Capstone Test Exam Questions And Answers
Describe what chain of custody is and why it is so important in
dealing with seized digital evidence. - - -
correct answer ✅The chain of custody is the continuity of control
of evidence that makes it possible to account for all that has
happened to evidence between its original collection and its
appearance in court, preferably unaltered. If forensic specialist can't
demonstrate that they have maintained the chain of custody, then
the court may consider all their conclusions invalid. This is the most
important principle in any effort, digital or nondigital. The chain of
physical custody must be maintained. From the time the evidence is
first seized by a law enforcement officer or civilian investigator until
the moment it is shown in court, the whereabouts and custody of
the evidence, and how it was handled and stored and by whom,
must be able to be shown at all times. Failure to maintain proper
chain of custody can lead to evidence being excluded from trial.
Why is it important to perform a bit by bit copy of seized digital
evidence if possible? What types of digital evidence cannot use this
technique and why? - - -
correct answer ✅There are two main reasons to duplicate hard
drives and work on them:
1. A forensics examination could destroy evidence.
2. The original computer system from which evidence is gathered
cannot be removed.
,Capstone Test Exam Questions And Answers
Before any data analysis occurs, it usually makes sense to create an
exact, bit for bit copy of the original storage media that exists on
the subject computer. Forensic imaging is the process of taking an
exact copy of a hard drive, and is the very foundation of computer
forensics, data recovery and eDiscovery processing. Deleted files,
slack space, system files and executables (and documents renamed
to mimic system files and executables) are all part of a forensic
image. Once the forensic image or copy has been obtained, it can
then be expanded onto a control computer in a secure facility for
file and data search.
While forensic software, in the hands of a skilled examiner, can
access date and time information not available to users, it cannot
retrieve dates once they have been altered.There is some loss of
potential evidence when working with a duplicate. The original
hard drive contains traces of previous contents of sectors, that can
at very high costs and with difficulty be used to regenerate previous
contents of the sector. No duplication process can transfer this
hidden data to another drive.
Why is documenting your process important for the digital forensic
examiner or investigator? - - -
correct answer ✅Documentation of forensic processing
methodologies and findings is critical. Without proper
, Capstone Test Exam Questions And Answers
documentation, a forensic specialist has difficulty presenting
findings. When security or audit findings become the object of a
lawsuit or a criminal investigation, the legal system requires proper
documentation. Without documentation, courts are unlikely to
accept investigative results. Thus, a system forensics specialist must
know the ins and outs of computer evidence processing
methodology. This methodology includes strong evidence-
processing documentation and good chain-of-custody procedures.
The rule is that you document everything. Who was present when
the device was seized? What was connected to the device or
showing on the screen when you seized it? What specific tools and
techniques did you use? Who had access to the evidence from the
time of seizure until the time of trial? All of this must be
documented. And when in doubt, err on the side of
overdocumentation.
Explain what the Daubert Standard is and my is it important to
digital forensic examiner or investigator? - - -
correct answer ✅The Daubert standard provides a rule of
evidence regarding the admissibility of expert witnesses' testimony
during United States federal legal proceedings. Pursuant to this
standard, a party may raise a Daubert motion, which is a special
case of motion in limine raised before or during trial to exclude the
presentation of unqualified evidence to the jury.
Describe what chain of custody is and why it is so important in
dealing with seized digital evidence. - - -
correct answer ✅The chain of custody is the continuity of control
of evidence that makes it possible to account for all that has
happened to evidence between its original collection and its
appearance in court, preferably unaltered. If forensic specialist can't
demonstrate that they have maintained the chain of custody, then
the court may consider all their conclusions invalid. This is the most
important principle in any effort, digital or nondigital. The chain of
physical custody must be maintained. From the time the evidence is
first seized by a law enforcement officer or civilian investigator until
the moment it is shown in court, the whereabouts and custody of
the evidence, and how it was handled and stored and by whom,
must be able to be shown at all times. Failure to maintain proper
chain of custody can lead to evidence being excluded from trial.
Why is it important to perform a bit by bit copy of seized digital
evidence if possible? What types of digital evidence cannot use this
technique and why? - - -
correct answer ✅There are two main reasons to duplicate hard
drives and work on them:
1. A forensics examination could destroy evidence.
2. The original computer system from which evidence is gathered
cannot be removed.
,Capstone Test Exam Questions And Answers
Before any data analysis occurs, it usually makes sense to create an
exact, bit for bit copy of the original storage media that exists on
the subject computer. Forensic imaging is the process of taking an
exact copy of a hard drive, and is the very foundation of computer
forensics, data recovery and eDiscovery processing. Deleted files,
slack space, system files and executables (and documents renamed
to mimic system files and executables) are all part of a forensic
image. Once the forensic image or copy has been obtained, it can
then be expanded onto a control computer in a secure facility for
file and data search.
While forensic software, in the hands of a skilled examiner, can
access date and time information not available to users, it cannot
retrieve dates once they have been altered.There is some loss of
potential evidence when working with a duplicate. The original
hard drive contains traces of previous contents of sectors, that can
at very high costs and with difficulty be used to regenerate previous
contents of the sector. No duplication process can transfer this
hidden data to another drive.
Why is documenting your process important for the digital forensic
examiner or investigator? - - -
correct answer ✅Documentation of forensic processing
methodologies and findings is critical. Without proper
, Capstone Test Exam Questions And Answers
documentation, a forensic specialist has difficulty presenting
findings. When security or audit findings become the object of a
lawsuit or a criminal investigation, the legal system requires proper
documentation. Without documentation, courts are unlikely to
accept investigative results. Thus, a system forensics specialist must
know the ins and outs of computer evidence processing
methodology. This methodology includes strong evidence-
processing documentation and good chain-of-custody procedures.
The rule is that you document everything. Who was present when
the device was seized? What was connected to the device or
showing on the screen when you seized it? What specific tools and
techniques did you use? Who had access to the evidence from the
time of seizure until the time of trial? All of this must be
documented. And when in doubt, err on the side of
overdocumentation.
Explain what the Daubert Standard is and my is it important to
digital forensic examiner or investigator? - - -
correct answer ✅The Daubert standard provides a rule of
evidence regarding the admissibility of expert witnesses' testimony
during United States federal legal proceedings. Pursuant to this
standard, a party may raise a Daubert motion, which is a special
case of motion in limine raised before or during trial to exclude the
presentation of unqualified evidence to the jury.
