Networking Chapter 4 List The Responsibilities Technical Advisors 44 Verify

Authors: Amelia Phillips, Bill Nelson, Christopher Steuart

Name:
Class:
Date:
Indicate whether the statement is true or false.
1. To investigate employees suspected of improper use of company digital assets, a company policy statement about
misuse of digital assets allows corporate investigators to conduct covert surveillance with little or no cause, and access
company computer systems and digital devices without a warrant.
a. True
b. False
2. An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal injury, such as
finding a bomb threat in an e-mail.
a. True
b. False
3. The Fourth Amendment states that only warrants "particularly describing the place to be searched and the persons or
things to be seized" can be issued. The courts have determined that this phrase means a warrant can authorize a search of a
specific place for anything.
a. True
b. False
4. State public disclosure laws apply to state records, but FOIA allows citizens to request copies of public documents
created by federal agencies.
a. True
b. False
5. Computer-stored records are data the system maintains, such as system log files and proxy server logs.
a. True
b. False
Indicate the answer choice that best completes the statement or answers the question.
6. _______ would not be found in an initial-response field kit.
a. Computer evidence bags (antistatic bags)
b. Leather gloves and disposable latex gloves
c. A digital camera with extra batteries or 35mm camera with film and flash
d. External USB devices or a portable hard drive
7. You must abide by the _______ while collecting evidence.
a. Fourth Amendment
b. Federal Rules of Evidence
c. state's Rules of Evidence
d. Fifth Amendment
8. In cases that involve dangerous settings, what kind of team should be used to recover evidence from the scene?
a. B-Team
b. HAZMAT
c. CDC First Responders
d. SWAT
9. What does FRE stand for?
a. Federal Rules of Evidence
b. Federal Regulations for Evidence
c. Federal Rights for Everyone
d. Federal Rules for Equipment
10. Which of the following is not done when preparing for a case?
a. Describe the nature of the case.
b. Identify the type of OS.
c. Set up covert surveillance.
d. Determine whether you can seize the computer or digital device.
11. The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires
sufficient _______.
a. probable cause
b. due diligence
c. accusations
d. reliability
12. Which court case established that it is not necessary for computer programmers to testify in order to authenticate
computer-generated records?
a. United States v. Wong
b. United States v. Carey
c. United States v. Salgado
d. United States v. Walser
13. _______ is a common cause for lost or corrupted evidence.
a. Public access
b. Not having enough people on the processing team
c. Having an undefined security perimeter
d. Professional curiosity
14. _______ is the term for a statement that is made by someone other than an actual witness to the event while testifying
at a hearing.
a. Second-party evidence
b. Rumor
c. Fiction
d. Hearsay
15. A _______ is not a private sector organization.
a. small to medium business
b. large corporation
c. non-government organization
d. hospital
16. If practical, _______ team(s) should collect and catalog digital evidence at a crime scene or lab.
a. two
b. five
c. one
d. three
17. What should you do while copying data on a suspect's computer that is still live?
a. Open files to view contents.
b. Make notes regarding everything you do.
c. Conduct a Google search of unknown extensions using the computer.
d. Check Facebook for additional suspects.
18. _______ does not recover data in free or slack space.
a. Raw format acquisition
b. Live acquisition
c. Static acquisition
d. Sparse acquisition
19. The term _______ describes rooms filled with extremely large disk systems that are typically used by large business
data centers.
a. storage room
b. server farm
c. data well
d. storage hub
20. What type of media has a 30-year lifespan?
a. DVD-Rs
b. DLT magnetic tape
c. hard drive
d. USB thumb drive
21. _______ are a special category of private sector businesses, due to their ability to investigate computer abuse
committed by employees only, but not customers.
a. Hospitals
b. ISPs
c. Law firms
d. News networks
22. The term _______ is used to describe someone who might be a suspect or someone with additional knowledge that
can provide enough evidence of probable cause for a search warrant or arrest.
a. criminal
b. potential data source
c. person of interest
d. witness
23. As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state?
a. The power cable should be pulled.
b. The system should be shut down gracefully.
c. The power should be left on.
d. The decision should be left to the Digital Evidence First Responder (DEFR).
24. Which system below can be used to quickly and accurately match fingerprints in a database?
a. Fingerprint Identification Database (FID)
b. Systemic Fingerprint Database (SFD)
c. Automated Fingerprint Identification System (AFIS)
d. Dynamic Fingerprint Matching System (DFMS)
25. When seizing digital evidence in criminal investigations, whose standards should be followed?
a. U.S. DOJ
b. ISO/IEC
c. IEEE
d. ITU
Enter the appropriate word(s) to complete the statement.
26. In the United States, ____________ and similar agencies must comply with state public disclosure and federal
Freedom of Information Act (FOIA) laws, and make certain documents available as public records.
27. ________________ can be any information stored or transmitted in digital form.
28. The ____________________ doesn't extend to supporting a general exploratory search from one object to another
unless something incriminating is found.
29. Instead of producing hard disks in court, attorneys can submit ______ copies of files as evidence.
30. The ______________ rule states that to prove the content of a written document, recording, or photograph, ordinarily
the original writing, recording, or photograph is required.
Match the terms with the correct definitions.
a. Computer-generated records
b. Keyed hash set
c. Cyclic Redundancy Check
d. Message Digest 5
e. Computer-stored records
f. Probable cause
g. Extensive-response field kit
h. Sniffing
i. Nonkeyed hash set
j. Initial-response field kit
31. Data the system maintains, such as system log files and proxy server logs
32. Electronic data that a person creates and saves on a computer or digital device, such as a spreadsheet or
word-processing document
33. A mathematical algorithm that translates a file into a unique hexadecimal value
34. A value created by an encryption utility's secret key
35. A unique hash number generated by a software tool and used to identify files
36. An algorithm that produces a hexadecimal value of a file or storage media; used to determine whether data has
changed
37. Detecting data transmissions to and from a suspect's computer and a network server to determine the type of data
being transmitted over a network
38. A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics
analysis in the field
39. A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene
involving computers
40. The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search,
or obtain a warrant for arrest
41. After you record the scene and shut down the system, you bag and tag the evidence. Describe the steps to follow for
bagging and tagging evidence.
42. The plain view doctrine states that objects falling in the direct sight of an officer who has the right to be in a location
are subject to seizure without a warrant and can be introduced into evidence. Provide the three criteria that must be met in
order for the plain view doctrine to apply.
43. At a scene, technical advisors can help direct other investigators to collect evidence correctly. List the responsibilities
of technical advisors.
44. To verify data integrity, different methods of obtaining a unique identity for file data have been developed. Explain
how you can use Cyclic Redundancy Check (CRC) and Message Digest 5 (MD5) for this purpose.
45. Describe the steps that must be taken to create image files.
46. Consistent practices help verify your work and enhance your credibility, so you must handle all evidence consistently.
Explain why it's important to apply the same security and accountability controls for evidence in a civil lawsuit as in a
major crime.
47. Like most common law nations, the United States excludes hearsay as spelled out in the FRE Article VIII, Rule 802.
Rules 803 and 804 cite more than 20 exceptions for when hearsay can be used. Provide five examples that apply to digital
forensics investigations.
48. Describe the steps to take if you discover evidence of a crime during a company policy investigation.
49. With digital evidence, you need to consider how and on what type of media to save it and what type of storage device
is recommended to secure it. The media you use to store digital evidence usually depends on how long you need to keep
it. If you investigate criminal matters, store the evidence as long as you can. Name five ideal media types on which to
store digital data.
50. Compare and contrast hashing methods using a keyed hash set and a nonkeyed hash set.


Copyright ©2022 All rights reserved. | CoursePaper is not sponsored or endorsed by any college or university.