Digital Forensics – 1st Edition
TEST BANK
Michael W. Graves
Comprehensive Test Bank for Instructors and
Students
© Michael W. Graves
All rights reserved. Reproduction or distribution without permission is prohibited.
From Digital Archaeology, by Michael Graves
Chapter 1 Review Questions
1. In Eoghan Casey’s model of an investigation there are multiple steps. Which of these is not one of those steps?
a. Examination
*b. Interrogation
c. Identification/Assessment
d. Preservation
e. Reporting
2. The process of documentation begins in the Identification/Assessment phase.
*a. True
b. False
3. Which of the following would not likely be a stakeholder in a civil lawsuit against a major automobile manufacturer?
a. Government regulatory agencies
b. The United Autoworkers Union
c. The judge assigned to the case
d. Owners of that company’s products
*e. All of these would be interested parties.
4. Collecting exculpatory evidence is exclusively the responsibility of the defense counsel.
a. True
*b. False
5. How many steps are there in Eoghan Casey’s Investigation Model?
Correct Answer(s):
a. 6
b. six
c. six.
d. 6.
6. Bob Smith is suspected of using his company’s Internet facilities as a conduit for sending large quantities of SPAM to
millions of users. You are called in to examine his computer to see if there is evidence to support this claim. This is initially
a form of what type of investigation?
a. Civil
*b. Internal
c. Criminal
d. This is not something you would do.
7. You suspect that there are a number of deleted files that can still be salvaged in the unallocated space of a drive
image. During which phase of the investigation would you use a data carving utility?
*a. Examination
b. Acquisition
c. Identification/Assessment
d. Analysis
e. Reporting
8. During which phase of an investigation do you make your first entries into a chain of custody log?
a. Examination
*b. Acquisition
c. Identification/Assessment
d. Analysis
e. Reporting
9. Criminal cases have more stringent evidence-gathering requirements because ________________.
a. Only civil cases fall under constitutional guidelines.
b. Criminal cases are generally handled by Federal judges.
*c. The Constitution protects the rights of citizens being tried in criminal proceedings.
d. Civil cases do not involve jail time or possible capital punishment.
e. They don’t. Civil cases have the most stringent requirements.
10. A person has been sued by her neighbor for building a fence on the wrong side of the property line. She tries to act as
her own defense attorney and is battered in court. She can appeal the case on Constitutional grounds, since she was
never advised of her right to be represented by counsel.
???What does this one have to do with the book? Could this be reworded as a computer related case? -Michael
a. True
*b. False
11. When qualifying an incident as a computer crime, which of the following characteristics would not be considered a
valid description?
a. The data in the computer are the objects of the act.
b. The computer is the instrument or the tool of the act.
*c. The computer is one of the objects stolen during a burglary.
d. The computer is the target of an act.
12. What is the purpose of having a model for investigations? How does it help the investigator or the student learning to
be an investigator?
Correct Answer:
A model acts as a blueprint for how an investigation should be structured. It allows students to break an investigation
down into basic steps, making it easier to learn the process. It allows the seasoned professional to make sure that nothing
is missed in the course of the project.
13. Why is it necessary to calculate hash values on the primary image made from a suspect’s hard drive? How many
hash calculations do you make?
Correct Answer:
You calculate the hash value for the original volume and compare it to the value you get from the copy. They must match.
If not, you need to figure out why they don’t and document the reason. How many do you make? That’s kind of a trick
question. Ideally, you will make two calculations for each copy. If you have both MD5 and SHA-256 calculations for
each copy, and each version matches, it will be very difficult for the opposition to challenge the validity of your copies.
14. Collecting the legal authorizations to begin an investigation is part of the ___________ stage of the model.
*a. Identification/Assessment
b. Analysis
c. Collection/Acquisition
d. Reporting
15. You work for a private organization that contracts out forensic investigations. In the process of examining a suspect’s
hard drive in the course of an internal investigation, you come across numerous files that are quite obviously child
pornography. You turn them over to the local law enforcement, which obtains a warrant and seizes the computer. Which
document applies to this situation?
*a. FRCP
b. FRE
c. PMBOX
d. None. You were acting privately.
16. What is the first thing that you should do upon acquiring a new tool for your forensic department?
Correct Answer:
Test it.
17. How many steps are there in the Kruse-Heiser Investigation Model?
Correct Answer(s):
a. 4
b. four
c. 4.
d. four.
18. You are among the first onto a scene in which multiple computers are being seized. As a part of the festivities, you
take a number of digital photographs and a video recording of the scene. What primary collection of
documentation hosts these images and videos?
a. The Case Timeline
b. Procedural Documentation
c. Chain of Custody
*d. General Case Documentation
e. Process Documentation
19. The FRCP is a set of rules that is relevant to which type of investigation?
a. Internal
*b. Criminal
c. Civil
d. It affects all of them equally.
20. You are about to seize an external hard disk drive that you found in the vicinity of a crime scene. You record the
make, model, and serial number of the drive before you pack it up for shipping. Of which set of documents does the
record become a part?
???The first two answers below were identical. I deleted one of them. -Michael
a. The Case Timeline
*b. Chain of Custody
*c. General Case Documentation
d. Process Documentation