true or false?

Answer 28

False

Question 29

What is a magic byte?

Answer 29

Indicators at the beginning of a hash that tell you what type of file it is.

Question 30

Which of the following would not be considered anti forensics techniques?
Encryption
Disk Wiping
Compression
preventing mace values from changing

Answer 30

preventing mace values from changing

Question 31

What is anti-forensics?

Answer 31

Anti-forensics is the art of destroying data

Question 32

What are the two main types of evidence?

Answer 32

Relevant (what is relevant to the case) and admissible (what is used in court)

Question 33

What are Invisible attributes called?

Answer 33

Meta data

Question 34

Difference between live collection and dead collection?

Answer 34

Live is when system is running, dead is when system is off

Question 35

An incident responder is not concerned with what?

Answer 35

Determining motive

Question 36

What attempting to solve a crime what would you use to create a hypothesis?

Answer 36

the Scientific method

Question 37

According to first responders what should not be done during a crime scene?

Answer 37

Turning something on if its off

Question 38

Which of the following peripherals is most likely to contain digital evidence?
Laptop
Computer
Printer
Hard Drive

Answer 38

Printer

The only peripheral listed.

Question 39

What is the Magic byte of 5a4d?

Answer 39

An executable

Question 40

Federal rules of evidence should be used by state level? yes or no

Answer 40

Yes

Question 41

What is best evidence?

Answer 41

The best evidence rule applies when a party wants to admit as evidence the contents of a document at trial but the original document is not available.

Question 42

What is a warrant?

Answer 42

probable cause or signed allowance for search and seizure or whatever is listed on the warrant

Question 43

What is the HIPO (Hierarchical Input-Process-Output) diagram?

Answer 43

Guidelines for digital forensics investigators.

1. Pre-Investigation
2. Preparing the Investigation
3. Search and Seizure
4. Analyzing the Evidence
5. Reporting and Testifying
6. Post-Investigation

Question 44

What do Pre-investigation, preparing the investigation, and search and seizure involve?

Answer 44

Pre-investigation-Learn requirements for case, build forensic capabilities, forensic hardware and methods

Preparing the investigation-Info about the case, develop hypothesis and plans, plan to obtain digital evidence

Search and seizure- Forensically sound seizure of evidence

Question 45

What do
Analyzing the Evidence
Reporting and Testifying
Post-Investigation
involve?

Answer 45

Analyzing the Evidence- Using captured evidence and creating an analysis based on your hypotheses, getting results of an analysis that has value

Reporting and Testifying- Final report is written and testimony is given

Post-Investigation- Analyze notes taken and the process used to update investigative methods and risks

Question 46

Which is used for having a smartphone not remotely wiped?

Answer 46

Faraday bag

Question 47

When a system is powered on but screen is blank what should you do?

Answer 47

Move the mouse

Question 48

If a warrant isn’t quick enough and it’s a dangerous circumstance can you go without a warrant?

Answer 48

Yes

Question 49

A forensic image of a hard drive image is created how?

Answer 49

bit by bit

Question 50

Which is not included in an investigation toolkit?

Answer 50

Magnets

Question 51

Drunk driver can be sued with tort law? True or False

Answer 51

True

Question 52

As a member of corporate what do you need before acting?

Answer 52

Authorization

Question 53

What helps in keeping records of an investigation and writing a findings report?

Answer 53

photographs and sketches

Question 54

When evidence changes hands?

Answer 54

Change of custody

Question 55

What is not in the Analyzing the evidence phase?

Answer 55

Testifying in court

Question 56

Who can assess what the evidence proves to the court?

Answer 56

expert witness

Question 57

Before touching a laptop what should you do?

Answer 57

Photograph it

Question 58

Which type of form would be completed as they collect things identified as evidence?

Answer 58

Chain-of-evidence