CIS 562 Week 5 Midterm Exam – Strayer NEW
Chapters 1 Through 6
Chapter 1: Computer Forensics and Investigations as a Profession
TRUE/FALSE
1. By the 1970s, electronic crimes were increasing, especially in the financial sector.
2. To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
3. Computer investigations and forensics fall into the same category: public investigations.
4. The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
5. After a judge approves and signs a search warrant, it’s ready to be executed, meaning you can collect evidence as defined by the warrant.
MULTIPLE CHOICE
1. The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence.
a. Federal Rules of Evidence (FRE)
b. Department of Defense Computer Forensics Laboratory (DCFL)
c. DIBS
d. Computer Analysis and Response Team (CART)
2. ____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
a. Data recovery
b. Network forensics
c. Computer forensics
d. Disaster recovery
3. ____ involves preventing data loss by using backups, uninterruptible power supply (UPS) devices, and off-site monitoring.
a. Computer forensics
b. Data recovery
c. Disaster recovery
d. Network forensics
4. The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.
a. network intrusion detection
b. computer investigations
c. incident response
d. litigation
5. By the early 1990s, the ____ introduced training on software for forensics investigations.
a. IACIS
b. FLETC
c. CERT
d. DDBIA
6. In the Pacific Northwest, ____ meets monthly to discuss problems that law enforcement and corporations face.
a. IACIS
b. CTIN
c. FTK
d. FLETC
7. In a ____ case, a suspect is tried for a criminal offense, such as burglary, murder, or molestation.
a. corporate
b. civil
c. criminal
d. fourth amendment
8. In general, a criminal case follows three stages: the complaint, the investigation, and the ____.
a. litigation
b. allegation
c. blotter
d. prosecution
9. Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
a. litigation
b. allegation
c. blotter
d. prosecution
10. In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.
a. blotter
b. exhibit report
c. litigation report
d. affidavit
11. It’s the investigator’s responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.
a. litigation
b. prosecution
c. exhibits
d. reports
12. The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.
a. notarized
b. examined
c. recorded
d. challenged
13. Published company policies provide a(n) ____ for a business to conduct internal investigations.
a. litigation path
b. allegation resource
c. line of allegation
d. line of authority
14. A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
a. warning banner
b. right of privacy
c. line of authority
d. right banner
15. A(n) ____ is a person using a computer to perform routine tasks other than systems administration.
a. complainant
b. user banner
c. end user
d. investigator
16. Without a warning banner, employees might have an assumed ____ when using a company’s computer systems and network accesses.
a. line of authority
b. right of privacy
c. line of privacy
d. line of right
17. In addition to warning banners that state a company’s rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations.
a. authorized requester
b. authority of line
c. line of right
d. authority of right
18. Most computer investigations in the private sector involve ____.
a. e-mail abuse
b. misuse of computing assets
c. Internet abuse
d. VPN abuse
19. Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer.
a. silver-tree
b. gold-tree
c. silver-platter
d. gold-platter
20. Your ____ as a computer investigation and forensics analyst is critical because it determines your credibility.
a. professional policy
b. oath
c. line of authority
d. professional conduct
21. Maintaining ____ means you must form and sustain unbiased opinions of your cases.
a. confidentiality
b. objectivity
c. integrity
d. credibility
COMPLETION
1. ____________________ involves obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases.
2. The ____________________ to the U.S. Constitution (and each state’s constitution) protects everyone’s rights to be secure in their person, residence, and property from search and seizure.
3. The term ____________________ refers to large corporate computing systems that might include disparate or formerly independent systems.
4. When you work in the ____________________ group, you test and verify the integrity of standalone workstations and network servers.
5. The ____________________ provides a record of clues to crimes that have been committed previously.
MATCHING
Match each item with a statement below:
a. Computer forensics
b. Network forensics
c. Litigation
d. Xtree Gold
e. Case law
f. HTCIA
g. Affidavit
h. Industrial espionage
i. Line of authority
1. the legal process of proving guilt or innocence in court
2. recognizes file types and retrieves lost or deleted files
3. investigates data that can be retrieved from a computer’s hard disk or other storage media
4. sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence
5. allows legal counsel to use previous cases similar to the current one because the laws don’t yet exist
6. specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
7. organization that exchanges information about techniques related to computer investigations and security
8. yields information about how a perpetrator or an attacker gained access to a network
9. involves selling sensitive or confidential company information to a competitor
SHORT ANSWER
1. Briefly describe the triad that makes up computer security.
2. Briefly describe the main characteristics of public investigations.
3. Briefly describe the main characteristics of private investigations.
4. What questions should an investigator ask to determine whether a computer crime was committed?
5. What are the three levels of law enforcement expertise established by CTIN?
6. What are some of the most common types of corporate computer crime?
7. What is embezzlement?
8. Briefly describe corporate sabotage.
9. What text can be used in internal warning banners?
10. Mention examples of groups that should have direct authority to request computer investigations in the corporate environment.
Chapter 2: Understanding Computer Investigations
TRUE/FALSE
1. Chain of custody is also known as chain of evidence.
2. Employees surfing the Internet can cost companies millions of dollars.
3. You cannot use both multi-evidence and single-evidence forms in your investigation.
4. Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data.
5. A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible.
MULTIPLE CHOICE
1. The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court.
a. acquisition plan
b. chain of custody
c. evidence path
d. evidence custody
2. When preparing a case, you can apply ____ to problem solving.
a. standard programming rules
b. standard police investigation
c. standard systems analysis steps
d. bottom-up analysis
3. The list of problems you normally expect in the type of case you are handling is known as the ____.
a. standard risk assessment
b. chain of evidence
c. standard problems form
d. problems checklist form
4. The basic plan for your investigation includes gathering the evidence, establishing the ____, and performing the forensic analysis.
a. risk assessment
b. nature of the case
c. chain of custody
d. location of the evidence
5. A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence.
a. evidence custody form
b. risk assessment form
c. initial investigation form
d. evidence handling form
6. Use ____ to secure and catalog the evidence contained in large computer components.
a. Hefty bags
b. regular bags
c. paper bags
d. evidence bags
7. ____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab.
a. An antistatic wrist band
b. Padding
c. An antistatic pad
d. Tape
8. ____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats.
a. VPN
b. Internet
c. E-mail
d. Phone
9. To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____.
a. mobile workstation
b. forensic workstation
c. forensic lab
d. recovery workstation
10. You can use ____ to boot to Windows without writing any data to the evidence disk.
a. a SCSI boot up disk
b. a Windows boot up disk
c. a write-blocker
d. Windows XP
11. To begin conducting an investigation, you start by ____ the evidence using a variety of methods.
a. copying
b. analyzing
c. opening
d. reading
12. A ____ is a bit-by-bit copy of the original storage medium.
a. preventive copy
b. recovery copy
c. backup copy
d. bit-stream copy
13. A bit-stream image is also known as a(n) ____.
a. backup copy
b. forensic copy
c. custody copy
d. evidence copy
14. To create an exact image of an evidence disk, copying the ____ to a target work disk that’s identical to the evidence disk is preferable.
a. removable copy
b. backup copy
c. bit-stream image
d. backup image
15. ____ from Technology Pathways is a forensics data analysis tool. You can use it to acquire and analyze data from several different file systems.
a. Guidance EnCase
b. NTI SafeBack
c. DataArrest SnapCopy
d. ProDiscover Basic
16. Forensics tools such as ____ can retrieve deleted files for use as evidence.
a. ProDiscover Basic
b. ProDelete
c. FDisk
d. GainFile
17. When analyzing digital evidence, your job is to ____.
a. recover the data
b. destroy the data
c. copy the data
d. load the data
18. ____ can be the most time-consuming task, even when you know exactly what to look for in the evidence.
a. Evidence recovery
b. Data recovery
c. Data analysis
d. Evidence recording
19. When you write your final report, state what you did and what you ____.
a. did not do
b. found
c. wanted to do
d. could not do
20. In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____.
a. checked values
b. verification
c. evidence backup
d. repeatable findings
21. After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____.
a. critique the case
b. repeat the case
c. present the case
d. read the final report
COMPLETION
1. When you are dealing with password protected files, you might need to acquire ____________________ or find an expert who can help you crack the passwords.
2. During the ____________________ design or approach to the case, you outline the general steps you need to follow to investigate the case.
3. A(n) ____________________ lists each piece of evidence on a separate page.
4. A(n) ____________________ is usually conducted to collect information from a witness or suspect about specific facts related to an investigation.
5. A(n) ____________________ is where you conduct your investigations and where most of your equipment and software are located, including the secure evidence containers.
MATCHING
Match each item with a statement below:
a. FTK’s Internet Keyword Search
b. Data recovery
c. Free space
d. Interrogation
e. Forensic workstation
f. Norton DiskEdit
g. MS-DOS 6.22
h. Multi-evidence form
i. Self-evaluation
1. an essential part of professional growth
2. extracts all related e-mail address information for Web-based e-mail investigations
3. process of trying to get a suspect to confess to a specific incident or crime
4. a type of evidence custody form
5. also known as a computer forensics workstation
6. is the more well-known and lucrative side of the computer forensics business
7. can be used for new files that are saved or files that expand as data is added to them
8. the least intrusive (in terms of changing data) Microsoft operating system
9. an older computer forensics tool
SHORT ANSWER
1. What should you do to handle evidence contained in large computer components?
2. What is required to conduct an investigation involving Internet abuse?
3. What is required to conduct an investigation involving e-mail abuse?
4. What are the differences between computer forensics and data recovery?
5. Describe some of the technologies used with hardware write-blocker devices. Identify some of the more commonly used vendors and their products.
6. What are the items you need when setting up your workstation for computer forensics?
7. What additional items are useful when setting up a forensic workstation?
8. What items are needed when gathering the resources you identified in your investigation plan?
9. Describe the process of creating a bit-stream copy of an evidence disk.
10. Mention six important questions you should ask yourself when critiquing your work.
Chapter 3: The Investigator's Office and Laboratory
TRUE/FALSE
1. Performing a forensic analysis of a disk 200 GB or larger can take several days and often involves running imaging software overnight and on weekends.
2. Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses.
3. If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately.
4. A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.
5. Computing systems in a forensics lab should be able to process typical cases in a timely manner.
MULTIPLE CHOICE
1. A ____ is where you conduct your investigations, store evidence, and do most of your work.
a. forensic workstation
b. computer forensics lab
c. storage room
d. workbench
2. Lab costs can be broken down into daily, ____, and annual expenses.
a. weekly
b. monthly
c. bimonthly
d. quarterly
3. ____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
a. HTCN reports
b. IDE reports
c. Uniform crime reports
d. ASCLD reports
4. Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Windows File System.
a. NTFS
b. ext3
c. FAT24
d. ext2
5. ____ was created by police officers who wanted to formalize credentials in computing investigations.
a. HTCN
b. NISPOM
c. TEMPEST
d. IACIS
6. IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer forensics.
a. 2
b. 3
c. 4
d. 5
7. What HTCN certification level requires candidates to have three years of investigative experience in any discipline from law enforcement or corporate, or a college degree with one year of experience in investigations?
a. Certified Computer Crime Investigator, Basic Level
b. Certified Computer Crime Investigator, Advanced Level
c. Certified Computer Forensic Technician, Basic
d. Certified Computer Forensic Technician, Advanced
8. To preserve the integrity of evidence data, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.
a. secure workstation
b. secure workbench
c. protected PC
d. secure facility
9. The EMR from a computer monitor can be picked up as far away as ____ mile.
a. 1/4
b. 1/2
c. 3/4
d. 1
10. Defense contractors during the Cold War were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____.
a. TEMPEST
b. RAID
c. NISPOM
d. EMR
11. A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.
a. gypsum
b. steel
c. wood
d. expanded metal
12. Floors and carpets in your computer forensics lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.
a. once
b. twice
c. three times
d. four times
13. One way to investigate older and unusual computing systems is to keep track of ____ that still use these systems.
a. AICIS lists
b. uniform reports
c. SIGs
d. Minix
14. A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you’re analyzing.
a. disaster recovery
b. risk management
c. configuration management
d. security
15. You should have at least one copy of your backups on site and a duplicate copy or a previous copy of your backups stored in a safe ____ facility.
a. in-site
b. storage
c. off-site
d. online
16. In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery.
a. configuration management
b. risk assessment
c. recovery logging
d. change management
17. For labs using high-end ____ servers (such as Digital Intelligence F.R.E.D.C. or F.R.E.D.M.), you must consider methods for restoring large data sets.
a. RAID
b. ISDN
c. WAN
d. TEMPEST
18. ____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.
a. Risk configuration
b. Change management
c. Configuration management
d. Risk management
19. Computing components are designed to last 18 to ____ months in normal business operations.
a. 24
b. 30
c. 36
d. 42
20. In the ____, you justify acquiring newer and better resources to investigate computer forensics cases.
a. risk evaluation
b. business case
c. configuration plan
d. upgrade policy
21. By using ____ to attract new customers or clients, you can justify future budgets for the lab’s operation and staff.
a. pricing
b. marketing
c. budgeting
d. changing
COMPLETION
1. The ______________________________ provides guidelines for managing a forensics lab and for acquiring official crime-lab certification.
2. The lab ____________________ sets up processes for managing cases and reviews them regularly.
3. For daily work production, several examiners can work together in a large open area, as long as they all have ____________________ level of authority and access need.
4. ____________________ Chapter 5, Section 3 (http://nsi.org/Library/Govt/Nispom.html) describes the characteristics of a safe storage container.
5. A(n) ____________________ plan ensures that you can restore your workstations and file servers to their original condition if a catastrophic failure occurs.
MATCHING
Match each item with a statement below:
a. FireWire
b. Guidance Software
c. Business case
d. F.R.E.D.C.
e. ASCLD/LAB
f. SIG
g. MAN
h. Norton Ghost
i. Disaster recovery plan
1. sponsors the EnCE certification program
2. a high-end RAID server from Digital Intelligence
3. a plan you can use to sell your services to your management or clients
4. stands for Metropolitan Area Network
5. tool for directly restoring files
6. addresses how to restore a workstation you reconfigured for a specific investigation
7. ruled by the IEEE 1394B standard
8. can be a valuable source of support for recovering and analyzing uncommon systems
9. certification program that regulates how crime labs are organized and managed