Chapter 16
Applying Forensic Science to Computers
On completion of this chapter the student will:
Be able to apply those forensic methodologies discussed earlier in this book to stand-alone computer systems. The methodologies include:
o Preparation
o Survey
Recognize the value of data reduction.
Be aware of the process of examining a piece of evidence.
Recognize that data recovery procedures may need to be applied to digital evidence.
Computer technology continues to evolve rapidly but the fundamental components have
Multiple Choice Questions
1. Which of the following is NOT part of the set of forensic methodologies referenced in
this book?
2. Preparation planning prior to processing a crime scene should include:
3. The forensic crime scene processing kit should include all of the following, EXCEPT:
4. When processing the digital crime scene, one aspect of surveying for potential sources of
digital evidence is:
5. The _____________ documentation specifies who handled the evidence, when, where,
and for what purpose.
6. When documenting a crime scene, the computer and surrounding area should be
photographed, detailed sketches should be made, and copious notes should be taken,
because:
7. In regard to preservation, in a child pornography investigation, which of the following
should be collected?
8. If it is determined that some hardware should be collected, but there is no compelling
need to collect everything, the most sensible approach is to employ:
9. A crime scene investigator decides to collect the entire computer. In addition, he decides
to collect all of the peripheral devices associated with that computer. What reason could
he give to justify this?
10. According to the U.S. Federal guidelines for searching and seizing computers, safe
temperature ranges for most magnetic media are:
11. Which of the following is NOT an artifact that will be irrevocably lost if the computer is
shut down?
12. Which of the following is NOT one of the recommended approaches to preserving digital
evidence?
13. o standard for making bitstream copies is:
14. Regarding the examination of a piece of digital evidence, which of the following is NOT
one of the fundamental questions that need to be answered?
15. The file signature of a Microsoft Word document is an example of what type of
characteristic?
True or False Questions
1. Since computer seizures usually happen pretty much the same way, there is no real need
to do any pre-planning.
2. If possible, prior to entering a crime scene, it is useful to try to determine what kind of
computer equipment to expect.
3. A forensic crime scene processing kit should contain quantities of those items used to
process computer equipment.
4. When surveying the crime scene for hardware, the investigator should focus on the
computer systems since that is where most of the important evidence will be.
5. Chain of custody documents record who handled the evidence, when, where, and for
what purpose.
6. It is not prudent to document the evidence more than one way.
7. The severity and the category of cybercrime largely determine how much digital evidence
is collected.
8. Under independent component doctrine, if a computer system must remain in place but it
is necessary to take the original hard drive, a reasonable compromise is to duplicate the
hard drive, restoring the contents onto a similar hard drive that can be placed in the
computer, and to take the original into evidence.
9. At a crime scene, digital evidence will be found on the computer, on mobile devices, and
on shelves, bookcases, and the area surrounding the computer. Therefore, there is no
need to search the garbage for evidence.
10. When a computer is to be moved or stored, evidence tape should be put around the main
components of the computer in such a way that any attempt to open the casing or use the
computer will be evident.
11. The updated ACPO recommendation for seizing a running computer is to pull the
electrical cord from the back of the computer.
12. A sound forensic practice is to make at least two copies of digital evidence and to
confirm that at least one of the copies was successful and can be accessed on another
computer.
13. Given the risks of collecting a few files only, in most cases it is advisable to preserve the
full contents of the disk.
14. Computers used to store and analyze digital evidence should be connected to the Internet,
so that online research can be conducted.
15.
Essay Questions
1. List the class and individual characteristics of each of the following:
A JPEG file
A thumb drive
A user manual with handwritten notes
2. You have arrived at a crime scene containing one computer, one printer, connecting cables,
connection to a phone line, and a shelf above the computer containing books, user manuals, and
printouts.
What is your first step in processing the crime scene?
Would you seize the computer? If so, would you seize the printer?
What communication issues do you see with the above installation?