Guide to Computer Forensics and Investigations, 4e, 1435498836
Ch. 4 Solutions-1
Chapter 4 Solutions
Review Questions
1. Corporate investigations are typically easier than law enforcement investigations for
which of the following reasons?
2. In the United States, if a company publishes a policy stating that it reserves the right
to inspect computing assets at will, a corporate investigator can conduct covert
surveillance on an employee with little cause. True or False?
3. If you discover a criminal act, such as murder or child pornography, while
investigating a corporate policy abuse, the case becomes a criminal investigation and
should be referred to law enforcement. True or False?
4. As a corporate investigator, you can become an agent of law enforcement when
which of the following happens? (Choose all that apply.)
5. The plain view doctrine in computer searches is well-established law. True or False?
6. If a suspect computer is found in an area that might have toxic chemicals, you must
do which of the following? (Choose all that apply.)
7. What are the three rules for a forensic hash?
8. In forensic hashes, a collision occurs when ____________________.
9. List three items that should be in an initial-response field kit.
Answers can include small computer toolkit, large-capacity drive, IDE ribbon cables, forensic
10. When you arrive at the scene, why should you extract only those items you need to
acquire evidence?
11. Computer peripherals or attachments can contain DNA evidence. True or False?
12. If a suspect computer is running Windows 7, which of the following can you perform
safely?
13. Describe what should be videotaped or sketched at a digital crime scene.
14. Which of the following techniques might be used in covert surveillance? (Choose all
15. Commingling evidence means what in a corporate setting?
16. List two hashing algorithms commonly used for forensics purposes.
MD5 and SHA-1
17. Small companies rarely need investigators. True or False?
18. If a company doesn’t distribute a computing use policy stating an employer’s right to
inspect employees’ computers freely, including e-mail and Web use, employees have
an expectation of privacy. True or False?
19. You have been called to the scene of a fatal car crash where a laptop computer is still
running. What type of field kit should you take with you?
20. You should always answer questions from onlookers at a crime scene. True or False?
Hands-On Projects
Hands-On Project 4-1
Students should compare what’s in the detectives’ reports and the combined affidavit and warrant.
Be sure they state their reasons for agreeing or disagreeing with the result.
Hands-On Project 4-2
Students’ answers should include the following:
• State that they have contacted their immediate management and Legal Department to
inform them of the facts stated in the project description.
• List the steps they have taken to preserve and secure the evidence.
Guide to Computer Forensics and Investigations, 4e, 1435498836
Ch. 4 Solutions-3
Hands-On Project 4-3
Students should give screen shots showing what they found on Terry’s thumbdrive.
Hands-On Project 4-4
Hands-On Project 4-5
Case Projects
Case Project 4-1
Students should outline the steps for coordinating with the company’s Investigation Department to
preserve evidence while they collect enough information for probable cause to obtain a search
warrant. Second, for a company with no internal Investigation Department, students should outline
Case Project 4-2
Students’ answers should include a definition of the plain view doctrine and state that using
Case Project 4-3
Students’ answers should include detailed instructions on how the spouse should report the crime
to school administrators and outline how the school’s administrators can inspect the computer
under guidance from the school district’s Legal Department. An independent investigator can’t
Case Project 4-4
Students’ answers should include a list of forensic tools and supplies (such as those listed in Table
4-1) needed to preserve magnetic media at the alleged crime scene. Their plans should consider