Networking 978-0123742681 Chapter 16 Quiz

Unlock access to all the studying documents.

View Full Document

Chapter 16

Applying Forensic Science to Computers

On completion of this chapter the student will:

– Be able to apply those forensic methodologies discussed earlier in this book to stand-

alone Computer Systems. The methodologies include:

o Preparation

o Survey

– Recognize the value of data reduction.

– Be aware of the process of examining a piece of evidence.

– Recognize that data recovery procedures may need to be applied to digital evidence.

Computer technology continues to evolve rapidly but the fundamental components have

Multiple Choice Questions

1. Which of the following is NOT part of the set of forensic methodologies referenced in

this book?

2. Preparation planning prior to processing a crime scene should include:

3. The forensic crime scene processing kit should include all of the following, EXCEPT:

4. When processing the digital crime scene, one aspect of surveying for potential sources of

digital evidence is:

kit

5. The _____________ documentation specifies who handled the evidence, when, where,

and for what purpose.

6. When documenting a crime scene, the computer and surrounding area should be

photographed, detailed sketches should be made, and copious notes should be taken,

because:

7. In regard to preservation, in a child pornography investigation, which of the following

should be collected?

8. If it is determined that some hardware should be collected, but there is no compelling

need to collect everything, the most sensible approach is to employ:

9. A crime scene investigator decides to collect the entire computer. In addition, he decides

to collect all of the peripheral devices associated with that computer. What reason could

he give to justify this?

10. According to the us Federal guidelines for searching and seizing computers, safe

temperature ranges for most magnetic media are:

11. Which of the following is NOT an artifact that will be irrevocably lost if the computer is

shut down?

12. Which of the following is NOT one of the recommended approaches to preserving digital

evidence?

13. o standard for making bitstream copies is:

14. Regarding the examination of a piece of digital evidence, which of the following is NOT

one of the fundamental questions that need to be answered?

15. The file signature of a Microsoft Word document is an example of what type of

characteristic?

True or False Questions

1. Since computer seizures usually happen pretty much the same way, there is no real need

to do any pre-planning.

2. If possible, prior to entering a crime scene, it is useful to try and determine what kind of

computer equipment to expect.

3. A forensic crime scene processing kit should contain quantities of those items used to

process computer equipment.

4. When surveying the crime scene for hardware, the investigator should focus on the

computer systems since that is where most of the important evidence will be.

5. Chain of custody documents record who handled the evidence, when, where, and for

what purpose.

6. It is not prudent to document the evidence more than one way.

7. The severity and the category of cybercrime largely determine how much digital evidence

is collected.

8. Under independent component doctrine, if a computer system must remain in place but it

is necessary to take the original hard drive, a reasonable compromise is to duplicate the

hard drive, restoring the contents onto a similar hard drive that can be placed in the

computer, and to take the original into evidence.

9. At a crime scene, digital evidence will be found on the computer, on mobile devices, and

on shelves, bookcases, and the area surrounding the computer. Therefore, there is no

need to search the garbage for evidence.

10. When a computer is to be moved or stored, evidence tape should be put around the main

components of the computer in such a way that any attempt to open the casing or use the

computer will be evident.

11. The updated ACPO recommendation for seizing a running computer is to pull the

electrical cord from the back of the computer.

12. A sound forensic practice is to make at least two copies of digital evidence and to

confirm that at least one of the copies was successful and can be accessed on another

computer.

13. Given the risks of collecting a few files only, in most cases it is advisable to preserve the

full contents of the disk.

14. Computers used to store and analyze digital evidence should be connected to the Internet,

so that online research can be conducted.

15.

Essay Questions

1. List the class and individual characteristics of each of the following:

– A JPEG file

– A thumb drive

– A user manual with handwritten notes

2. You have arrived at a crime scene containing one computer, one printer, connecting cables,

connection to a phone line, and a shelf above the computer containing books, user manuals, and

printouts.

What is your first step in processing the crime scene?

Would you seize the computer? If so, would you seize the printer?

What communication issues do you see with the above installation?