Explore all topics
Start Free Trial
Need Help? Contact us
back arrowfull exam logo
search
ai logoChat with AI
Servicesarrow
Discoverarrow

Topics

Explore all topics
Discover more topics

Deck 16: Applying Forensic Science to Computers

Full screen (f)
exit full mode
Question
If it is determined that some hardware should be collected, but there is no compelling need to collect everything, the most sensible approach is to employ:

A) Nearest reach doctrine
B) Direct connectivity doctrine
C) Independent component doctrine
D) Slice-the-pie doctrine
Use Space or
up arrow
down arrow
to flip the card.
Question
The forensic crime scene processing kit should include all of the following, EXCEPT:

A) Evidence bags, tags, and other items to label and package evidence
B) Forensically sanitized hard drives to store acquired data
C) Compilers for developing forensic tools on site
D) Hardware write blockers
Question
When surveying the crime scene for hardware, the investigator should focus on the computer systems since that is where most of the important evidence will be.
Question
The _______________documentation specifies who handled the evidence, when, where, and for what purpose.

A) Evidence inventory
B) Chain of custody
C) Evidence intake
D) Preservation notes
Question
Which of the following is NOT an artifact that will be irrevocably lost if the computer is shut down?

A) Running processes
B) Open network ports
C) Data stored in memory
D) System date and time
Question
A forensic crime scene processing kit should contain quantities of those items used to process computer equipment.
Question
When documenting a crime scene, the computer and surrounding area should be photographed, detailed sketches should be made, and copious notes should be taken, because:

A) The more evidence collected, the stronger the case.
B) This provides a record for what to look for when you return for the second visit.
C) It is prudent to document the same evidence in several ways.
D) All of the above.
Question
When processing the digital crime scene, one aspect of surveying for potential sources of digital evidence is:

A) Recognizing relevant hardware such as computers, removable media, etc.
B) Determining if electrical wiring is capable of supporting forensic machines
C) Confirming that the operating environment is suitable for electronic equipment
D) Making sure there is sufficient space to set up the forensic crime scene processing kit
Question
Which of the following is NOT one of the recommended approaches to preserving digital evidence?

A) Place the evidential computers and storage media in secure storage for later processing.
B) Preview the evidential computer, taking appropriate notes.
C) Extract just the information needed from evidential computers and storage media.
D) Acquire everything from evidential computer and storage media.
Question
Which of the following is NOT part of the set of forensic methodologies referenced in this book?

A) Preparation
B) Interdiction
C) Documentation
D) Reconstruction
Question
Preparation planning prior to processing a crime scene should include:

A) What computer equipment to expect at the site
B) What the systems are used for
C) Whether a network is involved
D) All of the above
Question
The reason UNIX "dd" is considered a de facto standard for making bitstream copies is:

A) The majority of tools for examining digital evidence can interpret bitstream copies.
B) "dd" stands for "digital data" and was developed for making forensic copies.
C) "dd," although a UNIX tool, is universally able to traverse Windows file systems.
D) The developers of "dd" have made arrangements with other forensic software companies.
Question
A crime scene investigator decides to collect the entire computer. In addition, he decides to collect all of the peripheral devices associated with that computer. What reason could he give to justify this?

A) It is especially important to collect peripheral hardware related to the type of digital evidence one would expect to find in the computer.
B) Since the computer is being collected, the suspect has no need for the peripherals.
C) The presence of the peripheral devices is essential to imaging the suspect hard drive.
D) None of the above.
Question
If possible, prior to entering a crime scene, it is useful to try and determine what kind of computer equipment to expect.
Question
Chain of custody documents record who handled the evidence, when, where, and for what purpose.
Question
The file signature of a Microsoft Word document is an example of what type of characteristic?

A) An individual characteristic
B) A class characteristic
C) An intermediate characteristic
D) A medial characteristic
Question
In regard to preservation, in a child pornography investigation, which of the following should be collected?

A) Photographs
B) Papers
C) Digital cameras
D) All of the above
Question
Regarding the examination of a piece of digital evidence, which of the following is NOT one of the fundamental questions that need to be answered?

A) What is it (identification)?
B) What classifications distinguish it?
C) Where did it come from?
D) What is its value?
Question
According to the us Federal guidelines for searching and seizing computers, safe temperature ranges for most magnetic media are:

A) 60-80 degrees Fahrenheit
B) 50-90 degrees centigrade
C) 50-90 degrees Fahrenheit
D) 60-80 degrees centigrade
Question
Since computer seizures usually happen pretty much the same way, there is no real need to do any pre-planning.
Question
The severity and the category of cybercrime largely determine how much digital evidence is collected.
Question
The updated ACPO recommendation for seizing a running computer is to pull the electrical cord from the back of the computer.
Question
A sound forensic practice is to make at least two copies of digital evidence and to confirm that at least one of the copies was successful and can be accessed on another computer.
Question
When a computer is to be moved or stored, evidence tape should be put around the main components of the computer in such a way that any attempt to open the casing or use the computer will be evident.
Question
"dd" is the only way to make a bitstream copy.
Question
At a crime scene, digital evidence will be found on the computer, on mobile devices, and on shelves, bookcases, and the area surrounding the computer. Therefore, there is no need to search the garbage for evidence.
Question
Given the risks of collecting a few files only, in most cases it is advisable to preserve the full contents of the disk.
Question
Under independent component doctrine, if a computer system must remain in place but it is necessary to take the original hard drive, a reasonable compromise is to duplicate the
Question
It is not prudent to document the evidence more than one way.
Question
Computers used to store and analyze digital evidence should be connected to the Internet, so that online research can be conducted.
Question
List the class and individual characteristics of each of the following:
- A JPEG file
- A thumb drive
- A user manual with handwritten notes
Unlock Deck
Sign up to unlock the cards in this deck!
Unlock Deck
Unlock Deck
1/31
auto play flashcards
Play
simple tutorial
Full screen (f)
exit full mode
Deck 16: Applying Forensic Science to Computers
1
If it is determined that some hardware should be collected, but there is no compelling need to collect everything, the most sensible approach is to employ:

A) Nearest reach doctrine
B) Direct connectivity doctrine
C) Independent component doctrine
D) Slice-the-pie doctrine
C
2
The forensic crime scene processing kit should include all of the following, EXCEPT:

A) Evidence bags, tags, and other items to label and package evidence
B) Forensically sanitized hard drives to store acquired data
C) Compilers for developing forensic tools on site
D) Hardware write blockers
C
3
When surveying the crime scene for hardware, the investigator should focus on the computer systems since that is where most of the important evidence will be.
False
4
The _______________documentation specifies who handled the evidence, when, where, and for what purpose.

A) Evidence inventory
B) Chain of custody
C) Evidence intake
D) Preservation notes
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
5
Which of the following is NOT an artifact that will be irrevocably lost if the computer is shut down?

A) Running processes
B) Open network ports
C) Data stored in memory
D) System date and time
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
6
A forensic crime scene processing kit should contain quantities of those items used to process computer equipment.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
7
When documenting a crime scene, the computer and surrounding area should be photographed, detailed sketches should be made, and copious notes should be taken, because:

A) The more evidence collected, the stronger the case.
B) This provides a record for what to look for when you return for the second visit.
C) It is prudent to document the same evidence in several ways.
D) All of the above.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
8
When processing the digital crime scene, one aspect of surveying for potential sources of digital evidence is:

A) Recognizing relevant hardware such as computers, removable media, etc.
B) Determining if electrical wiring is capable of supporting forensic machines
C) Confirming that the operating environment is suitable for electronic equipment
D) Making sure there is sufficient space to set up the forensic crime scene processing kit
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
9
Which of the following is NOT one of the recommended approaches to preserving digital evidence?

A) Place the evidential computers and storage media in secure storage for later processing.
B) Preview the evidential computer, taking appropriate notes.
C) Extract just the information needed from evidential computers and storage media.
D) Acquire everything from evidential computer and storage media.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
10
Which of the following is NOT part of the set of forensic methodologies referenced in this book?

A) Preparation
B) Interdiction
C) Documentation
D) Reconstruction
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
11
Preparation planning prior to processing a crime scene should include:

A) What computer equipment to expect at the site
B) What the systems are used for
C) Whether a network is involved
D) All of the above
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
12
The reason UNIX "dd" is considered a de facto standard for making bitstream copies is:

A) The majority of tools for examining digital evidence can interpret bitstream copies.
B) "dd" stands for "digital data" and was developed for making forensic copies.
C) "dd," although a UNIX tool, is universally able to traverse Windows file systems.
D) The developers of "dd" have made arrangements with other forensic software companies.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
13
A crime scene investigator decides to collect the entire computer. In addition, he decides to collect all of the peripheral devices associated with that computer. What reason could he give to justify this?

A) It is especially important to collect peripheral hardware related to the type of digital evidence one would expect to find in the computer.
B) Since the computer is being collected, the suspect has no need for the peripherals.
C) The presence of the peripheral devices is essential to imaging the suspect hard drive.
D) None of the above.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
14
If possible, prior to entering a crime scene, it is useful to try and determine what kind of computer equipment to expect.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
15
Chain of custody documents record who handled the evidence, when, where, and for what purpose.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
16
The file signature of a Microsoft Word document is an example of what type of characteristic?

A) An individual characteristic
B) A class characteristic
C) An intermediate characteristic
D) A medial characteristic
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
17
In regard to preservation, in a child pornography investigation, which of the following should be collected?

A) Photographs
B) Papers
C) Digital cameras
D) All of the above
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
18
Regarding the examination of a piece of digital evidence, which of the following is NOT one of the fundamental questions that need to be answered?

A) What is it (identification)?
B) What classifications distinguish it?
C) Where did it come from?
D) What is its value?
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
19
According to the us Federal guidelines for searching and seizing computers, safe temperature ranges for most magnetic media are:

A) 60-80 degrees Fahrenheit
B) 50-90 degrees centigrade
C) 50-90 degrees Fahrenheit
D) 60-80 degrees centigrade
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
20
Since computer seizures usually happen pretty much the same way, there is no real need to do any pre-planning.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
21
The severity and the category of cybercrime largely determine how much digital evidence is collected.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
22
The updated ACPO recommendation for seizing a running computer is to pull the electrical cord from the back of the computer.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
23
A sound forensic practice is to make at least two copies of digital evidence and to confirm that at least one of the copies was successful and can be accessed on another computer.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
24
When a computer is to be moved or stored, evidence tape should be put around the main components of the computer in such a way that any attempt to open the casing or use the computer will be evident.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
25
"dd" is the only way to make a bitstream copy.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
26
At a crime scene, digital evidence will be found on the computer, on mobile devices, and on shelves, bookcases, and the area surrounding the computer. Therefore, there is no need to search the garbage for evidence.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
27
Given the risks of collecting a few files only, in most cases it is advisable to preserve the full contents of the disk.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
28
Under independent component doctrine, if a computer system must remain in place but it is necessary to take the original hard drive, a reasonable compromise is to duplicate the
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
29
It is not prudent to document the evidence more than one way.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
30
Computers used to store and analyze digital evidence should be connected to the Internet, so that online research can be conducted.
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
31
List the class and individual characteristics of each of the following:
- A JPEG file
- A thumb drive
- A user manual with handwritten notes
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Unlock Deck
k this deck
locked card icon
Unlock Deck
Unlock for access to all 31 flashcards in this deck.
Examlex
Examlex
Work With Us
Policies
Download the App
Scan to downloadDownload the App
qr-code
Links
Links
Work With Us
Download the App

Scan to downloadDownload the App
qr-code

Copyright © 2025 Examlex LLC.
  • facebook-footer
  • instagram-footer
  • x-footer
  • tiktok
  • Linktree