As I said, we will be continuing to provide more and more content in the area of computer forensics as the weeks go by. Below is a set of computer forensics questions. I will provide the answers to these questions within several days.
Indicate whether the statement is true or false.
____ 1. Chain of custody is also known as chain of evidence.
____ 2. Employees surfing the Internet can cost companies millions of dollars.
____ 3. You cannot use both multi-evidence and single-evidence forms in your investigation.
____ 4. Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data.
____ 5. A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever
Identify the choice that best completes the statement or answers the question.
____ 6. The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court.
a. acquisition plan
b. chain of custody
c. evidence path
d. evidence custody
____ 7. When preparing a case, you can apply ____ to problem solving.
a. standard programming rules
b. standard police investigation
c. standard systems analysis steps
d. bottom-up analysis
____ 8. The list of problems you normally expect in the type of case you are handling is known as the ____.
a. standard risk assessment
b. chain of evidence
c. standard problems form
d. problems checklist form
____ 9. The basic plan for your investigation includes gathering the evidence, establishing the ____, and performing the
a. risk assessment
b. nature of the case
c. chain of custody
d. location of the evidence
____ 10. A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence.
a. evidence custody form
b. risk assessment form
c. initial investigation form
d. evidence handling form
____ 11. Use ____ to secure and catalog the evidence contained in large computer components.
a. Hefty bags
b. regular bags
c. paper bags
d. evidence bags
____ 12. ____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or
a. An antistatic wrist band
b. Padding
c. An antistatic pad
d. Tape
____ 13. ____ investigations typically include spam, inappropriate and offensive message content, and harassment or
a. VPN
b. Internet
c. E-mail
d. Phone
____ 14. To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____.
a. mobile workstation
b. forensic workstation
c. forensic lab
d. recovery workstation
____ 15. You can use ____ to boot to Windows without writing any data to the evidence disk.
a. a SCSI boot up disk
b. a Windows boot up disk
c. a write-blocker
d. Windows XP
____ 16. To begin conducting an investigation, you start by ____ the evidence using a variety of methods.
a. copying
b. analyzing
c. opening
d. reading
____ 17. A ____ is a bit-by-bit copy of the original storage medium.
a. preventive copy
b. recovery copy
c. backup copy
d. bit-stream copy
____ 18. A bit-stream image is also known as a(n) ____.
a. backup copy
b. forensic copy
c. custody copy
d. evidence copy
____ 19. To create an exact image of an evidence disk, copying the ____ to a target work disk that’s identical to the evidence disk is preferable.
a. removable copy
b. backup copy
c. bit-stream image
d. backup image
____ 20. ____ from Technology Pathways is a forensics data analysis tool. You can use it to acquire and analyze data from several different file systems.
a. Guidance EnCase
b. NTI SafeBack
c. DataArrest SnapCopy
d. ProDiscover Basic
____ 21. Forensics tools such as ____ can retrieve deleted files for use as evidence.
a. ProDiscover Basic
b. ProDelete
c. FDisk
d. GainFile
____ 22. When analyzing digital evidence, your job is to ____.
a. recover the data
b. destroy the data
c. copy the data
d. load the data
____ 23. ____ can be the most time-consuming task, even when you know exactly what to look for in the evidence.
a. Evidence recovery
b. Data recovery
c. Data analysis
d. Evidence recording
____ 24. When you write your final report, state what you did and what you ____.
a. did not do
b. found
c. wanted to do
d. could not do
____ 25. In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____.
a. checked values
b. verification
c. evidence backup
d. repeatable findings
____ 26. After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____.
a. critique the case
b. repeat the case
c. present the case
d. read the final report
Complete each statement.
27. When you are dealing with password protected files, you might need to acquire ____________________ or find an expert who can help you crack the passwords.
28. During the ____________________ design or approach to the case, you outline the general steps you need to follow to investigate the case.
29. A(n) ____________________ lists each piece of evidence on a separate page.
30. A(n) ____________________ is usually conducted to collect information from a witness or suspect about specific facts related to an investigation.
31. A(n) ____________________ is where you conduct your investigations and where most of your equipment and software are located, including the secure evidence containers.
Match each item with a statement below.
a. FTK’s Internet Keyword Search
b. Data recovery
c. Free space
d. Interrogation
e. Forensic workstation
f. Norton DiskEdit
g. MS-DOS 6.22
h. Multi-evidence form
i. Self-evaluation
____ 32. an essential part of professional growth
____ 33. extracts all related e-mail address information for Web-based e-mail investigations
____ 34. process of trying to get a suspect to confess to a specific incident or crime
____ 35. a type of evidence custody form
____ 36. also known as a computer forensics workstation
____ 37. is the more well-known and lucrative side of the computer forensics business
____ 38. can be used for new files that are saved or files that expand as data is added to them
____ 39. the least intrusive (in terms of changing data) Microsoft operating system
____ 40. an older computer forensics tool
41. What should you do to handle evidence contained in large computer components?
42. What is required to conduct an investigation involving Internet abuse?
43. What is required to conduct an investigation involving e-mail abuse?
44. What are the differences between computer forensics and data recovery?
45. Describe some of the technologies used with hardware write-blocker devices. Identify some of the more commonly used vendors and their products.
46. What are the items you need when setting up your workstation for computer forensics?
47. What additional items are useful when setting up a forensic workstation?
48. What items are needed when gathering the resources you identified in your investigation plan?
49. Describe the process of creating a bit-stream copy of an evidence disk.
50. Mention six important questions you should ask yourself when critiquing your work.