,TestBank For Digital Archaeology: The Art and Science of Digital Forensics 1st Edition
Chapter 1 Review Questions
1. In Eoghan Casey’s model of an investigation there are multiple steps. Which of these is not one of those steps?
a. Examination
*b. Interrogation
c. Identification/Assessment
d. Preservation
e. Reporting
2. The process of documentation begins in the Identification/Assessment phase.
*a. True
b. False
3. Which of the following would not likely be a stakeholder in a civil lawsuit against a major automobile manufacturer?
a. Government regulatory agencies
b. The United Autoworkers Union
c. The judge assigned to the case
d. Owners of that company’s products
*e. All of these would be interested parties.
4. Collecting exculpatory evidence is exclusively the responsibility of the defense counsel.
a. True
*b. False
5. How many steps are there in Eoghan Casey’s Investigation Model?
Correct Answer(s):
a. 6
b. six
c. six.
d. 6.
6. Bob Smith is suspected of using his company’s Internet facilities as a conduit for sending large quantities of SPAM to millions of
users. You are called in to examine his computer to see if there is evidence to support this claim. This is initially a form of what type
of investigation?
a. Civil
*b. Internal
c. Criminal
d. This is not something you would do.
7. You suspect that there are a number of deleted files that can still be salvaged in the unallocated space of a drive image. During
which phase of the investigation would you use a data carving utility?
*a. Examination
b. Acquisition
c. Identification/Assessment
d. Analysis
e. Reporting
8. During which phase of an investigation do you make your first entries into a chain of custody log?
a. Examination
*b. Acquisition
c. Identification/Assessment
d. Analysis
e. Reporting
1
,TestBank For Digital Archaeology: The Art and Science of Digital Forensics 1st Edition
Chapter 1 Review Questions
9. Criminal cases have more stringent evidence-gathering requirements because ________________.
a. Only civil cases fall under constitutional guidelines.
b. Criminal cases are generally handled by Federal judges.
*c. The Constitution protects the rights of citizens being tried in criminal proceedings.
d. Civil cases do not involve jail time or possible capital punishment.
e. They don’t. Civil cases have the most stringent requirements.
10. A person has been sued by her neighbor for building a fence on the wrong side of the property line. She tries to act as her own
defense attorney and is battered in court. She can appeal the case on Constitutional grounds, since she was never advised of her
right to be represented by counsel.
???What does this one have to do with the book? Could this be reworded as a computer related case? -Michael
a. True
*b. False
11. When qualifying an incident as a computer crime, which of the following characteristics would not be considered a valid
description?
a. The data in the computer are the objects of the act.
b. The computer is the instrument or the tool of the act.
*c. The computer is one of the objects stolen during a burglary.
d. The computer is the target of an act.
12. What is the purpose of having a model for investigations? How does it help the investigator or the student learning to be an
investigator?
Correct Answer:
A model acts as a blueprint for how an investigation should be structured. It allows students to break an investigation down into
basic steps, making it easier to learn the process. It allows the seasoned professional to make sure that nothing is missed in the
course of the project.
13. Why is it necessary to calculate hash values on the primary image made from a suspect’s hard drive? How many hash
calculations do you make?
Correct Answer:
You calculate the hash value for the original volume and compare it to the value you get from the copy. They must match. If not, you
need to figure out why it doesn’t and document the reason. How many do you make? That’s kind of a trick question. Ideally, you will
make two calculations for each copy. If you have both MDA5 and a SHA-256 calculations for each copy, and each version matches,
it will be very difficult for the opposition to challenge the validity of your copies.
14. Collecting the legal authorizations to begin an investigation are part of the ___________ stage of the model.
*a. Identification/Assessment
b. Analysis
c. Collection/Acquisition
d. Reporting
15. You work for a private organization that contracts out forensic investigations. In the process of examining a suspect’s hard drive
in the course of an internal investigation, you come across numerous files that are quite obviously child pornography. You turn them
over to the local law enforcement, which obtains a warrant and seizes the computer. Which document applies to this situation?
*a. FRCP
b. FRE
c. PMBOX
d. None. You were acting privately.
16. What is the first thing you should do upon acquiring a new tool for your forensic department?
Correct Answer:
Test it.
2
, TestBank For Digital Archaeology: The Art and Science of Digital Forensics 1st Edition
Chapter 1 Review Questions
17. How many steps are there in Kruse-Heiser Investigation Model?
Correct Answer(s):
a. 4
b. four
c. 4.
d. four.
18. You are among the first onto a scene in which multiple computers are being seized. As a part of the festivities, you take a
number of digital photographs and a video recording of the scene. What primary collection of documentation hosts these images
and videos?
a. The Case Timeline
b. Procedural Documentation
c. Chain of Custody
*d. General Case Documentation
e. Process Documentation
19. The FRCP is a set of rules that is relevant to which type of investigation?
a. Internal
*b. Criminal
c. Civil
d. It affects all of them equally.
20. You are about to seize an external hard disk drive that you found in the vicinity of a crime scene. You record the make, model,
and serial number of the drive before you pack it up for shipping. Of which set of documents does the record become a part?
???The first two answers below were identical. I deleted one of them. -Michael
a. The Case Timeline
*b. Chain of Custody
*c. General Case Documentation
d. Process Documentation
3
Chapter 1 Review Questions
1. In Eoghan Casey’s model of an investigation there are multiple steps. Which of these is not one of those steps?
a. Examination
*b. Interrogation
c. Identification/Assessment
d. Preservation
e. Reporting
2. The process of documentation begins in the Identification/Assessment phase.
*a. True
b. False
3. Which of the following would not likely be a stakeholder in a civil lawsuit against a major automobile manufacturer?
a. Government regulatory agencies
b. The United Autoworkers Union
c. The judge assigned to the case
d. Owners of that company’s products
*e. All of these would be interested parties.
4. Collecting exculpatory evidence is exclusively the responsibility of the defense counsel.
a. True
*b. False
5. How many steps are there in Eoghan Casey’s Investigation Model?
Correct Answer(s):
a. 6
b. six
c. six.
d. 6.
6. Bob Smith is suspected of using his company’s Internet facilities as a conduit for sending large quantities of SPAM to millions of
users. You are called in to examine his computer to see if there is evidence to support this claim. This is initially a form of what type
of investigation?
a. Civil
*b. Internal
c. Criminal
d. This is not something you would do.
7. You suspect that there are a number of deleted files that can still be salvaged in the unallocated space of a drive image. During
which phase of the investigation would you use a data carving utility?
*a. Examination
b. Acquisition
c. Identification/Assessment
d. Analysis
e. Reporting
8. During which phase of an investigation do you make your first entries into a chain of custody log?
a. Examination
*b. Acquisition
c. Identification/Assessment
d. Analysis
e. Reporting
1
,TestBank For Digital Archaeology: The Art and Science of Digital Forensics 1st Edition
Chapter 1 Review Questions
9. Criminal cases have more stringent evidence-gathering requirements because ________________.
a. Only civil cases fall under constitutional guidelines.
b. Criminal cases are generally handled by Federal judges.
*c. The Constitution protects the rights of citizens being tried in criminal proceedings.
d. Civil cases do not involve jail time or possible capital punishment.
e. They don’t. Civil cases have the most stringent requirements.
10. A person has been sued by her neighbor for building a fence on the wrong side of the property line. She tries to act as her own
defense attorney and is battered in court. She can appeal the case on Constitutional grounds, since she was never advised of her
right to be represented by counsel.
???What does this one have to do with the book? Could this be reworded as a computer related case? -Michael
a. True
*b. False
11. When qualifying an incident as a computer crime, which of the following characteristics would not be considered a valid
description?
a. The data in the computer are the objects of the act.
b. The computer is the instrument or the tool of the act.
*c. The computer is one of the objects stolen during a burglary.
d. The computer is the target of an act.
12. What is the purpose of having a model for investigations? How does it help the investigator or the student learning to be an
investigator?
Correct Answer:
A model acts as a blueprint for how an investigation should be structured. It allows students to break an investigation down into
basic steps, making it easier to learn the process. It allows the seasoned professional to make sure that nothing is missed in the
course of the project.
13. Why is it necessary to calculate hash values on the primary image made from a suspect’s hard drive? How many hash
calculations do you make?
Correct Answer:
You calculate the hash value for the original volume and compare it to the value you get from the copy. They must match. If not, you
need to figure out why it doesn’t and document the reason. How many do you make? That’s kind of a trick question. Ideally, you will
make two calculations for each copy. If you have both MDA5 and a SHA-256 calculations for each copy, and each version matches,
it will be very difficult for the opposition to challenge the validity of your copies.
14. Collecting the legal authorizations to begin an investigation are part of the ___________ stage of the model.
*a. Identification/Assessment
b. Analysis
c. Collection/Acquisition
d. Reporting
15. You work for a private organization that contracts out forensic investigations. In the process of examining a suspect’s hard drive
in the course of an internal investigation, you come across numerous files that are quite obviously child pornography. You turn them
over to the local law enforcement, which obtains a warrant and seizes the computer. Which document applies to this situation?
*a. FRCP
b. FRE
c. PMBOX
d. None. You were acting privately.
16. What is the first thing you should do upon acquiring a new tool for your forensic department?
Correct Answer:
Test it.
2
, TestBank For Digital Archaeology: The Art and Science of Digital Forensics 1st Edition
Chapter 1 Review Questions
17. How many steps are there in Kruse-Heiser Investigation Model?
Correct Answer(s):
a. 4
b. four
c. 4.
d. four.
18. You are among the first onto a scene in which multiple computers are being seized. As a part of the festivities, you take a
number of digital photographs and a video recording of the scene. What primary collection of documentation hosts these images
and videos?
a. The Case Timeline
b. Procedural Documentation
c. Chain of Custody
*d. General Case Documentation
e. Process Documentation
19. The FRCP is a set of rules that is relevant to which type of investigation?
a. Internal
*b. Criminal
c. Civil
d. It affects all of them equally.
20. You are about to seize an external hard disk drive that you found in the vicinity of a crime scene. You record the make, model,
and serial number of the drive before you pack it up for shipping. Of which set of documents does the record become a part?
???The first two answers below were identical. I deleted one of them. -Michael
a. The Case Timeline
*b. Chain of Custody
*c. General Case Documentation
d. Process Documentation
3
