Deck 6: Conducting Digital Investigations
1
Which of the following is NOT a class characteristic of files on magnetic media:
A) Extension (e.g., .jpg, .exe)
B) Date-time stamp (e.g., 02/28/2004 03:00 PM)
C) Name (e.g., encase.exe)
D) Directory structure
D
2
When digital photographs containing child pornography are found on a home computer, investigators can assert that:
A) Someone in the house transferred the photographs onto the computer from a disk or the Internet.
B) Someone in the house took the photographs with a digital camera and transferred them directly onto the computer.
C) Someone gained unauthorized access to the computer via the Internet and transferred the photographs onto the computer.
D) None of the above.
D
3
The legal truth is always in agreement with the scientific truth in an investigation.
False
4
In the Staircase Model, why is case management shown spanning across all of the steps in the process model?
A) Case documents are intangible objects that can be held.
B) Case management provides stability and enables investigators to tie all relevant information together.
C) Case management documents the process function.
D) None of the above.
5
Which of the following would be considered an individual characteristic?
A) The originating IP address in a network packet or e-mail header
B) A scratch on the glass of a flatbed scanner or digital camera lens
C) Date-time stamps of files on a disk or entries in a database
D) All of the above
6
When a network is involved in a crime, investigators must seize and preserve all systems on the network.
7
Generating a plan of action and obtaining supporting resources and materials falls under which step in the digital investigation?
A) Preparation
B) Survey/identification
C) Preservation
D) Examination and analysis
8
An investigation can be hindered by the following:
A) Preconceived theories
B) Improperly handled evidence
C) Offender concealment behavior
D) All of the above
9
Which of the following should the digital investigator consider when arranging for the transportation of evidence?
A) Should the evidence be physically in the possession of the investigator at all times?
B) Will the evidence copies be shared with other experts at other locations?
C) Will there be environmental factors associated with the digital media?
D) All of the above
10
The scientific method uses computers to verify findings in an investigation.
11
Forensic examination involves which of the following:
A) Assessment, experimentation, fusion, correlation, and validation
B) Seizure and preservation
C) Recovery, harvesting, filtering, organization, and search
D) All of the above
12
The goal of an investigation is to:
A) Convict the suspect
B) Discover the truth
C) Find incriminating evidence
D) All of the above
13
Forensic examination and forensic analysis are separate processes.
14
The first step in applying the scientific method to a digital investigation is to:
A) Form a theory on what may have occurred
B) Experiment or test the available evidence to confirm or refute your prediction
C) Make one or more observations based on events that occurred
D) Form a conclusion based on the results of your findings
15
Not all incidents should be fully investigated nor do they all deserve the same priority and attention.
16
Process models have their origins in the early theories of computer forensics which defined the field in terms of a __________ process.
A) Complicated
B) Difficult
C) Linear
D) Polymorphic
17
Standard operating procedures (SOPs) are important because they:
A) Help individuals avoid common mistakes
B) Ensure that the best available methods are used
C) Increase the probability that two forensic examiners will reach the same conclusions when they examine the evidence
D) All of the above
18
When you have developed a theory, what can you do to confirm that your hypothesis is correct?
A) Predict, based on your hypothesis, where artifacts should be located
B) Perform experiments to test results and rule out alternate explanations
C) Conclude, based on your findings, whether the evidence supports the hypothesis
D) All of the above
19
Forensic analysis involves the following:
A) Assessment, experimentation, fusion, correlation, and validation
B) Seizure and preservation
C) Recovery, harvesting, filtering, organization, and search
D) All of the above
20
The process model whose goal is to completely describe the flow of information in a digital investigation is known as:
A) The Physical Model
B) The Staircase Model
C) The Evidence Flow Model
D) The Subphase Model
21
Survey/triage forensic inspection is the targeted review of all available media to determine which items contain the most useful evidence and require additional processing.
22
Of particular significance in the scientific method is the weight attached to finding evidence which supports a particular hypothesis.
23
When seizing a computer, it is always acceptable to lose the contents of RAM.
24
How are class characteristics useful in an investigation? Give an example involving digital evidence.
25
Case management is a critical part of digital investigations.
26
If alternative theories are suggested later, digital investigators have an obligation to reevaluate their findings.
27
Forensic examination is the process of extracting, viewing, and analyzing information from the evidence collected.
28
Preparation for the preservation step ensures that the best evidence can be preserved when the opportunity arises.
29
The process model whose primary strength is a notion of a continuous flow of information is known as the Subphase Model.
30
Beebe and Clark contend that most investigative process models are too low level.
31
Why is it important to process digital evidence properly while conducting an investigation?
32
Evidential artifacts found in the experimentation and testing process of the scientific method which are compatible with a particular hypothesis can be taken as proof of the hypothesis.
33
What is Locard's Exchange Principle? Give an example of how this principle applies to computer crime.