Question 1

The file signature of a Microsoft Word document is an example of what type of characteristic?

Accepted Answer

A)  An individual characteristic 
B)  A class characteristic 
C)  An intermediate characteristic 
D)  A medial characteristic 
A)  An individual characteristic 
B)  A class characteristic 
C)  An intermediate characteristic 
D)  A medial characteristic B

Question 2

List the class and individual characteristics of each of the following:
- A JPEG file
- A thumb drive
- A user manual with handwritten notes

Accepted Answer

Class characteristics are generally true for a particular object. Individual characteristics are how that object has been changed by the user.

Question 3

Regarding the examination of a piece of digital evidence, which of the following is NOT one of the fundamental questions that need to be answered?

Accepted Answer

A)  What is it (identification)? 
B)  What classifications distinguish it? 
C)  Where did it come from? 
D)  What is its value? 
A)  What is it (identification)? 
B)  What classifications distinguish it? 
C)  Where did it come from? 
D)  What is its value? D

Question 4

Given the risks of collecting a few files only, in most cases it is advisable to preserve the full contents of the disk.

Accepted Answer

A) True 
 B)False

Question 5

Preparation planning prior to processing a crime scene should include:

Accepted Answer

A)  What computer equipment to expect at the site 
B)  What the systems are used for 
C)  Whether a network is involved 
D)  All of the above 
A)  What computer equipment to expect at the site 
B)  What the systems are used for 
C)  Whether a network is involved 
D)  All of the above

Question 6

When processing the digital crime scene, one aspect of surveying for potential sources of digital evidence is:

Accepted Answer

A)  Recognizing relevant hardware such as computers, removable media, etc. 
B)  Determining if electrical wiring is capable of supporting forensic machines 
C)  Confirming that the operating environment is suitable for electronic equipment 
D)  Making sure there is sufficient space to set up the forensic crime scene processing kit 
A)  Recognizing relevant hardware such as computers, removable media, etc. 
B)  Determining if electrical wiring is capable of supporting forensic machines 
C)  Confirming that the operating environment is suitable for electronic equipment 
D)  Making sure there is sufficient space to set up the forensic crime scene processing kit

Question 7

If it is determined that some hardware should be collected, but there is no compelling need to collect everything, the most sensible approach is to employ:

Accepted Answer

A)  Nearest reach doctrine 
B)  Direct connectivity doctrine 
C)  Independent component doctrine 
D)  Slice-the-pie doctrine 
A)  Nearest reach doctrine 
B)  Direct connectivity doctrine 
C)  Independent component doctrine 
D)  Slice-the-pie doctrine

Question 8

It is not prudent to document the evidence more than one way.

Accepted Answer

A) True 
 B)False

Question 9

According to the us Federal guidelines for searching and seizing computers, safe temperature ranges for most magnetic media are:

Accepted Answer

A)  60-80 degrees Fahrenheit 
B)  50-90 degrees centigrade 
C)  50-90 degrees Fahrenheit 
D)  60-80 degrees centigrade 
A)  60-80 degrees Fahrenheit 
B)  50-90 degrees centigrade 
C)  50-90 degrees Fahrenheit 
D)  60-80 degrees centigrade

Question 10

When a computer is to be moved or stored, evidence tape should be put around the main components of the computer in such a way that any attempt to open the casing or use the computer will be evident.

Accepted Answer

A) True 
 B)False

Question 11

A forensic crime scene processing kit should contain quantities of those items used to process computer equipment.

Accepted Answer

A) True 
 B)False

Question 12

Computers used to store and analyze digital evidence should be connected to the Internet, so that online research can be conducted.

Accepted Answer

A) True 
 B)False

Question 13

A crime scene investigator decides to collect the entire computer. In addition, he decides to collect all of the peripheral devices associated with that computer. What reason could he give to justify this?

Accepted Answer

A)  It is especially important to collect peripheral hardware related to the type of digital evidence one would expect to find in the computer. 
B)  Since the computer is being collected, the suspect has no need for the peripherals. 
C)  The presence of the peripheral devices is essential to imaging the suspect hard drive. 
D)  None of the above. 
A)  It is especially important to collect peripheral hardware related to the type of digital evidence one would expect to find in the computer. 
B)  Since the computer is being collected, the suspect has no need for the peripherals. 
C)  The presence of the peripheral devices is essential to imaging the suspect hard drive. 
D)  None of the above.

Question 14

In regard to preservation, in a child pornography investigation, which of the following should be collected?

Accepted Answer

A)  Photographs 
B)  Papers 
C)  Digital cameras 
D)  All of the above 
A)  Photographs 
B)  Papers 
C)  Digital cameras 
D)  All of the above

Question 15

The forensic crime scene processing kit should include all of the following, EXCEPT:

Accepted Answer

A)  Evidence bags, tags, and other items to label and package evidence 
B)  Forensically sanitized hard drives to store acquired data 
C)  Compilers for developing forensic tools on site 
D)  Hardware write blockers 
A)  Evidence bags, tags, and other items to label and package evidence 
B)  Forensically sanitized hard drives to store acquired data 
C)  Compilers for developing forensic tools on site 
D)  Hardware write blockers

Question 16

Since computer seizures usually happen pretty much the same way, there is no real need to do any pre-planning.

Accepted Answer

A) True 
 B)False

Question 17

The reason UNIX "dd" is considered a de facto standard for making bitstream copies is:

Accepted Answer

A)  The majority of tools for examining digital evidence can interpret bitstream copies. 
B)  "dd" stands for "digital data" and was developed for making forensic copies. 
C)  "dd," although a UNIX tool, is universally able to traverse Windows file systems. 
D)  The developers of "dd" have made arrangements with other forensic software companies. 
A)  The majority of tools for examining digital evidence can interpret bitstream copies. 
B)  "dd" stands for "digital data" and was developed for making forensic copies. 
C)  "dd," although a UNIX tool, is universally able to traverse Windows file systems. 
D)  The developers of "dd" have made arrangements with other forensic software companies.

Question 18

When documenting a crime scene, the computer and surrounding area should be photographed, detailed sketches should be made, and copious notes should be taken, because:

Accepted Answer

A)  The more evidence collected, the stronger the case. 
B)  This provides a record for what to look for when you return for the second visit. 
C)  It is prudent to document the same evidence in several ways. 
D)  All of the above. 
A)  The more evidence collected, the stronger the case. 
B)  This provides a record for what to look for when you return for the second visit. 
C)  It is prudent to document the same evidence in several ways. 
D)  All of the above.

Question 19

Which of the following is NOT part of the set of forensic methodologies referenced in this book?

Accepted Answer

A)  Preparation 
B)  Interdiction 
C)  Documentation 
D)  Reconstruction 
A)  Preparation 
B)  Interdiction 
C)  Documentation 
D)  Reconstruction

Question 20

The severity and the category of cybercrime largely determine how much digital evidence is collected.

Accepted Answer

A) True 
 B)False

Exam 16: Applying Forensic Science to Computers

The file signature of a Microsoft Word document is an example of what type of characteristic?

List the class and individual characteristics of each of the following: - A JPEG file - A thumb drive - A user manual with handwritten notes

Regarding the examination of a piece of digital evidence, which of the following is NOT one of the fundamental questions that need to be answered?

Given the risks of collecting a few files only, in most cases it is advisable to preserve the full contents of the disk.

Preparation planning prior to processing a crime scene should include:

When processing the digital crime scene, one aspect of surveying for potential sources of digital evidence is:

If it is determined that some hardware should be collected, but there is no compelling need to collect everything, the most sensible approach is to employ:

It is not prudent to document the evidence more than one way.

According to the us Federal guidelines for searching and seizing computers, safe temperature ranges for most magnetic media are:

When a computer is to be moved or stored, evidence tape should be put around the main components of the computer in such a way that any attempt to open the casing or use the computer will be evident.

A forensic crime scene processing kit should contain quantities of those items used to process computer equipment.

Computers used to store and analyze digital evidence should be connected to the Internet, so that online research can be conducted.

A crime scene investigator decides to collect the entire computer. In addition, he decides to collect all of the peripheral devices associated with that computer. What reason could he give to justify this?

In regard to preservation, in a child pornography investigation, which of the following should be collected?

The forensic crime scene processing kit should include all of the following, EXCEPT:

Since computer seizures usually happen pretty much the same way, there is no real need to do any pre-planning.

The reason UNIX "dd" is considered a de facto standard for making bitstream copies is:

When documenting a crime scene, the computer and surrounding area should be photographed, detailed sketches should be made, and copious notes should be taken, because:

Which of the following is NOT part of the set of forensic methodologies referenced in this book?

The severity and the category of cybercrime largely determine how much digital evidence is collected.

Foundations of Digital Forensics

Language of Computer Crime Investigation

Digital Evidence in the Courtroom

Cybercrime Law: a United States Perspective

Cybercrime Law: a European Perspective

Conducting Digital Investigations

Handling a Digital Crime Scene

Investigative Reconstruction With Digital Evidence

Modus Operandi, Motive, and Technology

Violent Crime and Digital Evidence

Digital Evidence As Alibi

Sex Offenders on the Internet

Computer Intrusions

Cyberstalking

Computer Basics for Digital Investigators

Digital Evidence on Windows Systems

Digital Evidence on Unix Systems

Digital Evidence on Macintosh Systems

Digital Evidence on Mobile Devices

Network Basics for Digital Investigators

Applying Forensic Science to Networks

Digital Evidence on the Internet

Digital Evidence at the Physical and Data-Link Layers

Digital Evidence at the Network and Transport Layers

Filters