Some Reviews for Midterm
_T__ 1. By the 1970s, electronic crimes were increasing, especially in the financial sector.
_T__ 2. To be a successful computer forensics investigator, you must be familiar with more than one computing
_F__ 3. Computer investigations and forensics fall into the same category: public investigations.
_F__ 4. The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
_T__ 5. After a judge approves and signs a search warrant, it’s ready to be executed, meaning you can collect
evidence as defined by the warrant.
_T__ 6. Chain of custody is also known as chain of evidence.
_T__ 7. Employees surfing the Internet can cost companies millions of dollars.
_F__ 8. You cannot use both multi-evidence and single-evidence forms in your investigation.
_T__ 9. Many attorneys like to have printouts of the data you have recovered, but printouts can present problems
when you have log files with several thousand pages of data.
_F__ 10. A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever
_T__ 11. Performing a forensic analysis of a disk 200 GB or larger can take several days and often involves running
imaging software overnight and on weekends.
_F__ 12. Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase
_F__ 13. If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to
be repaired immediately.
_T__ 14. A good working practice is to use less powerful workstations for mundane tasks and multipurpose
workstations for the higher-end analysis tasks.
_T__ 15. Computing systems in a forensics lab should be able to process typical cases in a timely manner.
_F__ 16. One advantage with live acquisitions is that you are able to perform repeatable processes.
_F__ 17. The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your
evidence image file.
_T__ 18. Many acquisition tools don’t copy data in the host protected area (HPA) of a disk drive.
_T__ 19. FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing.
_F__ 20. Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.
_F__ 21. ISPs can investigate computer abuse committed by their customers.
_T__ 22. If a corporate investigator follows police instructions to gather additional evidence without a search warrant
after you have reported the crime, you run the risk of becoming an agent of law enforcement.
_T__ 23. A judge can exclude evidence obtained from a poorly worded warrant.
_T__ 24. The reason for the standard practice of securing an incident or crime scene is to expand the area of control
beyond the scene’s immediate location.
____ 25. Corporate investigators always have the authority to seize all computer equipment during a corporate
____ 26. The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence.
a. Federal Rules of Evidence (FRE)
b. Department of Defense Computer Forensics Laboratory (DCFL)
d. Computer Analysis and Response Team (CART)
____ 27. ____ involves recovering information from a computer that was deleted by mistake or lost during a power
surge or server crash, for example.
a. Data recovery c. Computer forensics
b. Network forensics d. Disaster recovery
____ 28. ____ involves preventing data loss by using backups, uninterruptible power supply (UPS) devices, and
a. Computer forensics c. Disaster recovery
b. Data recovery d. Network forensics
____ 29. The ____ group manages investigations and conducts forensic analysis of systems suspected of containing
evidence related to an incident or a crime.
a. network intrusion detection c. incident response
b. computer investigations d. litigation
____ 30. By the early 1990s, the ____ introduced training on software for forensics investigations.
a. IACIS c. CERT
b. FLETC d. DDBIA
____ 31. In the Pacific Northwest, ____ meets monthly to discuss problems that law enforcement and corporations
a. IACIS c. FTK
b. CTIN d. FLETC
____ 32. In a ____ case, a suspect is tried for a criminal offense, such as burglary, murder, or molestation.
a. corporate c. criminal
b. civil d. fourth amendment
____ 33. In general, a criminal case follows three stages: the complaint, the investigation, and the ____.
a. litigation c. blotter
b. allegation d. prosecution
____ 34. Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a
crime has been committed.
a. litigation c. blotter
b. allegation d. prosecution
____ 35. In a criminal or public case, if you have enough information to support a search warrant, the prosecuting
attorney might direct you to submit a(n) ____.
a. blotter c. litigation report
b. exhibit report d. affidavit
Computer Forensic- Midterm http://quizlet.com/12459315/computer-forensics-flash-cards/
____ 36. It’s the investigator’s responsibility to write the affidavit, which must include ____ (evidence) that support the
allegation to justify the warrant.
a. litigation c. exhibits
b. prosecution d. reports
____ 37. The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.
a. notarized c. recorded
b. examined d. challenged
____ 38. Published company policies provide a(n) ____ for a business to conduct internal investigations.
a. litigation path c. line of allegation
b. allegation resource d. line of authority
____ 39. A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual
private network (VPN) and informs end users that the organization reserves the right to inspect computer
systems and network traffic at will.
a. warning banner c. line of authority
b. right of privacy d. right banner
____ 40. A(n) ____ is a person using a computer to perform routine tasks other than systems administration.
a. complainant c. end user
b. user banner d. investigator
____ 41. Without a warning banner, employees might have an assumed ____ when using a company’s computer
systems and network accesses.
a. line of authority c. line of privacy
b. right of privacy d. line of right
____ 42. In addition to warning banners that state a company’s rights of computer ownership, businesses should
specify a(n) ____ who has the power to conduct investigations.
a. authorized requester c. line of right
b. authority of line d. authority of right
____ 43. Most computer investigations in the private sector involve ____.
a. e-mail abuse c. Internet abuse
b. misuse of computing assets d. VPN abuse
____ 44. Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative
agent delivers evidence to a law enforcement officer.
a. silver-tree c. silver-platter
b. gold-tree d. gold-platter
____ 45. Your ____ as a computer investigation and forensics analyst is critical because it determines your credibility.
a. professional policy c. line of authority
b. oath d. professional conduct
____ 46. Maintaining ____ means you must form and sustain unbiased opinions of your cases.
a. confidentiality c. integrity
b. objectivity d. credibility
____ 47. The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court.
a. acquisition plan c. evidence path
b. chain of custody d. evidence custody
____ 48. When preparing a case, you can apply ____ to problem solving.
a. standard programming rules c. standard systems analysis steps
b. standard police investigation d. bottom-up analysis
____ 49. The list of problems you normally expect in the type of case you are handling is known as the ____.
a. standard risk assessment c. standard problems form
b. chain of evidence d. problems checklist form
____ 50. The basic plan for your investigation includes gathering the evidence, establishing the ____, and performing
the forensic analysis.
a. risk assessment c. chain of custody
b. nature of the case d. location of the evidence
____ 51. A(n) ____ helps you document what has and has not been done with both the original evidence and forensic
copies of the evidence.
a. evidence custody form c. initial investigation form
b. risk assessment form d. evidence handling form
____ 52. Use ____ to secure and catalog the evidence contained in large computer components.
a. Hefty bags c. paper bags
b. regular bags d. evidence bags
____ 53. ____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or
a. An antistatic wrist band c. An antistatic pad
b. Padding d. Tape
____ 54. ____ investigations typically include spam, inappropriate and offensive message content, and harassment or
a. VPN c. E-mail
b. Internet d. Phone
____ 55. To conduct your investigation and analysis, you must have a specially configured personal computer (PC)
known as a ____.
a. mobile workstation c. forensic lab
b. forensic workstation d. recovery workstation
____ 56. You can use ____ to boot to Windows without writing any data to the evidence disk.
a. a SCSI boot up disk c. a write-blocker
b. a Windows boot up disk d. Windows XP
____ 57. To begin conducting an investigation, you start by ____ the evidence using a variety of methods.
a. copying c. opening
b. analyzing d. reading
____ 58. A ____ is a bit-by-bit copy of the original storage medium.
a. preventive copy c. backup copy
b. recovery copy d. bit-stream copy
____ 59. A bit-stream image is also known as a(n) ____.
a. backup copy c. custody copy
b. forensic copy d. evidence copy
____ 60. To create an exact image of an evidence disk, copying the ____ to a target work disk that’s identical to the
evidence disk is preferable.
a. removable copy c. bit-stream image
b. backup copy d. backup image
____ 61. ____ from Technology Pathways is a forensics data analysis tool. You can use it to acquire and analyze data
from several different file systems.
a. Guidance EnCase c. DataArrest SnapCopy
b. NTI SafeBack d. ProDiscover Basic
____ 62. Forensics tools such as ____ can retrieve deleted files for use as evidence.
a. ProDiscover Basic c. FDisk
b. ProDelete d. GainFile
____ 63. When analyzing digital evidence, your job is to ____.
a. recover the data c. copy the data
b. destroy the data d. load the data
____ 64. ____ can be the most time-consuming task, even when you know exactly what to look for in the evidence.
a. Evidence recovery c. Data analysis
b. Data recovery d. Evidence recording
____ 65. When you write your final report, state what you did and what you ____.
a. did not do c. wanted to do
b. found d. could not do
____ 66. In any computing investigation, you should be able to repeat the steps you took and produce the same results.
This capability is referred to as ____.
a. checked values c. evidence backup
b. verification d. repeatable findings
____ 67. After you close the case and make your final report, you need to meet with your department or a group of
fellow investigators and ____.
a. critique the case c. present the case
b. repeat the case d. read the final report
____ 68. A ____ is where you conduct your investigations, store evidence, and do most of your work.
a. forensic workstation c. storage room
b. computer forensics lab d. workbench
____ 69. Lab costs can be broken down into daily, ____, and annual expenses.
a. weekly c. bimonthly
b. monthly d. quarterly
____ 70. ____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
a. HTCN reports c. Uniform crime reports
b. IDE reports d. ASCLD reports
____ 71. Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Windows
a. NTFS c. FAT24
b. ext3 d. ext2
____ 72. ____ was created by police officers who wanted to formalize credentials in computing investigations.
a. HTCN c. TEMPEST
b. NISPOM d. IACIS
____ 73. IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer
a. 2 c. 4
b. 3 d. 5
____ 74. What HTCN certification level requires candidates have three years of investigative experience in any
discipline from law enforcement or corporate or have a college degree with one year of experience in
a. Certified Computer Crime Investigator, Basic Level
b. Certified Computer Crime Investigator, Advanced Level
c. Certified Computer Forensic Technician, Basic
d. Certified Computer Forensic Technician, Advanced
____ 75. To preserve the integrity of evidence data, your lab should function as an evidence locker or safe, making it a
____ or a secure storage safe.
a. secure workstation c. protected PC
b. secure workbench d. secure facility
____ 76. The EMR from a computer monitor can be picked up as far away as ____ mile.
a. 1/4 c. 3/4
b. 1/2 d. 1
____ 77. Defense contractors during the Cold War were required to shield sensitive computing systems and prevent
electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special
computer-emission shielding ____.
a. TEMPEST c. NISPOM
b. RAID d. EMR
____ 78. A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external
a. gypsum c. wood
b. steel d. expanded metal