Chapter 4 Flashcards by Sean Sanders (2024)

Corporate investigations are typically easier than law enforcement investigations for which of the following reasons?

a. Most companies keep inventory databases of all hardware and software used.

n the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause.

T

If you discover a criminal act, such as murder or child p*rnography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement.

T

A, B

The plain view doctrine in computer searches is well-established law.

F

a, c

What are the three rules for a forensic hash?

It can’t be predicted, no two files can have the same hash value, and if the file changes, the hash value changes.

In forensic hashes, a collision occurs when ________.

two files have the same hash value

List three items that should be in an initial-response field kit.

Small computer toolkit, large-capacity drive, IDE ribbon cables, forensic boot media, laptop IDE 40-to-44 pin adapter, laptop or portable computer, FireWire or USB dual write-protect external bay, flashlight, digital camera or 35mm camera

When you arrive at the scene, why should you extract only those items that you need to acquire evidence?

To minimize how much you have to keep track of at the scene.

Computer peripherals or attachments can contain DNA evidence. True or False?

T

If a suspect computer is running Windows 2000, which of the following can you perform safely?

Browsing open applications.

Describe what should be videotaped or sketched at a computer crime scene.

Computers, cable connections, overview of scene—anything that might be of interest to the investigation.

Which of the following techniques might be used in covert surveillance?

Keylogging, data sniffing.

Commingling evidence means what in a corporate setting?

Sensitive corporate information being mixed with data collected as evidence.

Two hashing algorithms commonly used for forensic purposes are_____.

MD5 and SHA-1

Small companies rarely need investigators. True or False?

F

If a company doesn’t distribute a computing use policy stating an employer’s rights to inspect employee’s computers freely, including e-mail and web use, employees have an expectation of privacy. True or False?

T

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?

Initial-response field kit.

You should always answer questions from onlookers at the crime scene? True or False?

F

Automated Fingerprint Identification System (AFIS)

A computerized system for identifying fingerprints that’s connected to a central database; used to identify criminal suspects and review thousands of fingerprint samples at high speed.

A computerized system for identifying fingerprints that’s connected to a central database; used to identify criminal suspects and review thousands of fingerprint samples at high speed.

Automated Fingerprint Identification System (AFIS)

computer-generated records

Digital files generated by a computer

Digital files generated by a computer

computer-generated records

computer-stored records

Digital files generated by a person

Digital files generated by a person

computer-stored records

covert surveillance

observing people or places without being detected

observing people or places without being detected

covert surveillance

Cyclic Redundancy Check (CRC)

A mathematical algorithm that translates a file into a unique hexadecimal value

A mathematical algorithm that translates a file into a unique hexadecimal value

Cyclic Redundancy Check (CRC)

digital evidence

Evidence consisting of information stored or transmitted in electronic form

Evidence consisting of information stored or transmitted in electronic form

digital evidence

extensive-response field kit

A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers

A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers

extensive-response field kit

What should an extensive-response field kit include?

Two or more types of software or hardware computer forensics tools

hash value

A unique hexadecimal value that identifies a file or drive

A unique hexadecimal value that identifies a file or drive

hash value

hazardous materials (HAZMAT)

Chemical, biological, or radiological substances that can cause harm to people

Chemical, biological, or radiological substances that can cause harm to people

hazardous materials (HAZMAT)

initial-response field kit

A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.

A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.

initial-response field kit

innocent information

Data that doesn’t contribute to evidence of a crime or violation

Data that doesn’t contribute to evidence of a crime or violation

innocent information

keyed hash set

A value created by an encryption utility’s secret key

A value created by an encryption utility’s secret key

keyed hash set

limiting phrase

Wording in a search warrant that limits the scope of a search for evidence

Wording in a search warrant that limits the scope of a search for evidence

limiting phrase

low-level investigations

Corporate cases that require less investigative effort than a major criminal case

Corporate cases that require less investigative effort than a major criminal case

low-level investigations

Message Digest 5 (MD5)

An algorithm that produces a hexadecimal value of a file or storage media.

An algorithm that produces a hexadecimal value of a file or storage media.

Message Digest 5 (MD5)

National Institute of Standards and Technology (NIST)

One of the governing bodies responsible for setting standards for some U.S. industries.

One of the governing bodies responsible for setting standards for some U.S. industries.

National Institute of Standards and Technology (NIST)

nonkeyed hash set

A unique hash number generated by a software tool and used to identify files

A unique hash number generated by a software tool and used to identify files

nonkeyed hash set

person of interest

Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest

Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest

person of interest

plain view doctrine

When conducting a search and seizure, objects in plain view of a law enforcement officer, who has the right to be in position to have that view, are subject to seizure without a warrant and can be introduced as evidence.

When conducting a search and seizure, objects in plain view of a law enforcement officer, who has the right to be in position to have that view, are subject to seizure without a warrant and can be introduced as evidence.

plain view doctrine

probable cause

The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.

The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.

probable cause

professional curiosity

The motivation for law enforcement and other professional personnel to examine an incident or crime scene to see what happened

The motivation for law enforcement and other professional personnel to examine an incident or crime scene to see what happened

professional curiosity

Scientific Working Group on Digital Evidence (SWGDE)

A group that sets standards for recovering, preserving, and examining digital evidence

A group that sets standards for recovering, preserving, and examining digital evidence

Scientific Working Group on Digital Evidence (SWGDE)

Secure Hash Algorithm version 1 (SHA-1)

A forensic hashing algorithm created by NIST to determine whether data in a file or storage media has been altered.

A forensic hashing algorithm created by NIST to determine whether data in a file or storage media has been altered.

Secure Hash Algorithm version 1 (SHA-1)

sniffing

Detecting data transmissions to and from a suspect’s computer and a network server to determine the type of data being transmitted over a network

Detecting data transmissions to and from a suspect’s computer and a network server to determine the type of data being transmitted over a network

sniffing