Question 1

When a piece of evidence has both a biological and a digital component, who should process it first?&#10;A) The crime scene technician, because biological artifacts are much more fragile&#10;B) The digital investigator, because processing the biological artifacts will destroy digital evidence&#10;C) Neither; the evidence should be preserved and transported to the lab for processing&#10;D) Both the crime scene technician and the digital investigator, in a cooperative effort, assuring that the biological evidence is collected in a way that does not damage the digital component

Accepted Answer

Both the crime scene technician and the digital investigator need to work together to ensure that the evidence is processed correctly without compromising either the biological or digital components. This cooperative effort is crucial for preserving the integrity of the evidence for analysis and legal proceedings.

Question 2

Why is the first step to secure the physical crime scene by removing everyone from the immediate area?&#10;A) To prevent them from contaminating evidence&#10;B) To prevent them from asking questions about the case before they can be interviewed&#10;C) To give them time to fill out a personal information survey&#10;D) To keep them from blocking the view when photographs are being taken

Accepted Answer

Securing the physical crime scene and removing everyone from the immediate area is crucial to prevent contamination of evidence. This ensures that the integrity of physical evidence is maintained for investigation and analysis.

Question 3

Since crime scenes are typically pretty much the same, very little planning needs to take place prior to first entering the scene.

Accepted Answer

Each crime scene is unique, requiring careful planning and a tailored approach to ensure evidence is properly collected and preserved.

Question 4

A thorough crime scene survey should include:&#10;A) Manuals for software applications&#10;B) Removable media&#10;C) Mobile devices&#10;D) All of the above

Accepted Answer

A thorough crime scene survey should include all items that could potentially store relevant data, including removable media and mobile devices. Manuals for software applications, while not directly storing data, could provide valuable information for accessing or interpreting data on other devices.

Question 5

Digital investigators like to preserve every potential source of digital evidence; however, they are constrained by:&#10;A) The law&#10;B) Resources&#10;C) The interests of business&#10;D) All of the above

Accepted Answer

Digital investigators are constrained by legal regulations, limited resources, and the interests of businesses, all of which can impact their ability to preserve digital evidence.

Question 6

Examples of data that should be immediately preserved include:&#10;A) USB drives&#10;B) Digital picture frames&#10;C) System and network information&#10;D) USB bracelets

Accepted Answer

System and network information should be immediately preserved as it contains critical data about the configuration and usage of computer systems and networks, which can be vital for forensic analysis, troubleshooting, and understanding the context of data or security incidents. USB drives, digital picture frames, and USB bracelets are types of physical storage devices or items that may contain data to be preserved, but the devices themselves are not examples of data.

Question 7

When first entering a crime scene, the first responder should immediately focus on the computers and technology.

Accepted Answer

The first responder should prioritize securing and preserving the scene to ensure safety and prevent contamination or loss of evidence.

Question 8

The challenge to controlling access to a digital crime scene is that:&#10;A) Information may be stored on Internet servers in different locations.&#10;B) The computer may be shared.&#10;C) The computer case may be locked.&#10;D) None of the above.

Accepted Answer

Information stored on Internet servers in different locations can complicate access control, as it may involve multiple jurisdictions and legal considerations.

Question 9

In the case where digital investigators dealing with distributed systems need to collect data from remote sites, the following procedure is recommended:&#10;A) Notify personnel at the remote sites to leave everything as is, and arrange for travel to the remote locations&#10;B) Notify personnel at the remote sites to shut down all systems and send the hard drives to the forensic lab&#10;C) Utilize remote forensics tools to acquire data from the remote sites' RAM as well as the hard drives&#10;D) None of the above

Accepted Answer

Utilizing remote forensics tools allows investigators to efficiently collect necessary data without the need for physical presence, which is crucial for preserving the integrity and timeliness of evidence in distributed systems.

Question 10

When a first responder encounters technology or equipment that he is not familiar with, the recommended course of action is to:&#10;A) Seize the equipment as if it were a known device&#10;B) Seek assistance from a more experienced digital investigator&#10;C) Leave that particular piece of equipment at the crime scene&#10;D) Ask the suspect for details on the equipment

Accepted Answer

Seeking assistance from a more experienced digital investigator is the recommended course of action when encountering unfamiliar technology or equipment. This ensures that the evidence is handled correctly and that the integrity of the investigation is maintained.

Question 11

In most situations, it is advisable to let the physical crime scene technicians, under the direction of the forensic investigator, process the scene first.

Accepted Answer

The answer of In most situations, it is advisable to...

Question 12

During the initial survey of a crime scene, why it is necessary to photograph or videotape the area and items of potential interest in their current state?&#10;A) This simplifies inventorying the crime scene.&#10;B) Photographing items to be seized records their actual condition, and precludes damage claims when the items are returned to the offender.&#10;C) To record the fact that a particular item was actually found at the crime scene.&#10;D) None of the above.

Accepted Answer

The answer of During the initial survey of a crime...

Question 13

On entering a crime scene, an investigator notes that a piece of equipment with antennas attached is connected to one of the target computers. Since this indicates a wireless connection, it is advisable to either disconnect or disable the piece of equipment.

Accepted Answer

The answer of On entering a crime scene, an investigator...

Question 14

The crime scene preservation process includes all but which of the following:&#10;A) Protecting against unauthorized alterations&#10;B) Acquiring digital evidence&#10;C) Confirming system date and time&#10;D) Controlling access to the crime scene

Accepted Answer

The answer of The crime scene preservation process includes all...

Question 15

The following organizations have published guidelines for handling digital crime scenes:&#10;A) US Secret Service&#10;B) Association of Chief Police Officers&#10;C) US Department of Justice&#10;D) All of the above

Accepted Answer

The answer of The following organizations have published guidelines for...

Question 16

When entering a crime scene, the initial survey should:&#10;A) Include user manuals&#10;B) Involve tracing cables&#10;C) Collect relevant data such as passwords and account details&#10;D) All of the above

Accepted Answer

The answer of When entering a crime scene, the initial...

Question 17

The likelihood of collecting notable information from a running computer is relatively small, so it is safe to shut down any running computer to preserve the data on the hard drive.

Accepted Answer

The answer of The likelihood of collecting notable information from...

Question 18

When presenting evidence on an organizational network, the digital investigator may require the assistance of:&#10;A) System administrators&#10;B) The CEO of the organization&#10;C) The CSO (Chief Security Officer)&#10;D) Additional forensic investigators

Accepted Answer

The answer of When presenting evidence on an organizational network,...

Question 19

When preparing a questionnaire for interviewing individuals of the crime scene which of the following should NOT be requested:&#10;A) Passwords&#10;B) Encryption keys&#10;C) Admission of guilt&#10;D) Details on removable storage

Accepted Answer

The answer of When preparing a questionnaire for interviewing individuals...

Question 20

Which of the following is not a safety consideration for a first responder?&#10;A) Additional personnel to control those present at the crime scene&#10;B) Protection against ELF emanations from monitors&#10;C) Proper tools for disassembling and reassembling computer cases&#10;D) Protective gloves and eyewear

Accepted Answer

The answer of Which of the following is not a...

Question 21

The contents of volatile memory are becoming more and more important.

Accepted Answer

The answer of The contents of volatile memory are becoming...

Question 22

Computer security professionals should obtain instructions and written authorization from their attorneys before gathering digital evidence relating to an investigation with an organization.

Accepted Answer

The answer of Computer security professionals should obtain instructions and...

Question 23

What considerations are there when developing a crime scene plan?

Accepted Answer

The answer of What considerations are there when developing a...

Question 24

The proper collection of evidence at a crime scene is crucial in terms of admissibility in court.

Accepted Answer

The answer of The proper collection of evidence at a...

Question 25

When seizing a computer, it is advisable to remove the computer's case and to unplug power cables from hard drives.

Accepted Answer

The answer of When seizing a computer, it is advisable...

Question 26

The Fourth Amendment, like ECPA, only applies to the government, not the private sector.

Accepted Answer

The answer of The Fourth Amendment, like ECPA, only applies...

Question 27

When shutting down a live system it is generally recommended to unplug the power from the back of the computer.

Accepted Answer

The answer of When shutting down a live system it...

Question 28

What information would you provide when preparing a search warrant?

Accepted Answer

The answer of What information would you provide when preparing...

Question 29

When performing triage at a crime scene, an important first step is to turn on any computers that are off and immediately look for items of evidence.

Accepted Answer

The answer of When performing triage at a crime scene,...

Question 30

Capturing volatile data or specific files from a live system is a straightforward process usually handled by the first responder.

Accepted Answer

The answer of Capturing volatile data or specific files from...

Question 31

When an organization itself is under investigation, it is always feasible to collect all the data for every system.

Accepted Answer

The answer of When an organization itself is under investigation,...

Question 32

The decision to seize an entire computer versus create a forensic duplicate of the internal hard drive will be influenced by the role of the computer.

Accepted Answer

The answer of The decision to seize an entire computer...

Deck 7: Handling a Digital Crime Scene