DFIA 440: Applying Forensic Science.

Forensic Science has uses in what fields?
a. Military intelligence
b. Policy reinforcement.
c. Law enforcement
d. All of the above

d. All of the above

Forensic Science is a _______ to help find scientific truth.

Methodology

The goal of forensic science is to produce results that are ________, accurate, and free from bias.

Reproducible

How many stages of the forensic process does the book list?

7 stages.
Preparation, survey, documentation, preservation, examination & analysis, reconstruction, and reporting.

Which of the following would you not be concerned with during the preparation stage of the forensic process?
a. OS type of systems
b. previewing the systems
c. number of systems to examine
d. type and brand of technology

b. Previewing the systems. That will be done in the examination and analysis stage.

T/F You should use large hard drives to capture multiple images.

F. Best practice is to use one pre-wiped drive per image.

T/F Digital forensics experts need only a write blocker and hard drives for most jobs.

F. There is a long list of equipment that an expert should have, including a variety of cables, laptop computers, extra batteries, etc.

T/F The Surveying step of the forensic process involves assessing what digital evidence is available and what is worth taking.

T.

T/F The Surveying step of the forensic process should be completed quickly.

F. Under normal circumstances there is no rush to determine what has probative value. Be methodical in this step.

Sorting between irrelevant and relevant sources of digital evidence is part of the _______ step.

Surveying

T/F Note taking should start in the documentation stage.

F. All stages of the forensic process, before and after the documentation step, should have copious notes.

T/F Evidence intake is a paperwork intensive process.

T.

When it comes to copies of notes and data, _____ is the standard safe number.

2 copies

The documentation step does not do which of the following?
a. helps to recall facts
b. allows for reproduction of your investigation
c. creates evidence
d. maintains a record of errors made.

c. Creates evidence

T/F The preservation stage of the forensic process should never change any data.

F. Often, there is no way to collect data without causing a change somewhere on the drive.

The level of data collected during the preservation stage depends on what?
a. Severity of the crime
b. Size of budget
c. Time constraints
d. All of the above.

d. All of the above.

T/F Preservation only includes the data not hardware.

F. Some investigations, especially criminal ones, include seizing hardware.

Don't leave evidence behind, but only take what is _______.

Essential

There are ____ levels of forensic examination & analysis.

3.
Survey/triage, preliminary forensic analysis, and in-depth forensic analysis.

A quick look at evidence through a write blocker is called a ____.

Preview

Which of the following is not part of a preliminary analysis?
a. Key artifacts
b. User made documents
c. Carved data

c. Carved data.
Carving data is reserved for a more complete search.

Which of the following is not a part of an in-depth forensic analysis?
a. Password cracking
b. Triage imaging
c. Carving data

b. Triage imaging.
A triage image takes only the most common areas where evidence is found; it is not complete enough for an in-depth forensic analysis.

T/F Time constraints are one of the main factors in determining what type of analysis is done.

T.

T/F Only a small portion of the data collected from a computer is useless; most has probative value.

F.
Most data is useless to an investigation; the majority of data on a drive is software, OS files, and other non-user-created data.

T/F The bulk of evidence comes from user-generated files or values.

T.

When dealing with huge amounts of data, granular ______ can greatly aid in removing useless info.

Filters

Removing duplicate files is also known as ______.

de-duping

T/F The reconstruction step of the forensic process includes reconstructing events in such a way as to fit a theory.

F.
Reconstruction includes analyzing the evidence and data and reconstructing events based on that information.

There are ____ types of analysis in the Reconstruction step.

3.
Functional.
Temporal.
Relational.

T/F Reports should be written at the level of other Digital Forensics Experts.

F.
The reports should be understandable by lay people.

T/F Functional analysis includes things such as "Does this computer have -Blank- ability?" and "Could this evidence have been tampered with?".

T.

Abnormal behavior on a system can be spotted more easily by establishing a ________ normal from logs and functional analysis.

Baseline

T/F Alibis are difficult to prove with digital evidence.

T.
Most, if not all, processes of computer interaction can be automated, making it hard to confirm whether a person was actually using their computer.

T/F Relational analysis includes connecting things, people, and places, and determining what kind of connection they have.

T.

T/F A temporal analysis includes placing events on a timeline.

T.